
Rule

Licensing and Safety Requirements for Launch

This document has been published in the Federal Register.


AGENCY:

Federal Aviation Administration (FAA), DOT.

ACTION:

Final rule.

SUMMARY:

This final rule amends commercial space transportation regulations governing the launch of expendable launch vehicles. This action is necessary to codify current launch practices at Federal launch ranges and codify rules for launches from a non-Federal launch site. These safety requirements currently apply to a launch operator through its FAA license. The intended effect of this action is to ensure that the public continues to be protected from the hazards of launch from either a Federal launch range or a non-Federal launch site.

DATES:

These amendments become effective September 25, 2006. Compliance is required by August 27, 2007.


FOR FURTHER INFORMATION CONTACT:

René Rey, Licensing and Safety Division, AST-200, Federal Aviation Administration, 800 Independence Avenue, SW., Washington, DC 20591; telephone (202) 267-7538; e-mail Rene.Rey@faa.gov. For questions regarding legal interpretation, contact Laura Montgomery, AGC-200, (202) 267-3150; e-mail laura.montgomery@faa.gov.


SUPPLEMENTARY INFORMATION:

Availability of Rulemaking Documents

You can get an electronic copy using the Internet by:

(1) Searching the Department of Transportation's electronic Docket Management System (DMS) Web page (http://dms.dot.gov/search);

(2) Visiting the FAA's Regulations and Policies Web page at http://www.faa.gov/regulations_policies/; or

(3) Accessing the Government Printing Office's Web page at http://www.gpoaccess.gov/fr/index.html.

You can also get a copy by sending a request to the Federal Aviation Administration, Office of Rulemaking, ARM-1, 800 Independence Avenue, SW., Washington, DC 20591, or by calling (202) 267-9680. Make sure to identify the amendment number or docket number of this rulemaking.

Anyone is able to search the electronic form of all comments received into any of our dockets by the name of the individual submitting the comment (or signing the comment, if submitted on behalf of an association, business, labor union, etc.). You may review DOT's complete Privacy Act statement in the Federal Register published on April 11, 2000 (Volume 65, Number 70; Pages 19477-78) or you may visit http://dms.dot.gov.

Small Business Regulatory Enforcement Fairness Act

The Small Business Regulatory Enforcement Fairness Act (SBREFA) of 1996 requires FAA to comply with small entity requests for information or advice about compliance with statutes and regulations within its jurisdiction. If you are a small entity and you have a question regarding this document, you may contact a local FAA official, or the person listed under FOR FURTHER INFORMATION CONTACT. You can find out more about SBREFA on the Internet at http://www.faa.gov/regulations_policies/rulemaking/sbre_act.

Authority for This Rulemaking

The Commercial Space Launch Act of 1984, as codified and amended at 49 U.S.C. Subtitle IX—Commercial Space Transportation, ch. 701, Commercial Space Launch Activities, 49 U.S.C. 70101-70121 (the Act), authorizes the Department of Transportation and thus the FAA, through delegations (64 FR 19586, Apr. 21, 1999), to oversee, license, and regulate commercial launch and reentry activities and the operation of launch and reentry sites as carried out by U.S. citizens or within the United States. 49 U.S.C. 70104, 70105. The Act directs the FAA to exercise this responsibility consistent with public health and safety, safety of property, and the national security and foreign policy interests of the United States. 49 U.S.C. 70105. The FAA is also responsible for encouraging, facilitating and promoting commercial space launches by the private sector. 49 U.S.C. 70103. A 1996 National Space Policy recognizes the Department of Transportation as the lead Federal agency for regulatory guidance regarding commercial space transportation activities. The FAA's authority to issue rules regarding commercial space transportation safety is found under the general rulemaking authority, 49 U.S.C. 322(a), of the Secretary of Transportation to carry out Subtitle IX, Chapter 701, 49 U.S.C. 70101-70121 (Chapter 701).

Background

This final rule addressing licensing and safety requirements for launch was preceded by two proposals and a draft rule made available to the public through the docket. The FAA published a comprehensive notice of proposed rulemaking (NPRM) on October 25, 2000. 65 FR 63921. The FAA received comments until April 23, 2001. The FAA addressed commenters' concerns in a supplemental notice of proposed rulemaking (SNPRM) published on July 30, 2002. 67 FR 49456 (“2002 SNPRM”). The FAA held a public meeting on the SNPRM on September 6, 2002 and received comments until October 28, 2002. Commenters were concerned with the anticipated cost of complying with the proposal. On February 28, 2005, the FAA placed a series of documents in the docket, including draft regulatory text, a draft analysis of comments (February 2005 Analysis of Comments), a summary of major changes since the SNPRM, and an independent economic assessment from SAIC. 70 FR 9885 (Mar. 1, 2005).

SAIC estimated that the rule would cost the industry a discounted $3.8 million [1] over the years 2005 through 2009. This is less than the $7.3 million discounted cost to industry estimated by this Regulatory Evaluation. SAIC estimated recurring costs ranging from $110,000 to $165,000 per launch and fixed costs of either $0 or $100,000. However, in deriving the total industry cost of $3.8 million (discounted at 7%), SAIC estimated that there would be four to six launches per year. The current FAA launch forecast is about twelve per year. SAIC also estimated and discounted costs over the period 2005 through 2009, while the FAA estimated and discounted costs over the period 2006 through 2010. SAIC costs are in 2002 dollars while FAA estimates are in 2004 dollars.

The FAA converted the SAIC cost estimates to 2004 dollars, used the latest FAA ELV forecast and discounted costs over the five-year period 2006 through 2010. The result was an estimated cost of $10.5 million (discounted to $8.6 million) over the period. This estimate is a conservative one because it uses the higher per launch cost of $165,000.[2] It is also very close to the estimate derived independently in FAA's own Regulatory Evaluation.

The FAA held a public meeting on March 29-30, 2005 and received public comment on these documents until June 1, 2005. The draft analysis of comments in the docket is a detailed analysis of voluminous comments the FAA received during this rulemaking process. The FAA encourages the public to review this analysis of comments for specific concerns regarding this rule. The resolution of those comments is part of the record of this rulemaking.

This final rule codifies the successful safety measures that the Department of Defense and NASA have implemented at Federal launch ranges in the U.S. A launch operator must comply with both FAA commercial space transportation regulations and Federal range launch safety requirements, the latter through its launch license. In addition, some Federal range safety practices are incorporated into vehicle specific documents, also known as “tailored documents,” and these practices need to be codified to give all launch operators notice regarding other permissible alternatives. Until this rulemaking, the FAA has not adopted clear safety requirements for launches from a non-Federal launch site. The FAA evaluates applications for launch from a non-Federal launch site on a case-by-case basis, weighing the safety of launches from non-Federal launch sites against Federal launch range practices, procedures and requirements, including the safety requirements of the U.S. Air Force. See 14 CFR part 415, subpart F.

This final rule identifies and establishes the requirements for a launch operator launching from a Federal launch range or a non-Federal launch site. This rule allows a launch operator to interact with a Federal launch range in the same manner it does now. This rule also adopts the latest safety practices of Federal ranges, determined through the Common Standards Working Group (CSWG), a joint FAA and Air Force task force. By standardizing safety requirements between the Federal ranges and the FAA, the same level of safety is achieved throughout the United States. This standardization also improves efficiency in the launch industry, because launch operators have one set of clear rules. Codification improves transparency in the regulatory process for both established launch operators and new entrants.

Summary of the Final Rule

This final rule establishes requirements for obtaining a license to launch an expendable launch vehicle (ELV) from a non-Federal launch site. This rule also codifies safety responsibilities and requirements that apply to any licensed launch, regardless of where it takes place. The rule prescribes standardized application requirements and clarifies safety issues that an applicant must address. These application requirements, contained in 14 CFR part 415, subpart F, require an applicant to demonstrate how it would satisfy the safety requirements of the new part 417 in order to obtain a launch license.

A launch operator currently supplies a Federal launch range much of the information needed for the various safety analyses and verifications that a Federal launch range performs. However, the Federal launch range staffs and controls the launch. Launch operators will do more of their own safety work at a non-Federal launch site than they have at the Federal launch ranges because they will not be able to take advantage of the Federal range personnel and oversight as they do now. This does not mean that the requirements adopted today are new, only that a launch operator at a non-Federal launch site must work with the FAA to determine how to satisfy the safety requirements normally performed by a Federal launch range.

Definitions

The FAA adopts new definitions in this final rule. They include:

Equivalent level of safety. The FAA adopts a different definition than was proposed in the 2002 NPRM. An equivalent level of safety now means an approximately equal level of safety as determined by qualitative or quantitative means. The FAA does not adopt its proposed reference to risk in this definition, because demonstration by qualitative or quantitative means need not be risk based. The definition is now broad enough to adapt to new circumstances.

Launch site safety assessment. The FAA adopts a definition of a Launch Site Safety Assessment (LSSA), formerly called a baseline assessment. The FAA will assess each Federal launch range and determine if the range meets FAA safety requirements. If there are any differences between range practice and FAA requirements, the differences will be documented in the LSSA. The FAA does not anticipate many, if any, differences for Federal launch ranges because it derived most of the requirements for part 417 from the safety requirements of the Federal launch ranges themselves. A launch operator relying on a LSSA to demonstrate compliance with FAA regulations should pay particular attention to any differences because a launch operator will still be responsible for satisfying FAA safety requirements but may have to perform work or conduct analysis previously performed by a Federal launch range.

Requirements for Obtaining a Launch License for an Expendable Launch Vehicle

Part 415 contains requirements that an applicant must meet in order to obtain a license, and part 417 contains requirements that a licensee must comply with during the term of the license. The FAA moved all post-licensing requirements and responsibilities out of part 415 and placed them in part 417, subpart A to group them together. Part 415 references part 417 requirements where appropriate. The FAA did not change its part 415, subpart C application requirements for launching from a Federal launch range, except to clarify the role of a LSSA, and to consolidate and clarify the flight readiness requirements of section 415.37, as discussed in the docketed draft analysis of comments.

Safety Review and Approval for Launch From a Federal Launch Range

Subpart C of part 415 describes how the FAA reviews the safety of licensed launches from Federal launch ranges. Subpart C contains safety requirements and recognizes that a launch operator may use a LSSA to demonstrate compliance of FAA safety-related launch services and property provisions.

Section 415.31 explains how the FAA conducts a safety review of an applicant proposing to launch from a Federal launch range. The FAA clarified section 415.31 and other sections in part 417 to make it absolutely clear that an applicant may contract with a Federal range for many Federal range safety-related launch services and property. These provisions should clarify that a launch operator will maintain the same relationship it has with a Federal launch range.

Safety Review and Approval for Launch From a Non-Federal Launch Site

Subpart F of part 415 contains requirements that an applicant must meet to obtain a safety approval for a launch from a non-Federal launch site. Subpart F requires an applicant to demonstrate how it would satisfy the safety requirements of part 417 in order to obtain a launch license.

Launch Safety Generally

Part 417 contains the standards by which the FAA assesses the adequacy of both a licensee and a Federal launch range. The FAA assesses a launch operator through the licensing process and a Federal launch range through a LSSA. The FAA developed the standards in part 417 after extensive negotiation in the CSWG. These standards include not only current Federal launch range standards but also current practice at the Federal ranges. This rulemaking incorporates any lessons learned through tailoring of launch operator requirements. Therefore, the FAA anticipates that the LSSA for each Federal launch range will disclose few, if any, range differences with part 417 requirements. Nonetheless, it is possible some FAA requirements may differ from range requirements. In such a case, any differences will be documented in a LSSA.

General and License Terms and Conditions

The FAA moved existing part 415 subpart E, Post-Licensing Requirements—Launch License Terms and Conditions into subpart A of part 417. This change enables a launch operator to reference one source, instead of two or more for the post-licensing responsibilities and requirements. The requirements of part 417, subpart A apply to launch operators launching from both Federal and non-Federal launch sites, except where noted. As a result, part 415 includes all the responsibilities and requirements that an applicant needs to fulfill in order to obtain a license, and part 417 includes all the responsibilities and requirements that a launch operator needs to fulfill in order to keep a license.

Requests for Relief and Tailoring

The Federal ranges permit tailoring of requirements. With tailoring, range and launch operator personnel produce a document that details all areas where the Air Force grants some form of relief without a degradation of safety. The FAA will accept prior agreements between the Air Force and a launch operator, as long as the FAA and the Air Force determine there is no change in circumstance that would degrade safety.

The FAA will utilize equivalent level of safety determinations, similar to the Air Force tailoring process, and FAA waivers to grant relief to launch operators. The FAA will also accept written evidence of Air Force “meets intent” certifications (MIC) and previously granted Air Force waivers. The FAA will also accept Air Force grandfathering of prior practices.

Definition of Public

This final rule does not change the existing FAA definition of the “public.” As discussed in greater detail in the draft final rule in the docket, it is impossible for industry to determine the implications of a change in definition at this time because there has not been opportunity to discuss concerns in depth. Commenters pointed out that a change may impose burdens, place logistical, schedule, and programmatic activities at risk, and adversely impact the cost or availability of insurance. The current FAA definition of public is different from the definition of public that the ranges use. However, recent Federal range safety analysis determined that commercially licensed launches from the Eastern and Western ranges complied with the risk criterion of less than 30 × 10⁻⁶ when using the FAA definition of the public. In addition, the Western Range has not assessed the impact of the current FAA definition of public for launches of the Evolved Expendable Launch Vehicle scheduled to launch from that range in the near future. The Western Range will conduct a similar safety analysis once the EELV operators provide the appropriate data.

Launch Services and Liability

As discussed in the public meeting, the FAA seeks to clarify that a launch operator is responsible for its launches, including launches from a Federal range or from a non-Federal launch site. Even if a launch operator contracts with a Federal range to perform many services, the launch operator must still conduct a launch that complies with part 417. In addition, although a launch operator may contract certain duties and responsibilities required by part 417, the launch operator cannot delegate its accountability for safe operations under part 417.

Launch Reporting Requirements

A launch operator is required to provide launch specific information at various times to the FAA after receiving a launch license. All information updates not covered by section 417.17 should be filed under the license modification requirements of section 417.11. The FAA will work with launch operators concerning the availability of information at various points in the launch schedule and the FAA is willing to consider waiver requests for certain reporting requirements.

Post Launch Report

This rule requires a launch operator to identify discrepancies or anomalies that occur during the launch countdown or flight, including any deviations from the terms of the launch license or to the operating environments. This rule requires post launch reporting for every launch.

Launch Safety Responsibilities

Subpart B of part 417 is a road map describing the responsibilities of a launch operator when conducting a licensed launch of an ELV. Subpart B covers all of the safety issues that a launch operator's safety program needs to address. A launch operator should pay particular attention to section 417.107, because its requirements rely on many of the analyses covered in other subparts. Subpart B contains the requirement to implement the results of analysis; other subparts contain the performance requirements governing those analyses, and the appendices include the methodologies to satisfy the performance requirements.

The FAA has clarified in this rule that a launch operator launching from a Federal launch range and contracting with a range for certain safety-related launch services and property may use a LSSA to demonstrate compliance with part 417 requirements. In essence, use of a LSSA preserves the current relationship a launch operator has with a range. If a LSSA finds differences between part 417 requirements and range requirements, the FAA will document any differences in the LSSA, and the FAA and the Air Force will work with a launch operator to resolve these differences.

It is also important to reinforce the change from the FAA's original proposal concerning public risk criteria in paragraph 417.107(b). As discussed in the SNPRM, the FAA originally proposed to aggregate the risks attributable to all mission hazards and set a cap on the total mission risk of all hazards at an expected average casualty of 30 × 10⁻⁶. The FAA now limits the acceptable risk attributable to each hazard, rather than to an aggregate of the risk for all hazards.

Flight Safety Analysis

A flight safety analysis is one of the cornerstones of a safe launch. A flight safety analysis determines where a launch vehicle may safely fly, where it may not, and monitors and controls risk to the public from normal and malfunctioning launch vehicle flight. A launch operator is required to conduct a flight safety analysis by section 417.107(f). Subpart C of part 417 contains the performance requirements for conducting such an analysis. Appendices A, B, C, and I contain the methodologies for meeting the performance requirements of Subpart C.

This final rule does not change current practice between a launch operator and a Federal launch range. A launch operator launching from a Federal launch range may still contract with that range to provide flight safety analyses. Any launch operator contracting with a Federal launch range for flight safety analysis may rely on a LSSA to determine whether the range can ensure compliance with this subpart. That launch operator must ensure that it satisfies any requirement that a range does not meet. The FAA and the Air Force will work with the launch operator to ensure compliance. A launch operator may also file an alternate flight safety analysis for FAA approval.

Under a flight safety analysis the FAA requires a launch operator to use a flight safety system, a wind-weighting safety system for any unguided suborbital launch vehicle, or an alternative flight safety system approved by the FAA during the licensing process. The chart below describes the flight safety analysis requirements for each type of system.

The performance requirements for a flight safety system and a wind-weighting system are both located in subpart C. However, the methodologies for meeting the performance requirements are different for each system. Appendices A, B, and I contain the methodologies for a flight safety system and Appendices B, C, and I contain the methodologies for a wind-weighting system. All of the following performance requirements adopt current range practices, as identified through FAA consultation with range safety personnel. Below is a description of each of the analyses that together constitute a flight safety analysis. The results of a flight safety analysis using a flight safety system or a wind-weighting safety system are then used to establish rules governing when it is safe to launch, which are referred to as flight commit criteria. A flight safety analysis using a flight safety system also establishes rules governing the termination of flight.

A trajectory analysis establishes, for any time after lift-off, the limits of a launch vehicle's normal flight, as defined by the nominal trajectory and potential three-sigma trajectory dispersions about the nominal trajectory. The trajectory analysis must also establish a fuel exhaustion trajectory and a straight up trajectory. A fuel exhaustion trajectory produces instantaneous impact points with the greatest range for any given time-after-liftoff for any stage that has the potential to impact the Earth and does not burn to propellant depletion before a programmed thrust termination. For example, a stage that fails to terminate at its programmed thrust termination point will continue flight until burnout if the stage contains residual fuel. A straight-up trajectory projects the results that would occur if a launch vehicle malfunctioned and flew in a vertical or near vertical direction above the launch point.

A malfunction turn analysis describes a launch vehicle's turning capability in the event of a malfunction during flight. This analysis accounts for where a vehicle would go in the event of a malfunction by plotting a series of malfunction turns that must account for numerous factors. This analysis determines, for any point in flight, how far off course a vehicle can travel before either the flight safety system takes action or the vehicle breaks apart due to aerodynamic forces.

A debris analysis accounts for the debris produced by both normal events, such as the planned jettison of stages in an ocean, and abnormal events, such as destruction of the launch vehicle. This analysis must identify the inert, explosive and other hazardous launch vehicle debris that results from normal and malfunctioning launch vehicle flight. A debris analysis also requires a debris list, which is commonly referred to as a “debris model,” and must account for each cause of launch vehicle breakup. The debris lists describe and account for all debris fragments and their physical characteristics. A debris model categorizes, or groups, debris fragments into classes where the characteristics of the mean fragment in each class represent every fragment in the class. These debris lists are used as input to other flight safety analyses, such as those performed to establish flight safety limits and hazard areas and to determine whether a launch satisfies the public risk criteria of section 417.107.

A flight safety limits analysis identifies when flight must terminate to limit the hazardous effects of debris impacts on any populated or other protected area, establishes designated impact limits to bound the area where debris with a ballistic coefficient of three or more is allowed to impact without a flight safety system failure, and ensures that a launch satisfies the public risk criteria.

A straight-up time analysis accounts for how long a vehicle may fly straight up before it poses a hazard to the public if it fails to turn downrange. This analysis also identifies the point in flight where termination is no longer required. This analysis establishes the latest time after liftoff, assuming a launch vehicle malfunctioned and flew in a vertical or near vertical direction above the launch point, that activation of the launch vehicle's flight termination system or breakup of the launch vehicle would not cause hazardous debris or critical overpressure to affect any populated or other protected area.

Data loss flight time and no longer terminate time analyses establish time periods during the nominal flight of a launch vehicle when flight termination is not necessary even if tracking data is not available. Generally, termination is not required because either the data loss is so brief a vehicle could not reach a populated or protected area or the vehicle has reached a point where the remaining thrusting potential, in a worst case scenario, does not let the vehicle reach a populated or protected area.

A time delay analysis establishes the mean elapsed time between the violation of a flight termination rule and the time it takes a flight safety system to terminate flight. This analysis is used in establishing a vehicle's flight safety limits.

A flight hazard area analysis determines what areas of land, air, and sea must be controlled, by evacuation or notices to mariners and airmen, because of the risk to the public from debris impact hazards. The FAA does not adopt a specific impact probability or casualty expectation protection criterion for ship and aircraft hazard areas because the different federal ranges use different criteria. The FAA simply requires a launch operator to provide the same level of protection as that of a federal range when performing the analysis. The FAA does require a launch operator to conduct a hazard analysis and inform the public as to the location of any resulting hazardous areas. In addition, the FAA provides a methodology in appendix B for quantitatively constructing these hazard areas as part of the hazard analysis using the same construction methods that a federal range uses.

A probability of failure analysis requires a launch operator to establish a launch vehicle failure probability, regardless of hazard or phase of flight, in a consistent manner, using accurate data, scientific principles, and a statistically valid method. For a launch vehicle with fewer than two flights, the failure probability estimate must account for the outcome of all previous launches of vehicles developed and launched in similar circumstances. For a launch vehicle with two or more flights, launch vehicle failure probability estimates must account for the outcomes of all previous flights of the vehicle in a statistically valid manner.

A debris risk analysis determines the expected number of casualties (Ec) to the collective members of the public, if the public were exposed to inert and explosive debris hazards from the proposed flight of a launch vehicle.

A toxic release hazard analysis determines any potential public hazards from any toxic release during the proposed flight of a launch vehicle or that would occur in the event of a flight mishap. A launch operator performs a toxic release hazard analysis using the methodologies of appendix I of part 417. The FAA requires a toxic release analysis to establish flight commit criteria to protect the public from any toxic release, and to demonstrate compliance with the public risk criterion of section 417.107(b).

A launch operator's flight safety analysis must also establish flight commit criteria that will protect the public from any hazard associated with far field blast overpressure effects due to potential explosions during flight, and to demonstrate compliance with the public risk criterion of section 417.107(b). This analysis applies to any far-field overpressure blast effects analysis such as the potential for overpressure effects based upon meteorological conditions and terrain characteristics, potential for broken windows, launch vehicle explosive capability, population shelter types, window characteristics, and hazard characteristics of glass shards.

A collision avoidance analysis requires a launch operator to establish a period in a planned launch window during which a launch operator could not initiate flight, so as to maintain a 200-kilometer separation from any habitable orbiting object. This analysis must account for all variances associated with launch vehicle performance and timing and ensure that any calculated launch hold incorporates all additional time periods associated with such variances. This standard is in keeping with current practice because a Federal range launch wait already accounts for such variances. A launch vehicle performing nominally within its three-sigma performance envelope could have a different separation distance or intercept time with a resident space object as compared to the same launch vehicle performing on its nominal trajectory. A launch wait, as part of a collision avoidance analysis, accounts for these variances.

An overflight gate analysis determines whether a vehicle can overfly populated areas. This analysis requires a launch operator to file information to explain why it is safe to allow flight through a flight safety limit, the limit that protects populated or protected areas, without terminating a flight. This analysis accounts for the fact that it is potentially more dangerous to populated or protected areas to destroy a malfunctioning vehicle during certain portions of a launch than not to destroy it. In some circumstances, a destroyed vehicle may disperse debris over a wider area affecting more people than if the vehicle were to impact intact.

A hold and resume gate analysis may, in the event a launch operator has lost tracking data information, still allow a normally performing launch vehicle to overfly or nearly overfly a populated or otherwise protected area to avoid dispersing debris over a populated area when a launch vehicle might still be performing normally. This analysis would expand the range of acceptable trajectories for coastal launch sites whose flight corridors could contain isolated populated or protected islands. It would also increase the availability of inland launch locations by allowing a normally performing vehicle to overfly populated or otherwise protected areas from a site that is wholly contained within a populated or otherwise protected area.

The launch of an unguided suborbital launch vehicle (USLV) flown with a wind weighting safety system also requires analysis to establish wind constraints and other corrections for wind effects on a launch. The flight safety analysis of such a flight must also demonstrate compliance with the safety criteria and operational requirements for the launch of a USLV contained in section 417.125. A launch operator must also ensure the flight safety analysis for a USLV is conducted in accordance with the methodologies in Appendices B, C, and I.

Flight Safety System

The FAA also adopts standards for a flight safety system. As discussed earlier, subpart B of part 417 describes when a launch operator must use a flight safety system. Subpart D of part 417 contains the performance requirements of any flight safety system that a launch operator must use. Appendix D has methodologies for meeting the performance requirements of a flight termination system. Appendix E has the test requirements for a flight termination system.

A flight safety system is a system that provides a means of control during flight for preventing a hazard from a launch vehicle, including any payload hazard, from reaching any populated or other protected area in the event of a launch vehicle failure. A flight safety system includes all hardware and software used to protect the public in the event of a launch vehicle failure, and the functions of any flight safety crew. A typical flight safety system is composed of a flight termination system (FTS) and a command control system. The FAA adopts requirements for the flight termination system components onboard a launch vehicle as well as command control components that are typically ground based. This final rule also defines a process for determining the reliability of a flight safety system. The reliability process consists of specific flight termination system design standards and criteria, a reliability analysis of the FTS design, and comprehensive testing to qualify the FTS design and certify and accept FTS components.

A launch operator may employ an alternate flight safety system if approved by the FAA. An alternate flight safety system must undergo analysis and testing that is comparable to that required by Subpart D of part 417 to demonstrate its reliability to perform its intended functions. In addition, the FAA built flexibility into this area by permitting entities other than a launch operator to conduct required tests or analysis. The FAA recognizes that a vendor, contractor, or Federal range may perform the required tests and analysis of this subpart. However, the FAA notes that a launch operator is ultimately responsible for employing a flight termination system that satisfies all FAA requirements of subpart D and appendices D and E of part 417.

For launch from a non-Federal launch site, compliance with the flight safety system requirements is demonstrated through the licensing process. For a launch from a Federal launch range, the FAA will accept the flight safety system used or approved on a Federal launch range, if a launch operator has contracted with a Federal launch range for the provision of flight safety system services and property, and the FAA has assessed the range through a LSSA and found that the range's property and services satisfy the requirements of this subpart. In this case, the FAA will treat the Federal launch range's flight safety system's property and services as that of a launch operator. This is consistent with the FAA's current practice for launches from Federal ranges. Under this provision, the FAA expects that launch operators at Federal ranges will continue to rely on the Federal range to approve flight termination systems and provide command control and support systems that comply with the requirements of this part.

A flight safety system must have a command control system to transmit a command signal that has the radio frequency characteristics and power needed for receipt of the signal by the flight termination system onboard the launch vehicle. The command control system must include equipment to ensure that an onboard vehicle termination system will receive a transmitted command signal and must meet subpart D's performance requirements, including those addressing reliability prediction, fault tolerance, configuration control, electromagnetic interference, command transmitter failover, the ability to switch between transmitter systems, radio carrier, command control system monitoring, command transmitter system, and command control antennas. Each command control system, subsystem, component, and part that can affect the reliability of a component must have written performance specifications that demonstrate, and contain the details of, how each satisfies the performance requirements of subpart D.

Testing requirements apply to a new or modified command control system. This testing includes preflight testing. Each test must follow a written plan that specifies procedures and test parameters, and must include instructions on how to handle procedural deviations and react to test failures. A launch operator must also prepare written test reports for each test. In accordance with a launch site safety assessment, for a launch from a Federal launch range, a launch operator may continue to rely on the range's verification that the system satisfies all the test requirements. Appendix D of part 417 contains methodologies that a launch operator can use to conduct the tests. Appendix D provides one means of satisfying the requirements of this rule. A launch operator may also file an alternative means for FAA review and approval.

A flight safety system must also have design, test, and functional requirements for systems that support the functions of a flight safety crew, including any determination to terminate a flight. The vehicle tracking system is one of these support systems. It must include two independent tracking sources and provide the launch vehicle position and status to the flight safety crew from liftoff until the vehicle reaches its planned safe flight state. Other support systems include telemetry, a communications network, data processing, display and recording, displays and controls, support equipment calibration, destruct initiator simulator, and timing. The data processing, display and recording system must display and record raw input and processed data at no less than 0.1 second intervals. Again, appendices D and E of part 417 provide the methodologies that a launch operator must use, absent an equivalent alternative, to conduct the above tests.

This rule also requires a launch operator to demonstrate the predicted reliability of a flight safety system, including a flight termination system, command and control system, and each of its components. This reliability analysis must use a reliability model that is statistically valid and that accurately represents the actual system. These analyses must identify all possible failure points and undesired events, the probability that they would occur, and their effects on system performance. The analyses must demonstrate the reliability of a radio frequency link, any software or firmware, any battery, and the survivability of a flight termination system, when exposed to various hostile environments.

A flight safety system must be operated by a qualified flight safety crew. The flight safety crew's capabilities are verified through a training program and approved during the licensing process. The FAA's training and qualification approach is an adaptation of Federal launch range practices.

Ground Safety

The FAA also adopts ground safety standards governing the preparation of a launch vehicle for flight. The FAA recognizes that other Federal agencies regulate various aspects of ground safety. This final rule addresses ground safety issues not otherwise addressed by other Federal regulations, that are unique to space launch processing and that could affect the general public. A launch operator licensee is responsible for developing and implementing a ground safety program in compliance with the specified standards. This final rule does not supersede the ground safety requirements of other regulatory agencies.

In order for a launch operator to meet the ground safety requirements of subpart E of part 417 and the methodologies of appendices I and J, a launch operator must conduct a ground safety analysis. In addition to the Subpart E requirements, a launch operator is also required to conduct a toxic release hazard analysis as part of subpart C, flight safety analysis. For a launch from a range, a launch operator may rely on a launch site safety assessment to demonstrate compliance with both the ground safety analysis and the toxic release analysis. In addition, a launch operator may also demonstrate the acceptability of an alternative method of compliance.

A ground safety analysis consists of identifying each potential hazard, each associated cause, and each hazard control that a launch operator must establish and maintain to keep each identified hazard from affecting the public. A launch operator not relying on a LSSA must conduct this analysis for launch vehicle hardware, ground hardware (including launch site and ground support equipment), launch processing, and post-launch operations. A launch operator not relying on a LSSA must record all of this analysis in a ground safety report, the format for which is located in appendix J.

A launch operator must classify each hazard in the analysis described above as a public hazard, a launch location hazard, an employee hazard, or a non-credible hazard. For some hazards capable of creating catastrophic consequences, a launch operator must implement a dual fault system, so that no single act could cause the catastrophic event. Once a hazard is identified, classified, and a corresponding control is in place, a launch operator must also conduct periodic inspections to ensure safety devices and hazard controls remain in working order. A launch operator must also establish a safety clear zone and prohibit public access during hazardous operations.

Discussion of Comments

At the conclusion of the public comment period on June 1, 2005, the FAA received written comments from The Boeing Company, Lockheed Martin Corp., NASA, Orbital Sciences Corp., Sea Launch Company, Space Exploration Technologies, XCOR Aerospace, and three comments from private citizens. The following discussion responds to substantive comments that explain the reasons for the comment and that were not already submitted and responded to in the past.

General Comments

A number of comments repeat suggested changes for several sections. We address these comments here, instead of in every section. First, for several sections commenters suggested repeating the FAA's willingness to accept alternative approaches that provide an equivalent level of safety.[3] However, it is better to state this only once at the beginning of each subpart, so that a finding of an equivalent level of safety may be made for any requirement in a subpart, rather than just in a few select sections.

Second, if a comment submitted in 2005 repeats a comment submitted in response to earlier notices, but raises no new issues or adds no new information, the FAA will continue to rely on its own earlier response, including those placed in the docket on February 28, 2005. For example, XCOR Aerospace, in addition to providing new comments, also submitted a copy of the same comments given in response to the 2001 NPRM.[4]

Third, the FAA is unable to respond to comments that do not provide an explanation or a reason for a suggested change for a comment.[5] Likewise, a number of comments request a change to the proposal based on cost concerns, but do not provide cost data to substantiate that concern.[6] In addition, we do not specifically address requests for clarifying or editorial changes, even though we may accept some of those changes.[7]

Fourth, some commenters continue to suggest that they do not satisfy the part 417 requirements or they are currently operating to a different standard. This is because a range found an equivalent level of safety through tailoring or a meets intent certification. The FAA's grandfathering policies should address these concerns. Also, as noted in the Analysis of Comments the FAA placed in the docket on February 28, 2005, the FAA did consult with the ranges regarding a number of these concerns when they were raised earlier in the rulemaking, and operators are apparently in compliance, but unaware that they are.[8]

Fifth, the FAA received several comments concerning requirements for a launch operator to file information during a particular time period, e.g., thirty days before a launch. The FAA did not change the suggested timing requirement because the FAA already provides a process for granting waivers under part 404. As noted at the 2005 public meeting, the FAA routinely grants waivers to administrative timing requirements. Additionally, the FAA plans to permit the coordination of timing issues at Federal launch ranges to be taken care of by the Federal launch ranges.[9]

Sixth, the FAA received some comments claiming that a proposed requirement was not current practice. The FAA reviewed current practice with the Federal launch ranges, and received confirmation that the commenters' suggestion is current practice at the ranges. The FAA therefore adopts the commenters' suggestions.[10] In addition, some comments simply claimed that a proposed requirement is not current practice, without further explaining what the commenter considers current practice.[11] The FAA was able to confirm with the Federal ranges that the FAA requirement is current practice. In this regard, commenters who questioned whether a requirement was current practice in this latest round of comments may be assured that the FAA checked again with U.S. Air Force range safety personnel on each comment discussed in detail below.

Finally, XCOR submitted general comments concerning the latest draft documents placed in the docket on February 28, 2005. These comments included the general statement that the FAA should abandon this rulemaking, start over, and engage industry in real dialogue because this rulemaking will destroy industry, is too burdensome, and actually decreases public safety. The FAA notes that this rulemaking adopts current practice, so there is no degradation to public safety. In addition, the industry's relationship with the Federal launch ranges will not change. To the extent that XCOR is concerned that current practice is too burdensome, the FAA is not proposing any changes.

Launch Site Safety Assessments

In accordance with comments from industry, if the FAA has assessed a Federal launch range, through its launch site safety assessment, and found that an applicable range safety-related launch service or property satisfies FAA requirements, then the FAA will treat the Federal launch range's launch service or property as that of a launch operator's, and there will be no need for further demonstration of compliance to the FAA. The FAA agrees with most commenters that existing Federal launch range safety requirements and processes have worked well in protecting the safety of the public and property. The March 2005 Draft Regulatory Language and Analysis of Comments, at 106, stated that the FAA had assessed the Federal launch ranges through the FAA's launch site safety assessment, and found that applicable range safety-related launch analyses, services or property satisfied the requirements. Therefore, the FAA proposal intended to treat a Federal launch range's launch service or property as that of a launch operator's. The FAA remains committed to this position. Participants at the 2005 public meeting referred to this practice as an “off-ramp.”

The FAA discussed the sufficiency of the launch site assessment process at a public meeting held on March 29-30, 2005 (“2005 public meeting”). At that public meeting, FAA officials thoroughly briefed, discussed, and entertained multiple questions from industry representatives in an attempt to assure the launch operators of the FAA's plan to allow launch operators to continue using the ranges as their primary interface. The FAA encouraged the launch operators to work with the FAA in determining appropriate language if the proposed language did not satisfy industry concerns. Industry was encouraged to act immediately and not wait until the end of the comment period. Industry responded at the close of the comment period.

Orbital [12] described the FAA's previously established approach to accepting a Federal launch range's range safety-related launch service or property as an “off-ramp” for launch operators operating on a Federal launch range. Orbital requested that the FAA expressly provide that no further demonstration of compliance to the FAA be required of a launch operator, and the FAA adopts this clarification. Lockheed suggested similar language for section 417.1(g). The FAA provides this assurance at the beginning of every substantive subpart of this rule.

Boeing suggested removing any suggestion that a Federal launch range's analyses might not satisfy an FAA requirement, and that the provision should not entertain that possibility. The FAA does not accept this suggestion. Federal launch range practices change over time. Ideally, the FAA's launch site safety assessment reflects those changes. However, a Federal launch range could change a requirement without the agreement of the FAA. This is highly unlikely due to the CSWG goal of maintaining common standards. A Federal launch range could, however, decide that it no longer will perform a flight safety analysis or some other service for launch operators due to a decreasing budget or other reasons. Therefore, the FAA's acceptance of Federal launch range work must recognize that theoretical possibility.

Application Requirements

Section 415.111 requires that an applicant's safety review document identify all persons with whom the applicant has contracted to provide goods or services for the launch of the launch vehicle. Sea Launch commented that this is an overly detailed requirement and it would be nearly impossible to meet because it includes all persons with whom the applicant has contracted. Sea Launch recommends that the requirement be limited to only persons who provide safety-related services. The FAA agrees and adopts the requirement as suggested.

Section 415.123 contains requirements for computing systems and software. Sea Launch commented that these requirements are not current practice. AFSPCMAN 91-710, Volume 1, Attachment 2, “System Safety Program Requirements,” requires analysis of software and computing systems hazards and risks as part of a comprehensive analysis of system safety, and verification and validation. Therefore, the FAA did not change this section in response to this comment.

Launch Safety

Requests for Relief

Paragraphs (c) and (d) of section 417.1 require written evidence of a meets intent certification or waiver for a launch operator to be eligible for relief. Lockheed and Boeing commented at the 2005 public meeting that such evidence may not exist in the way of a meets intent certification. The FAA clarifies that other forms of written evidence are acceptable and now provides examples.

Section 417.1(c) provides a launch operator with an alternative means to satisfy an FAA requirement through an equivalent level of safety if written evidence demonstrates that a Federal launch range has, by the effective date of this part, granted a “meets intent certification.” Section 417.1(d) states that a requirement of this part does not apply to a launch if written evidence demonstrates that a Federal launch range has, by the effective date of this part, granted a waiver that allows noncompliance with the requirement. Lockheed requested the FAA strike the term, “by the effective date of this part.” Lockheed stated that suspension of the “meets intent” certification process and waiver process as of the effective date of the final rule promulgated by the FAA would result in a significant impact to the Atlas program, although Lockheed did not state in its written comments how or why this impact might occur.

As discussed in the 2005 public meeting, the FAA cannot eliminate the reference to the effective date. This effective date is retained because any relief granted before the effective date requires proof that the Federal launch range granted such relief. After the effective date, the FAA will coordinate with the Federal launch range to determine whether relief should be granted. Also, as discussed in the SNPRM, agencies cannot waive each other's requirements. This rulemaking remedies that problem. The effective date requirement must remain because the requirement applies to all previously grandfathered requirements. The effective date does not terminate the relief process, as suggested by Lockheed and Boeing.

Lockheed Martin also suggested that the FAA add a new section adopting the practice of “tailoring” at the Federal ranges. The FAA does not need to add the section because although the FAA in practice will continue the tailoring process, it will do so through the use of an equivalent level of safety determination.

License Terms and Conditions

Section 417.7 states that a launch operator is responsible for ensuring public safety and the safety of property at all times during the conduct of a licensed launch. Lockheed requested the FAA add that for licensed launches from a Federal launch range, compliance with section 417.13, which says a launch operator must enter into an agreement with and comply with range requirements, satisfies the launch operator's public safety requirements. Lockheed reasoned that the Federal launch ranges play a key role in conducting launch activities and the range has its own authorities and responsibility with regard to ensuring public safety. A launch operator cannot subsume these responsibilities. Although Lockheed is correct about the important role of the Federal launch ranges, the role of the range does not detract from a launch operator's responsibilities for safety under its license. A Federal launch range cannot subsume a launch operator's responsibilities either. The FAA's description of the launch operator's responsibility has been part of the regulations for years. See 14 CFR 415.71. That a range has responsibilities does not mean that a launch operator does not have these same responsibilities. As explained in previous rulemakings, a launch operator must comply with the requirements of both the ranges and the FAA. See, Commercial Space Transportation Licensing Regulations, NPRM, 62 FR 13234 (Mar. 19, 1997).

Scheduling

Proposed section 417.17(b)(1) would have required that for each launch, a launch operator must file a launch schedule that identified each point of contact by name and position for each scheduled activity. The FAA proposed that the points of contact be filed no later than six months before flight. Sea Launch commented at the 2005 public meeting and both Boeing and Sea Launch commented in written comments, that a single schedule point of contact is current practice and that requiring the information six months before flight was excessive. The FAA agrees and instead requires a single point of contact for the schedule and that the launch schedule must be filed and updated in time to allow FAA personnel to participate in the reviews, rehearsals, and safety critical launch processing.

Proposed paragraph (b) of section 417.25 would have required that for a launch operator launching from a non-Federal launch site, a launch operator must file a post launch report with the FAA 90 days after the launch. Sea Launch commented that current practice requires a 30 and 60 day report and that the 90 day report is not current practice. The reports filed by Sea Launch under current practice meet the requirement of section 417.25(b). To clarify, the FAA now requires the report be filed no later than 90 days after launch. The clarification is also made to section 417.25(a).

Launch Safety Responsibilities

Section 417.103(b)(2) requires that a safety official have direct access to a launch operator's launch director. The FAA had proposed that a safety official report directly to the launch director, but Lockheed pointed out that these employees may be stationed in different parts of the country. The FAA clarifies that direct access means a safety official can communicate safety concerns to the launch director. This provision does not mandate the organizational structure of a launch operator.

Flight Safety

Section 417.107(b) requires a launch operator to demonstrate that any risk to the public satisfies public risk criteria of Ec ≤ 30 × 10⁻⁶ for each hazard before initiating the flight of a launch vehicle. Boeing suggested that the FAA use 30 × 10⁻⁶ as a level defining acceptable launch risk without high management review. As it has in the past, Boeing suggested that the Ec criterion lacks mathematical justification and therefore should not represent a hard limit. The acceptable risk criterion for debris at 30 × 10⁻⁶ is current practice and has been an FAA requirement since 1999 under section 415.35(a), which is not changed by this rulemaking. Previous FAA discussions in the July 2002 SNPRM, the February 2005 Analysis of Comments, and the FAA's 2005 public meeting discussed the 30 × 10⁻⁶ criterion and its acceptability.

Section 417.107(e) requires a launch operator to ensure that a launch vehicle, any jettisoned components, and its payload do not pass any closer than 200 kilometers to a habitable orbital object and to obtain a collision avoidance analysis for each launch. Lockheed [13] requested that the FAA change “habitable” to “known inhabitable” on the grounds that if there is uncertainty about whether an object is habitable the required collision avoidance distance may be less. The FAA will not adopt the suggested change because it would not change the separation distance or reflect current practice in classification of these types of orbital objects. Even if an object is not known to be habitable with absolute certainty, safety errs on the side of being conservative and claims of habitability are taken at face value. If an object is designed to be habitable the separation distances must be maintained.

Instead, the FAA requires a 200 km separation distance for “manned or mannable” objects to match the current terminology of the Federal launch ranges in AFSPCMAN 91-710 and the United States Strategic Command. Mannable objects include all orbital objects that are designed for manned spaceflight. Habitable, or mannable, objects are known and the FAA requirement only applies to those known objects and not to all resident space objects. Current manned or mannable objects include the Space Transportation System (STS), International Space Station (ISS), and Chinese Shenzhou spacecraft. The FAA can adjust the miss distance through an equivalent level of safety on a case-by-case basis similar to Federal launch range current practice.

Section 417.111(e)(2) and (g)(4) require a launch operator to identify personnel, by position, who have authority to approve design changes, maintain documentation of the most current approved design and conduct piece parts tests. Lockheed Martin objected to these requirements on the grounds that a launch operator is responsible for design changes, the requirement might conflict with other hiring, certification and qualification requirements (although Lockheed does not describe the conflicts), and with a launch operator's ability to make personnel decisions. Because the FAA only requires that a launch operator identify such positions, the FAA does not believe that these concerns are well founded. To the contrary, for purposes of configuration management and control, a launch operator should know which position is responsible for design changes, document control and conducting piece parts tests as a matter of prudent business practice.

Section 417.111(h)(2) requires that an accident investigation plan (AIP) contain procedures that ensure the containment and minimization of the consequences of a launch accident, launch incident or other mishap. Boeing comments that this type of procedure is usually in an accident response plan not an accident investigation plan because different personnel perform these tasks. The FAA disagrees because this requirement is consistent with existing FAA regulations as found in 14 CFR 415.41(d), 420.59(c), and 431.45(c).

Sea Launch, commenting on sections 417.117(b)(1) and 417.121(a), recommends against requiring a launch operator to review its hazardous operations or identify safety critical pre-flight operations. Because of its unique circumstances, these requirements do not apply to Sea Launch. The FAA does not regulate launch processing operations on the ground outside of the United States. Chapter 701 of Subtitle IX, defines launch to include “* * * activities involved in the preparation of a launch vehicle * * * for launch, when those activities take place at a launch site in the United States.” 49 U.S.C. 70102(4). The launch processing requirements do not apply to Sea Launch because its preparatory activities take place at a launch site outside the U.S. To some extent the comments address flight safety. Sea Launch claims that identifying safety critical preflight operations in a launch schedule is too detailed, and that the FAA has always been informed when such an operation occurred. The FAA agrees that under current practice Sea Launch keeps the FAA informed of safety critical pre-flight operations, but notes that to be informed of them, they must be identified. The FAA and Sea Launch work closely through e-mail and phone contact to identify schedule updates as safety critical preflight operations change. Sea Launch provides a weekly schedule to the FAA via e-mail and also responds immediately to all FAA phone requests for status on safety critical preflight operations. This process has worked well in the past and the FAA recommends that Sea Launch continue this process of notifying the FAA of schedule changes. However, the FAA believes identifying safety critical preflight operations in a launch schedule is critical to maintaining the current level of safety and adopts the requirement.

Rehearsals

Section 417.119(a)(3) would have required each person with a public safety critical role who will participate in the launch processing or flight of a launch vehicle to participate in at least one related rehearsal that exercises all that person's functions. Sea Launch agreed that personnel must rehearse, but stated it would be impossible to exercise all the functions of a public safety critical role in a rehearsal. The FAA does not agree with Sea Launch's proposal that personnel should only participate actively in one related rehearsal, because a single rehearsal does not necessarily exercise personnel in all disciplines of responsibility. Some rehearsals include deliberate anomalous inputs while others exercise normal countdown flow. Personnel may have to participate in more than one rehearsal to exercise their functions. The FAA does agree, however, that it could be impossible to exercise all the functions of a public safety critical role. Therefore, section 417.119(a)(3) requires that each person with a public safety critical role who will participate in the launch processing or flight of a launch vehicle must participate in at least one related rehearsal that exercises his or her role during nominal and non-nominal conditions so that the launch vehicle will not harm the public.

Section 417.119(c) requires a launch operator to conduct a rehearsal of the emergency response section of the accident investigation plan for a first launch of a new vehicle, for any additional launch that involves a new safety hazard, or for any launch where more than a year has passed since the last rehearsal. Sea Launch stated this requirement was not current practice. This requirement does not apply to Sea Launch until such time as it launches a new vehicle, identifies a new safety hazard, or more than a year has passed since the last rehearsal. The FAA currently accepts the rehearsal methodology employed by Sea Launch.

Section 417.119(d) requires a launch operator to rehearse each part of the communications plan required by section 417.111(k), either as part of another rehearsal or during a communications rehearsal. Sea Launch stated these requirements are not current practice and are impractical. Each launch operator will have different plans. The FAA agrees that each launch operator has a different communications plan, but each launch operator must rehearse each part of its communications plan to validate every part of the communications plan. The differences matter only if they do not satisfy the requirements. The FAA currently accepts Sea Launch's communications training sessions.

Flight Safety Analysis

Malfunction Turn Analysis

Section 417.209 requires that a flight safety analysis include a malfunction turn analysis that establishes the launch vehicle's turning capability in the event of a malfunction during flight. Section 417.209(a)(6) requires the turning behavior from the time when a malfunction begins to cause a turn until aerodynamic breakup, inertial breakup, or ground impact. The analysis must contain trajectory time intervals, during the malfunction turn, that are sufficient to establish turn curves that are smooth and continuous.

Boeing needed to confirm with the FAA that its current practice provided an equivalent level of safety. The Federal launch ranges at the Eastern Range and Western Range have accepted the current Boeing practice and find that the data provided allows them to conduct their safety analyses in a manner that satisfies the Federal launch range requirements. The Federal launch range and the FAA have common requirements in this area and both of these ranges have an FAA approved launch site safety assessment. Therefore, the FAA accepts this equivalent level of safety as one that satisfies the FAA requirement.

Flight Safety System

Lockheed requested that in the event of a vehicle failure, a flight termination system (FTS) prevent exceeding a casualty expectation, instead of preventing a vehicle hazard from reaching a populated or otherwise protected area. The FAA does not accept this recommendation because it is current practice to require use of an FTS to prevent a vehicle from reaching vulnerable areas and to prevent a low probability, high consequence event. Risk criteria are separate from the safety requirements for a flight termination system and are not interchangeable.

For section 417.303(l)(1), Lockheed inquired whether the requirement for two or more command signals, which are signals to destroy a vehicle, requires at least two antennas. This rule requires two or more command signals, which requirement is a performance standard that only requires the launch operator to use at least two command destruct signals. The method of compliance is up to the launch operator. Redundant antennas may be used to meet this requirement.

Lockheed suggested that section 417.303(l)(2)(iii) should require each antenna beam width to extend out to the boundaries of “the destruct limit lines” instead of “normal flight” as the FAA proposed. The FAA did not accept the suggestion because the boundaries of normal flight could extend beyond the destruct lines. Normal flight is not necessarily along the nominal path.

Section 417.305(a)(1) requires a command control system, including its subsystems and components, to undergo performance testing when new or modified. Lockheed commented that it is unclear how “modified” is defined, and suggested the FAA specify the level of change that triggers the need for acceptance testing. A command control system component will undergo performance testing at acceptance level environments after completion of the manufacturing processes. The extent of the modification for a particular system will determine the amount of additional retesting that will be required. Extensive modifications to the component may require full or limited performance testing at qualification environments using the qualification test article. In such a case, after successful performance testing of the qualification unit, the flight units subjected to acceptance testing under pre-modification test requirements and environments may require full or limited acceptance testing. In some cases, there may be no additional performance testing at either qualification or acceptance environments. There are modifications that are so minor as to avoid the need for new performance testing. The qualification test for the original systems sets the bar for retesting changes. If the change falls within the qualification envelope of the original system, the operator need not retest the system. A qualification of the modified system by similarity to the original system is also acceptable.

The FAA cannot specify a single level of modification that triggers retesting because the level may differ from system to system. The FAA will determine post modification testing requirements jointly with the Air Force and the launch operator.

For section 417.305(d), Lockheed suggested that a launch operator not be required to obtain a range's verification that a command control system satisfies all test requirements. The FAA agrees that for launches from a Federal range where the range provides and tests the command and control system, the FAA will assess this process in the LSSA and the launch operator will not have to obtain the verification.

Support Systems

Section 417.307 contains design, test, and functional requirements that apply to those systems that are required to be part of a flight safety system to support the functions of a flight safety crew, including making a flight termination decision.

Section 417.307(b)(1) requires a launch vehicle tracking system that provides launch vehicle position and status data to the flight safety crew from the first data loss flight time until the planned safe flight state for launch. Lockheed questioned the meaning of “first data loss flight time,” and asked whether it was the same as “time to endanger.” “First data loss flight time” is simply the first flight time associated with a loss in data. This equates with the time at which the Federal launch range's “green numbers” or “critical time” would begin counting down. “First data loss flight time” has the same meaning as “time to endanger.”

Proposed section 417.307(b)(2) would have required that a tracking system consist of two sources of launch vehicle position data. Lockheed recommended allowing more than two tracking sources. The FAA agrees that more than two tracking sources may be used. This rule only states what is required, and an operator may use more than two tracking sources if it desires. The requirement does not limit the number of tracking sources to two.

Section 417.307(b)(6) requires that each tracking source undergo validation of its accuracy for each launch. Paragraph (b)(6) also requires that for each stage of flight that a launch vehicle guidance system be used as a tracking source. A tracking source that is independent of any system used to aid the guidance system must validate the guidance system data before the data is used in the flight termination decision process. Lockheed recommended against requiring that a tracking source be validated for each stage of flight. The FAA does not accept the recommendation because validation of guidance system data during one stage of flight does not necessarily validate it for any subsequent stages of flight. A shock event, such as staging, can affect the accuracy of guidance system data.

Proposed section 417.307(e)(5) would have required that a flight safety data processing, display, and recording system both display and record raw input and processed data at a rate that maintains the validity of the data and at no less than 0.1-second intervals. Lockheed recommended against requiring intervals of 0.1-second. The FAA did not change this standard because it is current practice. However, the FAA expects that some systems may be granted an equivalent level of safety determination that allows a sample rate of more than 0.1-second.

Section 417.307(h)(1) requires a destruct initiator simulator to have electrical and operational characteristics matching those of the actual destruct initiator. Lockheed recommended replacing characteristics with a performance margin. Lockheed says that it is not practical to fire live ordnance and, under current practice, the simulators exceed the requirement. The FAA disagrees and adopts section 417.307(h)(1) as proposed because live fire is not required. Simulation is allowed. In addition, a simulator that exceeds the actual destruct initiator or that demonstrates a performance margin, as Lockheed suggested, meets this requirement.

Flight Safety System Analysis

Section 417.309 contains requirements for the system analyses that would apply to the design of a flight termination system and a command control system, including their components. Proposed section 417.309(a)(2) would have required that a flight safety system analysis follow a standard industry system safety and reliability analysis methodology. Sea Launch requested that, because a U.S. standard may not apply globally, the FAA require an analysis to follow an approved FAA system safety and reliability analysis or an equivalent methodology. The FAA agrees and will assess a methodology against the performance requirements of this section.

Section 417.309(c)(1) requires a command control system to undergo an analysis that demonstrates that the system satisfies fault tolerance requirements by following a standard industry methodology such as a fault tree analysis or a failure modes effects and criticality analysis. Lockheed suggested adding fishbone analysis to the list of examples. The FAA agrees that fishbone analysis can be used to satisfy this requirement, but the example list is not intended to be all inclusive.

Section 417.309(f)(1) requires each flight termination system and command control system to undergo a radio frequency link analysis to demonstrate that each system satisfies the required margins. Lockheed recommends clarifying that the margin is for the flight safety system, not individual segments of the system. The FAA agrees and adopts the recommendation.

Section 417.309(j)(3) requires that a flight termination system undergo an analysis that demonstrates that each subsystem and component, including their location on the launch vehicle, provide for the flight termination system to complete all its required functions when exposed to launch vehicle staging, ignition, or any other normal or abnormal event that, when it occurs, could damage flight termination system hardware or inhibit the functionality of any subsystem or component, including any inadvertent separation destruct system. Lockheed suggested tying breakup survival requirements to the shock requirements of section D417.7(g). The FAA does not adopt the suggested change because the breakup environment should include more than just shock.

Proposed section 417.311(b)(1) would have required that all safety crew members have knowledge of systems and operations. Lockheed commented that not all safety crew members have knowledge of all systems and operations. The safety crew as a whole has the required knowledge but individual safety crew members may not be familiar with all systems and operations. The FAA agrees and has clarified that the safety crew as a whole must have knowledge of systems and operations.

Ground Safety

Section 417.405(b) contains the qualification requirements for personnel who prepare a ground safety analysis. Lockheed commented that the proposed experience and training requirements were too stringent. The FAA agrees and the requirements for education, training, and experience are instead adopted as a performance requirement. The FAA believes the individual who performs the ground safety analysis must possess background and experience qualifications in the engineering disciplines associated with launch vehicle ground operations, ground processing hazards, and the precautions required to prevent mishaps.

Lockheed suggested basing safety clear zones on the “credible effects” for a possible explosive event for section 417.411(a)(1)(i) and for a possible toxic event for section 417.411(a)(1)(ii), instead of basing each safety clear zone on a worst case scenario. The FAA does not adopt this suggestion because public safety and current range practice require use of the worst case standard. In addition, it is unclear what “credible effects” include.

Section 417.415(b)(3) requires a launch operator to establish procedures for controlling hazards associated with a failed flight attempt where a start command was sent to a solid- or liquid-fueled launch vehicle, but the launch vehicle did not liftoff. These procedures must include prohibiting individuals' entry into the launch complex until the launch pad area safing procedures are complete. Lockheed comments that the range permits pad entry on a case-by-case basis. The FAA clarifies that this requirement is intended to prevent entry by the public into the launch complex during a failed attempt. The FAA further clarifies that this requirement does not apply to launch operator personnel.

Flight Safety Analyses Methodologies and Products for a Launch Vehicle Flown With a Flight Safety System

Trajectory

For section A417.7, Boeing suggested the FAA allow a launch operator to define the longitude as positive degrees East or positive degrees West without requiring a specific reference. In response, the FAA will not adopt the proposed specification on the geodetic longitude reference. Section A417.7 corresponds to current requirements at the Federal launch ranges as documented in AFSPCM 91-710, Tables A1.1 through A1.4.

Debris

Section A417.11(b) requires that a debris analysis produce a debris model that accounts for all launch vehicle debris fragments, individually or in groupings. Section A417.11(b)(3) requires a description of the immediate post-breakup or jettison environment of the launch vehicle debris, and any change in debris characteristics over time from launch vehicle breakup or jettison until debris impact. Boeing stated the FAA should encourage one set of simplified “worst-case” estimates of debris characteristics applicable over time. Simplified estimates should be acceptable as long as they were conservative, according to Boeing. Boeing made similar comments regarding sections A417.11(c)(7), A417.11(c)(8), A417.11(d)(5) and A417.11(d)(17). Section 417.211 contains the performance requirement for a debris analysis. Section 417.211 responded to earlier industry comments for a more performance-based requirement. Appendix A provides one suggested method of meeting the performance requirement. A launch operator's analysis may always be more conservative as long as the final analysis meets the public risk criteria of section 417.107(b).

Flight Termination System Components

Section D417.5(a) requires that a flight termination system have a predicted reliability of 0.999 at a confidence level of 95 percent. A launch operator would demonstrate the system's predicted reliability by satisfying the requirements for system reliability analysis of section 417.309(b). Lockheed states that flight termination system reliability of 0.999 at a confidence level of 95% has been implemented at the Federal ranges as a goal and that this reliability is of limited value. The analysis required by section 417.309(b), however, reflects current practice. This provision does not require demonstration by testing; therefore, a launch operator can meet the proposed standard through analyses.

Section D417.5(c) requires that a flight termination system use redundant components that are structurally, electrically, and mechanically separated. Paragraph (c) also requires that each redundant component's mounting on a launch vehicle, including location or orientation, ensure that any failure that will damage, destroy or otherwise inhibit the operation of one redundant component will not inhibit the operation of the other redundant component and will not inhibit functioning of the flight termination system. Lockheed commented that this requirement will have to be tailored frequently if left unchanged. Boeing commented that the redundancy requirement as written would require significant vehicle redesign. The FAA will not change this requirement because separation of redundant components maximizes the reliability of a flight termination system. This is a flexible performance requirement which a launch operator may satisfy through different methods. The FAA may grandfather certain vehicles and a launch operator may also apply for relief.

Proposed section D417.7(b) would have required a launch operator to determine all maximum predicted non-operating and operating environments that a flight termination system, including each component, will experience. Lockheed suggested clarifying that environments experienced after the planned safe flight state has been achieved should not be included in the maximum predicted environment determination. The FAA agrees because when a launch vehicle reaches its safe state, which typically is when a vehicle reaches orbit, it can no longer endanger the public. The FAA adopts the clarification.

Section D417.7(b)(1) requires that for a launch vehicle configuration for which there have been fewer than three flights, the test margin for the maximum predicted environments must be no less than plus 3 dB for vibration, plus 4.5 dB for shock, and plus or minus 11 °C for thermal range. Lockheed suggested the FAA work closely with industry to establish criteria for what level of change constitutes a new vehicle configuration. The FAA agrees and intends to work closely with industry and the Federal launch range on this issue.

Section D417.7(c) contains component thermal cycle requirements. Lockheed suggested deleting the language that states how a thermal cycle is to be performed and moving the language to appendix E. Although the tests in appendix D appear to be out of place, they provide the standard to which a component must be designed. Accordingly, appendix D is the proper place for them.

Section D417.7(c) requires a component satisfy all its performance specifications when exposed to preflight and flight thermal cycle environments. Paragraph (c)(1) of section D417.7 requires that, for each component, the acceptance-number of thermal cycles be no less than eight thermal cycles or 1.5 times the maximum number of thermal cycles that the component could experience during launch processing and flight, including all launch delays and recycling, rounded up to the nearest whole number, whichever is greater. Lockheed recommends clarifying that the requirement only applies to components that are exposed to significant temperature variations during preflight processing. The FAA disagrees with Lockheed's conclusion because temperature variation may occur during launch processing and flight and must be accounted for. Regardless of whether temperature variations occur during launch processing or flight, they may still affect the performance of a component.

Section D417.7(c)(3) contains thermal cycle requirements that apply to any electronic component that contains active electronic piece-parts such as microcircuits, transistors, and diodes. Section D417.7(c)(3)(i) requires that an electronic component satisfy all its performance specifications when subjected to the sum of ten thermal cycles and the number of thermal cycles required for acceptance testing from one extreme of the maximum predicted thermal range to the other extreme. Lockheed suggested limiting the number of thermal cycles to 18. The FAA does not accept this proposal because ten cycles and the number of thermal cycles required for acceptance testing would typically result in 18 for electronic components. Test data on existing systems often shows failures after eight thermal cycles. The additional 10 acceptance-thermal cycles for a complete electronic component allows for burn-in of electronic piece-parts that make up the electronic component, minimizes the amount of testing required for the individual piece-parts, and is consistent with the approach used at the Federal ranges.

Lockheed also questioned whether section D417.7(c)(4)(iii) is a catch-all for other batteries. The FAA confirms that this section is a catch-all for “any other power source,” including lithium ion batteries.

Section D417.7(e) identifies the sinusoidal vibration environments that would apply to the design of a flight termination system component. Lockheed suggested changing the frequency range from +/−50% to covering the half-power points of the predicted sinusoidal vibration levels. Lockheed stated that the requirement as written could result in over testing. The FAA does not adopt the suggested change because the +/−50% frequency range provides a margin that ensures proper operation of the component under the predicted sinusoidal vibration environment.

Section D417.7(f) contains the requirements for transportation vibration levels. Lockheed suggested using the transportation vibration requirement of appendix E, instead of the levels of section D417.7(f). The FAA does not adopt this suggestion because appendix D contains design requirements and appendix E contains testing requirements. Appendix E permits either test or analysis which should remove concerns about burdensome testing. Appendix D is adopted as proposed, because it contains the design requirements that are based on all predicted environments. The transportation vibration testing requirements of appendix E are not based on predicted environments.

Proposed section D417.7(g)(1)(ii) would have required a flight termination system component to satisfy all its performance specifications when exposed to the workmanship screening forces and frequencies required by Table E417.11-2. Lockheed commented that this table is for minimum breakup shock, not for workmanship. Lockheed is correct and the FAA identifies the table as such here.

Lockheed suggested that the flight termination system installation procedures of section D417.15(b)(1) should only list training or certifications required to safely perform hazardous tasks, instead of a list of personnel required to perform each task as proposed by section D417.15(b)(3). The FAA adopts the requirement as proposed, because a list of personnel is used to ensure each task is assigned a person, even if the same person is responsible for a number of different tasks.

Section D417.17(b)(2) requires telemetry data to show whether the power to an electronic FTS component is off or on. Lockheed suggested allowing for status of the source of power in addition to whether the power is on or off. The FAA does not adopt this suggestion because it would exceed current requirements. A launch operator may include this information in its data.

Section D417.19(c) requires a flight termination system to satisfy all its performance specifications and not sustain any damage when subjected to a maximum input voltage of no less than the maximum open circuit voltage of the component's power source. The component must satisfy all its performance specifications and not sustain any damage when subjected to a minimum input voltage of no greater than the minimum loaded voltage of the component's power source. Lockheed recommended requiring a flight termination system not sustain any damage when subjected to a maximum power input voltage of no less than the maximum open circuit voltage of the component's power source as measured at the input to the component for no less than twice the expected duration. The component must satisfy all its performance specifications when subjected to a minimum power input voltage of no greater than the minimum loaded voltage of the component's power source or the maximum loaded voltage of the component's power source as measured at the input to the component for an indefinite time. The FAA agrees that performance specifications should be met for a loaded output of the power source and should account for voltage drops in the harness. Current practice, however, is to apply the open circuit voltage. This applies a safety margin that the Federal ranges have relied upon over time.

Section D417.19(h) requires each circuit, element, component, and subsystem of a flight termination system to satisfy all its performance specifications when subjected to repetitive functioning for five times the expected number of cycles required for all acceptance testing, checkout, and operations, including re-tests caused by schedule or other delays. Lockheed suggested requiring that only components that are subject to performance degradation due to repetitive cycling satisfy this requirement. The FAA does not adopt the suggestion because all components could be subject to degradation due to repetitive cycling.

Section D417.19(j) requires a flight termination system component that uses a microprocessor to perform self-tests during flight. Lockheed suggested that during flight the self-test would be performed continuously in the background. Although the FAA agrees that a component that uses a microprocessor typically performs continuous background tests, this provision does not preclude continuous background tests.

Section D417.21 defines the requirements for flight termination system monitor checkout circuits. Lockheed requested that the FAA clarify the meaning of the term “checkout circuit,” and to add clarifying language. “Checkout circuits” mean the circuitries which provide the telemetry, in either analog or digital format, for the internal health status of a component. We did not add the suggested language because the term “checkout circuit” means the same as monitor circuits.

Section D417.21(c) requires that a monitor, checkout, or control circuit not route through a safe-and-arm plug. Lockheed commented that this requirement appears to be addressed in the section D417.21(b), which requires that a monitor, control, or checkout circuit may not share a connector with a firing circuit. The FAA disagrees because there may be designs that could employ the safe and arm plugs in a way that they are not part of a firing circuit but would either enable or disable the function.

Section D417.23 applies to a flight termination system ordnance train. Section D417.23(d) requires that an ordnance train include initiation devices that can be connected or removed from a destruct charge. Paragraph (d) also requires that the design of an ordnance train provide for easy access to each initiation device. Boeing commented that it is unclear what is required, because Boeing has remote safing of the systems, and would not need to disconnect the transfer lines in the destruct charges. Boeing claims it could not accomplish this on the pad, or after the tunnel covers are installed in the horizontal integration facility or high pressure test facility. Boeing's comment is focused on a specific case and the FAA reiterates that tailoring may be available for specific cases. This requirement facilitates end-to-end testing where a simulator replaces an initiator. A safe-and-arm device provides only one inhibit to inadvertent initiation of flight termination system ordnance. One inhibit is not generally sufficient for most launch processing, depending on public access to the vehicle and the potential secondary effects on public safety, such as fire or toxic release, due to inadvertent initiation of flight termination system ordnance.

Proposed section D417.25(d)(4) would have required that all input ports be isolated from all output ports. Lockheed commented that if the inputs are isolated from the outputs, then the radio frequency (RF) cannot get through the coupler. Lockheed also commented that if the intent is to require directional isolation for each port using RF circulators to prevent back feeding in the unintended direction, Atlas does not do this. The FAA agrees that the requirement does not address all types of RF couplers and may not apply to some couplers currently in use. For this reason, section D417.25(d)(4) is not adopted. Section D417.25(d)(1)-(3) still requires isolation.

Lockheed suggested adding proscriptive self test requirements for electronic components in a flight termination system in D417.27(e) by distinguishing between continuous and commanded self tests. The FAA does not adopt the suggestion; however, the performance standard will allow different approaches, including those proposed by Lockheed, to meet this requirement.

Lockheed suggested deleting paragraphs D417.27(f), D417.27(i)(1), (i)(2), and (i)(3) because they duplicate D417.19(h), D417.19(c), D417.19(e), and D417.19(i) respectively. The FAA adopts these sections because the requirements of section D417.19 apply more generally to a flight termination system, whereas the requirements of section D417.27 focus on individual components, instead of a whole system.

Lockheed suggested altering the section D417.27(j) design requirements for an electronic component used in a flight termination system so that each electronic component would have to be compatible with the electromagnetic environment it will be exposed to during preflight or flight. Lockheed also recommended against prohibiting an electronic component from producing inadvertent command outputs. The FAA does not adopt these suggestions because compatibility alone does not ensure that an electronic component will reject rogue or extraneous signals and not produce inadvertent command outputs so as to avoid inadvertent destruct actions.

Lockheed suggested limiting the performance requirements for a monitoring circuit used to receive radio frequencies for flight termination system commands to the manufacturer's specifications of section D417.29(b)(5)(ii). The FAA does not adopt this change because the current text adopts a performance standard which allows flexibility and does not require use of only the manufacturer's specifications.

For section D417.29(c), Lockheed suggested deleting several performance requirements for a command receiver decoder used to receive and then send commands for a flight termination system. This section requires a command receiver decoder to distinguish between valid and errant signals. Lockheed suggested these requirements do not reflect current practice. The FAA does not adopt the suggested deletions because it is extremely important that command receiver decoders can distinguish valid commands from similar but errant signals. A launch operator can apply for relief for alternative systems. The FAA also confirmed that these requirements reflect current practice.

Section D417.31(f) requires that the insulation resistance between wire shields and conductors and between each connector pin withstand a minimum workmanship voltage of at least 1500 volts, direct current, or 150 percent of the rated output voltage, whichever is greater. Lockheed recommends that direct current at 500 volts is sufficient to perform an adequate workmanship screening of wire harnesses. Lockheed's suggestion is already required by the workmanship screening tests of appendix E of this part.

Flight Termination System Component Testing and Analysis

Lockheed and Boeing requested that the FAA not require testing of a component in Appendix E to the statistical reliability of 0.999 at a 95% confidence level. This requirement appears in sections governing exploding bridgewires, percussion actuated devices and ordnance interrupters and interfaces. These sections allow the use of a statistical firing series, which include Bruceton, Langlie and Neyer tests, to comply with the above standard. Because there are different acceptable firing series, the FAA used “firing series” to permit greater flexibility, instead of naming individual tests. Bruceton tests do not require almost 3000 tests to demonstrate a reliability of 0.999 at a 95% confidence level. Instead, they capture the distribution of responses by incrementally varying energy levels. The FAA adopts the requirements as proposed.

Section E417.1(b) requires a launch operator to identify and implement any additional test or analysis for any new technology or any unique application of an existing technology. Lockheed suggested clarifying that the need for a new requirement may be identified by either the launch operator or the range. No change is required because under section 417.127, the FAA is able to identify and impose a unique safety policy, requirement, or practice as needed to protect the public.

Section E417.1(d)(4) identifies any change in the performance of a component sample occurring at any time during testing as a test failure even if the component satisfies other test criteria. Lockheed proposed that such changes should be evaluated and not considered an automatic failure. The FAA adopts this requirement because changes in component performance frequently result in discovery of a flaw that could lead to failure during flight.

Section E417.1(h) contains requirements for rework, repair and retesting of components that failed acceptance testing. Lockheed proposes to replace the amount of time a component is retested with an analysis of fatigue damage to the component. The FAA now requires that the total number of acceptance tests experienced by a repaired component must not exceed the environments for which the component is qualified. Lockheed's proposed fatigue equivalence satisfies the requirement.

Section E417.5(f) contains requirements that apply to X-ray or N-ray examination of components. Lockheed suggested that X-ray and N-ray examinations are not required for all production hardware and would limit what photo angles must be used. The FAA agrees that these exams are not required for all production hardware, but only for those required by the test tables. Photo angles are used not only as a recurring inspection technique; they may be required in other situations. Therefore, Lockheed's suggestion concerning photo angles is too limiting.

Section E417.7(c) requires that a component undergo each qualification test in a flight representative configuration, with all flight representative hardware such as connectors, cables, and any cable clamps, and with all attachment hardware, such as dynamic isolators, brackets and bolts, as part of that flight representative configuration. Lockheed suggested that this requirement was redundant with the requirements of section E417.11(c). The FAA does not delete this requirement because it is not redundant. Section E417.7(c) includes operating and non-operating qualification testing and analysis, whereas section E417.11(c) only applies to an operating environment.

Lockheed suggested replacing an age limit for requalifying a component proposed in section E417.7(f)(3)(i) [14] with a general exception. The proposed requirement would have prohibited qualifying or re-qualifying a component that was produced more than three years earlier. Under current practice, if a component is qualified and there are no design or material changes, the production time limit does not apply. The FAA does not, however, adopt Lockheed's suggested exception because doing so would make the exception automatic, and, as is the case now under current practice, a launch operator must first demonstrate an equivalent level of safety to qualify for an exception to this requirement.

Lockheed and Boeing recommended against the storage temperature analysis requirements in non-operating environments of subparagraphs E417.9(b)(1) & (b)(2), (b)(2)(i), (b)(2)(ii) because they believe the requirement does not represent current practice. The FAA disagrees because this section only requires a launch operator to show that the storage temperatures for a component are less than the temperatures associated with a thermal cycle or flight. This requirement may be satisfied by showing the storage temperatures are within the range of flight temperatures. No testing is required, and this is current practice.

Section E417.9(d) requires that an analysis must demonstrate that the qualification operating shock environment is more severe than the transportation shock environment. Lockheed suggested requiring that an analysis also demonstrate that acceleration environment is more severe. The FAA does not adopt this suggestion because shock includes acceleration.

Section E417.9(f) requires that any transportation vibration test subject a component to vibration in three mutually perpendicular axes for 60 minutes per axis. Lockheed suggested requiring vibration for 60 minutes per 1000 miles traveled per axis. The FAA does not adopt the suggestion because it could result in longer tests than currently required.

Lockheed suggested permitting equivalent acceleration under section E417.9(f)(2) as an alternative test method to the transportation vibration tests, which test the effect of vibrations during the transportation of components. The FAA does not adopt the suggestion because there are different ways to meet this requirement. The FAA does not want to limit the method of compliance for this requirement. Equivalent acceleration is only one possible way to satisfy the requirement; fatigue equivalence analysis is another method of compliance.

Section E417.9(i) requires a fine sand test or analysis for a component that will be exposed to sand. Lockheed suggested limiting the fine sand test to components with moving mechanical parts or exposed electrical contacts. The FAA does not adopt Lockheed's suggestion because a launch operator may meet this requirement by analysis.

Section E417.9(k) requires a component to survive the maximum predicted drop and resulting impact that could occur and go undetected during storage, transportation, or installation. Lockheed requested clarification. The FAA clarifies that the maximum predicted drop that could go undetected is a drop that does not cause visible damage.

Section E417.11 contains requirements that apply to each qualification operating environment test or analysis identified by any table of appendix E. Paragraph (b)(2) of section E417.11 requires that qualification sinusoidal vibration environment be no less than 6 dB greater than the maximum predicted sinusoidal vibration environment for no less than three times the maximum predicted duration. Lockheed suggested that the qualification sinusoidal vibration environment must account for test tolerances by allowing a nominal test level. The FAA does not adopt the suggested change because the 6 dB requirement applies to the theoretical level of the maximum predicted environment regardless of test tolerances.

Section E417.11(c)(4)(i)(A) requires that any qualification random vibration test, where a component is hard-mounted, must account for the isolator attenuation and amplification due to the maximum predicted operating random vibration environment, including any thermal effects and acceleration pre-load performance variability, and must add a 1.5 dB margin to account for any isolator attenuation variability.

Lockheed recommended against accounting for thermal effects, acceleration pre-load performance variability, and the 1.5 dB margin because this is not current practice. The FAA disagrees because this is current practice and these requirements account for isolator variability.

Lockheed suggested removing a test requirement, found in many sections, to monitor performance during the test at a sample rate of once every millisecond. Lockheed suggested replacing the above requirement with a performance standard of a sample rate that will detect any component performance degradation. The FAA agrees that a performance standard will maintain the current level of safety and adopts the proposed change.[15]

Lockheed suggested revising the qualification acoustic vibration test to clarify that lot acceptance components under E417.11(d)(3) do not have to meet the minimum workmanship screening test level of 144 dBA for each frequency band from 20 to 2000 Hz. This rule does not require the 144 dBA level for each frequency band from 20 to 2000 Hz. The 144 dBA level applies to all frequencies in the 20 to 2000 Hz range.

Section E417.11(g)(3)(ii) requires a humidity test to measure each electrical performance parameter at the cold and hot temperatures during the first, middle and last thermal cycles. Lockheed suggested clarifying what is meant by the middle cycle. The middle cycle is the cycle with an approximately equal number of cycles between the first cycle and the middle cycle and between the middle cycle and the last cycle.

Lockheed suggested several changes to the qualification thermal vacuum test for a component covered by E417.11(i)(1) and (2). Lockheed suggested changing the environmental conditions required to conduct this test by including an exception to the pressure gradient provision. The FAA does not adopt this suggestion because the pressure gradient requirement may be met several ways, not just in the manner Lockheed suggested.

Lockheed also suggested eliminating a final vacuum dwell time because it is too long. The FAA does not adopt this suggestion because the required dwell time provides a margin necessary to ensure a component will not degrade during the thermal vacuum phase of flight.

Lockheed suggested that the FAA clarify that there is only one dwell time. The FAA does not adopt this suggestion because there may be more than one dwell time; therefore it is appropriate to identify a “final dwell time.”

Lockheed also sought to limit the final vacuum dwell time for an acceptance thermal vacuum test in E417.13(e)(1)(ii) to be consistent with the recommended changes with E417.11(i)(2). The FAA does not adopt this suggestion because the final vacuum dwell time provides a margin and ensures that a component will not degrade during the thermal vacuum phase of flight.

Section E417.13(a) requires an acceptance test of a component to subject the component to one or more of the component's maximum predicted environments as determined under section D417.7. Lockheed suggested referring to the matrix of section 415.129(b) instead of D417.7 because the requirement could otherwise be interpreted to mean that only one of the environments must be tested. The FAA does not refer to section 415.129(b) because section D417.7 determines the maximum predicted environments to which a component must be tested. Section 415.129(b) does not determine maximum predicted environment levels. It only requires a compliance matrix.

Section E417.13(d)(1) requires the acceptance thermal cycles test to subject each component to no less than the greater of eight thermal cycles or 1.5 times the maximum number of thermal cycles that the component could experience during launch processing and flight, including all launch delays and recycling, rounded up to the nearest whole number. Lockheed described this as a new requirement that should only apply to components that experience extreme temperature variations. This requirement is current practice and applies to components that experience temperature variations that can affect their performance, regardless of whether a temperature meets an unidentified “extreme.”

Section E417.13(d)(2)(ii) requires that an acceptance thermal cycles test subject each component to no fewer than 10 plus the acceptance-number of thermal cycles. Lockheed suggested clarifying that the 10 cycles are for burn-in only, which is intended to identify faulty components. The FAA agrees that the 10 cycles are usually for burn-in, but there are exceptions. The 10 cycles may also be used to identify mechanical failures due to thermal stress.

Section E417.13(e)(1)(iii) requires that during a final vacuum dwell-time, the environment must include no less than the maximum predicted number of thermal cycles. Lockheed suggested that the requirement only account for in-flight thermal cycles and for the period of launch through the planned safe flight state. The FAA does not adopt the proposed modification because thermal cycles experienced on the ground must be accounted for. There could be significant thermal variations on the ground. For instance, fueling a launch vehicle with liquid hydrogen or oxygen exposes components to very low temperatures.

Section E417.17(b) requires that a status-of-health test of a radio frequency receiving system satisfy section E417.3(f) and include antenna voltage standing wave ratio testing that measures the assigned operating frequency at the high and low frequencies of the operating bandwidth to verify that the antenna satisfies all its performance specifications. Lockheed suggested that the FAA require the testing of components, instead of testing for a system or an antenna. The FAA does not adopt the suggestion because testing of individual components does not verify the functioning of a system into which those components are integrated.

Lockheed suggested changes to the link performance test of a radio frequency component of section E417.17(c). Lockheed stated that it is impossible to conduct this test at every possible trajectory. Testing of the receiving system does not, however, require testing every trajectory: it requires 95% of the radiation sphere surrounding the launch vehicle, which can be achieved while the vehicle is on the ground.[16] Second, Lockheed seeks to clarify which portions of paragraph (c) require analysis and which require tests. Paragraph (c) governs testing standards, not analysis. These tests may relate to required analysis, but this provision only provides test requirements.

Section E417.17(f) requires an antenna pattern test to demonstrate that the radiation gain pattern of the entire radio frequency receiving system, including the antenna, radio frequency cables, and radio frequency coupler will satisfy all the system's performance specifications during vehicle flight. Lockheed commented that the antenna pattern test does not verify link margin, but provides data used to determine the margin. Lockheed suggested referencing the link margin analysis requirement. The FAA does not adopt Lockheed's suggestion because the antenna pattern test results are used to verify the radiation gain pattern used to satisfy the gain levels of the link analysis.

Section E417.17(f)(2) requires all antenna pattern test conditions to emulate flight conditions, including ground transmitter polarization, using a simulated flight vehicle and a flight configured radio frequency command destruct system. Lockheed was concerned that this requires the use of an actual receiver. An actual receiver is not required, however, because the test can be performed with a simulated flight vehicle.

Section E417.17(f)(3) requires an antenna pattern test to measure the radiation gain for 360 degrees around the launch vehicle in degree increments that are small enough to identify any deep pattern null and to verify that the required 12 dB link margin is maintained throughout flight. Each degree increment must not exceed two degrees. Lockheed commented that link analysis determines link margin and that current practice at Federal ranges is to use 2-degree increments for the antenna pattern test. The FAA agrees that the link analysis determines the link margin. This test verifies the gain required by the link analysis. Using 2-degree increments for antenna patterns meets the requirement.

Lockheed suggested eliminating the fine sand test for a command receiver decoder (CRD) qualification test in Table E417.19-2 claiming that the test is not useful. The FAA does not accept the suggestion as it is possible a CRD may be exposed to fine sand at launch. If a launch operator can show that a CRD will not be exposed to fine sand, the launch operator may be able to obtain relief from this test.

Section E417.19(b) requires each measurement of a status-of-health test of a command receiver decoder to demonstrate that all wiring and connectors are installed according to the manufacturer's design. Lockheed commented that the test as proposed would not demonstrate that all wiring is installed according to the manufacturer's design. The FAA disagrees because a test failure indicates whether wiring is installed according to a manufacturer's design and helps identify any problems caused by improper wire installation. This section only requires verification that specific parameters related to the design are within required specifications.

Section E417.19(c)(3) requires that a command receiver decoder functional performance test demonstrate that the maximum leakage current through any command output port is at a level that cannot degrade performance of down-string electrical or ordnance initiation systems or result in an unsafe condition. The test must demonstrate no less than a 20 dB safety margin between the receiver leakage output and the lowest level that could degrade performance of down-string electrical or ordnance initiation systems or result in an unsafe condition. Lockheed suggested requiring that the maximum current must be shown by analysis to demonstrate no less than a 20 dB margin. The FAA adopts this test because the test verifies functional performance, which analysis will not accomplish.

Lockheed suggested relaxing the power dropout portion of the circuit protection test of section E417.19(d)(2) for solid state power transfer switches. The FAA does not adopt the change because Lockheed did not provide a safety justification for allowing solid state power transfer switches to comply with a new standard. It is unclear whether the standard Lockheed proposed would maintain an equivalent level of safety to the current standard.

Lockheed suggested permitting a launch operator to use analysis to meet the memory test for a receiver decoder of section E417.19(d)(6). The FAA adopts this suggestion because analysis is adequate to fulfill this requirement. At the time command codes are loaded into a receiver, the launch operator verifies the codes are loaded correctly in the memory. Memory devices used in a receiver decoder typically do not degrade. The launch operator must still use analysis to demonstrate the construction and characteristics of the memory device.

Section E417.19(e)(2)(viii) requires that a radio frequency processing test demonstrate that any radio frequency losses within a receiver decoder interface to the antenna system satisfy the required 12 dB margin. Lockheed suggested permitting this requirement be satisfied by analysis. The FAA adopts the requirement because this test is necessary to confirm the ratio which analysis generates.

Section E417.19(e)(2)(ix) requires a radio frequency processing test to demonstrate that the receiver decoder satisfies all its performance specifications within the specified tone filter frequency bandwidth using a frequency modulated tone deviation from 2 dB to 20 dB above the measured threshold level. Lockheed suggested that the requirement was new. The requirement is current practice, and command transmitter tone variations must be accounted for.

Section E417.19(e)(2)(xi) requires that a radio frequency processing test demonstrate that a receiver decoder can process commands at twice the maximum and one-half the minimum timing specification of the ground system. Lockheed suggested requiring processing commands at the maximum and the minimum timing variance specification of the ground system, claiming that the requirement was new and too restrictive. The requirement is current practice and is used at the ranges to test the timing tolerance of the receiver decoder.

Section E417.19(f)(3) requires that an inadvertent command output test demonstrate that a receiver decoder rejects any out-of-band command tone frequency. The test must demonstrate that each tone filter will not respond to another tone outside the specified tone filter frequency bandwidth, using a frequency modulated tone deviation from 2 dB to 20 dB above the measured threshold level. Paragraph (f)(4) of section E417.19 requires an inadvertent command output test demonstrate that none of the tone decoder channels responds to any adjacent frequency modulated tone channel when they are frequency modulated with a minimum of 150% of the expected tone deviation. Lockheed commented that these are new requirements and that they are the same test. The FAA confirms these are current practice and are different tests because (f)(3) tests tone signal strength and (f)(4) tests tone channel frequency modulation.

For tests of a command receiver decoder and its individual components, Lockheed objected to treating as a failure any test results that showed fluctuation or variation. Fluctuation and variation are treated as failures in tests such as the input current monitor test, output functions test, and radio frequency monitor test in section E417.19(g), (h), and (i). Lockheed argued that variation or fluctuation alone should not constitute a test failure, especially because this variation could be within a component's performance standards. The FAA adopts the requirement because variations or fluctuations often indicate internal component damage, which is a potential problem that warrants further investigation.

Section E417.21(j)(3) requires that a silver-zinc battery activation procedure include verification that the electrolyte satisfies the manufacturer's specification for percentage of potassium hydroxide. Lockheed sought clarification that a chemical analysis in an acceptance data package met this requirement. The FAA confirms that a launch operator need not provide an additional chemical analysis if one is included in the acceptance data package.

Lockheed suggested clarifying an exception to the leakage test in Note 3 of Table E417.23-1. Lockheed would have permitted analysis instead of a leakage test. The FAA does not adopt this suggestion because Note 3 requires certain testing to confirm launch operator analysis; analysis cannot confirm another set of analyses for these purposes.

Section E417.25(f)(2) requires that the thermal performance test for a safe-and-arm device must continuously monitor bridgewire continuity with the safe-and-arm device in its arm position to detect each and any variation in amplitude. Paragraph (g)(2) requires that the dynamic performance test for a safe-and-arm device continuously monitor the bridgewire continuity with the safe-and-arm device in its arm position to detect each and any variation in amplitude. Any variation in amplitude in either (f)(2) or (g)(2) constitutes a test failure. Boeing commented that the requirement to continuously monitor the safe-and-arm electro explosive device during environmental exposure in these sections is new. Boeing notes that any variation in amplitude constitutes a test failure and the test fails to acknowledge that resistance changes with temperature. The FAA agrees that resistance changes with temperature. However, the change in resistance due to temperature is well understood and is accounted for in the nominal value. Only significant variations from the nominal value are considered test failures. The FAA would consider a launch operator's demonstration that variation in amplitude would not constitute a test failure.

Section E417.25(j) contains firing test requirements for a safe-and-arm device, electro-explosive device, rotor lead, or booster charge. Paragraph (j)(1)(iv) requires that each test measure ordnance output using a measuring device, such as a swell cap or dent block, to demonstrate that the output satisfies all its performance specifications. Lockheed suggested that this requirement should apply only to an EED. The FAA does not accept this change because there are other types of ordnance devices, such as percussion activated devices, that must be tested to make sure their performance requirements are met.

Lockheed suggested adopting a performance standard for the high temperature firing test of an ordnance interrupter, percussion activated device, explosive transfer system, ordnance manifold, and a destruct charge of sections E417.29(f)(3), E417.31(d)(3), and E417.33(b)(3) respectively, instead of the +71 °C standard in the rule. The FAA adopts the +71 °C standard because it is a temperature at which electronic component performance starts to degrade, making it critical to conduct tests at or above this temperature.

Section E417.35(a) contains requirements for shock isolators that are part of a flight termination system. Paragraph (b)(4)(i)(A) requires a 1.5 dB margin for any hard-mounted acceptance random vibration test for components. Lockheed suggested not requiring the margin for shock isolators, arguing it is unnecessary, the requirements reduce the use of isolators, and that discouraging the use of isolators could adversely affect public safety. The intent of the shock isolator requirements is not to discourage their use, but rather to account for uncertainties introduced by the use of isolators. The requirements for shock isolators are the product of years of experience and capture the best current practice. Lockheed also suggested changing the status-of-health shock or vibration isolator test of section E417.35(c) to exclude vibrations representative of the maximum predicted operating environment because this was not current practice and isolators are expensive. The FAA does not adopt this proposal because the requirement is current practice, and a launch operator may satisfy it by testing only to the maximum predicted operating environment rather than having to test to many different vibration levels, which might otherwise have required additional isolators.

Table E417.37-1 requires each electrical connector or harness that is critical to the functioning of a flight termination system during flight, but is not otherwise part of a flight termination system component, to satisfy each test or analysis identified by table E417.37-1. Lockheed commented that this is a new requirement and that testing for salt fog and humidity is not done. The requirements for electrical connectors and harnesses are current practice. The requirements can be met by analysis.

Lockheed recommended deleting the status of health test for a harness or connector of section E417.37(b) because the test is pass/fail and Lockheed does not see much value in comparing past test data with a current pass/fail test. The FAA disagrees about the value of comparing test data. Although the test is pass/fail, the test produces a value. Comparison shows whether there is a wide variation in results, which may indicate further investigation is necessary.

Lockheed suggested deleting the wire and harness insulation resistance test of section E417.37(b)(4) because Lockheed did not see its value and questioned whether this applies to any wire. The FAA clarifies that this test applies to any wire and does not make the suggested change because this test is current practice and is necessary to establish whether a wire will survive its performance specifications.

Lockheed commented that the pre-flight component tests of section E417.41(b) capture current practice but suggested that the test apply to all of Appendix E. These tests do not apply throughout appendix E, but only in specific situations, such as for pre-flight components.

Lockheed suggested that the command receiver decoder of section E417.41(h)(2)(i)(4)(iii) need not be powered only by ground power or launch vehicle power. Another power source may be used. The FAA disagrees because current technology only allows for a ground or launch vehicle power source, and relief is available for future developments in power sources.

Appendix F as proposed would have contained requirements for electronic piece-parts used in critical components of a flight termination system. SpaceX commented that the current Federal range safety process is extremely expensive and time consuming for a small launch provider such as SpaceX. Current practices consume approximately 18 to 24 months. The Air Force and Army are striving to expedite the process and move towards a goal of truly operationally responsive space systems. SpaceX claimed that codifying current practices would impede the competitiveness of the industry. Instead, SpaceX said, the FAA should strive to mirror or reduce the normal requirements used at the respective launch ranges and work directly with industry to adopt the best current practices used at the Federal ranges, whether they come from the Air Force, the Army or NASA. A specific example of this is the Army's use of RCC 319 instead of EWR127-1, which allows for the use of qualified COTS hardware instead of highly specialized, much higher-priced piece parts currently required by the Air Force. The FAA does not adopt appendix F because it is not current practice at all ranges, only at the Air Force ranges. Air Force requirements are still available to an operator as a way to meet the reliability requirement. For a launch from an Air Force range, a launch operator will have to comply with Air Force requirements.

Lightning Commit Criteria

Appendix G requires that a launch operator apply flight commit criteria to protect against natural lightning and lightning triggered by the flight of a launch vehicle. A launch operator must apply these criteria under section 417.113 (c) for any launch vehicle that utilizes a flight safety system.

NASA's Kennedy Space Center Weather Office suggested adding certain definitions to section G417.3. The FAA adopts NASA's suggested definitions for specified volume and volume-averaged, height-integrated radar reflectivity (VAHIRR) because the definitions are integral to other changes that NASA suggested and that the FAA is adopting.

Sections G417.9 and G417.11 prohibit launch through and near non-transparent parts of attached and detached anvil clouds under certain conditions for certain time periods. Originally, the FAA proposed restrictions matching current practice at the time of the FAA's proposal. Current practice has evolved in response to new measurements and data obtained as described in comments from NASA. Accordingly, the FAA adopts NASA's proposed exceptions to these prohibitions.

As originally proposed, section G417.9 would have required that a launch operator not initiate flight if the flight path would carry a launch vehicle through a nontransparent part of any attached anvil cloud. The FAA also proposed that for a flight path within five nautical miles (nm) of any attached anvil cloud, a launch operator would have to wait three hours after the last lightning discharge in or from a parent or anvil cloud.

NASA suggested allowing a launch operator to launch a vehicle through an attached anvil cloud within three hours after the last lightning discharge in or from the parent cloud or anvil cloud if two conditions were met: (1) The temperature along the flight path within 5 nm of the anvil cloud was colder than zero degrees Celsius; and (2) the volume averaged height integrated radar reflectivity (VAHIRR) was below 33 dBZ-kft. NASA also suggested reducing the wait time for a flight path within 5 nm of any attached anvil cloud from 3 hours to 30 minutes if the same two conditions were met. The FAA agrees with these exceptions because they identify additional safe launch opportunities as based on the data described in NASA's comments. The Eastern and Western Federal launch ranges already apply these exceptions. The following table describes the changes:

G417.11 Detached Anvil Clouds

For detached anvil clouds, the FAA proposed that a launch operator not initiate flight if the flight path would carry the launch vehicle through a non-transparent part of any detached anvil cloud for the first three hours after the anvil cloud was observed to be detached from the parent cloud or the first four hours after the last lightning discharge from the detached anvil cloud. For a flight path within 5 nm of a non-transparent part of a detached anvil cloud, a launch operator would have to wait at least 3 hours after a lightning discharge or an observed cloud detachment or meet three conditions.[17]

NASA suggested allowing an additional option for launch through or within 10 nautical miles of a non-transparent detached anvil cloud. Accordingly, under this rule, a launch operator can launch within 30 minutes from when an anvil cloud detaches from its parent, rather than the 3 hours originally proposed, if the temperature and VAHIRR conditions discussed in section G417.9 are satisfied. (1) the temperature along the flight path within 5 nm of the detached anvil cloud must be colder than zero degrees Celsius.

In accordance with the new current practice described by NASA, a launch operator may launch within 5 nm of a detached anvil cloud if the launch operator can satisfy the requirements originally proposed and adopted here or if it can meet the two new conditions: (1) the temperature along the flight path within 5 nautical miles of the detached anvil cloud must be colder than zero degrees Celsius, and (2) the VAHIRR must be below 33 dBZ-kft. The table below describes the changes:

Effective Date

This final rule will become effective on August 27, 2007. The fact that these regulations are not effective for one year does not affect existing launch operator licenses.

Paperwork Reduction Act

As required by the Paperwork Reduction Act of 1995, 44 U.S.C. 3501 et seq., the Federal Aviation Administration has reviewed the information collection requirements of this final rule. The FAA has determined that this final rule has no additional burden to respondents over and above that which the Office of Management and Budget has already approved under the existing rule titled, “Commercial Space Transportation Licensing Regulations” (OMB control number 2120-0608). Under the existing rule, the FAA considers license applications to launch from non-federal launch sites on a case-by-case basis. In conducting a case-by-case review, the FAA gives due consideration to current practices in space transportation, generally involving launches from federal sites, and collects information accordingly. Accordingly, the FAA believes that, under this final rule, there is no additional information collection not already included in the previously approved information collection activity. This rule would eliminate the case-by-case review, thereby streamlining the licensing process, and would not place any additional burden on the respondent.

An agency may not collect or sponsor the collection of information, nor may it impose an information collection requirement unless it displays a currently valid Office of Management and Budget (OMB) control number.

Regulatory Evaluation Summary; Introduction

Proposed and final rule changes to Federal regulations must undergo several economic analyses. First, Executive Order 12866 directs that each Federal agency propose or adopt a regulation only upon a reasoned determination that the benefits of the intended regulation justify its costs. Second, the Regulatory Flexibility Act of 1980 requires agencies to analyze the economic impact of regulatory changes on small entities. Third, the Trade Agreements Act prohibits agencies from setting standards that create unnecessary obstacles to the foreign commerce of the United States. In developing U.S. standards, the Trade Agreements Act also requires agencies to consider international standards and, where appropriate, use them as the basis of U.S. standards. Fourth, the Unfunded Mandates Reform Act of 1995 requires agencies to prepare a written assessment of the costs, benefits, and other effects of proposed or final rules that include a Federal mandate likely to result in the expenditure by State, local, or tribal governments, in the aggregate, or by the private sector, of $100 million or more annually (adjusted for inflation).

In conducting these analyses, the FAA has determined that the final rule: (1) Has benefits that justify its costs; while not economically significant, is “a significant regulatory action” as defined in the Executive Order; and is “significant” as defined in the Department of Transportation's Regulatory Policies and Procedures; (2) does not have a significant impact on a substantial number of small entities; (3) does not impose barriers to international trade; and (4) does not impose an unfunded mandate on State, local, or tribal governments, or on the private sector. These analyses are available in the docket, and are summarized below.

Total Costs and Benefits of This Rulemaking

The estimated cost of this final rule to industry and the FAA is $9.5 million ($7.9 million discounted). Potential benefits, which have not been quantified, include: increased transparency of licensing requirements, reduced likelihood that operators will deviate from the existing high level of safety achieved at federal ranges, operating efficiencies and associated cost savings, reduced uncertainties and increased confidence among the business communities, and a faster return to flight in the event of a mishap. The following paragraphs provide more details on costs and benefits.

Who is Potentially Affected by This Rulemaking

Private Sector

  • Commercial space transportation launch operators.
  • Users of commercial space transportation.
  • Users of services provided by users of commercial space transportation.
  • Federal range operating contractors.

Government

  • Federal Aviation Administration.
  • Other Federal organizations such as DOD, NASA.

Our Cost Assumptions and Sources of Information

  • Discount rate—7%.
  • Period of analysis—2006 through 2010.
  • All monetary values are expressed in 2004 dollars.
  • Five commercial space transportation launch operators would each assign two personnel annually to review Federal range implementation of certain regulatory requirements contained in the proposed rule.
  • Five commercial space transportation launch operators would each assign two industry personnel in 2006 to ensure that its records would satisfy an FAA request to provide written evidence of meets intent certifications or waivers granted previously by a Federal range.
  • Annual base salary per industry personnel $116,939.
  • Fringe benefit factor 23.45%.
  • FAA would expend 1.5 full time personnel per year to administer and implement the proposed requirement.

Benefits

Benefits were not quantified but it is expected that the rule will:

  • Increase transparency of existing requirements for established launch operators and new entrants;
  • Preserve the high level of safety demonstrated by commercial space launch operators by reducing the likelihood that operators will deviate from current practice;
  • Yield operating efficiencies by establishing standardized requirements for commercial launch operators;
  • Reduce uncertainties and promote confidence among the commercial space investor and insurance communities which might stimulate business;
  • Facilitate a faster return to flight in the event of a mishap because the rule will yield documentation that may be critical to mishap investigation;
  • Result in industry cost savings by ensuring consistency in implementing the licensing process.

Total Costs

The estimated cost of this final rule is $9.5 million ($7.9 million, discounted) for five years after publication of the rule. The launch industry is expected to incur $8.7 million ($7.3 million, discounted) in costs over the five-year period. The FAA believes that a commercial space transportation launch operator will assign as many as two personnel to review Federal launch range implementation of certain regulatory requirements contained in the final rule. This will result in industry spending $7.2 million ($5.9 million, discounted) over the five-year period to increase its involvement in reviewing Federal launch range implementation of safety requirements in the final rule. Also, the final rule will require a licensed launch operator to provide written evidence, on request, demonstrating that a Federal launch range has granted a meets intent certification or waiver. Although a licensed launch operator is already required to do so by range requirements and the terms of its license, the FAA believes that the commercial space transportation industry would incur an additional $1.4 million ($1.3 million, discounted) to comply with the requirements to ensure that its records are adequate.

The FAA is expected to incur $812,000 ($666,000, discounted) in costs over the five-year period to perform more rigorous and timely launch site safety assessments.

Changes From the SNPRM to the Final Rule

The final rule differs from the SNPRM because it incorporates industry comments to the SNPRM to better capture the current practice and guidelines of the federal ranges. It better accomplishes an FAA purpose in publishing this rule: to codify current practice at the federal ranges and non-federal launch sites.

The costs estimated by the final rule regulatory evaluation differ from costs estimated by the SNPRM regulatory evaluation. This is because better modeling techniques and better information on potential cost impacts have become available since the SNPRM was published. A summary of the differences between the SNPRM costs and the final rule costs follows.

  • The regulatory evaluation for the SNPRM estimated that the proposed rule would cause two launches from the Eastern range to be delayed, at an estimated cost to industry of $700,000. The delay was attributable to modeling techniques indicating that toxic risks would exist greater than 30 × 10⁻⁶, which would cause two launches to be delayed. Application of more refined modeling techniques since publication of the SNPRM regulatory evaluation indicates that there would be no toxic risk level equal to or greater than 30 × 10⁻⁶ associated with these launches. Accordingly, the launches would be allowed to proceed without delay under the final rule.
  • The final rule regulatory evaluation estimates industry costs of approximately $1.4 million per annum, or $7.2 million (undiscounted) over a five-year period from 2006 through 2010. These costs are based on the assumption that the rule will motivate launch operators to take a more aggressive role in understanding and reviewing many of the safety-related responsibilities performed by the federal ranges; this will be accomplished by performing oversight. These costs were not included in the SNPRM regulatory evaluation and are included here to recognize launch operator concerns (of note, at a March 2005 public meeting, one commenter observed that such oversight might not take place).
  • The final rule regulatory evaluation also estimates industry costs of approximately $1.4 million (or $1.3 million undiscounted) in 2006 to comply with the final rule requirements and ensure that its records are adequate. These costs would fulfill the rule requirements for commercial launch operators to provide written evidence, on request, demonstrating that a federal range has granted a meets intent certification or waiver. These costs were not included in the SNPRM regulatory evaluation and are included here because better information and insight is available.
  • The rule will result in the FAA performing more extensive reviews of federal range flight safety programs. In performing more rigorous and timely baseline assessments, the FAA will incur additional administrative cost of approximately $162,000 per annum, or $812,000 ($665,721 discounted) over the five-year period from 2006 to 2010. These costs were not included in the SNPRM regulatory evaluation and are included here because better information and insight is available.

Regulatory Flexibility Determination

The Regulatory Flexibility Act of 1980 establishes “as a principle of regulatory issuance that agencies shall endeavor, consistent with the objective of the rule and of applicable statutes, to fit regulatory and informational requirements to the scale of the business, organizations, and governmental jurisdictions subject to regulation.” To achieve that principle, the Act requires agencies “to solicit and consider flexible regulatory proposals and to explain the rationale for their actions.” The Act covers a wide range of small entities, including small businesses, not-for-profit organizations and small governmental jurisdictions. Agencies must perform a review to determine whether a final rule would have a significant economic impact on a substantial number of small entities. If the determination is that it will, then the agency must prepare a regulatory flexibility analysis. In contrast, if an agency determines that a final rule is not expected to have a significant economic impact on a substantial number of small entities, then Section 605(b) of the 1980 act provides that the head of the agency may so certify and a regulatory flexibility analysis is not required.

The Small Business Administration (SBA) has defined small business entities engaged in commercial space transportation vehicles as those employing no more than 1,000 employees, using the North American Industry Classification System codes 336414, Guided Missile and Space Vehicle Manufacturing, 336415, Guided Missile and Space Vehicle Propulsion Unit and Parts Manufacturing, and 336419, Other Guided Missile and Space Vehicle Parts and Auxiliary Equipment Manufacturing. The SBA does not apply a size standard based on maximum annual receipts to define small business entities engaged in the commercial space transportation industry.

The final rule will cause commercial entities, operating in the commercial space launch industry prior to this proposed rulemaking, to perform more rigorous oversight of Federal launch range safety performance and to maintain adequate records of launch deviations from EWR 127-1 requirements granted by a Federal launch range. The FAA recognizes that these good business practices may not have been always performed in current practice, and also recognizes that the final rule (1) highlights commercial launch operator accountability for launch safety and oversight by commercial entities of Federal launch range performance, and (2) requires written documentation for meets intent certifications and waivers granted by the Federal launch ranges as already mandated by Federal launch range requirements. Ordinarily these activities would be expected to be performed as a matter of good business practice.

The FAA believes that the following large business entities are the principal entities currently comprising the ELV commercial space transportation launch operator industry: The Boeing Company, Lockheed Martin Corporation, International Launch Services, Incorporated, Orbital Sciences Corporation, and Sea Launch Company, L.L.C. Further, the FAA has determined that there are no existing small firms, but that there is one small business entity that is planning to enter the ELV commercial space transportation launch industry—Space Exploration Technologies Corporation (which has 20 employees). As a potential new entrant to this industry, this small business entity has neither established a launch history nor established current practices. One potential new entrant as the sole small entity does not constitute a substantial number. Accordingly, pursuant to the Regulatory Flexibility Act, 5 U.S.C. 605(b), I certify that the final rule will not have a significant economic impact on a substantial number of small entities.

International Trade Impact Assessment

The Trade Agreement Act of 1979 prohibits Federal agencies from promulgating any standards or engaging in any related activities that create unnecessary obstacles to the foreign commerce of the United States. Legitimate domestic objectives, such as safety, are not unnecessary obstacles; however, because the final rule will codify the intent of current practice requirements, it will not create obstacles. The statute also requires consideration of international standards and where appropriate, that they be the basis for U.S. standards. In accordance with this statute, the FAA has assessed the potential effect of the final rule and has determined that it will impose the same costs on domestic and international entities, and thus has a neutral trade impact.

Unfunded Mandates Assessment

The Unfunded Mandates Reform Act of 1995 (the Act) is intended, among other things, to curb the practice of imposing unfunded Federal mandates on State, local, and tribal governments. Title II of the Act requires each Federal agency to prepare a written statement assessing the effects of any Federal mandate in a proposed or final agency rule that may result in an expenditure of $100 million or more (adjusted annually for inflation) in any one year by State, local, and tribal governments, in the aggregate, or by the private sector; such a mandate is deemed to be a “significant regulatory action.” The FAA currently uses an inflation-adjusted value of $120.7 million in lieu of $100 million.

This final rule does not contain such a mandate. The requirements of Title II do not apply.

Executive Order 13132, Federalism

The FAA has analyzed this final rule under the principles and criteria of Executive Order 13132, Federalism. We determined that this action will not have a substantial direct effect on the States, or the relationship between the national Government and the States, or on the distribution of power and responsibilities among the various levels of government, and therefore does not have Federalism implications.

Environmental Analysis

FAA Order 1050.1E identifies FAA actions that are categorically excluded from preparation of an environmental assessment or environmental impact statement under the National Environmental Policy Act in the absence of extraordinary circumstances. The FAA has determined this rulemaking action qualifies for the categorical exclusion identified in paragraph 312(d) and involves no extraordinary circumstances.

Regulations That Significantly Affect Energy Supply, Distribution, or Use

The FAA has analyzed this final rule under Executive Order 13211, Actions Concerning Regulations that Significantly Affect Energy Supply, Distribution, or Use (May 18, 2001). We have determined that it is not a “significant energy action” under the executive order because it is not a “significant regulatory action” under Executive Order 12866, and it is not likely to have a significant adverse effect on the supply, distribution, or use of energy.

List of Subjects

The Amendment

In consideration of the foregoing, the Federal Aviation Administration amends Chapter III of Title 14, Code of Federal Regulations as follows:

Licensing and Safety Requirements for Launch

PART 401—ORGANIZATION AND DEFINITIONS

1. The authority citation for part 401 continues to read as follows:

Authority: 49 U.S.C. 70101-70121.

2. Amend § 401.5 by adding the following definitions in alphabetical order and revising the definition of “Safety critical” to read as follows:

Definitions.
* * * * *

Casualty means serious injury or death.

* * * * *

Equivalent level of safety means an approximately equal level of safety as determined by qualitative or quantitative means.

Expendable launch vehicle means a launch vehicle whose propulsive stages are flown only once.

* * * * *

Instantaneous impact point means an impact point, following thrust termination of a launch vehicle, calculated in the absence of atmospheric drag effects.

* * * * *

Launch site safety assessment means an FAA assessment of a Federal launch range to determine if the range meets FAA safety requirements. A difference between range practice and FAA requirements is documented in the LSSA.

* * * * *

Nominal means, in reference to launch vehicle performance, trajectory, or stage impact point, a launch vehicle flight where all vehicle aerodynamic parameters are as expected, all vehicle internal and external systems perform exactly as planned, and there are no external perturbing influences other than atmospheric drag and gravity.

* * * * *

Populated area means—

(1) An outdoor location, structure, or cluster of structures that may be occupied by people;

(2) Sections of roadways and waterways that are frequented by automobile and boat traffic; or

(3) Agricultural lands, if routinely occupied by field workers.

Public safety means, for a particular licensed launch, the safety of people and property that are not involved in supporting the launch and includes those people and property that may be located within the boundary of a launch site, such as visitors, individuals providing goods or services not related to launch processing or flight, and any other launch operator and its personnel.

* * * * *

Risk means a measure that accounts for both the probability of occurrence of a hazardous event and the consequence of that event to persons or property.

Safety critical means essential to safe performance or operation. A safety critical system, subsystem, component, condition, event, operation, process, or item is one whose proper recognition, control, performance, or tolerance is essential to ensuring public safety. Something that is a safety critical item creates a safety hazard or provides protection from a safety hazard.

* * * * *

Sigma means a single standard deviation from a fixed value, such as a mean.

* * * * *

PART 406—INVESTIGATIONS, ENFORCEMENT AND ADMINISTRATIVE REVIEW

3. The authority citation for part 406 continues to read as follows:

Authority: 49 U.S.C. 70101-70121.

4. Revise § 406.3(b) to read as follows:

Submissions; oral presentation in license and payload actions; standard of proof.
* * * * *

(b) Submissions must include a detailed exposition of the evidence or arguments supporting the petition. Where an applicant must demonstrate an equivalent level of safety or fidelity, the applicant must make a clear and convincing demonstration.

* * * * *

PART 413—LICENSE APPLICATION PROCEDURES

5. The authority citation for part 413 continues to read as follows:

Authority: 49 U.S.C. 70101-70121.

6. Amend § 413.7 by adding paragraph (d) to read as follows:

Application.
* * * * *

(d) Measurement system consistency. For each analysis, an applicant must employ a consistent measurements system, whether English or metric, in its application and licensing information.

PART 415—LAUNCH LICENSE

7. The authority citation for part 415 continues to read as follows:

Authority: 49 U.S.C. 70101-70121.

8. Revise § 415.1 to read as follows:

Scope.

This part establishes requirements for obtaining a license to launch an expendable launch vehicle. Requirements for preparing a license application are contained in part 413 of this chapter. Post licensing requirements governing launch from a Federal launch range and a non-Federal launch site are contained in part 417 of this chapter.

[Amended]

9. Amend § 415.9(b) to add the following to the end of the paragraph: “, and part 417 of this chapter.”

10. Revise § 415.31(a) to read as follows:

General.

(a) The FAA conducts a safety review to determine whether an applicant is capable of launching a launch vehicle and its payload without jeopardizing public health and safety and safety of property. The FAA issues a safety approval to a license applicant proposing to launch from a Federal launch range if the applicant satisfies the requirements of this subpart and has contracted with the Federal launch range for the provision of safety-related launch services and property, as long as an FAA launch site safety assessment shows that the range's launch services and launch property satisfy part 417 of this chapter. The FAA evaluates on an individual basis all other safety-related launch services and property associated with an applicant's proposal, in accordance with part 417 of this chapter. A safety approval is part of the licensing record on which the FAA's licensing determination is based.

* * * * *

11. Revise § 415.35 to read as follows:

Acceptable flight risk.

(a) Flight risk through orbital insertion or impact. Acceptable flight risk through orbital insertion for an orbital launch vehicle, and through impact for a suborbital launch vehicle, is measured in terms of the expected average number of casualties (Ec) to the collective members of the public exposed to debris hazards from any one launch. To obtain safety approval, an applicant must demonstrate that the risk level associated with debris from an applicant's proposed launch meets the public risk criteria of § 417.107(b)(1) of this chapter for impacting inert and impacting explosive debris.

(b) Hazard identification and risk assessment. To demonstrate compliance with paragraph (a) of this section, an applicant must file an analysis that identifies hazards and assesses risks to public health and safety and safety of property associated with nominal and non-nominal flight of its proposed launch.

(c) Design. A launch vehicle must be designed to ensure that flight risks meet the criteria of paragraph (a) of this section. An applicant must identify and describe the following:

(1) Launch vehicle structure, including physical dimensions and weight;

(2) Hazardous and safety critical systems, including propulsion systems; and

(3) Drawings and schematics for each system identified under paragraph (c)(2) of this section.

(d) Operation. A launch vehicle must be operated in a manner that ensures that flight risks meet the criteria of paragraph (a) of this section. An applicant must identify all launch operations and procedures that must be performed to ensure acceptable flight risk.

12. Revise § 415.37 to read as follows:

Flight readiness and communications plan.

(a) Flight readiness requirements. An applicant must designate an individual responsible for flight readiness. The applicant must file the following procedures for verifying readiness for safe flight:

(1) Launch readiness review procedures involving the applicant's flight safety personnel and Federal launch range personnel involved in the launch, as required by § 417.117(g) of this chapter.

(2) Procedures that ensure mission constraints, rules and abort procedures are listed and consolidated in a safety directive or notebook approved by licensee flight safety and Federal launch range personnel.

(3) Procedures that ensure currency and consistency of licensee and Federal launch range countdown checklists.

(4) Dress rehearsal procedures that—

(i) Ensure crew readiness under nominal and non-nominal flight conditions;

(ii) Contain criteria for determining whether to dispense with one or more dress rehearsals; and

(iii) Verify currency and consistency of licensee and Federal launch range countdown checklists.

(5) Procedures for ensuring the licensee's flight safety personnel adhere to the crew rest rules of § 417.113(f) of this chapter.

(b) Communications plan requirements. An applicant must file a communications plan that meets § 417.111(k) of this chapter, and that provides licensee and Federal launch range personnel communications procedures during countdown and flight.

(c) An applicant must file procedures that ensure that licensee and Federal launch range personnel receive a copy of the communications plan required by paragraph (b) of this section, and that the Federal launch range concurs in the communications plan.

13. Revise § 415.39 to read as follows:

Safety at end of launch.

To obtain safety approval, an applicant must demonstrate compliance with § 417.129 of this chapter, for any proposed launch of a launch vehicle with a stage or component that will reach Earth orbit.

14. Revise § 415.41 to read as follows:

Accident investigation plan.

An applicant must file an accident investigation plan (AIP), that satisfies § 417.111(g) of this chapter, and contains the applicant's procedures for reporting and responding to launch accidents, launch incidents, or other mishaps, as defined by § 401.5 of this chapter.

15. Amend § 415.51 by adding a sentence to the end of this section to read as follows:

General.

* * * The safety requirements of subpart C and F of this part and of part 417 of this chapter apply to all payloads, whether or not the payload is otherwise exempt.

Subpart E—[Removed and Reserved]

16. Remove and reserve subpart E, consisting of §§ 415.71 through 415.90.

[Redesignated as §§ 415.201 and 415.203]

17. Redesignate §§ 415.101 and 415.103 as §§ 415.201 and 415.203, respectively.

18. Revise subpart F to read as follows:

Subpart F—Safety Review and Approval for Launch of an Expendable Launch Vehicle From a Non-Federal Launch Site
415.91 through 415.100 [Reserved]
415.101 Scope and applicability.
415.102 Definitions.
415.103 General.
415.105 Pre-application consultation.
415.107 Safety review document.
415.109 Launch description.
415.111 Launch operator organization.
415.113 Launch personnel certification program.
415.115 Flight safety.
415.117 Ground safety.
415.119 Launch plans.
415.121 Launch schedule.
415.123 Computing systems and software.
415.125 Unique safety policies, requirements and practices.
415.127 Flight safety system design and operation data.
415.129 Flight safety system test data.
415.131 Flight safety system crew data.
415.133 Safety at end of launch.
415.135 Denial of safety approval.
415.136 through 415.200 [Reserved]

Subpart F—Safety Review and Approval for Launch of an Expendable Launch Vehicle From a Non-Federal Launch Site

Scope and applicability.

(a) This subpart F contains requirements that an applicant must meet to obtain a safety approval when applying for a license to launch an expendable launch vehicle from a non-Federal launch site. This subpart also contains administrative requirements for a safety review, such as when and how an applicant files the required information, and the requirements for the form and content of each submission.

(b) The requirements of this subpart apply to both orbital and suborbital expendable launch vehicles.

(c) An applicant must demonstrate, through the material filed with the FAA, its ability to comply with the requirements of part 417 of this chapter. To facilitate production of the information required by this subpart, an applicant should become familiar with the requirements of part 417 of this chapter.

(d) For a launch from an exclusive use launch site, where there is no licensed launch site operator, a launch operator must satisfy the requirements of this part and the public safety application requirements of part 420 of this chapter.

Definitions.

For the purposes of this subpart, the definitions of § 417.3 and § 401.5 of this chapter apply.

General.

(a) The FAA conducts a safety review to determine whether an applicant is capable of conducting launch processing and flight without jeopardizing public health and safety and safety of property. The FAA issues a safety approval to a license applicant if the applicant satisfies the requirements of this subpart and demonstrates that it will meet the safety responsibilities and requirements of part 417 of this chapter.

(b) The FAA advises an applicant, in writing, of any issue raised during a safety review that would impede issuance of a safety approval. The applicant may respond, in writing, or amend its license application as required by § 413.17 of this chapter.

(c) An applicant must make available to the FAA upon request a copy of any information incorporated into a license application by reference.

(d) A safety approval is part of the licensing record on which the FAA bases its licensing determination.

Pre-application consultation.

(a) An applicant must participate in a pre-application consultation meeting, as required by § 413.5 of this chapter, prior to an applicant's preparation of the initial flight safety analysis required by § 415.115.

(b) At a pre-application consultation meeting, an applicant must provide as complete a description of the planned launch or series of launches as available at the time. An applicant must provide the FAA the following information:

(1) Launch vehicle. Description of:

(i) Launch vehicle;

(ii) Any flight termination system; and

(iii) All hazards associated with the launch vehicle and any payload, including the type and amounts of all propellants, explosives, toxic materials and any radionuclides.

(2) Proposed mission.

(i) For an applicant applying for a launch specific license under § 415.3(a), the apogee, perigee, and inclination of any orbital objects and each impact location of any stage or other component.

(ii) For an applicant applying for a launch operator license under § 415.3(b), the planned range of trajectories and flight azimuths, and the range of apogees, perigees, and inclinations of any orbital objects and each impact location of any stage or other component.

(3) Potential launch site.

(i) Name and location of the proposed launch site, including latitude and longitude of the proposed launch point;

(ii) Identity of any launch site operator of that site; and

(iii) Identification of any facilities at the launch site that will be used for launch processing and flight.

Safety review document.

(a) An applicant must file a safety review document that contains all the information required by §§ 415.109—415.133. An applicant must file the information for a safety review document as required by the outline in appendix B of this part. An applicant must file a sufficiently complete safety review document, except for the ground safety analysis report, no later than six months before the applicant brings any launch vehicle to the proposed launch site.

(b) A launch operator's safety review document must:

(1) Contain a glossary of unique terms and acronyms used in alphabetical order;

(2) Contain a listing of all referenced standards, codes, and publications;

(3) Be logically organized, with a clear and consistent page numbering system and must identify cross-referenced topics;

(4) Use equations and mathematical relationships derived from or referenced to a recognized standard or text, and must define all algebraic parameters;

(5) Include the units of all numerical values provided; and

(6) Include a legend or key that identifies all symbols used for any schematic diagrams.

(c) An applicant's safety review document may include sections not required by appendix B of this part. An applicant must identify each added section by using the word “added” in front of the title of the section. In the first paragraph of the section, an applicant must explain any addition to the outline in appendix B of this part.

(d) If a safety review document section required by appendix B of this part does not apply to an applicant's proposed launch, an applicant must identify the sections in the application by the words “not applicable” preceding the title of the section. In the first paragraph of the section, an applicant must describe and justify why the section does not apply.

(e) An applicant may reference documentation previously filed with the FAA.

Launch description.

An applicant's safety review document must contain the following information:

(a) Launch site description. An applicant must identify the proposed launch site and include the following:

(1) Boundaries of the launch site;

(2) Launch point location, including latitude and longitude;

(3) Identity of any launch site operator of that proposed site; and

(4) Identification of any facilities at the launch site that will be used for launch processing and flight.

(b) Launch vehicle description. An applicant must provide the following:

(1) A written description of the launch vehicle. The description must include a table specifying the type and quantities of all hazardous materials on the launch vehicle and must include propellants, explosives, and toxic materials; and

(2) A drawing of the launch vehicle that identifies:

(i) Each stage, including strap-on motors;

(ii) Physical dimensions and weight;

(iii) Location of all safety critical systems, including any flight termination hardware, tracking aids, or telemetry systems;

(iv) Location of all major launch vehicle control systems, propulsion systems, pressure vessels, and any other hardware that contains potential hazardous energy or hazardous material; and

(v) For an unguided suborbital launch vehicle, the location of the rocket's center of pressure in relation to its center of gravity for the entire flight profile.

(c) Payload description. An applicant must include or reference documentation previously filed with the FAA that contains the payload information required by § 415.59 for any payload or class of payload.

(d) Trajectory. An applicant must provide two drawings depicting trajectory information. An applicant must file additional trajectory information as part of the flight safety analysis data required by § 415.115.

(1) One drawing must depict the proposed nominal flight profile with downrange depicted on the abscissa and altitude depicted on the ordinate axis. The nominal flight profile must be labeled to show each planned staging event and its time after liftoff from launch through orbital insertion or final impact; and

(2) The second drawing must depict instantaneous impact point ground traces for each of the nominal trajectory, the three-sigma left lateral trajectory and the three-sigma right lateral trajectory determined under § 417.207 of this chapter. The trajectories must be depicted on a latitude/longitude grid, and the grid must include the outlines of any continents and islands.

(e) Staging events. An applicant must provide a table of nominal and ± three-sigma times for each major staging event and must describe each event, including the predicted impact point and dispersion of each spent stage.

(f) Vehicle performance graphs. An applicant must provide graphs of the nominal and ± three-sigma values as a function of time after liftoff for the following launch vehicle performance parameters: thrust, altitude, velocity, instantaneous impact point arc-range measured from the launch point, and present position arc-range measured from the launch point.

Launch operator organization.

An applicant's safety review document must contain organizational charts and a description that shows that the launch operator's organization satisfies the requirements of § 417.103 of this chapter. An applicant's safety review document must also identify all persons with whom the applicant has contracted to provide safety-related goods or services for the launch of the launch vehicle.

Launch personnel certification program.

(a) A safety review document must describe how the applicant will satisfy the personnel certification program requirements of § 417.105 of this chapter and identify by position those individuals who implement the program.

(b) An applicant's safety review document must contain a copy of its documentation that demonstrates how the launch operator implements the personnel certification program.

(c) An applicant's safety review document must contain a table listing each hazardous operation or safety critical task that certified personnel must perform. For each task, the table must identify by position the individual who reviews personnel qualifications and certifies personnel for performing the task.

Flight safety.

(a) Flight safety analysis. An applicant's safety review document must describe each analysis method employed to meet the flight safety analysis requirements of part 417, subpart C, of this chapter. An applicant's safety review document must demonstrate how each analysis method satisfies the flight safety analysis requirements of part 417, subpart C, of this chapter. An applicant's safety review document must contain analysis products and other data that demonstrate the applicant's ability to meet the public risk criteria of § 417.107 of this chapter and to establish launch safety rules as required by § 417.113 of this chapter. An applicant's flight safety analysis must satisfy the following requirements:

(1) An applicant must file the proposed flight safety analysis methodology and the preliminary flight safety analysis products no later than 18 months for any orbital or guided suborbital launch vehicle, and nine months for any unguided suborbital launch vehicle, prior to bringing any launch vehicle to the proposed launch site.

(2) For a launch operator license, an applicant must file flight safety analysis products that account for the range of launch vehicles and flight trajectories applied for, or the worst case vehicle and trajectory under which flight will be attempted, no later than 6 months before the applicant brings any launch vehicle to the proposed launch site. For a launch specific license, an applicant must file flight safety analysis products that account for the actual flight conditions, no later than 6 months before the applicant brings any launch vehicle to the proposed launch site.

(3) The flight safety analysis performed by an applicant must be completed as required by subpart C of part 417 of this chapter. An applicant may identify those portions of the analysis that it expects to refine as the first proposed flight date approaches. An applicant must identify any analysis product subject to change, describe what needs to be done to finalize the product, and identify when before flight it will be finalized. If a license allows more than one launch, an applicant must demonstrate the applicability of the analysis methods to each of the proposed launches and identify any expected differences in the flight safety analysis methods among the proposed launches. Once licensed, a launch operator must perform a flight safety analysis for each launch using final launch vehicle performance and other data as required by subpart C of part 417 of this chapter and using the analysis methods approved by the FAA through the licensing process.

(b) Radionuclides. An applicant's safety review document must identify the type and quantity of any radionuclide on a launch vehicle or payload. For each radionuclide, an applicant must include a reference list of all documentation addressing the safety of its intended use and describe all approvals by the Nuclear Regulatory Commission for launch processing. An applicant must provide radionuclide information to the FAA at the pre-application consultation as required by § 415.105. The FAA will evaluate launch of any radionuclide on a case-by-case basis, and issue an approval if the FAA finds that the launch is consistent with public health and safety.

(c) Flight safety plan. An applicant's safety review document must contain a flight safety plan that satisfies § 417.111(b) of this chapter. The plan need not be restricted to public safety related issues and may combine other flight safety issues as well, such as employee safety, so as to be all-inclusive.

(d) Natural and triggered lightning. For any orbital or guided suborbital expendable launch vehicle, an applicant must demonstrate that it will satisfy the flight commit criteria of § 417.113(c) of this chapter and appendix G of part 417 of this chapter for natural and triggered lightning. If an applicant's safety review document states that any flight commit criterion that is otherwise required by appendix G of part 417 of this chapter does not apply to a proposed launch or series of launches, the applicant's safety review document must demonstrate that the criterion does not apply.

Ground safety.

(a) General. An applicant's safety review document must include a ground safety analysis report, and a ground safety plan for its launch processing and post-flight operations as required by this section, § 417.109 of this chapter, and subpart E of part 417 of this chapter when launching from a launch point in the United States. Launch processing and post-launch operations at a launch point outside the United States may be subject to the requirements of the governing jurisdiction.

(b) Ground safety analysis. A ground safety analysis must review each system and operation used in launch processing and post-flight operations as required by § 417.109 of this chapter, and subpart E of part 417 of this chapter.

(1) An applicant must file an initial ground safety analysis report no later than 12 months for any orbital or guided suborbital launch vehicle, and nine months for an unguided suborbital launch vehicle, before the applicant brings any launch vehicle to the proposed launch site. An initial ground safety analysis report must be in a proposed final or near final form and identify any incomplete items. An applicant must document any incomplete items and track them to completion. An applicant must resolve any FAA comments on the initial report and file a complete ground safety analysis report, no later than two months before the applicant brings any launch vehicle to the proposed launch site. Furthermore, an applicant must keep its ground safety analysis report current. Any late developing change to a ground safety analysis report must be coordinated with the FAA as an application amendment as required by § 413.17 of this chapter as soon as the applicant identifies the need for a change.

(2) An applicant must file a ground safety analysis report that satisfies the ground safety analysis requirements of § 417.109 of this chapter, and subpart E of part 417 of this chapter.

(3) The person designated under § 417.103(b)(1) of this chapter and the person designated under § 417.103(b)(2) of this chapter must approve and sign the ground safety analysis report.

(c) Ground safety plan. An applicant's safety review document must contain a ground safety plan that satisfies § 417.111(c) of this chapter. The applicant must file this plan with the FAA no later than six months prior to bringing the launch vehicle to the proposed launch site. This ground safety plan must describe implementation of the hazard controls identified by an applicant's ground safety analysis and implementation of the ground safety requirements of subpart E of part 417 of this chapter. A ground safety plan must address all public safety related issues and may include other ground safety issues if an applicant intends it to have a broader scope.

Launch plans.

An applicant's safety review document must contain the plans required by § 417.111 of this chapter, except for the countdown plan of § 417.111(l) of this chapter. An applicant's launch plans do not have to be separate documents, and may be part of other applicant documentation. An applicant must incorporate each launch safety rule established under § 417.113 of this chapter into a related launch safety plan.

Launch schedule.

An applicant's safety review document must contain a generic launch processing schedule that identifies each review, rehearsal, and safety critical preflight operation to be conducted as required by §§ 417.117, 417.119, and 417.121 of this chapter. The launch schedule must also identify day of flight activities. The launch processing schedule must show each of these activities referenced to liftoff, such as liftoff minus three days.

Computing systems and software.

(a) An applicant's safety review document must describe all computing systems and software that perform a safety-critical computer system function for any operation performed during launch processing or flight that could have a hazardous effect on the public as required by § 417.123 of this chapter.

(b) An applicant's safety review document must list and describe all safety-critical computer system functions involved in a proposed launch, including associated hardware and software interfaces. For each system with a safety-critical computer system function, an applicant's safety review document must:

(1) Describe all safety-critical computer system functions, including each safety-critical interface with any other system;

(2) Describe all systems, including all hardware and software, and the layout of each operator console and display;

(3) Provide flow charts or diagrams that show all hardware data busses, hardware interfaces, software interfaces, data flow, and power systems, and all operations of each safety-critical computer system function;

(4) Provide all logic diagrams and software designs;

(5) List all operator user manuals and documentation by title and date;

(6) Describe the computing system and software system safety process as required by § 417.123(a).

(7) Provide all results of computing system and software hazard analyses as required by § 417.123(c).

(8) Provide all plans and results of computing systems and software validation and verification as required by § 417.123(d).

(9) Provide all plans for software development as required by § 417.123(e).

Unique safety policies, requirements and practices.

An applicant's safety review document must identify any public safety-related policy, requirement, or practice that is unique to the proposed launch, or series of launches, as required by § 417.127 of this chapter. An applicant's safety review document must describe how each unique safety policy, requirement, or practice ensures the safety of the public.

Flight safety system design and operation data.

(a) General. This part applies to an applicant launching an orbital or guided sub-orbital expendable launch vehicle that uses a flight safety system to protect public safety as required by § 417.107(a) of this chapter. An applicant's safety review document must contain the flight safety system data identified by this section. The applicant must file all data required by this section no later than 18 months before bringing any launch vehicle to a proposed launch site.

(b) Flight safety system description. A safety review document must describe an applicant's flight safety system and its operation. Part 417, subpart D of this chapter and appendices D, E, and F of part 417 of this chapter contain the flight safety system and subsystems design and operational requirements.

(c) Flight safety system diagram. An applicant's safety review document must contain a block diagram that identifies all flight safety system subsystems. The diagram must include the following subsystems defined in part 417, subpart D of this chapter: flight termination system; command control system; tracking; telemetry; communications; flight safety data processing, display, and recording system; and flight safety official console.

(d) Subsystem design information. An applicant's safety review document must contain all of the following data that applies to each subsystem identified in the block diagram required by paragraph (c) of this section:

(1) Subsystem description. A physical description of each subsystem and its components, its operation, and interfaces with other systems or subsystems.

(2) Subsystem diagram. A physical and functional diagram of each subsystem, including interfaces with other systems and subsystems.

(3) Component location. Drawings showing the location of all subsystem components, and the details of the mounting arrangements, as installed on the vehicle, and at the launch site.

(4) Electronic components. A physical description of each subsystem electronic component, including operating parameters and functions at the system and piece-part level. An applicant must also provide the name of the manufacturer and any model number of each component and identify whether the component is custom designed and built or off-the-shelf-equipment.

(5) Mechanical components. An illustrated parts breakdown of all mechanically operated components for each subsystem, including the name of the manufacturer and any model number.

(6) Subsystem compatibility. A demonstration of the compatibility of the onboard launch vehicle flight termination system with the command control system.

(7) Flight termination system component storage, operating, and service life. A listing of all flight termination system components that have a critical storage, operating, or service life and a summary of the applicant's procedures for ensuring that each component does not exceed its storage, operating, or service life before flight.

(8) Flight termination system element location. For a flight termination system, a description of where each subsystem element is located, where cables are routed, and identification of mounting attach points and access points.

(9) Flight termination system electrical connectors and connections and wiring diagrams and schematics. For a flight termination system, a description of all subsystem electrical connectors and connections, and any electrical isolation. The safety review document must also contain flight termination system wiring diagrams and schematics and identify the test points used for integrated testing and checkout.

(10) Flight termination system batteries. A description of each flight termination system battery and cell, the name of the battery or cell manufacturer, and any model numbers.

(11) Controls and displays. For a flight safety official console, a description of all controls, displays, and charts depicting how real time vehicle data and flight safety limits are displayed. The description must identify the scales used for displays and charts.

(e) System analyses. An applicant must perform the reliability and other system analyses for a flight termination system and command control system of § 417.309 of this chapter. An applicant's safety review document must contain the results of each analysis.

(f) Environmental design. An applicant must determine the flight termination system maximum predicted environment levels required by section D417.7 of appendix D of part 417 of this chapter, and the design environments and design margins of section D417.3 of appendix D of part 417 of this chapter. An applicant's safety review document must summarize the analyses and measurements used to derive the maximum predicted environment levels. The safety review document must contain a matrix that identifies the maximum predicted environment levels and the design environments.

(g) Flight safety system compliance matrix. An applicant's safety review document must contain a compliance matrix of the function, reliability, system, subsystem, and component requirements of part 417 of this chapter and appendix D of part 417 of this chapter. This matrix must identify each requirement and indicate compliance as follows:

(1) “Yes” if the applicant's system meets the requirement of part 417 of this chapter. The matrix must reference documentation that demonstrates compliance;

(2) “Not applicable” if the applicant's system design and operational environment are such that the requirement does not apply. For each such case, the applicant must demonstrate, in accordance with section 406.3(b), the non-applicability of that requirement as an attachment to the matrix; or

(3) “Equivalent level of safety” in each case where the applicant proposes to show that its system provides an equivalent level of safety through some means other than that required by part 417 of this chapter. For each such case, an applicant must clearly and convincingly demonstrate, as required by § 406.3(b), through a technical rationale within the matrix, or as an attachment, that the proposed alternative provides a level of safety equivalent to satisfying the requirement that it would replace.

(h) Flight termination system installation procedures. An applicant's safety review document must contain a list of the flight termination system installation procedures and a synopsis of the procedures that demonstrates how each of those procedures meet the requirements of section D417.15 of appendix D of part 417 of this chapter. The list must reference each procedure by title, any document number, and date.

(i) Tracking validation procedures. An applicant's safety review document must contain the procedures identified by § 417.121(h) of this chapter for validating the accuracy of the launch vehicle tracking data supplied to the flight safety crew.

Flight safety system test data.

(a) General. An applicant's safety review document must contain the flight safety system test data required by this section for the launch of an orbital and guided suborbital expendable launch vehicle that uses a flight safety system to protect public safety as required by § 417.107(a) of this chapter. This section applies to all testing required by part 417, subpart D of this chapter and its appendices, including qualification, acceptance, age surveillance, and preflight testing of a flight safety system and its subsystems and individual components. An applicant must file all required test data, no later than 12 months before the applicant brings any launch vehicle to the proposed launch site. An applicant may file test data earlier to allow greater time for addressing issues that the FAA may identify to avoid possible impact on the proposed launch date. Flight safety system testing need not be completed before the FAA issues a launch license. Prior to flight, a licensee must successfully complete all required flight safety system testing and file the completed test reports or the test report summaries required by § 417.305(d) of this chapter and section E417.1(i) of appendix E of part 417 of this chapter.

(b) Testing compliance matrix. An applicant's safety review document must contain a compliance matrix of all the flight safety system, subsystem, and component testing requirements of part 417 of this chapter and appendix E to part 417 of this chapter. This matrix must identify each test requirement and indicate compliance as follows:

(1) “Yes” if the applicant performs the system or component testing required by part 417 of this chapter. The matrix must reference documentation that demonstrates compliance;

(2) “Not applicable” if the applicant's system design and operational environment are such that the test requirement does not apply. For each such case, an applicant must demonstrate, as required by § 406.3(b), the non-applicability of that requirement as an attachment to the matrix;

(3) “Similarity” if the test requirement applies to a component whose design is similar to a previously qualified component. For each such case, an applicant must demonstrate similarity by performing the analysis required by appendix E of part 417 of this chapter. The matrix, or an attachment, must contain the results of each analysis; or

(4) “Equivalent level of safety” in each case where the applicant proposes to show that its test program provides an equivalent level of safety through some means other than that required by part 417 of this chapter. For each such case, an applicant must clearly and convincingly demonstrate through a technical rationale, within the matrix or as an attachment, that the alternative provides a level of safety equivalent to satisfying the requirement that it replaces, as required by § 406.3(c).

(c) Test program overview and schedule. A safety review document must contain a summary of the applicant's flight safety system test program that identifies the location of the testing and the personnel who ensure the validity of the results. A safety review document must contain a schedule for successfully completing each test before flight. The applicant must reference the schedule to the time of liftoff for the first proposed flight attempt.

(d) Flight safety system test plans and procedures. An applicant's safety review document must contain test plans that satisfy the flight safety system testing requirements of subpart D of part 417 of this chapter and appendix E of part 417 of this chapter. An applicant's safety review document must contain a list of all flight termination system test procedures and a synopsis of the procedures that demonstrates how they meet the test requirements of part 417 of this chapter. The list must reference each procedure by title, any document number, and date.

(e) Test reports. An applicant's safety review document must contain either the test reports, or a summary of the test report which captures the overall test results, including all test discrepancies and their resolution, prepared as required by § 417.305(d) of this chapter and section E417.1(i) of appendix E of part 417 of this chapter, for each flight safety system test completed at the time of license application. An applicant must file any remaining test reports or summaries before flight as required by § 417.305(d) and section E417.1(i) of appendix E of part 417 of this chapter. Upon request, the launch operator must file the complete test report with the FAA for review, if the launch operator previously filed test report summaries with the FAA.

(f) Reuse of flight termination system components. An applicant's safety review document must contain a reuse qualification test, refurbishment plan, and acceptance test plan for the use of any flight termination system component on more than one flight. This test plan must define the applicant's process for demonstrating that the component can satisfy all its performance specifications when subjected to the qualification test environmental levels plus the total number of exposures to the maximum expected environmental levels for each of the flights to be flown.

Flight safety system crew data.

(a) An applicant's safety review document must identify each flight safety system crew position and the role of that crewmember during launch processing and flight of a launch vehicle.

(b) An applicant's safety review document must describe the certification program for flight safety system crewmembers established to ensure compliance with §§ 417.105 and 417.311 of this chapter.

Safety at end of launch.

An applicant must demonstrate compliance with § 417.129 of this chapter, for any proposed launch of a launch vehicle with a stage or component that will reach Earth orbit.

Denial of safety approval.

The FAA notifies an applicant, in writing, if it has denied safety approval for a license application. The notice states the reasons for the FAA's determination. The applicant may respond to the reasons for the determination and request reconsideration.

Subpart G—[Amended]

19. Subpart G is amended by adding and reserving §§ 415.204 through 415.400.

20. Add appendix B of part 415 to read as follows:

Appendix B of Part 415—Safety Review Document Outline

This appendix contains the format and numbering scheme for a safety review document to be filed as part of an application for a launch license as required by subpart F of part 415. The applicable sections of parts 413, 415, and 417 of this chapter are referenced in the outline below.

Safety Review Document

1.0 Launch Description (§ 415.109)

1.1 Launch Site Description

1.2 Launch Vehicle Description

1.3 Payload Description

1.4 Trajectory

1.5 Staging Events

1.6 Vehicle Performance Graphs

2.0 Launch Operator Organization (§ 415.111)

2.1 Launch Operator Organization (§ 415.111 and § 417.103 of this chapter)

2.1.1 Organization Summary

2.1.3 Organization Charts

2.1.4 Office Descriptions and Safety Functions

3.0 Launch Personnel Certification Program (§ 415.113 and § 417.105 of this chapter)

3.1 Program Summary

3.2 Program Implementation Document(s)

3.3 Table of Safety Critical Tasks Performed by Certified Personnel

4.0 Flight Safety (§ 415.115)

4.1 Initial Flight Safety Analysis

4.1.1 Flight Safety Sub-Analyses, Methods, and Assumptions

4.1.2 Sample Calculation and Products

4.1.3 Launch Specific Updates and Final Flight Safety Analysis Data

4.2 Radionuclide Data (where applicable)

4.3 Flight Safety Plan

4.3.1 Flight Safety Personnel

4.3.2 Flight Safety Rules

4.3.3 Flight Safety System Summary and Preflight Tests

4.3.4 Trajectory and Debris Dispersion Data

4.3.5 Flight Hazard Areas and Safety Clear Zones

4.3.6 Support Systems and Services

4.3.7 Flight Safety Operations

4.3.8 Unguided Suborbital Launch Vehicles (where applicable)

5.0 Ground Safety (§ 415.117)

5.1 Ground Safety Analysis Report

5.2 Ground Safety Plan

6.0 Launch Plans (§ 415.119 and § 417.111 of this chapter)

6.1 Launch Support Equipment and Instrumentation Plan

6.2 Configuration Management and Control Plan

6.3 Frequency Management Plan

6.4 Flight Termination System Electronic Piece Parts Program Plan

6.5 Accident Investigation Plan

6.6 Local Agreements and Public Coordination Plan

6.7 Hazard Area Surveillance and Clearance Plan

6.8 Communications Plan

7.0 Launch Schedule (§ 415.121)

7.1 Launch Processing Schedule

8.0 Computing Systems and Software (§ 415.123)

8.1 Hardware and Software Descriptions

8.2 Flow Charts and Diagrams

8.3 Logic Diagrams and Software Design Descriptions

8.4 Operator User Manuals and Documentation

8.5 Software Hazard Analyses

8.6 Software Test Plans, Test Procedures, and Test Results

8.7 Software Development Plan

9.0 Unique Safety Policies, Requirements and Practices (§ 415.125)

10.0 Flight Safety System Design and Operation Data (§ 415.127)

10.1 Flight Safety System Description

10.2 Flight Safety System Diagram

10.3 Flight Safety System Subsystem Design Information

10.4 Flight Safety System Analyses

10.5 Flight Termination System Environmental Design

10.6 Flight Safety System Compliance Matrix

10.7 Flight Termination System Installation Procedures

10.8 Tracking System Validation Procedures

11.0 Flight Safety System Test Data (§ 415.129)

11.1 Testing Compliance Matrix

11.2 Test Program Overview and Schedule

11.3 Flight Safety System Test Plans and Procedures

11.4 Test Reports

11.5 Reuse of Flight Termination System Components

12.0 Flight Safety System Crew Data (§ 415.131)

12.1 Position Descriptions

12.2 Certification and Training Program Description

13.0 Safety at End of Launch (§ 415.133)

21. Add part 417 to read as follows:

PART 417—LAUNCH SAFETY

Subpart A—General and License Terms and Conditions
417.1 General information.
417.3 Definitions and acronyms.
417.5 [Reserved]
417.7 Public safety responsibility.
417.9 Launch site responsibility.
417.11 Continuing accuracy of license application; application for modification of license.
417.13 Agreement with Federal launch range.
417.15 Records.
417.17 Launch reporting requirements and launch specific updates.
417.19 Registration of space objects.
417.21 Financial responsibility requirements.
417.23 Compliance monitoring.
417.25 Post launch report.
417.26 through 417.100 [Reserved]

Subpart B—Launch Safety Responsibilities
417.101 Scope.
417.103 Safety organization.
417.105 Launch personnel qualifications and certification.
417.107 Flight safety.
417.109 Ground safety.
417.111 Launch plans.
417.113 Launch safety rules.
417.115 Tests.
417.117 Reviews.
417.119 Rehearsals.
417.121 Safety critical preflight operations.
417.123 Computing systems and software.
417.125 Launch of an unguided suborbital launch vehicle.
417.127 Unique safety policies, requirements, and practices.
417.129 Safety at end of launch.
417.130 through 417.200 [Reserved]

Subpart C—Flight Safety Analysis
417.201 Scope and applicability.
417.203 Compliance.
417.205 General.
417.207 Trajectory analysis.
417.209 Malfunction turn analysis.
417.211 Debris analysis.
417.213 Flight safety limits analysis.
417.215 Straight-up time analysis.
417.217 Overflight gate analysis.
417.218 Hold-and-resume gate analysis.
417.219 Data loss flight time and planned safe flight state analyses.
417.221 Time delay analysis.
417.223 Flight hazard area analysis.
417.224 Probability of failure analysis.
417.225 Debris risk analysis.
417.227 Toxic release hazard analysis.
417.229 Far-field overpressure blast effects analysis.
417.231 Collision avoidance analysis.
417.233 Analysis for an unguided suborbital launch vehicle flown with a wind weighting safety system.

Subpart D—Flight Safety System
417.301 General.
417.303 Command control system requirements.
417.305 Command control system testing.
417.307 Support systems.
417.309 Flight safety system analysis.
417.311 Flight safety system crew roles and qualifications.

Subpart E—Ground Safety
417.401 Scope.
417.402 Compliance.
417.403 General.
417.405 Ground safety analysis.
417.407 Hazard control implementation.
417.409 System hazard controls.
417.411 Safety clear zones for hazardous operations.
417.413 Hazard areas.
417.415 Post-launch and post-flight-attempt hazard controls.
417.417 Propellants and explosives.

Appendix A of Part 417—Flight Safety Analysis Methodologies and Products for a Launch Vehicle Flown with a Flight Safety System

Appendix B of Part 417—Flight Hazard Area Analysis for Aircraft and Ship Protection

Appendix C of Part 417—Flight Safety Analysis Methodologies and Products for an Unguided Suborbital Launch Vehicle Flown With a Wind Weighting Safety System

Appendix D of Part 417—Flight Termination Systems, Components, Installation, and Monitoring

Appendix E of Part 417—Flight Termination System Testing and Analysis

Appendix F of Part 417—[Reserved]

Appendix G of Part 417—Natural and Triggered Lightning Flight Commit Criteria

Appendix H of Part 417—[Reserved]

Appendix I of Part 417—Methodologies for Toxic Release Hazard Analysis and Operational Procedures

Appendix J of Part 417—Ground Safety Analysis Report

Authority: 49 U.S.C. 70101-70121.

Subpart A—General and License Terms and Conditions

§ 417.1 General information.

(a) Scope. This part sets forth—

(1) The responsibilities of a launch operator conducting a licensed launch of an expendable launch vehicle; and

(2) The requirements for maintaining a launch license obtained under part 415 of this chapter. Parts 413 and 415 of this chapter contain requirements for preparing a license application to conduct a launch, including information reviewed by the FAA to conduct a policy, safety, payload, and environmental review, and a payload determination.

(b) Applicability.

(1) The administrative requirements for filing material with the FAA in subpart A of this part apply to all licensed launches from a Federal launch range or a non-Federal launch site, except where noted.

(2) The safety requirements of subparts B through E of this part apply to all licensed launches of expendable launch vehicles. See paragraphs (d) and (e) of this section for exceptions to this provision.

(c) “Meets intent” certification. For a licensed launch from a Federal launch range, a launch operator need not demonstrate to the FAA that an alternative means of satisfying a requirement of this part provides an equivalent level of safety for a launch if written evidence demonstrates that a Federal launch range has, by the effective date of this part, granted a “meets intent certification,” including through “tailoring,” that applies to the requirement and that launch. See paragraph (f) of this section for exceptions to this provision. Written evidence includes:

(1) Range flight plan approval,

(2) Missile system pre-launch safety package,

(3) Preliminary and final flight data packages,

(4) A tailored version of EWR 127-1,

(5) Range email to the FAA stating that the MIC was approved, or

(6) Operation approval.

(d) Waiver. For a licensed launch from a Federal launch range, a requirement of this part does not apply to a launch if written evidence demonstrates that a Federal launch range has, by the effective date of this part, granted a waiver that allows noncompliance with the requirement for that launch. See paragraph (f) of this section for exceptions to this provision. Written evidence includes:

(1) Range flight plan approval,

(2) Missile system pre-launch safety package,

(3) Preliminary and final flight data packages,

(4) A tailored version of EWR 127-1,

(5) Range email to the FAA stating that the waiver was approved, or

(6) Operation approval.

(e) Grandfathering. For a licensed launch from a Federal launch range, a requirement of this part does not apply to the launch if the Federal launch range's grandfathering criteria allow noncompliance with the requirement for that launch. See paragraph (f) of this section for exceptions to this provision.

(f) Exceptions to Federal launch range meets intent certifications, waivers, and grandfathering. Even if a licensed launch from a Federal launch range satisfies paragraph (c), (d), or (e) of this section for a requirement of this part, the requirement applies and a launch operator must satisfy the requirement, obtain FAA approval of any alternative, or obtain FAA approval for any further noncompliance if—

(1) The launch operator modifies the launch vehicle's operation or safety characteristics;

(2) The launch operator uses the launch vehicle, component, system, or subsystem in a new application;

(3) The FAA or the launch operator determines that a previously unforeseen or newly discovered safety hazard exists that is a source of significant risk to public safety; or

(4) The Federal launch range previously accepted a component, system, or subsystem, but did not then identify a noncompliance to a Federal launch range requirement.

(g) Equivalent level of safety. The requirements of this part apply to a launch operator and the launch operator's launch unless the launch operator clearly and convincingly demonstrates that an alternative approach provides an equivalent level of safety.

§ 417.3 Definitions and acronyms.

For the purpose of this part,

Command control system means the portion of a flight safety system that includes all components needed to send a flight termination control signal to an onboard vehicle flight termination system. A command control system starts with any flight termination activation switch at a flight safety crew console and ends at each command-transmitting antenna. It includes all intermediate equipment, linkages, and software and any auxiliary transmitter stations that ensure a command signal will reach the onboard vehicle flight termination system from liftoff until the launch vehicle achieves orbit or can no longer reach a populated or other protected area.

Command destruct system means a portion of a flight termination system that includes all components on board a launch vehicle that receive a flight termination control signal and achieve destruction of the launch vehicle. A command destruct system includes all receiving antennas, receiver decoders, explosive initiating and transmission devices, safe and arm devices and ordnance necessary to achieving destruction of the launch vehicle upon receipt of a destruct command.

Conjunction on launch means the approach of a launch vehicle or any launch vehicle component or payload within 200 kilometers of a manned or mannable orbiting object—

(1) During the flight of an unguided suborbital rocket; or

(2) For an orbital launch vehicle during—

(i) The ascent to initial orbital insertion and through at least one complete orbit; and

(ii) Each subsequent orbital maneuver or burn from initial park orbit, or direct ascent to a higher or interplanetary orbit.

Countdown means the timed sequence of events that must take place to initiate flight of a launch vehicle.

Crossrange means the distance measured along a line whose direction is either 90 degrees clockwise (right crossrange) or counter-clockwise (left crossrange) to the projection of a launch vehicle's planned nominal velocity vector azimuth onto a horizontal plane tangent to the ellipsoidal Earth model at the launch vehicle's sub-vehicle point. The terms right crossrange and left crossrange may also be used to indicate direction.

Data loss flight time means the shortest elapsed thrusting time during which a launch vehicle flown with a flight safety system can move from its normal trajectory to a condition where it is possible for the launch vehicle to endanger the public.

Destruct means the act of terminating the flight of a launch vehicle flown with a flight safety system in a way that destroys the launch vehicle and disperses or expends all remaining propellant and renders remaining energy sources non-propulsive before the launch vehicle or any launch vehicle component or payload impacts the Earth's surface.

Downrange means the distance measured along a line whose direction is parallel to the projection of a launch vehicle's planned nominal velocity vector azimuth into a horizontal plane tangent to the ellipsoidal Earth model at the launch vehicle sub-vehicle point. The term downrange may also be used to indicate direction.

Drag impact point means a launch vehicle instantaneous impact point corrected for atmospheric drag.

Dwell time means—

(1) The period during which a launch vehicle instantaneous impact point is over a populated or other protected area; or

(2) The period during which an object is subjected to a test condition.

Explosive debris means solid propellant fragments or other pieces of a launch vehicle or payload that result from break up of the launch vehicle during flight and that explode upon impact with the Earth's surface and cause overpressure.

Fail-over means a method of ensuring continuous or near continuous operation of a command transmitter system by automatically switching from a primary transmitter to a secondary transmitter when a condition exists that indicates potential failure of the primary transmitter.

Family performance data means—

(1) Results of launch vehicle component and system tests that represent similar characteristics for a launch vehicle component or system; and

(2) Data that is continuously updated as additional samples of a given component or system are tested.

Flight safety limit means criteria to ensure a set of impact limit lines established for the flight of a launch vehicle flown with a flight safety system bound the area where debris with a ballistic coefficient of three or more is allowed to impact when a flight safety system functions.

Flight safety system means the system that provides a means of control during flight for preventing a hazard from a launch vehicle, including any payload hazard, from reaching any populated or other protected area in the event of a launch vehicle failure. A flight safety system includes:

(1) All hardware and software used to protect the public in the event of a launch vehicle failure; and

(2) The functions of any flight safety crew.

Flight safety crew means the personnel, designated by a launch operator, who operate flight safety system hardware and software to monitor the flight of a launch vehicle and make a flight termination decision.

Flight termination system means all components, onboard a launch vehicle, that provide the ability to end a launch vehicle's flight in a controlled manner. A flight termination system consists of all command destruct systems, inadvertent separation destruct systems, or other systems or components that are onboard a launch vehicle and used to terminate flight.

Gate means the portion of a flight safety limit boundary through which the tracking icon of a launch vehicle flown with a flight safety system may pass without flight termination.

In-family means a launch vehicle component or system test result that indicates that the component or system's performance conforms to the family performance data that was established by previous test results.

Inadvertent separation destruct system means an automatic destruct system that uses mechanical means to trigger the destruction of a launch vehicle stage.

Launch azimuth means the horizontal angular direction initially taken by a launch vehicle at liftoff, measured clockwise in degrees from true north.

Launch crew means all personnel who control the countdown and flight of a launch vehicle or who make irrevocable operational decisions that have the potential for impacting public safety. A launch crew includes members of the flight safety crew.

Launch processing means all preflight preparation of a launch vehicle at a launch site, including buildup of the launch vehicle, integration of the payload, and fueling.

Launch wait means a relatively short period of time when launch is not permitted in order to avoid a conjunction on launch or to safely accommodate temporary intrusion into a flight hazard area. A launch wait can occur within a launch window, can delay the start of a launch window, or terminate a launch window early.

Launch window means a period of time during which the flight of a launch vehicle may be initiated.

“Meets intent” certification means a decision by a Federal launch range to accept a substitute means of satisfying a safety requirement where the substitute provides an equivalent level of safety to that of the original requirement.

Normal flight means the flight of a properly performing launch vehicle whose real-time instantaneous impact point does not deviate from the nominal instantaneous impact point by more than the sum of the wind effects and the three-sigma guidance and performance deviations in the uprange, downrange, left-crossrange, or right-crossrange directions.

Normal trajectory means a trajectory that describes normal flight.

Non-operating environment means an environment that a launch vehicle component experiences before flight and when not otherwise being subjected to acceptance tests. Non-operating environments include, but need not be limited to, storage, transportation, and installation.

Operating environment means an environment that a launch vehicle component will experience during acceptance testing, launch countdown, and flight. Operating environments include shock, vibration, thermal cycle, acceleration, humidity, and thermal vacuum.

Operating life means, for a flight safety system component, the period of time beginning with activation of the component or installation of the component on a launch vehicle, whichever is earlier, for which the component is capable of satisfying all its performance specifications through the end of flight.

Operation hazard means a hazard derived from an unsafe condition created by a system or operating environment or by an unsafe act.

Out-of-family means a component or system test result where the component or system's performance does not conform to the family performance data that was established by previous test results and is an indication of a potential problem with the component or system requiring further investigation and possible corrective action.

Passive component means a flight termination system component that does not contain active electronic piece parts.

Performance specification means a statement prescribing the particulars of how a component or part is expected to perform in relation to the system that contains the component or part. A performance specification includes specific values for the range of operation, input, output, or other parameters that define the component's or part's expected performance.

Protected area means an area of land not controlled by a launch operator that:

(1) Is a populated area;

(2) Is environmentally sensitive; or

(3) Contains a vital national asset.

Safety-critical computer system function means any computer system function that, if not performed, if performed out of sequence, or if performed incorrectly, may directly or indirectly cause a public safety hazard.

Service life means, for a flight termination system component, the sum total of the component's storage life and operating life.

Storage life means, for a flight termination system component, the period of time after manufacturing of the component is complete until the component is activated or installed on a launch vehicle, whichever is earlier, during which the component may be subjected to storage environments and must remain capable of satisfying all its performance specifications.

Sub-vehicle point means the location on an ellipsoidal Earth model where the normal to the ellipsoid passes through the launch vehicle's center of gravity. The term is the same as the weapon system term “sub-missile point.”

System hazard means a hazard associated with a system and generally exists even when no operation is occurring.

Tracking icon means the representation of a launch vehicle's instantaneous impact point, debris footprint, or other vehicle performance metric that is displayed to a flight safety crew during real-time tracking of the launch vehicle's flight.

Uprange means the distance measured along a line that is 180 degrees to the downrange direction. The term uprange may also be used to indicate direction.

Waiver means a decision that allows a launch operator to continue with a launch despite not satisfying a specific safety requirement and where the launch operator is not able to demonstrate an equivalent level of safety.

§ 417.5 [Reserved].

§ 417.7 Public safety responsibility.

A launch operator is responsible for ensuring the safe conduct of a licensed launch and for ensuring public safety and safety of property at all times during the conduct of a licensed launch.

§ 417.9 Launch site responsibility.

(a) A launch operator must ensure that launch processing at a launch site in the United States satisfies the requirements of this part. Launch processing at a launch site outside the United States may be subject to the requirements of the governing jurisdiction.

(b) For a launch from a launch site licensed under part 420 of this chapter, a launch operator must—

(1) Conduct its operations as required by any agreements that the launch site operator has with any Federal and local authorities under part 420 of this chapter; and

(2) Coordinate with the launch site operator and provide any information on its activities and potential hazards necessary for the launch site operator to determine how to protect any other launch operator, person, or property at the launch site as required by the launch site operator's obligations under § 420.55 of this chapter.

(c) For a launch from an exclusive-use site, where there is no licensed launch site operator, a launch operator must satisfy the requirements of this part and the public safety requirements of part 420 of this chapter. This subpart does not apply to licensed launches occurring from Federal launch ranges.

§ 417.11 Continuing accuracy of license application; application for modification of license.

(a) A launch operator must ensure the representations contained in its application are accurate for the entire term of the license. A launch operator must conduct a licensed launch and carry out launch safety procedures in accordance with its application.

(b) After the FAA issues a launch license, a launch operator must apply to the FAA for modification of a launch license if—

(1) A launch operator proposes to conduct a launch or carry out a launch safety procedure or operation in a manner that is not authorized by the license; or

(2) Any representation contained in the license application that is material to public health and safety or safety of property would no longer be accurate and complete or would not reflect the launch operator's procedures governing the actual conduct of a launch. A representation is material to public health and safety or safety of property if it alters or affects the launch operator's launch plans or procedures, class of payload, orbital destination, type of launch vehicle, flight path, launch site, launch point, or any safety system, policy, procedure, requirement, criteria or standard.

(c) A launch operator must prepare and file an application to modify a launch license under part 413 of this chapter. The launch operator must identify any part of its license or license application that a proposed modification would change or affect.

(d) The FAA reviews all approvals and determinations required by this chapter to determine whether they remain valid in light of a proposed modification. The FAA approves a modification that satisfies the requirements of this part.

(e) Upon approval of a modification, the FAA issues to a launch operator either a written approval or a license order modifying the license if a stated term or condition of the license is changed, added or deleted. A written approval has the full force and effect of a license order and is part of the licensing record.

§ 417.13 Agreement with Federal launch range.

Before conducting a licensed launch from a Federal launch range, a launch operator must—

(a) Enter into an agreement with a Federal launch range to provide access to and use of U.S. Government property and services required to support a licensed launch from the facility and for public safety related operations and support. The agreement must be in effect for the conduct of any licensed launch; and

(b) Comply with any requirements of the agreement with the Federal launch range that may affect public safety and safety of property during the conduct of a licensed launch, including flight safety procedures and requirements.

§ 417.15 Records.

(a) A launch operator must maintain all records necessary to verify that it conducts licensed launches according to representations contained in the licensee's application. A launch operator must retain records for three years after completion of all launches conducted under the license.

(b) If a launch accident or launch incident occurs, as defined by § 405.1 of this chapter, a launch operator must preserve all records related to the event until completion of any Federal investigation and the FAA advises the licensee not to retain the records. The launch operator must make available to Federal officials for inspection and copying all records that these regulations require the launch operator to maintain.

§ 417.17 Launch reporting requirements and launch specific updates.

(a) General. A launch operator must satisfy the launch reporting requirements and launch specific updates required by this section and by the terms of the launch operator's license. A launch operator must file any change to the information in the license application, not identified by this section, with the FAA as a request for license modification as required by § 417.11.

(b) Launch reporting requirements for a launch from a Federal launch range or a non-Federal launch site.

(1) Launch schedule and point of contact. For each launch, a launch operator must file a launch schedule that identifies each review, rehearsal, and safety critical launch processing. A launch operator must file a point of contact for the schedule. The launch schedule must be filed and updated in time to allow FAA personnel to participate in the reviews, rehearsals, and safety critical launch processing.

(2) Sixty-day report. Not later than 60 days before each flight conducted under a launch operator license, a launch operator must provide the FAA the following launch-specific information:

(i) Payload information required by § 415.59 of this chapter; and

(ii) Flight information, including the launch vehicle, planned flight path, staging and impact locations, and any on-orbit activity of the launch vehicle, including each payload delivery point.

(3) U.S. Space Command Launch Notification. Not later than noon, EST, 15 days before each licensed flight, a launch operator must file a completed Federal Aviation Administration/U.S. Space Command (FAA/USSPACECOM) Launch Notification Form (OMB No. 2120-0608) with the FAA.

(c) Launch specific updates for a launch from a non-Federal launch site. A launch operator must file a launch specific update, required by this part, and any required by the terms of the launch license, for every substantive change to the information outlined in this part. For each launch, a launch operator must file the following launch specific updates:

(1) Flight safety system test schedule. For each launch of a launch vehicle flown with a flight safety system, a launch operator must file an updated flight safety system test schedule and points of contact no later than six months before flight. A launch operator must immediately file any later change to ensure that the FAA has the most current data.

(2) Launch plans. A launch operator must file any changes or additions to its launch plans required by § 417.111 to the FAA no later than 15 days before the associated activity is to take place. A launch operator must file the countdown plan with the FAA no later than 15 days before the countdown is to take place. If a change involves the addition of a new public hazard or the elimination of any control for a previously identified public hazard, a launch operator must request a license modification under § 417.11.

(3) Thirty-day flight safety analysis update. A launch operator must file updated flight safety analysis products, using previously approved methodologies, for each launch no later than 30 days before flight.

(i) The launch operator:

(A) Must account for vehicle and mission specific input data;

(B) May reference previously approved analysis products and data that are applicable to the launch or data that is applicable to a series of launches;

(C) Must account for potential variations in input data that may affect any analysis product within the final 30 days before flight;

(D) Must file the analysis products using the same format and organization used in its license application; and

(E) May not change an analysis product within the final 30 days before flight unless the launch operator identified a process for making a change in that period as part of the launch operator's flight safety analysis process and the FAA approved the process by grant of a license to the launch operator.

(ii) A launch operator need not file the 30-day analysis if the launch operator:

(A) Demonstrates that the analysis filed during the license application process satisfies all the requirements of this subpart; and

(B) Demonstrates the analysis does not need to be updated to account for launch specific factors.

(4) Flight termination system qualification test reports. For the launch of a launch vehicle flown with a flight safety system, a launch operator must file all flight termination system qualification test reports, or test report summaries, as required by section E417.1(i) of appendix E of this part, with the FAA no later than six months before the first flight attempt. The summary must identify when and where the tests were performed and provide the results. Complete qualification test reports must be made available to the FAA upon request.

(5) Flight termination system acceptance and age surveillance test report summaries. For the launch of a launch vehicle flown with a flight safety system, a launch operator must file a summary of the results of each flight termination system acceptance and age surveillance test, or the complete test report, as required by section E417.1(i) of appendix E of this part, no later than 30 days before the first flight attempt for each launch. The summary must identify when and where the tests were performed and provide the results. Complete acceptance and age surveillance test reports must be made available to the FAA upon request.

(6) Command control system acceptance test reports. For the launch of a launch vehicle flown with a flight safety system, a launch operator must file all command control system acceptance test reports, or test report summaries, as required by § 417.305(d), with the FAA no later than 30 days before the first flight attempt. The summary must identify when and where the tests were performed and provide the results. Complete acceptance test reports must be made available to the FAA upon request.

(7) Ground safety analysis report updates. A launch operator must file ground safety analysis report updates with the FAA as soon as the need for the change is identified and at least 30 days before the associated activity takes place. A launch operator must file a license modification request with the FAA for each change that involves the addition of a hazard that can affect public safety or the elimination of a previously identified hazard control for a hazard that still exists.

§ 417.19 Registration of space objects.

(a) To assist the U.S. Government in implementing Article IV of the 1975 Convention on Registration of Objects Launched into Outer Space, each launch operator must provide to the FAA the information required by paragraph (b) of this section for all objects placed in space by a licensed launch, including a launch vehicle and any components, except:

(1) Any object owned and registered by the U.S. Government; and

(2) Any object owned by a foreign entity.

(b) For each object that must be registered in accordance with this section, not later than 30 days following the conduct of a licensed launch, an operator must file the following information:

(1) The international designator of the space object(s);

(2) Date and location of launch;

(3) General function of the space object; and

(4) Final orbital parameters, including:

(i) Nodal period;

(ii) Inclination;

(iii) Apogee; and

(iv) Perigee.

§ 417.21 Financial responsibility requirements.

A launch operator must comply with financial responsibility requirements as required by part 440 of this chapter and as specified in a license or license order.

§ 417.23 Compliance monitoring.

(a) A launch operator must allow access by, and cooperate with, Federal officers or employees or other individuals authorized by the FAA to observe any of its activities, or of its contractors or subcontractors, associated with the conduct of a licensed launch.

(b) For each licensed launch, a launch operator must provide the FAA with a console for monitoring the progress of the countdown and communication on all channels of the countdown communications network. A launch operator must also provide the FAA with the capability to communicate with the person designated by § 417.103(b)(1).

§ 417.25 Post launch report.

(a) For a launch operator launching from a Federal launch range, a launch operator must file a post launch report with the FAA no later than 90 days after the launch, unless an FAA launch site safety assessment shows that the Federal launch range creates a post launch report that contains the information required by this section.

(b) For a launch operator launching from a non-Federal launch site, a launch operator must file a post launch report with the FAA no later than 90 days after the launch.

(c) The post launch report must:

(1) Identify any discrepancy or anomaly that occurred during the launch countdown and flight;

(2) Identify any deviation from any term of the license or any event otherwise material to public safety, and each corrective action to be implemented before any future flight;

(3) For the launch of a launch vehicle flown with a flight safety system, identify any flight environment not consistent with the maximum predicted environment as required by § 417.307(b) and any measured wind profiles not consistent with the predictions used for the launch, as required by § 417.217(d)(2); and

(4) For the launch of an unguided suborbital launch vehicle, identify the actual impact location of all impacting stages and any impacting components, and provide a comparison of actual and predicted nominal performance.

§§ 417.26 through 417.100 [Reserved]

Subpart B—Launch Safety Responsibilities

§ 417.101 Scope.

This subpart contains public safety requirements that apply to the launch of an orbital or suborbital expendable launch vehicle from a Federal launch range or other launch site. If the FAA has assessed the Federal launch range, through its launch site safety assessment, and found that an applicable range safety-related launch service or property satisfies the requirements of this subpart, then the FAA will treat the Federal launch range's launch service or property as that of a launch operator without need for further demonstration of compliance to the FAA if:

(a) A launch operator has contracted with a Federal launch range for the provision of the safety-related launch service or property; and

(b) The FAA has assessed the Federal launch range, through its launch site safety assessment, and found that the Federal launch range's safety-related launch service or property satisfy the requirements of this subpart. In this case, the FAA will treat the Federal launch range's process as that of a launch operator.

§ 417.103 Safety organization.

(a) A launch operator must maintain and document a safety organization. A launch operator must identify lines of communication and approval authority for all public safety decisions, including those regarding design, operations, and analysis. A launch operator must describe its lines of communication, both within the launch operator's organization and between the launch operator and any federal launch range or other launch site operator providing launch services, in writing. Documented approval authority shall also be employed by the launch operator throughout the life of the launch system to ensure public safety and compliance with this part.

(b) A launch operator's safety organization must include, but need not be limited to, the following launch management positions:

(1) An employee of the launch operator who has the launch operator's final approval authority for launch. This employee, referred to as the launch director in this part, must ensure compliance with this part.

(2) An employee of the launch operator who is authorized to examine all aspects of the launch operator's launch safety operations and to monitor independently personnel compliance with the launch operator's safety policies and procedures. This employee, referred to as the safety official in this part, shall have direct access to the launch director, who shall ensure that all of the safety official's concerns are addressed prior to launch.

§ 417.105 Launch personnel qualifications and certification.

(a) General. A launch operator must employ a personnel certification program that documents the qualifications, including education, experience, and training, for each member of the launch crew.

(b) Personnel certification program. A launch operator's personnel certification program must:

(1) Conduct an annual personnel qualifications review and issue individual certifications to perform safety related tasks.

(2) Revoke individual certifications for negligence or failure to satisfy certification requirements.

§ 417.107 Flight safety.

(a) Flight safety system. For each launch vehicle, vehicle component, and payload, a launch operator must use a flight safety system that satisfies subpart D of this part as follows, unless § 417.125 applies.

(1) In the vicinity of the launch site. For each launch vehicle, vehicle component, and payload, a launch operator must use a flight safety system in the vicinity of the launch site if the following exist:

(i) Any hazard from a launch vehicle, vehicle component, or payload can reach any protected area at any time during flight; or

(ii) A failure of the launch vehicle would have a high consequence to the public.

(2) In the downrange area. For each launch vehicle, vehicle component, and payload, a launch operator must provide a flight safety system downrange if the absence of a flight safety system would significantly increase the accumulated risk from debris impacts.

(b) Public risk criteria. A launch operator may initiate the flight of a launch vehicle only if flight safety analysis performed under paragraph (f) of this section demonstrates that any risk to the public satisfies the following public risk criteria:

(1) A launch operator may initiate the flight of a launch vehicle only if the risk associated with the total flight to all members of the public, excluding persons in waterborne vessels and aircraft, does not exceed an expected average number of 0.00003 casualties (E_c ≤ 30 × 10⁻⁶) from impacting inert and impacting explosive debris, (E_c ≤ 30 × 10⁻⁶) for toxic release, and (E_c ≤ 30 × 10⁻⁶) for far field blast overpressure. The FAA will determine whether to approve public risk due to any other hazard associated with the proposed flight of a launch vehicle on a case-by-case basis. The E_c criterion for each hazard applies to each launch from lift-off through orbital insertion, including each planned impact, for an orbital launch, and through final impact for a suborbital launch.

(2) A launch operator may initiate flight only if the risk to any individual member of the public does not exceed a casualty expectation (E_c) of 0.000001 per launch (E_c ≤ 1 × 10⁻⁶) for each hazard.

(3) A launch operator must implement water borne vessel hazard areas that provide an equivalent level of safety to that provided by water borne vessel hazard areas implemented for launch from a Federal launch range.

(4) A launch operator must establish aircraft hazard areas that provide an equivalent level of safety to that provided by aircraft hazard areas implemented for launch from a Federal launch range.

(c) Debris thresholds. A launch operator's flight safety analysis, performed as required by paragraph (f) of this section, must account for any inert debris impact with a mean expected kinetic energy at impact greater than or equal to 11 ft-lbs and, except for the far field blast overpressure effects analysis of § 417.229, a peak incident overpressure greater than or equal to 1.0 psi due to any explosive debris impact.

(1) When using the 11 ft-lbs threshold to determine potential casualties due to blunt trauma from inert debris impacts, the analysis must:

(i) Incorporate a probabilistic model that accounts for the probability of casualty due to any debris expected to impact with kinetic energy of 11 ft-lbs or greater and satisfy paragraph (d) of this section; or

(ii) Count each expected impact with kinetic energy of 11 ft-lbs or greater to a person as a casualty.

(2) When applying the 1.0 psi threshold to determine potential casualties due to blast overpressure effects, the analysis must:

(i) Incorporate a probabilistic model that accounts for the probability of casualty due to any blast overpressures of 1.0 psi or greater and satisfy paragraph (d) of this section; or

(ii) Count each person within the 1.0 psi overpressure radius of the source explosion as a casualty. When using this approach, the analysis must compute the peak incident overpressure using the Kingery-Bulmash relationship and may not take into account sheltering, reflections, or atmospheric effects. For persons located in buildings, the analysis must compute the peak incident overpressure for the shortest distance between the building and the blast source. The analysis must count each person located anywhere in a building subjected to peak incident overpressure equal to or greater than 1.0 psi as a casualty.

(d) Casualty modeling. A probabilistic casualty model must be based on accurate data and scientific principles and must be statistically valid. A launch operator must obtain FAA approval of any probabilistic casualty model that is used in the flight safety analysis. If the launch takes place from a Federal launch range, the analysis may employ any probabilistic casualty model that the FAA accepts as part of the FAA's launch site safety assessment of the Federal launch range's safety process.

(e) Collision avoidance.

(1) A launch operator must ensure that a launch vehicle, any jettisoned components, and its payload do not pass closer than 200 kilometers to a manned or mannable orbital object—

(i) Throughout a sub-orbital launch; or

(ii) For an orbital launch:

(A) During ascent to initial orbital insertion and through at least one complete orbit; and

(B) During each subsequent orbital maneuver or burn from initial park orbit, or direct ascent to a higher or interplanetary orbit or until clear of all manned or mannable objects, whichever occurs first.

(2) A launch operator must obtain a collision avoidance analysis for each launch from United States Strategic Command or from a Federal range having an approved launch site safety assessment. United States Strategic Command calls this analysis a conjunction on launch assessment. Sections 417.231 and A417.31 of appendix A of this part contain the requirements for obtaining a collision avoidance analysis. A launch operator must use the results of the collision avoidance analysis to develop flight commit criteria for collision avoidance as required by § 417.113(b).

(f) Flight safety analysis. A launch operator must perform and document a flight safety analysis as required by subpart C of this part. A launch operator must not initiate flight unless the flight safety analysis demonstrates that any risk to the public satisfies the public risk criteria of paragraph (b) of this section. For a licensed launch that involves a Federal launch range, the FAA will treat an analysis performed and documented by the Federal range, and which has an FAA approved launch site safety assessment, as that of the launch operator as provided in § 417.203(d) of subpart C of this part. A launch operator must use the flight safety analysis products to develop flight safety rules that govern a launch. Section 417.113 contains the requirements for flight safety rules.

§ 417.109 Ground safety.

(a) Ground safety requirements apply to launch processing and post-launch operations at a launch site in the United States.

(b) A launch operator must protect the public from adverse effects of hazardous operations and systems associated with preparing a launch vehicle for flight at a launch site.

(c) §§ 417.111(c), 417.113(b), and 417.115(c), and subpart E of this part provide launch operator ground safety requirements.

§ 417.111 Launch plans.

(a) General. A launch operator must implement written launch plans that define how launch processing and flight of a launch vehicle will be conducted without adversely affecting public safety and how to respond to a launch mishap. A launch operator's launch plans must include those required by this section. A launch operator's launch plans do not have to be separate documents, and may be part of other applicant documentation. A launch operator must incorporate each launch safety rule established under § 417.113 into a related launch safety plan. The launch operator must follow each launch plan.

(b) Flight Safety Plan. A launch operator must implement a plan that includes the following:

(1) Flight safety personnel. Identification of personnel by position who:

(i) Approve and implement each part of the flight safety plan and any modifications to the plan; and

(ii) Perform the flight safety analysis and ensure that the results, including the flight safety rules and establishment of flight hazard areas, are incorporated into the flight safety plan.

(2) Flight safety rules. All flight safety rules required by § 417.113.

(3) Flight safety system. A description of any flight safety system and its operation, including any preflight safety tests that a launch operator will perform.

(4) Trajectory and debris dispersion data. A description of the launch trajectory. For an orbital expendable launch vehicle, the description must include each planned orbital parameter, stage burnout time and state vector, and all planned stage impact times, locations, and downrange and crossrange dispersions. For a guided or unguided suborbital launch vehicle, the description must include each planned stage impact time, location, and downrange and crossrange dispersion.

(5) Flight hazard areas. Identification and location of each flight hazard area established for each launch as required by § 417.223, and identification of procedures for surveillance and clearance of these areas and zones as required by paragraph (j) of this section.

(6) Support systems and services. Identification of any support systems and services that are part of ensuring flight safety, including any aircraft or ship that a launch operator will use during flight.

(7) Flight safety operations. A description of the flight safety related tests, reviews, rehearsals, and other flight safety operations that a launch operator will conduct under §§ 417.115 through 417.121. A flight safety plan must contain or incorporate by reference written procedures for accomplishing all flight safety operations.

(8) Unguided suborbital launch vehicles. A launch operator's flight safety plan for the launch of an unguided suborbital rocket must meet the requirements of paragraph (b) of this section and provide the following data:

(i) Launch angle limits, as required by § 417.125(c)(3); and

(ii) All procedures for measurement of launch day winds and for performing wind weighting as required by §§ 417.125 and 417.233.

(c) Ground safety plan. A launch operator must implement a ground safety plan that describes implementation of the hazard controls identified by a launch operator's ground safety analysis and implementation of the ground safety requirements of subpart E of this part. A ground safety plan must address all public safety related issues and may include other ground safety issues if a launch operator intends it to have a broader scope. A ground safety plan must include the following:

(1) A description of the launch vehicle and any payload, or class of payload, identifying each hazard, including explosives, propellants, toxics and other hazardous materials, radiation sources, and pressurized systems. A ground safety plan must include figures that show the location of each hazard on the launch vehicle, and indicate where at the launch site a launch operator performs hazardous operations during launch processing.

(2) Propellant and explosive information including:

(i) Total net explosive weight of each of the launch operator's liquid and solid propellants and other explosives for each explosive hazard facility as defined by part 420 of this chapter.

(ii) For each toxic propellant, any hazard controls and process constraints determined under the launch operator's toxic release hazard analysis for launch processing performed as required by § 417.229 and appendix I of this part.

(iii) The explosive and occupancy limits for each explosive hazard facility.

(iv) Individual explosive item information, including configuration (such as, solid motor, motor segment, or liquid propellant container), explosive material, net explosive weight, storage hazard classification and compatibility group as defined by part 420 of this chapter.

(3) A graphic depiction of the layout of a launch operator's launch complex and other launch processing facilities at the launch site. The depiction must show separation distances and any intervening barriers between explosive items that affect the total net explosive weight that each facility is sited to accommodate. A launch operator must identify any proposed facility modifications or operational changes that may affect a launch site operator's explosive site plan.

(4) A description of the process for ensuring that the person designated under § 417.103(b)(2) reviews and approves any procedures and procedure changes for safety implications.

(5) Procedures that launch personnel will follow when reporting a hazard or mishap to a launch operator's safety organization.

(6) Procedures for ensuring that personnel have the qualifications and certifications needed to perform a task involving a hazard that could affect public safety.

(7) A flow chart of launch processing activities, including a list of all major tasks. The flow chart must include all hazardous tasks and identify where and when, with respect to liftoff, each hazardous task will take place.

(8) Identification of each safety clear zone and hazard area established as required by §§ 417.411 and 417.413, respectively.

(9) A summary of the means for announcing when any hazardous operation is taking place, the means for making emergency announcements and alarms, and identification of the recipients of each type of announcement.

(10) A summary of the means of prohibiting access to each safety clear zone, and implementing access control to each hazard area, including any procedures for prohibiting or allowing public access to such areas.

(11) A description of the process for ensuring that all safety precautions and verifications are in place before, during, and after hazardous operations. This includes the process for verification that an area can be returned to a non-hazardous work status.

(12) Description of each hazard control required by the ground safety analysis for each task that creates a public or launch location hazard. The hazard control must satisfy § 417.407(b).

(13) A procedure for the use of any safety equipment that protects the public, for each task that creates a public hazard or a launch location hazard.

(14) The requirement and procedure for coordinating with any launch site operator and local authorities, for each task creating a public or launch location hazard.

(15) Generic emergency procedures that apply to all emergencies and the emergency procedures that apply to each specific task that may create a public hazard, including any task that involves hazardous material, as required by § 417.407.

(16) A listing of the ground safety plan references, by title and date, such as the ground safety analysis report, explosive quantity-distance site plan and other ground safety related documentation.

(d) Launch support equipment and instrumentation plan. A launch operator must implement a plan that ensures the reliability of the equipment and instrumentation involved in protecting public safety during launch processing and flight. A launch support equipment and instrumentation plan must:

(1) List and describe support equipment and instrumentation;

(2) Identify all certified personnel, by position, as required by § 417.105, who operate and maintain the support equipment and instrumentation;

(3) Contain, or incorporate by reference, written procedures for support equipment and instrumentation operation, test, and maintenance that will be implemented for each launch;

(4) Identify equipment and instrumentation reliability; and

(5) Identify any contingencies that protect the public in the event of a malfunction.

(e) Configuration management and control plan. A launch operator must implement a plan that:

(1) Defines the launch operator's process for managing and controlling any change to a safety critical system to ensure its reliability;

(2) Identifies, for each system, each person by position who has authority to approve design changes and the personnel, by position, who maintain documentation of the most current approved design; and

(3) Contains, or incorporates by reference, all configuration management and control procedures that apply to the launch vehicle and each support system.

(f) Frequency management plan. A launch operator must implement a plan that:

(1) Identifies each frequency, all allowable frequency tolerances, and each frequency's intended use, operating power, and source;

(2) Provides for the monitoring of frequency usage and enforcement of frequency allocations; and

(3) Identifies agreements and procedures for coordinating use of radio frequencies with any launch site operator and any local and Federal authorities, including the Federal Communications Commission.

(g) Flight termination system electronic piece parts program plan. A launch operator must implement a plan that describes the launch operator's program for selecting and testing all electronic piece parts used in any flight termination system to ensure their reliability. This plan must—

(1) Demonstrate compliance with the requirements of § 417.309(b)(2);

(2) Describe the program for selecting piece parts for use in a flight termination system;

(3) Identify performance of any derating, qualification, screening, lot acceptance testing, and lot destructive physical analysis for electronic piece parts;

(4) Identify all personnel, by position, who conduct the piece part tests;

(5) Identify the pass/fail criteria for each test for each piece part;

(6) Identify the levels to which each piece part specification will be derated; and

(7) Contain, or incorporate by reference, test procedures for each piece part.

(h) Accident investigation plan (AIP). A launch operator must implement a plan containing the launch operator's procedures for reporting and responding to launch accidents, launch incidents, or other mishaps, as defined by § 401.5 of this chapter. An individual, authorized to sign and certify the application as required by § 413.7(c) of this chapter, and the person designated under § 417.103(b)(2) must sign the AIP.

(1) Reporting requirements. An AIP must provide for—

(i) Immediate notification to the Federal Aviation Administration (FAA) Washington Operations Center in case of a launch accident, a launch incident or a mishap that involves a fatality or serious injury (as defined by 49 CFR 830.2).

(ii) Notification within 24 hours to the Associate Administrator for Commercial Space Transportation or the Federal Aviation Administration (FAA) Washington Operations Center in the event of a mishap, other than those in § 415.41(b)(1) of this chapter, that does not involve a fatality or serious injury (as defined in 49 CFR 830.2).

(iii) Submission of a written preliminary report to the FAA, Associate Administrator for Commercial Space Transportation, in the event of a launch accident or launch incident, as defined by § 401.5 of this chapter, within five days of the event. The report must identify the event as either a launch accident or launch incident, and must include the following information:

(A) Date and time of occurrence;

(B) Description of event;

(C) Location of launch;

(D) Launch vehicle;

(E) Any payload;

(F) Vehicle impact points outside designated impact lines, if applicable;

(G) Number and general description of any injuries;

(H) Property damage, if any, and an estimate of its value;

(I) Identification of hazardous materials, as defined by § 401.5 of this chapter, involved in the event, whether on the launch vehicle, payload, or on the ground;

(J) Action taken by any person to contain the consequences of the event; and

(K) Weather conditions at the time of the event.

(2) Response plan. An AIP must—

(i) Contain procedures that ensure the containment and minimization of the consequences of a launch accident, launch incident or other mishap;

(ii) Contain procedures that ensure the preservation of the data and physical evidence;

(3) Investigation plan. An AIP must contain—

(i) Procedures for investigating the cause of a launch accident, launch incident or other mishap;

(ii) Procedures for reporting investigation results to the FAA; and

(iii) Delineated responsibilities, including reporting responsibilities for personnel assigned to conduct investigations and for any one retained by the licensee to conduct or participate in investigations.

(4) Cooperation with FAA and NTSB. An AIP must contain procedures that require the licensee to report to and cooperate with FAA and National Transportation Safety Board (NTSB) investigations and designate one or more points of contact for the FAA and NTSB.

(5) Preventive measure. An AIP must contain procedures that require the licensee to identify and adopt preventive measures for avoiding recurrence of the event.

(i) Local agreements and public coordination plans.

(1) Where there is a licensed launch site operator, a launch operator must implement and satisfy the launch site operator's local agreements and plans with local authorities at or near a launch site whose support is needed to ensure public safety during all launch processing and flight, as required by part 420 of this chapter.

(2) For a launch from an exclusive-use site, where there is no licensed launch site operator, a launch operator must develop and implement any agreements and plans with local authorities at or near the launch site whose support is needed to ensure public safety during all launch processing and flight, as required by part 420 of this chapter.

(3) A launch operator must implement a schedule and procedures for the release of launch information before flight, after flight, and in the event of a mishap.

(4) A launch operator must develop and implement procedures for public access to any launch viewing areas that are under a launch operator's control.

(5) A launch operator must describe its procedures for and accomplish the following for each launch—

(i) Inform local authorities of each designated hazard areas near the launch site associated with a launch vehicle's planned trajectory and any planned impacts of launch vehicle components and debris as defined by the flight safety analysis required by subpart C of this part;

(ii) Provide any hazard area information prepared as required by § 417.225 or § 417.235 to the local United States Coast Guard or equivalent local authority for issuance of the notices to mariners;

(iii) Provide hazard area information prepared as required by § 417.223 or § 417.233 for each aircraft hazard area within a flight corridor to the FAA Air Traffic Control (ATC) office or equivalent local authority having jurisdiction over the airspace through which the launch will take place for the issuance of notices to airmen;

(iv) Communicate with the local Coast Guard and the FAA ATC office or equivalent local authorities, either directly or through any launch site operator, to ensure that notices to airmen and mariners are issued and in effect at the time of flight; and

(v) Coordinate with any other local agency that supports the launch, such as local law enforcement agencies, emergency response agencies, fire departments, National Park Service, and Mineral Management Service.

(j) Hazard area surveillance and clearance plan. A launch operator must implement a plan that defines the process for ensuring that any unauthorized persons, ships, trains, aircraft or other vehicles are not within any hazard areas identified by the flight safety analysis or the ground safety analysis. In the plan, the launch operator must—

(1) List each hazard area that requires surveillance under §§ 417.107 and 417.223;

(2) Describe how the launch operator will provide for day-of-flight surveillance of the flight hazard area to ensure that the presence of any member of the public in or near a flight hazard area is consistent with flight commit criteria developed for each launch as required by § 417.113;

(3) Verify the accuracy of any radar or other equipment used for hazard area surveillance and account for any inaccuracies in the surveillance system when enforcing the flight commit criteria;

(4) Identify the number of security and surveillance personnel employed for each launch and the qualifications and training each must have;

(5) Identify the location of roadblocks and other security checkpoints, the times that each station must be manned, and any surveillance equipment used; and

(6) Contain, or incorporate by reference, all procedures for launch personnel control, handling of intruders, communications and coordination with launch personnel and other launch support entities, and implementation of any agreements with local authorities and any launch site operator.

(k) Communications plan. A launch operator must implement a plan providing licensee personnel and Federal launch range personnel, if applicable, communications procedures during countdown and flight. Effective issuance and communication of safety-critical information during countdown must include hold/resume, go/no go, and abort commands by licensee personnel and any Federal launch range personnel, during countdown. For all launches from Federal launch ranges, the Federal launch range must concur with the communications plan. The communications plan must:

(1) Describe the authority of licensee personnel and any Federal launch range personnel by individual or position title, to issue these commands;

(2) Ensure the assignment of communication networks, so that personnel identified under this paragraph have direct access to real-time safety-critical information required for issuing hold/resume, go/no go, and abort decisions and commands;

(3) Ensure personnel, identified under this paragraph, monitor each common intercom channel during countdown and flight; and

(4) Ensure the implementation of a protocol for using defined radio telephone communications terminology.

(l) Countdown plan. A launch operator must develop and implement a countdown plan that verifies that each launch safety rule and launch commit criterion is satisfied, verifies that personnel can communicate during the countdown and that the communication is available after the flight; and verifies that a launch operator will be able to recover from a launch abort or delay. A countdown plan must:

(1) Cover the period of time when any launch support personnel are to be at their designated stations through initiation of flight.

(2) Include procedures for handling anomalies that occur during a countdown and events and conditions that may result in a constraint to initiation of flight.

(3) Include procedures for delaying or holding a launch when necessary to allow for corrective actions, to await improved conditions, or to accommodate a launch wait.

(4) Describe a process for resolving issues that arise during a countdown and identify each person, by position, who approves corrective actions.

(5) Include a written countdown checklist that provides a formal decision process leading to flight initiation. A countdown checklist must include the flight day preflight tests of a flight safety system required by subpart D of this part and must contain:

(i) Identification of operations and specific actions completed, verification that there are no constraints to flight, and verification that a launch operator satisfied all launch safety rules and launch commit criteria;

(ii) Time of each event;

(iii) Identification of personnel, by position, who perform each operation or specific action, including reporting to the person designated under § 417.103(b)(3);

(iv) Identification of each communication channel that a launch operator uses for reporting each event;

(v) Identification of all communication and event reporting protocols;

(vi) Polling of personnel, by position, who oversee all safety critical systems and operations, to verify that the systems and the operations are ready to proceed with the launch; and

(vii) Record of all critical communications network channels that are used for voice, video, or data transmission that support the flight safety system, during each countdown.

(6) In case of a launch abort or delay:

(i) Identify each condition that must exist in order to make another launch attempt;

(ii) Include a schedule depicting the flow of tasks and events in relation to when the abort or delay occurred and the new planned launch time; and

(iii) Identify each interface and supporting entity needed to support recovery operations.

§ 417.113 Launch safety rules.

(a) General. For each launch, a launch operator must satisfy written launch safety rules that govern the conduct of the launch.

(1) The launch safety rules must identify the meteorological conditions and the status of the launch vehicle, launch support equipment, and personnel under which launch processing and flight may be conducted without adversely affecting public safety.

(2) The launch safety rules must satisfy the requirements of this section.

(3) A launch operator must follow all the launch safety rules.

(b) Ground safety rules. The launch safety rules must include ground safety rules that govern each preflight ground operation at a launch site that has the potential to adversely affect public safety. The ground safety rules must implement the ground safety analysis of subpart E of this part.

(c) Flight-commit criteria. The launch safety rules must include flight-commit criteria that identify each condition that must be met in order to initiate flight.

(1) The flight-commit criteria must implement the flight safety analysis of subpart C of this part. These must include criteria for:

(i) Surveillance of any region of land, sea, or air necessary to ensure the number and location of members of the public are consistent with the inputs used for the flight safety analysis of subpart C of this part;

(ii) Monitoring of any meteorological condition and implementing any flight constraint developed using appendix G of this part. The launch operator must have clear and convincing evidence that the lightning flight commit criteria of appendix G, which apply to the conditions present at the time of lift-off, are not violated. If any other hazardous conditions exist, other than those identified by appendix G, the launch weather team will report the hazardous condition to the official designated under § 417.103(b)(1), who will determine whether initiating flight would expose the launch vehicle to a lightning hazard and not initiate flight in the presence of the hazard; and

(iii) Implementation of any launch wait in the launch window for the purpose of collision avoidance.

(2) For a launch that uses a flight safety system, the flight-commit criteria must ensure that the flight safety system is ready for flight. This must include criteria for ensuring that:

(i) The flight safety system is operating to ensure the launch vehicle will launch within all flight safety limits;

(ii) Any command transmitter system required by section D417.9 has sufficient coverage from lift-off to the point in flight where the flight safety system is no longer required by § 417.107(a);

(iii) The launch vehicle tracking system has no less than two tracking sources prior to lift-off. The launch vehicle tracking system has no less than one verified tracking source at all times from lift-off to orbit insertion for an orbital launch, to the end of powered flight for a suborbital launch; and

(iv) The launch operator will employ its flight safety system as designed in accordance with this part.

(3) For each launch, a launch operator must document the actual conditions used for the flight-commit criteria at the time of lift-off and verify whether the flight-commit criteria are satisfied.

(d) Flight termination rules. For a launch that uses a flight safety system, the launch safety rules must identify the conditions under which the flight safety system, including the functions of the flight safety system crew, must terminate flight to ensure public safety. These flight termination rules must implement the flight safety analysis of subpart C of this part and include each of the following:

(1) The flight safety system must terminate flight when valid, real-time data indicate the launch vehicle has violated any flight safety limit of § 417.213;

(2) The flight safety system must terminate flight at the straight-up-time required by § 417.215 if the launch vehicle continues to fly a straight up trajectory and, therefore, does not turn downrange when it should;

(3) The flight safety system must terminate flight when all of the following conditions exist:

(i) Real-time data indicate that the performance of the launch vehicle is erratic;

(ii) The potential exists for the loss of flight safety system control of the launch vehicle and further flight has the potential to endanger the public.

(4) The flight termination rules must incorporate the data-loss flight times and planned safe flight state of § 417.219, including each of the following:

(i) The flight safety system must terminate flight no later than the first data-loss flight time if, by that time, tracking of the launch vehicle is not established and vehicle position and status is unknown; and

(ii) Once launch vehicle tracking is established and there is a subsequent loss of verified tracking data before the planned safe flight state and verified tracking data is not received again, the flight safety system must terminate flight no later than the expiration of the data-loss flight time for the point in flight that the data was lost.

(5) For any gate established under § 417.217, both of the following apply:

(i) The flight safety system must terminate flight if the launch vehicle is performing erratically immediately prior to entering the gate.

(ii) The flight termination rules may permit the instantaneous impact point or other tracking icon to cross the gate only if there is no indication that the launch vehicle's performance has become erratic and the launch vehicle is either flying parallel to the nominal trajectory or converging to the nominal trajectory.

(6) For any hold-and-resume gate established under § 417.218:

(i) The flight safety system must terminate flight if the launch vehicle is performing erratically immediately prior to entering a hold gate.

(ii) The flight termination rules may permit the instantaneous impact point or other tracking icon to cross a hold gate only if there is no indication that the launch vehicle's performance has become erratic and the vehicle is either flying parallel to the nominal trajectory or converging to the nominal trajectory.

(iii) The flight termination rules of paragraphs (d)(1), (d)(3), and (d)(4) of this section apply after the instantaneous impact point or other tracking icon exits a resume gate.

(e) Flight safety system safing. For a launch that uses a flight safety system, the launch safety rules must ensure that any safing of the flight safety system occurs on or after the point in flight where the flight safety system is no longer required by § 417.107(b).

(f) Launch crew work shift and rest rules. For any operation with the potential to have an adverse effect on public safety, the launch safety rules must ensure the launch crew is physically and mentally capable of performing all assigned tasks. These rules must govern the length, number, and frequency of work shifts, including the rest afforded the launch crew between shifts.

§ 417.115 Tests.

(a) General. All flight, communication, and ground systems and equipment that a launch operator uses to protect the public from any adverse effects of a launch, must undergo testing as required by this part, and any corrective action and re-testing necessary to ensure reliable operation. A launch operator must—

(1) Coordinate test plans and all associated test procedures with any launch site operator or local authorities, as required by local agreements, associated with the operation; and

(2) Make test results, test failure reports, information on any corrective actions implemented and the results of re-test available to the FAA upon request.

(b) Flight safety system testing. A launch operator must only use a flight safety system and all flight safety system components, including any onboard launch vehicle flight termination system, command control system, and support system that satisfy the test requirements of subpart D of this part.

(c) Ground system testing. A launch operator must only use a system or equipment used to support hazardous ground operations identified by the ground safety analysis required by § 417.405 that satisfies the test requirements of paragraph (a) of this section.

§ 417.117 Reviews.

(a) General. A launch operator must—

(1) Review the status of operations, systems, equipment, and personnel required by part 417;

(2) Maintain and implement documented criteria for successful completion of each review;

(3) Track to completion and document any corrective actions or issues identified during a review; and

(4) Ensure that launch operator personnel who oversee a review attest to successful completion of the review's criteria in writing.

(b) A launch operator must conduct the following reviews:

(1) Hazardous operations safety readiness reviews. A launch operator must conduct a review before performing any hazardous operation with the potential to adversely affect public safety. The review must determine a launch operator's readiness to perform the operation and ensure that safety provisions are in place. The review must determine the readiness status of safety systems and equipment and verify that the personnel involved satisfy certification and training requirements.

(2) Launch safety review. For each launch, a launch operator must conduct a launch safety review no later than 15 days before the planned day of flight, or as agreed to by the FAA during the application process. This review must determine the readiness of ground and flight safety systems, safety equipment, and safety personnel to support a flight attempt. Successful completion of a launch safety review must ensure satisfaction of the following criteria:

(i) A launch operator must verify that all safety requirements have been or will be satisfied before flight. The launch operator must resolve all safety related action items.

(ii) A launch operator must assign and certify flight safety personnel as required by § 417.105.

(iii) The flight safety rules and flight safety plan must incorporate a final flight safety analysis as required by subpart C of this part.

(iv) A launch operator must verify, at the time of the review, that the ground safety systems and personnel satisfy or will satisfy all requirements of the ground safety plan for support of flight.

(v) A launch operator must accomplish the safety related coordination with any launch site operator or local authorities as required by local agreements.

(vi) A launch operator must verify the filing of all safety related information for a specific launch with the FAA, as required by FAA regulations and any special terms of a license. A launch operator must verify that information filed with the FAA reflects the current status of safety-related systems and processes for each specific launch.

(3) Launch readiness review for flight. A launch operator must conduct a launch readiness review for flight as required by this section within 48 hours of flight. A person, identified as required by § 417.103(b)(1), must review all preflight testing and launch processing conducted up to the time of the review; and review the status of systems and support personnel to determine readiness to proceed with launch processing and the launch countdown. A decision to proceed must be in writing and signed by the person identified as required by § 417.103(b)(1), and any launch site operator or Federal launch range. A launch operator, during the launch readiness review, must poll the FAA to verify that the FAA has identified no issues related to the launch operator's license. During a launch readiness review, the launch operator must account for the following information:

(i) Readiness of launch vehicle and payload.

(ii) Readiness of any flight safety system and personnel and the results of flight safety system testing.

(iii) Readiness of safety-related launch property and services to be provided by a Federal launch range.

(iv) Readiness of all other safety-related equipment and services.

(v) Readiness of launch safety rules and launch constraints.

(vi) Status of launch weather forecasts.

(vii) Readiness of abort, hold and recycle procedures.

(viii) Results of rehearsals conducted as required by § 417.119.

(ix) Unresolved safety issues as of the time of the launch readiness review and plans for their resolution.

(x) Additional safety information that may be required to assess readiness for flight.

(xi) To review launch failure initial response actions and investigation roles and responsibilities.

§ 417.119 Rehearsals.

(a) General. A launch operator must rehearse its launch crew and systems to identify corrective actions needed to ensure public safety. The launch operator must conduct all rehearsals as follows:

(1) A launch operator must assess any anomalies identified by a rehearsal, and must incorporate any changes to launch processing and flight needed to correct any anomaly that is material to public safety.

(2) A launch operator must inform the FAA of any public safety related anomalies and related changes in operations performed during launch processing or flight resulting from a rehearsal.

(3) For each launch, each person with a public safety critical role who will participate in the launch processing or flight of a launch vehicle must participate in at least one related rehearsal that exercises his or her role during nominal and non-nominal conditions so that the launch vehicle will not harm the public.

(4) A launch operator must conduct the rehearsals identified in this section for each launch.

(5) At least one rehearsal must simulate normal and abnormal preflight and flight conditions to exercise the launch operator's launch plans.

(6) A launch operator may conduct rehearsals at the same time if joint rehearsals do not create hazardous conditions, such as changing a hardware configuration that affects public safety, during the rehearsal.

(b) Countdown rehearsal. A launch operator must conduct a rehearsal using the countdown plan, procedures, and checklist required by § 417.111(l). A countdown rehearsal must familiarize launch personnel with all countdown activities, demonstrate that the planned sequence of events is correct, and demonstrate that there is adequate time allotted for each event. A launch operator must hold a countdown rehearsal after the assembly of the launch vehicle and any launch support systems into their final configuration for flight and before the launch readiness review required by § 417.117.

(c) Emergency response rehearsal. A launch operator must conduct a rehearsal of the emergency response section of the accident investigation plan required by § 417.111(h)(2). A launch operator must conduct an emergency response rehearsal for a first launch of a new vehicle, for any additional launch that involves a new safety hazard, or for any launch where more than a year has passed since the last rehearsal.

(d) Communications rehearsal. A launch operator must rehearse each part of the communications plan required by § 417.111(k), either as part of another rehearsal or during a communications rehearsal.

§ 417.121 Safety critical preflight operations.

(a) General. A launch operator must perform safety critical preflight operations that protect the public from the adverse effects of hazards associated with launch processing and flight of a launch vehicle. The launch operator must identify all safety critical preflight operations in the launch schedule required by § 417.17(b)(1). Safety critical preflight operations must include those defined in this section.

(b) Countdown. A launch operator must implement its countdown plan, of § 417.111(l), for each launch. A launch operator must disseminate a countdown plan to all personnel responsible for the countdown and flight of a launch vehicle, and each person must follow that plan.

(c) Collision avoidance. A launch operator must coordinate with United States Strategic Command to obtain a collision avoidance analysis, also referred to as a conjunction on launch assessment, as required by § 417.231. A launch operator must implement flight commit criteria as required by § 417.113(b) to ensure that each launch meets all the criteria of § 417.107(e).

(d) Meteorological data. A launch operator must conduct operations and coordinate with weather organizations, as needed, to obtain accurate meteorological data to support the flight safety analysis required by subpart C of this part and to ensure compliance with the flight commit criteria required by § 417.113.

(e) Local notification. A launch operator must implement its local agreements and public coordination plan of § 417.111(i).

(f) Hazard area surveillance. A launch operator must implement its hazard area surveillance and clearance plan, of § 417.111(j), to meet the public safety criteria of § 417.107(b) for each launch.

(g) Flight safety system preflight tests. A launch operator must conduct preflight tests of any flight safety system as required by section E417.41 of appendix E of this part.

(h) Launch vehicle tracking data verification. For each launch, a launch operator must implement written procedures for verifying the accuracy of any launch vehicle tracking data provided. For a launch vehicle flown with a flight safety system, any source of tracking data must satisfy the requirements of § 417.307(b).

(i) Unguided suborbital rocket preflight operations. For the launch of an unguided suborbital rocket, in addition to meeting the other requirements of this section, a launch operator must perform the preflight wind weighting and other preflight safety operations required by §§ 417.125, 417.233, and appendix C of this part.

§ 417.123 Computing systems and software.

(a) A launch operator must document a system safety process that identifies the hazards and assesses the risks to public health and safety and the safety of property related to computing systems and software.

(b) A launch operator must identify all safety-critical functions associated with its computing systems and software. Safety-critical computing system and software functions must include the following:

(1) Software used to control or monitor safety-critical systems.

(2) Software that transmits safety-critical data, including time-critical data and data about hazardous conditions.

(3) Software used for fault detection in safety-critical computer hardware or software.

(4) Software that responds to the detection of a safety-critical fault.

(5) Software used in a flight safety system.

(6) Processor-interrupt software associated with previously designated safety-critical computer system functions.

(7) Software that computes safety-critical data.

(8) Software that accesses safety-critical data.

(9) Software used for wind weighting.

(c) A launch operator must conduct computing system and software hazard analyses for the integrated system.

(d) A launch operator must develop and implement computing system and software validation and verification plans.

(e) A launch operator must develop and implement software development plans, including descriptions of the following:

(1) Coding standards used;

(2) Configuration control;

(3) Programmable logic controllers;

(4) Policy on use of any commercial-off-the-shelf software; and

(5) Policy on software reuse.

§ 417.125 Launch of an unguided suborbital launch vehicle.

(a) Applicability. This section applies only to a launch operator conducting a launch of an unguided suborbital launch vehicle.

(b) Need for flight safety system. A launch operator must launch an unguided suborbital launch vehicle with a flight safety system in accordance with § 417.107(a) and subpart D of this part unless one of the following exceptions applies:

(1) The unguided suborbital launch vehicle, including any component or payload, does not have sufficient energy to reach any populated area in any direction from the launch point; or

(2) A launch operator demonstrates through the licensing process that the launch will be conducted using a wind weighting safety system that meets the requirements of paragraph (c) of this section.

(c) Wind weighting safety system. A launch operator's wind weighting safety system must consist of equipment, procedures, analysis and personnel functions used to determine the launcher elevation and azimuth settings that correct for the windcocking and wind drift that an unguided suborbital launch vehicle will experience during flight due to wind effects. The launch of an unguided suborbital launch vehicle that uses a wind weighting safety system must meet the following requirements:

(1) The unguided suborbital launch vehicle must not contain a guidance or directional control system.

(2) The launcher azimuth and elevation settings must be wind weighted to correct for the effects of wind conditions at the time of flight to provide a safe impact location. A launch operator must conduct the launch in accordance with the wind weighting analysis requirements and methods of § 417.233 and appendix C of this part.

(3) A launch operator must use a launcher elevation angle setting that ensures the rocket will not fly uprange. A launch operator must set the launcher elevation angle in accordance with the following:

(i) The nominal launcher elevation angle must not exceed 85°. The wind corrected launcher elevation setting must not exceed 86°.

(ii) For an unproven unguided suborbital launch vehicle, the nominal launcher elevation angle must not exceed 80°. The wind corrected launcher elevation setting must not exceed 84°. A proven unguided suborbital launch vehicle is one that has demonstrated, by two or more launches, that flight performance errors are within all the three-sigma dispersion parameters modeled in the wind weighting safety system.

(d) Public risk criteria. A launch operator must conduct the launch of an unguided suborbital launch vehicle in accordance with the public risk criteria of § 417.107(b). The risk to the public determined prior to the day of flight must satisfy the public risk criteria for the area defined by the range of nominal launch azimuths. A launch operator must not initiate flight until a launch operator has verified that the wind drifted impacts of all planned impacts and their five-sigma dispersion areas satisfy the public risk criteria after wind weighting on the day of flight.

(e) Stability. An unguided suborbital launch vehicle, in all configurations, must be stable in flexible body to 1.5 calibers and rigid body to 2.0 calibers throughout each stage of powered flight. A caliber, for a rocket configuration, is defined as the distance between the center of pressure and the center of gravity divided by the largest frontal diameter of the rocket configuration.

(f) Tracking. A launch operator must track the flight of an unguided suborbital launch vehicle. The tracking system must provide data to determine the actual impact locations of all stages and components, to verify the effectiveness of a launch operator's wind weighting safety system, and to obtain rocket performance data for comparison with the preflight performance predictions.

(g) Post-launch review. A launch operator must ensure that the post-launch report required by § 417.25 includes:

(1) Actual impact location of all impacting stages and each impacting component.

(2) A comparison of actual and predicted nominal performance.

(3) Investigation results of any launch anomaly. If flight performance deviates by more than a three-sigma dispersion from the nominal trajectory, a launch operator must conduct an investigation to determine the cause of the rocket's deviation from normal flight and take corrective action before the next launch. A launch operator must file any corrective actions with the FAA as a request for license modification before the next launch in accordance with § 417.11.

§ 417.127 Unique safety policies, requirements and practices.

For each launch, a launch operator must review operations, system designs, analysis, and testing, and identify any unique hazards not otherwise addressed by this part. A launch operator must implement any unique safety policy, requirement, or practice needed to protect the public from the unique hazard. A launch operator must demonstrate through the licensing process that any unique safety policy, requirement, or practice ensures the safety of the public. For any change to a unique safety policy, requirement, or practice, with the exception of a launch specific update, the launch operator must file a request for license modification as required by § 417.11. The FAA may identify and impose a unique safety policy, requirement, or practice as needed to protect the public.

§ 417.129 Safety at end of launch.

A launch operator must ensure for any proposed launch that for all launch vehicle stages or components that reach Earth orbit—

(a) There is no unplanned physical contact between the vehicle or any of its components and the payload after payload separation;

(b) Debris generation does not result from the conversion of energy sources into energy that fragments the vehicle or its components. Energy sources include chemical, pressure, and kinetic energy; and

(c) Stored energy is removed by depleting residual fuel and leaving all fuel line valves open, venting any pressurized system, leaving all batteries in a permanent discharge state, and removing any remaining source of stored energy.

§§ 417.130 through 417.200 [Reserved]

Subpart C—Flight Safety Analysis

§ 417.201 Scope and applicability.

(a) This subpart contains requirements for performing the flight safety analysis required by § 417.107(f).

(b) The flight safety analysis requirements of this subpart apply to the flight of any launch vehicle that must use a flight safety system as required by § 417.107(a), except as permitted by paragraph (d) of this section.

(c) The flight safety analysis requirements of §§ 417.203, 417.205, 417.207, 417.211, 417.223, 417.224, 417.225, 417.227, 417.229, 417.231, and 417.233 apply to the flight of any unguided suborbital launch vehicle that uses a wind-weighting safety system. Appendices B, C, and I of this part also apply.

(d) For any alternative flight safety system approved by the FAA under § 417.301(b), the FAA will determine during the licensing process which of the analyses required by this subpart apply.

§ 417.203 Compliance.

(a) General. A launch operator's flight safety analysis must satisfy the performance requirements of this subpart. The flight safety analysis must also meet the requirements for methods of analysis contained in appendices A and B of this part for a launch vehicle flown with a flight safety system and appendices B and C of this part for an unguided suborbital launch vehicle that uses a wind-weighting safety system except as otherwise permitted by this section. A flight safety analysis for a launch may rely on an earlier analysis from an identical or similar launch if the analysis still applies to the later launch.

(b) Method of analysis.

(1) For each launch, a launch operator's flight safety analysis must use—

(i) A method approved by the FAA during the licensing process;

(ii) A method approved as a license modification by the FAA; or,

(iii) If the launch takes place from a Federal launch range, a method approved as part of the FAA's launch site safety assessment of the Federal range's processes.

(2) Appendix A of this part contains requirements that apply to all methods of flight safety analysis. A licensee must notify the FAA for any change to the flight safety analysis method. A licensee must file any material change with the FAA as a request for license modification before the launch to which the proposed change would apply. Section 417.11 contains requirements governing a license modification.

(c) Alternate analysis method. The FAA will approve an alternate flight safety analysis method if a launch operator demonstrates, in accordance with § 406.3(b), that its proposed analysis method provides an equivalent level of fidelity to that required by this subpart. A launch operator must demonstrate that an alternate flight safety analysis method is based on accurate data and scientific principles and is statistically valid. The FAA will not find a launch operator's application for a license or license modification sufficiently complete to begin review under § 413.11 of this chapter until the FAA approves the alternate flight safety analysis method.

(d) Analyses performed by a Federal launch range. This provision applies to all sections of this subpart. The FAA will accept a flight safety analysis used by a Federal launch range without need for further demonstration of compliance to the FAA, if:

(1) A launch operator has contracted with a Federal launch range for the provision of flight safety analysis; and

(2) The FAA has assessed the Federal launch range, through its launch site safety assessment, and found that the range's analysis methods satisfy the requirements of this subpart. In this case, the FAA will treat the Federal launch range's analysis as that of a launch operator.

(e) Analysis products. For a licensed launch that does not satisfy paragraph (d) of this section, a launch operator must demonstrate to the FAA compliance with the requirements of this subpart, and must include in its demonstration the analysis products required by part 415 subpart F of this chapter, part 417 subpart A, and appendices A, B, C, and I of this part, depending on whether the launch vehicle uses a flight safety system or a wind-weighting safety system.

§ 417.205 General.

(a) Public risk management. A flight safety analysis must demonstrate that a launch operator will, for each launch, control the risk to the public from hazards associated with normal and malfunctioning launch vehicle flight. The analysis must employ risk assessment, hazard isolation, or a combination of risk assessment and partial isolation of the hazards, to demonstrate control of the risk to the public.

(1) Risk assessment. When demonstrating control of risk through risk assessment, the analysis must demonstrate that any risk to the public satisfies the public risk criteria of § 417.107(b). The analysis must account for the variability associated with:

(i) Each source of a hazard during flight;

(ii) Normal flight and each failure response mode of the launch vehicle;

(iii) Each external and launch vehicle flight environment;

(iv) Populations potentially exposed to the flight; and

(v) The performance of any flight safety system, including time delays associated with the system.

(2) Hazard isolation. When demonstrating control of risk through hazard isolation, the analysis must establish the geographical areas from which the public must be excluded during flight and any operational controls needed to isolate all hazards from the public.

(3) Combination of risk assessment and partial isolation of hazards. When demonstrating control of risk through a combination of risk assessment and partial isolation of the hazards from the public, the analysis must demonstrate that the residual public risk due to any hazard not isolated from the public under paragraph (a)(2) of this section satisfies the public risk criteria of § 417.107(b).

(b) Dependent analyses. Because some analyses required by this subpart are inherently dependent on one another, the data output of any one analysis must be compatible in form and content with the data input requirements of any other analysis that depends on that output. Figure 417.205-1 illustrates the flight safety analyses that might be performed for a launch flown with a flight safety system and the typical dependencies that might exist among the analyses.


§ 417.207 Trajectory analysis.

(a) General. A flight safety analysis must include a trajectory analysis that establishes:

(1) For any time after lift-off, the limits of a launch vehicle's normal flight, as defined by the nominal trajectory and potential three-sigma trajectory dispersions about the nominal trajectory.

(2) A fuel exhaustion trajectory that produces instantaneous impact points with the greatest range for any given time after liftoff for any stage that has the potential to impact the Earth and does not burn to propellant depletion before a programmed thrust termination.

(3) For launch vehicles flown with a flight safety system, a straight-up trajectory for any time after lift-off until the straight-up time that would result if the launch vehicle malfunctioned and flew in a vertical or near vertical direction above the launch point.

(b) Trajectory model. A final trajectory analysis must use a six-degree of freedom trajectory model to satisfy the requirements of paragraph (a) of this section.

(c) Wind effects. A trajectory analysis must account for all wind effects, including profiles of winds that are no less severe than the worst wind conditions under which flight might be attempted, and must account for uncertainty in the wind conditions.

§ 417.209 Malfunction turn analysis.

(a) General. A flight safety analysis must include a malfunction turn analysis that establishes the launch vehicle's turning capability in the event of a malfunction during flight. A malfunction turn analysis must account for each cause of a malfunction turn, such as thrust vector offsets or nozzle burn-through. For each cause of a malfunction turn, the analysis must establish the launch vehicle's turning capability using a set of turn curves. The analysis must account for:

(1) All trajectory times during the thrusting phases of flight.

(2) When a malfunction begins to cause each turn throughout the thrusting phases of flight. The analysis must account for trajectory time intervals between malfunction turn start times that are sufficient to establish flight safety limits and hazard areas that are smooth and continuous.

(3) The relative probability of occurrence of each malfunction turn of which the launch vehicle is capable.

(4) The time, as a single value or a probability time distribution, when each malfunction turn will terminate due to vehicle breakup.

(5) What terminates each malfunction turn, such as aerodynamic breakup or inertial breakup.

(6) The launch vehicle's turning behavior from the time when a malfunction begins to cause a turn until aerodynamic breakup, inertial breakup, or ground impact. The analysis must account for trajectory time intervals during the malfunction turn that are sufficient to establish turn curves that are smooth and continuous.

(7) For each malfunction turn, the launch vehicle velocity vector turn angle from the nominal launch vehicle velocity vector.

(8) For each malfunction turn, the launch vehicle velocity turn magnitude from the nominal velocity magnitude that corresponds to the velocity vector turn angle.

(9) For each malfunction turn, the orientation of the launch vehicle longitudinal axis measured relative to the nominal launch vehicle longitudinal axis or Earth relative velocity vector at the start of the turn.

(b) Set of turn curves for each malfunction turn cause. For each cause of a malfunction turn, the analysis must establish a set of turn curves that satisfies paragraph (a) of this section and must establish the associated envelope of the set of turn curves. Each set of turn curves must describe the variation in the malfunction turn characteristics for each cause of a turn. The envelope of each set of curves must define the limits of the launch vehicle's malfunction turn behavior for each cause of a malfunction turn. For each malfunction turn envelope, the analysis must establish the launch vehicle velocity vector turn angle from the nominal launch vehicle velocity vector. For each malfunction turn envelope, the analysis must establish the vehicle velocity turn magnitude from the nominal velocity magnitude that corresponds to the velocity vector turn angle envelope.

§ 417.211 Debris analysis.

(a) General. A flight safety analysis must include a debris analysis. For an orbital or suborbital launch, a debris analysis must identify the inert, explosive, and other hazardous launch vehicle debris that results from normal and malfunctioning launch vehicle flight.

(b) Launch vehicle breakup. A debris analysis must account for each cause of launch vehicle breakup, including at a minimum:

(1) Any flight termination system activation;

(2) Launch vehicle explosion;

(3) Aerodynamic loads;

(4) Inertial loads;

(5) Atmospheric reentry heating; and

(6) Impact of intact vehicle.

(c) Debris fragment lists. A debris analysis must produce lists of debris fragments for each cause of breakup and any planned jettison of debris, launch vehicle components, or payload. The lists must account for all launch vehicle debris fragments, individually or in groupings of fragments whose characteristics are similar enough to be described by a single set of characteristics. The debris lists must describe the physical, aerodynamic, and harmful characteristics of each debris fragment, including at a minimum:

(1) Origin on the vehicle, by vehicle stage or component, from which each fragment originated;

(2) Whether it is inert or explosive;

(3) Weight, dimensions, and shape;

(4) Lift and drag characteristics;

(5) Properties of the incremental velocity distribution imparted by breakup; and

(6) Axial, transverse, and tumbling area.

§ 417.213 Flight safety limits analysis.

(a) General. A flight safety analysis must identify the location of populated or other protected areas, and establish flight safety limits that define when a flight safety system must terminate a launch vehicle's flight to prevent the hazardous effects of the resulting debris impacts from reaching any populated or other protected area and ensure that the launch satisfies the public risk criteria of § 417.107(b).

(b) Flight safety limits. The analysis must establish flight safety limits for use in establishing flight termination rules. Section 417.113(c) contains requirements for flight termination rules. The flight safety limits must account for all temporal and geometric extents on the Earth's surface of a launch vehicle's hazardous debris impact dispersion resulting from any planned or unplanned event for all times during flight. Flight safety limits must account for all potential contributions to the debris impact dispersions, including at a minimum:

(1) All time delays, as established by the time delay analysis of § 417.221;

(2) Residual thrust remaining after flight termination implementation or vehicle breakup due to aerodynamic and inertial loads;

(3) All wind effects;

(4) Velocity imparted to vehicle fragments by breakup;

(5) All lift and drag forces on the malfunctioning vehicle and falling debris;

(6) All launch vehicle guidance and performance errors;

(7) All launch vehicle malfunction turn capabilities; and

(8) Any uncertainty due to map errors and launch vehicle tracking errors.

(c) Gates. If a launch involves flight over any populated or other protected area, the flight safety analysis must establish a gate as required by §§ 417.217 and 417.218.

(d) Designated debris impact limits. The analysis must establish designated impact limit lines to bound the area where debris with a ballistic coefficient of three or more is allowed to impact if the flight safety system functions properly.

§ 417.215 Straight-up time analysis.

A flight safety analysis must establish the straight-up time for a launch for use as a flight termination rule. Section 417.113(c) contains requirements for flight termination rules. The analysis must establish the straight-up time as the latest time after liftoff, assuming a launch vehicle malfunctioned and flew in a vertical or near vertical direction above the launch point, at which activation of the launch vehicle's flight termination system or breakup of the launch vehicle would not cause hazardous debris or critical overpressure to affect any populated or other protected area.

§ 417.217 Overflight gate analysis.

For a launch that involves flight over a populated or other protected area, the flight safety analysis must include an overflight gate analysis. The analysis must establish the portion of a flight safety limit, a gate, through which a normally performing launch vehicle's tracking icon will be allowed to proceed. A tracking icon must enable the flight safety crew to determine whether the launch vehicle's flight is in compliance with the flight safety rules established under § 417.113. When establishing that portion of a flight safety limit, the analysis must demonstrate that the launch vehicle flight satisfies the flight safety requirements of § 417.107.

§ 417.218 Hold-and-resume gate analysis.

(a) For a launch that involves overflight or near overflight of a populated or otherwise protected area prior to the planned safe flight state calculated as required by § 417.219, the flight safety analysis must construct a hold-and-resume gate for each populated or otherwise protected area. After a vehicle's tracking icon crosses a hold-and-resume gate, flight termination must occur as required by § 417.113(d)(6).

(b) The hold-and-resume gate analysis must account for:

(1) Overflight of a wholly contained populated or otherwise protected area. A hold-and-resume gate must be a closed, continuous contour that encompasses any populated or otherwise protected area located wholly within the impact limit lines. The hold-and-resume gate must encompass a populated or otherwise protected area such that flight termination or breakup of the launch vehicle while the tracking icon is outside the gate would not cause hazardous debris or overpressure to endanger the populated or otherwise protected area.

(2) Overflight of an uncontained populated or otherwise protected area. A hold-and-resume gate must be a closed, continuous contour that encompasses any area in which flight termination is allowed to occur. The hold-and-resume gate must encompass all hazard areas such that flight termination or breakup of the launch vehicle while the vehicle's tracking icon is inside the gate would not cause hazardous debris or critical overpressure to endanger any populated or otherwise protected area.

§ 417.219 Data loss flight time and planned safe flight state analyses.

(a) General. For each launch, a flight safety analysis must establish data loss flight times, as identified by paragraph (b) of this section, and a planned safe flight state to establish each flight termination rule that applies when launch vehicle tracking data is not available for use by the flight safety crew. Section 417.113(d) contains requirements for flight termination rules.

(b) Data loss flight times. A flight safety analysis must establish the shortest elapsed thrusting time during which a launch vehicle can move from normal flight to a condition where the launch vehicle's hazardous debris impact dispersion extends to any protected area as a data loss flight time. The analysis must establish a data loss flight time for all times along the nominal trajectory from liftoff through that point during nominal flight when the minimum elapsed thrusting time is no greater than the time it would take for a normal vehicle to reach the overflight gate, or the planned safe flight state established under paragraph (c) of this section, whichever occurs earlier.

(c) Planned safe flight state. For a launch vehicle that performs normally during all portions of flight, the planned safe flight state is the point during the nominal flight of a launch vehicle where:

(1) No launch vehicle component, debris, or hazard can impact or affect a populated or otherwise protected area for the remainder of the launch;

(2) The launch vehicle achieves orbital insertion; or

(3) The launch vehicle's state vector reaches a state where the absence of a flight safety system would not significantly increase the accumulated risk from debris impacts and maintains positive flight safety system control to the maximum extent feasible.

§ 417.221 Time delay analysis.

(a) General. A flight safety analysis must include a time delay analysis that establishes the mean elapsed time between the violation of a flight termination rule and the time when the flight safety system is capable of terminating flight for use in establishing flight safety limits as required by § 417.213.

(b) Analysis constraints. A time delay analysis must determine a time delay distribution that accounts for the following:

(1) The variance of all time delays for each potential failure scenario, including but not limited to, the range of malfunction turn characteristics and the time of flight when the malfunction occurs;

(2) A flight safety official's decision and reaction time, including variation in human response time; and

(3) Flight termination hardware and software delays including all delays inherent in:

(i) Tracking systems;

(ii) Data processing systems, including all filter delays;

(iii) Display systems;

(iv) Command control systems; and

(v) Flight termination systems.

§ 417.223 Flight hazard area analysis.

(a) General. A flight safety analysis must include a flight hazard area analysis that identifies any regions of land, sea, or air that must be surveyed, publicized, controlled, or evacuated in order to control the risk to the public from debris impact hazards. The risk management requirements of § 417.205(a) apply. The analysis must account for, at a minimum:

(1) All trajectory times from liftoff to the planned safe flight state of § 417.219(c), including each planned impact, for an orbital launch, and through final impact for a suborbital launch;

(2) Regions of land potentially exposed to debris resulting from normal flight events and events resulting from any potential malfunction;

(3) Regions of sea and air potentially exposed to debris from normal flight events, including planned impacts;

(4) In the vicinity of the launch site, any waterborne vessels, populated offshore structures, or aircraft exposed to debris from events resulting from any potential abnormal flight events, including launch vehicle malfunction;

(5) Any operational controls implemented to control risk to the public from debris hazards;

(6) Debris identified by the debris analysis of § 417.211; and

(7) All launch vehicle trajectory dispersion effects in the surface impact domain.

(b) Public notices. A flight hazard areas analysis must establish the ship hazard areas for notices to mariners that encompass the three-sigma impact dispersion area for each planned debris impact. A flight hazard areas analysis must establish the aircraft hazard areas for notices to airmen that encompass the 3-sigma impact dispersion volume for each planned debris impact. Section 417.121(e) contains procedural requirements for issuing notices to mariners and airmen.

§ 417.224 Probability of failure analysis.

(a) General. All flight safety analyses for a launch, regardless of hazard or phase of flight, must account for launch vehicle failure probability in a consistent manner. A launch vehicle failure probability estimate must use accurate data, scientific principles, and a method that is statistically or probabilistically valid. For a launch vehicle with fewer than two flights, the failure probability estimate must account for the outcome of all previous launches of vehicles developed and launched in similar circumstances. For a launch vehicle with two or more flights, launch vehicle failure probability estimates must account for the outcomes of all previous flights of the vehicle in a statistically valid manner.

(b) Failure. For flight safety analysis purposes, a failure occurs when a launch vehicle does not complete any phase of normal flight or when any anomalous condition exhibits the potential for a stage or its debris to impact the Earth or reenter the atmosphere during the mission or any future mission of similar launch vehicle capability. Also, either a launch incident or launch accident constitutes a failure.

(c) Previous flight. For flight analysis purposes, flight begins at a time in which a launch vehicle normally or inadvertently lifts off from a launch platform. Lift-off occurs with any motion of the launch vehicle with respect to the launch platform.

§ 417.225 Debris risk analysis.

A flight safety analysis must demonstrate that the risk to the public potentially exposed to inert and explosive debris hazards from any one flight of a launch vehicle satisfies the public risk criterion of § 417.107(b) for debris. A debris risk analysis must account for risk to populations on land, including regions of launch vehicle flight following passage through any gate in a flight safety limit established as required by § 417.217. A debris risk analysis must account for any potential casualties to the public as required by the debris thresholds and requirements of § 417.107(c).

§ 417.227 Toxic release hazard analysis.

A flight safety analysis must establish flight commit criteria that protect the public from any hazard associated with toxic release and demonstrate compliance with the public risk criterion of § 417.107(b). The analysis must account for any toxic release that will occur during the proposed flight of a launch vehicle or that would occur in the event of a flight mishap. The analysis must account for any operational constraints and emergency procedures that provide protection from toxic release. The analysis must account for all members of the public that may be exposed to the toxic release, including all members of the public on land and on any waterborne vessels, populated offshore structures, and aircraft that are not operated in direct support of the launch.

§ 417.229 Far-field overpressure blast effects analysis.

(a) General. A flight safety analysis must establish flight commit criteria that protect the public from any hazard associated with far field blast overpressure effects due to potential explosions during launch vehicle flight and demonstrate compliance with the public risk criterion of § 417.107(b).

(b) Analysis constraints. The analysis must account for:

(1) The potential for distant focus overpressure or overpressure enhancement given current meteorological conditions and terrain characteristics;

(2) The potential for broken windows due to peak incident overpressures below 1.0 psi and related casualties;

(3) The explosive capability of the launch vehicle at impact and at altitude and potential explosions resulting from debris impacts, including the potential for mixing of liquid propellants;

(4) Characteristics of the launch vehicle flight and the surroundings that would affect the population's susceptibility to injury, such as shelter types and time of day of the proposed launch;

(5) Characteristics of the potentially affected windows, including their size, location, orientation, glazing material, and condition; and

(6) The hazard characteristics of the potential glass shards, such as falling from upper building stories or being propelled into or out of a shelter toward potentially occupied spaces.

§ 417.231 Collision avoidance analysis.

(a) General. A flight safety analysis must include a collision avoidance analysis that establishes each launch wait in a planned launch window during which a launch operator must not initiate flight, in order to protect any manned or mannable orbiting object. A launch operator must account for uncertainties associated with launch vehicle performance and timing and ensure that any calculated launch waits incorporate all additional time periods associated with such uncertainties. A launch operator must implement any launch waits as flight commit criteria according to § 417.113(b).

(b) Orbital launch. For an orbital launch, the analysis must establish any launch waits needed to ensure that the launch vehicle, any jettisoned components, and its payload do not pass closer than 200 kilometers to a manned or mannable orbiting object during ascent to initial orbital insertion through at least one complete orbit.

(c) Suborbital launch. For a suborbital launch, the analysis must establish any launch waits needed to ensure that the launch vehicle, any jettisoned components, and any payload do not pass closer than 200 kilometers to a manned or mannable orbital object throughout the flight.

(d) Analysis not required. A collision avoidance analysis is not required if the maximum altitude attainable by a launch operator's unguided suborbital launch vehicle is less than the altitude of the lowest manned or mannable orbiting object. The maximum altitude attainable must be obtained using an optimized trajectory, assuming 3-sigma maximum performance.

§ 417.233 Analysis for an unguided suborbital launch vehicle flown with a wind weighting safety system.

For each launch of an unguided suborbital launch vehicle flown with a wind weighting safety system, in addition to the other requirements in this subpart outlined in § 417.201(c), the flight safety analysis must:

(a) Establish flight commit criteria and other launch safety rules that a launch operator must implement to control the risk to the public from potential adverse effects resulting from normal and malfunctioning flight;

(b) Establish any wind constraints under which launch may occur; and

(c) Include a wind weighting analysis that establishes the launcher azimuth and elevation settings that correct for the windcocking and wind-drift effects on the unguided suborbital launch vehicle.

Subpart D—Flight Safety System

§ 417.301 General.

(a) Applicability. This subpart applies to any flight safety system that a launch operator uses. The requirements of § 417.107(a) define when a launch operator must use a flight safety system. A launch operator must ensure that its flight safety system satisfies all the requirements of this subpart, including the referenced appendices. Paragraph (b) of this section provides an exception to this.

(b) Alternate flight safety system. A flight safety system need not satisfy one or more of the requirements of this subpart for a launch if a launch operator demonstrates, in accordance with § 406.3(b), that the launch achieves an equivalent level of safety as a launch that satisfies all the requirements of this part. The flight safety system must undergo analysis and testing that is comparable to that required by this part to demonstrate that the system's reliability to perform each intended function is comparable to that required by this subpart.

(c) Functions, subsystems, and components. When initiated in the event of a launch vehicle failure, a flight safety system must prevent any launch vehicle hazard, including any payload hazard, from reaching a populated or other protected area. A flight safety system must consist of all of the following:

(1) A flight termination system that satisfies appendices D, E, and F of this part;

(2) A command control system that satisfies §§ 417.303 and 417.305;

(3) Each support system required by § 417.307; and

(4) The functions of any personnel who operate flight safety system hardware or software including a flight safety crew that satisfies § 417.311.

(d) Compliance.

(1) Non-Federal launch site. For launch from a non-Federal launch site, any flight safety system, including all components, must:

(i) Comply with a launch operator's flight safety system compliance matrix of § 415.127(g) that accounts for all the design, installation, and monitoring requirements of this subpart, including the referenced appendices; and

(ii) Comply with a launch operator's testing compliance matrix of § 415.129(b) that accounts for all the test requirements of this subpart, including the referenced appendices.

(2) Federal launch range. This provision applies to all sections of this subpart. The FAA will accept a flight safety system used or approved on a Federal launch range without need for further demonstration of compliance to the FAA if:

(i) A launch operator has contracted with a Federal launch range for the provision of flight safety system property and services; and

(ii) The FAA has assessed the Federal launch range, through its launch site safety assessment, and found that the Federal launch range's flight safety system property and services satisfy the requirements of this subpart. In this case, the FAA will treat the Federal launch range's flight safety system property and services as that of a launch operator.

§ 417.303 Command control system requirements.

(a) General. When initiated by a flight safety official, a command control system must transmit a command signal that has the radio frequency characteristics and power needed for receipt of the signal by the onboard vehicle flight termination system. A command control system must include all of the following:

(1) All flight termination system activation switches;

(2) All intermediate equipment, linkages, and software;

(3) Any auxiliary stations;

(4) Each command transmitter and transmitting antenna; and

(5) All support equipment that is critical for reliable operation, such as power, communications, and air conditioning systems.

(b) Performance specifications. A command control system and each subsystem, component, and part that can affect the reliability of a component must have written performance specifications that demonstrate, and contain the details of, how each satisfies the requirements of this section.

(c) Reliability prediction. A command control system must have a predicted reliability of 0.999 at the 95 percent confidence level when operating, starting with completion of the preflight testing and system verification of § 417.305(c) through initiation of flight and until the planned safe flight state for each launch. Any demonstration of the system's predicted reliability must satisfy § 417.309(b).

(d) Fault tolerance. A command control system must not contain any single-failure-point that, upon failure, would inhibit the required functioning of the system or cause the transmission of an undesired flight termination message. A command control system's design must ensure that the probability of transmitting an undesired or inadvertent command during flight is less than 1 × 10⁻⁷.

(e) Configuration control. A command control system must undergo configuration control to ensure its reliability and compatibility with the flight termination system used for each launch.

(f) Electromagnetic interference. Each command control system component must function within the electromagnetic environment to which it is exposed. A command control system must include protection to prevent interference from inhibiting the required functioning of the system or causing the transmission of an undesired or inadvertent flight termination command. Any susceptible remote control data processing or transmitting system that is part of the command control system must prevent electromagnetic interference.

(g) Command transmitter failover. A command control system must include independent, redundant transmitter systems that automatically switch, or “fail-over,” from a primary transmitter to a secondary transmitter when a condition exists that indicates potential failure of the primary transmitter. The switch must be automatic and provide all the same command control system capabilities through the secondary transmitter system. The secondary transmitter system must respond to any transmitter system configuration and radio message orders established for the launch. The fail-over criteria that trigger automatic switching from the primary transmitter to the secondary transmitter must account for each of the following transmitter performance parameters and failure indicators:

(1) Low transmitter power;

(2) Center frequency shift;

(3) Out of tolerance tone frequency;

(4) Out of tolerance message timing;

(5) Loss of communication between central control and transmitter site;

(6) Central control commanded status and site status disagree;

(7) Transmitter site fails to respond to a configuration or radiation order within a specified period of time; and

(8) For a tone-based system, tone deviation and tone imbalance.

(h) Switching between transmitter systems. Any manual or automatic switching between transmitter systems, including fail-over, must not result in the radio carrier being off the air long enough for any command destruct system to be captured by an unauthorized transmitter. The time the radio carrier is off the air must account for any loss of carrier and any simultaneous multiple radio carrier transmissions from two transmitter sites during switching.
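The following is an added illustration, not part of the rule text, of how the fail-over criteria of paragraph (g) and the carrier continuity condition of paragraph (h) could be checked against recorded transmitter status and switching logs. Every limit, field name, and sample record is constructed for the example, and treating the disturbance time as carrier gap plus dual-carrier overlap is an assumed reading of paragraph (h).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed limits; real values come from the system's written
# performance specifications, not from the rule text.
LIMITS = {
    "min_power_w": 600.0,
    "max_center_shift_hz": 2000.0,
    "max_tone_freq_error_hz": 5.0,
    "max_timing_error_ms": 1.0,
    "max_order_response_ms": 500,
    "max_tone_deviation_error_khz": 3.0,
    "max_tone_imbalance_db": 1.0,
}
CAPTURE_LIMIT_MS = 5  # constructed: longest tolerable carrier disturbance

@dataclass
class TransmitterStatus:
    power_w: float
    center_shift_hz: float
    tone_freq_error_hz: float
    timing_error_ms: float
    link_to_central_up: bool
    commanded_state: str
    reported_state: str
    order_response_ms: Optional[int]  # None means no response was received
    tone_deviation_error_khz: Optional[float] = None  # tone-based systems only
    tone_imbalance_db: Optional[float] = None          # tone-based systems only

def failover_reasons(s: TransmitterStatus) -> List[str]:
    """Return every paragraph (g) criterion the status record violates."""
    reasons = []
    if s.power_w < LIMITS["min_power_w"]:
        reasons.append("(g)(1) low transmitter power")
    if abs(s.center_shift_hz) > LIMITS["max_center_shift_hz"]:
        reasons.append("(g)(2) center frequency shift")
    if abs(s.tone_freq_error_hz) > LIMITS["max_tone_freq_error_hz"]:
        reasons.append("(g)(3) out of tolerance tone frequency")
    if abs(s.timing_error_ms) > LIMITS["max_timing_error_ms"]:
        reasons.append("(g)(4) out of tolerance message timing")
    if not s.link_to_central_up:
        reasons.append("(g)(5) loss of communication with central control")
    if s.commanded_state != s.reported_state:
        reasons.append("(g)(6) commanded and site status disagree")
    if (s.order_response_ms is None
            or s.order_response_ms > LIMITS["max_order_response_ms"]):
        reasons.append("(g)(7) no timely response to order")
    dev, imb = s.tone_deviation_error_khz, s.tone_imbalance_db
    if ((dev is not None and abs(dev) > LIMITS["max_tone_deviation_error_khz"])
            or (imb is not None and abs(imb) > LIMITS["max_tone_imbalance_db"])):
        reasons.append("(g)(8) tone deviation or tone imbalance")
    return reasons

Interval = Tuple[int, int]  # carrier on/off times in ms, half-open [on, off)

def carrier_exposure(primary: List[Interval], secondary: List[Interval],
                     window: Interval) -> Tuple[int, int]:
    """Return (gap_ms, overlap_ms): time in the window with no carrier on
    the air, and time with both sites radiating at once."""
    start, end = window
    radiating = primary + secondary
    edges = sorted({start, end,
                    *(t for iv in radiating for t in iv if start < t < end)})
    gap = overlap = 0
    for a, b in zip(edges, edges[1:]):
        mid = (a + b) / 2
        active = sum(1 for on, off in radiating if on <= mid < off)
        if active == 0:
            gap += b - a
        elif active >= 2:
            overlap += b - a
    return gap, overlap

def switch_acceptable(primary, secondary, window) -> bool:
    """Paragraph (h): loss of carrier and simultaneous carriers both count
    toward the disturbance that must stay below the capture limit."""
    gap, overlap = carrier_exposure(primary, secondary, window)
    return gap + overlap < CAPTURE_LIMIT_MS

# Constructed sample records and switching logs.
NOMINAL = TransmitterStatus(1000.0, 150.0, 0.5, 0.1, True,
                            "RADIATE", "RADIATE", 120, 0.4, 0.2)
DEGRADED = TransmitterStatus(450.0, 150.0, 0.5, 0.1, True,
                             "RADIATE", "STANDBY", None, 0.4, 1.6)
CLEAN_SWITCH = ([(0, 1000)], [(1002, 3000)], (0, 3000))
FAULTY_SWITCH = ([(0, 1000), (1006, 1009)], [(1004, 3000)], (0, 3000))

if __name__ == "__main__":
    print(failover_reasons(DEGRADED))
    for name, log in (("clean", CLEAN_SWITCH), ("faulty", FAULTY_SWITCH)):
        print(name, carrier_exposure(*log), switch_acceptable(*log))
```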

(i) Radio carrier. For each launch, a command control system must provide all of the following:

(1) The radio frequency signal and radiated power density that each command destruct system needs to activate during flight;

(2) The 12-dB power density margin required by section D417.9(d) of appendix D of this part under nominal conditions; and

(3) A 6-dB power density margin under worst-case conditions.

(j) Command control system monitoring and control. A command control system must provide for monitoring and control of the system from the flight safety system displays and controls required by § 417.307(g), including real-time selection of a transmitter, transmitter site, communication circuits, and antenna configuration.

(k) Command transmitter system. For each launch, a command transmitter system must:

(1) Transmit signals that are compatible with any command destruct system's radio frequency receiving system of section D417.25 and command receiver decoder of section D417.29 of appendix D of this part;

(2) Ensure that all arm and destruct commands transmitted to a flight termination system have priority over any other commands transmitted;

(3) Employ an authorized radio carrier frequency and bandwidth with a guard band that provides the radio frequency separation needed to ensure that the system does not interfere with any other flight safety system that is required to operate at the same time;

(4) Transmit an output bandwidth that is consistent with the signal spectrum power used in the link analysis of § 417.309(f); and

(5) Not transmit other frequencies that could degrade the airborne flight termination system's performance.

(l) Command control system antennas. A command control system antenna or antenna system must satisfy all of the following:

(1) The antenna system must provide two or more command signals to any command destruct system throughout normal flight and in the event of a launch vehicle failure regardless of launch vehicle orientation;

(2) Each antenna beam-width must:

(i) Allow for complete transmission of the command destruct sequence of signal tones before a malfunctioning launch vehicle can exit the 3-dB point of the antenna pattern;

(ii) When the vehicle is centered in the antenna pattern at the beginning of the malfunction, account for the launch vehicle's malfunction turn capability determined by the analysis of § 417.209, the data loss flight times of § 417.219, and the time delay of § 417.221.

(iii) Encompass the boundaries of normal flight for the portion of flight that the antenna is scheduled to support; and

(iv) Account for any error associated with launch vehicle tracking and pointing of the antenna;

(3) The location of each antenna must provide for an unobstructed line of sight between the antenna and the launch vehicle;

(4) The antenna system must provide a continuous omni-directional radio carrier pattern that covers the launch vehicle's flight from the launch point to no less than an altitude of 50,000 feet above sea level, unless the system uses a steerable antenna that satisfies paragraphs (l)(1) and (2) of this section for the worst-case launch vehicle malfunction that could occur during that portion of flight;

(5) An antenna must radiate circularly polarized radio waves that are compatible with the flight termination system antennas on the launch vehicle; and

(6) Any steerable antenna must allow for control of the antenna manually at the antenna site or by remote slaving data from a launch vehicle tracking source. A steerable antenna's positioning lag, accuracy, and slew rates must allow for tracking a nominally performing launch vehicle within one half of the antenna's beam-width and for tracking a malfunctioning launch vehicle to satisfy paragraph (l)(2) of this section.

§ 417.305 Command control system testing.

(a) General.

(1) A command control system, including its subsystems and components, must undergo the acceptance testing of paragraph (b) of this section when new or modified. For each launch, a command control system must undergo the preflight testing of paragraph (c) of this section.

(2) Each acceptance and preflight test must follow a written test plan that specifies the procedures and test parameters for the test and the testing sequence. A test plan must include instructions on how to handle procedural deviations and how to react to test failures.

(3) If hardware or software is redesigned or replaced with a different hardware or software that is not identical to the original, the system must undergo all acceptance testing and analysis with the new hardware or software and all preflight testing for each launch with the new hardware or software.

(4) After a command control system passes all acceptance tests, if a component is replaced with an identical component, the system must undergo testing to ensure that the new component is installed properly and is operational.

(b) Acceptance testing.

(1) All new or modified command control system hardware and software must undergo acceptance testing to verify that the system satisfies the requirements of § 417.303.

(2) Acceptance testing must include functional testing, system interface validation testing, and integrated system-wide validation testing.

(3) Each acceptance test must measure the performance parameters that demonstrate whether the requirements of § 417.303 are satisfied.

(4) Any computing system, software, or firmware that performs a software safety critical function must undergo validation testing and satisfy § 417.123. If command control system hardware interfaces with software, the interface must undergo validation testing.

(c) Preflight testing.

(1) General. For each launch, a command control system must undergo preflight testing to verify that the system satisfies the requirements of § 417.303 for the launch.

(2) Coordinated command control system and flight termination system testing. For each launch, a command control system must undergo preflight testing during the preflight testing of the associated flight termination system under section E417.41 of appendix E of this part.

(3) Command transmitter system carrier switching tests. A command transmitter system must undergo a test of its carrier switching system no earlier than 24 hours before a scheduled flight. The test must satisfy all of the following:

(i) Automatic carrier switching. For any automatic carrier switching system, the test must verify that the switching algorithm selects and enables the proper transmitter site for each portion of the planned flight; and

(ii) Manual carrier switching. For any manual carrier switching, the test must verify that the flight safety system crew can select and enable each transmitter site planned to support the launch.

(4) Independent radio frequency open loop verification tests. A command control system must undergo an open loop end-to-end verification test for each launch as close to the planned flight as operationally feasible and after any modification to the system or break in the system configuration. The test must:

(i) Verify the performance of each element of the system from the flight safety system displays and controls to each command transmitter site;

(ii) Measure all system performance parameters received and transmitted using measuring equipment that does not physically interface with any elements of the operational command control system;

(iii) Verify the performance of each flight safety system display and control and remote command transmitter site combination by repeating all measurements for each combination, for all strings and all operational configurations of cross-strapped equipment; and

(iv) Verify that all critical command control system performance parameters satisfy all their performance specifications. These parameters must include:

(A) Transmitter power output;

(B) Center frequency stability;

(C) Tone deviation;

(D) Tone frequency;

(E) Message timing;

(F) Status of each communication circuit between the flight safety system display and controls and any supporting command transmitter sites;

(G) Status agreement between the flight safety system display and controls and each and any supporting command transmitter sites;

(H) Fail-over conditions;

(I) Tone balance; and

(J) Time delay from initiation of a command at each flight safety system control to transmitter output of the command signal.

(d) Test reports. If a Federal launch range oversees the safety of a launch, the range's requirements are consistent with this subpart, and the range provides and tests the command control system, a launch operator need only obtain the range's verification that the system satisfies all the test requirements. For any other case a launch operator must prepare or obtain one or more written reports that:

(1) Verify that the command control system satisfies all the test requirements;

(2) Describe all command control system test results and test conditions;

(3) Describe any analysis performed instead of testing;

(4) Identify by serial number or other identification each test result that applies to each system or component;

(5) Describe any test failure or anomaly, including any variation from an established performance baseline, each corrective action taken, and all results of any additional tests; and

(6) Identify any test failure trends.

§ 417.307 Support systems.

(a) General.

(1) A flight safety system must include the systems required by this section to support the functions of the flight safety system crew, including making a flight termination decision.

(2) Each support system and each subsystem, component, and part that can affect the reliability of the support system must have written performance specifications that demonstrate, and contain the details of, how each satisfies the requirements of this section.

(3) For each launch, each support system must undergo testing to ensure it functions according to its performance specifications.

(b) Launch vehicle tracking.

(1) A flight safety system must include a launch vehicle tracking system that provides launch vehicle position and status data to the flight safety crew from the first data loss flight time until the planned safe flight state for the launch.

(2) The tracking system must consist of at least two sources of launch vehicle position data. The data sources must be independent of one another, and at least one source must be independent of any vehicle guidance system.

(3) All ground tracking systems and components must be compatible with any tracking system components onboard the launch vehicle.

(4) If a tracking system uses radar as one of the independent tracking sources, the system must:

(i) Include a tracking beacon onboard the launch vehicle; or

(ii) If the system relies on skin tracking, it must maintain a tracking margin of no less than 6 dB above noise throughout the period of flight that the radar is used. The flight safety limits must account for the larger tracking errors associated with skin tracking.

(5) The tracking system must provide real-time data to the flight safety data processing, display, and recording system required by paragraph (e) of this section.

(6) For each launch, each tracking source must undergo validation of its accuracy. For each stage of flight that a launch vehicle guidance system is used as a tracking source, a tracking source that is independent of any system used to aid the guidance system must validate the guidance system data before the data is used in the flight termination decision process.

(7) The launch vehicle tracking error from all sources, including data latency and any possible gaps or dropouts in tracking coverage, must be consistent with the flight safety limits of § 417.213 and the flight safety system time delay of § 417.221.

(8) Any planned gap in tracking coverage must not occur at the same time as any planned switching of command transmitters.

(c) Telemetry.

(1) A flight safety system must include a telemetry system that provides the flight safety crew with accurate flight safety data during preflight operations and during flight until the planned safe flight state.

(2) The onboard telemetry system must monitor and transmit the flight termination system monitoring data of section D417.17 and any launch vehicle tracking data used to satisfy paragraph (b) of this section.

(3) The telemetry receiving system must acquire, store, and provide real-time data to the flight safety data processing, display, and recording system required by paragraph (e) of this section.

(d) Communications network. A flight safety system must include a communications network that connects all flight safety functions with all launch control centers and any down-range tracking and command transmitter sites. The system must provide for recording all required data and all voice communications channels during launch countdown and flight.

(e) Data processing, display, and recording. A flight safety system must include one or more subsystems that process, display, and record flight safety data to support the flight safety crew's monitoring of the launch, including the data that the crew uses to make a flight termination decision. The system must:

(1) Satisfy § 417.123 for any computing system, software, or firmware that must operate properly to ensure the accuracy of the data;

(2) Receive vehicle status data from tracking and telemetry, evaluate the data for validity, and provide valid data for display and recording;

(3) Perform any reformatting of the data as appropriate and forward it to display and recording devices;

(4) Display real-time data against background displays of the nominal trajectory and flight safety limits established in accordance with the flight safety analysis required by subpart C of this part;

(5) Display and record raw input and processed data at a rate that maintains the validity of the data and at no less than 0.1-second intervals;

(6) Record the timing of when flight safety system commands are input by the flight safety crew; and

(7) Record all health and status parameters of the command control system, including the transmitter failover parameters, command outputs, check channel or pilot tone monitor, and status of communications.

(f) Displays and controls.

(1) A flight safety system must include the displays of real-time data and controls that the flight safety crew needs to perform all its functions, such as to monitor and evaluate launch vehicle performance, communicate with other flight safety and launch personnel, and initiate flight termination.

(2) A flight safety system must present all data that the flight safety crew needs to ensure that all flight commit criteria are satisfied for each launch, such as hazard area surveillance, any aircraft and ship traffic information, meteorological conditions, and the flight termination system monitoring data of section D417.17.

(3) The real-time displays must include all data that the flight safety crew needs to ensure the operational functionality of the flight safety system, including availability and quality, and that all flight termination rules are satisfied for each launch, such as:

(i) Launch vehicle tracking data, such as instantaneous vacuum impact point, drag corrected debris footprint, or present launch vehicle position and velocities as a function of time;

(ii) Vehicle status data from telemetry, including yaw, pitch, roll, and motor chamber pressure;

(iii) The flight termination system monitoring data of section D417.17;

(iv) Background displays of nominal trajectory, flight safety limits, data loss flight times, planned safe flight state, and any overflight gate through a flight safety limit all as determined by the flight safety analysis required by subpart C of this part; and

(v) Any video data when required by the flight safety crew to perform its functions, such as video from optical program and flight line cameras.

(4) The controls must allow the flight safety crew to turn a command transmitter on and off, manually switch from primary to backup transmitter antenna, and switch between each transmitter site. These functions may be accomplished through controls available to command transmitter support personnel and communications between those personnel and the flight safety crew.

(5) Each set of command transmitter system controls must include a means of identifying when it has primary control of the system.

(6) The displays must include a means of immediately notifying the flight safety system crew of any automatic fail-over of the system transmitters.

(7) All flight safety system controls must be dedicated to the flight safety system and must not rely on time or equipment shared with other systems.

(8) All data transmission links between any control, transmitter, or antenna must consist of two or more complete and independent duplex circuits. The routing of these circuits must ensure that they are physically separated from each other to eliminate any potential single failure point in the command control system in accordance with § 417.303(d).

(9) The system must include hardware or procedural security provisions for controlling access to all controls and other related hardware. These security provisions must ensure that only the flight safety crew can initiate a flight safety system transmission.

(10) The system must include two independent means for the flight safety crew to initiate arm and destruct messages. The location and functioning of the controls must provide the crew easy access to the controls and prevent inadvertent activation.

(11) The system must include a digital countdown for use in implementing the flight termination rules of § 417.113 that apply data loss flight times and the planned safe flight state. The system must also include a manual method of applying the data loss flight times in the event that the digital countdown malfunctions.

(g) Support equipment calibration. Each support system and any equipment used to test flight safety system components must undergo calibration to ensure that measurement and monitoring devices that support a launch provide accurate indications.

(h) Destruct initiator simulator. A flight safety system must include one or more destruct initiator simulators that simulate each destruct initiator during the flight termination system preflight tests. Each destruct initiator simulator must:

(1) Have electrical and operational characteristics matching those of the actual destruct initiator;

(2) Monitor the firing circuit output current, voltage, or energy, and indicate whether the firing output occurs. The indication that the output occurred must remain after the output is removed;

(3) Have the ability to remain connected throughout ground processing until the electrical connection of the actual initiators is accomplished;

(4) Include a capability that permits the issuance of destruct commands by test equipment only if the simulator is installed and connected to the firing lines; and

(5) For any low voltage initiator, provide a stray current monitoring device in the firing line. The stray current monitoring device, such as a fuse or automatic recording system, must be capable of indicating a minimum of one-tenth of the maximum no-fire current.

(i) Timing. A flight safety system must include a timing system that is synchronized to a universal time coordinate. The system must:

(1) Initiate first motion signals;

(2) Synchronize flight safety system instrumentation, including countdown clocks; and

(3) Identify when, during countdown or flight, a data measurement or voice communication occurs.

§ 417.309 Flight safety system analysis.

(a) General.

(1) Each flight termination system and command control system, including each of their components, must satisfy the analysis requirements of this section.

(2) Each analysis must follow an FAA approved system safety and reliability analysis methodology.

(b) System reliability. Each flight termination system and command control system must undergo an analysis that demonstrates the system's predicted reliability. Each analysis must:

(1) Account for the probability of a flight safety system anomaly occurring and all of its effects as determined by the single failure point analysis and the sneak circuit analysis required by paragraphs (c) and (g) of this section;

(2) Demonstrate that each system satisfies the predicted reliability requirement of 0.999 at the 95 percent confidence level;

(3) Use a reliability model that is statistically valid and accurately represents the system;

(4) Account for the actual or predicted reliability of all subsystems and components;

(5) Account for the effects of storage, transportation, handling, maintenance, and operating environments on component predicted reliability; and

(6) Account for the interface between the launch vehicle systems and the flight termination system.

(c) Single failure point. A command control system must undergo an analysis that demonstrates that the system satisfies the fault tolerance requirements of § 417.303(d). A flight termination system must undergo an analysis that demonstrates that the system satisfies the fault tolerance requirements of section D417.5(b). Each analysis must:

(1) Follow a standard industry methodology such as a fault tree analysis or a failure modes effects and criticality analysis;

(2) Identify all possible failure modes and undesired events, their probability of occurrence, and their effects on system performance;

(3) Identify single point failure modes;

(4) Identify areas of design where redundancy is required and account for any failure mode where a component and its backup could fail at the same time due to a single cause;

(5) Identify functions, including redundancy, which are not or cannot be tested;

(6) Account for any potential system failures due to hardware, software, test equipment, or procedural or human errors;

(7) Account for any single failure point on another system that could disable a command control system or flight termination system, such as any launch vehicle system that could trigger safing of a flight termination system; and

(8) Provide input to the reliability analysis of paragraph (b) of this section.

(d) Fratricide. A flight termination system must undergo an analysis that demonstrates that the flight termination of any stage, at any time during flight, will not sever interconnecting flight termination system circuitry or ordnance to other stages until flight termination on all the other stages has been initiated.

(e) Bent pin. Each component of a flight termination system and command control system must undergo an analysis that demonstrates that any single short circuit occurring as a result of a bent electrical connection pin will not result in inadvertent system activation or inhibiting the proper operation of the system.

(f) Radio frequency link.

(1) The flight safety system must undergo a radio frequency link analysis to demonstrate that it satisfies the required 12-dB margin for nominal system performance and 6-dB margin for worst-case system performance.

(2) When demonstrating the 12-dB margin, each link analysis must account for the following nominal system performance and attenuation factors:

(i) Path losses due to plume or flame attenuation;

(ii) Vehicle trajectory;

(iii) Ground system and airborne system radio frequency characteristics; and

(iv) The antenna gain value that ensures that the margin is satisfied over 95% of the antenna radiation sphere surrounding the launch vehicle.

(3) When demonstrating the 6-dB margin, each link analysis must account for the following worst-case system performance and attenuation factors:

(i) The system performance and attenuation factors of paragraph (f)(2) of this section;

(ii) The command transmitter failover criteria of § 417.303(g) including the lowest output power provided by the transmitter system;

(iii) Worst-case power loss due to antenna pointing inaccuracies; and

(iv) Any other attenuation factors.
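The following is an added illustration, not part of the rule text, of a radio frequency link analysis that evaluates the 12-dB nominal and 6-dB worst-case margins of paragraph (f) along a trajectory. The carrier frequency, powers, gains, losses, receiver threshold, and trajectory points are all constructed values, and the margin is expressed in received-power terms using the standard free-space path loss formula.

```python
import math
from dataclasses import dataclass
from typing import List, Tuple

FREQ_MHZ = 420.0                 # constructed carrier frequency
RECEIVER_THRESHOLD_DBM = -107.0  # constructed command receiver threshold
NOMINAL_REQUIRED_DB = 12.0       # paragraph (f)(1), nominal performance
WORST_CASE_REQUIRED_DB = 6.0     # paragraph (f)(1), worst-case performance

# Constructed trajectory: (slant range in km, plume/flame attenuation in dB),
# covering the factors of paragraphs (f)(2)(i) and (f)(2)(ii).
TRAJECTORY: List[Tuple[float, float]] = [
    (10.0, 0.0), (100.0, 6.0), (400.0, 15.0), (800.0, 10.0),
]

@dataclass(frozen=True)
class LinkCase:
    tx_power_dbm: float             # transmitter output power
    ground_antenna_gain_dbi: float  # ground system RF characteristics
    airborne_gain_dbi: float        # gain met over 95% of radiation sphere
    fixed_losses_db: float          # cabling, couplers, polarization
    pointing_loss_db: float = 0.0   # paragraph (f)(3)(iii)
    other_losses_db: float = 0.0    # paragraph (f)(3)(iv)

def free_space_path_loss_db(distance_km: float, freq_mhz: float) -> float:
    """Standard free-space path loss for distance in km and frequency in MHz."""
    return 20 * math.log10(distance_km) + 20 * math.log10(freq_mhz) + 32.44

def margin_db(case: LinkCase, slant_km: float, plume_db: float) -> float:
    """Received power at the airborne receiver minus its threshold."""
    received_dbm = (case.tx_power_dbm
                    + case.ground_antenna_gain_dbi
                    + case.airborne_gain_dbi
                    - case.fixed_losses_db
                    - case.pointing_loss_db
                    - case.other_losses_db
                    - plume_db
                    - free_space_path_loss_db(slant_km, FREQ_MHZ))
    return received_dbm - RECEIVER_THRESHOLD_DBM

def minimum_margin(case: LinkCase,
                   trajectory: List[Tuple[float, float]]) -> Tuple[float, float]:
    """Return (lowest margin in dB, slant range in km where it occurs)."""
    return min((margin_db(case, d, plume), d) for d, plume in trajectory)

# Constructed nominal case: 10 kW (70 dBm) transmitter.
NOMINAL = LinkCase(tx_power_dbm=70.0, ground_antenna_gain_dbi=8.0,
                   airborne_gain_dbi=-12.0, fixed_losses_db=3.0)
# Constructed worst case: lowest output power permitted by the fail-over
# criteria (64 dBm) plus antenna pointing and other losses.
WORST_CASE = LinkCase(tx_power_dbm=64.0, ground_antenna_gain_dbi=8.0,
                      airborne_gain_dbi=-12.0, fixed_losses_db=3.0,
                      pointing_loss_db=3.0, other_losses_db=3.0)

def assess() -> dict:
    """Evaluate both margins over the whole trajectory."""
    nominal, where = minimum_margin(NOMINAL, TRAJECTORY)
    worst, _ = minimum_margin(WORST_CASE, TRAJECTORY)
    return {
        "nominal_margin_db": nominal,
        "nominal_ok": nominal >= NOMINAL_REQUIRED_DB,
        "worst_case_margin_db": worst,
        "worst_case_ok": worst >= WORST_CASE_REQUIRED_DB,
        "limiting_slant_km": where,
    }

if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key}: {value}")
```

With these constructed inputs the nominal case clears 12 dB while the worst case falls short of 6 dB, which shows why the two margins are analyzed separately.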

(g) Sneak circuit. Each electronic component that contains an electronic inhibit that could inhibit the functioning, or cause inadvertent functioning of a flight termination system or command control system, must undergo a sneak circuit analysis. The analysis must demonstrate that there are no latent paths of an unwanted command that could, when all components otherwise function properly, cause the occurrence of an undesired, unplanned, or inhibited function that could cause a system anomaly. The analysis must determine the probability of an anomaly occurring for input to the system reliability analysis of paragraph (b) of this section.

(h) Software and firmware. Any computing system, software, or firmware that performs a software safety critical function must undergo the analysis needed to ensure reliable operation and satisfy § 417.123.

(i) Battery capacity. A flight termination system must undergo an analysis that demonstrates that each flight termination system battery has a total amp hour capacity of no less than 150% of the capacity needed during flight plus the capacity needed for load and activation checks, preflight and launch countdown checks, and any potential launch hold time. For a launch vehicle that uses any solid propellant, the analysis must demonstrate that the battery capacity allows for an additional 30-minute hang-fire hold time. The battery analysis must also demonstrate each flight termination system battery's ability to meet the charging temperature and current control requirements of appendix D of this part.

(j) Survivability. A flight termination system must undergo an analysis that demonstrates that each subsystem and component, including their location on the launch vehicle, provides for the flight termination system to complete all its required functions when exposed to:

(1) Breakup of the launch vehicle due to aerodynamic loading effects at high angle of attack trajectories during early stages of flight, including the effects of any automatic or inadvertent destruct system;

(2) An engine hard-over nozzle induced tumble during each phase of flight for each stage; or

(3) Launch vehicle staging, ignition, or any other normal or abnormal event that, when it occurs, could damage flight termination system hardware or inhibit the functionality of any subsystem or component, including any inadvertent separation destruct system.

§ 417.311 Flight safety crew roles and qualifications.

(a) A flight safety crew must operate the flight safety system hardware. A flight safety crew must document each flight safety crew position description and maintain documentation on individual crew qualifications, including education, experience, and training as part of the personnel certification program required by § 417.105.

(b) A flight safety crew must be able to demonstrate the knowledge, skills, and abilities needed to operate the flight safety system hardware in accordance with § 417.113.

(1) A flight safety crew must have knowledge of:

(i) All flight safety system assets and responsibilities, including:

(A) Communications systems and launch operations procedures;

(B) Both voice and data systems;

(C) Graphical data systems;

(D) Tracking; and

(E) Telemetry real time data;

(ii) Flight termination systems; and

(iii) Contingency operations, including hold, recycle and abort procedures.

(2) An individual who monitors vehicle performance and performs flight termination must have knowledge of and be capable of resolving malfunctions in:

(i) The application of safety support systems such as position tracking sources;

(ii) Digital computers;

(iii) Displays;

(iv) Command destruct;

(v) Communications;

(vi) Telemetry;

(vii) All electrical functions of a flight termination system;

(viii) The principles of radio frequency transmission and attenuation;

(ix) The behavior of ballistic and aerodynamic vehicles in flight under the influence of aerodynamic forces; and

(x) The application of flight termination rules.

(3) An individual who operates flight safety support systems must have knowledge of and be capable of resolving malfunctions in:

(i) The design and assembly of the flight safety support system hardware;

(ii) The operation of electromechanical systems; and

(iii) The nature and inherent tendencies of the flight safety system hardware being operated.

(4) An individual who performs flight safety analysis must have knowledge of orbital mechanics and be proficient in the calculation and production of range safety displays, impact probabilities, and casualty expectations.

(c) Flight safety crew members must complete a training and certification program to ensure launch site familiarization, launch vehicle familiarization, flight safety system functions, equipment, and procedures related to a launch before being called upon to support that launch. Each flight safety crew member must complete a preflight readiness training and certification program. This preflight readiness training and certification program must include:

(1) Mission specific training programs to ensure team readiness.

(2) Launch simulation exercises of system failure modes, including nominal and failure modes, that test crew performance, flight termination criteria, and flight safety data display integrity.

Subpart E—Ground Safety

§ 417.401 Scope.

This subpart contains public safety requirements that apply to launch processing and post-launch operations at a launch site in the United States. Ground safety requirements in this subpart apply to activities performed by, or on behalf of, a launch operator at a launch site in the United States. A licensed launch site operator must satisfy the requirements of part 420 of this chapter.

§ 417.402 Compliance.

(a) General. A launch operator's ground safety process must satisfy this subpart.

(b) Ground safety analysis conducted for launch at a Federal launch range. This provision applies to all sections of this subpart. The FAA will accept a ground safety process conducted for a launch from a Federal launch range without need for further demonstration of compliance to the FAA if:

(1) A launch operator has contracted with a Federal launch range for the provision of the ground safety process; and

(2) The FAA has assessed the Federal launch range, through its launch site safety assessment, and found that the Federal launch range's ground safety process satisfies the requirements of this subpart. In this case, the FAA will treat the Federal launch range's process as that of a launch operator.

(c) Toxic release hazard analysis conducted for launch processing at a Federal launch range. The FAA will accept a toxic release hazard analysis conducted for launch processing from a Federal launch range provided the toxic release analysis satisfies the Federal launch range's requirements, and the FAA has assessed the Federal launch range, through its launch site safety assessment, and found that the applicable Federal launch range safety-related launch services and property satisfy the requirements of this subpart.

(d) Demonstration of compliance. For a licensed launch that does not satisfy paragraphs (b) and (c) of this section, a launch operator must demonstrate compliance to the FAA with the requirements of this subpart, and must include in its demonstration the analysis products required by subparts A and E of this part, and appendices I and J of this part.

(e) Alternate methods. The FAA will approve an alternate hazard control method if a launch operator demonstrates, in accordance with § 406.3(b), that its proposed hazard control method provides an equivalent level of safety to that required by this subpart.

§ 417.403 General.

(a) Public safety. A launch operator must ensure that each hazard control is in place to protect the public from each potential hazard associated with launch processing and post-launch operations.

(b) Ground safety analysis. A launch operator must perform and document a ground safety analysis that satisfies § 417.405 and appendix J of this part.

(c) Local agreements. A launch operator must coordinate and perform launch processing and post-launch operations that satisfy local agreements to ensure the responsibilities and requirements in this part and § 420.57 of this chapter are met. A launch operator, when using a launch site of a licensed launch site operator, must coordinate the launch operator's operations with the launch site operator and with any agreements that the launch site operator has with local authorities that form a basis for the launch site operator's license.

(d) Launch operator's exclusive use of a launch site. For a launch conducted from a launch site exclusive to its own use, a launch operator must satisfy the requirements of this subpart and of part 420 of this chapter, including subpart D of part 420.

§ 417.405 Ground safety analysis.

(a) A launch operator must perform a ground safety analysis for launch vehicle hardware, ground hardware including launch site and ground support equipment, launch processing, and post-launch operations at a launch site in the United States. The requirements of this section apply to the performance of the ground safety analysis and to the ground safety analysis products that a launch operator must file with the FAA as required by § 417.402(d). This analysis must identify each potential hazard, each associated cause, and each hazard control that a launch operator must establish and maintain to keep each identified hazard from affecting the public. A launch operator must incorporate the launch site operator's systems and operations involved in ensuring public safety into the ground safety analysis.

(b) Technical personnel who are knowledgeable of launch vehicle systems, launch processing, ground systems, operations, and their associated hazards must prepare the ground safety analysis. These individuals must be qualified to perform the ground safety analysis through training, education, and experience.

(c) A launch operator must ensure personnel performing a ground safety analysis or preparing a ground safety analysis report will have the cooperation of the entire launch operator's organization. A launch operator must maintain supporting documentation and it must be available upon request.

(d) A launch operator must:

(1) Begin a ground safety analysis by identifying the systems and operations to be analyzed;

(2) Define the extent of each system and operation being assessed to ensure there is no miscommunication as to what the hazards are, and who, in a launch operator's organization or other organization supporting the launch, controls those hazards; and

(3) Ensure that the ground safety analysis accounts for each launch vehicle system and operation involved in launch processing and post-launch operations, even if only to show that no hazard exists.

(e) A ground safety analysis need not account for potential hazards of a component if a launch operator demonstrates that no hazard to the public exists at the system level. A ground safety analysis need not account for an operation's individual task or subtask level if a launch operator demonstrates that no hazard to the public exists at the operation level. A launch operator must provide verifiable controls for hazards that are confined within the boundaries of a launch operator's facility to ensure the public will not have access to the associated hazard area while the hazard exists.

(f) A launch operator must identify each potential hazard, including non-credible hazards. The probability of occurrence is not relevant with respect to identifying a hazard. Where an assertion is made that no hazard exists for a particular system or operation, the ground safety analysis must provide the rationale. A launch operator must identify the following hazards of each launch vehicle system, launch site and ground support equipment, launch processing, and post-launch operations:

(1) System hazards, including explosives and other ordnance, solid and liquid propellants, toxic and radioactive materials, asphyxiants, cryogens, and high pressure. System hazards generally exist even when no operation is occurring; and

(2) Operation hazards derived from an unsafe condition created by a system, operating environment, or an unsafe act.

(g) A launch operator must categorize identified system and operation hazards as follows:

(1) Public hazard. A hazard that extends beyond the launch location under the control of a launch operator. Public hazards include the following:

(i) Blast overpressure and fragmentation resulting from an explosion;

(ii) Fire and deflagration, including hazardous materials such as radioactive material, beryllium, carbon fibers, and propellants. A launch operator must assume that in the event of a fire, hazardous smoke from systems containing hazardous materials will reach the public;

(iii) Sudden release of a hazardous material into the air, water, or ground; and

(iv) Inadvertent ignition of a propulsive launch vehicle payload, stage, or motor.

(2) Launch location hazard. A hazard that stays within the confines of the location under the control of a launch operator but extends beyond individuals doing the work. The confines may be bounded by a wall or a fence line of a facility or launch complex, or by a fenced or unfenced boundary of an entire industrial complex or multi-user launch site. A launch location hazard may affect the public depending on public access controls. Launch location hazards that may affect the public include the hazards listed in paragraphs (g)(1)(i)-(iv) of this section and additional hazards in potentially unsafe locations accessible to the public such as:

(i) Unguarded electrical circuits or machinery;

(ii) Oxygen deficient environments;

(iii) Falling objects;

(iv) Potential falls into unguarded pits or from unguarded elevated work platforms; and

(v) Sources of ionizing and non-ionizing radiation such as x-rays, radio transmitters, and lasers.

(3) Employee hazard. A hazard to individuals performing a launch operator's work, but not to other people in the area. A launch operator must comply with all applicable Federal, state, and local employee safety regulations. A launch operator's ground safety analysis must identify employee hazards and demonstrate that there are no associated public safety issues.

(4) Non-credible hazard. A hazard for which possible adverse effects on people or property would be negligible and where the possibility of adverse effects on people or property is remote. A launch operator's ground safety analysis must identify non-credible hazards and demonstrate that the hazard is non-credible.

(h) A ground safety analysis must identify each hazard cause for each public hazard and launch location hazard. The ground safety analysis must account for conditions, acts, or chain of events that can result in a hazard. The ground safety analysis must account for the possible failure of any control or monitoring circuitry within hardware systems that can cause a hazard.

(i) A ground safety analysis must identify the hazard controls to be established by a launch operator for each hazard cause identified in paragraph (h) of this section. A launch operator's hazard controls include the use of engineering controls for the containment of hazards within defined areas and the control of public access to those areas.

(j) A launch operator must verify all information in a ground safety analysis, including design margins, fault tolerance and successful completion of tests. A launch operator must:

(1) Trace any identified hardware to an engineering drawing or other document that describes hardware configuration;

(2) Trace any test or analysis used in developing the ground safety analysis to a report or memorandum that describes how the test or analysis was performed;

(3) Ensure the accuracy of the test or analysis and the associated results;

(4) Trace any procedural hazard control identified to a written procedure, and approved by the person designated under § 417.103(b)(2) or the person's designee, with the paragraph or step number of the procedure specified;

(5) Identify a verifiable hazard control for each hazard; if a hazard control is not verifiable, a launch operator may include it as an informational note on the hazard analysis form;

(6) For each hazard control, reference a released drawing, report, procedure or other document that verifies the existence of the hazard control; and

(7) Maintain records, as required by § 417.15, of the documentation that verifies the information in the ground safety analysis.

(k) A launch operator must ensure the continuing accuracy of its ground safety analysis. The analysis of systems and operations must not end upon submission of a ground safety analysis report to the FAA during the license application process. A launch operator must analyze each new or modified system or operation for potential hazards that can affect the public. A launch operator must ensure that each existing system and operation is subject to continual scrutiny and that the information in a ground safety analysis report is kept current.

§ 417.407 Hazard control implementation.

(a) General. A launch operator must establish and maintain the hazard controls identified by the ground safety analysis including:

(1) System hazard controls that satisfy § 417.409;

(2) Safety clear zones for hazardous operations that satisfy § 417.411;

(3) Hazard areas and controls for allowing public access that satisfy § 417.413;

(4) Hazard controls after launch or an attempt to launch that satisfy § 417.415; and

(5) Controls for propellant and explosive hazards that satisfy § 417.417.

(b) Hazard control verification. A launch operator must establish a hazard tracking process to ensure that each identified hazard has a verifiable hazard control. Verification status must remain “open” for an individual hazard control until the hazard control is verified to exist in a released drawing, report, procedure, or similar document.

(c) Hazard control configuration control. A launch operator must establish and maintain a configuration control process for safety critical hardware. Procedural steps to verify hazard controls, and their associated documentation, cannot be changed without coordination with the person designated in § 417.103(b)(2).

(d) Inspections. When a potential hazard exists, a launch operator must conduct periodic inspections of related hardware, software, and facilities. A launch operator must ensure qualified and certified personnel, as required by § 417.105, conduct the inspection. A launch operator must demonstrate that the time interval between inspections is sufficient to ensure satisfaction of this subpart. A launch operator must ensure safety devices and other hazard controls must remain in place for that hazard, and that safety devices and other hazard controls must remain in working order so that no unsafe conditions exist.

(e) Procedures. A launch operator must conduct each launch processing or post-launch operation involving a public hazard or a launch location hazard pursuant to written procedures that incorporate the hazard controls identified by a launch operator's ground safety analysis and as required by this subpart. The person designated in § 417.103(b)(2) must approve the procedures. A launch operator must maintain an “as-run” copy of each procedure. The “as-run” procedure copy must include changes, start and stop dates, and times that each procedure was performed and observations made during the operations.

(f) Hazardous materials. A launch operator must establish procedures for the receipt, storage, handling, use, and disposal of hazardous materials, including toxic substances and sources of ionizing radiation. A launch operator must establish procedures for responding to hazardous material emergencies and protecting the public that complies with the accident investigation plan as defined in § 417.111(h)(2). These procedures must include:

(1) Identification of each hazard and its effects;

(2) Actions to be taken in response to release of a hazardous material;

(3) Identification of protective gear and other safety equipment that must be available in order to respond to a release;

(4) Evacuation and rescue procedures;

(5) Chain of command; and

(6) Communication both on-site and off-site to surrounding communities and local authorities.

(g) Toxic release hazard notifications and evacuations. A launch operator must perform a toxic release hazard analysis for launch processing performed at the launch site that satisfies section I417.7 of this part. A launch operator must apply toxic plume modeling techniques that satisfy section I417.7 of this part and ensure that notifications and evacuations are accomplished to protect the public from potential toxic release.

§ 417.409 System hazard controls.

(a) General. A launch operator must establish and maintain hazard controls for each system that presents a public hazard as identified by the ground safety analysis and satisfy the requirements of this section. A launch operator must:

(1) Ensure a system be at least single fault tolerant to creating a public hazard unless other hazard control criteria are specified for the system by the requirements of this part. A system capable of creating a catastrophic public hazard must be at least dual fault tolerant. Dual fault tolerant system hazard controls include: Switches, valves, or similar components that prevent an unwanted transfer or release of energy or hazardous materials;

(2) Ensure each hazard control used to provide fault tolerance is independent from other hazard controls so that no single action or event can remove more than one inhibit. A launch operator must prevent inadvertent activation of hazard control devices such as switches and valves;

(3) Provide at least two fully redundant safety devices if a safety device must function in order to control a public hazard. A single action or event must not be capable of disabling both safety devices; and

(4) Ensure computing systems and software used to control a public hazard satisfy the requirements of § 417.123.

(b) Structures and material handling equipment. A launch operator must ensure safety factors applied in the design of a structure or material handling equipment account for static and dynamic loads, environmental stresses, expected wear, and duty cycles. A launch operator must:

(1) Inspect structures and material handling equipment to verify workmanship, proper operations, and maintenance;

(2) Prepare plans to ensure proper operations and maintenance of structures and material handling equipment;

(3) Assess structures and material handling equipment for potential single point failure;

(4) Eliminate single point failures from structures and material handling equipment or subject the structures and material handling equipment to specific inspection and testing to ensure proper operation. Single point failure welds must undergo both surface and volumetric non-destructive inspection to verify that no rejectable discontinuities exist;

(5) Establish other non-destructive inspection techniques if a volumetric inspection cannot be performed. A launch operator, in such a case, must demonstrate through the licensing process that the inspection processes used accurately verify the absence of rejectable discontinuities; and

(6) Ensure qualified and certified personnel, as defined in § 417.105, conduct the inspections.

(c) Pressure vessels and pressurized systems. A launch operator must apply the following hazard controls to a pressurized flight or ground pressure vessel, component, or systems:

(1) Qualified and certified personnel, as defined in § 417.105, must test each pressure vessel, component, or system upon installation and before being placed into service, and periodically inspect to ensure that no rejectable discontinuities exists;

(2) Safety factors applied in the design of a pressure vessel, component, or system must account for static and dynamic loads, environmental stresses, and expected wear;

(3) Pressurized system flow-paths, except for pressure relief and emergency venting, must be single fault tolerant to causing pressure ruptures and material releases during launch processing; and

(4) Provide pressure relief and emergency venting capability to protect against pressure ruptures. Pressure relief devices must provide the flow rate necessary to prevent a rupture in the event a pressure vessel is exposed to fire.

(d) Electrical and mechanical systems. A launch operator must apply the following hazard controls to electrical or mechanical systems that can release electrical or mechanical energy during launch processing:

(1) A launch operator must ensure electrical and mechanical systems, including systems that generate ionizing or non-ionizing radiation, are single fault tolerant to providing or releasing electrical or mechanical energy;

(2) In areas where flammable material exists, a launch operator must ensure electrical systems and equipment are hermetically sealed, explosion proof, intrinsically safe, purged, or otherwise designed so as not to provide an ignition source. A launch operator must assess each electrical system as a possible source of thermal energy and ensure that the electrical system can not act as an ignition source; and

(3) A launch operator must prevent unintentionally conducted or radiated energy due to possible bent pins in a connector, a mismated connector, shorted wires, or unshielded wires within electrical power and signal circuits that interface with hazardous subsystems.

(e) Propulsion systems. A propulsion system must be dual fault tolerant to inadvertently becoming propulsive. Propulsion systems must be single fault tolerant to inadvertent mixing of fuel and oxidizer. Each material in a propulsion system must be compatible with other materials that may contact the propulsion system during launch processing including materials used to assemble and clean the system. A launch operator must use engineering controls, including procedures, to prevent connecting incompatible systems. A launch operator must comply with § 417.417 for hazard controls applicable to propellants and explosives.

(f) Ordnance systems. An ordnance system must be at least single fault tolerant to prevent a hazard caused by inadvertent actuation of the ordnance system. A launch operator must comply with § 417.417 for hazard controls applicable to ordnance. In addition, an ordnance system must satisfy the following requirements;

(1) A launch operator must ensure ordnance electrical connections are disconnected until final preparations for flight;

(2) An ordnance system must provide for safing and arming of the ordnance. An electrically initiated ordnance system must include ordnance initiation devices and arming devices, also referred to as safe and arm devices, that provide a removable and replaceable mechanical barrier or other positive means of interrupting power to each ordnance firing circuit to prevent inadvertent initiation of ordnance. A mechanical safe and arm device must have a safing pin that locks the mechanical barrier in a safe position. A mechanical actuated ordnance device must also have a safing pin that prevents mechanical movement within the device. A launch operator must comply with section D417.13 of this part for specific safing and arming requirements for a flight termination system;

(3) Protect ordnance systems from stray energy through grounding, bonding, and shielding; and

(4) Current limit any monitoring or test circuitry that interfaces with an ordnance system to protect against inadvertent initiation of ordnance. Equipment used to measure bridgewire resistance on electro-explosive devices must be special purpose ordnance system instrumentation with features that limit current.

§ 417.411 Safety clear zones for hazardous operations.

(a) A launch operator must define a safety clear zone that confines the adverse effects of each operation involving a public hazard or launch location hazard. A launch operator's safety clear zones must satisfy the following:

(1) A launch operator must establish a safety clear zone that accounts for the potential blast, fragment, fire or heat, toxic and other hazardous energy or material potential of the associated systems and operations. A launch operator must base a safety clear zone on the following criteria:

(i) For a possible explosive event, base a safety clear zone on the worst case event, regardless of the fault tolerance of the system;

(ii) For a possible toxic event, base a safety clear zone on the worst case event. A launch operator must have procedures in place to maintain public safety in the event toxic releases reach beyond the safety clear zone; and

(iii) For a material handling operation, base a safety clear zone on a worst case event for that operation.

(2) A launch operator must establish a safety clear zone when the launch vehicle is in a launch command configuration with the flight safety systems fully operational and on internal power.

(b) A launch operator must establish restrictions that prohibit public access to a safety clear zone during a hazardous operation. A safety clear zone may extend to areas beyond the launch location boundaries if local agreements provide for restricting public access to such areas and a launch operator verifies that the safety clear zone is clear of the public during the hazardous operation.

(c) A launch operator's procedures must verify that the public is outside of a safety clear zone prior to a launch operator beginning a hazardous operation.

(d) A launch operator must control a safety clear zone to ensure no public access during the hazardous operation. Safety clear zone controls include:

(1) Use of security guards and equipment;

(2) Physical barriers; and

(3) Warning signs, and other types of warning devices.

§ 417.413 Hazard areas.

(a) General. A launch operator must define a hazard area that confines the adverse effects of a hardware system should an event occur that presents a public hazard or launch location hazard. A launch operator must prohibit public access to the hazard area whenever a hazard is present unless the requirements for public access of paragraph (b) of this section are met.

(b) Public access. A launch operator must establish a process for authorizing public access if visitors or members of the public must have access to a launch operator's facility or launch location. The process must ensure that each member of the public is briefed on the hazards within the facility and related safety warnings, procedures, and rules that provide protection, or a launch operator must ensure that each member of the public is accompanied by a knowledgeable escort.

(c) Hazard controls during public access. A launch operator must establish procedural controls that prevent hazardous operations from taking place while members of the public have access to the launch location and must verify that system hazard controls are in place that prevent initiation of a hazardous event. Hazard controls and procedures that prevent initiation of a hazardous event include the following:

(1) Use of lockout devices or other restraints on system actuation switches or other controls to eliminate the possibility of inadvertent actuation of a hazardous system.

(2) Disconnect ordnance systems from power sources, incorporate the use of safing plugs, or have safety devices in place that prevent inadvertent initiation. Activity involving the control circuitry of electrically activated safety devices must not be ongoing while the public has access to the hazard area. Install safing pins on safe and arm devices and mechanically actuated devices. Disconnect explosive transfer lines, not protected by a safe and arm device or a mechanically actuated device or equivalent.

(3) When systems or tanks are loaded with hypergols or other toxic materials, close the system or tank and verify it is leak-tight with two verifiable closures, such as a valve and a cap, to every external flow path or fitting. Such a system must also be in a steady-state condition.

(4) Keep each pressurized system below its maximum allowable working pressure and do not allow it to be in a dynamic state. Activity involving the control circuitry of electrically activated pressure system valves must not be ongoing while the public has access to the associated hazard area. Launch vehicle systems must not be pressurized to more than 25% of the system's design burst pressure, when the public has access to the associated hazard area.

(5) Do not allow sources of ionizing or non-ionizing radiation, such as, x-rays, nuclear power sources, high-energy radio transmitters, radar, and lasers to be present or verify they are to be inactive when the public has access to the associated hazard area.

(6) Guard physical hazards to prevent potential physical injury to visiting members of the public. Physical hazards include the following:

(i) Potential falling objects;

(ii) Falls from an elevated height; and

(iii) Protection from potentially hazardous vents, such as pressure relief discharge vents.

(7) Maintain and verify that safety devices or safety critical systems are operating properly prior to permitting public access.

§ 417.415 Post-launch and post-flight-attempt hazard controls.

(a) A launch operator must establish, maintain and perform procedures for controlling hazards and returning the launch facility to a safe condition after a successful launch. Procedural hazard controls must include:

(1) Provisions for extinguishing fires;

(2) Re-establishing full operational capability of safety devices, barriers, and platforms; and

(3) Access control.

(b) A launch operator must establish procedures for controlling hazards associated with a failed flight attempt where a solid or liquid launch vehicle engine start command was sent, but the launch vehicle did not liftoff. These procedures must include the following:

(1) Maintaining and verifying that each flight termination system remains operational until verification that the launch vehicle does not represent a risk of inadvertent liftoff. If an ignition signal has been sent to a solid rocket motor, the flight termination system must remain armed and active for a period of no less than 30 minutes. During this time, flight termination system batteries must maintain sufficient voltage and current capacity for flight termination system operation. The flight termination system receivers must remain captured by the command control system transmitter's carrier signal;

(2) Assuring that the vehicle is in a safe configuration, including its propulsion and ordnance systems. The flight safety system crew must have access to the vehicle status. Re-establish safety devices and bring each pressurized system down to safe pressure levels; and

(3) Prohibiting launch complex entry until the launch pad area safing procedures are complete.

(c) A launch operator must establish procedural controls for hazards associated with an unsuccessful flight where the launch vehicle has a land or water impact. These procedures must include the following provisions:

(1) Evacuation and rescue of members of the public, to include modeling the dispersion and movement of toxic plumes, identification of areas at risk, and communication with local government authorities;

(2) Extinguishing fires;

(3) Securing impact areas to ensure that personnel and the public are evacuated, and ensure that no unauthorized personnel or members of the public enter, and to preserve evidence; and

(4) Ensuring public safety from hazardous debris, such as plans for recovery and salvage of launch vehicle debris and safe disposal of hazardous materials.

§ 417.417 Propellants and explosives.

(a) A launch operator must comply with the explosive safety criteria in part 420 of this chapter.

(b) A launch operator must ensure that:

(1) The explosive site plan satisfies part 420 of this chapter;

(2) Only those explosive facilities and launch points addressed in the explosive site plan are used and only for their intended purpose; and

(3) The total net explosive weight for each explosive hazard facility and launch point must not exceed the maximum net explosive weight limit indicated on the explosive site plan for each location.

(c) A launch operator must establish, maintain, and perform procedures that ensure public safety for the receipt, storage, handling, inspection, test, and disposal of explosives.

(d) A launch operator must establish and maintain each procedural system control to prevent inadvertent initiation of propellants and explosives. These controls must include the following:

(1) Protect ordnance systems from stray energy through methods of bonding, grounding, and shielding, and controlling radio frequency radiation sources in a radio frequency radiation exclusion area. A launch operator must determine the vulnerability of its electro-explosive devices and systems to radio frequency radiation and establish radio frequency radiation power limits or radio frequency radiation exclusion areas as required by the launch site operator or to ensure safety.

(2) Keep ordnance safety devices, as required by § 417.409, in place until the launch complex is cleared as part of the final launch countdown. No members of the public may re-enter the complex until each safety device is re-established.

(3) Do not allow heat and spark or flame producing devices in an explosive or propellant facility without written approval and oversight from a launch operator's safety organization.

(4) Do not allow static producing materials in close proximity to solid or liquid propellants, electro-explosive devices, or systems containing flammable liquids.

(5) Use fire safety measures including:

(i) Elimination or reduction of flammable and combustible materials;

(ii) Elimination or reduction of ignition sources;

(iii) Fire and smoke detection systems;

(iv) Safe means of egress; and

(v) Timely fire suppression response.

(6) Include lightning protection on each facility used to store or process explosives to prevent inadvertent initiation of propellants and explosives due to lightning unless the facility complies with the lightning protection criteria of § 420.71 of this part.

(e) A launch operator, in the event of an emergency, must perform the accident investigation plan as defined in § 417.111(h).

Appendix A of Part 417—Flight Safety Analysis Methodologies and Products for a Launch Vehicle Flown with a Flight Safety System

A417.1 Scope.

The requirements of this appendix apply to the methods for performing the flight safety analysis required by § 417.107(f) and subpart C of this part. The methodologies contained in this appendix provide an acceptable means of satisfying the requirements of subpart C and provide a standard and a measure of fidelity against which the FAA will measure any proposed alternative analysis approach. This appendix also identifies the analysis products that a launch operator must file with the FAA as required by § 417.203(e).

A417.3 Applicability.

The requirements of this appendix apply to a launch operator and the launch operator's flight safety analysis unless the launch operator clearly and convincingly demonstrates that an alternative approach provides an equivalent level of safety. If a Federal launch range performs the launch operator's analysis, § 417.203(d) applies. Section A417.33 applies to the flight of any unguided suborbital launch vehicle that uses a wind-weighting safety system. All other sections of this appendix apply to the flight of any launch vehicle required to use a flight safety system as required by § 417.107(a). For any alternative flight safety system approved by the FAA as required by § 417.301(b), the FAA will determine the applicability of this appendix during the licensing process.

A417.5 General.

A launch operator's flight safety analysis must satisfy the requirements for public risk management and the requirements for the compatibility of the input and output of dependent analyses of § 417.205.

A417.7 Trajectory.

(a) General. A flight safety analysis must include a trajectory analysis that satisfies the requirements of § 417.207. This section applies to the computation of each of the trajectories required by § 417.207 and to each trajectory analysis product that a launch operator must file with the FAA as required by § 417.203(e).

(b) Wind standards. A trajectory analysis must incorporate wind data in accordance with the following:

(1) For each launch, a trajectory analysis must produce “with-wind” launch vehicle trajectories pursuant to paragraph (f)(6) of this section and do so using composite wind profiles for the month that the launch will take place or composite wind profiles that are as severe or more severe than the winds for the month that the launch will take place.

(2) A composite wind profile used for the trajectory analysis must have a cumulative percentile frequency that represents wind conditions that are at least as severe as the worst wind conditions under which flight would be attempted for purposes of achieving the launch operator's mission. These worst wind conditions must account for the launch vehicle's ability to operate normally in the presence of wind and accommodate any flight safety limit constraints.

(c) Nominal trajectory. A trajectory analysis must produce a nominal trajectory that describes a launch vehicle's flight path, position and velocity, where all vehicle aerodynamic parameters are as expected, all vehicle internal and external systems perform exactly as planned, and no external perturbing influences other than atmospheric drag and gravity affect the launch vehicle.

(d) Dispersed trajectories. A trajectory analysis must produce the following dispersed trajectories and describe the distribution of a launch vehicle's position and velocity as a function of winds and performance error parameters in the uprange, downrange, left-crossrange and right-crossrange directions.

(1) Three-sigma maximum and minimum performance trajectories. A trajectory analysis must produce a three-sigma maximum performance trajectory that provides the maximum downrange distance of the instantaneous impact point for any given time after lift-off. A trajectory analysis must produce a three-sigma minimum performance trajectory that provides the minimum downrange distance of the instantaneous impact point for any given time after lift-off. For any time after lift-off, the instantaneous impact point dispersion of a normally performing launch vehicle must lie between the extremes achieved at that time after lift-off by the three-sigma maximum and three-sigma minimum performance trajectories. The three-sigma maximum and minimum performance trajectories must account for wind and performance error parameter distributions as follows:

(i) For each three-sigma maximum and minimum performance trajectory, the analysis must use composite head wind and composite tail wind profiles that represent the worst wind conditions under which a launch would be attempted as required by paragraph (b) of this section.

(ii) Each three-sigma maximum and minimum performance trajectory must account for all launch vehicle performance error parameters identified as required by paragraph (f)(1) of this section that have an effect upon instantaneous impact point range.

(2) Three-sigma left and right lateral trajectories. A trajectory analysis must produce a three-sigma left lateral trajectory that provides the maximum left crossrange distance of the instantaneous impact point for any time after lift-off. A trajectory analysis must produce a three-sigma right lateral trajectory that provides the maximum right crossrange distance of the instantaneous impact point for any time after lift-off. For any time after lift-off, the instantaneous impact point dispersion of a normally performing launch vehicle must lie between the extremes achieved at that time after liftoff by the three-sigma left lateral and three-sigma right lateral performance trajectories. The three-sigma lateral performance trajectories must account for wind and performance error parameter distributions as follows:

(i) In producing each left and right lateral trajectory, the analysis must use composite left and composite right lateral-wind profiles that represent the worst wind conditions under which a launch would be attempted as required by paragraph (b) of this section.

(ii) The three-sigma left and right lateral trajectories must account for all launch vehicle performance error parameters identified as required by paragraph (f)(1) of this section that have an effect on the lateral deviation of the instantaneous impact point.

(3) Fuel-exhaustion trajectory. A trajectory analysis must produce a fuel-exhaustion trajectory for the launch of any launch vehicle with a final suborbital stage that will terminate thrust nominally without burning to fuel exhaustion. The analysis must produce the trajectory that would occur if the planned thrust termination of the final suborbital stage did not occur. The analysis must produce a fuel-exhaustion trajectory that extends either the nominal trajectory taken through fuel exhaustion of the last suborbital stage or the three-sigma maximum trajectory taken through fuel exhaustion of the last suborbital stage, whichever produces an instantaneous impact point with the greatest range for any time after liftoff.

(e) Straight-up trajectory. A trajectory analysis must produce a straight-up trajectory that begins at the planned time of ignition, and that simulates a malfunction that causes the launch vehicle to fly in a vertical or near vertical direction above the launch point. A straight-up trajectory must last no less than the sum of the straight-up time determined as required by section A417.15 plus the duration of a potential malfunction turn determined as required by section A417.9(b)(2).

(f) Analysis process and computations. A trajectory analysis must produce each three-sigma trajectory required by this appendix using a six-degree-of-freedom trajectory model and an analysis method, such as root sum-square or Monte Carlo, that accounts for all individual launch vehicle performance error parameters that contribute to the dispersion of the launch vehicle's instantaneous impact point.

(1) A trajectory analysis must identify all launch vehicle performance error parameters and each parameter's distribution to account for all launch vehicle performance variations and any external forces that can cause offsets from the nominal trajectory during normal flight. A trajectory analysis must account for, but need not be limited to, the following performance error parameters:

(i) Thrust;

(ii) Thrust misalignment;

(iii) Specific impulse;

(iv) Weight;

(v) Variation in firing times of the stages;

(vi) Fuel flow rates;

(vii) Contributions from the guidance, navigation, and control systems;

(ix) Steering misalignment; and

(x) Winds.

(2) Each three-sigma trajectory must account for the effects of wind from liftoff through the point in flight where the launch vehicle attains an altitude where wind no longer affects the launch vehicle.

(g) Trajectory analysis products. The products of a trajectory analysis that a launch operator must file with the FAA include the following:

(1) Assumptions and procedures. A description of all assumptions, procedures and models, including the six-degrees-of-freedom model, used in deriving each trajectory.

(2) Three-sigma launch vehicle performance error parameters. A description of each three-sigma performance error parameter accounted for by the trajectory analysis and a description of each parameter's distribution determined as required by paragraph (f)(1) of this section.

(3) Wind profile. A graph and tabular listing of each wind profile used in performing the trajectory analysis as required by paragraph (b)(1) of this section and the worst case winds required by paragraph (b)(2) of this section. The graph and tabular wind data must provide wind magnitude and direction as a function of altitude for the air space regions from the Earth's surface to 100,000 feet in altitude for the area intersected by the launch vehicle trajectory. Altitude intervals must not exceed 5000 feet.

(4) Launch azimuth. The azimuthal direction of the trajectory's “X-axis” at liftoff measured clockwise in degrees from true north.

(5) Launch point. Identification and location of the proposed launch point, including its name, geodetic latitude, geodetic longitude, and geodetic height.

(6) Reference ellipsoid. The name of the reference ellipsoid used by the trajectory analysis to approximate the average curvature of the Earth and the following information about the model:

(i) Length of semi-major axis;

(ii) Length of semi-minor axis;

(iii) Flattening parameter;

(iv) Eccentricity;

(v) Gravitational parameter;

(vi) Angular velocity of the Earth at the equator; and

(vii) If the reference ellipsoid is not a WGS-84 ellipsoidal Earth model, the equations that convert the filed ellipsoid information to the WGS-84 ellipsoid.

(7) Temporal trajectory items. A launch operator must provide the following temporal trajectory data for time intervals not in excess of one second and for the discrete time points that correspond to each jettison, ignition, burnout, and thrust termination of each stage. If any stage burn time lasts less than four seconds, the time intervals must not exceed 0.2 seconds. The launch operator must provide the temporal trajectory data from launch up to a point in flight when effective thrust of the final stage terminates, or to thrust termination of the stage or burn that places the vehicle in orbit. For an unguided sub-orbital launch vehicle flown with a flight safety system, the launch operator must provide these data for each nominal quadrant launcher elevation angle and payload weight. The launch operator must provide these data on paper in text format and electronically in ASCII text, space delimited format. The launch operator must provide an electronic “read-me” file that identifies the data and their units of measure in the individual disk files.

(i) Trajectory time-after-liftoff. A launch operator must provide trajectory time-after liftoff measured from first motion of the first thrusting stage of the launch vehicle. The tabulated data must identify the first motion time as T-0 and as the “0.0” time point on the trajectory.

(ii) Launch vehicle direction cosines. A launch operator must provide the direction cosines of the roll axis, pitch axis, and yaw axis of the launch vehicle. The roll axis is a line identical to the launch vehicle's longitudinal axis with its origin at the nominal center of gravity positive towards the vehicle nose. The roll plane is normal to the roll axis at the vehicle's nominal center of gravity. The yaw axis and the pitch axis are any two orthogonal axes lying in the roll plane. The launch operator must provide roll, pitch and yaw axes of right-handed systems so that, when looking along the roll axis toward the nose, a clockwise rotation around the roll axis will send the pitch axis toward the yaw axis. The right-handed system must be oriented so that the yaw axis is positive in the downrange direction while in the vertical position (roll axis upward from surface) or positive at an angle of 180 degrees to the downrange direction. The axis may be related to the vehicle's normal orientation with respect to the vehicle's trajectory but, once defined, remain fixed with respect to the vehicle's body. The launch operator must indicate the positive direction of the yaw axis chosen. The analysis products must present the direction cosines using the EFG reference system described in paragraph (g)(7)(iv) of this section.

(iii) X, Y, Z, XD, YD, ZD trajectory coordinates. A launch operator must provide the launch vehicle position coordinates (X, Y, Z) and velocity magnitudes (XD, YD, ZD) referenced to an orthogonal, Earth-fixed, right-handed coordinate system. The XY plane must be tangent to the ellipsoidal Earth at the origin, which must coincide with the launch point. The positive X-axis must coincide with the launch azimuth. The positive Z-axis must be directed away from the ellipsoidal Earth. The Y-axis must be positive to the left looking downrange.

(iv) E, F, G, ED, FD, GD trajectory coordinates. A launch operator must provide the launch vehicle position coordinates (E, F, G) and velocity magnitudes (ED, FD, GD) referenced to an orthogonal, Earth fixed, Earth centered, right-handed coordinate system. The origin of the EFG system must be at the center of the reference ellipsoid. The E and F axes must lie in the plane of the equator and the G-axis coincides with the rotational axis of the Earth. The E-axis must be positive through 0° East longitude (Greenwich Meridian), the F-axis positive through 90° East longitude, and the G-axis positive through the North Pole. This system must be non-inertial and rotate with the Earth.

(v) Resultant Earth-fixed velocity. A launch operator must provide the square root of the sum of the squares of the XD, YD, and ZD components of the trajectory state vector.

(vi) Path angle of velocity vector. A launch operator must provide the angle between the local horizontal plane and the velocity vector measured positive upward from the local horizontal. The local horizontal must be a plane tangent to the ellipsoidal Earth at the sub-vehicle point.

(vii) Sub-vehicle point. A launch operator must provide sub-vehicle point coordinates that include present position geodetic latitude and present position longitude. These coordinates must be at each trajectory time on the surface of the ellipsoidal Earth model and located at the intersection of the line normal to the ellipsoid and passing through the launch vehicle center of gravity.

(viii) Altitude. A launch operator must provide the distance from the sub-vehicle point to the launch vehicle's center of gravity.

(ix) Present position arc-range. A launch operator must provide the distance measured along the surface of the reference ellipsoid, from the launch point to the sub-vehicle point.

(x) Total weight. A launch operator must provide the sum of the inert and propellant weights for each time point on the trajectory.

(xi) Total vacuum thrust. A launch operator must provide the total vacuum thrust for each time point on the trajectory.

(xii) Instantaneous impact point data. A launch operator must provide instantaneous impact point geodetic latitude, instantaneous impact point longitude, instantaneous impact point arc-range, and time to instantaneous impact. The instantaneous impact point arc-range must consist of the distance, measured along the surface of the reference ellipsoid, from the launch point to the instantaneous impact point. For each point on the trajectory, the time to instantaneous impact must consist of the vacuum flight time remaining until impact if all thrust were terminated at the time point on the trajectory.

(xiii) Normal trajectory distribution. A launch operator must provide a description of the distribution of the dispersed trajectories required under paragraph (d) of this section, such as the elements of covariance matrices for the launch vehicle position coordinates and velocity component magnitudes.

A417.9 Malfunction turn.

(a) General. A flight safety analysis must include a malfunction turn analysis that satisfies the requirements of § 417.209. This section applies to the computation of the malfunction turns and the production of turn data required by § 417.209 and to the malfunction turn analysis products that a launch operator must file with the FAA as required by § 417.203(e).

(b) Malfunction turn analysis constraints. The following constraints apply to a malfunction turn analysis:

(1) The analysis must produce malfunction turns that start at a given malfunction start time. The turn must last no less than 12 seconds. These duration limits apply regardless of whether or not the vehicle would breakup or tumble before the prescribed duration of the turn.

(2) A malfunction turn analysis must account for the thrusting periods of flight along a nominal trajectory beginning at first motion until thrust termination of the final thrusting stage or until the launch vehicle achieves orbit, whichever occurs first.

(3) A malfunction turn must consist of a 90-degree turn or a turn in both the pitch and yaw planes that would produce the largest deviation from the nominal instantaneous impact point of which the launch vehicle is capable at any time during the malfunction turn as required by paragraph (d) of this section.

(4) The first malfunction turn must start at liftoff. The analysis must account for subsequent malfunction turns initiated at regular nominal trajectory time intervals not to exceed four seconds.

(5) A malfunction turn analysis must produce malfunction turn data for time intervals of no less than one second over the duration of each malfunction turn.

(6) The analysis must assume that the launch vehicle performance is nominal up to the point of the malfunction that produces the turn.

(7) A malfunction turn analysis must not account for the effects of gravity.

(8) A malfunction turn analysis must ensure the tumble turn envelope curve maintains a positive slope throughout the malfunction turn duration as illustrated in figure A417.9-1. When calculating a tumble turn for an aerodynamically unstable launch vehicle, in the high aerodynamic region it often turns out that no matter how small the initial deflection of the rocket engine, the airframe tumbles through 180 degrees, or one-half cycle, in less time than the required turn duration period. In such a case, the analysis must use a 90-degree turn as the malfunction turn.

(c) Failure modes. A malfunction turn analysis must account for the significant failure modes that result in a thrust vector offset from the nominal state. If a malfunction turn at a malfunction start time can occur as a function of more than one failure mode, the analysis must account for the failure mode that causes the most rapid and largest launch vehicle instantaneous impact point deviation.

(d) Type of malfunction turn. A malfunction turn analysis must establish the maximum turning capability of a launch vehicle's velocity vector during each malfunction turn by accounting for a 90-degree turn to estimate the vehicle's turning capability or by accounting for trim turns and tumble turns in both the pitch and yaw planes to establish the vehicle's turning capability. When establishing the turning capability of a launch vehicle's velocity vector, the analysis must account for each turn as follows:

(1) 90-degree turn. A 90-degree turn must constitute a turn produced at the malfunction start time by instantaneously re-directing and maintaining the vehicle's thrust at 90 degrees to the velocity vector, without regard for how this situation can be brought about.

(2) Pitch turn. A pitch turn must constitute the angle turned by the launch vehicle's total velocity vector in the pitch-plane. The velocity vector's pitch-plane must be the two dimensional surface that includes the launch vehicle's yaw-axis and the launch vehicle's roll-axis.

(3) Yaw turn. A yaw turn must constitute the angle turned by the launch vehicle's total velocity vector in the lateral plane. The velocity vector's lateral plane must be the two dimensional surface that includes the launch vehicle's pitch axis and the launch vehicle's total velocity.

(4) Trim turn. A trim turn must constitute a turn where a launch vehicle's thrust moment balances the aerodynamic moment while a constant rotation rate is imparted to the launch vehicle's longitudinal axis. The analysis must account for a maximum-rate trim turn made at or near the greatest angle of attack that can be maintained while the aerodynamic moment is balanced by the thrust moment, whether the vehicle is stable or unstable.

(5) Tumble turn. A tumble turn must constitute a turn that results if the launch vehicle's airframe rotates in an uncontrolled fashion, at an angular rate that is brought about by a thrust vector offset angle, and if the offset angle is held constant throughout the turn. The analysis must account for a series of tumble turns, each turn with a different thrust vector offset angle, that are plotted on the same graph for each malfunction start time.

(6) Turn envelope. A turn envelope must constitute a curve on a tumble turn graph that has tangent points to each individual tumble turn curve computed for each malfunction start time. The curve must envelop the actual tumble turn curves to predict tumble turn angles for each area between the calculated turn curves. Figure A417.9-1 depicts a series of tumble turn curves and the tumble turn envelope curve.

(7) Malfunction turn capabilities. When not using a 90-degree turn, a malfunction turn analysis must establish the launch vehicle maximum turning capability as required by the following malfunction turn constraints:

(i) Launch vehicle stable at all angles of attack. If a launch vehicle is so stable that the maximum thrust moment that the vehicle could experience cannot produce tumbling, but produces a maximum-rate trim turn at some angle of attack less than 90 degrees, the analysis must produce a series of trim turns, including the maximum-rate trim turn, by varying the initial thrust vector offset at the beginning of the turn. If the maximum thrust moment results in a maximum-rate trim turn at some angle of attack greater than 90 degrees, the analysis must produce a series of trim turns for angles of attack up to and including 90 degrees.

(ii) Launch vehicle aerodynamically unstable at all angles of attack. If flying a trim turn is not possible even for a period of only a few seconds, the malfunction turn analysis need only establish tumble turns. Otherwise, the malfunction turn analysis must establish a series of trim turns, including the maximum-rate trim turn, and the family of tumble turns.

(iii) Launch vehicle unstable at low angles of attack but stable at some higher angles of attack. If large engine deflections result in tumbling, and small engine deflections do not, the analysis must produce a series of trim and tumble turns as required by paragraph (d)(7)(ii) of this section for launch vehicles aerodynamically unstable at all angles of attack. If both large and small constant engine deflections result in tumbling, regardless of how small the deflection might be, the analysis must account for the malfunction turn capabilities achieved at the stability angle of attack, assuming no upsetting thrust moment, and must account for the turns achieved by a tumbling vehicle.

(e) Malfunction turn analysis products. The products of a malfunction turn analysis that a launch operator must file with the FAA include:

(1) A description of the assumptions, techniques, and equations used in deriving the malfunction turns.

(2) A set of sample calculations for at least one flight hazard area malfunction start time and one downrange malfunction start time. The sample computation for the downrange malfunction must start at a time at least 50 seconds after the flight hazard area malfunction start time or at the time of nominal thrust termination of the final stage minus the malfunction turn duration.

(3) A launch operator must file malfunction turn data in electronic tabular and graphic formats. The graphs must use scale factors such that the plotting and reading accuracy do not degrade the accuracy of the data. For each malfunction turn start time, a graph must use the same time scales for the malfunction velocity vector turn angle and malfunction velocity magnitude plot pairs. A launch operator must provide tabular listings of the data used to generate the graphs in digital ASCII file format. A launch operator must file the data items required in this paragraph for each malfunction start time and for time intervals that do not exceed one second for the duration of each malfunction turn.

(i) Velocity turn angle graphs. A launch operator must file a velocity turn angle graph for each malfunction start time. For each velocity turn angle graph, the ordinate axis must represent the total angle turned by the velocity vector, and the abscissa axis must represent the time duration of the turn and must show increments not to exceed one second. The series of tumble turns must include the envelope of all tumble turn curves. The tumble turn envelope must represent the tumble turn capability for all possible constant thrust vector offset angles. Each tumble turn curve selected to define the envelope must appear on the same graph as the envelope. A launch operator must file a series of trim turn curves for representative values of thrust vector offset. The series of trim turn curves must include the maximum rate trim turn. Figure A417.9-1 depicts an example family of tumble turn curves and the tumble turn velocity vector envelope.

(ii) Velocity magnitude graphs. A launch operator must file a velocity magnitude graph for each malfunction start time. For each malfunction velocity magnitude graph, the ordinate axis must represent the magnitude of the velocity vector and the abscissa axis must represent the time duration of the turn. Each graph must show the abscissa divided into increments not to exceed one second. Each graph must show the total velocity magnitude plotted as a function of time starting with the malfunction start time for each thrust vector offset used to define the corresponding velocity turn-angle curve. A launch operator must provide a corresponding velocity magnitude curve for each velocity tumble turn angle curve and each velocity trim-turn angle curve. For each individual tumble turn curve selected to define the tumble turn envelope, the corresponding velocity magnitude graph must show the individual tumble turn curve's point of tangency to the envelope. The point of tangency must consist of the point where the tumble turn envelope is tangent to an individual tumble turn curve produced with a discrete thrust vector offset angle. A launch operator must transpose the points of tangency to the velocity magnitude curves by plotting a point on the velocity magnitude curve at the same time point where tangency occurs on the corresponding velocity tumble-turn angle curve. Figure A417.9-2 depicts an example tumble turn velocity magnitude curve.

(iii) Vehicle orientation. The launch operator must file tabular or graphical data for the vehicle orientation in the form of roll, pitch, and yaw angular orientation of the vehicle longitudinal axis as a function of time into the turn for each turn initiation time. Angular orientation of a launch vehicle's longitudinal axis is illustrated in figures A417.9-3 and A417.9-4.

(iv) Onset conditions. A launch operator must provide launch vehicle state information for each malfunction start time. This state data must include the launch vehicle thrust, weight, velocity magnitude and pad-centered topocentric X, Y, Z, XD, YD, ZD state vector.

(v) Breakup information. A launch operator must specify whether its launch vehicle will remain intact throughout each malfunction turn. If the launch vehicle will break up during a turn, the launch operator must identify the time for launch vehicle breakup on each velocity magnitude graph. The launch operator must show the time into the turn at which vehicle breakup would occur as either a specific value or a probability distribution for time until breakup.

(vi) Inflection point. A launch operator must identify the inflection point on each tumble turn envelope curve and maximum rate trim turn curve for each malfunction start time as illustrated in figure A417.9-1. The inflection point marks the point in time during the turn where the slope of the curve stops increasing and begins to decrease or, in other words, the point where the concavity of the curve changes from concave up to concave down. The inflection point on a malfunction turn curve must identify the time in the malfunction turn that the launch vehicle body achieves a 90-degree rotation from the nominal position. On a tumble turn curve the inflection point must represent the start of the launch vehicle tumble.

A417.11 Debris.

(a) General. A flight safety analysis must include a debris analysis that satisfies the requirements of § 417.211. This section applies to the debris data required by § 417.211 and the debris analysis products that a launch operator must file with the FAA as required by § 417.203(e).

(b) Debris analysis constraints. A debris analysis must produce the debris model described in paragraph (c) of this section. The analysis must account for all launch vehicle debris fragments, individually or in groupings of fragments called classes. The characteristics of each debris fragment represented by a class must be similar enough to the characteristics of all the other debris fragments represented by that class that all the debris fragments of the class can be described by a single set of characteristics. Paragraph (c)(10) of this section applies when establishing a debris class. A debris model must describe the physical, aerodynamic, and harmful characteristics of each debris fragment either individually or as a member of a class. A debris model must consist of lists of individual debris or debris classes for each cause of breakup and any planned jettison of debris, launch vehicle components, or payload. A debris analysis must account for:

(1) Launch vehicle breakup caused by the activation of any flight termination system. The analysis must account for:

(i) The effects of debris produced when flight termination system activation destroys an intact malfunctioning vehicle.

(ii) Spontaneous breakup of the launch vehicle, if the breakup is assisted by the action of any inadvertent separation destruct system.

(iii) The effects of debris produced by the activation of any flight termination system after inadvertent breakup of the launch vehicle.

(2) Debris due to any malfunction where forces on the launch vehicle may exceed the launch vehicle's structural integrity limits.

(3) The immediate post-breakup or jettison environment of the launch vehicle debris, and any change in debris characteristics over time from launch vehicle breakup or jettison until debris impact.

(4) The impact overpressure, fragmentation, and secondary debris effects of any confined or unconfined solid propellant chunks and fueled components containing either liquid or solid propellants that could survive to impact, as a function of vehicle malfunction time.

(5) The effects of impact of the intact vehicle as a function of failure time. The intact impact debris analysis must identify the trinitrotoluene (TNT) yield of impact explosions, and the numbers of fragments projected from all such explosions, including non-launch vehicle ejecta and the blast overpressure radius. The analysis must use a model for TNT yield of impact explosion that accounts for the propellant weight at impact, the impact speed, the orientation of the propellant, and the impacted surface material.

(c) Debris model. A debris analysis must produce a model of the debris resulting from planned jettison and from unplanned breakup of a launch vehicle for use as input to other analyses, such as establishing flight safety limits and hazard areas and performing debris risk, toxic, and blast analyses. A launch operator's debris model must satisfy the following:

(1) Debris fragments. A debris model must provide the debris fragment data required by this section for the launch vehicle flight from the planned ignition time until the launch vehicle achieves orbital velocity for an orbital launch. For a sub-orbital launch, the debris model must provide the debris fragment data required by this section for the launch vehicle flight from the planned ignition time until impact of the last thrusting stage. A debris model must provide debris fragment data for the number of time periods sufficient to meet the requirements for smooth and continuous contours used to define hazard areas as required by section A417.23.

(2) Inert fragments. A debris model must identify all inert fragments that are not volatile and that do not burn or explode under normal and malfunction conditions. A debris model must identify all inert fragments for each breakup time during flight corresponding to a critical event when the fragment catalog is significantly changed by the event. Critical events include staging, payload fairing jettison, and other normal hardware jettison activities.

(3) Explosive and non-explosive propellant fragments. A debris model must identify all propellant fragments that are explosive or non-explosive upon impact. The debris model must describe each propellant fragment as a function of time, from the time of breakup through ballistic free-fall to impact. The debris model must describe the characteristics of each fragment, including its origin on the launch vehicle, representative dimensions and weight at the time of breakup and at the time of impact. For any fragment identified as an un-contained or contained propellant fragment, whether explosive or non-explosive, the debris model must identify whether or not it burns during free fall, and provide the consumption rate during free fall. The debris model must identify:

(i) Solid propellant that is exposed directly to the atmosphere and that burns but does not explode upon impact as “un-contained non-explosive solid propellant.”

(ii) Solid or liquid propellant that is enclosed in a container, such as a motor case or pressure vessel, and that burns but does not explode upon impact as “contained non-explosive propellant.”

(iii) Solid or liquid propellant that is enclosed in a container, such as a motor case or pressure vessel, and that explodes upon impact as “contained explosive propellant fragment.”

(iv) Solid propellant that is exposed directly to the atmosphere and that explodes upon impact as “un-contained explosive solid propellant fragment.”

(4) Other non-inert debris fragments. In addition to the explosive and flammable fragments required by paragraph (c)(3) of this section, a debris model must identify any other non-inert debris fragments, such as toxic or radioactive fragments, that present any other hazards to the public.

(5) Fragment weight. At each modeled breakup time, the individual fragment weights must approximately add up to the sum total weight of inert material in the vehicle and the weight of contained liquid propellants and solid propellants that are not consumed in the initial breakup or conflagration.

(6) Fragment imparted velocity. A debris model must identify the maximum velocity imparted to each fragment due to potential explosion or pressure rupture. When accounting for imparted velocity, a debris model must:

(i) Use a Maxwellian distribution with the specified maximum value equal to the 97th percentile; or

(ii) Identify the distribution, and must state whether or not the specified maximum value is a fixed value with no uncertainty.

(7) Fragment projected area. A debris model must include each of the axial, transverse, and mean tumbling areas of each fragment. If the fragment may stabilize under normal or malfunction conditions, the debris model must also provide the projected area normal to the drag force.

(8) Fragment ballistic coefficient. A debris model must include the axial, transverse, and tumble orientation ballistic coefficient for each fragment's projected area as required by paragraph (c)(7) of this section.

(9) Debris fragment count. A debris model must include the total number of each type of fragment required by paragraphs (c)(2), (c)(3), and (c)(4) of this section and created by a malfunction.

(10) Fragment classes. A debris model must categorize each malfunction debris fragment into classes where the characteristics of the mean fragment in each class conservatively represent every fragment in the class. The model must define fragment classes for fragments whose characteristics are similar enough to be described and treated by a single average set of characteristics. A debris class must categorize debris by each of the following characteristics, and may include any other useful characteristics:

(i) The type of fragment, defined by paragraphs (c)(2), (c)(3), and (c)(4) of this section. All fragments within a class must be the same type, such as inert or explosive.

(ii) Debris subsonic ballistic coefficient (βsub). The difference between the smallest log10(βsub) value and the largest log10(βsub) value in a class must not exceed 0.5, except for fragments with βsub less than or equal to three. Fragments with βsub less than or equal to three may be grouped within a class.

(iii) Breakup-imparted velocity (ΔV). A debris model must categorize fragments as a function of the range of ΔV for the fragments within a class and the class's median subsonic ballistic coefficient. For each class, the debris model must keep the ratio of the maximum breakup-imparted velocity (ΔVmax) to minimum breakup-imparted velocity (ΔVmin) within the following bound:

Where: β′sub is the median subsonic ballistic coefficient for the fragments in a class.

(d) Debris analysis products. The products of a debris analysis that a launch operator must file with the FAA include:

(1) Debris model. The launch operator's debris model that satisfies the requirements of this section.

(2) Fragment description. A description of the fragments contained in the launch operator's debris model. The description must identify the fragment as a launch vehicle part or component, describe its shape, representative dimensions, and may include drawings of the fragment.

(3) Intact impact TNT yield. For an intact impact of a launch vehicle, for each failure time, a launch operator must identify the TNT yield of each impact explosion and blast overpressure hazard radius.

(4) Fragment class data. The class name, the range of values for each parameter used to categorize fragments within a fragment class, and the number of fragments in any fragment class established as required by paragraph (c)(10) of this section.

(5) Ballistic coefficient. The mean ballistic coefficient (β) and plus and minus three-sigma values of the β for each fragment class. A launch operator must provide graphs of the coefficient of drag (Cd) as a function of Mach number for the nominal and three-sigma β variations for each fragment shape. The launch operator must label each graph with the shape represented by the curve and reference area used to develop the curve. A launch operator must provide a Cd vs. Mach curve for any axial, transverse, and tumble orientations for any fragment that will not stabilize during free-fall conditions. For any fragment that may stabilize during free-fall, a launch operator must provide Cd vs. Mach curves for the stability angle of attack. If the angle of attack where the fragment stabilizes is other than zero degrees, a launch operator must provide both the coefficient of lift (CL) vs. Mach number and the Cd vs. Mach number curves. The launch operator must provide the equations for each Cd vs. Mach curve.

(6) Pre-flight propellant weight. The initial preflight weight of solid and liquid propellant for each launch vehicle component that contains solid or liquid propellant.

(7) Normal propellant consumption. The nominal and plus and minus three-sigma solid and liquid propellant consumption rate, and pre-malfunction consumption rate for each component that contains solid or liquid propellant.

(8) Fragment weight. The mean and plus and minus three-sigma weight of each fragment or fragment class.

(9) Projected area. The mean and plus and minus three-sigma axial, transverse, and tumbling areas for each fragment or fragment class. This information is not required for those fragment classes classified as burning propellant classes under section A417.25(b)(8).

(10) Imparted velocities. The maximum incremental velocity imparted to each fragment class created by flight termination system activation, or explosive or overpressure loads at breakup. The launch operator must identify the velocity distribution as Maxwellian or must define the distribution, including whether or not the specified maximum value is a fixed value with no uncertainty.

(11) Fragment type. The fragment type for each fragment established as required by paragraphs (c)(2), (c)(3), and (c)(4) of this section.

(12) Origin. The part of the launch vehicle from which each fragment originated.

(13) Burning propellant classes. The propellant consumption rate for those fragments that burn during free-fall.

(14) Contained propellant fragments, explosive or non-explosive. For contained propellant fragments, whether explosive or non-explosive, a launch operator must provide the initial weight of contained propellant and the consumption rate during free-fall. The initial weight of the propellant in a contained propellant fragment is the weight of the propellant before any of the propellant is consumed by normal vehicle operation or failure of the launch vehicle.

(15) Solid propellant fragment snuff-out pressure. The ambient pressure and the pressure at the surface of a solid propellant fragment, in pounds per square inch, required to sustain a solid propellant fragment's combustion during free-fall.

(16) Other non-inert debris fragments. For each non-inert debris fragment identified as required by paragraph (c)(4) of this section, a launch operator must describe the diffusion, dispersion, deposition, radiation, and other hazard exposure characteristics used to determine the effective casualty area required by paragraph (d)(13) of this section.

(17) Residual thrust dispersion. For each thrusting or non-thrusting stage having residual thrust capability following a launch vehicle malfunction, a launch operator must provide either the total residual impulse imparted or the full-residual thrust as a function of breakup time. For any stage not capable of thrust after a launch vehicle malfunction, a launch operator must provide the conditions under which the stage is no longer capable of thrust. For each stage that can be ignited as a result of a launch vehicle malfunction on a lower stage, a launch operator must identify the effects and duration of the potential thrust, and the maximum deviation of the instantaneous impact point, which can be brought about by the thrust. A launch operator must provide the explosion effects of all remaining fuels, pressurized tanks, and remaining stages, particularly with respect to ignition or detonation of upper stages if the flight termination system is activated during the burning period of a lower stage.

A417.13 Flight safety limits.

(a) General. A flight safety analysis must include a flight safety limits analysis that satisfies the requirements of § 417.213. This section applies to the computation of the flight safety limits and identifying the location of populated or other protected areas as required by § 417.213 and to the analysis products that the launch operator must file with the FAA as required by § 417.203(e).

(b) Flight safety limits constraints. The analysis must establish flight safety limits as follows:

(1) Flight safety limits must account for potential malfunction of a launch vehicle during the time from launch vehicle first motion through flight until the planned safe flight state determined as required by section A417.19.

(2) For a flight termination at any time during launch vehicle flight, the impact limit lines must:

(i) Represent no less than the extent of the debris impact dispersion for all debris fragments with a ballistic coefficient greater than or equal to three; and

(ii) Ensure that the debris impact area on the Earth's surface that is bounded by the debris impact dispersion in the uprange, downrange and crossrange directions does not extend to any populated or other protected area.

(3) Each debris impact area determined by a flight safety limits analysis must be offset in a direction away from populated or other protected areas. The size of the offset must account for all parameters that may contribute to the impact dispersion. The parameters must include:

(i) Launch vehicle malfunction turn capabilities.

(ii) Effective casualty area produced as required by section A417.25(b)(8).

(iii) All delays in the identification of a launch vehicle malfunction.

(iv) Malfunction imparted velocities, including any velocity imparted to vehicle fragments by breakup.

(v) Wind effects on the malfunctioning vehicle and falling debris.

(vi) Residual thrust remaining after flight termination.

(vii) Launch vehicle guidance and performance errors.

(viii) Lift and drag forces on the malfunctioning vehicle and falling debris including variations in drag predictions of fragments and debris.

(ix) All hardware and software delays during implementation of flight termination.

(x) All debris impact location uncertainties caused by conditions prior to, and after, activation of the flight termination system.

(xi) Any other impact dispersion parameters peculiar to the launch vehicle.

(xii) All uncertainty due to map error and launch vehicle tracking error.

(c) Risk management. The requirements for public risk management of § 417.205(a) apply to a flight safety limits analysis. When employing risk assessment, the analysis must establish flight safety limits that satisfy paragraph (b) of this section, account for the products of the debris risk analysis performed as required by section A417.25, and ensure that any risk to the public satisfies the public risk criteria of § 417.107(b). When employing hazard isolation, the analysis must establish flight safety limits in accordance with the following:

(1) The flight safety limits must account for the maximum deviation impact locations for the most wind sensitive debris fragment with a minimum of 11 ft-lbs of kinetic energy at impact.

(2) The maximum deviation impact location of the debris identified in paragraph (c)(1) of this section for each trajectory time must account for the three-sigma impact location for the maximum deviation flight, and the launch day wind conditions that produce the maximum ballistic wind for that debris.

(3) The maximum deviation flight must account for the instantaneous impact point, of the debris identified in paragraph (c)(1) of this section at breakup, that is closest to a protected area and the maximum ballistic wind directed from the breakup point toward that protected area.

(d) Flight safety limits analysis products. The products of a flight safety limits analysis that a launch operator must file with the FAA include:

(1) A description of each method used to develop and implement the flight safety limits. The description must include equations and example computations used in the flight safety limits analysis.

(2) A description of how each analysis method meets the analysis requirements and constraints of this section, including how the method produces a worst-case scenario for each impact dispersion area.

(3) A description of how the results of the analysis are used to protect populated and other protected areas.

(4) A graphic depiction or series of depictions of the flight safety limits, the launch point, all launch site boundaries, surrounding geographic area, all protected area boundaries, and the nominal and three-sigma launch vehicle instantaneous impact point ground traces from liftoff to orbital insertion or the end of flight. Each depiction must have labeled geodetic latitude and longitude lines. Each depiction must show the flight safety limits at trajectory time intervals sufficient to depict the mission success margin between the flight safety limits and the protected areas. The launch vehicle trajectory instantaneous impact points must be plotted with sufficient frequency to provide a conformal representation of the launch vehicle's instantaneous impact point ground trace curvature.

(5) A tabular description of the flight safety limits, including the geodetic latitude and longitude for any flight safety limit. The table must contain quantitative values that define flight safety limits. Each quantitative value must be rounded to the number of significant digits that can be determined from the uncertainty of the measurement device used to determine the flight safety limits and must be limited to a maximum of six decimal places.

(6) A map error table of direction and scale distortions as a function of distance from the point of tangency from a parallel of true scale and true direction or from a meridian of true scale and true direction. A launch operator must provide a table of tracking error as a function of downrange distance from the launch point for each tracking station used to make flight safety control decisions. A launch operator must file a description of the method, showing equations and sample calculations, used to determine the tracking error. The table must contain the map and tracking error data points within 100 nautical miles of the reference point at an interval of one data point every 10 nautical miles, including the reference point. The table must contain map and tracking error data points beyond 100 nautical miles from the reference point at an interval of one data point every 100 nautical miles out to a distance that includes all populated or other areas protected by the flight safety limits.

(7) A launch operator must provide the equations used for geodetic datum conversions and one sample calculation for converting the geodetic latitude and longitude coordinates between the datum ellipsoids used. A launch operator must provide any equations used for range and bearing computations between geodetic coordinates and one sample calculation.

A417.15 Straight-up time.

(a) General. A flight safety analysis must include a straight-up time analysis that satisfies the requirements of § 417.215. This section applies to the computation of straight-up time as required by § 417.215 and to the analysis products that the launch operator must file with the FAA as required by § 417.203(e). The analysis must establish a straight-up time as the latest time-after-liftoff, assuming a launch vehicle malfunctioned and flew in a vertical or near vertical direction above the launch point, at which activation of the launch vehicle's flight termination system or breakup of the launch vehicle would not cause hazardous debris or critical overpressure to affect any populated or other protected area.

(b) Straight-up time constraints. A straight-up time analysis must account for the following:

(1) Launch vehicle trajectory. The analysis must use the straight-up trajectory determined as required by section A417.7(e).

(2) Sources of debris impact dispersion. The analysis must use the sources described in section A417.13(b)(3)(iii) through (xii).

(c) Straight-up time analysis products. The products of a straight-up-time analysis that a launch operator must file with the FAA include:

(1) The straight-up-time.

(2) A description of the methodology used to determine straight-up time.

A417.17 Overflight gate.

(a) General. The flight safety analysis for a launch that involves flight over a populated or other protected area must include an overflight gate analysis that satisfies the requirements of § 417.217. This section applies to determining a gate as required by § 417.217 and the analysis products that the launch operator must file with the FAA as required by § 417.203(e). The analysis must determine the portion, referred to as a gate, of a flight safety limit, through which a launch vehicle's tracking representation will be allowed to proceed without flight termination.

(b) Overflight gate analysis constraints. The following analysis constraints apply to a gate analysis.

(1) For each gate in a flight safety limit, all the criteria used for determining whether to allow passage through the gate or to terminate flight at the gate must use all the same launch vehicle flight status parameters as the criteria used for determining whether to terminate flight at a flight safety limit. For example, if the flight safety limits are a function of instantaneous impact point location, the criteria for determining whether to allow passage through a gate in the flight safety limit must also be a function of instantaneous impact point location. Likewise, if the flight safety limits are a function of drag impact point, the gate criteria must also be a function of drag impact point.

(2) When establishing a gate in a flight safety limit, the analysis must ensure that the launch vehicle flight satisfies the flight safety requirements of § 417.107.

(3) For each established gate, the analysis must account for:

(i) All launch vehicle tracking and map errors.

(ii) All launch vehicle plus and minus three-sigma trajectory limits.

(iii) All debris impact dispersions.

(4) The width of a gate must restrict a launch vehicle's normal trajectory ground trace.

(c) Overflight gate analysis products. The products of a gate analysis that a launch operator must file with the FAA include:

(1) A description of the methodology used to establish each gate.

(2) A description of the tracking representation.

(3) A tabular description of the input data.

(4) Example analysis computations performed to determine a gate. If a launch involves more than one gate and the same methodology is used to determine each gate, the launch operator need only file the computations for one of the gates.

(5) A graphic depiction of each gate. A launch operator must provide a depiction or depictions showing flight safety limits, protected area outlines, nominal and 3-sigma left and right trajectory ground traces, protected area overflight regions, and predicted impact dispersion about the three-sigma trajectories within the gate. Each depiction must show latitude and longitude grid lines, gate latitude and longitude labels, and the map scale.

A417.19 Data loss flight time and planned safe flight state.

(a) General. A flight safety analysis must include a data loss flight time analysis that satisfies the requirements of § 417.219. This section applies to the computation of data loss flight times and the planned safe flight state required by § 417.219, and to the analysis products that the launch operator must file with the FAA as required by § 417.203(e).

(b) Planned safe flight state. The analysis must establish a planned safe flight state for a launch as follows:

(1) For a suborbital launch, the analysis must determine a planned safe flight state as the nominal state vector after liftoff that a launch vehicle's hazardous debris impact dispersion can no longer reach any protected area.

(2) For an orbital launch where the launch vehicle's instantaneous impact point does not traverse a protected area prior to reaching orbit, the analysis must establish the planned safe flight state as the time after liftoff that the launch vehicle's hazardous debris impact dispersion can no longer reach any protected area or orbital insertion, whichever occurs first.

(3) For an orbital launch where a gate permits overflight of a protected area and where orbital insertion occurs after reaching the gate, the analysis must determine the planned safe flight state as the time after liftoff when the time for the launch vehicle's instantaneous impact point to reach the gate is less than the time for the instantaneous impact point to reach any flight safety limit.

(4) The analysis must account for a malfunction that causes the launch vehicle to proceed from its position at the trajectory time being evaluated toward the closest flight safety limit and protected area.

(5) The analysis must account for the launch vehicle thrust vector that produces the highest instantaneous impact point range rate that the vehicle is capable of producing at the trajectory time being evaluated.

(c) Data loss flight times. For each launch vehicle trajectory time, from the predicted earliest launch vehicle tracking acquisition time until the planned safe flight state, the analysis must determine the data loss flight time as follows:

(1) The analysis must determine each data loss flight time as the minimum thrusting time for a launch vehicle to move from a normal trajectory position to a position where a flight termination would cause the malfunction debris impact dispersion to reach any protected area.

(2) A data loss flight time analysis must account for a malfunction that causes the launch vehicle to proceed from its position at the trajectory time being evaluated toward the closest flight safety limit and protected area.

(3) The analysis must account for the launch vehicle thrust vector that produces the highest instantaneous impact point range rate that the vehicle is capable of producing at the trajectory time being evaluated.

(4) Each data loss flight time must account for the system delays at the time of flight.

(5) The analysis must determine a data loss flight time for time increments that do not exceed one second along the launch vehicle nominal trajectory.

(d) Products. The products of a data loss flight time and planned safe flight state analysis that a launch operator must file include:

(1) A launch operator must describe the methodology used in its analysis, and identify all assumptions, techniques, input data, and equations used. A launch operator must file calculations performed for one data loss flight time in the vicinity of the launch site and one data loss flight time that is no less than 50 seconds later in the downrange area.

(2) A launch operator must file a graphical description or depictions of the flight safety limits, the launch point, the launch site boundaries, the surrounding geographic area, any protected areas, the planned safe flight state within any applicable scale requirements, latitude and longitude grid lines, and launch vehicle nominal and three-sigma instantaneous impact point ground traces from liftoff through orbital insertion for an orbital launch, and through final impact for a suborbital launch. Each graph must show any launch vehicle trajectory instantaneous impact points plotted with sufficient frequency to provide a conformal estimate of the launch vehicle's instantaneous impact point ground trace curvature. A launch operator must provide labeled latitude and longitude lines and the map scale on the depiction.

(3) A launch operator must provide a tabular description of each data loss flight time. The tabular description must include the malfunction start time and the geodetic latitude (positive north of the equator) and longitude (positive east of the Greenwich Meridian) coordinates of the intersection of the launch vehicle instantaneous impact point trajectory with the flight safety limit. The table must identify the first data lost flight time and planned safe flight state. The tabular description must include data loss flight times for trajectory time increments not to exceed one second.

A417.21 Time delay.

(a) General. A flight safety analysis must include a time delay analysis that satisfies the requirements of § 417.221. This section applies to the computation of time delays associated with a flight safety system and other launch vehicle systems and operations as required by § 417.221 and to the analysis products that the launch operator must file with the FAA as required by § 417.203(e).

(b) Time delay analysis constraints. The analysis must account for all significant causes of time delay between the violation of a flight termination rule and the time when a flight safety system is capable of terminating flight as follows:

(1) The analysis must account for decision and reaction times, including variation in human response time, for flight safety official and other personnel that are part of a launch operator's flight safety system as defined by subpart D of this part.

(2) The analyses must determine the time delay inherent in any data, from any source, used by a flight safety official for making flight termination decisions.

(3) A time delay analysis must account for all significant causes of time delay, including data flow rates and reaction times, for hardware and software, including, but not limited to the following:

(i) Tracking system. A time delay analysis must account for time delays between the launch vehicle's current location and last known location and that are associated with the hardware and software that make up the launch vehicle tracking system, whether or not it is located on the launch vehicle, such as transmitters, receivers, decoders, encoders, modulators, circuitry and any encryption and decryption of data.

(ii) Display systems. A time delay analysis must account for delays associated with hardware and software that make up any display system used by a flight safety official to aid in making flight control decisions. A time delay analysis must also account for any manual operations requirements, tracking source selection, tracking data processing, flight safety limit computations, inherent display delays, meteorological data processing, automated or manual system configuration control, automated or manual process control, automated or manual mission discrete control, and automated or manual fail over decision control.

(iii) Flight termination system and command control system. A time delay analysis must account for delays and response times associated with flight termination system and command control system hardware and software, such as transmitters, decoders, encoders, modulators, relays and shutdown, arming and destruct devices, circuitry and any encryption and decryption of data.

(iv) Software specific time delays. A delay analysis must account for delays associated with any correlation of data performed by software, such as timing and sequencing; data filtering delays such as error correction, smoothing, editing, or tracking source selection; data transformation delays; and computation cycle time.

(4) A time delay analysis must determine the time delay plus and minus three-sigma values relative to the mean time delay.

(5) For use in any risk analysis, a time delay analysis must determine time delay distributions that account for the variance of time delays for potential launch vehicle failure, including but not limited to, the range of malfunction turn characteristics and the time of flight when the malfunction occurs.

(c) Time delay analysis products. The products of a time delay analysis that a launch operator must file include:

(1) A description of the methodology used to produce the time delay analysis.

(2) A schematic drawing that maps the flight safety official's data flow time delays from the start of a launch vehicle malfunction through the final commanded flight termination on the launch vehicle, including the flight safety official's decision and reaction time. The drawings must indicate major systems, subsystems, major software functions, and data routing.

(3) A tabular listing of each time delay source and its individual mean and plus and minus three-sigma contribution to the overall time delay. The table must provide all time delay values in milliseconds.

(4) The mean delay time and the plus and minus three-sigma values of the delay time relative to the mean value.

A417.23 Flight hazard areas.

(a) General. A flight safety analysis must include a flight hazard area analysis that satisfies the requirements of § 417.223. This section applies to the determination of flight hazard areas for orbital and suborbital launch vehicles that use a flight termination system to protect the public as required by § 417.223 and to the analysis products that the launch operator must file with the FAA as required by § 417.203(e). Requirements that apply to determining flight hazard areas for an unguided suborbital rocket that uses a wind-weighting safety system are contained in appendix C of this part.

(b) Launch site flight hazard area. A flight hazard area analysis must establish a launch site flight hazard area that encompasses the launch point and:

(1) If the flight safety analysis employs hazard isolation to establish flight safety limits as required by section A417.13(c), the launch site flight hazard area must encompass the flight safety limits.

(2) If the flight safety analysis does not employ hazard isolation to establish the flight safety limits, the launch site flight hazard area must encompass all hazard areas established as required by paragraphs (c) through (e) of this section.

(c) Debris impact hazard area. The analysis must establish a debris impact hazard area that accounts for the effects of impacting debris resulting from normal and malfunctioning launch vehicle flight, except for toxic effects, and accounts for potential impact locations of all debris fragments. The analysis must establish a debris hazard area as follows:

(1) An individual casualty contour that defines where the risk to an individual would exceed an expected casualty (Ec) criteria of 1 × 10⁻⁶ if one person were assumed to be in the open and inside the contour during launch vehicle flight must bound a debris hazard area. The analysis must produce an individual casualty contour as follows:

(i) The analysis must account for the location of a hypothetical person, and must vary the location of the person to determine when the risk would exceed the Ec criteria of 1 × 10⁻⁶. The analysis must count a person as a casualty when the person's location is subjected to any inert debris impact with a mean expected kinetic energy greater than or equal to 11 ft-lbs or a peak incident overpressure equal to or greater than 1.0 psi due to explosive debris impact. The analysis must determine the peak incident overpressure using the Kingery-Bulmash relationship, without regard to sheltering, reflections, or atmospheric effects.

(ii) The analysis must account for person locations that are no more than 1000 feet apart in the downrange direction and no more than 1000 feet apart in the crossrange direction to produce an individual casualty contour. For each person location, the analysis must sum the probabilities of casualty over all flight times for all debris groups.

(iii) An individual casualty contour must consist of curves that are smooth and continuous. To accomplish this, the analysis must vary the time interval between the trajectory times assessed so that each location of a debris impact point is less than one-half sigma of the downrange dispersion distance.

(2) The input for determining a debris impact hazard area must account for the results of the trajectory analysis required by section A417.7, the malfunction turn analysis required by section A417.9, and the debris analysis required by section A417.11 to define the impact locations of each class of debris established by the debris analysis, and the time delay analysis required by section A417.21.

(3) The analysis must account for the extent of the impact debris dispersions for each debris class produced by normal and malfunctioning launch vehicle flight at each trajectory time. The analysis must also account for how the vehicle breaks up, either by the flight termination system or by aerodynamic forces, if the different breakup may result in a different probability of existence for each debris class. A debris impact hazard area must account for each impacting debris fragment classified as required by section A417.11(c).

(4) The analysis must account for launch vehicle flight that exceeds a flight safety limit. The analysis must also account for trajectory conditions that maximize the mean debris impact distance during the flight safety system delay time determined as required by section A417.21 and account for a debris model that is representative of a flight termination or aerodynamic breakup. For each launch vehicle breakup event, the analysis must account for trajectory and breakup dispersions, variations in debris class characteristics, and debris dispersion due to any wind condition under which a launch would be attempted.

(5) The analysis must account for the probability of failure of each launch vehicle stage and the probability of existence of each debris class. The analysis must account for the probability of occurrence of each type of launch vehicle failure. The analysis must account for vehicle failure probabilities that vary depending on the time of flight.

(6) In addition to failure debris, the analysis must account for nominal jettisoned body debris impacts and the corresponding debris impact dispersions. The analysis must use a probability of occurrence of 1.0 for the planned debris fragments produced by normal separation events during flight.

(d) Near-launch-point blast hazard area. A flight hazard area analysis must define a blast overpressure hazard area as a circle extending from the launch point with a radius equal to the 1.0 psi overpressure distance produced by the equivalent TNT weight of the explosive capability of the vehicle. In addition, the analysis must establish a minimum near-pad blast hazard area to provide protection from hazardous fragments potentially propelled by an explosion. The analysis must account for the maximum possible total solid and liquid propellant explosive potential of the launch vehicle and any payload. The analysis must define a blast overpressure hazard area using the following equations:

$R_{op} = 45 \cdot (NEW)^{1/3}$

Where:

$R_{op}$ is the overpressure distance in feet.

$NEW = W_E \cdot C$ (pounds).

$W_E$ is the weight of the explosive in pounds.

C is the TNT equivalency coefficient of the propellant being evaluated. A launch operator must identify the TNT equivalency of each propellant on its launch vehicle including any payload. TNT equivalency data for common liquid propellants is provided in Table A417-1. Table A417-2 provides factors for converting gallons of specified liquid propellants to pounds.

(e) Other hazards. A flight hazard area analysis must identify any additional hazards, such as radioactive material, that may exist on the launch vehicle or payload. For each such hazard, the analysis must determine a hazard area that encompasses any debris impact point and its dispersion and includes an additional hazard radius that accounts for potential casualty due to the additional hazard. Analysis requirements for toxic release and far field blast overpressure are provided in § 417.27 and section A417.29, respectively.

(1) Aircraft hazard areas. The analysis must establish an aircraft hazard area for each planned debris impact for the issuance of notices to airmen as required by § 417.121(e). Each aircraft hazard area must encompass an air space region, from an altitude of 60,000 feet to impact on the Earth's surface, that contains the three-sigma drag impact dispersion.

(2) Ship hazard areas. The analysis must establish a ship hazard area for each planned debris impact for the issuance of notices to mariners as required by § 417.121(e). Each ship hazard area must encompass a surface region that contains the three-sigma drag impact dispersion.

(f) Flight hazard area analysis products. The products of a flight hazard area analysis that a launch operator must file with the FAA include:

(1) A chart that depicts the launch site flight hazard area, including its size and location.

(2) A chart that depicts each hazard area required by this section.

(3) A description of each hazard for which analysis was performed; the methodology used to compute each hazard area; and the debris classes for aerodynamic breakup of the launch vehicle and for flight termination. For each debris class, the launch operator must identify the number of debris fragments, the variation in ballistic coefficient, and the standard deviation of the debris dispersion.

(4) A chart that depicts each of the individual casualty contours.

(5) A description of the aircraft hazard area for each planned debris impact, the information to be published in a Notice to Airmen, and all information required as part of any agreement with the FAA ATC office having jurisdiction over the airspace through which flight will take place.

(6) A description of any ship hazard area for each planned debris impact and all information required in a Notice to Mariners.

(7) A description of the methodology used for determining each hazard area.

(8) A description of the hazard area operational controls and procedures to be implemented for flight.

A417.25 Debris risk.

(a) General. A flight safety analysis must include a debris risk analysis that satisfies the requirements of § 417.225. This section applies to the computation of the average number of casualties (Ec) to the collective members of debris hazards from the proposed flight of a launch vehicle as required by § 417.225 and to the analysis products that the launch operator must file with the FAA as required by § 417.203(e).

(b) Debris risk analysis constraints. The following constraints apply to a debris risk:

(1) A debris risk analysis must use valid risk analysis models that compute Ec as the summation over all trajectory time intervals from lift-off through orbital insertion of the products of the probability of each possible event and the casualty consequences due to debris impacts for each possible event.

(2) A debris risk analysis must account for the following populations:

(i) The overflight of populations located inside any flight safety limits.

(ii) All populations located within five-sigma left and right crossrange of a nominal trajectory instantaneous impact point ground trace and within five-sigma of each planned nominal debris impact.

(iii) Any planned overflight of the public within any gate overflight areas.

(iv) Any populations outside the flight safety limits identified as required by paragraph (b)(10) of this section.

(3) A debris risk analysis must account for both inert and explosive debris hazards produced from any impacting debris caused by normal and malfunctioning launch vehicle flight. The analysis must account for the debris classes determined by the debris analysis required by section A417.11. A debris risk analysis must account for any inert debris impact with mean expected kinetic energy at impact greater than or equal to 11 ft-lbs and peak incident overpressure of greater than or equal to 1.0 psi due to any explosive debris impact. The analysis must account for all debris hazards as a function of flight time.

(4) A debris risk analysis must account for debris impact points and dispersion for each class of debris as follows:

(i) A debris risk analysis must account for drag corrected impact points and dispersions for each class of impacting debris resulting from normal and malfunctioning launch vehicle flight as a function of trajectory time from lift-off through orbital insertion, including each planned impact, for an orbital launch, and through final impact for a suborbital launch.

(ii) The dispersion for each debris class must account for the position and velocity state vector dispersions at breakup, the variance produced by breakup imparted velocities, the effect of winds on both the ascent trajectory state vector at breakup and the descending debris piece impact location, the variance produced by aerodynamic properties for each debris class, and any other dispersion variances.

(iii) A debris risk analysis must account for the survivability of debris fragments that are subject to reentry aerodynamic forces or heating. A debris class may be eliminated from the debris risk analysis if the launch operator demonstrates that the debris will not survive to impact.

(5) A debris risk analysis must account for launch vehicle failure probability. The following constraints apply:

(i) For flight safety analysis purposes, a failure occurs when a vehicle does not complete any phase of normal flight or exhibits the potential for the stage or its debris to impact the Earth or reenter the atmosphere during the mission or any future mission of similar vehicle capability. Also, either a launch incident or launch accident constitutes a failure.

(ii) For a launch vehicle with fewer than 2 flights completed, the analysis must use a reference value for the launch vehicle failure probability estimate equal to the upper limit of the 60% two-sided confidence limits of the binomial distribution for outcomes of all previous launches of vehicles developed and launched in similar circumstances. The FAA may adjust the failure probability estimate to account for the level of experience demonstrated by the launch operator and other factors that affect the probability of failure. The FAA may adjust the failure probability estimate for the second launch based on evidence obtained from the first flight of the vehicle.

(iii) For a launch vehicle with at least 2 flights completed, the analysis must use the reference value for the launch vehicle failure probability of Table A417-3 based on the outcomes of all previous launches of the vehicle. The FAA may adjust the failure probability estimate to account for evidence obtained from the flight history of the vehicle. The FAA may adjust the failure probability estimate to account for the nature of launch outcomes in the flight history of the vehicle, corrective actions taken in response to a failure of the vehicle, or other vehicle modifications that may affect reliability. The FAA may adjust the failure probability estimate to account for the demonstrated quality of the engineering approach to launch vehicle processing, meeting safety requirements in this part, and associated hazard mitigation. The analysis must use a final failure estimate within the confidence limits of Table A417-3.

(A) Values listed on the far left of Table A417-3 apply when no launch failures are experienced. Values on the far right apply when only launch failures are experienced. Values in between apply for flight histories that include both failures and successes.

(B) Reference values in Table A417-3 are shown in bold. The reference values are the median values between 60% two-sided confidence limits of the binomial distribution. For the special cases of zero or N failures in N launch attempts, the reference values may also be recognized as the median value between the 80% one-sided confidence limit of the binomial distribution and zero or one, respectively.

(C) Upper and lower confidence bounds in Table A417-3 are shown directly above and below each reference value. These confidence bounds are based on 60% two-sided confidence limits of the binomial distribution. For the special cases of zero or N failures in N launch attempts, the upper and lower confidence bounds are based on the 80% one-sided confidence limit, respectively.
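The confidence limits described in paragraphs (b)(5)(ii) and (b)(5)(iii) can be reproduced numerically. The following Python sketch is an added example, not part of the rule: it assumes the exact (Clopper-Pearson) construction of binomial confidence limits and reads "median value between" the limits as their midpoint. All function names are hypothetical and the launch counts are constructed sample inputs.

```python
"""Added example: binomial confidence limits for launch failure probability.

Assumptions (not stated in the rule): exact Clopper-Pearson limits, and the
reference value taken as the midpoint of the lower and upper limits.
"""
from math import comb

# A 60% two-sided interval leaves 20% in each tail; an 80% one-sided limit
# also leaves 20% in its single tail, so one tail value serves every case.
TAIL = 0.20


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def _solve_decreasing(f, target, iters=100):
    """Bisection on [0, 1] for f(p) == target, with f decreasing in p."""
    lo, hi = 0.0, 1.0
    for _ in range(iters):
        mid = (lo + hi) / 2
        if f(mid) > target:
            lo = mid  # probability still too high, so p must grow
        else:
            hi = mid
    return (lo + hi) / 2


def confidence_limits(failures, launches):
    """Return (lower, upper) limits on the per-launch failure probability."""
    if launches < 1 or not 0 <= failures <= launches:
        raise ValueError("need launches >= 1 and 0 <= failures <= launches")
    if failures == 0:
        lower = 0.0  # special case: zero failures in N attempts
    else:
        # Lower limit: P(X >= failures) = TAIL, i.e. P(X <= failures-1) = 1-TAIL
        lower = _solve_decreasing(
            lambda p: binom_cdf(failures - 1, launches, p), 1 - TAIL)
    if failures == launches:
        upper = 1.0  # special case: N failures in N attempts
    else:
        # Upper limit: P(X <= failures) = TAIL
        upper = _solve_decreasing(
            lambda p: binom_cdf(failures, launches, p), TAIL)
    return lower, upper


def reference_value(failures, launches):
    """Midpoint of the limits (vehicle with at least 2 flights completed)."""
    lower, upper = confidence_limits(failures, launches)
    return (lower + upper) / 2


def new_vehicle_reference(failures, launches):
    """Upper limit over comparable vehicles (fewer than 2 flights completed)."""
    return confidence_limits(failures, launches)[1]


def estimate_within_limits(estimate, failures, launches):
    """Check that an adjusted final estimate stays inside the limits."""
    lower, upper = confidence_limits(failures, launches)
    return lower <= estimate <= upper


if __name__ == "__main__":
    # Constructed sample histories: (failures, launches)
    for k, n in [(0, 2), (1, 2), (2, 2), (1, 10)]:
        lo, hi = confidence_limits(k, n)
        print(f"{k}/{n}: lower={lo:.3f} ref={reference_value(k, n):.3f} "
              f"upper={hi:.3f}")
    # Constructed: 3 failures in 10 launches of comparable new vehicles
    print(f"new vehicle: {new_vehicle_reference(3, 10):.3f}")
```

Because the 60% two-sided and 80% one-sided limits share the same 20% tail, the zero-failure and all-failure cases need no separate formula, only the fixed endpoints 0 and 1.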

(6) A debris risk analysis must account for the dwell time of the instantaneous impact point ground trace over each populated or protected area being evaluated.

(7) A debris risk analysis must account for the three-sigma instantaneous impact point trajectory variations in left-crossrange, right-crossrange, uprange, and downrange as a function of trajectory time, due to launch vehicle performance variations as determined by the trajectory analysis performed as required by section A417.7.

(8) A debris risk analysis must account for the effective casualty area as a function of launch vehicle flight time for all impacting debris generated from a catastrophic launch vehicle malfunction event or a planned impact event. The effective casualty area must account for both payload and vehicle systems and subsystems debris. The effective casualty area must account for all debris fragments determined as part of a launch operator's debris analysis as required by section A417.11. The effective casualty area for each explosive debris fragment must account for a 1.0 psi blast overpressure radius and the projected debris effects for all potentially explosive debris. The effective casualty area for each inert debris fragment must:

(i) Account for bounce, skip, slide, and splatter effects; or

(ii) Equal seven times the maximum projected area of the fragment.

(9) A debris risk analysis must account for current population density data obtained from a current population database for the region being evaluated or by estimating the current population using exponential population growth rate equations applied to the most current historical data available. The population model must define population centers that are similar enough to be described and treated as a single average set of characteristics without degrading the accuracy of the debris risk estimate.

(10) For a launch vehicle that uses a flight safety system, a debris risk analysis must account for the collective risk to any populations outside the flight safety limits during flight, including people who will be at any public launch viewing area during flight. For such populations, in addition to the constraints of paragraphs (b)(1) through (b)(9) of this section, a launch operator's debris risk analysis must account for the following:

(i) The probability of a launch vehicle failure that would result in debris impact in protected areas outside the flight safety limits.

(ii) The failure probability of the launch operator's flight safety system. A flight safety system failure rate of 0.002 may be used if the flight safety system complies with the flight safety system requirements of subpart D of this part. For an alternate flight safety system approved as required by § 417.107(a)(3), the launch operator must demonstrate the validity of the probability of failure through the licensing process.

(iii) Current population density data and population projections for the day and time of flight for the areas outside the flight safety limits.

(c) Debris risk analysis products. The products of a debris risk analysis that a launch operator must file with the FAA include:

(1) A debris risk analysis report that provides the analysis input data, probabilistic risk determination methods, sample computations, and text or graphical charts that characterize the public risk to geographical areas for each launch.

(2) Geographic data showing:

(i) The launch vehicle nominal, five-sigma left-crossrange and five-sigma right-crossrange instantaneous impact point ground traces;

(ii) All exclusion zones relative to the instantaneous impact point ground traces; and

(iii) All populated areas included in the debris risk analysis.

(3) A discussion of each launch vehicle failure scenario accounted for in the analysis and the probability of occurrence, which may vary with flight time, for each failure scenario. This information must include failure scenarios where a launch vehicle:

(i) Flies within normal limits until some malfunction causes spontaneous breakup or results in a commanded flight termination;

(ii) Experiences malfunction turns; and

(iii) Flight safety system fails to function.

(4) A population model applicable to the launch overflight regions that contains the following: region identification, location of the center of each population center by geodetic latitude and longitude, total area, number of persons in each population center, and a description of the shelter characteristics within the population center.

(5) A description of the launch vehicle, including general information concerning the nature and purpose of the launch and an overview of the launch vehicle, including a scaled diagram of the general arrangement and dimensions of the vehicle. A launch operator's debris risk analysis products may reference other documentation filed with the FAA containing this information. The description must include:

(i) Weights and dimensions of each stage.

(ii) Weights and dimensions of any booster motors attached.

(iii) The types of fuel used in each stage and booster.

(iv) Weights and dimensions of all interstage adapters and skirts.

(v) Payload dimensions, materials, construction, and any payload fuel; payload fairing construction, materials, and dimensions; and any non-inert components or materials that add to the effective casualty area of the debris, such as radioactive or toxic materials or high-pressure vessels.

(6) A typical sequence of events showing times of ignition, cutoff, burnout, and jettison of each stage, firing of any ullage rockets, and starting and ending times of coast periods and control modes.

(7) The following information for each launch vehicle motor:

(i) Propellant type and composition;

(ii) Thrust profile;

(iii) Propellant weight and total motor weight as a function of time;

(iv) A description of each nozzle and steering mechanism;

(v) For solid rocket motors, internal pressure and average propellant thickness, or borehole radius, as a function of time;

(vi) Maximum impact point deviations as a function of failure time during destruct system delays. Burn rate as a function of ambient pressure;

(vii) A discussion of whether a commanded destruct could ignite a non-thrusting motor, and if so, under what conditions; and

(viii) Nozzle exit and entrance areas.

(8) The launch vehicle's launch and failure history, including a summary of past vehicle performance. For a new vehicle with little or no flight history, a launch operator must provide all known data on similar vehicles that include:

(i) Identification of the launches that have occurred;

(ii) Launch date, location, and direction of each launch;

(iii) The number of launches that performed normally;

(iv) Behavior and impact location of each abnormal experience;

(v) The time, altitude, and nature of each malfunction; and

(vi) Descriptions of corrective actions taken, including changes in vehicle design, flight termination, and guidance and control hardware and software.

(9) The values of probability of impact (PI) and expected casualty (Ec) for each populated area.

A417.27 Toxic release hazard analysis.

A flight safety analysis must include a toxic release hazard analysis that satisfies the requirements of § 417.227. A launch operator's toxic release hazard analysis must satisfy the methodology requirements of appendix I of this part. A launch operator must file the analysis products identified in appendix I of this part as required by § 417.203(e).

A417.29 Far field blast overpressure effects analysis.

(a) General. A flight safety analysis must include a far field blast overpressure effects hazard analysis that satisfies the requirements of § 417.229. This section applies to the computation of far field blast overpressure effects from the proposed flight of a launch vehicle as required by § 417.229 and to the analysis products that the launch operator must file with the FAA as required by § 417.203(e). The analysis must account for distant focus overpressure and any overpressure enhancement to establish the potential for broken windows due to peak incident overpressures below 1.0 psi and related casualties due to falling or projected glass shards. The analysis must employ either paragraph (b) of this section or the risk analysis of paragraph (c) of this section.

(b) Far field blast overpressure hazard analysis. Unless an analysis satisfies the requirements of paragraph (c) of this section, a far field blast overpressure hazard analysis must satisfy the following:

(1) Explosive yield factors. The analysis must use explosive yield factor curves for each type or class of solid or liquid propellant used by the launch vehicle. Each explosive yield factor curve must be based on the most accurate explosive yield data for the corresponding type or class of solid or liquid propellant based on empirical data or computational modeling.

(2) Establish the maximum credible explosive yield. The analysis must establish the maximum credible explosive yield resulting from normal and malfunctioning launch vehicle flight. The explosive yield must account for impact mass and velocity of impact on the Earth's surface. The analysis must account for explosive yield expressed as a TNT equivalent for peak overpressure.

(3) Characterize the population exposed to the hazard. The analysis must demonstrate whether any population centers are vulnerable to a distant focus overpressure hazard using the methodology provided by section 6.3.2.4 of the American National Standards Institute's ANSI S2.20-1983, “Estimating Air Blast Characteristics for Single Point Explosions in Air with a Guide to Evaluation of Atmospheric Propagation and Effects” and as follows:

(i) For the purposes of this analysis, a population center must include any area outside the launch site and not under the launch operator's control that contains an exposed site. An exposed site includes any structure that may be occupied by human beings, and that has at least one window, but does not include automobiles, airplanes, and waterborne vessels. The analysis must account for the most recent census information on each population center. The analysis must treat any exposed site for which no census information is available, or the census information indicates a population equal to or less than four persons, as a ‘single residence.’

(ii) The analysis must identify the distance between the location of the maximum credible impact explosion and the location of each population center potentially exposed. Unless the location of the potential explosion site is limited to a defined region, the analysis must account for the distance between the potential explosion site and a population center as the minimum distance between any point within the region contained by the flight safety limits and the nearest exposed site within the population center.

(iii) The analysis must account for all weather conditions optimized for a distant focus overpressure hazard by applying an atmospheric blast “focus factor” (F) of 5.

(iv) The analysis must determine, using the methodology of section 6.3.2.4 of ANSI S2.20-1983, for each population center, whether the maximum credible explosive yield of a launch meets, exceeds or is less than the “no damage yield limit” of the population center. If the maximum credible explosive yield is less than the “no damage yield limit” for all exposed sites, the remaining requirements of this section do not apply. If the maximum credible explosive yield meets or exceeds the “no damage yield limit” for a population center, then that population center is vulnerable to far field blast overpressure from the launch and the requirements of paragraphs (b)(4) and (b)(5) of this section apply.

(4) Estimate the quantity of broken windows. The analysis must use a focus factor of 5 and the methods provided by ANSI S2.20-1983 to estimate the number of potential broken windows within each population center determined to be vulnerable to the distant focus overpressure hazard as required by paragraph (b)(3) of this section.

(5) Determine and implement measures necessary to prevent distant focus overpressure from breaking windows. For each population center that is vulnerable to far field blast overpressure from a launch, the analysis must identify mitigation measures to protect the public from serious injury from broken windows and the flight commit criteria of § 417.113(b) needed to enforce the mitigation measures. A launch operator's mitigation measures must include one or more of the following:

(i) Apply a minimum 4-millimeter thick anti-shatter film to all exposed sites where the maximum credible yield exceeds the “no damage yield limit.”

(ii) Evacuate the exposed public to a location that is not vulnerable to the distant focus overpressure hazard at least two hours prior to the planned flight time.

(iii) If, as required by paragraph (b)(4) of this section, the analysis predicts that less than 20 windows will break, advise the public of the potential for glass breakage.

(c) Far field blast overpressure risk analysis. If a launch operator does not employ paragraph (b) of this section to perform a far field overpressure hazard analysis, the launch operator must conduct a risk analysis that demonstrates that the launch will be conducted in accordance with the public risk criteria of § 417.107(b).

(d) Far field blast overpressure effect products. The products of a far field blast overpressure analysis that a launch operator must file with the FAA include:

(1) A description of the methodology used to produce the far field blast overpressure analysis results, a tabular description of the analysis input data, and a description of any far field blast overpressure mitigation measures implemented.

(2) For any far field blast overpressure risk analysis, an example set of the analysis computations.

(3) The values for the maximum credible explosive yield as a function of time of flight.

(4) The distance between the potential explosion location and any population center vulnerable to the far field blast overpressure hazard. For each population center, the launch operator must identify the exposed populations by location and number of people.

(5) Any mitigation measures established to protect the public from far field blast overpressure hazards and any flight commit criteria established to ensure the mitigation measures are enforced.

A417.31 Collision avoidance.

(a) General. A flight safety analysis must include a collision avoidance analysis that satisfies the requirements of § 417.231. This section applies to a launch operator obtaining a collision avoidance assessment from United States Strategic Command as required by § 417.231 and to the analysis products that the launch operator must file with the FAA as required by § 417.203(e). United States Strategic Command refers to a collision avoidance analysis for a space launch as a conjunction on launch assessment.

(b) Analysis constraints. A launch operator must satisfy the following when obtaining and implementing the results of a collision avoidance analysis:

(1) A launch operator must provide United States Strategic Command with the launch window and trajectory data needed to perform a collision avoidance analysis for a launch as required by paragraph (c) of this section, at least 15 days before the first attempt at flight. The FAA will identify a launch operator to United States Strategic Command as part of issuing a license and provide a launch operator with current United States Strategic Command contact information.

(2) A launch operator must obtain a collision avoidance analysis performed by United States Strategic Command 6 hours before the beginning of a launch window.

(3) A launch operator may use a collision avoidance analysis for 12 hours from the time that United States Strategic Command determines the state vectors of the manned or mannable orbiting objects. If a launch operator needs an updated collision avoidance analysis due to a launch delay, the launch operator must file the request with United States Strategic Command at least 12 hours prior to the beginning of the new launch window.

(4) For every 90 minutes, or portion of 90 minutes, that pass between the time United States Strategic Command last determined the state vectors of the orbiting objects, a launch operator must expand each wait in a launch window by subtracting 15 seconds from the start of the wait in the launch window and adding 15 seconds to the end of the wait in the launch window. A launch operator must incorporate all the resulting waits in the launch window into its flight commit criteria established as required by § 417.113.
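The wait expansion in paragraph (b)(4) and the 12-hour limit in paragraph (b)(3), worked through as an added example; this is not code from the rule or from the FAA. The timestamps are constructed, and measuring the age of the state vectors up to the end of each wait is an assumption, because the paragraph does not name the end point of the interval.

```python
from datetime import datetime, timedelta, timezone

INTERVAL = timedelta(minutes=90)           # (b)(4): "every 90 minutes, or portion"
PAD_PER_INTERVAL = timedelta(seconds=15)   # (b)(4): applied to both ends of a wait
VALIDITY = timedelta(hours=12)             # (b)(3): usable life of one analysis


def utc(hms, day="2006-09-25"):
    """Build a UTC (ZULU) timestamp; the date is a constructed sample value."""
    stamp = datetime.strptime(f"{day} {hms}", "%Y-%m-%d %H:%M:%S")
    return stamp.replace(tzinfo=timezone.utc)


def expand_wait(wait, vector_time):
    """Widen one wait by 15 s per started 90-minute interval of vector age."""
    start, end = wait
    if end <= start:
        raise ValueError("a wait must have positive duration")
    elapsed = end - vector_time  # assumption: age is measured to the wait's end
    if elapsed < timedelta(0):
        raise ValueError("wait ends before the state vectors were determined")
    intervals = -(-elapsed // INTERVAL)  # exact integer ceiling, no float rounding
    pad = intervals * PAD_PER_INTERVAL
    return start - pad, end + pad


def go_windows(launch_window, waits, vector_time):
    """Return (merged expanded waits, remaining windows) inside the launch window."""
    open_t, close_t = launch_window
    if close_t > vector_time + VALIDITY:
        raise ValueError("launch window outlives the 12-hour analysis; request an update")
    merged = []
    for start, end in sorted(expand_wait(w, vector_time) for w in waits):
        start, end = max(start, open_t), min(end, close_t)  # clip to the window
        if start >= end:
            continue  # wait lies wholly outside the launch window
        if merged and start <= merged[-1][1]:
            # Expansion can make neighbouring waits touch or overlap: fuse them.
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    windows, cursor = [], open_t
    for start, end in merged:
        if start > cursor:
            windows.append((cursor, start))
        cursor = end
    if cursor < close_t:
        windows.append((cursor, close_t))
    return merged, windows


# Constructed sample: state vectors determined at 06:00Z, window 12:00Z to 14:00Z.
VECTOR_TIME = utc("06:00:00")
LAUNCH_WINDOW = (utc("12:00:00"), utc("14:00:00"))
WAITS = [
    (utc("12:10:00"), utc("12:12:00")),
    (utc("12:12:20"), utc("12:13:00")),  # 20 s after the first wait ends
    (utc("13:45:00"), utc("13:46:00")),
]

if __name__ == "__main__":
    waits, windows = go_windows(LAUNCH_WINDOW, WAITS, VECTOR_TIME)
    for label, spans in (("WAIT  ", waits), ("WINDOW", windows)):
        for start, end in spans:
            print(label, start.strftime("%H:%M:%SZ"), "to", end.strftime("%H:%M:%SZ"))
```

The first two waits are 20 seconds apart as delivered but overlap once each is widened by 75 seconds, so the flight commit criteria carry them as a single wait.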

(c) Information required. A launch operator must prepare a collision avoidance analysis worksheet for each launch using a standardized format that contains the input data required by this paragraph. A launch operator must file the input data with United States Strategic Command for the purposes of completing a collision avoidance analysis. A launch operator must file the input data with the FAA as part of the license application process as required by § 415.115 of this chapter.

(1) Launch information. A launch operator must file the following launch information:

(i) Mission name. A mnemonic given to the launch vehicle/payload combination identifying the launch mission from all others.

(ii) Segment number. A segment is defined as a launch vehicle stage or payload after the thrusting portion of its flight has ended. This includes the jettison or deployment of any stage or payload. A launch operator must provide a separate worksheet for each segment. For each segment, a launch operator must determine the “vector at injection” as defined by paragraph (c)(5) of this section. The data must present each segment number as a sequence number relative to the total number of segments for a launch, such as “1 of 5.”

(iii) Launch window. The launch window opening and closing times in Greenwich Mean Time (referred to as ZULU time) and the Julian dates for each scheduled launch attempt.

(2) Point of contact. The person or office within a launch operator's organization that collects, analyzes, and distributes collision avoidance analysis results.

(3) Collision avoidance analysis results transmission medium. A launch operator must identify the transmission medium, such as voice, FAX, or e-mail, for receiving results from United States Strategic Command.

(4) Requestor launch operator needs. A launch operator must indicate the types of analysis output formats required for establishing flight commit criteria for a launch:

(i) Waits. All the times within the launch window during which flight must not be initiated.

(ii) Windows. All the times within an overall launch window during which flight may be initiated.

(5) Vector at injection. A launch operator must identify the vector at injection for each segment. “Vector at injection” identifies the position and velocity of all orbital or suborbital segments after the thrust for a segment has ended.

(i) Epoch. The epoch time, in Greenwich Mean Time (GMT), of the expected launch vehicle liftoff time.

(ii) Position and velocity. The position coordinates in the EFG coordinate system measured in kilometers and the EFG components measured in kilometers per second, of each launch vehicle stage or payload after any burnout, jettison, or deployment.

(6) Time of powered flight. The elapsed time in seconds, from liftoff to arrival at the launch vehicle vector at injection. The input data must include the time of powered flight for each stage or jettisoned component measured from liftoff.

(7) Time span for launch window file (LWF). A launch operator must provide the following information regarding its launch window:

(i) Launch window. The launch window measured in minutes from the initial proposed liftoff time.

(ii) Time of powered flight. The time provided as required by paragraph (c)(6) of this section measured in minutes rounded up to the nearest integer minute.

(iii) Screen duration. The time duration, after all thrusting periods of flight have ended, that a collision avoidance analysis must screen for potential conjunctions with manned or mannable orbital objects. Screen duration is measured in minutes and must be greater than or equal to 100 minutes for an orbital launch.

(iv) Extra pad. An additional period of time for collision avoidance analysis screening to ensure the entire first orbit is screened for potential conjunctions with manned or mannable orbital objects. This time must be 10 minutes unless otherwise specified by United States Strategic Command.

(v) Total. The summation total of the time spans provided as required by paragraphs (c)(7)(i) through (c)(7)(iv) expressed in minutes.

(8) Screening. A launch operator must select spherical or ellipsoidal screening as defined in this paragraph for determining any conjunction. The default must be the spherical screening method using an avoidance radius of 200 kilometers for manned or mannable orbiting objects. If the launch operator requests screening for any unmanned or unmannable objects, the default must be the spherical screening method using a miss distance of 25 kilometers.

(i) Spherical screening. Spherical screening utilizes an impact exclusion sphere centered on each orbiting object's center-of-mass to determine any conjunction. A launch operator must specify the avoidance radius for manned or mannable objects and for any unmanned or unmannable objects if the launch operator elects to perform the analysis for unmanned or unmannable objects.

(ii) Ellipsoidal screening. Ellipsoidal screening utilizes an impact exclusion ellipsoid of revolution centered on the orbiting object's center-of-mass to determine any conjunction. A launch operator must provide input in the UVW coordinate system in kilometers. The launch operator must provide delta-U measured in the radial-track direction, delta-V measured in the in-track direction, and delta-W measured in the cross-track direction.

(9) Orbiting objects to evaluate. A launch operator must identify the orbiting objects to be included in the analysis.

(10) Deliverable schedule/need dates. A launch operator must identify the times before flight, referred to as “L-times,” for which the launch operator requests a collision avoidance analysis.

(d) Collision avoidance assessment products. A launch operator must file its collision avoidance analysis products as required by § 417.203(e) and must include the input data required by paragraph (c) of this section. A launch operator must incorporate the result of the collision avoidance analysis into its flight commit criteria established as required by § 417.113.

Appendix B of Part 417—Flight Hazard Area Analysis for Aircraft and Ship Protection

B417.1 Scope.

This appendix contains requirements to establish aircraft hazard areas, ship hazard areas, and land impact hazard areas. The methodologies contained in this appendix represent an acceptable means of satisfying the requirements of § 417.107 and § 417.223 as they pertain to ship, aircraft, and land hazard areas. This appendix provides a standard and a measure of fidelity against which the FAA will measure any proposed alternative approaches. Requirements for a launch operator's implementation of a hazard area are contained in §§ 417.121(e) and (f).

B417.3 Hazard area notifications and surveillance.

(a) A launch operator must ensure the following notifications have been made and adhered to at launch:

(1) A Notice to Airmen (NOTAM) must be issued for every aircraft hazard area identified as required by sections B417.5 and B417.7. The NOTAM must be effective no less than thirty minutes prior to flight and effective until no sooner than thirty minutes after the air space volume requested by the NOTAM can no longer be affected by the launch vehicle or its potential hazardous effects.

(2) A Notice to Mariners (NOTMAR) must be issued for every ship hazard area identified as required by sections B417.5 and B417.7. The NOTMAR must be effective no less than thirty minutes prior to flight and effective until no sooner than thirty minutes after the area requested by the NOTMAR can no longer be affected by the launch vehicle or its potential hazardous effects.

(3) All local officials and landowners adjacent to any hazard area must be notified of the flight schedule no less than two days prior to the flight of the launch vehicle.

(b) A launch operator must survey each of the following hazard areas:

(1) Each launch site hazard area;

(2) Each aircraft hazard area in the vicinity of the launch site; and

(3) Each ship hazard area in the vicinity of the launch site.

B417.5 Launch site hazard area.

(a) General. A launch operator must perform a launch site hazard area analysis that protects the public, aircraft, and ships from the hazardous activities in the vicinity of the launch site. The launch operator must evacuate and monitor each launch site hazard area to ensure compliance with §§ 417.107(b)(2) and (b)(3).

(b) Launch site hazard area analysis input. A launch site hazard area must encompass no less than the following:

(1) Each land hazard area in the vicinity of the launch site calculated as required by section B417.13;

(2) Each ship hazard area in the vicinity of the launch site calculated as required by section B417.11(c); and

(3) The aircraft hazard area in the vicinity of the launch site calculated as required by section B417.9(c).

B417.7 Downrange hazard areas.

(a) General. A launch operator must perform a downrange hazard area analysis that protects the public, aircraft, and ships from the hazardous activities in the vicinity of each scheduled impact location.

(b) Downrange hazard areas analysis input. A launch hazard area must bound no less than the following:

(1) The aircraft hazard area in the vicinity of each planned impact location calculated as required by section B417.9(d);

(2) The ship hazard area in the vicinity of each planned water impact location calculated as required by section B417.11(d); and

(3) The land hazard area in the vicinity of each planned land impact location calculated as required by section B417.13.

B417.9 Aircraft hazard areas analysis.

(a) General. A launch operator must perform an aircraft hazard areas analysis as required by § 417.223(b). A launch operator's aircraft hazard areas analysis must determine the aircraft hazard area in the vicinity of the launch site and the aircraft hazard area in the vicinity of each planned impact location as required by this section.

(b) Aircraft hazard areas analysis input. A launch operator must account for the following inputs to determine the aircraft hazard areas:

(1) The trajectory analysis performed as required by section A417.7 or section C417.3; and

(2) The debris risk analysis performed as required by section A417.25 or section C417.9.

(c) Methodology for computing an aircraft hazard area in the vicinity of the launch site. An aircraft hazard area analysis must determine an aircraft hazard area that encompasses the launch point from the surface of the Earth to an altitude of 100,000 ft MSL and wholly contains the launch vehicle's normal trajectory plus five nautical miles in every radial direction. A launch operator must calculate an aircraft hazard area in the vicinity of the launch site as follows:

(1) Using the trajectory analysis performed as required by section A417.7 or section C417.3, select all data locations where the vehicle's nominal altitude, or positional component on the z-axis, is less than or equal to 100,000 ft MSL.

(2) From the data locations representing the dispersed trajectories calculated as required by section A417.7(d) or section C417.3(f) and modified to incorporate a 5 nm buffer as required by paragraph (c)(1) of this section for the data locations selected below a nominal altitude of 100,000 ft MSL as required by paragraph (c)(1) of this section, select the location that is the farthest left-hand crossrange, the location that is the farthest right-hand crossrange, the location that is the farthest downrange, and the location that is the farthest uprange.

(3) Construct a box in the xy plane that includes two lines parallel to the azimuth, two lines perpendicular to the azimuth, and contains the four locations selected as required by paragraph (c)(2) of this section.

(4) Extend the box constructed as required by paragraph (c)(3) of this section from the surface of the Earth to an infinite altitude.
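The box construction of paragraphs (c)(1) through (c)(4), worked through as an added example; this is not code from the rule or from the FAA. It assumes a flat local frame with x east and y north in nautical miles from the launch point, an azimuth measured clockwise from north, and constructed sample points that each carry the nominal altitude at their trajectory time.

```python
import math
from dataclasses import dataclass

ALTITUDE_CEILING_FT = 100_000.0  # (c)(1): keep locations at or below this altitude
BUFFER_NM = 5.0                  # (c): five nautical miles in every radial direction


def to_range_frame(x_east_nm, y_north_nm, azimuth_deg):
    """Rotate a local (east, north) point into (downrange, crossrange)."""
    az = math.radians(azimuth_deg)
    downrange = x_east_nm * math.sin(az) + y_north_nm * math.cos(az)
    crossrange = x_east_nm * math.cos(az) - y_north_nm * math.sin(az)  # + = right
    return downrange, crossrange


@dataclass(frozen=True)
class HazardBox:
    azimuth_deg: float
    dr_min: float  # farthest uprange edge
    dr_max: float  # farthest downrange edge
    cr_min: float  # farthest left-hand crossrange edge
    cr_max: float  # farthest right-hand crossrange edge

    def contains(self, x_east_nm, y_north_nm):
        """(c)(4): the box has no upper altitude limit, so only x and y matter."""
        dr, cr = to_range_frame(x_east_nm, y_north_nm, self.azimuth_deg)
        return self.dr_min <= dr <= self.dr_max and self.cr_min <= cr <= self.cr_max

    def corners(self):
        """Corner points back in the (east, north) frame, e.g. for a NOTAM request."""
        az = math.radians(self.azimuth_deg)
        pairs = [(self.dr_min, self.cr_min), (self.dr_min, self.cr_max),
                 (self.dr_max, self.cr_max), (self.dr_max, self.cr_min)]
        return [(dr * math.sin(az) + cr * math.cos(az),
                 dr * math.cos(az) - cr * math.sin(az)) for dr, cr in pairs]


def aircraft_hazard_box(samples, azimuth_deg):
    """samples: iterable of (x_east_nm, y_north_nm, nominal_altitude_ft)."""
    low = [(x, y) for x, y, alt in samples if alt <= ALTITUDE_CEILING_FT]  # (c)(1)
    if not low:
        raise ValueError("no trajectory data at or below 100,000 ft MSL")
    projected = [to_range_frame(x, y, azimuth_deg) for x, y in low]
    projected.append((0.0, 0.0))  # the area must encompass the launch point
    dr = [p[0] for p in projected]
    cr = [p[1] for p in projected]
    # (c)(2)-(c)(3): the four extreme locations fix the sides of the box. Padding
    # each side by 5 nm encloses a 5 nm circle around every selected point.
    return HazardBox(azimuth_deg,
                     min(dr) - BUFFER_NM, max(dr) + BUFFER_NM,
                     min(cr) - BUFFER_NM, max(cr) + BUFFER_NM)


# Constructed dispersed-trajectory samples for a launch on a 90 degree azimuth.
SAMPLES = [
    (0.5, 0.2, 1_000.0),
    (10.0, 1.5, 40_000.0),
    (25.0, -2.0, 90_000.0),
    (-0.3, -0.4, 500.0),
    (40.0, 3.0, 120_000.0),  # above 100,000 ft MSL, excluded by (c)(1)
]

if __name__ == "__main__":
    box = aircraft_hazard_box(SAMPLES, 90.0)
    print(box)
    print([(round(x, 2), round(y, 2)) for x, y in box.corners()])
```

Because the sides follow the launch azimuth rather than the map axes, a point can fall inside a north-aligned bounding rectangle of the same data and still be outside this box.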

(d) Methodology for computing an aircraft hazard area in the vicinity of each planned impact location. A launch operator must determine an aircraft hazard area in the vicinity of each planned impact location from the surface of the Earth to an altitude of 100,000 ft MSL that wholly contains the launch vehicle's calculated impact dispersion with a 5 nm buffer and the normal trajectory. A launch operator must compute an aircraft hazard area in the vicinity of each planned impact location as follows:

(1) The analysis must calculate a three-sigma dispersion ellipse by determining the three-sigma impact limit around a planned impact location.

(2) Taking the three-sigma dispersion ellipse calculated as required by paragraph (d)(1) of this section, plot a co-centric ellipse in the xy plane where the major and minor axes are 10 nm longer than the major and minor axes of the three-sigma dispersion ellipse.

(3) Extend the ellipse calculated as required by paragraph (d)(2) of this section from the surface to an infinite altitude.

(4) Using the trajectory that predicts the instantaneous impact locations required in section A417.7(g)(7)(xii) or section C417.3(d), find the location on the trajectory where the vehicle's nominal altitude is predicted to be 100,000 ft MSL.

(5) At the trajectory time where the altitude is represented as 100,000 ft MSL, select the corresponding points from the normal trajectory dispersion that are the farthest uprange, downrange, right crossrange, and left crossrange relative to the nominal trajectory.

(6) Construct a box in the xy plane that includes two lines parallel to the azimuth, two lines perpendicular to the azimuth, and contains the points selected as required by paragraph (d)(5) of this section and the nominal impact point.

(7) Extend the box constructed as required by paragraph (d)(6) of this section from the surface of the Earth to an infinite altitude.

(8) Construct a volume, the aircraft hazard area, that encompasses the volumes calculated as required by paragraphs (d)(3) and (d)(7) of this section.

B417.11 Ship hazard areas analysis.

(a) General. A flight hazard area analysis must establish ship hazard areas bound by the $1 \times 10^{-5}$ ship impact contour in the vicinity of the launch site and the vehicle's three-sigma dispersion limit plus a 5 nm buffer in the vicinity of a planned, downrange impact location.

(b) Ship hazard area analysis input. A launch operator must account for the following inputs to determine the ship hazard areas:

(1) The trajectory analysis performed as required by section A417.7 or section C417.3;

(2) For a launch vehicle flown with a flight safety system, the malfunction turn analysis required by section A417.9;

(3) The debris analysis required by section A417.11 or section C417.7 to define the impact locations of each class of debris established by the debris analysis;

(4) For a launch vehicle flown with a flight safety system, the time delay analysis required by section A417.21; and

(5) The debris risk analysis performed as required by section A417.25 or section C417.9.

(c) Methodology for computing ship hazard areas in the vicinity of the launch site. The analysis must establish the ship-hit contours as follows:

(1) A ship-hit contour must account for the size of the largest ship that could be located in the ship hazard area. The analysis must demonstrate that the ship size used represents the largest ship that could be present in the ship hazard area or, if the ship size is unknown, the analysis must use a ship size of 120,000 square feet.

(2) The analysis must first calculate the probability of impacting the reference ship selected as required by paragraph (c)(1) of this section at the location of interest. From the location of interest, move the ship away from the launch location along a single radial until the probability that debris is present at that location multiplied by the probability that a ship is at that location is less than or equal to $1 \times 10^{-5}$. When calculating the probability of impacting a ship, an impact occurs when:

(i) The analysis predicts that inert debris will directly impact the vessel with a mean expected kinetic energy at impact greater than or equal to 11 ft-lbs; or

(ii) The analysis predicts the peak incident overpressure at the reference vessel will be greater than or equal to 1.0 psi due to any explosive debris impact.

(3) The analysis must account for:

(i) The variance in winds;

(ii) The aerodynamic properties of the debris;

(iii) The variance in velocity of the debris;

(iv) Guidance and performance errors;

(v) The type of vehicle breakup, either by any flight termination system or by aerodynamic forces that may result in different debris characteristics; and

(vi) Debris impact dispersion resulting from vehicle breakup and the malfunction turn capabilities of the launch vehicle.

(4) Repeat the process outlined in paragraph (c)(2) of this section while varying the radial direction until enough locations are found where the reference ship's probability of impact is less than or equal to $1 \times 10^{-5}$ such that connecting each location will result in a smooth and continuous contour.

(d) Methodology for computing ship hazard areas in the vicinity of each planned water impact location. A launch operator must compute a ship hazard area in the vicinity of each planned impact location as required by the following:

(1) The analysis must calculate a three-sigma dispersion ellipse by determining the three-sigma impact limit around a planned impact location.

(2) Taking the three-sigma dispersion ellipse calculated as required by paragraph (d)(1) of this section, plot a co-centric ellipse in the xy plane where the major and minor axes are 10 nm longer than the major and minor axes of the three-sigma dispersion ellipse.

B417.13 Land hazard areas analysis.

(a) General. A flight hazard area analysis must establish land hazard areas in the vicinity of the launch site and land hazard areas in the vicinity of each land impact location to ensure that the probability of a member of the public being struck by debris satisfies the probability threshold of $1 \times 10^{-6}$ required by § 417.107(b) and to determine exclusion areas that may require entry control and surveillance prior to initiation of flight. The analysis must establish a land impact hazard area that accounts for the effects of impacting debris resulting from normal and malfunctioning launch vehicle flight, except for toxic effects, and accounts for potential impact locations of all debris fragments. The land hazard area must encompass all individual casualty contours and the near-launch-point blast hazard area calculated as required by paragraph (c) of this section. A launch operator may initiate flight only if no member of the public is present within the land hazard area.

(b) Land hazard areas analysis input. A land hazard analysis must account for the following inputs to determine the land hazard area:

(1) The trajectory analysis performed as required by section A417.7 or section C417.3;

(2) For a launch vehicle flown with a flight safety system, the malfunction turn analysis required by section A417.9;

(3) The debris analysis required by section A417.11 or section C417.7 to define the impact locations of each class of debris established by the debris analysis;

(4) For a launch vehicle flown with a flight safety system, the time delay analysis required by section A417.21; and

(5) The debris risk analysis performed as required by section A417.25 or section C417.9.

(c) Methodology for computing land hazard areas in the vicinity of the launch site and in the vicinity of each planned land impact location. The analysis must establish a land hazard area as follows:

(1) Each land hazard area must completely encompass all individual casualty contours that define where the risk to an individual would exceed the expected casualty ($E_c$) criteria of $1 \times 10^{-6}$ if one person were assumed to be in the open and inside the contour during launch vehicle flight. The analysis must produce an individual casualty contour as follows:

(i) The analysis must account for the location of a hypothetical person, and must vary the location of the person to determine when the risk would exceed the $E_c$ criteria of $1 \times 10^{-6}$. The analysis must count a person as a casualty when the person's location is subjected to any inert debris impact with a mean expected kinetic energy greater than or equal to 11 ft-lbs or a peak incident overpressure equal to or greater than 1.0 psi due to explosive debris impact. The analysis must determine the peak incident overpressure using the Kingery-Bulmash relationship, without regard to sheltering, reflections, or atmospheric effects.

(ii) The analysis must account for all person locations that are no more than 1000 feet apart in the downrange direction and no more than 1000 feet apart in the crossrange direction to produce an individual casualty contour. For each person location, the analysis must sum all the probabilities of casualty over all flight times for all debris groups.

(iii) An individual casualty contour must consist of curves that are smooth and continuous. To accomplish this, the analysis must vary the time interval between each trajectory time assessed so that each location of a debris impact point is less than one-half sigma of the downrange dispersion distance.

(2) The input for determining a land impact hazard area must account for the following in order to define the impact locations of each class of debris established by the debris analysis and the time delay analysis required by section A417.21 for a launch vehicle flown with a flight safety system:

(i) The results of the trajectory analysis required by section A417.7 or section C417.3;

(ii) The malfunction turn analysis required by section A417.9 for a launch vehicle flown with a flight safety system; and

(iii) The debris analysis required by section A417.11 or section C417.7.

(3) The analysis must account for the extent of the impact debris dispersions for each debris class produced by normal and malfunctioning launch vehicle flight at each trajectory time. The analysis must also account for how the vehicle breaks up, either by any flight termination system or by aerodynamic forces, if the different breakup may result in a different probability of existence for each debris class. A land impact hazard area must account for each impacting debris fragment classified as required by section A417.11(c) or section C417.7.

(4) For a launch vehicle flown with a flight safety system, the analysis must account for launch vehicle flight that exceeds a flight safety limit. The analysis must also account for trajectory conditions that maximize the mean debris impact distance during the flight safety system delay time determined as required by section A417.21 and account for a debris model that is representative of a flight termination or aerodynamic breakup.

(5) For each launch vehicle breakup event, the analysis must account for trajectory and breakup dispersions, variations in debris class characteristics, and debris dispersion due to any wind condition under which a launch would be attempted.

(6) The analysis must account for the probability of failure of each launch vehicle stage and the probability of existence of each debris class. The analysis must account for the probability of occurrence of each type of launch vehicle failure. The analysis must account for each vehicle failure probability that varies depending on the time of flight.

(7) In addition to failure debris, the analysis must account for nominal jettisoned body debris impacts and the corresponding debris impact dispersions. The analysis must use a probability of occurrence of 1.0 for the planned debris fragments produced by normal separation events during flight.

(d) Near-launch-point blast hazard area. A land hazard area analysis must define a blast overpressure hazard area as a circle extending from the launch point with a radius equal to the 1.0 psi overpressure distance produced by the equivalent TNT weight of the explosive capability of the vehicle. In addition, the analysis must establish a minimum near-launch point blast hazard area to provide protection from hazardous fragments potentially propelled by an explosion. The analysis must account for the maximum possible total solid and liquid propellant explosive potential of the launch vehicle and any payload. The analysis must define a blast overpressure hazard area using the following equations:

$R_{op} = 45 \cdot (NEW)^{1/3}$

Where:

$R_{op}$ is the over pressure distance in feet.

$NEW = W_E \cdot C$ (pounds).

$W_E$ is the weight of the explosive in pounds.

C is the TNT equivalency coefficient of the propellant being evaluated. A launch operator must identify the TNT equivalency of each propellant on its launch vehicle including any payload. TNT equivalency data for common liquid propellants is provided in table A417-1. Table A417-2 provides factors for converting gallons of specified liquid propellants to pounds.

(e) Other hazards. A flight hazard area analysis must identify any additional hazards, such as radioactive material, that may exist on the launch vehicle or payload. For each such hazard, the analysis must determine a hazard area that encompasses any debris impact point and its dispersion and includes an additional hazard radius that accounts for potential casualty due to the additional hazard. Analysis requirements for toxic release and far field blast overpressure are provided in sections A417.27 and A417.29, respectively.

(f) Land impact dispersion ellipses. A land impact hazard area must contain the land impact dispersion ellipse for each planned land impact. A launch operator must compute a land impact dispersion ellipse in the vicinity of each planned land impact location as follows:

(1) The analysis must calculate a one-sigma dispersion ellipse by determining the one-sigma impact limit around a planned impact location.

(2) Taking the one-sigma dispersion ellipse calculated as required by paragraph (f)(1) of this section, plot a co-centric ellipse in the xy plane where the major and minor axes are 10 nm longer than the major and minor axes of the one-sigma dispersion ellipse.

Appendix C of Part 417—Flight Safety Analysis Methodologies and Products for an Unguided Suborbital Launch Vehicle Flown With a Wind Weighting Safety System

C417.1 General.

(a) This appendix contains methodologies for performing the flight safety analysis required for the launch of an unguided suborbital launch vehicle flown with a wind weighting safety system, except for the hazard area analysis required by § 417.107, which is covered in appendix B of this part. This appendix includes methodologies for a trajectory analysis, wind weighting analysis, debris analysis, debris risk analysis, and a collision avoidance analysis.

(b) The requirements of this appendix apply to a launch operator and the launch operator's flight safety analysis unless the launch operator clearly and convincingly demonstrates that an alternative approach provides an equivalent level of safety.

(c) A launch operator must:

(1) Perform a flight safety analysis to determine the launch parameters and conditions under which an unguided suborbital launch vehicle may be flown using a wind weighting safety system as required by § 417.233.

(2) When conducting the flight safety analysis, comply with the safety criteria and operational requirements contained in § 417.125; and

(3) Conduct the flight safety analysis for an unguided suborbital launch vehicle using the methodologies of this appendix and appendix B of this part unless the launch operator demonstrates, in accordance with § 406.3(b), through the licensing process, that an alternate method provides an equivalent level of fidelity.

C417.3 Trajectory analysis.

(a) General. A launch operator must perform a trajectory analysis for the flight of an unguided suborbital launch vehicle to determine:

(1) The launch vehicle's nominal trajectory;

(2) Each nominal drag impact point; and

(3) Each potential three-sigma dispersion about each nominal drag impact point.

(b) Definitions. A launch operator must employ the following definitions when determining an unguided suborbital launch vehicle's trajectory and drag impact points:

(1) Drag impact point means the intersection of a predicted ballistic trajectory of an unguided suborbital launch vehicle stage or other impacting component with the Earth's surface. A drag impact point reflects the effects of atmospheric influences as a function of drag forces and mach number.

(2) Maximum range trajectory means an optimized trajectory, extended through fuel exhaustion of each stage, to achieve a maximum downrange drag impact point.

(3) Nominal trajectory means the trajectory that an unguided suborbital launch vehicle will fly if all rocket aerodynamic parameters are as expected without error, all rocket internal and external systems perform exactly as planned, and there are no external perturbing influences, such as winds, other than atmospheric drag and gravity.

(4) Normal flight means all possible trajectories of a properly performing unguided suborbital launch vehicle whose drag impact point location does not deviate from its nominal location more than three sigma in each of the uprange, downrange, left crossrange, or right crossrange directions.

(5) Performance error parameter means a quantifiable perturbing force that contributes to the dispersion of a drag impact point in the uprange, downrange, and cross-range directions of an unguided suborbital launch vehicle stage or other impacting launch vehicle component. Performance error parameters for the launch of an unguided suborbital launch vehicle reflect rocket performance variations and any external forces that can cause offsets from the nominal trajectory during normal flight. Performance error parameters include thrust, thrust misalignment, specific impulse, weight, variation in firing times of the stages, fuel flow rates, contributions from the wind weighting safety system employed, and winds.

(c) Input. A trajectory analysis requires the input necessary to produce a six-degree-of-freedom trajectory. A launch operator must use each of the following as inputs to the trajectory computations:

(1) Launcher data, as follows—

(i) Geodetic latitude and longitude;

(ii) Height above sea level;

(iii) All location errors; and

(iv) Launch azimuth and elevation.

(2) Reference ellipsoidal Earth model, as follows—

(i) Name of the Earth model employed;

(ii) Semi-major axis;

(iii) Semi-minor axis;

(iv) Eccentricity;

(v) Flattening parameter;

(vi) Gravitational parameter;

(vii) Rotation angular velocity;

(viii) Gravitational harmonic constants; and

(ix) Mass of the Earth.

(3) Vehicle characteristics for each stage. A launch operator must identify the following for each stage of an unguided suborbital launch vehicle's flight:

(i) Nozzle exit area of each stage.

(ii) Distance from the rocket nose-tip to the nozzle exit for each stage.

(iii) Reference drag area and reference diameter of the rocket including any payload for each stage of flight.

(iv) Thrust as a function of time.

(v) Propellant weight as a function of time.

(vi) Coefficient of drag as a function of mach number.

(vii) Distance from the rocket nose-tip to center of gravity as a function of time.

(viii) Yaw moment of inertia as a function of time.

(ix) Pitch moment of inertia as a function of time.

(x) Pitch damping coefficient as a function of mach number.

(xi) Aerodynamic damping coefficient as a function of mach number.

(xii) Normal force coefficient as a function of mach number.

(xiii) Distance from the rocket nose-tip to center of pressure as a function of mach number.

(xiv) Axial force coefficient as a function of mach number.

(xv) Roll rate as a function of time.

(xvi) Gross mass of each stage.

(xvii) Burnout mass of each stage.

(xviii) Vacuum thrust.

(xix) Vacuum specific impulse.

(xx) Stage dimensions.

(xxi) Weight of each spent stage.

(xxii) Payload mass properties.

(xxiii) Nominal launch elevation and azimuth.

(4) Launch events. Each stage ignition times, each stage burn time, and each stage separation time, referenced to ignition time of first stage.

(5) Atmosphere. Density as a function of altitude, pressure as a function of altitude, speed of sound as a function of altitude, temperature as a function of altitude.

(6) Wind errors. Error in measurement of wind direction as a function of altitude and wind magnitude as a function of altitude, wind forecast error, such as error due to time delay from wind measurement to launch.

(d) Methodology for determining the nominal trajectory and nominal drag impact points. A launch operator must employ the steps in paragraphs (d)(1)-(d)(3) of this section to determine the nominal trajectory and the nominal drag impact point locations for each impacting rocket stage and component:

(1) A launch operator must identify each performance error parameter associated with the unguided suborbital launch vehicle's design and operation and the value for each parameter that reflect nominal rocket performance. A launch operator must identify each performance error parameter's distribution to account for all launch vehicle performance variations and any external forces that can cause offsets from the nominal trajectory during normal flight. These performance error parameters include thrust misalignment, thrust variation, weight variation, fin misalignment, impulse variation, aerodynamic drag variation, staging timing variation, stage separation-force variation, drag error, uncompensated wind, launcher elevation angle error, launcher azimuth angle error, launcher tip-off, and launcher location error.

(2) A launch operator must perform a no-wind trajectory simulation using a six-degrees-of-freedom (6-DOF) trajectory simulation with all performance error parameters set to their nominal values to determine the impact point of each stage or component. The 6-DOF trajectory simulation must provide rocket position translation along three axes of an orthogonal Earth-centered coordinate system and rocket orientation in roll, pitch and yaw. The 6-DOF trajectory simulation must compute each translation and orientation in response to forces and moments internal and external to the rocket including all the effects of the input data required by paragraph (c) of this section. A launch operator may incorporate the following assumptions in a 6-DOF trajectory simulation:

(i) The airframe may be treated as a rigid body.

(ii) The airframe may have a plane of symmetry coinciding with the vertical plane of reference.

(iii) The vehicle may have aerodynamic symmetry in roll.

(iv) The airframe may have six degrees-of-freedom.

(v) The aerodynamic forces and moments may be functions of mach number and may be linear with small flow incidence angles of attack.

(3) A launch operator must tabulate the geodetic latitude and longitude of the launch vehicle's nominal drag impact point as a function of trajectory time and the final nominal drag impact point of each planned impacting stage or component.

(e) Methodology for determining maximum downrange drag impact points. A launch operator must compute the maximum possible downrange drag impact point for each launch vehicle stage and impacting component. A launch operator must use the nominal drag impact point methodology, as defined by paragraph (d) of this section, modified to optimize the unguided suborbital launch vehicle's performance and flight profile to create the conditions for a maximum downrange drag impact point, including fuel exhaustion for each stage and impacting component.

(f) Methodology for computing drag impact point dispersions. A launch operator must employ the steps in paragraphs (f)(1)-(f)(3) of this section when determining the dispersions in terms of drag impact point distance standard deviations in uprange, downrange, and crossrange direction from the nominal drag impact point location for each stage and impacting component:

(1) For each stage of flight, a launch operator must identify the plus and minus one-sigma values for each performance error parameter identified as required by paragraph (d)(1) of this section (i.e., nominal value plus one standard deviation and nominal value minus one standard deviation). A launch operator must determine the dispersion in downrange, uprange, and left and right crossrange for each impacting stage and component. A launch operator may either perform a Monte Carlo analysis that accounts for the distribution of each performance error parameter or determine the dispersion by a root-sum-square method under paragraph (f)(2) of this section.

(2) When using a root-sum-square method to determine dispersion, a launch operator must determine the deviations for a given stage by evaluating the deviations produced in that stage due to the performance errors in that stage and all preceding stages of the launch vehicle as illustrated in Table C417-1, and by computing the square root of the sum of the squares of each deviation caused by each performance error parameter's one sigma dispersion for each stage in each of the right crossrange, left crossrange, uprange and downrange directions. A launch operator must evaluate the performance errors for one stage at a time, with the performance of all subsequent stages assumed to be nominal. A launch operator's root-sum-square method must incorporate the following requirements:

(i) With the 6-DOF trajectory simulation used to determine nominal drag impact points as required by paragraph (d) of this section, perform a series of trajectory simulation runs for each stage and planned ejected debris, such as a fairing, payload, or other component, and, for each simulation, model only one performance error parameter set to either its plus or minus one-sigma value. For a given simulation run, set all other performance error parameters to their nominal values. Continue until achieving a trajectory simulation run for each plus one-sigma performance error parameter value and each minus one-sigma performance error parameter value for the stage or the planned ejected debris being evaluated. For each trajectory simulation run and for each impact being evaluated, tabulate the downrange, uprange, left crossrange, and right crossrange drag impact point distance deviations measured from the nominal drag impact point location for that stage or planned debris.

(ii) For uprange, downrange, right crossrange, and left crossrange, compute the square root of the sum of the squares of the distance deviations in each direction. The square root of the sum of the squares distance value for each direction represents the one-sigma drag impact point dispersion in that direction. For a multiple stage rocket, perform the first stage series of simulation runs with all subsequent stage performance error parameters set to their nominal value. Tabulate the uprange, downrange, right crossrange, and left crossrange distance deviations from the nominal impact for each subsequent drag impact point location caused by the first stage one-sigma performance error parameter. Use these deviations in determining the total drag impact point dispersions for the subsequent stage impacts as described in paragraph (f)(2)(iii) of this section.

(iii) For each subsequent stage impact of an unguided suborbital launch vehicle, determine the one-sigma impact dispersions by first determining the one-sigma distance deviations for that stage impact caused by each preceding stage as described in paragraph (f)(2)(ii) of this section. Then perform a series of simulation runs and tabulate the uprange, downrange, right crossrange, and left crossrange drag impact point distance deviations as described in paragraph (f)(2)(i) of this section for that stage's one-sigma performance error parameter values with the preceding stage performance parameters set to nominal values. For each uprange, downrange, right crossrange, and left crossrange direction, compute the square root of the sum of the squares of the stage impact distance deviations due to that stage's and each preceding stage's one-sigma performance error parameter values. This square root of the sum of the squares distance value for each direction represents the total one-sigma drag impact point dispersion in that direction for the nominal drag impact point location of that stage. Use these deviations when determining the total drag impact point dispersions for the subsequent stage impacts.

(3) A launch operator must determine a three-sigma dispersion area for each impacting stage or component as an ellipse that is centered at the nominal drag impact point location and has semi-major and semi-minor axes along the uprange, downrange, left crossrange, and right crossrange axes. The length of each axis must be three times as large as the total one-sigma drag impact point dispersions in each direction.
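The root-sum-square bookkeeping of paragraphs (f)(2) and (f)(3), shown as an added example that is not part of the rule. The run table is constructed sample data, the function names are hypothetical, and the signed along-track and cross-track offsets are an assumed way of recording which of the four directions a deviation falls in.

```python
import math
from collections import defaultdict

DIRECTIONS = ("downrange", "uprange", "right_crossrange", "left_crossrange")

# Constructed sample data (not from the rule). Each row is one 6-DOF run with a
# single performance error parameter at +1 or -1 sigma and all others nominal:
# (perturbed stage, parameter, sigma sign, impact evaluated,
#  along-track offset in km: + downrange / - uprange,
#  cross-track offset in km: + right / - left)
RUNS = [
    (1, "thrust",              +1, 1,  0.30,   0.00),
    (1, "thrust",              -1, 1, -0.40,   0.00),
    (1, "thrust_misalignment", +1, 1,  0.00,   1.20),
    (1, "thrust_misalignment", -1, 1,  0.00,  -1.20),
    # First-stage errors carried forward to the second-stage impact, with the
    # second stage flown nominally, per (f)(2)(ii).
    (1, "thrust",              +1, 2,  3.00,   0.00),
    (1, "thrust",              -1, 2, -4.00,   0.00),
    (1, "thrust_misalignment", +1, 2,  0.00,   5.00),
    (1, "thrust_misalignment", -1, 2,  0.00,  -5.00),
    # Second-stage errors with the first stage flown nominally, per (f)(2)(iii).
    (2, "thrust",              +1, 2,  4.00,   0.00),
    (2, "thrust",              -1, 2, -3.00,   0.00),
    (2, "thrust_misalignment", +1, 2,  0.00,  12.00),
    (2, "thrust_misalignment", -1, 2,  0.00, -12.00),
]


def one_sigma_dispersion(runs, impact_stage):
    """Total one-sigma dispersion per direction for one stage's impact.

    Sums the squared deviations caused by that stage's errors and by every
    preceding stage's errors, then takes the square root per direction.
    """
    squares = defaultdict(float)
    for stage, param, sign, impact, along, cross in runs:
        if impact != impact_stage:
            continue
        if sign not in (+1, -1):
            raise ValueError(f"{param}: run must be at +1 or -1 sigma")
        if stage > impact_stage:
            # A later stage's error cannot move an earlier stage's impact,
            # so such a row indicates a mislabelled run.
            raise ValueError(
                f"{param}: stage {stage} error listed for stage {impact} impact"
            )
        squares["downrange" if along >= 0 else "uprange"] += along ** 2
        squares["right_crossrange" if cross >= 0 else "left_crossrange"] += cross ** 2
    return {d: math.sqrt(squares[d]) for d in DIRECTIONS}


def three_sigma_axes(one_sigma):
    """Axis lengths of the (f)(3) dispersion area: three times one-sigma."""
    return {d: 3.0 * v for d, v in one_sigma.items()}


if __name__ == "__main__":
    for stage in (1, 2):
        sigma = one_sigma_dispersion(RUNS, stage)
        print(f"stage {stage} impact, one-sigma km:  ", sigma)
        print(f"stage {stage} impact, three-sigma km:", three_sigma_axes(sigma))
```
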

(g) Trajectory analysis products for a suborbital launch vehicle. A launch operator must file the following products of a trajectory analysis for an unguided suborbital launch vehicle with the FAA as required by § 417.203(e):

(1) A description of the process that the launch operator used for performing the trajectory analysis, including the number of simulation runs and the process for any Monte Carlo analysis performed.

(2) A description of all assumptions and procedures the launch operator used in deriving each of the performance error parameters and their standard deviations.

(3) Launch point origin data: name, geodetic latitude (+N), longitude (+E), geodetic height, and launch azimuth measured clockwise from true north.

(4) Name of reference ellipsoid Earth model used. If a launch operator employs a reference ellipsoid Earth model other than WGS-84, Department of Defense World Geodetic System, Military Standard 2401 (Jan. 11, 1994), the launch operator must identify the semi-major axis, semi-minor axis, eccentricity, flattening parameter, gravitational parameter, rotation angular velocity, gravitational harmonic constants (e.g., J2, J3, J4), and mass of Earth.

(5) If a launch operator converts latitude and longitude coordinates between different ellipsoidal Earth models to complete a trajectory analysis, the launch operator must file the equations for geodetic datum conversions and a sample calculation for converting the geodetic latitude and longitude coordinates between the models employed.

(6) A launch operator must file tabular data that lists each performance error parameter used in the trajectory computations and each performance error parameter's plus and minus one-sigma values. If the launch operator employs a Monte Carlo analysis method for determining the dispersions about the nominal drag impact point, the tabular data must list the total one-sigma drag impact point distance deviations in each direction for each impacting stage and component. If the launch operator employs the square root of the sum of the squares method of paragraph (f)(2) of this section, the tabular data must include the one-sigma drag impact point distance deviations in each direction due to each one-sigma performance error parameter value for each impacting stage and component.

(7) A launch operator must file a graphical depiction showing geographical landmasses and the nominal and maximum range trajectories from liftoff until impact of the final stage. The graphical depiction must plot trajectory points in time intervals of no greater than one second during thrusting flight and for times corresponding to ignition, thrust termination or burnout, and separation of each stage or impacting body. If there are less than four seconds between stage separation or other jettison events, a launch operator must reduce the time intervals between plotted trajectory points to 0.2 seconds or less. The graphical depiction must show total launch vehicle velocity as a function of time, present-position ground-range as a function of time, altitude above the reference ellipsoid as a function of time, and the static stability margin as a function of time.

(8) A launch operator must file tabular data that describes the nominal and maximum range trajectories from liftoff until impact of the final stage. The tabular data must include the time after liftoff, altitude above the reference ellipsoid, present position ground range, and total launch vehicle velocity for ignition, burnout, separation, booster apogee, and booster impact of each stage or impacting body. The launch operator must file the tabular data for the same time intervals required by paragraph (g)(7) of this section.

(9) A launch operator must file a graphical depiction showing all geographical landmasses and the unguided suborbital launch vehicle's drag impact point for the nominal trajectory, the maximum impact range boundary, and the three-sigma drag impact point dispersion area for each impacting stage or component. The graphical depiction must show the following in relationship to each other: The nominal trajectory, a circle whose radius represents the range to the farthest downrange impact point that results from the maximum range trajectory, and the three-sigma drag impact point dispersions for each impacting stage and component.

(10) A launch operator must file tabular data that describes the nominal trajectory, the maximum impact range boundary, and each three-sigma drag impact point dispersion area. The tabular data must include the geodetic latitude (positive north of the equator) and longitude (positive east of the Greenwich Meridian) of each point describing the nominal drag impact point positions, the maximum range circle, and each three-sigma impact dispersion area boundary. Each three-sigma dispersion area must be described by no less than 20 coordinate pairs. All coordinates must be rounded to the fourth decimal point.

C417.5 Wind weighting analysis.

(a) General. As part of a wind weighting safety system, a launch operator must perform a wind weighting analysis to determine launcher azimuth and elevation settings that correct for the windcocking and wind-drift effects on an unguided suborbital launch vehicle due to forecasted winds in the airspace region of flight. A launch operator's wind weighting safety system and its operation must comply with § 417.125(c). The launch azimuth and elevation settings resulting from a launch operator's wind weighting analysis must produce a trajectory, under actual wind conditions, that results in a final stage drag impact point that is the same as the final stage's nominal drag impact point determined according to section C417.3(d).

(b) Wind weighting analysis constraints.

(1) A launch operator's wind weighting analysis must:

(i) Account for the winds in the airspace region through which the rocket will fly. A launch operator's wind weighting safety system must include an operational method of determining the wind direction and wind magnitude at all altitudes that the rocket will reach up to the maximum altitude defined by dispersion analysis as required by section C417.3.

(ii) Account for all errors due to the methods used to measure the winds in the airspace region of the launch, delay associated with wind measurement, and the method used to model the effects of winds. The resulting sum of these error components must be no greater than those used as the wind error dispersion parameter in the launch vehicle trajectory analysis performed as required by section C417.3.

(iii) Account for the dispersion of all impacting debris, including any uncorrected wind error accounted for in the trajectory analysis performed as required by section C417.3.

(iv) Establish flight commit criteria that are a function of the analysis and operational methods employed and reflect the maximum wind velocities and wind variability for which the results of the wind weighting analysis are valid.

(v) Account for the wind effects during each thrusting phase of an unguided suborbital launch vehicle's flight and each ballistic phase of each rocket stage and component until burnout of the last stage.

(vi) Determine the impact point location for any parachute recovery of a stage or component or the launch operator must perform a wind drift analysis to determine the parachute impact point location.

(2) A launch operator must perform a wind weighting analysis using a six-degrees-of-freedom (6-DOF) trajectory simulation that targets an impact point using an iterative process. The 6-DOF simulation must account for launch day wind direction and wind magnitude as a function of altitude.

(3) A launch operator must perform a wind weighting analysis using a computer program or other method of editing wind data, recording the time the data was obtained, and recording the balloon number or identification of any other measurement device used for each wind altitude layer.

(c) Methodology for performing a wind weighting analysis. A launch operator's method for performing a wind weighting analysis on the day of flight must account for the following:

(1) A launch operator must measure the winds on the day of flight to determine wind velocity and direction. A launch operator's process for measuring winds must provide wind data that is consistent with any assumptions made in the launch operator's trajectory and drag impact point dispersion analysis, as required by section C417.3, regarding the actual wind data available on the day of flight. Wind measurements must be made at altitude increments such that the maximum correction between any two measurements does not exceed 5%. Winds must be measured from the ground level at the launch point to a maximum altitude that is consistent with the launch operator's drag impact point dispersion analysis. The maximum wind measurement altitude must be that necessary to account for 99% of the wind effect on the impact dispersion point. A launch operator's wind measuring process must employ the use of balloons and radar tracking or balloons fitted with a Global Positioning System transceiver, and must account for the following:

(i) Measure winds from ground level to an altitude of at least that necessary to account for 99% of the wind effect on the impact dispersion point within six hours before flight and after any weather front passes the launch site before liftoff. Repeat a wind measurement up to the maximum altitude whenever a wind measurement, for any given altitude, from a later balloon release is not consistent with a wind measurement, for the same altitude, from an earlier balloon release.

(ii) Measure winds from ground level to an altitude of at least that necessary to account for 95% of the wind effect on the impact dispersion point within four hours before flight and after any weather front passes the launch site before liftoff. Repeat a wind measurement to the 95% wind effect altitude whenever a wind measurement, for any given altitude, from a later lower altitude balloon release is not consistent with the wind measurement, for the same altitude, from the 95% wind effect altitude balloon release.

(iii) Measure winds from ground level to an altitude of no less than that necessary to account for 80% of the wind effect on the impact dispersion point twice within 30 minutes of liftoff. Use the first measurement to set launcher azimuth and elevation, and the second measurement to verify the first measurement data.

(2) A launch operator must perform runs of the 6-DOF trajectory simulation using the flight day measured winds as input and targeting for the nominal final stage drag impact point. In an iterative process, vary the launcher elevation angle and azimuth angle settings for each simulation run until the nominal final stage impact point is achieved. The launch operator must use the resulting launcher elevation angle and azimuth angle settings to correct for the flight day winds. The launch operator must not initiate flight unless the launcher elevation angle and azimuth angle settings after wind weighting are in accordance with the following:

(i) The launcher elevation angle setting resulting from the wind weighting analysis must not exceed ± 5° from the nominal launcher elevation angle setting and must not exceed a total of 86° for a proven launch vehicle, and 84° for an unproven launch vehicle. A launch operator's nominal launcher elevation angle setting must be as required by § 417.125(c)(3).

(ii) The launcher azimuth angle setting resulting from the wind weighting analysis must not exceed +30° from the nominal launcher azimuth angle setting unless the launch operator demonstrates clearly and convincingly, through the licensing process, that its unguided suborbital launch vehicle has a low sensitivity to high wind speeds, and the launch operator's wind weighting analysis and wind measuring process provide an equivalent level of safety.

(3) Using the trajectory produced in paragraph (c)(2) of this section, for each intermediate stage and planned ejected component, a launch operator must compute the impact point that results from wind drift by performing a run of the 6-DOF trajectory simulation with the launcher angles determined in paragraph (c)(2) of this section and the flight day winds from liftoff until the burnout time or ejection time of the stage or ejected component. The resulting impact point(s) must be accounted for when performing flight day ship-hit operations defined in section B417.11(c).

(4) If a parachute is used for any stage or component, a launch operator must determine the wind drifted impact point of the stage or component using a trajectory simulation that incorporates modeling for the change in aerodynamics at parachute ejection. Perform this simulation run in addition to any simulation of spent stages without parachutes.

(5) A launch operator must verify that the launcher elevation angle and azimuth angle settings at the time of liftoff are the same as required by the wind weighting analysis.

(6) A launch operator must monitor and verify that any wind variations and maximum wind limits at the time of liftoff are within the flight commit criteria established according to § 417.113(c).

(7) A launch operator must generate output data from its wind weighting analysis for each impacting stage or component in printed, plotted, or computer medium format. This data must include:

(i) Launch day wind measurement data, including magnitude and direction.

(ii) The results of each computer run made using the launch day wind measurement data, including but not limited to, launcher settings, and impact locations for each stage or component.

(iii) Final launcher settings recorded.

(d) Wind weighting analysis products. The products of a launch operator's wind weighting analysis filed with the FAA as required by § 417.203(e) must include the following:

(1) A launch operator must file a description of its wind weighting analysis methods, including its method and schedule of determining wind speed and wind direction for each altitude layer.

(2) A launch operator must file a description of its wind weighting safety system and identify all equipment used to perform the wind weighting analysis, such as any wind towers, balloons, or Global Positioning System wind measurement system employed and the type of trajectory simulation employed.

(3) A launch operator must file a sample wind weighting analysis using actual or statistical winds for the launch area and provide samples of the output required by paragraph (c)(7) of this section.

C417.7 Debris analysis.

(a) General. A flight safety analysis must include a debris analysis that satisfies the requirements of § 417.211. This section applies to the debris data required by § 417.211 and the debris analysis products that a launch operator must file with the FAA as required by § 417.203(e).

(b) Debris analysis constraints. A debris analysis must produce the debris model described in paragraph (c) of this section. The analysis must account for all launch vehicle debris fragments, individually or in groupings of fragments called classes. The characteristics of each debris fragment represented by a class must be similar enough to the characteristics of all the other debris fragments represented by that class that all the debris fragments of the class can be described by a single set of characteristics. Paragraph (c)(10) of this section applies when establishing a debris class. A debris model must describe the physical, aerodynamic, and harmful characteristics of each debris fragment either individually or as a member of a class. A debris model must consist of lists of individual debris or debris classes for each cause of breakup and any planned jettison of debris, launch vehicle components, or payload. A debris analysis must account for:

(1) Debris due to any malfunction where forces on the launch vehicle may exceed the launch vehicle's structural integrity limits.

(2) The immediate post-breakup or jettison environment of the launch vehicle debris, and any change in debris characteristics over time from launch vehicle breakup or jettison until debris impact.

(3) The impact overpressure, fragmentation, and secondary debris effects of any confined or unconfined solid propellant chunks and fueled components containing either liquid or solid propellants that could survive to impact, as a function of vehicle malfunction time.

(4) The effects of impact of the intact vehicle as a function of failure time. The intact impact debris analysis must identify the trinitrotoluene (TNT) yield of impact explosions, and the numbers of fragments projected from all such explosions, including non-launch vehicle ejecta and the blast overpressure radius. The analysis must use a model for TNT yield of impact explosion that accounts for the propellant weight at impact, the impact speed, the orientation of the propellant, and the impacted surface material.

(c) Debris model. A debris analysis must produce a model of the debris resulting from planned jettison and from unplanned breakup of a launch vehicle for use as input to other analyses, such as establishing hazard areas and performing debris risk and toxic analyses. A launch operator's debris model must satisfy the following:

(1) Debris fragments. A debris model must provide the debris fragment data required by this section for the launch vehicle flight from the planned ignition time until thrust termination of the last thrusting stage. A debris model must provide debris fragment data for the number of time periods sufficient to meet the requirements for smooth and continuous contours used to define hazard areas as required by appendix B of this part.

(2) Inert fragments. A debris model must identify all inert fragments that are not volatile and that do not burn or explode under normal and malfunction conditions. A debris model must identify all inert fragments for each breakup time during flight corresponding to a critical event when the fragment catalog is significantly changed by the event. Critical events include staging, payload fairing jettison, and other normal hardware jettison activities.

(3) Explosive and non-explosive propellant fragments. A debris model must identify all propellant fragments that are explosive or non-explosive upon impact. The debris model must describe each propellant fragment as a function of time, from the time of breakup through ballistic free-fall to impact. The debris model must describe the characteristics of each fragment, including its origin on the launch vehicle, representative dimensions and weight at the time of breakup and at the time of impact. For any fragment identified as an un-contained or contained propellant fragment, whether explosive or non-explosive, the debris model must identify whether or not it burns during free fall, and provide the consumption rate during free fall. The debris model must identify:

(i) Solid propellant that is exposed directly to the atmosphere and that burns but does not explode upon impact as “un-contained non-explosive solid propellant.”

(ii) Solid or liquid propellant that is enclosed in a container, such as a motor case or pressure vessel, and that burns but does not explode upon impact as “contained non-explosive propellant.”

(iii) Solid or liquid propellant that is enclosed in a container, such as a motor case or pressure vessel, and that explodes upon impact as “contained explosive propellant fragment.”

(iv) Solid propellant that is exposed directly to the atmosphere and that explodes upon impact as “un-contained explosive solid propellant fragment.”

(4) Other non-inert debris fragments. In addition to the explosive and flammable fragments identified under paragraph (c)(3) of this section, a debris model must identify any other non-inert debris fragments, such as toxic or radioactive fragments, that present any other hazards to the public.

(5) Fragment weight. At each modeled breakup time, the individual fragment weights must approximately add up to the sum total weight of inert material in the vehicle and the weight of contained liquid propellants and solid propellants that are not consumed in the initial breakup or conflagration.

(6) Fragment imparted velocity. A debris model must identify the maximum velocity imparted to each fragment due to potential explosion or pressure rupture. When accounting for imparted velocity, a debris model must:

(i) Use a Maxwellian distribution with the specified maximum value equal to the 97th percentile; or

(ii) Identify the distribution, and state whether or not the specified maximum value is a fixed value with no uncertainty.

(7) Fragment projected area. A debris model must include each of the axial, transverse, and mean tumbling areas of each fragment. If the fragment may stabilize under normal or malfunction conditions, the debris model must also provide the projected area normal to the drag force.

(8) Fragment ballistic coefficient. A debris model must include the axial, transverse, and tumble orientation ballistic coefficient for each fragment's projected area as required by paragraph (c)(7) of this section.

(9) Debris fragment count. A debris model must include the total number of each type of fragment required by paragraphs (c)(2), (c)(3), and (c)(4) of this section and created by a malfunction.

(10) Fragment classes. A debris model must categorize malfunction debris fragments into classes where the characteristics of the mean fragment in each class conservatively represent every fragment in the class. The model must define fragment classes for fragments whose characteristics are similar enough to be described and treated by a single average set of characteristics. A debris class must categorize debris by each of the following characteristics, and may include any other useful characteristics:

(i) The type of fragment, defined by paragraphs (c)(2), (c)(3), and (c)(4) of this section. All fragments within a class must be the same type, such as inert or explosive.

(ii) Debris subsonic ballistic coefficient (βsub). The difference between the smallest log10(βsub) value and the largest log10(βsub) value in a class must not exceed 0.5, except for fragments with βsub less than or equal to three. Fragments with βsub less than or equal to three may be grouped within a class.

(iii) Breakup-imparted velocity (ΔV). A debris model must categorize fragments as a function of the range of ΔV for the fragments within a class and the class's median subsonic ballistic coefficient. For each class, the debris model must keep the ratio of the maximum breakup-imparted velocity (ΔVmax) to minimum breakup-imparted velocity (ΔVmin) within the following bound:

Where:

β′sub is the median subsonic ballistic coefficient for the fragments in a class.

(d) Debris analysis products. The products of a debris analysis that a launch operator must file with the FAA as required by § 417.203(e) must include:

(1) Debris model. The launch operator's debris model that satisfies the requirements of this section.

(2) Fragment description. A description of the fragments contained in the launch operator's debris model. The description must identify the fragment as a launch vehicle part or component, describe its shape, representative dimensions, and may include drawings of the fragment.

(3) Intact impact TNT yield. For an intact impact of a launch vehicle, for each failure time, a launch operator must identify the TNT yield of each impact explosion and blast overpressure hazard radius.

(4) Fragment class data. The class name, the range of values for each parameter used to categorize fragments within a fragment class, and the number of fragments in any fragment class established as required by paragraph (c)(10) of this section.

(5) Ballistic coefficient. The mean ballistic coefficient (β) and plus and minus three-sigma values of the β for each fragment class. A launch operator must provide graphs of the coefficient of drag (Cd) as a function of Mach number for the nominal and three-sigma β variations for each fragment shape. The launch operator must label each graph with the shape represented by the curve and reference area used to develop the curve. A launch operator must provide a Cd vs. Mach curve for any axial, transverse, and tumble orientations for any fragment that will not stabilize during free-fall conditions. For any fragment that may stabilize during free-fall, a launch operator must provide Cd vs. Mach curves for the stability angle of attack. If the angle of attack where the fragment stabilizes is other than zero degrees, a launch operator must provide both the coefficient of lift (CL) vs. Mach number and the Cd vs. Mach number curves. The launch operator must provide the equations for each Cd vs. Mach curve.

(6) Pre-flight propellant weight. The initial preflight weight of solid and liquid propellant for each launch vehicle component that contains solid or liquid propellant.

(7) Normal propellant consumption. The nominal and plus and minus three-sigma solid and liquid propellant consumption rate, and pre-malfunction consumption rate for each component that contains solid or liquid propellant.

(8) Fragment weight. The mean and plus and minus three-sigma weight of each fragment or fragment class.

(9) Projected area. The mean and plus and minus three-sigma axial, transverse, and tumbling areas for each fragment or fragment class. This information is not required for those fragment classes classified as burning propellant classes under section A417.25(b)(8).

(10) Imparted velocities. The maximum incremental velocity imparted to each fragment class created by explosive or overpressure loads at breakup. The launch operator must identify the velocity distribution as Maxwellian or must define the distribution, including whether or not the specified maximum value is a fixed value with no uncertainty.

(11) Fragment type. The fragment type for each fragment established as required by paragraphs (c)(2), (c)(3), and (c)(4) of this section.

(12) Origin. The part of the launch vehicle from which each fragment originated.

(13) Burning propellant classes. The propellant consumption rate for those fragments that burn during free-fall.

(14) Contained propellant fragments, explosive or non-explosive. For contained propellant fragments, whether explosive or non-explosive, a launch operator must provide the initial weight of contained propellant and the consumption rate during free-fall. The initial weight of the propellant in a contained propellant fragment is the weight of the propellant before any of the propellant is consumed by normal vehicle operation or failure of the launch vehicle.

(15) Solid propellant fragment snuff-out pressure. The ambient pressure and the pressure at the surface of a solid propellant fragment, in pounds per square inch, required to sustain a solid propellant fragment's combustion during free-fall.

(16) Other non-inert debris fragments. For each non-inert debris fragment identified as required by paragraph (c)(4) of this section, a launch operator must describe the diffusion, dispersion, deposition, radiation, and other hazard exposure characteristics used to determine the effective casualty area required by paragraph (c)(9) of this section.

(17) Residual thrust dispersion. For each thrusting or non-thrusting stage having residual thrust capability following a launch vehicle malfunction, a launch operator must provide either the total residual impulse imparted or the full-residual thrust in foot-pounds as a function of breakup time. For any stage not capable of thrust after a launch vehicle malfunction, a launch operator must provide the conditions under which the stage is no longer capable of thrust. For each stage that can be ignited as a result of a launch vehicle malfunction on a lower stage, a launch operator must identify the effects and duration of the potential thrust, and the maximum deviation of the instantaneous impact point which can be brought about by the thrust.

C417.9 Debris risk.

(a) General. A launch operator must perform a debris risk analysis that satisfies the requirements of § 417.225. This section applies to the computation of the average number of casualties (Ec) to the collective members of the public exposed to inert and explosive debris hazards from the proposed flight of an unguided suborbital launch vehicle as required by § 417.225 and to the analysis products that the launch operator must file with the FAA as required by § 417.203(e).

(b) Debris risk analysis constraints. The following constraints apply to debris risk:

(1) A debris risk analysis must use valid risk analysis models that compute Ec as the summation over all trajectory time intervals from lift-off through impact of the products of the probability of each possible event and the casualty consequences due to debris impacts for each possible event.

(2) A debris risk analysis must account for the following populations:

(i) The overflight of populations located inside any flight hazard area.

(ii) All populations located within five-sigma left and right crossrange of a nominal trajectory instantaneous impact point ground trace and within five-sigma of each planned nominal debris impact.

(3) A debris risk analysis must account for both inert and explosive debris hazards produced from any impacting debris caused by normal and malfunctioning launch vehicle flight. The analysis must account for the debris classes determined by the debris analysis required by section A417.11. A debris risk analysis must account for any inert debris impact with mean expected kinetic energy at impact greater than or equal to 11 ft-lbs and peak incident overpressure of greater than or equal to 1.0 psi due to any explosive debris impact. The analysis must account for all debris hazards as a function of flight time.

(4) A debris risk analysis must account for debris impact points and dispersion for each class of debris in accordance with the following:

(i) A debris risk analysis must account for drag corrected impact points and dispersions for each class of impacting debris resulting from normal and malfunctioning launch vehicle flight as a function of trajectory time from lift-off through final impact.

(ii) The dispersion for each debris class must account for the position and velocity state vector dispersions at breakup, the variance produced by breakup imparted velocities, the effects of winds on both the ascent trajectory state vector at breakup and the descending debris piece impact location, the variance produced by aerodynamic properties for each debris class, and any other dispersion variances.

(iii) A debris risk analysis must account for the survivability of debris fragments that are subject to reentry aerodynamic forces or heating. A debris class may be eliminated from the debris risk analysis if the launch operator demonstrates that the debris will not survive to impact.

(5) A debris risk analysis must account for launch vehicle failure probability. The following constraints apply:

(i) For flight safety analysis purposes, a failure occurs when a vehicle does not complete any phase of normal flight or exhibits the potential for the stage or its debris to impact the Earth or reenter the atmosphere during the mission or any future mission of similar vehicle capability. Also, either a launch incident or launch accident constitutes a failure.

(ii) For a launch vehicle with fewer than 2 flights completed, the analysis must use a reference value for the launch vehicle failure probability estimate equal to the upper limit of the 60% two-sided confidence limits of the binomial distribution for outcomes of all previous launches of vehicles developed and launched in similar circumstances. The FAA may adjust the failure probability estimate to account for the level of experience demonstrated by the launch operator and other factors that affect the probability of failure. The FAA may adjust the failure probability estimate for the second launch based on evidence obtained from the first flight of the vehicle.

(iii) For a launch vehicle with at least 2 flights completed, the analysis must use the reference value for the launch vehicle failure probability of Table C417-2 based on the outcomes of all previous launches of the vehicle. The FAA may adjust the failure probability estimate to account for evidence obtained from the flight history of the vehicle. Failure probability estimate adjustments to the reference value may account for the nature of launch outcomes in the flight history of the vehicle, corrective actions taken in response to a failure of the vehicle, or other vehicle modifications that may affect reliability. The FAA may adjust the failure probability estimate to account for the demonstrated quality of the engineering approach to launch vehicle processing. The analysis must use a final failure estimate within the confidence limits of Table C417-2.

(A) Values listed on the far left of Table C417-2 apply when no launch failures are experienced. Values on the far right apply when only launch failures are experienced. Values in between apply for flight histories that include both failures and successes.

(B) Reference values in Table C417-2 are shown in bold. The reference values are the median values between 60% two-sided confidence limits of the binomial distribution. For the special cases of zero or N failures in N launch attempts, the reference values may also be recognized as the median value between the 80% one-sided confidence limit of the binomial distribution and zero or one, respectively.

(C) Upper and lower confidence bounds in Table C417-2 are shown directly above and below each reference value. These confidence bounds are based on 60% two-sided confidence limits of the binomial distribution. For the special cases of zero or N failures in N launch attempts, the upper and lower confidence bounds are based on the 80% one-sided confidence limit, respectively.

(6) A debris risk analysis must account for the dwell time of the instantaneous impact point ground trace over each populated or protected area being evaluated.

(7) A debris risk analysis must account for the three-sigma instantaneous impact point trajectory variations in left-crossrange, right-crossrange, uprange, and downrange as a function of trajectory time, due to launch vehicle performance variations as determined by the trajectory analysis performed as required by section C417.3.

(8) A debris risk analysis must account for the effective casualty area as a function of launch vehicle flight time for all impacting debris generated from a catastrophic launch vehicle malfunction event or a planned impact event. The effective casualty area must:

(i) Account for both payload and vehicle systems and subsystems debris;

(ii) Account for all debris fragments determined as part of a launch operator's debris analysis as required by section A417.11;

(iii) For each explosive debris fragment, account for a 1.0 psi blast overpressure radius and the projected debris effects for all potentially explosive debris; and

(iv) For each inert debris fragment, account for bounce, skip, slide, and splatter effects; or equal seven times the maximum projected area of the fragment.

(9) A debris risk analysis must account for current population density data obtained from a current population database for the region being evaluated or by estimating the current population using exponential population growth rate equations applied to the most current historical data available. The population model must define population centers that are similar enough to be described and treated as a single average set of characteristics without degrading the accuracy of the debris risk estimate.

(c) Debris risk analysis products. The products of a debris risk analysis that a launch operator must file with the FAA must include:

(1) A debris risk analysis report that provides the analysis input data, probabilistic risk determination methods, sample computations, and text or graphical charts that characterize the public risk to geographical areas for each launch.

(2) Geographic data showing:

(i) The launch vehicle nominal, five-sigma left-crossrange and five-sigma right-crossrange instantaneous impact point ground traces;

(ii) All exclusion zones relative to the instantaneous impact point ground traces; and

(iii) All populated areas included in the debris risk analysis.

(3) A discussion of each launch vehicle failure scenario accounted for in the analysis and the probability of occurrence, which may vary with flight time, for each failure scenario. This information must include failure scenarios where a launch vehicle:

(i) Flies within normal limits until some malfunction causes spontaneous breakup; and

(ii) Experiences malfunction turns.

(4) A population model applicable to the launch overflight regions that contains the following: Region identification, location of the center of each population center by geodetic latitude and longitude, total area, number of persons in each population center, and a description of the shelter characteristics within the population center.

(5) A description of the launch vehicle, including general information concerning the nature and purpose of the launch and an overview of the launch vehicle, including a scaled diagram of the general arrangement and dimensions of the vehicle. A launch operator's debris risk analysis products may reference other documentation filed with the FAA containing this information. The description must include:

(i) Weights and dimensions of each stage.

(ii) Weights and dimensions of any booster motors attached.

(iii) The types of fuel used in each stage and booster.

(iv) Weights and dimensions of all interstage adapters and skirts.

(v) Payload dimensions, materials, construction, and any payload fuel; payload fairing construction, materials, and dimensions; and any non-inert components or materials that add to the effective casualty area of the debris, such as radioactive or toxic materials or high-pressure vessels.

(6) A typical sequence of events showing times of ignition, cutoff, burnout, and jettison of each stage, firing of any ullage rockets, and starting and ending times of coast periods and control modes.

(7) The following information for each launch vehicle motor:

(i) Propellant type and composition;

(ii) Vacuum thrust profile;

(iii) Propellant weight and total motor weight as a function of time;

(iv) A description of each nozzle and steering mechanism;

(v) For solid rocket motors, internal pressure and average propellant thickness, or borehole radius, as a function of time;

(vi) Burn rate; and

(vii) Nozzle exit and entrance areas.

(8) The launch vehicle's launch and failure history, including a summary of past vehicle performance. For a new vehicle with little or no flight history, a launch operator must provide all known data on similar vehicles that include:

(i) Identification of the launches that have occurred;

(ii) Launch date, location, and direction of each launch;

(iii) The number of launches that performed normally;

(iv) Behavior and impact location of each abnormal experience;

(v) The time, altitude, and nature of each malfunction; and

(vi) Descriptions of corrective actions taken, including changes in vehicle design, flight termination, and guidance and control hardware and software.

(9) The values of probability of impact (PI) and expected casualty (Ec) for each populated area.

C417.11 Collision avoidance.

(a) General. A flight safety analysis must include a collision avoidance analysis that satisfies the requirements of § 417.231. This section applies to a launch operator obtaining a collision avoidance assessment from United States Strategic Command as required by § 417.231 and to the analysis products that the launch operator must file with the FAA as required by § 417.203(e). United States Strategic Command refers to a collision avoidance analysis for a space launch as a conjunction on launch assessment.

(b) Analysis not required. A collision avoidance analysis is not required if the maximum altitude attainable by the launch operator's unguided suborbital launch vehicle is less than the altitude of the lowest manned or mannable orbiting object. The maximum altitude attainable means an optimized trajectory, assuming 3-sigma maximum performance, extended through fuel exhaustion of each stage, to achieve a maximum altitude.

(c) Analysis constraints. A launch operator must satisfy the following when obtaining and implementing the results of a collision avoidance analysis:

(1) A launch operator must provide United States Strategic Command with the launch window and trajectory data needed to perform a collision avoidance analysis for a launch as required by paragraph (d) of this section, at least 15 days before the first attempt at flight. The FAA will identify a launch operator to United States Strategic Command as part of issuing a license and provide a launch operator with current United States Strategic Command contact information.

(2) A launch operator must obtain a collision avoidance analysis performed by United States Strategic Command 6 hours before the beginning of a launch window.

(3) A launch operator may use a collision avoidance analysis for 12 hours from the time that United States Strategic Command determines the state vectors of the manned or mannable orbiting objects. If a launch operator needs an updated collision avoidance analysis due to a launch delay, the launch operator must file the request with United States Strategic Command at least 12 hours prior to the beginning of the new launch window.

(4) For every 90 minutes, or portion of 90 minutes, that pass between the time United States Strategic Command last determined the state vectors of the orbiting objects, a launch operator must expand each wait in a launch window by subtracting 15 seconds from the start of the wait in the launch window and adding 15 seconds to the end of the wait in the launch window. A launch operator must incorporate all the resulting waits in the launch window into its flight commit criteria established as required by § 417.113.

(d) Information required. A launch operator must prepare a collision avoidance analysis worksheet for each launch using a standardized format that contains the input data required by this paragraph. A launch operator must file the input data with United States Strategic Command for the purposes of completing a collision avoidance analysis.

(1) Launch information. A launch operator must file the following launch information:

(i) Mission name. A mnemonic given to the launch vehicle/payload combination identifying the launch mission from all others.

(ii) Segment number. A segment is defined as a launch vehicle stage or payload after the thrusting portion of its flight has ended. This includes the jettison or deployment of any stage or payload. A launch operator must provide a separate worksheet for each segment. For each segment, a launch operator must determine the “vector at injection” as defined by paragraph (d)(5) of this section. The data must present each segment number as a sequence number relative to the total number of segments for a launch, such as “1 of 5.”

(iii) Launch window. The launch window opening and closing times in Greenwich Mean Time (referred to as ZULU time) and the Julian dates for each scheduled launch attempt.

(2) Point of contact. The person or office within a launch operator's organization that collects, analyzes, and distributes collision avoidance analysis results.

(3) Collision avoidance analysis results transmission medium. A launch operator must identify the transmission medium, such as voice, FAX, or e-mail, for receiving results from United States Strategic Command.

(4) Requestor launch operator needs. A launch operator must indicate the types of analysis output formats required for establishing flight commit criteria for a launch:

(i) Waits. All the times within the launch window during which flight must not be initiated.

(ii) Windows. All the times within an overall launch window during which flight may be initiated.

(5) Vector at injection. A launch operator must identify the vector at injection for each segment. “Vector at injection” identifies the position and velocity of all orbital or suborbital segments after the thrust for a segment has ended.

(i) Epoch. The epoch time, in Greenwich Mean Time (GMT), of the expected launch vehicle liftoff time.

(ii) Position and velocity. The position coordinates in the EFG coordinate system measured in kilometers and the EFG components measured in kilometers per second, of each launch vehicle stage or payload after any burnout, jettison, or deployment.

(6) Time of powered flight. The elapsed time in seconds, from liftoff to arrival at the launch vehicle vector at injection. The input data must include the time of powered flight for each stage or jettisoned component measured from liftoff.

(7) Time span for launch window file (LWF). A launch operator must provide the following information regarding its launch window:

(i) Launch window. The launch window measured in minutes from the initial proposed liftoff time.

(ii) Time of powered flight. The time provided as required by paragraph (d)(6) of this section measured in minutes rounded up to the nearest integer minute.

(iii) Screen duration. The time duration, after all thrusting periods of flight have ended, that a collision avoidance analysis must screen for potential conjunctions with manned or mannable orbital objects. Screen duration is measured in minutes.

(iv) Extra pad. An additional period of time for collision avoidance analysis screening to ensure the entire trajectory time is screened for potential conjunctions with manned or mannable orbital objects. This time must be 10 minutes unless otherwise specified by United States Strategic Command.

(v) Total. The summation total of the time spans provided as required by paragraphs (d)(7)(i) through (d)(7)(iv) expressed in minutes.

(8) Screening. A launch operator must select spherical or ellipsoidal screening as defined in this paragraph for determining any conjunction. The default must be the spherical screening method using an avoidance radius of 200 kilometers for manned or mannable orbiting objects. If the launch operator requests screening for any unmanned or unmannable objects, the default must be the spherical screening method using a miss-distance of 25 kilometers.

(i) Spherical screening. Spherical screening utilizes an impact exclusion sphere centered on each orbiting object's center-of-mass to determine any conjunction. A launch operator must specify the avoidance radius for manned or mannable objects and for any unmanned or unmannable objects if the launch operator elects to perform the analysis for unmanned or unmannable objects.

(ii) Ellipsoidal screening. Ellipsoidal screening utilizes an impact exclusion ellipsoid of revolution centered on the orbiting object's center-of-mass to determine any conjunction. A launch operator must provide input in the UVW coordinate system in kilometers. The launch operator must provide delta-U measured in the radial-track direction, delta-V measured in the in-track direction, and delta-W measured in the cross-range direction.

(9) Deliverable schedule/need dates. A launch operator must identify the times before flight, referred to as “L-times,” for which the launch operator requests a collision avoidance analysis.

(e) Collision avoidance assessment products. A launch operator must file its collision avoidance analysis products as required by § 417.203(e) and must include the input data required by paragraph (d) of this section. A launch operator must incorporate the result of the collision avoidance analysis into its flight commit criteria established as required by § 417.113.
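The following sketch is an added illustration, not part of the rule text or of any FAA or United States Strategic Command tool. It applies the 12-hour usability limit of paragraph (c)(3), the 15-second-per-90-minute wait expansion of paragraph (c)(4), the waits and windows of paragraph (d)(4), and the launch window file total of paragraph (d)(7). All function names and sample times are constructed, and it assumes the elapsed time in (c)(4) is measured to a caller-chosen reference time (here the close of the launch window) and that windows are the parts of the launch window not covered by an expanded wait.

```python
import math
from datetime import datetime, timedelta, timezone

INTERVAL = timedelta(minutes=90)          # (c)(4): every 90 minutes or portion
PAD = timedelta(seconds=15)               # (c)(4): added to each side of a wait
ANALYSIS_LIFETIME = timedelta(hours=12)   # (c)(3): analysis usable for 12 hours
DEFAULT_EXTRA_PAD_MIN = 10                # (d)(7)(iv): default extra pad


def padding_for(vector_time, reference_time):
    """Padding applied to each side of every wait.

    Assumption: elapsed time runs from state vector determination to
    reference_time, which the caller chooses.
    """
    elapsed = reference_time - vector_time
    if elapsed < timedelta(0):
        raise ValueError("reference time precedes state vector determination")
    if elapsed > ANALYSIS_LIFETIME:
        raise ValueError("analysis older than 12 hours; an update is needed")
    intervals = -((-elapsed) // INTERVAL)  # ceiling: a portion counts as whole
    return intervals * PAD


def expand_waits(waits, pad):
    """Pad each (start, end) wait on both sides and merge any that now overlap."""
    merged = []
    for start, end in sorted((s - pad, e + pad) for s, e in waits):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def open_windows(window_open, window_close, waits):
    """Times inside the launch window not covered by any wait.

    Expects waits sorted and non-overlapping, as expand_waits returns them.
    """
    windows, cursor = [], window_open
    for start, end in waits:
        if start > cursor:
            windows.append((cursor, min(start, window_close)))
        cursor = max(cursor, end)
        if cursor >= window_close:
            break
    if cursor < window_close:
        windows.append((cursor, window_close))
    return windows


def lwf_total_minutes(window_min, powered_flight_s, screen_min,
                      extra_pad_min=DEFAULT_EXTRA_PAD_MIN):
    """(d)(7)(v): sum of the four time spans, powered flight rounded up to minutes."""
    return window_min + math.ceil(powered_flight_s / 60) + screen_min + extra_pad_min


def utc(hour, minute, second=0):
    """Constructed sample date; only the time of day varies below."""
    return datetime(2007, 9, 1, hour, minute, second, tzinfo=timezone.utc)


# Constructed sample: state vectors determined 6 hours before window opening.
VECTOR_TIME = utc(6, 0)
WINDOW_OPEN, WINDOW_CLOSE = utc(12, 0), utc(13, 0)
RAW_WAITS = [
    (utc(12, 10), utc(12, 12)),
    (utc(12, 13, 30), utc(12, 15)),
    (utc(12, 59, 30), utc(13, 0)),
]

SAMPLE_PAD = padding_for(VECTOR_TIME, WINDOW_CLOSE)       # 7 h -> 5 intervals
SAMPLE_WAITS = expand_waits(RAW_WAITS, SAMPLE_PAD)
SAMPLE_WINDOWS = open_windows(WINDOW_OPEN, WINDOW_CLOSE, SAMPLE_WAITS)
SAMPLE_LWF_TOTAL = lwf_total_minutes(60, 312.4, 100)      # constructed inputs

if __name__ == "__main__":
    for start, end in SAMPLE_WAITS:
        print("wait  ", start.time(), "-", end.time())
    for start, end in SAMPLE_WINDOWS:
        print("window", start.time(), "-", end.time())
    print("LWF total (min):", SAMPLE_LWF_TOTAL)
```

In the sample, the first two waits merge once padded, and the last expanded wait runs past the window close, so the final window ends at its padded start.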

Appendix D of Part 417—Flight Termination Systems, Components, Installation, and Monitoring

D417.1 General.

This appendix applies to each flight termination system and the components that make up the system for each launch. Section 417.301 requires that a launch operator's flight safety system include a flight termination system that complies with this appendix. Section 417.301 also contains requirements that apply to a launch operator's demonstration of compliance with the requirements of this appendix.

D417.3 Flight termination system functional requirements.

(a) When a flight safety system terminates the flight of a vehicle because it has either violated a flight safety rule as defined in § 417.113 or the vehicle inadvertently separates or destructs as described in section D417.11, a flight termination system must:

(1) Render each propulsion system that has the capability of reaching a populated or other protected area, incapable of propulsion, without significant lateral or longitudinal deviation in the impact point. This includes each stage and any strap on motor or propulsion system that is part of any payload;

(2) Terminate the flight of any inadvertently or prematurely separated propulsion system capable of reaching a populated or other protected area;

(3) Destroy the pressure integrity of any solid propellant system to terminate all thrust or ensure that any residual thrust causes the propulsion system to tumble without significant lateral or longitudinal deviation in the impact point; and

(4) Disperse any liquid propellant, whether by rupturing the propellant tank or other equivalent method, and initiate burning of any toxic liquid propellant.

(b) A flight termination system must not cause any solid or liquid propellant to detonate.

(c) The flight termination of a propulsion system must not interfere with the flight termination of any other propulsion system.

D417.5 Flight termination system design.

(a) Reliability prediction. A flight termination system must have a predicted reliability of 0.999 at a confidence level of 95 percent. A launch operator must demonstrate the system's predicted reliability by satisfying the requirements for system reliability analysis of § 417.309(b).

(b) Single fault tolerance. A flight termination system, including monitoring and checkout circuits, must not have a single failure point that would:

(1) Inhibit functioning of the system during flight; or

(2) Produce an inadvertent initiation of the system that would endanger the public.

(c) Redundancy. A flight termination system must use redundant components that are structurally, electrically, and mechanically separated. Each redundant component's mounting on a launch vehicle, including location or orientation, must ensure that any failure that will damage, destroy or otherwise inhibit the operation of one redundant component will not inhibit the operation of the other redundant component and will not inhibit functioning of the system. Each of the following exceptions applies:

(1) Any linear shaped charge need not be redundant if it initiates at both ends, and the initiation source for one end is not the same as the initiation source for the other end; or

(2) Any passive component such as an antenna or radio frequency coupler need not be redundant if it satisfies the requirements of this appendix.

(d) System independence. A flight termination system must operate independently of any other launch vehicle system. The failure of another launch vehicle system must not inhibit the functioning of a flight termination system. A flight termination system may share a component with another launch vehicle system, only if the launch operator demonstrates that sharing the component will not degrade the flight termination system's reliability. A flight termination system may share a connection with another system if the connection must exist to satisfy a flight termination system requirement, such as any connection needed to:

(1) Accomplish flight termination system arming and safing;

(2) Provide data to the telemetry system; or

(3) Accomplish any engine shut-down.

(e) Performance specifications for components and parts. Each flight termination system component and each part that can affect the reliability of a flight termination component during flight must have written performance specifications that show, and contain the details of, how the component or part satisfies the requirements of this appendix.

(f) Ability to test. A flight termination system, including each component and associated ground support and monitoring equipment, must satisfy the tests required by appendix E of this part.

(g) Software safety critical functions. The requirements of § 417.123 apply to any computing system, software or firmware that is associated with a flight termination system and performs a software safety critical function as defined in § 417.123.

(h) Component storage, operating, and service life. Each flight termination system component must have a specified storage life, operating life, and service life and must satisfy all of the following:

(1) Each component must satisfy all its performance specifications when subjected to the full length of its specified storage life, operating life, and service life; and

(2) A component's storage, operating, or service life must not expire before flight. A launch operator may extend an ordnance component's service life by satisfying the service life extension tests of appendix E of this part.

(i) Consistency of components. A launch operator must ensure that each flight component sample is manufactured using parts, materials, processes, quality controls, and procedures that are each consistent with the manufacture of each qualification test sample.

D417.7 Flight termination system environment survivability.

(a) General. A flight termination system, including all of its components, mounting hardware, cables, and wires, must each satisfy all of their performance specifications when subjected to each maximum predicted operating and non-operating environment and environmental design margin required by this appendix. As an alternative to subjecting the flight termination system to the maximum predicted environments and margin for each dynamic operating environment, such as vibration or shock, a flight termination system need only satisfy all its performance specifications when subjected to an environmental level greater than the level that would cause structural breakup of the launch vehicle.

(b) Maximum predicted environments. A launch operator must determine all maximum predicted non-operating and operating environments that a flight termination system, including each component, will experience before its safe flight state. This determination must be based on analysis, modeling, testing, or monitoring. Non-operating and operating environments include temperature, vibration, shock, acceleration, acoustic, and other environments that apply to a specific launch vehicle and launch site, such as humidity, salt fog, dust, fungus, explosive atmosphere, and electromagnetic energy. Both of the following apply:

(1) Each maximum predicted vibration, shock, and thermal environment for a flight termination system component must include a margin that accounts for the uncertainty due to flight-to-flight variability and any analytical uncertainty. For a launch vehicle configuration for which there have been fewer than three flights, the margin must be no less than plus 3 dB for vibration, plus 4.5 dB for shock, and plus and minus 11 °C for thermal range; and

(2) For a launch vehicle configuration for which there have been fewer than three flights, a launch operator must monitor flight environments at as many locations within the launch vehicle as needed to verify the maximum predicted flight environments for each flight termination system component. An exception is that the launch operator may obtain empirical shock environment data through ground testing. A launch operator must adjust each maximum predicted flight environment for any future launch to account for all data obtained through monitoring.

(c) Thermal environment. A component must satisfy all its performance specifications when exposed to preflight and flight thermal cycle environments. A thermal cycle must begin with the component at ambient temperature. The cycle must continue as the component is heated or cooled to achieve the required dwell time at one extreme of the required thermal range, then to achieve the required dwell time at the other extreme, and then back to ambient temperature. Each cycle, including all dwell times, must be continuous without interruption by any other period of heating or cooling. Paragraphs (c)(2) through (c)(6) of this section identify the required thermal range for each component. A thermal cycle must include no less than a one-hour dwell time at each temperature extreme. The thermal rate of change between the extremes must be no less than the maximum predicted thermal rate of change or 1 °C per minute, whichever is greater. For an ordnance device, the thermal cycle must include no less than a two-hour dwell time at each temperature extreme. The thermal rate of change between the extremes for an ordnance device must be no less than the maximum predicted thermal rate of change or 3 °C per minute, whichever is greater.

(1) Acceptance-number of thermal cycles. For each component, the acceptance-number of thermal cycles must be no less than eight thermal cycles or 1.5 times the maximum number of thermal cycles that the component could experience during launch processing and flight, including all launch delays and recycling, rounded up to the nearest whole number, whichever is greater.

(2) Passive components. A passive component must satisfy all its performance specifications when subjected to:

(i) The acceptance-number of thermal cycles from one extreme of the maximum predicted thermal range to the other extreme; and

(ii) Three times the acceptance-number of thermal cycles from the lower of −34 °C or the predicted lowest temperature minus 10 °C, to the higher of 71 °C or the predicted highest temperature plus 10 °C.

(3) Electronic components. An electronic flight termination system component, including any component that contains an active electronic piece-part such as a microcircuit, transistor, or diode, must satisfy all its performance specifications when subjected to:

(i) The sum of ten thermal cycles and the acceptance-number of thermal cycles from one extreme of the maximum predicted thermal range to the other extreme; and

(ii) Three times the acceptance-number of thermal cycles from the lower of −34 °C or the predicted lowest temperature minus 10 °C, to the higher of 71 °C or the predicted highest temperature plus 10 °C.

(4) Power source thermal design. A flight termination system power source, including any battery, must satisfy all its performance specifications when exposed to preflight and flight thermal environments. The power source must satisfy the following:

(i) A silver zinc battery must satisfy all its performance specifications when subjected to the acceptance-number of thermal cycles from 10 °C lower than the lowest temperature of the battery's maximum predicted temperature range to 10 °C higher than the highest temperature of the range. An exception is that each thermal cycle may range from 5.5 °C lower than the lowest temperature of the battery's maximum predicted temperature range to 10 °C higher than the highest temperature of the range if the launch operator monitors the battery's operating temperature on the launch vehicle with an accuracy of no less than ± 1.5 °C.

(ii) A nickel cadmium battery must satisfy all its performance specifications when subjected to three times the acceptance-number of thermal cycles from the lower of −20 °C or the predicted lowest temperature minus 10 °C, to the higher of 40 °C or the predicted highest temperature plus 10 °C.

(iii) Any other power source must satisfy all its performance specifications when subjected to three times the acceptance-number of thermal cycles from 10 °C lower than the lowest temperature of the maximum predicted temperature range to 10 °C higher than the highest temperature of the range.

(5) Electro-mechanical safe-and-arm devices with internal explosives. A safe-and-arm device must satisfy all its performance specifications when subjected to:

(i) The acceptance-number of thermal cycles from one extreme of the maximum predicted thermal range to the other extreme; and

(ii) Three times the acceptance-number of thermal cycles from the lower of −34 °C or the predicted lowest temperature minus 10 °C, to the higher of 71 °C or the predicted highest temperature plus 10 °C.

(6) Ordnance thermal design. An ordnance device and any associated hardware must satisfy all its performance specifications when subjected to the acceptance-number of thermal cycles from the lower of −54 °C or the predicted lowest temperature minus 10 °C, to the higher of 71 °C or the predicted highest temperature plus 10 °C. Each cycle must include a two-hour dwell time at each temperature extreme and a thermal rate of change between the extremes must be no less than the maximum predicted thermal rate of change or 3 °C per minute, whichever is greater.

(d) Random vibration. A component must satisfy all its performance specifications when exposed to a composite vibration level profile consisting of the higher of 6 dB above the maximum predicted flight random vibration level or a 12.2 Grms workmanship screening level, across the 20 Hz to 2000 Hz spectrum of the two levels. The component must satisfy all its performance specifications when exposed to three times the maximum predicted random vibration duration time or three minutes per axis, whichever is greater, on each of three mutually perpendicular axes and for all frequencies from 20 Hz to 2000 Hz.

(e) Sinusoidal vibration. A component must satisfy all its performance specifications when exposed to 6 dB above the maximum predicted flight sinusoidal vibration level. The component must satisfy all its performance specifications when exposed to three times the maximum predicted sinusoidal vibration duration time on each of three mutually perpendicular axes and for all frequencies from 50% lower than the predicted lowest frequency to 50% higher than the predicted highest frequency. The sweep rate must be no greater than one-third the maximum predicted sweep rate on each of the three axes.

(f) Transportation vibration. A component must satisfy all its performance specifications when exposed to 6 dB above the maximum predicted transportation vibration level to be experienced when the component is in the configuration in which it is transported, for three times the maximum predicted transportation exposure time. A component must also satisfy all its performance specifications when exposed to the workmanship screening vibration levels and duration required by section E417.9(f).

(g) Pyrotechnic shock.

(1) A flight termination system component must satisfy all its performance specifications when exposed to the greater of:

(i) A force of 6 dB above the maximum predicted pyrotechnic shock level to be experienced during flight with a shock frequency response range from 100 Hz to 10,000 Hz; or

(ii) The minimum breakup qualification shock levels and frequencies required by Table E417.11-2 of appendix E of this part.

(2) A component must satisfy all its performance specifications after it experiences a total of 18 shocks consisting of three shocks in each direction, positive and negative, for each of three mutually perpendicular axes.

(h) Transportation shock. A flight termination system component must satisfy all its performance specifications after being exposed to the maximum predicted shock to be experienced during transportation while in the configuration in which it is packed for transport.

(i) Bench handling shock. A flight termination system component must satisfy all its performance specifications after being exposed to the maximum predicted shock to be experienced during handling in its unpacked configuration.

(j) Acceleration environment. A flight termination system component must satisfy all its performance specifications when exposed to launch vehicle breakup acceleration levels or twice the maximum predicted flight acceleration levels, whichever is greater. The component must satisfy all its performance specifications when exposed to three times the maximum predicted acceleration duration for each of three mutually perpendicular axes.

(k) Acoustic environment. A flight termination system component must satisfy all its performance specifications when exposed to 6 dB above the maximum predicted sound pressure level. The component must satisfy all its performance specifications when exposed to three times the maximum predicted sound pressure duration time or three minutes, whichever is greater for each of three mutually perpendicular axes. The frequency must range from 20 Hz to 2000 Hz.

(l) Other environments. A flight termination system component must satisfy all its performance specifications after experiencing any other environment that it could experience during transportation, storage, preflight processing, or preflight system testing. Such environments include storage temperature, humidity, salt fog, fine sand, fungus, explosive atmosphere, and electromagnetic energy environments.

D417.9 Command destruct system.

(a) A flight termination system must include a command destruct system that is initiated by radio command and satisfies the requirements of this section.

(b) A command destruct system must have its radio frequency components on or above the last launch vehicle stage capable of reaching a populated or other protected area before the planned safe flight state for the launch.

(c) The initiation of a command destruct system must result in accomplishing all the flight termination system functions of section D417.3.

(d) At any point along the nominal trajectory from liftoff until no longer required by § 417.107, a command destruct system must operate with a radio frequency input signal that has an electromagnetic field intensity of 12 dB below the intensity provided by the command transmitter system under nominal conditions over 95 percent of the radiation sphere surrounding the launch vehicle.

(e) A command destruct system must survive the breakup of the launch vehicle until the system accomplishes all its flight termination functions or until breakup of the vehicle, including the use of any automatic or inadvertent separation destruct system, accomplishes the required flight termination.

(f) A command destruct system must receive and process a valid flight termination system arm command before accepting a flight termination system destruct command.

(g) For any liquid propellant, a command destruct system must allow a flight safety official to non-destructively shut down any thrusting liquid engine by command before destroying the launch vehicle.

D417.11 Automatic or inadvertent separation destruct system.

(a) A flight termination system must include an automatic or inadvertent separation destruct system for each stage or strap-on motor capable of reaching a protected area before the planned safe flight state for each launch if the stage or strap-on motor does not possess a complete command destruct system. Any automatic or inadvertent separation destruct system must satisfy the requirements of this section.

(b) The initiation of an automatic or inadvertent separation destruct system must accomplish all flight termination system functions of section D417.3 that apply to the stage or strap-on motor on which it is installed.

(c) An inadvertent separation destruct system must activate when it senses any launch vehicle breakup or premature separation of the stage or strap-on motor on which the inadvertent separation destruct system is located.

(d) A launch operator must locate an automatic or inadvertent separation destruct system so that it will survive launch vehicle breakup until the system activates and accomplishes all its flight termination functions.

(e) For any electrically initiated automatic or inadvertent separation destruct system, each power source that supplies energy to initiate the destruct ordnance must be on the same stage or strap-on motor as the system.

D417.13 Flight termination system safing and arming.

(a) General. A flight termination system must provide for safing and arming of all flight termination system ordnance through the use of a mechanical barrier or other positive means of interrupting power to each of the ordnance firing circuits to prevent inadvertent initiation of ordnance.

(b) Flight termination system arming. A flight termination system must provide for each flight termination system ordnance initiation device or arming device to be armed and all electronic flight termination system components to be turned on before arming any launch vehicle or payload propulsion ignition circuits. For a launch where propulsive ignition occurs after first motion of the launch vehicle, the system must include an ignition interlock that prevents the arming of any launch vehicle or payload propulsion ignition circuit unless all flight termination system ordnance initiation devices and arming devices are armed and all electronic flight termination system components are turned on.

(c) Preflight safing. A flight termination system must provide for remote and redundant safing of all flight termination system ordnance before flight and during any launch abort or recycle operation.

(d) In-flight safing. Any safing of flight termination system ordnance during flight must satisfy all of the following:

(1) Any onboard launch vehicle hardware or software used to automatically safe flight termination system ordnance must be single fault tolerant against inadvertent safing. Any automatic safing must satisfy all of the following:

(i) Any automatic safing must occur only when the flight of the launch vehicle satisfies the safing criteria for no less than two different safing parameters or conditions, such as time of flight, propellant depletion, acceleration, or altitude. The safing criteria for each different safing parameter or condition must ensure that the flight termination system on a stage or strap-on-motor can only be safed once the stage or strap-on motor attains orbit or can no longer reach a populated or other protected area;

(ii) Any automatic safing must ensure that all flight termination system ordnance initiation devices and arming devices remain armed and all electronic flight termination system components remain powered during flight until the requirements of paragraph (d)(1)(i) of this section are satisfied and the system is safed; and

(iii) If operation of the launch vehicle could result in satisfaction of the safing criteria for one of the two safing parameters or conditions before normal thrust termination of the stage or strap-on motor to which the parameter or condition applies, the launch operator must demonstrate that the greatest remaining thrust, assuming a three-sigma maximum engine performance, cannot result in the stage or strap-on motor reaching a populated or other protected area;

(2) If a radio command safes a flight termination system, the command control system used for in-flight safing must be single fault tolerant against inadvertent transmission of a safing command under § 417.303(d).

D417.15 Flight termination system installation.

(a) A launch operator must establish and implement written procedures to ensure that all flight termination system components are installed on a launch vehicle according to the qualified flight termination system design. The procedures must ensure that:

(1) The installation of all flight termination system mechanical interfaces is complete;

(2) Installation personnel use calibrated tools to install ordnance when a specific standoff distance is necessary to ensure that the ordnance has the desired effect on the material it is designed to cut or otherwise destroy; and

(3) Each person involved is qualified for each task that person is to perform.

(b) Flight termination system installation procedures must include:

(1) A description of each task to be performed, each facility to be used, and each hazard involved;

(2) A checklist of tools and equipment required;

(3) A list of personnel required for performing each task;

(4) Step-by-step directions written with suffic