Rule

Streamlined Launch and Reentry License Requirements

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

AGENCY:

Federal Aviation Administration (FAA), Department of Transportation (DOT).

ACTION:

Final rule.

SUMMARY:

This rule streamlines and increases flexibility in the FAA's commercial space launch and reentry regulations, and removes obsolete requirements. It consolidates and revises multiple regulatory parts and applies a single set of licensing and safety regulations across several types of operations and vehicles. The rule describes the requirements to obtain a vehicle operator license, the safety requirements, and the terms and conditions of a vehicle operator license.

DATES:

Effective date: This rule is effective March 10, 2021, except for amendatory instructions 3, 11, 17, 20, 27, 44 and 54, concerning §§ 401.5, 413.1, and 413.23, the removal of parts 415, 417, 431, and 435, and instructions 68 and 73 amending §§ 440.3 and 460.45, respectively, which are effective March 10, 2026.

Compliance: Affected parties, however, are not required to comply with the information collection requirements in part 450 until the Office of Management and Budget (OMB) approves the collection and assigns a control number under the Paperwork Reduction Act of 1995. The FAA will publish in the Federal Register a notice of the control number assigned by the Office of Management and Budget (OMB) for these information collection requirements.

ADDRESSES:

For information on where to obtain copies of rulemaking documents and other information related to this final rule, see “How To Obtain Additional Information” in the SUPPLEMENTARY INFORMATION section of this document.

FOR FURTHER INFORMATION CONTACT:

For technical questions concerning this action, contact Randy Repcheck, Office of Commercial Space Transportation, Federal Aviation Administration, 800 Independence Avenue SW, Washington, DC 20591; telephone (202) 267-8760; email Randy.Repcheck@faa.gov.

SUPPLEMENTARY INFORMATION:

Authority for This Rulemaking

The Commercial Space Launch Act of 1984, as amended and codified at 51 U.S.C. 50901-50923 (the Act), authorizes the Secretary of Transportation to oversee, license, and regulate commercial launch and reentry activities, and the operation of launch and reentry sites within the United States or as carried out by U.S. citizens. Section 50905 directs the Secretary to exercise this responsibility consistent with public health and safety, safety of property, and the national security and foreign policy interests of the United States. In addition, § 50903 requires the Secretary to encourage, facilitate, and promote commercial space launches and reentries by the private sector. As codified at 49 CFR 1.83(b), the Secretary has delegated authority to carry out these functions to the FAA Administrator.

This rulemaking amends the FAA's launch and reentry requirements, consolidating and revising multiple regulatory parts to set forth a single set of licensing and safety regulations across several types of operations and vehicles. It also streamlines the commercial space regulations by, among other things, replacing many prescriptive regulations with performance-based rules, and giving industry greater flexibility to develop means of compliance that maximize their objectives while maintaining public safety.

List of Abbreviations and Acronyms Frequently Used in This Document

AC—Advisory Circular

CEC—Conditional expected casualty

EC—Expected casualty

ELOS determination—Equivalent-level-of-safety determination

ELV—Expendable launch vehicle

FSA—Flight safety analysis

FSS—Flight safety system

RLV—Reusable launch vehicle

Table of Contents

I. Overview

II. Background

III. Discussion of the Rule

A. Safety Framework

B. Detailed Discussion of the Final Rule

1. Prescriptive vs Performance-Based Regulations, ELOS, Safety Case

2. Part 450 Subpart A—General Discussion

a. Pre-Application Consultation

b. Application Process

c. Compliance Period for Legacy Licenses (§ 450.1(b))

d. Definition and Scope of Launch (§ 450.3)

e. Safety Element Approval (Part 414)

f. Vehicle Operator License—Issuance, Duration, Additional License Terms and Conditions, Transfer, and Rights Not Conferred (§§ 450.5 Through 450.13)

3. Part 450 Subpart B—Requirements To Obtain a Vehicle Operator License

a. Incremental Review and Determinations (§ 450.33)

b. Means of Compliance (§ 450.35)

c. Use of Safety Element Approval (§ 450.39)

d. Policy Review (§ 450.41)

e. Payload Reviews (§ 450.43)

f. Safety Review and Approval (§ 450.45)

g. Environmental Review (§ 450.47)

4. Part 450 Subpart C—Safety Requirements

a. Neighboring Operations Personnel (§ 450.101(a) and (b))

b. High Consequence Event Protection (§ 450.101(c))

c. Critical Asset and Critical Payload Protection

d. Other Safety Criteria (§ 450.101(d), (e), (f), and (g))

e. System Safety Program (§ 450.103)

f. Hazard Control Strategies (§ 450.107)

g. Hazard Control Strategy Determination (§ 450.107(b))

h. Flight Abort (§ 450.108)

i. Flight Hazard Analysis (§ 450.109)

j. Physical Containment (§ 450.110)

k. Wind Weighting (§ 450.111)

l. Flight Safety Analysis (§§ 450.113 to 450.139)

m. Flight Safety Analysis Requirements—Scope (§ 450.113)

n. Flight Safety Analysis Methods (§ 450.115)

o. Trajectory Analysis for Normal Flight (§ 450.117)

p. Trajectory Analysis for Malfunction Flight (§ 450.119)

q. Debris Analysis (§ 450.121)

r. Population Exposure Analysis (§ 450.123)

s. Probability of Failure Analysis (§ 450.131)

t. Flight Hazard Area Analysis (§ 450.133)

u. Debris Risk Analysis (§ 450.135)

v. Far-Field Overpressure Blast Effect Analysis, or Distant Focus Overpressure (DFO) (§ 450.137)

w. Toxic Hazards (§§ 450.139 and 450.187)

x. Computing Systems (§ 450.141)

y. Safety-Critical Systems Design, Test, and Documentation (§ 450.143)

z. Flight Safety Systems (§§ 450.143 and 450.145)

aa. Hybrid Vehicles

bb. Agreements and Airspace (§ 450.147)

cc. Safety-Critical Personnel Qualifications (§ 450.149)

dd. Work Shift and Rest Requirements (§ 450.151)

ee. Radio Frequency (§ 450.153)

ff. Readiness and Rehearsals (§ 450.155)

gg. Communications (§ 450.157)

hh. Pre-Flight Procedures (§ 450.159)

ii. Control of Hazard Areas (§ 450.161)

jj. Lightning Hazard Mitigation (§ 450.163)

kk. Flight Commit Criteria (§ 450.165)

ll. Tracking (§ 450.167)

mm. Launch and Reentry Collision Avoidance Analysis Requirements (§ 450.169)

nn. Safety at End of Launch (§ 450.171)

oo. Mishap (Definition, §§ 450.173 and 450.175)

pp. Unique Safety Policies, Requirements and Practices (§ 450.177)

qq. Ground Safety (§ 450.179 to § 450.189)

5. Part 450 Subpart D—Terms and Conditions of a Vehicle Operator License

a. Public Safety Responsibility, Compliance With License, Financial Responsibility, Human Spaceflight Requirements (§§ 450.201 to 450.207)

b. Compliance Monitoring (§ 450.209)

c. Continuing Accuracy of License Application; Application for Modification of License (§ 450.211)

d. Pre-Flight Reporting (§ 450.213)

e. Post-Flight Reporting (§ 450.215)

f. Registration of Space Objects (§ 450.217)

6. Changes to Parts 401, 413, 414, 420, 433, 437, and 440

7. Miscellaneous Comments

8. Responses to Regulatory Impact Analysis Comments

IV. Regulatory Notices and Analyses

A. Regulatory Evaluation

B. Regulatory Flexibility Act

C. International Trade Impact Assessment

D. Unfunded Mandates Assessment

E. Paperwork Reduction Act

F. International Compatibility

G. Environmental Analysis

V. Executive Order Determinations

A. Executive Order 13771, Reducing Regulation and Controlling Regulatory Costs

B. Executive Order 13132, Federalism

C. Executive Order 13211, Regulations That Significantly Affect Energy Supply, Distribution, or Use

VI. How To Obtain Additional Information

Rulemaking Documents

Comments Submitted to the Docket

Small Business Regulatory Enforcement Fairness Act

I. Overview

Overview of Final Rule

This rule amends 14 CFR parts 415, 417, 431, and 435 by consolidating, updating, and streamlining all launch and reentry regulations into a single part 450. After March 10, 2026, parts 415, 417, 431, and 435 will be removed. This rule also revises multiple regulatory parts to apply a single set of licensing and safety regulations across several types of operations and vehicles. In addition, this rule replaces many prescriptive regulations with performance-based rules, giving industry greater flexibility to develop means of compliance that meet their objectives while maintaining public safety. Where possible, the FAA has adopted performance standards, and considered the prescriptive requirements for placement in advisory circulars (AC) that will identify possible means of compliance, but not the only means of compliance, with this rule. The goal of this approach is to afford the industry and the FAA the added flexibility of using new methods to better enable future innovative concepts and operations. While some of the provisions in this rule may increase the risk to public safety compared to the current regulations, such as the provisions that apply to neighboring operations personnel, the FAA has ensured that the increased risk is minimal and there is a corresponding public interest benefit.

Part 450 accommodates all vehicle operators, including hybrid vehicle operators. The revisions include more performance-based requirements, alternatives to flight abort and flight safety analysis (FSA) requirements based on demonstrated reliability, use of equivalent level of safety (ELOS) for the measurement of a high consequence event, and allowing application process alternatives as agreed to by the FAA.

Part 450 is divided into subparts A through D. Part 450 is organized by sections that have both safety requirements for what an operator must do to be safe and application requirements for what must be submitted in an application. By “applicant,” the FAA intends to reference an applicant for either a vehicle operator license, an incremental approval, a payload determination, a policy approval, or an environmental determination. By “operator,” the FAA intends to reference the holder of a license, which is consistent with the definition of “operator” in § 401.7.

This preamble will discuss in detail the safety framework encapsulated in part 450, part 450 requirements in sequential order, followed by corresponding and related changes to other parts, and cost implications for this rule.

i. Subpart A

Subpart A includes a general discussion on the application process, licensing scope and duration, and compliance dates. Pre-application consultation, which may include discussion of any applicable flexibilities in the application process, scope of license, and means of compliance, is required by part 413.

Figure 1 illustrates the licensing process. The licensing process begins with pre-application consultation, which sets the stage for an applicant to submit a license application. The application evaluation consists of five major components: (1) A policy review, (2) a payload review, (3) a safety review, (4) a determination of maximum probable loss (MPL) for establishing financial responsibility requirements, and (5) an environmental review. The license specifies the range of activities the licensee may undertake along with any limitations. Requirements after a license is issued encompass the licensee's responsibility for public safety and compliance with its license, representations in the license application, and FAA regulations. An important component of this compliance is the FAA's authority to perform safety inspections.

In the final rule, the FAA does not make any changes to the existing pre-application consultation provision, except to update the term “safety approval” to the newly adopted “safety element approval.” The FAA makes this change to delineate between the safety approval portion of a license application and a safety element approval that the FAA grants under Part 414. This distinction between terms will not affect industry.

During the pre-application consultation stage, an applicant will work with the FAA to develop an application and licensing process that best fits its proposed operation. This stage will focus on compliance planning and positioning the applicant to prepare an acceptable application, which will increase the efficiency of the licensing process. The length of pre-application consultation will vary based on the proposed operation. For example, pre-application consultations may be lengthy when involving new launch vehicles that are under development or with operators inexperienced with the FAA's regulations. Alternatively, pre-application consultation with experienced operators using proven vehicles from established sites may be considerably shorter.

During this stage, the FAA expects to discuss the following topics with an applicant: Entrance and exit criteria for pre-application consultation, the intended means of compliance to meet the regulatory requirements in part 450, the scope of the license, safety element approvals, incremental review, review period for license evaluation, compliance expectations, and time frames an operator is required to meet to satisfy part 450. Some of the topics allow for flexibility that can result in a more efficient licensing process for both the applicant and the FAA.

The rule allows an applicant and the FAA flexibility to establish the scope of the license. Determining the point at which launch begins will be discussed during pre-application consultation. The applicant will describe to the FAA its launch site and its intended concept of operations leading up to a launch, including any operations that are hazardous to the public. Once the FAA and the applicant have a mutual understanding of the applicant's intended concept of operations, the FAA will determine what constitutes hazardous pre-flight operations and thus the beginning of launch. The applicant will then scope its application materials based on this starting point.

In the Notice of Proposed Rulemaking (NPRM), the FAA proposed to set the scope of activity authorized by a vehicle operator license by identifying the beginning and end of launch and reentry. The final rule provides flexibility to scale the beginning of launch to the operation. Specifically, the FAA will identify the beginning and end of launch on a case-by-case basis and in consultation with an applicant. The final rule does not adopt the proposed default that hazardous ground pre-flight operations commence when a launch vehicle or its major components arrive at a U.S. launch site. Instead, the final rule identifies certain activities that qualify as hazardous pre-flight operations, including, but not limited to, pressurizing or loading of propellants into the vehicle or launch system, operations involving a fueled launch vehicle, the transfer of energy necessary to initiate flight, or any hazardous activity preparing the vehicle for flight. This rule also clarifies that hazardous pre-flight operations do not include the period between the end of the previous launch and launch vehicle reuse when the vehicle is in a safe and dormant state.

For the end of launch and reentry, the FAA replaces each use of “vehicle stage” in the proposed rule with “vehicle component” in the final rule. The FAA adopts this change in recognition that components other than vehicle stages may return to Earth. Also, the FAA now includes “impact or landing” in the end of launch and reentry sections in the scope of license requirements to accommodate increasing efforts to reuse components.

ii. Subpart B

Subpart B contains the requirements to obtain a vehicle operator license. The topics include incremental review and determinations, means of compliance, policy review, payload review, safety review and approval, and environmental review. This rule retains the key components of a license application review: The policy review, payload review, safety review, MPL determination, and environmental review. This rule continues to allow operators to submit the payload, policy, environmental, and financial responsibility portions of its application independently of each other.

The final rule will also allow an applicant to submit an application for a safety review in modules using an incremental approach approved by the FAA. The safety review is typically the most complex part of the license application and usually involves submission of numerous documents. In this rule, the FAA has concluded that a structured approach agreed to during pre-application consultation will reduce regulatory uncertainty by allowing the FAA to affirm at an early stage of development that the proposed safety measure or methodology meets the FAA's requirements. An applicant must have its incremental review approach approved by the FAA prior to submitting its application so that the FAA can ensure that the modules can be reviewed independently and in a workable order under an agreed time frame.

The rule makes it easier for an applicant to seek a safety element approval in conjunction with its license application. A safety element approval is an FAA document containing the FAA determination that a safety element, when used or employed within a defined envelope, parameter, or situation, will not jeopardize public health and safety or safety of property. A safety element includes a launch vehicle, reentry vehicle, safety system, process, service, or any identified component thereof; and qualified and trained personnel, performing a process or function related to licensed activities or vehicles. An applicant may also leverage existing safety element approvals by citing a safety element approval in another license application, thus streamlining the subsequent licensing process.

After the final rule becomes effective on March 10, 2021, operators holding an active launch or reentry license, or who have an accepted launch or reentry license application within 90 days after the effective date, may choose to operate under parts 415 and 417 for expendable launch vehicles (ELVs), part 431 for reusable launch vehicles (RLVs), or part 435 for reentry vehicles, until five years after the effective date of this rule.[1] All operators, including those exercising this provision, must come into compliance with this regulation's requirements for critical asset protection and collision avoidance (COLA) analysis beginning from the effective date of this rule. Any operator may also choose to operate under part 450 on the effective date of this rule. Operators conducting operations under parts 415, 417, 431 or 435 may submit requests for license renewals such that their license remains valid for up to five years after the effective date of this rule. A license renewal issued after the effective date of this rule will be valid for no longer than five years after the effective date of this rule.[2] All operators will need to comply with all parts of this rule five years after its effective date.

For an application for a license modification submitted after this rule becomes effective and within five years of the effective date, the FAA will determine the applicability of part 450 on a case-by-case basis. In determining whether to apply part 450 in evaluating a license modification under this scenario in consultation with the applicant, the FAA will consider the extent and complexity of the modification, whether the applicant proposes to modify multiple parts of the application, and if the application requires significant reevaluation.

The final rule allows most time frames to be determined during pre-application consultation, or during the application review process. An operator may propose alternative time frames for any of the requirements listed in the newly created Appendix A to part 404.

Compliance with the performance requirements in this rule may be demonstrated by using a means of compliance that is accepted by the FAA. Means of compliance may be government standards, industry consensus standards, or unique means of compliance developed by an individual applicant. During pre-application consultation, the FAA will work with applicants on compliance planning. The FAA will review the submitted means of compliance to determine whether they satisfy the regulatory safety standard.

For five requirements, an applicant must use a means of compliance the FAA has accepted in advance of submitting an application. Those requirements for which an applicant must use an accepted means of compliance in advance are identified in § 450.35 and include FSA methods, airborne toxic concentration and duration thresholds for any toxic hazards for flight, highly reliable flight safety systems (FSS), lightning commit criteria, and airborne toxic concentration and duration thresholds toxic hazard mitigation for ground operations. For all other requirements, an applicant may include an accepted means of compliance or a means of compliance the FAA has not yet accepted as part of its application for the FAA to review during application evaluation. The FAA will publish any publicly available means of compliance that it accepts. In addition, an operator may request that the FAA publish the operator's unique means of compliance, once reviewed and accepted.

The FAA evaluates five major components in an application for a vehicle operator license. The FAA adopts the proposed requirements for the policy review without modification. For the FAA to conduct a policy review, an applicant must identify the launch or reentry vehicle and its proposed flight profile, and describe the vehicle by characteristics that include individual stages and their dimensions, the type and amounts of all propellants, and maximum thrust. The final rule clarifies that a payload review is not required when the proposed launch or reentry vehicle will not carry a payload or when the payload is owned or operated by the U.S. Government. The FAA will continue to conduct safety reviews to determine whether an applicant is capable of conducting a launch or reentry without jeopardizing public health and safety and safety of property as specified in §§ 415.103, 431.31(a), and 435.31. Finally, the FAA adopts with revisions the proposed requirements for environmental review. The revisions include clarification on the FAA requirements for an Environmental Assessment (EA) and the FAA's responsibility to determine whether a Categorical Exemption (CATEX) applies, in accordance with current regulations. The MPL calculation and financial responsibility requirements are discussed under Subpart D.

iii. Subpart C

Subpart C addresses safety requirements. In the final rule, the FAA revises numerous sections under subpart C in response to public comments on the proposed rule, so that the rule is more performance-based. Subpart C includes regulations for key areas of concern to Federal launch or reentry sites that had not been covered in previous FAA regulations (e.g., the treatment of neighboring operations personnel and critical assets, including critical payloads). Throughout this document, the terms “Federal launch or reentry sites” and “Federal sites” replace the NPRM's use of “Federal launch range.”

The FAA structured the rule to facilitate elimination of duplication of the requirements of Federal launch or reentry sites by incorporating critical asset protections, to avoid the need for Federal sites to impose this requirement. The rule also creates a path for the FAA to determine that a Federal launch or reentry site's ground safety processes, requirements, and oversight are not inconsistent with the Secretary's statutory authority over commercial space activities.

The safety criteria in § 450.101 (Safety Criteria) set the public and property safety criteria that must be met before an operator may initiate the flight of a launch or reentry vehicle.[3] The quantitative safety criteria continue to be the linchpin requirement for flight safety, which is fundamental for all operators. There are quantitative risk criteria for collective risk, individual risk, and aircraft risk. The final rule applies collective and individual risk criteria to people on waterborne vessels, enabling risk management techniques that previously required a waiver. The rule carves out neighboring operations personnel on a launch or reentry site as a separate category of the public subject to different risk criteria. This rule also adds risk criteria for the protection of critical assets essential to the national interests of the United States, including a more stringent requirement for the protection of critical payloads. The final rule uses conditional risk management to ensure (1) mitigations, such as flight abort, will be implemented to protect against high consequence events, and (2) implementation of mitigations will produce reasonable conditional risks.

The rule allows for neighboring operations personnel to be protected as members of the public, but to a less stringent risk threshold as compared to other members of the public. In the final rule, the FAA adopts the proposed requirements on neighboring operations personnel in §§ 401.7, 440.3, 450.101(a) and (b), and 450.137 (Far-field Overpressure Blast Effect Analysis) paragraph (c)(6), but removes the phrase “as determined by the Federal or licensed launch or reentry site operator” from the definition of “neighboring operations personnel” in § 401.7. Instead, the Federal or licensed site operator will determine those persons who are eligible for neighboring operations personnel status in coordination with the operators at the site and in accordance with the definition in § 401.7. A site operator at a non-Federal site will have the option to designate certain personnel as neighboring operations personnel.

In the final rule, critical assets include property, facilities, or infrastructure necessary to maintain national security, or assured access to space for national priority missions. In the final rule, the FAA does not adopt the proposed requirement for operators to calculate the risks to critical assets in preparing a flight hazard analysis, debris analysis, and debris risk analysis. The FAA anticipates that it will perform all critical asset and critical payload risk assessments for commercial space transportation operations involving non-Federal sites.

Under § 450.101(c) of the NPRM, the FAA proposed to require an operator to use flight abort as a hazard control strategy if the consequence of any reasonably foreseeable vehicle response mode, in any one-second period of flight, is greater than 1 × 10⁻³ CEC for uncontrolled areas. The FAA amends the title of § 450.101(c) from “Flight Abort” in the NPRM to “High Consequence Event Protection” in the final rule, because the final rule allows an operator to use a method other than flight abort in certain situations in which the operator can show sufficient protection against high consequence events. The FAA retains the CEC requirement as a quantitative criterion that an applicant must use to measure high consequence events, but revises the final rule to allow ELOS for the CEC requirement. The final rule also allows options for how an applicant may protect against a low likelihood, high consequence event in uncontrolled areas for each phase of flight, such as using flight abort in accordance with § 450.108 (Flight Abort) or demonstrating that CEC is below a certain threshold without using flight abort.

The FAA adopts with revisions the proposal that an operator must implement and document a system safety program throughout the operational lifecycle of a launch or reentry system in § 450.103 (System Safety Program). The system safety program includes a safety organization, hazard management, configuration management and control, and post-flight data review. In the final rule, the FAA removes the proposed term “operational” to clarify that the regulation applies to hazards throughout the lifecycle of a launch or reentry system—not just to operational hazards. The FAA also does not adopt the proposed requirement in § 450.105 to conduct a preliminary safety assessment, because that requirement has been replaced with a requirement to conduct a functional hazard analysis under the Hazard Control Strategies section in the final rule.

In the NPRM, the FAA proposed under the Hazard Control Strategies section (§§ 450.107 to 450.111) that, for each phase of a vehicle's flight, an operator would not need to conduct a flight hazard analysis for that phase of flight if the public safety and safety of property hazards identified in the preliminary safety assessment could be mitigated adequately to meet the requirements of proposed § 450.101 using physical containment, wind weighting, or flight abort. In the final rule, the FAA concludes that an operator must use one or more of the hazard control strategies defined in §§ 450.108 through 450.111 to meet the safety criteria. The FAA also adds a new paragraph to this section to address how an operator determines its hazard control strategy or strategies for any phase of flight during a launch or reentry.

The FAA adopts proposed § 450.108, which is a consolidation and revision of several proposed sections associated with flight abort requirements in the NPRM. As a result of this consolidation, the FAA removes the flight abort related requirements in §§ 450.123, 450.125, 450.127, and 450.129. The requirements in these sections have been revised to be performance-based standards included in § 450.108(c), which addresses flight safety limits objectives, and § 450.108(d), which addresses flight safety limits constraints.

Section 450.109 (Flight Hazard Analysis) details requirements for an operator using a flight hazard analysis as its hazard control strategy for one or more phases of flight. A flight hazard analysis must identify, describe, and analyze all reasonably foreseeable hazards to public safety and safety of property resulting from the flight of a launch or reentry vehicle, mitigate hazards as appropriate, and validate and verify the hazard mitigations. The FAA revises the final rule to reflect that performing a flight hazard analysis is included as a hazard control strategy to derive hazard controls for the flight, or phase of flight, of a launch or reentry vehicle.

Regardless of the hazard control strategy chosen or mandated, an operator must conduct an FSA to demonstrate quantitatively that a launch or reentry meets the safety criteria for debris, far-field overpressure, and toxic hazards. An operator may be required to conduct additional analyses to use flight abort or wind weighting hazard control strategies. The FAA anticipates that an operator will be required to conduct some FSA for at least some phases of flight, regardless of the hazard control strategy chosen or mandated. For example, an FSA must determine flight hazard areas for any vehicle with planned debris impacts capable of causing a casualty.

The FAA revises the FSA requirements in § 450.113 (Flight Safety Analysis Requirements—Scope), which establish the portions of flight for which an operator would be required to perform and document an FSA. An operator must perform and document an FSA for all phases of flight, unless otherwise agreed to by the FAA. The FAA may agree there is no need for an FSA for certain phases of flight based on demonstrated reliability for any launch or reentry vehicle, instead of just for hybrid vehicles as proposed in the NPRM. The FAA expands this exception because, conceivably, an operation involving a vehicle other than a hybrid could have an extensive and safe enough flight history to demonstrate compliance with the risk criteria in § 450.101 based on empirical data in lieu of the traditional risk analysis.

An FSA generally consists of a set of quantitative analyses used to determine flight commit criteria, flight abort rules, flight hazard areas, and other mitigation measures, and to demonstrate compliance with the safety criteria in § 450.101. In the NPRM, the FAA proposed 15 sections associated with FSA requirements in §§ 450.113 to 450.141. The final rule moves requirements associated with flight safety limits to § 450.108 and condenses the remaining FSA requirements into 11 performance-based sections that cover the scope of the analyses, general methodology requirements, and specific sections on normal trajectories, malfunction trajectories, hazardous debris characterization, population exposure, probability of failure, flight hazard areas, debris risks, and far-field overpressure blast effects. The FAA moved some of the proposed FSA requirements such that an operator could generally perform the analyses in the order that they appear in the final rule, if they choose.

The FAA revises the FSA sections to be more performance-based than what was proposed in the NPRM. Specifically, the FAA revises the FSA requirements to identify their fundamental purpose, the essential constraints, and the objectives in each section. The FSA requirements in the final rule are consistent with current practice, but the rule articulates important, often misunderstood, aspects of flight analysis such as the creation of hazard areas and other operating constraints necessary to protect public health and safety and safety of property.

Sections 450.139 (Toxic Hazards for Flight) and 450.187 (Toxic Hazards Mitigation for Ground Operations) contain the requirements for toxic release analysis. In the final rule, the FAA adopts §§ 450.139 and 450.187 with some revisions. The FAA clarifies that operators are not required to perform a toxic release hazard analysis for kerosene-based fuels unless directed by the FAA. Also, the FAA revises the requirements for performing toxic containment.

In the NPRM, § 450.111 contained computing systems and software requirements. In the final rule, the FAA revises and relocates the requirements for computing systems and software to § 450.141 (Computing Systems and Software). In response to comments, the FAA revises the requirements of § 450.141 to be more performance-based, and levies requirements for computing system safety items in proportion to their criticality instead of the item's level of autonomy. The final rule also requires independent verification and validation for computing system safety items that meet the definition of “safety-critical” in § 401.7.

The requirements of § 450.143 (Safety-Critical System Design, Test, and Documentation) apply to all safety-critical systems except highly reliable FSS and safety-critical software items, which are regulated by the requirements in §§ 450.145 and 450.141 respectively. In the final rule, the FAA revises the reference to FSS requirements in § 450.143(a); amends § 450.143(b) to include other means of compliance and broader safe design concepts; and removes the term “vehicle” in § 450.143(c) because safety-critical systems can be located off-vehicle. In addition, the FAA amends the application requirements in § 450.143(f) to require that applicants describe the method used to validate predicted operating environments and any standards used for each safety-critical system.

Section 450.145 (Highly Reliable Flight Safety System) contains the requirements for certain FSS. The FAA revises § 450.145 to apply to a highly reliable FSS, which consists of any onboard portion and, if used, any ground-based, space-based, or otherwise not onboard portion of the system. Conventional FSS with airborne flight termination receivers and ground-based command transmitter systems will have both airborne and ground-based subsystems. The final rule provides additional flexibility for operations where the CEC is between 1 × 10⁻² and 1 × 10⁻³ and exempts the FSS for such operations from the requirements of § 450.145; however, the FSS for such operations must still meet the requirements of § 450.143. The FAA makes these changes to scope the FSS design, testing, and analysis more closely to potential consequence and risk. These changes will reduce burden on operators that have a lower potential for causing high consequence events. The FAA also removes the reliability threshold required of an FSS for operations where CEC is between 1 × 10⁻² and 1 × 10⁻³. The final rule provides that an FSS required for operations for which the CEC is between 1 × 10⁻² and 1 × 10⁻³ must meet the requirements of § 450.143.

Section 450.147 (Agreements) requires a vehicle operator to have a written agreement with any entity that provides a service or use of property to meet a requirement in part 450. In the final rule, the FAA requires an operator to enter into multiple agreements if the operator works with multiple entities. Also, operators will continue to be required to enter into agreements with the appropriate entities for launches and reentries that cross airspace or impact water not under U.S. jurisdiction.

Section 450.153 contains the requirements for radio frequency. In the NPRM, the FAA proposed that an operator would be required to identify each frequency, all allowable frequency tolerances, and each frequency's intended use, operating power, and source; and provide for the monitoring of frequency usage and enforcement of frequency allocations. In the final rule, the FAA adopts the proposed requirements with modifications to the performance-based objectives central to radio frequency management. Operators will be required to ensure that radio frequency does not adversely affect the performance of FSS or safety-critical systems, and to coordinate radio frequency with local and Federal authorities.

Section 450.157 contains the requirements for communications. In the NPRM, the FAA proposed that personnel that have authority to issue “hold/resume,” “go/no go,” and abort commands must monitor each common intercom channel during countdown and flight. The FAA does not adopt the proposal because it was overly prescriptive.

Section 450.161 (Control of Hazard Areas) contains the requirements for the control of hazard areas. In the final rule, the FAA does not remove the requirement for an operator to verify that warnings have been issued when the operator relies on another party to publicize those warnings. Instead, the FAA clarifies that the requirement may be met by demonstrating due diligence pursuant to agreements that the operator has with that party and notifying the FAA of any deviations from the agreements by any party. The FAA also adds an application requirement for the applicant to give a description of how the applicant will provide for any publication of flight hazard areas.

In the final rule, the FAA does not adopt the four mishap categories proposed in the NPRM. The FAA agrees with commenters that the regulatory requirements for the proposed mishap classes, from most severe (Class 1) to least severe (Class 4), were largely the same, and concludes that the mishap classes are not needed to achieve the objective of consolidating mishap-related terms and streamlining the requirements to report, respond to, and investigate mishaps. Instead, the FAA combines the substantive criteria of Mishap Classes 1-4 under the definition of “mishap.” The revised definition in the final rule describes events that constitute a mishap. The requirements to report, respond to, and investigate mishaps are incumbent upon an operator regardless of a mishap's severity.

Section 450.173 (Mishap Plan—Reporting, Response, and Investigation Requirements) contains the requirements for the mishap plan. In the final rule, the FAA does not adopt the proposed requirement for a licensee to cooperate with FAA and NTSB investigations contained in the NPRM. The FAA finds this requirement duplicative of § 450.13, which states that a vehicle operator license does not relieve a licensee of its obligations to comply with all applicable requirements of law or regulation that may apply to its activities. Also, the final rule standardizes criteria for mishap plans across all of 14 CFR Chapter III by making § 450.173 applicable to launch and reentry licensees, experimental permittees, and site operators.

The FAA proposed to give license applicants and licensees the option to pre-coordinate testing activities with the FAA. In the final rule, the FAA clarifies that § 450.175 (Test-induced Damage) will only apply to licensees or license applicants who choose to apply for the exception. The final rule also allows an operator to coordinate the possibility of test-induced damage prior to an operation and exclude damage meeting certain requirements from constituting a mishap, thereby reducing unnecessary reporting.

v. Subpart D

Subpart D addresses the terms and conditions of a vehicle operator license. This includes compliance monitoring (§ 450.209), material changes and continuing accuracy (§ 450.211), pre-flight reporting (§ 450.213), post-flight reporting (§ 450.215), and registration of space objects (§ 450.217). In the final rule, the FAA adopts these sections as proposed with the exception of revisions to § 450.213 (Pre-flight Reporting) as described below.

The final rule makes few changes to the post-licensing requirements, for which the final rule standardizes requirements for all launches and reentries from Federal sites and commercial spaceports or exclusive use launch sites. In line with the previous requirements, operators will provide information and comply with reported collision avoidance closures. A Federal agency will continue to provide operators the appropriate launch or reentry closures, but the rule allows the possibility of some other entity's providing this service in the future. The final rule offers operators flexibility, in coordination with the FAA, to use different timelines for the submission of pre-flight and post-flight reports. The FAA revises § 450.213(d) to allow an operator the flexibility to identify an appropriate time frame in coordination with the FAA. The FAA also revises § 450.217(c) so that licensees will only need to notify the FAA that they removed an object from orbit if removal occurs during or immediately after licensed activities.

II. Background

This rulemaking arose from work by the National Space Council that led to President Donald J. Trump's Space Policy Directive-2 (SPD-2) in May 2018, directing the U.S. Department of Transportation to streamline the regulations governing commercial space launch and reentry licensing. The goals of this streamlining include creating a single licensing regime for all types of commercial space flight launch and reentry operations, and replacing prescriptive requirements with performance-based criteria. The final rule is consistent with DOT's regulations under 49 CFR 5.5(e), which instruct that regulations should be technologically neutral, and, to the extent feasible, should specify performance objectives, rather than prescribing specific conduct that regulated entities must adopt.

On March 8, 2018, the FAA chartered the Streamlined Launch and Reentry Licensing Requirements Aviation Rulemaking Committee (ARC) to provide a forum for a broad range of stakeholders from the aviation and space communities to discuss regulations to set forth procedures and requirements for commercial space transportation launch and reentry licensing. The FAA tasked the ARC with developing recommendations for a performance-based regulatory approach in which the regulations set forth the safety objectives to be achieved while providing the applicant flexibility to produce tailored and innovative means of compliance.

On April 30, 2018, the ARC submitted its final recommendation report to the FAA.[4] The FAA addressed the recommendations in more detail throughout the NPRM. This final rule incorporates recommendations provided by the ARC.

On March 26, 2019, the FAA posted on its website an NPRM titled “Launch and Reentry Licensing Requirements” that would revise parts 401, 404, 413, 414, 415, 417, 420, 431, 433, 435, 437, and 440, and create a new part 450. In the NPRM, the FAA proposed to streamline and increase flexibility in the FAA's commercial space launch and reentry regulations, remove obsolete requirements, consolidate and revise multiple regulatory parts, and apply a single set of licensing and safety regulations across several types of operations and vehicles.

On April 15, 2019, the FAA published this NPRM in the Federal Register (85 FR 15296). The initial comment period was 60 days from the date of publication, ending on June 14, 2019.

In the ensuing month, commenters submitted fifty-six requests for an extension of the comment period to a total of 120 days, or until August 13, 2019.

In response, on May 31, 2019, the FAA published an extension of the comment period on the NPRM (84 FR 25207), for an additional 45 days to July 30, 2019, to allow commenters more time to analyze the proposed rule.

On June 14, 2019, the FAA posted to the docket a response [5] to MLA Space, LLC, which had requested that the FAA reconvene the ARC to engage in dialogue regarding the NPRM. In the response, the FAA stated its belief that engagement with industry in the form of an ARC, a public meeting, or through a special session of Commercial Space Transportation Advisory Committee (COMSTAC) would not be beneficial at that point in the rulemaking process. The FAA encouraged members of industry to submit any questions requesting clarification regarding the NPRM to the docket.

On July 16, 2019, the FAA posted to the docket the first of its responses [6] to commenters' questions requesting clarification. Also on July 16, 2019, the FAA posted a statement [7] to the docket encouraging commenters to post any further requests for clarification in the docket as soon as possible. That statement reasserted the FAA's judgment that further engagement with industry through a public meeting to have clarifying dialogue regarding the NPRM would not be beneficial, but also offered to entertain meetings in the month of July 2019 with members of the public who wished to provide to the FAA their information bearing on the proposed rule.

Subsequently, the FAA met with Blue Origin,[8] the Coalition for Deep Space Exploration,[9] Space Exploration Technologies Corp. (SpaceX),[10] Virgin Galactic,[11] and Virgin Orbit [12] to receive their clarifying questions and a preview of their comments on the NPRM.[13]

On July 22, 2019, the FAA published a second extension of the comment period to the NPRM (84 FR 35051). To provide commenters with sufficient time to review the FAA's clarifications in response to the commenter's questions, the FAA extended the comment period to August 19, 2019.[14]

On August 16, 2019, the FAA posted its response to the docket [15] to commenters' questions for clarification received by July 12, 2020, and July 29, 2019.

On August 19, 2019, the comment period closed, with a total of 155 submissions from 85 commenters, and two submissions containing proprietary information. Of these comments, 62 requested an extension of the comment period, 10 requested to reconvene the ARC, 29 requested a public meeting, 18 requested a Supplemental Notice of Proposed Rulemaking (SNPRM), 18 contained clarifying questions for parts of the NPRM, and 53 comments contained substantive feedback regarding the proposed rule. The FAA discusses the adjudication of these comments in more detail later in the preamble.

III. Discussion of the Rule

A. Safety Framework

General. The final rule relies on a safety framework that provides the flexibility needed to accommodate current and future launch and reentry operations. The safety framework encompasses both ground safety and flight safety. Acceptable safety for ground operations is achieved primarily through a process-based hazard analysis and certain prescribed hazard controls. Acceptable safety for flight operations is achieved through several elements discussed further in this preamble section. The FAA identifies specific safety criteria and requirements in § 450.101 that must be met before a launch or reentry can take place, including collective risk, individual risk, aircraft risk, risk to critical assets, protection against high consequence events, disposal of orbiting stages, risk to people and property on orbit, and notification of planned impacts.

System Safety Program. All operators are required to have a system safety program that establishes system safety management principles for both ground safety and flight safety throughout the operational lifecycle of a launch or reentry system. The system safety program includes a safety organization, hazard management, configuration management and control, and post-flight data review.

Hazard Control Strategies. To address the wide variety of commercial launch and reentry systems and operations concepts, the final rule includes four hazard control strategies. An operator can use multiple hazard control strategies during flight because different strategies may be appropriate for different phases of flight. Different hazard control strategies may also be appropriate during any one phase of flight to protect different sets of people and property. The hazard control strategies are physical containment, wind weighting, flight abort, and flight hazard analysis.

  • Physical containment would most likely be used for low energy test flights, when a launch vehicle does not have sufficient energy for any hazards associated with its flight to reach the public or critical assets.
  • Wind weighting is traditionally used in the launch of unguided suborbital launch vehicles, otherwise known as sounding rockets, where the operator adjusts launcher azimuth and elevation settings to correct for the effects of wind conditions at the time of flight to provide impact locations for the launch vehicle or its components that will ensure compliance with the safety criteria in § 450.101.
  • Flight abort is the traditional safety approach for expendable launch vehicles, and is a process to limit or restrict the hazards to public safety and the safety of property presented by a launch vehicle or reentry vehicle, including any payload, while in flight by initiating and accomplishing a controlled ending to vehicle flight. With the exception of phases of flight with demonstrated reliability, flight abort is mandated as a hazard control strategy if the potential for a high consequence event is above a certain threshold.
  • Flight hazard analysis is the traditional safety approach for reusable launch vehicles, and is the most flexible hazard control strategy because an operator derives specific hazard controls unique to its launch or reentry vehicle system and operations concept. Flight hazard analysis is mandated as a hazard control strategy if the other three hazard control strategies cannot mitigate the safety hazards sufficient to meet the safety criteria of § 450.101.

An operator determines the appropriate hazard control strategy by conducting a functional hazard analysis.

Flight Safety Analyses. Regardless of the hazard control strategy chosen or mandated, an operator is required to conduct several FSA. These include trajectory analyses for normal and malfunction flight, a debris analysis, a population exposure analysis, and a probability of failure analysis. These analyses provide input to a debris risk analysis, a far-field overpressure blast effects analysis, and a toxic hazard analysis that together demonstrate compliance with the safety criteria of § 450.101, and provide input to a flight hazard area analysis.

Derived Hazard Controls. With respect to flight operations, an operator would derive several hazard controls by conducting the FSA and, if necessary, a flight hazard analysis. Because hazard controls are derived from these analyses, they are not specifically addressed in part 450.

Prescribed Hazard Controls for Computing Systems and Software and Safety-Critical Hardware. Regardless of the hazard controls derived from a flight hazard analysis and FSA, the FAA requires many other hazard controls. The first set of hazard controls includes requirements for computing systems and software, safety-critical systems, and highly reliable FSS.

Other Prescribed Hazard Controls. The second set of hazard controls have historically been necessary to achieve acceptable flight safety. These include requirements for (1) written agreements, (2) safety-critical personnel qualifications, (3) work shift and rest requirements, (4) radio frequency management, (5) readiness, (6) communications, (7) pre-flight procedures, (8) control of hazard areas, (9) lightning hazard mitigation, (10) flight commit criteria, (11) tracking, (12) collision avoidance, (13) safety at the end of launch, and (14) mishap plans.

Ground Safety. With respect to the safety of ground operations, the safety framework includes (1) coordination with a site operator, (2) explosive siting, (3) a ground hazard analysis, (4) toxic hazard mitigations, and (5) prescribed hazard controls addressing visitors, countdown aborts, fire suppression, and emergency procedures. These together provide an acceptable set of public safety considerations for ground operations.

B. Detailed Discussion of the Final Rule

1. Prescriptive vs Performance-Based Regulations, ELOS, Safety Case

i. Prescriptive

The FAA sought in the NPRM to propose changes that would convert many of its prescriptive requirements to more performance-based requirements that would allow for different means of compliance. The FAA received several comments stating generally that the proposed rule was still too prescriptive. The Commercial Spaceflight Federation (CSF) and SpaceX commented that some of the proposed requirements would unnecessarily drive applicants to a burdensome equivalent level of safety (ELOS) process as a default. Blue Origin recommended broadly that the FAA remove all prescriptive portions of the proposed rule.[16]

The FAA agrees that some of the requirements in proposed part 450 were unnecessarily prescriptive, particularly those for software and FSA. The FAA has modified those requirements to remove unnecessary prescriptiveness and provide additional flexibility while still preserving safety and providing regulatory clarity. For many of the requirements amended for this purpose in the final rule, the prescriptive parts of the proposal will be moved to a corresponding AC as guidance on means of compliance. Specific changes to the requirements are discussed later in this preamble.

Several commenters, including Blue Origin, CSF, and SpaceX, also stated that the FAA should base its new requirements on parts 431 and 435 and add details on how to comply through guidance. CSF also stated that the FAA ignored the draft regulatory text provided by the ARC, which used parts 431 and 435 as a basis for updated rules.

The FAA disagrees that parts 431 and 435 should be used as the sole basis for part 450. Part 431 depends on an operator to use the system safety process to derive hazard controls, which as reflected in part 450, is appropriate for some launch and reentry vehicle systems and operations. However, as also reflected in part 450, not all launch and reentry vehicle systems and operations require an operator to derive hazard controls through the system safety process. Specifically, physical containment, wind weighting, and, most importantly, flight abort are often sufficient. Part 450 incorporates the flexibility of part 431, but acknowledges the acceptability of other hazard control strategies. Part 450 also builds on the precedent set by part 431's limits on the foreseeable consequences of a failure in terms of conditional expected casualties and establishes a less stringent threshold.[17] Furthermore, the FAA stated in the NPRM that it would not specifically address the ARC's proposed regulatory text because that regulatory text did not receive broad consensus within the ARC.

One individual commenter noted that streamlining was long overdue. Another individual commenter noted that the proposed rule is longer and more complicated than the rule it proposes to replace, and that past FAA approaches led to codifying Federal launch and reentry site requirements, which the Federal sites subsequently changed such that they no longer matched the FAA requirements.

In response, the FAA notes that the proposed regulation combined elements from parts 415, 417, 431, and 435. Part 450 is shorter than parts 415 and 417 and more performance-based. Although it is longer than parts 431 and 435, part 450 is more flexible and encompasses more types of launch and reentry operations. This final rule allows operators to use a means of compliance that will accommodate customized operations, changing technologies, and innovation.

ii. Equivalent Level of Safety (§ 450.37)

In the NPRM, the FAA proposed in § 450.37 (Equivalent Level of Safety) that for all requirements in part 450, except § 450.101, an applicant may clearly and convincingly demonstrate that an alternative approach provides an equivalent level of safety (ELOS) to the requirement.

In the final rule, the FAA revises § 450.37 so that only some portions of § 450.101—specifically § 450.101(a), (b), (c)(1), (c)(3), (d), (e)(1), and (g)—are excluded from eligibility for an ELOS approach. This change allows an applicant to propose an equivalent level of safety to the orbital debris requirement in § 450.101(e)(2) and the notification of planned impacts requirement in § 450.101(f). Most significantly, this change also allows an applicant to propose an equivalent level of safety to the use of a CEC of 1 × 10⁻³ as the measure of a high consequence event in § 450.101(c)(2). Section 450.101(c) is discussed more fully later in this preamble.

Virgin Galactic commented that ELOS determinations should be part of the license application process. The FAA agrees with the comment and incorporates ELOS determinations into the license application process. To exercise this option, an applicant must demonstrate, through technical rationale, that the proposed alternative provides a level of safety equivalent to the requirement it would replace. The FAA will evaluate the proposal during the application evaluation.

CSF stated that, if the FAA adopted the parts 431 and 435 framework, ELOS would be unnecessary because the ELOS process does not exist under those regulations.[18] Blue Origin urged the FAA to consider the need for an ELOS option in this rule.

In response to CSF's comments, the FAA acknowledges that, in theory, a performance-based regulation like part 450 could function without an ELOS provision, because, in concept, a performance-based rule allows many different means of compliance with the required safety standard. The FAA considered eliminating the ELOS provision from the final rule, but decided that eliminating the ELOS provision would remove a useful regulatory tool that provides flexibility. Unlike means of compliance, which demonstrate compliance with the regulation, ELOS allows an applicant to propose and demonstrate a method that ensures an ELOS to the requirement, but not necessarily compliance with the requirement itself. The FAA has chosen to retain the option of ELOS to allow operators to propose unique processes and procedures that this rule may not have contemplated.

Blue Origin stated that it supports the use of safety cases as a means to establish an ELOS under proposed § 450.37. A safety case is a structured argument, supported by a body of evidence that provides a compelling, comprehensive, and valid case that a system is safe, for a given application in a particular setting. Regarding process, Blue Origin recommended requiring only one layer of external-to-applicant audit, and that the audit criteria be transparently developed with industry input to ensure understanding of the scope of compliance with the ELOS proposal process. Another individual commenter stated that the FAA should add a provision that would allow use of an alternate process for obtaining a license based on the use of a “safety case” methodology. This methodology would consist of voluntary audits of an applicant's safety and risk management program, followed by development of a safety case showing how the public would be protected during licensed activities.

The FAA finds that the proposed regulation is flexible in allowing an applicant to propose a means of compliance. It also affords the possibility of meeting most requirements by demonstrating an ELOS.[19] An applicant may wish to use a safety case to demonstrate that it has satisfied the ELOS standard; however, the FAA declines to add prescriptive audit requirements for its use. An applicant could, but is not required to, use a safety case to show that a certain method satisfies an ELOS to a regulatory requirement, excluding the requirements of § 450.101(a), (b), (c)(1), (c)(3), (d), (e)(1), and (g). A safety case is not required to demonstrate ELOS. It is one way to provide rationale for ELOS. An applicant could use a safety case or other justification for ELOS.

Virgin Galactic recommended that safety cases be counted as an alternative to CEC in § 450.101(c). The Boeing Company (Boeing), Lockheed Martin Corporation (Lockheed Martin), Northrop Grumman Corporation (Northrop Grumman), and United Launch Alliance (ULA) sought clarification as to why § 450.37 would not apply to § 450.101. Similarly, Blue Origin, CSF, SpaceX, and Virgin Galactic commented that ELOS should be allowed for § 450.101(c).

The FAA agrees with allowing ELOS for § 450.101(c)(2). This allows an operator to make a safety case or provide some other justification for an ELOS determination for an alternative method to protect against a high consequence event, such as safeguards other than flight abort, or an alternative to CEC as a measurement of the potential for a high consequence event, such as a risk profile, both of which are described more in the preamble section discussing § 450.101(c). Section 450.101(a), (b), (c)(1), (c)(3), (d), (e)(1), and (g) contain the core safety requirements to protect people and property on land, at sea, in the air, and in space. Any proposed non-compliance with these risk requirements will require a waiver and is not eligible for a demonstration of ELOS. By contrast, all other flight safety requirements in part 450 subpart C, which can be demonstrated through ELOS, support the achievement of these underlying risk criteria. To use an ELOS, an operator may demonstrate that an alternative approach provides an equivalent level of safety to a requirement in accordance with § 450.37. A petition for waiver must be submitted at least 60 days in advance and address why granting the request for relief is in the public interest and will not jeopardize the public health and safety, safety of property, and national security and foreign policy interests of the United States in accordance with § 404.5.

Boeing, Lockheed Martin, Northrop Grumman, and ULA commented that the FAA should accept a Federal launch or reentry site's safety processes as providing an ELOS to the FAA's own safety standards without any additional safety requirements.

The FAA disagrees. FAA regulations apply to licensed launches and, in accordance with § 450.45(b) (Safety Review and Approval), the FAA will accept any safety-related launch or reentry service provided by a Federal launch or reentry site or other Federal entity by contract, if the FAA determines that the launch or reentry service satisfies part 450. Although it is possible for the FAA to find that a service provided by a Federal launch or reentry site does not satisfy a requirement in part 450 but does provide an ELOS, the FAA needs to make that determination on a case-by-case basis.

iii. “As agreed to by the Administrator”

Throughout the NPRM, the FAA used the clause “as agreed to by the Administrator.” The term was used in all time frame requirements, as well as in proposed §§ 450.3(a) and (b)(1), 450.33, 450.101(c), 450.113(a)(5), 450.107(b)(2), 450.107(d), 450.147(c), 450.173(g), 450.213(a), and 450.215(b). As stated in the proposal, this clause is used to mean that an operator may submit an alternative to the proposed requirement to the FAA for review. The FAA must agree to the operator's proposal for the operator to use the alternative.

CSF and SpaceX commented that it was unclear how the clause “as agreed to by the Administrator” differed from an ELOS determination. CSF and SpaceX requested that the FAA describe its expectations and capture any process associated with this option in guidance. CSF and SpaceX also recommended adding “unless otherwise agreed to by the Administrator” to the beginning of proposed § 450.101(c).

The clause “as agreed to by the Administrator” means that an operator may submit an alternative to a regulatory requirement. The FAA must agree to the operator's proposal for the operator to use this alternative. Unlike an ELOS determination, an applicant need not demonstrate that this alternative satisfies an ELOS to the requirement. Each use of the term “as agreed to by the Administrator” includes criteria or considerations by which the FAA will agree to a different approach than the regulatory requirement. An applicant should look to these criteria or considerations to determine what the FAA would expect from an applicant when providing an alternative proposal.

For most of the requirements in part 450, an applicant may demonstrate an equivalent level of safety if the applicant is unable to meet a requirement. In addition, an operator may request a waiver to any requirement. An ELOS may be submitted in a license application and must clearly and convincingly demonstrate that an alternative approach provides an equivalent level of safety to the requirement. A petition for waiver must be submitted 60 days in advance and address why granting the request for relief is in the public interest and will not jeopardize the public health and safety, safety of property, and national security and foreign policy interests of the United States.

For some requirements, the FAA anticipated the need for additional regulatory flexibility without the burden of providing an equivalent level of safety or applying for a separate waiver. For those requirements, the FAA has incorporated the clause “as agreed to by the Administrator” to mean that an operator may submit an alternative to the proposed requirement to the FAA for review. For each requirement where the FAA has provided additional flexibility by including the “as agreed to by the Administrator” clause, the FAA has also provided criteria that the Administrator will consider in determining whether to approve the alternative approach, including safety considerations when appropriate. For example, an alternative time frame will generally be accepted if it provides sufficient time for the FAA to review the submittal. These alternatives will typically be agreed to in pre-application consultation.

The FAA addresses the recommendation from CSF and SpaceX by including ELOS in § 450.101(c)(2). The use of ELOS and “agreed to by the Administrator” for § 450.101(c) is discussed in more detail in the preamble section addressing CEC.

iv. Time frames

In the NPRM, the FAA proposed to allow an operator to propose different time frames for certain regulatory sections if “agreed to by the Administrator”. Blue Origin, CSF, and SpaceX disagreed with this approach and requested that the FAA remove any requirement to submit such a request in a specific time frame other than as soon as the operator understands that a different time frame is necessary. Virgin Galactic recommended that alternate time frames should be spelled out within an operator's license application documents and suggested alternative regulatory text.

The FAA disagrees with the approach to remove specific time frames because the time frames are designed to ensure the FAA has sufficient time to conduct its review and make the requisite public health and safety, safety of property, and national security and foreign policy findings. The FAA notes that the time frames proposed in the NPRM and adopted in the final rule are default time frames. An applicant can propose and the FAA can accept an alternative time frame. The FAA expects alternative time frames to be proposed and accepted during pre-application consultation or during the application process so that the agreed to time frames are then reflected in the license once issued. Time frames can be adjusted after a license is issued through the license modification process, as opposed to the waiver process under the current regulations. However, in most cases, the FAA expects flexible time frames to be negotiated for all the launches or reentries under the license prior to the first licensed activity.

v. Level of Rigor Based on Experience

An individual commenter stated startup launch operators should not operate under the same regimen as experienced operators. This individual stated that startup operators should be subject to strict and precise regulations. Similarly, another individual expressed concern that the proposed rule would apply performance-based requirements to launch vehicles with no prior launch history. SpinLaunch, Inc. (SpinLaunch) commented that the correct regulatory framework should consist of an applicant's demonstrating the necessary skills and knowledge to perform safe and accepted operations.

The FAA disagrees that startup launch operators should operate under a different regulatory regime than experienced operators, and that performance-based requirements should not apply to launch vehicles with no prior launch history. Performance-based requirements provide flexibility to all operators. Means of compliance located in ACs and other standards that have been identified as accepted means of compliance to part 450 provide detailed guidance to those new operators that have not yet established safety processes and procedures. In response to SpinLaunch's comment, the final rule is structured such that an applicant must demonstrate to the FAA the necessary skills and knowledge to perform safe operations in its launch or reentry license application.

2. Part 450 Subpart A—General Discussion

a. Pre-Application Consultation

In the NPRM, the FAA proposed to retain the requirement for pre-application consultation from § 413.5 (Pre-Application Consultation) because the various flexibilities proposed in this rule would benefit from pre-application discussions. These include incremental review, timelines, and the performance-based nature of the regulatory requirements. In the final rule, the FAA adopts the proposal with no changes to the existing pre-application consultation provision.

As proposed, this rule retains pre-application consultation for vehicle operators seeking a license. The FAA will also publish a pre-application consultation Advisory Circular, which will provide additional guidance but will not establish new regulatory requirements. Pre-application consultation will continue to focus on compliance planning and ensuring the applicant can prepare an acceptable application, which will increase the efficiency of the licensing process. The length of pre-application consultation will vary based on the proposed operation. For example, pre-application consultations may be longer when involving new launch vehicles that are under development or with operators inexperienced with FAA's regulations. Alternatively, pre-application consultations with operators who demonstrate knowledge of FAA regulations and/or use proven vehicles from established sites should be considerably shorter. The FAA expects to discuss the following topics with an applicant during pre-application consultation, to the extent they are relevant to the applicant's proposed operation: Entrance and exit criteria for pre-application consultation, the intended means of compliance to meet the regulatory requirements in part 450, the scope of the license, safety element approvals, incremental review, review period for license evaluation, compliance expectations, and time frames an operator is required to meet to satisfy part 450. Some of the topics allow for flexibility that can result in a more efficient licensing process for both the applicant and the FAA.

The FAA will continue to consider the following factors to determine if a prospective applicant is ready to begin pre-application consultation: Whether the concept of operations is realistic and whether the prospective applicant is able to provide a program schedule that includes definition of significant milestones and a funding source or sources. The regulatory requirements for a launch and reentry license are the same for all applicants; however, FAA expects it will take longer for less experienced operators to meet all of the requirements. As currently required, to exit pre-application consultation and begin the license evaluation period, an application must be complete enough in accordance with § 413.11 (Acceptance of an application). A complete enough application must include enough information for the FAA to start its review. The FAA will screen an application in its entirety or in modules to determine whether it is complete enough for the FAA to start its review. The components of a vehicle operator license application are listed in § 450.31 (General) and include a policy review, a payload review, a safety review that complies with Subpart C, an environmental review, and information necessary to satisfy the maximum probable loss analysis required by part 440.

For the five sections listed in § 450.35(a), an applicant must use a means of compliance that has been accepted by the Administrator prior to application acceptance. An applicant may propose another standard or a unique means of compliance for these five sections before submitting its application.[20] Furthermore, many requirements throughout the final rule allow an operator to use an alternative method if that method has been agreed to by the Administrator. This allowance maximizes flexibility and will reduce the need for the applicant and the FAA to use process waivers. During pre-application consultation, the FAA anticipates that applicants will discuss the means of compliance they plan to use for the remaining sections of the rule, and any alternative means they plan to use for those sections that allow alternative means of compliance. While the FAA anticipates that this pre-application consultation will expedite license review times and aid both FAA and applicant, it is only required for the sections listed in § 450.35(a).

The final rule has built-in flexibilities for determining the beginning and end of launch such that the launch is scoped to an individual operator's unique circumstances. It is important that the applicant and the FAA come to a mutual understanding during pre-application consultation about the beginning and end of launch for the license. The beginning and end points of a launch operation define the extent of a number of requirements, including, but not limited to, indemnification and FAA oversight. Therefore, an applicant should define the beginning and end of its operation during pre-application consultation, and should coordinate with the FAA before finalizing and submitting its application.[21] In this way, the applicant can ensure that the FAA will evaluate the complete scope of its proposed operation.

If an applicant is planning to seek a safety element approval, the applicant must continue to consult with the FAA before submitting its application in accordance with § 414.9 (Pre-Application Consultation). Doing so will help ensure that the FAA and the applicant have a thorough understanding of how the applicant will comply with the regulatory requirements surrounding a safety element approval before submitting an application. During pre-application consultation, the FAA would expect an applicant to be able to discuss, at a minimum, the following information as outlined in § 414.15: (1) How the applicant will meet the applicable requirements of part 450; (2) the information required in § 414.13(b)(3), (c)(2), and (c)(3); and (3) the sections of the license application that support the application for a safety element approval.

If an applicant is proposing an incremental review of its application, the applicant must have its approach approved by the FAA prior to submitting its application, in accordance with § 450.33 (Incremental Review and Determinations). Incremental review is intended primarily to give additional flexibility to the applicant, by allowing the applicant to separate the safety review into sections so that those sections can be approved independently. In many ways, the incremental review process is similar to the independent payload review or a safety element approval process because it allows the applicant to comply with the safety approval portion of the regulation in modules or sections rather than all at once. An applicant considering the use of the incremental review process should indicate to the FAA during pre-application consultation which portions of its application will be evaluated under the incremental review process. See the Incremental Review section of this preamble for further discussion.

Finally, part 450 allows an operator to propose alternative time frames for certain requirements, which are listed in Appendix A to part 404. If an operator knows in advance of application submittal that it will propose an alternative time frame, the applicant should raise this proposal during pre-application consultation. The FAA would also be able to discuss during pre-application consultation the FAA's expected review period to make its determination on the proposed alternative time frame. Flexible time frames are discussed at length later in this preamble.

The FAA received several comments on the pre-application consultation process. An individual commenter stated that pre-application consultation may not provide substantial benefits for an existing program and suggested allowing the FAA to request a pre-application consultation process with a 30-day completion timeline for any “material changes” to existing programs deemed as posing a significant risk to the safety of the vehicle. The commenter also suggested the FAA could request this process at least 60 days before the integration of the launch vehicle. The commenter stated that past performance of space flights and aircraft should be taken into consideration for the level of rigor for the pre-application process.

The FAA will not attach a schedule to pre-application consultation but agrees with the commenter that a material change can be discussed as part of pre-application consultation. The FAA acknowledges that pre-application consultation should be minimal for experienced operators using proven vehicles from established sites. This type of abbreviated consultation period for experienced operators would be consistent with the pre-application process prior to issuance of this final rule. The FAA disagrees with a 30-day completion timeline for pre-application consultation for any material change to existing programs. The FAA also disagrees with the suggestion that the FAA request pre-application consultation at least 60 days before integration of the launch vehicle or that pre-application consultation be tied to the flight safety risk of the vehicle. These timelines and criteria may be inadequate in some cases to prepare a complete application properly; in others, they might result in unnecessary delays in addressing and implementing critical safety changes. In addition, the FAA will not tie pre-application consultation to risk to the vehicle because the FAA does not oversee risk to the vehicle but rather risk to the public.

Sierra Nevada noted that operators could work with the FAA to develop a program schedule and define anticipated data submissions during pre-application consultation. Sierra Nevada noted that this use of the consultation process was not specifically codified in the proposed regulations and recommended including it expressly in an AC.

The FAA agrees and will include guidance on application scheduling and data submissions in the pre-application consultation AC. The FAA considered including more robust requirements for pre-application consultation in the final rule; however, the FAA concluded that the current regulation both prepares the applicant to submit a complete application and the FAA to accept it, while also providing flexibility to the applicant to approach pre-application consultation in a manner that best fits the proposed operation.

b. Application Process

In the NPRM, the FAA proposed to clarify in § 413.1 (Scope of this Part) that the term “application” means either an application in its entirety or a portion of an application for incremental review. In § 413.21 (Denial of a License or Permit Application), the FAA proposed to remove “license” from paragraph (c) so the regulation applied to both license and permit applications. In part 414 (Safety Element Approvals), the FAA proposed to change the term “sufficiently complete” to “complete enough,” as used in § 413.11 (Acceptance of an Application), because the two terms both described the point at which the FAA determined it had sufficient information to accept an application and begin its evaluation. Finally, the FAA proposed to amend § 413.7 (Application Submission) paragraph (a)(3) to allow an applicant the option to submit its application by email as a link to a secure server and remove the requirement that an application be in a format that cannot be altered. In the final rule, the FAA adopts these changes as proposed.

A joint set of comments submitted by Boeing, Lockheed Martin, Northrop Grumman, and ULA expressed support for the proposal to allow the submission of an application using physical electronic storage.

In addition, the FAA received suggested changes to the generic application process. The American Association of Airport Executives (AAAE) and the Denver International Airport commented on the need for further engagement with stakeholders during an operator's application process. These commenters said the FAA should provide an opportunity for affected stakeholders to provide input on an operator's application regarding issues such as impacts to the National Airspace System (NAS). Denver International Airport stated that stakeholders should be able to submit comments on license applications.

The FAA does not agree that an application should be open to a public input process. The FAA issues a license based on whether the applicant's proposal will not jeopardize public health and safety, the safety of property, and the national security and foreign policy interests of the United States. The FAA coordinates with government or private entities as necessary to make this determination. A broad public input process outside the environmental review process is unnecessary for the FAA to make its licensing determination. While commenters may seek the opportunity to raise issues such as non-safety impacts to the NAS or the economic impact to land adjacent to a launch, the FAA cannot consider such issues in the licensing determination.

The NPRM specifically sought comments on how the FAA could standardize and better implement the “complete enough” application standard. Sierra Nevada inquired whether the FAA will still conduct a complete enough review. Sierra Nevada concurred with the FAA's approach in conducting complete enough reviews but commented that the FAA should specify a timeline for these reviews. SpaceX commented that the FAA should aim to conduct its complete enough review within ten days of receipt of submission and apply that standard to submissions for continuing accuracy, renewals, and modifications. Furthermore, Sierra Nevada asserted that the review should be included in the FAA's statutory 180-day review period or a new, defined timeline. CSF and SpaceX recommended that the complete enough standard in current § 413.11 be expanded to apply to any application submission, including the initial license application, continuing accuracy submissions, and modification submissions. CSF and SpaceX suggested regulatory text changes to § 413.11 to this end. Both commenters also requested the FAA issue an AC that explains how the agency makes the complete enough determination, including a checklist comprising regulatory sections that require submissions. Virgin Galactic recommended that what constitutes “complete enough” be agreed upon by both the applicant and the FAA during the pre-application consultation phase and provided several changes to the regulatory text.

The FAA will continue to use the complete enough standard to determine whether a license is sufficiently complete to begin review. The FAA endeavors to make these determinations within 14 calendar days of receiving an application. Limiting the FAA to ten days, as suggested by SpaceX, may not provide adequate time for review. The FAA begins the calculation of the 180-day statutory review period on the date that it receives the information needed to make the application complete enough, regardless of how long it takes to make that determination. The FAA does not base this calculation on the date it determines that the application is complete enough. The complete enough standard applies to any submission, including those for license modifications for consistency. The FAA has applied this standard to submissions for license modifications and, when necessary, requested additional information and clarifications to allow it to proceed with its evaluation. Section 450.211(c) states that an application to modify a license must be prepared and submitted in accordance with part 413. Therefore, § 413.11 is applicable to an initial license application submission and license modification submissions and does not need to be modified to apply to any application submission. The FAA will work closely with applicants on a case-by-case basis to determine what changes may be made without invalidating the license. In accordance with § 450.211(c), the licensee must apply to the FAA for modification of the license once a license has been issued, except for the allowable changes identified by the FAA. An operator may propose an alternate method from part 413 to request a license modification. This alternate method could include an agreed-upon submittal schedule and FAA review period.

It should be noted that § 450.211 (Continuing Accuracy of License Application; Application for Modification of License) also covers license modification submissions related to continuing accuracy. The FAA will provide an AC that includes application checklists that an applicant can choose to use to help guide application submittal. However, additional information may be needed depending on the type of operation.

In response to Virgin Galactic's comments, the FAA agrees that dialogue as to what constitutes “complete enough” can be part of the pre-application consultation, but disagrees that any change in the regulatory text is required. One of the primary purposes of pre-application consultation is to provide the applicant guidance in preparing its license application. Although the FAA determines when an application is complete enough to begin its review, the FAA expects to develop collaboratively agreed upon criteria with an applicant for determining “complete enough” during pre-application consultation. By allowing applicants and the FAA to negotiate criteria for “complete-enough” during pre-application, the FAA anticipates applicants will be able to more predictably track their progress toward completing the application.

CSF and SpaceX also suggested that the FAA provide a substantive response to submittals within 30 days of receiving the application. CSF also suggested the FAA provide status updates to an applicant every two weeks.

The FAA already typically provides written response to submittals within 30 days, often much sooner. In some instances, however, the FAA requires more than 30 days to draft a response, especially for highly technical analyses. The FAA also provides a substantive response to an applicant in writing whenever additional information is required and, therefore, does not see a compelling rationale for a requirement to provide status updates on a predetermined schedule. However, FAA recognizes the concerns expressed by operators regarding extended delays between communications in certain circumstances. While the FAA does not believe establishing a specific time period for communication to applicants is a necessary component of its regulatory framework, it also recognizes the need for applicants to stay informed and anticipates communicating with applicants throughout the application process, including procedural changes to ensure applicants will be provided a status update within 14 days of receipt of an application.

c. Compliance Period for Legacy Licenses (§ 450.1(b))

In the NPRM, under proposed § 450.1(b) and subject to two exceptions, the FAA would permit an operator to conduct a launch or reentry pursuant to a license issued by the FAA under parts 415,[22] 431, and 435 before the effective date of the new part 450 or an application accepted by the FAA before the effective date of part 450. Even though the operator could continue to conduct operations under the regulations in effect at the time of license or application as referenced above, the proposed requirements under §§ 450.169 for collision avoidance analysis (COLA) and 450.101(a)(4) and (b)(4) for critical asset protection would apply to all operators subject to the FAA's authority under 51 U.S.C. chapter 509 conducting launches after the effective date of the new regulations. The FAA would determine the applicability of part 450 to an application for a license modification submitted after the effective date of the part on a case-by-case basis based on the extent and complexity of the modification, whether the applicant proposes to modify multiple parts of the application, or if the application requires significant reevaluation.

The FAA adopts § 450.1 (Applicability) with revisions. The FAA does not adopt § 450.1(b) as proposed in the NPRM. While the FAA adopts the concept as proposed in § 450.1(b) in parts 415, 417, 431, and 435, it also makes corresponding changes to §§ 413.23 and 415.3 to limit the duration of all licenses issued or renewed to no more than five years after the effective date of part 450. The FAA refers to these licenses as “legacy licenses” throughout this preamble. After that time, all operators must come into compliance with the new regulations. In the final rule, the FAA makes numerous revisions to certain regulations that apply to operators conducting operations under parts 415, 417, 431, and 435. These revisions include amending § 401.5 title to read “Definitions as Applied to Parts 415, 417, 431, 435,” adding new § 401.7 for definitions, updating § 413.1, and amending parts 415, 417, 431, 435, 440, and 460 to reference compliance with part 450.

The FAA notes that certain definitions in § 401.5 apply to parts 415, 417, 431, and 435. Therefore, because the FAA will allow operators that hold an approved license at the time this rule goes into effect, or an accepted license application within 90 days after the effective date of the final rule, to operate under parts 415, 417, 431, and 435 for up to five years, this rule preserves § 401.5 without change. Section 401.5 will be removed five years after the effective date of the final rule.

The FAA adds § 401.7, which contains the definitions that apply to Chapter III other than parts 415, 417, 431, and 435, and which broadly captures those changes proposed in § 401.5 in the NPRM. The FAA notes that parts 415, 417, 431, and 435 and § 401.5 will be removed five years after the effective date of the final rule.

Part 413 explains how to apply for a license or experimental permit. In the final rule, the FAA amends the table in § 413.1(b) to identify that the requirements in parts 415, 417, 431, and 435 apply only to applicants whose launch or reentry license has been approved or license application has been accepted by the FAA no later than 90 days after the effective date of the final rule. As previously mentioned, operators holding an approved launch or reentry license, or who have an accepted launch or reentry license application may choose to continue to operate under parts 415 and 417, part 431, and part 435, until five years after the effective date of this rule. The FAA also adds “Launch and Reentry License Requirements” as a subject in the table in § 413.1(b). Finally, the FAA adopts the provision that the FAA may grant a request to renew a license issued under parts 415, 417, 431 or with a non-standard duration in proposed § 450.1(b) and re-designates it as § 413.23(a)(2) in the final rule. Specifically, the FAA may grant a request to renew a license under parts 415, 431, and 435 with a non-standard duration so as not to exceed five years after the effective date of this rulemaking. The FAA adds an applicability section to parts 415, 431, and 435. These parts apply to such licenses issued before the effective date of the final rule and licenses issued on or after the effective date of the final rule if the FAA accepted the application under § 413.11 no later than 90 days after the effective date. All operators must comply with the COLA and critical asset protection requirements in part 450.

In the final rule, the FAA adds the phrase “pursuant to a license issued under part 415 of this chapter” to the scope in § 417.1(a). The FAA also removes § 417.1(e), which addresses grandfathering that is no longer used from when part 417 was first established. For the same reason, the FAA also removes the grandfathering reference to paragraph (e) in § 417.1(f). As a result of this amendment, the FAA re-designates § 417.1(f) and (g) as § 417.1(e) and (f) in the final rule.

The FAA further revises §§ 417.11 and 431.73 in the final rule. The FAA adds a paragraph stating that the Administrator may determine that a modification to a license issued under these parts must comply with the requirements in part 450. The Administrator will base the determination on the extent and complexity of the modification, whether the applicant proposes to modify multiple parts of the application, or if the application requires significant evaluation.

The FAA revises § 440.3, which addresses definitions. In the final rule, § 440.3 references the definitions contained in §§ 401.5 and 401.7. The reference to § 401.5 will be removed from § 440.3 five years after the effective date of the final rule.

Finally, the FAA revises § 460.45 to identify which mishap definitions an operator should apply in the description of the safety record of the vehicle to each space flight participant. Specifically, § 460.45(d)(1) addresses licenses issued under part 450. For these licenses, the operator's safety record must cover events that meet paragraphs (1), (4), (5), and (8) of the definition of a “mishap” in § 401.7 that occurred during and after vehicle verification performed in accordance with § 460.17. Section 460.45(d)(2) addresses licenses issued under parts 415, 431, or 435. For these licenses, the operator's safety record must cover launch and reentry accidents and human space flight incidents as defined by § 401.5. Five years after the effective date of the final rule, § 460.45(d)(1) will be re-designated as § 460.45(d), and § 460.45(d)(2) will be removed from § 460.45.

Several commenters asked for clarity on the FAA's approach in § 450.1(b) to legacy licenses issued under the current regulations. CSF objected to requiring renewals of licenses issued under the current regulations to meet the requirements of proposed part 450, as this would result in significant cost and regulatory burdens for the operator and the FAA.

As previously noted, the FAA does not adopt § 450.1(b) in the final rule. However, the FAA implements the concept as proposed in § 450.1(b) in parts 415, 417, 431, and 435. In the final rule, the FAA establishes a five-year period after the effective date of this rule. Operators holding either an active license or an accepted license application no later than 90 days after the effective date of this rule may operate under the applicable regulatory provisions upon which the licensing determination was made. In addition, these operators may submit requests for license renewals within that five-year period and will be required to comply with the regulations under which the license determination was made.[23] The FAA has revised §§ 413.23 and 415.3 to reflect that no license issued under parts 415, 431 or 435 will be renewed with an expiration date that extends beyond the five-year period. As such, applications for renewal submitted near the end of the five-year period will be valid only for a short time. All operators will need to comply with this rule in its entirety five years after its effective date.

CSF noted that operators under current parts 431 and 435 would need to come into compliance with the proposed part 450. Similarly, Virgin Galactic requested that FAA allow currently licensed operators to be grandfathered into part 450 for vehicles that cannot meet certain part 450 requirements as long as the current public safety requirements are met. Virgin Galactic stated that, unlike ELV operators, RLV operators use their vehicles repeatedly, and the FAA has not shown why it is necessary for current operators to undergo new analyses and possible design changes. Virgin Galactic noted that the FAA's aviation regulations allow for “true” grandfathering. Virgin Galactic commented that if the FAA chooses not to allow for “true” grandfathering, it should work with each licensee during pre-application consultation to determine applicability of the new rule to modifications to current licenses.

The FAA notes that as the final rule is more performance-based than the rule as proposed in the NPRM, many of the current requirements would serve as a means of compliance to meet the new regulations. The FAA anticipates that there would be few, if any, additional requirements that will not be fulfilled by previously submitted information. The FAA will not allow operating under parts 415, 417, 431, and 435 indefinitely because the current rule is more streamlined, performance-based, and up-to-date than the previous regulations. Therefore, the FAA will require all operators to come into compliance with the new rule five years after the effective date. The FAA will consult with existing licensees shortly after the final rule is published to assist operators with the transition to part 450 so they may take advantage of the significant number of new flexibilities.

CSF objected to the lack of clarity on grandfathering and recommended that the FAA make clear that a licensee approved under the current licensing regime may continue to renew its approvals, with no significant changes, without having to apply under part 450. License renewals without significant changes may continue to be renewed, but not to exceed the five-year compliance period.

Operators currently holding an active, valid license will have five years after the effective date of this rule to come into compliance with the entirety of part 450. If a license expires before the end of this period, an applicant may seek a renewal under the previous provisions in parts 415, 417, 431, and 435, but the renewal will only be valid for however much time remains between the time of issuance of the renewal and the end of the five-year period.

Virgin Galactic recommended the FAA hold a pre-application phase for all current license holders to ensure that licensees and the FAA are in agreement as to whether the FAA would require part 450 requirements or parts 415, 417, 431, and 435 requirements when an operator requests to modify a legacy license once part 450 becomes effective.

During the five-year compliance period, an operator may need to modify its legacy license. The provisions that relate to modification are contained in §§ 417.11 and 431.73. Whether or not new license modifications need to comply with part 450 is subject to Administrator approval on a case-by-case basis, which can be determined during consultation with the FAA before the applicant requests the modification. In making the determination as to whether a license modification is necessary to comply with the new requirements, the Administrator will consider the extent and complexity of the modification, whether the licensee would need to modify multiple parts of the application, or if the license requires significant reevaluation. The FAA encourages licensees to consult with the FAA on transitioning to part 450 in advance of the compliance period deadline.

d. Definition and Scope of Launch (§ 450.3)

In the NPRM, the FAA proposed to set the scope of activity authorized by a vehicle operator license by identifying the beginning and end of launch in § 450.3 (Scope of Vehicle Operator License).[24]

i. Beginning of Launch

In § 450.3(b)(1) and (b)(2), the FAA proposed that launch begins under a license with the start of hazardous activities that pose a threat to the public at a U.S. launch site. The proposed rule further stated that, unless agreed to by the Administrator, those hazardous pre-flight ground operations would commence when a launch vehicle or its major components arrive at a U.S. launch site. For a non-U.S. launch site, the FAA proposed that launch begins at ignition or first movement that initiates flight.

In the final rule, the FAA adopts proposed § 450.3(b)(1) and (b)(2) with revisions. First, the FAA does not adopt the proposed default that hazardous ground pre-flight operations commence when a launch vehicle or its major components arrive at a U.S. launch site. The final rule identifies certain activities that qualify as hazardous pre-flight operations, including but not limited to, pressurizing or loading of propellants into the vehicle or launch system, operations involving a fueled launch vehicle, the transfer of energy necessary to initiate flight, or any hazardous activity preparing the vehicle for flight. Second, this rule also clarifies that hazardous pre-flight operations do not include the period between the end of the previous launch and launch vehicle reuse when the vehicle is in a safe and dormant state. Finally, this rule adds language in § 450.3(a) that allows the Administrator to agree to a scope of license different from that laid out in § 450.3(b), as discussed later in this document. An applicant wishing to deviate from the scope of license parameters laid out in § 450.3(b) would discuss the deviation during pre-application consultation. The FAA would only allow a deviation for unique operations where the scope of license continued to cover those hazardous launch activities identified by statute.

CSF, SpaceX, and Virgin Galactic suggested proposed § 450.3(b)(1) be revised to remove reference to the arrival of major components at a U.S. launch site as beginning of launch. Virgin Galactic noted that the beginning of hazardous pre-flight ground operations should be determined only on a case-by-case basis and commented that the arrival of components at a launch site was an inappropriate prescriptive default limit chosen for administrative convenience. CSF, SpaceX, and Virgin Galactic also requested that the FAA limit the beginning of hazardous pre-flight operations only to include potential threats to the public over which no other Federal regulatory agency has jurisdiction.

The FAA agrees that the beginning of pre-flight ground operations should be determined on a case-by-case basis because each operation is unique. The FAA recognizes that with this flexibility comes some ambiguity as to when launch will begin for each unique operation. The designation of when launch begins is important for both operators and the FAA. Among other things, the financial responsibility protections apply from beginning to end of launch. Therefore, a clear understanding of when launch begins is essential for an operator to understand fully its responsibilities under chapter III and for the FAA to satisfy its obligations, including the calculation of maximum probable loss (MPL).

Because the proposed default beginning of launch, phrased as “arrival of major components at a U.S. launch site,” is removed from § 450.3(b)(1) in the final rule, an application requirement is added to § 450.3(d) to require an operator to identify the scope of the license being sought in the application, specifically pre- and post-flight ground operations. The final rule requires an applicant intending to launch from a U.S. launch site to identify pre- and post-flight ground operations such that the FAA is able to determine when the launch operation would begin and end. This requirement applies only to launches from a U.S. launch site, as launches from a non-U.S. launch site begin at ignition or first movement that initiates flight. The FAA anticipates that an applicant would identify hazardous pre- and post-flight operations that are reasonably expected to pose a risk to the public. During pre-application consultation, the applicant is expected to describe to the FAA its launch site and its intended concept of operations leading up to a launch, including any operations that are potentially hazardous to the public. Once the FAA and the applicant have a clear, mutual understanding of the applicant's concept of operations, the FAA and the applicant will agree on a starting point for hazardous pre-flight operations, and thus, the beginning of launch. The applicant will provide that information in its application and scope its application materials based on this starting point. The scope of the license lends itself to the first module of an incremental review.

The FAA also agrees that the arrival of components at the launch site is an unnecessarily prescriptive baseline that may not constitute the threshold for hazardous pre-flight operations for all launches. Therefore, the FAA revises § 450.3(b)(1) to remove the reference to arrival of components at a launch site. Because the beginning of launch is an important designation upon which many licensee responsibilities rely, the FAA has added to the regulatory text certain activities that constitute hazardous pre-flight operations. The list of hazardous pre-flight operations added to the final regulatory text is derived from the preamble text in the NPRM explaining the proposal.[25] Hazardous pre-flight operations include, but are not limited to, pressurizing or loading of propellants into the vehicle or launch system, operations involving a fueled launch vehicle, the transfer of energy necessary to initiate flight, or any hazardous activity preparing the vehicle for flight. This list is not exhaustive, and during pre-application consultation the FAA or an applicant may identify an activity not included in this list that poses a hazard to the public and may constitute the beginning of launch. The FAA retains the ability to determine that licensed oversight is unnecessary for certain activities if the Administrator determines that they do not jeopardize public health and safety, safety of property, and the national security and foreign policy interests of the United States.

The FAA further amends § 450.3(b)(1) to indicate clearly that activities occurring between launches of reusable vehicles will not be considered hazardous pre-flight activities if the vehicle is in a safe and dormant state. Generally, a launch system is in a safe and dormant state when it is not undergoing the pressurizing or loading of propellants, a transfer of energy necessary to initiate flight, operations involving a fueled launch vehicle, or any other hazardous activity preparing the vehicle for flight. The NPRM preamble discussed the exemption of RLVs if a vehicle is in a safe and dormant state.[26]

One commenter suggested the definition of beginning of flight for hybrid vehicles be changed to include the first forward motion of the vehicle with the intent for takeoff.

The FAA agrees that the beginning of flight for a hybrid vehicle is the first forward motion of the vehicle with the intent to take off. However, the FAA will continue to use “first movement that initiates flight” to define beginning of the flight phase of launch because it better accommodates all vehicle types.

Regarding the FAA's jurisdiction over launch activities at a non-U.S. launch site, CSF stated that proposed § 450.3(b)(2) could be problematic for captive carry technologies for which an operator must comply with the oversight of foreign aviation authorities. CSF suggested removing reference to “the first movement that initiates flight.”

The FAA does not adopt CSF's recommendation because the current regulation is flexible enough to accommodate all launch vehicle technologies at non-U.S. sites, as well as comprehensive enough to protect public safety. Starting launch at ignition will not capture the full flight of the captive carry hybrid vehicle system. The FAA regulates all of the components of a hybrid vehicle system, including any captive carry operations under a license; however, as discussed earlier, the flexibility in § 450.3(a) for the Administrator to adjust the scope of license applies to § 450.3(b)(2) as well. In the case of a unique operation for which hazardous activities begin later than first movement or ignition, the Administrator may agree to a different beginning of launch for that operation.

Virgin Galactic recommended that the FAA continue to avoid duplicating oversight and memorialize that commitment in its description of the beginning of launch as starting when hazardous pre-flight ground operations commence at a U.S. launch site that pose a threat to the public and over which no other Federal regulatory agency has jurisdiction.

The FAA has amended the regulation to address duplicative oversight at Federal launch or reentry sites in the final rule. These changes are discussed in the preamble section addressing launches and reentries from a Federal launch or reentry site. The FAA does not agree with the comment that launch under this chapter may only begin at a site over which no other Federal agency has jurisdiction. In fact, many sites, such as Federal sites or launch sites co-located at airports, may be subject to the jurisdiction of multiple Federal agencies depending on the types of activities that are conducted.

ii. End of Launch

In the NPRM, the FAA proposed to amend the definition of end of launch to remove reference to RLVs and ELVs. Although it did not receive comment on this proposal specifically, the FAA makes the following additional changes to the end of launch language: The addition of “vehicle component” and “impact or landing” throughout to ensure the definition captures a broader variety of operations; and the addition of “deployment” in § 450.3(b)(3) to include operations for which a payload remains on the vehicle. Under § 450.3(b)(3) and (c), the FAA replaces each use of “vehicle stage” in the proposed rule in recognition of the fact that components other than vehicle stages may return to Earth. Examples include a discarded engine or payload fairing. In addition, throughout § 450.3(b)(3) and (c), the FAA includes “impact or landing” in the end of launch and reentry sections in the scope of license requirements where the proposal only referred to one or the other or failed to reference either. With the increasing efforts to reuse components, including both impact and landing throughout § 450.3(b)(3) and (c) encompasses a broader range of activities because landing includes a soft vertical landing or runway landing of a vehicle or component, whereas impact is more accurate to describe a hard landing of a stage or component. Under § 450.3(b)(3)(ii), the FAA adds that, for an orbital launch of a vehicle with a reentry of the vehicle, launch may also end “after vehicle component impact or landing on Earth, after activities necessary to return the vehicle or component to a safe condition on the ground after impact or landing.” This additional language accommodates a carrier vehicle landing after the completion of the orbital part of the launch.

CSF, SpaceX, and Virgin Galactic expressed confusion regarding proposed § 450.3(b)(3), and requested clarity regarding proposed § 450.3(b)(3)(iv), including when reentry applies to suborbital vehicles and end of launch. The FAA introduced suborbital reentry in its experimental permit final rulemaking in 2007. In that rulemaking, the FAA stated that:

A suborbital rocket may engage in reentry. For most suborbital launches, whether the flight entails a reentry will not matter from a regulatory perspective. The FAA will authorize the flight under a single license or permit, implementing safety requirements suitable to the safety issues involved. Recognizing suborbital reentry matters for two reasons. First, if a suborbital rocket is flown from a foreign country by a foreign entity into the United States, that entity may require a reentry license or permit from the FAA, depending on whether the planned trajectory of the rocket includes flight in outer space. Second, a permanent site that supports the landing of suborbital rockets may now be considered a reentry site depending, once again, on whether the planned trajectory reaches outer space.[27]

The NPRM did not propose any change to this framework, and no change is made in the final rule.

Virgin Galactic commented that the FAA should include specific parameters for suborbital reentry. Virgin Galactic also recommended additional regulatory language specifying that, for a suborbital reentry, reentry ends when each vehicle has returned to Earth and has been returned to a safe condition as defined in the operator's application documents. As noted earlier, a suborbital reentry requires flight into outer space.

This distinction does not change when launch ends for a suborbital vehicle because, whether a vehicle or vehicle component impacts or lands on Earth due to a launch or reentry, the launch or reentry would end at the same point in time; namely, after activities necessary to return the vehicle or vehicle component to a safe condition on the ground after landing. (See § 450.3(b)(3)(iv) and (c)).

CSF and SpaceX suggested that orbital launch without a reentry in proposed § 450.3(b)(3)(i) did not need to be separately defined by the regulation, stating that, regardless of the type of launch, something always returns: Boosters land or are disposed, upper stages are disposed. CSF and SpaceX further requested that the FAA not distinguish between orbital and suborbital vehicles for end of launch.

The FAA does not agree because the distinctions in § 450.3(b)(3)(i) and (ii) are necessary due to the FAA's limited authority on orbit. For a launch vehicle that will eventually return to Earth as a reentry vehicle, its on-orbit activities after deployment of its payload or payloads, or completion of the vehicle's first steady-state orbit if there is no payload, are not licensed by the FAA. In addition, the disposal of an upper stage is not a reentry under 51 U.S.C. Chapter 509, because the upper stage does not return to Earth substantially intact.

The FAA proposed in § 450.3(b)(3)(ii) that for an orbital launch of a vehicle with a reentry of the vehicle, launch ends after deployment of all payloads, upon completion of the vehicle's first steady-state orbit if there is no payload, after vehicle component impact or landing on Earth, after activities necessary to return the vehicle or component to a safe condition on the ground after impact or landing, or after activities necessary to return the site to a safe condition, whichever occurs later. The final rule changes “if there is no payload” to “if there is no payload deployment” to clarify the FAA's intent on how to determine the end of launch for a vehicle carrying no payload or payloads that stay onboard a vehicle.

Both CSF and SpaceX proposed “end of launch” should be defined on a case-by-case basis in pre-application consultation and specified in the license. The FAA disagrees, in part. The FAA only regulates on a case-by-case basis if the nature of an activity makes it impossible for the FAA to promulgate rules of general applicability. This need has not arisen, as evidenced by decades of FAA oversight of end-of-launch activities. That said, because the commercial space transportation industry continues to innovate, § 450.3(a) gives the FAA the flexibility to adjust the scope of license, including end of launch, based on unique circumstances as agreed to by the Administrator. Unique circumstances may include, but are not limited to, unconventional technologies like railguns that may use innovative launch and reentry procedures requiring adjustments to a scope of license.

Finally, CSF pointed out that in the proposed rule, for hybrid vehicles, end of launch did not mention the recovery of carrier aircraft.

Section 450.3(b)(3) distinguishes orbital vehicles with and without a reentry, and suborbital vehicles with and without a reentry. A separate section for end of launch for hybrid vehicles is unnecessary because the same parameters apply to hybrids as apply to non-hybrid vehicles regarding end of launch. The FAA also acknowledges that the end-of-launch parameters do not mention the recovery of a carrier aircraft. Again, it is unnecessary to include this distinction because, during launch, a carrier aircraft is considered part of the launch vehicle.[28] Therefore, to the extent that § 450.3(b)(3) refers to activities necessary to return the vehicle or component to a safe condition on the ground after impact or landing, this reference will include returning the carrier aircraft to a safe condition after impact or landing.[29]

Blue Origin asked how the FAA plans to prevent disparate impacts of the proposed rule on those operators at multiuse facilities and at U.S. facilities. While the meaning of disparate impacts is unclear, the FAA construes the commenter as asking how the FAA will distinguish between launch and non-launch (e.g., manufacturing or refurbishment of pre-flown stages) activities at a launch site. Because launch begins with the start of hazardous pre-flight ground operations that prepare a vehicle for flight, an operator may manufacture or refurbish launch vehicle components or perform certain other activities on a launch site without requiring an FAA authorization during the time after the end of the launch and before hazardous operations begin for the next launch. This treatment is consistent with existing practice prior to this rule: a vehicle operator could theoretically perform non-launch related activities on a launch site without needing a license as long as those activities are not in the scope of the license and do not pose a risk to public safety.

The Airline Pilots Association (ALPA) suggested the FAA define “family of vehicles.”

The FAA does not define “family of vehicles” in this final rule because the industry continues to innovate and it would be premature to attempt to classify all types of vehicle families for the emerging and still-evolving commercial space industry. As discussed in the NPRM, launch operators often define “family of vehicles” themselves. Usually, the vehicles have similar base operational characteristics, but each member of the family may be capable of different performance characteristics.

AAAE and Denver International Airport believed that operating at a specific site should necessitate a separate and thorough review from the FAA, and that operators should not be able to receive one license covering multiple sites.

The FAA will perform a thorough and complete review of all sites where a vehicle is authorized to operate. An applicant will not be able to add another location to its license “with a lesser review standard” as described by the commenter. A licensee will have to meet all applicable regulations for all sites authorized in a license. Denver International Airport cited 49 U.S.C. 50904(d) to argue the FAA lacked statutory authority to grant a vehicle operator permission to operate from multiple launch and/or reentry sites on a single license. The FAA believes Denver International Airport meant to cite 51 U.S.C. 50904(d), which states that the Secretary of Transportation (the “Secretary”) shall ensure that only 1 license or permit is required from the DOT to conduct activities, including launch and reentry. The law does not prohibit the FAA from issuing a license that allows an operator to conduct an approved operation from various sites. Rather, section 50904(d) merely prevents the FAA from requiring multiple licenses for the same type of activity for which a license or permit is required under title 51 chapter 509.

e. Safety Element Approval (Part 414)

In the NPRM, the FAA proposed to change the part 414 term from “safety approval” to “safety element approval” to distinguish it from “safety approval” as used in parts 415, 431, 435, and 450. Also, the NPRM proposed to modify part 414 to streamline the process by enabling applicants to request a safety element approval in conjunction with a license application. The final rule adopts the changes as proposed.

Several commenters expressed general support for the FAA's proposed regulations regarding safety element approvals in part 414. Blue Origin concurred with the FAA's proposal and anticipated many benefits to an applicant's ability to submit a separate safety element approval. One individual commented that more extensive use of these approvals could increase operator flexibility and significantly simplify the licensing process for future launches.

Virgin Galactic recommended an operator that already holds a license be able to use previously submitted data to apply for a safety element approval. Virgin Galactic also noted that the language in the first sentence of proposed § 414.23 should be changed from “safety approval” to “safety element approval” to reflect the updated terminology.

The FAA agrees that an operator that already holds a license may use previously submitted data to apply for a safety element approval. Just as is the case with a license application or modification, an applicant can reference previously submitted data in its safety element approval application. The applicant will need to specify clearly what it is referencing and indicate the referenced material is still valid. In addition, the FAA has corrected “safety approval” to “safety element approval” in §§ 414.23 and 414.3.

An individual commenter suggested a new definition for safety element approvals for hybrid vehicles. The commenter suggested the definition include a reference to hybrid vehicle components that are critical to avoiding or mitigating hazards to the public, including vehicle characteristics.

The FAA does not agree that it should add a separate definition of “safety element approvals” specifically for hybrid vehicles. The definition of “safety element approval” is broad enough to encompass approvals for hybrid and non-hybrid vehicle systems. The definition already includes the phrase “any identified component thereof,” which includes a carrier vehicle. The FAA agrees that it is possible to craft a safety element approval for the types of hazard control strategies employed by hybrid vehicles. The FAA notes that the definition of a “safety element” includes launch vehicle, reentry vehicle, safety system, process, service, or any identified component thereof; or qualified and trained personnel performing a process or function related to licensed activities or vehicles. This definition would allow a hybrid operator to apply for a wide range of safety element approvals.

Regarding process, a joint set of comments submitted by Boeing, Lockheed Martin, Northrop Grumman, and ULA stated an operator should not be required to apply to the FAA to transfer a safety element approval under proposed § 414.33 when the transfer is due to a corporate transaction, reorganization, or restructure that does not affect the material content of the original application.

The FAA will apply the same standard for application, transfer, and issuance of a safety element approval as it does for a license. Name changes and internal corporate restructuring do not typically require a license transfer and therefore will not require a safety element approval transfer.

Microcosm, Inc. (Microcosm), inquired as to how the FAA will issue a safety element approval. The FAA will issue a safety element approval applied for concurrently with a part 450 license in accordance with part 414.

f. Vehicle Operator License—Issuance, Duration, Additional License Terms and Conditions, Transfer, and Rights Not Conferred (§§ 450.5 Through 450.13)

In the NPRM, the FAA proposed requirements addressing the issuance, duration, and transfer of a vehicle operator license in proposed §§ 450.5 (Issuance of a Vehicle Operator License), 450.7 (Duration of a Vehicle Operator License), and 450.11 (Transfer of a Vehicle Operator License), respectively. The FAA also proposed requirements addressing the addition and modification of licensing terms in proposed § 450.9 (Additional License Terms and Conditions). Finally, the FAA proposed requirements describing those rights that would not be conferred by a vehicle operator license in proposed § 450.13 (Rights Not Conferred by a Vehicle Operator License). The FAA proposed these rules to consolidate the requirements for different types of launch and reentry licenses in parts 415, 431, and 435 into a single vehicle operator license.

AIA and Sierra Nevada commented that the FAA should not be allowed to make modifications to the terms and conditions of a license except within a limited time frame and subject to specified procedures to ensure reasonable notice and due process to the vehicle operator. The FAA will not adopt this recommendation and retains the provision in § 450.9 that allows the FAA to modify a vehicle operator license at any time by modifying or adding license terms and conditions to ensure compliance with the Act and its implementing regulations. This provision was introduced in 1999 in 14 CFR 415.11 because the FAA recognized that a particular licensee's launch (or reentry) may present unique circumstances that were not covered by the license terms and conditions in place. Because such a modification would be based on unique circumstances, the FAA is unable to specify a timeline as requested by the commenter.

In the final rule, the FAA adopts these requirements as proposed and adds specificity to § 450.11 to indicate that either the holder of a vehicle operator license or the prospective transferee may request a vehicle operator license transfer, both the holder and prospective transferee must agree to the transfer, and the FAA will provide written notice of its determination to the person requesting the vehicle operator license transfer. These additions mirror the language used for the transfer of a safety element approval and reflect current practice.

The FAA did not receive any comments on these proposed requirements.

3. Part 450 Subpart B—Requirements To Obtain a Vehicle Operator License

a. Incremental Review and Determinations (§ 450.33)

In the NPRM, the FAA proposed to amend part 413 and to include provisions in part 450 to allow an applicant the option for an incremental review of all portions of its application. This proposal was in response to the ARC recommendations. Specifically, the FAA proposed to amend § 413.15 (Review Period) to provide that the time frame for any incremental review and determinations would be established with an applicant on a case-by-case basis during pre-application consultation. As stated in the NPRM, the FAA did not propose to reduce by regulation the statutory review period of 180 days.

In the final rule, the FAA provides clarification on the basis the Administrator would consider when approving an incremental approach.

In the NPRM, the FAA sought comment on how a formal incremental review process would account for the statutory 180-day review period when application increments or modules are likely to be submitted and reviewed at different times, other useful guidelines for applicants crafting incremental approaches, and any safety approval sections that would be appropriate for incremental review. The FAA did not receive any comments with feasible solutions on any of these topics.

Several commenters expressed support for the FAA's proposed incremental review process, stating that it would increase flexibility. Virgin Galactic supported the FAA's proposed approach to incremental review and commented that it aligned with many other approval processes in other divisions of the FAA.

Many commenters, including Leo Aerospace, Microcosm, Sierra Nevada, SpaceX, and Virgin Orbit asked about the duration of incremental review periods. Noting the FAA's statutory mandate to issue a license determination not later than 180 days after accepting an application, commenters inquired whether each module would be subject to this 180-day review period. Several commenters, including CSF and Sierra Nevada, stated they interpret the 180-day statutory requirement to mean that the sum total of all module reviews must not exceed 180 days. Commenters noted that if every module was subject to a 180-day review, the process would be very time-intensive.

Until the FAA has more experience with the incremental review process, the FAA will review each module in accordance with a schedule discussed with the prospective applicant during pre-application consultation. In developing the incremental review schedule, the FAA will consider the interdependence of parts of the evaluation and the sequence of their submissions. The FAA makes these criteria explicit in this rule in § 450.33 (Incremental Review and Determinations) paragraphs (b)(1) and (b)(2).[30]

Review of any modules prior to submittal of an application in its entirety will not initiate or be bound by the statutory 180-day review period. Rather, an agreed upon review period will begin once the FAA has a complete enough application in its entirety. During pre-application consultation, an applicant seeking an incremental review may negotiate a time frame shorter than the statutory 180-day review period. As the FAA gains more experience with the incremental review process, it may develop guidance concerning expected timelines for various sequences of modular submissions.

Sierra Nevada commented that, if a module is denied, proposed § 413.21 (Denial of a License or Permit Application) should allow the FAA to extend the review period by up to 60 days to consider a revised application. The commenter noted it supports the FAA's practice of tolling the review period in the case of a deficient application as long as the applicant understands the deficiency and what must be submitted for the FAA to continue its review. Leo Aerospace inquired whether an application would be considered accepted after the incremental process is defined, or after the last step of the incremental process is completed, and asked how an operator would be notified if its safety review was accepted.

Sierra Nevada's interpretation of incremental review is incorrect because a module cannot be denied under § 413.21. If the FAA determines a module does not contain sufficient information, the FAA and the applicant will discuss amending the agreed upon incremental review schedule to allow time for the applicant to submit a revised module. An applicant will be notified in writing when its complete application has been accepted.

Sierra Nevada noted the primary concern with module time frames was the transparency of the FAA's license application process and the ability for operators to reduce operational risk associated with the various time frames. To that end, a number of commenters, including Sierra Nevada, Leo Aerospace, and SpaceX, requested the FAA provide an outline of acceptance and review timelines and example timelines for incremental applications. CSF and Sierra Nevada agreed with the FAA's proposal to establish the timeline for incremental submissions in the pre-application phase but suggested the FAA include in an AC its goal for maximum review time frames for particular modules. CSF and Sierra Nevada recommended the AC include the following time frames: 60 days for policy approval; 30 days for payload review; 60 days for safety approval; 5 days for environmental assessment; and 15 days for financial responsibility assessment. CSF and Sierra Nevada noted that the FAA's review of the environmental assessment should only take 5 days because the FAA has had insight into the contractor used to conduct the environmental assessment, and the FAA's review should therefore simply be a verification that the applicant has submitted the final product. CSF and Sierra Nevada acknowledged that the financial responsibility assessment could take longer than 15 days for methods other than obtaining insurance, but stated that this possibility could be mitigated by the FAA's providing guidance that addresses the type of information that a licensee would need to submit to satisfy FAA review under § 440.9(f).

Commenters suggested that time frames for incremental review should be based on the complexity of the review and that they should be shorter than the statutory limit for the review of a complete application. Specifically, Virgin Galactic commented time frames should be based on the complexity of the item being reviewed. Sierra Nevada recommended modules be subject to a shorter review time frame than full application reviews and to define that time frame in § 413.15. Sierra Nevada stated the FAA should consider a shorter timeline of 90 days for review of a license application in order to meet the direction in Space Policy Directive-2 to streamline the review process.

The FAA declines to incorporate the suggested time frame changes because they will not provide adequate time for the FAA to assess application materials for completeness in all situations and for all potential applications. The FAA agrees that modules will likely be reviewed faster than an entire application, and that review times will depend largely on complexity; however, at this point it is premature to define those time frames until FAA has more experience with incremental reviews. The FAA will not at this time adopt maximum time frames, because each evaluation is a unique review that must be adjusted to each operation. The FAA's evaluation of the safety implications of an application typically requires the most effort and time, usually far more than the 60 days suggested by the commenters. The MPL is derived from the safety analysis and cannot be completed independently of it. An environmental review must be completed before a license can be issued. Particularly for new operations, the environmental process can be lengthy, and the FAA advises applicants to begin it early, even before a license application is submitted. For example, an applicant must submit a completed environmental impact statement (EIS) prepared by the FAA (or an FAA-selected and managed consultant contractor), FAA-approved environmental assessment (EA), categorical exclusion determination, or written re-evaluation as part of its application materials. The 180-day statutory application review period is not intended to encompass the time needed for the applicant to develop the necessary application materials, including environmental documentation. Five days may not be enough time to evaluate an environmental document, such as a complex EA.

For conventional operations that do not pose substantial policy-related challenges, policy and payload reviews can be conducted in less time than the safety review. However, these reviews are often performed concurrently with the safety review so their completion typically does not reduce the overall time required to reach a license determination. As the FAA gains more experience with the incremental review process, it may elect to update guidance to reflect timelines that have consistently proven effective.

Submitting an application incrementally affords an applicant the approval of various systems and processes earlier than the current non-incremental review process. The FAA expects that the central value of an incremental approach is regulatory certainty for components of the application and flexibility for applicants rather than a reduction in overall review time. However, the FAA anticipates that a determination of an accepted application that utilizes safety element approvals or approved modules will be completed faster than a similar application that does not use safety element approvals or incremental review.

Sierra Nevada recommended that an AC should also address the type of information a licensee would need to submit for the FAA's financial responsibility review. The financial responsibility requirements contained in part 440 are beyond the scope of this rulemaking. However, the financial responsibility requirements are adequately addressed in Appendix A to Part 440—Information Requirements for Obtaining a Maximum Probable Loss Determination for Licensed or Permitted Activities. Virgin Galactic recommended the FAA take into account FAA AVS[31] Project Specific Certification Plans to inform the incremental review process in proposed part 414. The FAA will discuss project-specific information, including AVS documents, during pre-application consultation.

Virgin Galactic also inquired how the operator would be notified when the operator's safety review has been accepted or rejected. The FAA will inform an applicant in writing as to whether each module is accepted or rejected.

b. Means of Compliance (§ 450.35)

In the NPRM, the FAA proposed that an applicant would be required to use an accepted means of compliance for the following requirements: Highly reliable FSS, FSA methods, lightning flight commit criteria, and airborne toxic concentration and duration thresholds for both flight and ground hazards. For these requirements, the means of compliance would need to be accepted by the FAA prior to the submission of an application. For all other performance-based requirements, an applicant would be able to use a means of compliance proposed in an application.

While the final rule maintains that an applicant must use an accepted means of compliance in an application for specified requirements, the FAA has made amendments to the structure of the regulatory text to identify more clearly that the use of accepted means of compliance is an application requirement. This requirement is now specified in § 450.35(a) of the final rule.

As stated above, for those five sections now identified in § 450.35, an applicant must use a means of compliance in its application that has been reviewed and accepted by the Administrator. The FAA will not accept an application that uses a means of compliance that has not already been accepted by the Administrator for any of the five requirements listed in § 450.35. The five requirements listed in § 450.35 are essential to public safety and involve well-established and complex methodologies, thresholds, or practices. Because of the complex nature and public safety impact of these requirements, the FAA would be unable to review unique means of compliance for these five requirements during its application evaluation within its review time frame. Rather, an applicant could choose to use an accepted means of compliance in its evaluation, or could submit a unique means of compliance for review and acceptance prior to submitting its application. Unique means of compliance for the requirements identified in § 450.35 may require evaluation before they are accepted as demonstrating fidelity and safety; however, this rule allows unique means of compliance for these sections to be submitted in advance of a license application in order to provide flexibility and enable innovative concepts. For all other sections of part 450, an applicant may propose in its application a means of compliance that has not been previously accepted by the Administrator, and the FAA will review the means of compliance as part of its application review process. It is worth noting that an applicant who uses means of compliance that have already been accepted by the FAA in its license application will likely experience a more expeditious license review and determination.

A means of compliance is one means, but not the only means, by which a requirement can be met and may be used to demonstrate compliance with any of the performance-based requirements. For all performance-based requirements other than those listed in § 450.35, an applicant may include a unique means of compliance in an application for the FAA to review during the application evaluation. In the NPRM docket,[32] the FAA included a table listing all publicly available means of compliance for each proposed performance-based requirement (the “Means of Compliance Table”) in subpart C that the FAA has accepted to date. An applicant need not include the entirety of an accepted means of compliance standard in an application, but may instead reference the accepted means of compliance using identifying features such as title and date or version.

Several commenters interpreted the NPRM as only allowing the means of compliance listed in the Means of Compliance Table. Conversely, the CSF commented that applying means of compliance flexibility only to the regulations cited in the Means of Compliance Table would be too limited, and should be expanded. The CSF also requested that the FAA remove or correct the preamble text to reflect that any applicant can seek to add an accepted means of compliance to the Means of Compliance table. The CSF specifically mentioned that the FAA should allow flexible means of compliance to meet the conditional expected casualty calculation in proposed § 450.101(c). SpaceX also commented that the FAA should expand the scope of flexible means of compliance and specifically identified proposed § 450.101(c).

The FAA emphasizes that any requirement in part 450 can have one or more means of compliance. The Means of Compliance Table provides one way, but not the only way, to meet the requirements in part 450. The conditional expected casualty thresholds in proposed § 450.101(c) were intended as safety criteria to measure and protect against potential high consequence events. In the final rule, the FAA has clarified § 450.101(c) to allow alternative demonstrations of high consequence event mitigation. This change is discussed in detail later in the preamble. The FAA will review the submitted means of compliance to determine whether they satisfy the regulatory safety standard. These means of compliance may be government standards, industry consensus standards, or unique means of compliance developed by an individual applicant. For government standards or means of compliance developed by a consensus standards body, the FAA will provide public notice of those accepted means of compliance that it determines satisfy the corresponding regulatory requirement. The FAA will also review unique means of compliance developed by an individual applicant to determine whether they satisfy the regulatory requirement.

Once a means of compliance is accepted by the FAA, it may be used to demonstrate compliance with the corresponding regulatory requirement. An updated Means of Compliance Table will be placed on the docket once the final rule publishes. This updated table identifies the means of compliance accepted by the FAA at this time for the corresponding regulation. This table will be made available on the FAA website and updated as additional means of compliance are accepted by the FAA. Unique individual operator-developed means of compliance will not be included in the Means of Compliance Table to protect proprietary information, unless the operator that developed the means of compliance requests that its means of compliance be included.

CSF requested that the FAA clarify that it would not require compliance with an untailored RCC 319 [33] in order to demonstrate reliability. Blue Origin commented that the preamble does not address accepted means of compliance as a standalone flexibility measure. CSF and SpaceX commented that the proposed rule risks being quickly outdated and could discourage innovation because it does not allow tailoring of the requirements.

This rule does not require compliance with an untailored RCC 319 in order to demonstrate reliability; however, at this time, RCC 319 is the only accepted means of compliance for flight abort with a highly reliable FSS under § 450.145. An applicant may propose a tailored version of any accepted means of compliance, including RCC 319. If an applicant wishes to tailor RCC 319, the applicant must propose its tailored means of compliance as a unique means of compliance in advance of its license application. An applicant may include any unique means of compliance as part of its license application, other than those sections identified in § 450.35(a) that require a means of compliance to be accepted prior to application submittal. An applicant may also propose a unique means of compliance to meet these requirements in advance of its license application.

An individual commenter recommended that the FAA allow tailoring and include a clause to attend United States Air Force (USAF) tailoring meetings as part of meeting parts 415 and 417 requirements. As noted earlier, the FAA does allow tailoring. Part 450 will not change the FAA's current practice of attending tailoring meetings.

Virgin Galactic also recommended that the current part 417 appendices and range analyses continue to satisfy the requirements in part 450, and that the FAA complete its Launch Site Safety Assessments (LSSAs) in order for operators to know which Federal launch or reentry site's analyses and processes the FAA would find acceptable as means of compliance. ULA commented that the rule should more clearly allow work performed by another Federal agency to meet FAA requirements.

The part 417 appendices that can be used as an accepted means of compliance to part 450 requirements are listed in the Means of Compliance Table in the docket. The FAA agrees that it needs to determine and communicate to the industry which Federal launch or reentry site analyses and processes satisfy part 450. As noted earlier, the FAA will accept any safety-related launch or reentry service provided by a Federal launch or reentry site or other Federal entity by contract, as long as the FAA determines that the launch or reentry service satisfies part 450.

The New Zealand Space Agency (NZSA) and Virgin Galactic asked what process and standards the Administrator would employ for accepting means of compliance. Virgin Galactic asked what accepted means of compliance would be and whether the Administrator would use means of compliance that have not been published. Virgin Galactic also stated that means of compliance would need to be published prior to any work being performed that would require the means of compliance. Northrop Grumman supported the publication of newly accepted means of compliance.

The FAA will provide public notice of each publicly available means of compliance that the Administrator has accepted by posting the acceptance on its website. This notification will communicate to the public and the industry that the FAA has accepted a means of compliance or any revision to an existing means of compliance. The FAA will not post unique means of compliance documents with proprietary information submitted by applicants, unless specifically authorized by the applicant. The applicant may wish to consider offering its unique means of compliance to a consensus standards body for inclusion as part of an industry-developed consensus standard. The final rule does not adopt proposed § 450.35(b), which stated that the FAA would provide public notice of each means of compliance that the Administrator has accepted. The FAA removes this requirement because it is not a licensing requirement.

Proposed § 450.35(c) is amended and renumbered as § 450.35(b). The provision is renumbered because the final rule removes the proposed § 450.35(b), as discussed previously. In the final rule, § 450.35(b) allows a person to submit a means of compliance to the FAA for review outside the licensing process. The means of compliance must be submitted in a form and manner acceptable to the Administrator. The proposed rule limited this provision to applicants, whereas the final rule would allow any person to request acceptance of a proposed means of compliance. This is because the FAA anticipates that people or entities other than applicants may wish to submit a proposed means of compliance, such as operators that plan to be applicants in the future, and voluntary consensus standards bodies. The FAA wants to enable this. Section 450.35(b) is limited to requests for acceptance of a proposed means of compliance outside a license application, because the license application process is already defined in parts 413 and 450. Lastly, the FAA changes the modifier in front of “means of compliance” from “alternative” to “proposed.” The term “proposed” is better suited to the types of means of compliance the FAA would expect from this provision.

The process the FAA employs to accept a means of compliance will be set forth in guidance. [34] When submitting a unique means of compliance, an applicant's proposal should identify the regulation that the proposed means of compliance will address and provide the rationale as to why it demonstrates compliance with the applicable regulation. When reviewing a unique means of compliance, the FAA will consider past engineering practices, the technical quality of the proposal to demonstrate compliance with the part 450 regulations, the safety risk of the proposal, best practice history, and consultations with technical specialists for additional guidance.

NZSA and Virgin Galactic asked how the FAA would protect an operator's proprietary information when publishing means of compliance. NZSA recommended that the FAA retain the ability to share, with consent of the applicant, information about the means of compliance used to issue a license that may include proprietary information.

As a general matter, the FAA does not share proprietary data with the public. The FAA will treat any proprietary data linked to a unique means of compliance in the same manner as it protects proprietary data that an applicant uses to support a license application.

An individual commenter suggested the development of a Space Safety Institute to develop industry consensus standards. A consensus standards body, any individual, or any organization would be able to submit means of compliance documentation to the FAA for consideration and potential acceptance. The FAA recommends that in developing standards, a voluntary consensus standards body consider the processes outlined in OMB Circular A-119.

c. Use of Safety Element Approval (§ 450.39)

In the NPRM, the FAA proposed § 450.39 (Use of Safety Element Approval) to allow an applicant to use any vehicle, safety system, process, service, or personnel for which the FAA has issued a safety element approval under part 414 without the FAA's reevaluation of that safety element during a license application evaluation to the extent its use is within its approved envelope. The proposed rule would also change the part 414 term from “safety approval” to “safety element approval” to distinguish it from “safety approval” as used in parts 415, 431, and 435, and proposed part 450, because these terms have different meanings.

In the final rule, the FAA replaces the word “envelope” with the word “scope.” “Scope” more accurately captures “envelope, parameter, or situation” as used in the definition of “safety element approval.” For consistency, the same change is made in § 437.21.

d. Policy Review (§ 450.41)

In the NPRM, the FAA proposed to remove the requirement that applications include, for the purpose of conducting a policy review, information related to the structural, pneumatic, propulsion, electrical, thermal, guidance, and avionics systems used in the launch vehicle and all propellants. Instead, in order for the FAA to conduct its policy review, the FAA proposed that an applicant identify the launch or reentry vehicle and its proposed flight profile and describe the vehicle by characteristics that include individual stages, its dimensions, type and amounts of all propellants, and maximum thrust. In the final rule, the FAA adopts § 450.41 (Policy Review and Approval) as proposed.

Boeing, Lockheed Martin, Northrop Grumman, Sierra Nevada, and ULA suggested the FAA change the word “normal” in proposed § 450.41(e)(4)(iv) to “nominal” to be consistent with industry vernacular.

The FAA disagrees with this suggestion because the FAA seeks a range of possible impact areas in this section, not a particular impact point inferred by the use of “nominal.”

Boeing, Lockheed Martin, Northrop Grumman, and ULA recommended the FAA add to § 450.41(b)(3) the phrase “but not limited to” in order to allow the FAA to consult Federal agencies other than the National Aeronautics and Space Administration (NASA).

The FAA disagrees that the additional language is needed to clarify that the FAA may consult Federal agencies other than NASA pursuant to § 450.41(b)(3). The term “include” implies the phrase “but not limited to.”

The FAA notes, consistent with current practice, that if a launch or reentry proposal would potentially jeopardize U.S. national security or foreign policy interests, or international obligations of the United States, the FAA may seek additional information from an applicant in support of interagency consultation to protect U.S. Government interests.

An individual commenter recommended the FAA require licensees to comply with the Committee on Space Research's planetary protection policy (COSPAR PPP) as a means of ensuring that commercial launches comply with the Outer Space Treaty and of resolving existing gaps in the statutory prohibition on obtrusive advertising in outer space.

The FAA acknowledges the commenter's concerns, but the scope of this rulemaking does not encompass COSPAR's PPP or the statutory prohibition on obtrusive advertising.

e. Payload Reviews (§ 450.43)

In the NPRM, the FAA proposed to consolidate payload review requirements, remove the requirement to identify the method of securing the payload on an RLV, add application requirements to assist the interagency review, such as the identification of approximate transit time to final orbit and any encryption, clarify the FAA's relationship with other Federal agencies for payload reviews, and modify the 60-day notification requirements currently found in §§ 415.55 and 431.53.

The FAA stated in the NPRM preamble that, while it would review all payloads to determine their effect on the safety of launch, the FAA will not make a determination on those aspects of payloads that are subject to regulation by the Federal Communications Commission (FCC) or the Department of Commerce or on payloads owned or operated by the U.S. Government. In addition, the proposed rule added informational requirements that would include the composition of the payload and any hosted payloads, anticipated life span of the payload in space, any planned disposal, and any encryption associated with data storage on the payload and transmissions to or from the payload. Finally, the NPRM proposed to preserve the ability of payload operators to request a payload review independent of a launch license application. The FAA sought comments on the approach of including more requirements for a payload review in the regulation in order to expedite payload review application processing, but received none.

In the final rule, the FAA adopts § 450.43 (Payload Review and Determination) with revisions. The FAA adds the term, “if applicable,” to §§ 450.31(a)(3) and 450.43(a) to clarify that a payload review is not always required. The FAA notes that all payloads include any hosted or secondary payloads.

The Commercial Smallsat Spectrum Management Association (CSSMA) suggested that the FAA adopt a sixty (60) day timeline for independent payload review. CSSMA found little incentive for a payload owner or operator to use the independent payload review process, absent a fixed timeline for such payload reviews. CSSMA also recommended language that would render § 413.21(a) (Denial of a License or Permit) applicable to independent payload reviews.

The FAA declines to revise § 413.21(a) as suggested because the payload review is a requirement to obtain a launch or reentry license under part 450. The FAA notes that a favorable payload determination does not itself constitute a license. As such, the procedures set forth in § 413.21(a) do not apply to payload reviews, whether conducted independently of or in conjunction with a license application.

The FAA also declines to incorporate CSSMA's suggested timeline for review. The FAA has not specified a timeline to complete payload reviews independent of a license application because, historically, payload owners or operators have requested such reviews for unique missions that have raised novel concerns regarding public health and safety, safety of property, or national security or foreign policy interests of the United States. Because independent payload reviews often raise complex issues and often require extensive interagency consultation, the FAA cannot anticipate a standard timeline for payload reviews conducted independently from a license application. Accordingly, FAA will not establish a standard timeline for such reviews in its regulations. Applicants are encouraged to discuss timelines to review their particular proposals during pre-application consultation.

NZSA requested the FAA include in the final rule all legislative or regulatory standards by which the FAA will assess payloads at the application stage. NZSA stated that doing so would give owners of novel payloads and non-U.S. operators regulatory certainty on the standards they must meet to be launched on a vehicle licensed by the FAA. As one example of a rule that would affect payload review but did not appear in proposed § 450.41, NZSA cited the prohibition on launching payloads for “Obtrusive Space Advertising.”

The FAA declines to expand the bases for issuing an unfavorable payload determination beyond those set forth in § 450.43(a). It would not be practical to list every law, regulation, and policy that may possibly affect a proposed payload under § 450.43. Rather, applicants are required to complete a pre-application consultation during which the FAA can learn about the proposed action and advise the applicant on a path forward, including any U.S. regulations, laws, or policies that may impact its proposal. Payload owners and operators may also use the independent payload review process set forth in § 450.43(d), which provides greater regulatory certainty for novel payloads.

Virgin Galactic suggested the FAA treat payloads that stay within a vehicle as additional equipment on the launch vehicle, subject only to the safety analysis required of any other piece of equipment on board a launch vehicle. Virgin Galactic commented that requiring a payload review for items not ejected from a launch vehicle places an unnecessary burden on operators and the FAA. Virgin Galactic also requested clarification on seemingly contradictory language in the NPRM preamble regarding a payload placed in outer space versus a payload that remained on or within the vehicle.

The FAA disagrees with Virgin Galactic's suggestion. Payloads that (1) stay within a vehicle, (2) do not contain hazardous materials, or (3) have previously been approved may require less scrutiny but are still being placed in outer space and therefore meet the 14 CFR 401.5 definition of “payload” and require a payload review. Under 51 U.S.C. 50904(c), the FAA must verify that all licenses, authorizations, and permits required for a payload have been obtained; and that the proposed launch or reentry will not jeopardize public health and safety, safety of property, U.S. national security or foreign policy interests, or international obligations of the United States. The FAA therefore declines to exclude from the requirement to obtain a payload review any payload that remains on the vehicle.

Virgin Galactic recommended the FAA amend proposed § 450.31(a)(3), which seemed to require favorable payload determinations for any launch or reentry, noting that not all vehicles carry payloads. Absent this amendment, Virgin Galactic commented it would need to seek a waiver for each non-payload flight, creating an unnecessary burden.

The FAA agrees that an applicant does not need to seek a payload determination if the proposed launch or reentry will not involve a payload. Therefore, the FAA revises § 450.31(a)(3) by adding the phrase, “if applicable.”

Space Logistics, LLC (Space Logistics) urged the FAA to coordinate with other Federal agencies before expanding its payload review process in order to avoid duplicating activities. Space Logistics noted that the requirements to describe encryption associated with a payload's data storage and transmissions and to provide any information deemed necessary by the FAA under proposed § 450.43(i) were open-ended and may duplicate requirements of the FCC, NASA, the National Oceanic and Atmospheric Administration (NOAA), or Office of Space Commerce (OSC).

The FAA agrees with Space Logistics's comment that Federal agencies must continue to streamline requirements applicable to commercial space activities and work closely to eliminate duplicative requirements and minimize review times for policy and payload issues. The FAA has engaged its Federal partners in this rulemaking process in order to minimize duplication. For instance, the FAA proposed to require that applicants provide encryption data (in § 450.43(i)(1)(x)) in part to support the Department of Defense (DOD) review of payloads for impacts to national security. Encryption information allows the DOD to assess impacts on national security due to potential cyber intrusion or loss of vehicle control. Through its interagency coordination, the FAA endeavors not to request information already provided to other Federal agencies.

Boeing, Lockheed Martin, Northrop Grumman, and ULA suggested adding to proposed § 450.43(a) a requirement for FAA coordination with the applicable Federal agency to ensure that the payload will not interfere with or impede launch, on‐orbit operations, or reentry of other approved missions. The commenters stated this addition would avoid adverse impacts to other federally-approved missions or operating systems.

Although the FAA agrees that coordination with applicable Federal agencies is important to ensure a payload or payload class will not interfere with agency operations, the FAA disagrees that the recommended addition to § 450.43(a) is necessary. The interagency coordination required for both payload and license application review, coupled with the criteria set forth in § 450.43(a)(1) and (a)(2), adequately addresses the commenters' concerns. Those provisions direct that the FAA will issue a favorable payload determination if (1) the applicant, payload owner, or payload operator has obtained all required licenses, authorizations, and permits; and (2) the launch or reentry of the payload would not jeopardize public health and safety, safety of property, U.S. national security or foreign policy interests, or international obligations of the United States. The FAA notes, consistent with current practice, that if a payload or payload class presents a potential risk to an agency's asset or other mission, the FAA may seek additional information from an applicant on behalf of the agency to protect U.S. Government interests and assets consistent with these two objectives. However, in light of commenters' concerns, the FAA is working with the appropriate agencies to increase transparency and support the development of agency guidance on the interagency consultation process during a payload review. The FAA also plans to publish its own guidance on payload review, in the form of an Advisory Circular, which will reference NASA, DOD, or other agency guidance. Insight into the interagency process will help operators anticipate what questions and concerns may arise during interagency consultation, which may vary depending on the operation, and will allow operators to be better prepared to address any potential issues during payload review. 
To the extent the commenters intended to address space traffic management or access-to-space issues, such matters exceed the scope of this rulemaking.

Boeing suggested the FAA refrain, in proposed § 450.43(b)(2), from issuing a determination on payload components owned, sponsored, or operated by the U.S. Government. Similarly, Boeing, Lockheed Martin, Northrop Grumman, and ULA recommended the FAA exclude from the review requirement in proposed § 450.31(a)(3) any payloads that have undergone safety review or received approval by another Federal agency.

The FAA declines to exclude from review under § 450.43(b) payloads that are sponsored by the U.S. Government. Section 450.43(b)(2) excludes payloads owned or operated by the U.S. Government. Payloads that are not owned or operated by the U.S. Government may not have undergone the same scrutiny, and hence the FAA review is warranted. The FAA also disagrees with the recommended change to § 450.31(a)(3). Although the FAA does not make a determination on those aspects of payloads that are subject to regulation by other Federal agencies, the FAA does review all payloads to determine their effect on the safety of launch, which may differ from the purpose of another agency's payload review. As such, no change from the proposal is made.

Boeing, Lockheed Martin, Northrop Grumman, and ULA recommended adding to the agencies listed in proposed § 450.43(e)(3) the FCC, NOAA, and the National Telecommunications and Information Administration. The commenters also proposed adding to the interagency consultation process set forth in proposed § 450.43(e) a requirement that the FAA consult with Federal launch or reentry sites to coordinate facility information for MPL determination, and to coordinate collision avoidance analysis with the cognizant Federal agency, when the launch or reentry activity is not on a Federal launch or reentry site. The commenters stated that operators should not have to obtain and provide Federal site facility information, which is often sensitive and not available to commercial operators.

The FAA disagrees that the recommended addition to § 450.43(e)(3) is necessary. The list of agencies that the FAA consults with under § 450.43(e) is not exhaustive and does not preclude consultation with any other Federal entity in order to ensure that a payload meets the criteria set forth in § 450.43. With respect to the recommendation for the FAA to add the interagency consultation process to its MPL determination, current regulations address coordination. In addition, changes to part 440 are outside the scope of the rulemaking. In accordance with 14 CFR 440.7(b), the FAA consults with Federal agencies that are involved in, or whose personnel or property are exposed to risk of damage or loss as a result of, a licensed activity and obtains any information needed to determine financial responsibility requirements. Similarly, collision avoidance analysis is conducted wholly outside of the payload review. Part 450 provides for coordination of collision avoidance analyses with the cognizant Federal agency, though this coordination is primarily conducted on a launch-by-launch basis, and well after the payload review process, which often occurs during the application review process.

f. Safety Review and Approval (§ 450.45)

i. Launch and Reentries From a Federal Launch or Reentry Site (§ 450.45(b))

In the NPRM, to address concerns regarding duplicative government requirements at Federal launch or reentry sites, the FAA proposed largely performance-based requirements for both ground and flight safety that an operator could meet using Air Force and NASA practices as means of compliance. The FAA pointed out that it issues a safety approval to a license applicant proposing to launch from a Federal launch or reentry site if the applicant satisfies the requirements of part 415, Subpart C (Safety Review and Approval for Launch from a Federal Launch Range), and has contracted with the Federal site for the provision of safety-related launch services and property, as long as an FAA LSSA shows that the site's launch services and launch property satisfy part 417. The FAA did not refer to the LSSA process in the regulatory text in proposed part 450. The FAA did propose, in § 450.45 (Safety Review and Approval) paragraph (b), that the FAA would accept any safety-related launch or reentry service or property provided by a Federal launch or reentry site or other Federal entity by contract, as long as the FAA determined that the launch or reentry services or property provided satisfy part 450.

The FAA adopts § 450.45(b) as proposed, with one revision. The FAA changes the reference to “Federal range” to “Federal launch or reentry site” throughout part 450, to include NASA and DOD launch and reentry sites.

As discussed in the NPRM preamble, the FAA assesses each Federal launch or reentry site and determines if the Federal site meets FAA safety requirements. If the FAA assessed a Federal launch or reentry site and found that an applicable safety-related launch service or property satisfies FAA requirements, then the FAA treats the Federal site's launch service or property as that of a launch operator's, and there is no need for further demonstration of compliance to the FAA. The FAA reassesses a site's practices only when the site changes its practice. The final rule maintains the position discussed in the NPRM, namely that these performance-based regulations allow an operator to use DOD and NASA practices as a means of compliance. In addition, this rule introduces a provision that allows operators operating from certain Federal sites to opt out of demonstrating compliance with the FAA's ground safety requirements.

CSF and Space Florida submitted comments indicating their dissatisfaction with the NPRM's approach to reducing duplication regarding launch from a Federal launch or reentry site. ULA encouraged the FAA to reduce duplication between the FAA and Federal sites.

Northrop Grumman commented that the FAA should accept the Federal launch or reentry site safety processes as satisfying FAA requirements because it was reasonable to presume changes to launch range regulations would continue to provide for safe pre-flight and flight operations on Federal launch or reentry sites. Similarly, SpaceX stated that part 450 or its supporting documents should reference agreements between the FAA and other Federal entities, including the USAF, which allow each agency to accept the analyses and technical determinations of the other. Blue Origin commented that it looks forward to understanding the contents of any agreements between the ranges and the FAA.

Another individual commenter raised similar concerns that the FAA's proposed licensing regulations do not resolve long-standing issues with duplicative and overlapping rules burdening commercial launch operators at the KSC and CCAFS. CSF stated that duplicative or conflicting rules among overlapping Federal jurisdictions create a barrier to entry for small startups and unnecessarily increase the cost of space access to all users by forcing all providers either to pass those costs on to their customers (including the U.S. Government) or to be denied the availability of new capabilities due to lack of bandwidth and resources. CSF argued that this burden will drive internationally-competed business to other countries to avoid the cost or schedule impacts arising from duplicative, conflicting, and overlapping sets of rules. CSF also argued the FAA did not address the overlapping jurisdiction of the FAA and other Federal and State agencies (the Occupational Safety and Health Administration (OSHA), the Environmental Protection Agency (EPA), the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), and their State and local equivalents) for hazardous ground operations.

The FAA does not agree with the comment that the FAA is duplicating oversight with other agencies such as OSHA, EPA, and ATF. Commercial space activities may be subject to the jurisdiction of multiple Federal agencies depending on the types of activities that are being conducted. OSHA, EPA, and ATF may regulate or provide oversight for different aspects of an operation without duplicating FAA oversight. The authority for protecting public health and safety, safety of property, and national security and foreign policy interests of the United States during commercial space launches and reentries remains solely with the FAA.

In the interest of removing duplicative authorities, CSF suggested the FAA should acknowledge when other agencies have jurisdiction over activities and not duplicate that oversight. SpaceX recommended that instead of the FAA's determining that the launch or reentry services or property provided by a Federal launch or reentry site or other Federal entity satisfy part 450, the FAA should just determine that the site operations are in good standing.

In the final rule, an operator may meet part 450's performance-based requirements using DOD and NASA practices that have been accepted by the FAA as a means of compliance. An applicant would reference in its application those DOD or NASA requirements or procedures accepted as means of compliance. The 2015 Commercial Space Launch Competitiveness Act directed the Secretary of Transportation to consult with the Secretary of Defense, Administrator of NASA, and other agencies, as appropriate, to identify and evaluate requirements imposed on commercial space launch and reentry operators to protect the public health and safety, safety of property, national security interests, and foreign policy interests of the United States. It also directed the Secretary of Transportation to resolve any inconsistencies and remove any outmoded or duplicative Federal requirements or approvals applicable to any commercial launch of a launch vehicle or commercial reentry of a reentry vehicle.[35] The FAA has worked closely with DOD and NASA in developing part 450 to minimize any need for a DOD or a NASA facility to impose additional requirements.[36] The FAA will continue to work with DOD and NASA in reviewing means of compliance that involve these Federal entities' practices to ensure those practices continue to satisfy the FAA's part 450 requirements. The FAA expects that there will be few, if any, instances in which DOD or NASA practices do not satisfy part 450's performance-based requirements. In addition, part 450 should provide enough flexibility to accommodate changes in DOD and NASA practices in the future.

In addition to issuing performance-based requirements that an operator could meet using DOD and NASA practices as means of compliance, the FAA has addressed concerns regarding duplicative government requirements by modifying its approach to ground safety at certain Federal sites. For ground safety, the Administrator may determine that the Federal launch or reentry site's ground safety processes, requirements, and oversight are not inconsistent with the Secretary's statutory authority over commercial space activities. Therefore, under § 450.179 (Ground Safety—General) paragraph (b), an operator is not required to comply with the ground safety requirements of part 450 if:

(1) The launch or reentry is being conducted from a Federal launch or reentry site;

(2) The operator has contracted with the Federal launch or reentry site for ground safety services or oversight; and

(3) The Administrator has determined that the Federal launch or reentry site's ground safety processes, requirements and oversight are not inconsistent with the Secretary's statutory authority over commercial space activities.

In making the determination to accept the Federal site's processes without specific compliance with ground safety regulations, under § 450.179(c), the Administrator will consider the nature and frequency of launch and reentry activities conducted from the Federal launch or reentry site, coordination between the FAA and the Federal launch or reentry site safety personnel, and the Administrator's knowledge of the Federal site's requirements. The FAA will consider the nature and frequency of the activity in order to evaluate a site's level of experience with different types of launch and reentry operations. An example of the “nature” of the launch and reentry activities would be that a site's experience with non-toxic or non-explosive propellant might not qualify the site for an exemption from FAA ground safety requirements involving toxic or explosive materials. The FAA makes this change to respond to the direction of SPD-2, the National Space Council, and the recommendation of the ARC to address duplicative requirements across Federal agencies for commercial space licensing.

In the final rule, an operator need not comply with the ground safety requirements contained in §§ 450.181 (Coordination with a Site Operator) through 450.189 (Ground Safety Prescribed Hazard Controls) if the conditions in § 450.179(b) are met. In making this change, the FAA preserves its statutory jurisdiction over those ground safety activities that are part of launch and reentry, but recognizes certain Federal processes and procedures as sufficient to meet the FAA's mandate.

For § 450.179(b) to apply, an operator must conduct launch or reentry activities from a Federal launch or reentry site. The FAA limits the applicability of this provision to certain Federal sites, such as Kennedy Space Center and Cape Canaveral Air Force Station, because they have a long history of conducting launches and reentries in a manner consistent with FAA regulations. In addition, an operator must contract with the Federal launch or reentry site for ground safety services or oversight. The FAA would require that the operator have a written agreement with the Federal site to use its ground safety services or oversight and comply with its ground safety processes and requirements. Finally, the Administrator must have determined, consistent with the considerations in § 450.179(c), that the Federal launch or reentry site's ground safety processes, requirements, and oversight are not inconsistent with the Secretary's statutory authority over commercial space activities. In considering the site's ground safety record, the Administrator will consider the extent and sophistication of both its ground safety procedures and the frequency with which the site uses them during FAA-licensed activities.

In making the determination to accept a Federal site's ground safety procedures, the Administrator generally will accept only those sites that have a regular cadence of both commercial and government launches and highly developed, well-understood processes and procedures. In considering the coordination between the FAA and the Federal site safety personnel, the Administrator generally will approve only those sites with which the FAA has a long-term working relationship through the Common Standards Working Group (CSWG). Familiarity with a Federal site's ground safety practices and procedures is the only means by which the FAA can ensure it has met its statutory obligation to ensure public health and safety, safety of property, and national security and foreign policy interests of the United States. When the Administrator finds that a site meets the conditions in § 450.179(b), the FAA will develop a Memorandum of Agreement (MOA) with the approved site and publish the MOA on the FAA's website. If these conditions are met, then the operator can seek FAA permission during pre-application consultation to comply only with the ground safety regulations imposed by the Federal site. The FAA will publish, maintain, and update the Federal launch and reentry site ground safety MOAs on its website.

For Federal launch or reentry sites or other Federal entities that do not satisfy the conditions in § 450.179(b), the final rule retains the LSSA-like process in accordance with § 450.45(b). As noted earlier, the FAA believes that because of the performance-based nature of part 450, Federal launch or reentry sites will typically satisfy most or all FAA requirements.

ii. Radionuclides (§ 450.45(e)(6))

In the NPRM, the FAA proposed in § 450.45(e)(6) that the FAA would evaluate the launch or reentry of any radionuclide on a case-by-case basis, and issue an approval if the FAA finds that the launch or reentry is consistent with public health and safety, safety of property, and national security and foreign policy interests of the United States. For any radionuclide on a launch or reentry vehicle, an applicant would need to identify the type and quantity, include a reference list of all documentation addressing the safety of its intended use, and describe all approvals by the Nuclear Regulatory Commission for pre-flight ground operations.

SpaceX requested that the FAA clarify the intent of this regulation, as this topic is heavily regulated by other Federal entities. In addition, SpaceX recommended that the FAA defer to and accept results from other Federal entities when applicable, and stated that processes for acceptance and deferral should be provided in an AC.

As discussed in the NPRM preamble, § 450.45(e)(6) will address the potential launch or reentry of radionuclides, similar to current § 415.115(b), but with the addition of reentries. It is the current practice of the FAA to address novel public safety issues on a case-by-case basis because such proposals are so rarely encountered in commercial space transportation. When applicable, FAA will work closely with other Federal entities to avoid duplicative requirements. Moving forward, however, the Presidential Memorandum on Launch of Spacecraft Containing Space Nuclear Systems [37] directs the Secretary to issue public guidance for applicants seeking a license for launch or reentry of a space nuclear system. The FAA is currently developing this guidance.

g. Environmental Review (§ 450.47)

In the NPRM, the FAA proposed to consolidate and clarify environmental review requirements for launch and reentry operators in a single section, § 450.47 (Environmental Review). In addition, the FAA proposed to revise §§ 420.15, 433.7, 433.9, and 437.21 to conform to the changes in proposed § 450.47. These revisions codify the environmental review process as currently conducted, in accordance with FAA Order 1051.F, in which applicants for a launch or reentry license provide the FAA with the information needed to comply with the National Environmental Policy Act (NEPA) and other applicable environmental laws, regulations, and Executive Orders.

In the final rule, the FAA adopts § 450.47 as proposed with revisions. The FAA revises § 450.47(b) to affirmatively state that an applicant must prepare an Environmental Assessment (EA), assume financial responsibility for preparation of an Environmental Impact Statement (EIS), or provide information to support a written re-evaluation of a previously submitted EA or EIS, when directed by the FAA. The FAA revised this section to clarify that the FAA, not the applicant, determines which environmental documentation is required by NEPA. If the FAA determines that under NEPA an EIS is required, the FAA will select a contractor to prepare the EIS for the license applicant who will pay the contractor. The FAA also revised §§ 420.15(b), 433.7(c), 437.21(b)(1)(iii), and 450.47(c) to clarify that it is the FAA's responsibility to determine whether a Categorical Exemption (CATEX) applies under NEPA.

An applicant may provide data and analysis to assist the FAA in determining whether a CATEX could apply (including whether an extraordinary circumstance exists) to a license action. Examples include modifications that are administrative in nature or involve minor facility siting, construction, or maintenance actions. In the final rule, the FAA revises §§ 420.15(b), 433.7(c), 437.21(b)(1)(iii), and 450.47(c) to state affirmatively that it is the FAA's responsibility to determine whether a CATEX applies rather than an applicant's responsibility to request a CATEX.

If a CATEX does not apply to the proposed action, but it is not anticipated to have significant environmental effects, then NEPA requires the preparation of an EA. When directed by the FAA, an applicant must prepare an EA with FAA oversight. When NEPA requires an EIS for commercial space actions, the FAA uses third-party contracting to prepare the document. That is, the FAA selects a contractor to prepare the EIS, and the license applicant pays the contractor. Finally, if an EA or EIS was previously developed, the FAA may require an applicant to submit information to support a written re-evaluation of the environmental document by an FAA-selected contractor to ensure the document's continued adequacy, accuracy, and validity.[38]

This rule will not alter the current environmental review requirements. However, as explained in the NPRM preamble, the consolidation of the launch and reentry regulations necessitates a consolidation of the environmental review requirements.

CSF asked the FAA to explain why it added the requirement that applicants prepare EAs with FAA oversight, assume financial responsibility for preparation of an EIS, or submit a written re-evaluation of a previously submitted EA or EIS. CSF requested clarification on the phrase “under FAA oversight” in proposed § 450.47, versus the current language in FAA Order 1050.1 that requires FAA approval of an applicant-prepared EA. CSF requested further that the FAA clarify when and for what purpose the FAA might require an applicant to prepare a written re-evaluation of a previously-submitted EA or EIS, noting that the costs and schedule impacts of this requirement are unclear.

As noted in the NPRM, the changes to the regulatory text on environmental review do not represent a substantive change to past regulations or to current practice. Section 450.47 reflects the existing environmental review process that §§ 415.201 and 415.203 broadly described, in which applicants must provide sufficient information to enable the FAA to comply with NEPA. Section 450.47 replaces this general requirement by identifying the specific documents that the FAA may require applicants to provide and the process to prepare those documents. The language added to § 450.47 reflects current practice and is consistent with NEPA and FAA policy. According to FAA Order 1050.1, unless the FAA determines that a categorical exclusion applies, the FAA may prepare an EA, EIS, or written re-evaluation, or direct an applicant to provide the information as described in §§ 450.47(b)(1), (2), and (3).[39] In response to CSF's comment, the FAA revises § 450.47(b), as well as §§ 420.15(b), 433.7(b), and 437.21(b)(1)(ii), from the language proposed in the NPRM to state expressly that an applicant must provide the documents set forth in paragraph (b) “when directed by the FAA.” The modified text clarifies the applicant's responsibilities in accordance with FAA Order 1050.1 (Paragraph 2-2-2). These responsibilities are consistent with current practice and will not increase the cost, impact schedules, or alter the burden under the previous regulations.

With respect to § 450.47(b)(1), “with FAA oversight” means the FAA will guide the work of an applicant or an applicant's contractor. In order to use an applicant or contractor-prepared document for compliance with NEPA or other environmental requirements, the FAA must evaluate and take responsibility for the document. The FAA's oversight ensures that: (1) The applicant's potential conflict of interest does not impair the objectivity of the document; and (2) the EA meets the requirements of FAA Order 1050.1. The FAA may require an applicant to submit information to support a written re-evaluation of a previously prepared environmental document (i.e., a draft or final EA or EIS) to determine whether the document remains valid or a new or supplemental environmental document is required. Applicants should work closely with the FAA to determine the documentation requirements of NEPA and other applicable environmental requirements.[40] In response to CSF's comment, the FAA revises § 450.47(b)(3), as well as §§ 420.15(b), 433.7(b), and 437.21(b)(1)(ii), to clarify that an applicant would submit “information to support” a written re-evaluation of a previously submitted EA or EIS, rather than the re-evaluation document itself, as proposed. The contractor selected by the FAA will use the information provided by the applicant to prepare the re-evaluation document.

CSF commented that the FAA should adopt, to the greatest extent possible, NEPA documentation from other Federal agencies or licensed site operators.

The FAA notes that it may adopt, in whole or in part, another Federal agency's draft or final EA, the EA portion of another agency's EA/FONSI, [41] or EIS in accordance with applicable regulations and authorities implementing NEPA.[42] Whenever possible, the FAA will adopt the other Federal agency's NEPA documents to support the issuance of launch and reentry licenses. Further, the FAA encourages early coordination with the FAA to benefit applicants that are seeking approvals from other Federal agencies related to the FAA-issued license (e.g., an applicant seeking approval from a Federal agency to make modifications on a Federal launch or reentry site in anticipation of receiving a launch license from the FAA). This coordination will increase the likelihood of a more efficient environmental review process as the applicant seeks different but related approvals from multiple Federal agencies. The applicant should consult with the FAA early in the project's development phase, prior to the development of the NEPA document, to determine environmental review responsibilities, and the appropriate level of review, and to foster efficient procedures to develop documentation to meet the agencies' legal requirements.

CSF also encouraged the FAA to request appropriations to fund regional or area EAs. This recommendation is beyond the scope of this rulemaking.

The Aircraft Owners and Pilots Association (AOPA) stated its concern that, under the proposed regulations, existing Special Use Airspace approvals (SUAs) would be activated for purposes that may not align with the original environmental determinations that led to approval of the SUAs. AOPA noted that the environmental process for establishing SUAs includes detailed studies of the intended activity, its frequency, and its effect on the public. Many of the SUAs activated in support of commercial space activity originally underwent environmental review and approval on the assumption that they were supporting military or governmental activity, not commercial civil space operators.

This rule will not affect the environmental determination process for establishing or altering SUAs. Environmental review concerns associated with the designation or activation of SUAs are not the subject of this rulemaking. The FAA notes that all environmental impacts associated with a proposed launch or reentry will be addressed in the NEPA document prepared for that activity.

AOPA urged the FAA to ensure that the documentation for commercial space operations is complete and transparent so that the public can understand and identify potential impacts.

This rule will not alter the current environmental review process, which requires documentation of environmental impacts. The FAA remains responsible for complying with NEPA and other applicable environmental laws, regulations, and Executive Orders prior to issuing a launch or reentry license. The FAA ensures transparency of the potential environmental impacts by publishing all draft and final EAs and EISs, and associated Findings of No Significant Impact and Records of Decisions.

CSF and Denver International Airport requested clarification on how the environmental reviews required under NEPA would apply to multiple sites. In accordance with applicable regulations and authorities implementing NEPA, the FAA's decision-making process must consider and disclose the potential impacts of a proposed action and its alternatives on the quality of the human environment. This process includes considering the impacts of launches from multiple sites, which may be covered in a single NEPA document when appropriate. In some instances, one single NEPA document may not be possible and individual site-specific NEPA documents could be developed. The FAA is examining the use of programmatic NEPA documents to analyze the impacts of launches from multiple sites. Under such an approach, applicants could tier their individual, site-specific NEPA analyses from the programmatic document.[43] The FAA will conduct programmatic EA analyses consistent with FAA Order 1050.1 and CEQ regulations.

SpinLaunch stated the environmental review process is lengthy, sometimes taking as long as 2 years or more. To facilitate the process, it recommended (1) including the environmental review within the statutory period, thereby forcing an expedited process; and (2) establishing limited environmental approval for proposed activities (e.g., non-rocket launch systems) that do not have the adverse environmental impacts of a traditional rocket.

The FAA does not consider the 180-day statutory review period to include NEPA document preparation. Specifically, the applicant must submit a completed EIS prepared by the FAA (or an FAA-selected and managed consultant contractor) or an FAA-approved EA, categorical exclusion determination from the FAA, or written re-evaluation as part of its application materials. The statutory application review period is not intended to encompass the time needed for the applicant to develop the necessary application materials, including environmental documentation. Regarding the commenter's second recommendation, the FAA is bound by CEQ's NEPA regulations. There are three levels of NEPA review: CATEX, EA, and EIS. Each of the three levels of review is described in FAA Order 1050.1. The required level of review depends on the nature of the commercial space action. Applicants should coordinate with the FAA early in the application process to determine the appropriate level of NEPA review based on the potential for significant impact.

Boeing, Lockheed Martin, Northrop Grumman, and ULA jointly recommended adding to proposed § 450.47(a) a statement requiring the FAA to coordinate with other government entities to assist the applicant in completing EAs, in order to alleviate the cost impact on operators who currently have to negotiate multiple sets of requirements by Federal, State, and local governments. The joint commenters also recommended amending §§ 420.15(b)(ii), 433.7(b)(2), and 450.47(b)(2) to allow EISs to be prepared by an FAA-approved consultant contractor, in addition to one selected and managed by the FAA. The commenters suggested these changes would provide flexibility and allow an operator to use qualified EIS contractors at the State- or local-level as long as the contractor meets the qualifications for completing an EIS in accordance with the law.

The FAA declines the suggested regulatory text changes.

Section 1506.5(c) of the CEQ Regulations for Implementing the Provisions of NEPA and Appendix C of FAA Order 1050.1 state that EISs must be prepared by a contractor selected by the lead agency to avoid a conflict of interest.

Boeing, Lockheed Martin, Northrop Grumman, and ULA recommended the FAA craft an additional section to proposed § 450.47 to address space environmental impacts such as debris, collision risk, and interference.

The FAA does not agree with this recommendation. The applicability of NEPA to space debris is outside the scope of this rulemaking.

One individual commenter expressed concern that the proposed part 450 may cause companies to forgo environmental considerations or somehow bypass compliance requirements. The proposal does not alter NEPA and will continue to require potential licensees to comply with all policies and procedures implementing NEPA, as well as other applicable environmental laws, regulations, and Executive Orders intended to protect the environment.

4. Part 450 Subpart C—Safety Requirements

a. Neighboring Operations Personnel (§ 450.101(a) and (b))

In the NPRM, the FAA proposed to carve out separate individual and collective risk criteria for neighboring operations personnel. The proposal was intended to reduce the need to clear or evacuate other launch operator personnel during a commercial launch or reentry operation. Under the current regulations, an operator may be required to clear anywhere from a handful of employees to over a thousand employees from a neighboring site for a significant portion of a day. To address this issue, the NPRM proposed to define “public” and “neighboring operations personnel” in § 401.5. Under the proposal, neighboring operations personnel would still be members of the public, but would be subject to different individual and collective risk criteria. These proposed regulations were intended to enable neighboring operations personnel to remain within safety clear zones and hazardous launch areas during flight as long as their risk did not exceed the newly designated thresholds.

In the final rule, the FAA adopts the proposal for neighboring operations personnel in §§ 401.7, 440.3, 450.101(a) and (b), and 450.137(c)(6). The FAA revises the § 401.7 definition of “neighboring operations” by removing the phrase “as determined by the Federal or licensed launch or reentry site operator” because the phrase is not relevant to the definition of neighboring operations personnel. The FAA also revises § 450.133 (Flight Hazard Area Analysis) paragraph (e)(2) to require that an applicant provide the hypothetical location of any member of the public that could be exposed to a probability of casualty of 1 × 10⁻⁵ or greater for neighboring operations personnel, in response to a comment to clarify representative probability contours.

The FAA sought comment on the proposed approach, as well as on proposals (1) not to require that neighboring operations personnel be specially trained, (2) not to designate ground operations hazard criteria for neighboring operations personnel, and (3) for the purpose of determining MPL, to align the individual risk threshold for neighboring operations personnel with the threshold for losses to government property and involved government personnel. Many commenters agreed with the FAA's proposal to change the risk threshold for neighboring operations personnel, stating that a higher risk threshold is necessary to allow for co-processing of multiple operations at a single facility. Despite this general agreement, some commenters disagreed with the specifics of the proposal. Several commenters pointed out that the FAA's approach to neighboring operations personnel differs from the ARC recommendation to exclude permanently badged personnel and neighboring launch operations from the definition of “public” but still to employ mitigation measures for uninvolved neighboring operations personnel when a hazardous operation or launch is scheduled.

Several commenters, including Blue Origin, Boeing, CSF, Lockheed Martin, Northrop Grumman, Space Florida, SpaceX, ULA, and Virgin Orbit, commented that neighboring operations personnel should not be included as members of the public. CSF stated that neighboring operations personnel should not be considered members of the public because they have essential, on-going requirements to conduct neighboring space transportation activities. CSF further stated that the FAA has the flexibility to exclude neighboring operations personnel from its definition of “public.” Blue Origin similarly stated that neighboring operations personnel are more familiar with the hazardous operations present at a launch site and may have a relationship or engagement with their neighboring operators and, therefore, should be treated differently from the public who are completely uninvolved and are not knowledgeable about launch and reentry operations. Space Florida also commented that employees of the licensee who may be working on a test program or a different launch or reentry program are not members of the public and raised the question whether the FAA should have statutory authority over launch essential personnel of a neighboring operator for other launch, reentry, or associated operations. Virgin Orbit commented that it would be better to include neighboring operations personnel under launch personnel, rather than requiring a new and possibly burdensome expected casualty analysis.

The FAA agrees that neighboring operations personnel are a unique category of people because of their essential, ongoing tasks. The FAA disagrees, however, with commenters' assertions that neighboring operations personnel should be excluded from the definition of “public” because of their involvement in launch operations or the tasks they are expected to perform. The FAA has a statutory obligation to protect the health and safety of members of the public. Prior to this rulemaking, the FAA defined public safety, for a particular licensed launch, as the safety of people and property that are not involved in supporting the launch, including those people and property that may be located within the boundary of a launch site, such as visitors, individuals providing goods or services not related to launch processing or flight, and any other launch operator and its personnel. The FAA's definition of “public” is derived from the definition of “public safety” in § 401.5 and the definition of “public” in § 420.5.[44]

The FAA's definition of “public” encompasses neighboring operations personnel because they are not involved in supporting the specific launch or reentry they are neighboring. The FAA agrees that neighboring operations personnel are more familiar with the hazardous operations present at a launch site and may have a relationship or engagement with their neighboring operators, but the FAA does not find that to be sufficient to exclude them from the definition of “public.” It was a factor, however, in the FAA's decision to apply a risk requirement to neighboring operations personnel different from the requirement applied to other members of the public. Although this rule includes neighboring operations personnel in the definition of “public,” the FAA recognizes that neighboring operations personnel are aware of the inherent risks associated with launch and reentry activities and are likely trained and prepared to respond to hazards present at these sites. Because of these differences, as well as their unique role in performing safety, security, and critical tasks, the FAA considers neighboring operations personnel a separate category of public, whose collective exposure to risk may not exceed 2 × 10⁻⁴ and for whom the risk to any individual may not exceed 1 × 10⁻⁵.

The FAA disagrees with Virgin Orbit's comment that neighboring operations personnel should be included as launch personnel so as to be exempted from risk calculations and eliminate the burden of the additional risk calculation. Neighboring operations personnel are not supporting the licensed activity and are members of the public; therefore, they must be protected under the FAA's statutory mandate. The FAA acknowledges that this conclusion requires risk analysis for the neighboring operations personnel; however, the FAA expects that this analysis will involve little additional effort because the operator already has to perform a similar analysis for the other members of the public and will only need to account for the population of neighboring operations personnel, if any. For these reasons, the FAA adopts the proposal without amendment.

In addition to comments recommending that neighboring operations personnel be excluded from the definition of “public,” several commenters had other recommendations for the proposed definition of “public.” CSF commented that the proposal does not specify how involved in a licensed operation a person needs to be to fall outside public risk protections. CSF also proposed that the definition of “public” should allow for a risk threshold for those who have been briefed on the risks and hazards and chosen to participate to the same level as neighboring operations personnel, and that historic NASA operations have followed this model. CSF further stated that the definition of “public” should not include persons who have a passive involvement in the licensed activity, such as invited guests of the operator, customers, families of astronauts, and other stakeholders with a legitimate enough interest in the launch or reentry activity to be on-site. SpaceX echoed CSF's comments on this issue, and further suggested that the definition of “public” should generally include only those people who reside and work outside the controlled areas of a launch or reentry site. Blue Origin, CSF, and SpaceX recommended excluding invited guests of the launch or reentry operator from the definition of “public.”

As discussed earlier, the FAA's definition of “public” was derived from the definition of “public safety” in § 401.5 and the definition of “public” in § 420.5. Historically, the FAA has considered “public” to include all people and property that are not involved in supporting a licensed or permitted launch and in the final rule extends the same definition to reentry. While neighboring operations personnel or invited guests [45] may accept a higher level of background risk, they are not involved in supporting the particular licensed operation and this rule continues the FAA's longstanding practice of protecting them as members of the “public.” While the FAA expects that certain members of the public may be briefed and aware of hazards, the FAA does not agree with CSF's rationale that being informed is a sufficient condition for such persons to be treated under the higher risk threshold for neighboring operations personnel. In addition to being informed of potential hazards, neighboring operations personnel are required to perform safety, security, or critical tasks at the neighboring site. The FAA finds that the necessity of these tasks justifies the minimal increase in risk to which neighboring operations personnel are exposed. Informed members of the public do not meet this criterion and, therefore, will continue to be protected at the public threshold rather than the higher threshold for neighboring operations personnel.

The FAA considered potential regulatory mechanisms for allowing public stakeholders with a legitimate enough interest in the launch or reentry activity to be on-site as requested by commenters. However, the FAA identified certain statutory and regulatory challenges with making these changes as a part of this final rule. Given the inherent risks associated with commercial space activity, Congress established a framework for liability insurance and financial responsibility that distinguishes individuals involved in launch or reentry activities from third parties. Section 50902 defines third party as persons other than launch or reentry participants.[46] Section 50914 states that a licensee must obtain liability insurance to protect launch or reentry participants from third party claims, based on maximum probable loss calculations.[47] Additionally, section 50914(b) establishes a reciprocal waiver of claims regime for applicable parties whereby each party to the waiver agrees to be responsible for personal injury to, death of, or property damage or loss sustained by it or its own employees resulting from an activity carried out under the applicable license. This regime includes certain parties waiving claims against the U.S. Government.[48] The FAA has codified these requirements in the part 440 regulations.

While the FAA may waive certain risk requirements in order to allow members of the public to be present in hazard areas during launch or reentry activities, these individuals are third parties under title 51 and will therefore be included in maximum probable loss calculations. This would likely increase insurance costs, which would be borne by the licensee. Additionally, these individuals are not currently included in title 51's cross-waiver framework nor has the FAA gone beyond the scope of title 51 in part 440 to expand the cross-waiver framework to include them. As such, their presence in hazard areas during launch or reentry activities may increase the liability of the United States (and others involved in the launch who have executed cross-waivers with the operator) because of the increased potential for third party claims. Finally, any regulatory changes would need to be effectuated in part 440 where the FAA's financial responsibility requirements for commercial space transportation are located; however, the FAA did not contemplate substantial changes to part 440 in this rulemaking. Because of these challenges, the FAA elects to proceed with a waiver regime rather than a regulatory change at this time.

The FAA notes that operators may request waivers to allow members of the public to be present in areas where risk requirements under part 450 would not otherwise allow them to be during launch and reentry activities.[49] Such requests can serve a purpose of encouraging, facilitating, or promoting commercial space launches and reentries by the private sector, facilitating private sector involvement in commercial space transportation activity, and promoting public-private partnerships. However, the FAA expects operators to articulate more specifically the reasons why allowing particular individuals to be in areas they otherwise would be prohibited from entering is in the public interest.

In considering such waiver requests, the FAA would be mindful of its role in protecting the public and accounting for any additional liability such a waiver would impose on the U.S. Government. Some factors that would affect the FAA's decision may include the number of people an operator seeks to have present and the strength of association between those people and the launch or reentry activity. Individuals that have an employment or contractual arrangement with the licensee, or are otherwise part of the cross-waiver framework of the license, may pose minimal, if any, liability for the U.S. Government. This could include high-level company officials and U.S. Government officials. Members of the public for whom a waiver is requested should have a strong connection to the launch, reentry, or licensee; for example, future customers, major investors, or invited press might qualify.

The operator bears the burden of providing adequate justification for this relief through the waiver process. The operator should include in its waiver application an assessment of the risks to the individuals covered by the requested waiver,[50] information on how the operator will assume liability and hold the U.S. Government harmless, and the individuals' association to the launch, reentry, or licensee. The FAA anticipates using its experience in considering waivers to accommodate the presence of additional members of the public during commercial space launch and reentry activities to inform potential future rulemaking in this area.

The FAA also received several comments on the proposed definition of “neighboring operations personnel.” Blue Origin requested that the FAA further define the term “critical tasks” referenced in the new definition to include “tasks that are critical to normal business operations.”

The FAA does not agree that adding Blue Origin's definition of “critical tasks” is necessary. In the absence of a regulatory definition, the plain language definition applies and is sufficient here. In addition, the FAA gave context in the preamble to the NPRM for the types of activity that may qualify as “safety, security, or critical tasks.” The plain language definition maintains flexibility to include various tasks as industry practices evolve over time. These tasks include maintaining the security of a site or facility or performing critical launch processing tasks such as monitoring pressure vessels or testing safety-critical systems of a launch vehicle for an upcoming mission. These tasks also include business operations that cannot be reasonably conducted off site, such as onsite hardware work as well as data processing that must be conducted in a secure facility. Neighboring operations personnel do not include individuals conducting normal business operations that need not be conducted in hazardous areas, individuals in training for any job, or individuals performing routine activities such as administrative, office building maintenance, human resource functions, or janitorial work. This flexibility accommodates practices like those USAF and NASA follow at their launch sites and is intended to allow critical operations to proceed at neighboring locations without jeopardizing those operations. As explained in the NPRM, neighboring operations personnel are members of the public. The FAA allows a slightly increased risk to these personnel over that permissible to other members of the public. The FAA does not believe that an increase in risk is justified for reasons other than to facilitate performing safety, security, or critical tasks at the site.

The FAA estimates that the collective risk criteria in the final rule for neighboring operations personnel will enable, on average, approximately forty additional personnel to operate in this capacity, which the FAA believes will ensure that neighboring operators can maintain operations with minimum disruption.

Virgin Galactic commented that the definition of “neighboring operations personnel” should include all personnel who have been properly trained to respond to hazards present at a launch or reentry site and who are notified of hazardous operations occurring by other licensed operators at that site. Virgin Galactic objected to including in the definition a requirement that neighboring operations personnel be notified of the operation, stating that a lack of notification should not exclude individuals from qualifying as neighboring operations personnel. Similarly, ULA commented that the requirement appeared to be mostly in the definition, which “removes the definition's objectivity.”

The FAA disagrees with Virgin Galactic that training and notification are sufficient to justify the inclusion of personnel in the neighboring operations personnel category. Training alone does not justify placing personnel at a raised level of risk. Only those personnel performing safety, security, or critical tasks qualify as neighboring operations personnel who may be subjected to a higher risk threshold because of the nature of those tasks, as discussed previously and in the NPRM. Furthermore, as explained in the NPRM, requiring a licensee to ensure neighboring operations personnel are trained would be burdensome and is not necessary to justify the increase in risk allowed for workers performing safety, security, or critical tasks.

The FAA does not agree with Virgin Galactic and ULA that the definition of “neighboring operations personnel” imposes a regulatory requirement. Rather, it enables neighboring operations to continue by describing which individuals qualify as neighboring operations personnel. Notification of an operation is a precondition to qualify as neighboring operations personnel. Personnel cannot be designated as neighboring operations personnel and be subject to the higher risk thresholds, if they have not been notified of the operation. For these reasons, the FAA declines to accept these particular changes to the proposed definition.

A number of commenters focused on which authority designates personnel as neighboring operations personnel. Many commenters, including CSF, Space Florida, and SpaceX, noted their agreement that the designation of neighboring operations personnel should be coordinated and determined by the site operator, but urged the FAA to remove its proposed neighboring operations personnel risk thresholds and instead allow site operators to designate what mitigations would be necessary to protect neighboring operations personnel. CSF urged the FAA generally to defer to Federal, State, local, or private site owners and operators as the sole decision-makers responsible for determining which personnel would be considered essential to ongoing operations and what hazard mitigation measures should be observed.

Other commenters, including ULA and Virgin Galactic, commented that the FAA should designate neighboring operations personnel. These commenters argued that a site operator should not determine who qualifies as neighboring operations personnel, because it would be tantamount to the FAA's reassigning its decision-making authority on the matter. Sierra Nevada recommended that the FAA collect the neighboring operations personnel information and calculate the risk on behalf of the applicant so that the proprietary nature of workforce numbers can be maintained between competitive companies. The Aerospace Industry Association (AIA), Blue Origin, Virgin Galactic, and other commenters also raised concerns about how proprietary data would be shared after neighboring operations are designated. Virgin Galactic commented that those best suited to know which employees are required for safety, security, or critical tasks are the other launch operators, not the site operator.

As previously described, the FAA maintains that the separate risk thresholds are the appropriate protections for neighboring operations personnel, and the FAA does not agree with removing its proposed neighboring operations personnel risk thresholds and instead allowing site operators to designate what mitigations would be necessary to protect neighboring operations personnel. The FAA does not agree with ULA and Virgin Galactic that the FAA or the launch operator should determine what individuals are appropriately classified as neighboring operations personnel. Site operators are in the best position to know what operations occur on their sites and which individuals are appropriately designated as neighboring operations personnel. The FAA expects that the site operator (i.e., an operator of a Federal site or FAA-licensed launch or reentry site) would work with operators of neighboring sites to identify these personnel because the site operator is in the best position to identify which personnel are required to perform safety, security, or critical tasks at the launch site. The site operator has a formal relationship with all operators on its site and has an interest in enabling continued and unimpeded operations amongst its tenants. At Federal sites, the site operator already fulfills this function, and thus enabling neighboring operations personnel does not impose any additional costs on the site operator. The designation of neighboring operations personnel is optional for FAA-licensed or exclusive use site operators. The FAA will monitor a launch site operator's designation and vehicle operator's implementation of neighboring operations personnel to ensure the appropriateness of these designations, thereby retaining its authority to determine which individuals are properly characterized as neighboring operations personnel.

Further, site operators are best positioned to adjudicate between tenants, to coordinate acceptable numbers of neighboring operations personnel during licensed operations, and to protect their tenants' proprietary information and furnish the necessary information to the licensed operator. The FAA expects that the coordination of the necessary data transfer will be collaborative between the licensed operator, the site operator, and the neighboring operators. Neighboring operators have the option of removing their personnel during the flight of a neighboring flight or reentry. As discussed above, neighboring operators have the option of discussing with the site operator which personnel they believe need to remain present in order to maintain safety, security, or other critical tasks. The accommodation of neighboring operations personnel through the risk thresholds benefits the launch or reentry operator by reducing the possibility that their presence without evacuation could result in a violation of the public risk criteria. It also benefits the neighboring operators to allow safety, security, or critical tasks to continue in cases where the site operator might otherwise require evacuation of personnel. Hence, the FAA believes that generally, as is current practice at Federal sites, neighboring operations personnel can be accommodated with little direct intervention by the FAA.

Blue Origin, CSF, and SpaceX all commented that the neighboring operations personnel provisions should apply to exclusive-use or private sites. Blue Origin asked whether the FAA intended to exclude such sites from its proposal because, although these are sites that the FAA does not license, launch and reentry activities at these sites can cause disruptions to non-licensed neighboring activities, such as developmental or test programs.

The FAA does not license exclusive-use sites, but it does license launch and reentry activities that occur at exclusive-use sites. The FAA does not anticipate that many exclusive-use sites would have personnel within a launch or reentry site, or an adjacent launch or reentry site, that qualify as neighboring operations personnel. Nevertheless, the FAA may accept the designation of neighboring operations personnel at an exclusive-use site if they are designated by the licensed vehicle operator that operates the site. Such designations will only apply to members of the public located within the site or an adjacent launch or reentry site who are not associated with the specific hazardous licensed or permitted operation being conducted, but who are required to perform safety, security, or critical tasks at the site and are notified of the operation. This approach is accommodated by the proposed regulations without change.

The FAA recognizes that there are activities that currently take place at launch sites that are not explicitly associated with launch or reentry operations. For example, payload processing typically occurs at launch sites. The Reagan Test Site at Kwajalein also has facilities that are essential for tracking objects in space. The U.S. Navy has a presence at Cape Canaveral Air Force Station (CCAFS). These activities may sometimes require critical personnel to remain on site during neighboring launch activities to ensure the continuation of operations. While the FAA envisioned primarily facilitating launch operations by proposing a carve out for neighboring operations personnel, it will allow other personnel conducting non-licensed activities on a launch or reentry site or an adjacent launch or reentry site to qualify as neighboring operations personnel as long as they meet the criteria enumerated in the definition.

ALPA and Space Florida questioned whether the neighboring operations personnel provisions would apply at joint spaceport/airport facilities to allow airport staff to stay in the hazard area or clear zone based on risk assessments during licensed space operations. In the NPRM, the FAA took into account that neighboring operations personnel are more likely than the rest of the public to be specially trained and prepared to respond to hazards present at a launch or reentry site. The USAF and NASA definitions specify that these personnel are either trained in mitigation techniques or accompanied by a properly trained escort. However, the FAA did not require that neighboring operations personnel be trained or accompanied by a trained escort because such a requirement would be burdensome, and training is not necessary to justify the slight increase in risk allowed for workers performing safety, security, or critical tasks. Although in developing the NPRM, the FAA did not contemplate airport personnel at co-located sites as neighboring operations personnel, the proposed definition did not preclude the possibility. In response to commenters, the FAA finalizes the definition of “neighboring operations personnel” as proposed, and agrees that the definition may include airport personnel working at a launch site.

Many commenters expressed concerns about the impact of designating neighboring operations personnel on the MPL calculation and the associated financial responsibility requirements. Northrop Grumman, Sierra Nevada, SpaceX, and ULA all commented that the inclusion of neighboring operations personnel would likely raise MPL, even at the proposed lower threshold in the NPRM. CSF, Space Florida, and SpaceX requested that neighboring operations personnel be excluded from MPL calculations via waivers of liability.

Section 50914(c) of title 51 of the U.S. Code states that the Secretary of Transportation shall determine the maximum probable losses for which a licensee must obtain liability insurance or demonstrate financial responsibility. This amount must include the maximum probable loss from claims by, in relevant part, third parties. 51 U.S.C. 50914(a)(1)(A). Neighboring operations personnel are third parties under chapter 509 of title 51.[51] Therefore, the FAA must include neighboring operations personnel in its MPL calculations.

The FAA agrees with the comments that MPL calculations could be affected by the designation of neighboring operations personnel because the proposed rule allowed more people to stay inside the 1 × 10⁻⁵ probability of casualty hazard area. While the FAA must include neighboring operations personnel in the MPL calculation, it does not expect the inclusion to affect materially the MPL amount. This expectation is based on the adoption in the proposed rule, for the purpose of determining MPL, of setting the threshold for neighboring operations personnel at the same threshold for losses to government property and involved government personnel. The MPL will determine losses to property and personnel of neighboring operators that have a probability of occurrence of no less than one in one hundred thousand (1 × 10⁻⁵), instead of the more stringent requirement of one in ten million (1 × 10⁻⁷) used for other third party losses. This threshold is appropriate for neighboring operations personnel because, unlike other third parties, except for involved government personnel, the presence of neighboring operations personnel at a launch or reentry site is necessary either for security reasons or to avoid the disruption of co-located activities at neighboring sites. The MPL methodology captures catastrophic events that, while extremely unlikely, still fall within the probability threshold.

The FAA's examination of past MPL determinations gives it confidence that these other events will generally drive MPL amounts more than the limited presence of neighboring operations personnel.[52] While additional insurance costs are expected to be minimal, these minimal cost burdens are more appropriately placed on the launch or reentry operator creating the hazards, rather than the neighboring operator who otherwise must halt its operation. The FAA notes, however, that these regulations do not prevent a launch operator from entering into an agreement with a neighboring operator to recover costs as a result of any increase in the required amount of third party liability insurance due to the presence of neighboring operations personnel. Should a launch operator choose to enter into such an agreement, the launch operator would still be required to purchase insurance to cover all third parties, to include any neighboring operations personnel, and could seek reimbursement as a secondary measure. Therefore, the FAA adopts the proposal without amendment.

b. High Consequence Event Protection (§ 450.101(c))

In the NPRM, the FAA proposed to expand the FAA's use of consequence criteria to protect the public from an unlikely but catastrophic event. Specifically, the FAA proposed to use conditional expected casualties (CEC) as the quantitative metric for: (1) Determining the need for flight abort [53] as a hazard control strategy in proposed § 450.101(c); (2) setting reliability standards for an FSS required by § 450.101(c) in proposed § 450.145(a); and (3) determining when to initiate a flight abort in proposed § 450.125(c)(1) and (c)(2). The proposed use of CEC represented the most significant change in the NPRM because it introduced a new safety criterion pertaining to low probability, high consequence events and provided a means by which an operator could demonstrate that expensive, highly reliable FSS design and testing may be unnecessary to protect public safety. As explained in the NPRM, consequence can be measured in terms of CEC without regard to the probability of failure.

The FAA received extensive comments on this proposal and, as a result, has made significant changes in the final rule to allow for additional flexibility in measuring and mitigating high consequence events. The following subsections provide an overview of the finalized CEC requirements in § 450.101(c), the FAA's rationale for making the change, and specific responses to comments. The FAA notes that this section of the preamble focuses on CEC as a means to measure the potential for high consequence events under § 450.101(c). CEC will be discussed further in the preamble sections addressing §§ 450.108 (Flight Abort) and 450.145 (Highly Reliable Flight Safety System).

i. § 450.101(c)

In the NPRM, proposed § 450.101(c) would require an operator to use flight abort as a hazard control strategy if the consequence of any reasonably foreseeable vehicle response mode, in any one-second period of flight, is greater than 1 × 10⁻³ CEC for uncontrolled areas. The FAA further proposed that the requirement would apply to all phases of flight, unless otherwise agreed to by the Administrator based on the demonstrated reliability of the launch or reentry vehicle during that phase of flight. Although not specifically spelled out in the regulatory text, the FAA explained in the preamble that § 450.101(c) was designed to ensure the public was sufficiently protected against low probability, high consequence events using CEC as a measure of the potential for high consequence events.

In the final rule, the FAA retains the use of CEC as a quantitative criterion that an applicant may use to measure the potential for high consequence events. However, as explained in the preamble section addressing § 450.101(c)(2), the FAA revises § 450.37(b) (Equivalent Level of Safety) to allow an applicant to propose an alternative way to measure high consequence events other than by CEC. The final rule also allows multiple ways an applicant may protect against a low probability, high consequence event in uncontrolled areas for each phase of flight in § 450.101(c)(1) through (3). As discussed in more detail later in this section, an operator sufficiently protects against a high consequence event by (1) using flight abort in accordance with § 450.108; (2) demonstrating that CEC is below a certain threshold without any FSS; or (3) demonstrating sufficient vehicle reliability and in consideration of CEC.[54] The FAA changes the heading of § 450.101(c) from “Flight Abort” in the NPRM to “High Consequence Event Protection” in the final rule because this section allows an operator in certain circumstances to use a method other than flight abort to protect against high consequence events.

Multiple commenters, including CSF, Sierra Nevada, and SpaceX, stated that the NPRM requirements in § 450.101(c) were too prescriptive and objected to the lack of an explicit provision allowing an applicant to propose another approach to address a high consequence event, absent a waiver. The FAA agrees that the final rule should provide additional flexibility and discusses those changes in more detail later in this section.

Multiple commenters, including CSF and Virgin Galactic, indicated that the EC collective risk criteria alone should be enough to establish the need for an FSS, the reliability of the FSS, and when an FSS would be required to be activated to ensure public safety.[55] The FAA finds that the use of collective risk through analyses of EC and individual risk through analysis of Probability of Casualty (PC) is inherently inadequate to establish sufficient protection against low probability, high consequence events during launch and reentry operations. Whereas PC limits the maximum risk to an individual and EC limits the average outcome in terms of casualties in a group of people, both PC and EC are indifferent to the risk of events that involve multiple casualties. This indifference means that, if the risk of a potential event that could result in a high number of casualties is low enough, the PC and EC criteria would not act to prevent that event. As explained in the NPRM, the purpose of CEC is to protect the public from certain high consequence events, regardless of the probability of those events. Thus, the final rule includes specific provisions, such as in §§ 450.101, 450.108, and 450.145, to ensure adequate protection against low probability but high consequence events during launch and reentry.

In addition, a conditional risk assessment ensures adequate mitigation measures are in place to protect against a low probability, high consequence event in circumstances in which EC and PC may not dictate the need for mitigation. As explained in the NPRM, unlike collective risk that determines the expected casualties factoring in the probability that a dangerous event will occur, conditional risk determines the expected casualties assuming the dangerous event will occur.[56] This assumption means that using EC alone may result in a lack of mitigations, such as flight abort capability and preparedness, for certain high consequence events because the low probability of occurrence would translate into an EC below the 1 × 10⁻⁴ limit. Conversely, using a conditional risk assessment ensures that, if a high consequence event is reasonably foreseeable, such as an incorrect azimuth at lift-off, then an operator will have a mitigation in place to prevent that event from producing catastrophic results. This result is assured because the decision to activate an FSS is always made in response to a system failure in the operational environment, as no operator plans to implement a flight abort unless the mission objectives include an intentional test of the FSS.

Calculating CEC ensures an operator correctly recognizes certain system failures that may have catastrophic consequences and builds mitigations into the system to account for those failures. As such, an FSS is generally activated in the following context: (1) The vehicle is no longer performing nominally; (2) the vehicle is outside the limits of a useful mission; [57] and (3) continued flight would increase public risks in uncontrolled areas. Hence, the risk to the public associated with the decision to activate an FSS is inherently conditioned on the fact that a system failure has occurred. An operator would only identify a system failure for low probability, high consequence events if the operator used a CEC-based analysis, rather than an EC calculation, because a CEC analysis assumes that the event will occur. Therefore, relying on the collective risk criteria alone would not adequately protect against low probability, high consequence events that could result in multiple public casualties.
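The difference between collective and conditional risk described above can be seen numerically. The following is an added illustration, not part of the FAA's rule or guidance: it assumes the simplified relation CEC = effective casualty area × population density, takes the limits as 1 × 10⁻⁴ EC and 1 × 10⁻³ CEC, and uses constructed failure modes and values throughout.

```python
"""Collective risk (EC) versus conditional expected casualties (CEC).

Added illustration; the failure modes and every number are constructed.
"""
from dataclasses import dataclass

EC_LIMIT = 1e-4   # collective risk limit quoted in the preamble
CEC_LIMIT = 1e-3  # high consequence threshold quoted for § 450.101(c)(2)


@dataclass(frozen=True)
class FailureMode:
    name: str
    period: str                 # period of flight being assessed
    p_failure: float            # probability the failure occurs in that period
    casualty_area_m2: float     # effective casualty area of the debris
    pop_density_per_km2: float  # people per km^2 in the uncontrolled area hit

    @property
    def cec(self) -> float:
        """Mean casualties given that the failure occurs (probability set to 1).

        Assumption: uniform population density, so CEC = area x density.
        """
        return self.casualty_area_m2 / 1e6 * self.pop_density_per_km2

    @property
    def ec_contribution(self) -> float:
        """This mode's share of EC: the probability-weighted CEC."""
        return self.p_failure * self.cec


def mission_ec(modes) -> float:
    """Collective risk: sum of probability-weighted consequences."""
    return sum(m.ec_contribution for m in modes)


def high_consequence_modes(modes, limit: float = CEC_LIMIT):
    """Modes whose consequence, assuming they occur, exceeds the CEC limit."""
    return [m for m in modes if m.cec > limit]


def probability_masked_by_ec(mode: FailureMode, limit: float = EC_LIMIT) -> float:
    """Largest failure probability at which this mode alone stays within the
    EC limit. Any rarer occurrence is invisible to an EC-only screen."""
    return min(1.0, limit / mode.cec)


# Constructed sample mission: three failure modes in three periods of flight.
MODES = [
    FailureMode("loss of thrust near pad", "0-10 s", 2e-3, 2000.0, 0.2),
    FailureMode("incorrect azimuth at lift-off", "10-11 s", 1e-6, 5000.0, 2000.0),
    FailureMode("downrange breakup", "200-210 s", 5e-3, 1000.0, 0.1),
]


def report(modes=MODES) -> None:
    ec = mission_ec(modes)
    print(f"mission EC = {ec:.3e} (limit {EC_LIMIT:.0e}): "
          f"{'within' if ec <= EC_LIMIT else 'exceeds'} limit")
    for m in modes:
        flag = "EXCEEDS" if m.cec > CEC_LIMIT else "ok"
        print(f"  {m.name:32s} P={m.p_failure:.0e} "
              f"CEC={m.cec:.1e} EC share={m.ec_contribution:.1e} [{flag}]")
    for m in high_consequence_modes(modes):
        print(f"  '{m.name}' passes an EC-only screen at any probability "
              f"below {probability_masked_by_ec(m):.0e}")


if __name__ == "__main__":
    report()
```

In this constructed mission the total EC is well inside the collective limit, yet the azimuth failure mode carries a CEC of about ten casualties and is the only mode the conditional screen flags.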

The FAA received several comments regarding the potential for various launch operations to comply with the proposed CEC thresholds in the NPRM. Rocket Lab USA, Inc. (“Rocket Lab”) commented that it would be “nearly impossible” for any orbital launch vehicle to meet the CEC thresholds defined in the proposal and recommended the use of cumulative risk and individual risk metrics as additional or alternative means of determining the reliability required for the flight abort system. Blue Origin also stated that most, if not all operators, including those operating smaller suborbital launch vehicles in remote locations, would be forced to implement an FSS that complies with an unmodified set of USAF requirements. SpaceX recommended that the FAA gather more detail on CEC for different launch vehicles and trajectory profiles to evaluate appropriate lower tiers of reliability.

The FAA sponsored a series of tasks, performed by ACTA, LLC (ACTA), to investigate the potential conditional risks associated with a wide array of past and foreseeable future launch operations using the best available information and tools. The study [58] provided an independent evaluation of the potential for the CEC-related requirements in the NPRM to necessitate changes to current practice for more than a dozen missions involving large, medium, and small launch vehicles from a wide variety of sites. The results of this study demonstrate that the required reliability of an FSS for relatively small rockets depends greatly on the launch site. Specifically, the ACTA study found that a small ELV launched from Cape Canaveral or Wallops Island would need a highly reliable FSS compliant with proposed § 450.145 to meet the NPRM requirements, but that a less reliable FSS, such as an FSS compliant with proposed § 450.143, would suffice for the same vehicle launched from more remote locations, such as the Mahia Peninsula and Kodiak Island. To the extent that commenters suggested proposed § 450.101(c) would require currently licensed operators to use an FSS, the ACTA study results indicate that no changes would be required under the final rule regarding the need for an FSS for any currently licensed launch vehicle launched from a Federal launch or reentry site.[59] The ACTA study also indicates that, for operators who currently employ an FSS to meet the FAA's public risk criteria, their current practices regarding FSS reliability and activation criteria would be sufficient to demonstrate compliance with the requirements in § 450.108.

A number of commenters asserted that the proposed CEC requirements would increase cost for operators, particularly for current RLV operators.

CEC analysis is not mandatory. If an operator chooses to use a § 450.145 compliant FSS, it does not need to do the CEC analysis to establish if a § 450.145 compliant FSS is necessary or if a § 450.143 compliant FSS would suffice. A CEC analysis to establish compliant Flight Safety Limits is unnecessary if the operator chooses to demonstrate compliance with § 450.108(c)(6).

The FAA does not agree that the cost of a CEC analysis is prohibitively expensive. The FAA provides estimates in the final Regulatory Impact Assessment of the costs of the CEC analyses as well as estimates of cost savings on those launches that will not need an FSS.

The ACTA study calculated CEC for a sample of licensed RLVs and the results indicate that the final rule will not require any changes regarding the FSS robustness and FSS activation criteria currently used for the operations at the Mojave Air and Space Port. The ACTA study results suggest that launches from Spaceport America would not need to use flight abort as a hazard control strategy to meet the CEC requirements in the final rule. Thus, the ACTA study suggests the final rule could facilitate a reduction in costs for RLV launches from non-Federal launch sites for current part 431 licenses that include flight abort as a hazard control strategy. Ultimately, the ACTA study indicates that CEC will not drive a requirement for flight abort for currently licensed RLVs operating from non-Federal sites and is therefore not expected to drive costs for RLV operators. In the final Regulatory Impact Analysis, the FAA discusses in detail estimated voluntary costs to perform CEC analyses as well as cost savings that result when an FSS is not required.

Several commenters, including CSF, Rocket Lab, Sierra Nevada, SpaceX, and an individual commenter, expressed a need for clarification of acceptable methodologies to compute CEC. CSF and Sierra Nevada commented that there are no publicly available methodologies or background for conducting CEC analysis. CSF noted that the CEC analysis is computationally intensive and approved risk analysis tools and input data were not readily available. SpaceX stated it needed guidance on several specific technical issues on the computation of CEC. Rocket Lab stated that, without standardized methods and input data, results would vary widely.

The FAA notes that CEC is inherent in the calculation of EC for launch or reentry operations. There are extensive guidance documents available currently that explain methodologies that can be used to compute EC and, as a byproduct, CEC as well.[60] The FAA is aware of at least one operator that has used these guidelines to develop and implement its own safety analysis tools to demonstrate compliance with the current public risk criteria under part 417. Some tools have already been modified to compute CEC with only a few hours of effort. Even so, the FAA remains dedicated to improving the guidance materials available to applicants and plans to provide additional advisory materials to explain acceptable safety analysis methods, including those that address any unique aspects of CEC computations.

Sierra Nevada commented that CEC analysis was not a widely accepted practice, nor had it been subject to rigorous testing, and it was not ready to be implemented. In response, the FAA notes that RCC 321 Standard and Supplement has included conditional risk standards and guidelines since 2010. Moreover, CEC analysis has been used to help inform important decisions regarding the safety of commercial space transportation operations since 2016, when the FAA first cited CEC as part of a formal waiver evaluation.[61] As noted in the NPRM preamble, in granting these waivers, the FAA has adopted the conditional risk management approach, noting that the predicted consequence was below a threshold of 1 × 10⁻² CEC.[62] The FAA further stated in the preamble that measuring the consequence from reasonably foreseeable, albeit unlikely, failures is an appropriate metric to assess prudent mitigations of risks to public health and safety and the safety of property. In recent years, the USAF has also used CEC analyses to establish appropriate FSS activation criteria for launch operations from both CCAFS and VAFB. Most recently, the FAA considered the results of CEC analyses in granting waivers to the debris containment requirements in § 417.213(a) and (d) that enabled the SAOCOM-1B mission to be conducted safely.

Several commenters, including CSF, Sierra Nevada, and SpaceX, recommended that the proposed CEC-related requirements be moved to a guidance document as an accepted means of compliance to a more performance-based regulation to preserve flexibility. CSF stated that, at a minimum, the quantitative criteria should be moved to a guidance document.

The FAA considered replacing the proposed quantitative CEC criteria with a qualitative standard and moving the quantitative criteria to a guidance document as one acceptable means of compliance. However, the FAA finds that a qualitative approach to determine the three key CEC-related issues (i.e., the need for flight abort with a reliable FSS as a hazard control strategy, the reliability standards for any required FSS, and the criteria for activation of an FSS) would lack regulatory clarity necessary to ensure a consistent level of public protection, given the wide variety of launch and reentry operations. As noted by Rocket Lab and other commenters, even the results of quantitative high consequence event assessments can vary significantly from operator to operator without standardized methods and input data.

Although quantitative CEC is retained in the final rule, the FAA adds flexibility in both the manner in which a high consequence may be measured and the manner in which an operator can sufficiently protect against a high consequence event. First, in the NPRM, ELOS would not have been allowed for the requirements in § 450.101. As noted in the discussion of ELOS earlier in the preamble, the FAA has revised § 450.37 in the final rule to allow operators to use ELOS to measure a high consequence event under § 450.101(c)(2). Second, § 450.101(c)(2) permits an operator whose CEC is greater than 1 × 10⁻³ to propose safeguards other than flight abort to reduce the CEC below 1 × 10⁻³. These revisions are discussed in greater detail later in this section.

Virgin Galactic recommended the FAA provide a definition of CEC. In addition, Virgin Galactic commented that, in the NPRM preamble, CEC was described using the phrase, “without regard to the probability of failure,” which appeared to Virgin Galactic to translate to “assume 100% failure probability.” Virgin Galactic recommended the FAA use the terminology “assuming the failure will occur” and clearly state the probability of failure would be 1, if that was what was intended.

The FAA does not agree that CEC should be defined in the final rule. Rather, the preamble and associated AC (on High Consequence Event Protection) discuss in detail what the requirement entails and how to calculate CEC. A CEC value is calculated as the mean number of casualties predicted to occur given a specified failure mode in a given time interval with a probability of 1. As previously mentioned, there are extensive guidance documents currently available that explain methodologies that can be used to compute EC and, as a byproduct, CEC as well.[63] The term “high consequence” appears in § 417.107(a)(1)(ii), but the FAA chose not to define this term formally at this time to allow for operational flexibility. High consequence events include incidents that could involve multiple casualties, massive toxic exposures, extensive property or environmental damage, or events that jeopardize the national security or foreign policy interests of the United States.

Boeing, Lockheed Martin, Northrop Grumman, and ULA provided regulatory text recommendations for § 450.101(c) including removal of “flight abort,” stating that a distinction needed to be made from flight abort that was not initiated based on threat to public health and safety because not all abort systems are considered FSS.

The FAA understands that the term “flight abort” has been used in other U.S. Government contexts to mean something different, but the FAA finds that “flight abort” accurately describes the required hazard mitigations while remaining flexible as to implementation. For these reasons, the FAA will not amend the rule to remove the term “flight abort.” The final rule adopts the proposed definition of flight abort in § 401.7, which means the process to limit or restrict the hazards to public health and safety, and the safety of property, presented by a launch vehicle or reentry vehicle, including any payload, while in flight by initiating and accomplishing a controlled ending to vehicle flight. The final rule also adopts in § 401.7 the proposed definition of “flight safety system,” which means a system used to implement flight abort, for which a human can be a part of an FSS.

The FAA finds that the definition of “flight abort” is consistent with current practice for licensed launches and reentries. Most RLVs use some method to achieve flight abort reliably, either in the form of a pilot that can safely abort flight using system controls or an automated system to terminate thrust. Traditional FSS for ELVs are comprised of an onboard flight termination system, a ground-based command and control system, and tracking and telemetry systems. Historically, the flight safety crew monitoring the course of a vehicle would send a command to self-destruct, thus aborting the flight, if the vehicle crossed flight safety limits and in doing so threatened a protected area. Redundant transceivers in the launch vehicle would receive the destruct command from the ground, set off charges in the vehicle to destroy the vehicle and disperse the propellants so that an errant vehicle's hazards would not impact populated areas. While this method of flight abort through ordnance is conventional, the existing definition in § 417.3 and the definition in the final rule do not require an FSS to be destructive.

In response to commenters' concerns, the FAA finds that the definitions of “flight abort” and “flight safety system” adopted in the final rule remove any perceived confusion over the use of these terms for the purpose of FAA licensing under part 450.

ii. § 450.101(c)(1)

Section 450.101(c)(1) states that an operator must protect against a high consequence event in uncontrolled areas for each phase of flight by using flight abort as a hazard control strategy in accordance with the requirements of § 450.108. The FAA has not included the reference to the CEC threshold of 1 × 10⁻³ in § 450.101(c)(1) because an operator who uses flight abort in accordance with § 450.108 has demonstrated compliance with § 450.101(c)'s requirement to protect against a high consequence event without further inquiry into CEC beyond the requirements in § 450.108(c). This change is consistent with the concept proposed in § 450.101(c) of the NPRM that required an operator to use flight abort with a reliable FSS [64] if CEC was greater than 1 × 10⁻³ for any phase of flight. Under the proposal, if an operator elected to use flight abort with an FSS that met the reliability requirements in § 450.145, the FAA would not have required the operator to calculate CEC for the purposes of determining compliance with proposed § 450.101(c) because the operator opted into flight abort as a hazard control strategy irrespective of CEC.

As such, in the final rule, there is no need to reference a CEC threshold in § 450.101(c)(1) because an operator who elects to use flight abort as its hazard control strategy and complies with § 450.108 does not need to calculate CEC (beyond the requirements in § 450.108(c) discussed later in the preamble) to determine that it has sufficiently protected against a high consequence event. Rather, use of flight abort consistent with the requirements in § 450.108 by itself demonstrates compliance with § 450.101(c).

As explained in the next two sections, operators who do not elect to use flight abort consistent with the requirements of § 450.108 must demonstrate they can protect against a high consequence event by means other than flight abort. If an operator cannot demonstrate compliance with § 450.101(c)(2)—including through ELOS—or (c)(3), the operator would be required to rely on § 450.101(c)(1) as the only remaining means to protect against a high consequence event.

iii. § 450.101(c)(2)

In the final rule, § 450.101(c)(2) states that an operator must protect against a high consequence event in uncontrolled areas for each phase of flight by ensuring the consequence of any reasonably foreseeable failure mode, in any significant period of flight, is not greater than 1 × 10⁻³ CEC. As noted, proposed § 450.101(c) would have required an operator with a CEC greater than 1 × 10⁻³ to use flight abort with an FSS that meets the reliability requirements of proposed § 450.145 except for a single exception explained in greater detail in the discussion of § 450.101(c)(3).

The FAA recognizes that flight abort is not the only method to protect against low probability, high consequence events. Therefore, in the final rule, § 450.101(c)(2) allows an operator with CEC greater than 1 × 10⁻³ in any significant period of flight to demonstrate protection against a low probability, high consequence event through means other than flight abort. This added flexibility in the final rule allows operators to implement other safeguards that sufficiently protect against a high consequence event. For example, one company included a design feature in a system so that a launch failure during downrange overflight would result in break-up and demise and thus mitigate the risk from the potential for the capsule to survive intact to impact.

In addition, although this provision retains the quantitative CEC threshold proposed in § 450.101(c), the FAA provides additional flexibility by modifying § 450.37 to allow applicants to propose alternative approaches that provide an equivalent level of safety, which can be approved by the FAA without a waiver. The FAA added this flexibility because it is aware of methods other than using CEC to measure high consequence events, such as conditional risk profile. If an operator chooses to propose an alternative means of measuring a high consequence event, the FAA would expect the alternative means to account for the potential for any event that would be expected to produce multiple casualties,[65] using a method that demonstrates equivalent level of safety to a CEC analysis. The operator must ensure that the alternative means accurately assesses that the operation would not exceed an acceptable threshold for high consequence events. In order to determine whether an alternative threshold for high consequence events is acceptable, the FAA will compare the alternative measurement to the CEC threshold. Alternatively, the applicant would be expected to demonstrate that either the consequence of any failure during any significant period of flight is at least an order of magnitude less than the average results from a fixed-wing general aviation aircraft fatal accident.[66]

For example, the Range Commanders Council Document 321-17, “Common Risk Criteria Standards for National Test Ranges” (RCC 321) includes catastrophic risk protection provisions that use a “risk profile.” [67] In fact, the FAA currently uses a modified risk profile method to establish the insurance requirements for certain launch or reentry operations.[68] The FAA understands that risk profiles are currently in use in other industries [69] and could be a useful means to quantify the probability of high consequence events associated with a wide variety of hazardous operations. However, the computation of a risk profile generally entails significantly more effort than the CEC evaluation because a risk profile involves more sophisticated computations and additional input data. Specifically, the development of a risk profile for a launch or reentry operation would consist of an evaluation of the absolute probability of each foreseeable failure mode and the relative probability of each outcome of each failure mode in terms of the number of public casualties that could result in uncontrolled areas. The RCC 321 Supplement describes a more simplified and conservative method to screen for excessive catastrophic risk, which the FAA finds as another acceptable method to measure high consequence events.[70] In contrast, a CEC analysis is independent of the probability of each failure mode and requires an assessment of only the average outcome of each failure mode. In addition, the FAA is publishing an AC that describes how an applicant can demonstrate compliance with § 450.101(c)(2) by showing that the conditional risk profile for its proposed launch or reentry mission is comparable with the conditional risk profile empirically derived from evidence from a set of past fixed-wing general aviation fatal accidents.
Finally, the FAA recognizes that industry may develop new innovative and less burdensome methods, and therefore the final rule allows applicants to propose methods other than CEC to measure high consequence events.

In § 450.101(c)(2), the FAA replaces the term “one-second period of flight” in proposed § 450.101(c) with “significant period of flight.” A period of flight would be significant if it is long enough for a mitigation, such as flight abort, to decrease the public risks or consequences materially from any reasonably foreseeable failure mode. The FAA makes this change because it recognizes that for some launch and reentry concepts, such as relatively slow-moving vehicles like balloons, a “significant” period of flight could exceed one second. In addition, the FAA foresees circumstances in which an elevated CEC in a single second of flight would not warrant additional mitigation, such as when no additional mitigation would improve public safety meaningfully in terms of the public risks and consequences. The preamble discussion of § 450.108 contains further explanation of what constitutes a material decrease.

Finally, the final rule replaces the phrase “any reasonably foreseeable vehicle response mode” proposed in § 450.101(c) with “any reasonably foreseeable failure mode” in § 450.101(c)(2) of the final rule. The NPRM defined “vehicle response mode” as a mutually exclusive scenario that characterizes foreseeable combinations of vehicle trajectory and debris generation. Thus, the NPRM would have required an evaluation of CEC for each foreseeable combination of vehicle trajectory and debris generation. By replacing the term “vehicle response mode” (VRM) with “failure mode,” the final rule is both less prescriptive and consistent with the current requirements.[71]

In the NPRM, the FAA defined a VRM as a mutually exclusive scenario that characterizes foreseeable combinations of vehicle trajectory and debris generation. As stated in the NPRM, proposed § 450.101(c) would have required, at a minimum, that an operator compute the effective casualty area and identify the population density that would be impacted for each reasonably foreseeable vehicle response mode in any one-second period of flight in terms of CEC. The NPRM further explained that the casualty area, population density, and predicted consequence for each vehicle response mode are intermediate quantities that are necessary to demonstrate compliance with the individual and collective risk criteria currently; thus, these new requirements would not necessarily impart significant additional burden on operators.

The draft AC 450.115-1 on High Fidelity Flight Safety Analysis published for comment in conjunction with the NPRM further explained that “VRMs are a combination of debris list and failure modes” and provided a description of typical failure modes for launch and reentry systems, including loss of thrust, engine explosion, attitude control failure, structural failure, separation failure, guidance or navigation failure, etc. Because the final rule replaces the term “vehicle response mode” with “failure mode,” an operator is no longer required to evaluate CEC for each foreseeable combination of failure mode and debris generation. Instead, an operator is required to evaluate CEC for each reasonably foreseeable failure mode in any significant period of flight.[72]

Boeing suggested changing the term “reasonably foreseeable” to “credible” vehicle response modes. The FAA does not agree that the term “reasonably foreseeable” should be replaced by the term “credible” in this section. As previously noted, the term “reasonably foreseeable” is used in § 431.35 and commonly used in system safety. In the absence of a compelling reason to change, the FAA prefers to continue to use language consistent with previous regulations instead of introducing a new term at this time. Furthermore, the FAA finds that the term “credible” is prone to errors in judgment whereas the term “reasonably foreseeable” is more readily discerned by analysis (e.g., fault trees).

iv. § 450.101(c)(3)

In the NPRM, in instances in which CEC was greater than 1 × 10⁻³, proposed § 450.101(c) provided relief from the use of flight abort if the Administrator agreed that flight abort was not necessary based on the demonstrated reliability of the launch or reentry vehicle during a phase of flight. The NPRM preamble cited the flight of a certificated aircraft carrying a rocket to a drop point as an example of a phase of flight when the use of an FSS would likely not be necessary, even though the CEC could be above the threshold because the aircraft would have demonstrated reliability.

While the final rule retains the “demonstrated reliability concept” proposed in § 450.101(c) of the NPRM, it has been revised and relocated to § 450.101(c)(3). Section 450.101(c)(3) of the final rule states that an operator must protect against a high consequence event in uncontrolled areas for each phase of flight by establishing the launch or reentry vehicle has sufficient demonstrated reliability based on the CEC during that phase of flight.

Because demonstrated reliability provides an alternative to flight abort when CEC is greater than 1 × 10⁻³, it is appropriate to assess it consistent with the approach to flight abort and FSS reliability, which depends on CEC with a 1 × 10⁻² threshold.[73] Notably, the ARC recommended that the need for an FSS should be determined by taking into account population density, the realm of reasonably foreseeable failures, trajectory, size, and explosive capabilities of the vehicle. CEC accounts for all those factors. As such, the CEC computed for a proposed operation is inherent in determining whether the vehicle has sufficient demonstrated reliability to protect against a high consequence event. This revision informs operators on the approach the FAA will take in determining whether the launch or reentry vehicle has sufficient demonstrated reliability to protect against a high consequence event.

More specifically, the FAA will use the demonstrated reliability and average ground consequence results from fatal accidents involving U.S. civil aviation aircraft with standard airworthiness certificates to establish what constitutes sufficient demonstrated reliability to protect against a high consequence event based on CEC. For example, a carrier vehicle with a CEC near 1 × 10⁻² in a given phase of flight would need to have demonstrated reliability during that phase of flight on par with the subset of fixed-wing general aviation aircraft that empirically produce CEF[74] near 1 × 10⁻². However, the same carrier vehicle operated in a more densely populated area could have a CEC near 1 in a given phase of flight and thus would need to have demonstrated reliability during that phase of flight on par with commercial transport aircraft that empirically produce CEF near 1.[75] This approach is consistent with the longstanding and often cited principle that launch and reentry should be no more hazardous to the public than over-flight of conventional aircraft, as explained in the NPRM preamble.

The FAA received multiple comments seeking clarification of the provision to use demonstrated reliability as a means to ensure a low probability, high consequence event is sufficiently mitigated. In the NPRM, the FAA noted that “demonstrated reliability” in this context refers to statistically valid probability of failure estimates based on the outcomes of all previous flights of the vehicle or stage. For example, a probability of failure analysis that complies with § 450.131 will provide a valid basis to establish the demonstrated reliability of a launch or reentry vehicle in a given phase of flight. That concept is also applicable to § 450.101(c)(3) of the final rule. Furthermore, the FAA will consider the magnitude of the high consequence event in determining what level of reliability will be sufficient to ensure that the high consequence event is mitigated. One way to show that a vehicle has demonstrated reliability during a phase of flight is to show that it has demonstrated reliability during that phase of flight equivalent to a specific aircraft type or an average aircraft of similar size and performance characteristics with a standard airworthiness certificate.[76] The FAA notes an average aircraft of similar size would have less uncertainty than a specific type aircraft because there would be more data collected for an average aircraft, and thus the demonstrated reliability of an average aircraft could be more readily characterized with a reasonable level of confidence. Furthermore, both a specific aircraft type and an average aircraft with a standard airworthiness certificate generally will not need additional flight abort capability unless the addition of the rocket substantially increased the risk from a high consequence event. However, aside from some carrier aircraft used as a component of a launch vehicle, no launch vehicle, including U.S. government owned and operated vehicles, to date has a significant amount of historical flights to ensure sufficient protection against a high consequence event based on demonstrated reliability in accordance with § 450.101(c)(3).

c. Critical Asset and Critical Payload Protection

Commercial space transportation operations occur increasingly in close proximity to critical assets. In order to maintain the continuing functionality of critical assets, the FAA proposed to define “critical assets” in § 401.5 (§ 401.7 in the final rule) and add a quantitative risk criterion (1 × 10⁻³) for the protection of critical assets during launch or reentry activity under § 450.101 in the NPRM.

In the final rule, the FAA adopts the “critical asset” definition in § 401.7 with modification, as discussed below. The FAA adopts the risk criterion as proposed but removes the requirement for operators to assess the risks to critical assets in preparing a flight hazard analysis (proposed § 450.109(a)(3)(ii)), debris analysis (proposed § 450.121(c)(1) and (c)(2)), debris risk analysis (§ 450.135), and ground hazard analysis (§ 450.185(c)). Instead, in accordance with § 450.101(a)(4)(iii) and (b)(4)(iii), either the FAA or a Federal launch or reentry site operator will determine whether the proposed activity would expose critical assets to a risk of loss of functionality that exceeds the risk criterion in § 450.101(a)(4) or (b)(4) and convey any necessary constraints to the operator. The operator must receive confirmation from the FAA or Federal launch or reentry site operator that the risk to critical assets satisfies the risk criterion in § 450.101(a)(4) or (b)(4) prior to launch or reentry. The FAA anticipates that most critical assets for a given launch site will be known when an applicant begins pre-application consultation. Current practice demonstrates that the critical asset evaluation can often be completed using preliminary flight safety data (during pre-application or during the license evaluation), sufficient to show critical asset risks are acceptable. Where the prevailing weather conditions are important to the critical asset risks, an assessment is performed either close to or on the day-of-launch.

In the final rule, the FAA also clarified in § 450.101(a)(4)(ii) and (b)(4)(ii) the Federal procedure by which critical assets will be identified. To identify critical assets, the FAA will consult with relevant Federal agencies, and each agency will identify, for purposes of part 450, any critical assets that the agency owns or otherwise depends on. The FAA will accept any identification by the Secretary of Defense that an asset is critical to national security. For critical assets identified by other relevant Federal agencies, such as NASA, the FAA will work with the agency to ensure its identification of critical assets aligns with the requirements of part 450.

The FAA also adds in § 450.165(a)(5) (Flight Commit Criteria) a requirement that operators' flight commit criteria include confirmation from the FAA that the risk to critical assets satisfies the requirements of § 450.101(a)(4) or (b)(4). Lastly, the FAA sought comments in the NPRM on its proposal to add to the final rule a definition for “critical payload” and a requirement that the probability of loss of functionality not exceed 1 × 10⁻⁴ for each critical payload. The FAA adopts the proposed definition and requirement in the final rule.

In the final rule, the FAA adopts the risk criterion proposed for critical assets in the NPRM. The property protection criteria in § 450.101(a)(4) and (b)(4) are consistent with current practice at Federal sites. Launch operations from NASA-operated ranges are currently subject to requirements that limit the probability of debris impact to less than or equal to 1 × 10⁻³ for designated assets. The USAF requirement in AFI 91-202 and the Guidance Memorandum to AFSPCI 13-610 match those proposed by the FAA. The FAA also adopts its proposal to extend the protection of critical assets to non-Federal launch or reentry sites because the protection of critical assets is necessary irrespective of the location of the launch.

As proposed in the NPRM, a critical asset is an asset that is essential to the national interests of the United States. The proposed definition noted that critical assets include property, facilities, or infrastructure necessary to maintain national defense, or assured access to space for national priority missions.[77] In the final rule, the FAA replaces “necessary to maintain national defense” with “necessary for national security” to be more consistent with the rest of 14 CFR Chapter III. The FAA also adds that critical assets may include those necessary for high priority civil space purposes, for clarity. An example of this would be infrastructure necessary to support launch and reentry services to deliver cargo to and from the International Space Station.

CSF and SpaceX noted that critical assets are frequently located on or near Federal launch or reentry sites, and that the current practice at Federal launch or reentry sites is to allow a site operator or neighboring operator to waive the critical asset requirement for its own facilities. The commenters requested the regulation provide a similar allowance to reduce the frequency with which operators would need to apply for waivers. SpaceX recommended revising the regulation to allow for the waiver of an operator's own designated critical assets, as well as assets that may be shared or used as common infrastructure at a range.

The FAA acknowledges that critical assets located on a launch site, including the launch facility itself, may be exposed to a risk of loss of functionality that exceeds 1 × 10⁻³ during launch activity. The FAA finds that it would be burdensome to require a waiver of the critical asset protection requirement when a launch site operated by the U.S. Government or licensed by the FAA allows an operator to use its facility for launch. Therefore, the FAA revises § 450.101(b)(4) to not apply the critical asset risk criteria to property, facilities, or infrastructure supporting the launch that are within the public area distance, as defined in part 420 Appendix E, Tables E1 and E2 or associated formulae, of the vehicle's launch point.[78] Assets that fall within this exception, located at § 450.101(b)(4)(v), are exempt from the critical asset protection requirements in § 450.101(a)(4)(i) and (b)(4)(ii) for a licensed launch.

Assets excepted from risk criteria are determined by the required distance to a public area specified in Table E-1 or E-2 or associated formulae in Appendix E to part 420, using the quantities of propellants or other explosives on the vehicle, including any payloads. These distances are equivalent to Inhabited Building Distances commonly observed on Federal launch or reentry sites to protect critical assets. The exception limits consideration to quantities of propellants on the vehicle, including any payloads. Any critical assets within this area that are not supporting the activity would be subject to the risk criteria. This exclusion would be applicable from ignition or at the first movement that initiates flight, whichever occurs earlier, and end when the launch ends.

The FAA received many comments on the definition of “critical asset.” ULA expressed support for the proposed definition. A number of commenters, including CSF and Sierra Nevada, asked who will determine whether an asset is “critical” and how the determination would be communicated to an applicant. Virgin Galactic commented that the proposed definition is vague and did not provide enough information to the operator to ensure protection of critical assets because the definition could potentially apply to all property at a Federal site. Virgin Orbit commented that the lack of clarity could result in Federal agencies incorrectly concluding their assets were protected. CSF and SpaceX commented that there was no limit on the number or location of assets for which an operator would need to perform a risk analysis. CSF and SpaceX recommended the definition of “critical asset” be limited to U.S. Government assets located on Federal property that the Secretary of Defense or Administrator of NASA determines to be essential to the national interests of the United States. Boeing, Lockheed Martin, Northrop Grumman, and ULA recommended critical assets be defined as assets for which incapacitation or destruction would have a very serious, debilitating effect on national defense, or assured access to space for national priority missions. The commenters noted this change would be consistent with the definition in DCMA-MAN 3401-02, Defense Industrial Base Critical Asset Identification and Prioritization. Furthermore, the commenters stated that classification as a critical asset should be determined by minimum criteria (not specified in the comment) and an assessment by the asset owner.

The FAA disagrees that the definition of “critical asset” is vague or overbroad. The proposed definition, along with the examples provided in the NPRM preamble, bound the scope of critical assets appropriately and provide sufficient clarity for operators. Only those facilities, property, or infrastructure that are necessary for national security purposes, high priority civil space purposes, or assured access to space for national priority missions will be deemed critical assets under § 401.7. Critical assets will also include certain military, intelligence, and civil payloads, including essential infrastructure when directly supporting the payload at the launch site. The FAA provided several examples of critical assets in the NPRM. Critical assets include assets that, if incapacitated or destroyed, would have a serious, debilitating effect on national security or assured access to space for national security missions, but the FAA disagrees that the additional words proposed by the commenters add clarity beyond the proposed definition.

Virgin Orbit's concern that a Federal agency may incorrectly assume that a critical asset was protected is alleviated by the fact that critical assets will be identified by Federal agencies that own or otherwise depend on assets that are essential to the national interests of the United States. The FAA will work with operators to identify any measures that operators may need to undertake in order to protect critical assets to the level required by § 450.101(a)(4) or (b)(4).

With respect to the concern that Federal agencies might be inclined to overestimate their assets as critical, the FAA does not find that experience at Federal launch or reentry sites warrants such a concern. In fact, discussions with safety officials at CCAFS indicate that the risk to critical assets or critical payloads has rarely exceeded the risk thresholds adopted by the FAA. Federal launch or reentry sites have not excessively designated assets as critical, nor have they imposed significant restrictions on launch activity. When approving the use of their sites for launch activity, Federal sites consider the potential of launch activities endangering other facilities. Similarly, other users of the site do not knowingly put their assets at risk. The FAA maintains that similar considerations would hold at non-Federal sites. Non-Federal launch or reentry site operators will consider the siting and scheduling of activities to avoid one user's activity threatening the assets of another user. Occasionally, delays in one site user's activity may necessitate rescheduling another user's activity. Otherwise, a new activity that was not anticipated when siting decisions were made, such as fly-back of a stage, is most likely to expose a critical asset to risk exceeding the criterion.

Only property, facilities, or infrastructure located close to the launch point might typically be expected to exceed the criteria, and those assets are generally associated with the subject launch operation. As discussed in this section, the FAA revised § 450.101(a)(4) to eliminate the need to seek waivers for assets located within the immediate vicinity of a launch point during the launch. Although many of these assets may be critical, meeting the critical asset criteria would be impractical during a launch from the particular launch point. Hence, assets located within the public area distance required by part 420 during a licensed launch are exempt from the critical asset protection requirements in § 450.101(a)(4)(i) and (b)(4)(i). As such, the FAA anticipates that operations exceeding the risk criteria for critical assets will continue to be few, resulting in minimal restrictions on launch activity.

The FAA maintains that establishing explicit risk criteria for protecting critical assets in this final rule provides a level of certainty. Launch and reentry site operators will have a metric to determine what activities are appropriate for various locations on their sites. Either the FAA or Federal site will perform any necessary analysis, and will provide written confirmation to the operator that the criteria in § 450.101(a)(4) or (b)(4) have been met. If the risk to critical assets posed by the proposed activity exceeds the criteria in § 450.101(a)(4) or (b)(4), then the FAA will work with asset owners and operators to reach solutions that allow operations without sacrificing safety to the critical assets or mission objectives.

The FAA does not adopt the suggestion by CSF and SpaceX to limit critical assets to U.S. Government assets located on Federal property that the Secretary of Defense or the Administrator of NASA determines to be essential to the national interests of the United States. Federal entities other than the DOD and NASA might own or otherwise depend on critical assets, such as NOAA. Thus, it would be inappropriate to assign the determination of critical assets to only these agencies. However, as noted earlier, critical assets will be identified by Federal agencies, such as DOD and NASA, which own or otherwise depend on assets that are essential to the national interests of the United States, and the FAA will accept any identification by the Secretary of Defense that an asset is critical to national security. Note also that the FAA does not limit the definition of “critical assets” to assets that are owned or located on property owned by the U.S. Government. As stated in the NPRM, the FAA extended the protection of critical assets to non-Federal launch or reentry sites, which previously had no regulatory assurance of protection from loss of functionality of critical assets. The FAA maintains the same safety standards for critical assets for launches that take place on a Federal launch or reentry site as those that take place on a non-Federal launch or reentry site, some of which are dual use, supporting both commercial and military operations. Similarly, as explained in the NPRM the FAA will deem any commercial property that meets the definition set forth in § 401.7 a critical asset.

Blue Origin asked the FAA to provide examples of critical infrastructure. The FAA notes that in the past, the launch complexes at CCAFS that support Atlas V and Delta IV launches have been designated as critical assets because they support missions essential to the interests of the United States.

An individual commenter recommended the FAA define categories of national security interests, including cybersecurity, security controls, and classification level. Although these are important national interests, they are not by themselves critical assets, and the FAA does not find it necessary to add categories of national security interests.

Airlines for America (A4A) recommended the FAA extend the safety protections of critical assets to include critical aviation infrastructure, including airports. The FAA notes that the definition of “critical asset” does not preclude aviation infrastructure from being a critical asset. More generally, the definition of “critical asset” can include non-space associated assets, including those not located at or adjacent to a launch or reentry site. However, the criterion for loss of functionality likely limits aviation infrastructure assets from being subject to protection.

Commenters were divided on the need for critical asset protection. ULA acknowledged the need for protection of critical assets. Virgin Galactic questioned whether the FAA's proposed critical asset requirements were within the FAA's statutory authority, as title 51 did not reference “national interests” or “national priority missions.” Blue Origin acknowledged the FAA's statutory authority to protect property and asked the FAA to explain how it will interpret and implement this authority. An individual commenter stated only assets directly related to national security should be given heightened protection. CSF, Spaceport Strategies, LLC (Spaceport Strategies), and SpaceX commented that critical assets were already protected by current requirements at Federal launch and reentry sites, rendering the FAA's regulations duplicative. SpaceX added that NASA or DOD may not agree with the FAA's proposed critical asset requirements, which may lead to further duplication of requirements at Federal sites.

The FAA has the authority to protect critical assets. The Commercial Space Launch Act authorizes the DOT, and the FAA by delegation, to protect public health and safety, safety of property, and national security and foreign policy interests of the United States. In carrying out its responsibility to protect property, the FAA has established a quantitative requirement to protect assets that are essential to the national interests of the United States. As noted in the NPRM, national interests go beyond national security and include infrastructure such as that used to support high priority NASA missions. As noted earlier, an example of this would be infrastructure necessary to support launch and reentry services to deliver cargo to and from the International Space Station.

As CSF, Spaceport Strategies, and SpaceX noted, the FAA's critical asset requirements codify current practice at Federal launch or reentry sites, but also extend the same regulatory protection for launch or reentry activity at non-Federal launch or reentry sites. Although critical assets are primarily located on Federal launch or reentry sites at this time, the FAA foresees increased commercial space activity at non-Federal sites that may result in the presence of critical assets at those sites. In licensing commercial launch or reentry activities, the FAA safeguards critical assets—which by definition are essential to the national interests of the United States—irrespective of their location.

The FAA does not find the critical asset requirements to be unnecessarily duplicative of requirements at Federal launch or reentry sites. As discussed in the NPRM, the FAA proposed these requirements to further the goal of common standards for launches from any U.S. launch or reentry site, Federal or non-Federal. Inclusion of critical asset protection in FAA regulations aligns FAA licensing with Federal launch or reentry site requirements and removes duplication of effort. The FAA closely coordinated the critical asset requirements with the CSWG and its interagency partners, including NASA and DOD. As a result of this coordination, the FAA anticipates that the methodologies used by the Federal launch or reentry sites will satisfy the FAA's requirements for critical asset protection.

Many commenters, including AIA, Blue Origin, Boeing, CSF, Lockheed Martin, Northrop Grumman, Sierra Nevada, SpaceX, Virgin Galactic, and ULA raised concerns about how an applicant would obtain the information necessary to perform the proposed critical asset analysis, including proprietary or confidential information. CSF and SpaceX noted the same data should be provided to all operators to ensure the fair and unbiased application of this regulation. Sierra Nevada recommended the FAA provide a method of acceptable means of compliance that does not require a commercial company to contract with DOD to complete this analysis. Alternatively, Sierra Nevada recommended the FAA provide the analysis instead of the applicant. CSF and SpaceX also recommended the FAA publish an AC that would provide an acceptable means for analyzing critical assets, describe how the FAA would obtain a definitive list of critical assets, and how the FAA would provide operators the data necessary to conduct the analysis. Blue Origin stated that, by requiring information that includes data from other entities, the FAA would become responsible for facilitating acquisition of this data or would risk implementing a requirement that would not be possible to comply with or a requirement that would establish a sole source provider of a service.

The FAA acknowledges the practical problems an applicant would likely encounter in collecting the input data necessary to identify and perform a risk assessment for critical assets, especially critical payloads. The FAA agrees with Sierra Nevada that it would be better for the U.S. Government to perform all critical asset and critical payload risk assessments necessary to ensure operators comply with the risk criteria in part 450. The FAA therefore removes the requirement for operators to assess the risks to critical assets in preparing a flight hazard analysis, debris analysis, and debris risk analysis. The FAA also removes from § 450.185 (Ground Hazard Analysis) the requirement that the ground hazard analysis ensure that the likelihood of any hazardous condition that may cause damage to critical assets is remote. The FAA notes that the input data and analysis tools necessary to perform a risk assessment for critical assets are often a subset of those the FAA uses to establish the MPL values. The FAA will perform all critical asset and critical payload risk assessments for commercial space transportation operations involving non-Federal sites. Hence, operators should not bear additional cost for the analyses associated with critical assets.

Blue Origin asked how the FAA will address overflight of critical assets. The FAA notes that overflight of a critical asset is possible if the safety criteria set forth in § 450.101 are satisfied. Past experience demonstrates that the critical asset criteria in § 450.101 are satisfied except in occasional cases involving critical assets located within the same launch site. Historically, the risk to critical assets from overflight outside the launch site is negligible.

Virgin Galactic asked how an operator would have input on or dispute the determination of a critical asset. The FAA will discuss with operators any concerns they may have about ensuring protection of critical assets during their licensed activities, but the FAA is not proposing a formal dispute mechanism to adjudicate its determination that an asset is critical or threatened within the risk criterion. Often, it might not be possible to share such information due to national security issues and proprietary interests. The FAA notes, however, that if the FAA denies an application for a license based on its determination that the proposed activity exceeds the risk threshold for critical assets, an applicant may request reconsideration under § 413.21 or a hearing in accordance with part 406 of this chapter.

CSF asked how the FAA will manage proprietary and national security concerns among operators and asset-owners. The FAA does not foresee a need to share proprietary data with non-Federal entities because the Federal Government will conduct the assessment of critical asset risk on behalf of the licensee. Based on discussions with relevant Federal agencies, it is also possible to perform an assessment of critical assets without disclosing the precise location or nature of each asset, thereby eliminating the need to share proprietary and national security information. For example, the USAF 45th Space Wing/Wing Safety identifies what facilities are threatened within the thresholds and shares that information with the appropriate tenants. The tenant can then inform the USAF, or another entity performing the analysis, that an asset is threatened without divulging sensitive information to any entity outside the U.S. Government. The FAA will work with the entities responsible for critical assets to ensure any necessary coordination, taking into account the need to protect proprietary and confidential data.

Several commenters, including CSF, SpaceX, and Virgin Galactic, requested clarification as to the meaning of “loss of functionality” and how the FAA or other entity would determine what could result in the “loss of functionality” of a critical asset. CSF sought clarification on whether infrastructure was “critical” if it was needed to support full functionality of a critical asset and on the standard for determining whether an asset's function had been lost. It inquired whether it would matter if the function could be restored in a timely manner or met with an alternative asset.

CSF and SpaceX also recommended that “loss of functionality” be defined in § 401.7 as an asset designated critical by the Secretary of Defense or Administrator of NASA that (a) has been rendered unable to support a specific mission or program deemed critical to the national interest; (b) for which the loss of function will preclude the assurance of a time-critical mission or program unless promptly restored; or (c) for which the asset's function cannot be restored by an accelerated recovery strategy or replaced by an alternate means of mission/program execution. SpaceX and Virgin Galactic requested the FAA include this new definition in an SNPRM, along with a clear rationale for the FAA's proposed requirements for protecting critical assets.

Under the final rule, the party responsible for the critical asset would determine what constitutes loss of functionality. The FAA recognizes that the threshold conditions that cause loss of functionality will be different depending on the type of asset and its robustness. For example, infrastructure is typically more robust than a payload that may be more fragile. For this reason, the FAA does not elect to incorporate a specific standard for what may constitute loss of functionality into the final rule. Likewise, the FAA does not find that it is useful to create a more detailed definition of “loss of functionality” but agrees that considerations such as those suggested by CSF and SpaceX (e.g., ability to support missions critical to national interests, or ability to repair or restore function through alternative means in a timely manner) would be relevant and appropriate to determining loss of functionality.

An individual commenter stated that critical asset protection should not compromise protection of the public and neighboring operation personnel. The commenter stated that an operator's required insurance should already cover losses to critical assets.

The FAA notes that the critical asset protection requirements will not compromise the protection of the public or neighboring operation personnel. The FAA retains stringent requirements for protecting the public, including neighboring operations personnel, which are independent of the requirements protecting critical assets. The FAA also disagrees with the commenter that an operator's financial responsibility requirements are adequate to protect critical assets. The FAA is limited by statute to imposing no more than $100 million in financial responsibility to compensate for losses to U.S. Government property. The value of many critical assets easily exceeds that limit, with some critical payloads reportedly costing over a billion dollars. More importantly, financial compensation for a loss may not address the delay before repairs or replacement, during which time national security might be jeopardized or the opportunity to accomplish important national interests missed.

The FAA sought comments on its proposal to require a more stringent criterion for critical assets of utmost importance to the U.S., to be defined as “critical payloads” in § 401.7. The FAA proposed to require that the probability of loss of functionality for critical payloads, including essential infrastructure when directly supporting the payload, not exceed 1 × 10⁻⁴. In the past, Federal launch or reentry sites have, on occasion, applied a more stringent requirement, limiting the probability of debris impact caused by launch or reentry hazards to less than or equal to 1 × 10⁻⁴ for national security payloads, including essential infrastructure when directly supporting the payload at the launch site. The FAA asked commenters to identify (1) the impacts a 1 × 10⁻⁴ risk criterion would have on their operations if applied to critical payloads; (2) whether a more stringent risk criterion should be imposed on any commercial payload; and (3) potential additional costs and benefits associated with applying a 1 × 10⁻⁴ risk criterion to critical payloads.

In the final rule, the FAA adopts the risk criterion and definition as discussed in the NPRM preamble, with minor clarifications.

ULA supported the 1 × 10⁻⁴ risk criterion for critical payloads, stating that given the time and expense associated with replacing these assets, it was essential they receive the greatest protection possible. It further commented that this risk criterion should also apply to infrastructure and booster hardware in direct support of critical payloads, beginning when booster hardware for that particular critical payload was received and began processing at the launch site. Under ULA's suggestion, at the completion of the launch campaign, the risk criterion should revert to 1 × 10⁻⁴. Virgin Galactic, however, commented that it was not necessary to adopt a heightened risk criterion for critical payloads. It saw no benefit to the discussed 1 × 10⁻⁴ requirement over the 1 × 10⁻⁴ requirement. It also inquired whether the criterion would apply to payloads on the vehicle of the operator that might be subject to this new risk threshold. If so, Virgin Galactic stated this would constitute managing mission success. Virgin Galactic also inquired whether this risk criterion would apply to payloads at neighboring launch sites. If so, Virgin Galactic believes the FAA must demonstrate need and a nexus to statutorily obligated concerns. It further stated that a more stringent criterion for commercial payloads would place undue burden on operators, potentially requiring additional analyses or redesign. Virgin Galactic noted that it did not intend to carry critical payloads, so impacts to its operations from this requirement would be negligible.

In the final rule, the FAA defines a critical payload as a payload and essential infrastructure directly supporting such a payload that is a critical asset (1) that is so costly or unique that it cannot be readily replaced, or (2) for which the time frame for its replacement would adversely affect the national interests of the United States. As noted in the NPRM, a commercial payload that meets this definition will be treated as a critical payload. The critical payload protection requirement does not apply to payloads on the vehicle of the operator regulated under part 450 but will apply to payloads on neighboring launch sites. The FAA agrees with ULA that the 1 × 10⁻³ risk criterion should apply to essential infrastructure directly supporting the critical payload, and notes that it will likely apply to booster hardware in direct support of the launch of a critical payload. After a launch of a critical payload, the infrastructure supporting the launch will be critical only if it is essential to the national interests of the United States. The risk criterion determines the protection required for critical assets and payloads. It is not necessary to specify in the regulation that this requirement does not apply during activities that do not exceed the risk threshold.

The FAA disagrees with Virgin Galactic that there is no benefit in applying a 1 × 10⁻⁴ risk criterion to critical payloads. As explained in the NPRM, during the interagency review process, DOD requested that the FAA consider specifying a more stringent criterion for certain critical assets of utmost importance. The FAA considers a critical payload a type of critical asset. The FAA finds it necessary to protect payloads such as vital national security payloads and high-priority NASA and NOAA payloads. The NPRM noted that a payload such as NASA's Curiosity rover would likely be afforded this protection. In the final rule, the FAA adopts this higher protection criterion to safeguard those payloads of utmost importance to the U.S. meriting a greater degree of protection than other critical assets. While the FAA is providing for heightened protection for critical payloads, it expects the protection to have minimal effects on commercial launch and reentry operations. Currently there are few commercial payloads that would rise to the level of being considered critical payloads, although the FAA recognizes that might change in the future, if for instance, DOD were to rely on a commercial service for critical communication support.

Virgin Galactic requested the FAA adopt neither 1 × 10⁻³ nor a more stringent criterion. It argued the proposed requirement contradicted the requirement in 51 U.S.C. § 50901(a)(7) that the FAA regulate only to the extent necessary. Virgin Galactic stated the FAA did not show why these requirements were necessary, given that Federal launch or reentry sites already protect their own property. Furthermore, Virgin Galactic commented that the FAA would be enforcing a more stringent, but undisclosed criterion and argued the proposed regulation was non-transparent and would deprive the public of the opportunity to comment on this criterion as required by the Administrative Procedure Act. The commenter asserted this undisclosed criterion could prevent operators from planning ahead and would create two standards that might conflict.

As articulated in the NPRM, the FAA finds it necessary to codify current practice at Federal launch or reentry sites to protect critical assets that are of utmost importance to the U.S. and to extend the same protections for launch or reentry activity conducted at non-Federal sites. For launches from Federal sites, this rule does not change current practice; rather it incorporates that practice in a regulation. This regulation consolidates the FAA's requirements for protection of critical assets and critical payloads in all commercial launch or reentry operations, in accordance with the FAA's statutory authority. This rule reduces the need for a Federal or non-Federal site operator to impose critical asset protection requirements on operators as a contractual condition for the use of its facility. The FAA expects that the instances in which a more stringent criterion will be necessary will be rare. Preserving the flexibility to protect particularly vital assets at a more stringent criterion in a license, as proposed in the NPRM, is consistent with current practice at Federal launch and reentry sites and will reduce the need for a Federal or non-Federal launch site operator to impose a more stringent criterion on operators through contract.

CSF and SpaceX commented that the FAA did not assess the cost burden on industry for compliance with the critical asset requirements. Virgin Orbit commented that critical asset calculations would require additional analysis and resources.

In the final rule, the FAA's removal of the requirements for operators to assess impacts to critical assets in flight hazard, ground hazard, debris or debris risk analyses assuages the commenters' concerns for costs associated with performing those analyses. As compared to the proposal, there will be much reduced administrative burden on the operator. The FAA will coordinate as necessary with critical asset owners, and either the FAA or the Federal site operator will provide written confirmation to the operator that the criteria in § 450.101(a)(4) or (b)(4) have been met. If the FAA or Federal site operator determines that the criteria have not been met, either the FAA or Federal site operator will work with the operator to identify any measures that operators may need to undertake in order to protect critical assets to the level required by § 450.101(a)(4) or (b)(4).

An individual commenter stated that the proposed regulation would require companies to perform trade studies to determine if additional controls would be needed to reduce the likelihood of critical asset loss of functionality. The commenter requested the FAA require a cost-benefit analysis to ensure that upfront investment of controls to protect critical assets would be less than the cost of replacing that asset.

When determining whether an asset is a critical asset, the cost of an asset is a factor. However, ultimately an asset is critical if it is essential to the national interests of the United States. If it cannot be replaced in a time frame that satisfies those interests, the cost of the asset is irrelevant. Furthermore, the FAA does not find that most mitigations will impose significant cost.

Virgin Galactic indicated the need for FAA assistance in planning hazard control strategies pursuant to proposed § 450.107(e)(2)(ii) [79] due to the secrecy of some critical assets. If an operator is using physical containment as a hazard control strategy, the FAA or Federal launch or reentry site operator will work with the operator to ensure no critical assets are within the flight hazard area. The most likely mitigation is shifting the launch point or, if the critical asset is mobile, changing the launch schedule.

Sierra Nevada requested the FAA conduct a publicly-available assessment to determine if the proposed critical asset protection requirements would impact an operator's MPL calculation. CSF requested the FAA engage industry on the topic of critical assets.

The FAA does not find that the protection of critical assets will increase MPL. The designation of an asset as critical is unrelated to financial responsibility. In performing its MPL calculation for U.S. Government property, the FAA ascertains the financial responsibility required so that the likelihood of exceeding losses to government property involved in a licensed activity (taken to mean such property on a Federal launch or reentry site) that are reasonably expected to result from that activity does not exceed 1 × 10⁻⁵; or, in the rarer situation in which a critical asset might not be U.S. Government property on a Federal launch or reentry site, 1 × 10⁻⁷. Critical assets are protected to a less stringent 1 × 10⁻³, or in the case of certain critical payloads, 1 × 10⁻⁴, and financial responsibility and protection are not directly related. If anything, the requirement to protect critical assets has the potential to lower MPL for U.S. Government property because the mitigation employed may well remove the possibility that the asset can be damaged even within the more stringent MPL threshold. This would be the case if, to avoid placing the critical asset at risk, a launch was rescheduled, its trajectory adjusted, or the critical asset was moved or physically protected. The FAA finds that it is unlikely that a mitigation employed to protect critical assets will change the MPL for third-party liability.

d. Other Safety Criteria (§ 450.101(d), (e), (f), and (g))

The FAA adopts the criteria in § 450.101(d), (e), (f), and (g) with no changes. Section 450.101(d) addresses disposal safety criteria, § 450.101(e) is the requirement for the protection of people and property on orbit, § 450.101(f) requires the notification of planned impacts, and § 450.101(g) addresses the validity of analyses.

The FAA received public comments from Virgin Galactic on the notification of planned impacts. Specifically, Virgin Galactic advised that a carrier aircraft operating under an airworthiness certificate should be exempt from proposed § 450.101(f). This comment is discussed in further detail in the preamble section on hybrid vehicles. The FAA will not exempt all hybrid vehicle operators from the requirement in § 450.101(f). If an operation has no planned impacts from debris capable of causing a casualty, then no notification will be necessary to comply with § 450.101(f). The regulation is adopted as proposed.

e. System Safety Program (§ 450.103)

In the NPRM, the FAA proposed in § 450.103 that an operator must implement and document a system safety program throughout the operational lifecycle of a launch or reentry system. The system safety program was proposed to include a safety organization (§ 450.103(a)), procedures to evaluate the operational lifecycle of the launch or reentry system (§ 450.103(b)), configuration management and control (§ 450.103(c)), and post-flight data review (§ 450.103(d)).

In the final rule, the FAA adopts proposed § 450.103 with revisions. The FAA replaced the term “operational lifecycle” in the introductory paragraph of § 450.103 with simply “lifecycle” to clarify that the regulation applies to hazards throughout the lifecycle of a launch or reentry system, not just operational changes to the system. This change is consistent with the statements in the NPRM indicating that, due to the complexity and variety of vehicle concepts and operations, a system safety program would be necessary to ensure that an operator considers and addresses all risks to public safety, which include both design and operational changes to a system.

i. Safety Organization

In the NPRM, the FAA proposed that the system safety program would require an operator to maintain and document a safety organization that has clearly defined lines of communication and approval authority for all public safety decisions, and that includes a mission director and safety official. In the final rule, the FAA adopts the proposed rule with a revision. The FAA removes “and document” from the proposed requirement because the first sentence in § 450.103 already requires a system safety program to be documented.

Proposed § 450.103(a)(1) stated that for each launch or reentry, an operator would be required to designate a position responsible for the safe conduct of all licensed activities and authorized to provide final approval to proceed with licensed activities. This position is referred to as the mission director. In the final rule, the FAA adopts § 450.103(a)(1) as proposed. The FAA did not receive comments on this section.

Proposed § 450.103(a)(2) stated that, for each launch or reentry, an operator would be required to designate a position with direct access to the mission director who would be responsible for communicating potential safety and noncompliance issues to the mission director and would be authorized to examine all aspects of the operator's ground and flight safety operations, and to independently monitor compliance with the operator's safety policies, safety procedures, and licensing requirements. This position would be referred to as a safety official. The FAA noted in the NPRM preamble that the absence of a safety official could result in a lack of independent safety oversight and a potential for a breakdown in communications of important safety-related information. The FAA also noted that a safety organization that included a safety official was essential to public safety; however, identifying that individual by name was not necessary. In the final rule, the FAA adopts § 450.103(a)(2) as proposed. Thus, a safety official will need to be in place prior to and throughout any licensed activity.

Rocket Lab supported the proposed safety organization documentation requirements in proposed § 450.103(a), noting the requirements would provide improved flexibility for the industry and support growth in operations, while maintaining clear lines of communication and independence in safety decision making. Virgin Galactic noted that it agreed with the FAA's approach not to require a specific person be listed as the safety official. Microcosm inquired if a specific named safety official would be required for each launch site for operators with licensed activity at multiple sites, and how far in advance that information would need to be provided to the FAA.

The FAA notes that a safety official must be named and in place prior to the initiation of any licensed activity, and an operator may use the same safety official for multiple launch or reentry sites. It may be difficult for a single individual to serve as a safety official for multiple sites if launch or reentry activities were to occur close in time to each other. In those instances, an operator may choose to have multiple safety officials. An operator needs to provide the name of the safety official to the FAA only when requested. The FAA may request the name of the individual who will act as a safety official as part of a compliance monitoring action. As is current practice, the FAA will coordinate in advance with the operator prior to a compliance monitoring action.

ALPA concurred with the requirement for operators to develop a general system safety program. It also recommended that embedding FAA representatives within commercial space companies would assist the commercial space community in growing robust system safety procedures. The FAA notes that embedding FAA representatives within commercial space companies is outside the scope of this rulemaking.

Proposed § 450.103(a)(3) requires the mission director to ensure that all of the safety official's concerns are addressed. In the final rule, the FAA adopts § 450.103(a)(3) as proposed. The FAA did not receive any comments on this section.

ii. Hazard Management

Proposed § 450.103(b) would have required an operator to establish procedures to evaluate the operational lifecycle of the launch or reentry system, including methods to review and assess the validity of the proposed preliminary safety assessment and any flight hazard analysis throughout the operational lifecycle of the launch or reentry system, methods for updating the preliminary safety assessment and flight hazard analysis, and methods for communicating and implementing the updates throughout the organization. For operators that would need to conduct a flight hazard analysis, the proposed rule would also require an operator's system safety program to include a process for tracking hazards, risks, mitigation and hazard control measures, and verification activities.

In the final rule, the FAA adopts proposed § 450.103(b) with revisions. The FAA renames this section “Hazard management” to be more descriptive than the proposed name of “Procedures.” The FAA also does not adopt the proposed requirement in § 450.103(b)(1) to conduct a preliminary safety assessment because that requirement has been replaced with the requirement to conduct a hazard control strategy determination in § 450.107(b) in the final rule, as will be discussed later.

As noted, proposed § 450.103(b)(1) would have required the system safety program to include: (i) Methods to review and assess the validity of the preliminary safety assessment throughout the operational lifecycle of the launch or reentry system; (ii) methods for updating the preliminary safety assessment; and (iii) methods for communicating and implementing the updates throughout the organization. For those operators required to conduct a flight hazard analysis, proposed § 450.103(b)(2) would have required the system safety program to include the same methods for the flight hazard analysis and a process for tracking hazards, risks, mitigation and hazard control measures, and verification activities.

In the final rule, the FAA consolidates the requirements in proposed § 450.103(b)(1) and (b)(2) into § 450.103(b)(1) of the final rule. Section 450.103(b)(1) requires a system safety program to include methods to assess the system to ensure the validity of the hazard control strategy determination and any flight hazard or FSA throughout the lifecycle of the launch or reentry system.[80] The FAA added FSA to this requirement because, as proposed in § 450.101(g) and adopted in the final rule, any analysis used to demonstrate compliance with § 450.101 must use accurate data. This is consistent with the proposal because proposed § 450.103(b)(1)(i) would have required methods to review and assess the validity of the preliminary safety assessment, which would have included components of FSA such as vehicle response modes, public safety hazards associated with vehicle response modes, population exposed to hazards, and CEC. As previously noted, the final rule in § 450.103(b)(1) uses the term “lifecycle” by itself to clarify that the regulation applies to hazards throughout the lifecycle of a launch or reentry system, not just operations hazards.

Proposed § 450.103(b)(1)(iii) and (b)(2)(iii) would have required the system safety program to include methods for communicating and implementing the updates throughout the organization. In the final rule, the FAA consolidates the requirements in proposed § 450.103(b)(1)(iii) and (b)(2)(iii) into § 450.103(b)(2) of the final rule with a revision. The FAA changes the term “the updates” to “any updates” to clarify the intent for comprehensiveness.

Proposed § 450.103(b)(2)(iv) would have required the system safety program, for operators that must conduct a flight hazard analysis, to include a process for tracking hazards, risks, mitigation and hazard control measures, and verification activities. The FAA adopts the language proposed in § 450.103(b)(2)(iv) of the NPRM in § 450.103(b)(3) of the final rule with a revision. The FAA deletes the term “hazard control,” because it is duplicative of the existing term “mitigation measures.”

iii. Configuration Management and Control

Proposed § 450.103(c) would have required an operator to (1) employ a process that tracks configurations of all safety-critical systems and documentation related to the operation; (2) ensure the use of correct and appropriate versions of systems and documentation tracked under the subsection; and (3) maintain records of launch or reentry system configurations and document versions used for each licensed activity, as required by the requirement for records in proposed § 450.219.

In the final rule, the FAA adopts § 450.103(c)(1) and (c)(2) as proposed and revises § 450.103(c)(3) as discussed later.

Blue Origin commented that tracking and maintaining records of individual configurations and associated operations documentation for completed operations does not, by itself, enhance public safety. Blue Origin believes that changes should be evaluated for safety impact according to a configuration management plan, which is a deliverable under the current regulations. Blue Origin stated that an approved configuration management plan, coupled with continued accuracy of the application, should suffice without additional requirements for increased documentation and storage of records.

The FAA agrees that tracking and maintaining records for completed operations in isolation does not directly enhance public safety, but tracking and maintaining records for completed operations is an important component of configuration management, which, as a whole, does enhance public safety. The FAA agrees with Blue Origin that an approved configuration management plan coupled with continued accuracy of the application should suffice, but does not agree that current requirements are sufficient. Part 431 does not have any requirements for configuration management, and § 417.111(e) is more general in its requirement to define the launch operator's process for managing and controlling any change to a safety-critical system to ensure its reliability. Section 450.103(c) adds necessary detail.

Blue Origin also stated that proposed § 450.103(c) is repetitive of the recordkeeping requirements in proposed § 450.219, making it unnecessary. Blue Origin added that if the FAA were to maintain the requirement, it should be written in the context of safety-critical systems, which would tie directly to FAA's responsibility to protect public safety.

While the FAA considers § 450.103(c) necessary, proposed § 450.103(c)(3) could be perceived as repetitive. Proposed § 450.103(c)(3) would have required an operator to maintain records of launch or reentry system configurations and document versions used for each licensed activity, as required by § 450.219 (Records). Section 450.219 requires a licensee to maintain for 3 years all records, data, and other material necessary to verify that a launch or reentry is conducted in accordance with representations contained in the licensee's application, the requirements of part 450 subparts C and D, and the terms and conditions contained in the license. The FAA removes the reference to maintaining records in § 450.103(c)(3) and revises the provision to require an operator to document the configurations and versions identified in paragraph (c)(2) for each licensed activity. This is a more focused requirement than § 450.219 and limits the documentation requirement specifically to safety-critical systems, consistent with Blue Origin's recommendation.

iv. Post-Flight Data Review

Proposed § 450.103(d) would have required an operator to employ a process for evaluating post-flight data to (1) ensure consistency between the assumptions used for the preliminary safety assessment, any hazard or flight safety analysis, and associated mitigation and hazard control measures; (2) resolve any identified inconsistencies prior to the next flight of the vehicle; (3) identify any anomaly that may impact any flight hazard analysis, FSA, or safety-critical system, or would otherwise be material to public health and safety and the safety of property; and (4) address any anomaly identified in (3) prior to the next flight, including updates to any flight hazard analysis, FSA, or safety-critical system. The FAA explained in the NPRM that this requirement was consistent with industry practice to review post-flight data to address vehicle reliability and mission success and that this requirement imposes no additional burden. The FAA sought comment on whether proposed § 450.103(d) would change an operator's approach to reviewing post-flight data.

In the final rule, the FAA adopts proposed § 450.103(d)(1), (d)(2), and (d)(4) with revisions, and adopts § 450.103(d)(3) as proposed. Section 450.103(d)(1) was modified to replace “preliminary safety assessment” with “hazard control strategy determination” as discussed earlier. The FAA also added the word “flight” in front of “hazard or flight safety analysis” to make clear that the requirement addresses any flight hazard analysis or FSA.

CSF, Rocket Lab, and Sierra Nevada commented that proposed § 450.103(d) should be deleted because it was overly burdensome and inconsistent with the directive to streamline the regulations. The commenters stated that the requirement would extend the industry practice beyond the typical analysis for reliability and mission success. Sierra Nevada suggested that the section could be re-written to address only post-flight data of safety-critical systems.

As discussed in the NPRM, operator review of post-flight data provides valuable safety information on future operations. The inconsistencies that need to be resolved in this subsection are only those that affect safety analyses and associated mitigation and hazard control measures, such as greater population in the launch area than modeled. The anomalies that need to be addressed are only those that may impact any flight hazard analysis, FSA, or safety-critical system, or are otherwise material to public health and safety and the safety of property, such as the momentary drop-out of an FSS. Therefore, while the FAA revises § 450.103(d)(2) to narrow its applicability, as discussed below, it declines to remove proposed § 450.103(d)(2).

Blue Origin proposed a revision of § 450.103(d)(2) to specify “public safety.” Virgin Galactic recommended removing the word “any” in front of “identified inconsistencies,” and recommended limiting applicable inconsistencies to those that have an effect on the safety criteria of § 450.101.

The FAA agrees that proposed § 450.103(d)(2) could be read to reach more broadly than public safety, so the FAA has revised the section to require that an operator resolve any inconsistencies “identified in paragraph (d)(1) of this section” prior to the next flight of the vehicle. This language would explicitly limit the applicability of the provision to the hazard control strategy determination, and any hazard or flight safety analyses and associated mitigation and hazard control measures, as opposed to mission success. The FAA does not agree with Virgin Galactic's suggestion to limit applicable inconsistencies to those that have an effect on the safety criteria of § 450.101. That change would imply that a quantitative analysis is all that is required. As discussed earlier in the hazard management section, the hazard control strategy determination and the hazard and flight safety analyses must be kept up to date throughout the lifecycle of the launch and reentry system, so inconsistencies need to be addressed. The FAA also does not agree with Virgin Galactic's recommendation to remove the word “any” in front of “inconsistencies” because doing so would not change the scope of the requirement, as § 450.103(d)(2) explicitly refers to the analyses in § 450.103(d)(1).

Virgin Galactic recommended that proposed § 450.103(d)(4)—which would have required an operator to address any anomaly identified in paragraph (d)(3) prior to the next flight, including updates to any flight hazard analysis, FSA, or safety-critical system—be revised to state the FAA should review and provide a determination on an operator's post-flight data to approve the operator's ability to launch according to schedule, rather than delaying until all anomalies are resolved.

The FAA notes that proposed § 450.103(d)(4) would not have required FAA approval of the methodology an operator uses to address anomalies in general or a specific anomaly in particular. In order to avoid Virgin Galactic's interpretation that all anomalies must be resolved prior to the next flight, the FAA revised the final rule to require an operator to address any anomaly identified in paragraph (d)(3) prior to the next flight as necessary to ensure public safety. As proposed, this would include updates to any flight hazard analysis, FSA, or safety-critical system. To ensure public safety, the FAA would expect an operator to reassess its safety analyses to determine any potentially new public safety hazards or increased risks to known public safety hazards due to the anomaly and, if necessary, determine the need for any additional mitigation strategies or updates to its safety analyses.

v. Application Requirements

An applicant under proposed § 450.103(e) would have to submit (1) a description of the applicant's safety organization, identifying the applicant's lines of communication and approval authority, both internally and externally, for all public safety decisions and the provision of public safety services; and (2) a summary of the processes and products identified in the system safety program requirements.

In the final rule, the FAA adopts § 450.103(e) as proposed. The FAA did not receive any comments on this section.

f. Hazard Control Strategies (§ 450.107)

In the NPRM, the FAA proposed in § 450.107 that, for each phase of a vehicle's flight, an operator does not need to conduct a flight hazard analysis for that phase of flight if the public safety hazards identified in the preliminary safety assessment (PSA) can be mitigated adequately to meet the requirements of proposed § 450.101 using physical containment, wind weighting, or flight abort, in accordance with § 450.107(b), (c), and (d). If the public safety hazards identified in the PSA could not be adequately mitigated using these methods, an operator would be required to conduct a flight hazard analysis in accordance with proposed § 450.109 to derive hazard controls for that phase of flight.

The FAA has restructured § 450.107 in the final rule to require an operator to use a functional hazard analysis to make a hazard control strategy determination. This requirement is based on the requirements for the PSA that was proposed, but not adopted, in § 450.105. In addition, the FAA has removed from § 450.107 specific details for each hazard control strategy available to operators and instead directs operators to §§ 450.108, 450.109, 450.110, and 450.111, which provide requirements for flight abort,[81] flight hazard analysis, physical containment,[82] and wind weighting, respectively.

Section 450.107 also characterizes flight hazard analysis as a hazard control strategy. Although a flight hazard analysis is different from the other hazard control strategies in that it does not lay out specific hazard controls, it does lay out a process by which hazard controls can be derived. The hazard controls that are derived from the flight hazard analysis, like those defined in the other three hazard control strategies, are then used as part of the input to the FSA that is used to show compliance with § 450.101(a), (b), and (c). Therefore, because a flight hazard analysis is a means by which an operator derives the appropriate hazard controls, the FAA has characterized it as a hazard control strategy in this final rule. As such, throughout the final rule, a flight hazard analysis is listed with physical containment, wind-weighting, and flight abort as a hazard control strategy.[83] Further, § 450.107(c) retains the proposed requirement that an operator must conduct a flight hazard analysis if the public safety hazards for that phase of flight cannot be mitigated adequately to meet the requirements of § 450.101 through physical containment, wind weighting, or flight abort.[84]

Lastly, the final rule fixes an error in proposed § 450.107, which referenced § 450.101 in its entirety as being relevant to the hazard control strategies, even though certain requirements in § 450.101 regarding the disposal of upper stages, protection of people and property on orbit, and notification of planned impacts, are not relevant to the hazard control strategies defined in § 450.107. Section 450.107 refers instead to § 450.101(a), (b), or (c).

The FAA adds paragraph (b) to § 450.107 to address how an operator determines its hazard control strategy or strategies for any phase of flight during a launch or reentry. This paragraph is based on and replaces a portion of the preliminary safety assessment in proposed § 450.105 of the NPRM. Because an operator determines a hazard control strategy or strategies based on an assessment of potential hazards, the requirements for such an assessment are better suited for this section. The next preamble section discusses the revision to § 450.107(b) more fully.

Proposed § 450.107(e) would have required an applicant in its application to describe its hazard control strategy for each phase of flight. The application requirements in the final rule, in § 450.107(d), similarly require an applicant to provide a description of its hazard control strategy or strategies for each phase of flight. The FAA added the phrase “or strategies” to reflect the fact that an operator may use one or more hazard control strategies for any given phase of flight. In addition, because the requirements for physical containment have been relocated to § 450.110, the FAA has likewise relocated the application requirements for physical containment proposed in § 450.107(e) to § 450.110(c).[85] These requirements have been adopted as proposed.

Lastly, § 450.107(d) in the final rule requires an applicant to submit in its application the results of its hazard control strategy determination, including all functional failures identified under § 450.107(b)(1), the identification of all safety-critical systems, and a timeline of all safety-critical events. These relate to the hazard control strategy determination, which is discussed in the next section of this preamble.

The FAA received a few comments for proposed § 450.107. One individual commenter supported the additional flexibility inherent in allowing an operator to select its hazard control strategy and noted that this flexibility would help to reduce overall design costs for the private enterprise. Virgin Galactic requested that the FAA define “traditional hazard controls” and provide opportunity for public comment through the issuance of an SNPRM. Blue Origin proposed that the FAA amend proposed § 450.107(e)(2)(ii) to require that an applicant describe the methods used to ensure that risk to the public and critical assets in flight hazard areas meet allowable criteria. This latter comment is discussed later in the preamble section titled Physical Containment.

To the extent that Virgin Galactic commented that the term “traditional hazard controls” should be defined and comment allowed through publication of an SNPRM, the FAA notes that the NPRM stated that traditional hazard controls included physical containment, wind weighting, and flight abort.[86]

g. Hazard Control Strategy Determination (§ 450.107(b))

In the NPRM, the FAA proposed in § 450.105 to require that every operator conduct and document a PSA for the flight of a launch or reentry vehicle to identify potential public safety impacts early in the design process. The FAA intended the PSA to be a top-level assessment of the potential public safety impacts identifiable early in the design process and broad enough that minor changes in vehicle design or operations would not have a significant impact on, or invalidate the products produced by, the PSA. As proposed, the PSA would have required the operator to identify a number of items, including: A preliminary hazard list that documents all hardware, operational, and design causes of vehicle response modes that, excluding mitigation, have the capability to create a hazard to the public; safety-critical systems; and a timeline of all safety-critical events.[87] An applicant would have been required to submit the PSA result, including the items identified above, in its application for a license.

The final rule removes proposed § 450.105 in its entirety but relocates certain items from the PSA section into § 450.107(b) as part of the hazard control strategy determination. The final rule replaces the requirement for a PSA with a functional hazard analysis and replaces the term “vehicle response mode” with “reasonably foreseeable hazardous events.” The FAA finds these changes are less prescriptive and burdensome on an operator, while preserving the intended benefits and level of safety of the proposed requirements.

Blue Origin and Microcosm commented that requiring operators to develop a preliminary hazard list that identifies all causes of hazards and vehicle response modes for a PSA, prior to analysis or testing of their vehicle systems, was unreasonable. Blue Origin stated it would be infeasible to document in a preliminary hazard list all hardware, operational, and design causes of vehicle response modes capable of causing a hazard to the public at the preliminary design phase. The commenters noted that operators identify potential hazards, but not all causes of vehicle response modes, prior to the detailed design phase. Blue Origin added that identification of causes was a continuous process that evolves as hardware and operations design matures, and recommended the PSA be limited to analyzing and identifying all functional failures that could have the capability to create a hazard to the public, rather than analyzing the detailed design, which may still be maturing. Blue Origin also noted that early engagement with the FAA through the pre-application process, before a design is mature, was beneficial to both parties.

The FAA concurs that the detailed design may not be mature enough at a preliminary stage such that an operator could define all hardware, operational, and design causes of vehicle response modes with minimal changes downstream in the development process in a preliminary hazard list. Although the preliminary hazard list would not have been provided to the FAA until an applicant submitted an application, the FAA agrees with the commenters that the proposed rule would have required a launch or reentry operator to complete the preliminary hazard list early in the design process, to enable the operator to then carry out its hazard control strategy or strategies. This, as noted by Blue Origin, would not have been practicable as proposed. Accordingly, the FAA does not adopt the proposed requirement for an operator to identify a preliminary hazard list. Instead, the FAA requires an operator, in § 450.107(b), to determine its hazard control strategy or strategies for any phase of flight during a launch or reentry, based on a functional hazard analysis accounting for all functional failures associated with reasonably foreseeable hazardous events, safety-critical systems, and safety-critical events. Even with this change, the FAA also agrees with Blue Origin that this approach will encourage operators to engage early with the FAA, prior to the design becoming mature.

In the final rule, the FAA eliminates proposed § 450.105, but moves, with some revision, the requirements in proposed §§ 450.105(a)(6) through (a)(8) into § 450.107(b). Section 450.107(b), titled “Hazard Control Strategy Determination,” requires that for any phase of flight during a launch or reentry, an operator must use a functional hazard analysis to determine a hazard control strategy or strategies accounting for (1) all functional failures associated with reasonably foreseeable hazardous events that, excluding mitigation, have the capability to create a hazard to the public, (2) safety-critical systems, and (3) a timeline of all safety-critical events.

In the NPRM, proposed § 450.105(a)(6) would have required a preliminary hazard list documenting all hardware, operational, and design causes of vehicle response modes that, excluding mitigation, have the capability to create a hazard to the public. The final rule requires an operator to use a functional hazard analysis that accounts for, among other things, all functional failures associated with reasonably foreseeable hazardous events that, excluding mitigation, have the capability to create a hazard to the public. A functional failure is a condition of a system, subsystem, or component function derived by assessing each function against multiple potential failure modes during each phase of the system's mission. This addresses Blue Origin's concerns about the preliminary hazard list because identifying functional failures does not require detailed design information that may not be finalized at the stage of design when a hazard control strategy is being considered.

A functional hazard analysis is a common system safety tool that, as articulated in DOD's MIL-STD-882E, is used to identify and classify the system functions and the safety consequences of functional failure or malfunction.[88] A functional hazard analysis is a foundational tool useful throughout the lifecycle of the launch or reentry system that helps drive the design and development process at a preliminary stage by identifying safety-critical functions of which launch and reentry vehicle developers should be cognizant throughout the process to ensure public safety. The requirement to perform a functional hazard analysis instead of a preliminary hazard list, as proposed in § 450.105, should reduce the burden on operators, for the reasons cited by Blue Origin.

The FAA finds that a functional hazard analysis will preserve the benefits of the preliminary safety assessment proposed in the NPRM, but reduce the burden on applicants by not requiring detailed design information that may not be finalized at the stage of design when a hazard control strategy is being considered. Like the PSA, a functional hazard analysis should help an operator identify specific information relevant to public safety, scope the analyses that must be conducted to ensure that the launch or reentry operation satisfies safety criteria, identify the effect of design and operational decisions on public safety, and provide the operator with an appropriate hazard control strategy for its proposed operation.

Section 450.107(b)(1) in the final rule requires an operator to use a functional hazard analysis to determine a hazard control strategy accounting for all functional failures associated with reasonably foreseeable hazardous events that, excluding mitigation, have the capability to create a hazard to the public. As noted earlier, a functional failure is a condition of a system, subsystem, or component function derived by assessing each function against multiple potential failure modes during each phase of the system's mission. The failure end-effect is the resulting system behavior from each functional failure. Failure end-effects that result in impacts to public safety should in turn identify the safety-critical systems and can be grouped to identify the system hazards to the public. Thus, the inability of a safety-critical system, subsystem, or component to function as designed, or to function erroneously, may potentially result in a hazard to the public. It is important to note that public exposure to a hazard should only be accounted for after determining the potential hazards to the public. That is, limits to public exposure can be a mitigation when considering hazards at the overall system or mission level, and thus are not considered when determining what constitutes a hazard to the public (i.e., functional sources of the hazard) for the purposes of § 450.107(b)(1).

The FAA does not retain in § 450.107(b) the items in proposed § 450.105(a)(1) through (a)(5) for an operator to identify (1) vehicle response modes, (2) public safety hazards associated with vehicle response modes, (3) geographical areas where vehicle response modes could jeopardize public safety, (4) any population exposed to public safety hazards in or near the identified geographical areas, and (5) the CEC. These are addressed in the four hazard control strategies and in FSA.

Finally, the FAA replaces the term “vehicle response mode” in the NPRM with “reasonably foreseeable hazardous events” in § 450.107(b)(1) in the final rule. As explained in the preamble section discussing § 450.101(c), the NPRM defined “vehicle response mode” as a mutually-exclusive scenario that characterizes foreseeable combinations of vehicle trajectory and debris generation. The final rule is less prescriptive by requiring that an operator account for reasonably foreseeable hazardous events, instead of each foreseeable combination of vehicle trajectory and debris generation. Accounting for reasonably foreseeable hazardous events in a functional hazard analysis is consistent with common industry standards. This change also means the FAA does not adopt the proposed definition of “vehicle response mode” in § 401.7.

Blue Origin also requested clarification from the FAA on its interpretation of the requirement proposed in § 450.105(a)(8) to provide “a timeline of all safety-critical events.” Blue Origin noted that it interprets “safety” to mean meeting the collective and individual risk requirements for launch and reentry and, in essence, suggested that the PSA should be limited in scope based on the collective risk criteria resulting from the FSA.

The FAA does not agree with Blue Origin's interpretation nor with its suggestion that this requirement, now in § 450.107(b)(3) in the final rule, be limited by the results of FSA. The FAA will consider any event that occurs during a phase of flight of a launch or reentry vehicle that meets the definition of “safety critical” in § 401.7 to be a “safety-critical event.”

As noted earlier, proposed § 450.105 would have required that every operator conduct and document a PSA for the flight of a launch or reentry vehicle and submit its results. Virgin Galactic inquired as to when the PSA would be due to the FAA, as well as the timeline for the review. The final rule replaces the requirement to conduct a PSA with the requirement to conduct a functional hazard analysis in § 450.107(b). The application requirements for § 450.107(b) are in § 450.107(d) and are due with the application, even though a launch or reentry operator will conduct the functional hazard analysis early in the design phase, well before it applies for a license. This approach is consistent with Blue Origin's recommendation that the analysis be limited to analyzing and identifying all functional failures that could have the capability to create a hazard to the public, rather than analyzing the detailed design, which may still be maturing. As such, in the final rule an applicant is required to provide the results of the functional hazard analysis, including all functional failures, the identification of all safety-critical systems, and a timeline of all safety-critical events.

h. Flight Abort (§ 450.108)

As discussed, if an operator cannot ensure by means other than flight abort [89] that it has sufficiently protected against a high consequence event (as measured by CEC), the only remaining way to satisfy § 450.101(c) is to use flight abort consistent with the requirements in § 450.108.

In the NPRM, the FAA proposed to address flight abort in several sections. As proposed, to implement flight abort as a hazard control strategy, an operator would have been required to:

(1) Establish flight safety limits and gates in accordance with proposed §§ 450.123 (Flight Safety Limits Analysis) and 450.125 (Gate Analysis);

(2) establish when an operator must abort a flight following the loss of vehicle tracking information with proposed § 450.127 (Data Loss Flight Time and Planned Safe Flight State Analyses);

(3) establish the mean elapsed time between the violation of a flight abort rule and the time when the FSS is capable of aborting flight for use in establishing flight safety limits in accordance with proposed § 450.129 (Time Delay Analysis);

(4) establish flight abort rules in accordance with § 450.165(c) (Flight Abort Rules); and

(5) employ an FSS in accordance with § 450.145 and software in accordance with § 450.111.

Many of these requirements were derived from existing requirements in part 417 and retained a more prescriptive approach to flight abort than the final rule adopts.

Blue Origin, CSF, and SpaceX commented that the FSA requirements in proposed §§ 450.117 through 450.141 were too prescriptive and should be replaced with a performance standard. The commenters cited a lack of flexibility and the use of an approach directed at large orbital launches from Federal launch or reentry sites.

In the final rule, the FAA consolidates the requirements for flight abort in § 450.108 and revises the more prescriptive requirements from the proposal into a single performance-based regulation. As a result of this consolidation, proposed §§ 450.123, 450.125, 450.127, and 450.129 are not included in the final rule. The requirements in these sections have been revised to reflect the performance-based standards in § 450.108(c), which establishes flight safety limits objectives, and § 450.108(d), which establishes flight safety limits constraints. The FAA adds § 450.108(e) in the final rule to relieve the operator from the requirement to use flight abort in certain situations in which high consequence events are possible but would not be effectively mitigated by an FSS. In addition, the flight abort rule requirements proposed in § 450.165(c) have been revised and relocated to § 450.108(f) to reflect the revisions to the flight safety limits requirements. The FAA also moves the reference to FSS reliability from proposed § 450.101(c) to § 450.108(b).

The FAA will provide guidance to illustrate how operators may demonstrate compliance with these requirements. The guidance will encompass many of the traditional means of developing flight safety limits, but operators can develop other means of demonstrating compliance with the performance-based objectives and constraints. As discussed in more detail throughout this section of the preamble, the revisions in the final rule allow for greater flexibility for operators while maintaining the same level of safety as proposed in the NPRM.

i. FSS Thresholds Using CEC

In the NPRM, an operator required to use flight abort under proposed § 450.101(c) was referred to proposed § 450.145 to determine the required reliability of its FSS based on CEC. Section 450.145(a)(1) proposed to require an operator to employ an FSS with design reliability of 0.999 at 95 percent confidence and commensurate design, analysis, and testing if the consequence of any vehicle response mode is 1 × 10⁻² CEC or greater. This is the reliability standard for a highly reliable FSS under part 417. Section 450.145(a)(2) proposed to require that, if the consequence of any vehicle response mode is between 1 × 10⁻² and 1 × 10⁻³ CEC for uncontrolled areas, an operator must employ an FSS with a design reliability of 0.975 at 95 percent confidence and commensurate design, analysis, and testing. The FAA explained that, for operations for which the consequence of a flight failure is less, an FSS—while still being reliable—may not need to be as highly reliable as an FSS for a vehicle operating in an area where the consequence of a flight failure is higher.[90]

In the final rule, the CEC thresholds for establishing the reliability or other requirements for an FSS proposed in § 450.145(a) have been moved to § 450.108(b). The requirements for a highly reliable FSS proposed in § 450.145(a)(1) remain in § 450.145.[91] However, the requirements for an FSS proposed in § 450.145(a)(2) have been revised and relocated to § 450.143.[92]

Rocket Lab agreed with the concept of quantifying consequence as a key metric in determining the reliability of a flight abort system. Other commenters were critical of the proposed use of CEC thresholds to set reliability standards for any required FSS, particularly in situations in which a lower reliability FSS may be sufficient to protect the public. For example, SpaceX commented that the requirement in RCC 319 for an FSS with 0.999 at 95 percent confidence reliability was overly prescriptive for low-risk mission profiles. CSF noted that, by “binning” the CEC of a vehicle and then prescribing a fixed reliability requirement for the FSS, risk of an unmitigated (by FSS) CEC event was not consistent. CSF commented that such an approach requires the same FSS even though the risk varies by an order of magnitude between the extreme values. Several other commenters, including CSF and Sierra Nevada, commented that the FAA should not preclude applicants from making a “safety case” to justify a certain level of rigor for their FSS.

As noted in the discussion of § 450.101(c), the FAA has retained CEC as the appropriate regulatory standard for measuring high consequence events. Likewise, for the reasons set forth in that section of the preamble, the FAA has retained the use of CEC in § 450.108(b) to determine the level of reliability required for an FSS. However, in response to comments, the FAA has added flexibility for FSS that do not need to meet the standard for highly reliable FSS in proposed § 450.145(a)(1) based on the CEC. The FAA notes that an operator does not need to calculate CEC for the purposes of determining reliability under § 450.108(b) if it elects to use a highly reliable FSS that meets the requirements of § 450.145.

In the final rule, the FAA removes the prescribed reliability threshold proposed in § 450.145(a)(2) of the NPRM for operations with a maximum CEC value between 1 × 10⁻² and 1 × 10⁻³. Accordingly, an operator does not need to employ an FSS with a design reliability of 0.975 at 95 percent confidence and commensurate design, analysis, and testing. Rather, under § 450.108(b)(2), an operator must use an FSS that meets the requirements of § 450.143 if the consequence of any reasonably foreseeable failure mode in any significant period of flight is between 1 × 10⁻² and 1 × 10⁻³ CEC for uncontrolled areas.

The requirements for the two types of FSS, as well as the removal of the proposed requirements, are discussed in more detail later in this preamble in the discussion of §§ 450.143 and 450.145.

ii. Flight Safety Limits Objectives

Proposed § 450.123(a) stated an FSA must identify the location of uncontrolled areas and establish flight safety limits that define when an operator must initiate flight abort to: (1) Ensure compliance with the safety criteria of § 450.101; and (2) prevent debris capable of causing a casualty from impacting in uncontrolled areas if the vehicle is outside the limits of a useful mission.

The introductory language of § 450.108(c) is a revision of proposed § 450.123(a).[93] In the final rule, § 450.108(c), titled “Flight Safety Limits Objectives,” requires an operator to determine and use flight safety limits that define when an operator must initiate flight abort if the conditions enumerated in § 450.108(c)(1) through (c)(5) are met. Alternatively, an operator could meet § 450.108(c)(6) to satisfy the requirements of § 450.108(c)(2) and (c)(4).

The following sections provide additional detail on the performance-based flight safety limits objectives derived from the more prescriptive requirements proposed in the NPRM and respond to public comments on the proposals in the NPRM to the extent they are relevant to compliance with the final rule.

Section 450.108(c)(1)

Section 450.108(c)(1) requires that an operator initiate flight abort to ensure compliance with the safety criteria of § 450.101(a) and (b). The FAA proposed a related requirement in § 450.123(a)(1), which stated that an FSA must identify the location of uncontrolled areas and establish flight safety limits that define when an operator must initiate flight abort to ensure compliance with the safety criteria of § 450.101. In the final rule, § 450.108(c)(1) specifies the relevant subparagraphs in § 450.101 to which this requirement applies. The FAA makes this change in the final rule because the requirement in § 450.101(c)(1) is met through use of flight abort as a hazard control strategy, and § 450.101(d), (e), and (f) are not relevant to flight abort.

Section 450.108(c)(2)

In the NPRM, proposed § 450.123(a)(2) required the operator to prevent debris capable of causing a casualty from impacting in uncontrolled areas if the vehicle is outside the limits of a useful mission. In the final rule, § 450.108(c)(2) requires that an operator initiate flight abort to prevent continued flight from increasing risk in uncontrolled areas if the vehicle is unable to achieve a useful mission.

Although proposed § 450.123(a)(2) focused on debris impacts in uncontrolled areas to define when an operator must initiate flight abort, § 450.108(c)(2), as finalized, acknowledges that debris impact is not the only risk contributor that must be accounted for in determining flight safety limits. For example, a release of toxic propellant following a debris impact may also contribute to risk. Therefore, in § 450.108(c)(2), an operator must determine and use flight safety limits to prevent continued flight from increasing risk once a vehicle can no longer achieve a useful mission. The FAA recognizes that a vehicle may deviate from the limits of a useful mission during a period when hazard containment through flight abort is not possible. In this case, the requirement is not to allow continued flight to increase risk, though some risk from either flight abort or continued flight may be unavoidable.

For example, a vehicle may begin an unplanned turn away from a nominal trajectory while overflying an island. Once the vehicle leaves the limits of a useful mission, the operator should initiate flight abort if continued flight would result in an increase in risk. Pursuant to § 450.108(c)(2), depending on the risk to the public, it may be better to withhold flight abort until the hazards resulting from the abort would not affect the island. However, if the turn is towards a major population center on the island, it may pose less of a risk to the public to abort the flight as soon as it leaves the limits of a useful mission, even if it might result in a hazard posed to less-dense populated areas.

The concepts of “useful mission” and “limits of a useful mission” [94] are discussed in greater detail in the preamble section on FSA methods (specifically, in § 450.119 (Trajectory Analysis for Malfunction Flight)).

The FAA also notes that the maximum extents of a gate,[95] determined by the limits of a useful mission in proposed § 450.125(c)(2), are addressed by § 450.108(c)(2) in the final rule, which requires flight abort to prevent continued flight from increasing risk in uncontrolled areas if the vehicle is unable to achieve a useful mission. Therefore, trajectories outside the limits of a useful mission that intersect flight safety limits that prevent increased risk in uncontrolled areas must trigger flight abort.

Virgin Galactic recommended that the term “prevent” in proposed § 450.123(a)(2) be qualified, as it could be taken to mean many probabilistic values. Although proposed § 450.123(a)(2) has been removed from the final rule, § 450.108(c) uses the term “prevent” in five places including § 450.108(c)(2). In § 450.108(c)(2), (3), (5), and (6), prevention is dependent on the proper functioning of the FSS. There is no expectation that these objectives will be met if the FSS fails to function properly. In § 450.108(c)(4), when the reliability of the FSS is accounted for pursuant to § 450.108(d)(5), prevention is considered to be achieved.

Section 450.108(c)(3)

As noted earlier, the FAA proposed in § 450.125 to establish the requirements for a gate analysis. The FAA explained that the primary purpose of gates is to establish safe locations and conditions to abort the flight prior to the vehicle entering a region or condition where it may endanger populated or other protected areas if flight were to continue. A gate should be placed where a trajectory within the limits of a useful mission intersects a flight safety limit as long as that trajectory meets the risk criteria in § 450.101. In response to comments that the proposed gate analysis requirements created confusion and should be more performance-based, § 450.125 is not included in the final rule.

In the final rule, the concept of gate analysis in proposed § 450.125 is captured in a more performance-based manner in § 450.108(c)(3).[96] Section 450.108(c)(3) requires that an operator initiate flight abort to prevent the vehicle from entering a period of materially increased public exposure in uncontrolled areas, including before orbital insertion, if a critical vehicle parameter is outside its pre-established expected range or indicates an inability to complete flight within the limits of a useful mission. The FAA removes the term “gate” in the final rule to allow operators to use another method to comply with the requirements. Furthermore, the term “gate” can have different meanings within the industry, which can cause confusion. However, although the term “gate” is not used in the final rule, the FAA expects a similar approach to a gate analysis will be used by many operators and by Federal launch or reentry sites. With the removal of explicit gate requirements, the term “tracking icon” is no longer required, and the FAA therefore removes the term from the final rule.

The FAA notes that a period of materially increased public exposure would include the beginning of a period when the vehicle will overfly a major landmass prior to orbital insertion (e.g., Europe, Africa, or South America). Overflight of large islands with substantial population may also constitute a period of materially increased public exposure, while overflight of islands with small populations or other areas of sparse population will not constitute a period of materially increased public exposure. Consequence may be used to determine if an exposed area should be considered an area of materially increased public exposure. Orbital insertion also results in a material increase in public exposure due to the possibility of a random reentry from a vehicle that cannot achieve a minimum safe orbit. A vehicle intended for orbit that cannot achieve a minimum safe orbit would require flight abort under § 450.108(c)(3). The FAA will provide guidance on what constitutes materially increased public exposure.[97]

The FAA notes that, for purposes of § 450.108(c)(3), a “critical vehicle parameter” is a parameter that demonstrates the vehicle is capable of completing safe flight through the upcoming phase of flight for which population is exposed to hazardous debris effects from reasonably foreseeable failure modes. An example of a critical vehicle parameter outside its pre-established expected range is a tank pressure that is higher than the normal operating range and could lead to a rupture. An example of a critical vehicle parameter that indicates an inability to complete flight within the limits of a useful mission is an acceleration that is too low and would result in a vehicle failing to reach orbit. The operator must select parameters and their acceptable ranges that are appropriate for the vehicle and mission, with consideration of the ability to measure and act on the parameters, and describe in the application the parameters that will be used and how their ranges were determined, pursuant to the application requirement in § 450.108(g)(3).

The intent of the gate analysis in proposed § 450.125 was to prevent unnecessarily exposing the public to hazards from a mission that can no longer be useful. Proposed § 450.125(a) required that an FSA include a gate analysis for an orbital launch or any launch or reentry where one or more trajectories that represent a useful mission intersect a flight safety limit that provides containment of debris capable of causing a casualty. Gate analysis was necessary if a vehicle on a useful mission needed to fly in an area where population could be exposed to hazards in the event of a vehicle failure. As long as a trajectory met the individual and collective risk criteria of § 450.101(a)(1) and (a)(2) for a launch, or (b)(1) and (b)(2) for a reentry, when treated like a nominal trajectory with normal trajectory dispersions, the flight safety limit with which it intersected would be removed (or “relaxed,” as described in the NPRM),[98] so flight of the vehicle would not be aborted. Alternatively, under proposed § 450.125(b)(1), the flight safety limit could be replaced with a gate that allowed continued flight as long as a real-time measure of performance indicated that the vehicle was able to complete a useful mission.

Section 450.108(c)(3) achieves the intent in proposed § 450.125(a) because it codifies the goals achieved by gate analysis but allows for alternative approaches to achieve the same objective. Similar to the gate analysis in proposed § 450.125(a), the analysis in § 450.108(c)(3) is required when a trajectory that represents a useful mission approaches an uncontrolled area.

Proposed § 450.125(b)(1) required that a gate analysis establish a relaxation of the flight safety limits that allows continued flight or a gate where a decision will be made to abort the launch or reentry or allow continued flight. This proposed requirement is addressed in § 450.108(c)(3) because it also either allows continued flight without a check of critical vehicle parameters if the upcoming population exposure is not materially increased, or requires a check of critical vehicle parameters before continued flight if the upcoming population exposure is materially increased. In this respect, the final rule provides clarity on the point at which the check of critical vehicle parameters is required, whereas the proposal was ambiguous on when a gate would be required.

Proposed § 450.125(b)(2) stated that, if a gate is established, a gate analysis must include a measure of performance at the gate that enables the flight abort crew or autonomous FSS to determine whether the vehicle is able to complete a useful mission or abort the flight if it is not. In the final rule, this requirement is addressed in § 450.108(c)(3), which states, “if a critical vehicle parameter is outside its pre-established expected range or indicates an inability to complete flight within the limits of a useful mission.” The pre-established expected range of the critical vehicle parameters are those values that do not predict the vehicle will fail or exit the limits of a useful mission, or simply those that indicate the vehicle is performing as intended. Accordingly, as with gate analysis under the proposal, the operator will establish the measure of performance—referred to as the critical vehicle parameter(s) and pre-established expected range(s) in the final rule—that will determine whether flight abort must be initiated.

Proposed § 450.125(b)(4) stated that a gate analysis must establish, for an orbital launch, a gate at the last opportunity to determine whether the vehicle's flight is in compliance with the flight abort rules and can make a useful mission, and to abort the flight if it is not. This requirement is addressed by the § 450.108(c)(3) requirement that critical vehicle parameters must be checked before orbital insertion. Therefore, § 450.108(c)(3) is a more performance-based requirement that is consistent with the proposed § 450.125(b)(4).

The FAA notes that certain concepts in proposed § 450.125 are also captured in § 450.108(c)(2), (c)(4), and (d)(7), as discussed in the preamble associated with those sections. The FAA finds that the intent of the proposed gate analysis requirements would be clearer if these requirements are included as separate flight safety limits objectives and constraints because they can also be applied outside of a traditional gate analysis.

The FAA received several comments on proposed § 450.125 focused on the proposed definition of the term “gate,” the prescriptive nature of the requirements for a gate analysis, and the manner in which gates would be applied. Boeing, Lockheed Martin, Northrop Grumman, and ULA commented that the gate analysis must establish a relaxation of the flight safety limits that allows continued flight or a gate where a decision will be made to abort the launch or reentry or allow continued flight. The commenters asserted that flight rules and placards can constrain allowable trajectories, and that it is appropriate to disapprove a trajectory if the nominal trajectory is beyond the flight safety limits. The FAA declined to make the recommended change because § 450.108(c)(3) allows a nominal vehicle to overfly a populated area, which is current practice. A flight safety limit that intersects the nominal trajectory trace can only be enforced if the vehicle has experienced a malfunction before reaching the limit. These limits are common, such as gates protecting downrange landmasses before overflight.

Boeing, Lockheed Martin, Northrop Grumman, and ULA recommended replacing “flight abort” with “flight termination” to distinguish between a flight abort for a reason unrelated to public safety. The FAA did not adopt this change because the term “flight abort” is meant to encompass hazard control strategies that may not include destruction of a vehicle or termination of thrust. For example, flight abort for a captive carry mission may entail aborting the mission and returning to base or landing at a contingency site. The FAA finds that the term “flight termination” has connotations that are inconsistent with the FAA's intent.

Boeing, Lockheed Martin, Northrop Grumman, and ULA requested clarification on the term “relaxation of a flight safety limit” in the NPRM and questioned whether it is appropriate for an operator to relax a flight safety limit.

The FAA agrees that the proposed language “relaxation of a flight safety limit” lacked clarity and that the regulation should be clear about when a vehicle may overfly population without a performance check. The final rule removes terms related to relaxed flight safety limits and states in § 450.108(c)(3) that the critical vehicle parameter check is required prior to entering a period of materially increased public exposure in uncontrolled areas, including before orbital insertion. The meaning of “materially increased public exposure” is discussed earlier in this section.

Rocket Lab inquired whether a gate analysis is required for when a trajectory intersects a flight safety limit, if an operator was using flight abort only as a hazard control strategy.

In the final rule, pursuant to § 450.108(c)(3), this performance check is not necessary if the vehicle is not approaching an area of materially increased public exposure regardless of how the operator develops flight safety limits, as long as it meets requirements in § 450.108(c) and (d). The FAA also notes that if flight abort is not required as a hazard control strategy to meet the safety criteria of § 450.101, an operator may still choose to use flight abort at its discretion. Compliance with § 450.108(c)(3) is only required for an operator required to use flight abort as a hazard control strategy to meet the safety criteria of § 450.101.

Section 450.108(c)(4)

As noted earlier, proposed § 450.125(c) would have required the extent of any gate or relaxation of the flight safety limits to be based on normal trajectories, trajectories that may achieve a useful mission, collective risk, and consequence criteria. Section 450.108(c)(4) in the final rule is related to proposed § 450.125(c)(1) and (c)(2) in that it describes the consequence requirements for flight safety limits; however, it contains differences as explained in this section of the preamble.

In the final rule, § 450.108(c)(4) requires that an operator initiate flight abort to prevent conditional expected casualties greater than 1 × 10⁻² in uncontrolled areas due to flight abort or due to flight outside the limits of a useful mission from any reasonably foreseeable off-trajectory failure mode initiating in any significant period of flight. The purpose of § 450.108(c)(4) is to ensure that, when an operator cannot develop flight safety limits that prevent hazards from affecting uncontrolled areas, the failure modes that result in deviations from the planned trajectory will not result in a high consequence event if the vehicle is unable to achieve a useful mission. This scenario can arise when some public exposure must be accepted to allow useful vehicles to continue during a phase of flight when flight abort is still used as a hazard control strategy.

This situation frequently occurs, for example, on northeasterly missions launched from the Eastern Range that are permitted to overfly some portions of Nova Scotia and Newfoundland on trajectories within the limits of a useful mission. If the vehicle fails after the overflight has begun and reaches flight safety limits protecting more westerly portions of the uncontrolled areas from flight outside the limits of a useful mission, the consequence from flight abort must meet the criteria in § 450.108(c)(4).

Proposed § 450.125(c)(1) and (c)(2) included the consequence requirements as a part of gate analysis. In the final rule, the consequence requirements are a standalone flight safety limits objective in § 450.108(c)(4). The final rule also makes several revisions. First, the final rule expressly states flight safety limits are required only to prevent high consequence events in uncontrolled areas. This concept was implied in the NPRM because, per proposed § 450.123(a)(2), flight safety limits must prevent debris capable of causing a casualty from impacting in uncontrolled areas if the vehicle is outside the limits of a useful mission. The consequence criteria in proposed § 450.125(c)(1) and (c)(2) were applicable to flight safety limits that did not prevent debris from impacting in uncontrolled areas following a gate or relaxation in a flight safety limit developed per § 450.123(a)(2). Therefore, the proposed consequence criteria only applied to uncontrolled areas.

Second, the requirement in the final rule applies in cases of flight abort and in cases where the vehicle is outside the limits of a useful mission. The consequence criteria in proposed § 450.125(c)(1) and (c)(2) were only applicable in cases of flight abort. If only flight abort action were considered, a high consequence event resulting from other outcomes (intact impacts, structural breakup, etc.) outside the limits of a useful mission might not be identified.

Vehicle failures within the limits of a useful mission are excluded from the consequence criteria in § 450.108(c)(4) in the final rule because flight abort cannot prevent a failure from affecting uncontrolled areas that must be exposed to allow a vehicle on a useful mission to continue flight. For example, if a vehicle begins an unplanned turn from the nominal trajectory while overflying uncontrolled areas and breaks up aerodynamically before exiting the limits of a useful mission, this failure would not count against the consequence criteria because the vehicle was within the limits of a useful mission when the outcome of the failure occurred. Collective risk requirements still apply in these scenarios and ensure that the risk is met for any trajectory that the operator declares as representing a useful mission, pursuant to § 450.108(d)(7).

Third, whereas proposed § 450.125(c)(1) and (c)(2) concerned the consequence from flight abort “resulting from any reasonable vehicle response mode,” § 450.108(c)(4) concerns the consequence from any “reasonably foreseeable off-trajectory failure mode.” The replacement of “vehicle response mode” with “failure mode” is discussed in the preamble section on § 450.101(c)(2).[99] The term “off-trajectory” was added to explain further which types of failures must result in the consequence criteria being met. Off-trajectory failures are those for which the vehicle deviates from its intended flight path—for example due to failures of the guidance, navigation, or control systems. Outcomes from on-trajectory failures, such as an explosion or loss of thrust along the intended flight path, are not able to be fully mitigated by an FSS because once the failure occurs the hazard cannot be prevented from affecting uncontrolled areas if the failure occurred during a period in which the uncontrolled areas were exposed. At best, the hazard can be reduced for some failure modes such as a loss of thrust that may result in an intact impact unless a destructive abort that disperses propellants is implemented. In this case, flight abort may still be required to reduce risk per § 450.108(c)(2) since the vehicle is unable to achieve a useful mission, but the consequence criteria would not apply.

Boeing, Lockheed Martin, Northrop Grumman, and ULA requested clarification on the intent of the CEC limits in proposed § 450.125(c)(1) and (c)(2). In the final rule, the FAA retained the CEC limits related to flight abort. The intent of these limits is to ensure that, when flight abort or a flight outside the limits of a useful mission resulting from an off-trajectory failure mode produces debris capable of causing a casualty, it nonetheless protects against a high consequence event. In other words, flight abort provides sufficient protection against a high consequence event when flight abort is implemented to prevent the CEC from any reasonably foreseeable off-trajectory failure mode initiating in any significant period of flight from exceeding 1 × 10⁻² casualties, even though the public in uncontrolled areas might be exposed to debris from a flight abort.

SpaceX asked if there were restrictions to using flight safety limits that met the risk requirements of proposed § 450.101 but did not meet the 1 × 10⁻² CEC requirement.

Under § 450.108(c)(4), flight safety limits must not allow CEC greater than 1 × 10⁻² unless the consequence resulted from a vehicle within the limits of a useful mission and therefore could not be mitigated by flight abort without aborting a vehicle on a useful mission, or the consequence resulted from an on-trajectory failure mode.

An example of when the consequence requirement would not apply is when a vehicle on a normal trajectory suffers a spontaneous breakup. This on-trajectory event cannot be mitigated by flight abort without terminating a useful vehicle before it overflies uncontrolled areas. An operator would not be required to initiate flight abort under the final rule for this scenario. An example of when the consequence requirement would apply is if a malfunction causes the vehicle to depart from the limits of a useful mission. If CEC is used to measure high consequence events, the flight safety limits must prevent the consequence from such a failure mode (i.e., a malfunction that causes the vehicle to depart from the limits of a useful mission) from exceeding 1 × 10⁻² CEC, whether produced by flight abort or other reasonably foreseeable outcomes (such as aerodynamic/structural breakup, intact impact, etc.).

SpaceX requested guidance on how an operator should balance EC and CEC when designing flight safety limits and expressed concern that EC may increase as an operator attempts to reduce CEC. SpaceX also recommended removing all numerical values associated with CEC and requiring the consequence of flight abort at the flight safety limits to be minimized.

Regarding the balance of EC and CEC, the FAA notes that flight safety limits must be designed to meet the EC and CEC requirements as described in § 450.108(c)(1) and (c)(4), respectively. If the flight safety limits must be modified to reduce the CEC to acceptable levels, EC must still be kept within acceptable levels. The FAA does not agree with the recommendation to remove the numerical value associated with the CEC requirement because this could allow flight safety limits that result in a high consequence through flight abort or through flight abort inaction. However, the final rule does allow for methods of measuring consequence other than CEC that provide an equivalent level of safety under § 450.37.

Section 450.108(c)(5)

Section 450.108(c)(5) requires that an operator initiate flight abort to prevent the vehicle state from reaching identified conditions that are anticipated to compromise the capability of the FSS if further flight has the potential to violate a flight safety limit. For example, if a roll rate of a particular magnitude would preclude ground-based flight abort commands from being received by the vehicle, a flight safety limit should be developed that triggers flight abort before the roll rate reaches this value.

Section 450.108(c)(5) is related to the flight abort rule in proposed § 450.165(c)(3)(ii), which required that flight abort rules include that the FSS must abort flight when the vehicle state approaches conditions that are anticipated to compromise the capability of the FSS and further flight has the potential to violate the FSS. In the NPRM, the FAA did not include a flight safety limit objective that corresponded with the flight abort rule in proposed § 450.165(c)(3)(ii). The FAA adds this flight safety limit objective in § 450.108(c)(5). The flight abort rule in proposed § 450.165(c)(3)(ii) is in § 450.108(f)(2)(ii) and is discussed further under Flight Abort Rules in the following paragraphs.

Section 450.108(c)(6)

Section 450.108(c)(6) states that, in lieu of meeting § 450.108(c)(2) and § 450.108(c)(4), an operator may initiate flight abort to prevent debris capable of causing a casualty due to any hazard from affecting uncontrolled areas using an FSS that complies with § 450.145. The FAA adds this regulation to clarify that a CEC analysis is not required if an FSS that complies with § 450.145 provides hazard containment. Hazard containment is a means of achieving the goals of § 450.108(c)(2) and (c)(4) because, if an operator provides for hazard containment, continued flight will not increase risk in uncontrolled areas and hazard containment would prevent conditional expected casualties greater than 1 × 10⁻² in uncontrolled areas. This requirement is consistent with the NPRM because if an operator is able to contain hazards throughout the period when flight abort is used, the proposed consequence requirements in § 450.125(c)(1) and (c)(2) would not apply since a gate analysis would not be necessary.

In developing the NPRM, the FAA considered alternatives to a conditional risk limit, including the current approach employed in § 417.213.[100] The FAA rejected using the approach in § 417.213 as a requirement in part 450 because it is unnecessarily restrictive to require designated impact limit lines to bound the area where debris with a ballistic coefficient of three pounds per square foot or more is allowed to impact if the FSS functions properly, as evidenced by the need for the FAA to grant waivers to allow innovative missions to proceed safely, such as return of boosters to the launch site.[101] However, if an operator satisfies the current requirements in § 417.213, it would meet the requirement in § 450.108(c)(6). This strategy is not an option when hazard containment is not possible during a phase of flight when flight abort must be used as a hazard control strategy. For example, if an area of overflight occurs on the nominal trajectory during a phase of flight when flight abort is still used as a hazard control strategy, an operator cannot claim containment during this phase and must meet § 450.108(c)(2) and (c)(4). The FAA notes that its approach in § 450.108(c) to employing conditional risk limits is consistent with a recommendation made by the National Academy of Sciences.[102]

Virgin Galactic recommended adding an exclusion to the requirement for flight safety limits in proposed § 450.123 for vehicles that already meet the public risk criteria, as flight safety limits analysis amounts to an additional layer of regulation that Virgin Galactic believed was redundant and unneeded.

The FAA determined that a clarification is required in response to this recommendation. Pursuant to § 450.108(a), flight safety limits are only required in phases of flight in which flight abort is used as a hazard control strategy to meet the safety criteria of § 450.101. The FAA does not agree that meeting public risk criteria, or just collective and individual risk, are the only objectives of flight abort, as explained in the preamble section on CEC. The FAA finds it necessary to include additional objectives for flight abort in § 450.108(c) to protect public safety adequately. Lastly, the preamble section on CEC describes why a conditional risk assessment is appropriate to provide the public protection from unlikely but catastrophic events in the context of launch and reentry operations.

iii. Flight Safety Limits Constraints

Section 450.108(d) in the final rule describes flight safety limits constraints. This subsection consolidates the flight safety limits constraints in proposed §§ 450.123 through 450.129.

Section 450.108(d)(1)

Proposed § 450.123(b)(1) required flight safety limits to account for temporal and geometric extents on the Earth's surface of any vehicle hazards resulting from any planned or unplanned event for all times during flight.

In the final rule, § 450.108(d)(1) requires that flight safety limits account for temporal and geometric extents on the Earth's surface of any reasonably foreseeable vehicle hazards under all reasonably foreseeable conditions during normal and malfunctioning flight. The FAA adds “reasonably foreseeable” before “vehicle hazards” to be consistent with language elsewhere in the regulation. As noted earlier, “reasonably foreseeable” is a term commonly used in system safety. The FAA also replaces “from any planned or unplanned event for all times during flight” in proposed § 450.123(b)(1) with “under all reasonably foreseeable conditions during normal and malfunctioning flight” in § 450.108(d)(1). This revision does not result in a substantive change from the proposal, but the FAA finds the revised language to be clearer and consistent with language elsewhere in the regulation through use of the term “reasonably foreseeable conditions” in place of the proposed “planned or unplanned event.” This standard does not hold the operator responsible for unforeseeable events.

Section 450.108(d)(2)

Section 450.108(d)(2) requires that flight safety limits account for the physics of hazard generation and transport including uncertainty. This articulation represents a revision of proposed § 450.123(b)(2), which stated flight safety limits must account for potential contributions to debris impact dispersions. The FAA finds the NPRM language was unclear as to the scope of the requirement. The NPRM would have required an operator to consider how factors like winds, imparted velocities, and uncertainty in mass properties affect where debris from a failed vehicle may impact. However, direct debris impacts are not the only hazards posed by vehicle failures. For example, an intact impact of a vehicle may lead to a blast wave or release of toxic propellant, both of which must be considered when developing flight safety limits. Hazard generation and transport are factors that apply to all hazards, unlike factors that only apply to determining debris impact dispersions. Hazard generation refers to the process by which a vehicle becomes a hazard, and transport is how the hazard moves from the source to an exposed person or asset. Simply accounting for potential contributions to debris impact dispersions would not encompass all hazards, though debris impact dispersions also need to be accounted for under § 450.108(d)(2).

Blue Origin requested clarification of the term “potential contributions” in proposed § 450.123(b)(2). The FAA notes the term “potential contributions” to debris impact dispersions are those that influence the propagation of debris following a vehicle breakup, such as explosion-induced velocities, winds, uncertainty in aerodynamic properties, etc. The FAA further notes the term “potential contributions” does not appear in the final rule. The FAA will address development of debris impact dispersions in guidance, similar to the existing Flight Safety Analysis Handbook.

Section 450.108(d)(3)

In the NPRM, the FAA proposed to consolidate and update data loss flight times and planned safe flight states requirements in proposed § 450.127 (Data Loss Flight Time and Planned Safe Flight State Analyses). As explained in the proposal, data loss flight time analysis is necessary to establish when an operator must abort a flight following the loss of vehicle tracking information. In the NPRM, the FAA explained that data loss flight time would be the shortest elapsed thrusting or gliding time during which a vehicle flown with an FSS can move from its trajectory to a condition in which it is possible for the vehicle to violate a flight safety limit. Data loss flight times would have been required from the initiation of flight until the minimum elapsed thrusting or gliding time was no greater than the time it would take for a normal vehicle to reach the final gate crossing or the planned safe flight state.

Section 450.108(d)(3) revises the prescriptive requirements in § 450.127 to require that flight safety limits account for the potential to lose valid data necessary to evaluate the flight abort rules. Data is valid when it is of sufficient quality to be used to make flight abort decisions. Data used to make flight abort decisions can be missing or invalid for a number of reasons, but resulting from an unplanned event, such as disruption or loss of communication pathways with ground-based or onboard tracking sensors. Despite an operator's or launch site's best efforts, the potential to lose track data is a contingency for which operators must plan.

Section 450.108(d)(3) requires an operator to account for the potential to lose valid data necessary to evaluate the flight abort rules because the loss of valid data does not absolve the operator from attempting to meet the flight safety limits requirements in § 450.108(c) and (d). Section 450.108(d)(3) captures the performance-based intent of proposed § 450.127 (Data Loss Flight Time and Planned Safe Flight State Analyses). The FAA finds that this revision allows for the use of data loss flight times as a means of satisfying § 450.108(d)(3), but also allows operators to propose other methods of meeting the requirement.

Microcosm and SpaceX requested clarification of the intent for proposed § 450.127. The FAA notes that the purpose of proposed § 450.127 was to determine when flight abort is required if track data used to evaluate the flight abort rules is lost. If a vehicle is able to reach a flight safety limit when track data is lost, then a countdown begins that would indicate, upon reaching zero, that a flight safety limit may have been reached. Under proposed § 450.165(c)(3)(iii), flight abort would have to occur no later than when the countdown reaches zero. Throughout flight, the time for the countdown to reach zero is the data loss flight time. If reliable tracking sources are regained before the countdown reaches zero, then flight abort rule evaluation resumes and the countdown resets. In Federal launch site parlance, data loss flight times are known as “green numbers.”

In the NPRM, data loss flight times would not be used if a vehicle's tracking icon has potentially passed a final gate when the countdown reaches zero because this could result in introducing hazards in uncontrolled areas that the gate protects. As described in proposed § 450.127(b)(1), there are no data loss flight times when the minimum elapsed thrusting or gliding time is greater than the time it would take for a normal vehicle to reach the final gate crossing, to preclude abort from occurring after a gate crossing.

Proposed § 450.127(c)(1) through (c)(3) described other phases of flight when data loss flight times would be unnecessary. If a vehicle cannot reach a flight safety limit, then a data loss flight time cannot be computed and would be unnecessary. It may seem futile to have a flight safety limit that cannot be reached, but for purposes of data loss flight times a flight safety limit is considered unreachable if the vehicle cannot reach it starting from within normal trajectory limits when track data is lost. The flight safety limit may still be reachable if the vehicle was outside of normal trajectory limits at the time data was lost. Therefore, these flight safety limits may still have value.

Finally, in the NPRM, data loss flight times would not be necessary in phases of flight when an FSS is not required. There may still be flight safety limits during such phases if an operator retains an FSS and active flight abort rules even though they are not required. Loss of track data would not require flight abort since the flight safety limits themselves are unnecessary. This approach would allow operators to be conservative in the use of flight safety limits in phases of flight when they are unnecessary, with no threat of flight abort from loss of track data.

Proposed § 450.127(b)(3) would have permitted the real-time computation and application of data loss flight times during vehicle flight, in which case the state vector just prior to loss of data should be used as the nominal state vector. The FAA finds that § 450.108(d)(3) provides the same level of safety as the proposed requirement in § 450.127 and provides additional flexibility. The FAA will provide guidance on compliance with § 450.108(d)(3). The proposed requirement in § 450.127 can be part of a viable means of compliance with § 450.108(d)(3). An operator may propose other means of compliance with § 450.108(d)(3).

Section 450.108(d)(4)

Proposed § 450.129 (Time Delay Analysis) would have required an operator to perform a time delay analysis to establish the mean elapsed time between the violation of a flight abort rule and the time when the FSS is capable of aborting flight for the purpose of establishing flight safety limits. The time delay analysis would have been required to determine a time delay distribution that accounts for all foreseeable sources of delay.

While proposed § 450.129 does not appear in the final rule, the objective of proposed § 450.129 is captured by § 450.108(d)(4). Section 450.108(d)(4) requires that flight safety limits account for the time delay, including uncertainties, between the violation of a flight abort rule and the time when the FSS is expected to activate. The term in the final rule “time delay including uncertainties” is consistent in intent with the NPRM language “mean elapsed time” and “determine a time delay distribution.”

The time delay distribution in proposed § 450.129 is a distribution in the statistical sense. The uncertainties referred to in § 450.108(d)(4) are the same as the time delay distribution referred to in proposed § 450.129. To meet § 450.108(d)(4), the operator must consider the range of values that the actual time delay could fall between. While proposed § 450.129 stated that the time delay analysis would be used in establishing flight safety limits, the final rule specifies that the time delay is a constraint in developing flight safety limits. Time delays are important in a flight safety limits analysis because the decision to abort flight must be made in time to achieve the flight safety limits objectives. This is not possible unless the time delay between the violation of a flight abort rule and the time when the FSS is expected to activate is known. The FAA finds that including this requirement in the flight safety limits constraints provides more clarity regarding the relation between this requirement and the flight safety limits.

Section 450.108(d)(5)

Section 450.108(d)(5) requires an operator to determine flight safety limits that account for individual, collective, and conditional risk evaluations both for proper functioning of the FSS and failure of the FSS. To satisfy this requirement, an operator must account for the reliability of the FSS under two scenarios when determining whether individual, collective, or conditional risk requirements are met with the flight safety limits objectives. The applicable flight safety limits objectives are located in § 450.108(c)(1), which addresses individual and collective risk, and § 450.108(c)(4), which addresses conditional risk. Although § 450.108(c)(2) is also associated with risk, it is independent of the FSS reliability because it is a comparison between the risk if the FSS is activated and the risk if it is not activated.

To comply with § 450.108(d)(5), first, the FSS must be assumed to have a reliability of one, meaning it is presumed to function without error. The risk evaluations using an FSS reliability of one ensure that the criteria are met if the FSS functions as intended. This requirement is important because an FSS failure should not be relied upon to make flight safety limits compliant with risk requirements. The decision to implement a flight abort is a deliberate safety intervention. The FAA wants to be sure that the public is safe given any deliberate safety intervention. This objective is consistent with proposed § 450.125(c)(1) and (c)(2), which contain requirements for consequence from flight abort, implying that the flight abort action occurs, and is also consistent with current practice for all risk evaluations.

Second, the risk evaluations must consider the predicted reliability of the FSS. Predicted reliability of the FSS is important because even low probabilities of FSS failures can have significant impacts on risk. This consideration is consistent with the NPRM because FSS reliabilities are a fundamental component of the viability of flight abort as a hazard control strategy, and it is expressly stated in the final rule for clarity. Consideration of the FSS reliability in risk evaluations is also consistent with current practice.

The final rule allows an operator flexibility to establish the design, analysis, and testing of its FSS and the conditions that require initiation of flight abort as long as the CEC is no greater than 1 × 10⁻² for any reasonably foreseeable failure mode in any significant period of flight that could require the operator to initiate flight abort, accounting for the reliability of the FSS pursuant to § 450.108(d)(5).

Section 450.108(d)(6)

Proposed § 450.123(b)(3) would have added a requirement to design flight safety limits to avoid flight abort under conditions that result in increased collective risk to people in uncontrolled areas, compared to continued flight. In the NPRM, the FAA explained that the proposed requirement is equivalent to the U.S. Government consensus standard that a conditional risk management process should be implemented to ensure that mission rules do not induce unacceptable consequences when they are implemented.

Section 450.108(d)(6) requires that flight safety limits be designed to avoid flight abort that results in increased collective risk to the public in uncontrolled areas, compared to continued flight. This language is very similar to proposed § 450.123(b)(3), with one change. The FAA changes the term “people” in the proposed rule to “the public” in the final rule because the FAA regulates the safety of the public. The term “people” could be construed as meaning something broader than “public,” such as mission essential personnel who may be in uncontrolled areas.

Blue Origin stated that proposed §§ 450.123(d), 450.125(b)(2), 450.125(c), and 450.125(c)(3) were in conflict and commented on the definition of a “useful mission.” Blue Origin explained that, even though the intent was to meet the public safety requirements in proposed § 450.101, terminating a vehicle that may not meet the definition of a “useful mission” may result in an increase in risk to the public, including those on ships and aircraft, compared to continued flight that may result in reaching orbit. Blue Origin commented that, if the limits were defined only with respect to the risk criteria in proposed § 450.101, allowing the vehicle to continue flight may result in a safer risk profile.

The FAA agrees that the risk to the public must not be increased by flight abort. However, if a vehicle intended for orbit is outside the limits of a useful mission and approaching populated uncontrolled areas, there is likely an optimum location to abort the flight without increasing risk. For launches where the instantaneous impact point (IIP) [103] approaches a landmass from the ocean, aborting flight before the resulting debris would encroach on the landmass and dense coastal shipping traffic would be compliant with § 450.108(d)(6). Current practice for orbital launches from Federal launch sites is to allow the vehicle to continue to orbit if it can achieve a minimum safe orbit and is within the limits of a useful mission in the IIP projection. This practice is consistent with the requirements in § 450.108. If an operator proposes to allow a vehicle outside the IIP limits of a useful mission to overfly population to proceed to orbit, it must demonstrate that this option presents lower risk than aborting the flight before the overflight begins.

The FAA agrees that a discrepancy existed in the NPRM in proposed § 450.123(d) but is uncertain if this is the conflict to which Blue Origin referred. The proposed § 450.123(d) referred to risk criteria in § 450.101, but mistakenly omitted the requirement to prevent debris capable of causing a casualty from impacting in uncontrolled areas if the vehicle is outside the limits of a useful mission. The option to determine the need for flight abort in real time as described in proposed § 450.123(d) does not appear in the final rule because it is just one means of meeting the requirements for flight safety limits. However, this does not preclude an operator from determining the need for flight abort entirely in real-time, as long as requirements in § 450.108 are met.

Section 450.108(d)(7)

As noted in the section on flight safety limits objectives, proposed § 450.125(c)(1) stated that flight safety limits would be required to be gated or relaxed where they intersect with a normal trajectory if that trajectory would meet the individual and collective risk criteria of proposed § 450.101(a)(1) and (a)(2) or (b)(1) and (b)(2) when treated like a nominal trajectory with normal trajectory dispersions. Proposed § 450.125(c)(2) stated that flight safety limits may be gated or relaxed where they intersect with a trajectory within the limits of a useful mission if that trajectory would meet the individual and collective risk criteria of proposed § 450.101(a)(1) and (a)(2) or (b)(1) and (b)(2) when treated like a nominal trajectory with normal trajectory dispersions.

In the final rule, § 450.108(d)(7) requires an operator to determine flight safety limits that ensure that any trajectory within the limits of a useful mission that is permitted to be flown without abort would meet the collective risk criteria of § 450.101(a)(1) or (b)(1) when analyzed as if it were the planned mission pursuant to § 450.213(b)(2).[104] The relocation of requirements in proposed § 450.125 to § 450.108(c)(2) through (c)(4) and § 450.108(d)(7) necessitated a revision to the language in § 450.108(d)(7). Section 450.108(d)(7) requires only that any trajectory within the limits of a useful mission that is permitted to be flown without abort would meet the collective risk criteria of § 450.101(a)(1) or (b)(1) when analyzed as if it were the planned mission pursuant to § 450.213(b)(2). As stated in the NPRM, the philosophy behind proposed § 450.125(c)(2) was to allow a non-normal flight to continue as long as the mission does not pose an unacceptable conditional risk given the present trajectory. The intent of § 450.108(d)(7) is similar but is stated in a different context than in the NPRM and also revised for clarity. In the final rule, the FAA removes the individual risk criterion from the requirement because the intent of the requirement was not to potentially create flight hazard areas along every azimuth within the limits of a useful mission wherever an individual risk contour exceeds 1 × 10⁻⁶.

The FAA found that the phrase “when analyzed as if it were the planned mission pursuant to § 450.213(b)(2)” was more precise than “when treated like a nominal trajectory with normal trajectory dispersions.” A planned mission must be characterized with uncertainties and assessed for risk from planned events and reasonably foreseeable failure modes; therefore, trajectories must be within the limits of a useful mission that are permitted to be flown without abort, pursuant to § 450.108(d)(6).

Boeing, Lockheed Martin, Northrop Grumman, and ULA recommended replacing the terms “normal trajectories” and “limits of a useful mission trajectories” in proposed § 450.123(c) and § 450.125(c) with “nominal trajectories.” The FAA finds that such a change would restrict severely the allowable flight corridor of vehicles that could achieve a potentially useful mission by requiring that a vehicle be on a nominal trajectory to enter a period of materially increased public exposure in uncontrolled areas. As such, §§ 450.108(c)(3) and 450.108(d)(7) in the final rule allow vehicles within the limits of a useful mission to enter a period of materially increased public exposure in uncontrolled areas, provided the trajectory meets the collective risk requirement.

iv. End of Flight Abort

The FAA adds § 450.108(e) in the final rule, which states that a flight does not need to be aborted to protect against high consequence events in uncontrolled areas beginning immediately after critical vehicle parameters are validated, if the vehicle is able to achieve a useful mission and certain conditions are met for the remainder of flight. Specifically, the conditions which must be present are: (1) Flight abort would not materially decrease the risk from a high consequence event, and (2) there are no key flight safety events. Section 450.108(e) relieves the operator from the requirement to use flight abort in certain situations in which high consequence events are possible but would not be effectively mitigated by an FSS. This change responds to comments and addresses a common occurrence during a period of planned overflight of an uncontrolled area before orbital insertion.

Section 450.108(e) applies to a flight beginning immediately after critical vehicle parameters are validated, if the vehicle is able to achieve a useful mission. As discussed in the section on flight safety limits objectives, “critical vehicle parameters” are those parameters that demonstrate the vehicle is capable of completing safe flight through the upcoming phase of flight where population is exposed to hazardous debris effects from reasonably foreseeable failure modes. Due to the wide variety of launch and reentry vehicles that could be licensed, there is a wide variety of vehicle parameters that could be considered critical in this context. For example, recent state vector history data, as well as vehicle health indicators such as motor chamber pressure, generally will qualify as critical vehicle parameters.

Section 450.108(e) only applies when the following conditions are met. The first condition is that flight abort would not decrease the risk from a high consequence event materially as measured by CEC or other means identified through ELOS. The FAA expects that the requirement in § 450.108(e)(1) can be met by implementation of the current practices at the 45th SW, specifically, performing a comparison of the CEC and EC in uncontrolled areas with and without flight abort from each reasonably foreseeable failure mode in any significant period of flight during the subject phase of flight. If flight abort would not reduce the CEC and EC associated with each failure mode materially, then this condition is met.

A material decrease would exclude any best estimate of the mean value that is already two orders of magnitude or more below the criteria in § 450.101(a) and (b). As the best estimate approaches the established limits in § 450.101(a) and (b) on the mean predicted values, a material decrease would be smaller, including: (1) Any reduction that brings the operation into compliance with § 450.101(a) and (b) limits, (2) any half-order of magnitude reduction in the best estimate of the mean value of EC, or (3) a reduction by an amount at least as large as the coefficient of variation due to uncertainty in the population distribution. Section 450.108(e)(1) uses the phrase “risk from a high consequence event” deliberately so that other measures of collective risk and consequences, not just CEC and EC, can be considered in evaluating compliance with this requirement, absent a waiver. The FAA will provide guidance on what constitutes material decrease.

The second condition in § 450.108(e) requires that there are no key flight safety events for the remainder of flight. The FAA currently has a formal definition of the term “key flight-safety event” in part 437 (Experimental Permits). Section 437.3 states that key flight-safety event means a permitted flight activity that has an increased probability of causing a launch accident compared with other portions of flight. In addition, § 437.59(a) states that, at a minimum, a key flight-safety event includes: (1) Ignition of any primary rocket engine, (2) any staging event, or (3) any envelope expansion. The current description of key flight safety events in the permit regulation conveys what the FAA may consider a key flight safety event in the context of part 450.

Section 401.7 of the final rule has added a definition of “key flight safety events” and states that a key flight safety event means a flight activity that has an increased probability of causing a failure compared with other portions of flight. The term key flight safety event in the context of part 450 includes events that could compromise any safety-critical system, or otherwise increase the risk from high consequence events, such as events that subject a safety-critical system to environments at or near the maximum predicted environment.

SpaceX commented that launches that overfly major landmasses (e.g., Europe, Africa, or South America) prior to orbital insertion would violate the CEC requirement in proposed § 450.101(c) during overflight. SpaceX urged the FAA to update the regulation to clarify that an operator would not have to perform a CEC analysis for the “overflight” phase of flight. SpaceX also recommended that the CEC requirement apply only to vehicle response modes that are mitigated by the FSS.

The FAA acknowledges that some launches that overfly major landmasses prior to orbital insertion produce CEC levels in excess of the 1 × 10⁻² threshold and that flight abort will not mitigate the consequences associated with those failure modes. The FAA modifies the final rule to address such circumstances by adopting requirements proposed in the NPRM, such as § 450.125(c). Specifically, § 450.108(e) identifies conditions that, if met, demonstrate a high consequence event is sufficiently mitigated. These conditions are met generally by U.S. launches that overfly downrange landmasses prior to orbital insertion. Thus, the final rule includes specific provisions designed to allow the current practice where some launches proceed through a phase of flight, such as the downrange overflight of a major landmass just prior to orbital insertion, without additional protections against low probability, high consequence events.

The FAA finds that meeting the requirements in § 450.108(e) demonstrates sufficient protection against the probability of high consequence events, even though the CEC may exceed the 1 × 10⁻³ or 1 × 10⁻² thresholds during the subject phase of flight. The use of collective risk to determine acceptability of downrange overflight is consistent with current practice.

Blue Origin, CSF, and SpaceX commented that flight abort may actually increase risk during overflight where vehicle hazards cannot be contained. Even for vehicles that implement an FSS with a reliability of 0.999 at 95 percent, it would still be possible to fall into the highest risk bin and not improve a risk posture measured by CEC.

The FAA agrees with the commenters. In the final rule in § 450.108(e), the FAA sets conditions that demonstrate that a high consequence event is sufficiently mitigated, including if flight abort in that phase of flight would not materially decrease the risk from a high consequence event.

vi. Flight Abort Rules

Proposed § 450.165(c) (Flight Commit Criteria) contained the requirements for flight abort rules. As explained in the NPRM, an operator would identify the conditions under which an FSS, including the functions of any flight abort crew, must abort the flight to ensure compliance with § 450.101. An operator would be required to abort a flight if a flight safety limit is violated or if some condition exists that could lead to a violation, such as a compromised FSS or loss of data.

In the final rule, the FAA revised and relocated the flight abort rules to § 450.108 consistent with the objective of consolidating relevant flight abort requirements into a single section in the final rule. In § 450.108(f), an operator must establish and observe flight abort rules that govern the conduct of launch and reentry.

Section 450.108(f)(1) requires that vehicle data required to evaluate flight abort rules must be available to the FSS under all reasonably foreseeable conditions during normal and malfunctioning flight. A similar requirement appeared in proposed § 450.165(c)(2), which required vehicle data necessary to evaluate flight abort rules to be available to the FSS across the range of normal and malfunctioning flight. The FAA adds “under all reasonably foreseeable conditions” to § 450.108(f)(1) to acknowledge that some conditions that prevent vehicle data from being available to evaluate flight abort rules might be unforeseeable and therefore unpreventable through planning and design.

Section 450.108(f)(2) describes when the FSS must abort flight, similar to proposed § 450.165(c)(3). Section 450.108(f)(2)(i) requires that the FSS must abort flight when valid, real-time data indicate the vehicle has violated any flight safety limit developed pursuant to this section. In the final rule, the FAA revised the language from proposed § 450.165(c)(3)(i) to add “developed pursuant to this section” because the flight safety limits requirements now appear in the same section as this flight abort rule.

As proposed in § 450.165(c)(3)(ii), the flight abort rules would have required the FSS to abort flight when the vehicle state approaches conditions that are anticipated to compromise the capability of the FSS and further flight has the potential to violate a flight safety limit.

Blue Origin commented that, while it is possible to write flight abort rules to account for specific cases, there was not currently a practical means of writing general rules that would abort flight when the vehicle state approaches conditions that could result in a compromise of the FSS for every circumstance proposed in § 450.165(c)(3)(ii). It also commented that the potential to violate a flight safety limit is vague and outside the capability of current generation autonomous FSS. Blue Origin recommended the rule be reworded as “the flight safety system must abort flight when the vehicle state approaches identified conditions from the system safety analysis that are anticipated to compromise the capability of the flight safety system and the flight safety system is required to contain the risk to an acceptable level (as analyzed in the flight safety analysis).”

In the final rule, the revised requirement in § 450.108(f)(2)(ii) adopts Blue Origin's recommendation to add “identified” before “conditions that are anticipated to compromise the capability of the flight safety system.” The FAA finds this addition reasonable because it avoids requiring protections against unknown conditions. As revised, § 450.108(f)(2)(ii) requires that the FSS must abort flight when the vehicle state approaches identified conditions that are anticipated to compromise the capability of the FSS and further flight has the potential to violate a flight safety limit. This requirement is used in conjunction with the flight safety limits objective in § 450.108(c)(5).

The FAA declines to adopt Blue Origin's recommendation to limit this requirement to the system safety analysis because a system safety analysis is not the only means to identify these conditions. For example, an FSS survivability analysis or a link analysis for a command destruct architecture may identify conditions anticipated to compromise the capability of the FSS. The FAA also does not adopt Blue Origin's recommendation to change § 450.165(c)(3)(ii) by replacing “and further flight has the potential to violate a flight safety limit” with “and the flight safety system is required to contain the risk to an acceptable level (as analyzed in the flight safety analysis).”

The FAA finds an acceptable level of risk might be interpreted as only meeting collective and individual risk requirements, while flight safety limits must meet other requirements as described in § 450.108 in the final rule. The FAA recognizes that a real-time determination of whether a particular failure may evolve to reach a flight safety limit is not possible. The operator must determine in pre-flight analyses (system safety analysis, link analysis, etc.) which failure modes can compromise the capability of the FSS. The operator must then use FSA to determine if those failure modes can potentially violate a flight safety limit. If it finds a failure mode that can potentially violate a flight safety limit, the operator must develop flight abort rules that protect against those modes. If the ability to reach a flight safety limit via a particular failure mode is uncertain, the assumption should be made that it is possible during any phase of flight where flight abort is used as a hazard control strategy. This approach is consistent with acceptable methods of compliance with proposed § 450.165(c)(3)(ii).

Section 450.108(f)(2)(iii) requires that the FSS must abort flight in accordance with methods used to satisfy § 450.108(d)(3) if tracking data is invalid and further flight has the potential to violate a flight safety limit. This requirement is similar to proposed § 450.165(c)(3)(iii), which stated that the FSS must incorporate data loss flight times to abort flight at the first possible violation of a flight safety limit, or earlier, if valid tracking data is insufficient for evaluating a minimum set of flight abort rules required to maintain compliance with proposed § 450.101.

As noted in the discussion of flight abort constraints, the FAA has replaced proposed § 450.127, which contained requirements for a data loss flight time analysis, with the more performance-based approach in § 450.108(d)(3). Consistent with that change, the FAA revises the language in proposed § 450.165(c)(3)(iii) in final § 450.108(f)(2)(iii). Data loss flight times are not the only means of compliance with the performance-based requirement in § 450.108(d)(3) to account for the potential to lose valid data necessary to evaluate the flight abort rules. The FAA also removes the requirement to abort flight at the first possible violation of a flight safety limit, or earlier, if valid tracking data is insufficient for evaluating a minimum set of flight abort rules required to maintain compliance with proposed § 450.101. This statement was associated with implementation of data loss flight times, but the performance-based requirement in § 450.108(d)(3) will allow other methods of compliance that may not be consistent in all cases with the NPRM language in § 450.165(c)(3)(iii). The FAA will provide guidance on compliance with §§ 450.108(d)(3) and 450.108(f)(2)(iii). The FAA also does not adopt the proposed definition for “data loss flight time” in § 401.7 in the final rule. The relation between §§ 450.108(d)(3) and 450.108(f)(2)(iii) in the final rule is substantively the same as that between proposed §§ 450.127 and 450.165(c)(3)(iii).

The FAA removes proposed § 450.165(c)(1), which required that for a vehicle that uses an FSS, the flight abort rules must identify the conditions under which the FSS, including the functions of any flight abort crew, must abort the flight. These included proposed § 450.165(c)(1)(i), to ensure compliance with proposed § 450.101, and proposed § 450.165(c)(1)(ii), to prevent debris capable of causing a casualty from impacting in uncontrolled areas if the vehicle is outside the limits of a useful mission. The FAA finds this requirement to be unnecessary, as flight safety limits requirements and flight abort rules requirements are clearly stated in § 450.108(c) through (f). In addition, in the final rule the FAA does not adopt the proposed definition for “flight abort crew” in § 401.7 because the term is no longer used in the final rule.

Virgin Galactic commented that proposed § 450.165(c)(ii) seems unachievable for an operator with a nominal trajectory that meets EC requirements but can result in debris outside of the controlled area. Virgin Galactic recommended deleting the requirement or excluding the requirement if EC was met.

The FAA finds, based on the context of the comment, that Virgin Galactic meant to refer to proposed § 450.165(c)(1)(ii). The FAA acknowledges that a mission that flies over uncontrolled areas on the nominal trajectory cannot always prevent debris impacts on the uncontrolled area, but the requirement only applies to vehicles outside the limits of a useful mission. A nominal vehicle is on a useful mission; therefore, this requirement would not apply to the scenario in Virgin Galactic's comment. In the final rule, the intent of proposed § 450.165(c)(1)(ii) is covered in § 450.108(f)(2)(i).

The FAA removes the requirement proposed in § 450.165(c)(3)(iv) that a flight may continue past any gate established under proposed § 450.125 only if the parameters used to establish the ability of the vehicle to complete a useful mission are within limits. The replacement of proposed § 450.125 with performance-based requirements in § 450.108(c) and (d) makes this requirement unnecessary.

SpinLaunch commented that the FAA should simplify the proposed flight safety limits analysis (§ 450.123), gate analysis (§ 450.125), and time delay analysis (§ 450.129) regulations by stating that the safety analyses must address certain goals and relying on a training and evaluation structure to assure applicants are knowledgeable and capable of performing the analyses in a manner that sufficiently addresses those goals. The FAA revises the requirements in proposed §§ 450.123, 450.125, and 450.129 to be more performance-based. However, the FAA does not agree that training applicants to be capable of performing the subject analyses is sufficient to ensure compliance with the regulations.

v. Application Requirements

Section 450.108(g) contains application requirements for flight abort. Section 450.108(g)(1) requires an applicant to submit a description of the methods used to demonstrate compliance with § 450.108(c), including descriptions of how each analysis constraint in § 450.108(d) is satisfied in accordance with § 450.115 (Flight Safety Analysis Methods). This rule is similar to proposed § 450.123(e)(1), which required that an applicant submit in its application a description of how each flight safety limit would be computed, including references to the safety criteria of proposed § 450.101.[105] The intent of the requirement in the final rule is similar to the proposal. However, the reference to § 450.101 is excluded in the final rule because not all flight safety limits objectives in § 450.108(c) refer directly to § 450.101.

Section 450.108(g)(2) requires that an applicant must submit in its application a description of how each flight safety limit and flight abort rule is evaluated and implemented during vehicle flight, including the quantitative criteria that will be used, a description of any critical parameters, and how the values required in § 450.108(c)(3) and 450.108(e) are identified. This provision is derived from three requirements in the NPRM. First, proposed § 450.123(e)(2) would have required an applicant to submit representative flight safety limits and associated parameters. Second, proposed § 450.125(d)(2) would have required an applicant to submit a description of the measure of performance used to determine whether a vehicle would be allowed to cross a gate without flight abort, the acceptable ranges of the measure of performance, and how these ranges were determined. Third, proposed § 450.165(d)(2)(i) would have required an applicant to submit, for flight abort rules, a description of each rule and the parameters that would be used to evaluate each rule.

As discussed earlier, the FAA has removed §§ 450.123 and 450.125 from the final rule and relocated the flight abort rules from § 450.165 to reflect a more performance-based approach to flight abort and allow greater flexibility than would have been possible under the flight safety limits analysis and traditional gate analysis proposed in the NPRM. Accordingly, the application requirements associated with those sections have been combined in § 450.108(g)(2) in the final rule. This approach improves organization and increases flexibility with regard to how an operator demonstrates compliance with § 450.108.

Section 450.108(g)(3) requires an applicant to submit a graphic depiction or series of depictions of flight safety limits for a representative mission, together with the launch or landing point, all uncontrolled area boundaries, the nominal trajectory, extents of normal flight, and limits of a useful mission trajectories, with all trajectories in the same projection as each of the flight safety limits. This rule is similar to proposed § 450.123(e)(4), which required that an applicant submit a graphic depiction or series of depictions of representative flight safety limits, the launch or landing point, all uncontrolled area boundaries, and vacuum IIP traces for the nominal trajectory, extents of normal flight, and limits of a useful mission trajectories.

The final rule clarifies that an applicant will need only to submit flight safety limits for a representative mission. Also, the FAA finds that the requirement for depictions of vacuum IIP trajectories would not be appropriate for flight safety limits in different projections (such as present position) and revises the final rule to require all trajectories in the same projection as each of the flight safety limits. This change will not result in an increased burden compared to the NPRM because the applicant would have to depict the trajectories in either case; the final rule simply states explicitly that the trajectories must be depicted in the appropriate projection.

Section 450.108(g)(4) requires an applicant to submit a description of the vehicle data that will be available to evaluate flight abort rules under all reasonably foreseeable conditions during normal and malfunctioning flight. This section is similar to proposed § 450.165(d)(2)(iii), which required an applicant to submit a description of the vehicle data that would be available to evaluate flight abort rules across the range of normal and malfunctioning flight. In the final rule, the FAA replaces “across the range of normal and malfunctioning flight” with “under all reasonably foreseeable conditions during normal and malfunctioning flight” to be consistent with language elsewhere in the regulation. It results in no increased burden on the operator from the application requirement proposed in the NPRM.

Microcosm requested clarification of proposed § 450.165(d)(2)(i) and (iii), which would require that the applicant submit, for flight abort rules, a description of each rule, and the parameters that would be used to evaluate each rule; and a description of the vehicle data that would be available to evaluate flight abort rules across the range of normal and malfunctioning flight.

The FAA provides the following examples in response to Microcosm's comment. An example of a flight abort rule would be a line on the Earth's surface that, when crossed by an IIP (the parameter), would trigger flight abort. In this example, the vehicle data would be position and velocity data necessary to compute the IIP, as provided by external (such as ground-based) or onboard sensors. The operator should consider the availability of this data during normal and malfunctioning flight and the effect on the operator's ability to evaluate the applicable flight abort rule—which in this example is that flight abort be initiated if the IIP crosses the line on the Earth's surface.

Another example would be an altitude versus downrange distance constraint. If the vehicle is outside of a range of altitudes as a function of the downrange distance, flight abort would be triggered. The ranges of altitudes and downrange distances are the parameters in this example. In this example, the vehicle data would be position data, similarly reported by external or onboard sensors.

Other examples of parameters used in flight abort rules could be chamber pressure, body rates, health and status of critical systems, etc. In the final rule, the requirements in proposed § 450.165(d)(2)(i) and (d)(2)(iii) are addressed by § 450.108(g)(2) and § 450.108(g)(4), respectively.

i. Flight Hazard Analysis (§ 450.109)

In the NPRM, the FAA proposed in § 450.109 that, unless an operator uses physical containment, wind weighting, or flight abort as a hazard control strategy, an operator would be required to perform and document a flight hazard analysis and continue to maintain it throughout the lifecycle of the launch or reentry system. As explained in the NPRM, the use of a flight hazard analysis to derive hazard controls would provide flexibility that does not currently exist under the prescriptive requirements in part 417 and is broadly consistent with the practice in parts 431 and 435.

As proposed in § 450.109(a), the flight hazard analysis would need to identify, describe, and analyze all reasonably foreseeable hazards to public safety and safety of property resulting from the flight of a launch or reentry vehicle. Each flight hazard analysis would need to: (1) Identify all reasonably foreseeable hazards, and the corresponding vehicle response mode for each hazard, associated with the launch or reentry system relevant to public safety and safety of property; (2) assess each hazard's likelihood and severity; (3) ensure that the risk associated with each hazard would meet certain defined criteria; (4) identify and describe the risk elimination and mitigation measures required to satisfy the criteria; and (5) demonstrate that the risk elimination and mitigation measures would achieve the necessary risk levels through validation and verification.

In the final rule, the FAA revises § 450.109 by adding a new applicability paragraph (a) and by re-designating proposed § 450.109(a) through (e) as § 450.109(b) through (f).[106] The FAA adds an applicability paragraph in § 450.109(a) that applies to the use of a flight hazard analysis as a hazard control strategy to derive hazard controls for the flight, or phase of flight, of a launch or reentry vehicle. Hazards associated with computing systems and software are further addressed in § 450.141. This revised language reflects that performing a flight hazard analysis is included as one of the hazard control strategies in § 450.107(c) of the final rule.

Proposed § 450.109 included several provisions that required the flight hazard analysis to address hazards to property. For instance, the FAA proposed in the introductory language to § 450.109(a) that operators identify, describe, and analyze all reasonably foreseeable hazards to public safety and safety of property. The FAA proposed in § 450.109(a)(1) that an operator identify all reasonably foreseeable hazards, and the corresponding vehicle response mode for each hazard, associated with the launch or reentry system relevant to public safety and safety of property. The FAA also proposed in § 450.109(a)(3)(ii) that the likelihood of any hazardous condition that may cause major damage to public property or critical assets must be remote.

Blue Origin and Virgin Galactic commented on the property protection requirements in proposed § 450.109. Blue Origin acknowledged the FAA's statutory authority to protect property but noted that FAA regulations do not define property nor the criteria for the safety of property. Blue Origin also expressed concern that the requirements in § 450.109 extended to critical assets and property located in controlled areas. Blue Origin requested clarity on these issues. Virgin Galactic commented that the protection of property was a new requirement and also expressed concerns about the criteria requiring an operator to mitigate the likelihood of any hazardous condition that can cause a major property damage to “remote.”

In response, the FAA has not adopted the requirement to identify, describe, and analyze all reasonably foreseeable hazards to property resulting from the flight of a launch or reentry vehicle. Although property protection is codified in current licensing requirements for reusable launch vehicles in § 431.35(c), launch and reentry operators have not in the past been required to account for hazards to property due to flight. However, the FAA retains in the final rule specific requirements for critical assets and property on orbit, which have specific safety criteria in § 450.101 and § 450.169, respectively. The FAA notes that the emergency response requirements in § 450.173(d), which address fire hazards, may also mitigate hazards to property. The FAA may address other property and property hazards in a future rulemaking if launch and reentry flight operations dictate such a need.

Blue Origin also recommended proposed § 450.109(a) be revised to require that a flight hazard analysis identify, describe, and analyze all reasonably foreseeable hazards to public safety and safety of critical assets and safety of property resulting from the flight of a launch or reentry vehicle.

The FAA declines to adopt this recommended language because, as discussed in the preamble section dedicated to critical assets, the FAA will determine whether an asset is critical in consultation with the entity responsible for the asset, and either the FAA or a Federal launch or reentry site will determine whether the proposed activity would expose critical assets to a risk of loss of functionality that exceeds the risk criterion in § 450.101(a)(4) or (b)(4), and convey any necessary constraints to the operator.

Virgin Galactic commented on proposed § 450.109(a)(1)(i) through (a)(1)(x) and noted the list of error sources, or very similar, shows up in four other locations: (1) § 437.55, (2) AC 431.35-2A, (3) FAA Flight Safety Handbook, and (4) the AIAA Safety Critical RLV guide. Virgin Galactic noted that the wording differed slightly from one source to another and recommended that the FAA harmonize the various lists. The FAA notes this comment is outside the scope of this rulemaking.

Proposed § 450.109(a)(3) stated that a flight hazard analysis must ensure that the risk associated with each hazard would meet the following criteria: (1) The likelihood of any hazardous condition that may cause death or serious injury to the public must be extremely remote; and (2) the likelihood of any hazardous condition that may cause major damage to public property or critical assets must be remote.

In the final rule, the FAA revises this requirement to remove the property protection requirement in proposed § 450.109(a)(3)(ii), as discussed earlier. Section 450.109(b)(3) states that a flight hazard analysis must ensure that the likelihood of any hazardous condition that may cause death or serious injury to the public is extremely remote.

Proposed § 450.109(a)(5) stated a flight hazard analysis must demonstrate that the risk elimination and mitigation measures would achieve the risk levels of proposed § 450.109(a)(3) through validation and verification. Verification includes analysis, test, demonstration, or inspection. The FAA adopts and re-designates proposed § 450.109(a)(5) as § 450.109(b)(5) in the final rule, with one revision. In § 450.109(b)(5), the FAA changes the term “demonstrate” in the introductory paragraph to “document.”

Virgin Galactic noted that the NPRM used the term “demonstrate” as both part of the introductory paragraph in proposed § 450.109(a)(5) and as a verification method in proposed § 450.109(a)(5)(iii). Virgin Galactic commented that demonstration is a standard verification method, and use of the word in both places could drive confusion. Virgin Galactic recommended changing the term “demonstrate” in § 450.109(a)(5) to “verify and validate” to clarify that demonstration is not the only method of completing validation and verification.

The FAA agrees that the proposed language could cause confusion, and that demonstration is not the only method of completing validation and verification. The FAA changes “demonstrate” to “document” to avoid that confusion. The FAA does not adopt Virgin Galactic's specific suggestion because “verification” and “validation” are terms used later in the sentence, and are defined in § 401.7.

Virgin Galactic commented on proposed § 450.109(c) and recommended that there be an exclusion for vehicles that follow the same standard trajectory each flight.

The FAA disagrees with Virgin Galactic's recommendation. Even if an operator follows a stable trajectory, vehicle design changes or other operational changes may introduce new hazards. An operator must confirm that the flight hazard analysis is valid for each mission in order to ensure that all hazards are identified and mitigated to an acceptable level. That said, the FAA expects that operators with stable vehicle designs and operations will typically not have major updates to their flight hazard analyses.

The FAA re-designates proposed § 450.109(d) as § 450.109(e) in the final rule, and removes the term “operational” to reflect that an operator must continually update the flight hazard analysis throughout the lifecycle of the launch or reentry system, rather than just address operational changes. As discussed in the preamble discussion on the system safety program (§ 450.103), design and operational changes to a system can have an impact on public safety.

Virgin Galactic commented that the term “continually” in § 450.109(d) is not defined and is vague. In addition, Virgin Galactic noted that the requirement appears to duplicate the current continuing accuracy requirements in part 413 and the proposed continuing accuracy requirements in proposed § 450.211. Virgin Galactic recommends this requirement be removed.

The FAA notes that, for the purposes of the flight hazard analysis, “continually” means that the operator must update the flight hazard analysis as aspects of the mission change or as new information is learned about an operation, if potential impacts to the analysis are identified. Although somewhat redundant with the requirement in § 450.211 for a licensee to maintain the continuing accuracy of representations in its application, proposed § 450.109(d) (re-designated § 450.109(e) in the final rule) provides the specific expectation that the flight hazard analysis must be complete and all hazards must be mitigated to an acceptable level for every launch or reentry.

SpinLaunch commented that the requirements in proposed § 450.109(c) and (d) were an onerous burden, and that to achieve a regulatory framework that can effectively and efficiently oversee multi-site, multi-vehicle operations, a shift away from the traditional regulatory verification of each component to a more practical method would be necessary. SpinLaunch recommended that an applicant just demonstrate knowledge and skills to perform safe and accepted operations.

Operators have a responsibility to ensure that public safety analyses are consistent with their proposed operations and that all hazards are mitigated to an acceptable level. This practice is consistent with system safety practices and current commercial space regulations. The framework recommended by SpinLaunch would not achieve these public safety outcomes because it is too broad and lacks performance metrics.

In the final rule, the FAA re-designates proposed § 450.109(e) as § 450.109(f), (Application requirements). Except for number re-designations, the FAA adopts the requirements as proposed.

j. Physical Containment (§ 450.110)

As discussed earlier, unlike other hazard control strategies, the FAA did not propose a separate section for the physical containment hazard control strategy in the NPRM. Rather, proposed § 450.107(b) simply contained the requirements for physical containment as a hazard control strategy. The FAA proposed that, to use physical containment as a hazard control strategy, an operator would be required to ensure that the launch vehicle does not have sufficient energy for any hazards associated with its flight to reach outside the flight hazard area developed in accordance with proposed § 450.133 (Flight Hazard Area Analysis), and would be required to apply other mitigation measures to ensure no public exposure to hazards as agreed to by the Administrator on a case-by-case basis. In addition, proposed § 450.107(e) included specific application requirements for an operator using physical containment as a hazard control strategy; namely, that it must (1) demonstrate that the launch vehicle does not have sufficient energy for any hazards associated with its flight to reach outside the flight hazard area developed in accordance with § 450.133, and (2) describe the methods used to ensure that flight hazard areas are cleared of the public and critical assets.

In the final rule, the FAA places the requirements for the physical containment hazard control strategy in a separate section, § 450.110. With one exception, the proposed requirements are unchanged in the final rule. The one exception, as discussed next in response to a comment, is that the FAA clarifies that the hazard area must be clear of the public and critical assets.

As noted earlier in the discussion of § 450.107, Blue Origin commented that the FAA amend proposed § 450.107(e)(2)(ii), which proposed to require an applicant to describe the methods used to ensure that flight hazard areas are cleared of the public and critical assets, and to require that an applicant describe the methods used to ensure that risk to the public and critical assets in flight hazard areas meet allowable criteria. Blue Origin pointed out that critical assets cannot be cleared from a flight hazard area. In addition, Blue Origin stated that the proposed definition of “flight hazard area” in § 401.5 already captured that the area would be controlled to risk limits and that can be achieved through methods other than clearing the area.

The FAA disagrees with Blue Origin that proposed § 450.107(e)(2)(ii), now § 450.110(c)(2), should be amended to require an applicant to describe the methods used to ensure that risk to the public and critical assets in flight hazard areas meet allowable criteria, as opposed to ensuring that the area is cleared of the public and critical assets. Although Blue Origin is correct in noting that the definition of “flight hazard area” is not limited to clearing the area,[107] the physical containment hazard control strategy is designed to be a simple method of protecting public safety by launching within an area that is cleared of the public and critical assets, and within an area that contains hazards based on the potential energy of the vehicle. The FAA modifies what was proposed in § 450.107(b)(1) and (b)(2), now § 450.110(b)(1) and (b)(2), from what was proposed in the NPRM, to clarify that the hazard area must be clear of the public and critical assets.

The FAA also modifies the definition of “flight hazard area” in § 401.7 to change the language from “in order to protect public health and safety and the safety of property” to “in order to ensure compliance with the safety criteria in § 450.101.” The FAA makes this change to tie flight hazard areas to the safety criteria in § 450.101.

k. Wind Weighting (§ 450.111)

In the NPRM, the FAA proposed wind weighting requirements in § 450.141. As discussed earlier, the wind weighting requirements have been moved to § 450.111 in order to group all hazard control strategies together. Although the FAA did not receive any comments on this hazard control strategy, the FAA has made a few changes in the final rule.

In the applicability section, the FAA specifies that an operator may use wind weighting as a hazard control strategy to meet the safety criteria of § 450.101 to § 450.101(a), (b), and (c), which address launch risk criteria, reentry risk criteria, and high consequence event protection. The FAA makes this change because the criteria in § 450.101(d), (e), (f), and (g)—addressing disposal safety criteria, the protection of people and property on orbit, the notification of planned impacts, and the validity of analyses, respectively—are not relevant to wind weighting. Therefore, an operator does not need to demonstrate that wind weighting satisfies these requirements.

In the NPRM, proposed § 450.141(b) would require that for the flight of an unguided suborbital launch vehicle that uses a wind weighting safety system, the launcher azimuth and elevation settings must be wind weighted to correct for the effects of wind conditions at the time of flight to provide a safe impact location. The FAA has replaced “to provide a safe impact location” with “to provide impact locations that will ensure compliance with the safety criteria in § 450.101.” This change removes any ambiguity as to the meaning of “safe impact location.”

Also in the NPRM, proposed § 450.141(b) would require that for the flight of an unguided suborbital launch vehicle that uses a wind weighting safety system, an operator must use launcher azimuth and elevation angle settings that ensure the rocket will not fly in an unintended direction given wind uncertainties. The FAA has replaced “given wind uncertainties” with “accounting for uncertainties in vehicle and launcher design and manufacturing, and atmospheric uncertainties.” This change acknowledges that the uncertainties that affect an unguided suborbital launch vehicle's ability to fly in an unintended direction are broader than just wind uncertainties—they include uncertainties in vehicle and launcher design and manufacturing, and other atmospheric uncertainties. The FAA makes two grammatical changes to the application requirements, which in the final rule are in § 450.111(e). First, in § 450.111(e)(2), the FAA replaces “and identify” with “including.” In § 450.111(e)(3), the FAA removes the word “provide.”

Lastly, similar to other sections in this rule, the FAA removes the proposed requirement for an applicant to provide additional products that allow an independent analysis as requested by the Administrator because the requirement was redundant with § 450.45(e)(7)(ii).

l. Flight Safety Analysis (§§ 450.113 to 450.139)

Regardless of the hazard control strategy chosen or mandated, the FAA anticipates that an operator will be required to conduct an FSA for at least some phases of flight. For example, an FSA must determine flight hazard areas for any vehicle with planned debris impacts capable of causing a casualty. Also, an FSA must quantitatively demonstrate that a launch or reentry meets the safety criteria for debris, far-field overpressure, and toxic hazards. An operator may be required to conduct additional analyses to use flight abort or wind weighting hazard control strategies.

Generally, an FSA consists of a set of quantitative analyses used to determine flight commit criteria, flight abort rules, flight hazard areas, and other mitigation measures and to demonstrate compliance with the safety criteria in § 450.101. In the NPRM, the FAA proposed 15 sections associated with FSA requirements in §§ 450.113 through 450.141. The final rule moves requirements associated with flight safety limits to § 450.108, such that 11 interrelated sections remain component parts of an FSA.

There are 11 performance-based sections with FSA requirements that fall into three groups. The first group, §§ 450.113 and 450.115, provides requirements on the scope and fidelity of the analyses required by the remaining nine sections. The second group, which consists of five sections from § 450.117 through § 450.131, specifies the requirements for analyses necessary to develop quantitative input data used by the last four sections. The last group consists of four sections that specify quantitative risk analyses with products necessary to evaluate compliance with the safety criteria in § 450.101. All of the FSA sections must use methods that comply with § 450.101(g) because they are essential to demonstrating compliance with the safety criteria in § 450.101.

To aid in holistically understanding the substance of, and relationships between, the FSA sections, the following provides a brief overview, before a more detailed discussion of each FSA section. Section 450.113 specifies the overall scope of the subsequent analyses in terms of the period of flight for which the public risks must be quantified. For example, for an orbital launch, an FSA must account for all phases of flight from liftoff through orbital insertion and through all component impacts or landings. Section 450.115 specifies that the operator's analysis methods must account for all reasonably foreseeable events and failures of safety-critical systems during nominal and non-nominal launch or reentry that could jeopardize public health and safety, and the safety of property. Section 450.115 also specifies that the operator's methods must have a level of fidelity sufficient (1) to demonstrate compliance with the safety criteria of § 450.101, accounting for all known sources of uncertainty, using means of compliance accepted by the Administrator; and (2) to identify the dominant source of each type of public risk with a criterion in § 450.101(a) or (b) in terms of phase of flight, source of hazard (such as toxic exposure, inert, or explosive debris), and failure mode. An operator must comply with these foundational sections when performing any of the separate analyses that together comprise the FSA.

Sections 450.117 and 450.119 specify the constraints and objectives of analyses sufficient to characterize the trajectory of the vehicle during normal and malfunction flight. Section 450.121 specifies the constraints and objectives of an analysis sufficient to quantify the physical, aerodynamic, and harmful characteristics of hazardous debris, including impact probability distributions generated from normal and malfunction flight. Section 450.123 specifies requirements to characterize the population exposed to a significant probability of impact by hazardous debris, including the vulnerability of people in various structure types. Section 450.131 specifies requirements for statistically valid estimates of the probability of reasonably foreseeable failures based on the outcomes of previous flights. Depending on the type of operation or the hazard control strategy used, an operator may be required to perform some or all of these analyses in developing its FSA.

Finally, §§ 450.133, 450.135, 450.137, and 450.139 specify the requirements for quantitative risk analyses to demonstrate that the risks to the public from debris, far-field overpressure, and toxic hazards are consistent with the safety criteria in § 450.101. Generally, the analyses conducted under §§ 450.117 through 450.131 are used to inform the analyses for these final portions of the FSA. Flight commit criteria, flight hazard areas, flight abort rules, and other mitigation measures are typically derived as necessary to demonstrate compliance with the safety criteria in § 450.101, and thus are typical byproducts of the risk analyses performed to satisfy the requirements in §§ 450.133, 450.135, 450.137, and 450.139. The requirements for each of the FSA sections are described in more detail in the following sections.

m. Flight Safety Analysis Requirements—Scope (§ 450.113)

In the NPRM, proposed § 450.113 stated the scope and applicability of FSA requirements. Proposed § 450.113(a), which covered scope, stated an operator would be required to perform and document an FSA: (1) For orbital launch, from liftoff through orbital insertion, and any component or stage landings; (2) for suborbital launch, from liftoff through final impact; (3) for disposal, from the beginning of the deorbit burn through final impact; (4) for reentry, from the beginning of the deorbit burn through landing; and (5) for hybrid vehicles, for all phases of flight, unless the Administrator determines otherwise based on demonstrated reliability. Proposed § 450.113(b), which covered applicability, identified what sections needed to be included in an FSA depending on the type of operation or hazard control strategy being used.

In the final rule, the FAA has removed the proposed applicability provision and adopted the scope provisions with some changes and reorganization. The FAA revised § 450.113(a) to state that an operator must perform and document an FSA for all phases of flight, except as specified in § 450.113(b). The FAA also revised § 450.113 to add in paragraph (b) that an operator is not required to perform and document an FSA for a phase of flight if agreed to by the Administrator based on demonstrated reliability. An operator demonstrates reliability by using operational and flight history to show compliance with the risk criteria in § 450.101(a) and (b). Operational history includes the flight time and/or cycles of an aircraft, which may have an airworthiness certificate, operating under part 91, part 135 or part 121 as an example. Flight history could be represented by flight time accumulated through a period of developmental and flight tests of a vehicle that does not have an airworthiness certificate. Although the demonstrated reliability language was limited to hybrid vehicles in the proposed rule, the FAA is providing additional flexibility by expanding it to all vehicles. Some vehicles other than hybrids could conceivably have an extensive and safe enough flight history to demonstrate compliance with the risk criteria in § 450.101(a) and (b) based on empirical data in lieu of the traditional risk analysis.

In the final rule, the FAA modifies § 450.113(a)(1), which addresses orbital launches, to clarify that an FSA covers from liftoff through orbital insertion and through “all component impacts or landings” instead of proposed “any component or stage landings or final impacts.” Likewise, for the scope of an FSA for suborbital launches, the FAA changes § 450.113(a)(2) to “through all component impacts or landings” instead of proposed “through final impact.” These changes reflect the reality that orbital and suborbital launch vehicles often have multiple components that can either impact the Earth or land intact. An FSA should address all such impacts or landings.

The FAA modifies § 450.113(a)(4) for a similar reason. For the scope of a reentry analysis, the FAA changes § 450.113(a)(4) to include “through all component impacts or landings” instead of proposed “through landing.” This change reflects the reality that reentry vehicles often have multiple components that can either impact the Earth or land intact.

The FAA modifies § 450.113(a)(3) and (4) by replacing the term “the beginning of the deorbit burn” with “the initiation of the deorbit.” The FAA notes not all deorbit operations will include a “burn.” The FAA notes that, for a disposal, an operator could discontinue the analysis prior to final impact and demonstrate an equivalent level of safety by presenting evidence of complete demise due to aerothermal heating. The scope of the FSA is consistent with the risk criteria in § 450.101 and the long-standing definition of “reentry” in § 401.7. The FAA clarifies here that, for the purposes of the FSA and risk criteria, the initiation of the deorbit for a reentry or disposal from orbit generally coincides with the final health check prior to the final command to commit the vehicle to a perigee below 70 nautical miles.

The final rule removes the language proposed in § 450.113(b) covering applicability, because the reorganization of the flight abort related sections means that all FSA sections are applicable, unless otherwise agreed to by the Administrator based on demonstrated reliability. Instead, § 450.113(b) in the final rule addresses how an operator demonstrates reliability, as discussed.

n. Flight Safety Analysis Methods (§ 450.115)

In the NPRM, proposed § 450.115 outlined the methods for conducting FSA. The FAA did not receive comments on this proposal unique to this section.

In the final rule, the FAA adopts § 450.115 as proposed with one change. The term “vehicle response mode” is changed to “failure mode” to be consistent with the changes to this term made elsewhere in the final rule. Consistent with the NPRM, § 450.115(c)(4) requires that an FSA methodology must identify the evidence for validation and verification required by § 450.101(g), which addresses the required accuracy and validity of data and scientific principles. For example, the “accounting for all known sources of uncertainty” requirement specified in § 450.115(b)(1) must produce results consistent with or more conservative than the results available from previous mishaps, tests, or other valid benchmarks, such as higher-fidelity methods.

o. Trajectory Analysis for Normal Flight (§ 450.117)

In the NPRM, proposed § 450.117 (Trajectory Analysis for Normal Flight) set requirements for an FSA for normal trajectories. The proposed provision was meant to distinguish between variability in the intended trajectory and uncertainties due to random sources of dispersion such as winds and vehicle performance. The FAA explained that all FSAs depend on some form of analysis of the trajectory under normal conditions, otherwise known as a normal trajectory. That is, a vehicle's trajectory when it performs as intended and under normal conditions must be understood to determine the effects of malfunctions along its flight path.

Proposed § 450.117(a)(1) required an FSA to include a trajectory analysis that established, for any phase of flight within the scope of proposed § 450.113(a), the limits of a launch or reentry vehicle's normal flight as defined by the nominal trajectory, and sets of trajectories sufficient to characterize variability and uncertainty during normal flight. First, proposed § 450.117(a)(1)(i) required a set of trajectories to characterize variability. This set would be required to describe how the intended trajectory could vary due to the conditions known prior to initiation of flight. Second, proposed § 450.117(a)(1)(ii) required a set of trajectories to characterize uncertainty. This set would be required to describe how the actual trajectory could differ from the intended trajectory due to random uncertainties. The FAA also proposed to require an FSA to include a trajectory analysis establishing a fuel exhaustion trajectory in proposed § 450.117(a)(2) and, for vehicles with an FSS, trajectory data or parameters that describe the limits of a useful mission in proposed § 450.117(a)(3).

In the final rule, the FAA adopts proposed § 450.117 with revisions. The FAA makes clarifying changes for a number of requirements regarding trajectory analysis; removes and relocates the fuel exhaustion trajectory requirement to § 450.119; and removes and relocates references to “limits of a useful mission” to § 450.119. The FAA also makes changes to remove prescriptiveness in favor of more performance-based language.

Boeing, Lockheed Martin, Northrop Grumman, Sierra Nevada, and ULA recommended changing the term “normal” flight to “nominal” flight in numerous parts of proposed § 450.117. The FAA does not agree with this recommendation because both of these terms are defined by the FAA and are distinct. Section 401.7 defines “nominal” to mean, in reference to launch vehicle performance, trajectory, or stage impact point, a launch vehicle flight for which all vehicle aerodynamic parameters are as expected, all vehicle internal and external systems perform as planned, and there are no external perturbing influences other than atmospheric drag and gravity. Section 401.7 defines “normal flight” to mean the flight of a properly performing vehicle whose real-time vacuum IIP does not deviate from the nominal vacuum instantaneous impact point by more than the sum of the wind effects and the three-sigma guidance and performance deviations in the uprange, downrange, left-crossrange, or right-crossrange directions. Thus, in simple terms, a nominal trajectory is a single trajectory that the vehicle would fly in the absence of wind effects and guidance and performance variability. Section 401.7 defines “normal trajectory” to mean “a trajectory that describes normal flight.” The FAA retains the definitions of these terms. It is virtually impossible for flights to be nominal such that all aerodynamic parameters and systems are as expected without the influence of any uncertainties. To replace “normal” with “nominal” would substantively change the meaning of the rule, as uncertainty does not apply to a nominal trajectory. Requiring normal flight trajectories is a more permissive range of trajectories than nominal flight and allows the rule to be performance based within safe parameters. The FAA retains the use of the terms as proposed.

In the final rule, the FAA narrows the scope of the set of trajectories to characterize uncertainty due to random uncertainties “in all parameters with a significant influence on the vehicle's behavior through normal flight” in § 450.117(a)(2). Generally, the FAA considers “a significant influence” to include any parametric uncertainties within three-sigma that affect the crossrange IIP location or downrange IIP rate by at least one percent because the IIP location and rate is often a convenient surrogate for the potential impact locations of hazardous debris. One percent is a typical threshold value used in RCC 321-20 Standard and Supplement. Thus, the final rule does not intend for applicants to characterize the influence of all random uncertainties or variability, but only those with a significant influence on the potential impact locations for hazardous debris.

The FAA removes the NPRM requirements for a fuel exhaustion trajectory in proposed § 450.117(a)(2) and its associated application requirement in proposed § 450.117(d)(3)(ii). The requirements for this analysis are more appropriately located in the malfunction flight section because a fuel exhaustion trajectory is a malfunction trajectory that results when thrust termination does not occur as planned. A fuel exhaustion trajectory is not always required; however, such an analysis could be necessary for certain operations. For example, a fuel exhaustion trajectory will be necessary under the final rule § 450.119(a)(2) for a return to launch site scenario. As a result of this removal, the FAA combines proposed § 450.117 paragraph (a) with paragraph (a)(1) as a new paragraph (a), and re-designates proposed § 450.117(a)(1)(i) and (a)(1)(ii) as § 450.117(a)(1) and (a)(2), respectively.

The NPRM referenced the limits of a useful mission in proposed § 450.117(a)(3). In the final rule, the FAA moves all references to the limits of a useful mission from § 450.117, including proposed § 450.117(a)(3), to § 450.119 (Trajectory Analysis for Malfunction Flight). The FAA finds that the requirements associated with the limits of a useful mission belong in the malfunction flight section because limits of a useful mission can exceed the bounds of normal flight.

The FAA received several comments on the proposed use of the term “limits of a useful mission.” A summary of the comments and FAA's responses can be found in the preamble section on Trajectory Analysis for Malfunction Flight.

The FAA adopts § 450.117(b) as proposed. A final trajectory analysis must use a six-degree of freedom trajectory model to satisfy the requirements of § 450.117(a). The FAA did not receive comments on this proposal.

Proposed § 450.117(c) would have required a trajectory analysis to account for all wind effects including profiles of winds that are not less severe than the worst wind conditions under which flight might be attempted and for uncertainty of the wind conditions. In the final rule, the FAA revises the requirement to state that a trajectory analysis must account for “atmospheric conditions that have an effect on the trajectory” rather than “all wind effects.” The FAA notes that the revision captures the intent of (1) the proposed requirement to account specifically for wind effects under all foreseeable conditions within the flight commit criteria and consistent with the flight abort rules, and (2) the proposed requirement in § 450.117(a) to establish sets of trajectories sufficient to characterize variability and uncertainty during normal flight.

The FAA recognizes that wind is the primary atmospheric consideration for most vehicles, but, for some (non-traditional) vehicles, other atmospheric parameters such as density, humidity, or temperature may affect trajectory and be part of the flight commit criteria. Although these other conditions would have necessarily been accounted for in the trajectory analysis for normal flight as “uncertainties” in the introductory language to § 450.117(a), the final rule expressly refers to all atmospheric conditions in § 450.117(c). The FAA also notes that flight in the context of this section refers to the period of launch or reentry within the scope of § 450.113.

Boeing commented that it is impossible to account for all wind effects, as wind models were local and limited in altitude. Boeing recommended incorporating an altitude limit of 60,000 feet, and modifying the requirement to state, “a trajectory analysis must account for launch and, if different, reentry site wind effects, as applicable, including profiles of winds that are no less severe than the worst wind conditions under which flight might be attempted, and for uncertainty in the wind conditions.”

The FAA notes that the proposed requirement concerning wind effects, revised to “atmospheric effects” in the final rule, specifies profiles under which flight may be attempted based on the launch commit criteria and flight abort rules. The NPRM and the final rule set performance level requirements that avoid placing an arbitrary altitude limit that may not encompass all the conditions that may have an effect on a normal trajectory. Accordingly, the final rule requires a trajectory analysis to account not for all wind effects, but instead for atmospheric conditions that have an effect on the trajectory, including any uncertainty. Accounting for atmospheric effects on the trajectory will be addressed in guidance.

Blue Origin stated the requirements in proposed § 450.117(b) through (d)(2) amount to translating complex vehicle trajectory models into verbiage for delivery to FAA for licensing. Blue Origin proposed revising the language to specify vehicle state vector parameters in terms of position, attitude, velocity, thrust, and mass. In terms of a statistical distribution of each parameter, Blue Origin recommends providing a covariance matrix describing vehicle guidance and performance uncertainty as meeting the intent of the requirement.

The FAA notes Blue Origin's recommendation to specify the vehicle's position and velocity during normal flight using covariance matrices would satisfy the requirement in § 450.117(a)(2) because that approach was identified in Appendix A to part 417 under A417.7(g)(7)(xiii). The approach in Appendix A to part 417 under A417.7(g)(7)(xiii) meets the requirement in § 450.117(a)(2) because a set of covariance matrices for the vehicle position coordinates and velocity component magnitudes are an acceptable means to describe how the actual trajectory could differ from the intended trajectory due to random uncertainties in all parameters with a significant influence on the vehicle's behavior throughout normal flight. However, the FAA recognizes that other approaches, including a sufficiently large [108] set of Monte Carlo sample trajectories,[109] may also satisfy the requirement. The FAA does not intend to prescribe a specific method to characterize normal flight. Therefore, the FAA declines Blue Origin's recommendation to revise the requirement to specify vehicle state vector and covariance parameters. Instead, the final rule implements performance-based trajectory analysis requirements as proposed, such that an applicant must submit a description of the methods and input data used to characterize the vehicle's flight behavior throughout normal flight.

The FAA proposed application requirements for trajectory analysis for normal flight in § 450.117(d). In the final rule, the FAA adopts proposed § 450.117(d) with revisions. Specifically, the FAA removes the proposed requirement to describe the methodology used to determine the limits of a useful mission in § 450.117(d)(1). Instead, an equivalent requirement appears in § 450.119(c)(2) of the final rule. The FAA also removes the items proposed in § 450.117(d)(1)(i) through (d)(1)(iv) because they were redundant with the performance-based requirements that apply to all FSA in accordance with § 450.115(c).[110] The FAA removes the prescriptive requirements in § 450.117(d)(2)(ii) through (d)(2)(iv) proposed in the NPRM because these requirements are captured with the final rule requirement in § 450.117(d)(2), as explained later in this preamble section. In addition, the FAA re-designates proposed § 450.117(d)(2)(i) as (d)(3), and 450.117(d)(3) as (d)(4) with a minor revision. The FAA removed proposed § 450.117(d)(4), which required an applicant to submit additional products that allow an independent analysis, as requested by the Administrator, because the requirement was redundant with § 450.45(e)(7)(ii).

In the NPRM, proposed § 450.117(d)(2) required an applicant to submit a description of the input data used to characterize the vehicle's flight behavior throughout normal flight and limits of a useful mission. The proposal would have required a description of the wind input data, including uncertainties (§ 450.117(d)(2)(ii)); a description of the parameters with a significant influence on the vehicle's behavior throughout normal flight, including a quantitative description of the nominal value for each significant parameter throughout normal flight (§ 450.117(d)(2)(iii)); and a description of the random uncertainties with a significant influence on the vehicle's behavior throughout normal flight, including a quantitative description of the statistical distribution for each significant parameter (§ 450.117(d)(2)(iv)).

Commenters asserted these proposed requirements were too prescriptive, and the FAA agrees. The FAA revises § 450.117(d)(2) to require an applicant to submit the quantitative input data, including uncertainties, used to model the vehicle's normal flight in six degrees of freedom. This revision in the final rule captures the parameters of the proposed requirements in § 450.117(d)(2)(ii) through (d)(2)(iv), while allowing for more flexibility in the application of the regulatory requirements. Quantitative input data used to model the vehicle's normal flight in six degrees of freedom includes comprehensive sets of aerodynamic and mass properties. Explanation and details on how to comply with these requirements will be included in Advisory Circular 450.117-1, “Trajectory Analysis.”

The FAA retains the requirement proposed in § 450.117(d)(2)(i) and re-designates it as § 450.117(d)(3) in the final rule. In addition, the FAA changes the term “wind effects” to “atmospheric effects” to be consistent with § 450.117(c) of the final rule.

The FAA revises proposed § 450.117(d)(3) as discussed in this paragraph and re-designates it as § 450.117(d)(4) in the final rule. The proposal required an applicant to submit representative normal flight trajectory analysis outputs, including the position, velocity, and vacuum IIP, for each second of flight. Blue Origin commented that this requirement created an unnecessary burden to calculate vacuum IIP for potentially hundreds or thousands of normal and malfunction vehicle trajectories. Blue Origin stated that vacuum IIP was not representative of where vehicle hazards may impact the Earth and believed this requirement should only apply to the nominal trajectory.

The FAA disagrees that the IIP application requirement would have created an unnecessary burden; however, the final rule removes the application requirement because vacuum IIP can be readily computed if necessary from the position and velocity vectors, which are a part of the application materials. In the final rule, § 450.117(d)(4) specifies that the representative normal flight trajectory analysis outputs include orientation of the vehicle in addition to the position and velocity data specified in the proposal. The FAA notes that orientation is inherent in any six-degree of freedom trajectory model, as required by both the proposed and final § 450.117(b). Orientation is important to public safety when the induced velocities have a preferred direction.

The FAA also removes the requirement proposed in § 450.117(d)(3)(ii) that applies to fuel exhaustion trajectory under otherwise nominal conditions, because a fuel exhaustion trajectory is merely one specific type of malfunction trajectory and is not necessarily required for all applicants. For example, a fuel exhaustion trajectory would be necessary under the final rule for a return to launch site scenario but not for a typical unguided suborbital rocket. The requirement in § 450.119(a)(2) of the final rule is used to determine whether an applicant must include a fuel exhaustion trajectory.

p. Trajectory Analysis for Malfunction Flight (§ 450.119)

In the NPRM, the FAA proposed requirements associated with trajectory analysis for malfunction flight in § 450.119. As stated in the NPRM, a malfunction trajectory analysis is necessary to determine how far a vehicle can deviate from normal flight. This analysis helps determine potential impact points in the case of a malfunction and is therefore a vital input for the analyses needed to demonstrate compliance with risk criteria.

In the final rule, the FAA adopts proposed § 450.119 with revisions. The FAA removes, as unnecessary, proposed § 450.119(a)(1), which required that an FSA include a trajectory analysis that establishes the vehicle's capability to depart from normal flight, formally defined in terms of IIP in § 401.7. Proposed § 450.119(a)(2) is re-designated (a)(1) and requires that a trajectory analysis establish the vehicle's deviation capability in the event of a malfunction during flight. The FAA adds a new requirement, designated as § 450.119(a)(2), which requires that an FSA must include a trajectory analysis that establishes the trajectory dispersion resulting from reasonably foreseeable malfunctions. This language retains the concept of proposed § 450.119(a)(1), but revises the regulatory language to allow for a medium-fidelity FSA approach (e.g., corridor method) for which the vehicle vacuum IIP during a malfunction is not specified, as explained in the FAA's Flight Safety Analysis Handbook.[111] More specifically, the proposed requirement in § 450.119(a)(1) to establish the vehicle's capability to depart from normal flight would have required the analysis to account for the IIP in modeling of a malfunction trajectory because normal flight is defined in terms of IIP. Thus, the proposed requirement in § 450.119(a)(1) would have foreclosed a valid medium-fidelity FSA approach. In the final rule, § 450.119(a)(1) and § 450.119(a)(2) provide flexibility and permit at least one approach that allows a simpler computation of risk but still preserves safety. Not all operations are eligible for this corridor method, but it is valid when the vehicle debris risks are due to flight phases where the IIP is moving steadily downrange, and when the failure modes do not involve distorted impact distributions.[112] In the final rule, the FAA amended the requirement to allow this and other simplified methods for those operations for which they may be valid.

The FAA adds § 450.119(a)(3) in the final rule. Section 450.119(a)(3) states that an FSA must include a trajectory analysis that establishes, for vehicles using flight abort as a hazard control strategy under § 450.108, trajectory data or parameters that describe the limits of a useful mission. This requirement was found in § 450.117(a)(3) of the NPRM. The FAA finds that trajectory analysis requirements associated with the limits of a useful mission belong in the malfunction flight section because presumably normal flight can attain the one or more objectives within the flight azimuth limits.

The requirement in § 450.119(a)(3) is related to the requirement proposed in § 450.119(a)(1) because trajectories that are outside of the normal envelope can still be “useful,” even though they involve a malfunction.[113] The FAA notes that an operator can elect to designate the normal mission trajectories as the limits of a useful mission and meet the application requirement to submit data that describes the limits of a useful mission, but this may result in the termination of a flight that could still achieve a mission objective.

The FAA received several comments on the NPRM's proposal to use the “limits of a useful mission” to inform the development of flight safety limits and when flight abort was necessary, and to establish the width of a gate. Microcosm requested that the FAA define “a useful mission.” Boeing, Lockheed Martin, Northrop Grumman, and ULA recommended changing the definition of “limits of a useful mission” to mean the trajectory or other parameters that bound performance of a mission that can attain its primary objective. Blue Origin disagreed with the addition of “limits of a useful mission” to the regulation and stated that regulating what is considered a useful mission was outside of the FAA's jurisdiction.

In the final rule, the FAA adopts a new definition of a “useful mission” in § 401.7 and amends the proposed definition of “limits of a useful mission” to mean the trajectory data or other parameters that bound the performance of a useful mission, including flight azimuth limits. A “useful mission” means a mission that can attain one or more objectives and is based on the definition of “limits of a useful mission” proposed in the NPRM. The definition of “limits of a useful mission” adopted in the final rule removes the language “describe the limits of a mission that can attain the primary objective” and replaces it with “bound the performance of a useful mission,” consistent with the commenters' recommendation. In this context, bounding the performance will include flight azimuth limits and could include limits on the altitude versus distance downrange or other physics-based limits depending on the nature of the operation. The FAA makes these changes because it recognizes that pursuit of objectives other than the primary objective may be considered a useful mission. However, when all other objectives can no longer be achieved the FAA does not consider the collection of data related to a failure in and of itself to be a useful mission. This is because mere failure data collection alone does not justify continued risk to the public. Therefore, the final rule states in § 450.119(a)(3) that the FAA does not consider the collection of data related to a failure to be a useful mission.

The FAA finds the requirements associated with “useful mission” and “limits of a useful mission” are central to the hazard control strategies. The FAA is not attempting to regulate what the operator or its customer considers a useful mission. The FAA instead is simply requiring that the applicant identify which missions are useful so that vehicles that fly outside of these parameters erroneously are not permitted to threaten the public. The FAA finds it necessary to include a requirement that would prevent a launch or reentry vehicle from continued flight that would increase risk to the public if that vehicle can no longer achieve an objective of the operator, outside of the collection of data related to a failure.

Blue Origin recommended replacing “limits of a useful mission” with “limits to meet public risk criteria.” The FAA does not agree with this recommendation. As described in the section on CEC, public risk criteria alone are inadequate to establish the need for an FSS, the reliability of the FSS, or the timing of an FSS activation to ensure public safety. Similarly, while some might consider risk-based flight safety limits as a reasonable approach to risk management when a vehicle is on a potentially useful mission, once a malfunction results in a mission that can no longer achieve an objective, then hazard containment should be the goal and flight abort must be used to protect the public against high consequence events. Application of the limits of a useful mission benefits the operator because flights with trajectories that are outside of the normal envelope, but still useful according to the operator, will be permitted to continue without flight abort as long as they comply with § 450.108(d)(7), including trajectories that overfly the public. This was the intent of proposed § 450.123(b)(6) in the NPRM, and remains the intent of § 450.108(d)(7) in the final rule.

Boeing, Lockheed Martin, Northrop Grumman, and ULA commented that limits of a useful mission were already addressed in flight termination triggers, and that proposed § 450.117(a)(3) requiring trajectory data or parameters that describe the limits of a useful mission should be replaced with limits that trigger flight termination.

The FAA declines to adopt this recommendation because of the relationship between the limits of a useful mission and flight safety limits. Pursuant to § 450.108(c)(2) in the final rule (similar to proposed § 450.123(a)(2) of the NPRM), flight safety limits define when an operator must initiate flight abort to prevent continued flight from increasing public risk in uncontrolled areas if the vehicle is unable to achieve a useful mission. Under the final rule, flight safety limits will be developed after the limits of a useful mission are identified. An operator can elect to designate the normal mission trajectories as the limits of a useful mission and meet the application requirement to submit data describing the limits of a useful mission, but this may result in the termination of a flight that could still achieve a mission objective. As an example, during an operation for which a gate width was determined using only a vehicle's normal trajectory envelope, a failure before the gate resulted in the flight nearly being terminated at the gate, even though it went on to achieve the mission's primary objective. In that instance, if the limits of a useful mission data included flight azimuth limits, this vehicle would have had more margin in the form of a wider gate. Under the final rule, if an operator decides that placing a payload in any orbit or withholding abort for crewed flights is more useful than terminating a flight, it may declare that flight is useful at any azimuth or altitude and may fly the vehicle on any trajectory that meets § 450.108(d)(7). However, flight safety limits that terminate flights that are no longer useful should be placed so that they do not increase risk compared to continued flight, pursuant to § 450.108(d)(6).

The FAA found it necessary to move all references to the limits of a useful mission from § 450.117 to § 450.119 (Trajectory Analysis for Malfunction Flight), including proposed § 450.117(a)(3). The FAA finds that the requirements associated with the limits of a useful mission belong in the malfunction flight section because limits of a useful mission can exceed the bounds of normal flight.

In the NPRM, the FAA proposed in § 450.119(b) that a malfunction trajectory analysis must account for each cause of a malfunction flight, including software and hardware failures. For each cause of a malfunction trajectory, the analysis would have been required to characterize the foreseeable trajectories resulting from a malfunction. The proposal included six items in § 450.119(b)(1) through (b)(6) that would be required to be included in the analysis.

In the final rule, the FAA adopts proposed § 450.119(b) with revisions. The FAA removes proposed § 450.119(b)(1) through (b)(3) because they are no longer needed due to the adoption of performance-based standards and re-designates proposed § 450.119(b)(4) through (b)(6) as (b)(1) through (b)(3). Also, the FAA revises the introductory language in § 450.119(b) to improve clarity and remove prescriptive language.

Blue Origin commented that it was not feasible to model a malfunction turn trajectory for each software or hardware cause, only for vehicle responses to the cause as proposed in § 450.119(b). Blue Origin recommended striking the phrase, “for each cause of a malfunction trajectory,” and instead indicate that a malfunction trajectory analysis must characterize the foreseeable trajectories resulting from a malfunction.

The FAA partially agrees with Blue Origin's recommendations. The FAA deletes the proposed language in § 450.119(b), “for each cause of a malfunction trajectory, the analysis must characterize the foreseeable trajectories resulting from a malfunction,” but retains the phrase “for each cause of a malfunction flight” in the first sentence of § 450.119(b). The FAA notes the analysis must account for the probability of each set of trajectories that characterize a type of malfunction flight, and that probability must account for each cause of a malfunction flight, including software and hardware failures, for every period of normal flight.

The FAA notes that use of the phrase “for each type of malfunction” in § 450.119(b) of the final rule addresses Blue Origin's comment that it is not feasible to model a malfunction turn trajectory for each cause, but only for vehicle responses to the cause. The term “each type of malfunction” refers to the vehicle response to the cause and multiple causes could result in a similar vehicle response. For example, under part 417 a malfunction turn analysis would account for a series of “tumble turns,” as enumerated in Appendix A to part 417 under A417.9(d)(5), which result in the launch vehicle rotating due to a constant thrust vector offset angle. The FAA recognizes that there could be multiple causes for a constant thrust vector offset, such as a jammed mechanism, loss of electrical power, or loss of hydraulic fluid pressure. Thus, the probability of a tumble turn must account for “each cause of a malfunction flight, including software and hardware failures,” in accordance with § 450.119(b). Furthermore, the FAA recognizes that multiple sets of trajectories are necessary to characterize the vehicle behavior in response to a malfunction. An example is a malfunction that results in a constant thrust vector offset, because a range of thrust vector offsets is reasonably foreseeable (from very small angles that would cause a slow departure from normal flight up to the maximum feasible thrust offset that would typically result in a rapid tumble of the vehicle). Thus, there is a natural question regarding the appropriate resolution of the malfunction trajectory analysis. The intent of the requirements in § 450.119 is to produce sets of trajectories that are sufficient to characterize the public risks posed by each type of malfunction. 
Thus, the final rule sets a performance standard in § 450.119(b) that the analysis for each type of malfunction must have sufficient temporal and spatial resolution to establish flight safety limits, if any, and individual risk contours that are smooth and continuous.

In order to be less prescriptive, the FAA further amends § 450.119(b) in response to Blue Origin's comment. The NPRM proposed in § 450.119(b)(1) through (b)(3) that the malfunction trajectory analysis must account for (1) all trajectory times during the thrusting phases, or when the lift vector is controlled, during flight; (2) the duration, starting when a malfunction begins to cause each flight deviation throughout the thrusting phases of flight; and (3) trajectory time intervals between malfunction turn start times that are sufficient to establish flight safety limits, if any, and individual risk contours that are smooth and continuous. The FAA removes proposed § 450.119(b)(1) through (b)(3) and consolidates these requirements into § 450.119(b). This revision sets more performance-based requirements for the scope and resolution of the malfunction trajectory analysis to create flexibility in demonstrating the trajectory dispersion resulting from reasonably foreseeable malfunctions. In the final rule, § 450.119(b) will require the analysis for each type of malfunction to have sufficient temporal and spatial resolution to establish flight safety limits, if any, and individual risk contours that are smooth and continuous.

In the NPRM, proposed § 450.119(b)(2) required that a malfunction trajectory analysis account for the duration, starting when a malfunction begins to cause each flight deviation throughout the thrusting phases of flight. Virgin Galactic commented that a malfunction turn analysis would not apply to operations for which a pilot is in control of a winged vehicle because the pilots act as an FSS.

The FAA is aware that having pilots onboard and in control of a vehicle during flight may mitigate the need for certain malfunction analyses; however, there may still be instances when pilots may become incapacitated during flight. In any such instances, a trajectory analysis for malfunction flight would still potentially be necessary to identify impact points as an essential input for risk analyses to demonstrate compliance with risk criteria in § 450.101. The FAA notes that flight simulators can facilitate the development of representative malfunction trajectory analysis outputs in cases in which pilot responses have a significant influence on the trajectory dispersion resulting from reasonably foreseeable malfunctions.

Virgin Galactic also recommended a wording change to § 450.119(b)(2) to define the duration as, “starting when a malfunction begins . . . until such time the effects of the malfunction are mitigated.” As previously discussed, the FAA does not adopt proposed § 450.119(b)(2) in the final rule. However, the FAA notes in the final rule, the combination of the requirement for sufficient temporal resolution to establish smooth and continuous individual risk contours, along with the requirement to account for the timing of each malfunction trajectory's termination due to means other than flight abort, including vehicle breakup, ground impact, or orbital insertion, provide a sufficient performance-based specification to establish the duration of the malfunction trajectory analysis. In addition, the FAA finds that the commenter's suggestion that the duration of the analysis continue only “until such time the effects of the malfunction are mitigated” would not analyze both the success and the failure of the mitigation necessary to quantify the risk and consequence in the event that the FSS fails.

As a result of removing proposed § 450.119(b)(1) through (b)(3), the FAA re-designates proposed § 450.119(b)(4) as § 450.119(b)(1) in the final rule. Proposed § 450.119(b)(4) required that a trajectory analysis for malfunction flight account for the relative probability of occurrence of each malfunction turn for which the vehicle is capable. In the final rule, the FAA revises § 450.119(b)(1) to reflect that the analysis must account for the relative probability of occurrence of each malfunction, and not specifically a malfunction turn. The FAA views the term “malfunction turn” as outdated. The requirement in the final rule is consistent with the proposal.

The FAA re-designates proposed § 450.119(b)(5) as § 450.119(b)(2) in the final rule. The FAA also revises § 450.119(b)(2) to correct an omission of the word “trajectory.” Furthermore, the FAA adds ground impact and orbital insertion as potential termination states. The FAA found the exclusion of these states in the NPRM to be a deficiency that would have resulted in an operator's inability to meet regulatory requirements for quantifying the risk because malfunctions can result in trajectories that result in ground impact or orbital insertion, as well as vehicle break-up, and those additional outcomes can pose significant public risks as well.

The FAA re-designates proposed § 450.119(b)(6) as § 450.119(b)(3) in the final rule and revises the requirements. Section 450.119(b)(3) requires that a malfunction trajectory analysis account for the parameters with a significant influence on a vehicle's flight behavior from the time when a malfunction begins to cause a flight deviation until each malfunction trajectory will terminate due to vehicle breakup, ground impact, or orbital insertion. The FAA adds the phrase “parameters with a significant influence on vehicle's flight behavior” because the analysis must account for these parameters to characterize sufficiently the vehicle's flight behavior. This language was proposed in the application requirements in § 450.119(c)(2)(iii) and has been added to paragraph (b)(3) in the final rule. The FAA received no comments on this language. The FAA also clarifies that a malfunction trajectory can terminate due to orbital insertion, not just ground impact or predicted structural failure (vehicle breakup), as specified in the NPRM, for the same reason that those outcomes were added to § 450.119(b)(2). Finally, the FAA replaces the proposed term “predicted structural failure” with the term “vehicle break-up” in the final rule. This change is consistent with the terminology used in § 450.121 (Debris Analysis).

Blue Origin commented that smooth and continuous contours were not typically feasible unless flight limits were also included in the malfunction turn analysis. Blue Origin also recommended adding flight abort to the list of vehicle end state conditions.

The FAA did not add flight abort to the list of vehicle end state conditions based on Blue Origin's comment because of the relationship between trajectory analysis for malfunction flight and risk analyses that produce risk contours. Risk analyses must consider outcomes of flight abort and FSS inaction, whether through failure of the FSS or because no flight abort rules were violated, which could result in vehicle breakup, ground impact, or orbital insertion. If the trajectories for malfunction flight were terminated when flight abort was predicted, no trajectory data would exist for cases when the FSS failed. The rule ensures that complete trajectory data exists to account for flight abort action and inaction in risk analyses. More specifically, ending the malfunction trajectories at the flight safety limits conflicts with the requirement in § 450.108(d)(5) to account for proper functioning of the FSS and failure of the FSS in individual, collective, and conditional risk evaluations. It was not necessary to amend the rule according to Blue Origin's comment because flight abort is already a necessary end case to be analyzed when producing risk contours in accordance with § 450.133(e)(2)(iii), which is a separate analysis from producing trajectories for malfunction flight.

Section 450.119(b)(4) explicitly requires a malfunction trajectory analysis to account for potential FSS failure, if an FSS is used, because that can also influence the termination condition of a malfunction trajectory. For example, if a malfunction trajectory triggers a flight abort rule, potential outcomes of the trajectory are abort (through destruct, thrust termination, or other method) or continued flight resulting in aerodynamic breakup, intact impact, or orbital insertion if the FSS fails. The requirement in § 450.119(b)(4) is consistent with the proposal because both the proposed and final § 450.115(a) explicitly require that an operator's FSA method must account for all failures of safety-critical systems during nominal and non-nominal launch or reentry that could jeopardize public health and safety and the safety of property. Furthermore, any FSS required to comply with § 450.143 or § 450.145 necessarily will meet the definition of a safety-critical system. Therefore, the proposed requirement § 450.123(a) would have necessitated that the malfunction trajectory analysis account for the potential failure of the FSS.

In the NPRM, § 450.119(c) addressed the application requirements associated with trajectory analysis for malfunction flight. In the final rule, the FAA adopts the application requirements in proposed § 450.119(c) with revisions. The revisions include adding a new § 450.119(c)(2), re-designating proposed § 450.119(c)(2) through (c)(4), and removing proposed § 450.119(c)(1)(i) through (c)(1)(iv).

Proposed § 450.119(c)(1) required an applicant to submit a description of the methodology used to characterize the vehicle's flight behavior throughout malfunction flight. In the final rule, the FAA adopts the proposal and adds a reference to the requirements in § 450.115(c), which sets the standards for the methodologies used in the FSA. Also, the FAA removes the items proposed in § 450.119(c)(1)(i) through (c)(1)(iv) because they were redundant with the performance-based requirements that apply to all FSA in accordance with § 450.115(c).

In the final rule, a new § 450.119(c)(2) requires an applicant to submit a description of the methodology used to determine the limits of a useful mission, in accordance with § 450.115(c). This requirement was proposed as § 450.117(d)(1) in the NPRM. Moving this application requirement to § 450.119 is consistent with the relocation of its associated analysis requirement to § 450.119(a)(3). The FAA re-designates proposed § 450.119(c)(2) as § 450.119(c)(3) in the final rule. The FAA captures the requirements of proposed § 450.119(c)(2)(i) and (c)(2)(ii) and relocates them in § 450.119(c)(3)(i) and (c)(3)(ii).

The FAA re-designates proposed § 450.119(c)(2)(iii) as § 450.119(c)(3)(iii) in the final rule and revises the final § 450.119(c)(3)(iii) to specify the need for an applicant to submit a quantitative description of the parameters, including uncertainties, with significant influence on the vehicle's malfunction behavior for each type of malfunction flight characterized. Proposed § 450.119(c)(2)(iii) required an applicant to submit a description of the input data used to characterize the vehicle's malfunction flight behavior, including a description of the parameters with a significant influence on the vehicle's behavior throughout malfunction flight for each type of malfunction flight characterized. Proposed § 450.119(c)(2)(iii) also required a quantitative description of the nominal value for each significant parameter throughout normal flight. The FAA specifically replaces the proposed requirements in § 450.119(c)(2)(iii) and (c)(2)(iv) [114] with the requirement in § 450.119(c)(3)(iii) in the final rule. This revision retains the intent of the requirements proposed in the NPRM but is more flexible in its application because, although it still requires a quantitative description, the regulation permits something other than the statistical distribution that would have been required by the proposal.

The FAA re-designates proposed § 450.119(c)(3) as § 450.119(c)(4) in the final rule. The FAA also removes the need for the vacuum IIP for each second of flight. The FAA makes this change in response to Blue Origin's comment on computing vacuum IIP for a large number of trajectories, as addressed in the preamble section on § 450.117.

The FAA adopts the requirements in § 450.119(c)(4)(i) as proposed in § 450.119(c)(3)(i) in the NPRM. The FAA received no comments on proposed § 450.119(c)(3)(i). The FAA adopts, with revisions, the requirements in § 450.119(c)(4)(ii) as proposed in § 450.119(c)(3)(ii) in the NPRM. Proposed § 450.119(c)(3)(ii) required submission of the probability of each trajectory that characterizes a type of malfunction flight. Blue Origin commented that delivering probabilities for each trajectory modelled was not practical or useful for independent assessment. Instead, Blue Origin proposed revising the regulatory language to require the applicant to submit the probability of each set of malfunction trajectories. The FAA agrees with this comment and revises § 450.119(c)(4)(ii) in the final rule to reflect Blue Origin's recommendation.

In the final rule, § 450.119(c)(4)(iii) requires an applicant to submit a representative malfunction flight trajectory analysis output, including the position and velocity as a function of flight time for a set of trajectories that characterize the limits of a useful mission as described in § 450.119(a)(3) of this section. This requirement was proposed as § 450.117(d)(3)(v) in the NPRM. As discussed earlier, the FAA moves the limits of a useful mission requirement from proposed § 450.117 to § 450.119 in the final rule.

Lastly, similar to other sections in this rule, the FAA removes the requirement for an applicant to provide additional products that allow an independent analysis, as requested by the Administrator. The FAA finds the requirement redundant with § 450.45(e)(7)(ii). Blue Origin and the CSF objected to proposed § 450.119(c)(4). Blue Origin strongly disagreed that the FAA should be in the business of recreating analysis completed by operators. It submitted that the FAA should vet the process used by the operator to conduct the analysis, along with the products of the analysis, to determine whether approval was warranted. Blue Origin further stated that such independent recreation of the analysis could lead to protracted back and forth between an operator and the FAA that was unnecessary if the FAA had vetted the process used by the operator to conduct the analysis. Blue Origin proposed to delete this requirement in order to limit the scope to what was required to establish confidence in the validity of an operator's analysis. CSF stated that the FAA's practice of recreating an applicant's analysis should be ended, as it was expensive and burdensome. CSF recommended that an AC should guide and inform this analysis.

Virgin Galactic noted that numerous regulations under part 450, including proposed § 450.119(c)(4), call for additional products that allow an independent analysis, as requested by the Administrator. Virgin Galactic stated that “additional products” was neither defined nor constrained, permitting the FAA to request any information from operators at any time. This would create uncertainty regarding the kind of products an applicant or operator would need to prepare for the FAA. Virgin Galactic recommended striking the above references in their entirety. Virgin Galactic commented that, based on prior experience under part 431 with the FAA requesting additional information, these regulations may have a significant time and monetary impact on an operator, if implemented.

The FAA does not agree with the commenters' recommendation to delete this requirement in its entirety from the final rule. The goal is for the FAA to evaluate, in an efficient and thorough manner, the validity of an analysis, along with the products of the analysis submitted by an operator. The FAA finds that at times it may be necessary to conduct an independent analysis of the process used by the operator in order to ensure safety. Additional product requests under part 431 may have been more frequent due to a lack of well-defined application requirements. However, under part 450, the FAA expects the application requirements are sufficient and will generally not request additional products beyond those that are necessary to protect public safety. Furthermore, as noted in the NPRM, the FAA has evaluated the validity of an applicant's proposed methods by comparing the results to valid benchmarks such as data from mishaps, tests, or validated high-fidelity methods. Once that has occurred, the FAA can issue an operator's license for a repeatable operation at a specific site for a specified range of trajectory azimuths.

Using published benchmarks, the FAA intends to facilitate the validation and verification of FSA methods to alleviate some of the needs for the FAA to perform independent analyses. However, the FAA finds that relying on an approved process alone is insufficient when certain critical variables may change that affect flight safety or the MPL determination, or in cases in which the operator proposes launch or reentry operations that are so unique that relevant benchmarks are unavailable. Also, the FAA will continue to verify flight operations for new vehicles, for existing vehicles conducting operations at new sites, for vehicles flying a trajectory outside the accepted range of trajectory azimuths, and vehicles that have undergone significant modifications to vehicle design or flight safety critical systems. Thus, the FAA foresees continuing to perform independent analyses in certain circumstances to assure that it has met its statutory obligation to ensure public health and safety and safety of property.

Although the FAA declines to remove the “additional products” reference in § 450.45(e)(7)(ii) of the final rule, the FAA does not include the redundant references proposed in other sections. “Additional products” refers to data that will allow the FAA to conduct an independent safety analysis in support of its application assessment and licensing determination. It would be impractical to list everything needed for every independent analysis. As explained in the NPRM, the FAA's decision to conduct an independent analysis is usually reserved for new vehicle concepts, new analysis methods, or proposals involving unique public safety cases. In all instances, the request for information is bounded by the regulatory requirements for obtaining a license and the FAA's need to ensure compliance with the safety criteria. The FAA adopts the requirement that an applicant submit additional products to facilitate an independent analysis, as requested by the Administrator in § 450.45(e)(7)(ii).

q. Debris Analysis (§ 450.121)

The NPRM proposed in § 450.121 to require a debris analysis that characterized the debris generated for each foreseeable vehicle response mode as a function of vehicle flight time, accounting for the effects of fuel burn and any configuration changes. The proposal required that the debris analysis account for each foreseeable cause of vehicle breakup, including any breakup caused by an FSS activation or by impact of an intact vehicle. As noted in the NPRM, this would include debris from a vehicle's jettisoned components and payloads because such debris could cause a casualty due to impact with an aircraft or waterborne vessel or could pose a toxic or fire hazard.[115] Under proposed § 450.121(c), the debris analysis would include inert, explosive, and other hazardous vehicle debris from both normal and malfunctioning flight during launch or reentry.

In the final rule, the FAA adopts proposed § 450.121 with revisions. Specifically, the FAA preserves the scope of the debris analysis from the NPRM but consolidates, clarifies, and increases the flexibility of the regulations in this section. The final rule's revisions include (1) replacing the requirement to characterize the debris from “each foreseeable vehicle response mode” with “debris generated from normal and malfunctioning vehicle flight,” (2) relying upon a new definition for “hazardous debris,” (3) replacing “flight time” with “flight sequence,” and (4) removing prescriptive thresholds for various debris hazards in favor of a performance-based standard of “capable of causing a casualty or loss of functionality to a critical asset.” Each of these changes is discussed in the following paragraphs.

Proposed § 450.121(a) required that an FSA include a debris analysis that characterizes the debris generated for each foreseeable vehicle response mode as a function of vehicle flight time, accounting for the effects of fuel burn and any configuration changes. The NPRM noted that an operator's debris list generally changes over time with variations in the amount of available propellant and the jettisoning of hardware.

In the final rule, the FAA adopts proposed § 450.121(a) with revisions. The FAA replaces the proposed requirement to characterize “the debris generated for each foreseeable vehicle response mode as a function of vehicle flight time, accounting for the effects of fuel burn and any configuration changes” with a more flexible and performance-based requirement to characterize “the hazardous debris generated from normal and malfunctioning vehicle flight as a function of vehicle flight sequence.”

Several commenters suggested changing the term “foreseeable” vehicle response modes in § 450.121(a) of the NPRM to “credible” vehicle response modes. The commenters stated that credibility was determined during the system safety analysis, and that the debris analysis should not have to include extremely improbable, non-credible failure modes.

The FAA does not agree that the term “foreseeable” should be replaced by the term “credible” in this section or throughout the final rule. The term “foreseeable” is used in § 431.35 and also commonly used in system safety; therefore, the FAA is not changing these references. The FAA finds that the term “credible” is unacceptably prone to errors in judgment whereas the term “foreseeable” is more readily discerned by analysis (e.g., fault trees). With regard to § 450.121(a) of the final rule, the FAA adopts the more flexible and performance-based requirement recommended by the commenters to characterize the hazardous debris generated from normal and malfunctioning vehicle flight as a function of vehicle flight sequence. With the removal of the reference to “each foreseeable vehicle response mode” in § 450.121(a), the final rule standard for the scope is set by the language in § 450.115(a), specifically by the reference to reasonably foreseeable events. In addition, the resolution of the failure modes accounted for in the debris analysis is set by the level of fidelity necessary to comply with § 450.115(b). The FAA also notes that, in the context of § 450.121, reasonably foreseeable events that can generate hazardous debris during malfunctioning vehicle flight generally include engine/motor explosion, exceeding structural limits due to aerodynamic loads, inertial loads, aerothermal heating, and activation of a flight termination system.

In reference to the use of the term “hazardous debris” in § 450.121(a), the final rule in § 401.7 includes a definition of this term. Hazardous debris means any object or substance capable of causing a casualty or loss of functionality to a critical asset. Hazardous debris includes inert debris and explosive debris such as an intact vehicle, vehicle fragments, any detached vehicle component, whether intact or in fragments, payload, and any planned jettisoned bodies. This definition is based on proposed § 450.121(c)(1), which required a debris analysis to identify all inert debris that could cause a casualty or loss of functionality of a critical asset. The FAA clarifies that the clause “whether intact or in fragments” applies to the payload and jettisoned bodies as well.

The final rule's definition of “hazardous debris” facilitated streamlining in proposed §§ 450.113 through 450.139. For example, the term hazardous debris in § 450.121(a) establishes a performance-based threshold, which resulted in the elimination of the prescriptive debris thresholds proposed in § 450.121(c)(1)(i) through (v).[116] Section 450.121(a) retains the essential performance standards in proposed § 450.121(c)(1) and (c)(2) (i.e., that the analysis must identify all inert and explosive debris capable of causing a casualty or loss of functionality to a critical asset), and allows operators to propose impact vulnerability models appropriate for the materials used in their licensed operations.

For example, recent research and development sponsored by the FAA demonstrates that the threshold kinetic energy capable of causing a casualty from a collision with a rigid object is substantially lower than for a collision with an object made of certain composite materials.[117] The FAA will provide an AC with valid debris impact thresholds, such as those proposed in § 450.121(c)(1)(i) and (ii). Thus, in the final rule, § 450.121(a) uses the definition of “hazardous debris” in a way that will enable those debris impact thresholds to be updated as appropriate based on future research and development. In addition, the definition of “hazardous debris” is used in § 450.121(a) in a way that replaces the relatively verbose requirement in proposed § 450.121(c) that “a debris analysis must account for all inert, explosive, and other hazardous vehicle, vehicle component, and payload debris foreseeable from normal and malfunctioning vehicle flight.”

In summary, the final rule uses the performance-based definition of “hazardous debris” that currently equates to the same debris thresholds as proposed in the NPRM because “hazardous debris” means any object or substance capable of causing a casualty, including people in aircraft or waterborne vessels or loss of functionality to a critical asset. Thus, by relying on the definition of “hazardous debris,” the final rule retains the standard in proposed § 450.121(c) of debris capable of causing a casualty or loss of functionality to a critical asset and allows operators to propose impact vulnerability models appropriate for the materials used in their vehicle.

In the final rule, the FAA replaces the term “flight time” in § 450.121(a) with the more flexible term “flight sequence” because it is a better independent variable. For example, during a reentry operation, the transitions between phases of flight, which generally produce substantially different hazardous debris, such as prior to and after peak aero-thermal heating, can occur at widely variable flight times. Also, imparted velocities due to break-up typically correlate with propellant load better than flight time does. Therefore, the final rule uses “flight sequence” as a less prescriptive and more accurate independent variable. The FAA notes that the term “sequence” is used in the common meaning of the word, which is a series of related things or events, or the order in which things or events follow each other. The phrase “as a function of vehicle flight sequence” would naturally include “accounting for the effects of fuel burn and any configuration changes,” so the final rule deletes those elements of the proposed requirement as redundant.

In § 450.121(b) of the NPRM, the FAA proposed to require that the debris analysis account for each foreseeable cause of vehicle breakup, including any breakup caused by FSS activation, and for impact of an intact vehicle. Consistent with § 450.133(a)(4), this proposal included debris from a vehicle's jettisoned components and payloads because such debris could cause a casualty due to impact with an aircraft or waterborne vessel or could pose a toxic or fire hazard.[118]

Section 450.121(b) retains the requirement that a debris analysis account for each reasonably foreseeable cause of vehicle breakup and intact impact. As explained in the NPRM, this would include “engine or motor explosion, or exceeding structural limits due to aerodynamic loads, inertial loads, or aerothermal heating.” [119]

In addition, the final rule requires an operator to account for vehicle structural characteristics and materials and energetic effects during break-up or at impact. Although these items would be necessary considerations in any debris analysis, the FAA has added them expressly in § 450.121(b). The requirement to account for energetic effects in § 450.121(b)(3) is consistent with the requirement in proposed § 450.135(d)(3)(iii) which addresses “indirect or secondary effects such as bounce, splatter, skip, slide, or ricochet.” [120] Moreover, accounting for the fundamental physical phenomena identified in § 450.121(b)(2) of the final rule would logically be necessary to comply with the requirement in proposed § 450.135(d) to “model the casualty area, and compute the predicted consequences of each reasonably foreseeable vehicle response mode.” As explained in the NPRM, “the casualty area and consequence analysis would be required to account for all relevant debris fragment characteristics.” The characteristics of all relevant debris fragments, such as the size and kinetic energy at impact, depend on the three fundamental physical phenomena identified in the final rule.

As noted earlier, the NPRM proposed to require in § 450.121(c) that a debris analysis account for all inert, explosive, and other hazardous vehicle, vehicle component, and payload debris foreseeable from normal and malfunctioning vehicle flight. The NPRM also specified a set of items for which a debris analysis would be required to account, at a minimum. These items included highly specific and prescriptive debris threshold requirements. With the addition of the hazardous debris definition, § 450.121 no longer requires a specific subsection establishing debris thresholds.

In the final rule, new § 450.121(c) contains requirements associated with the propagation of debris that are relocated from the proposed debris risk analysis requirements in § 450.135(b). Specifically, a debris analysis must compute statistically valid debris impact probability distributions. The propagation of debris from each predicted breakup location to impact must account for all foreseeable forces that can influence any debris impact location, and all foreseeable sources of impact dispersion, including, at a minimum: The uncertainties in atmospheric conditions; debris aerodynamic parameters, including uncertainties; pre-breakup position and velocity, including uncertainties; and breakup-imparted velocities, including uncertainties. The FAA notes that a quantitative description of the physical, aerodynamic, and harmful characteristics of hazardous debris is a prerequisite to compute statistically valid debris impact probability distributions and to quantify the risks to the public.

The propagation of debris is a physics-based analysis that predicts where debris impacts will occur given a debris event while the vehicle is in flight, such as jettison of a vehicle stage or an explosion. The FAA moves the requirements in proposed § 450.135(b) to § 450.121(c) because the computation of statistically-valid debris impact distributions naturally depends on the nature of the debris and the trajectory analysis products from §§ 450.117 and 450.119. Similarly, the final rule requirements in § 450.121(c) are nearly identical to those in proposed § 450.135(b), except that the final rule removes the term “including uncertainties” from the regulation. The FAA finds inclusion of this term to be superfluous, as accounting for foreseeable sources of impact dispersion naturally includes the uncertainties in the debris aerodynamic parameters, pre-breakup state vectors, and breakup-imparted velocities. The FAA notes that the debris analysis must compute statistically valid debris impact probability distributions of all hazardous debris to be consistent with the scope identified in § 450.121(a).

Virgin Galactic recommended that the FAA allow operators to provide their own assessments of casualty causing debris. The FAA agrees that the specific impact vulnerability thresholds specified in the NPRM were overly prescriptive and potentially overly conservative for some non-rigid debris impacts. Thus, the final rule removes these proposed requirements in § 450.121(c) entirely.

In the NPRM, § 450.121(d) provided the debris analysis application requirements. In the final rule, the FAA relocates and revises proposed § 450.121(d)(1), which was a requirement to submit a description of the debris analysis methodology, to § 450.121(d)(2). The FAA re-designates and revises proposed § 450.121(d)(2) as § 450.121(d)(1) in the final rule. In the NPRM, proposed § 450.121(d)(2) required an operator to submit a description of all vehicle breakup modes and the development of debris lists. In the final rule, the re-designated § 450.121(d)(1) makes use of the formal definition of “hazardous debris,” requiring a description of all scenarios that can lead to hazardous debris.

In the final rule, § 450.121(d)(2) and (d)(3) require an operator to submit a description of the methods used to perform the vehicle impact and breakup analysis in accordance with § 450.115(c), which is consistent with similar changes in other FSA sections. The final rule also moves the requirements relevant to the debris propagation analysis from proposed § 450.135(e)(2) and (e)(5) to § 450.121(d)(3) and (d)(4).

The FAA re-designates and revises proposed § 450.121(d)(3) as § 450.121(d)(5). In the NPRM, proposed § 450.121(d)(3) required an applicant to submit all debris fragment lists necessary to describe the physical, aerodynamic, and harmful characteristics of each debris fragment or fragment class quantitatively. Section 450.121(d)(5) of the final rule requires a quantitative description of the physical, aerodynamic, and harmful characteristics of hazardous debris. The FAA finds that “quantitative description” will allow alternative approaches for the applicant to demonstrate compliance with this section.

Virgin Galactic stated the proposal would introduce additional workload to the company. Virgin Galactic raised concern that proposed § 450.121 introduced requirements for waterborne vessels that were not referenced in other parts of the rule. The NPRM proposed, and the final rule requires in § 450.133(b), that a flight hazard area analysis must determine waterborne vessel hazard areas. Also, the NPRM preamble explained that the requirement includes people on ships in the collective risk computation (see proposed § 450.101(a)(1) and (b)(1)), and thus explicitly allows the application of risk management principles to protect people on waterborne vessels. The FAA finds that the scope of the FSA requirements in the final rule is consistent with current practice and will not introduce additional workload.

Virgin Galactic stated that the FAA should quantify the debris that could cause a casualty on a waterborne vessel. The FAA notes that it provided guidance on debris thresholds for waterborne vessels in Table 10 of the draft AC on High-Fidelity FSA published with the NPRM.

r. Population Exposure Analysis (§ 450.123)

In the NPRM, the exposure model requirements were addressed in the debris risk analysis section in proposed § 450.135(c) and (d) because a complete risk analysis must account for the distribution of people and how those people may be sheltered. The FAA received numerous comments stating the proposed requirements were too prescriptive. The FAA agrees and has revised the requirements to be more performance-based.

In the final rule, the FAA revises the exposure model requirements and moves them from proposed § 450.135(c) and (d) to § 450.123 (Population Exposure Analysis). The FAA moves the population exposure analysis requirements out of the proposed debris risk analysis section because this analysis informs other sections of the FSA. A population exposure analysis must also be used to provide input to other public risk analyses to address toxic hazards and far-field overpressure blast effects, if any. This change does not expand the scope of the final rule beyond what was proposed in the NPRM because the NPRM identified the need for population exposure input to address toxic hazards for flight and far-field overpressure blast effects.[121] The rationale for the final rule requirements remains the same as proposed in the NPRM: An exposure model provides critical input data on the geographical location of people and critical assets at various times when the launch or reentry operation could occur. While the rationale remains the same, the FAA makes two changes in § 450.123. Consistent with the change discussed in the critical assets section of the preamble, the FAA removes the requirement for an operator to characterize the distribution and vulnerability of critical assets. The FAA also revises the population exposure analysis to require that input data must account for the vulnerability of people to hazardous debris effects. The FAA will issue a Population Exposure Assessment AC to describe a possible means of compliance.

Section 450.123(a) requires that an FSA must account for the distribution of people for the entire region where there is a significant probability of impact of hazardous debris. This final rule is consistent with the requirement in proposed § 450.135(c)(1) that the population exposure data would be required to include the entire region where there is a significant probability of impact of hazardous debris. The definition of “hazardous debris” in § 401.7 informs the scope of this requirement. In § 450.123(a), the standard of “significant” means that the scope of the population exposure analysis is bounded by what is necessary to demonstrate compliance with the risk criteria in § 450.101(a) and (b), consistent with the scope requirements set in §§ 450.113 and 450.115.

Section 450.123(b) sets constraints on the population exposure analysis consistent with proposed § 450.135(c)(2) through (c)(7). Specifically, § 450.123(b) requires that the exposure analysis must characterize the distribution of people both geographically and temporally; account for the distribution of people among structures and vehicle types; and use reliable, accurate, and timely source data.

Section 450.123(b)(1) relocates the requirements in proposed § 450.135(c)(2), but removes the term “vulnerability” and the reference to critical assets, as discussed earlier.[122] The final rule removes proposed § 450.135(c)(4), which would have required the exposure model to have sufficient temporal and spatial resolution that a uniform distribution of people within each defined region can be treated as a single average set of characteristics without degrading the accuracy of any debris analysis output. By removing this requirement, an operator may demonstrate compliance with § 450.123(b) in the manner set forth in proposed § 450.135(c)(4), but also has flexibility to demonstrate compliance through other means.

Section 450.123(b)(2) replaces the more prescriptive requirements in proposed § 450.135(c)(3) by removing the requirement that, in accounting for the distribution of people among structures and vehicle types, an exposure analysis includes “a resolution consistent with the characteristic size of the impact probability distributions for relevant fragment groups.” The language removed from the final rule remains a valid means for an operator to demonstrate compliance with § 450.123(b)(2) in the final rule.

Section 450.123(b)(3) replaces the more prescriptive requirements in proposed § 450.135(c)(5) and (c)(6) so that an exposure analysis must use reliable, accurate, and timely source data.

Section 450.123(b)(4) consolidates and replaces the requirements to account for the vulnerability of people to hazardous debris effects that were proposed in § 450.135(d)(3)(i) and (ii), as well as proposed in § 450.137(b)(4). In the final rule, the FAA removes the requirement in proposed § 450.135(c)(7) altogether. Proposed § 450.135(c)(7) is redundant in conjunction with the requirements in § 450.115(b), which specify the necessary fidelity of any FSA, and the requirement in § 450.101(g) that an operator must use accurate data and scientific principles and the analysis must be statistically valid.

The FAA moves and revises the application requirements in proposed § 450.135(e)(3) as § 450.123(c)(1) in the final rule. The FAA revises the final § 450.123(c)(1), which requires an applicant to submit a description of the FSA methodology, to reference § 450.115(c). As previously noted, the population exposure analysis must also be used to provide input to other public risk analyses to address toxic hazards and far-field overpressure blast effects, if any. Section 450.123(c)(2) requires an applicant to submit complete population exposure data, in tabular form, which is a more concise statement equivalent to proposed § 450.135(e)(4). In the final rule, the FAA specifies that the complete population exposure data must be in tabular form and deletes the requirement that the description of the exposure input data include, for each population center, a geographic definition and the distribution of population among shelter types as a function of time of day, week, month, or year. The population exposure data provided under § 450.123(c)(2) may reflect some or all of the information described in proposed § 450.135(e)(4).

s. Probability of Failure Analysis (§ 450.131)

In the NPRM, proposed § 450.131 covered probability of failure analysis requirements for all launch and reentry vehicles. In the final rule, the FAA adopts proposed § 450.131 with minor revisions codifying current practices and eliminating the proposed classes of mishaps referenced in § 450.131.

Section 450.131(a) proposed that for each hazard and phase of flight, an FSA for a launch or reentry would be required to account for vehicle failure probability. The probability of failure would be required to be consistent for all hazards and phases of flight. For a vehicle stage with fewer than two flights, the failure probability estimate would be required to account for the outcome of all previous flights of vehicles developed and launched or reentered in similar circumstances. For a vehicle or vehicle stage with two or more flights, vehicle failure probability estimates would be required to account for the outcomes of all previous flights of the vehicle or vehicle stage in a statistically valid manner. The outcomes of all previous flights of the vehicle or vehicle stage would be required to account for data on any partial failure and anomalies, including Class 3 and Class 4 mishaps, as defined in proposed § 401.5. The FAA adopts § 450.131(a) as proposed with a minor change to the language pertaining to mishaps to reflect revisions to the definition of “mishap” in § 401.7. The FAA notes that the final rule replaced the term “partial failures” with “mishap” in § 450.131(a)(2) because the proposed language referenced both anomalies and mishaps, and “partial failure” is redundant since any partial failure could qualify as an anomaly or a mishap under § 401.7, depending on the nature of the failure.

Virgin Galactic commented that the proposed requirements to gather and account for anomaly data in the probability of failure analysis introduced additional workload compared to the current regulation. It recommended the FAA adopt a performance-based standard in an SNPRM.

The FAA does not agree that this requirement results in additional workload from current regulations. The FAA notes that the final rule requirement in § 450.101(g) is relevant here because it requires that a method must produce results consistent with, or more conservative than, the results available from previous mishaps, tests, or other valid benchmarks, such as higher-fidelity methods.[123] Hence, an operator has the option to use a more conservative approach to avoid any unnecessary additional workload. For example, an operator can assume one more failure than the actual outcomes of all previous flights of the vehicle or vehicle stage. Therefore, the FAA does not find that the requirements in the final rule constitute additional workload compared to current regulations.

Boeing requested clarification on what is meant by a “consistent” probability of failure in this section. The FAA clarifies that the vehicle or vehicle stage probability of failure must be consistent internally with outcomes of previous flights, as described in § 450.131(a)(1) and (a)(2). Furthermore, the probability of failure input data must be consistent for all phases of flight and hazards. In this context, “consistent” does not mean identical and does not preclude an operator from varying the probability of failure within statistical confidence limits for the same event in different contexts, in order to bias an analysis towards a conservative outcome.[124] The probability of failure input data should be reasonably conservative and consistent across phases of flight and for various hazards given the uncertainty in each probability of failure.

A hypothetical example is a proposed launch of a two-stage launch vehicle from both CCAFS and Vandenberg Air Force Base (VAFB). In this case, the best-available data indicates the mean conditional probabilities of a failure during the first and second stages of flight are both 50 percent, with plus or minus 10 percent uncertainty at a minimal level of confidence (e.g., 60 percent lower and upper bound confidence limits at 40 percent and 60 percent based on the binomial distribution).

Given the fact that the public exposure to hazardous debris effects for launches from VAFB is relatively high during stage one, and the opposite is true for launches from CCAFS, a consistent and reasonably conservative probability of failure analysis would use a 60-40 split in the conditional probability of failure during stage one and stage two flight for launches from VAFB, but a 40-60 split in the conditional probability of failure during stage one and stage two flight for launches from CCAFS. Furthermore, the conditional probability of a failure applied to different hazards, such as debris and toxics, must be consistent with each other. More details on means of compliance are provided in the High Fidelity FSA Methods AC published with this rule, and a future AC on probability of failure.

Leo Aerospace asked if the FAA would consider a balloon platform to be a stage.

The FAA will discuss project-specific information, including whether a balloon platform is part of a launch vehicle stage, during pre-application consultation.

Boeing, Blue Origin, and Sierra Nevada commented on the lack of availability of previous flight information for vehicles not operated or owned by the applicant.

The FAA responded to this comment in the FAA's “Responses to the Public's Clarifying Questions Received by July 12, 2019,” [125] which is posted in the docket. An operator should use the best-available data, which in many cases would be limited to publicly available data. The FAA will also provide data and guidance on failure mode and phase of flight allocations in the High Fidelity FSA Methods AC, which will be finalized with this rule.

In the final rule, the FAA replaces all references to Class 3 and Class 4 mishaps in § 450.131 with the term “mishap.” As previously noted, the FAA eliminates the proposed classes of mishaps in the revised definition of mishap in § 401.7 of the final rule.

In the NPRM, the FAA proposed that, for FSA purposes, a failure occurs when a vehicle does not complete any phase of normal flight or when any anomalous condition exhibits the potential for a stage or its debris to impact the Earth or reenter the atmosphere outside the normal trajectory envelope during the mission or any future mission of similar vehicle capability. It further stated that Class 1 or Class 2 mishaps would constitute failures.

Blue Origin commented that defining failure as not completing any phase of normal flight is “overly punitive” as proposed in § 450.131(b). Operators may define secondary mission objectives for research and development purposes that, if not achieved, do impact mission success but do not impact safety. Blue Origin proposed deleting the language “when a vehicle does not complete any phase of normal flight or” and anchoring the definition in impacts outside the normal envelope. Virgin Galactic recommended that the FAA should only account for failures, partial failures, and anomalies that affect public safety. Blue Origin also commented that including anomalies that might impact a future mission conflicts with the causal logic that an anomaly experienced on a given mission will be subject to corrective actions prior to the next mission.

The FAA understands the concerns raised by the commenters but finds it unnecessary to change the regulatory text to address these concerns. An operator may adjust its final failure probability estimates to account for various extenuating circumstances, as will be described in a future Probability of Failure Analysis AC. For example, the probability of failure may be adjusted based on extenuating circumstances with justification (e.g., if the failure is not public safety related or if corrective actions implemented after a failure were demonstrated to be successful). If an operator makes any adjustments to the final failure probability estimates to account for various extenuating circumstances, it can update its FSA in accordance with § 450.103(d).

The FAA notes that, for FSA purposes, the vehicle failure probability accounts for any failure of the launch or reentry system because of the way failure is defined in § 450.131(b). Specifically, for FSA purposes, a failure occurs when a vehicle does not complete any phase of normal flight or when any anomalous condition exhibits the potential for a stage or its debris to impact the Earth or reenter the atmosphere outside the normal trajectory envelope during the mission or any future mission of similar vehicle capability. Therefore, in the context of FSA, any failure of the launch or reentry system, including pilot error, that produced vehicle failure as defined in § 450.131(b) must be taken into account.[126]

Proposed § 450.131(c) defined “previous flight” by stating that the flight of a launch vehicle begins at a time when a launch vehicle normally or inadvertently lifts off from a launch platform and the flight of a reentry vehicle or deorbiting upper stage begins at a time when a vehicle attempts to initiate a deorbit. The FAA adopts § 450.131(c)(1) as proposed with a minor change. The FAA strikes the words “normally or inadvertently” as redundant, since any lift off, whether normal or inadvertent, would count as a flight under the proposed and final rule requirements in § 450.131(c)(1).

Boeing, Lockheed Martin, Northrop Grumman, ULA, and Virgin Galactic requested explanation on whether the proposed requirement in § 450.131(c) would apply to hybrid vehicles.

In the final rule, the FAA revises the regulatory text in response to these comments. The FAA changes “launch platform” to “surface of the Earth” as the point at which flight begins for a probability of failure analysis. This change reflects the fact that various types of vehicles, such as hybrids, do not lift off from launch platforms. The probability of failure analysis must account for the probability of failure during all phases of flight to ensure public safety, including captive carry, unless the exception in § 450.113(b) applies to that phase of flight. For example, an aircraft crash with a rocket attached can present much higher risks to the public from an explosion, toxic release, or inert impact, than the risks posed by an aircraft crash without a rocket attached.

For the purposes of § 450.131(c)(1) and (c)(2), a previous flight may include flights conducted outside FAA licensed activity, such as amateur, permitted, U.S. government, or foreign launches, reentries, or flights. For the purposes of § 450.131(c)(1) and (c)(2), a previous flight may include FAA-licensed activity, such as the Falcon 9 launch vehicle anomaly which destroyed the vehicle and its AMOS-6 payload,[127] if the outcome exhibited the potential for a stage or its debris to impact the Earth or reenter the atmosphere outside the normal trajectory envelope during the mission or any future mission of similar vehicle capability. The FAA also changes the word “deorbit” to “reentry” to accommodate a reentry that starts on a suborbital trajectory.

In the NPRM, § 450.131(d) proposed to require that a vehicle probability of failure be distributed across flight times and vehicle response modes. The distribution would be consistent with the data available from all previous flights of vehicles developed and launched or reentered in similar circumstances and data from previous flights of vehicles, stages, or components developed and launched or reentered by the subject vehicle developer or operator. As proposed, the data could include previous experience involving, among other things, a similar level of experience of the vehicle operation and development team members.

The FAA adopts § 450.131(d) with revisions. Specifically, the FAA changes “flight time” to “flight phase.” “Flight phase” gives applicants more flexibility in their analysis because it is less specific than “flight time.” The FAA also changes “vehicle response mode” to “failure mode,” consistent with similar changes throughout the final rule. Finally, the FAA replaces the phrase “launched or reentered” in § 450.131(d)(2) with “launched, reentered, flown, or tested.” This change will enable the probability of failure allocation across flight phases and failure modes to account for data from previous flights of vehicles, stages, or components by the subject vehicle developer or operator that did not qualify as launch or reentry operations, such as drop tests or glide flights. The FAA also revises “flight phases” and “failure modes” to be plural in the final rule. This amended language is a minor grammatical change and is consistent with the intent of the proposed requirement.

Virgin Galactic commented that the FAA should not employ a subjective measure of “level of experience” and requested this language be stricken.

The FAA asserts that this measure is not subjective. The High Fidelity FSA Methods draft AC contained specific quantitative thresholds that have been used for many years as guidelines to distinguish new versus experienced developers for the purposes of probability of failure analyses. Because the quantitative thresholds are in guidance, the FAA may consider other quantitative thresholds as appropriate. Furthermore, the data available from previous flights of ELVs developed by experienced and inexperienced operators demonstrates a statistically significant difference between the relative frequency of failures during the first and second phases of flight. Therefore, because the required input data may involve a similar level of experience of the vehicle operation and development team members, the final rule in § 450.131(d)(2)(iii) retains that consideration.

The FAA adopts the observed and conditional failure rate requirements in § 450.131(e) as proposed and the application requirements in § 450.131(f) with revisions. The FAA revises § 450.131(f)(1) to require that methods used in probability of failure analysis be in accordance with § 450.115(c) because that section sets out the requirements for FSA methodologies. In § 450.131(f)(2), the FAA changes the term “vehicle response mode” to “failure mode,” which is consistent with similar changes throughout this final rule.

t. Flight Hazard Area Analysis (§ 450.133)

In § 450.133, the NPRM proposed general requirements for the flight hazard area analysis as well as requirements specific to waterborne vessel hazard areas, land hazard areas, airspace hazard volumes, and the license application. In the final rule, the FAA adopts § 450.133 with revisions. The revisions include changing terms proposed in the NPRM and removing redundant requirements.

Proposed § 450.133(a) stated that an FSA would be required to include a flight hazard area analysis that identifies any region of land, sea, or air that would be required to be surveyed, publicized, controlled, or evacuated in order to control the risk to the public. A flight hazard area analysis would be required to account for all reasonably foreseeable vehicle response modes during nominal and non-nominal flight that could result in a casualty. The NPRM specified six items that would be required to be included in a flight hazard area analysis, at a minimum.

The FAA adopts § 450.133(a) with revisions. The FAA moves the requirement in § 450.133(a) that a flight hazard area analysis must account for all reasonably foreseeable vehicle response modes during nominal and non-nominal flight that could result in a casualty to § 450.133(a)(1). This text is also revised, as discussed below. The replacement of “vehicle response modes” with “failure modes” was discussed in the preamble section on § 450.101(c)(2).

In § 450.133(a)(1), the FAA proposed that the flight hazard analysis must account for the regions of land, sea, and air potentially exposed to debris impact resulting from normal flight events and from debris hazards resulting from any potential malfunction. The FAA revises proposed § 450.133(a)(1) by adding the term “hazardous debris” as discussed in the preamble section for § 450.121 (Debris Analysis). As defined, hazardous debris includes any object or substance capable of causing a casualty or loss of functionality to a critical asset, such as an intact vehicle, vehicle fragments, any detached vehicle component, whether intact or in fragments, payload, and any planned jettison bodies. The FAA also replaces “vehicle response mode” with “failure modes” for consistency throughout the final rule.

In § 401.7, the FAA modifies the definition of “flight hazard area” as applied to part 450. The NPRM proposed that flight hazard area means any region of land, sea, or air that must be surveyed, publicized, controlled, or evacuated in order to “protect public health and safety and the safety of property.” This language was inconsistent with the language in § 450.133. As such, in the final rule, the definition has been revised in § 401.7 for consistency to state that a flight hazard area is any region of land, sea, or air that must be surveyed, publicized, controlled, or evacuated in order to “ensure compliance with the safety criteria in § 450.101.”

Boeing, Lockheed Martin, Northrop Grumman, and ULA suggested replacing “all reasonably foreseeable” with “credible” because credibility is established in the system safety analysis. As discussed previously, the FAA does not agree with the recommendation because the term credible is prone to errors in judgment whereas the term foreseeable is more readily discerned by analysis (e.g., fault trees). The final rule moves the term “reasonably foreseeable” from proposed § 450.133(a) to § 450.133(a)(1), where it more appropriately modifies the language in § 450.133(a)(1) that specifies the analysis must account for the regions of land, sea, and air potentially exposed to hazardous debris generated during normal flight events and all reasonably foreseeable failure modes.

The FAA adopts § 450.133(a)(2) with a minor correction. The FAA replaces “control risk to any hazard” in the NPRM with “control risk from any hazard” in the final rule.

In § 450.133(a)(3), the FAA proposed that the analysis account for the limits of a launch or reentry vehicle's normal flight, including winds that were no less severe than the worst wind conditions under which flight might be attempted and uncertainty in the wind conditions. The FAA adopts § 450.133(a)(3) with revisions. The FAA changes “wind conditions” to “atmospheric conditions” because in some cases, such as far-field overpressure blast and toxics analyses, the temperature profile is an atmospheric condition that may also be stipulated as part of the flight commit criteria (in addition to the wind profile). This change does not create any additional burden to the operator because the proposed and final requirements in § 450.135(e)(1) and § 450.165(b)(2) already require an operator to account for and identify the conditions immediately prior to enabling the flight of a launch vehicle or the reentry of a reentry vehicle that are necessary to demonstrate compliance with the safety criteria in § 450.101, such as the atmospheric conditions and any meteorological conditions. The final rule in § 450.133(a)(3) clarifies that all atmospheric conditions are considerations when the operator establishes the worst conditions under which flight might be attempted.

In § 450.133(a)(4), the FAA proposed that the analysis account for the debris identified for each foreseeable cause of breakup, and any planned jettison of debris, launch or reentry vehicle components, or payload. The FAA adopts § 450.133(a)(4) with a revision. For reasons previously discussed, the FAA replaces this section with “all hazardous debris,” which uses the term defined in § 401.7 of the final rule. This revision does not change the intent of the requirement.

In § 450.133(a)(5), the FAA proposed that the analysis account for all foreseeable sources of debris dispersion during freefall, including wind effects, guidance and control, velocity imparted by breakup or jettison, lift, and drag forces. The FAA adopts § 450.133(a)(5) with revisions. In the final rule, the analysis must account for sources of debris dispersion in accordance with § 450.121(c). The FAA makes this revision to avoid replication of requirements between §§ 450.133(a)(5) and 450.121(c) and to ensure consistency in the FSA.

AOPA commented that the FAA should provide the public an authoritative source of flight hazard area information as well as guidance on various flight hazard area analysis methodology. The FAA is working on the NOTAM/Aeronautical Information Service (AIS) Modernization effort, which will redesign the current NOTAM management information system with a single technology gateway for entering, processing, and retrieving all NOTAM data, making it easier for all users of the airspace to access safety-critical information. The FAA finds that the issue raised by AOPA is best addressed by the NOTAM/AIS Modernization effort rather than this rulemaking. Industry can provide input on this effort through the Aeronautical Information Systems Coalition. Information regarding temporary flight restrictions (TFR) can be found at: https://tfr.faa.gov/tfr2/list.html and is searchable by the type of TFR being implemented. The FAA plans to complete the NOTAM/AIS Modernization effort by late 2022. In addition, an acceptable flight hazard area analysis methodology is addressed in the High Fidelity FSA AC.

Boeing, Lockheed Martin, Northrop Grumman, and ULA also provided suggested regulatory text that stated the airspace hazard volume was only necessary for airspace up to 60,000 feet mean sea level. The FAA agrees that the analysis only needs to account for reasonably expected air traffic in a given region, but, in order to account for operations in different regions, does not change the text to a specific altitude.

The FAA adopts § 450.133(b), (c), and (d) as proposed. Sections 450.133(b)(1), (c)(1), and (d)(1) state that flight hazard areas must be determined as necessary to contain, with 97 percent probability of containment, all debris resulting from normal flight events capable of causing a casualty to any person located on land, sea, or air. In the NPRM, the FAA explained that proposed § 450.133(b)(1), (c)(1), and (d)(1) would align FAA regulations with practices at the Federal launch or reentry sites by allowing operators to reduce or otherwise optimize the size of the regions for warnings of potential hazardous debris resulting from normal flight events.

Virgin Galactic stated that, given the currently available information and tools regarding debris, the 97 percent probability of containment requirement in proposed § 450.133(b)(1), (c)(1), and (d)(1) would result in inflated hazard area determinations. Boeing, Lockheed Martin, Northrop Grumman, and ULA commented on proposed § 450.133(b)(1) and suggested it reference current 3-sigma standards. Boeing stated that, given the new limitation on debris, changing from 99.7 percent to 97 percent containment appeared less safe.

The final rule retains the 97 percent containment requirement proposed in the NPRM. The FAA notes that the comments demonstrate a difference of opinion in the industry regarding the appropriate probability of containment requirement for flight hazard areas, with Virgin Galactic claiming the proposal would result in inflated hazard area determinations, as opposed to the other commenters calling for more stringent hazard area requirements to maintain public safety. The FAA finds the 97 percent containment requirement strikes an appropriate balance, particularly when coupled with the requirement to include the collective risk contribution from people in waterborne vessels in the public risk criteria in § 450.101. As noted in the NPRM, the FAA adopts flight hazard area regulations for waterborne vessels consistent with past waivers that the FAA granted to ensure they align with current practices at the Federal launch ranges, where most commercial launches take place currently. Recent experience from commercial and U.S. Government launch and reentry operations demonstrates that the requirements adopted eliminate unnecessary launch delays while ensuring that the overall level of safety provided to the public remains consistent with the public risk criteria in § 450.101. The FAA notes that the application of a risk management approach to ensure the safety of people in waterborne vessels is consistent with recommendations made by the National Academy of Sciences.[128] The FAA finds that public safety is not compromised by changing 99.7 percent containment to 97 percent containment because the overall public risk criteria must also be met, irrespective of the size of the hazard areas. From a policy perspective, the final rule approach to protect people in waterborne vessels achieves the goal of common standards for launches from any U.S. launch site, Federal or non-Federal. Both industry and the National Space Council have urged government agencies involved in the launch and reentry of vehicles by commercial operators to work towards common standards.

Boeing also requested clarification on how containment boxes for nominal impacts can use the same standard as hazard areas intended to contain debris in the much less likely event of a failure. The FAA notes that planned hazardous debris impacts must use a probability of 1 in the analysis in accordance with § 450.133(a)(6), while hazardous debris impacts due to a failure will have a probability applied as determined from the § 450.131 probability of failure analysis.

The FAA adopts § 450.133(b)(2), (c)(2), and (d)(2) as proposed. These sections use probability of impact contours or probability of casualty contours to meet the risk requirements in § 450.101 for sea, land, and air.

Blue Origin commented that the intent of these requirements seems to be to establish hazard areas for normal operations and mishaps, but the requirements do not explicitly state that the risk criteria applies to malfunction trajectories. Blue Origin proposed that the FAA should specify that risk contours should be conducted for malfunction trajectories.

The FAA notes the proposed requirement in § 450.133(a) that a flight hazard area analysis must account for all reasonably foreseeable vehicle response modes during nominal and non-nominal flight that could result in a casualty also specified that the risk contours required in proposed § 450.133(e)(2)(iii) through (v) must account for malfunction trajectories. However, the FAA revises the requirement to state in § 450.133(a)(1) that the flight hazard area analysis must account for the regions of land, sea, and air potentially exposed to hazardous debris generated during normal flight events and “all reasonably foreseeable failure modes,” which includes malfunction trajectories. In addition, the FAA revises the risk contour requirement in § 450.133(e)(2)(iii), which is explained below in the discussion on that requirement. The FAA notes that the High-Fidelity FSA Methods AC describes one acceptable methodology for flight hazard areas, which accounts for malfunction trajectories.

Virgin Galactic commented that requirements for waterborne vessels should also be in § 450.101. The FAA notes that the operator must meet individual and collective risk requirements, as stated in § 450.101. People on waterborne vessels are included in the collective and individual risk calculations. However, as explained in the NPRM, operators have the option to use the current approach in part 417 as a means of compliance, which requires surveillance to ensure no ship is exposed to more than 1 × 10⁻⁵ probability of impact, because that will be generally sufficient to ensure compliance with § 450.101.

In § 450.133(e)(1), the FAA proposed that the applicant submit a description of the methodology to be used in the flight hazard area analysis including all assumptions and justifications for the assumptions, vulnerability models, analysis methods, and input data. In the final rule, the FAA revises this requirement by adding that the analysis must be done in accordance with § 450.115(c) to avoid replication of requirements and ensure consistency throughout subpart C of part 450.

In § 450.133(e)(1)(i), the FAA proposed that an applicant provide input wind data and justification in the application. The FAA did not adopt this proposal in the final rule. Rather, the FAA deletes proposed § 450.133(e)(1)(i) because this application requirement is covered in § 450.117(c). Section 450.117(c) accounts for all atmospheric conditions that have an effect on the trajectory, including worst case atmospheric profile conditions under which flight might be attempted.

In § 450.133(e)(2), the FAA proposed that an applicant submit tabular data and graphs of the results of the flight hazard area analysis, including in § 450.133(e)(2)(iv) and (v) the following: if applicable, representative 1 × 10⁻⁵ and 1 × 10⁻⁶ probability of impact contours for all debris capable of causing a casualty to persons on a waterborne vessel regardless of location; and representative 1 × 10⁻⁶ and 1 × 10⁻⁷ probability of impact contours for all debris capable of causing a casualty to persons on an aircraft regardless of location.[129]

Blue Origin commented that, by requiring 1 × 10⁻⁶ and 1 × 10⁻⁷ risk contours for waterborne vessels and aircraft, respectively, the FAA was extending application requirements beyond those either currently codified in part 400 or proposed in part 450.

The FAA notes that, as stated in the NPRM preamble, these contours are necessary for the applicant to demonstrate to the FAA sufficient computational resolution and analysis fidelity for the results that are critical to public safety. Thus, the FAA declines to adopt the recommended change. For these reasons, the FAA adopts § 450.133(e)(2)(iv) and (e)(2)(v) as proposed.

In § 450.133(e)(2)(iii), the FAA proposed that an applicant would be required to submit representative individual probability of casualty contours regardless of location.

Virgin Galactic requested clarification on the meaning of the term “regardless of location.” Based on the context in proposed § 450.133(a), which required the flight hazard area analysis to identify any region of land, sea, or air that must be surveyed, publicized, controlled, or evacuated in order to control the risk to the public, the term “regardless of location” referred to whether the contours are on land, sea, or air. In the final rule, the FAA changes the term “regardless of location” to “for all locations specified in paragraph (a)” for more specificity. The FAA further specifies that “representative probability of casualty contours” must account for both neighboring operations personnel (at the 1 × 10⁻⁵ probability of casualty level) and other members of the public (at the 1 × 10⁻⁶ probability of casualty level). Hence, the requirement in § 450.133(e)(2)(iii) of the final rule specifies that representative individual probability of casualty contours include tabular data and graphs showing the hypothetical location of any member of the public that could be exposed to a probability of casualty of 1 × 10⁻⁵ or greater for neighboring operations personnel, and 1 × 10⁻⁶ or greater for other members of the public, given all foreseeable conditions within the flight commit criteria.

The FAA adds this explicit language to the application requirement to reflect what is necessary to demonstrate compliance with the substantive requirements for flight hazard area analysis as proposed in the NPRM and as set forth in the final rule. Specifically, the substantive requirements proposed in § 450.133(b)(2) and (c)(2), which required an operator to determine the areas of water and land where the individual probability of casualty for any person on a vessel or on land would exceed the criterion in § 450.101(a)(2) or (b)(2), would necessarily have required a demonstration consistent with the revised application requirements.

u. Debris Risk Analysis (§ 450.135)

In the NPRM, the FAA proposed to require that a debris risk analysis be performed to determine whether the individual and collective risk of public casualties meet the safety criteria in § 450.101. The debris risk analysis would be required to compute statistically-valid debris impact probability distributions using the input data produced by FSAs required in proposed §§ 450.117 through 450.133. In the final rule, the FAA adopts § 450.135 with revisions.

Proposed § 450.135(a) stated that a debris risk analysis would be required to demonstrate compliance with safety criteria in proposed § 450.101, either prior to the day of the operation, by accounting for all foreseeable conditions within the flight commit criteria or during the countdown using the best available input data. The FAA adopts § 450.135(a) with revisions. Specifically, the FAA adds in § 450.135(a)(2) that the “best available input data” used during the countdown must include any applicable “flight commit criteria and flight abort rules” if such controls are necessary to ensure compliance with the public risks as required in proposed and final § 450.165(b).

There is no additional burden on the operator due to the updated language in § 450.135(a)(2), because this requirement is consistent with the proposed requirements in §§ 450.135(e)(1) and 450.165(b)(2). An operator is required to account for and identify the conditions immediately prior to enabling the flight of a launch vehicle or the reentry of a reentry vehicle that are necessary to demonstrate compliance with the safety criteria in § 450.101, such as the atmospheric conditions and any other commit criteria. The final rule in § 450.135(a)(2) now explicitly acknowledges that a valid debris risk analysis must account for any applicable flight commit criteria and flight abort rules when the operator establishes if the present conditions produce public risks consistent with the safety criteria in § 450.101.

In § 450.135(b), the FAA proposed performance-based requirements to address the physical phenomena that influence the propagation of debris, which the analysis would be required to account for to compute the probability of impact of debris on people and critical assets. In the final rule, the FAA adopts and moves these requirements with revisions to § 450.121(c), as discussed in the section of this preamble on Debris Analysis. There were two reasons for moving the proposed propagation of debris requirements in § 450.135(b) to § 450.121(c). First, the computation of valid impact probability distributions is relevant to more than the debris risk analyses; for example, valid impact probability distributions are necessary for the development of flight hazard areas and the yield-probability pairs used as input to the far-field overpressure analysis. Second, although the relationships between the FSA sections are complex and interdependencies exist, the FAA sought to lay out the FSA requirements in a sequential order.

In § 450.135(c), the FAA proposed the features of a valid population exposure analysis. In the final rule, the FAA adopts and moves these requirements with revisions to § 450.123, as discussed in the preamble associated with that section. As noted, the FAA moved the population exposure analysis requirements out of the proposed debris risk analysis section because a population exposure analysis must also be used to provide input to other public risk analyses to address toxic hazards and far-field overpressure blast effects, if any. As discussed earlier, this is not an expansion of the scope because the NPRM identified the need for population exposure input to address toxic hazards for flight and far-field overpressure blast effects.

In proposed § 450.135(d), the FAA set forth the features of a valid casualty area and consequence analysis. Proposed § 450.135(d) stated that a debris risk analysis would be required to model the casualty area and compute the predicted consequences of each reasonably foreseeable vehicle response mode in any one-second period of flight in terms of CEC. The NPRM also specified that the contents of a casualty area and consequence analysis must account for, at a minimum, the items proposed in § 450.135(d)(1) through (d)(3).[130]

In the final rule, the FAA revises and re-designates the requirements proposed in § 450.135(d) to § 450.135(b). In addition, the FAA replaces the term “vehicle response mode” with “failure mode,” consistent with similar changes made throughout the final rule and discussed further in § 450.101(c)(2) of this preamble. The FAA also replaces the term “one-second period of flight” with “significant period of flight,” as discussed in the preamble section associated with high consequence event protection.

In the NPRM, the FAA included a definition of “casualty area” in § 401.5, defined as the area surrounding each potential debris or vehicle impact point where serious injuries, or worse, can occur. The FAA adopts this definition as proposed.

SpaceX commented the FAA should modify proposed § 450.135(d) to require that the casualty area and consequence analysis not only account for the items in proposed § 450.135(d)(1) through (d)(3) but also model them conservatively. The FAA notes that the term “account for” already includes using conservative data or assumptions for all inputs and results of an analysis, pursuant to § 450.101(g). Thus, this change would be redundant.

As previously discussed, the requirements for debris propagation in § 450.135(b) have been relocated in the final rule to § 450.121(c). As a result, the FAA adds a requirement in § 450.135(b)(2) that a casualty area and consequence analysis must account for statistically-valid debris impact probability distributions. This requirement is derived from the requirements in proposed § 450.135(b). The FAA notes that without statistically-valid impact probability distributions it would be impossible to compute the predicted consequences of each reasonably foreseeable failure mode in any significant period of flight in terms of conditional expected casualties, as required in proposed § 450.135(d) and § 450.135(b) of the final rule, because the consequence of any failure depends on the characteristics of the debris (such as the casualty area) predicted to impact exposed populations. Thus, the FAA finds the final rule is consistent with the NPRM in requiring this information as part of a debris risk analysis.

In the NPRM, the FAA proposed to require that the casualty area and consequence analysis account for any direct impacts of debris fragments, intact impact, or indirect impact effects, in proposed § 450.135(d)(2). It also proposed that the analysis account for the vulnerability of people and critical assets to debris impacts including all hazard sources, such as the potential for any toxic or explosive energy releases, in proposed § 450.135(d)(3)(ii) and indirect or secondary effects such as bounce, splatter, skip, slide or ricochet, including accounting for terrain, in proposed § 450.135(d)(3)(iii).

In the final rule, the FAA consolidates the three proposed requirements into § 450.135(b)(3). Section 450.135(b)(3) more simply states that the analysis must account for “any impact or effects of hazardous debris,” because the new definition of “hazardous debris” in § 401.7 reflects the scope of the NPRM requirements. In the final rule, the use of the defined term “hazardous debris” in § 450.135(b)(3) replaces the requirement in proposed § 450.135(d)(3)(ii) to account for all hazard sources, such as the potential for any toxic or explosive energy releases. It also replaces the requirement in proposed § 450.135(d)(2) to account for any direct impacts of debris fragments, intact impact, or indirect impact effects. Also, the final rule uses the phrase “any impact or effects” of hazardous debris to replace the proposed requirements to account for any direct or indirect effects, including indirect or secondary effects such as bounce, splatter, skip, slide, or ricochet, including accounting for terrain. The FAA's use of the defined term hazardous debris, discussed previously, allows for consistency throughout the final rule with regard to the scope of the FSA requirements. This revision does not change the scope of the proposed requirements because the definition includes the concept of all hazard sources and the direct impacts of debris fragments, intact impact, or indirect impact effects.

In the NPRM, the FAA required in proposed § 450.135(d)(3) that the analysis account for the vulnerability of people and critical assets to debris impacts. In the final rule, the FAA moves proposed § 450.135(d)(3) as § 450.135(b)(4) and strikes the reference to critical assets, as explained in the preamble section on critical assets. The FAA also re-designates and adopts proposed § 450.135(d)(3)(i) as § 450.135(b)(4)(i) in the final rule. As discussed, the proposed requirements in § 450.135(d)(3)(ii) and (d)(3)(iii) are captured in § 450.135(b)(3) in the final rule.

In the NPRM, the FAA proposed in § 450.135(d)(3)(iv) that the analysis must account for the effect of wind on debris impact vector and toxic releases. In the final rule, the FAA re-designates proposed § 450.135(d)(3)(iv) as § 450.135(b)(4)(ii). The FAA also revises the requirement so that the analysis must account for the effect of atmospheric conditions on debris impact and effects known to influence the vulnerability of people to hazardous debris impacts. For example, wind can typically have a pronounced effect on the debris impact vector as illustrated in the FAA FSA Handbook. In addition, other atmospheric conditions, such as the presence of a temperature inversion can have a significant effect on the vulnerability of people to toxic releases.[131]

The change from the proposed § 450.135(d)(3)(iv) implemented in the final rule in § 450.135(b)(4)(ii) does not create any additional burden to the operator because this requirement is consistent with the proposed requirements in §§ 450.135(e)(1) and 450.165(b)(2). An operator is required to account for and identify the conditions immediately prior to enabling the flight of a launch vehicle or the reentry of a reentry vehicle that are necessary to demonstrate compliance with the safety criteria in § 450.101, such as the atmospheric conditions and any meteorological conditions. Furthermore, given the proposed requirement in § 450.135(d)(vi) to account for the uncertainty in fragment impact parameters in assessing the vulnerability of people to debris impacts, an operator already would have contemplated the need to account for the effect of atmospheric conditions on debris impact effects now explicitly required under § 450.135(b)(4)(ii).

In the NPRM, proposed § 450.135(d)(3)(vi) specified that the analysis account for uncertainty in fragment impact parameters. In the final rule, the FAA re-designates proposed § 450.135(d)(3)(vi) as § 450.135(b)(4)(iv). The FAA also requires in the final rule that the analysis account for uncertainty in the input data, such as fragment impact parameters. Although the uncertainty in fragment impact parameters typically has a pronounced effect, it is conceivable that uncertainties in the input data more generally could affect the vulnerability of people to hazardous debris effects. The FAA finds these changes consistent with the proposed and final requirements in § 450.115(b)(1) that an operator's FSA method must have a level of fidelity sufficient to account for all known sources of uncertainty.[132]

In the NPRM, proposed § 450.135(e) listed the application requirements associated with the debris risk analysis, including the casualty area and consequence analysis. Proposed § 450.135(e)(1) required an applicant to submit a description of the methods used to compute the parameters required to demonstrate compliance with the safety criteria in proposed § 450.101, including a description of how the operator would account for the conditions immediately prior to enabling the flight of a launch vehicle or the reentry of a reentry vehicle, such as the final trajectory, atmospheric conditions, and the exposure of people and critical assets.

In the final rule, the FAA re-designates and adopts proposed § 450.135(e)(1) as § 450.135(c)(1) with revisions. The FAA removes the proposed requirement to submit a description of the methods “used to compute the parameters” required to demonstrate compliance with the safety criteria in § 450.101. Instead, the FAA replaces this requirement with a requirement to submit a description of the methods used to demonstrate compliance with the safety criteria in § 450.101, in accordance with § 450.115(c). This change is consistent with other FSA sections. Also, the FAA strikes the reference to critical assets as explained in the preamble section associated with critical assets.

In the NPRM, the application requirements in § 450.135(e)(2) addressed the methods used to compute debris impact distributions. In the final rule, the FAA moves proposed § 450.135(e)(2) to § 450.121(d)(3). Proposed § 450.135(e)(3) and (e)(4) addressed population exposure data. In the final rule, those requirements are moved to § 450.123(c). These changes are described in the preamble sections associated with those sections.[133]

The FAA moves the application requirements in proposed § 450.135(e)(8)(i) through (iii) regarding the collective and individual debris risk outputs to § 450.135(c)(5)(i) through (iii) and removes the proposed requirement to report critical asset results in § 450.135(e)(8)(iv), as discussed further in the critical asset section of this preamble.

The FAA revises and re-designates the application requirements in proposed § 450.135(e)(9) on the collective and individual debris risk outputs as § 450.135(c)(6). The FAA replaces the term “vehicle response mode” with “failure mode.” This revision is consistent with changes throughout the final rule. The FAA also changes the term “one-second interval” to “significant period,” as explained in the preamble section on CEC.

SpaceX commented that it was not clear why proposed § 450.135(e)(8) and (9) would require debris risk analysis to include both representative conditions and the worst foreseeable conditions, arguing that if the worst foreseeable conditions meet requirements, then representative conditions are of no consequence. The FAA responds that, for the purposes of § 450.135(c)(5) and (c)(6), worst foreseeable conditions means those conditions that produce the highest individual, collective, and conditional risks under which the operator would initiate the launch or reentry. An operator can submit the same debris risk analysis results for representative conditions and the worst foreseeable conditions in cases where there is no difference between representative conditions and the worst foreseeable conditions that are significant to public safety.

However, the FAA foresees the potential for situations where the differences between the representative conditions and the worst foreseeable conditions would require additional operational mitigations. An example would be running the debris risk analysis using input data for atmospheric conditions that lead to risks just below the limits set in § 450.101 (i.e., worst foreseeable conditions) and running the debris risk analysis using more typical atmospheric conditions that produce risks clearly below the limits. Under the worst foreseeable conditions, the collective risk results for people on land could be such that the operator would need to perform additional surveillance of areas to ensure the absence of waterborne vessels, whereas under representative conditions such surveillance would not be necessary to ensure compliance with collective risk limits in § 450.101(a)(1) and (b)(1). The FAA does not anticipate that there will be significant additional burden in providing the analysis for representative conditions.

v. Far-Field Overpressure Blast Effect Analysis, or Distant Focus Overpressure (DFO) (§ 450.137)

In the NPRM, § 450.137 proposed requirements for far-field overpressure blast effects analysis. Proposed § 450.137(a) required that a far-field overpressure blast effect analysis demonstrate compliance with safety criteria in proposed § 450.101 either prior to the day of the operation, accounting for all foreseeable conditions within the flight commit criteria, or during the countdown using the best available input data. In the final rule, the FAA adopts § 450.137(a) with one revision.

The final rule in § 450.137(a)(2) specifies that far-field overpressure analysis performed during the countdown using the best available input data must also include flight commit criteria and flight abort rules. The FAA notes that the best available input data specified in proposed § 450.137(a)(2) would naturally include flight commit criteria and flight abort rules because those would generally have a significant influence on the public risks posed by hazardous debris effects. Hence, the phrase “including flight commit criteria and flight abort rules” is consistent with the requirement for a debris risk analysis in § 450.135(a)(2).

Virgin Galactic commented that § 450.137(a)(1) appeared to require an FSA the day before launch for the portion of its launches involving its carrier aircraft's captive carriage of the spaceship. Virgin Galactic expressed a concern about the operational impact and additional workload of a day of launch analysis. Microcosm requested clarification on whether the regulations required a day of launch analysis if meteorological conditions did not present an environment conducive to far-field overpressure.

Section 450.137(a)(1) does not require a full FSA the day before launch. Instead, § 450.137(a) requires the far-field overpressure blast effect analysis be performed either as a “screening” analysis prior to the day of the operation, accounting for all foreseeable conditions within the flight commit criteria, or during the countdown using the best available input data. The requirement in § 450.137(a)(1) does not have a time constraint for when the “screening analysis” must be completed. In response to Microcosm's comment, the FAA notes that, in order to determine that local meteorological conditions do not present an environment conducive to far-field overpressure, an operator would necessarily be required to perform an analysis under § 450.137(a)(1). As such, § 450.137(a)(1), as proposed and adopted without change, allows an operator to demonstrate that a far-field overpressure analysis need not be performed during the countdown if the flight commit criteria are sufficient to ensure compliance with § 450.101.

In the NPRM, the FAA proposed requirements associated with analysis constraints in § 450.137(b) that set required performance outcomes and the specific factors that a far-field overpressure blast effect analysis must consider. Blue Origin commented that the proposed requirements in § 450.137(b) were prescriptive. The FAA agrees that the proposal was unnecessarily specific in § 450.137(b)(3) through (5) and revises these requirements.

In the NPRM, § 450.137(b)(3) proposed that the analysis account for the explosive capability of the vehicle at impact and at altitude, and potential explosions resulting from debris impacts, including the potential for mixing of liquid propellants. In the final rule, the FAA revises the language in proposed § 450.137(b)(3) and relocates it to § 450.137(b)(1) to reflect the order in which the FAA expects the analysis will be conducted. As rewritten, § 450.137(b)(1) in the final rule requires the analysis to account for the explosive capability of the vehicle and hazardous debris at impact and at altitude. As discussed previously, the FAA uses the definition for “hazardous debris” to reflect the scope of the NPRM requirements. The final rule also removes the phrase “potential for mixing of liquid propellant” because it is redundant with “explosive capability,” which is already included in the requirement. The FAA has also removed reference to solid propellant impacts because they are part of the explosive capability.

In the NPRM, proposed § 450.137(b)(1) required that the analysis account for the potential for distant focus overpressure or overpressure enhancement given current meteorological conditions and terrain characteristics. In the final rule, the FAA re-designates proposed § 450.137(b)(1) as § 450.137(b)(2). The FAA also requires in § 450.137(b)(2) that the analysis must account for the influence of meteorological conditions and terrain characteristics. The FAA notes meteorological conditions are known to have a potentially substantial influence on the propagation and attenuation of blast waves with peak incident overpressures at or below 1.0 psi. In the final rule, the FAA removes the reference to current meteorological conditions in proposed § 450.137(b)(1) to reflect that an applicant may use a screening analysis pursuant to § 450.137(a)(1) to demonstrate additional analysis is not required by accounting for all foreseeable conditions within the flight commit criteria.

In the NPRM, proposed § 450.137(b)(2) required that the analysis account for the potential for broken windows due to peak incident overpressures below 1.0 psi and related casualties. In the final rule, the FAA re-designates proposed § 450.137(b)(2) as § 450.137(b)(3) and adds the essential elements from proposed § 450.137(b)(4) through (b)(6). Those sections contained unnecessary details regarding shelter types, time of day, characteristics of potentially affected windows including size, location, glazing material, and characteristics of potential glass shards.

Section 450.137(b)(3) removes these details and captures the concept of the requirements proposed in § 450.137(b)(4) through (b)(6) by adding language to reflect that the potential for broken windows due to peak incident overpressures below 1.0 psi and related casualties must “be based on the characteristics of exposed windows and the population's susceptibility to injury, with considerations including, at a minimum, shelter types, window types, and the time of day of the proposed operation.”

Blue Origin commented that the constraints could be accomplished by an analysis tool available only to the government. The FAA disagrees that the far-field overpressure analyses can only be accomplished using a tool available to the U.S. government. Currently available materials contain a detailed technical description of a valid approach.[134] Furthermore, the FAA confirms that the analysis tool in use by the U.S. government has been used by the U.S. commercial space transportation industry at non-Federal sites as well.

The FAA adopts § 450.137(c) with only two minor modifications. In the NPRM, § 450.137(c)(6) explicitly identified that an applicant would be required to submit the analysis results given foreseeable meteorological conditions, yields, and population exposures.

In the final rule, § 450.137(c)(6) requires that the application include the individual risk data given foreseeable conditions. The FAA also revises § 450.137(c)(7) in this manner. The FAA notes generally that the same elements of the foreseeable conditions listed in the NPRM influence the results of the far-field overpressure blast effects analysis. Thus, the reworded final rule maintains the same scope and intent of the NPRM application requirements. The FAA adds this language because the proposal was unnecessarily limited.

w. Toxic Hazards (§§ 450.139 and 450.187)

In the NPRM, the FAA proposed to consolidate requirements for toxic release analysis into two performance-based regulations: §§ 450.139 (Toxic Hazards for Flight) and 450.187 (Toxic Hazards Mitigation for Ground Operations). Although the two proposed sections contained a number of similarities, the FAA divided them into two sections because ground operations and flight operations had different proposed criteria to establish an acceptable level of public safety.

Proposed §§ 450.139(a) and 450.187(a) made the sections applicable to any launch or reentry vehicle, including all vehicle components and payloads, that use toxic propellants or other toxic chemicals.

Virgin Galactic requested that the FAA create an exception to §§ 450.139 and 450.187 for carrier aircraft on hybrid systems that already possess a standard airworthiness certificate or experimental airworthiness certificate from FAA, as these aircraft most commonly carry jet fuel. Virgin Galactic commented that, although jet fuel may be considered a toxic substance, it is carried by thousands of aircraft every day and thus performing a toxic release hazard analysis for jet fuel would not have a material effect on public safety.

The FAA acknowledges that, historically, no toxic release hazard analysis has been required for kerosene-based fuels, such as jet fuel, and agrees that such an analysis would be unnecessary in most instances. Therefore, in the final rule, the FAA revises the applicability language in §§ 450.139(a) and 450.187(a) to create an exception from the toxic release hazard analysis for kerosene-based fuels unless the Administrator determines that an analysis is necessary to protect the public safety. The FAA anticipates that such an analysis will be required for uses of kerosene-based fuels that are novel or inconsistent with standard industry practices. The FAA will work with operators during pre-application consultation to identify any kerosene-based propellants requiring a toxic release hazard analysis under §§ 450.139 or 450.187.

Proposed § 450.139(b) required an operator to conduct a toxic release hazard analysis and manage the risk of casualties from exposure to toxic release either through containing hazards in accordance with proposed § 450.139(d) or by performing a toxic risk assessment, under proposed § 450.139(e), that protects the public consistent with the safety criteria proposed in § 450.101. Furthermore, proposed § 450.139(b)(3) required an operator to establish flight commit criteria based on the results of its toxic release hazard analysis, containment analysis, or toxic risk assessment for any necessary evacuation of the public from any toxic hazard area. The FAA adopts § 450.139(b) as proposed.

In the NPRM, paragraph (b) was inadvertently omitted from the regulatory text to § 450.187; however, the preamble discussed that proposed § 450.187(b) would, like proposed § 450.139(b), require an operator to manage the risk of casualties from exposure to toxic release by either containing the hazards or performing a toxic risk assessment. The preamble stated that for ground operations, an operator using a toxic risk assessment must demonstrate compliance with proposed § 450.109(a)(3), rather than § 450.185(c).[135] The FAA adds paragraph (b) to § 450.187 in the final rule. As discussed later in this section, the FAA revises the toxic risk assessment criteria for ground operations by replacing the reference to proposed § 450.109(b)(3) with a reference to § 450.185(c). The FAA also revises § 450.139(b)(3) to refer to “toxic containment,” rather than a “toxic containment analysis,” as this term does not appear in the regulation.

Proposed §§ 450.139(c) and 450.187(b) set forth the requirements for toxic release hazard analysis. The FAA adopts the substance of those provisions in the final rule, but re-designates proposed § 450.187(b) as § 450.187(c), to account for the addition of new § 450.187(b).

As noted, §§ 450.139(b) and 450.187(b) in the final rule require an operator to manage the risk of casualties that could arise from the exposure to toxic release through toxic containment or by using a toxic risk assessment. Toxic containment, as proposed in §§ 450.139(d) and 450.187(c), required an operator to manage the risk of casualty from the exposure to toxic release either by evacuating, or being prepared to evacuate, the public from a toxic hazard area, or by employing meteorological constraints. In either scenario—evacuation or employment of meteorological constraints—the operator would be required to demonstrate that an average member of the public would not be exposed to greater than one percent conditional individual probability of casualty in the event of a worst-case release or maximum credible release scenario. The FAA received a formal comment from NASA during the interagency review on proposed § 450.139(d) and § 450.187(c). The FAA revised these provisions in the final rule consistent with the updated definition of toxic hazard area described below. Specifically, § 450.139(d)(1) and § 450.187(c)(1) require an operator using toxic containment to manage the risk of casualty from the exposure to toxic release either by evacuating, or being prepared to evacuate, the public from any toxic hazard area. These revisions are consistent with current practice. The FAA also re-designates proposed § 450.187(c) as § 450.187(d) to account for the addition of new § 450.187(b).

The FAA proposed to define “toxic hazard area” in § 401.5 (§ 401.7 in the final rule) as “a region on the Earth's surface where toxic concentrations and durations may be greater than approved toxic thresholds for acute casualty, in the event of a release during launch or reentry.”

In the final rule, the FAA revises the proposed definition of “toxic hazard area” to include the language from proposed §§ 450.139(d) and 450.187(c) regarding “a worst-case toxic or maximum credible release scenario.” Thus, in the final rule, a “toxic hazard area” means “a region on the Earth's surface where toxic concentrations and durations may be greater than accepted toxic thresholds for acute casualty in the event of a worst-case toxic or maximum credible release scenario during launch or reentry.” The FAA revises this definition to ensure that the toxic hazard area is consistent whether the operator performs a toxic risk assessment or toxic containment. The revised definition of “toxic hazard area” is consistent with the approach taken in current regulation in Appendix I to part 417 under I417.5(c), which directly links the toxic concentration thresholds to the size of the toxic hazard area. The FAA anticipates that the toxic concentration thresholds used in an accepted means of compliance for §§ 450.139 and 450.187 will generally be consistent with those in Appendix I to part 417 under I417.5(c).

The final rule's requirements for a toxic risk assessment under § 450.139(e) are unchanged from the proposal. A toxic risk assessment must meet the safety criteria of § 450.101 and account for: Airborne concentration and duration thresholds of toxic propellants or other chemicals; physical phenomena expected to influence any toxic concentration and duration; the toxic hazard area and the meteorological conditions involved; and all members of the public that may be exposed to the toxic release.

In the final rule, § 450.187(e), which contains the requirements for a toxic risk assessment for ground operations, includes one revision from the proposal. As mentioned, proposed § 450.187(d) required an operator using toxic risk assessment to manage the risk from any toxic release hazard and demonstrate compliance with the criteria in § 450.109(a)(3). The FAA replaces the reference to proposed § 450.109(a)(3) with a reference to § 450.185(c) because the flight hazard analysis risk criteria were removed from § 450.109. The standard in § 450.185(c) is the same as in proposed § 450.109(a)(3); therefore, there is no substantive change in the criteria. As a result, an operator complies with the requirements for a toxic risk assessment by demonstrating no more than an extremely remote likelihood of toxic exposure causing death or serious injury to the public, using toxic concentration and duration thresholds accepted by the Administrator as a means of compliance.

In the final rule, the FAA amends the application requirements proposed in §§ 450.139(f) and 450.187(e). Although proposed §§ 450.139(d) and 450.187(c) detailed the two ways in which an operator could perform toxic containment, the NPRM did not specify how an operator would demonstrate compliance with the toxic containment requirements in their application. In the final rule, the FAA adds an application requirement for toxic containment, in §§ 450.139(f)(8)(i) and 450.187(f)(8), which reflects the substantive requirements for performing toxic containment. That is, if toxic containment is selected, the applicant must identify the evacuation plans or meteorological constraints and associated launch commit criteria or ground hazard controls that it will employ to ensure that the public will not be within a toxic area in the event of a worst-case or maximum credible release scenario. The FAA notes that an applicant will need to submit the information required by this subsection in order to demonstrate compliance with the substantive requirements for toxic containment in §§ 450.139(d) and 450.187(c).

The FAA revises the application requirements, in §§ 450.139(f)(8)(ii) and 450.187(f)(9), to reflect the substantive requirements of toxic risk assessment. If a toxic risk assessment is performed, then the applicant must account for the public that may be exposed to airborne concentrations above the toxic concentration and duration thresholds, describe any risk mitigations applied in the toxic risk assessment, describe the population exposure input data used in accordance with § 450.123 (Population Exposure Analysis), and demonstrate compliance with the applicable public risk criteria (for flight, the risk criteria in § 450.101; for ground operations, the risk criteria in § 450.185(c)). Lastly, the FAA replaced the term “population density” with “population characteristics” in § 450.139(f)(8)(ii)(2) and § 450.187(f)(9)(ii) because characteristics other than density (e.g., vulnerability of population) would be relevant to assessing potential effects of toxic release, as indicated by the Population Exposure Analysis criteria in § 450.123.

Blue Origin commented that toxic risk analysis tools were not currently available to operators, and that, unless the FAA facilitated access to these tools, a sole-source provider of this service may arise. One individual commenter asked what dispersion models were acceptable to the FAA and commented that the FAA should provide specific examples of allowable and acceptable toxic release and dispersion mitigations.

The FAA disagrees that the tools needed to analyze risks associated with a potential release of toxic substances during launch or reentry are not currently available to operators. However, the FAA will issue an AC entitled, “Toxic Hazards for Flight,” that will provide guidance and examples of publicly available tools for conducting the required toxic release hazard analyses, as well as a toxic risk assessment and toxic containment. This guidance will include information on:

  • Determining the airborne toxic concentration threshold or level of concern (LOC) for each toxic propellant or toxic combustion by-product;
  • Determining the worst-case quantity of any toxic release that might occur during the proposed flight of a launch vehicle, or that might occur in the event of a flight mishap;
  • Determining the worst-case quantity of any toxic release that might occur during normal launch processing, and that might occur in the event of a mishap during launch processing;
  • Characterizing the terrain, as a precursor for modeling the atmospheric transport of a toxic release from its source to downwind receptor locations;
  • Determining the meteorological conditions for the atmospheric transport of any toxic release from its source to downwind receptor locations;
  • Performing air quality dispersion modeling to predict concentrations at selected downwind receptor locations (by characterizing the atmospheric processes that disperse a toxic substance emitted by a source); and
  • Determining the population density in receptor locations that could potentially be identified by air quality dispersion modeling as toxic hazard areas.[136]

x. Computing Systems (§ 450.141)

In the NPRM, the FAA proposed in § 450.111 (Computing Systems and Software) to require operators to develop a process that identifies and assesses hazards to public safety and the safety of property arising from computing systems and software. Operators would have needed to identify all safety-critical functions associated with their computing systems and software and to classify software based on degree of autonomy. In the NPRM, software safety requirements would have increased in rigor with the rise in the degree of autonomy of the software. Conversely, software safety requirements would have decreased in rigor with reductions in the software's degree of autonomy.

In the final rule, the FAA revises proposed § 450.111 and re-designates it as § 450.141 (Computing Systems). Although the scope of the requirements for operators under § 450.141 does not differ substantially from the proposed version, the FAA replaces prescriptive requirements with performance-based standards and provides increased flexibility for operators to demonstrate compliance with § 450.141. The final rule levies requirements for computing system safety items in proportion to their criticality rather than their autonomy; requires independent verification and validation for safety-critical computing system safety items; and retains the NPRM's focus on development and testing processes instead of direct inspection of software by the FAA. The FAA removed the term, “software,” from the section heading since “computing systems” would include software. The FAA also removes the definition of “control entity” proposed in § 401.5 because the term is no longer used in the final rule.

A number of commenters stated the requirements proposed in § 450.111 were overly prescriptive or difficult to meet. SpaceX stated that the proposed software process would be more burdensome and costly for applicants than it had been under current regulations and would prevent applicants from utilizing safer methods to construct a safety case. Blue Origin and SpaceX argued the proposed requirement would hinder technological advances that could improve safety. Blue Origin stated the proposal threatened innovation towards lower cost, higher quality, and safer software approaches, but did not specify the approaches that would be impeded by the NPRM. Rocket Lab similarly asserted that the proposal would hinder the development of software for FSS, the automation of which is currently a major area for innovation. Rocket Lab commented that the proposal did not allow flexibility to use other means of functional system safety from equivalent industries or government standards, and that the requirements would become quickly outdated as software technologies and best practices evolve. CSF also viewed the proposal as highly prescriptive and uneconomical for the FAA or for industry.

CSF and SpaceX specifically rejected the degree of autonomy approach proposed in § 450.111, noting that human involvement did not always produce a safer system. CSF suggested the FAA scale the levels of rigor based on hazard effects and architectural mitigations. Virgin Galactic stated that software need not be categorized by levels of consequence and degrees of control if the software development process was linked to a system safety program.

The FAA agrees that some of the requirements proposed in § 450.111 were too prescriptive, potentially overly burdensome, and could have the effect of discouraging technological innovation to improve safety.[137] The FAA also agrees with the commenters' discussion of the limitations of autonomy as a criterion for level of rigor. In the final rule, the FAA revises the requirements for computing systems, which are now located in § 450.141 to address the commenters' concerns. Section 450.141 scales level of rigor for computing system requirements based on system-level criticality rather than on degree of autonomy, and is designed to parallel the requirements of computing system safety responses to the existing regulations. The existing regulations require plans for software development and validation and verification plans but remain silent on the acceptable content of those plans. The final rule requirements are designed to align with current software safety submissions. The FAA also removes prescriptive requirements from § 450.141, as detailed in the following paragraphs, to increase flexibility in application to current and future computing system designs.

Section 450.141 requires the identification and assessment of the public safety-related computing system requirements, functions, and data items, in order to streamline the evaluation of computing system safety. The final rule retains the requirement proposed in § 450.111 to identify and assess the public safety implications of computing systems, which derives from the current requirements in §§ 417.123(a) and 431.35(c) to perform this assessment as part of a system safety process. The explicit identification of the public safety related aspects of computing systems enables a reduction in the scope of FAA's evaluation compared to the current regulations.

In the final rule, § 450.141(a) requires an operator to identify computing system safety items, meaning any software or data that implements a capability that could present a hazard to the public, and the criticality of each computing system safety item, commensurate with its degree of control over hazards to the public and the severity of those hazards. For purposes of this section, a computing system safety item is any item that is a computing system or software that has some degree of control over hazards to the public; a computing system that is either a cause of or a mitigation for a hazard that can affect the public. Computing system safety items include not only software, but also software elements, including data, and interfaces that present or control risks to the public (e.g., software/hardware interfaces, and software/human interfaces). The FAA uses the term “computing system safety item” in order to provide a clean interface between software safety, which controls risks due to flaws in logic, and system safety, which controls risk. Software runs on hardware in response to commands and inputs, so a computing system safety item is often more than just software. “Level of criticality” here means the combination of a computing system safety item's importance in the causal chain for a given hazard, which is commensurate to its degree of control, and the severity of that hazard. Computing system safety items that are more influential on a causal chain for a hazard of a given severity would be subject to a proportionally higher level of rigor in development and testing. The degree of control may be evident in (1) a system's tolerance to a given computing system fault, (2) the computing system's autonomy in causing or preventing a hazard, (3) the number and characteristics of other system faults or failures required for the hazard to manifest itself, or (4) some other measure devised by the applicant.

The requirement proposed in § 450.111(c) to allocate development process rigor according to degree of autonomy has been replaced with the requirement in § 450.141(a)(2) to use system-level criticality to set the minimum level of rigor in developing and testing each computing system safety item. The FAA agrees with the comments received on the shortcomings of allocation by degree of autonomy and the recommendation to use a system safety approach to computing system safety. System safety allocates level of rigor according to the criticality of each item in the system, and the revised regulation aligns software and computing system level of rigor allocation with system safety's level of rigor allocation, erasing a difference between the two safety analyses.[138] For some systems, system-level criticality and degree of autonomy will produce the same or similar allocations of rigor in computing system development. An applicant can propose to use degree of autonomy as a proxy for system-level criticality based on that similarity, as it is an industry standard method of determining level of rigor allocation. This revision achieves the objective stated in the NPRM of tailoring safety requirements based on criticality but eliminates the prescriptive criticality levels proposed in the NPRM. The criticality of each computing system or function must be assessed at the system level so the applicant can clearly demonstrate to the FAA how the system uses computing systems and the influence of each computing system safety item on public safety.

Section 450.141(b) requires an operator to develop safety requirements for each computing system safety item. A safety requirement specifies the implementation of one or more public safety-related functions, capabilities, or attributes in a computing system safety item. The FAA notes that it uses the phrase “safety requirements” in the final rule differently than it did in the NPRM. In the NPRM, “software safety requirements” referred to regulatory requirements for software. In § 450.141 of the final rule, “safety requirements” means computing system requirements that specify computing system attributes or functionality that have public safety significance. Identification of this subset of computing system requirements related to public safety is essential to focus an operator's safety efforts on those parts of the computing system safety item that have public safety consequences. It will also streamline the scope and depth of data required of applicants and the FAA's evaluation process relative to current requirements, to the same extent as proposed § 450.111.

Section 450.141(b)(1) requires an operator to identify and evaluate safety requirements for each computing system safety item. Safety requirements are the subset of requirements that define features, capabilities, or behaviors that have public safety implications. This identification and evaluation process may identify new computing system safety items if safety requirements are identified for items that did not previously have known safety requirements.

Section 450.141(b)(2) requires an operator to ensure the safety requirements are complete and correct. A computing system requirement set is complete if it contains all of the requirements necessary to specify all of the functions and attributes needed for the computing system to perform its required tasks. A computing system requirement is correct if it specifies the correct functionality or attributes for the item to perform its intended system-level functions. This can be accomplished as part of an applicant's normal software and computing system requirement review process. The FAA does not require the applicant to conduct a separate public safety-specific review, provided the applicant's computing system requirement review process accomplishes the intent of § 450.141(b)(2).

Section 450.141(b)(3) requires an operator to implement each safety requirement. That is, the safety requirements reviewed in accordance with § 450.141(b)(2) must be built into the system for verification in § 450.141(b)(4). Requirements are normally implemented by operators, and no special implementation process is required for safety requirements.

Section 450.141(b)(4) requires that the applicant verify and validate the implementation of each safety requirement using a method appropriate for the level of criticality of the computing system safety item. Computing system requirements are normally verified and validated by a combination of testing, analysis, and inspection. The NPRM proposed to require specific testing and verification methods that have not been retained in the final rule due to the removal of specific criticality levels for software. The final rule allows sufficient flexibility for operators to implement methods and levels of rigor appropriate for their operations. For example, a development process that traces from computing system requirements to verification and validation evidence is necessary but may not be the only process for adequate verification and validation; a process that traces from verification and validation tests to the intended computing system functionality may be more appropriate for third-party products. Operators may use many different processes that accomplish traceability as long as the process demonstrates that the verification and validation evidence is sufficient to verify and validate all of the computing system safety requirements.

Section 450.141(b)(4) further specifies that, for each computing system safety item that meets the definition of “safety critical” in § 401.7, verification and validation must include testing by a test team independent of the development division or organization. As defined in § 401.7, a safety-critical item means a system, subsystem, component, condition, event, operation, process, or item, whose proper recognition, control, performance, or tolerance, is essential to ensuring public safety. A safety-critical computing system safety item is a computing system safety item of which proper recognition, control, performance, or tolerance is essential to ensuring public safety. As described in the NPRM, the FAA uses the term “independent” to designate a verification and validation group that has substantial and credible independence from the development team. This independent group has a separate personnel structure through at least senior leadership, operates under distinct performance, technical, schedule, and incentive pressures, and has the latitude to develop and test requirements independently. This independent verification and validation group can be a third party or an in-house group but in either case must have the technical, managerial, schedule, and incentive independence [139] to carry out its functions without undue pressure from the development team. The requirement for independent verification and validation of safety-critical computing system safety items is broadly aligned with current practices for verification and validation. Specifically, the minimum expectation is that safety-critical computing systems, such as autonomous FSS, are subjected to a level of verification and validation rigor that can only be achieved by verification and validation staff that are independent of the development organization.

The requirement in proposed § 450.111(b) to identify all safety-critical functions involving software is revised and included in § 450.141(b) of the final rule. Section 450.141(b) requires the applicant to identify all safety requirements performed by computing system safety items, check that the safety requirements are complete and correct, implement the safety requirements, and verify and validate their implementation including independent verification and validation for safety-critical computing system safety items. These regulatory requirements have the net effect of identifying all safety-critical functions involving computing systems, since safety requirements necessarily include all safety-critical functions, capabilities, and attributes of computing systems.

Section 450.141(c) requires operators to implement and document a development process for computing system safety items identified in § 450.141(a) appropriate for the level of criticality of the computing system safety item. The requirement to implement and document such a development process for all computing system safety items is substantially similar to both existing rules and the requirements proposed in § 450.111, except in the final rule the requirement is no longer contained in separate subsections for each level of autonomy (proposed § 450.111(d) through (g)). As explained in the NPRM preamble, the FAA needs to understand the computing system development processes used for each computing system safety item, relative to its effect on public safety, in order to assess computing system safety. The final rule calls for a development “process,” rather than a “plan,” that achieves the same objectives key to a development plan but affords applicants greater flexibility to structure their processes as needed to satisfy § 450.141(c). Operators need not employ a separate development process for each computing system item. However, the development process must be appropriate to the level of criticality of each computing system safety item to which it is applied, and must satisfy the criteria listed in § 450.141(c), at a minimum.

In order to demonstrate that a development process is appropriate to the level of criticality of each computing system safety item, an operator would need to identify the tasks associated with each safety item, along with its processes for reviewing, verifying, and validating computing system safety requirements. Section 450.141(c)(1) requires a development process to define responsibilities for each task associated with a computing system safety item. This requirement derives from the requirement proposed in § 450.111(d)(5) for a software development plan; in order to be acceptable, the development process must assign responsibilities for its execution. This requirement intends to ensure that development tasks for computing system safety items are carried out by defined personnel in the organization, though not necessarily individuals by name.

Under § 450.141(c)(2), a development process must include processes for internal review and approval, including review that evaluates the implementation of all safety requirements, such that no person approves their own work. This is consistent with proposed § 450.111(d)(4), which required independent verification and validation, and proposed § 450.111(d)(5)(i), which required coding standards. Neither of those requirements could be met in absence of a review and approval process that meets § 450.141(c)(2) of the final rule, since acceptable performance of those tasks inherently includes review and approval by a person independent of those who did the work. Software and computing system development is a complex set of actions, and some subsets of those actions are milestones that require review and approval. This requirement means that those reviews and approvals must have some degree of independence such that no person approves their own work, and requires that the minimum set of reviews and approvals contains reviews of the implementation of safety requirements. This association is defined by generation, such as code written to implement a safety requirement, or by interaction, such as code that must function in order for a safety requirement to be met. Code reviews conducted to meet this requirement need not be single events but may be modularized in a manner similar to the code itself as long as comprehensive understanding is communicated between modular reviews. Computing system development efforts that use pre-commit and post-commit reviews to conduct a modularized code review process could meet § 450.141(c)(2). The intent is that code developed to implement safety requirements should be checked by at least one independent technical reviewer prior to its release.

Section 450.141(c)(3) requires the operator to ensure that development personnel are trained, qualified, and capable of performing their roles. This is consistent with § 450.111(d)(5)(i) of the NPRM, which required coding standards, which are an implicit part of the training of development personnel. The final rule makes this implicit requirement in the NPRM explicit. Personnel responsible for public safety tasks must have training and experience that enables them to discharge their responsibilities effectively. In its application review, the FAA does not intend to verify the qualifications of individual development personnel, but rather to verify that the operator has a process in place to put appropriately-trained and experienced personnel in public safety roles.

Section 450.141(c)(4) requires a development process to define processes that trace requirements to verification and validation evidence. This requirement is a performance criterion that was implicit in the proposed § 450.111(d)(5) software development plan; FAA is making this criterion explicit and performance-based in the final rule to address commenters' concerns. Traceability from computing system requirement to verification and validation evidence significantly streamlines computing system safety evaluations by connecting the requirements that define a computing system's capabilities to evidence of their implementation. Importantly, this requirement applies to all requirements for computing system safety items, as a lack of rigor in managing requirements on any computing system safety item is an opportunity for undocumented or unintended computing system safety requirements to be introduced into the system.

Section 450.141(c)(5) requires a development process to define processes for configuration management that specify the content of each released version of a computing system safety item. This requirement is a performance-based version of proposed § 450.111(d)(5)(ii), which required configuration control. Configuration management at this level of performance is the baseline expectation for any computing system safety item because a known configuration with a known history is required to provide adequately for safety. The revised requirement contains the performance criteria that were implicit in the NPRM.

Section 450.141(c)(6) requires a development process to define processes for testing that verify and validate all safety requirements to the extent required by § 450.141(b)(4). This means that safety requirements must be tested in a manner consistent with their level of criticality. The FAA removed a prescriptive requirement proposed in the NPRM for testing on flight-like hardware [140] to increase flexibility. The FAA requires verification and validation that is appropriate for the level of criticality of the computing system safety item, and allows the operator to define the levels of criticality that are appropriate for its operations. The operator must determine, and the FAA will verify, which of the operator's levels of criticality affect public safety and which of the computing systems described in the proposed operation are in each of those public safety levels. Operators must then define verification and validation procedures to test computing system safety items in appropriately representative environments.

Section 450.141(c)(7) requires a development process to define reuse policies that verify and validate the safety requirements for reused computing system safety items. This requirement was retained from proposed § 450.111(d)(5)(v), which similarly required an operator to develop and implement software development plans, to include descriptions of a policy on software reuse. In essence, the applicant is required to have processes in place to understand the safety implications of any computing system safety item developed for a different project or purpose.

Section 450.141(c)(8) requires a development process to define third-party product use policies that verify and validate the safety requirements for any third-party product. This requirement was retained from proposed § 450.111(d)(5)(iv), which required an operator to develop and implement software development plans, to include a description of a policy on use of any commercial-off-the-shelf software. The FAA replaces the term “commercial-off-the-shelf software” in the proposal with “third-party product” because commercial software is not the only kind of third-party computing system that an applicant could use; government-off-the-shelf and free, open source products need strategies for safe use, and the policy does not need to vary based on the nature of the third party. The important characteristic is that the computing system was not developed by the applicant, so FAA now uses “third-party” to describe it. The final rule sets performance criteria for this requirement with the addition of the phrase “that verify and validate the safety requirements in any third-party product.” This means that the safety requirements implemented by third-party products must be subjected to verification and validation just like applicant-developed computing system safety items.

Section 450.141(d) contains the application requirements for this section. Each of the first five requirements in paragraph (d) mirrors a key aspect of computing system safety, allowing the applicant and FAA to understand the rigor of development in terms of public safety. This structure is meant to reflect the typical formats of computing system safety data submissions received by the FAA to date. The regulation requires an applicant to describe the computing system safety items, identify the safety requirements implemented by each computing system safety item, provide the development processes that generated them, provide evidence that the development process was followed, and provide data verifying the correct implementation of the safety requirements. These application requirements need not be met in separate documents.

The application requirements of § 450.141(d) essentially replicate those proposed in § 450.111(h), except that the revised regulation allows greater latitude to implement development processes that achieve the same goals by different means. An example of such an alternative process would be a formal mathematical proof that the code will function only as designed and that the design meets all of its requirements. A formal proof is preferable to an iterative development and testing process, whenever practical, because a formal proof demonstrates that every possible action that a computing system can take is safe whereas iterative development can only approximate that demonstration. A formal proof would have required waivers under proposed § 450.111 but will not under § 450.141.

Several commenters recommended that hazards associated with computing systems and software be addressed through other sections in part 450, rather than in a dedicated section on computing systems and software. CSF, SpaceX, Virgin Galactic, and Virgin Orbit stated that hazards associated with computing systems and software should be addressed through the system safety requirements for flight hazard analyses, proposed § 450.109. CSF commented that a computing system was just one of many critical subsystems integrated into a larger complex system, that all systems and subsystems should be analyzed and controlled for hazards, and that the fact that a particular system may contain software should be irrelevant to top level performance-based safety requirements. Blue Origin and CSF recommended that the requirements for safety-critical systems in § 450.143 be used for software systems. SpaceX recommended that hazard analyses be limited to demonstrating one fault tolerance for safety-critical functions, including tolerance to faults in any inputs to the functions (e.g., data loss, data corruption) and any downstream hardware or software effects required for public safety (e.g., effecting thrust termination).

The FAA will retain a separate section for computing system requirements in the final rule. As stated in the NPRM preamble, the FAA consolidated the computing system safety requirements applicable to launch or reentry operations under a single section in § 450.141 of the final rule to address software, firmware, and data, and the way they operate in computing systems. The FAA based this approach on a determination that software safety cannot be evaluated outside of the computing system in which it operates. Software and computing systems are decision engines that, like humans, control other vehicle systems that can present hazards to the public and therefore merit analysis of their control logic. Although computing systems and software must be factored into an operator's system safety process and hazard control strategies, the FAA has determined that computing systems warrant separate consideration due to distinct characteristics that make them uniquely ill-suited to most traditional system safety methods.

Software assurance is often a more appropriate mitigation strategy than fault tolerance for software faults. The FAA anticipates that any emergent method for system safety analysis that handles software and computing systems well will meet § 450.141 because such a method would necessarily produce the essential elements of computing system safety embodied in the regulation. That is, § 450.141 applies equally well to dedicated computing system safety analyses and to system safety analyses that handle computing systems in an integrated manner.

Furthermore, although computing systems can be “safety critical,” as defined in § 401.7, the FAA declines to apply the requirements set forth in § 450.143 regarding safety-critical system design, test, and documentation to computing systems because those requirements do not adequately address the idiosyncrasies of computing systems. For example, § 450.143(b) in the final rule requires an operator to design safety-critical systems to be fault-tolerant, fail safe, damage-tolerant, or otherwise designed such that no fault can lead to increased risk to the public beyond nominal safety-critical system operation. Fault tolerance is not achievable for many software faults. Similarly, the predicted environments are defined and evaluated very differently for software than for other safety-critical systems under § 450.143. The predicted operating environment for computing systems is defined in computing system requirements, but those requirements are derived from the mathematical relationships that the software must embody, so the requirement to provide predicted environments for computing systems is indistinguishable from providing the computing system requirements and design documentation for computing systems.

Blue Origin, CSF, Sierra Nevada, Virgin Galactic, and Virgin Orbit commented that any prescription in the regulation should be moved to an AC as a means of compliance. Virgin Galactic commented that guidance material should be based on industry standard development assurance processes. CSF suggested that ACs reference industry standards and refer to new or existing FAA ACs, such as AC 20-115C, AC 20-152, AC 20-153, AC 20-170, and AC 20-174, to provide a detailed means of compliance to performance-based regulations for computing systems.

As discussed, the FAA has revised the proposed requirements to be less prescriptive in the final rule. The FAA regulates software assurance only to the extent that it is used as a mitigation strategy for computing system hazards. The FAA plans to issue guidance that will provide further clarity on the requirements in § 450.141, including the integration of existing software assurance standards, such as the referenced ACs, with computing system safety processes. The FAA considers these changes in the final rule to be consistent with the comments received.

Blue Origin, CSF, Rocket Lab, SpaceX, and Virgin Galactic commented that the requirements in proposed § 450.111 did not integrate well with most industry applications and best practices. CSF and SpaceX commented that the methods prescribed by the proposal were incompatible with proven industry standards such as ISO 26262 [141] and DO-178C.[142]

The FAA revises the regulation in a way that aligns better with the system safety process and replaces the prescriptive requirements identified by commenters with performance-based metrics. The final rule also aligns better with industry standards, including ISO 26262 and DO-178C. Virgin Galactic noted similarities between proposed § 450.111 and existing standards, and this similarity is intentional as the FAA was attempting to codify those parts of industry standards that were well suited to standardization. The final rule bears less similarity to existing standards, instead specifying the goals of those standards as requirements in § 450.141. The FAA has revised the computing systems and software safety requirements to contain the minimum set of performance requirements necessary to address the public safety implications of a given operation. The FAA also removed many prescriptive requirements from the regulation. This revision allows for more flexibility and thus consistency with industry standards.

CSF, SpaceX, and Virgin Galactic commented that the proposed rule was not comprehensive enough and was missing items such as aeronautical databases, integrated modular avionics, regression testing, and other details. Blue Origin, CSF, and SpaceX stated that the proposal failed to address object-oriented technology, model-based development, machine learning, tool qualification, load control, formal methods, robust protection and partitioning, integrated modular avionics, and integration with the system process.

As discussed, the final rule has been revised to remove prescriptiveness and increase flexibility. Therefore, because such prescription was removed from the final rule, the FAA does not find the changes recommended by these comments to be necessary. The FAA will address items like aeronautical databases, integrated modular avionics, regression testing, and other details in guidance documents. These items will be addressed by § 450.141(c), which implements safety requirements for these and all other computing system safety items.

An individual commenter suggested that all hardware dependent on software be vertically integrated and signal proof to protect against issues posed by cyber security or signal interference. The FAA does not believe a change to the regulations is necessary. Issues posed by cyber security or signal interference that could pose a threat to public safety are adequately addressed by the hazard identification and mitigation requirements in § 450.141.

SpinLaunch recommended that the proposed set of software requirements, compliance plans, and test data be replaced with the requirement either to submit a software plan and sample results or to demonstrate the capability of the software to perform as required.

The requirement that an operator either submit a software plan and sample results or demonstrate the capability of the software would not protect public safety adequately for three reasons. First, a software plan is insufficient without evidence of its execution. Section 450.141 requires an operator to document a development process for all computing system safety items and provide evidence of its execution. Second, the minimum set of sample results that would be sufficient to verify protection of the public is the set that meets the requirements in § 450.141(b)(4) for verification of public safety-related functionality. Third, an adequate demonstration of software capability necessarily will include the level of testing specified by § 450.141. For these reasons, the FAA does not see a distinction between § 450.141 and either the submission of a software plan and sample results or a demonstration of software capability.

y. Safety-Critical Systems Design, Test, and Documentation (§ 450.143)

In the NPRM, the FAA proposed standalone performance-based requirements for safety-critical systems in § 450.143. The proposed requirements covered fault tolerance, qualification testing, acceptance of hardware, and lifecycle management for all safety-critical systems including FSS.[143] In the NPRM, the FAA noted that applicants using an FSS of any reliability threshold would be required to meet the proposed § 450.143 safety-critical system design, test, and documentation requirements.[144] In addition, under proposed § 450.143(a), operators required to use an FSS under § 450.101(c) would be required to meet the standards in § 450.145.

The FAA also proposed to revise the definition of “safety critical” in § 401.5. As proposed, “safety critical” retained the longstanding definition of being something “essential to safe performance or operation,” and the proposed definition further explained that a safety-critical system, subsystem, component, condition, event, operation, process, or item, is one whose proper recognition, control, performance, or tolerance, is essential to ensuring public safety. The FAA proposed to remove language in the existing definition stating that something is “safety critical” if it creates a safety hazard or provides protection from a safety hazard, because that language is redundant.

In the final rule, the FAA adopts § 450.143 with some revisions discussed later in this section. The FAA also adopts the proposed definition of “safety critical” without substantive change and relocates it to § 401.7. Based on the change to the definition of “public” in the final rule, the FAA changes the reference to “public safety” in the definition of “safety critical” to “public safety and the safety of property.”

Blue Origin, CSF, and one individual commented that the term “safety critical” was ambiguous in light of the proposed revision to § 401.5.

A system is safety critical if its performance is essential to safe performance or operation. If the failure of a system can create a hazard to the public, then the system is a safety-critical system. Section 450.143 would apply to a safety-critical system unless an operator demonstrates through its flight hazard analysis that the likelihood of any hazardous condition associated with the system that may cause death or serious injury to the public is extremely remote, pursuant to § 450.109(b)(3). Due to the inherent risk to the public, an operator must demonstrate the reliability of a safety-critical system by meeting the requirements of § 450.143.[145]

The applicant's identification and proper management of safety-critical systems is fundamental to mitigating potential hazards and ensuring public safety, and the FAA will work with an applicant if it believes the applicant has failed to identify all safety-critical systems. The potential failure of safety-critical systems is integral to the FSA, and the vulnerabilities of safety-critical systems must be accounted for in the flight commit criteria, hazard analyses, lightning protection criteria, management of radio frequency to prevent interference, and communications plans.

Virgin Galactic commented that the requirements of § 450.143 are costly, time-consuming, burdensome, and contrary to the Commercial Space Launch Act requirement to only regulate to the extent necessary. Virgin Galactic requested that an applicant not be mandated to comply with § 450.143 if it can provide proof that a safety-critical system meets the safety criteria.

The FAA acknowledges that, under certain circumstances, an operator could demonstrate that a safety-critical system would not need to have the robust design and testing required of § 450.143. The FAA considered relieving an operator from the requirements in § 450.143 if the safety criteria in § 450.101 were met. However, the FAA found that use of the safety criteria for this purpose is not appropriate because whereas the requirements in § 450.143 apply to safety critical systems—which, as defined, can be a system, subsystem, component, condition, event, operation, process, or item—the safety criteria in § 450.101 measure the effects of the failure modes of the vehicle as a whole, as analyzed in the FSA. Therefore, demonstrating compliance with the safety criteria in § 450.101 is not sufficient to relieve an operator from the requirements in § 450.143, because that alternative would relieve the operator from analyzing the vehicle's discrete systems, subsystems, components, conditions, events, operations, processes, and items. The FAA finds that analysis at this more discrete level is necessary to ensure safety of the public.

The FAA finds that a more appropriate method to provide flexibility and be responsive to Virgin Galactic's concern is to rely on the flight hazard analysis in § 450.109. Specifically, the FAA revises § 450.143(a) to exclude safety-critical systems for which an operator demonstrates through its flight hazard analysis that the likelihood of any hazardous condition specifically associated with the system that may cause death or serious injury to the public is extremely remote, pursuant to § 450.109(b)(3). As explained in the preamble section associated with § 450.109, the flight hazard analysis focuses on the reasonably foreseeable hazards to public safety resulting from the flight of a launch or reentry vehicle. In performing the flight hazard analysis, the operator is required in § 450.109(b)(1)(ii) to identify reasonably foreseeable hazards and corresponding failure modes relevant to public safety resulting from system, subsystem, and component failures or faults. Therefore, unlike the safety criteria in § 450.101, the flight hazard analysis explicitly requires the operator to examine the hazards associated with the discrete systems, subsystems, and components of the vehicle.

Thus, to provide increased flexibility without reducing safety, the final rule excludes certain safety-critical systems from the requirements of § 450.143 if an operator demonstrates through its flight hazard analysis that the likelihood of any hazardous condition specifically associated with the system that may cause death or serious injury to the public is extremely remote, pursuant to § 450.109(b)(3). That is, the operator must show that specific requirements in § 450.143, which ensure that the system will function reliably, are not entirely necessary to mitigate the hazards specifically associated with the system to an extremely remote level.

For example, an operator's launch vehicle may have a number of systems whose failure could potentially cause hazardous debris to impact the public. If an operator chooses to launch in a sparsely populated area and limit propellant loading to minimize risk to the public to an extremely remote level despite the failure of one or more safety-critical systems, then those systems would not need to be designed or tested to the level set forth in § 450.143. The operator must show that the exception in § 450.143(a)(2) applies for a particular safety-critical system through its flight hazard analysis. If the operator cannot show that all hazards involving the system are sufficiently mitigated to an extremely remote level despite a failure of that system, then that system must meet the design and testing requirements in § 450.143.

However, the FAA anticipates that certain systems will not qualify for the exception in § 450.143(a)(2). Specifically, safety critical systems that prevent hazards from reaching the public given other system failures would likely be required to meet § 450.143. This is also true of systems that create hazards to the public that are not otherwise mitigated by other hazard controls. The FAA anticipates that it is unlikely that an operator would be able to demonstrate that the hazards associated with these systems meet the “extremely remote” standard in § 450.109(b)(3) without subjecting them to the reliability requirements in § 450.143. Furthermore, FSS required by § 450.108(b)(2) must meet § 450.143 without exception.

The FAA also revises § 450.143(a) and removes the proposed requirement that all FSS required by § 450.101(c) must meet §§ 450.143 and 450.145. Instead, § 450.143(a) requires all safety-critical systems except for the highly reliable FSS required by § 450.108(b)(1) to meet the requirements in § 450.143. As discussed in the flight abort section of this preamble, an FSS required by § 450.108(b)(2) must comply only with § 450.143 rather than meeting the additional requirements proposed in § 450.145. Likewise, an operator who chooses to use flight abort as a hazard control strategy for reasons other than protecting against a high consequence event under § 450.101(c)(1) must also satisfy the requirements of § 450.143 for its FSS. For reasons explained later in this section, highly reliable FSS under § 450.145 do not need to comply with the general safety-critical systems requirements of § 450.143 as was proposed in the NPRM.

The FAA proposed in § 450.143(b) to require that all safety-critical systems follow reliable design principles. Specifically, an operator would be required to design those systems to be fault-tolerant so that no single credible fault could lead to increased risk to the public.

Both Sierra Nevada and Virgin Galactic commented that requiring fault tolerance would be so burdensome to the applicant that several current operators would not be able to meet the requirement for systems on existing vehicles. Sierra Nevada commented that using fault tolerance as a catch-all hazard control can add risk in certain cases, and the determination regarding whether something is fault-tolerant is not straightforward.

Fault tolerance [146] is the idea that a system must be designed so that it is able to perform its function in the event of a failure of one or more of its components. In a fault-tolerant design of a safety-critical system, no single credible fault should be capable of increasing the risk to public safety beyond that of a nominal operation. Although the FAA proposed fault tolerance for the design of safety-critical systems in the regulatory text, the FAA intended to accept other methods of safety design, including fail-safe [147] and damage-tolerant [148] systems like primary structures that generally cannot be redundant. This broader view of safe design allows an operator to factor planned operational restrictions, testing, and inspection into the design to demonstrate that a system is broadly fault-tolerant.

The FAA acknowledges that its articulation of a fault-tolerant design requirement in the proposed regulation did not accurately reflect the FAA's statements in the NPRM preamble allowing other methods of safe design, like fail-safe systems, damage-tolerant systems, or other designs for graceful degradation.[149] A system that is designed to be fail-safe or degrade gracefully, whether it functions at a reduced level or fails completely, does so in a way that protects people and property from injury or damage, or generally prevents a more serious failure event. Such design is desirable, and was intended to be captured in the FAA's design requirements for safety-critical systems. In the final rule, the FAA amends § 450.143(b) to state only that safety-critical systems must be designed such that no credible fault can lead to increased risk to the public beyond nominal safety-critical system operation. The final rule gives the operator flexibility to achieve this requirement through a design that is fault-tolerant, fail-safe, damage-tolerant, or any other solution.

The FAA views design for reduced risk as a necessary characteristic of any reliable system. The FAA recognizes there may be other acceptable design principles that protect the public adequately from or in spite of a credible fault. In the final rule, the FAA removed the word “single” from § 450.143(b) to clarify that some design concepts may allow faults, but that the faults should not lead to increased risk to the public. The FAA also removed “safety” from § 450.143(b) because ensuring no increased risk to the public necessarily addresses public safety. An applicant may demonstrate that no credible fault can lead to increased risk through analysis, identification of possible failure modes, implementation of redundant systems or other mitigation measures, and verification that the mitigation measures will not fail simultaneously.

Safety-critical systems requirements necessitate testing that accounts for the operating environment the system will encounter. For that reason, the FAA proposed to define “operating environment” in § 401.5 (§ 401.7 in the final rule) as “an environment that a launch or reentry vehicle component will experience during its lifecycle.” The proposed definition further stated that operating environments include shock, vibration, thermal cycle, acceleration, humidity, and thermal vacuum.

In the final rule, the FAA adopts the proposed definition with additional language indicating that operating environments also include other environments relevant to system or material degradation. As stated in the NPRM, the list of examples in the definition is not exhaustive, and the additional language in the final rule establishes a standard for operators to consider in assessing relevant environmental factors when qualifying an FSS or other safety-critical system design through testing and analysis.

In addition to meeting the design requirements of § 450.143(b), the FAA proposed qualification testing [150] requirements in § 450.143(c) that required, in part, that an operator demonstrate the design of the vehicle's safety-critical systems functionally at conditions beyond its predicted operating environment. An operator must select environmental test levels that ensure the design is sufficiently stressed to demonstrate that system performance is not degraded due to design tolerances, manufacturing variances, or uncertainties in the environment. Qualification testing will demonstrate margin over all operating and non-operating environments to which the flight unit can be exposed, including margin over all component acceptance tests. Valid qualification testing environments should—

  • Account for material variation, because all materials have properties that have a variance from nominal values.
  • Account for manufacturing variation, because the functionality of a system is not only dictated by the quality of materials used, but also the quality of the manufacturing processes employed.
  • Account for environmental variation, because environmental predictions can have a great deal of uncertainty, particularly early in a program.
  • Demonstrate margin against failure, because safety-critical systems often fail in complex and unpredictable ways.

The FAA also proposed requirements for acceptance [151] of hardware in § 450.143(d) that required, in part, an operator to demonstrate any safety-critical system functionally while exposed to its predicted operating environment with margin to demonstrate that it is free of defects, free of integration and workmanship errors, and ready for operational use. Acceptance testing on flight units should uncover critical workmanship errors, and damaged, weak, or out-of-specification components before they fail in flight. Because this testing is done on flight units, valid acceptance testing should avoid over-testing safety-critical components. This avoidance is accomplished by testing significantly under qualification levels and durations, but still over nominal operation levels and durations. The FAA adopts these requirements as proposed, with minor editorial corrections.

Lastly, the FAA proposed requirements pertaining to the lifecycle of safety-critical systems in § 450.143(e), which required an operator to monitor the flight environments experienced by safety-critical system components to the extent necessary to validate the predicted operating environment.[152]

In the final rule, the FAA makes one minor revision to § 450.143(c), (d), and (e). In each of those subsections, the FAA has changed the term “operating environment” to “operating environments” because all systems will experience multiple operating environments. As stated in the NPRM preamble,[153] applicants must account for all operating environments that any safety-critical system is expected to encounter throughout the lifecycle of the system in accordance with § 450.143(e), including storage, transportation, installation, and flight, which generally are built into qualification and acceptance testing levels. Other than this minor revision, the FAA adopts these subsections as proposed. Note also that in the means of compliance table released with the NPRM, the FAA identified SMC-S-016, “Test Requirements For Launch, Upper-Stage and Space Vehicles,” as an acceptable means of compliance with § 450.143. SMC-S-016 is an Air Force standard that defines environmental test requirements for launch vehicles, upper-stage vehicles, space vehicles, and their subsystems and units. The FAA maintains that the environmental test levels in that standard are acceptable for safety-critical systems under § 450.143, except, as noted in the means of compliance table, protoqualification testing found in 4.2.3 and B.1.3-4, and protoqualification by similarity in 4.10.1.[154]

As noted earlier, FSS required pursuant to § 450.108(b)(2), when the consequence of any reasonably foreseeable failure mode in any significant period of flight is between 1 × 10⁻² and 1 × 10⁻³ CEC for uncontrolled areas, must satisfy the requirements in § 450.143. This approach is consistent with the NPRM, which required all safety-critical systems including all FSS to satisfy the general requirements in § 450.143. For the reasons explained more fully in the next section, the final rule does not adopt the additional requirements for such an FSS that were proposed in § 450.145(a)(2), which would have required the FSS to have a design reliability of 0.975 at 95 percent confidence and commensurate design, analysis, and testing. The FAA no longer finds this reliability value necessary because, as a commenter noted, it was unnecessarily prescriptive.[155] Moreover, as discussed in the NPRM, there are no established standards to demonstrate the 0.975 reliability number, other than a single string FSS that otherwise meets the requirements of RCC 319.

Instead, the FAA requires § 450.108(b)(2) FSS to meet the requirements in § 450.143. This regulatory approach should support ongoing innovation in the development of FSS. As noted in the NPRM, the commercial space transportation industry has continued to mature and operators have proposed FSS alternatives. These alternative approaches include fail-safe single string systems that trade off mission assurance and redundancy, other fail-safe consequence mitigation systems, and dual-purpose systems such as FSS that reuse the output of safety-critical GPS components for primary navigation avionics. The FAA is publishing a “Safety-Critical Systems” AC to provide an acceptable means of compliance with § 450.143. However, the FAA does not claim that an FSS approved under § 450.143 necessarily has a reliability of 0.975. Although some standard in the future may be able to establish a reliability of 0.975 at 95 percent confidence, that standard does not exist today. FSS are discussed more fully in the next section of this preamble.

The FAA amends the proposed application requirements in § 450.143(f) for safety-critical systems to require that applicants describe the methods used to validate the predicted operating environments. In order to comply with § 450.143(e)(2)(i), applicants must validate the predicted operating environments for their safety-critical systems. However, the NPRM inadvertently omitted the corresponding application requirement from proposed § 450.143(f). This change results in no additional burden as an operator would have to demonstrate compliance with the substantive provision by providing this information.

The FAA also adds new § 450.143(f)(7) to the application requirements, which requires an applicant to describe the standards used in each phase of a safety-critical system's lifecycle. This addition is consistent with current practice and will not increase the burden on operators, because an operator would likely provide this information to support its finding that a safety-critical system is designed such that no credible fault can lead to increased risk to the public beyond nominal safety-critical system operation. In addition, this description of standards is necessary to help identify previous flights of a vehicle developed and launched or reentered in similar circumstances, as required under § 450.131(d)(1).

Virgin Galactic asked how the requirements of § 450.143 would apply to safety-critical systems that have been licensed previously. Virgin Galactic generally objected to proposed § 450.143, arguing its requirements were similar to aircraft certification rules and would be appropriate for a more mature industry. Virgin Galactic requested an exclusion from proposed § 450.143 for hybrid vehicles that have been issued an experimental airworthiness certificate by the FAA and operate as aircraft.

As discussed in the preamble section on Hybrid Vehicles, the FAA does not agree that an airworthiness certificate issued by the FAA should automatically exempt a vehicle used in a launch or reentry from the safety-critical system requirements in § 450.143. An applicant may make an ELOS case for a component of a launch vehicle, such as a carrier aircraft, if it holds an airworthiness certificate with an acceptable flight test history. Section 450.143 is flexible and broad enough that the FAA is not aware of any currently licensed vehicles or operators in formal pre-application consultation that would not meet the new requirements. For example, operators licensed under parts 431 or 435 use a system safety process to verify and validate the reliability and mitigation of hazards for any safety-critical system. The treatment of safety-critical systems under part 431 and 435 provides an ELOS to the safety-critical systems requirements in § 450.143.

z. Flight Safety Systems (§§ 450.143 and 450.145)

As previously discussed, proposed § 450.101(c) would have required an operator to use flight abort with an FSS that meets the requirements of § 450.145 if the consequence of any reasonably foreseeable vehicle response mode, in any one-second period of flight, was greater than 1 × 10⁻³ CEC for uncontrolled areas.[156]

As proposed in § 450.145(a)(1), if the consequence of any vehicle response mode was 1 × 10⁻² CEC or greater for uncontrolled areas, an operator would have been required to employ an FSS with design reliability of 0.999 at 95 percent confidence and commensurate design, analysis, and testing. The FAA noted that RCC 319 is the only government standard that would meet the requirement for a design reliability of 0.999 at 95 percent confidence and commensurate design, analysis, and testing.

Proposed § 450.145(a)(2) required that, if the consequence of any vehicle response mode was between 1 × 10⁻² and 1 × 10⁻³ CEC for uncontrolled areas, an operator would have been required to employ an FSS with a design reliability of 0.975 at 95 percent confidence and commensurate design, analysis, and testing. In the NPRM, the FAA acknowledged that, although no standard exists for an FSS with this design reliability, it expected individual applicants to create their own FSS requirements based on RCC 319 and have them approved as an accepted means of compliance by the FAA prior to application submittal.[157] The FAA anticipated the industry would develop voluntary consensus standards for FSS, particularly for those FSS that are only required to have a design reliability of 0.975 at 95 percent confidence.

The FAA explained the proposed lower reliability by noting that, for operations in which the consequence of a flight failure is lower, the FSS, while still being reliable, may not need to be as highly reliable as an FSS for a vehicle operating in an area where the consequence of a flight failure is higher. As such, in order to make regulations adaptable to innovative operations while maintaining appropriate levels of safety, the FAA proposed to allow an FSS with less demonstrated design reliability for operations with lower potential consequences. In the final rule, the FAA removes the proposed requirement for an FSS with design reliability of 0.975 at 95 percent confidence, as will be discussed later in this preamble section.

In the final rule, the FAA has maintained the proposed requirement for an operator to employ an FSS with design reliability of 0.999 at 95 percent confidence and commensurate design, analysis, and testing if the consequence of any reasonably foreseeable failure mode in any significant period of flight is greater than 1 × 10⁻² CEC in uncontrolled areas.[158] Operators currently meet this requirement for launches conducted under legacy regulations by tailoring RCC 319, and an operator could submit a tailored version of RCC 319 to the FAA as a means of compliance for § 450.145(b).

In the final rule, the FAA has revised the section heading for § 450.145 from “Flight safety system” to “Highly reliable flight safety system” because it now contains only those requirements for an FSS required by § 450.108(b)(1) when the consequence of any reasonably foreseeable failure mode in any significant period of flight is greater than 1 × 10⁻² CEC in uncontrolled areas. The FAA has also reorganized the section and moved the reliability requirements in proposed § 450.145(a) to § 450.145(b) with revisions.

While the design reliability required for a highly reliable FSS remains 0.999 at 95 percent confidence and commensurate design, analysis, and testing, the FAA has specified in § 450.145(b)(1) of the final rule that this reliability applies to the portion of the FSS onboard the vehicle. In addition, if a portion of an operator's FSS is ground-based, space-based, or otherwise not onboard the vehicle, the FAA has specified in § 450.145(b)(2) of the final rule that it must have the same reliability as the onboard portion; that is, 0.999 at 95 percent confidence and commensurate design, analysis, and testing. Although not all FSS have a ground portion, this requirement reflects past and current practice for launches from both Federal and non-Federal sites, in which the ground portion of an FSS and the airborne portion of an FSS are independently designed, tested, and operated to rigorous standards. This independence ensures that the appropriate command is sent by the ground-based system with a high reliability, and received and acted upon with high reliability by the onboard portion of the system, to result in the desired termination action.

The reference in § 450.145(a) to an FSS “on the launch or reentry vehicle” did not reflect the FAA's intention accurately, as stated in the NPRM, to include FSS not onboard the vehicle in the design reliability requirements in § 450.145.[159] Conventional FSS with onboard flight termination receivers and not-onboard command transmitter systems will have both onboard and not-onboard subsystems. Many current autonomous FSS only have onboard systems. As discussed previously, the final rule requires both onboard and not-onboard FSS systems independently to demonstrate 0.999 at 95 percent reliability. This requirement exists because FSS with both onboard and not-onboard systems that individually meet 0.999 at 95 percent reliability could have a combined reliability as low as 0.998 at 95 percent confidence, whereas FSS with only onboard systems would be required to have a reliability of at least 0.999 at 95 percent confidence. To ensure that FSS all meet the same standard required to protect public safety, the final rule requires that onboard and not-onboard systems independently meet the 0.999 at 95 percent confidence level of reliability. The collective FSS design reliability requirement is not specifically stated in the final rule since the onboard FSS and not-onboard FSS design reliability requirements are independently defined in § 450.145 and the overall FSS design reliability is dependent on the type of FSS employed.[160]

For § 450.108(b)(1) FSS that must meet the requirements of § 450.145, unless alternative methods are accepted by the Administrator, the FAA has identified RCC 319 as an existing means of compliance to demonstrate FSS reliability. This standard is currently used by applicants that employ traditional flight abort under part 417. The FAA expects to continue the current practice of working with applicants to tailor RCC 319 in order to comply with § 450.145. A tailored RCC 319 that is used as a means of compliance for § 450.145(b) must be submitted to the FAA for acceptance prior to being included in a license application.

As noted in the previous preamble section, the FAA has removed the additional requirements proposed in § 450.145(a)(2), and is relying on requirements in § 450.143 to ensure that an FSS required by § 450.108(b)(2) is sufficiently reliable. As with the NPRM, the final rule reduces the burden on operators that have a lower potential for causing high consequence events. This change maintains the intent of the proposal to protect against high consequence events using a means different from the traditional highly reliable FSS.

As noted in the previous section, the Safety-Critical Systems AC will provide an approach to compliance with § 450.143 that modifies the provisions in RCC 319. The approach uses a menu of potential options that, when met, would demonstrate that an operator has met § 450.143. The AC will provide combinations of various tailored RCC 319 requirements that the FAA has determined demonstrate compliance with § 450.143. Some of the tailored requirements include:

  • Reducing the random vibration and thermal cycle qualification test margins to a level and duration that remains above acceptance test levels;
  • Reducing the number of required qualification test units;
  • Reducing the minimum required sample size for ordnance lot acceptance testing and ordnance qualification testing;
  • Allowing qualification by similarity with deviations to RCC 319 qualification by similarity criteria;
  • Reducing the required number of thermal cycles for component level qualification thermal cycle test requirements;
  • Reducing the radio frequency link margin requirements for traditional commanded FSS;
  • Allowing single string fail-safe FSS;
  • Reducing electronic piece parts requirements; and
  • Allowing use of vehicle components or systems for FSS use such as vehicle power source or flight computer.

An operator could work with the FAA to determine what combination of options would satisfy § 450.143 for specific FSS. In addition, an operator could develop its own combination of tailored RCC requirements to demonstrate compliance, or could elect to use a different means of compliance outside of the RCC 319 requirements.

An operator may demonstrate compliance with § 450.143 through other means that adequately establish design, qualification testing, and acceptance testing. As mentioned earlier, the environmental test levels in SMC-S-016 are acceptable for safety-critical systems under § 450.143, including some FSS components, except protoqualification testing found in 4.2.3 and B.1.3-4, and protoqualification by similarity in 4.10.1.

Lastly, the FAA also makes minor changes to the application requirements in § 450.145. In the NPRM, § 450.145(d) stated that an FSS includes any FSS located onboard a launch or reentry vehicle; any ground based command control system; any support system, including telemetry subsystems and tracking subsystems, necessary to support a flight abort decision; and the functions of any personnel who operate the FSS hardware or software. This provision has been moved to the definition of “flight safety system” and deleted from § 450.145(d).[161]

The FAA received several comments on the limited means of compliance available to demonstrate compliance with the FSS reliability requirements. Blue Origin commented that the industry had only been given one means of compliance for both tiers of FSS reliability. Blue Origin also commented that the proposal indicated the only accepted means of complying with § 450.145 would be an untailored RCC 319. Blue Origin and CSF suggested that there exist other industry and government standards that should be accepted means of compliance with the reliability requirements of § 450.145. Blue Origin and Microcosm stated that a tailored RCC 319 or SMC-S-016 should also be an accepted means of compliance. SpaceX commented that RCC 319 was an acceptable standard, but only if the document may be tailored for each operator.

The FAA clarifies that RCC 319 is a means of compliance the FAA has identified to date that ensures compliance with § 450.145, but RCC 319 is not the only possible means of compliance that the FAA will consider. The performance-based nature of § 450.145 allows an operator to submit its own unique means of compliance to the FAA. An applicant may propose a tailored version of RCC 319 prior to submitting its application as a unique means of compliance to be accepted by the Administrator. As discussed earlier, the Safety-Critical Systems AC will provide guidance to operators on how to comply with the requirements for § 450.108(b)(2) FSS. This approach uses RCC 319 as one starting point. The AC will also refer to SMC-S-016, as discussed earlier. The FAA notes that, unlike for highly reliable FSS required to meet § 450.145, for an FSS required by § 450.108(b)(2) an operator is not required to have a means of compliance with § 450.143 accepted in advance of application submittal. However, it would be advisable for an operator to consult with the FAA early in its program's development on the approach to compliance with § 450.143, whether for an FSS or other safety-critical systems.

The performance-based nature of §§ 450.143 and 450.145 also allows an industry consensus standards body to submit a proposed means of compliance to the FAA for general use. This process is discussed in more detail in the Means of Compliance section of the preamble. Applicants are encouraged to work with the FAA in pre-application consultation to discuss potential unique means of compliance. For example, for § 450.108(b)(1) FSS, an applicant could work with the FAA during pre-application consultation to tailor RCC 319 to the operation while still ensuring compliance with § 450.145. The FAA will review the documents tailored to vehicle programs and mission-specific applications as unique means of compliance for a given license.

Blue Origin, CSF, and Virgin Galactic expressed concern that a vehicle that did not require an FSS under parts 431 or 435 might require one under part 450. The FAA disagrees. This rule maintains the level of safety required under parts 415, 417, 431, and 435 for FSS. Furthermore, as discussed in the High Consequence Event Protection section of this preamble, the ACTA study results indicate that no changes would be required under the final rule regarding the need for an FSS for any currently licensed launch vehicle launched from a Federal or commercial launch or reentry site. Therefore, the FAA does not expect to require an FSS under part 450 for any launch vehicle that would not have been required to have an FSS under parts 431 and 435.

CSF commented that the NPRM's proposed structure for requiring flight abort was overly prescriptive and would not give an operator flexibility to define the type of FSS to implement. CSF recommended requiring operators to make a safety case and moving CEC and the reliability requirements for FSS of the NPRM to an AC.

The FAA disagrees that a safety case should take the place of discrete CEC thresholds and the requirements for FSS in §§ 450.143 and 450.145. Although a safety case is a potential approach to applying for an ELOS determination for many of the regulatory requirements, the FAA does not believe that requiring a safety case, by itself, provides sufficient regulatory clarity as to what is expected of a launch or reentry operator to obtain and maintain a license.

Blue Origin commented that the means of compliance for FSS requirements in the NPRM was unclear, particularly for systems not on the launch vehicle such as tracking systems, ground systems, and flight abort crew. As examples, Blue Origin mentioned RCC 324 [162] and EWR 127-1 [163] for tracking systems, AFSPCI 91-701 [164] for ground systems, and AF 13-602 [165] for flight abort crew.

As discussed above, § 450.145(b) has been amended to address more clearly the part of the FSS onboard the vehicle and the part not onboard the vehicle, such as ground-based and space-based systems. In addition, this preamble addresses means of compliance for FSS requirements specifically, as well as means of compliance used to meet the requirements of part 450 more generally. As discussed previously, an untailored RCC 319-19 is currently the only means of compliance the FAA has reviewed and accepted to meet the § 450.145 FSS requirements; however, the FAA anticipates operators will provide unique tailored versions of RCC 319-19 to the FAA for acceptance under part 450. In addition, RCC 324 is an acceptable means of compliance for the airborne tracking sources such as C-Band transponders used with ground based command systems and for GPS receivers and inertial measurement units used as airborne tracking data sources. EWR 127-1 is not a current means of compliance for tracking systems because it is out of date. AFSPCI 91-701 is an acceptable means of compliance for FSS-related ground systems. Lastly, AFI 13-602 is an acceptable means of compliance for flight abort crew.

Blue Origin noted that proposed § 450.143 appeared to be appropriately performance-based and applicable to all safety-critical systems, including software. Except for § 450.108(b)(1) FSS and software, the FAA agrees with Blue Origin that § 450.143 is appropriately performance-based and applicable to all safety-critical systems. The requirements in § 450.143 are not sufficient for § 450.108(b)(1) FSS because those systems require a higher reliability due to the potential for high consequence events, as measured by CEC. As discussed earlier, the unique hazards due to software have a separate set of requirements in § 450.141. Otherwise, § 450.143 is sufficient for safety-critical systems and FSS that do not fall under § 450.145 because it includes performance standards for design, testing, and lifecycle management. Note that § 450.143 covers a § 450.108(b)(2) FSS that an operator uses to comply with the high consequence protection requirements of § 450.101(c), as well as an FSS that an operator uses when it chooses flight abort as a hazard control strategy under § 450.107, notwithstanding § 450.101(c). The requirements are the same for either FSS because, although the potential for a high consequence event is less of a concern in the latter case, each FSS is critical to meeting the collective, individual, aircraft, and critical asset risk criteria in § 450.101(a) and (b).

Blue Origin sought clarification as to whether an operator would need to comply with the software requirements of RCC 319 under the requirements proposed for § 450.145, in addition to the software requirements under § 450.141. An operator is not required to comply with the software requirements of RCC 319 under the requirements for § 450.145. Section 450.141 applies to any software or data that implements a capability that, by intended operation, unintended operation, or non-operation, can present a hazard to the public. Section 450.141 applies to FSS under either § 450.108(b)(1) or (b)(2). An operator is not required to meet RCC 319 in order to satisfy § 450.141, but RCC 319 is an acceptable means of demonstrating compliance with § 450.141.

Blue Origin and CSF commented that the NPRM's assertion that to get a 0.999 design reliability at 95 percent confidence by testing at predicted environment levels, an operator would have to test 2,995 units was incorrect because it did not take into account the dual redundant string architecture traditionally implemented for an FSS. The FAA concurs that its statement in the NPRM was an oversimplification that did not describe typical FSS component testing adequately. FSS testing generally consists of testing a certain number of units of an individual component to determine its reliability and confidence level, and that testing is part of determining the overall FSS system reliability. The FAA maintains that, for most operators, testing a few units at greater than expected operating environments is significantly less burdensome than testing many units at expected operating environments. Operating environments include shock, vibration, thermal cycle, acceleration, humidity, and thermal vacuum, or other environments relevant to system or material degradation. The opportunity for operators to submit new means of compliance to be accepted by the Administrator prior to application submission will allow applicants to propose their own means of compliance if they believe that another method of FSS design reliability, testing, and analysis is less burdensome than a means of compliance currently accepted by the FAA.
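The arithmetic behind the 2,995-unit figure, the dual redundant string objection, and the 0.998 combined-reliability figure discussed above, as an added worked example that is not part of the Federal Register text and is not an FAA or RCC 319 method. It assumes a zero-failure pass/fail test model, independent subsystems, and identical redundant strings with no common-cause failures; all function names are hypothetical.

```python
"""Zero-failure reliability demonstration arithmetic (added example).

Assumptions (not from the rule text): every test is an independent
pass/fail trial, no failures are observed, and redundant strings are
identical and fail independently (no common-cause failures).
"""
import math


def units_required(reliability: float, confidence: float) -> int:
    """Smallest n such that n failure-free tests demonstrate `reliability`
    at `confidence`:  R**n <= 1 - C   =>   n >= ln(1 - C) / ln(R)."""
    if not (0.0 < reliability < 1.0 and 0.0 < confidence < 1.0):
        raise ValueError("reliability and confidence must be in (0, 1)")
    return math.ceil(math.log(1.0 - confidence) / math.log(reliability))


def demonstrated_reliability(units: int, confidence: float) -> float:
    """Lower bound on reliability shown by `units` failure-free tests."""
    if units < 1:
        raise ValueError("at least one test unit is required")
    return (1.0 - confidence) ** (1.0 / units)


def series_reliability(*parts: float) -> float:
    """Every part must work, e.g. the not-onboard portion sends the
    command AND the onboard portion receives and acts on it."""
    return math.prod(parts)


def per_string_target(system_reliability: float, strings: int) -> float:
    """Reliability each redundant string needs so that at least one of
    `strings` independent strings works with `system_reliability`."""
    if strings < 1:
        raise ValueError("at least one string is required")
    return 1.0 - (1.0 - system_reliability) ** (1.0 / strings)


def summary() -> dict:
    """Figures for the cases discussed in the preamble."""
    dual_target = per_string_target(0.999, strings=2)
    return {
        # Single string tested at predicted environment levels.
        "single_string_0.999": units_required(0.999, 0.95),
        # Lower tier that was proposed in the NPRM and then removed.
        "single_string_0.975": units_required(0.975, 0.95),
        # Dual redundant strings: each string needs far less.
        "dual_string_target": dual_target,
        "dual_string_units": units_required(dual_target, 0.95),
        # Onboard and not-onboard portions, each at 0.999, in series.
        "onboard_and_ground": series_reliability(0.999, 0.999),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value}")
```

The dual-string figure holds only under the independence assumption; any common-cause failure shared by both strings pushes the required count back toward the single-string number.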

Microcosm asked if all orbital operators launching from the United States would be required to have a 0.999 design reliability FSS in accordance with proposed § 450.145. The FAA does not expect that all orbital operators launching from the U.S. will have operations with a potential consequence of a reasonably foreseeable failure mode in any significant period of flight that is greater than 1 × 10⁻² CEC in uncontrolled areas. The FAA notes that, as described in reference to the high consequence event protection requirements of § 450.101(c), operators will be required to have an FSS if the consequence of any reasonably foreseeable failure mode in any significant period of flight is greater than 1 × 10⁻³ CEC in uncontrolled areas, and, as proposed, that FSS will need to have the high design reliability of 0.999 at 95 percent confidence if the consequence of any reasonably foreseeable failure mode in any significant period of flight is greater than 1 × 10⁻² CEC in uncontrolled areas. However, the FAA has removed the additional requirements proposed in § 450.145(a)(2) in the final rule if the consequence of any reasonably foreseeable failure mode is between 1 × 10⁻² and 1 × 10⁻³ CEC, and in that scenario will only require an operator to use an FSS that complies with § 450.143.

SpaceX commented that RCC 319, section 1.10, allowed previously approved components and systems to be grandfathered such that they not be required to meet subsequent versions of RCC 319 unless certain criteria apply. SpaceX suggested that this approach be taken by the FAA in accepting previously tailored documents. SpaceX further recommended allowing such grandfathered acceptance of different standards such as AFSPCMAN 91-710.

The FAA's current practice is to accept FSS that have been approved under a standard such as AFSPCMAN 91-710 and RCC 319 even after updated versions of those standards are released. Licensing under part 450 should be consistent with that practice; a licensee should be able to renew its license without changes to its FSS simply because a standard that was used as a means of compliance has evolved with time. There would be exceptions, however, if a significant flaw was discovered in the earlier version of the standard.

SpaceX also commented on proposed § 450.145(d)(3), which stated that an applicant must submit any analyses and detailed analysis reports of all FSS subsystems necessary to demonstrate the reliability and confidence levels required by proposed § 450.145. SpaceX pointed out that while other government requirements, such as RCC 319, provide guidance on what analyses and reports are necessary, the proposed rule was unclear as to what specific analyses and reports are necessary.

As noted earlier, RCC 319 is an accepted means of compliance for § 450.145. An FSS design, testing, and analysis process that complies with the analysis requirements for RCC 319, or other accepted means of compliance, will satisfy the FSS analysis requirements of § 450.145.

Rocket Lab requested clarification as to whether the FSS design reliability is for hardware components only, and how to apply reliability requirements to safety systems that include software. The FAA notes that design reliability is for hardware only. The computing system safety requirements in § 450.141 do not provide an estimated reliability, but instead establish process controls that prevent or mitigate computing system faults.

The International Space Safety Foundation commented that FSS is the only system of a launcher for which the operational experience did not provide reliability significant data, because the system was ready but rarely operated. The FAA concurs with the comment that there is a lack of operational experience with FSS as far as terminating vehicles. However, operational parameters are captured throughout flights, whether the result is termination or not, and this data verifies many of the expected operating modes. Also, reliability is gained from design and thorough test programs, as well as review of post-flight data.

The International Space Safety Foundation also commented that to base the approval of a safety-critical system on reliability predictions was not advisable considering the key role played by software, which cannot be taken into account in the reliability prediction. The International Space Safety Foundation recommended that the FAA should instead define fault tolerance requirements for the FSS, and specific software and computing system requirements in addition to generic software development processes.

The FAA disagrees, noting that FSS reliability is also based on design architecture, component selection, and testing that accounts for fault tolerance and the overall system. Recognizing that there are some difficulties in establishing reliability standards below a design reliability of 0.999 at 95 percent confidence and commensurate design, analysis, and testing, the FAA removes the proposed additional requirements for § 450.108(b)(2) FSS and instead relies solely on § 450.143 for design, testing, and monitoring requirements. In addition, recognizing the importance of computing systems to system reliability and public safety, the FAA proposed, and is including in the final rule, robust computing system requirements in § 450.141. Computing system requirements are further discussed in the preamble section on Computing Systems and Software.

The International Space Safety Foundation recommended that the FAA set up a multidisciplinary team of design and operation experts to draw a strategy for the definition of FSS design performance requirements, and for addressing the above issues. The FAA believes that standards for FSS should continue to evolve and that industry should be significantly involved in their development. An industry-led development of a voluntary consensus standard or standards addressing design, analysis, or testing of FSS would be particularly beneficial. These standards could become new acceptable means of compliance with FAA regulations.

aa. Hybrid Vehicles

In the NPRM, the FAA proposed one set of requirements for all vehicle types without distinction between traditional and hybrid vehicles. Hybrid vehicles are launch or reentry vehicles that have some characteristics of aircraft and other characteristics of traditional launch or reentry vehicles.

The FAA acknowledges that hybrid operations differ from traditional rocket launches. Part 450 has been revised to better accommodate all vehicle operators, including hybrid vehicle operators. The accommodations include more performance-based requirements, alternatives to flight abort, FSA requirements based on demonstrated reliability, use of equivalent level of safety, and allowing application process alternatives as agreed to by the Administrator. The regulations allow currently licensed hybrid vehicle operators to continue to use a flight hazard analysis as a ha