[Federal Register Volume 71, Number 165 (Friday, August 25, 2006)]
[Rules and Regulations]
[Pages 50508-50727]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 06-6743]



-----------------------------------------------------------------------

Part II





Department of Transportation





-----------------------------------------------------------------------



Federal Aviation Administration



-----------------------------------------------------------------------



14 CFR Parts 401, 406, 413, et al.



Licensing and Safety Requirements for Launch; Final Rule

-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

Federal Aviation Administration

14 CFR Parts 401, 406, 413, 415, and 417

[Docket No. FAA-2000-7953; Amendment Nos. 401-4, 406-3, 413-7, 415-4, 
417-0]
RIN 2120-AG37


Licensing and Safety Requirements for Launch

AGENCY: Federal Aviation Administration (FAA), DOT.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule amends commercial space transportation 
regulations governing the launch of expendable launch vehicles. This 
action is necessary to codify current launch practices at Federal 
launch ranges and codify rules for launches from a non-Federal launch 
site. These safety requirements currently apply to a launch operator 
through its FAA license. The intended effect of this action is to 
ensure that the public continues to be protected from the hazards of 
launch from either a Federal launch range or a non-Federal launch site.

DATES: These amendments become effective September 25, 2006. Compliance 
is required by August 27, 2007.

FOR FURTHER INFORMATION CONTACT: René Rey, Licensing and Safety 
Division, AST-200, Federal Aviation Administration, 800 Independence 
Avenue, SW., Washington, DC 20591; telephone (202) 267-7538; e-mail 
[email protected]. For questions regarding legal interpretation, contact 
Laura Montgomery, AGC-200, (202) 267-3150; e-mail 
[email protected].

SUPPLEMENTARY INFORMATION:

Availability of Rulemaking Documents

    You can get an electronic copy using the Internet by:
    (1) Searching the Department of Transportation's electronic Docket 
Management System (DMS) Web page (http://dms.dot.gov/search);
    (2) Visiting the FAA's Regulations and Policies Web page at http://www.faa.gov/regulations_policies/; or
    (3) Accessing the Government Printing Office's Web page at http://www.gpoaccess.gov/fr/index.html.
    You can also get a copy by sending a request to the Federal 
Aviation Administration, Office of Rulemaking, ARM-1, 800 Independence 
Avenue, SW., Washington, DC 20591, or by calling (202) 267-9680. Make 
sure to identify the amendment number or docket number of this 
rulemaking.
    Anyone is able to search the electronic form of all comments 
received into any of our dockets by the name of the individual 
submitting the comment (or signing the comment, if submitted on behalf 
of an association, business, labor union, etc.). You may review DOT's 
complete Privacy Act statement in the Federal Register published on 
April 11, 2000 (Volume 65, Number 70; Pages 19477-78) or you may visit 
http://dms.dot.gov.

Small Business Regulatory Enforcement Fairness Act

    The Small Business Regulatory Enforcement Fairness Act (SBREFA) of 
1996 requires FAA to comply with small entity requests for information 
or advice about compliance with statutes and regulations within its 
jurisdiction. If you are a small entity and you have a question 
regarding this document, you may contact a local FAA official, or the 
person listed under FOR FURTHER INFORMATION CONTACT. You can find out 
more about SBREFA on the Internet at http://www.faa.gov/regulations_policies/rulemaking/sbre_act.

Authority for This Rulemaking

    The Commercial Space Launch Act of 1984, as codified and amended at 
49 U.S.C. Subtitle IX--Commercial Space Transportation, ch. 701, 
Commercial Space Launch Activities, 49 U.S.C. 70101-70121 (the Act), 
authorizes the Department of Transportation and thus the FAA, through 
delegations (64 FR 19586, Apr. 21, 1999), to oversee, license, and 
regulate commercial launch and reentry activities and the operation of 
launch and reentry sites as carried out by U.S. citizens or within the 
United States. 49 U.S.C. 70104, 70105. The Act directs the FAA to 
exercise this responsibility consistent with public health and safety, 
safety of property, and the national security and foreign policy 
interests of the United States. 49 U.S.C. 70105. The FAA is also 
responsible for encouraging, facilitating and promoting commercial 
space launches by the private sector. 49 U.S.C. 70103. A 1996 National 
Space Policy recognizes the Department of Transportation as the lead 
Federal agency for regulatory guidance regarding commercial space 
transportation activities. The FAA's authority to issue rules regarding 
commercial space transportation safety is found under the general 
rulemaking authority, 49 U.S.C. 322(a), of the Secretary of 
Transportation to carry out Subtitle IX, Chapter 701, 49 U.S.C. 70101-
70121 (Chapter 701).

Background

    This final rule addressing licensing and safety requirements for 
launch was preceded by two proposals and a draft rule made available to 
the public through the docket. The FAA published a comprehensive notice 
of proposed rulemaking (NPRM) on October 25, 2000. 65 FR 63921. The FAA 
received comments until April 23, 2001. The FAA addressed commenters' 
concerns in a supplemental notice of proposed rulemaking (SNPRM) 
published on July 30, 2002. 67 FR 49456 (``2002 SNPRM''). The FAA held 
a public meeting on the SNPRM on September 6, 2002 and received 
comments until October 28, 2002. Commenters were concerned with the 
anticipated cost of complying with the proposal. On February 28, 2005, 
the FAA placed a series of documents in the docket, including draft 
regulatory text, a draft analysis of comments (February 2005 Analysis 
of Comments), a summary of major changes since the SNPRM, and an 
independent economic assessment from SAIC. 70 FR 9885 (Mar. 1, 2005).
    SAIC estimated that the rule would cost the industry a discounted 
$3.8 million \1\ over the years 2005 through 2009. This is less than 
the $7.3 million discounted cost to industry estimated by this 
Regulatory Evaluation. SAIC estimated recurring costs ranging from 
$110,000 to $165,000 per launch and fixed costs of either $0 or 
$100,000. However, in deriving the total industry cost of $3.8 million 
(discounted at 7%), SAIC estimated that there would be four to six 
launches per year. The current FAA launch forecast is about twelve per 
year. SAIC also estimated and discounted costs over the period 2005 
through 2009, while the FAA estimated and discounted costs over the 
period 2006 through 2010. SAIC costs are in 2002 dollars while FAA 
estimates are in 2004 dollars.
---------------------------------------------------------------------------

    \1\ Using a discount rate of 7%.
---------------------------------------------------------------------------

    The FAA converted the SAIC cost estimates to 2004 dollars, used the 
latest FAA ELV forecast and discounted costs over the five-year period 
2006 through 2010. The result was an estimated cost of $10.5 million 
(discounted to $8.6 million) over the period. This estimate is a 
conservative one because it uses the higher per launch cost of 
$165,000.\2\ It is also very close to the estimate derived 
independently in FAA's own Regulatory Evaluation.
---------------------------------------------------------------------------

    \2\ We did not estimate a lower range using the lower per launch 
estimate.
---------------------------------------------------------------------------

    The FAA held a public meeting on March 29-30, 2005 and received 
public comment on these documents until June 1, 2005. The draft 
analysis of comments in the docket is a detailed analysis of voluminous 
comments the FAA received during this rulemaking process. The FAA 
encourages the public to review this analysis of comments for specific 
concerns regarding this rule. The resolution of those comments is part 
of the record of this rulemaking.
    This final rule codifies the successful safety measures that the 
Department of Defense and NASA have implemented at Federal launch 
ranges in the U.S. A launch operator must comply with both FAA 
commercial space transportation regulations and Federal range launch 
safety requirements, the latter through its launch license. In 
addition, some Federal range safety practices are incorporated into 
vehicle specific documents, also known as ``tailored documents,'' and 
these practices need to be codified to give all launch operators notice 
regarding other permissible alternatives. Until this rulemaking, the 
FAA has not adopted clear safety requirements for launches from a non-
Federal launch site. The FAA evaluates applications for launch from a 
non-Federal launch site on a case-by-case basis, weighing the safety of 
launches from non-Federal launch sites against Federal launch range 
practices, procedures and requirements, including the safety 
requirements of the U.S. Air Force. See 14 CFR part 415, subpart F.
    This final rule identifies and establishes the requirements for a 
launch operator launching from a Federal launch range or a non-Federal 
launch site. This rule allows a launch operator to interact with a 
Federal launch range in the same manner it does now. This rule also 
adopts the latest safety practices of Federal ranges, determined 
through the Common Standards Working Group (CSWG), a joint FAA and Air 
Force task force. By standardizing safety requirements between the 
Federal ranges and the FAA, the same level of safety is achieved 
throughout the United States. This standardization also improves 
efficiency in the launch industry, because launch operators have one 
set of clear rules. Codification improves transparency in the 
regulatory process for both established launch operators and new 
entrants.

Summary of the Final Rule

    This final rule establishes requirements for obtaining a license to 
launch an expendable launch vehicle (ELV) from a non-Federal launch 
site. This rule also codifies safety responsibilities and requirements 
that apply to any licensed launch, regardless of where it takes place. 
The rule prescribes standardized application requirements and clarifies 
safety issues that an applicant must address. These application 
requirements, contained in 14 CFR part 415, subpart F, require an 
applicant to demonstrate how it would satisfy the safety requirements 
of the new part 417 in order to obtain a launch license.
    A launch operator currently supplies a Federal launch range much of 
the information needed for the various safety analyses and 
verifications that a Federal launch range performs. However, the 
Federal launch range staffs and controls the launch. Launch operators 
will do more of their own safety work at a non-Federal launch site than 
they have at the Federal launch ranges because they will not be able to 
take advantage of the Federal range personnel and oversight as they do 
now. This does not mean that the requirements adopted today are new, 
only that a launch operator at a non-Federal launch site must work with 
the FAA to determine how to satisfy the safety requirements normally 
performed by a Federal launch range.

Definitions

    The FAA adopts new definitions in this final rule. They include:
    Equivalent level of safety. The FAA adopts a different definition 
than was proposed in the 2002 NPRM. An equivalent level of safety now 
means an approximately equal level of safety as determined by 
qualitative or quantitative means. The FAA does not adopt its proposed 
reference to risk in this definition, because demonstration by 
qualitative or quantitative means need not be risk based. The 
definition is now broad enough to adapt to new circumstances.
    Launch site safety assessment. The FAA adopts a definition of a 
Launch Site Safety Assessment (LSSA), formerly called a baseline 
assessment. The FAA will assess each Federal launch range and determine 
if the range meets FAA safety requirements. If there are any 
differences between range practice and FAA requirements, the 
differences will be documented in the LSSA. The FAA does not anticipate 
many, if any, differences for Federal launch ranges because it derived 
most of the requirements for part 417 from the safety requirements of 
the Federal launch ranges themselves. A launch operator relying on a 
LSSA to demonstrate compliance with FAA regulations should pay 
particular attention to any differences because a launch operator will 
still be responsible for satisfying FAA safety requirements but may 
have to perform work or conduct analysis previously performed by a 
Federal launch range.

Requirements for Obtaining a Launch License for an Expendable Launch 
Vehicle

    Part 415 contains requirements that an applicant must meet in order 
to obtain a license, and part 417 contains requirements that a licensee 
must comply with during the term of the license. The FAA moved all 
post-licensing requirements and responsibilities out of part 415 and 
placed them in part 417, subpart A to group them together. Part 415 
references part 417 requirements where appropriate. The FAA did not 
change its part 415, subpart C application requirements for launching 
from a Federal launch range, except to clarify the role of a LSSA, and 
to consolidate and clarify the flight readiness requirements of section 
415.37, as discussed in the docketed draft analysis of comments.

Safety Review and Approval for Launch From a Federal Launch Range

    Subpart C of part 415 describes how the FAA reviews the safety of 
licensed launches from Federal launch ranges. Subpart C contains safety 
requirements and recognizes that a launch operator may use a LSSA to 
demonstrate compliance of FAA safety-related launch services and 
property provisions.
    Section 415.31 explains how the FAA conducts a safety review of an 
applicant proposing to launch from a Federal launch range. The FAA 
clarified section 415.31 and other sections in part 417 to make it 
absolutely clear that an applicant may contract with a Federal range 
for many Federal range safety-related launch services and property. 
These provisions should clarify that a launch operator will maintain 
the same relationship it has with a Federal launch range.

Safety Review and Approval for Launch From a Non-Federal Launch Site

    Subpart F of part 415 contains requirements that an applicant must 
meet to obtain a safety approval for a launch from a non-Federal launch 
site. Subpart F requires an applicant to demonstrate how it would 
satisfy the safety requirements of part 417 in order to obtain a launch 
license.

Launch Safety Generally

    Part 417 contains the standards by which the FAA assesses the 
adequacy of both a licensee and a Federal launch range. The FAA 
assesses a launch operator through the licensing process and a Federal 
launch range through a LSSA. The FAA developed the standards in part 
417 after extensive negotiation in the CSWG. These standards include 
not only current Federal launch range standards but also current 
practice at the Federal ranges. This rulemaking incorporates any 
lessons learned through tailoring of launch operator requirements. 
Therefore, the FAA anticipates that the LSSA for each Federal launch 
range will disclose few, if any, range differences with part 417 
requirements. Nonetheless, it is possible some FAA requirements may 
differ from range requirements. In such a case, any differences will be 
documented in a LSSA.

General and License Terms and Conditions

    The FAA moved existing part 415 subpart E, Post-Licensing 
Requirements--Launch License Terms and Conditions into subpart A of 
part 417. This change enables a launch operator to reference one 
source, instead of two or more for the post-licensing responsibilities 
and requirements. The requirements of part 417, subpart A apply to 
launch operators launching from both Federal and non-Federal launch 
sites, except where noted. As a result, part 415 includes all the 
responsibilities and requirements that an applicant needs to fulfill in 
order to obtain a license, and part 417 includes all the 
responsibilities and requirements that a launch operator needs to 
fulfill in order to keep a license.

Requests for Relief and Tailoring

    The Federal ranges permit tailoring of requirements. With 
tailoring, range and launch operator personnel produce a document that 
details all areas where the Air Force grants some form of relief 
without a degradation of safety. The FAA will accept prior agreements 
between the Air Force and a launch operator, as long as the FAA and the 
Air Force determine there is no change in circumstance that would 
degrade safety.
    The FAA will utilize equivalent level of safety determinations, 
similar to the Air Force tailoring process, and FAA waivers to grant 
relief to launch operators. The FAA will also accept written evidence 
of Air Force ``meets intent'' certifications (MIC) and previously 
granted Air Force waivers. The FAA will also accept Air Force 
grandfathering of prior practices.

Definition of Public

    This final rule does not change the existing FAA definition of the 
``public.'' As discussed in greater detail in the draft final rule in 
the docket, it is impossible for industry to determine the implications 
of a change in definition at this time because there has not been 
opportunity to discuss concerns in depth. Commenters pointed out that a 
change may impose burdens, place logistical, schedule, and programmatic 
activities at risk, and adversely impact the cost or availability of 
insurance. The current FAA definition of public is different from the 
definition of public that the ranges use. However, recent Federal range 
safety analysis determined that commercially licensed launches from the 
Eastern and Western ranges complied with the risk criterion of less 
than 30 x 10^-6 when using the FAA definition of the public. 
In addition, the Western Range has not assessed the impact of the 
current FAA definition of public for launches of the Evolved Expendable 
Launch Vehicle scheduled to launch from that range in the near future. 
The Western Range will conduct a similar safety analysis once the EELV 
operators provide the appropriate data.

Launch Services and Liability

    As discussed in the public meeting, the FAA seeks to clarify that a 
launch operator is responsible for its launches, including launches 
from a Federal range or from a non-Federal launch site. Even if a 
launch operator contracts with a Federal range to perform many 
services, the launch operator must still conduct a launch that complies 
with part 417. In addition, although a launch operator may contract 
certain duties and responsibilities required by part 417, the launch 
operator cannot delegate its accountability for safe operations under 
part 417.

Launch Reporting Requirements

    A launch operator is required to provide launch specific 
information at various times to the FAA after receiving a launch 
license. All information updates not covered by section 417.17 should 
be filed under the license modification requirements of section 417.11. 
The FAA will work with launch operators concerning the availability of 
information at various points in the launch schedule and the FAA is 
willing to consider waiver requests for certain reporting requirements.

Post Launch Report

    This rule requires a launch operator to identify discrepancies or 
anomalies that occur during the launch countdown or flight, including 
any deviations from the terms of the launch license or to the operating 
environments. This rule requires post launch reporting for every 
launch.

Launch Safety Responsibilities

    Subpart B of part 417 is a road map describing the responsibilities 
of a launch operator when conducting a licensed launch of an ELV. 
Subpart B covers all of the safety issues that a launch operator's 
safety program needs to address. A launch operator should pay 
particular attention to section 417.107, because its requirements rely 
on many of the analyses covered in other subparts. Subpart B contains 
the requirement to implement the results of analysis; other subparts 
contain the performance requirements governing those analyses; and the 
appendices include the methodologies to satisfy the performance 
requirements.
    The FAA has clarified in this rule that a launch operator launching 
from a Federal launch range and contracting with a range for certain 
safety-related launch services and property may use a LSSA to 
demonstrate compliance with part 417 requirements. In essence, use of a 
LSSA preserves the current relationship a launch operator has with a 
range. If a LSSA finds differences between part 417 requirements and 
range requirements, the FAA will document any differences in the LSSA, 
and the FAA and the Air Force will work with a launch operator to 
resolve these differences.
    It is also important to reinforce the change from the FAA's 
original proposal concerning public risk criteria in paragraph 
417.107(b). As discussed in the SNPRM, the FAA originally proposed to 
aggregate the risks attributable to all mission hazards and set a cap 
on the total mission risk of all hazards at an expected average 
casualty of 30 x 10^-6. The FAA now limits the acceptable 
risk attributable to each hazard, rather than to an aggregate of the 
risk for all hazards.

Flight Safety Analysis

    A flight safety analysis is one of the cornerstones of a safe 
launch. A flight safety analysis determines where a launch vehicle may 
safely fly, where it may not, and monitors and controls risk to the 
public from normal and malfunctioning launch vehicle flight. A launch 
operator is required to conduct a flight safety analysis by section 
417.107(f). Subpart C of part 417 contains the performance requirements 
for conducting such an analysis. Appendices A, B, C, and I contain the 
methodologies for meeting the performance requirements of Subpart C.
    This final rule does not change current practice between a launch 
operator and a Federal launch range. A launch operator launching from a 
Federal launch range may still contract with that range to provide 
flight safety analyses. Any launch operator contracting with a Federal 
launch range for flight safety analysis may rely on a LSSA to determine 
whether the range can ensure compliance with this subpart. That launch 
operator must ensure that it satisfies any requirement that a range 
does not meet. The FAA and the Air Force will work with the launch 
operator to ensure compliance. A launch operator may also file an 
alternate flight safety analysis for FAA approval.
    Under a flight safety analysis the FAA requires a launch operator 
to use a flight safety system, a wind-weighting safety system for any 
unguided suborbital launch vehicle, or an alternative flight safety 
system approved by the FAA during the licensing process. The chart 
below describes the flight safety analysis requirements for each type 
of system.
[GRAPHIC] [TIFF OMITTED] TR25AU06.000

    The performance requirements for a flight safety system and a wind-
weighting system are both located in subpart C. However, the 
methodologies for meeting the performance requirements are different 
for each system. Appendices A, B, and I contain the methodologies for a 
flight safety system and Appendices B, C, and I contain the 
methodologies for a wind-weighting system. All of the following 
performance requirements adopt current range practices, as identified 
through FAA consultation with range safety personnel. Below is a 
description of each of the analyses that together constitute a flight 
safety analysis. The results of a flight safety analysis using a flight 
safety system or a wind-weighting safety system are then used to 
establish rules governing when it is safe to launch, which are referred 
to as flight commit criteria. A flight safety analysis using a flight 
safety system also establishes rules governing the termination of 
flight.
    A trajectory analysis establishes, for any time after lift-off, the 
limits of a launch vehicle's normal flight, as defined by the nominal 
trajectory and potential three-sigma trajectory dispersions about the 
nominal trajectory. The trajectory analysis must also establish a fuel 
exhaustion trajectory and a straight up trajectory. A fuel exhaustion 
trajectory produces instantaneous impact points with the greatest range 
for any given time-after-liftoff for any stage that has the potential 
to impact the Earth and does not burn to propellant depletion before a 
programmed thrust termination. For example, a stage that fails to 
terminate at its programmed thrust termination point will continue 
flight until burnout if the stage contains residual fuel. A straight-up 
trajectory projects the results that would occur if a launch vehicle 
malfunctioned and flew in a vertical or near vertical direction above 
the launch point.

    A malfunction turn analysis describes a launch vehicle's turning 
capability in the event of a malfunction during flight. This analysis 
accounts for where a vehicle would go in the event of a malfunction by 
plotting a series of malfunction turns that must account for numerous 
factors. This analysis determines, for any point in flight, how far off 
course a vehicle can travel before either the flight safety system 
takes action or the vehicle breaks apart due to aerodynamic forces.
    A debris analysis accounts for the debris produced by both normal 
events, such as the planned jettison of stages in an ocean, and 
abnormal events, such as destruction of the launch vehicle. This 
analysis must identify the inert, explosive and other hazardous launch 
vehicle debris that results from normal and malfunctioning launch 
vehicle flight. A debris analysis also requires a debris list, which is 
commonly referred to as a ``debris model,'' and must account for each 
cause of launch vehicle breakup. The debris lists describe and account 
for all debris fragments and their physical characteristics. A debris 
model categorizes, or groups, debris fragments into classes where the 
characteristics of the mean fragment in each class represent every 
fragment in the class. These debris lists are used as input to other 
flight safety analyses, such as those performed to establish flight 
safety limits and hazard areas and to determine whether a launch 
satisfies the public risk criteria of section 417.107.
    A flight safety limits analysis identifies when flight must 
terminate to limit the hazardous effects of debris impacts on any 
populated or other protected area, establishes designated impact limits 
to bound the area where debris with a ballistic coefficient of three or 
more is allowed to impact without a flight safety system failure, and 
ensures that a launch satisfies the public risk criteria.
    A straight-up time analysis accounts for how long a vehicle may fly 
straight up before it poses a hazard to the public if it fails to turn 
downrange. This analysis also identifies the point in flight where 
termination is no longer required. This analysis establishes the latest 
time after liftoff, assuming a launch vehicle malfunctioned and flew in 
a vertical or near vertical direction above the launch point, that 
activation of the launch vehicle's flight termination system or breakup 
of the launch vehicle would not cause hazardous debris or critical 
overpressure to affect any populated or other protected area.
    Data loss flight time and no longer terminate time analyses 
establish time periods during the nominal flight of a launch vehicle 
when flight termination is not necessary even if tracking data is not 
available. Generally, termination is not required because either the 
data loss is so brief a vehicle could not reach a populated or 
protected area or the vehicle has reached a point where the remaining 
thrusting potential, in a worst case scenario, does not let the vehicle 
reach a populated or protected area.
    A time delay analysis establishes the mean elapsed time between the 
violation of a flight termination rule and the time it takes a flight 
safety system to terminate flight. This analysis is used in 
establishing a vehicle's flight safety limits.
    A flight hazard area analysis determines what areas of land, air, 
and sea must be controlled, by evacuation or notices to mariners and 
airmen, because of the risk to the public from debris impact hazards. 
The FAA does not adopt a specific impact probability or casualty 
expectation protection criterion for ship and aircraft hazard areas 
because the different federal ranges use different criteria. The FAA 
simply requires a launch operator to provide the same level of 
protection as that of a federal range when performing the analysis. The 
FAA does require a launch operator to conduct a hazard analysis and 
inform the public as to the location of any resulting hazardous areas. 
In addition, the FAA provides a methodology in appendix B for 
quantitatively constructing these hazard areas as part of the hazard 
analysis using the same construction methods that a federal range 
uses.
    A probability of failure analysis requires a launch operator to 
establish a launch vehicle failure probability, regardless of hazard or 
phase of flight, in a consistent manner, using accurate data, 
scientific principles, and a statistically valid method. For a launch 
vehicle with fewer than two flights, the failure probability estimate 
must account for the outcome of all previous launches of vehicles 
developed and launched in similar circumstances. For a launch vehicle 
with two or more flights, launch vehicle failure probability estimates 
must account for the outcomes of all previous flights of the vehicle in 
a statistically valid manner.
    A debris risk analysis determines the expected number of casualties 
(Ec) to the collective members of the public, if the public 
were exposed to inert and explosive debris hazards from the proposed 
flight of a launch vehicle.
    A toxic release hazard analysis determines any potential public 
hazards from any toxic release during the proposed flight of a launch 
vehicle or that would occur in the event of a flight mishap. A launch 
operator performs a toxic release hazard analysis using the 
methodologies of appendix I of part 417. The FAA requires a toxic 
release analysis to establish flight commit criteria to protect the 
public from any toxic release, and to demonstrate compliance with the 
public risk criterion of section 417.107(b).
    A launch operator's flight safety analysis must also establish 
flight commit criteria that will protect the public from any hazard 
associated with far field blast overpressure effects due to potential 
explosions during flight, and to demonstrate compliance with the public 
risk criterion of section 417.107(b). This analysis applies to any far-
field overpressure blast effects analysis such as the potential for 
overpressure effects based upon meteorological conditions and terrain 
characteristics, potential for broken windows, launch vehicle explosive 
capability, population shelter types, window characteristics, and 
hazard characteristics of glass shards.
    A collision avoidance analysis requires a launch operator to 
establish a period in a planned launch window during which a launch 
operator could not initiate flight, so as to maintain a 200-kilometer 
separation from any habitable orbiting object. This analysis must 
account for all variances associated with launch vehicle performance 
and timing and ensure that any calculated launch hold incorporates all 
additional time periods associated with such variances. This standard 
is in keeping with current practice because a Federal range launch wait 
already accounts for such variances. A launch vehicle performing 
nominally within its three-sigma performance envelope could have a 
different separation distance or intercept time with a resident space 
object as compared to the same launch vehicle performing on its nominal 
trajectory. A launch wait, as part of a collision avoidance analysis, 
accounts for these variances.
    An overflight gate analysis determines whether a vehicle can 
overfly populated areas. This analysis requires a launch operator to 
file information to explain why it is safe to allow flight through a 
flight safety limit, the limit that protects populated or protected 
areas, without terminating a flight. This analysis accounts for the 
fact that it is potentially more dangerous to populated or protected 
areas to destroy a malfunctioning vehicle during certain

[[Page 50513]]

portions of a launch than not to destroy it. In some circumstances, a 
destroyed vehicle may disperse debris over a wider area affecting more 
people than if the vehicle were to impact intact.
    A hold and resume gate analysis may, in the event a launch operator 
has lost tracking data information, still allow a normally performing 
launch vehicle to overfly or nearly overfly a populated or otherwise 
protected area to avoid dispersing debris over a populated area when a 
launch vehicle might still be performing normally. This analysis would 
expand the range of acceptable trajectories for coastal launch sites 
whose flight corridors could contain isolated populated or protected 
islands. It would also increase the availability of inland launch 
locations by allowing a normally performing vehicle to overfly 
populated or otherwise protected areas from a site that is wholly 
contained within a populated or otherwise protected area.
    The launch of an unguided suborbital launch vehicle (USLV) flown 
with a wind weighting safety system also requires analysis to establish 
wind constraints and other corrections for wind effects on a launch. 
The flight safety analysis of such a flight must also demonstrate 
compliance with the safety criteria and operational requirements for 
the launch of a USLV contained in section 417.125. A launch operator 
must also ensure the flight safety analysis for a USLV is conducted in 
accordance with the methodologies in Appendices B, C, and I.

Flight Safety System

    The FAA also adopts standards for a flight safety system. As 
discussed earlier, subpart B of part 417 describes when a launch 
operator must use a flight safety system. Subpart D of part 417 
contains the performance requirements of any flight safety system that 
a launch operator must use. Appendix D has methodologies for meeting 
the performance requirements of a flight termination system. Appendix E 
has the test requirements for a flight termination system.
    A flight safety system is a system that provides a means of control 
during flight for preventing a hazard from a launch vehicle, including 
any payload hazard, from reaching any populated or other protected area 
in the event of a launch vehicle failure. A flight safety system 
includes all hardware and software used to protect the public in the 
event of a launch vehicle failure, and the functions of any flight 
safety crew. A typical flight safety system is composed of a flight 
termination system (FTS) and a command control system. The FAA adopts 
requirements for the flight termination system components onboard a 
launch vehicle as well as command control components that are typically 
ground based. This final rule also defines a process for determining 
the reliability of a flight safety system. The reliability process 
consists of specific flight termination system design standards and 
criteria, a reliability analysis of the FTS design, and comprehensive 
testing to qualify the FTS design and certify and accept FTS 
components.
    A launch operator may employ an alternate flight safety system if 
approved by the FAA. An alternate flight safety system must undergo 
analysis and testing that is comparable to that required by Subpart D 
of part 417 to demonstrate its reliability to perform its intended 
functions. In addition, the FAA built flexibility into this area by 
permitting entities other than a launch operator to conduct required 
tests or analysis. The FAA recognizes that a vendor, contractor, or 
Federal range may perform the required tests and analysis of this 
subpart. However, the FAA notes that a launch operator is ultimately 
responsible for employing a flight termination system that satisfies 
all FAA requirements of subpart D and appendices D and E of part 417.
    For launch from a non-Federal launch site, compliance with the 
flight safety system requirements is demonstrated through the licensing 
process. For a launch from a Federal launch range, the FAA will accept 
the flight safety system used or approved on a Federal launch range, if 
a launch operator has contracted with a Federal launch range for the 
provision of flight safety system services and property, and the FAA 
has assessed the range through a LSSA and found that the range's 
property and services satisfy the requirements of this subpart. In this 
case, the FAA will treat the Federal launch range's flight safety 
system's property and services as that of a launch operator. This is 
consistent with the FAA's current practice for launches from Federal 
ranges. Under this provision, the FAA expects that launch operators at 
Federal ranges will continue to rely on the Federal range to approve 
flight termination systems and provide command control and support 
systems that comply with the requirements of this part.
    A flight safety system must have a command control system to 
transmit a command signal that has the radio frequency characteristics 
and power needed for receipt of the signal by the flight termination 
system onboard the launch vehicle. The command control system must 
include equipment to ensure that an onboard vehicle termination system 
will receive a transmitted command signal and must meet subpart D's 
performance requirements, including those addressing reliability 
prediction, fault tolerance, configuration control, electromagnetic 
interference, command transmitter failover, the ability to switch 
between transmitter systems, radio carrier, command control system 
monitoring, command transmitter system, and command control antennas. 
Each command control system, subsystem, component, and part that can 
affect the reliability of a component must have written performance 
specifications that demonstrate, and contain the details of, how each 
satisfies the performance requirements of subpart D.
    Testing requirements apply to a new or modified command control 
system. This testing includes preflight testing. Each test must follow 
a written plan that specifies procedures and test parameters, and must 
include instructions on how to handle procedural deviations and react 
to test failures. A launch operator must also prepare written test 
reports for each test. In accordance with a launch site safety 
assessment, for a launch from a Federal launch range, a launch operator 
may continue to rely on the range's verification that the system 
satisfies all the test requirements. Appendix D of part 417 contains 
methodologies that a launch operator can use to conduct the tests. 
Appendix D provides one means of satisfying the requirements of this 
rule. A launch operator may also file an alternative means for FAA 
review and approval.
    A flight safety system must also have design, test, and functional 
requirements for systems that support the functions of a flight safety 
crew, including any determination to terminate a flight. The vehicle 
tracking system is one of these support systems. It must include two 
independent tracking sources and provide the launch vehicle position 
and status to the flight safety crew from liftoff until the vehicle 
reaches its planned safe flight state. Other support systems include 
telemetry, a communications network, data processing, display and 
recording, displays and controls, support equipment calibration, 
destruct initiator simulator, and timing. The data processing, display 
and recording system must display and record raw input and processed 
data at no less than 0.1 second intervals. Again, appendices D and E of 
part 417 provide the methodologies that a launch operator

[[Page 50514]]

must use, absent an equivalent alternative, to conduct the above tests.
    This rule also requires a launch operator to demonstrate the 
predicted reliability of a flight safety system, including a flight 
termination system, command and control system, and each of its 
components. This reliability analysis must use a reliability model that 
is statistically valid and that accurately represents the actual 
system. These analyses must identify all possible failure points and 
undesired events, the probability that they would occur, and their 
effects on system performance. The analyses must demonstrate the 
reliability of a radio frequency link, any software or firmware, any 
battery, and the survivability of a flight termination system, when 
exposed to various hostile environments.
    A flight safety system must be operated by a qualified flight 
safety crew. The flight safety crew's capabilities are verified through 
a training program and approved during the licensing process. The FAA's 
training and qualification approach is an adaptation of Federal launch 
range practices.

Ground Safety

    The FAA also adopts ground safety standards governing the 
preparation of a launch vehicle for flight. The FAA recognizes that 
other Federal agencies regulate various aspects of ground safety. This 
final rule addresses ground safety issues not otherwise addressed by 
other Federal regulations, that are unique to space launch processing 
and that could affect the general public. A launch operator licensee is 
responsible for developing and implementing a ground safety program in 
compliance with the specified standards. This final rule does not 
supersede the ground safety requirements of other regulatory agencies.
    In order for a launch operator to meet the ground safety 
requirements of subpart E of part 417 and the methodologies of 
appendices I and J, a launch operator must conduct a ground safety 
analysis. In addition to the Subpart E requirements, a launch operator 
is also required to conduct a toxic release hazard analysis as part of 
subpart C, flight safety analysis. For a launch from a range, a launch 
operator may rely on a launch site safety assessment to demonstrate 
compliance with both the ground safety analysis and the toxic release 
analysis. In addition, a launch operator may also demonstrate the 
acceptability of an alternative method of compliance.
    A ground safety analysis consists of identifying each potential 
hazard, each associated cause, and each hazard control that a launch 
operator must establish and maintain to keep each identified hazard 
from affecting the public. A launch operator not relying on a LSSA must 
conduct this analysis for launch vehicle hardware, ground hardware 
(including launch site and ground support equipment), launch 
processing, and post-launch operations. A launch operator not relying 
on a LSSA must record all of this analysis in a ground safety report, 
the format for which is located in appendix J.
    A launch operator must classify each hazard in the analysis 
described above as a public hazard, a launch location hazard, an 
employee hazard, or a non-credible hazard. For some hazards capable of 
creating catastrophic consequences, a launch operator must implement a 
dual fault system, so that no single act could cause the catastrophic 
event. Once a hazard is identified, classified, and a corresponding 
control is in place, a launch operator must also conduct periodic 
inspections to ensure safety devices and hazard controls remain in 
working order. A launch operator must also establish a safety clear 
zone and prohibit public access during hazardous operations.

Discussion of Comments

    At the conclusion of the public comment period on June 1, 2005, the 
FAA received written comments from The Boeing Company, Lockheed Martin 
Corp., NASA, Orbital Sciences Corp., Sea Launch Company, Space 
Exploration Technologies, XCOR Aerospace, and three comments from 
private citizens. The following discussion responds to substantive 
comments that explain the reasons for the comment and that were not 
already submitted and responded to in the past.

General Comments

    A number of comments repeat suggested changes for several sections. 
We address these comments here, instead of in every section. First, for 
several sections commenters suggested repeating the FAA's willingness 
to accept alternative approaches that provide an equivalent level of 
safety.\3\ However, it is better to state this only once at the 
beginning of each subpart, so that a finding of an equivalent level of 
safety may be made for any requirement in a subpart, rather than just 
in a few select sections.
---------------------------------------------------------------------------

    \3\ See Lockheed comments concerning sections 417.1(c), 
D417.1(a), E417.1(a).
---------------------------------------------------------------------------

    Second, if a comment submitted in 2005 repeats a comment submitted 
in response to earlier notices, but raises no new issues or adds no new 
information, the FAA will continue to rely on its own earlier response, 
including those placed in the docket on February 28, 2005. For example, 
XCOR Aerospace, in addition to providing new comments, also submitted a 
copy of the same comments given in response to the 2001 NPRM.\4\
    Third, the FAA is unable to respond to comments that do not provide 
an explanation or a reason for a suggested change for a comment.\5\ 
Likewise, a number of comments request a change to the proposal based 
on cost concerns, but do not provide cost data to substantiate that 
concern.\6\ In addition, we do not specifically address requests for 
clarifying or editorial changes, even though we may accept some of 
those changes.\7\
---------------------------------------------------------------------------

    \4\ See also, Lockheed comments concerning sections 417.1(g), 
417.105(a) and (b), 417.111(d)(4), 417.231(a), 417.303(c), 
417.303(d), 417.307(b)(8), 417.307(h)(4), 417.309(b)(2), 
417.309(c)(4), 417.309(j), 417.407(a), 417.407(b), 417.417(b), 
D417.5(c)(3), D417.13(c), D417.17(b)(6), D417.29(b)(2)(ii), 
D417.33(d), D417.33(g)(6), D417.31(h), D417.31 (i), E417.1(d)(3), 
Lockheed proposed E417.1(j), E417.3(f)(3), E417.11(g)(1), 
E417.19(e)(2)(ii), E417.19(e)(2)(vi), E417.25(f)(2), E417.29(b)(6); 
Boeing's comments concerning sections D417.41(c), D417.45(m), 
D417.47(b), E417.1(d)(3).
    \5\ See Lockheed comments concerning sections 417.3, 417.107(f), 
417.111(e)(2), 417.207(b), 417.303(l)(6), D417.3(b), D417.21(a), 
E417.9(l), E417.19(d), E417.25(c)(2), E417.25(i), E417.25(j)(4); 
Boeing comments concerning D417.7(l), E417.15(b), E417.21(b)(iii), 
E417.25(c)(2), E417.25(i), E417.35(b).
    \6\ See Lockheed comments concerning sections 417.1(f), 
E417.35(c).
    \7\ See Lockheed comments concerning sections 417.11(c)(2)(ii), 
417.301(c)(1), 417.307(b)(4), 417.307(e)(2), 417.3079(e)(7), 
417.307(f)(8), 417.309(b), 417.309(c), 417.309(f)(3)(i), 
417.311(b)(2), 417.402(e), 417.403(c), 417.405(e), 417.405(f), 
417.405(g)(3), 417.405(j)(5), D417.5(i), D417.9(b) & (d), 
D417.21(e), D417.25(b), D417.29(a)(1), D417.29(b)(1)(i), 
D417.33(h)(2), E417.1(g), E417.5(g)(3), E417.7(d), E417.9(a), (b), 
and (e), E417.11(f)(2), E417.11(h)(1), E417.19(d)(1), E417.19(d)(5), 
E417.9(e)(1); Boeing comment concerning B417.13.
---------------------------------------------------------------------------

    Fourth, some commenters continue to suggest that they do not 
satisfy the part 417 requirements or they are currently operating to a 
different standard. This is because a range found an equivalent level 
of safety through tailoring or a meets intent certification. The FAA's 
grandfathering policies should address these concerns. Also, as noted 
in the Analysis of Comments the FAA placed in the docket on February 
28, 2005, the FAA did consult with the ranges regarding a number of 
these concerns when they were raised earlier in the rulemaking, and 
operators are

[[Page 50515]]

apparently in compliance, but unaware that they are.\8\
---------------------------------------------------------------------------

    \8\ See, e.g., Boeing comments concerning sections 
417.209(a)(6), A417.7(2)(g)(1), D417.5(c), D417.7(c)(1), 
D417.7(c)(4), D417.7(g)(1)(i), D417.13(c), D417.15(b)(1), 
D417.35(d), D417.45(b) and (o), D417.47(i), E417.33(c), 
E417.41(e)(1); Lockheed comments concerning sections 417.301(d)(2), 
D417.7(g)(1)(i), D417.19(g)(2), D417.27(h), D417.29(b)(9), D417.53 
(d), E417.9(j), E417.11 (b)(3), E417.11(c)(2), E417.11(c)(3), 
E417.11(c)(6), E417.11(e)(2), E417.11(e)(4), E417.11 (h)(1)(ii), 
E417.11 (h)(4)(ii), E417.11(i)(2)(ii), E417.13(d)(2)(v), 
E417.13(e)(1)(i), E417.13(e)(2)(ii), Table E417.17-2, Table E417.19-
1, E417.19(e)(2)(i), E417.19(e)(2)(v)(A), E417.19 (e)(2)(xiii), 
E417.19(f)(2), E417.19(f)(10), E417.19(f)(11), all Lockheed comments 
concerning section E417.19(j), E417.21(b)(iv), E417.21 (g)(2), 
E417.21(j)(4)(i), (j)(4)(ii) E417.21(p)(1), E417.21(p)(3)(ii), 
E417.21(q)(6), E417.21(r)(5), E417.22(a), E417.25(g)(4), E417.25(h), 
E417.31(b)(4), E417.33(c), E417.37(b)(2), E417.41(h)(1)(ii), 
E417.41(h)(2)(i)(1)(i), E417.41(h)(2)(i)(1)(iii), 
E417.41(h)(2)(i)(5)(i), E417.41(h)(2)(i)(6).
---------------------------------------------------------------------------

    Fifth, the FAA received several comments concerning requirements 
for a launch operator to file information during a particular time 
period, e.g., thirty days before a launch. The FAA did not change the 
suggested timing requirement because the FAA already provides a process 
for granting waivers under part 404. As noted at the 2005 public 
meeting, the FAA routinely grants waivers to administrative timing 
requirements. Additionally, the FAA plans to permit the coordination of 
timing issues at Federal launch ranges to be taken care of by the 
Federal launch ranges.\9\
    Sixth, the FAA received some comments claiming that a proposed 
requirement was not current practice. The FAA reviewed current practice 
with the Federal launch ranges, and received confirmation that the 
commenters' suggestion is current practice at the ranges. The FAA 
therefore adopts the commenters' suggestions.\10\ In addition, some 
comments simply claimed that a proposed requirement is not current 
practice, without further explaining what the commenter considers 
current practice.\11\ The FAA was able to confirm with the Federal 
ranges that the FAA requirement is current practice. In this regard, 
commenters who questioned whether a requirement was current practice in 
this latest round of comments may be assured that the FAA checked again 
with U.S. Air Force range safety personnel on each comment discussed in 
detail below.
---------------------------------------------------------------------------

    \9\ See Boeing comments concerning sections 417.117(b)(2), 
E417.41(e)(1); Lockheed comments concerning sections 417.17(c)(4), 
417.17(c)(7), E417.41(d)(2), E417.41(e)(1), E417.41(h)(2), 
E417.41(h)(2)(i), E417.41(h)(2)(i)(1)(v), E417.41(h)(2)(i)(2)(i), 
E417.41(h)(2)(i)(3), and Sea Launch comments concerning sections 
415.115 and 415.121.
    \10\ See Lockheed comments concerning sections 417.9(c), 
E417.3(e)(1), E417.11(b)(4)(iii).
    \11\ See Lockheed comments concerning sections 417.303(b), 
417.307(a)(2), 417.309(c)(6), D417.5(e), D417.7(c)(6), D417.19(e), 
E417.5(g), E417.7 (f)(5), E417.25(f)(4).
---------------------------------------------------------------------------

    Finally, XCOR submitted general comments concerning the latest 
draft documents placed in the docket on February 28, 2005. These 
comments included the general statement that the FAA should abandon 
this rulemaking, start over, and engage industry in real dialogue 
because this rulemaking will destroy industry, is too burdensome, and 
actually decreases public safety. The FAA notes that this rulemaking 
adopts current practice, so there is no degradation to public safety. 
In addition, the industry's relationship with the Federal launch ranges 
will not change. To the extent that XCOR is concerned that current 
practice is too burdensome, the FAA is not proposing any changes.

Launch Site Safety Assessments

    In accordance with comments from industry, if the FAA has assessed 
a Federal launch range, through its launch site safety assessment, and 
found that an applicable range safety-related launch service or 
property satisfies FAA requirements, then the FAA will treat the 
Federal launch range's launch service or property as that of a launch 
operator's, and there will be no need for further demonstration of 
compliance to the FAA. The FAA agrees with most commenters that 
existing Federal launch range safety requirements and processes have 
worked well in protecting the safety of the public and property. The 
March 2005 Draft Regulatory Language and Analysis of Comments, at 106, 
stated that the FAA had assessed the Federal launch ranges through the 
FAA's launch site safety assessment, and found that applicable range 
safety-related launch analyses, services or property satisfied the 
requirements. Therefore, the FAA proposal intended to treat a Federal 
launch range's launch service or property as that of a launch 
operator's. The FAA remains committed to this position. Participants at 
the 2005 public meeting referred to this practice as an ``off-ramp.''
    The FAA discussed the sufficiency of the launch site assessment 
process at a public meeting held on March 29-30, 2005 (``2005 public 
meeting''). At that public meeting, FAA officials thoroughly briefed, 
discussed, and entertained multiple questions from industry 
representatives in an attempt to assure the launch operators of the 
FAA's plan to allow launch operators to continue using the ranges as 
their primary interface. The FAA encouraged the launch operators to 
work with the FAA in determining appropriate language if the proposed 
language did not satisfy industry concerns. Industry was encouraged to 
act immediately and not wait until the end of the comment period. 
Industry responded at the close of the comment period.
    Orbital \12\ described the FAA's previously established approach to 
accepting a Federal launch range's range safety-related launch service 
or property as an ``off-ramp'' for launch operators operating on a 
Federal launch range. Orbital requested that the FAA expressly provide 
that no further demonstration of compliance to the FAA be required of a 
launch operator, and the FAA adopts this clarification. Lockheed 
suggested similar language for section 417.1(g). The FAA provides this 
assurance at the beginning of every substantive subpart of this rule.
---------------------------------------------------------------------------

    \12\ See also, Boeing, at 1, and Lockheed, subpart A at 1-2, 7-
9, subpart B at 1-2, 4-6, 8-13, subpart C at 1-2, subpart D at 1-3, 
subpart E at 1-4, 7-9, Appendix A at 1, Appendix B at 1, Appendix D 
at 2-3, Appendix E at 1-2, Appendix G at 1, Appendix I at 1, 
Appendix J at 1, also commented on the off-ramp process.
---------------------------------------------------------------------------

    Boeing suggested removing any suggestion that a Federal launch 
range's analyses might not satisfy an FAA requirement, and that the 
provision should not entertain that possibility. The FAA does not 
accept this suggestion. Federal launch range practices change over 
time. Ideally, the FAA's launch site safety assessment reflects those 
changes. However, a Federal launch range could change a requirement 
without the agreement of the FAA. This is highly unlikely due to the 
CSWG goal of maintaining common standards. A Federal launch range 
could, however, decide that it no longer will perform a flight safety 
analysis or some other service for launch operators due to a decreasing 
budget or other reasons. Therefore, the FAA's acceptance of Federal 
launch range work must recognize that theoretical possibility.

Application Requirements

    Section 415.111 requires that an applicant's safety review document 
identify all persons with whom the applicant has contracted to provide 
goods or services for the launch of the launch vehicle. Sea Launch 
commented that this is an overly detailed requirement and it would be 
nearly impossible to meet because it includes all persons with whom the 
applicant has contracted. Sea Launch recommends that the requirement be 
limited to only persons who provide safety-related services. The FAA 
agrees

[[Page 50516]]

and adopts the requirement as suggested.
    Section 415.123 contains requirements for computing systems and 
software. Sea Launch commented that these requirements are not current 
practice. AFSPCMAN 91-710, Volume 1, Attachment 2, ``System Safety 
Program Requirements,'' requires analysis of software and computing 
systems hazards and risks as part of a comprehensive analysis of system 
safety, and verification and validation. Therefore, the FAA did not 
change this section in response to this comment.

Launch Safety

Requests for Relief

    Paragraphs (c) and (d) of section 417.1 require written evidence of 
a meets intent certification or waiver for a launch operator to be 
eligible for relief. Lockheed and Boeing commented at the 2005 public 
meeting that such evidence may not exist in the way of a meets intent 
certification. The FAA clarifies that other forms of written evidence 
are acceptable and now provides examples.
    Section 417.1(c) provides a launch operator with an alternative 
means to satisfy an FAA requirement through an equivalent level of 
safety if written evidence demonstrates that a Federal launch range 
has, by the effective date of this part, granted a ``meets intent 
certification.'' Section 417.1(d) states that a requirement of this 
part does not apply to a launch if written evidence demonstrates that a 
Federal launch range has, by the effective date of this part, granted a 
waiver that allows noncompliance with the requirement. Lockheed 
requested the FAA strike the term, ``by the effective date of this 
part.'' Lockheed stated that suspension of the ``meets intent'' 
certification process and waiver process as of the effective date of 
the final rule promulgated by the FAA would result in a significant 
impact to the Atlas program, although Lockheed did not state in its 
written comments how or why this impact might occur.
    As discussed in the 2005 public meeting, the FAA cannot eliminate 
the reference to the effective date. This effective date is retained 
because any relief granted before the effective date requires proof 
that the Federal launch range granted such relief. After the effective 
date, the FAA will coordinate with the Federal launch range to 
determine whether relief should be granted. Also, as discussed in the 
SNPRM, agencies cannot waive each other's requirements. This rulemaking 
remedies that problem. The effective date requirement must remain 
because the requirement applies to all previously grandfathered 
requirements. The effective date does not terminate the relief process, 
as suggested by Lockheed and Boeing.
    Lockheed Martin also suggested that the FAA add a new section 
adopting the practice of ``tailoring'' at the Federal ranges. The FAA 
does not need to add the section because although the FAA in practice 
will continue the tailoring process, it will do so through the use of 
an equivalent level of safety determination.

License Terms and Conditions

    Section 417.7 states that a launch operator is responsible for 
ensuring public safety and the safety of property at all times during 
the conduct of a licensed launch. Lockheed requested the FAA add that 
for licensed launches from a Federal launch range, compliance with 
section 417.13, which says a launch operator must enter into an 
agreement with and comply with range requirements, satisfies the launch 
operator's public safety requirements. Lockheed reasoned that the 
Federal launch ranges play a key role in conducting launch activities 
and the range has its own authorities and responsibility with regard to 
ensuring public safety. A launch operator cannot subsume these 
responsibilities. Although Lockheed is correct about the important role 
of the Federal launch ranges, the role of the range does not detract 
from a launch operator's responsibilities for safety under its license. 
A Federal launch range cannot subsume a launch operator's 
responsibilities either. The FAA's description of the launch operator's 
responsibility has been part of the regulations for years. See 14 CFR 
415.71. That a range has responsibilities does not mean that a launch 
operator does not have these same responsibilities. As explained in 
previous rulemakings, a launch operator must comply with the 
requirements of both the ranges and the FAA. See, Commercial Space 
Transportation Licensing Regulations, NPRM, 62 FR 13234 (Mar. 19, 
1997).

Scheduling

    Proposed section 417.17(b)(1) would have required that for each 
launch, a launch operator must file a launch schedule that identified 
each point of contact by name and position for each scheduled activity. 
The FAA proposed that the points of contact be filed no later than six 
months before flight. Sea Launch commented at the 2005 public meeting 
and both Boeing and Sea Launch commented in written comments, that a 
single schedule point of contact is current practice and that requiring 
the information six months before flight was excessive. The FAA agrees 
and instead requires a single point of contact for the schedule and 
that the launch schedule must be filed and updated in time to allow FAA 
personnel to participate in the reviews, rehearsals, and safety 
critical launch processing.
    Proposed paragraph (b) of section 417.25 would have required that 
for a launch operator launching from a non-Federal launch site, a 
launch operator must file a post launch report with the FAA 90 days 
after the launch. Sea Launch commented that current practice requires a 
30 and 60 day report and that the 90 day report is not current 
practice. The reports filed by Sea Launch under current practice meet 
the requirement of section 417.25(b). To clarify, the FAA now requires 
the report be filed no later than 90 days after launch. The 
clarification is also made to section 417.25(a).

Launch Safety Responsibilities

    Section 417.103(b)(2) requires that a safety official have direct 
access to a launch operator's launch director. The FAA had proposed 
that a safety official report directly to the launch director, but 
Lockheed pointed out that these employees may be stationed in different 
parts of the country. The FAA clarifies that direct access means a 
safety official can communicate safety concerns to the launch director. 
This provision does not mandate the organizational structure of a 
launch operator.

Flight Safety

    Section 417.107(b) requires a launch operator to demonstrate that 
any risk to the public satisfies public risk criteria of E_c 
<= 30 x 10^-6 for each hazard before initiating the flight of 
a launch vehicle. Boeing suggested that the FAA use 30 x 
10^-6 as a level defining acceptable launch risk without high 
management review. As it has in the past, Boeing suggested that the 
E_c criterion lacks mathematical justification and therefore 
should not represent a hard limit. The acceptable risk criterion for 
debris at 30 x 10^-6 is current practice and has been an FAA 
requirement since 1999 under section 415.35(a), which is not changed by 
this rulemaking. Previous FAA discussions in the July 2002 SNPRM, the 
February 2005 Analysis of Comments, and the FAA's 2005 public meeting 
discussed the 30 x 10^-6 criterion and its acceptability.
    Section 417.107(e) requires a launch operator to ensure that a 
launch vehicle, any jettisoned components, and its payload do not pass 
any closer than 200

[[Page 50517]]

kilometers to a habitable orbital object and to obtain a collision 
avoidance analysis for each launch. Lockheed \13\ requested that the 
FAA change ``habitable'' to ``known inhabitable'' on the grounds that 
if there is uncertainty about whether an object is habitable the 
required collision avoidance distance may be less. The FAA will not 
adopt the suggested change because it would not change the separation 
distance or reflect current practice in classification of these types 
of orbital objects. Even if an object is not known to be habitable with 
absolute certainty, safety errs on the side of being conservative and 
claims of habitability are taken at face value. If an object is 
designed to be habitable the separation distances must be maintained.
---------------------------------------------------------------------------

    \13\ See also, Lockheed comments regarding Sec. Sec.  417.3, 
417.107(e)(1), 417.107(e)(1)(ii)(B), 417.231(b), (c), and (d), 
A417.31(a)(3), A417.31(c)(7)(iv), A417.31(c)(8), A417.31(c)(8)(i).
---------------------------------------------------------------------------

    Instead, the FAA requires a 200 km separation distance for ``manned 
or mannable'' objects to match the current terminology of the Federal 
launch ranges in AFSPCMAN 91-710 and the United States Strategic 
Command. Mannable objects include all orbital objects that are designed 
for manned spaceflight. Habitable, or mannable, objects are known and 
the FAA requirement only applies to those known objects and not to all 
resident space objects. Current manned or mannable objects include the 
Space Transportation System (STS), International Space Station (ISS), 
and Chinese Shenzhou spacecraft. The FAA can adjust the miss distance 
through an equivalent level of safety on a case-by-case basis similar 
to Federal launch range current practice.
    Section 417.111(e)(2) and (g)(4) require a launch operator to 
identify personnel, by position, who have authority to approve design 
changes, maintain documentation of the most current approved design and 
conduct piece parts tests. Lockheed Martin objected to these 
requirements on the grounds that a launch operator is responsible for 
design changes, the requirement might conflict with other hiring, 
certification and qualification requirements (although Lockheed does 
not describe the conflicts), and with a launch operator's ability to 
make personnel decisions. Because the FAA only requires that a launch 
operator identify such positions, the FAA does not believe that these 
concerns are well founded. To the contrary, for purposes of 
configuration management and control, a launch operator should know 
which position is responsible for design changes, document control and 
conducting piece parts tests as a matter of prudent business practice.
    Section 417.111(h)(2) requires that an accident investigation plan 
(AIP) contain procedures that ensure the containment and minimization 
of the consequences of a launch accident, launch incident or other 
mishap. Boeing comments that this type of procedure is usually in an 
accident response plan, not an accident investigation plan, because 
different personnel perform these tasks. The FAA disagrees because this 
requirement is consistent with existing FAA regulations as found in 14 
CFR 415.41(d), 420.59(c), and 431.45(c).
    Sea Launch, commenting on sections 417.117(b)(1) and 417.121(a), 
recommends against requiring a launch operator to review its hazardous 
operations or identify safety critical pre-flight operations. Because 
of its unique circumstances, these requirements do not apply to Sea 
Launch. The FAA does not regulate launch processing operations on the 
ground outside of the United States. Chapter 701 of Subtitle IX 
defines launch to include ``* * * activities involved in the 
preparation of a launch vehicle * * * for launch, when those activities 
take place at a launch site in the United States.'' 49 U.S.C. 70102(4). 
The launch processing requirements do not apply to Sea Launch because 
its preparatory activities take place at a launch site outside the U.S. 
To some extent the comments address flight safety. Sea Launch claims 
that identifying safety critical preflight operations in a launch 
schedule is too detailed, and that the FAA has always been informed 
when such an operation occurred. The FAA agrees that under current 
practice Sea Launch keeps the FAA informed of safety critical pre-
flight operations, but notes that to be informed of them, they must be 
identified. The FAA and Sea Launch work closely through e-mail and 
phone contact to identify schedule updates as safety critical preflight 
operations change. Sea Launch provides a weekly schedule to the FAA via 
e-mail and also responds immediately to all FAA phone requests for 
status on safety critical preflight operations. This process has worked 
well in the past and the FAA recommends that Sea Launch continue this 
process of notifying the FAA of schedule changes. However, the FAA 
believes identifying safety critical preflight operations in a launch 
schedule is critical to maintaining the current level of safety and 
adopts the requirement.

Rehearsals

    Section 417.119(a)(3) would have required each person with a public 
safety critical role who will participate in the launch processing or 
flight of a launch vehicle to participate in at least one related 
rehearsal that exercises all that person's functions. Sea Launch agreed 
that personnel must rehearse, but stated it would be impossible to 
exercise all the functions of a public safety critical role in a 
rehearsal. The FAA does not agree with Sea Launch's proposal that 
personnel should only participate actively in one related rehearsal, 
because a single rehearsal does not necessarily exercise personnel in 
all disciplines of responsibility. Some rehearsals include deliberate 
anomalous inputs while others exercise normal countdown flow. Personnel 
may have to participate in more than one rehearsal to exercise their 
functions. The FAA does agree, however, that it could be impossible to 
exercise all the functions of a public safety critical role. Therefore, 
section 417.119(a)(3) requires that each person with a public safety 
critical role who will participate in the launch processing or flight 
of a launch vehicle must participate in at least one related rehearsal 
that exercises his or her role during nominal and non-nominal 
conditions so that the launch vehicle will not harm the public.
    Section 417.119(c) requires a launch operator to conduct a 
rehearsal of the emergency response section of the accident 
investigation plan for a first launch of a new vehicle, for any 
additional launch that involves a new safety hazard, or for any launch 
where more than a year has passed since the last rehearsal. Sea Launch 
stated this requirement was not current practice. This requirement does 
not apply to Sea Launch until such time as it launches a new vehicle, 
identifies a new safety hazard, or more than a year has passed since 
the last rehearsal. The FAA currently accepts the rehearsal methodology 
employed by Sea Launch.
    Section 417.119(d) requires a launch operator to rehearse each part 
of the communications plan required by section 417.111(k), either as 
part of another rehearsal or during a communications rehearsal. Sea 
Launch stated these requirements are not current practice and are 
impractical. Each launch operator will have different plans. The FAA 
agrees that each launch operator has a different communications plan, 
but each launch operator must rehearse each part of its communications 
plan to validate every part of the communications plan. The differences 
matter only if they do not

[[Page 50518]]

satisfy the requirements. The FAA currently accepts Sea Launch's 
communications training sessions.

Flight Safety Analysis

Malfunction Turn Analysis

    Section 417.209 requires that a flight safety analysis include a 
malfunction turn analysis that establishes the launch vehicle's turning 
capability in the event of a malfunction during flight. Section 
417.209(a)(6) requires the turning behavior from the time when a 
malfunction begins to cause a turn until aerodynamic breakup, inertial 
breakup, or ground impact. The analysis must contain trajectory time 
intervals, during the malfunction turn, that are sufficient to 
establish turn curves that are smooth and continuous.
    Boeing needed to confirm with the FAA that its current practice 
provided an equivalent level of safety. The Federal launch ranges at 
the Eastern Range and Western Range have accepted the current Boeing 
practice and find that the data provided allows them to conduct their 
safety analyses in a manner that satisfies the Federal launch range 
requirements. The Federal launch range and the FAA have common 
requirements in this area and both of these ranges have an FAA approved 
launch site safety assessment. Therefore, the FAA accepts this 
equivalent level of safety as one that satisfies the FAA requirement.

Flight Safety System

    Lockheed requested that in the event of a vehicle failure, a flight 
termination system (FTS) prevent exceeding a casualty expectation, 
instead of preventing a vehicle hazard from reaching a populated or 
otherwise protected area. The FAA does not accept this recommendation 
because it is current practice to require use of an FTS to prevent a 
vehicle from reaching vulnerable areas and to prevent a low 
probability, high consequence event. Risk criteria are separate from 
the safety requirements for a flight termination system and are not 
interchangeable.
    For section 417.303(l)(1), Lockheed inquired whether the 
requirement for two or more command signals, which are signals to 
destroy a vehicle, requires at least two antennas. This rule requires 
two or more command signals. This requirement is a performance 
standard that only requires the launch operator to use at least two 
command destruct signals. The method of compliance is up to the launch 
operator. Redundant antennas may be used to meet this requirement.
    Lockheed suggested that section 417.303(l)(2)(iii) should require 
each antenna beam width to extend out to the boundaries of ``the 
destruct limit lines'' instead of ``normal flight'' as the FAA 
proposed. The FAA did not accept the suggestion because the boundaries 
of normal flight could extend beyond the destruct lines. Normal flight 
is not necessarily along the nominal path.
    Section 417.305(a)(1) requires a command control system, including 
its subsystems and components, to undergo performance testing when new 
or modified. Lockheed commented that it is unclear how ``modified'' is 
defined, and suggested the FAA specify the level of change that 
triggers the need for acceptance testing. A command control system 
component will undergo performance testing at acceptance level 
environments after completion of the manufacturing processes. The 
extent of the modification for a particular system will determine the 
amount of additional retesting that will be required. Extensive 
modifications to the component may require full or limited performance 
testing at qualification environments using the qualification test 
article. In such a case, after successful performance testing of the 
qualification unit, the flight units subjected to acceptance testing 
under pre-modification test requirements and environments may require 
full or limited acceptance testing. In some cases, there may be no 
additional performance testing at either qualification or acceptance 
environments. There are modifications that are so minor as to avoid the 
need for new performance testing. The qualification test for the 
original systems sets the bar for retesting changes. If the change 
falls within the qualification envelope of the original system, the 
operator need not retest the system. A qualification of the modified 
system by similarity to the original system is also acceptable.
    The FAA cannot specify a single level of modification that triggers 
retesting because the level may differ from system to system. The FAA 
will determine post modification testing requirements jointly with the 
Air Force and the launch operator.
    For section 417.305(d), Lockheed suggested that a launch operator 
not be required to obtain a range's verification that a command control 
system satisfies all test requirements. The FAA agrees that for 
launches from a Federal range where the range provides and tests the 
command and control system, the FAA will assess this process in the 
LSSA and the launch operator will not have to obtain the verification.

Support Systems

    Section 417.307 contains design, test, and functional requirements 
that apply to those systems that are required to be part of a flight 
safety system to support the functions of a flight safety crew, 
including making a flight termination decision.
    Section 417.307(b)(1) requires a launch vehicle tracking system 
that provides launch vehicle position and status data to the flight 
safety crew from the first data loss flight time until the planned safe 
flight state for launch. Lockheed questioned the meaning of ``first 
data loss flight time,'' and asked whether it was the same as ``time to 
endanger.'' ``First data loss flight time'' is simply the first flight 
time associated with a loss in data. This equates with the time at 
which the Federal launch range's ``green numbers'' or ``critical time'' 
would begin counting down. ``First data loss flight time'' has the same 
meaning as ``time to endanger.''
    Proposed section 417.307(b)(2) would have required that a tracking 
system consist of two sources of launch vehicle position data. Lockheed 
recommended allowing more than two tracking sources. The FAA agrees 
that more than two tracking sources may be used. This rule only states 
what is required, and an operator may use more than two tracking 
sources if it desires. The requirement does not limit the number of 
tracking sources to two.
    Section 417.307(b)(6) requires that each tracking source undergo 
validation of its accuracy for each launch. Paragraph (b)(6) also 
requires that, for each stage of flight in which a launch vehicle 
guidance system is used as a tracking source, a tracking source that is 
independent of any system used to aid the guidance system validate 
the guidance system data before the data is used in the flight 
termination decision process. Lockheed recommended against requiring 
that a tracking source be validated for each stage of flight. The FAA 
does not accept the recommendation because validation of guidance 
system data during one stage of flight does not necessarily validate it 
for any subsequent stages of flight. A shock event, such as staging, 
can affect the accuracy of guidance system data.
    Proposed section 417.307(e)(5) would have required that a flight 
safety data processing, display, and recording system both display and 
record raw input and processed data at a rate that maintains the 
validity of the data and at no less than 0.1-second intervals. Lockheed 
recommended against requiring intervals of 0.1-second. The FAA did not 
change this standard

[[Page 50519]]

because it is current practice. However, the FAA expects that some 
systems may be granted an equivalent level of safety determination that 
allows a sample rate of more than 0.1-second.
    Section 417.307(h)(1) requires a destruct initiator simulator to 
have electrical and operational characteristics matching those of the 
actual destruct initiator. Lockheed recommended replacing 
characteristics with a performance margin. Lockheed says that it is not 
practical to fire live ordnance and, under current practice, the 
simulators exceed the requirement. The FAA disagrees and adopts section 
417.307(h)(1) as proposed because live fire is not required. Simulation 
is allowed. In addition, a simulator that exceeds the actual destruct 
initiator or that demonstrates a performance margin, as Lockheed 
suggested, meets this requirement.

Flight Safety System Analysis

    Section 417.309 contains requirements for the system analyses that 
would apply to the design of a flight termination system and a command 
control system, including their components. Proposed section 
417.309(a)(2) would have required that a flight safety system analysis 
follow a standard industry system safety and reliability analysis 
methodology. Sea Launch requested that, because a U.S. standard may not 
apply globally, the FAA require an analysis to follow an approved FAA 
system safety and reliability analysis or an equivalent methodology. 
The FAA agrees and will assess a methodology against the performance 
requirements of this section.
    Section 417.309(c)(1) requires a command control system to undergo 
an analysis that demonstrates that the system satisfies fault tolerance 
requirements by following a standard industry methodology such as a 
fault tree analysis or a failure modes effects and criticality 
analysis. Lockheed suggested adding fishbone analysis to the list of 
examples. The FAA agrees that fishbone analysis can be used to satisfy 
this requirement, but the example list is not intended to be all 
inclusive.
    Section 417.309(f)(1) requires each flight termination system and 
command control system to undergo a radio frequency link analysis to 
demonstrate that each system satisfies the required margins. Lockheed 
recommends clarifying that the margin is for the flight safety system, 
not individual segments of the system. The FAA agrees and adopts the 
recommendation.
    Section 417.309(j)(3) requires that a flight termination system 
undergo an analysis that demonstrates that each subsystem and 
component, including their location on the launch vehicle, provide for 
the flight termination system to complete all its required functions 
when exposed to launch vehicle staging, ignition, or any other normal 
or abnormal event that, when it occurs, could damage flight termination 
system hardware or inhibit the functionality of any subsystem or 
component, including any inadvertent separation destruct system. 
Lockheed suggested tying breakup survival requirements to the shock 
requirements of section D417.7(g). The FAA does not adopt the suggested 
change because the breakup environment should include more than just 
shock.
    Proposed section 417.311(b)(1) would have required that all safety 
crew members have knowledge of systems and operations. Lockheed 
commented that not all safety crew members have knowledge of all 
systems and operations. The safety crew as a whole has the required 
knowledge but individual safety crew members may not be familiar with 
all systems and operations. The FAA agrees and has clarified that the 
safety crew as a whole must have knowledge of systems and operations.

Ground Safety

    Section 417.405(b) contains the qualification requirements for 
personnel who prepare a ground safety analysis. Lockheed commented that 
the proposed experience and training requirements were too stringent. 
The FAA agrees and the requirements for education, training, and 
experience are instead adopted as a performance requirement. The FAA 
believes the individual who performs the ground safety analysis must 
possess background and experience qualifications in the engineering 
disciplines associated with launch vehicle ground operations, ground 
processing hazards, and the precautions required to prevent mishaps.
    Lockheed suggested basing safety clear zones on the ``credible 
effects'' for a possible explosive event for section 417.411(a)(1)(i) 
and for a possible toxic event for section 417.411(a)(1)(ii), instead 
of basing each safety clear zone on a worst case scenario. The FAA does 
not adopt this suggestion because public safety and current range 
practice require use of the worst case standard. In addition, it is 
unclear what ``credible effects'' include.
    Section 417.415(b)(3) requires a launch operator to establish 
procedures for controlling hazards associated with a failed flight 
attempt where a start command was sent to a solid- or liquid-fueled 
launch vehicle, but the launch vehicle did not lift off. These 
procedures must include prohibiting individuals' entry into the launch 
complex until the launch pad area safing procedures are complete. 
Lockheed comments that the range permits pad entry on a case-by-case 
basis. The FAA clarifies that this requirement is intended to prevent 
entry by the public into the launch complex during a failed attempt. 
The FAA further clarifies that this requirement does not apply to 
launch operator personnel.

Flight Safety Analyses Methodologies and Products for a Launch Vehicle 
Flown With a Flight Safety System

Trajectory

    For section A417.7, Boeing suggested the FAA allow a launch 
operator to define the longitude as positive degrees East or positive 
degrees West without requiring a specific reference. In response, the 
FAA will not adopt the proposed specification on the geodetic longitude 
reference. Section A417.7 corresponds to current requirements at the 
Federal launch ranges as documented in AFSPCMAN 91-710, Tables A1.1 
through A1.4.

Debris

    Section A417.11(b) requires that a debris analysis produce a debris 
model that accounts for all launch vehicle debris fragments, 
individually or in groupings. Section A417.11(b)(3) requires a 
description of the immediate post-breakup or jettison environment of 
the launch vehicle debris, and any change in debris characteristics 
over time from launch vehicle breakup or jettison until debris impact. 
Boeing stated the FAA should encourage one set of simplified ``worst-
case'' estimates of debris characteristics applicable over time. 
Simplified estimates should be acceptable as long as they were 
conservative, according to Boeing. Boeing made similar comments 
regarding sections A417.11(c)(7), A417.11(c)(8), A417.11(d)(5) and 
A417.11(d)(17). Section 417.211 contains the performance requirement 
for a debris analysis. Section 417.211 responded to earlier industry 
comments for a more performance-based requirement. Appendix A provides 
one suggested method of meeting the performance requirement. A launch 
operator's analysis may always be more conservative as long as the 
final analysis meets the public risk criteria of section 417.107(b).

[[Page 50520]]

Flight Termination System Components

    Section D417.5(a) requires that a flight termination system have a 
predicted reliability of 0.999 at a confidence level of 95 percent. A 
launch operator would demonstrate the system's predicted reliability by 
satisfying the requirements for system reliability analysis of section 
417.309(b). Lockheed states that flight termination system reliability 
of 0.999 at a confidence level of 95% has been implemented at the 
Federal ranges as a goal and that this reliability is of limited value. 
The analysis required by section 417.309(b), however, reflects current 
practice. This provision does not require demonstration by testing; 
therefore, a launch operator can meet the proposed standard through 
analyses.
    Section D417.5(c) requires that a flight termination system use 
redundant components that are structurally, electrically, and 
mechanically separated. Paragraph (c) also requires that each redundant 
component's mounting on a launch vehicle, including location or 
orientation, ensure that any failure that will damage, destroy or 
otherwise inhibit the operation of one redundant component will not 
inhibit the operation of the other redundant component and will not 
inhibit functioning of the flight termination system. Lockheed 
commented that this requirement will have to be tailored frequently if 
left unchanged. Boeing commented that the redundancy requirement as 
written would require significant vehicle redesign. The FAA will not 
change this requirement because separation of redundant components 
maximizes the reliability of a flight termination system. This is a 
flexible performance requirement which a launch operator may satisfy 
through different methods. The FAA may grandfather certain vehicles and 
a launch operator may also apply for relief.
    Proposed section D417.7(b) would have required a launch operator to 
determine all maximum predicted non-operating and operating 
environments that a flight termination system, including each 
component, will experience. Lockheed suggested clarifying that 
environments experienced after the planned safe flight state has been 
achieved should not be included in the maximum predicted environment 
determination. The FAA agrees because when a launch vehicle reaches its 
safe state, which typically is when a vehicle reaches orbit, it can no 
longer endanger the public. The FAA adopts the clarification.
    Section D417.7(b)(1) requires that for a launch vehicle 
configuration for which there have been fewer than three flights, the 
test margin for the maximum predicted environments must be no less than 
plus 3 dB for vibration, plus 4.5 dB for shock, and plus or minus 11 
°C for thermal range. Lockheed suggested the FAA work closely with 
industry to establish criteria for what level of change constitutes a 
new vehicle configuration. The FAA agrees and intends to work closely 
with industry and the Federal launch range on this issue.
    Section D417.7(c) contains component thermal cycle requirements. 
Lockheed suggested deleting the language that states how a thermal 
cycle is to be performed and moving the language to appendix E. 
Although the tests in appendix D appear to be out of place, they 
provide the standard to which a component must be designed. 
Accordingly, appendix D is the proper place for them.
    Section D417.7(c) requires a component satisfy all its performance 
specifications when exposed to preflight and flight thermal cycle 
environments. Paragraph (c)(1) of section D417.7 requires that, for 
each component, the acceptance-number of thermal cycles be no less than 
eight thermal cycles or 1.5 times the maximum number of thermal cycles 
that the component could experience during launch processing and 
flight, including all launch delays and recycling, rounded up to the 
nearest whole number, whichever is greater. Lockheed recommends 
clarifying that the requirement only applies to components that are 
exposed to significant temperature variations during preflight 
processing. The FAA disagrees with Lockheed's conclusion because 
temperature variation may occur during launch processing and flight and 
must be accounted for. Regardless of whether temperature variations 
occur during launch processing or flight, they may still affect the 
performance of a component.
    Section D417.7(c)(3) contains thermal cycle requirements that apply 
to any electronic component that contains active electronic piece-parts 
such as microcircuits, transistors, and diodes. Section D417.7(c)(3)(i) 
requires that an electronic component satisfy all its performance 
specifications when subjected to the sum of ten thermal cycles and the 
number of thermal cycles required for acceptance testing from one 
extreme of the maximum predicted thermal range to the other extreme. 
Lockheed suggested limiting the number of thermal cycles to 18. The FAA 
does not accept this proposal because ten cycles and the number of 
thermal cycles required for acceptance testing would typically result 
in 18 for electronic components. Test data on existing systems often 
shows failures after eight thermal cycles. The additional 10 
acceptance-thermal cycles for a complete electronic component allow 
for burn-in of electronic piece-parts that make up the electronic 
component, minimize the amount of testing required for the individual 
piece-parts, and are consistent with the approach used at the Federal 
ranges.
    Lockheed also questioned whether section D417.7(c)(4)(iii) is a 
catch-all for other batteries. The FAA confirms that this section is a 
catch-all for ``any other power source,'' including lithium ion 
batteries.
    Section D417.7(e) identifies the sinusoidal vibration environments 
that would apply to the design of a flight termination system 
component. Lockheed suggested changing the frequency range from +/-50% 
to covering the half-power points of the predicted sinusoidal vibration 
levels. Lockheed stated that the requirement as written could result in 
over testing. The FAA does not adopt the suggested change because the 
+/-50% frequency range provides a margin that ensures proper operation 
of the component under the predicted sinusoidal vibration environment.
    Section D417.7(f) contains the requirements for transportation 
vibration levels. Lockheed suggested using the transportation vibration 
requirement of appendix E, instead of the levels of section D417.7(f). 
The FAA does not adopt this suggestion because appendix D contains 
design requirements and appendix E contains testing requirements. 
Appendix E permits either test or analysis which should remove concerns 
about burdensome testing. Appendix D is adopted as proposed, because it 
contains the design requirements that are based on all predicted 
environments. The transportation vibration testing requirements of 
appendix E are not based on predicted environments.
    Proposed section D417.7(g)(1)(ii) would have required a flight 
termination system component to satisfy all its performance 
specifications when exposed to the workmanship screening forces and 
frequencies required by Table E417.11-2. Lockheed commented that this 
table is for minimum breakup shock, not for workmanship. Lockheed is 
correct and the FAA identifies the table as such here.
    Lockheed suggested that the flight termination system installation 
procedures of section D417.15(b)(1) should only list training or 
certifications

[[Page 50521]]

required to safely perform hazardous tasks, instead of a list of 
personnel required to perform each task as proposed by section 
D417.15(b)(3). The FAA adopts the requirement as proposed, because a 
list of personnel is used to ensure each task is assigned a person, 
even if the same person is responsible for a number of different tasks.
    Section D417.17(b)(2) requires telemetry data to show whether the 
power to an electronic FTS component is off or on. Lockheed suggested 
allowing for status of the source of power in addition to whether the 
power is on or off. The FAA does not adopt this suggestion because it 
would exceed current requirements. A launch operator may include this 
information in its data.
    Section D417.19(c) requires a flight termination system to satisfy 
all its performance specifications and not sustain any damage when 
subjected to a maximum input voltage of no less than the maximum open 
circuit voltage of the component's power source. The component must 
satisfy all its performance specifications and not sustain any damage 
when subjected to a minimum input voltage of no greater than the 
minimum loaded voltage of the component's power source. Lockheed 
recommended requiring that a flight termination system not sustain any 
damage when subjected to a maximum power input voltage of no less than 
the maximum open circuit voltage of the component's power source as 
measured at the input to the component for no less than twice the 
expected duration. The component must satisfy all its performance 
specifications when subjected to a minimum power input voltage of no 
greater than the minimum loaded voltage of the component's power source 
or the maximum loaded voltage of the component's power source as 
measured at the input to the component for an indefinite time. The FAA 
agrees that performance specifications should be met for a loaded 
output of the power source and should account for voltage drops in the 
harness. Current practice, however, is to apply the open circuit 
voltage. This applies a safety margin that the Federal ranges have 
relied upon over time.
    Section D417.19(h) requires each circuit, element, component, and 
subsystem of a flight termination system to satisfy all its performance 
specifications when subjected to repetitive functioning for five times 
the expected number of cycles required for all acceptance testing, 
checkout, and operations, including re-tests caused by schedule or 
other delays. Lockheed suggested requiring that only components that 
are subject to performance degradation due to repetitive cycling 
satisfy this requirement. The FAA does not adopt the suggestion because 
all components could be subject to degradation due to repetitive 
cycling.
    Section D417.19(j) requires a flight termination system component 
that uses a microprocessor to perform self-tests during flight. 
Lockheed suggested that during flight the self-test would be performed 
continuously in the background. Although the FAA agrees that a 
component that uses a microprocessor typically performs continuous 
background tests, this provision does not preclude continuous 
background tests.
    Section D417.21 defines the requirements for flight termination 
system monitor checkout circuits. Lockheed requested that the FAA 
clarify the meaning of the term ``checkout circuit'' and add 
clarifying language. ``Checkout circuits'' means the circuitry that 
provides the telemetry, in either analog or digital format, for the 
internal health status of a component. We did not add the suggested 
language because the term ``checkout circuit'' means the same as 
monitor circuits.
    Section D417.21(c) requires that a monitor, checkout, or control 
circuit not route through a safe-and-arm plug. Lockheed commented that 
this requirement appears to be addressed in the section D417.21(b), 
which requires that a monitor, control, or checkout circuit may not 
share a connector with a firing circuit. The FAA disagrees because 
there may be designs that could employ the safe and arm plugs in a way 
that they are not part of a firing circuit but would either enable or 
disable the function.
    Section D417.23 applies to a flight termination system ordnance 
train. Section D417.23(d) requires that an ordnance train include 
initiation devices that can be connected or removed from a destruct 
charge. Paragraph (d) also requires that the design of an ordnance 
train provide for easy access to each initiation device. Boeing 
commented that it is unclear what is required, because Boeing has 
remote safing of the systems, and would not need to disconnect the 
transfer lines in the destruct charges. Boeing claims it could not 
accomplish this on the pad, or after the tunnel covers are installed in 
the horizontal integration facility or high pressure test facility. 
Boeing's comment is focused on a specific case and the FAA reiterates 
that tailoring may be available for specific cases. This requirement 
facilitates end-to-end testing where a simulator replaces an initiator. 
A safe-and-arm device provides only one inhibit to inadvertent 
initiation of flight termination system ordnance. One inhibit is not 
generally sufficient for most launch processing, depending on public 
access to the vehicle and the potential secondary effects on public 
safety, such as fire or toxic release, due to inadvertent initiation of 
flight termination system ordnance.
    Proposed section D417.25(d)(4) would have required that all input 
ports be isolated from all output ports. Lockheed commented that if the 
inputs are isolated from the outputs, then the radio frequency (RF) 
cannot get through the coupler. Lockheed also commented that if the 
intent is to require directional isolation for each port using RF 
circulators to prevent back feeding in the unintended direction, Atlas 
does not do this. The FAA agrees that the requirement does not address 
all types of RF couplers and may not apply to some couplers currently 
in use. For this reason, section D417.25(d)(4) is not adopted. Section 
D417.25(d)(1)-(3) still requires isolation.
    Lockheed suggested adding prescriptive self test requirements for 
electronic components in a flight termination system in D417.27(e) by 
distinguishing between continuous and commanded self tests. The FAA 
does not adopt the suggestion; however, the performance standard will 
allow different approaches, including those proposed by Lockheed, to 
meet this requirement.
    Lockheed suggested deleting paragraphs D417.27(f), D417.27(i)(1), 
(i)(2), and (i)(3) because they duplicate D417.19(h), D417.19(c), 
D417.19(e), and D417.19(i) respectively. The FAA adopts these sections 
because the requirements of section D417.19 apply more generally to a 
flight termination system, whereas the requirements of section D417.27 
focus on individual components, instead of a whole system.
    Lockheed suggested altering the section D417.27(j) design 
requirements for an electronic component used in a flight termination 
system so that each electronic component would have to be compatible 
with the electromagnetic environment it will be exposed to during 
preflight or flight. Lockheed also recommended against prohibiting an 
electronic component from producing inadvertent command outputs. The 
FAA does not adopt these suggestions because compatibility alone does 
not ensure that an electronic component will reject rogue or extraneous 
signals and not produce inadvertent command outputs so as to avoid 
inadvertent destruct actions.

[[Page 50522]]

    Lockheed suggested limiting the performance requirements for a 
monitoring circuit used to receive radio frequencies for flight 
termination system commands to the manufacturer's specifications of 
section D417.29(b)(5)(ii). The FAA does not adopt this change because 
the current text adopts a performance standard which allows flexibility 
and does not require use of only the manufacturer's specifications.
    For section D417.29(c), Lockheed suggested deleting several 
performance requirements for a command receiver decoder used to receive 
and then send commands for a flight termination system. This section 
requires a command receiver decoder to distinguish between valid and 
errant signals. Lockheed suggested these requirements do not reflect 
current practice. The FAA does not adopt the suggested deletions 
because it is extremely important that command receiver decoders can 
distinguish valid commands from similar but errant signals. A launch 
operator can apply for relief for alternative systems. The FAA also 
confirmed that these requirements reflect current practice.
    Section D417.31(f) requires that the insulation resistance between 
wire shields and conductors and between each connector pin withstand a 
minimum workmanship voltage of at least 1500 volts, direct current, or 
150 percent of the rated output voltage, whichever is greater. Lockheed 
recommends that direct current at 500 volts is sufficient to perform an 
adequate workmanship screening of wire harnesses. Lockheed's suggestion 
is already required by the workmanship screening tests of appendix E of 
this part.

Flight Termination System Component Testing and Analysis

    Lockheed and Boeing requested that the FAA not require testing of a 
component in Appendix E to the statistical reliability of 0.999 at a 
95% confidence level. This requirement appears in sections governing 
exploding bridgewires, percussion actuated devices and ordnance 
interrupters and interfaces. These sections allow the use of a 
statistical firing series, which includes Bruceton, Langlie and Neyer 
tests, to comply with the above standard. Because there are different 
acceptable firing series, the FAA used ``firing series'' to permit 
greater flexibility, instead of naming individual tests. Bruceton tests 
do not require almost 3000 tests to demonstrate a reliability of 0.999 
at a 95% confidence level. Instead, they capture the distribution of 
responses by incrementally varying energy levels. The FAA adopts the 
requirements as proposed.
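
An added illustration, not part of the rule text: the Python sketch below shows where the figure of almost 3000 go/no-go tests comes from, and how a Bruceton (up-and-down) series instead estimates the response distribution using the Dixon-Mood formulas. The stimulus levels, step size and trial results are constructed, a normal distribution of firing thresholds is assumed, and only a point estimate of the 0.999 all-fire level is computed (the 95% confidence bound additionally needs the standard errors of the mean and sigma).

```python
import math
from collections import Counter
from statistics import NormalDist

def zero_failure_trials(reliability, confidence):
    """Smallest n such that n successes in n go/no-go trials demonstrate
    `reliability` at `confidence`, i.e. reliability**n <= 1 - confidence."""
    return math.ceil(math.log(1.0 - confidence) / math.log(reliability))

# Constructed Bruceton series: (level index, fired?). The stimulus for index j
# is BASE + j * STEP in arbitrary units. After a fire the next trial steps
# down one level; after a no-fire it steps up one level.
BASE, STEP = 3.0, 0.2
TRIALS = [(2, True), (1, False), (2, False), (3, True), (2, True), (1, False),
          (2, True), (1, True), (0, False), (1, False), (2, False), (3, True),
          (2, False), (3, False), (4, True), (3, True), (2, True), (1, False),
          (2, False), (3, True), (2, False)]

def dixon_mood(trials, base, step):
    """Return (mean, sigma) of the threshold distribution from an
    up-and-down series, using the Dixon-Mood estimators."""
    # Reject data that did not follow the staircase rule.
    for (level, fired), (nxt, _) in zip(trials, trials[1:]):
        if nxt != level + (-1 if fired else 1):
            raise ValueError("sequence violates the up-and-down rule")
    fires = [lvl for lvl, fired in trials if fired]
    misses = [lvl for lvl, fired in trials if not fired]
    if not fires or not misses:
        raise ValueError("need both fires and no-fires")
    # The analysis uses whichever outcome occurred less often.
    use_fires = len(fires) <= len(misses)
    events = fires if use_fires else misses
    lowest = min(events)
    counts = Counter(lvl - lowest for lvl in events)
    n = sum(counts.values())
    a = sum(i * c for i, c in counts.items())
    b = sum(i * i * c for i, c in counts.items())
    m = (n * b - a * a) / (n * n)
    if m <= 0.3:
        raise ValueError("step too coarse for the sigma approximation")
    # Minus one half step when fires are analysed, plus when no-fires are.
    half = -0.5 if use_fires else 0.5
    mean = base + step * (lowest + a / n + half)
    sigma = 1.620 * step * (m + 0.029)
    return mean, sigma

def all_fire_level(mean, sigma, reliability):
    """Point estimate of the stimulus at which the given fraction of units
    fires, under the normal-threshold assumption."""
    return mean + NormalDist().inv_cdf(reliability) * sigma

if __name__ == "__main__":
    print("zero-failure trials for 0.999 at 95%:",
          zero_failure_trials(0.999, 0.95))
    mean, sigma = dixon_mood(TRIALS, BASE, STEP)
    print(f"Bruceton series of {len(TRIALS)} trials: "
          f"mean={mean:.3f}, sigma={sigma:.3f}")
    print(f"0.999 all-fire point estimate: "
          f"{all_fire_level(mean, sigma, 0.999):.3f}")
```
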
    Section E417.1(b) requires a launch operator to identify and 
implement any additional test or analysis for any new technology or any 
unique application of an existing technology. Lockheed suggested 
clarifying that the need for a new requirement may be identified by 
either the launch operator or the range. No change is required because 
under section 417.127, the FAA is able to identify and impose a unique 
safety policy, requirement, or practice as needed to protect the 
public.
    Section E417.1(d)(4) identifies any change in the performance of a 
component sample occurring at any time during testing as a test failure 
even if the component satisfies other test criteria. Lockheed proposed 
that such changes should be evaluated and not considered an automatic 
failure. The FAA adopts this requirement because changes in component 
performance frequently result in discovery of a flaw that could lead to 
failure during flight.
    Section E417.1(h) contains requirements for rework, repair and 
retesting of components that failed acceptance testing. Lockheed 
proposes to replace the amount of time a component is retested with an 
analysis of fatigue damage to the component. The FAA now requires that 
the total number of acceptance tests experienced by a repaired 
component must not exceed the environments for which the component is 
qualified. Lockheed's proposed fatigue equivalence satisfies the 
requirement.
    Section E417.5(f) contains requirements that apply to X-ray or N-
ray examination of components. Lockheed suggested that X-ray and N-ray 
examinations are not required for all production hardware and would 
limit what photo angles must be used. The FAA agrees that these exams 
are not required for all production hardware, but only for those 
required by the test tables. Photo angles are used not only as a 
recurring inspection technique; they may be required in other 
situations. Therefore, Lockheed's suggestion concerning photo angles is 
too limiting.
    Section E417.7(c) requires that a component undergo each 
qualification test in a flight representative configuration, with all 
flight representative hardware such as connectors, cables, and any 
cable clamps, and with all attachment hardware, such as dynamic 
isolators, brackets and bolts, as part of that flight representative 
configuration. Lockheed suggested that this requirement was redundant 
with the requirements of section E417.11(c). The FAA does not delete 
this requirement because it is not redundant. Section E417.7(c) 
includes operating and non-operating qualification testing and 
analysis, whereas section E417.11(c) only applies to an operating 
environment.
    Lockheed suggested replacing an age limit for requalifying a 
component proposed in section E417.7(f)(3)(i) \14\ with a general 
exception. The proposed requirement would have prohibited qualifying or 
re-qualifying a component that was produced more than three years 
earlier. Under current practice, if a component is qualified and there 
are no design or material changes, the production time limit does not 
apply. The FAA does not, however, adopt Lockheed's suggested exception 
because doing so would make the exception automatic, and, as is the 
case now under current practice, a launch operator must first 
demonstrate an equivalent level of safety to qualify for an exception 
to this requirement.
---------------------------------------------------------------------------

    \14\ Lockheed inadvertently cited this as a comment to 
E417.7(i)(6).
---------------------------------------------------------------------------

    Lockheed and Boeing recommended against the storage temperature 
analysis requirements in non-operating environments of subparagraphs 
E417.9(b)(1) & (b)(2), (b)(2)(i), (b)(2)(ii) because they believe the 
requirement does not represent current practice. The FAA disagrees 
because this section only requires a launch operator to show that the 
storage temperatures for a component are less than the temperatures 
associated with a thermal cycle or flight. This requirement may be 
satisfied by showing the storage temperatures are within the range of 
flight temperatures. No testing is required, and this is current 
practice.
    Section E417.9(d) requires that an analysis must demonstrate that 
the qualification operating shock environment is more severe than the 
transportation shock environment. Lockheed suggested requiring that an 
analysis also demonstrate that acceleration environment is more severe. 
The FAA does not adopt this suggestion because shock includes 
acceleration.
    Section E417.9(f) requires that any transportation vibration test 
subject a component to vibration in three mutually perpendicular axes 
for 60 minutes per axis. Lockheed suggested requiring vibration for 60 
minutes per 1000 miles traveled per axis. The FAA does not adopt the 
suggestion because it could result in longer tests than currently 
required.

[[Page 50523]]

    Lockheed suggested permitting equivalent acceleration under section 
E417.9(f)(2) as an alternative test method to the transportation 
vibration tests, which test the effect of vibrations during the 
transportation of components. The FAA does not adopt the suggestion 
because there are different ways to meet this requirement. The FAA does 
not want to limit the method of compliance for this requirement. 
Equivalent acceleration is only one possible way to satisfy the 
requirement; fatigue equivalence analysis is another method of 
compliance.
    Section E417.9(i) requires a fine sand test or analysis for a 
component that will be exposed to sand. Lockheed suggested limiting the 
fine sand test to components with moving mechanical parts or exposed 
electrical contacts. The FAA does not adopt Lockheed's suggestion 
because a launch operator may meet this requirement by analysis.
    Section E417.9(k) requires a component to survive the maximum 
predicted drop and resulting impact that could occur and go undetected 
during storage, transportation, or installation. Lockheed requested 
clarification. The FAA clarifies that the maximum predicted drop that 
could go undetected is a drop that does not cause visible damage.
    Section E417.11 contains requirements that apply to each 
qualification operating environment test or analysis identified by any 
table of appendix E. Paragraph (b)(2) of section E417.11 requires that 
qualification sinusoidal vibration environment be no less than 6 dB 
greater than the maximum predicted sinusoidal vibration environment for 
no less than three times the maximum predicted duration. Lockheed 
suggested that the qualification sinusoidal vibration environment must 
account for test tolerances by allowing a nominal test level. The FAA 
does not adopt the suggested change because the 6 dB requirement 
applies to the theoretical level of the maximum predicted environment 
regardless of test tolerances.
    Section E417.11(c)(4)(i)(A) requires that any qualification random 
vibration test, where a component is hard-mounted, must account for the 
isolator attenuation and amplification due to the maximum predicted 
operating random vibration environment, including any thermal effects 
and acceleration pre-load performance variability, and must add a 1.5 
dB margin to account for any isolator attenuation variability.
    Lockheed recommended against accounting for thermal effects, 
acceleration pre-load performance variability, and the 1.5 dB margin 
because this is not current practice. The FAA disagrees because this is 
current practice and these requirements account for isolator 
variability.
    Lockheed suggested removing a test requirement, found in many 
sections, to monitor performance during the test at a sample rate of 
once every millisecond. Lockheed suggested replacing the above 
requirement with a performance standard of a sample rate that will 
detect any component performance degradation. The FAA agrees that a 
performance standard will maintain the current level of safety and 
adopts the proposed change.\15\
---------------------------------------------------------------------------

    \15\ The performance standard is adopted in E417.11(c)(8), 
E417.11(d)(5), E417.11(e)(7), E417.11(f)(6), E417.13(b)(6), 
E417.13(c)(2)(i), E417.17(e), E417.21(k)(2), E417.21(p)(4), Table 
E417.21-2, Note 3, E417.22(a)(2)(iv), Table 417.22-2 Note 5, 
E417.25(g)(2), (g)(3), E417.27(e)(2), E417.27(f), and Table 417.37-
1, Note 5.
---------------------------------------------------------------------------

    Lockheed suggested revising the qualification acoustic vibration 
test to clarify that lot acceptance components under E417.11(d)(3) do 
not have to meet the minimum workmanship screening test level of 144 
dBA for each frequency band from 20 to 2000 Hz. This rule does not 
require the 144 dBA level for each frequency band from 20 to 2000 Hz. 
The 144 dBA level applies to all frequencies in the 20 to 2000 Hz 
range.
    Section E417.11(g)(3)(ii) requires a humidity test to measure each 
electrical performance parameter at the cold and hot temperatures 
during the first, middle and last thermal cycles. Lockheed suggested 
clarifying what is meant by the middle cycle. The middle cycle is the 
cycle with an approximately equal number of cycles between the first 
cycle and the middle cycle as between the middle cycle and the last 
cycle.
    Lockheed suggested several changes to the qualification thermal 
vacuum test for a component covered by E417.11(i)(1) and (2). Lockheed 
suggested changing the environmental conditions required to conduct 
this test by including an exception to the pressure gradient provision. 
The FAA does not adopt this suggestion because the pressure gradient 
requirement may be met several ways, not just in the manner Lockheed 
suggested.
    Lockheed also suggested eliminating a final vacuum dwell time 
because it is too long. The FAA does not adopt this suggestion because 
the required dwell time provides a margin necessary to ensure a 
component will not degrade during the thermal vacuum phase of flight.
    Lockheed suggested that the FAA clarify that there is only one 
dwell time. The FAA does not adopt this suggestion because there may be 
more than one dwell time; therefore it is appropriate to identify a 
``final dwell time.''
    Lockheed also sought to limit the final vacuum dwell time for an 
acceptance thermal vacuum test in E417.13(e)(1)(ii) to be consistent 
with the recommended changes with E417.11(i)(2). The FAA does not adopt 
this suggestion because the final vacuum dwell time provides a margin 
and ensures that a component will not degrade during the thermal vacuum 
phase of flight.
    Section E417.13(a) requires an acceptance test of a component to 
subject the component to one or more of the component's maximum 
predicted environments as determined under section D417.7. Lockheed 
suggested referring to the matrix of section 415.129(b) instead of 
D417.7 because the requirement could otherwise be interpreted to mean 
that only one of the environments must be tested. The FAA does not 
refer to section 415.129(b) because section D417.7 determines the 
maximum predicted environments to which a component must be tested. 
Section 415.129(b) does not determine maximum predicted environment 
levels. It only requires a compliance matrix.
    Section E417.13(d)(1) requires the acceptance thermal cycles test 
to subject each component to no less than the greater of eight thermal 
cycles or 1.5 times the maximum number of thermal cycles that the 
component could experience during launch processing and flight, 
including all launch delays and recycling, rounded up to the nearest 
whole number. Lockheed described this as a new requirement that should 
only apply to components that experience extreme temperature 
variations. This requirement is current practice and applies to 
components that experience temperature variations that can affect their 
performance, regardless of whether a temperature meets an unidentified 
``extreme.''
    Section E417.13(d)(2)(ii) requires that an acceptance thermal 
cycles test subject each component to no fewer than 10 plus the 
acceptance-number of thermal cycles. Lockheed suggested clarifying that 
the 10 cycles are for burn-in only, which is intended to identify 
faulty components. The FAA agrees that the 10 cycles are usually for 
burn-in, but there are exceptions. The 10 cycles may also be used to 
identify mechanical failures due to thermal stress.
    Section E417.13(e)(1)(iii) requires that during a final vacuum 
dwell-time, the environment must include no less than the maximum 
predicted number of thermal cycles. Lockheed suggested that

[[Page 50524]]

the requirement only account for in-flight thermal cycles and for the 
period of launch through the planned safe flight state. The FAA does 
not adopt the proposed modification because thermal cycles experienced 
on the ground must be accounted for. There could be significant thermal 
variations on the ground. For instance, fueling a launch vehicle with 
liquid hydrogen or oxygen exposes components to very low temperatures.
    Section E417.17(b) requires that a status-of-health test of a radio 
frequency receiving system satisfy section E417.3(f) and include 
antenna voltage standing wave ratio testing that measures the assigned 
operating frequency at the high and low frequencies of the operating 
bandwidth to verify that the antenna satisfies all its performance 
specifications. Lockheed suggested that the FAA require the testing of 
components, instead of testing for a system or an antenna. The FAA does 
not adopt the suggestion because testing of individual components does 
not verify the functioning of a system into which those components are 
integrated.
    Lockheed suggested changes to the link performance test of a radio 
frequency component of section E417.17(c). Lockheed stated that it is 
impossible to conduct this test at every possible trajectory. Testing 
of the receiving system does not, however, require testing every 
trajectory: it requires 95% of the radiation sphere surrounding the 
launch vehicle, which can be achieved while the vehicle is on the 
ground.\16\ Second, Lockheed seeks to clarify which portions of 
paragraph (c) require analysis and which require tests. Paragraph (c) 
governs testing standards, not analysis. These tests may relate to 
required analysis, but this provision only provides test requirements.
---------------------------------------------------------------------------

    \16\ This response also applies to Lockheed's comment on the 
testing of an antenna pattern of section E417.17(f)(1).
---------------------------------------------------------------------------

    Section E417.17(f) requires an antenna pattern test to demonstrate 
that the radiation gain pattern of the entire radio frequency receiving 
system, including the antenna, radio frequency cables, and radio 
frequency coupler will satisfy all the system's performance 
specifications during vehicle flight. Lockheed commented that the 
antenna pattern test does not verify link margin, but provides data 
used to determine the margin. Lockheed suggested referencing the link 
margin analysis requirement. The FAA does not adopt Lockheed's 
suggestion because the antenna pattern test results are used to verify 
the radiation gain pattern used to satisfy the gain levels of the link 
analysis.
    Section E417.17(f)(2) requires all antenna pattern test conditions 
to emulate flight conditions, including ground transmitter 
polarization, using a simulated flight vehicle and a flight configured 
radio frequency command destruct system. Lockheed was concerned that 
this requires the use of an actual receiver. An actual receiver is not 
required, however, because the test can be performed with a simulated 
flight vehicle.
    Section E417.17(f)(3) requires an antenna pattern test to measure 
the radiation gain for 360 degrees around the launch vehicle in degree 
increments that are small enough to identify any deep pattern null and 
to verify that the required 12 dB link margin is maintained throughout 
flight. Each degree increment must not exceed two degrees. Lockheed 
commented that link analysis determines link margin and that current 
practice at Federal ranges is to use 2-degree increments for the 
antenna pattern test. The FAA agrees that the link analysis determines 
the link margin. This test verifies the gain required by the link 
analysis. Using 2-degree increments for antenna patterns meets the 
requirement.
    Lockheed suggested eliminating the fine sand test for a command 
receiver decoder (CRD) qualification test in Table E417.19-2 claiming 
that the test is not useful. The FAA does not accept the suggestion as 
it is possible a CRD may be exposed to fine sand at launch. If a launch 
operator can show that a CRD will not be exposed to fine sand, the 
launch operator may be able to obtain relief from this test.
    Section E417.19(b) requires each measurement of a status-of-health 
test of a command receiver decoder to demonstrate that all wiring and 
connectors are installed according to the manufacturer's design. 
Lockheed commented that the test as proposed would not demonstrate that 
all wiring is installed according to the manufacturer's design. The FAA 
disagrees because a test failure indicates whether wiring is installed 
according to a manufacturer's design and helps identify any problems 
caused by improper wire installation. This section only requires 
verification that specific parameters related to the design are within 
required specifications.
    Section E417.19(c)(3) requires that a command receiver decoder 
functional performance test demonstrate that the maximum leakage 
current through any command output port is at a level that cannot 
degrade performance of down-string electrical or ordnance initiation 
systems or result in an unsafe condition. The test must demonstrate no 
less than a 20 dB safety margin between the receiver leakage output and 
the lowest level that could degrade performance of down-string 
electrical or ordnance initiation systems or result in an unsafe 
condition. Lockheed suggested requiring that the maximum current must 
be shown by analysis to demonstrate no less than a 20 dB margin. The 
FAA adopts this test because the test verifies functional performance, 
which analysis will not accomplish.
    Lockheed suggested relaxing the power dropout portion of the 
circuit protection test of section E417.19(d)(2) for solid state power 
transfer switches. The FAA does not adopt the change because Lockheed 
did not provide a safety justification for allowing solid state power 
transfer switches to comply with a new standard. It is unclear whether 
the standard Lockheed proposed would maintain an equivalent level of 
safety to the current standard.
    Lockheed suggested permitting a launch operator to use analysis to 
meet the memory test for a receiver decoder of section E417.19(d)(6). 
The FAA adopts this suggestion because analysis is adequate to fulfill 
this requirement. At the time command codes are loaded into a receiver, 
the launch operator verifies the codes are loaded correctly in the 
memory. Memory devices used in a receiver decoder typically do not 
degrade. The launch operator must still use analysis to demonstrate the 
construction and characteristics of the memory device.
    Section E417.19(e)(2)(viii) requires that a radio frequency 
processing test demonstrate that any radio frequency losses within a 
receiver decoder interface to the antenna system satisfy the required 
12 dB margin. Lockheed suggested permitting this requirement to be 
satisfied by analysis. The FAA adopts the requirement because this test 
is necessary to confirm the ratio which analysis generates.
    Section E417.19(e)(2)(ix) requires a radio frequency processing 
test to demonstrate that the receiver decoder satisfies all its 
performance specifications within the specified tone filter frequency 
bandwidth using a frequency modulated tone deviation from 2 dB to 20 dB 
above the measured threshold level. Lockheed suggested that the 
requirement was new. The requirement is current practice, and command 
transmitter tone variations must be accounted for.
    Section E417.19(e)(2)(xi) requires that a radio frequency 
processing test demonstrate that a receiver decoder can process 
commands at twice the

[[Page 50525]]

maximum and one-half the minimum timing specification of the ground 
system. Lockheed suggested requiring processing commands at the maximum 
and the minimum timing variance specification of the ground system, 
claiming that the requirement was new and too restrictive. The 
requirement is current practice and is used at the ranges to test the 
timing tolerance of the receiver decoder.
    Section E417.19(f)(3) requires that an inadvertent command output 
test demonstrate that a receiver decoder rejects any out-of-band 
command tone frequency. The test must demonstrate that each tone filter 
will not respond to another tone outside the specified tone filter 
frequency bandwidth, using a frequency modulated tone deviation from 2 
dB to 20 dB above the measured threshold level. Paragraph (f)(4) of 
section E417.19 requires that an inadvertent command output test demonstrate 
that none of the tone decoder channels responds to any adjacent 
frequency modulated tone channel when they are frequency modulated with 
a minimum of 150% of the expected tone deviation. Lockheed commented 
that these are new requirements and that they are the same test. The 
FAA confirms these are current practice and are different tests because 
(f)(3) tests tone signal strength and (f)(4) tests tone channel 
frequency modulation.
    For tests of a command receiver decoder and its individual 
components, Lockheed objected to treating as a failure any test results 
that showed fluctuation or variation. Fluctuation and variation are 
treated as failures in tests such as the input current monitor test, 
output functions test, and radio frequency monitor test in section 
E417.19(g), (h), and (i). Lockheed argued that variation or fluctuation 
alone should not constitute a test failure, especially because this 
variation could be within a component's performance standards. The FAA 
adopts the requirement because variations or fluctuations often 
indicate internal component damage, which is a potential problem that 
warrants further investigation.
    Section E417.21(j)(3) requires that a silver-zinc battery 
activation procedure include verification that the electrolyte 
satisfies the manufacturer's specification for percentage of potassium 
hydroxide. Lockheed sought clarification that a chemical analysis in an 
acceptance data package met this requirement. The FAA confirms that a 
launch operator need not provide an additional chemical analysis if one 
is included in the acceptance data package.
    Lockheed suggested clarifying an exception to the leakage test in 
Note 3 of Table E417.23-1. Lockheed would have permitted analysis 
instead of a leakage test. The FAA does not adopt this suggestion 
because Note 3 requires certain testing to confirm launch operator 
analysis; analysis cannot confirm another set of analyses for these 
purposes.
    Section E417.25(f)(2) requires that the thermal performance test 
for a safe-and-arm device must continuously monitor bridgewire 
continuity with the safe-and-arm device in its arm position to detect 
each and any variation in amplitude. Paragraph (g)(2) requires that the 
dynamic performance test for a safe-and-arm device continuously monitor 
the bridgewire continuity with the safe-and-arm device in its arm 
position to detect each and any variation in amplitude. Any variation 
in amplitude in either (f)(2) or (g)(2) constitutes a test failure. 
Boeing commented that the requirement to continuously monitor the safe-
and-arm electro explosive device during environmental exposure in these 
sections is new. Boeing notes that any variation in amplitude 
constitutes a test failure and the test fails to acknowledge that 
resistance changes with temperature. The FAA agrees that resistance 
changes with temperature. However, the change in resistance due to 
temperature is well understood and is accounted for in the nominal 
value. Only significant variations from the nominal value are 
considered test failures. The FAA would consider a launch operator's 
demonstration that variation in amplitude would not constitute a test 
failure.
    Section E417.25(j) contains firing test requirements for a safe-
and-arm device, electro-explosive device, rotor lead, or booster 
charge. Paragraph (j)(1)(iv) requires that each test measure ordnance 
output using a measuring device, such as a swell cap or dent block, to 
demonstrate that the output satisfies all its performance 
specifications. Lockheed suggested that this requirement should apply 
only to an EED. The FAA does not accept this change because there are 
other types of ordnance devices, such as percussion activated devices, 
that must be tested to make sure their performance requirements are met.
    Lockheed suggested adopting a performance standard for the high 
temperature firing test of an ordnance interrupter, percussion 
activated device, explosive transfer system, ordnance manifold, and a 
destruct charge of sections E417.29(f)(3), E417.31(d)(3), and 
E417.33(b)(3) respectively, instead of the +71 °C standard in the 
rule. The FAA adopts the +71 °C standard because it is a 
temperature at which electronic components' performance starts to 
degrade, making it critical to conduct tests at or above this 
temperature.
    Section E417.35(a) contains requirements for shock isolators that 
are part of a flight termination system. Paragraph (b)(4)(i)(A) 
requires a 1.5 dB margin for any hard-mounted acceptance random 
vibration test for components. Lockheed suggested not requiring the 
margin for shock isolators, arguing it is unnecessary, the requirements 
reduce the use of isolators, and that discouraging the use of isolators 
could adversely affect public safety. The intent of the shock isolator 
requirements is not to discourage their use, but rather to account for 
uncertainties introduced by the use of isolators. The requirements for 
shock isolators are the product of years of experience and capture the 
best current practice. Lockheed also suggested changing the status-of-
health shock or vibration isolator test of section E417.35(c) to 
exclude vibrations representative of the maximum predicted operating 
environment because this was not current practice and isolators are 
expensive. The FAA does not adopt this proposal because the requirement 
is current practice, and a launch operator may satisfy it by testing 
only to the maximum predicted operating environment rather than having 
to test to many different vibration levels, which might otherwise have 
required additional isolators.
    Table E417.37-1 requires each electrical connector or harness that 
is critical to the functioning of a flight termination system during 
flight, but is not otherwise part of a flight termination system 
component, to satisfy each test or analysis identified by table 
E417.37-1. Lockheed commented that this is a new requirement and that 
testing for salt fog and humidity is not done. The requirements for 
electrical connectors and harnesses are current practice. The 
requirements can be met by analysis.
    Lockheed recommended deleting the status of health test for a 
harness or connector of section E417.37(b) because the test is pass/
fail and Lockheed does not see much value in comparing past test data 
with a current pass/fail test. The FAA disagrees about the value of 
comparing test data. Although the test is pass/fail, the test produces 
a value. Comparison shows whether there is a wide variation in results, 
which may indicate further investigation is necessary.

[[Page 50526]]

    Lockheed suggested deleting the wire and harness insulation 
resistance test of section E417.37(b)(4) because Lockheed did not see 
its value and questioned whether this applies to any wire. The FAA 
clarifies that this test applies to any wire and does not make the 
suggested change because this test is current practice and is necessary 
to establish whether a wire will survive its performance 
specifications.
    Lockheed commented that the pre-flight component tests of section 
E417.41(b) capture current practice but suggested that the test apply 
to all of Appendix E. These tests do not apply throughout appendix E, 
but only in specific situations, such as for pre-flight components.
    Lockheed suggested that the command receiver decoder of section 
E417.41(h)(2)(i)(4)(iii) need not be powered only by ground power or 
launch vehicle power. Another power source may be used. The FAA 
disagrees because current technology only allows for a ground or launch 
vehicle power source, and relief is available for future developments 
in power sources.
    Appendix F as proposed would have contained requirements for 
electronic piece-parts used in critical components of a flight 
termination system. SpaceX commented that the current Federal range 
safety process is extremely expensive and time consuming for a small 
launch provider such as SpaceX. Current practices consume approximately 
18 to 24 months. The Air Force and Army are striving to expedite the 
process and move towards a goal of truly operationally responsive space 
systems. SpaceX claimed that codifying current practices would impede 
the competitiveness of the industry. Instead, SpaceX said, the FAA 
should strive to mirror or reduce the normal requirements used at the 
respective launch ranges and work directly with industry to adopt the 
best current practices used at the Federal ranges, whether they come 
from the Air Force, the Army or NASA. A specific example of this is the 
Army's use of RCC 319 instead of EWR127-1, which allows for the use of 
qualified COTS hardware instead of highly specialized, much higher-
priced piece parts currently required by the Air Force. The FAA does 
not adopt appendix F because it is not current practice at all ranges, 
only at the Air Force ranges. Air Force requirements are still 
available to an operator as a way to meet the reliability requirement. 
For a launch from an Air Force range, a launch operator will have to 
comply with Air Force requirements.

Lightning Commit Criteria

    Appendix G requires that a launch operator apply flight commit 
criteria to protect against natural lightning and lightning triggered 
by the flight of a launch vehicle. A launch operator must apply these 
criteria under section 417.113(c) for any launch vehicle that utilizes 
a flight safety system.
    NASA's Kennedy Space Center Weather Office suggested adding certain 
definitions to section G417.3. The FAA adopts NASA's suggested 
definitions for specified volume and volume-averaged, height-integrated 
radar reflectivity (VAHIRR) because the definitions are integral to 
other changes that NASA suggested and that the FAA is adopting.
    Sections G417.9 and G417.11 prohibit launch through and near non-
transparent parts of attached and detached anvil clouds under certain 
conditions for certain time periods. Originally, the FAA proposed 
restrictions matching current practice at the time of the FAA's 
proposal. Current practice has evolved in response to new measurements 
and data obtained as described in comments from NASA. Accordingly, the 
FAA adopts NASA's proposed exceptions to these prohibitions.
    As originally proposed, section G417.9 would have required that a 
launch operator not initiate flight if the flight path would carry a 
launch vehicle through a nontransparent part of any attached anvil 
cloud. The FAA also proposed that for a flight path within five 
nautical miles (nm) of any attached anvil cloud, a launch operator 
would have to wait three hours after the last lightning discharge in or 
from a parent or anvil cloud.
    NASA suggested allowing a launch operator to launch a vehicle 
through an attached anvil cloud within three hours after the last 
lightning discharge in or from the parent cloud or anvil cloud if two 
conditions were met: (1) The temperature along the flight path within 5 
nm of the anvil cloud was colder than zero degrees Celsius, and (2) 
the volume-averaged, height-integrated radar reflectivity (VAHIRR) was 
below 33 dBZ-kft. NASA also suggested reducing the wait time for a 
flight path within 5 nm of any attached anvil cloud from 3 hours to 30 
minutes if the same two conditions were met. The FAA agrees with these 
exceptions because they identify additional safe launch opportunities 
as based on the data described in NASA's comments. The Eastern and 
Western Federal launch ranges already apply these exceptions. The 
following table describes the changes:
[GRAPHIC] [TIFF OMITTED] TR25AU06.001

G417.11 Detached Anvil Clouds

    For detached anvil clouds, the FAA proposed that a launch operator 
not initiate flight if the flight path would carry the launch vehicle 
through a non-transparent part of any detached anvil cloud for the 
first three hours after the anvil cloud was observed to be detached 
from the parent cloud or the first four hours after the last lightning 
discharge from the detached anvil cloud. For a flight path within 5 nm 
of a non-transparent part of a detached anvil cloud, a launch operator 
would have to wait at least 3 hours after a lightning

[[Page 50527]]

discharge or an observed cloud detachment or meet three conditions.\17\
---------------------------------------------------------------------------

    \17\ The conditions are: (1) There is at least one working field 
mill within 5 nm of the detached anvil cloud; (2) the absolute 
values of all electric field measurements made at the Earth's 
surface within 5 nm of the flight path and measurements made at each 
field mill have been less than 1000 volts/meter for 15 minutes or 
longer; and (3) the maximum radar return from any part of the 
detached anvil cloud within 5 nm of the flight path has been less 
than 10 dBZ for 15 minutes or longer. See G417.11(c).
---------------------------------------------------------------------------

    NASA suggested allowing an additional option for launch through or 
within 10 nautical miles of a non-transparent detached anvil cloud. 
Accordingly, under this rule, a launch operator can launch within 30 
minutes from when an anvil cloud detaches from its parent, rather than 
the 3 hours originally proposed, if the temperature and VAHIRR 
conditions discussed in section G417.9 are satisfied. (1) the 
temperature along the flight path within 5 nm of the detached anvil 
cloud must be colder than zero degrees Celsius.
    In accordance with the new current practice described by NASA, a 
launch operator may launch within 5 nm of a detached anvil cloud if the 
launch operator can satisfy the requirements originally proposed and 
adopted here or if it can meet the two new conditions: (1) the 
temperature along the flight path within 5 nautical miles of the 
detached anvil cloud must be colder than zero degrees Celsius, and (2) 
the VAHIRR must be below 33 dBZ-kft. The table below describes the 
changes:
[GRAPHIC] [TIFF OMITTED] TR25AU06.002

Effective Date

    This final rule will become effective on August 27, 2007. The fact 
that these regulations are not effective for one year does not affect 
existing launch operator licenses.

Paperwork Reduction Act

    As required by the Paperwork Reduction Act of 1995, 44 U.S.C. 3501 
et seq., the Federal Aviation Administration has reviewed the 
information collection requirements of this final rule. The FAA has 
determined that this final rule has no additional burden to respondents 
over and above that which the Office of Management and Budget has 
already approved under the existing rule titled, ``Commercial Space 
Transportation Licensing Regulations'' (OMB control number 2120-0608). 
Under the existing rule, the FAA considers license applications to 
launch from non-federal launch sites on a case-by-case basis. In 
conducting a case-by-case review, the FAA gives due consideration to 
current practices in space transportation, generally involving launches 
from federal sites, and collects information accordingly. Accordingly, 
the FAA believes that, under this final rule, there is no additional 
information collection not already included in the previously approved 
information collection activity. This rule would eliminate the case-by-
case review, thereby streamlining the licensing process, and would not 
place any additional burden on the respondent.
    An agency may not collect or sponsor the collection of information, 
nor may it impose an information collection requirement unless it 
displays a currently valid Office of Management and Budget (OMB) 
control number.

Regulatory Evaluation Summary; Introduction

    Proposed and final rule changes to Federal regulations must undergo 
several economic analyses. First, Executive Order 12866 directs that 
each Federal agency propose or adopt a regulation only upon a reasoned 
determination that the benefits of the intended regulation justify its 
costs. Second, the Regulatory Flexibility Act of 1980 requires agencies 
to analyze the economic impact of regulatory changes on small entities. 
Third, the Trade Agreements Act prohibits agencies from setting 
standards that create unnecessary obstacles to the foreign commerce of 
the United States. In developing U.S. standards, the Trade Agreements 
Act also requires agencies to consider international standards and, 
where appropriate, use them as the basis of U.S. standards. Fourth, the 
Unfunded Mandates Reform Act of 1995 requires agencies to prepare a 
written assessment of the costs, benefits, and other effects of 
proposed or final rules that include a Federal mandate likely to result 
in the expenditure by State, local, or tribal governments, in the 
aggregate, or by the private sector, of $100 million or more annually 
(adjusted for inflation).
    In conducting these analyses, the FAA has determined that the final 
rule: (1) Has benefits that justify its costs; while not economically 
significant, is ``a significant regulatory action'' as defined

[[Page 50528]]

in the Executive Order; and is ``significant'' as defined in the 
Department of Transportation's Regulatory Policies and Procedures; (2) 
does not have a significant impact on a substantial number of small 
entities; (3) does not impose barriers to international trade; and (4) 
does not impose an unfunded mandate on State, local, or tribal 
governments, or on the private sector. These analyses are available in 
the docket, and are summarized below.

Total Costs and Benefits of This Rulemaking

    The estimated cost of this final rule to industry and the FAA is 
$9.5 million ($7.9 million discounted). Potential benefits, which have 
not been quantified, include: increased transparency of licensing 
requirements, reduced likelihood that operators will deviate from the 
existing high level of safety achieved at federal ranges, operating 
efficiencies and associated cost savings, reduced uncertainties and 
increased confidence among the business communities, and a faster 
return to flight in the event of a mishap. The following paragraphs provide 
more details on costs and benefits.

Who is Potentially Affected by This Rulemaking

Private Sector

     Commercial space transportation launch operators.
     Users of commercial space transportation.
     Users of services provided by users of commercial space 
transportation.
     Federal range operating contractors.

Government

     Federal Aviation Administration.
     Other Federal organizations such as DOD, NASA.

Our Cost Assumptions and Sources of Information

     Discount rate--7%.
     Period of analysis--2006 through 2010.
     All monetary values are expressed in 2004 dollars.
     Five commercial space transportation launch operators 
would each assign two personnel annually to review Federal range 
implementation of certain regulatory requirements contained in the 
proposed rule.
     Five commercial space transportation launch operators 
would each assign two industry personnel in 2006 to ensure that its 
records would satisfy an FAA request to provide written evidence of 
meets intent certifications or waivers granted previously by a Federal 
range.
     Annual base salary per industry personnel $116,939.
     Fringe benefit factor 23.45%.
     FAA would expend 1.5 full time personnel per year to 
administer and implement the proposed requirement.

Benefits

    Benefits were not quantified but it is expected that the rule will:
     Increase transparency of existing requirements for 
established launch operators and new entrants;
     Preserve the high level of safety demonstrated by 
commercial space launch operators by reducing the likelihood that 
operators will deviate from current practice;
     Yield operating efficiencies by establishing standardized 
requirements for commercial launch operators;
     Reduce uncertainties and promote confidence among the 
commercial space investor and insurance communities which might 
stimulate business;
     Facilitate a faster return to flight in the event of a 
mishap because the rule will yield documentation that may be critical 
to mishap investigation;
     Result in industry cost savings by ensuring consistency in 
implementing the licensing process.

Total Costs

    The estimated cost of this final rule is $9.5 million ($7.9 
million, discounted) for five years after publication of the rule. The 
launch industry is expected to incur $8.7 million ($7.3 million, 
discounted) in costs over the five-year period. The FAA believes that a 
commercial space transportation launch operator will assign as many as 
two personnel to review Federal launch range implementation of certain 
regulatory requirements contained in the final rule. This will result 
in industry spending $7.2 million ($5.9 million, discounted) over the 
five-year period to increase its involvement in reviewing Federal 
launch range implementation of safety requirements in the final rule. 
Also, the final rule will require a licensed launch operator to provide 
written evidence, on request, demonstrating that a Federal launch range 
has granted a meets intent certification or waiver. Although a licensed 
launch operator is already required to do so by range requirements and 
the terms of its license, the FAA believes that the commercial space 
transportation industry would incur an additional $1.4 million ($1.3 
million, discounted) to comply with the requirements to ensure that its 
records are adequate.
    The FAA is expected to incur $812,000 ($666,000, discounted) in 
costs over the five-year period to perform more rigorous and timely 
launch site safety assessments.
[GRAPHIC] [TIFF OMITTED] TR25AU06.003

Changes From the SNPRM to the Final Rule

    The final rule differs from the SNPRM because it incorporates 
industry comments to the SNPRM to better capture the current practice 
and guidelines of the federal ranges. It better accomplishes an FAA 
purpose in publishing this rule: to codify current practice at the 
federal ranges and non-federal launch sites.
    The costs estimated by the final rule regulatory evaluation differ 
from costs estimated by the SNPRM regulatory

[[Page 50529]]

evaluation. This is because better modeling techniques and better 
information on potential cost impacts have become available since the 
SNPRM was published. A summary of the differences between the SNPRM 
costs and the final rule costs follows.
     The regulatory evaluation for the SNPRM estimated that the 
proposed rule would cause two launches from the Eastern range to be 
delayed, at an estimated cost to industry of $700,000. The delay was 
attributable to modeling techniques indicating that toxic risks would 
exist greater than 30 x 10^-6, which would cause two launches 
to be delayed. Application of more refined modeling techniques since 
publication of the SNPRM regulatory evaluation indicates that there 
would be no toxic risk level equal to or greater than 30 x 10^-6 
associated with these launches. Accordingly, the launches 
would be allowed to proceed without delay under the final rule.
     The final rule regulatory evaluation estimates industry 
costs of approximately $1.4 million per annum, or $7.2 million 
(undiscounted) over a five-year period from 2006 through 2010. These 
costs are based on the assumption that the rule will motivate launch 
operators to take a more aggressive role in understanding and reviewing 
many of the safety-related responsibilities performed by the federal 
ranges; this will be accomplished by performing oversight. These costs 
were not included in the SNPRM regulatory evaluation and are included 
here to recognize launch operator concerns (of note, at a March 2005 
public meeting, one commenter observed that such oversight might not 
take place.)
     The final rule regulatory evaluation also estimates 
industry costs of approximately $1.4 million (or $1.3 million 
undiscounted) in 2006 to comply with the final rule requirements and 
ensure that its records are adequate. These costs would fulfill the 
rule requirements for commercial launch operators to provide written 
evidence, on request, demonstrating that a federal range has granted a 
meets intent certification or waiver. These costs were not included in 
the SNPRM regulatory evaluation and are included here because better 
information and insight is available.
     The rule will result in the FAA performing more extensive 
reviews of federal range flight safety programs. In performing more 
rigorous and timely baseline assessments, the FAA will incur additional 
administrative cost of approximately $162,000 per annum, or $812,000 
($665,721 discounted) over the five-year period from 2006 to 2010. 
These costs were not included in the SNPRM regulatory evaluation and 
are included here because better information and insight is available.

Regulatory Flexibility Determination

    The Regulatory Flexibility Act of 1980 establishes ``as a principle 
of regulatory issuance that agencies shall endeavor, consistent with 
the objective of the rule and of applicable statutes, to fit regulatory 
and informational requirements to the scale of the business, 
organizations, and governmental jurisdictions subject to regulation.'' 
To achieve that principle, the Act requires agencies ``to solicit and 
consider flexible regulatory proposals and to explain the rationale for 
their actions.'' The Act covers a wide range of small entities, 
including small businesses, not-for-profit organizations and small 
governmental jurisdictions. Agencies must perform a review to determine 
whether a final rule would have a significant economic impact on a 
substantial number of small entities. If the determination is that it 
will, then the agency must prepare a regulatory flexibility analysis. 
In contrast, if an agency determines that a final rule is not expected 
to have a significant economic impact on a substantial number of small 
entities, then Section 605(b) of the 1980 act provides that the head of 
the agency may so certify and a regulatory flexibility analysis is not 
required.
    The Small Business Administration (SBA) has defined small business 
entities engaged in commercial space transportation vehicles as those 
employing no more than 1,000 employees, using the North American 
Industry Classification System codes 336414, Guided Missile and Space 
Vehicle Manufacturing, 336415, Guided Missile and Space Vehicle 
Propulsion Unit and Parts Manufacturing, and 336419, Other Guided 
Missile and Space Vehicle Parts and Auxiliary Equipment Manufacturing. 
The SBA does not apply a size standard based on maximum annual receipts 
to define small business entities engaged in the commercial space 
transportation industry.
    The final rule will cause commercial entities, operating in the 
commercial space launch industry prior to this proposed rulemaking, to 
perform more rigorous oversight of Federal launch range safety 
performance and to maintain adequate records of launch deviations from 
EWR 127-1 requirements granted by a Federal launch range. The FAA 
recognizes that these good business practices may not have been always 
performed in current practice, and also recognizes that the final rule 
(1) highlights commercial launch operator accountability for launch 
safety and oversight by commercial entities of Federal launch range 
performance, and (2) requires written documentation for meets intent 
certifications and waivers granted by the Federal launch ranges as 
already mandated by Federal launch range requirements. Ordinarily these 
activities would be expected to be performed as a matter of good 
business practice.
    The FAA believes that the following large business entities are the 
principal entities currently comprising the ELV commercial space 
transportation launch operator industry: The Boeing Company, Lockheed 
Martin Corporation, International Launch Services, Incorporated, 
Orbital Sciences Corporation, and Sea Launch Company, L.L.C. Further, 
the FAA has determined that there are no existing small firms, but that 
there is one small business entity that is planning to enter the ELV 
commercial space transportation launch industry--Space Exploration 
Technologies Corporation (which has 20 employees). As a potential new 
entrant to this industry, this small business entity has neither 
established a launch history nor established current practices. One 
potential new entrant as the sole small entity does not constitute a 
substantial number. Accordingly, pursuant to the Regulatory Flexibility 
Act, 5 U.S.C. 605(b), I certify that the final rule will not have a 
significant economic impact on a substantial number of small entities.

International Trade Impact Assessment

    The Trade Agreements Act of 1979 prohibits Federal agencies from 
promulgating any standards or engaging in any related activities that 
create unnecessary obstacles to the foreign commerce of the United 
States. Legitimate domestic objectives, such as safety, are not 
unnecessary obstacles; however, because the final rule will codify the 
intent of current practice requirements, it will not create obstacles. 
The statute also requires consideration of international standards and 
where appropriate, that they be the basis for U.S. standards. In 
accordance with this statute, the FAA has assessed the potential effect 
of the final rule and has determined that it will impose the same costs 
on domestic and international entities, and thus has a neutral trade 
impact.

Unfunded Mandates Assessment

    The Unfunded Mandates Reform Act of 1995 (the Act) is intended, 
among other things, to curb the practice of

[[Page 50530]]

imposing unfunded Federal mandates on State, local, and tribal 
governments. Title II of the Act requires each Federal agency to 
prepare a written statement assessing the effects of any Federal 
mandate in a proposed or final agency rule that may result in an 
expenditure of $100 million or more (adjusted annually for inflation) 
in any one year by State, local, and tribal governments, in the 
aggregate, or by the private sector; such a mandate is deemed to be a 
``significant regulatory action.'' The FAA currently uses an inflation-
adjusted value of $120.7 million in lieu of $100 million.
    This final rule does not contain such a mandate. The requirements 
of Title II do not apply.

Executive Order 13132, Federalism

    The FAA has analyzed this final rule under the principles and 
criteria of Executive Order 13132, Federalism. We determined that this 
action will not have a substantial direct effect on the States, or the 
relationship between the national Government and the States, or on the 
distribution of power and responsibilities among the various levels of 
government, and therefore does not have Federalism implications.

Environmental Analysis

    FAA Order 1050.1E identifies FAA actions that are categorically 
excluded from preparation of an environmental assessment or 
environmental impact statement under the National Environmental Policy 
Act in the absence of extraordinary circumstances. The FAA has 
determined this rulemaking action qualifies for the categorical 
exclusion identified in paragraph 312(d) and involves no extraordinary 
circumstances.

Regulations That Significantly Affect Energy Supply, Distribution, or 
Use

    The FAA has analyzed this final rule under Executive Order 13211, 
Actions Concerning Regulations that Significantly Affect Energy Supply, 
Distribution, or Use (May 18, 2001). We have determined that it is not 
a ``significant energy action'' under the executive order because it is 
not a ``significant regulatory action'' under Executive Order 12866, 
and it is not likely to have a significant adverse effect on the 
supply, distribution, or use of energy.

List of Subjects

14 CFR Part 401

    Organization and functions (Government agencies), Space 
transportation and exploration.

14 CFR Part 406

    Administrative practice and procedure, Confidential business 
information, Investigations, Penalties, Space transportation and 
exploration.

14 CFR Part 413

    Confidential business information, Space transportation and 
exploration.

14 CFR Part 415

    Aviation safety, Environmental protection, Space transportation and 
exploration.

14 CFR Part 417

    Aviation safety, Reporting and recordkeeping requirements, Rockets, 
Space transportation and exploration.

The Amendment

In consideration of the foregoing, the Federal Aviation Administration 
amends Chapter III of Title 14, Code of Federal Regulations as follows:

Licensing and Safety Requirements for Launch

PART 401--ORGANIZATION AND DEFINITIONS

1. The authority citation for part 401 continues to read as follows:

    Authority: 49 U.S.C. 70101-70121.


2. Amend Sec.  401.5 by adding the following definitions in 
alphabetical order and revising the definition of ``Safety critical'' 
to read as follows:


Sec.  401.5  Definitions.

* * * * *
    Casualty means serious injury or death.
* * * * *
    Equivalent level of safety means an approximately equal level of 
safety as determined by qualitative or quantitative means.
    Expendable launch vehicle means a launch vehicle whose propulsive 
stages are flown only once.
* * * * *
    Instantaneous impact point means an impact point, following thrust 
termination of a launch vehicle, calculated in the absence of 
atmospheric drag effects.
* * * * *
    Launch site safety assessment means an FAA assessment of a Federal 
launch range to determine if the range meets FAA safety requirements. A 
difference between range practice and FAA requirements is documented in 
the LSSA.
* * * * *
    Nominal means, in reference to launch vehicle performance, 
trajectory, or stage impact point, a launch vehicle flight where all 
vehicle aerodynamic parameters are as expected, all vehicle internal 
and external systems perform exactly as planned, and there are no 
external perturbing influences other than atmospheric drag and gravity.
* * * * *
    Populated area means--
    (1) An outdoor location, structure, or cluster of structures that 
may be occupied by people;
    (2) Sections of roadways and waterways that are frequented by 
automobile and boat traffic; or
    (3) Agricultural lands, if routinely occupied by field workers.
    Public safety means, for a particular licensed launch, the safety 
of people and property that are not involved in supporting the launch 
and includes those people and property that may be located within the 
boundary of a launch site, such as visitors, individuals providing 
goods or services not related to launch processing or flight, and any 
other launch operator and its personnel.
* * * * *
    Risk means a measure that accounts for both the probability of 
occurrence of a hazardous event and the consequence of that event to 
persons or property.
    Safety critical means essential to safe performance or operation. A 
safety critical system, subsystem, component, condition, event, 
operation, process, or item is one whose proper recognition, control, 
performance, or tolerance is essential to ensuring public safety. 
Something that is a safety critical item creates a safety hazard or 
provides protection from a safety hazard.
* * * * *
    Sigma means a single standard deviation from a fixed value, such as 
a mean.
* * * * *

PART 406--INVESTIGATIONS, ENFORCEMENT AND ADMINISTRATIVE REVIEW

3. The authority citation for part 406 continues to read as follows:

    Authority: 49 U.S.C. 70101-70121.


4. Revise Sec.  406.3(b) to read as follows:


Sec.  406.3  Submissions; oral presentation in license and payload 
actions; standard of proof.

* * * * *
    (b) Submissions must include a detailed exposition of the evidence 
or arguments supporting the petition. Where an applicant must 
demonstrate an equivalent level of safety or fidelity,
the applicant must make a clear and convincing demonstration.
* * * * *

PART 413--LICENSE APPLICATION PROCEDURES

5. The authority citation for part 413 continues to read as follows:

    Authority: 49 U.S.C. 70101-70121.


6. Amend Sec.  413.7 by adding paragraph (d) to read as follows:


Sec.  413.7  Application.

* * * * *
    (d) Measurement system consistency. For each analysis, an applicant 
must employ a consistent measurements system, whether English or 
metric, in its application and licensing information.

PART 415--LAUNCH LICENSE

7. The authority citation for part 415 continues to read as follows:

    Authority: 49 U.S.C. 70101-70121.


8. Revise Sec.  415.1 to read as follows:


Sec.  415.1  Scope.

    This part establishes requirements for obtaining a license to 
launch an expendable launch vehicle. Requirements for preparing a 
license application are contained in part 413 of this chapter. Post 
licensing requirements governing launch from a Federal launch range and 
a non-Federal launch site are contained in part 417 of this chapter.


Sec.  415.9  [Amended]

9. Amend Sec.  415.9(b) to add the following to the end of the 
paragraph: ``, and part 417 of this chapter.''


10. Revise Sec.  415.31(a) to read as follows:


Sec.  415.31  General.

    (a) The FAA conducts a safety review to determine whether an 
applicant is capable of launching a launch vehicle and its payload 
without jeopardizing public health and safety and safety of property. 
The FAA issues a safety approval to a license applicant proposing to 
launch from a Federal launch range if the applicant satisfies the 
requirements of this subpart and has contracted with the Federal launch 
range for the provision of safety-related launch services and property, 
as long as an FAA launch site safety assessment shows that the range's 
launch services and launch property satisfy part 417 of this chapter. 
The FAA evaluates on an individual basis all other safety-related 
launch services and property associated with an applicant's proposal, 
in accordance with part 417 of this chapter. A safety approval is part 
of the licensing record on which the FAA's licensing determination is 
based.
* * * * *

11. Revise Sec.  415.35 to read as follows:


Sec.  415.35  Acceptable flight risk.

    (a) Flight risk through orbital insertion or impact. Acceptable 
flight risk through orbital insertion for an orbital launch vehicle, 
and through impact for a suborbital launch vehicle, is measured in 
terms of the expected average number of casualties (Ec) to 
the collective members of the public exposed to debris hazards from any 
one launch. To obtain safety approval, an applicant must demonstrate 
that the risk level associated with debris from an applicant's proposed 
launch meets the public risk criteria of Sec.  417.107(b)(1) of this 
chapter for impacting inert and impacting explosive debris.
    (b) Hazard identification and risk assessment. To demonstrate 
compliance with paragraph (a) of this section, an applicant must file 
an analysis that identifies hazards and assesses risks to public health 
and safety and safety of property associated with nominal and non-
nominal flight of its proposed launch.
    (c) Design. A launch vehicle must be designed to ensure that flight 
risks meet the criteria of paragraph (a) of this section. An applicant 
must identify and describe the following:
    (1) Launch vehicle structure, including physical dimensions and 
weight;
    (2) Hazardous and safety critical systems, including propulsion 
systems; and
    (3) Drawings and schematics for each system identified under 
paragraph (c)(2) of this section.
    (d) Operation. A launch vehicle must be operated in a manner that 
ensures that flight risks meet the criteria of paragraph (a) of this 
section. An applicant must identify all launch operations and 
procedures that must be performed to ensure acceptable flight risk.

12. Revise Sec.  415.37 to read as follows:


Sec.  415.37  Flight readiness and communications plan.

    (a) Flight readiness requirements. An applicant must designate an 
individual responsible for flight readiness. The applicant must file 
the following procedures for verifying readiness for safe flight:
    (1) Launch readiness review procedures involving the applicant's 
flight safety personnel and Federal launch range personnel involved in 
the launch, as required by Sec.  417.117(g) of this chapter.
    (2) Procedures that ensure mission constraints, rules and abort 
procedures are listed and consolidated in a safety directive or 
notebook approved by licensee flight safety and Federal launch range 
personnel.
    (3) Procedures that ensure currency and consistency of licensee and 
Federal launch range countdown checklists.
    (4) Dress rehearsal procedures that--
    (i) Ensure crew readiness under nominal and non-nominal flight 
conditions;
    (ii) Contain criteria for determining whether to dispense with one 
or more dress rehearsals; and
    (iii) Verify currency and consistency of licensee and Federal 
launch range countdown checklists.
    (5) Procedures for ensuring the licensee's flight safety personnel 
adhere to the crew rest rules of Sec.  417.113(f) of this chapter.
    (b) Communications plan requirements. An applicant must file a 
communications plan that meets Sec.  417.111(k) of this chapter, and 
that provides licensee and Federal launch range personnel 
communications procedures during countdown and flight.
    (c) An applicant must file procedures that ensure that licensee and 
Federal launch range personnel receive a copy of the communications 
plan required by paragraph (b) of this section, and that the Federal 
launch range concurs in the communications plan.

13. Revise Sec.  415.39 to read as follows:


Sec.  415.39  Safety at end of launch.

    To obtain safety approval, an applicant must demonstrate compliance 
with Sec.  417.129 of this chapter, for any proposed launch of a launch 
vehicle with a stage or component that will reach Earth orbit.

14. Revise Sec.  415.41 to read as follows:


Sec.  415.41  Accident investigation plan.

    An applicant must file an accident investigation plan (AIP), that 
satisfies Sec.  417.111(g) of this chapter, and contains the 
applicant's procedures for reporting and responding to launch 
accidents, launch incidents, or other mishaps, as defined by Sec.  
401.5 of this chapter.

15. Amend Sec.  415.51 by adding a sentence to the end of this section 
to read as follows:


Sec.  415.51  General.

    * * * The safety requirements of subpart C and F of this part and 
of part 417 of this chapter apply to all
payloads, whether or not the payload is otherwise exempt.

Subpart E--[Removed and Reserved]

16. Remove and reserve subpart E, consisting of Sec. Sec.  415.71 
through 415.90.


Sec. Sec.  415.101 and 415.103  [Redesignated as Sec. Sec.  415.201 and 
415.203]

17. Redesignate Sec. Sec.  415.101 and 415.103 as Sec. Sec.  415.201 
and 415.203, respectively.

18. Revise subpart F to read as follows:
Subpart F--Safety Review and Approval for Launch of an Expendable 
Launch Vehicle From a Non-Federal Launch Site
Sec.
415.91 through 415.100 [Reserved]
415.101 Scope and applicability.
415.102 Definitions.
415.103 General.
415.105 Pre-application consultation.
415.107 Safety review document.
415.109 Launch description.
415.111 Launch operator organization.
415.113 Launch personnel certification program.
415.115 Flight safety.
415.117 Ground safety.
415.119 Launch plans.
415.121 Launch schedule.
415.123 Computing systems and software.
415.125 Unique safety policies, requirements and practices.
415.127 Flight safety system design and operation data.
415.129 Flight safety system test data.
415.131 Flight safety system crew data.
415.133 Safety at end of launch.
415.135 Denial of safety approval.
415.136 through 415.200 [Reserved]

Subpart F--Safety Review and Approval for Launch of an Expendable 
Launch Vehicle From a Non-Federal Launch Site


Sec. Sec.  415.91 through 415.100  [Reserved]


Sec.  415.101  Scope and applicability.

    (a) This subpart F contains requirements that an applicant must 
meet to obtain a safety approval when applying for a license to launch 
an expendable launch vehicle from a non-Federal launch site. This 
subpart also contains administrative requirements for a safety review, 
such as when and how an applicant files the required information, and 
the requirements for the form and content of each submission.
    (b) The requirements of this subpart apply to both orbital and 
suborbital expendable launch vehicles.
    (c) An applicant must demonstrate, through the material filed with 
the FAA, its ability to comply with the requirements of part 417 of 
this chapter. To facilitate production of the information required by 
this subpart, an applicant should become familiar with the requirements 
of part 417 of this chapter.
    (d) For a launch from an exclusive use launch site, where there is 
no licensed launch site operator, a launch operator must satisfy the 
requirements of this part and the public safety application 
requirements of part 420 of this chapter.


Sec.  415.102  Definitions.

    For the purposes of this subpart, the definitions of Sec.  417.3 
and Sec.  401.5 of this chapter apply.


Sec.  415.103  General.

    (a) The FAA conducts a safety review to determine whether an 
applicant is capable of conducting launch processing and flight without 
jeopardizing public health and safety and safety of property. The FAA 
issues a safety approval to a license applicant if the applicant 
satisfies the requirements of this subpart and demonstrates that it 
will meet the safety responsibilities and requirements of part 417 of 
this chapter.
    (b) The FAA advises an applicant, in writing, of any issue raised 
during a safety review that would impede issuance of a safety approval. 
The applicant may respond, in writing, or amend its license application 
as required by Sec.  413.17 of this chapter.
    (c) An applicant must make available to the FAA upon request a copy 
of any information incorporated into a license application by 
reference.
    (d) A safety approval is part of the licensing record on which the 
FAA bases its licensing determination.


Sec.  415.105  Pre-application consultation.

    (a) An applicant must participate in a pre-application consultation 
meeting, as required by Sec.  413.5 of this chapter, prior to an 
applicant's preparation of the initial flight safety analysis required 
by Sec.  415.115.
    (b) At a pre-application consultation meeting, an applicant must 
provide as complete a description of the planned launch or series of 
launches as available at the time. An applicant must provide the FAA 
the following information:
    (1) Launch vehicle. Description of:
    (i) Launch vehicle;
    (ii) Any flight termination system; and
    (iii) All hazards associated with the launch vehicle and any 
payload, including the type and amounts of all propellants, explosives, 
toxic materials and any radionuclides.
    (2) Proposed mission. 
    (i) For an applicant applying for a launch specific license under 
Sec.  415.3(a), the apogee, perigee, and inclination of any orbital 
objects and each impact location of any stage or other component.
    (ii) For an applicant applying for a launch operator license under 
Sec.  415.3(b), the planned range of trajectories and flight azimuths, 
and the range of apogees, perigees, and inclinations of any orbital 
objects and each impact location of any stage or other component.
    (3) Potential launch site.
    (i) Name and location of the proposed launch site, including 
latitude and longitude of the proposed launch point;
    (ii) Identity of any launch site operator of that site; and
    (iii) Identification of any facilities at the launch site that will 
be used for launch processing and flight.


Sec.  415.107  Safety review document.

    (a) An applicant must file a safety review document that contains 
all the information required by Sec. Sec.  415.109--415.133. An 
applicant must file the information for a safety review document as 
required by the outline in appendix B of this part. An applicant must 
file a sufficiently complete safety review document, except for the 
ground safety analysis report, no later than six months before the 
applicant brings any launch vehicle to the proposed launch site.
    (b) A launch operator's safety review document must:
    (1) Contain a glossary of unique terms and acronyms used in 
alphabetical order;
    (2) Contain a listing of all referenced standards, codes, and 
publications;
    (3) Be logically organized, with a clear and consistent page 
numbering system and must identify cross-referenced topics;
    (4) Use equations and mathematical relationships derived from or 
referenced to a recognized standard or text, and must define all 
algebraic parameters;
    (5) Include the units of all numerical values provided; and
    (6) Include a legend or key that identifies all symbols used for 
any schematic diagrams.
    (c) An applicant's safety review document may include sections not 
required by appendix B of this part. An applicant must identify each 
added section by using the word ``added'' in front of the title of the 
section. In the first paragraph of the section, an applicant must 
explain any addition to the outline in appendix B of this part.
    (d) If a safety review document section required by appendix B of 
this part does not apply to an applicant's proposed launch, an 
applicant must identify the sections in the application
by the words ``not applicable'' preceding the title of the section. In 
the first paragraph of the section, an applicant must describe and 
justify why the section does not apply.
    (e) An applicant may reference documentation previously filed with 
the FAA.


Sec.  415.109  Launch description.

    An applicant's safety review document must contain the following 
information:
    (a) Launch site description. An applicant must identify the 
proposed launch site and include the following:
    (1) Boundaries of the launch site;
    (2) Launch point location, including latitude and longitude;
    (3) Identity of any launch site operator of that proposed site; and
    (4) Identification of any facilities at the launch site that will 
be used for launch processing and flight.
    (b) Launch vehicle description. An applicant must provide the 
following:
    (1) A written description of the launch vehicle. The description 
must include a table specifying the type and quantities of all 
hazardous materials on the launch vehicle and must include propellants, 
explosives, and toxic materials; and
    (2) A drawing of the launch vehicle that identifies:
    (i) Each stage, including strap-on motors;
    (ii) Physical dimensions and weight;
    (iii) Location of all safety critical systems, including any flight 
termination hardware, tracking aids, or telemetry systems;
    (iv) Location of all major launch vehicle control systems, 
propulsion systems, pressure vessels, and any other hardware that 
contains potential hazardous energy or hazardous material; and
    (v) For an unguided suborbital launch vehicle, the location of the 
rocket's center of pressure in relation to its center of gravity for 
the entire flight profile.
    (c) Payload description. An applicant must include or reference 
documentation previously filed with the FAA that contains the payload 
information required by Sec.  415.59 for any payload or class of 
payload.
    (d) Trajectory. An applicant must provide two drawings depicting 
trajectory information. An applicant must file additional trajectory 
information as part of the flight safety analysis data required by 
Sec.  415.115.
    (1) One drawing must depict the proposed nominal flight profile 
with downrange depicted on the abscissa and altitude depicted on the 
ordinate axis. The nominal flight profile must be labeled to show each 
planned staging event and its time after liftoff from launch through 
orbital insertion or final impact; and
    (2) The second drawing must depict instantaneous impact point 
ground traces for each of the nominal trajectory, the three-sigma left 
lateral trajectory and the three-sigma right lateral trajectory 
determined under Sec.  417.207 of this chapter. The trajectories must 
be depicted on a latitude/longitude grid, and the grid must include the 
outlines of any continents and islands.
    (e) Staging events. An applicant must provide a table of nominal 
and ±three-sigma times for each major staging event and 
must describe each event, including the predicted impact point and 
dispersion of each spent stage.
    (f) Vehicle performance graphs. An applicant must provide graphs of 
the nominal and ±three-sigma values as a function of time 
after liftoff for the following launch vehicle performance parameters: 
thrust, altitude, velocity, instantaneous impact point arc-range 
measured from the launch point, and present position arc-range measured 
from the launch point.


Sec.  415.111  Launch operator organization.

    An applicant's safety review document must contain organizational 
charts and a description that shows that the launch operator's 
organization satisfies the requirements of Sec.  417.103 of this 
chapter. An applicant's safety review document must also identify all 
persons with whom the applicant has contracted to provide safety-
related goods or services for the launch of the launch vehicle.


Sec.  415.113  Launch personnel certification program.

    (a) A safety review document must describe how the applicant will 
satisfy the personnel certification program requirements of Sec.  
417.105 of this chapter and identify by position those individuals who 
implement the program.
    (b) An applicant's safety review document must contain a copy of 
its documentation that demonstrates how the launch operator implements 
the personnel certification program.
    (c) An applicant's safety review document must contain a table 
listing each hazardous operation or safety critical task that certified 
personnel must perform. For each task, the table must identify by 
position the individual who reviews personnel qualifications and 
certifies personnel for performing the task.


Sec.  415.115  Flight safety.

    (a) Flight safety analysis. An applicant's safety review document 
must describe each analysis method employed to meet the flight safety 
analysis requirements of part 417, subpart C, of this chapter. An 
applicant's safety review document must demonstrate how each analysis 
method satisfies the flight safety analysis requirements of part 417, 
subpart C, of this chapter. An applicant's safety review document must 
contain analysis products and other data that demonstrate the 
applicant's ability to meet the public risk criteria of Sec.  417.107 
of this chapter and to establish launch safety rules as required by 
Sec.  417.113 of this chapter. An applicant's flight safety analysis 
must satisfy the following requirements:
    (1) An applicant must file the proposed flight safety analysis 
methodology and the preliminary flight safety analysis products no 
later than 18 months for any orbital or guided suborbital launch 
vehicle, and nine months for any unguided suborbital launch vehicle, 
prior to bringing any launch vehicle to the proposed launch site.
    (2) For a launch operator license, an applicant must file flight 
safety analysis products that account for the range of launch vehicles 
and flight trajectories applied for, or the worst case vehicle and 
trajectory under which flight will be attempted, no later than 6 months 
before the applicant brings any launch vehicle to the proposed launch 
site. For a launch specific license, an applicant must file flight 
safety analysis products that account for the actual flight conditions, 
no later than 6 months before the applicant brings any launch vehicle 
to the proposed launch site.
    (3) The flight safety analysis performed by an applicant must be 
completed as required by subpart C of part 417 of this chapter. An 
applicant may identify those portions of the analysis that it expects 
to refine as the first proposed flight date approaches. An applicant 
must identify any analysis product subject to change, describe what 
needs to be done to finalize the product, and identify when before 
flight it will be finalized. If a license allows more than one launch, 
an applicant must demonstrate the applicability of the analysis methods 
to each of the proposed launches and identify any expected differences 
in the flight safety analysis methods among the proposed launches. Once 
licensed, a launch operator must perform a flight safety analysis for 
each launch using final launch vehicle performance and other data as 
required by subpart C of part 417
of this chapter and using the analysis methods approved by the FAA 
through the licensing process.
    (b) Radionuclides. An applicant's safety review document must 
identify the type and quantity of any radionuclide on a launch vehicle 
or payload. For each radionuclide, an applicant must include a 
reference list of all documentation addressing the safety of its 
intended use and describe all approvals by the Nuclear Regulatory 
Commission for launch processing. An applicant must provide 
radionuclide information to the FAA at the pre-application consultation 
as required by Sec.  415.105. The FAA will evaluate launch of any 
radionuclide on a case-by-case basis, and issue an approval if the FAA 
finds that the launch is consistent with public health and safety.
    (c) Flight safety plan. An applicant's safety review document must 
contain a flight safety plan that satisfies Sec.  417.111(b) of this 
chapter. The plan need not be restricted to public safety related 
issues and may combine other flight safety issues as well, such as 
employee safety, so as to be all-inclusive.
    (d) Natural and triggered lightning. For any orbital or guided 
suborbital expendable launch vehicle, an applicant must demonstrate 
that it will satisfy the flight commit criteria of Sec.  417.113(c) of 
this chapter and appendix G of part 417 of this chapter for natural and 
triggered lightning. If an applicant's safety review document states 
that any flight commit criterion that is otherwise required by appendix 
G of part 417 of this chapter does not apply to a proposed launch or 
series of launches, the applicant's safety review document must 
demonstrate that the criterion does not apply.


Sec.  415.117  Ground safety.

    (a) General. An applicant's safety review document must include a 
ground safety analysis report, and a ground safety plan for its launch 
processing and post-flight operations as required by this section, 
Sec.  417.109 of this chapter, and subpart E of part 417 of this 
chapter when launching from a launch point in the United States. Launch 
processing and post-launch operations at a launch point outside the 
United States may be subject to the requirements of the governing 
jurisdiction.
    (b) Ground safety analysis. A ground safety analysis must review 
each system and operation used in launch processing and post-flight 
operations as required by Sec.  417.109 of this chapter, and subpart E 
of part 417 of this chapter.
    (1) An applicant must file an initial ground safety analysis report 
no later than 12 months for any orbital or guided suborbital launch 
vehicle, and nine months for an unguided suborbital launch vehicle, 
before the applicant brings any launch vehicle to the proposed launch 
site. An initial ground safety analysis report must be in a proposed 
final or near final form and identify any incomplete items. An 
applicant must document any incomplete items and track them to 
completion. An applicant must resolve any FAA comments on the initial 
report and file a complete ground safety analysis report, no later than 
two months before the applicant brings any launch vehicle to the 
proposed launch site. Furthermore, an applicant must keep its ground 
safety analysis report current. Any late developing change to a ground 
safety analysis report must be coordinated with the FAA as an 
application amendment as required by Sec.  413.17 of this chapter as 
soon as the applicant identifies the need for a change.
    (2) An applicant must file a ground safety analysis report that 
satisfies the ground safety analysis requirements of Sec.  417.109 of 
this chapter, and subpart E of part 417 of this chapter.
    (3) The person designated under Sec.  417.103(b)(1) of this chapter 
and the person designated under Sec.  417.103(b)(2) of this chapter 
must approve and sign the ground safety analysis report.
    (c) Ground safety plan. An applicant's safety review document must 
contain a ground safety plan that satisfies Sec.  417.111(c) of this 
chapter. The applicant must file this plan with the FAA no later than 
six months prior to bringing the launch vehicle to the proposed launch 
site. This ground safety plan must describe implementation of the 
hazard controls identified by an applicant's ground safety analysis and 
implementation of the ground safety requirements of subpart E of part 
417 of this chapter. A ground safety plan must address all public 
safety related issues and may include other ground safety issues if an 
applicant intends it to have a broader scope.


Sec.  415.119  Launch plans.

    An applicant's safety review document must contain the plans 
required by Sec.  417.111 of this chapter, except for the countdown 
plan of Sec.  417.111(l) of this chapter. An applicant's launch plans 
do not have to be separate documents, and may be part of other 
applicant documentation. An applicant must incorporate each launch 
safety rule established under Sec.  417.113 of this chapter into a 
related launch safety plan.


Sec.  415.121  Launch schedule.

    An applicant's safety review document must contain a generic launch 
processing schedule that identifies each review, rehearsal, and safety 
critical preflight operation to be conducted as required by Sec. Sec.  
417.117, 417.119, and 417.121 of this chapter. The launch schedule must 
also identify day of flight activities. The launch processing schedule 
must show each of these activities referenced to liftoff, such as 
liftoff minus three days.


Sec.  415.123  Computing systems and software.

    (a) An applicant's safety review document must describe all 
computing systems and software that perform a safety-critical computer 
system function for any operation performed during launch processing or 
flight that could have a hazardous effect on the public as required by 
Sec.  417.123 of this chapter.
    (b) An applicant's safety review document must list and describe 
all safety-critical computer system functions involved in a proposed 
launch, including associated hardware and software interfaces. For each 
system with a safety-critical computer system function, an applicant's 
safety review document must:
    (1) Describe all safety-critical computer system functions, 
including each safety-critical interface with any other system;
    (2) Describe all systems, including all hardware and software, and 
the layout of each operator console and display;
    (3) Provide flow charts or diagrams that show all hardware data 
busses, hardware interfaces, software interfaces, data flow, and power 
systems, and all operations of each safety-critical computer system 
function;
    (4) Provide all logic diagrams and software designs;
    (5) List all operator user manuals and documentation by title and 
date;
    (6) Describe the computing system and software system safety 
process as required by Sec.  417.123(a).
    (7) Provide all results of computing system and software hazard 
analyses as required by Sec.  417.123(c).
    (8) Provide all plans and results of computing systems and software 
validation and verification as required by Sec.  417.123(d).
    (9) Provide all plans for software development as required by Sec.  
417.123(e).


Sec.  415.125  Unique safety policies, requirements and practices.

    An applicant's safety review document must identify any public 
safety-related policy, requirement, or
practice that is unique to the proposed launch, or series of launches, 
as required by Sec.  417.127 of this chapter. An applicant's safety 
review document must describe how each unique safety policy, 
requirement, or practice ensures the safety of the public.


Sec.  415.127  Flight safety system design and operation data.

    (a) General. This part applies to an applicant launching an orbital 
or guided sub-orbital expendable launch vehicle that uses a flight 
safety system to protect public safety as required by Sec.  417.107(a) 
of this chapter. An applicant's safety review document must contain the 
flight safety system data identified by this section. The applicant 
must file all data required by this section no later than 18 months 
before bringing any launch vehicle to a proposed launch site.
    (b) Flight safety system description. A safety review document must 
describe an applicant's flight safety system and its operation. Part 
417, subpart D of this chapter and appendices D, E, and F of part 417 
of this chapter contain the flight safety system and subsystems design 
and operational requirements.
    (c) Flight safety system diagram. An applicant's safety review 
document must contain a block diagram that identifies all flight safety 
system subsystems. The diagram must include the following subsystems 
defined in part 417, subpart D of this chapter: flight termination 
system; command control system; tracking; telemetry; communications; 
flight safety data processing, display, and recording system; and 
flight safety official console.
    (d) Subsystem design information. An applicant's safety review 
document must contain all of the following data that applies to each 
subsystem identified in the block diagram required by paragraph (c) of 
this section:
    (1) Subsystem description. A physical description of each subsystem 
and its components, its operation, and interfaces with other systems or 
subsystems.
    (2) Subsystem diagram. A physical and functional diagram of each 
subsystem, including interfaces with other systems and subsystems.
    (3) Component location. Drawings showing the location of all 
subsystem components, and the details of the mounting arrangements, as 
installed on the vehicle, and at the launch site.
    (4) Electronic components. A physical description of each subsystem 
electronic component, including operating parameters and functions at 
the system and piece-part level. An applicant must also provide the 
name of the manufacturer and any model number of each component and 
identify whether the component is custom designed and built or 
off-the-shelf equipment.
    (5) Mechanical components. An illustrated parts breakdown of all 
mechanically operated components for each subsystem, including the name 
of the manufacturer and any model number.
    (6) Subsystem compatibility. A demonstration of the compatibility 
of the onboard launch vehicle flight termination system with the 
command control system.
    (7) Flight termination system component storage, operating, and 
service life. A listing of all flight termination system components 
that have a critical storage, operating, or service life and a summary 
of the applicant's procedures for ensuring that each component does not 
exceed its storage, operating, or service life before flight.
    (8) Flight termination system element location. For a flight 
termination system, a description of where each subsystem element is 
located, where cables are routed, and identification of mounting attach 
points and access points.
    (9) Flight termination system electrical connectors and connections 
and wiring diagrams and schematics. For a flight termination system, a 
description of all subsystem electrical connectors and connections, and 
any electrical isolation. The safety review document must also contain 
flight termination system wiring diagrams and schematics and identify 
the test points used for integrated testing and checkout.
    (10) Flight termination system batteries. A description of each 
flight termination system battery and cell, the name of the battery or 
cell manufacturer, and any model numbers.
    (11) Controls and displays. For a flight safety official console, a 
description of all controls, displays, and charts depicting how real 
time vehicle data and flight safety limits are displayed. The 
description must identify the scales used for displays and charts.
    (e) System analyses. An applicant must perform the reliability and 
other system analyses for a flight termination system and command 
control system of Sec.  417.309 of this chapter. An applicant's safety 
review document must contain the results of each analysis.
    (f) Environmental design. An applicant must determine the flight 
termination system maximum predicted environment levels required by 
section D417.7 of appendix D of part 417 of this chapter, and the 
design environments and design margins of section D417.3 of appendix D 
of part 417 of this chapter. An applicant's safety review document must 
summarize the analyses and measurements used to derive the maximum 
predicted environment levels. The safety review document must contain a 
matrix that identifies the maximum predicted environment levels and the 
design environments.
    (g) Flight safety system compliance matrix. An applicant's safety 
review document must contain a compliance matrix of the function, 
reliability, system, subsystem, and component requirements of part 417 
of this chapter and appendix D of part 417 of this chapter. This matrix 
must identify each requirement and indicate compliance as follows:
    (1) ``Yes'' if the applicant's system meets the requirement of part 
417 of this chapter. The matrix must reference documentation that 
demonstrates compliance;
    (2) ``Not applicable'' if the applicant's system design and 
operational environment are such that the requirement does not apply. 
For each such case, the applicant must demonstrate, in accordance with 
section 406.3(b), the non-applicability of that requirement as an 
attachment to the matrix; or
    (3) ``Equivalent level of safety'' in each case where the applicant 
proposes to show that its system provides an equivalent level of safety 
through some means other than that required by part 417 of this 
chapter. For each such case, an applicant must clearly and convincingly 
demonstrate, as required by Sec.  406.3(b), through a technical 
rationale within the matrix, or as an attachment, that the proposed 
alternative provides a level of safety equivalent to satisfying the 
requirement that it would replace.
    (h) Flight termination system installation procedures. An 
applicant's safety review document must contain a list of the flight 
termination system installation procedures and a synopsis of the 
procedures that demonstrates how each of those procedures meets the 
requirements of section D417.15 of appendix D of part 417 of this 
chapter. The list must reference each procedure by title, any document 
number, and date.
    (i) Tracking validation procedures. An applicant's safety review 
document must contain the procedures identified by Sec.  417.121(h) of 
this chapter for validating the accuracy of the launch vehicle tracking 
data supplied to the flight safety crew.

[[Page 50536]]

Sec.  415.129  Flight safety system test data.

    (a) General. An applicant's safety review document must contain the 
flight safety system test data required by this section for the launch 
of an orbital and guided suborbital expendable launch vehicle that uses 
a flight safety system to protect public safety as required by Sec.  
417.107(a) of this chapter. This section applies to all testing 
required by part 417, subpart D of this chapter and its appendices, 
including qualification, acceptance, age surveillance, and preflight 
testing of a flight safety system and its subsystems and individual 
components. An applicant must file all required test data, no later 
than 12 months before the applicant brings any launch vehicle to the 
proposed launch site. An applicant may file test data earlier to allow 
greater time for addressing issues that the FAA may identify to avoid 
possible impact on the proposed launch date. Flight safety system 
testing need not be completed before the FAA issues a launch license. 
Prior to flight, a licensee must successfully complete all required 
flight safety system testing and file the completed test reports or the 
test report summaries required by Sec.  417.305(d) of this chapter and 
section E417.1(i) of appendix E of part 417 of this chapter.
    (b) Testing compliance matrix. An applicant's safety review 
document must contain a compliance matrix of all the flight safety 
system, subsystem, and component testing requirements of part 417 of 
this chapter and appendix E to part 417 of this chapter. This matrix 
must identify each test requirement and indicate compliance as follows:
    (1) ``Yes'' if the applicant performs the system or component 
testing required by part 417 of this chapter. The matrix must reference 
documentation that demonstrates compliance;
    (2) ``Not applicable'' if the applicant's system design and 
operational environment are such that the test requirement does not 
apply. For each such case, an applicant must demonstrate, as required 
by Sec.  406.3(b), the non-applicability of that requirement as an 
attachment to the matrix;
    (3) ``Similarity'' if the test requirement applies to a component 
whose design is similar to a previously qualified component. For each 
such case, an applicant must demonstrate similarity by performing the 
analysis required by appendix E of part 417 of this chapter. The 
matrix, or an attachment, must contain the results of each analysis; or
    (4) ``Equivalent level of safety'' in each case where the applicant 
proposes to show that its test program provides an equivalent level of 
safety through some means other than that required by part 417 of this 
chapter. For each such case, an applicant must clearly and convincingly 
demonstrate through a technical rationale, within the matrix or as an 
attachment, that the alternative provides a level of safety equivalent 
to satisfying the requirement that it replaces, as required by Sec.  
406.3(c).
    (c) Test program overview and schedule. A safety review document 
must contain a summary of the applicant's flight safety system test 
program that identifies the location of the testing and the personnel 
who ensure the validity of the results. A safety review document must 
contain a schedule for successfully completing each test before flight. 
The applicant must reference the schedule to the time of liftoff for 
the first proposed flight attempt.
    (d) Flight safety system test plans and procedures. An applicant's 
safety review document must contain test plans that satisfy the flight 
safety system testing requirements of subpart D of part 417 of this 
chapter and appendix E of part 417 of this chapter. An applicant's 
safety review document must contain a list of all flight termination 
system test procedures and a synopsis of the procedures that 
demonstrates how they meet the test requirements of part 417 of this 
chapter. The list must reference each procedure by title, any document 
number, and date.
    (e) Test reports. An applicant's safety review document must 
contain either the test reports, or a summary of the test report which 
captures the overall test results, including all test discrepancies and 
their resolution, prepared as required by Sec.  417.305(d) of this 
chapter and section E417.1(i) of appendix E of part 417 of this 
chapter, for each flight safety system test completed at the time of 
license application. An applicant must file any remaining test reports 
or summaries before flight as required by Sec.  417.305(d) and section 
E417.1(i) of appendix E of part 417 of this chapter. Upon request, the 
launch operator must file the complete test report with the FAA for 
review, if the launch operator previously filed test report summaries 
with the FAA.
    (f) Reuse of flight termination system components. An applicant's 
safety review document must contain a reuse qualification test, 
refurbishment plan, and acceptance test plan for the use of any flight 
termination system component on more than one flight. This test plan 
must define the applicant's process for demonstrating that the 
component can satisfy all its performance specifications when subjected 
to the qualification test environmental levels plus the total number of 
exposures to the maximum expected environmental levels for each of the 
flights to be flown.


Sec.  415.131  Flight safety system crew data.

    (a) An applicant's safety review document must identify each flight 
safety system crew position and the role of that crewmember during 
launch processing and flight of a launch vehicle.
    (b) An applicant's safety review document must describe the 
certification program for flight safety system crewmembers established 
to ensure compliance with Sec. Sec.  417.105 and 417.311 of this 
chapter.


Sec.  415.133  Safety at end of launch.

    An applicant must demonstrate compliance with Sec.  417.129 of this 
chapter, for any proposed launch of a launch vehicle with a stage or 
component that will reach Earth orbit.


Sec.  415.135  Denial of safety approval.

    The FAA notifies an applicant, in writing, if it has denied safety 
approval for a license application. The notice states the reasons for 
the FAA's determination. The applicant may respond to the reasons for 
the determination and request reconsideration.

Subpart G--[Amended]


Sec. Sec.  415.136 through 415.200  [Reserved]

19. Subpart G is amended by adding and reserving Sec. Sec.  415.204 
through 415.400.

20. Add appendix B of part 415 to read as follows:

Appendix B of Part 415--Safety Review Document Outline

    This appendix contains the format and numbering scheme for a 
safety review document to be filed as part of an application for a 
launch license as required by subpart F of part 415. The applicable 
sections of parts 413, 415, and 417 of this chapter are referenced 
in the outline below.

Safety Review Document

1.0 Launch Description (Sec.  415.109)
1.1 Launch Site Description
1.2 Launch Vehicle Description
1.3 Payload Description
1.4 Trajectory
1.5 Staging Events
1.6 Vehicle Performance Graphs
2.0 Launch Operator Organization (Sec.  415.111)
2.1 Launch Operator Organization (Sec.  415.111 and Sec.  417.103 of 
this chapter)
2.1.1 Organization Summary
2.1.3 Organization Charts
2.1.4 Office Descriptions and Safety Functions

[[Page 50537]]

3.0 Launch Personnel Certification Program (Sec.  415.113 and Sec.  
417.105 of this chapter)
3.1 Program Summary
3.2 Program Implementation Document(s)
3.3 Table of Safety Critical Tasks Performed by Certified Personnel
4.0 Flight Safety (Sec.  415.115)
4.1 Initial Flight Safety Analysis
4.1.1 Flight Safety Sub-Analyses, Methods, and Assumptions
4.1.2 Sample Calculation and Products
4.1.3 Launch Specific Updates and Final Flight Safety Analysis Data
4.2 Radionuclide Data (where applicable)
4.3 Flight Safety Plan
4.3.1 Flight Safety Personnel
4.3.2 Flight Safety Rules
4.3.3 Flight Safety System Summary and Preflight Tests
4.3.4 Trajectory and Debris Dispersion Data
4.3.5 Flight Hazard Areas and Safety Clear Zones
4.3.6 Support Systems and Services
4.3.7 Flight Safety Operations
4.3.8 Unguided Suborbital Launch Vehicles (where applicable)
5.0 Ground Safety (Sec.  415.117)
5.1 Ground Safety Analysis Report
5.2 Ground Safety Plan
6.0 Launch Plans (Sec.  415.119 and Sec.  417.111 of this chapter)
6.1 Launch Support Equipment and Instrumentation Plan
6.2 Configuration Management and Control Plan
6.3 Frequency Management Plan
6.4 Flight Termination System Electronic Piece Parts Program Plan
6.5 Accident Investigation Plan
6.6 Local Agreements and Public Coordination Plan
6.7 Hazard Area Surveillance and Clearance Plan
6.8 Communications Plan
7.0 Launch Schedule (Sec.  415.121)
7.1 Launch Processing Schedule
8.0 Computing Systems and Software (Sec.  415.123)
8.1 Hardware and Software Descriptions
8.2 Flow Charts and Diagrams
8.3 Logic Diagrams and Software Design Descriptions
8.4 Operator User Manuals and Documentation
8.5 Software Hazard Analyses
8.6 Software Test Plans, Test Procedures, and Test Results
8.7 Software Development Plan
9.0 Unique Safety Policies, Requirements and Practices (Sec.  
415.125)
10.0 Flight Safety System Design and Operation Data (Sec.  415.127)
10.1 Flight Safety System Description
10.2 Flight Safety System Diagram
10.3 Flight Safety System Subsystem Design Information
10.4 Flight Safety System Analyses
10.5 Flight Termination System Environmental Design
10.6 Flight Safety System Compliance Matrix
10.7 Flight Termination System Installation Procedures
10.8 Tracking System Validation Procedures
11.0 Flight Safety System Test Data (Sec.  415.129)
11.1 Testing Compliance Matrix
11.2 Test Program Overview and Schedule
11.3 Flight Safety System Test Plans and Procedures
11.4 Test Reports
11.5 Reuse of Flight Termination System Components
12.0 Flight Safety System Crew Data (Sec.  415.131)
12.1 Position Descriptions
12.2 Certification and Training Program Description
13.0 Safety at End of Launch (Sec.  415.133)
21. Add part 417 to read as follows:

PART 417--LAUNCH SAFETY

Subpart A--General and License Terms and Conditions
Sec.
417.1 General information.
417.3 Definitions and acronyms.
417.5 [Reserved]
417.7 Public safety responsibility.
417.9 Launch site responsibility.
417.11 Continuing accuracy of license application; application for 
modification of license.
417.13 Agreement with Federal launch range.
417.15 Records.
417.17 Launch reporting requirements and launch specific updates.
417.19 Registration of space objects.
417.21 Financial responsibility requirements.
417.23 Compliance monitoring.
417.25 Post launch report.
417.26 through 417.100 [Reserved]
Subpart B--Launch Safety Responsibilities
417.101 Scope.
417.103 Safety organization.
417.105 Launch personnel qualifications and certification.
417.107 Flight safety.
417.109 Ground safety.
417.111 Launch plans.
417.113 Launch safety rules.
417.115 Tests.
417.117 Reviews.
417.119 Rehearsals.
417.121 Safety critical preflight operations.
417.123 Computing systems and software.
417.125 Launch of an unguided suborbital launch vehicle.
417.127 Unique safety policies, requirements, and practices.
417.129 Safety at end of launch.
417.130 through 417.200 [Reserved]
Subpart C--Flight Safety Analysis
417.201 Scope and applicability.
417.203 Compliance.
417.205 General.
417.207 Trajectory analysis.
417.209 Malfunction turn analysis.
417.211 Debris analysis.
417.213 Flight safety limits analysis.
417.215 Straight-up time analysis.
417.217 Overflight gate analysis.
417.218 Hold-and-resume gate analysis.
417.219 Data loss flight time and planned safe flight state 
analyses.
417.221 Time delay analysis.
417.223 Flight hazard area analysis.
417.224 Probability of failure analysis.
417.225 Debris risk analysis.
417.227 Toxic release hazard analysis.
417.229 Far-field overpressure blast effects analysis.
417.231 Collision avoidance analysis.
417.233 Analysis for an unguided suborbital launch vehicle flown 
with a wind weighting safety system.
Subpart D--Flight Safety System
417.301 General.
417.303 Command control system requirements.
417.305 Command control system testing.
417.307 Support systems.
417.309 Flight safety system analysis.
417.311 Flight safety system crew roles and qualifications.
Subpart E--Ground Safety
417.401 Scope.
417.402 Compliance.
417.403 General.
417.405 Ground safety analysis.
417.407 Hazard control implementation.
417.409 System hazard controls.
417.411 Safety clear zones for hazardous operations.
417.413 Hazard areas.
417.415 Post-launch and post-flight-attempt hazard controls.
417.417 Propellants and explosives.

Appendix A of Part 417--Flight Safety Analysis Methodologies and 
Products for a Launch Vehicle Flown with a Flight Safety System
Appendix B of Part 417--Flight Hazard Area Analysis for Aircraft and 
Ship Protection
Appendix C of Part 417--Flight Safety Analysis Methodologies and 
Products for an Unguided Suborbital Launch Vehicle Flown With a Wind 
Weighting Safety System
Appendix D of Part 417--Flight Termination Systems, Components, 
Installation, and Monitoring
Appendix E of Part 417--Flight Termination System Testing and 
Analysis
Appendix F of Part 417--[Reserved]
Appendix G of Part 417--Natural and Triggered Lightning Flight 
Commit Criteria
Appendix H of Part 417--[Reserved]
Appendix I of Part 417--Methodologies for Toxic Release Hazard 
Analysis and Operational Procedures
Appendix J of Part 417--Ground Safety Analysis Report

    Authority: 49 U.S.C. 70101-70121.

Subpart A--General and License Terms and Conditions

Sec.  417.1 General information.

    (a) Scope. This part sets forth--
    (1) The responsibilities of a launch operator conducting a licensed 
launch of an expendable launch vehicle; and
    (2) The requirements for maintaining a launch license obtained 
under part 415 of this chapter. Parts 413 and 415 of this chapter 
contain requirements for preparing a license application to

[[Page 50538]]

conduct a launch, including information reviewed by the FAA to conduct 
a policy, safety, payload, and environmental review, and a payload 
determination.
    (b) Applicability.
    (1) The administrative requirements for filing material with the 
FAA in subpart A of this part apply to all licensed launches from a 
Federal launch range or a non-Federal launch site, except where noted.
    (2) The safety requirements of subparts B through E of this part 
apply to all licensed launches of expendable launch vehicles. See 
paragraphs (d) and (e) of this section for exceptions to this 
provision.
    (c) ``Meets intent'' certification. For a licensed launch from a 
Federal launch range, a launch operator need not demonstrate to the FAA 
that an alternative means of satisfying a requirement of this part 
provides an equivalent level of safety for a launch if written evidence 
demonstrates that a Federal launch range has, by the effective date of 
this part, granted a ``meets intent certification,'' including through 
``tailoring,'' that applies to the requirement and that launch. See 
paragraph (f) of this section for exceptions to this provision. Written 
evidence includes:
    (1) Range flight plan approval,
    (2) Missile system pre-launch safety package,
    (3) Preliminary and final flight data packages,
    (4) A tailored version of EWR 127-1,
    (5) Range email to the FAA stating that the MIC was approved, or
    (6) Operation approval.
    (d) Waiver. For a licensed launch from a Federal launch range, a 
requirement of this part does not apply to a launch if written evidence 
demonstrates that a Federal launch range has, by the effective date of 
this part, granted a waiver that allows noncompliance with the 
requirement for that launch. See paragraph (f) of this section for 
exceptions to this provision. Written evidence includes:
    (1) Range flight plan approval,
    (2) Missile system pre-launch safety package,
    (3) Preliminary and final flight data packages,
    (4) A tailored version of EWR 127-1,
    (5) Range email to the FAA stating that the waiver was approved, or
    (6) Operation approval.
    (e) Grandfathering. For a licensed launch from a Federal launch 
range, a requirement of this part does not apply to the launch if the 
Federal launch range's grandfathering criteria allow noncompliance with 
the requirement for that launch. See paragraph (f) of this section for 
exceptions to this provision.
    (f) Exceptions to Federal launch range meets intent certifications, 
waivers, and grandfathering. Even if a licensed launch from a Federal 
launch range satisfies paragraph (c), (d), or (e) of this section for a 
requirement of this part, the requirement applies and a launch operator 
must satisfy the requirement, obtain FAA approval of any alternative, 
or obtain FAA approval for any further noncompliance if--
    (1) The launch operator modifies the launch vehicle's operation or 
safety characteristics;
    (2) The launch operator uses the launch vehicle, component, system, 
or subsystem in a new application;
    (3) The FAA or the launch operator determines that a previously 
unforeseen or newly discovered safety hazard exists that is a source of 
significant risk to public safety; or
    (4) The Federal launch range previously accepted a component, 
system, or subsystem, but did not then identify a noncompliance to a 
Federal launch range requirement.
    (g) Equivalent level of safety. The requirements of this part apply 
to a launch operator and the launch operator's launch unless the launch 
operator clearly and convincingly demonstrates that an alternative 
approach provides an equivalent level of safety.

Sec.  417.3 Definitions and acronyms.

    For the purpose of this part,
    Command control system means the portion of a flight safety system 
that includes all components needed to send a flight termination 
control signal to an onboard vehicle flight termination system. A 
command control system starts with any flight termination activation 
switch at a flight safety crew console and ends at each 
command-transmitting antenna. It includes all intermediate equipment, linkages, 
and software and any auxiliary transmitter stations that ensure a 
command signal will reach the onboard vehicle flight termination system 
from liftoff until the launch vehicle achieves orbit or can no longer 
reach a populated or other protected area.
    Command destruct system means a portion of a flight termination 
system that includes all components on board a launch vehicle that 
receive a flight termination control signal and achieve destruction of 
the launch vehicle. A command destruct system includes all receiving 
antennas, receiver decoders, explosive initiating and transmission 
devices, safe and arm devices and ordnance necessary to achieving 
destruction of the launch vehicle upon receipt of a destruct command.
    Conjunction on launch means the approach of a launch vehicle or any 
launch vehicle component or payload within 200 kilometers of a manned 
or mannable orbiting object--
    (1) During the flight of an unguided suborbital rocket; or
    (2) For an orbital launch vehicle during--
    (i) The ascent to initial orbital insertion and through at least 
one complete orbit; and
    (ii) Each subsequent orbital maneuver or burn from initial park 
orbit, or direct ascent to a higher or interplanetary orbit.
    Countdown means the timed sequence of events that must take place 
to initiate flight of a launch vehicle.
    Crossrange means the distance measured along a line whose direction 
is either 90 degrees clockwise (right crossrange) or counter-clockwise 
(left crossrange) to the projection of a launch vehicle's planned 
nominal velocity vector azimuth onto a horizontal plane tangent to the 
ellipsoidal Earth model at the launch vehicle's sub-vehicle point. The 
terms right crossrange and left crossrange may also be used to indicate 
direction.
    Data loss flight time means the shortest elapsed thrusting time 
during which a launch vehicle flown with a flight safety system can 
move from its normal trajectory to a condition where it is possible for 
the launch vehicle to endanger the public.
    Destruct means the act of terminating the flight of a launch 
vehicle flown with a flight safety system in a way that destroys the 
launch vehicle and disperses or expends all remaining propellant and 
renders remaining energy sources non-propulsive before the launch 
vehicle or any launch vehicle component or payload impacts the Earth's 
surface.
    Downrange means the distance measured along a line whose direction 
is parallel to the projection of a launch vehicle's planned nominal 
velocity vector azimuth into a horizontal plane tangent to the 
ellipsoidal Earth model at the launch vehicle sub-vehicle point. The 
term downrange may also be used to indicate direction.
    Drag impact point means a launch vehicle instantaneous impact point 
corrected for atmospheric drag.
    Dwell time means--
    (1) The period during which a launch vehicle instantaneous impact 
point is over a populated or other protected area; or
    (2) The period during which an object is subjected to a test 
condition.

[[Page 50539]]

    Explosive debris means solid propellant fragments or other pieces 
of a launch vehicle or payload that result from break up of the launch 
vehicle during flight and that explode upon impact with the Earth's 
surface and cause overpressure.
    Fail-over means a method of ensuring continuous or near continuous 
operation of a command transmitter system by automatically switching 
from a primary transmitter to a secondary transmitter when a condition 
exists that indicates potential failure of the primary transmitter.
    Family performance data means--
    (1) Results of launch vehicle component and system tests that 
represent similar characteristics for a launch vehicle component or 
system; and
    (2) Data that is continuously updated as additional samples of a 
given component or system are tested.
    Flight safety limit means criteria to ensure a set of impact limit 
lines established for the flight of a launch vehicle flown with a 
flight safety system bound the area where debris with a ballistic 
coefficient of three or more is allowed to impact when a flight safety 
system functions.
    Flight safety system means the system that provides a means of 
control during flight for preventing a hazard from a launch vehicle, 
including any payload hazard, from reaching any populated or other 
protected area in the event of a launch vehicle failure. A flight 
safety system includes:
    (1) All hardware and software used to protect the public in the 
event of a launch vehicle failure; and
    (2) The functions of any flight safety crew.
    Flight safety crew means the personnel, designated by a launch 
operator, who operate flight safety system hardware and software to 
monitor the flight of a launch vehicle and make a flight termination 
decision.
    Flight termination system means all components, onboard a launch 
vehicle, that provide the ability to end a launch vehicle's flight in a 
controlled manner. A flight termination system consists of all command 
destruct systems, inadvertent separation destruct systems, or other 
systems or components that are onboard a launch vehicle and used to 
terminate flight.
    Gate means the portion of a flight safety limit boundary through 
which the tracking icon of a launch vehicle flown with a flight safety 
system may pass without flight termination.
    In-family means a launch vehicle component or system test result 
that indicates that the component or system's performance conforms to 
the family performance data that was established by previous test 
results.
    Inadvertent separation destruct system means an automatic destruct 
system that uses mechanical means to trigger the destruction of a 
launch vehicle stage.
    Launch azimuth means the horizontal angular direction initially 
taken by a launch vehicle at liftoff, measured clockwise in degrees 
from true north.
    Launch crew means all personnel who control the countdown and 
flight of a launch vehicle or who make irrevocable operational 
decisions that have the potential for impacting public safety. A launch 
crew includes members of the flight safety crew.
    Launch processing means all preflight preparation of a launch 
vehicle at a launch site, including buildup of the launch vehicle, 
integration of the payload, and fueling.
    Launch wait means a relatively short period of time when launch is 
not permitted in order to avoid a conjunction on launch or to safely 
accommodate temporary intrusion into a flight hazard area. A launch 
wait can occur within a launch window, can delay the start of a launch 
window, or terminate a launch window early.
    Launch window means a period of time during which the flight of a 
launch vehicle may be initiated.
    ``Meets intent'' certification means a decision by a Federal launch 
range to accept a substitute means of satisfying a safety requirement 
where the substitute provides an equivalent level of safety to that of 
the original requirement.
    Normal flight means the flight of a properly performing launch 
vehicle whose real-time instantaneous impact point does not deviate 
from the nominal instantaneous impact point by more than the sum of the 
wind effects and the three-sigma guidance and performance deviations in 
the uprange, downrange, left-crossrange, or right-crossrange 
directions.
    Normal trajectory means a trajectory that describes normal flight.
    Non-operating environment means an environment that a launch 
vehicle component experiences before flight and when not otherwise 
being subjected to acceptance tests. Non-operating environments 
include, but need not be limited to, storage, transportation, and 
installation.
    Operating environment means an environment that a launch vehicle 
component will experience during acceptance testing, launch countdown, 
and flight. Operating environments include shock, vibration, thermal 
cycle, acceleration, humidity, and thermal vacuum.
    Operating life means, for a flight safety system component, the 
period of time beginning with activation of the component or 
installation of the component on a launch vehicle, whichever is 
earlier, for which the component is capable of satisfying all its 
performance specifications through the end of flight.
    Operation hazard means a hazard derived from an unsafe condition 
created by a system or operating environment or by an unsafe act.
    Out-of-family means a component or system test result where the 
component or system's performance does not conform to the family 
performance data that was established by previous test results and is 
an indication of a potential problem with the component or system 
requiring further investigation and possible corrective action.
    Passive component means a flight termination system component that 
does not contain active electronic piece parts.
    Performance specification means a statement prescribing the 
particulars of how a component or part is expected to perform in 
relation to the system that contains the component or part. A 
performance specification includes specific values for the range of 
operation, input, output, or other parameters that define the 
component's or part's expected performance.
    Protected area means an area of land not controlled by a launch 
operator that:
    (1) Is a populated area;
    (2) Is environmentally sensitive; or
    (3) Contains a vital national asset.
    Safety-critical computer system function means any computer system 
function that, if not performed, if performed out of sequence, or if 
performed incorrectly, may directly or indirectly cause a public safety 
hazard.
    Service life means, for a flight termination system component, the 
sum total of the component's storage life and operating life.
    Storage life means, for a flight termination system component, the 
period of time after manufacturing of the component is complete until 
the component is activated or installed on a launch vehicle, whichever 
is earlier, during which the component may be subjected to storage 
environments and must remain capable of satisfying all its performance 
specifications.
    Sub-vehicle point means the location on an ellipsoidal Earth model 
where the normal to the ellipsoid passes through the launch vehicle's 
center of gravity. The term is the same as the weapon system term 
``sub-missile point.''

[[Page 50540]]

    System hazard means a hazard associated with a system and generally 
exists even when no operation is occurring.
    Tracking icon means the representation of a launch vehicle's 
instantaneous impact point, debris footprint, or other vehicle 
performance metric that is displayed to a flight safety crew during 
real-time tracking of the launch vehicle's flight.
    Uprange means the distance measured along a line that is 180 
degrees to the downrange direction. The term uprange may also be used 
to indicate direction.
    Waiver means a decision that allows a launch operator to continue 
with a launch despite not satisfying a specific safety requirement and 
where the launch operator is not able to demonstrate an equivalent 
level of safety.

Sec.  417.5 [Reserved].

Sec.  417.7 Public safety responsibility.

    A launch operator is responsible for ensuring the safe conduct of a 
licensed launch and for ensuring public safety and safety of property 
at all times during the conduct of a licensed launch.

Sec.  417.9 Launch site responsibility.

    (a) A launch operator must ensure that launch processing at a 
launch site in the United States satisfies the requirements of this 
part. Launch processing at a launch site outside the United States may 
be subject to the requirements of the governing jurisdiction.
    (b) For a launch from a launch site licensed under part 420 of this 
chapter, a launch operator must--
    (1) Conduct its operations as required by any agreements that the 
launch site operator has with any Federal and local authorities under 
part 420 of this chapter; and
    (2) Coordinate with the launch site operator and provide any 
information on its activities and potential hazards necessary for the 
launch site operator to determine how to protect any other launch 
operator, person, or property at the launch site as required by the 
launch site operator's obligations under Sec.  420.55 of this chapter.
    (c) For a launch from an exclusive-use site, where there is no 
licensed launch site operator, a launch operator must satisfy the 
requirements of this part and the public safety requirements of part 
420 of this chapter. This subpart does not apply to licensed launches 
occurring from Federal launch ranges.

Sec.  417.11 Continuing accuracy of license application; application 
for modification of license.

    (a) A launch operator must ensure the representations contained in 
its application are accurate for the entire term of the license. A 
launch operator must conduct a licensed launch and carry out launch 
safety procedures in accordance with its application.
    (b) After the FAA issues a launch license, a launch operator must 
apply to the FAA for modification of a launch license if--
    (1) A launch operator proposes to conduct a launch or carry out a 
launch safety procedure or operation in a manner that is not authorized 
by the license; or
    (2) Any representation contained in the license application that is 
material to public health and safety or safety of property would no 
longer be accurate and complete or would not reflect the launch 
operator's procedures governing the actual conduct of a launch. A 
representation is material to public health and safety or safety of 
property if it alters or affects the launch operator's launch plans or 
procedures, class of payload, orbital destination, type of launch 
vehicle, flight path, launch site, launch point, or any safety system, 
policy, procedure, requirement, criteria or standard.
    (c) A launch operator must prepare and file an application to 
modify a launch license under part 413 of this chapter. The launch 
operator must identify any part of its license or license application 
that a proposed modification would change or affect.
    (d) The FAA reviews all approvals and determinations required by 
this chapter to determine whether they remain valid in light of a 
proposed modification. The FAA approves a modification that satisfies 
the requirements of this part.
    (e) Upon approval of a modification, the FAA issues to a launch 
operator either a written approval or a license order modifying the 
license if a stated term or condition of the license is changed, added 
or deleted. A written approval has the full force and effect of a 
license order and is part of the licensing record.

Sec.  417.13 Agreement with Federal launch range.

    Before conducting a licensed launch from a Federal launch range, a 
launch operator must--
    (a) Enter into an agreement with a Federal launch range to provide 
access to and use of U.S. Government property and services required to 
support a licensed launch from the facility and for public safety 
related operations and support. The agreement must be in effect for the 
conduct of any licensed launch; and
    (b) Comply with any requirements of the agreement with the Federal 
launch range that may affect public safety and safety of property 
during the conduct of a licensed launch, including flight safety 
procedures and requirements.

Sec.  417.15 Records.

    (a) A launch operator must maintain all records necessary to verify 
that it conducts licensed launches according to representations 
contained in the licensee's application. A launch operator must retain 
records for three years after completion of all launches conducted 
under the license.
    (b) If a launch accident or launch incident occurs, as defined by 
Sec.  405.1 of this chapter, a launch operator must preserve all 
records related to the event until completion of any Federal 
investigation and the FAA advises the licensee not to retain the 
records. The launch operator must make available to Federal officials 
for inspection and copying all records that these regulations require 
the launch operator to maintain.

Sec.  417.17 Launch reporting requirements and launch specific updates.

    (a) General. A launch operator must satisfy the launch reporting 
requirements and launch specific updates required by this section and 
by the terms of the launch operator's license. A launch operator must 
file any change to the information in the license application, not 
identified by this section, with the FAA as a request for license 
modification as required by Sec.  417.11.
    (b) Launch reporting requirements for a launch from a Federal 
launch range or a non-Federal launch site.
    (1) Launch schedule and point of contact. For each launch, a launch 
operator must file a launch schedule that identifies each review, 
rehearsal, and safety critical launch processing. A launch operator 
must file a point of contact for the schedule. The launch schedule must 
be filed and updated in time to allow FAA personnel to participate in 
the reviews, rehearsals, and safety critical launch processing.
    (2) Sixty-day report. Not later than 60 days before each flight 
conducted under a launch operator license, a launch operator must 
provide the FAA the following launch-specific information:
    (i) Payload information required by Sec.  415.59 of this chapter; 
and

[[Page 50541]]

    (ii) Flight information, including the launch vehicle, planned 
flight path, staging and impact locations, and any on-orbit activity of 
the launch vehicle, including each payload delivery point.
    (3) U.S. Space Command Launch Notification. Not later than noon, 
EST, 15 days before each licensed flight, a launch operator must file a 
completed Federal Aviation Administration/U.S. Space Command (FAA/
USSPACECOM) Launch Notification Form (OMB No. 2120-0608) with the FAA.
    (c) Launch specific updates for a launch from a non-Federal launch 
site. A launch operator must file a launch specific update, required by 
this part, and any required by the terms of the launch license, for 
every substantive change to the information outlined in this part. For 
each launch, a launch operator must file the following launch specific 
updates:
    (1) Flight safety system test schedule. For each launch of a launch 
vehicle flown with a flight safety system, a launch operator must file 
an updated flight safety system test schedule and points of contact no 
later than six months before flight. A launch operator must immediately 
file any later change to ensure that the FAA has the most current data.
    (2) Launch plans. A launch operator must file any changes or 
additions to its launch plans required by Sec.  417.111 to the FAA no 
later than 15 days before the associated activity is to take place. A 
launch operator must file the countdown plan with the FAA no later than 
15 days before the countdown is to take place. If a change involves the 
addition of a new public hazard or the elimination of any control for a 
previously identified public hazard, a launch operator must request a 
license modification under Sec.  417.11.
    (3) Thirty-day flight safety analysis update. A launch operator 
must file updated flight safety analysis products, using previously 
approved methodologies, for each launch no later than 30 days before 
flight.
    (i) The launch operator:
    (A) Must account for vehicle and mission specific input data;
    (B) May reference previously approved analysis products and data 
that are applicable to the launch or data that is applicable to a 
series of launches;
    (C) Must account for potential variations in input data that may 
affect any analysis product within the final 30 days before flight;
    (D) Must file the analysis products using the same format and 
organization used in its license application; and
    (E) May not change an analysis product within the final 30 days 
before flight unless the launch operator identified a process for 
making a change in that period as part of the launch operator's flight 
safety analysis process and the FAA approved the process by grant of a 
license to the launch operator.
    (ii) A launch operator need not file the 30-day analysis if the 
launch operator:
    (A) Demonstrates that the analysis filed during the license 
application process satisfies all the requirements of this subpart; and
    (B) Demonstrates the analysis does not need to be updated to 
account for launch specific factors.
    (4) Flight termination system qualification test reports. For the 
launch of a launch vehicle flown with a flight safety system, a launch 
operator must file all flight termination system qualification test 
reports, or test report summaries, as required by section E417.1(i) of 
appendix E of this part, with the FAA no later than six months before 
the first flight attempt. The summary must identify when and where the 
tests were performed and provide the results. Complete qualification 
test reports must be made available to the FAA upon request.
    (5) Flight termination system acceptance and age surveillance test 
report summaries. For the launch of a launch vehicle flown with a 
flight safety system, a launch operator must file a summary of the 
results of each flight termination system acceptance and age 
surveillance test, or the complete test report, as required by section 
E417.1(i) of appendix E of this part, no later than 30 days before the 
first flight attempt for each launch. The summary must identify when 
and where the tests were performed and provide the results. Complete 
acceptance and age surveillance test reports must be made available to 
the FAA upon request.
    (6) Command control system acceptance test reports. For the launch 
of a launch vehicle flown with a flight safety system, a launch 
operator must file all command control system acceptance test reports, 
or test report summaries, as required by Sec.  417.305(d), with the FAA 
no later than 30 days before the first flight attempt. The summary must 
identify when and where the tests were performed and provide the 
results. Complete acceptance test reports must be made available to the 
FAA upon request.
    (7) Ground safety analysis report updates. A launch operator must 
file ground safety analysis report updates with the FAA as soon as the 
need for the change is identified and at least 30 days before the 
associated activity takes place. A launch operator must file a license 
modification request with the FAA for each change that involves the 
addition of a hazard that can affect public safety or the elimination 
of a previously identified hazard control for a hazard that still 
exists.

Sec.  417.19 Registration of space objects.

    (a) To assist the U.S. Government in implementing Article IV of the 
1975 Convention on Registration of Objects Launched into Outer Space, 
each launch operator must provide to the FAA the information required 
by paragraph (b) of this section for all objects placed in space by a 
licensed launch, including a launch vehicle and any components, except:
    (1) Any object owned and registered by the U.S. Government; and
    (2) Any object owned by a foreign entity.
    (b) For each object that must be registered in accordance with this 
section, not later than 30 days following the conduct of a licensed 
launch, an operator must file the following information:
    (1) The international designator of the space object(s);
    (2) Date and location of launch;
    (3) General function of the space object; and
    (4) Final orbital parameters, including:
    (i) Nodal period;
    (ii) Inclination;
    (iii) Apogee; and
    (iv) Perigee.

Sec.  417.21 Financial responsibility requirements.

    A launch operator must comply with financial responsibility 
requirements as required by part 440 of this chapter and as specified 
in a license or license order.

Sec.  417.23 Compliance monitoring.

    (a) A launch operator must allow access by, and cooperate with, 
Federal officers or employees or other individuals authorized by the 
FAA to observe any of its activities, or of its contractors or 
subcontractors, associated with the conduct of a licensed launch.
    (b) For each licensed launch, a launch operator must provide the 
FAA with a console for monitoring the progress of the countdown and 
communication on all channels of the countdown communications network. 
A launch operator must also provide the FAA with the capability to 
communicate with the person designated by Sec.  417.103(b)(1).

Sec.  417.25 Post launch report.

    (a) For a launch operator launching from a Federal launch range, a 
launch

[[Page 50542]]

operator must file a post launch report with the FAA no later than 90 
days after the launch, unless an FAA launch site safety assessment 
shows that the Federal launch range creates a post launch report that 
contains the information required by this section.
    (b) For a launch operator launching from a non-Federal launch site, 
a launch operator must file a post launch report with the FAA no later 
than 90 days after the launch.
    (c) The post launch report must:
    (1) Identify any discrepancy or anomaly that occurred during the 
launch countdown and flight;
    (2) Identify any deviation from any term of the license or any 
event otherwise material to public safety, and each corrective action 
to be implemented before any future flight;
    (3) For the launch of a launch vehicle flown with a flight safety 
system, identify any flight environment not consistent with the maximum 
predicted environment as required by Sec.  417.307(b) and any measured 
wind profiles not consistent with the predictions used for the launch, 
as required by Sec.  417.217(d)(2); and
    (4) For the launch of an unguided suborbital launch vehicle, 
identify the actual impact location of all impacting stages and any 
impacting components, and provide a comparison of actual and predicted 
nominal performance.

Sec. Sec.  417.26 through 417.100 [Reserved]

Subpart B--Launch Safety Responsibilities

Sec.  417.101 Scope.

    This subpart contains public safety requirements that apply to the 
launch of an orbital or suborbital expendable launch vehicle from a 
Federal launch range or other launch site. If the FAA has assessed the 
Federal launch range, through its launch site safety assessment, and 
found that an applicable range safety-related launch service or 
property satisfies the requirements of this subpart, then the FAA will 
treat the Federal launch range's launch service or property as that of 
a launch operator without need for further demonstration of compliance 
to the FAA if:
    (a) A launch operator has contracted with a Federal launch range 
for the provision of the safety-related launch service or property; and
    (b) The FAA has assessed the Federal launch range, through its 
launch site safety assessment, and found that the Federal launch 
range's safety-related launch service or property satisfy the 
requirements of this subpart. In this case, the FAA will treat the 
Federal launch range's process as that of a launch operator.

Sec.  417.103 Safety organization.

    (a) A launch operator must maintain and document a safety 
organization. A launch operator must identify lines of communication 
and approval authority for all public safety decisions, including those 
regarding design, operations, and analysis. A launch operator must 
describe its lines of communication, both within the launch operator's 
organization and between the launch operator and any federal launch 
range or other launch site operator providing launch services, in 
writing. Documented approval authority shall also be employed by the 
launch operator throughout the life of the launch system to ensure 
public safety and compliance with this part.
    (b) A launch operator's safety organization must include, but need 
not be limited to, the following launch management positions:
    (1) An employee of the launch operator who has the launch 
operator's final approval authority for launch. This employee, referred 
to as the launch director in this part, must ensure compliance with 
this part.
    (2) An employee of the launch operator who is authorized to examine 
all aspects of the launch operator's launch safety operations and to 
monitor independently personnel compliance with the launch operator's 
safety policies and procedures. This employee, referred to as the 
safety official in this part, shall have direct access to the launch 
director, who shall ensure that all of the safety official's concerns 
are addressed prior to launch.

Sec.  417.105 Launch personnel qualifications and certification.

    (a) General. A launch operator must employ a personnel 
certification program that documents the qualifications, including 
education, experience, and training, for each member of the launch 
crew.
    (b) Personnel certification program. A launch operator's personnel 
certification program must:
    (1) Conduct an annual personnel qualifications review and issue 
individual certifications to perform safety related tasks.
    (2) Revoke individual certifications for negligence or failure to 
satisfy certification requirements.

Sec.  417.107 Flight safety.

    (a) Flight safety system. For each launch vehicle, vehicle 
component, and payload, a launch operator must use a flight safety 
system that satisfies subpart D of this part as follows, unless Sec.  
417.125 applies.
    (1) In the vicinity of the launch site. For each launch vehicle, 
vehicle component, and payload, a launch operator must use a flight 
safety system in the vicinity of the launch site if the following 
exist:
    (i) Any hazard from a launch vehicle, vehicle component, or payload 
can reach any protected area at any time during flight; or
    (ii) A failure of the launch vehicle would have a high consequence 
to the public.
    (2) In the downrange area. For each launch vehicle, vehicle 
component, and payload, a launch operator must provide a flight safety 
system downrange if the absence of a flight safety system would 
significantly increase the accumulated risk from debris impacts.
    (b) Public risk criteria. A launch operator may initiate the flight 
of a launch vehicle only if flight safety analysis performed under 
paragraph (f) of this section demonstrates that any risk to the public 
satisfies the following public risk criteria:
    (1) A launch operator may initiate the flight of a launch vehicle 
only if the risk associated with the total flight to all members of the 
public, excluding persons in waterborne vessels and aircraft, does not 
exceed an expected average number of 0.00003 casualties (Ec <= 30 x 
10^-6) from impacting inert and impacting explosive debris, 
(Ec <= 30 x 10^-6) for toxic release, and (Ec <= 30 x 
10^-6) for far field blast overpressure. The FAA will 
determine whether to approve public risk due to any other hazard 
associated with the proposed flight of a launch vehicle on a case-by-
case basis. The Ec criterion for each hazard applies to each launch 
from lift-off through orbital insertion, including each planned impact, 
for an orbital launch, and through final impact for a suborbital 
launch.
    (2) A launch operator may initiate flight only if the risk to any 
individual member of the public does not exceed a casualty expectation 
(Ec) of 0.000001 per launch (Ec <= 1 x 10^-6) for each 
hazard.
    (3) A launch operator must implement water borne vessel hazard 
areas that provide an equivalent level of safety to that provided by 
water borne vessel hazard areas implemented for launch from a Federal 
launch range.
    (4) A launch operator must establish aircraft hazard areas that 
provide an equivalent level of safety to that provided by aircraft 
hazard areas implemented for launch from a Federal launch range.

[[Page 50543]]

    (c) Debris thresholds. A launch operator's flight safety analysis, 
performed as required by paragraph (f) of this section, must account 
for any inert debris impact with a mean expected kinetic energy at 
impact greater than or equal to 11 ft-lbs and, except for the far field 
blast overpressure effects analysis of Sec.  417.229, a peak incident 
overpressure greater than or equal to 1.0 psi due to any explosive 
debris impact.
    (1) When using the 11 ft-lbs threshold to determine potential 
casualties due to blunt trauma from inert debris impacts, the analysis 
must:
    (i) Incorporate a probabilistic model that accounts for the 
probability of casualty due to any debris expected to impact with 
kinetic energy of 11 ft-lbs or greater and satisfy paragraph (d) of 
this section; or
    (ii) Count each expected impact with kinetic energy of 11 ft-lbs or 
greater to a person as a casualty.
    (2) When applying the 1.0 psi threshold to determine potential 
casualties due to blast overpressure effects, the analysis must:
    (i) Incorporate a probabilistic model that accounts for the 
probability of casualty due to any blast overpressures of 1.0 psi or 
greater and satisfy paragraph (d) of this section; or
    (ii) Count each person within the 1.0 psi overpressure radius of 
the source explosion as a casualty. When using this approach, the 
analysis must compute the peak incident overpressure using the Kingery-
Bulmash relationship and may not take into account sheltering, 
reflections, or atmospheric effects. For persons located in buildings, 
the analysis must compute the peak incident overpressure for the 
shortest distance between the building and the blast source. The 
analysis must count each person located anywhere in a building 
subjected to peak incident overpressure equal to or greater than 1.0 
psi as a casualty.
    (d) Casualty modeling. A probabilistic casualty model must be based 
on accurate data and scientific principles and must be statistically 
valid. A launch operator must obtain FAA approval of any probabilistic 
casualty model that is used in the flight safety analysis. If the 
launch takes place from a Federal launch range, the analysis may employ 
any probabilistic casualty model that the FAA accepts as part of the 
FAA's launch site safety assessment of the Federal launch range's 
safety process.
    (e) Collision avoidance.
    (1) A launch operator must ensure that a launch vehicle, any 
jettisoned components, and its payload do not pass closer than 200 
kilometers to a manned or mannable orbital object--
    (i) Throughout a sub-orbital launch; or
    (ii) For an orbital launch:
    (A) During ascent to initial orbital insertion and through at least 
one complete orbit; and
    (B) During each subsequent orbital maneuver or burn from initial 
park orbit, or direct ascent to a higher or interplanetary orbit or 
until clear of all manned or mannable objects, whichever occurs first.
    (2) A launch operator must obtain a collision avoidance analysis 
for each launch from United States Strategic Command or from a Federal 
range having an approved launch site safety assessment. United States 
Strategic Command calls this analysis a conjunction on launch 
assessment. Sections 417.231 and A417.31 of appendix A of this part 
contain the requirements for obtaining a collision avoidance analysis. 
A launch operator must use the results of the collision avoidance 
analysis to develop flight commit criteria for collision avoidance as 
required by Sec.  417.113(b).
    (f) Flight safety analysis. A launch operator must perform and 
document a flight safety analysis as required by subpart C of this 
part. A launch operator must not initiate flight unless the flight 
safety analysis demonstrates that any risk to the public satisfies the 
public risk criteria of paragraph (b) of this section. For a licensed 
launch that involves a Federal launch range, the FAA will treat an 
analysis performed and documented by the Federal range, and which has 
an FAA approved launch site safety assessment, as that of the launch 
operator as provided in Sec.  417.203(d) of subpart C of this part. A 
launch operator must use the flight safety analysis products to develop 
flight safety rules that govern a launch. Section 417.113 contains the 
requirements for flight safety rules.

Sec.  417.109 Ground safety.

    (a) Ground safety requirements apply to launch processing and post-
launch operations at a launch site in the United States.
    (b) A launch operator must protect the public from adverse effects 
of hazardous operations and systems associated with preparing a launch 
vehicle for flight at a launch site.
    (c) Sec. Sec.  417.111(c), 417.113(b), and 417.115(c), and subpart 
E of this part provide launch operator ground safety requirements.

Sec.  417.111 Launch plans.

    (a) General. A launch operator must implement written launch plans 
that define how launch processing and flight of a launch vehicle will 
be conducted without adversely affecting public safety and how to 
respond to a launch mishap. A launch operator's launch plans must 
include those required by this section. A launch operator's launch 
plans do not have to be separate documents, and may be part of other 
applicant documentation. A launch operator must incorporate each launch 
safety rule established under Sec.  417.113 into a related launch 
safety plan. The launch operator must follow each launch plan.
    (b) Flight Safety Plan. A launch operator must implement a plan 
that includes the following:
    (1) Flight safety personnel. Identification of personnel by 
position who:
    (i) Approve and implement each part of the flight safety plan and 
any modifications to the plan; and
    (ii) Perform the flight safety analysis and ensure that the 
results, including the flight safety rules and establishment of flight 
hazard areas, are incorporated into the flight safety plan.
    (2) Flight safety rules. All flight safety rules required by Sec.  
417.113.
    (3) Flight safety system. A description of any flight safety system 
and its operation, including any preflight safety tests that a launch 
operator will perform.
    (4) Trajectory and debris dispersion data. A description of the 
launch trajectory. For an orbital expendable launch vehicle, the 
description must include each planned orbital parameter, stage burnout 
time and state vector, and all planned stage impact times, locations, 
and downrange and crossrange dispersions. For a guided or unguided 
suborbital launch vehicle, the description must include each planned 
stage impact time, location, and downrange and crossrange dispersion.
    (5) Flight hazard areas. Identification and location of each flight 
hazard area established for each launch as required by Sec.  417.223, 
and identification of procedures for surveillance and clearance of 
these areas and zones as required by paragraph (j) of this section.
    (6) Support systems and services. Identification of any support 
systems and services that are part of ensuring flight safety, including 
any aircraft or ship that a launch operator will use during flight.
    (7) Flight safety operations. A description of the flight safety 
related tests, reviews, rehearsals, and other flight safety operations 
that a launch operator will conduct under Sec. Sec.  417.115 through 
417.121. A flight safety plan must contain or incorporate by reference

[[Page 50544]]

written procedures for accomplishing all flight safety operations.
    (8) Unguided suborbital launch vehicles. A launch operator's flight 
safety plan for the launch of an unguided suborbital rocket must meet 
the requirements of paragraph (b) of this section and provide the 
following data:
    (i) Launch angle limits, as required by Sec.  417.125(c)(3); and
    (ii) All procedures for measurement of launch day winds and for 
performing wind weighting as required by Sec. Sec.  417.125 and 
417.233.
    (c) Ground safety plan. A launch operator must implement a ground 
safety plan that describes implementation of the hazard controls 
identified by a launch operator's ground safety analysis and 
implementation of the ground safety requirements of subpart E of this 
part. A ground safety plan must address all public safety related 
issues and may include other ground safety issues if a launch operator 
intends it to have a broader scope. A ground safety plan must include 
the following:
    (1) A description of the launch vehicle and any payload, or class 
of payload, identifying each hazard, including explosives, propellants, 
toxics and other hazardous materials, radiation sources, and 
pressurized systems. A ground safety plan must include figures that 
show the location of each hazard on the launch vehicle, and indicate 
where at the launch site a launch operator performs hazardous 
operations during launch processing.
    (2) Propellant and explosive information including:
    (i) Total net explosive weight of each of the launch operator's 
liquid and solid propellants and other explosives for each explosive 
hazard facility as defined by part 420 of this chapter.
    (ii) For each toxic propellant, any hazard controls and process 
constraints determined under the launch operator's toxic release hazard 
analysis for launch processing performed as required by Sec.  417.229 
and appendix I of this part.
    (iii) The explosive and occupancy limits for each explosive hazard 
facility.
    (iv) Individual explosive item information, including configuration 
(such as, solid motor, motor segment, or liquid propellant container), 
explosive material, net explosive weight, storage hazard classification 
and compatibility group as defined by part 420 of this chapter.
    (3) A graphic depiction of the layout of a launch operator's launch 
complex and other launch processing facilities at the launch site. The 
depiction must show separation distances and any intervening barriers 
between explosive items that affect the total net explosive weight that 
each facility is sited to accommodate. A launch operator must identify 
any proposed facility modifications or operational changes that may 
affect a launch site operator's explosive site plan.
    (4) A description of the process for ensuring that the person 
designated under Sec.  417.103(b)(2) reviews and approves any 
procedures and procedure changes for safety implications.
    (5) Procedures that launch personnel will follow when reporting a 
hazard or mishap to a launch operator's safety organization.
    (6) Procedures for ensuring that personnel have the qualifications 
and certifications needed to perform a task involving a hazard that 
could affect public safety.
    (7) A flow chart of launch processing activities, including a list 
of all major tasks. The flow chart must include all hazardous tasks and 
identify where and when, with respect to liftoff, each hazardous task 
will take place.
    (8) Identification of each safety clear zone and hazard area 
established as required by Sec. Sec.  417.411 and 417.413, 
respectively.
    (9) A summary of the means for announcing when any hazardous 
operation is taking place, the means for making emergency announcements 
and alarms, and identification of the recipients of each type of 
announcement.
    (10) A summary of the means of prohibiting access to each safety 
clear zone, and implementing access control to each hazard area, 
including any procedures for prohibiting or allowing public access to 
such areas.
    (11) A description of the process for ensuring that all safety 
precautions and verifications are in place before, during, and after 
hazardous operations. This includes the process for verification that 
an area can be returned to a non-hazardous work status.
    (12) Description of each hazard control required by the ground 
safety analysis for each task that creates a public or launch location 
hazard. The hazard control must satisfy Sec.  417.407(b).
    (13) A procedure for the use of any safety equipment that protects 
the public, for each task that creates a public hazard or a launch 
location hazard.
    (14) The requirement and procedure for coordinating with any launch 
site operator and local authorities, for each task creating a public or 
launch location hazard.
    (15) Generic emergency procedures that apply to all emergencies and 
the emergency procedures that apply to each specific task that may 
create a public hazard, including any task that involves hazardous 
material, as required by Sec.  417.407.
    (16) A listing of the ground safety plan references, by title and 
date, such as the ground safety analysis report, explosive quantity-
distance site plan and other ground safety related documentation.
    (d) Launch support equipment and instrumentation plan. A launch 
operator must implement a plan that ensures the reliability of the 
equipment and instrumentation involved in protecting public safety 
during launch processing and flight. A launch support equipment and 
instrumentation plan must:
    (1) List and describe support equipment and instrumentation;
    (2) Identify all certified personnel, by position, as required by 
Sec.  417.105, who operate and maintain the support equipment and 
instrumentation;
    (3) Contain, or incorporate by reference, written procedures for 
support equipment and instrumentation operation, test, and maintenance 
that will be implemented for each launch;
    (4) Identify equipment and instrumentation reliability; and
    (5) Identify any contingencies that protect the public in the event 
of a malfunction.
    (e) Configuration management and control plan. A launch operator 
must implement a plan that:
    (1) Defines the launch operator's process for managing and 
controlling any change to a safety critical system to ensure its 
reliability;
    (2) Identifies, for each system, each person by position who has 
authority to approve design changes and the personnel, by position, who 
maintain documentation of the most current approved design; and
    (3) Contains, or incorporates by reference, all configuration 
management and control procedures that apply to the launch vehicle and 
each support system.
    (f) Frequency management plan. A launch operator must implement a 
plan that:
    (1) Identifies each frequency, all allowable frequency tolerances, 
and each frequency's intended use, operating power, and source;
    (2) Provides for the monitoring of frequency usage and enforcement 
of frequency allocations; and
    (3) Identifies agreements and procedures for coordinating use of 
radio frequencies with any launch site operator and any local and 
Federal authorities, including the Federal Communications Commission.
    (g) Flight termination system electronic piece parts program plan. 
A

[[Page 50545]]

launch operator must implement a plan that describes the launch 
operator's program for selecting and testing all electronic piece parts 
used in any flight termination system to ensure their reliability. This 
plan must--
    (1) Demonstrate compliance with the requirements of Sec.  
417.309(b)(2);
    (2) Describe the program for selecting piece parts for use in a 
flight termination system;
    (3) Identify performance of any derating, qualification, screening, 
lot acceptance testing, and lot destructive physical analysis for 
electronic piece parts;
    (4) Identify all personnel, by position, who conduct the piece part 
tests;
    (5) Identify the pass/fail criteria for each test for each piece 
part;
    (6) Identify the levels to which each piece part specification will 
be derated; and
    (7) Contain, or incorporate by reference, test procedures for each 
piece part.
    (h) Accident investigation plan (AIP). A launch operator must 
implement a plan containing the launch operator's procedures for 
reporting and responding to launch accidents, launch incidents, or 
other mishaps, as defined by Sec.  401.5 of this chapter. An 
individual, authorized to sign and certify the application as required 
by Sec.  413.7(c) of this chapter, and the person designated under 
Sec.  417.103(b)(2) must sign the AIP.
    (1) Reporting requirements. An AIP must provide for--
    (i) Immediate notification to the Federal Aviation Administration 
(FAA) Washington Operations Center in case of a launch accident, a 
launch incident or a mishap that involves a fatality or serious injury 
(as defined by 49 CFR 830.2).
    (ii) Notification within 24 hours to the Associate Administrator 
for Commercial Space Transportation or the Federal Aviation 
Administration (FAA) Washington Operations Center in the event of a 
mishap, other than those in Sec.  415.41(b)(1) of this chapter, that 
does not involve a fatality or serious injury (as defined in 49 CFR 
830.2).
    (iii) Submission of a written preliminary report to the FAA, 
Associate Administrator for Commercial Space Transportation, in the 
event of a launch accident or launch incident, as defined by Sec.  
401.5 of this chapter, within five days of the event. The report must 
identify the event as either a launch accident or launch incident, and 
must include the following information:
    (A) Date and time of occurrence;
    (B) Description of event;
    (C) Location of launch;
    (D) Launch vehicle;
    (E) Any payload;
    (F) Vehicle impact points outside designated impact lines, if 
applicable;
    (G) Number and general description of any injuries;
    (H) Property damage, if any, and an estimate of its value;
    (I) Identification of hazardous materials, as defined by Sec.  
401.5 of this chapter, involved in the event, whether on the launch 
vehicle, payload, or on the ground;
    (J) Action taken by any person to contain the consequences of the 
event; and
    (K) Weather conditions at the time of the event.
    (2) Response plan. An AIP must--
    (i) Contain procedures that ensure the containment and minimization 
of the consequences of a launch accident, launch incident or other 
mishap;
    (ii) Contain procedures that ensure the preservation of the data 
and physical evidence;
    (3) Investigation plan. An AIP must contain--
    (i) Procedures for investigating the cause of a launch accident, 
launch incident or other mishap;
    (ii) Procedures for reporting investigation results to the FAA; and
    (iii) Delineated responsibilities, including reporting 
responsibilities for personnel assigned to conduct investigations and 
for any one retained by the licensee to conduct or participate in 
investigations.
    (4) Cooperation with FAA and NTSB. An AIP must contain procedures 
that require the licensee to report to and cooperate with FAA and 
National Transportation Safety Board (NTSB) investigations and 
designate one or more points of contact for the FAA and NTSB.
    (5) Preventive measure. An AIP must contain procedures that require 
the licensee to identify and adopt preventive measures for avoiding 
recurrence of the event.
    (i) Local agreements and public coordination plans. 
    (1) Where there is a licensed launch site operator, a launch 
operator must implement and satisfy the launch site operator's local 
agreements and plans with local authorities at or near a launch site 
whose support is needed to ensure public safety during all launch 
processing and flight, as required by part 420 of this chapter.
    (2) For a launch from an exclusive-use site, where there is no 
licensed launch site operator, a launch operator must develop and 
implement any agreements and plans with local authorities at or near 
the launch site whose support is needed to ensure public safety during 
all launch processing and flight, as required by part 420 of this 
chapter.
    (3) A launch operator must implement a schedule and procedures for 
the release of launch information before flight, after flight, and in 
the event of a mishap.
    (4) A launch operator must develop and implement procedures for 
public access to any launch viewing areas that are under a launch 
operator's control.
    (5) A launch operator must describe its procedures for and 
accomplish the following for each launch--
    (i) Inform local authorities of each designated hazard area near 
the launch site associated with a launch vehicle's planned trajectory 
and any planned impacts of launch vehicle components and debris as 
defined by the flight safety analysis required by subpart C of this 
part;
    (ii) Provide any hazard area information prepared as required by 
Sec.  417.225 or Sec.  417.235 to the local United States Coast Guard 
or equivalent local authority for issuance of the notices to mariners;
    (iii) Provide hazard area information prepared as required by Sec.  
417.223 or Sec.  417.233 for each aircraft hazard area within a flight 
corridor to the FAA Air Traffic Control (ATC) office or equivalent 
local authority having jurisdiction over the airspace through which the 
launch will take place for the issuance of notices to airmen;
    (iv) Communicate with the local Coast Guard and the FAA ATC office 
or equivalent local authorities, either directly or through any launch 
site operator, to ensure that notices to airmen and mariners are issued 
and in effect at the time of flight; and
    (v) Coordinate with any other local agency that supports the 
launch, such as local law enforcement agencies, emergency response 
agencies, fire departments, National Park Service, and Mineral 
Management Service.
    (j) Hazard area surveillance and clearance plan. A launch operator 
must implement a plan that defines the process for ensuring that any 
unauthorized persons, ships, trains, aircraft or other vehicles are not 
within any hazard areas identified by the flight safety analysis or the 
ground safety analysis. In the plan, the launch operator must--
    (1) List each hazard area that requires surveillance under 
Sec. Sec.  417.107 and 417.223;
    (2) Describe how the launch operator will provide for day-of-flight 
surveillance of the flight hazard area to ensure that the presence of 
any member of the public in or near a flight hazard area is consistent 
with flight commit

[[Page 50546]]

criteria developed for each launch as required by Sec.  417.113;
    (3) Verify the accuracy of any radar or other equipment used for 
hazard area surveillance and account for any inaccuracies in the 
surveillance system when enforcing the flight commit criteria;
    (4) Identify the number of security and surveillance personnel 
employed for each launch and the qualifications and training each must 
have;
    (5) Identify the location of roadblocks and other security 
checkpoints, the times that each station must be manned, and any 
surveillance equipment used; and
    (6) Contain, or incorporate by reference, all procedures for launch 
personnel control, handling of intruders, communications and 
coordination with launch personnel and other launch support entities, 
and implementation of any agreements with local authorities and any 
launch site operator.
    (k) Communications plan. A launch operator must implement a plan 
providing licensee personnel and Federal launch range personnel, if 
applicable, communications procedures during countdown and flight. 
Effective issuance and communication of safety-critical information 
during countdown must include hold/resume, go/no go, and abort commands 
by licensee personnel and any Federal launch range personnel, during 
countdown. For all launches from Federal launch ranges, the Federal 
launch range must concur with the communications plan. The 
communications plan must:
    (1) Describe the authority of licensee personnel and any Federal 
launch range personnel by individual or position title, to issue these 
commands;
    (2) Ensure the assignment of communication networks, so that 
personnel identified under this paragraph have direct access to real-
time safety-critical information required for issuing hold/resume, go/
no go, and abort decisions and commands;
    (3) Ensure personnel, identified under this paragraph, monitor each 
common intercom channel during countdown and flight; and
    (4) Ensure the implementation of a protocol for using defined radio 
telephone communications terminology.
    (l) Countdown plan. A launch operator must develop and implement a 
countdown plan that verifies that each launch safety rule and launch 
commit criterion is satisfied, verifies that personnel can communicate 
during the countdown and that the communication is available after the 
flight; and verifies that a launch operator will be able to recover 
from a launch abort or delay. A countdown plan must:
    (1) Cover the period of time when any launch support personnel are 
to be at their designated stations through initiation of flight.
    (2) Include procedures for handling anomalies that occur during a 
countdown and events and conditions that may result in a constraint to 
initiation of flight.
    (3) Include procedures for delaying or holding a launch when 
necessary to allow for corrective actions, to await improved 
conditions, or to accommodate a launch wait.
    (4) Describe a process for resolving issues that arise during a 
countdown and identify each person, by position, who approves 
corrective actions.
    (5) Include a written countdown checklist that provides a formal 
decision process leading to flight initiation. A countdown checklist 
must include the flight day preflight tests of a flight safety system 
required by subpart D of this part and must contain:
    (i) Identification of operations and specific actions completed, 
verification that there are no constraints to flight, and verification 
that a launch operator satisfied all launch safety rules and launch 
commit criteria;
    (ii) Time of each event;
    (iii) Identification of personnel, by position, who perform each 
operation or specific action, including reporting to the person 
designated under Sec.  417.103(b)(3);
    (iv) Identification of each communication channel that a launch 
operator uses for reporting each event;
    (v) Identification of all communication and event reporting 
protocols;
    (vi) Polling of personnel, by position, who oversee all safety 
critical systems and operations, to verify that the systems and the 
operations are ready to proceed with the launch; and
    (vii) Record of all critical communications network channels that 
are used for voice, video, or data transmission that support the flight 
safety system, during each countdown.
    (6) In case of a launch abort or delay:
    (i) Identify each condition that must exist in order to make 
another launch attempt;
    (ii) Include a schedule depicting the flow of tasks and events in 
relation to when the abort or delay occurred and the new planned launch 
time; and
    (iii) Identify each interface and supporting entity needed to 
support recovery operations.

Sec.  417.113 Launch safety rules.

    (a) General. For each launch, a launch operator must satisfy 
written launch safety rules that govern the conduct of the launch.
    (1) The launch safety rules must identify the meteorological 
conditions and the status of the launch vehicle, launch support 
equipment, and personnel under which launch processing and flight may 
be conducted without adversely affecting public safety.
    (2) The launch safety rules must satisfy the requirements of this 
section.
    (3) A launch operator must follow all the launch safety rules.
    (b) Ground safety rules. The launch safety rules must include 
ground safety rules that govern each preflight ground operation at a 
launch site that has the potential to adversely affect public safety. 
The ground safety rules must implement the ground safety analysis of 
subpart E of this part.
    (c) Flight-commit criteria. The launch safety rules must include 
flight-commit criteria that identify each condition that must be met in 
order to initiate flight.
    (1) The flight-commit criteria must implement the flight safety 
analysis of subpart C of this part. These must include criteria for:
    (i) Surveillance of any region of land, sea, or air necessary to 
ensure the number and location of members of the public are consistent 
with the inputs used for the flight safety analysis of subpart C of 
this part;
    (ii) Monitoring of any meteorological condition and implementing 
any flight constraint developed using appendix G of this part. The 
launch operator must have clear and convincing evidence that the 
lightning flight commit criteria of appendix G, which apply to the 
conditions present at the time of lift-off, are not violated. If any 
other hazardous conditions exist, other than those identified by 
appendix G, the launch weather team will report the hazardous condition 
to the official designated under Sec.  417.103(b)(1), who will 
determine whether initiating flight would expose the launch vehicle to 
a lightning hazard and not initiate flight in the presence of the 
hazard; and
    (iii) Implementation of any launch wait in the launch window for 
the purpose of collision avoidance.
    (2) For a launch that uses a flight safety system, the flight-
commit criteria must ensure that the flight safety system is ready for 
flight. This must include criteria for ensuring that:
    (i) The flight safety system is operating to ensure the launch 
vehicle will launch within all flight safety limits;
    (ii) Any command transmitter system required by section D417.9 has 
sufficient coverage from lift-off to the

[[Page 50547]]

point in flight where the flight safety system is no longer required by 
Sec.  417.107(a);
    (iii) The launch vehicle tracking system has no less than two 
tracking sources prior to lift-off. The launch vehicle tracking system 
has no less than one verified tracking source at all times from lift-
off to orbit insertion for an orbital launch, to the end of powered 
flight for a suborbital launch; and
    (iv) The launch operator will employ its flight safety system as 
designed in accordance with this part.
    (3) For each launch, a launch operator must document the actual 
conditions used for the flight-commit criteria at the time of lift-off 
and verify whether the flight-commit criteria are satisfied.
    (d) Flight termination rules. For a launch that uses a flight 
safety system, the launch safety rules must identify the conditions 
under which the flight safety system, including the functions of the 
flight safety system crew, must terminate flight to ensure public 
safety. These flight termination rules must implement the flight safety 
analysis of subpart C of this part and include each of the following:
    (1) The flight safety system must terminate flight when valid, 
real-time data indicate the launch vehicle has violated any flight 
safety limit of Sec.  417.213;
    (2) The flight safety system must terminate flight at the straight-
up-time required by Sec.  417.215 if the launch vehicle continues to 
fly a straight up trajectory and, therefore, does not turn downrange 
when it should;
    (3) The flight safety system must terminate flight when all of the 
following conditions exist:
    (i) Real-time data indicate that the performance of the launch 
vehicle is erratic;
    (ii) The potential exists for the loss of flight safety system 
control of the launch vehicle and further flight has the potential to 
endanger the public.
    (4) The flight termination rules must incorporate the data-loss 
flight times and planned safe flight state of Sec.  417.219, including 
each of the following:
    (i) The flight safety system must terminate flight no later than 
the first data-loss flight time if, by that time, tracking of the 
launch vehicle is not established and vehicle position and status is 
unknown; and
    (ii) Once launch vehicle tracking is established and there is a 
subsequent loss of verified tracking data before the planned safe 
flight state and verified tracking data is not received again, the 
flight safety system must terminate flight no later than the expiration 
of the data-loss flight time for the point in flight that the data was 
lost.
    (5) For any gate established under Sec.  417.217, both of the 
following apply:
    (i) The flight safety system must terminate flight if the launch 
vehicle is performing erratically immediately prior to entering the 
gate.
    (ii) The flight termination rules may permit the instantaneous 
impact point or other tracking icon to cross the gate only if there is 
no indication that the launch vehicle's performance has become erratic 
and the launch vehicle is either flying parallel to the nominal 
trajectory or converging to the nominal trajectory.
    (6) For any hold-and-resume gate established under Sec.  417.218:
    (i) The flight safety system must terminate flight if the launch 
vehicle is performing erratically immediately prior to entering a hold 
gate.
    (ii) The flight termination rules may permit the instantaneous 
impact point or other tracking icon to cross a hold gate only if there 
is no indication that the launch vehicle's performance has become 
erratic and the vehicle is either flying parallel to the nominal 
trajectory or converging to the nominal trajectory.
    (iii) The flight termination rules of paragraphs (d)(1), (d)(3), 
and (d)(4) of this section apply after the instantaneous impact point 
or other tracking icon exits a resume gate.
    (e) Flight safety system safing. For a launch that uses a flight 
safety system, the launch safety rules must ensure that any safing of 
the flight safety system occurs on or after the point in flight where 
the flight safety system is no longer required by Sec.  417.107(b).
    (f) Launch crew work shift and rest rules. For any operation with 
the potential to have an adverse effect on public safety, the launch 
safety rules must ensure the launch crew is physically and mentally 
capable of performing all assigned tasks. These rules must govern the 
length, number, and frequency of work shifts, including the rest 
afforded the launch crew between shifts.

Sec.  417.115 Tests.

    (a) General. All flight, communication, and ground systems and 
equipment that a launch operator uses to protect the public from any 
adverse effects of a launch, must undergo testing as required by this 
part, and any corrective action and re-testing necessary to ensure 
reliable operation. A launch operator must--
    (1) Coordinate test plans and all associated test procedures with 
any launch site operator or local authorities, as required by local 
agreements, associated with the operation; and
    (2) Make test results, test failure reports, information on any 
corrective actions implemented and the results of re-test available to 
the FAA upon request.
    (b) Flight safety system testing. A launch operator must only use a 
flight safety system and all flight safety system components, including 
any onboard launch vehicle flight termination system, command control 
system, and support system that satisfy the test requirements of 
subpart D of this part.
    (c) Ground system testing. A launch operator must only use a system 
or equipment used to support hazardous ground operations identified by 
the ground safety analysis required by Sec.  417.405 that satisfies the 
test requirements of paragraph (a) of this section.

Sec.  417.117 Reviews.

    (a) General. A launch operator must--
    (1) Review the status of operations, systems, equipment, and 
personnel required by part 417;
    (2) Maintain and implement documented criteria for successful 
completion of each review;
    (3) Track to completion and document any corrective actions or 
issues identified during a review; and
    (4) Ensure that launch operator personnel who oversee a review 
attest to successful completion of the review's criteria in writing.
    (b) A launch operator must conduct the following reviews:
    (1) Hazardous operations safety readiness reviews. A launch 
operator must conduct a review before performing any hazardous 
operation with the potential to adversely affect public safety. The 
review must determine a launch operator's readiness to perform the 
operation and ensure that safety provisions are in place. The review 
must determine the readiness status of safety systems and equipment and 
verify that the personnel involved satisfy certification and training 
requirements.
    (2) Launch safety review. For each launch, a launch operator must 
conduct a launch safety review no later than 15 days before the planned 
day of flight, or as agreed to by the FAA during the application 
process. This review must determine the readiness of ground and flight 
safety systems, safety equipment, and safety personnel to support a 
flight attempt. Successful completion of a launch safety review must 
ensure satisfaction of the following criteria:
    (i) A launch operator must verify that all safety requirements have 
been or will

[[Page 50548]]

be satisfied before flight. The launch operator must resolve all safety 
related action items.
    (ii) A launch operator must assign and certify flight safety 
personnel as required by Sec.  417.105.
    (iii) The flight safety rules and flight safety plan must 
incorporate a final flight safety analysis as required by subpart C of 
this part.
    (iv) A launch operator must verify, at the time of the review, that 
the ground safety systems and personnel satisfy or will satisfy all 
requirements of the ground safety plan for support of flight.
    (v) A launch operator must accomplish the safety related 
coordination with any launch site operator or local authorities as 
required by local agreements.
    (vi) A launch operator must verify the filing of all safety related 
information for a specific launch with the FAA, as required by FAA 
regulations and any special terms of a license. A launch operator must 
verify that information filed with the FAA reflects the current status 
of safety-related systems and processes for each specific launch.
    (3) Launch readiness review for flight. A launch operator must 
conduct a launch readiness review for flight as required by this 
section within 48 hours of flight. A person, identified as required by 
Sec.  417.103(b)(1), must review all preflight testing and launch 
processing conducted up to the time of the review; and review the 
status of systems and support personnel to determine readiness to 
proceed with launch processing and the launch countdown. A decision to 
proceed must be in writing and signed by the person identified as 
required by Sec.  417.103(b)(1), and any launch site operator or 
Federal launch range. A launch operator, during the launch readiness 
review, must poll the FAA to verify that the FAA has identified no 
issues related to the launch operator's license. During a launch 
readiness review, the launch operator must account for the following 
information:
    (i) Readiness of launch vehicle and payload.
    (ii) Readiness of any flight safety system and personnel and the 
results of flight safety system testing.
    (iii) Readiness of safety-related launch property and services to 
be provided by a Federal launch range.
    (iv) Readiness of all other safety-related equipment and services.
    (v) Readiness of launch safety rules and launch constraints.
    (vi) Status of launch weather forecasts.
    (vii) Readiness of abort, hold and recycle procedures.
    (viii) Results of rehearsals conducted as required by Sec.  
417.119.
    (ix) Unresolved safety issues as of the time of the launch 
readiness review and plans for their resolution.
    (x) Additional safety information that may be required to assess 
readiness for flight.
    (xi) To review launch failure initial response actions and 
investigation roles and responsibilities.

Sec.  417.119 Rehearsals.

    (a) General. A launch operator must rehearse its launch crew and 
systems to identify corrective actions needed to ensure public safety. 
The launch operator must conduct all rehearsals as follows:
    (1) A launch operator must assess any anomalies identified by a 
rehearsal, and must incorporate any changes to launch processing and 
flight needed to correct any anomaly that is material to public safety.
    (2) A launch operator must inform the FAA of any public safety 
related anomalies and related changes in operations performed during 
launch processing or flight resulting from a rehearsal.
    (3) For each launch, each person with a public safety critical role 
who will participate in the launch processing or flight of a launch 
vehicle must participate in at least one related rehearsal that 
exercises his or her role during nominal and non-nominal conditions so 
that the launch vehicle will not harm the public.
    (4) A launch operator must conduct the rehearsals identified in 
this section for each launch.
    (5) At least one rehearsal must simulate normal and abnormal 
preflight and flight conditions to exercise the launch operator's 
launch plans.
    (6) A launch operator may conduct rehearsals at the same time if 
joint rehearsals do not create hazardous conditions, such as changing a 
hardware configuration that affects public safety, during the 
rehearsal.
    (b) Countdown rehearsal. A launch operator must conduct a rehearsal 
using the countdown plan, procedures, and checklist required by Sec.  
417.111(l). A countdown rehearsal must familiarize launch personnel 
with all countdown activities, demonstrate that the planned sequence of 
events is correct, and demonstrate that there is adequate time allotted 
for each event. A launch operator must hold a countdown rehearsal after 
the assembly of the launch vehicle and any launch support systems into 
their final configuration for flight and before the launch readiness 
review required by Sec.  417.117.
    (c) Emergency response rehearsal. A launch operator must conduct a 
rehearsal of the emergency response section of the accident 
investigation plan required by Sec.  417.111(h)(2). A launch operator 
must conduct an emergency response rehearsal for a first launch of a 
new vehicle, for any additional launch that involves a new safety 
hazard, or for any launch where more than a year has passed since the 
last rehearsal.
    (d) Communications rehearsal. A launch operator must rehearse each 
part of the communications plan required by Sec.  417.111(k), either as 
part of another rehearsal or during a communications rehearsal.

Sec.  417.121 Safety critical preflight operations.

    (a) General. A launch operator must perform safety critical 
preflight operations that protect the public from the adverse effects 
of hazards associated with launch processing and flight of a launch 
vehicle. The launch operator must identify all safety critical 
preflight operations in the launch schedule required by Sec.  
417.17(b)(1). Safety critical preflight operations must include those 
defined in this section.
    (b) Countdown. A launch operator must implement its countdown plan, 
of Sec.  417.111(l), for each launch. A launch operator must 
disseminate a countdown plan to all personnel responsible for the 
countdown and flight of a launch vehicle, and each person must follow 
that plan.
    (c) Collision avoidance. A launch operator must coordinate with 
United States Strategic Command to obtain a collision avoidance 
analysis, also referred to as a conjunction on launch assessment, as 
required by Sec.  417.231. A launch operator must implement flight 
commit criteria as required by Sec.  417.113(b) to ensure that each 
launch meets all the criteria of Sec.  417.107(e).
    (d) Meteorological data. A launch operator must conduct operations 
and coordinate with weather organizations, as needed, to obtain 
accurate meteorological data to support the flight safety analysis 
required by subpart C of this part and to ensure compliance with the 
flight commit criteria required by Sec.  417.113.
    (e) Local notification. A launch operator must implement its local 
agreements and public coordination plan of Sec.  417.111(i).
    (f) Hazard area surveillance. A launch operator must implement its 
hazard area surveillance and clearance plan, of Sec.  417.111(j), to 
meet the public safety criteria of Sec.  417.107(b) for each launch.
    (g) Flight safety system preflight tests. A launch operator must 
conduct preflight tests of any flight safety system as required by 
section E417.41 of appendix E of this part.
    (h) Launch vehicle tracking data verification. For each launch, a 
launch operator must implement written procedures for verifying the 
accuracy of any launch vehicle tracking data provided. For a launch 
vehicle flown with a flight safety system, any source of tracking data 
must satisfy the requirements of Sec.  417.307(b).
    (i) Unguided suborbital rocket preflight operations. For the launch 
of an unguided suborbital rocket, in addition to meeting the other 
requirements of this section, a launch operator must perform the 
preflight wind weighting and other preflight safety operations required 
by Sec. Sec.  417.125, 417.233, and appendix C of this part.

Sec.  417.123 Computing systems and software.

    (a) A launch operator must document a system safety process that 
identifies the hazards and assesses the risks to public health and 
safety and the safety of property related to computing systems and 
software.
    (b) A launch operator must identify all safety-critical functions 
associated with its computing systems and software. Safety-critical 
computing system and software functions must include the following:
    (1) Software used to control or monitor safety-critical systems.
    (2) Software that transmits safety-critical data, including time-
critical data and data about hazardous conditions.
    (3) Software used for fault detection in safety-critical computer 
hardware or software.
    (4) Software that responds to the detection of a safety-critical 
fault.
    (5) Software used in a flight safety system.
    (6) Processor-interrupt software associated with previously 
designated safety-critical computer system functions.
    (7) Software that computes safety-critical data.
    (8) Software that accesses safety-critical data.
    (9) Software used for wind weighting.
    (c) A launch operator must conduct computing system and software 
hazard analyses for the integrated system.
    (d) A launch operator must develop and implement computing system 
and software validation and verification plans.
    (e) A launch operator must develop and implement software 
development plans, including descriptions of the following:
    (1) Coding standards used;
    (2) Configuration control;
    (3) Programmable logic controllers;
    (4) Policy on use of any commercial-off-the-shelf software; and
    (5) Policy on software reuse.

Sec.  417.125 Launch of an unguided suborbital launch vehicle.

    (a) Applicability. This section applies only to a launch operator 
conducting a launch of an unguided suborbital launch vehicle.
    (b) Need for flight safety system. A launch operator must launch an 
unguided suborbital launch vehicle with a flight safety system in 
accordance with Sec.  417.107(a) and subpart D of this part unless one 
of the following exceptions applies:
    (1) The unguided suborbital launch vehicle, including any component 
or payload, does not have sufficient energy to reach any populated area 
in any direction from the launch point; or
    (2) A launch operator demonstrates through the licensing process 
that the launch will be conducted using a wind weighting safety system 
that meets the requirements of paragraph (c) of this section.
    (c) Wind weighting safety system. A launch operator's wind 
weighting safety system must consist of equipment, procedures, analysis 
and personnel functions used to determine the launcher elevation and 
azimuth settings that correct for the windcocking and wind drift that 
an unguided suborbital launch vehicle will experience during flight due 
to wind effects. The launch of an unguided suborbital launch vehicle 
that uses a wind weighting safety system must meet the following 
requirements:
    (1) The unguided suborbital launch vehicle must not contain a 
guidance or directional control system.
    (2) The launcher azimuth and elevation settings must be wind 
weighted to correct for the effects of wind conditions at the time of 
flight to provide a safe impact location. A launch operator must 
conduct the launch in accordance with the wind weighting analysis 
requirements and methods of Sec.  417.233 and appendix C of this part.
    (3) A launch operator must use a launcher elevation angle setting 
that ensures the rocket will not fly uprange. A launch operator must 
set the launcher elevation angle in accordance with the following:
    (i) The nominal launcher elevation angle must not exceed 85°. 
The wind corrected launcher elevation setting must not exceed 86°.
    (ii) For an unproven unguided suborbital launch vehicle, the 
nominal launcher elevation angle must not exceed 80°. The wind 
corrected launcher elevation setting must not exceed 84°. A proven 
unguided suborbital launch vehicle is one that has demonstrated, by two 
or more launches, that flight performance errors are within all the 
three-sigma dispersion parameters modeled in the wind weighting safety 
system.
    (d) Public risk criteria. A launch operator must conduct the launch 
of an unguided suborbital launch vehicle in accordance with the public 
risk criteria of Sec.  417.107(b). The risk to the public determined 
prior to the day of flight must satisfy the public risk criteria for 
the area defined by the range of nominal launch azimuths. A launch 
operator must not initiate flight until a launch operator has verified 
that the wind drifted impacts of all planned impacts and their five-
sigma dispersion areas satisfy the public risk criteria after wind 
weighting on the day of flight.
    (e) Stability. An unguided suborbital launch vehicle, in all 
configurations, must be stable in flexible body to 1.5 calibers and 
rigid body to 2.0 calibers throughout each stage of powered flight. A 
caliber, for a rocket configuration, is defined as the distance between 
the center of pressure and the center of gravity divided by the largest 
frontal diameter of the rocket configuration.
    (f) Tracking. A launch operator must track the flight of an 
unguided suborbital launch vehicle. The tracking system must provide 
data to determine the actual impact locations of all stages and 
components, to verify the effectiveness of a launch operator's wind 
weighting safety system, and to obtain rocket performance data for 
comparison with the preflight performance predictions.
    (g) Post-launch review. A launch operator must ensure that the 
post-launch report required by Sec.  417.25 includes:
    (1) Actual impact location of all impacting stages and each 
impacting component.
    (2) A comparison of actual and predicted nominal performance.
    (3) Investigation results of any launch anomaly. If flight 
performance deviates by more than a three-sigma dispersion from the 
nominal trajectory, a launch operator must conduct an investigation to 
determine the cause of the rocket's deviation from normal flight and 
take corrective action before the next launch. A launch operator must 
file any corrective actions with the FAA as a request for license 
modification before the next launch in accordance with Sec.  417.11.

Sec.  417.127 Unique safety policies, requirements and practices.

    For each launch, a launch operator must review operations, system 
designs, analysis, and testing, and identify any unique hazards not 
otherwise addressed by this part. A launch operator must implement any 
unique safety policy, requirement, or practice needed to protect the 
public from the unique hazard. A launch operator must demonstrate 
through the licensing process that any unique safety policy, 
requirement, or practice ensures the safety of the public. For any 
change to a unique safety policy, requirement, or practice, with the 
exception of a launch specific update, the launch operator must file a 
request for license modification as required by Sec.  417.11. The FAA 
may identify and impose a unique safety policy, requirement, or 
practice as needed to protect the public.

Sec.  417.129 Safety at end of launch.

    A launch operator must ensure for any proposed launch that for all 
launch vehicle stages or components that reach Earth orbit--
    (a) There is no unplanned physical contact between the vehicle or 
any of its components and the payload after payload separation;
    (b) Debris generation does not result from the conversion of energy 
sources into energy that fragments the vehicle or its components. 
Energy sources include chemical, pressure, and kinetic energy; and
    (c) Stored energy is removed by depleting residual fuel and leaving 
all fuel line valves open, venting any pressurized system, leaving all 
batteries in a permanent discharge state, and removing any remaining 
source of stored energy.

Sec. Sec.  417.130 through 417.200 [Reserved]

Subpart C--Flight Safety Analysis

Sec.  417.201 Scope and applicability.

    (a) This subpart contains requirements for performing the flight 
safety analysis required by Sec.  417.107(f).
    (b) The flight safety analysis requirements of this subpart apply 
to the flight of any launch vehicle that must use a flight safety 
system as required by Sec.  417.107(a), except as permitted by 
paragraph (d) of this section.
    (c) The flight safety analysis requirements of Sec. Sec.  417.203, 
417.205, 417.207, 417.211, 417.223, 417.224, 417.225, 417.227, 417.229, 
417.231, and 417.233 apply to the flight of any unguided suborbital 
launch vehicle that uses a wind-weighting safety system. Appendices B, 
C, and I of this part also apply.
    (d) For any alternative flight safety system approved by the FAA 
under Sec.  417.301(b), the FAA will determine during the licensing 
process which of the analyses required by this subpart apply.

Sec.  417.203 Compliance.

    (a) General. A launch operator's flight safety analysis must 
satisfy the performance requirements of this subpart. The flight safety 
analysis must also meet the requirements for methods of analysis 
contained in appendices A and B of this part for a launch vehicle flown 
with a flight safety system and appendices B and C of this part for an 
unguided suborbital launch vehicle that uses a wind-weighting safety 
system except as otherwise permitted by this section. A flight safety 
analysis for a launch may rely on an earlier analysis from an identical 
or similar launch if the analysis still applies to the later launch.
    (b) Method of analysis.
    (1) For each launch, a launch operator's flight safety analysis 
must use--
    (i) A method approved by the FAA during the licensing process;
    (ii) A method approved as a license modification by the FAA; or,
    (iii) If the launch takes place from a Federal launch range, a 
method approved as part of the FAA's launch site safety assessment of 
the Federal range's processes.
    (2) Appendix A of this part contains requirements that apply to all 
methods of flight safety analysis. A licensee must notify the FAA for 
any change to the flight safety analysis method. A licensee must file 
any material change with the FAA as a request for license modification 
before the launch to which the proposed change would apply. Section 
417.11 contains requirements governing a license modification.
    (c) Alternate analysis method. The FAA will approve an alternate 
flight safety analysis method if a launch operator demonstrates, in 
accordance with Sec.  406.3(b), that its proposed analysis method 
provides an equivalent level of fidelity to that required by this 
subpart. A launch operator must demonstrate that an alternate flight 
safety analysis method is based on accurate data and scientific 
principles and is statistically valid. The FAA will not find a launch 
operator's application for a license or license modification 
sufficiently complete to begin review under Sec.  413.11 of this 
chapter until the FAA approves the alternate flight safety analysis 
method.
    (d) Analyses performed by a Federal launch range. This provision 
applies to all sections of this subpart. The FAA will accept a flight 
safety analysis used by a Federal launch range without need for further 
demonstration of compliance to the FAA, if:
    (1) A launch operator has contracted with a Federal launch range 
for the provision of flight safety analysis; and
    (2) The FAA has assessed the Federal launch range, through its 
launch site safety assessment, and found that the range's analysis 
methods satisfy the requirements of this subpart. In this case, the FAA 
will treat the Federal launch range's analysis as that of a launch 
operator.
    (e) Analysis products. For a licensed launch that does not satisfy 
paragraph (d) of this section, a launch operator must demonstrate to 
the FAA compliance with the requirements of this subpart, and must 
include in its demonstration the analysis products required by part 415 
subpart F of this chapter, part 417 subpart A, and appendices A, B, C, 
and I of this part, depending on whether the launch vehicle uses a 
flight safety system or a wind-weighting safety system.

Sec.  417.205 General.

    (a) Public risk management. A flight safety analysis must 
demonstrate that a launch operator will, for each launch, control the 
risk to the public from hazards associated with normal and 
malfunctioning launch vehicle flight. The analysis must employ risk 
assessment, hazard isolation, or a combination of risk assessment and 
partial isolation of the hazards, to demonstrate control of the risk to 
the public.
    (1) Risk assessment. When demonstrating control of risk through 
risk assessment, the analysis must demonstrate that any risk to the 
public satisfies the public risk criteria of Sec.  417.107(b). The 
analysis must account for the variability associated with:
    (i) Each source of a hazard during flight;
    (ii) Normal flight and each failure response mode of the launch 
vehicle;
    (iii) Each external and launch vehicle flight environment;
    (iv) Populations potentially exposed to the flight; and
    (v) The performance of any flight safety system, including time 
delays associated with the system.
    (2) Hazard isolation. When demonstrating control of risk through 
hazard isolation, the analysis must establish the geographical areas 
from which the public must be excluded during flight and any 
operational controls needed to isolate all hazards from the public.
    (3) Combination of risk assessment and partial isolation of 
hazards. When demonstrating control of risk through a combination of 
risk assessment and partial isolation of the hazards from the public, 
the analysis must demonstrate that the residual public risk due to any 
hazard not isolated from the public under paragraph (a)(2) of this 
section satisfies the public risk criteria of Sec.  417.107(b).
    (b) Dependent analyses. Because some analyses required by this 
subpart are inherently dependent on one another, the data output of any 
one analysis must be compatible in form and content with the data input 
requirements of any other analysis that depends on that output. Figure 
417.205-1 illustrates the flight safety analyses that might be 
performed for a launch flown with a flight safety system and the 
typical dependencies that might exist among the analyses.

[Figure 417.205-1: flight safety analyses for a launch flown with a 
flight safety system and the typical dependencies among them. Graphic 
omitted.]

Sec.  417.207 Trajectory analysis.

    (a) General. A flight safety analysis must include a trajectory 
analysis that establishes:
    (1) For any time after lift-off, the limits of a launch vehicle's 
normal flight, as defined by the nominal trajectory and potential 
three-sigma trajectory dispersions about the nominal trajectory.
    (2) A fuel exhaustion trajectory that produces instantaneous impact 
points with the greatest range for any given time after liftoff for any 
stage that has the potential to impact the Earth and does not burn to 
propellant depletion before a programmed thrust termination.
    (3) For launch vehicles flown with a flight safety system, a 
straight-up trajectory for any time after lift-off until the straight-
up time that would result if the launch vehicle malfunctioned and flew 
in a vertical or near vertical direction above the launch point.
    (b) Trajectory model. A final trajectory analysis must use a six-
degree of freedom trajectory model to satisfy the requirements of 
paragraph (a) of this section.
    (c) Wind effects. A trajectory analysis must account for all wind 
effects, including profiles of winds that are no less severe than the 
worst wind conditions under which flight might be attempted, and must 
account for uncertainty in the wind conditions.

Sec.  417.209 Malfunction turn analysis.

    (a) General. A flight safety analysis must include a malfunction 
turn analysis that establishes the launch vehicle's turning capability 
in the event of a malfunction during flight. A malfunction turn 
analysis must account for each cause of a malfunction turn, such as 
thrust vector offsets or nozzle burn-through. For each cause of a 
malfunction turn, the analysis must establish the launch vehicle's 
turning capability using a set of turn curves. The analysis must 
account for:
    (1) All trajectory times during the thrusting phases of flight.
    (2) When a malfunction begins to cause each turn throughout the 
thrusting phases of flight. The analysis must account for trajectory 
time intervals between malfunction turn start times that are sufficient 
to establish flight safety limits and hazard areas that are smooth and 
continuous.
    (3) The relative probability of occurrence of each malfunction turn 
of which the launch vehicle is capable.
    (4) The time, as a single value or a probability time distribution, 
when each malfunction turn will terminate due to vehicle breakup.
    (5) What terminates each malfunction turn, such as, aerodynamic 
breakup or inertial breakup.
    (6) The launch vehicle's turning behavior from the time when a 
malfunction begins to cause a turn until aerodynamic breakup, inertial 
breakup, or ground impact. The analysis must account for trajectory 
time intervals during the malfunction turn that are sufficient to 
establish turn curves that are smooth and continuous.
    (7) For each malfunction turn, the launch vehicle velocity vector 
turn angle from the nominal launch vehicle velocity vector.
    (8) For each malfunction turn, the launch vehicle velocity turn 
magnitude from the nominal velocity magnitude that corresponds to the 
velocity vector turn angle.
    (9) For each malfunction turn, the orientation of the launch 
vehicle longitudinal axis measured relative to the nominal launch 
vehicle longitudinal axis or Earth relative velocity vector at the 
start of the turn.
    (b) Set of turn curves for each malfunction turn cause. For each 
cause of a malfunction turn, the analysis must establish a set of turn 
curves that satisfies paragraph (a) of this section and must establish 
the associated envelope of the set of turn curves. Each set of turn 
curves must describe the variation in the malfunction turn 
characteristics for each cause of a turn. The envelope of each set of 
curves must define the limits of the launch vehicle's malfunction turn 
behavior for each cause of a malfunction turn. For each malfunction 
turn envelope, the analysis must establish the launch vehicle velocity 
vector turn angle from the nominal launch vehicle velocity vector. For 
each malfunction turn envelope, the analysis must establish the vehicle 
velocity turn magnitude from the nominal velocity magnitude that 
corresponds to the velocity vector turn angle envelope.

Sec.  417.211 Debris analysis.

    (a) General. A flight safety analysis must include a debris 
analysis. For an orbital or suborbital launch, a debris analysis must 
identify the inert, explosive, and other hazardous launch vehicle 
debris that results from normal and malfunctioning launch vehicle 
flight.
    (b) Launch vehicle breakup. A debris analysis must account for each 
cause of launch vehicle breakup, including at a minimum:
    (1) Any flight termination system activation;
    (2) Launch vehicle explosion;
    (3) Aerodynamic loads;
    (4) Inertial loads;
    (5) Atmospheric reentry heating; and
    (6) Impact of intact vehicle.
    (c) Debris fragment lists. A debris analysis must produce lists of 
debris fragments for each cause of breakup and any planned jettison of 
debris, launch vehicle components, or payload. The lists must account 
for all launch vehicle debris fragments, individually or in groupings 
of fragments whose characteristics are similar enough to be described 
by a single set of characteristics. The debris lists must describe the 
physical, aerodynamic, and harmful characteristics of each debris 
fragment, including at a minimum:
    (1) Origin on the vehicle, by vehicle stage or component, from 
which each fragment originated;
    (2) Whether it is inert or explosive;
    (3) Weight, dimensions, and shape;
    (4) Lift and drag characteristics;
    (5) Properties of the incremental velocity distribution imparted by 
breakup; and
    (6) Axial, transverse, and tumbling area.

Sec.  417.213 Flight safety limits analysis.

    (a) General. A flight safety analysis must identify the location of 
populated or other protected areas, and establish flight safety limits 
that define when a flight safety system must terminate a launch 
vehicle's flight to prevent the hazardous effects of the resulting 
debris impacts from reaching any populated or other protected area and 
ensure that the launch satisfies the public risk criteria of Sec.  
417.107(b).
    (b) Flight safety limits. The analysis must establish flight safety 
limits for use in establishing flight termination rules. Section 
417.113(c) contains requirements for flight termination rules. The 
flight safety limits must account for all temporal and geometric 
extents on the Earth's surface of a launch vehicle's hazardous debris 
impact dispersion resulting from any planned or unplanned event for all 
times during flight. Flight safety limits must account for all 
potential contributions to the debris impact dispersions, including at 
a minimum:
    (1) All time delays, as established by the time delay analysis of 
Sec.  417.221;
    (2) Residual thrust remaining after flight termination 
implementation or vehicle breakup due to aerodynamic and inertial 
loads;
    (3) All wind effects;
    (4) Velocity imparted to vehicle fragments by breakup;
    (5) All lift and drag forces on the malfunctioning vehicle and 
falling debris;
    (6) All launch vehicle guidance and performance errors;
    (7) All launch vehicle malfunction turn capabilities; and
    (8) Any uncertainty due to map errors and launch vehicle tracking 
errors.
    (c) Gates. If a launch involves flight over any populated or other 
protected area, the flight safety analysis must establish a gate as 
required by Sec. Sec.  417.217 and 417.218.
    (d) Designated debris impact limits. The analysis must establish 
designated impact limit lines to bound the area where debris with a 
ballistic coefficient of three or more is allowed to impact if the 
flight safety system functions properly.

Sec.  417.215 Straight-up time analysis.

    A flight safety analysis must establish the straight-up time for a 
launch for use as a flight termination rule. Section 417.113(c) 
contains requirements for flight termination rules. The analysis must 
establish the straight-up time as the latest time after liftoff, 
assuming a launch vehicle malfunctioned and flew in a vertical or near 
vertical direction above the launch point, at which activation of the 
launch vehicle's flight termination system or breakup of the launch 
vehicle would not cause hazardous debris or critical overpressure to 
affect any populated or other protected area.

Sec.  417.217 Overflight gate analysis.

    For a launch that involves flight over a populated or other 
protected area, the flight safety analysis must include an overflight 
gate analysis. The analysis must establish the portion of a flight 
safety limit, a gate, through which a normally performing launch 
vehicle's tracking icon will be allowed to proceed. A tracking icon 
must enable the flight safety crew to determine whether the launch 
vehicle's flight is in compliance with the flight safety rules 
established under Sec.  417.113. When establishing that portion of a 
flight safety limit, the analysis must demonstrate that the launch 
vehicle flight satisfies the flight safety requirements of Sec.  
417.107.

Sec.  417.218 Hold-and-resume gate analysis.

    (a) For a launch that involves overflight or near overflight of a 
populated or otherwise protected area prior to the planned safe flight 
state calculated as required by Sec.  417.219, the flight safety 
analysis must construct a hold-and-resume gate for each populated or 
otherwise protected area. After a vehicle's tracking icon crosses a 
hold-and-resume gate, flight termination must occur as required by 
Sec.  417.113(d)(6).
    (b) The hold-and-resume gate analysis must account for:
    (1) Overflight of a wholly contained populated or otherwise 
protected area. A hold-and-resume gate must be a closed, continuous 
contour that encompasses any populated or otherwise protected area 
located wholly within the impact limit lines. The hold-and-resume gate 
must encompass a populated or otherwise protected area such that flight 
termination or breakup of the launch vehicle while the tracking icon is 
outside the gate would not cause hazardous debris or overpressure to 
endanger the populated or otherwise protected area.
    (2) Overflight of an uncontained populated or otherwise protected 
area. A hold-and-resume gate must be a closed, continuous contour that 
encompasses any area in which flight termination is allowed to occur. 
The hold-and-resume gate must encompass all hazard areas such that 
flight termination or breakup of the launch vehicle while the vehicle's 
tracking icon is inside the gate would not cause hazardous debris or 
critical overpressure to endanger any populated or otherwise protected 
area.

Sec.  417.219 Data loss flight time and planned safe flight state 
analyses.

    (a) General. For each launch, a flight safety analysis must 
establish data loss flight times, as identified by paragraph (b) of 
this section, and a planned safe flight state to establish each flight 
termination rule that applies when launch vehicle tracking data is not 
available for use by the flight safety crew. Section 417.113(d) 
contains requirements for flight termination rules.
    (b) Data loss flight times. A flight safety analysis must establish 
the shortest elapsed thrusting time during which a launch vehicle can 
move from normal flight to a condition where the launch vehicle's 
hazardous debris impact dispersion extends to any protected area as a 
data loss flight time. The analysis must establish a data loss flight 
time for all times along the nominal trajectory from liftoff through 
that point during nominal flight when the minimum elapsed thrusting 
time is no greater than the time it would take for a normal vehicle to 
reach the overflight gate, or the planned safe flight state established 
under paragraph (c) of this section, whichever occurs earlier.
    (c) Planned safe flight state. For a launch vehicle that performs 
normally during all portions of flight, the planned safe flight state 
is the point during the nominal flight of a launch vehicle where:
    (1) No launch vehicle component, debris, or hazard can impact or 
affect a populated or otherwise protected area for the remainder of the 
launch;
    (2) The launch vehicle achieves orbital insertion; or
    (3) The launch vehicle's state vector reaches a state where the 
absence of a flight safety system would not significantly increase the 
accumulated risk from debris impacts and maintains positive flight 
safety system control to the maximum extent feasible.

Sec.  417.221 Time delay analysis.

    (a) General. A flight safety analysis must include a time delay 
analysis that establishes the mean elapsed time between the violation 
of a flight termination rule and the time when the flight safety system 
is capable of terminating flight for use in establishing flight safety 
limits as required by Sec.  417.213.
    (b) Analysis constraints. A time delay analysis must determine a 
time delay distribution that accounts for the following:
    (1) The variance of all time delays for each potential failure 
scenario, including but not limited to, the range of malfunction turn 
characteristics and the time of flight when the malfunction occurs;
    (2) A flight safety official's decision and reaction time, 
including variation in human response time; and
    (3) Flight termination hardware and software delays including all 
delays inherent in:
    (i) Tracking systems;
    (ii) Data processing systems, including all filter delays;
    (iii) Display systems;
    (iv) Command control systems; and
    (v) Flight termination systems.

Sec.  417.223 Flight hazard area analysis.

    (a) General. A flight safety analysis must include a flight hazard 
area analysis that identifies any regions of land, sea, or air that 
must be surveyed, publicized, controlled, or evacuated in order to 
control the risk to the public from debris impact hazards. The risk 
management requirements of Sec.  417.205(a) apply. The analysis must 
account for, at a minimum:
    (1) All trajectory times from liftoff to the planned safe flight 
state of Sec.  417.219(c), including each planned impact, for an 
orbital launch, and through final impact for a suborbital launch;
    (2) Regions of land potentially exposed to debris resulting from 
normal flight events and events resulting from any potential 
malfunction;

[[Page 50555]]

    (3) Regions of sea and air potentially exposed to debris from 
normal flight events, including planned impacts;
    (4) In the vicinity of the launch site, any waterborne vessels, 
populated offshore structures, or aircraft exposed to debris from 
events resulting from any potential abnormal flight events, including 
launch vehicle malfunction;
    (5) Any operational controls implemented to control risk to the 
public from debris hazards;
    (6) Debris identified by the debris analysis of Sec.  417.211; and
    (7) All launch vehicle trajectory dispersion effects in the surface 
impact domain.
    (b) Public notices. A flight hazard area analysis must establish 
the ship hazard areas for notices to mariners that encompass the 
three-sigma impact dispersion area for each planned debris impact. A 
flight hazard area analysis must establish the aircraft hazard areas for 
notices to airmen that encompass the 3-sigma impact dispersion volume 
for each planned debris impact. Section 417.121(e) contains procedural 
requirements for issuing notices to mariners and airmen.

Sec.  417.224 Probability of failure analysis.

    (a) General. All flight safety analyses for a launch, regardless of 
hazard or phase of flight, must account for launch vehicle failure 
probability in a consistent manner. A launch vehicle failure 
probability estimate must use accurate data, scientific principles, and 
a method that is statistically or probabilistically valid. For a launch 
vehicle with fewer than two flights, the failure probability estimate 
must account for the outcome of all previous launches of vehicles 
developed and launched in similar circumstances. For a launch vehicle 
with two or more flights, launch vehicle failure probability estimates 
must account for the outcomes of all previous flights of the vehicle in 
a statistically valid manner.
    (b) Failure. For flight safety analysis purposes, a failure occurs 
when a launch vehicle does not complete any phase of normal flight or 
when any anomalous condition exhibits the potential for a stage or its 
debris to impact the Earth or reenter the atmosphere during the mission 
or any future mission of similar launch vehicle capability. Also, 
either a launch incident or launch accident constitutes a failure.
    (c) Previous flight. For flight analysis purposes, flight begins at 
a time in which a launch vehicle normally or inadvertently lifts off 
from a launch platform. Lift-off occurs with any motion of the launch 
vehicle with respect to the launch platform.

Sec.  417.225 Debris risk analysis.

    A flight safety analysis must demonstrate that the risk to the 
public potentially exposed to inert and explosive debris hazards from 
any one flight of a launch vehicle satisfies the public risk criterion 
of Sec.  417.107(b) for debris. A debris risk analysis must account for 
risk to populations on land, including regions of launch vehicle flight 
following passage through any gate in a flight safety limit established 
as required by Sec.  417.217. A debris risk analysis must account for 
any potential casualties to the public as required by the debris 
thresholds and requirements of Sec.  417.107(c).

Sec.  417.227 Toxic release hazard analysis.

    A flight safety analysis must establish flight commit criteria that 
protect the public from any hazard associated with toxic release and 
demonstrate compliance with the public risk criterion of Sec.  
417.107(b). The analysis must account for any toxic release that will 
occur during the proposed flight of a launch vehicle or that would 
occur in the event of a flight mishap. The analysis must account for 
any operational constraints and emergency procedures that provide 
protection from toxic release. The analysis must account for all 
members of the public that may be exposed to the toxic release, 
including all members of the public on land and on any waterborne 
vessels, populated offshore structures, and aircraft that are not 
operated in direct support of the launch.

Sec.  417.229 Far-field overpressure blast effects analysis.

    (a) General. A flight safety analysis must establish flight commit 
criteria that protect the public from any hazard associated with far 
field blast overpressure effects due to potential explosions during 
launch vehicle flight and demonstrate compliance with the public risk 
criterion of Sec.  417.107(b).
    (b) Analysis constraints. The analysis must account for:
    (1) The potential for distant focus overpressure or overpressure 
enhancement given current meteorological conditions and terrain 
characteristics;
    (2) The potential for broken windows due to peak incident 
overpressures below 1.0 psi and related casualties;
    (3) The explosive capability of the launch vehicle at impact and at 
altitude and potential explosions resulting from debris impacts, 
including the potential for mixing of liquid propellants;
    (4) Characteristics of the launch vehicle flight and the 
surroundings that would affect the population's susceptibility to 
injury, such as shelter types and time of day of the proposed launch;
    (5) Characteristics of the potentially affected windows, including 
their size, location, orientation, glazing material, and condition; and
    (6) The hazard characteristics of the potential glass shards, such 
as falling from upper building stories or being propelled into or out 
of a shelter toward potentially occupied spaces.

Sec.  417.231 Collision avoidance analysis.

    (a) General. A flight safety analysis must include a collision 
avoidance analysis that establishes each launch wait in a planned 
launch window during which a launch operator must not initiate flight, 
in order to protect any manned or mannable orbiting object. A launch 
operator must account for uncertainties associated with launch vehicle 
performance and timing and ensure that any calculated launch waits 
incorporate all additional time periods associated with such 
uncertainties. A launch operator must implement any launch waits as 
flight commit criteria according to Sec.  417.113(b).
    (b) Orbital launch. For an orbital launch, the analysis must 
establish any launch waits needed to ensure that the launch vehicle, 
any jettisoned components, and its payload do not pass closer than 200 
kilometers to a manned or mannable orbiting object during ascent to 
initial orbital insertion through at least one complete orbit.
    (c) Suborbital launch. For a suborbital launch, the analysis must 
establish any launch waits needed to ensure that the launch vehicle, 
any jettisoned components, and any payload do not pass closer than 200 
kilometers to a manned or mannable orbital object throughout the 
flight.
    (d) Analysis not required. A collision avoidance analysis is not 
required if the maximum altitude attainable by a launch operator's 
unguided suborbital launch vehicle is less than the altitude of the 
lowest manned or mannable orbiting object. The maximum altitude 
attainable must be obtained using an optimized trajectory, assuming 3-
sigma maximum performance.

Sec.  417.233 Analysis for an unguided suborbital launch vehicle flown 
with a wind weighting safety system.

    For each launch of an unguided suborbital launch vehicle flown with 
a

[[Page 50556]]

wind weighting safety system, in addition to the other requirements in 
this subpart outlined in Sec.  417.201(c), the flight safety analysis 
must:
    (a) Establish flight commit criteria and other launch safety rules 
that a launch operator must implement to control the risk to the public 
from potential adverse effects resulting from normal and malfunctioning 
flight;
    (b) Establish any wind constraints under which launch may occur; 
and
    (c) Include a wind weighting analysis that establishes the launcher 
azimuth and elevation settings that correct for the windcocking and 
wind-drift effects on the unguided suborbital launch vehicle.

Subpart D--Flight Safety System

Sec.  417.301 General.

    (a) Applicability. This subpart applies to any flight safety system 
that a launch operator uses. The requirements of Sec.  417.107(a) 
define when a launch operator must use a flight safety system. A launch 
operator must ensure that its flight safety system satisfies all the 
requirements of this subpart, including the referenced appendices. 
Paragraph (b) of this section provides an exception to this.
    (b) Alternate flight safety system. A flight safety system need not 
satisfy one or more of the requirements of this subpart for a launch if 
a launch operator demonstrates, in accordance with Sec.  406.3(b), that 
the launch achieves an equivalent level of safety as a launch that 
satisfies all the requirements of this part. The flight safety system 
must undergo analysis and testing that is comparable to that required 
by this part to demonstrate that the system's reliability to perform 
each intended function is comparable to that required by this subpart.
    (c) Functions, subsystems, and components. When initiated in the 
event of a launch vehicle failure, a flight safety system must prevent 
any launch vehicle hazard, including any payload hazard, from reaching 
a populated or other protected area. A flight safety system must 
consist of all of the following:
    (1) A flight termination system that satisfies appendices D, E, and 
F of this part;
    (2) A command control system that satisfies Sec. Sec.  417.303 and 
417.305;
    (3) Each support system required by Sec.  417.307; and
    (4) The functions of any personnel who operate flight safety system 
hardware or software including a flight safety crew that satisfies 
Sec.  417.311.
    (d) Compliance.
    (1) Non-Federal launch site. For launch from a non-Federal launch 
site, any flight safety system, including all components, must:
    (i) Comply with a launch operator's flight safety system compliance 
matrix of Sec.  415.127(g) that accounts for all the design, 
installation, and monitoring requirements of this subpart, including 
the referenced appendices; and
    (ii) Comply with a launch operator's testing compliance matrix of 
Sec.  415.129(b) that accounts for all the test requirements of this 
subpart, including the referenced appendices.
    (2) Federal launch range. This provision applies to all sections of 
this subpart. The FAA will accept a flight safety system used or 
approved on a Federal launch range without need for further 
demonstration of compliance to the FAA if:
    (i) A launch operator has contracted with a Federal launch range 
for the provision of flight safety system property and services; and
    (ii) The FAA has assessed the Federal launch range, through its 
launch site safety assessment, and found that the Federal launch 
range's flight safety system property and services satisfy the 
requirements of this subpart. In this case, the FAA will treat the 
Federal launch range's flight safety system property and services as 
that of a launch operator.

Sec.  417.303 Command control system requirements.

    (a) General. When initiated by a flight safety official, a command 
control system must transmit a command signal that has the radio 
frequency characteristics and power needed for receipt of the signal by 
the onboard vehicle flight termination system. A command control system 
must include all of the following:
    (1) All flight termination system activation switches;
    (2) All intermediate equipment, linkages, and software;
    (3) Any auxiliary stations;
    (4) Each command transmitter and transmitting antenna; and
    (5) All support equipment that is critical for reliable operation, 
such as power, communications, and air conditioning systems.
    (b) Performance specifications. A command control system and each 
subsystem, component, and part that can affect the reliability of a 
component must have written performance specifications that 
demonstrate, and contain the details of, how each satisfies the 
requirements of this section.
    (c) Reliability prediction. A command control system must have a 
predicted reliability of 0.999 at the 95 percent confidence level when 
operating, starting with completion of the preflight testing and system 
verification of Sec.  417.305(c) through initiation of flight and until 
the planned safe flight state for each launch. Any demonstration of the 
system's predicted reliability must satisfy Sec.  417.309(b).
    (d) Fault tolerance. A command control system must not contain any 
single-failure-point that, upon failure, would inhibit the required 
functioning of the system or cause the transmission of an undesired 
flight termination message. A command control system's design must 
ensure that the probability of transmitting an undesired or inadvertent 
command during flight is less than 1 x 10^-7.
    (e) Configuration control. A command control system must undergo 
configuration control to ensure its reliability and compatibility with 
the flight termination system used for each launch.
    (f) Electromagnetic interference. Each command control system 
component must function within the electromagnetic environment to which 
it is exposed. A command control system must include protection to 
prevent interference from inhibiting the required functioning of the 
system or causing the transmission of an undesired or inadvertent 
flight termination command. Any susceptible remote control data 
processing or transmitting system that is part of the command control 
system must prevent electromagnetic interference.
    (g) Command transmitter failover. A command control system must 
include independent, redundant transmitter systems that automatically 
switch, or ``fail-over,'' from a primary transmitter to a secondary 
transmitter when a condition exists that indicates potential failure of 
the primary transmitter. The switch must be automatic and provide all 
the same command control system capabilities through the secondary 
transmitter system. The secondary transmitter system must respond to 
any transmitter system configuration and radio message orders 
established for the launch. The fail-over criteria that trigger 
automatic switching from the primary transmitter to the secondary 
transmitter must account for each of the following transmitter 
performance parameters and failure indicators:
    (1) Low transmitter power;
    (2) Center frequency shift;
    (3) Out of tolerance tone frequency;
    (4) Out of tolerance message timing;
    (5) Loss of communication between central control and transmitter 
site;

[[Page 50557]]

    (6) Central control commanded status and site status disagree;
    (7) Transmitter site fails to respond to a configuration or 
radiation order within a specified period of time; and
    (8) For a tone-based system, tone deviation and tone imbalance.
    (h) Switching between transmitter systems. Any manual or automatic 
switching between transmitter systems, including fail-over, must not 
result in the radio carrier being off the air long enough for any 
command destruct system to be captured by an unauthorized transmitter. 
The time the radio carrier is off the air must account for any loss of 
carrier and any simultaneous multiple radio carrier transmissions from 
two transmitter sites during switching.
    (i) Radio carrier. For each launch, a command control system must 
provide all of the following:
    (1) The radio frequency signal and radiated power density that each 
command destruct system needs to activate during flight;
    (2) The 12-dB power density margin required by section D417.9(d) of 
appendix D of this part under nominal conditions; and
    (3) A 6-dB power density margin under worst-case conditions.
    (j) Command control system monitoring and control. A command 
control system must provide for monitoring and control of the system 
from the flight safety system displays and controls required by Sec.  
417.307(g), including real-time selection of a transmitter, transmitter 
site, communication circuits, and antenna configuration.
    (k) Command transmitter system. For each launch, a command 
transmitter system must:
    (1) Transmit signals that are compatible with any command destruct 
system's radio frequency receiving system of section D417.25 and 
command receiver decoder of section D417.29 of appendix D of this part;
    (2) Ensure that all arm and destruct commands transmitted to a 
flight termination system have priority over any other commands 
transmitted;
    (3) Employ an authorized radio carrier frequency and bandwidth with 
a guard band that provides the radio frequency separation needed to 
ensure that the system does not interfere with any other flight safety 
system that is required to operate at the same time;
    (4) Transmit an output bandwidth that is consistent with the signal 
spectrum power used in the link analysis of Sec.  417.309(f); and
    (5) Not transmit other frequencies that could degrade the airborne 
flight termination system's performance.
    (l) Command control system antennas. A command control system 
antenna or antenna system must satisfy all of the following:
    (1) The antenna system must provide two or more command signals to 
any command destruct system throughout normal flight and in the event 
of a launch vehicle failure regardless of launch vehicle orientation;
    (2) Each antenna beam-width must:
    (i) Allow for complete transmission of the command destruct 
sequence of signal tones before a malfunctioning launch vehicle can 
exit the 3-dB point of the antenna pattern;
    (ii) When the vehicle is centered in the antenna pattern at the 
beginning of the malfunction, account for the launch vehicle's 
malfunction turn capability determined by the analysis of Sec.  
417.209, the data loss flight times of Sec.  417.219, and the time 
delay of Sec.  417.221;
    (iii) Encompass the boundaries of normal flight for the portion of 
flight that the antenna is scheduled to support; and
    (iv) Account for any error associated with launch vehicle tracking 
and pointing of the antenna;
    (3) The location of each antenna must provide for an unobstructed 
line of sight between the antenna and the launch vehicle;
    (4) The antenna system must provide a continuous omni-directional 
radio carrier pattern that covers the launch vehicle's flight from the 
launch point to no less than an altitude of 50,000 feet above sea 
level, unless the system uses a steerable antenna that satisfies 
paragraphs (l)(1) and (2) of this section for the worst-case launch 
vehicle malfunction that could occur during that portion of flight;
    (5) An antenna must radiate circularly polarized radio waves that 
are compatible with the flight termination system antennas on the 
launch vehicle; and
    (6) Any steerable antenna must allow for control of the antenna 
manually at the antenna site or by remote slaving data from a launch 
vehicle tracking source. A steerable antenna's positioning lag, 
accuracy, and slew rates must allow for tracking a nominally performing 
launch vehicle within one half of the antenna's beam-width and for 
tracking a malfunctioning launch vehicle to satisfy paragraph (l)(2) of 
this section.

Sec.  417.305 Command control system testing.

    (a) General.
    (1) A command control system, including its subsystems and 
components, must undergo the acceptance testing of paragraph (b) of this 
section when new or modified. For each launch, a command control system 
must undergo the preflight testing of paragraph (c) of this section.
    (2) Each acceptance and preflight test must follow a written test 
plan that specifies the procedures and test parameters for the test and 
the testing sequence. A test plan must include instructions on how to 
handle procedural deviations and how to react to test failures.
    (3) If hardware or software is redesigned or replaced with a 
different hardware or software that is not identical to the original, 
the system must undergo all acceptance testing and analysis with the 
new hardware or software and all preflight testing for each launch with 
the new hardware or software.
    (4) After a command control system passes all acceptance tests, if 
a component is replaced with an identical component, the system must 
undergo testing to ensure that the new component is installed properly 
and is operational.
    (b) Acceptance testing.
    (1) All new or modified command control system hardware and 
software must undergo acceptance testing to verify that the system 
satisfies the requirements of Sec.  417.303.
    (2) Acceptance testing must include functional testing, system 
interface validation testing, and integrated system-wide validation 
testing.
    (3) Each acceptance test must measure the performance parameters 
that demonstrate whether the requirements of Sec.  417.303 are 
satisfied.
    (4) Any computing system, software, or firmware that performs a 
software safety critical function must undergo validation testing and 
satisfy Sec.  417.123. If command control system hardware interfaces 
with software, the interface must undergo validation testing.
    (c) Preflight testing.
    (1) General. For each launch, a command control system must undergo 
preflight testing to verify that the system satisfies the requirements 
of Sec.  417.303 for the launch.
    (2) Coordinated command control system and flight termination 
system testing. For each launch, a command control system must undergo 
preflight testing during the preflight testing of the associated flight 
termination system under section E417.41 of appendix E of this part.
    (3) Command transmitter system carrier switching tests. A command

[[Page 50558]]

transmitter system must undergo a test of its carrier switching system 
no earlier than 24 hours before a scheduled flight. The test must 
satisfy all of the following:
    (i) Automatic carrier switching. For any automatic carrier 
switching system, the test must verify that the switching algorithm 
selects and enables the proper transmitter site for each portion of the 
planned flight; and
    (ii) Manual carrier switching. For any manual carrier switching, 
the test must verify that the flight safety system crew can select and 
enable each transmitter site planned to support the launch.
    (4) Independent radio frequency open loop verification tests. A 
command control system must undergo an open loop end-to-end 
verification test for each launch as close to the planned flight as 
operationally feasible and after any modification to the system or 
break in the system configuration. The test must:
    (i) Verify the performance of each element of the system from the 
flight safety system displays and controls to each command transmitter 
site;
    (ii) Measure all system performance parameters received and 
transmitted using measuring equipment that does not physically 
interface with any elements of the operational command control system;
    (iii) Verify the performance of each flight safety system display 
and control and remote command transmitter site combination by 
repeating all measurements for each combination, for all strings and 
all operational configurations of cross-strapped equipment; and
    (iv) Verify that all critical command control system performance 
parameters satisfy all their performance specifications. These 
parameters must include:
    (A) Transmitter power output;
    (B) Center frequency stability;
    (C) Tone deviation;
    (D) Tone frequency;
    (E) Message timing;
    (F) Status of each communication circuit between the flight safety 
system display and controls and any supporting command transmitter 
sites;
    (G) Status agreement between the flight safety system display and 
controls and each supporting command transmitter site;
    (H) Fail-over conditions;
    (I) Tone balance; and
    (J) Time delay from initiation of a command at each flight safety 
system control to transmitter output of the command signal.
    (d) Test reports. If a Federal launch range oversees the safety of 
a launch, the range's requirements are consistent with this subpart, 
and the range provides and tests the command control system, a launch 
operator need only obtain the range's verification that the system 
satisfies all the test requirements. For any other case, a launch 
operator must prepare or obtain one or more written reports that:
    (1) Verify that the command control system satisfies all the test 
requirements;
    (2) Describe all command control system test results and test 
conditions;
    (3) Describe any analysis performed instead of testing;
    (4) Identify by serial number or other identification each test 
result that applies to each system or component;
    (5) Describe any test failure or anomaly, including any variation 
from an established performance baseline, each corrective action taken, 
and all results of any additional tests; and
    (6) Identify any test failure trends.

Sec.  417.307 Support systems.

    (a) General.
    (1) A flight safety system must include the systems required by 
this section to support the functions of the flight safety system crew, 
including making a flight termination decision.
    (2) Each support system and each subsystem, component, and part 
that can affect the reliability of the support system must have written 
performance specifications that demonstrate, and contain the details 
of, how each satisfies the requirements of this section.
    (3) For each launch, each support system must undergo testing to 
ensure it functions according to its performance specifications.
    (b) Launch vehicle tracking.
    (1) A flight safety system must include a launch vehicle tracking 
system that provides launch vehicle position and status data to the 
flight safety crew from the first data loss flight time until the 
planned safe flight state for the launch.
    (2) The tracking system must consist of at least two sources of 
launch vehicle position data. The data sources must be independent of 
one another, and at least one source must be independent of any vehicle 
guidance system.
    (3) All ground tracking systems and components must be compatible 
with any tracking system components onboard the launch vehicle.
    (4) If a tracking system uses radar as one of the independent 
tracking sources, the system must:
    (i) Include a tracking beacon onboard the launch vehicle; or
    (ii) If the system relies on skin tracking, it must maintain a 
tracking margin of no less than 6 dB above noise throughout the period 
of flight that the radar is used. The flight safety limits must account 
for the larger tracking errors associated with skin tracking.
    (5) The tracking system must provide real-time data to the flight 
safety data processing, display, and recording system required by 
paragraph (e) of this section.
    (6) For each launch, each tracking source must undergo validation 
of its accuracy. For each stage of flight that a launch vehicle 
guidance system is used as a tracking source, a tracking source that is 
independent of any system used to aid the guidance system must validate 
the guidance system data before the data is used in the flight 
termination decision process.
    (7) The launch vehicle tracking error from all sources, including 
data latency and any possible gaps or dropouts in tracking coverage, 
must be consistent with the flight safety limits of Sec.  417.213 and 
the flight safety system time delay of Sec.  417.221.
    (8) Any planned gap in tracking coverage must not occur at the same 
time as any planned switching of command transmitters.
    (c) Telemetry.
    (1) A flight safety system must include a telemetry system that 
provides the flight safety crew with accurate flight safety data during 
preflight operations and during flight until the planned safe flight 
state.
    (2) The onboard telemetry system must monitor and transmit the 
flight termination system monitoring data of section D417.17 and any 
launch vehicle tracking data used to satisfy paragraph (b) of this 
section.
    (3) The telemetry receiving system must acquire, store, and provide 
real-time data to the flight safety data processing, display, and 
recording system required by paragraph (e) of this section.
    (d) Communications network. A flight safety system must include a 
communications network that connects all flight safety functions with 
all launch control centers and any down-range tracking and command 
transmitter sites. The system must provide for recording all required 
data and all voice communications channels during launch countdown and 
flight.
    (e) Data processing, display, and recording. A flight safety system 
must include one or more subsystems that process, display, and record 
flight safety data to support the flight safety crew's monitoring of 
the launch, including the data that the crew uses to make a flight 
termination decision. The system must:
    (1) Satisfy Sec.  417.123 for any computing system, software, or 
firmware that must operate properly to ensure the accuracy of the data;
    (2) Receive vehicle status data from tracking and telemetry, 
evaluate the data for validity, and provide valid data for display and 
recording;
    (3) Perform any reformatting of the data as appropriate and forward 
it to display and recording devices;
    (4) Display real-time data against background displays of the 
nominal trajectory and flight safety limits established in accordance 
with the flight safety analysis required by subpart C of this part;
    (5) Display and record raw input and processed data at a rate that 
maintains the validity of the data and at no less than 0.1-second 
intervals;
    (6) Record the timing of when flight safety system commands are 
input by the flight safety crew; and
    (7) Record all health and status parameters of the command control 
system, including the transmitter failover parameters, command outputs, 
check channel or pilot tone monitor, and status of communications.
    (f) Displays and controls.
    (1) A flight safety system must include the displays of real-time 
data and controls that the flight safety crew needs to perform all its 
functions, such as to monitor and evaluate launch vehicle performance, 
communicate with other flight safety and launch personnel, and initiate 
flight termination.
    (2) A flight safety system must present all data that the flight 
safety crew needs to ensure that all flight commit criteria are 
satisfied for each launch, such as hazard area surveillance, any 
aircraft and ship traffic information, meteorological conditions, and 
the flight termination system monitoring data of section D417.17.
    (3) The real-time displays must include all data that the flight 
safety crew needs to ensure the operational functionality of the flight 
safety system, including availability and quality, and that all flight 
termination rules are satisfied for each launch, such as:
    (i) Launch vehicle tracking data, such as instantaneous vacuum 
impact point, drag corrected debris footprint, or present launch 
vehicle position and velocities as a function of time;
    (ii) Vehicle status data from telemetry, including yaw, pitch, 
roll, and motor chamber pressure;
    (iii) The flight termination system monitoring data of section 
D417.17;
    (iv) Background displays of nominal trajectory, flight safety 
limits, data loss flight times, planned safe flight state, and any 
overflight gate through a flight safety limit all as determined by the 
flight safety analysis required by subpart C of this part; and
    (v) Any video data when required by the flight safety crew to 
perform its functions, such as video from optical program and flight 
line cameras.
    (4) The controls must allow the flight safety crew to turn a 
command transmitter on and off, manually switch from primary to backup 
transmitter antenna, and switch between each transmitter site. These 
functions may be accomplished through controls available to command 
transmitter support personnel and communications between those 
personnel and the flight safety crew.
    (5) Each set of command transmitter system controls must include a 
means of identifying when it has primary control of the system.
    (6) The displays must include a means of immediately notifying the 
flight safety system crew of any automatic fail-over of the system 
transmitters.
    (7) All flight safety system controls must be dedicated to the 
flight safety system and must not rely on time or equipment shared with 
other systems.
    (8) All data transmission links between any control, transmitter, 
or antenna must consist of two or more complete and independent duplex 
circuits. The routing of these circuits must ensure that they are 
physically separated from each other to eliminate any potential single 
failure point in the command control system in accordance with Sec.  
417.303(d).
    (9) The system must include hardware or procedural security 
provisions for controlling access to all controls and other related 
hardware. These security provisions must ensure that only the flight 
safety crew can initiate a flight safety system transmission.
    (10) The system must include two independent means for the flight 
safety crew to initiate arm and destruct messages. The location and 
functioning of the controls must provide the crew easy access to the 
controls and prevent inadvertent activation.
    (11) The system must include a digital countdown for use in 
implementing the flight termination rules of Sec.  417.113 that apply 
data loss flight times and the planned safe flight state. The system 
must also include a manual method of applying the data loss flight 
times in the event that the digital countdown malfunctions.
    (g) Support equipment calibration. Each support system and any 
equipment used to test flight safety system components must undergo 
calibration to ensure that measurement and monitoring devices that 
support a launch provide accurate indications.
    (h) Destruct initiator simulator. A flight safety system must 
include one or more destruct initiator simulators that simulate each 
destruct initiator during the flight termination system preflight 
tests. Each destruct initiator simulator must:
    (1) Have electrical and operational characteristics matching those 
of the actual destruct initiator;
    (2) Monitor the firing circuit output current, voltage, or energy, 
and indicate whether the firing output occurs. The indication that the 
output occurred must remain after the output is removed;
    (3) Have the ability to remain connected throughout ground 
processing until the electrical connection of the actual initiators is 
accomplished;
    (4) Include a capability that permits the issuance of destruct 
commands by test equipment only if the simulator is installed and 
connected to the firing lines; and
    (5) For any low voltage initiator, provide a stray current 
monitoring device in the firing line. The stray current monitoring 
device, such as a fuse or automatic recording system, must be capable 
of indicating a minimum of one-tenth of the maximum no-fire current.
    (i) Timing. A flight safety system must include a timing system 
that is synchronized to a universal time coordinate. The system must:
    (1) Initiate first motion signals;
    (2) Synchronize flight safety system instrumentation, including 
countdown clocks; and
    (3) Identify when, during countdown or flight, a data measurement 
or voice communication occurs.

Sec.  417.309 Flight safety system analysis.

    (a) General.
    (1) Each flight termination system and command control system, 
including each of their components, must satisfy the analysis 
requirements of this section.
    (2) Each analysis must follow an FAA approved system safety and 
reliability analysis methodology.
    (b) System reliability. Each flight termination system and command 
control system must undergo an analysis that demonstrates the system's 
predicted reliability. Each analysis must:
    (1) Account for the probability of a flight safety system anomaly 
occurring and all of its effects as determined by the single failure 
point analysis and the
sneak circuit analysis required by paragraphs (c) and (g) of this 
section;
    (2) Demonstrate that each system satisfies the predicted 
reliability requirement of 0.999 at the 95 percent confidence level;
    (3) Use a reliability model that is statistically valid and 
accurately represents the system;
    (4) Account for the actual or predicted reliability of all 
subsystems and components;
    (5) Account for the effects of storage, transportation, handling, 
maintenance, and operating environments on component predicted 
reliability; and
    (6) Account for the interface between the launch vehicle systems 
and the flight termination system.
    (c) Single failure point. A command control system must undergo an 
analysis that demonstrates that the system satisfies the fault 
tolerance requirements of Sec.  417.303(d). A flight termination system 
must undergo an analysis that demonstrates that the system satisfies 
the fault tolerance requirements of section D417.5(b). Each analysis 
must:
    (1) Follow a standard industry methodology such as a fault tree 
analysis or a failure modes effects and criticality analysis;
    (2) Identify all possible failure modes and undesired events, their 
probability of occurrence, and their effects on system performance;
    (3) Identify single point failure modes;
    (4) Identify areas of design where redundancy is required and 
account for any failure mode where a component and its backup could 
fail at the same time due to a single cause;
    (5) Identify functions, including redundancy, which are not or 
cannot be tested;
    (6) Account for any potential system failures due to hardware, 
software, test equipment, or procedural or human errors;
    (7) Account for any single failure point on another system that 
could disable a command control system or flight termination system, 
such as any launch vehicle system that could trigger safing of a flight 
termination system; and
    (8) Provide input to the reliability analysis of paragraph (b) of 
this section.
    (d) Fratricide. A flight termination system must undergo an 
analysis that demonstrates that the flight termination of any stage, at 
any time during flight, will not sever interconnecting flight 
termination system circuitry or ordnance to other stages until flight 
termination on all the other stages has been initiated.
    (e) Bent pin. Each component of a flight termination system and 
command control system must undergo an analysis that demonstrates that 
any single short circuit occurring as a result of a bent electrical 
connection pin will not result in inadvertent system activation or 
inhibiting the proper operation of the system.
    (f) Radio frequency link.
    (1) The flight safety system must undergo a radio frequency link 
analysis to demonstrate that it satisfies the required 12-dB margin for 
nominal system performance and 6-dB margin for worst-case system 
performance.
    (2) When demonstrating the 12-dB margin, each link analysis must 
account for the following nominal system performance and attenuation 
factors:
    (i) Path losses due to plume or flame attenuation;
    (ii) Vehicle trajectory;
    (iii) Ground system and airborne system radio frequency 
characteristics; and
    (iv) The antenna gain value that ensures that the margin is 
satisfied over 95% of the antenna radiation sphere surrounding the 
launch vehicle.
    (3) When demonstrating the 6-dB margin, each link analysis must 
account for the following worst-case system performance and attenuation 
factors:
    (i) The system performance and attenuation factors of paragraph 
(f)(2) of this section;
    (ii) The command transmitter failover criteria of Sec.  417.303(g) 
including the lowest output power provided by the transmitter system;
    (iii) Worst-case power loss due to antenna pointing inaccuracies; 
and
    (iv) Any other attenuation factors.
    (g) Sneak circuit. Each electronic component that contains an 
electronic inhibit that could inhibit the functioning, or cause 
inadvertent functioning of a flight termination system or command 
control system, must undergo a sneak circuit analysis. The analysis 
must demonstrate that there are no latent paths of an unwanted command 
that could, when all components otherwise function properly, cause the 
occurrence of an undesired, unplanned, or inhibited function that could 
cause a system anomaly. The analysis must determine the probability of 
an anomaly occurring for input to the system reliability analysis of 
paragraph (b) of this section.
    (h) Software and firmware. Any computing system, software, or 
firmware that performs a software safety critical function must undergo 
the analysis needed to ensure reliable operation and satisfy Sec.  
417.123.
    (i) Battery capacity. A flight termination system must undergo an 
analysis that demonstrates that each flight termination system battery 
has a total amp hour capacity of no less than 150% of the capacity 
needed during flight plus the capacity needed for load and activation 
checks, preflight and launch countdown checks, and any potential launch 
hold time. For a launch vehicle that uses any solid propellant, the 
analysis must demonstrate that the battery capacity allows for an 
additional 30-minute hang-fire hold time. The battery analysis must 
also demonstrate each flight termination system battery's ability to 
meet the charging temperature and current control requirements of 
appendix D of this part.
    (j) Survivability. A flight termination system must undergo an 
analysis that demonstrates that each subsystem and component, including 
their location on the launch vehicle, provides for the flight 
termination system to complete all its required functions when exposed 
to:
    (1) Breakup of the launch vehicle due to aerodynamic loading 
effects at high angle of attack trajectories during early stages of 
flight, including the effects of any automatic or inadvertent destruct 
system;
    (2) An engine hard-over nozzle induced tumble during each phase of 
flight for each stage; or
    (3) Launch vehicle staging, ignition, or any other normal or 
abnormal event that, when it occurs, could damage flight termination 
system hardware or inhibit the functionality of any subsystem or 
component, including any inadvertent separation destruct system.

Sec.  417.311 Flight safety crew roles and qualifications.

    (a) A flight safety crew must operate the flight safety system 
hardware. A flight safety crew must document each flight safety crew 
position description and maintain documentation on individual crew 
qualifications, including education, experience, and training as part 
of the personnel certification program required by Sec.  417.105.
    (b) A flight safety crew must be able to demonstrate the knowledge, 
skills, and abilities needed to operate the flight safety system 
hardware in accordance with Sec.  417.113.
    (1) A flight safety crew must have knowledge of:
    (i) All flight safety system assets and responsibilities, 
including:
    (A) Communications systems and launch operations procedures;
    (B) Both voice and data systems;
    (C) Graphical data systems;
    (D) Tracking; and
    (E) Telemetry real time data;
    (ii) Flight termination systems; and
    (iii) Contingency operations, including hold, recycle and abort 
procedures.
    (2) An individual who monitors vehicle performance and performs 
flight termination must have knowledge of and be capable of resolving 
malfunctions in:
    (i) The application of safety support systems such as position 
tracking sources;
    (ii) Digital computers;
    (iii) Displays;
    (iv) Command destruct;
    (v) Communications;
    (vi) Telemetry;
    (vii) All electrical functions of a flight termination system;
    (viii) The principles of radio frequency transmission and 
attenuation;
    (ix) The behavior of ballistic and aerodynamic vehicles in flight 
under the influence of aerodynamic forces; and
    (x) The application of flight termination rules.
    (3) An individual who operates flight safety support systems must 
have knowledge of and be capable of resolving malfunctions in:
    (i) The design and assembly of the flight safety support system 
hardware;
    (ii) The operation of electromechanical systems; and
    (iii) The nature and inherent tendencies of the flight safety 
system hardware being operated.
    (4) An individual who performs flight safety analysis must have 
knowledge of orbital mechanics and be proficient in the calculation and 
production of range safety displays, impact probabilities, and casualty 
expectations.
    (c) Flight safety crew members must complete a training and 
certification program to ensure launch site familiarization, launch 
vehicle familiarization, flight safety system functions, equipment, and 
procedures related to a launch before being called upon to support that 
launch. Each flight safety crew member must complete a preflight 
readiness training and certification program. This preflight readiness 
training and certification program must include:
    (1) Mission specific training programs to ensure team readiness.
    (2) Launch simulation exercises of system failure modes, including 
nominal and failure modes, that test crew performance, flight 
termination criteria, and flight safety data display integrity.

Subpart E--Ground Safety

Sec.  417.401 Scope.

    This subpart contains public safety requirements that apply to 
launch processing and post-launch operations at a launch site in the 
United States. Ground safety requirements in this subpart apply to 
activities performed by, or on behalf of, a launch operator at a launch 
site in the United States. A licensed launch site operator must satisfy 
the requirements of part 420 of this chapter.

Sec.  417.402 Compliance.

    (a) General. A launch operator's ground safety process must satisfy 
this subpart.
    (b) Ground safety analysis conducted for launch at a Federal launch 
range. This provision applies to all sections of this subpart. The FAA 
will accept a ground safety process conducted for a launch from a 
Federal launch range without need for further demonstration of 
compliance to the FAA if:
    (1) A launch operator has contracted with a Federal launch range 
for the provision of the ground safety process; and
    (2) The FAA has assessed the Federal launch range, through its 
launch site safety assessment, and found that the Federal launch 
range's ground safety process satisfies the requirements of this 
subpart. In this case, the FAA will treat the Federal launch range's 
process as that of a launch operator.
    (c) Toxic release hazard analysis conducted for launch processing 
at a Federal launch range. The FAA will accept a toxic release hazard 
analysis conducted for launch processing from a Federal launch range 
provided the toxic release analysis satisfies the Federal launch 
range's requirements, and the FAA has assessed the Federal launch 
range, through its launch site safety assessment, and found that the 
applicable Federal launch range safety-related launch services and 
property satisfy the requirements of this subpart.
    (d) Demonstration of compliance. For a licensed launch that does 
not satisfy paragraphs (b) and (c) of this section, a launch operator 
must demonstrate compliance to the FAA with the requirements of this 
subpart, and must include in its demonstration the analysis products 
required by subparts A and E of this part, and appendices I and J of 
this part.
    (e) Alternate methods. The FAA will approve an alternate hazard 
control method if a launch operator demonstrates, in accordance with 
Sec.  406.3(b), that its proposed hazard control method provides an 
equivalent level of safety to that required by this subpart.

Sec.  417.403 General.

    (a) Public safety. A launch operator must ensure that each hazard 
control is in place to protect the public from each potential hazard 
associated with launch processing and post-launch operations.
    (b) Ground safety analysis. A launch operator must perform and 
document a ground safety analysis that satisfies Sec.  417.405 and 
appendix J of this part.
    (c) Local agreements. A launch operator must coordinate and perform 
launch processing and post-launch operations that satisfy local 
agreements to ensure the responsibilities and requirements in this part 
and Sec.  420.57 of this chapter are met. A launch operator, when using 
a launch site of a licensed launch site operator, must coordinate the 
launch operator's operations with the launch site operator and with any 
agreements that the launch site operator has with local authorities 
that form a basis for the launch site operator's license.
    (d) Launch operator's exclusive use of a launch site. For a launch 
conducted from a launch site exclusive to its own use, a launch 
operator must satisfy the requirements of this subpart and of part 420 
of this chapter, including subpart D of part 420.

Sec.  417.405 Ground safety analysis.

    (a) A launch operator must perform a ground safety analysis for 
launch vehicle hardware, ground hardware including launch site and 
ground support equipment, launch processing, and post-launch operations 
at a launch site in the United States. The requirements of this section 
apply to the performance of the ground safety analysis and to the 
ground safety analysis products that a launch operator must file with 
the FAA as required by Sec.  417.402(d). This analysis must identify 
each potential hazard, each associated cause, and each hazard control 
that a launch operator must establish and maintain to keep each 
identified hazard from affecting the public. A launch operator must 
incorporate the launch site operator's systems and operations involved 
in ensuring public safety into the ground safety analysis.
    (b) Technical personnel who are knowledgeable of launch vehicle 
systems, launch processing, ground systems, operations, and their 
associated hazards must prepare the ground safety analysis. These 
individuals must be qualified to perform the ground safety analysis 
through training, education, and experience.
    (c) A launch operator must ensure personnel performing a ground 
safety analysis or preparing a ground safety
analysis report will have the cooperation of the entire launch 
operator's organization. A launch operator must maintain supporting 
documentation and it must be available upon request.
    (d) A launch operator must:
    (1) Begin a ground safety analysis by identifying the systems and 
operations to be analyzed;
    (2) Define the extent of each system and operation being assessed 
to ensure there is no miscommunication as to what the hazards are, and 
who, in a launch operator's organization or other organization 
supporting the launch, controls those hazards; and
    (3) Ensure that the ground safety analysis accounts for each launch 
vehicle system and operation involved in launch processing and post-
launch operations, even if only to show that no hazard exists.
    (e) A ground safety analysis need not account for potential hazards 
of a component if a launch operator demonstrates that no hazard to the 
public exists at the system level. A ground safety analysis need not 
account for an operation's individual task or subtask level if a launch 
operator demonstrates that no hazard to the public exists at the 
operation level. A launch operator must provide verifiable controls for 
hazards that are confined within the boundaries of a launch operator's 
facility to ensure the public will not have access to the associated 
hazard area while the hazard exists.
    (f) A launch operator must identify each potential hazard, 
including non-credible hazards. The probability of occurrence is not 
relevant with respect to identifying a hazard. Where an assertion is 
made that no hazard exists for a particular system or operation, the 
ground safety analysis must provide the rationale. A launch operator 
must identify the following hazards of each launch vehicle system, 
launch site and ground support equipment, launch processing, and post-
launch operations:
    (1) System hazards, including explosives and other ordnance, solid 
and liquid propellants, toxic and radioactive materials, asphyxiants, 
cryogens, and high pressure. System hazards generally exist even when 
no operation is occurring; and
    (2) Operation hazards derived from an unsafe condition created by a 
system, operating environment, or an unsafe act.
    (g) A launch operator must categorize identified system and 
operation hazards as follows:
    (1) Public hazard. A hazard that extends beyond the launch location 
under the control of a launch operator. Public hazards include the 
following:
    (i) Blast overpressure and fragmentation resulting from an 
explosion;
    (ii) Fire and deflagration, including hazardous materials such as 
radioactive material, beryllium, carbon fibers, and propellants. A 
launch operator must assume that in the event of a fire, hazardous 
smoke from systems containing hazardous materials will reach the 
public;
    (iii) Sudden release of a hazardous material into the air, water, 
or ground; and
    (iv) Inadvertent ignition of a propulsive launch vehicle payload, 
stage, or motor.
    (2) Launch location hazard. A hazard that stays within the confines 
of the location under the control of a launch operator but extends 
beyond individuals doing the work. The confines may be bounded by a 
wall or a fence line of a facility or launch complex, or by a fenced or 
unfenced boundary of an entire industrial complex or multi-user launch 
site. A launch location hazard may affect the public depending on 
public access controls. Launch location hazards that may affect the 
public include the hazards listed in paragraphs (g)(1)(i)-(iv) of this 
section and additional hazards in potentially unsafe locations 
accessible to the public such as:
    (i) Unguarded electrical circuits or machinery;
    (ii) Oxygen deficient environments;
    (iii) Falling objects;
    (iv) Potential falls into unguarded pits or from unguarded elevated 
work platforms; and
    (v) Sources of ionizing and non-ionizing radiation such as x-rays, 
radio transmitters, and lasers.
    (3) Employee hazard. A hazard to individuals performing a launch 
operator's work, but not to other people in the area. A launch operator 
must comply with all applicable Federal, state, and local employee 
safety regulations. A launch operator's ground safety analysis must 
identify employee hazards and demonstrate that there are no associated 
public safety issues.
    (4) Non-credible hazard. A hazard for which possible adverse 
effects on people or property would be negligible and where the 
possibility of adverse effects on people or property is remote. A 
launch operator's ground safety analysis must identify non-credible 
hazards and demonstrate that the hazard is non-credible.
    (h) A ground safety analysis must identify each hazard cause for 
each public hazard and launch location hazard. The ground safety 
analysis must account for conditions, acts, or chain of events that can 
result in a hazard. The ground safety analysis must account for the 
possible failure of any control or monitoring circuitry within hardware 
systems that can cause a hazard.
    (i) A ground safety analysis must identify the hazard controls to 
be established by a launch operator for each hazard cause identified in 
paragraph (h) of this section. A launch operator's hazard controls 
include the use of engineering controls for the containment of hazards 
within defined areas and the control of public access to those areas.
    (j) A launch operator must verify all information in a ground 
safety analysis, including design margins, fault tolerance and 
successful completion of tests. A launch operator must:
    (1) Trace any identified hardware to an engineering drawing or 
other document that describes hardware configuration;
    (2) Trace any test or analysis used in developing the ground safety 
analysis to a report or memorandum that describes how the test or 
analysis was performed;
    (3) Ensure the accuracy of the test or analysis and the associated 
results;
    (4) Trace any procedural hazard control identified to a written 
procedure, and approved by the person designated under Sec.  
417.103(b)(2) or the person's designee, with the paragraph or step 
number of the procedure specified;
    (5) Identify a verifiable hazard control for each hazard; if a 
hazard control is not verifiable, a launch operator may include it as 
an informational note on the hazard analysis form;
    (6) For each hazard control, reference a released drawing, report, 
procedure or other document that verifies the existence of the hazard 
control; and
    (7) Maintain records, as required by Sec.  417.15, of the 
documentation that verifies the information in the ground safety 
analysis.
    (k) A launch operator must ensure the continuing accuracy of its 
ground safety analysis. The analysis of systems and operations must not 
end upon submission of a ground safety analysis report to the FAA 
during the license application process. A launch operator must analyze 
each new or modified system or operation for potential hazards that can 
affect the public. A launch operator must ensure that each existing 
system and operation is subject to continual scrutiny and that the 
information in a ground safety analysis report is kept current.

Sec.  417.407 Hazard control implementation.

    (a) General. A launch operator must establish and maintain the 
hazard
controls identified by the ground safety analysis including:
    (1) System hazard controls that satisfy Sec.  417.409;
    (2) Safety clear zones for hazardous operations that satisfy Sec.  
417.411;
    (3) Hazard areas and controls for allowing public access that 
satisfy Sec.  417.413;
    (4) Hazard controls after launch or an attempt to launch that 
satisfy Sec.  417.415; and
    (5) Controls for propellant and explosive hazards that satisfy 
Sec.  417.417.
    (b) Hazard control verification. A launch operator must establish a 
hazard tracking process to ensure that each identified hazard has a 
verifiable hazard control. Verification status must remain ``open'' for 
an individual hazard control until the hazard control is verified to 
exist in a released drawing, report, procedure, or similar document.
    (c) Hazard control configuration control. A launch operator must 
establish and maintain a configuration control process for safety 
critical hardware. Procedural steps to verify hazard controls, and 
their associated documentation, cannot be changed without coordination 
with the person designated in Sec.  417.103(b)(2).
    (d) Inspections. When a potential hazard exists, a launch operator 
must conduct periodic inspections of related hardware, software, and 
facilities. A launch operator must ensure qualified and certified 
personnel, as required by Sec.  417.105, conduct the inspection. A 
launch operator must demonstrate that the time interval between 
inspections is sufficient to ensure satisfaction of this subpart. A 
launch operator must ensure safety devices and other hazard controls 
must remain in place for that hazard, and that safety devices and other 
hazard controls must remain in working order so that no unsafe 
conditions exist.
    (e) Procedures. A launch operator must conduct each launch 
processing or post-launch operation involving a public hazard or a 
launch location hazard pursuant to written procedures that incorporate 
the hazard controls identified by a launch operator's ground safety 
analysis and as required by this subpart. The person designated in 
Sec.  417.103(b)(2) must approve the procedures. A launch operator must 
maintain an ``as-run'' copy of each procedure. The ``as-run'' procedure 
copy must include changes, start and stop dates, and times that each 
procedure was performed and observations made during the operations.
    (f) Hazardous materials. A launch operator must establish 
procedures for the receipt, storage, handling, use, and disposal of 
hazardous materials, including toxic substances and sources of ionizing 
radiation. A launch operator must establish procedures for responding 
to hazardous material emergencies and protecting the public that 
comply with the accident investigation plan as defined in Sec.  
417.111(h)(2). These procedures must include:
    (1) Identification of each hazard and its effects;
    (2) Actions to be taken in response to release of a hazardous 
material;
    (3) Identification of protective gear and other safety equipment 
that must be available in order to respond to a release;
    (4) Evacuation and rescue procedures;
    (5) Chain of command; and
    (6) Communication both on-site and off-site to surrounding 
communities and local authorities.
    (g) Toxic release hazard notifications and evacuations. A launch 
operator must perform a toxic release hazard analysis for launch 
processing performed at the launch site that satisfies section I417.7 
of this part. A launch operator must apply toxic plume modeling 
techniques that satisfy section I417.7 of this part and ensure that 
notifications and evacuations are accomplished to protect the public 
from potential toxic release.

Sec.  417.409 System hazard controls.

    (a) General. A launch operator must establish and maintain hazard 
controls for each system that presents a public hazard as identified by 
the ground safety analysis and satisfy the requirements of this 
section. A launch operator must:
    (1) Ensure a system be at least single fault tolerant to creating a 
public hazard unless other hazard control criteria are specified for 
the system by the requirements of this part. A system capable of 
creating a catastrophic public hazard must be at least dual fault 
tolerant. Dual fault tolerant system hazard controls include: Switches, 
valves, or similar components that prevent an unwanted transfer or 
release of energy or hazardous materials;
    (2) Ensure each hazard control used to provide fault tolerance is 
independent from other hazard controls so that no single action or 
event can remove more than one inhibit. A launch operator must prevent 
inadvertent activation of hazard control devices such as switches and 
valves;
    (3) Provide at least two fully redundant safety devices if a safety 
device must function in order to control a public hazard. A single 
action or event must not be capable of disabling both safety devices; 
and
    (4) Ensure computing systems and software used to control a public 
hazard satisfy the requirements of Sec.  417.123.
    (b) Structures and material handling equipment. A launch operator 
must ensure safety factors applied in the design of a structure or 
material handling equipment account for static and dynamic loads, 
environmental stresses, expected wear, and duty cycles. A launch 
operator must:
    (1) Inspect structures and material handling equipment to verify 
workmanship, proper operations, and maintenance;
    (2) Prepare plans to ensure proper operations and maintenance of 
structures and material handling equipment;
    (3) Assess structures and material handling equipment for potential 
single point failure;
    (4) Eliminate single point failures from structures and material 
handling equipment or subject the structures and material handling 
equipment to specific inspection and testing to ensure proper 
operation. Single point failure welds must undergo both surface and 
volumetric non-destructive inspection to verify that no rejectable 
discontinuities exist;
    (5) Establish other non-destructive inspection techniques if a 
volumetric inspection cannot be performed. A launch operator, in such a 
case, must demonstrate through the licensing process that the 
inspection processes used accurately verify the absence of rejectable 
discontinuities; and
    (6) Ensure qualified and certified personnel, as defined in Sec.  
417.105, conduct the inspections.
    (c) Pressure vessels and pressurized systems. A launch operator 
must apply the following hazard controls to a pressurized flight or 
ground pressure vessel, component, or system:
    (1) Qualified and certified personnel, as defined in Sec.  417.105, 
must test each pressure vessel, component, or system upon installation 
and before being placed into service, and periodically inspect to 
ensure that no rejectable discontinuities exist;
    (2) Safety factors applied in the design of a pressure vessel, 
component, or system must account for static and dynamic loads, 
environmental stresses, and expected wear;
    (3) Pressurized system flow-paths, except for pressure relief and 
emergency venting, must be single fault tolerant to causing pressure 
ruptures and material releases during launch processing; and
    (4) Provide pressure relief and emergency venting capability to 
protect

[[Page 50564]]

against pressure ruptures. Pressure relief devices must provide the 
flow rate necessary to prevent a rupture in the event a pressure vessel 
is exposed to fire.
    (d) Electrical and mechanical systems. A launch operator must apply 
the following hazard controls to electrical or mechanical systems that 
can release electrical or mechanical energy during launch processing:
    (1) A launch operator must ensure electrical and mechanical 
systems, including systems that generate ionizing or non-ionizing 
radiation, are single fault tolerant to providing or releasing 
electrical or mechanical energy;
    (2) In areas where flammable material exists, a launch operator 
must ensure electrical systems and equipment are hermetically sealed, 
explosion proof, intrinsically safe, purged, or otherwise designed so 
as not to provide an ignition source. A launch operator must assess 
each electrical system as a possible source of thermal energy and 
ensure that the electrical system cannot act as an ignition source; 
and
    (3) A launch operator must prevent unintentionally conducted or 
radiated energy due to possible bent pins in a connector, a mismated 
connector, shorted wires, or unshielded wires within electrical power 
and signal circuits that interface with hazardous subsystems.
    (e) Propulsion systems. A propulsion system must be dual fault 
tolerant to inadvertently becoming propulsive. Propulsion systems must 
be single fault tolerant to inadvertent mixing of fuel and oxidizer. 
Each material in a propulsion system must be compatible with other 
materials that may contact the propulsion system during launch 
processing including materials used to assemble and clean the system. A 
launch operator must use engineering controls, including procedures, to 
prevent connecting incompatible systems. A launch operator must comply 
with Sec.  417.417 for hazard controls applicable to propellants and 
explosives.
    (f) Ordnance systems. An ordnance system must be at least single 
fault tolerant to prevent a hazard caused by inadvertent actuation of 
the ordnance system. A launch operator must comply with Sec.  417.417 
for hazard controls applicable to ordnance. In addition, an ordnance 
system must satisfy the following requirements:
    (1) A launch operator must ensure ordnance electrical connections 
are disconnected until final preparations for flight;
    (2) An ordnance system must provide for safing and arming of the 
ordnance. An electrically initiated ordnance system must include 
ordnance initiation devices and arming devices, also referred to as 
safe and arm devices, that provide a removable and replaceable 
mechanical barrier or other positive means of interrupting power to 
each ordnance firing circuit to prevent inadvertent initiation of 
ordnance. A mechanical safe and arm device must have a safing pin that 
locks the mechanical barrier in a safe position. A mechanically actuated 
ordnance device must also have a safing pin that prevents mechanical 
movement within the device. A launch operator must comply with section 
D417.13 of this part for specific safing and arming requirements for a 
flight termination system;
    (3) Protect ordnance systems from stray energy through grounding, 
bonding, and shielding; and
    (4) Current limit any monitoring or test circuitry that interfaces 
with an ordnance system to protect against inadvertent initiation of 
ordnance. Equipment used to measure bridgewire resistance on electro-
explosive devices must be special purpose ordnance system 
instrumentation with features that limit current.

Sec.  417.411 Safety clear zones for hazardous operations.

    (a) A launch operator must define a safety clear zone that confines 
the adverse effects of each operation involving a public hazard or 
launch location hazard. A launch operator's safety clear zones must 
satisfy the following:
    (1) A launch operator must establish a safety clear zone that 
accounts for the potential blast, fragment, fire or heat, toxic and 
other hazardous energy or material potential of the associated systems 
and operations. A launch operator must base a safety clear zone on the 
following criteria:
    (i) For a possible explosive event, base a safety clear zone on the 
worst case event, regardless of the fault tolerance of the system;
    (ii) For a possible toxic event, base a safety clear zone on the 
worst case event. A launch operator must have procedures in place to 
maintain public safety in the event toxic releases reach beyond the 
safety clear zone; and
    (iii) For a material handling operation, base a safety clear zone 
on a worst case event for that operation.
    (2) A launch operator must establish a safety clear zone when the 
launch vehicle is in a launch command configuration with the flight 
safety systems fully operational and on internal power.
    (b) A launch operator must establish restrictions that prohibit 
public access to a safety clear zone during a hazardous operation. A 
safety clear zone may extend to areas beyond the launch location 
boundaries if local agreements provide for restricting public access to 
such areas and a launch operator verifies that the safety clear zone is 
clear of the public during the hazardous operation.
    (c) A launch operator's procedures must verify that the public is 
outside of a safety clear zone prior to a launch operator beginning a 
hazardous operation.
    (d) A launch operator must control a safety clear zone to ensure no 
public access during the hazardous operation. Safety clear zone 
controls include:
    (1) Use of security guards and equipment;
    (2) Physical barriers; and
    (3) Warning signs, and other types of warning devices.

Sec.  417.413 Hazard areas.

    (a) General. A launch operator must define a hazard area that 
confines the adverse effects of a hardware system should an event occur 
that presents a public hazard or launch location hazard. A launch 
operator must prohibit public access to the hazard area whenever a 
hazard is present unless the requirements for public access of 
paragraph (b) of this section are met.
    (b) Public access. A launch operator must establish a process for 
authorizing public access if visitors or members of the public must 
have access to a launch operator's facility or launch location. The 
process must ensure that each member of the public is briefed on the 
hazards within the facility and related safety warnings, procedures, 
and rules that provide protection, or a launch operator must ensure 
that each member of the public is accompanied by a knowledgeable 
escort.
    (c) Hazard controls during public access. A launch operator must 
establish procedural controls that prevent hazardous operations from 
taking place while members of the public have access to the launch 
location and must verify that system hazard controls are in place that 
prevent initiation of a hazardous event. Hazard controls and procedures 
that prevent initiation of a hazardous event include the following:
    (1) Use of lockout devices or other restraints on system actuation 
switches or other controls to eliminate the possibility of inadvertent 
actuation of a hazardous system.
    (2) Disconnect ordnance systems from power sources, incorporate the 
use of

[[Page 50565]]

safing plugs, or have safety devices in place that prevent inadvertent 
initiation. Activity involving the control circuitry of electrically 
activated safety devices must not be ongoing while the public has 
access to the hazard area. Install safing pins on safe and arm devices 
and mechanically actuated devices. Disconnect explosive transfer lines, 
not protected by a safe and arm device or a mechanically actuated 
device or equivalent.
    (3) When systems or tanks are loaded with hypergols or other toxic 
materials, close the system or tank and verify it is leak-tight with 
two verifiable closures, such as a valve and a cap, to every external 
flow path or fitting. Such a system must also be in a steady-state 
condition.
    (4) Keep each pressurized system below its maximum allowable 
working pressure and do not allow it to be in a dynamic state. Activity 
involving the control circuitry of electrically activated pressure 
system valves must not be ongoing while the public has access to the 
associated hazard area. Launch vehicle systems must not be pressurized 
to more than 25% of the system's design burst pressure, when the public 
has access to the associated hazard area.
    (5) Do not allow sources of ionizing or non-ionizing radiation, 
such as x-rays, nuclear power sources, high-energy radio transmitters, 
radar, and lasers to be present or verify they are to be inactive when 
the public has access to the associated hazard area.
    (6) Guard physical hazards to prevent potential physical injury to 
visiting members of the public. Physical hazards include the following:
    (i) Potential falling objects;
    (ii) Falls from an elevated height; and
    (iii) Protection from potentially hazardous vents, such as pressure 
relief discharge vents.
    (7) Maintain and verify that safety devices or safety critical 
systems are operating properly prior to permitting public access.

Sec.  417.415 Post-launch and post-flight-attempt hazard controls.

    (a) A launch operator must establish, maintain and perform 
procedures for controlling hazards and returning the launch facility to 
a safe condition after a successful launch. Procedural hazard controls 
must include:
    (1) Provisions for extinguishing fires;
    (2) Re-establishing full operational capability of safety devices, 
barriers, and platforms; and
    (3) Access control.
    (b) A launch operator must establish procedures for controlling 
hazards associated with a failed flight attempt where a solid or liquid 
launch vehicle engine start command was sent, but the launch vehicle 
did not lift off. These procedures must include the following:
    (1) Maintaining and verifying that each flight termination system 
remains operational until verification that the launch vehicle does not 
represent a risk of inadvertent liftoff. If an ignition signal has been 
sent to a solid rocket motor, the flight termination system must remain 
armed and active for a period of no less than 30 minutes. During this 
time, flight termination system batteries must maintain sufficient 
voltage and current capacity for flight termination system operation. 
The flight termination system receivers must remain captured by the 
command control system transmitter's carrier signal;
    (2) Assuring that the vehicle is in a safe configuration, including 
its propulsion and ordnance systems. The flight safety system crew must 
have access to the vehicle status. Re-establish safety devices and 
bring each pressurized system down to safe pressure levels; and
    (3) Prohibiting launch complex entry until the launch pad area 
safing procedures are complete.
    (c) A launch operator must establish procedural controls for 
hazards associated with an unsuccessful flight where the launch vehicle 
has a land or water impact. These procedures must include the following 
provisions:
    (1) Evacuation and rescue of members of the public, to include 
modeling the dispersion and movement of toxic plumes, identification of 
areas at risk, and communication with local government authorities;
    (2) Extinguishing fires;
    (3) Securing impact areas to ensure that personnel and the public 
are evacuated, and ensure that no unauthorized personnel or members of 
the public enter, and to preserve evidence; and
    (4) Ensuring public safety from hazardous debris, such as plans for 
recovery and salvage of launch vehicle debris and safe disposal of 
hazardous materials.

Sec.  417.417 Propellants and explosives.

    (a) A launch operator must comply with the explosive safety 
criteria in part 420 of this chapter.
    (b) A launch operator must ensure that:
    (1) The explosive site plan satisfies part 420 of this chapter;
    (2) Only those explosive facilities and launch points addressed in 
the explosive site plan are used and only for their intended purpose; 
and
    (3) The total net explosive weight for each explosive hazard 
facility and launch point does not exceed the maximum net explosive 
weight limit indicated on the explosive site plan for each location.
    (c) A launch operator must establish, maintain, and perform 
procedures that ensure public safety for the receipt, storage, 
handling, inspection, test, and disposal of explosives.
    (d) A launch operator must establish and maintain each procedural 
system control to prevent inadvertent initiation of propellants and 
explosives. These controls must include the following:
    (1) Protect ordnance systems from stray energy through methods of 
bonding, grounding, and shielding, and controlling radio frequency 
radiation sources in a radio frequency radiation exclusion area. A 
launch operator must determine the vulnerability of its electro-
explosive devices and systems to radio frequency radiation and 
establish radio frequency radiation power limits or radio frequency 
radiation exclusion areas as required by the launch site operator or to 
ensure safety.
    (2) Keep ordnance safety devices, as required by Sec.  417.409, in 
place until the launch complex is cleared as part of the final launch 
countdown. No members of the public may re-enter the complex until each 
safety device is re-established.
    (3) Do not allow heat and spark or flame producing devices in an 
explosive or propellant facility without written approval and oversight 
from a launch operator's safety organization.
    (4) Do not allow static producing materials in close proximity to 
solid or liquid propellants, electro-explosive devices, or systems 
containing flammable liquids.
    (5) Use fire safety measures including:
    (i) Elimination or reduction of flammable and combustible 
materials;
    (ii) Elimination or reduction of ignition sources;
    (iii) Fire and smoke detection systems;
    (iv) Safe means of egress; and
    (v) Timely fire suppression response.
    (6) Include lightning protection on each facility used to store or 
process explosives to prevent inadvertent initiation of propellants and 
explosives due to lightning unless the facility complies with the 
lightning protection criteria of Sec.  420.71 of this part.
    (e) A launch operator, in the event of an emergency, must perform 
the accident investigation plan as defined in Sec.  417.111(h).

[[Page 50566]]

Appendix A of Part 417--Flight Safety Analysis Methodologies and 
Products for a Launch Vehicle Flown with a Flight Safety System

A417.1 Scope.

    The requirements of this appendix apply to the methods for 
performing the flight safety analysis required by Sec.  417.107(f) 
and subpart C of this part. The methodologies contained in this 
appendix provide an acceptable means of satisfying the requirements 
of subpart C and provide a standard and a measure of fidelity 
against which the FAA will measure any proposed alternative analysis 
approach. This appendix also identifies the analysis products that a 
launch operator must file with the FAA as required by Sec.  
417.203(e).

A417.3 Applicability.

    The requirements of this appendix apply to a launch operator and 
the launch operator's flight safety analysis unless the launch 
operator clearly and convincingly demonstrates that an alternative 
approach provides an equivalent level of safety. If a Federal launch 
range performs the launch operator's analysis, Sec.  417.203(d) 
applies. Section A417.33 applies to the flight of any unguided 
suborbital launch vehicle that uses a wind-weighting safety system. 
All other sections of this appendix apply to the flight of any 
launch vehicle required to use a flight safety system as required by 
Sec.  417.107(a). For any alternative flight safety system approved 
by the FAA as required by Sec.  417.301(b), the FAA will determine 
the applicability of this appendix during the licensing process.

A417.5 General.

    A launch operator's flight safety analysis must satisfy the 
requirements for public risk management and the requirements for the 
compatibility of the input and output of dependent analyses of Sec.  
417.205.

A417.7 Trajectory.

    (a) General. A flight safety analysis must include a trajectory 
analysis that satisfies the requirements of Sec.  417.207. This 
section applies to the computation of each of the trajectories 
required by Sec.  417.207 and to each trajectory analysis product 
that a launch operator must file with the FAA as required by Sec.  
417.203(e).
    (b) Wind standards. A trajectory analysis must incorporate wind 
data in accordance with the following:
    (1) For each launch, a trajectory analysis must produce ``with-wind'' 
launch vehicle trajectories pursuant to paragraph (f)(6) of 
this section and do so using composite wind profiles for the month 
that the launch will take place or composite wind profiles that are 
as severe or more severe than the winds for the month that the 
launch will take place.
    (2) A composite wind profile used for the trajectory analysis 
must have a cumulative percentile frequency that represents wind 
conditions that are at least as severe as the worst wind conditions 
under which flight would be attempted for purposes of achieving the 
launch operator's mission. These worst wind conditions must account 
for the launch vehicle's ability to operate normally in the presence 
of wind and accommodate any flight safety limit constraints.
    (c) Nominal trajectory. A trajectory analysis must produce a 
nominal trajectory that describes a launch vehicle's flight path, 
position and velocity, where all vehicle aerodynamic parameters are 
as expected, all vehicle internal and external systems perform 
exactly as planned, and no external perturbing influences other than 
atmospheric drag and gravity affect the launch vehicle.
    (d) Dispersed trajectories. A trajectory analysis must produce 
the following dispersed trajectories and describe the distribution 
of a launch vehicle's position and velocity as a function of winds 
and performance error parameters in the uprange, downrange, left-
crossrange and right-crossrange directions.
    (1) Three-sigma maximum and minimum performance trajectories. A 
trajectory analysis must produce a three-sigma maximum performance 
trajectory that provides the maximum downrange distance of the 
instantaneous impact point for any given time after lift-off. A 
trajectory analysis must produce a three-sigma minimum performance 
trajectory that provides the minimum downrange distance of the 
instantaneous impact point for any given time after lift-off. For 
any time after lift-off, the instantaneous impact point dispersion 
of a normally performing launch vehicle must lie between the 
extremes achieved at that time after lift-off by the three-sigma 
maximum and three-sigma minimum performance trajectories. The three-
sigma maximum and minimum performance trajectories must account for 
wind and performance error parameter distributions as follows:
    (i) For each three-sigma maximum and minimum performance 
trajectory, the analysis must use composite head wind and composite 
tail wind profiles that represent the worst wind conditions under 
which a launch would be attempted as required by paragraph (b) of 
this section.
    (ii) Each three-sigma maximum and minimum performance trajectory 
must account for all launch vehicle performance error parameters 
identified as required by paragraph (f)(1) of this section that have 
an effect upon instantaneous impact point range.
    (2) Three-sigma left and right lateral trajectories. A 
trajectory analysis must produce a three-sigma left lateral 
trajectory that provides the maximum left crossrange distance of the 
instantaneous impact point for any time after lift-off. A trajectory 
analysis must produce a three-sigma right lateral trajectory that 
provides the maximum right crossrange distance of the instantaneous 
impact point for any time after lift-off. For any time after lift-
off, the instantaneous impact point dispersion of a normally 
performing launch vehicle must lie between the extremes achieved at 
that time after liftoff by the three-sigma left lateral and three-
sigma right lateral performance trajectories. The three-sigma 
lateral performance trajectories must account for wind and 
performance error parameter distributions as follows:
    (i) In producing each left and right lateral trajectory, the 
analysis must use composite left and composite right lateral-wind 
profiles that represent the worst wind conditions under which a 
launch would be attempted as required by paragraph (b) of this 
section.
    (ii) The three-sigma left and right lateral trajectories must 
account for all launch vehicle performance error parameters 
identified as required by paragraph (f)(1) of this section that have 
an effect on the lateral deviation of the instantaneous impact 
point.
    (3) Fuel-exhaustion trajectory. A trajectory analysis must 
produce a fuel-exhaustion trajectory for the launch of any launch 
vehicle with a final suborbital stage that will terminate thrust 
nominally without burning to fuel exhaustion. The analysis must 
produce the trajectory that would occur if the planned thrust 
termination of the final suborbital stage did not occur. The 
analysis must produce a fuel-exhaustion trajectory that extends 
either the nominal trajectory taken through fuel exhaustion of the 
last suborbital stage or the three-sigma maximum trajectory taken 
through fuel exhaustion of the last suborbital stage, whichever 
produces an instantaneous impact point with the greatest range for 
any time after liftoff.
    (e) Straight-up trajectory. A trajectory analysis must produce a 
straight-up trajectory that begins at the planned time of ignition, 
and that simulates a malfunction that causes the launch vehicle to 
fly in a vertical or near vertical direction above the launch point. 
A straight-up trajectory must last no less than the sum of the 
straight-up time determined as required by section A417.15 plus the 
duration of a potential malfunction turn determined as required by 
section A417.9(b)(2).
    (f) Analysis process and computations. A trajectory analysis 
must produce each three-sigma trajectory required by this appendix 
using a six-degree-of-freedom trajectory model and an analysis 
method, such as root sum-square or Monte Carlo, that accounts for 
all individual launch vehicle performance error parameters that 
contribute to the dispersion of the launch vehicle's instantaneous 
impact point.
    (1) A trajectory analysis must identify all launch vehicle 
performance error parameters and each parameter's distribution to 
account for all launch vehicle performance variations and any 
external forces that can cause offsets from the nominal trajectory 
during normal flight. A trajectory analysis must account for, but 
need not be limited to, the following performance error parameters:
    (i) Thrust;
    (ii) Thrust misalignment;
    (iii) Specific impulse;
    (iv) Weight;
    (v) Variation in firing times of the stages;
    (vi) Fuel flow rates;
    (vii) Contributions from the guidance, navigation, and control 
systems;
    (ix) Steering misalignment; and
    (x) Winds.
    (2) Each three-sigma trajectory must account for the effects of 
wind from liftoff through the point in flight where the launch 
vehicle attains an altitude where wind no longer affects the launch 
vehicle.
    (g) Trajectory analysis products. The products of a trajectory 
analysis that a launch operator must file with the FAA include the 
following:

[[Page 50567]]

    (1) Assumptions and procedures. A description of all 
assumptions, procedures and models, including the six-degrees-of-
freedom model, used in deriving each trajectory.
    (2) Three-sigma launch vehicle performance error parameters. A 
description of each three-sigma performance error parameter 
accounted for by the trajectory analysis and a description of each 
parameter's distribution determined as required by paragraph (f)(1) 
of this section.
    (3) Wind profile. A graph and tabular listing of each wind 
profile used in performing the trajectory analysis as required by 
paragraph (b)(1) of this section and the worst case winds required 
by paragraph (b)(2) of this section. The graph and tabular wind data 
must provide wind magnitude and direction as a function of altitude 
for the air space regions from the Earth's surface to 100,000 feet 
in altitude for the area intersected by the launch vehicle 
trajectory. Altitude intervals must not exceed 5000 feet.
    (4) Launch azimuth. The azimuthal direction of the trajectory's 
``X-axis'' at liftoff measured clockwise in degrees from true north.
    (5) Launch point. Identification and location of the proposed 
launch point, including its name, geodetic latitude, geodetic 
longitude, and geodetic height.
    (6) Reference ellipsoid. The name of the reference ellipsoid 
used by the trajectory analysis to approximate the average curvature 
of the Earth and the following information about the model:
    (i) Length of semi-major axis;
    (ii) Length of semi-minor axis;
    (iii) Flattening parameter;
    (iv) Eccentricity;
    (v) Gravitational parameter;
    (vi) Angular velocity of the Earth at the equator; and
    (vii) If the reference ellipsoid is not a WGS-84 ellipsoidal 
Earth model, the equations that convert the filed ellipsoid 
information to the WGS-84 ellipsoid.
    (7) Temporal trajectory items. A launch operator must provide 
the following temporal trajectory data for time intervals not in 
excess of one second and for the discrete time points that 
correspond to each jettison, ignition, burnout, and thrust 
termination of each stage. If any stage burn time lasts less than 
four seconds, the time intervals must not exceed 0.2 seconds. The 
launch operator must provide the temporal trajectory data from 
launch up to a point in flight when effective thrust of the final 
stage terminates, or to thrust termination of the stage or burn that 
places the vehicle in orbit. For an unguided sub-orbital launch 
vehicle flown with a flight safety system, the launch operator must 
provide these data for each nominal quadrant launcher elevation 
angle and payload weight. The launch operator must provide these 
data on paper in text format and electronically in ASCII text, space 
delimited format. The launch operator must provide an electronic 
``read-me'' file that identifies the data and their units of measure 
in the individual disk files.
    (i) Trajectory time-after-liftoff. A launch operator must 
provide trajectory time-after-liftoff measured from first motion of 
the first thrusting stage of the launch vehicle. The tabulated data 
must identify the first motion time as T-0 and as the ``0.0'' time 
point on the trajectory.
    (ii) Launch vehicle direction cosines. A launch operator must 
provide the direction cosines of the roll axis, pitch axis, and yaw 
axis of the launch vehicle. The roll axis is a line identical to the 
launch vehicle's longitudinal axis with its origin at the nominal 
center of gravity positive towards the vehicle nose. The roll plane 
is normal to the roll axis at the vehicle's nominal center of 
gravity. The yaw axis and the pitch axis are any two orthogonal axes 
lying in the roll plane. The launch operator must provide roll, 
pitch and yaw axes of right-handed systems so that, when looking 
along the roll axis toward the nose, a clockwise rotation around the 
roll axis will send the pitch axis toward the yaw axis. The right-
handed system must be oriented so that the yaw axis is positive in 
the downrange direction while in the vertical position (roll axis 
upward from surface) or positive at an angle of 180 degrees to the 
downrange direction. The axis may be related to the vehicle's normal 
orientation with respect to the vehicle's trajectory but, once 
defined, remain fixed with respect to the vehicle's body. The launch 
operator must indicate the positive direction of the yaw axis 
chosen. The analysis products must present the direction cosines 
using the EFG reference system described in paragraph (g)(7)(iv) of 
this section.
    (iii) X, Y, Z, XD, YD, ZD trajectory coordinates. A launch 
operator must provide the launch vehicle position coordinates (X, Y, 
Z) and velocity magnitudes (XD, YD, ZD) referenced to an orthogonal, 
Earth-fixed, right-handed coordinate system. The XY plane must be 
tangent to the ellipsoidal Earth at the origin, which must coincide 
with the launch point. The positive X-axis must coincide with the 
launch azimuth. The positive Z-axis must be directed away from the 
ellipsoidal Earth. The Y-axis must be positive to the left looking 
downrange.
    (iv) E, F, G, ED, FD, GD trajectory coordinates. A launch 
operator must provide the launch vehicle position coordinates (E, F, 
G) and velocity magnitudes (ED, FD, GD) referenced to an orthogonal, 
Earth-fixed, Earth-centered, right-handed coordinate system. The 
origin of the EFG system must be at the center of the reference 
ellipsoid. The E and F axes must lie in the plane of the equator and 
the G-axis coincides with the rotational axis of the Earth. The E-
axis must be positive through 0° East longitude (Greenwich 
Meridian), the F-axis positive through 90° East longitude, and the 
G-axis positive through the North Pole. This system must be non-
inertial and rotate with the Earth.
    (v) Resultant Earth-fixed velocity. A launch operator must 
provide the square root of the sum of the squares of the XD, YD, and 
ZD components of the trajectory state vector.
    (vi) Path angle of velocity vector. A launch operator must 
provide the angle between the local horizontal plane and the 
velocity vector measured positive upward from the local horizontal. 
The local horizontal must be a plane tangent to the ellipsoidal 
Earth at the sub-vehicle point.
    (vii) Sub-vehicle point. A launch operator must provide sub-
vehicle point coordinates that include present position geodetic 
latitude and present position longitude. These coordinates must be 
at each trajectory time on the surface of the ellipsoidal Earth 
model and located at the intersection of the line normal to the 
ellipsoid and passing through the launch vehicle center of gravity.
    (viii) Altitude. A launch operator must provide the distance 
from the sub-vehicle point to the launch vehicle's center of 
gravity.
    (ix) Present position arc-range. A launch operator must provide 
the distance measured along the surface of the reference ellipsoid, 
from the launch point to the sub-vehicle point.
    (x) Total weight. A launch operator must provide the sum of the 
inert and propellant weights for each time point on the trajectory.
    (xi) Total vacuum thrust. A launch operator must provide the 
total vacuum thrust for each time point on the trajectory.
    (xii) Instantaneous impact point data. A launch operator must 
provide instantaneous impact point geodetic latitude, instantaneous 
impact point longitude, instantaneous impact point arc-range, and 
time to instantaneous impact. The instantaneous impact point arc-
range must consist of the distance, measured along the surface of 
the reference ellipsoid, from the launch point to the instantaneous 
impact point. For each point on the trajectory, the time to 
instantaneous impact must consist of the vacuum flight time 
remaining until impact if all thrust were terminated at the time 
point on the trajectory.
    (xiii) Normal trajectory distribution. A launch operator must 
provide a description of the distribution of the dispersed 
trajectories required under paragraph (d) of this section, such as 
the elements of covariance matrices for the launch vehicle position 
coordinates and velocity component magnitudes.
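
The relationship between the pad-centered X, Y, Z system of paragraph (g)(7)(iii), the Earth-centered E, F, G system of paragraph (g)(7)(iv), and the resultant velocity of paragraph (g)(7)(v) can be checked numerically. The following is an added example, not part of the rule text; it assumes a WGS-84 ellipsoid, metres and metres per second, a launch azimuth measured clockwise from true north, and an XYZ origin placed at the launch point's geodetic height. All function names are hypothetical.

```python
import math

# WGS-84 defining constants: semi-major axis (metres, assumed unit) and flattening.
WGS84_A = 6378137.0
WGS84_F = 1.0 / 298.257223563


def geodetic_to_efg(lat_deg, lon_deg, height, a=WGS84_A, f=WGS84_F):
    """Geodetic latitude, longitude and height -> Earth-centered E, F, G."""
    lat, lon = math.radians(lat_deg), math.radians(lon_deg)
    e2 = f * (2.0 - f)  # eccentricity squared, from the flattening
    n = a / math.sqrt(1.0 - e2 * math.sin(lat) ** 2)  # prime-vertical radius
    return (
        (n + height) * math.cos(lat) * math.cos(lon),
        (n + height) * math.cos(lat) * math.sin(lon),
        (n * (1.0 - e2) + height) * math.sin(lat),
    )


def pad_axes_in_efg(lat_deg, lon_deg, azimuth_deg):
    """Unit vectors of the pad-centered X, Y, Z axes, expressed in EFG.

    X lies along the launch azimuth in the tangent plane, Z points away
    from the ellipsoid along its normal, and Y completes the right-handed
    set, which puts it to the left when looking downrange.
    Assumption: azimuth is measured clockwise from true north.
    """
    lat, lon, az = (math.radians(v) for v in (lat_deg, lon_deg, azimuth_deg))
    east = (-math.sin(lon), math.cos(lon), 0.0)
    north = (-math.sin(lat) * math.cos(lon),
             -math.sin(lat) * math.sin(lon),
             math.cos(lat))
    up = (math.cos(lat) * math.cos(lon),
          math.cos(lat) * math.sin(lon),
          math.sin(lat))
    x_hat = tuple(math.sin(az) * e + math.cos(az) * n for e, n in zip(east, north))
    y_hat = tuple(math.sin(az) * n - math.cos(az) * e for e, n in zip(east, north))
    return x_hat, y_hat, up


def rotate_to_efg(vec, axes):
    """Express a vector given in pad-centered components in EFG components."""
    x_hat, y_hat, z_hat = axes
    return tuple(
        vec[0] * x_hat[i] + vec[1] * y_hat[i] + vec[2] * z_hat[i] for i in range(3)
    )


def xyz_state_to_efg(state, lat_deg, lon_deg, height, azimuth_deg):
    """(X, Y, Z, XD, YD, ZD) -> (E, F, G, ED, FD, GD).

    Both systems are Earth-fixed, so the velocity needs only the rotation;
    the position also needs the launch point offset from the Earth's center.
    """
    axes = pad_axes_in_efg(lat_deg, lon_deg, azimuth_deg)
    origin = geodetic_to_efg(lat_deg, lon_deg, height)
    pos = rotate_to_efg(state[:3], axes)
    vel = rotate_to_efg(state[3:], axes)
    return tuple(o + p for o, p in zip(origin, pos)) + vel


def resultant_velocity(xd, yd, zd):
    """Square root of the sum of the squares of the velocity components."""
    return math.sqrt(xd * xd + yd * yd + zd * zd)


if __name__ == "__main__":
    # Constructed sample: launch point on the equator at 0 deg longitude,
    # launch azimuth due east, one trajectory point.
    sample = (1000.0, 200.0, 500.0, 30.0, 0.0, 40.0)
    print(xyz_state_to_efg(sample, 0.0, 0.0, 0.0, 90.0))
    print(resultant_velocity(*sample[3:]))
```

Because the rotation preserves length, the resultant velocity computed from ED, FD, GD must equal the one computed from XD, YD, ZD, which gives a quick consistency check on a filed trajectory table.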

A417.9 Malfunction turn.

    (a) General. A flight safety analysis must include a malfunction 
turn analysis that satisfies the requirements of Sec.  417.209. This 
section applies to the computation of the malfunction turns and the 
production of turn data required by Sec.  417.209 and to the 
malfunction turn analysis products that a launch operator must file 
with the FAA as required by Sec.  417.203(e).
    (b) Malfunction turn analysis constraints. The following 
constraints apply to a malfunction turn analysis:
    (1) The analysis must produce malfunction turns that start at a 
given malfunction start time. The turn must last no less than 12 
seconds. These duration limits apply regardless of whether or not 
the vehicle would break up or tumble before the prescribed duration 
of the turn.
    (2) A malfunction turn analysis must account for the thrusting 
periods of flight along a nominal trajectory beginning at first 
motion until thrust termination of the final thrusting stage or 
until the launch vehicle achieves orbit, whichever occurs first.
    (3) A malfunction turn must consist of a 90-degree turn or a 
turn in both the pitch and yaw planes that would produce the largest
deviation from the nominal instantaneous impact point of which the 
launch vehicle is capable at any time during the malfunction turn as 
required by paragraph (d) of this section.
    (4) The first malfunction turn must start at liftoff. The 
analysis must account for subsequent malfunction turns initiated at 
regular nominal trajectory time intervals not to exceed four 
seconds.
    (5) A malfunction turn analysis must produce malfunction turn 
data for time intervals of no less than one second over the duration 
of each malfunction turn.
    (6) The analysis must assume that the launch vehicle performance 
is nominal up to the point of the malfunction that produces the 
turn.
    (7) A malfunction turn analysis must not account for the effects 
of gravity.
    (8) A malfunction turn analysis must ensure the tumble turn 
envelope curve maintains a positive slope throughout the malfunction 
turn duration as illustrated in figure A417.9-1. When calculating a 
tumble turn for an aerodynamically unstable launch vehicle, in the 
high aerodynamic region it often turns out that no matter how small 
the initial deflection of the rocket engine, the airframe tumbles 
through 180 degrees, or one-half cycle, in less time than the 
required turn duration period. In such a case, the analysis must use 
a 90-degree turn as the malfunction turn.
    (c) Failure modes. A malfunction turn analysis must account for 
the significant failure modes that result in a thrust vector offset 
from the nominal state. If a malfunction turn at a malfunction start 
time can occur as a function of more than one failure mode, the 
analysis must account for the failure mode that causes the most 
rapid and largest launch vehicle instantaneous impact point 
deviation.
    (d) Type of malfunction turn. A malfunction turn analysis must 
establish the maximum turning capability of a launch vehicle's 
velocity vector during each malfunction turn by accounting for a 90-
degree turn to estimate the vehicle's turning capability or by 
accounting for trim turns and tumble turns in both the pitch and yaw 
planes to establish the vehicle's turning capability. When 
establishing the turning capability of a launch vehicle's velocity 
vector, the analysis must account for each turn as follows:
    (1) 90-degree turn. A 90-degree turn must constitute a turn 
produced at the malfunction start time by instantaneously re-
directing and maintaining the vehicle's thrust at 90 degrees to the 
velocity vector, without regard for how this situation can be 
brought about.
    (2) Pitch turn. A pitch turn must constitute the angle turned by 
the launch vehicle's total velocity vector in the pitch-plane. The 
velocity vector's pitch-plane must be the two dimensional surface 
that includes the launch vehicle's yaw-axis and the launch vehicle's 
roll-axis.
    (3) Yaw turn. A yaw turn must constitute the angle turned by the 
launch vehicle's total velocity vector in the lateral plane. The 
velocity vector's lateral plane must be the two dimensional surface 
that includes the launch vehicle's pitch axis and the launch 
vehicle's total velocity.
    (4) Trim turn. A trim turn must constitute a turn where a launch 
vehicle's thrust moment balances the aerodynamic moment while a 
constant rotation rate is imparted to the launch vehicle's 
longitudinal axis. The analysis must account for a maximum-rate trim 
turn made at or near the greatest angle of attack that can be 
maintained while the aerodynamic moment is balanced by the thrust 
moment, whether the vehicle is stable or unstable.
    (5) Tumble turn. A tumble turn must constitute a turn that 
results if the launch vehicle's airframe rotates in an uncontrolled 
fashion, at an angular rate that is brought about by a thrust vector 
offset angle, and if the offset angle is held constant throughout 
the turn. The analysis must account for a series of tumble turns, 
each turn with a different thrust vector offset angle, that are 
plotted on the same graph for each malfunction start time.
    (6) Turn envelope. A turn envelope must constitute a curve on a 
tumble turn graph that has tangent points to each individual tumble 
turn curve computed for each malfunction start time. The curve must 
envelope the actual tumble turn curves to predict tumble turn angles 
for each area between the calculated turn curves. Figure A417.9-1 
depicts a series of tumble turn curves and the tumble turn envelope 
curve.
    (7) Malfunction turn capabilities. When not using a 90-degree 
turn, a malfunction turn analysis must establish the launch vehicle 
maximum turning capability as required by the following malfunction 
turn constraints:
    (i) Launch vehicle stable at all angles of attack. If a launch 
vehicle is so stable that the maximum thrust moment that the vehicle 
could experience cannot produce tumbling, but produces a maximum-
rate trim turn at some angle of attack less than 90 degrees, the 
analysis must produce a series of trim turns, including the maximum-
rate trim turn, by varying the initial thrust vector offset at the 
beginning of the turn. If the maximum thrust moment results in a 
maximum-rate trim turn at some angle of attack greater than 90 
degrees, the analysis must produce a series of trim turns for angles 
of attack up to and including 90 degrees.
    (ii) Launch vehicle aerodynamically unstable at all angles of 
attack. If flying a trim turn is not possible even for a period of 
only a few seconds, the malfunction turn analysis need only 
establish tumble turns. Otherwise, the malfunction turn analysis 
must establish a series of trim turns, including the maximum-rate 
trim turn, and the family of tumble turns.
    (iii) Launch vehicle unstable at low angles of attack but stable 
at some higher angles of attack. If large engine deflections result 
in tumbling, and small engine deflections do not, the analysis must 
produce a series of trim and tumble turns as required by paragraph 
(d)(7)(ii) of this section for launch vehicles aerodynamically 
unstable at all angles of attack. If both large and small constant 
engine deflections result in tumbling, regardless of how small the 
deflection might be, the analysis must account for the malfunction 
turn capabilities achieved at the stability angle of attack, 
assuming no upsetting thrust moment, and must account for the turns 
achieved by a tumbling vehicle.
    (e) Malfunction turn analysis products. The products of a 
malfunction turn analysis that a launch operator must file with the 
FAA include:
    (1) A description of the assumptions, techniques, and equations 
used in deriving the malfunction turns.
    (2) A set of sample calculations for at least one flight hazard 
area malfunction start time and one downrange malfunction start 
time. The sample computation for the downrange malfunction must 
start at a time at least 50 seconds after the flight hazard area 
malfunction start time or at the time of nominal thrust termination 
of the final stage minus the malfunction turn duration.
    (3) A launch operator must file malfunction turn data in 
electronic tabular and graphic formats. The graphs must use scale 
factors such that the plotting and reading accuracy do not degrade 
the accuracy of the data. For each malfunction turn start time, a 
graph must use the same time scales for the malfunction velocity 
vector turn angle and malfunction velocity magnitude plot pairs. A 
launch operator must provide tabular listings of the data used to 
generate the graphs in digital ASCII file format. A launch operator 
must file the data items required in this paragraph for each 
malfunction start time and for time intervals that do not exceed one 
second for the duration of each malfunction turn.
    (i) Velocity turn angle graphs. A launch operator must file a 
velocity turn angle graph for each malfunction start time. For each 
velocity turn angle graph, the ordinate axis must represent the 
total angle turned by the velocity vector, and the abscissa axis 
must represent the time duration of the turn and must show 
increments not to exceed one second. The series of tumble turns must 
include the envelope of all tumble turn curves. The tumble turn 
envelope must represent the tumble turn capability for all possible 
constant thrust vector offset angles. Each tumble turn curve 
selected to define the envelope must appear on the same graph as the 
envelope. A launch operator must file a series of trim turn curves 
for representative values of thrust vector offset. The series of 
trim turn curves must include the maximum rate trim turn. Figure 
A417.9-1 depicts an example family of tumble turn curves and the 
tumble turn velocity vector envelope.

[GRAPHIC] [TIFF OMITTED] TR25AU06.005

    (ii) Velocity magnitude graphs. A launch operator must file a 
velocity magnitude graph for each malfunction start time. For each 
malfunction velocity magnitude graph, the ordinate axis must 
represent the magnitude of the velocity vector and the abscissa axis 
must represent the time duration of the turn. Each graph must show 
the abscissa divided into increments not to exceed one second. Each 
graph must show the total velocity magnitude plotted as a function 
of time starting with the malfunction start time for each thrust 
vector offset used to define the corresponding velocity turn-angle 
curve. A launch operator must provide a corresponding velocity 
magnitude curve for each velocity tumble turn angle curve and each 
velocity trim-turn angle curve. For each individual tumble turn 
curve selected to define the tumble turn envelope, the corresponding 
velocity magnitude graph must show the individual tumble turn 
curve's point of tangency to the envelope. The point of tangency 
must consist of the point where the tumble turn envelope is tangent 
to an individual tumble turn curve produced with a discrete thrust 
vector offset angle. A launch operator must transpose the points of 
tangency to the velocity magnitude curves by plotting a point on the 
velocity magnitude curve at the same time point where tangency 
occurs on the corresponding velocity tumble-turn angle curve. Figure 
A417.9-2 depicts an example tumble turn velocity magnitude curve.

[GRAPHIC] [TIFF OMITTED] TR25AU06.006

    (iii) Vehicle orientation. The launch operator must file tabular 
or graphical data for the vehicle orientation in the form of roll, 
pitch, and yaw angular orientation of the vehicle longitudinal axis 
as a function of time into the turn for each turn initiation time. 
Angular orientation of a launch vehicle's longitudinal axis is 
illustrated in figures A417.9-3 and A417.9-4.

[GRAPHIC] [TIFF OMITTED] TR25AU06.007

[GRAPHIC] [TIFF OMITTED] TR25AU06.008

    (iv) Onset conditions. A launch operator must provide launch 
vehicle state information for each malfunction start time. This 
state data must include the launch vehicle thrust, weight, velocity 
magnitude and pad-centered topocentric X, Y, Z, XD, YD, ZD state 
vector.
    (v) Breakup information. A launch operator must specify whether 
its launch vehicle will remain intact throughout each malfunction 
turn. If the launch vehicle will break up during a turn, the launch 
operator must identify the time for launch vehicle breakup on each 
velocity magnitude graph. The launch operator must show the time 
into the turn at which vehicle breakup would occur as either a 
specific value or a probability distribution for time until breakup.
    (vi) Inflection point. A launch operator must identify the 
inflection point on each tumble turn envelope curve and maximum rate 
trim turn curve for each malfunction start time as illustrated in 
figure A417.9-1. The inflection point marks the point in time during 
the turn where the slope of the curve stops increasing and begins to 
decrease or, in other words, the point where the concavity of the 
curve changes from concave up to concave down. The inflection point 
on a malfunction turn curve must identify the time in the 
malfunction turn that the launch vehicle body achieves a 90-degree 
rotation from the nominal position. On a tumble turn curve the 
inflection point must represent the start of the launch vehicle 
tumble.

A417.11 Debris.

    (a) General. A flight safety analysis must include a debris 
analysis that satisfies the requirements of Sec.  417.211. This 
section applies to the debris data required by Sec.  417.211 and the 
debris analysis products that a launch operator must file with the 
FAA as required by Sec.  417.203(e).
    (b) Debris analysis constraints. A debris analysis must produce 
the debris model described in paragraph (c) of this section. The 
analysis must account for all launch vehicle debris fragments, 
individually or in groupings of fragments called classes. The 
characteristics of each debris fragment represented by a class must 
be similar enough to the characteristics of all the other debris 
fragments represented by that class that all the debris fragments of 
the class can be described by a single set of characteristics. 
Paragraph (c)(10) of this section applies when establishing a debris 
class. A debris model must describe the physical, aerodynamic, and 
harmful characteristics of each debris fragment either individually 
or as a member of a class. A debris model must consist of lists of 
individual debris or debris classes for each cause of breakup and 
any planned jettison of debris, launch vehicle components, or 
payload. A debris analysis must account for:
    (1) Launch vehicle breakup caused by the activation of any 
flight termination system. The analysis must account for:
    (i) The effects of debris produced when flight termination 
system activation destroys an intact malfunctioning vehicle.
    (ii) Spontaneous breakup of the launch vehicle, if the breakup 
is assisted by the action of any inadvertent separation destruct 
system.
    (iii) The effects of debris produced by the activation of any 
flight termination system after inadvertent breakup of the launch 
vehicle.
    (2) Debris due to any malfunction where forces on the launch 
vehicle may exceed the launch vehicle's structural integrity limits.
    (3) The immediate post-breakup or jettison environment of the 
launch vehicle debris, and any change in debris characteristics over 
time from launch vehicle breakup or jettison until debris impact.
    (4) The impact overpressure, fragmentation, and secondary debris 
effects of any confined or unconfined solid propellant chunks and 
fueled components containing either liquid or solid propellants that 
could survive to impact, as a function of vehicle malfunction time.
    (5) The effects of impact of the intact vehicle as a function of 
failure time. The intact impact debris analysis must identify the 
trinitrotoluene (TNT) yield of impact explosions, and the numbers of 
fragments projected from all such explosions, including non-launch 
vehicle ejecta and the blast overpressure radius. The analysis must 
use a model for TNT yield of impact explosion that accounts for the 
propellant weight at impact, the impact speed, the orientation of 
the propellant, and the impacted surface material.
    (c) Debris model. A debris analysis must produce a model of the 
debris resulting from planned jettison and from unplanned breakup of 
a launch vehicle for use as input to other analyses, such as 
establishing flight safety limits and hazard areas and performing 
debris risk, toxic, and blast analyses. A launch operator's debris 
model must satisfy the following:
    (1) Debris fragments. A debris model must provide the debris 
fragment data required by this section for the launch vehicle flight 
from the planned ignition time until the launch vehicle achieves 
orbital velocity for an orbital launch. For a sub-orbital launch, 
the debris model must provide the debris fragment data required by 
this section for the launch vehicle flight from the planned ignition 
time until impact of the last thrusting stage. A debris model must 
provide debris fragment data for the number of time periods 
sufficient to meet the requirements for smooth and continuous 
contours used to define hazard areas as required by section A417.23.
    (2) Inert fragments. A debris model must identify all inert 
fragments that are not volatile and that do not burn or explode 
under normal and malfunction conditions. A debris model must 
identify all inert fragments for each breakup time during flight 
corresponding to a critical event when the fragment catalog is 
significantly changed by the event. Critical events include staging, 
payload fairing jettison, and other normal hardware jettison 
activities.
    (3) Explosive and non-explosive propellant fragments. A debris 
model must identify all propellant fragments that are explosive or 
non-explosive upon impact. The debris model must describe each 
propellant fragment as a function of time, from the time of breakup 
through ballistic free-fall to impact. The debris model must 
describe the characteristics of each fragment, including its origin 
on the launch vehicle, representative dimensions and weight at the 
time of breakup and at the time of impact. For any fragment 
identified as an un-contained or contained propellant fragment, 
whether explosive or non-explosive, the debris model must identify 
whether or not it burns during free fall, and provide the 
consumption rate during free fall. The debris model must identify:
    (i) Solid propellant that is exposed directly to the atmosphere 
and that burns but does not explode upon impact as ``un-contained 
non-explosive solid propellant.''
    (ii) Solid or liquid propellant that is enclosed in a container, 
such as a motor case or pressure vessel, and that burns but does not 
explode upon impact as ``contained non-explosive propellant.''
    (iii) Solid or liquid propellant that is enclosed in a 
container, such as a motor case or pressure vessel, and that 
explodes upon impact as ``contained explosive propellant fragment.''
    (iv) Solid propellant that is exposed directly to the atmosphere 
and that explodes upon impact as ``un-contained explosive solid 
propellant fragment.''
    (4) Other non-inert debris fragments. In addition to the 
explosive and flammable fragments required by paragraph (c)(3) of 
this section, a debris model must identify any other non-inert 
debris fragments, such as toxic or radioactive fragments, that 
present any other hazards to the public.
    (5) Fragment weight. At each modeled breakup time, the 
individual fragment weights must approximately add up to the sum 
total weight of inert material in the vehicle and the weight of 
contained liquid propellants and solid propellants that are not 
consumed in the initial breakup or conflagration.
    (6) Fragment imparted velocity. A debris model must identify the 
maximum velocity imparted to each fragment due to potential 
explosion or pressure rupture. When accounting for imparted 
velocity, a debris model must:
    (i) Use a Maxwellian distribution with the specified maximum 
value equal to the 97th percentile; or
    (ii) Identify the distribution, and must state whether or not 
the specified maximum value is a fixed value with no uncertainty.
    (7) Fragment projected area. A debris model must include each of 
the axial, transverse, and mean tumbling areas of each fragment. If 
the fragment may stabilize under normal or malfunction conditions, 
the debris model must also provide the projected area normal to the 
drag force.
    (8) Fragment ballistic coefficient. A debris model must include 
the axial, transverse, and tumble orientation ballistic coefficient 
for each fragment's projected area as required by paragraph (c)(7) 
of this section.
    (9) Debris fragment count. A debris model must include the total 
number of each type of fragment required by paragraphs (c)(2), 
(c)(3), and (c)(4) of this section and created by a malfunction.
    (10) Fragment classes. A debris model must categorize each 
malfunction debris fragment into classes where the characteristics 
of the mean fragment in each
class conservatively represent every fragment in the class. The 
model must define fragment classes for fragments whose 
characteristics are similar enough to be described and treated by a 
single average set of characteristics. A debris class must 
categorize debris by each of the following characteristics, and may 
include any other useful characteristics:
    (i) The type of fragment, defined by paragraphs (c)(2), (c)(3), 
and (c)(4) of this section. All fragments within a class must be the 
same type, such as inert or explosive.
    (ii) Debris subsonic ballistic coefficient (β_sub). The 
difference between the smallest log10(β_sub) value and the largest 
log10(β_sub) value in a class must not exceed 0.5, except for 
fragments with β_sub less than or equal to three. Fragments with 
β_sub less than or equal to three may be grouped within a class.
    (iii) Breakup-imparted velocity (ΔV). A debris model must 
categorize fragments as a function of the range of ΔV for the 
fragments within a class and the class's median subsonic ballistic 
coefficient. For each class, the debris model must keep the ratio of 
the maximum breakup-imparted velocity (ΔV_max) to minimum 
breakup-imparted velocity (ΔV_min) within the following bound:
[GRAPHIC] [TIFF OMITTED] TR25AU06.106

    Where: β'_sub is the median subsonic ballistic 
coefficient for the fragments in a class.
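
The class rules of paragraphs (c)(10)(i) and (c)(10)(ii) can be applied mechanically to a fragment catalog. The following is an added example, not part of the rule text; the names, the sample catalog, and the greedy grouping strategy are assumptions, fragments with a subsonic ballistic coefficient of three or less are placed in their own class per type, and the breakup-imparted velocity ratio of paragraph (c)(10)(iii) is not checked because its bound is not reproduced in this text.

```python
import math
from dataclasses import dataclass

LOG_BETA_SPAN_LIMIT = 0.5  # largest allowed spread of log10(beta_sub) in a class
LOW_BETA_THRESHOLD = 3.0   # fragments at or below this value may share a class


@dataclass(frozen=True)
class Fragment:
    name: str
    ftype: str       # fragment type under (c)(2), (c)(3) or (c)(4)
    beta_sub: float  # subsonic ballistic coefficient, in the model's units


def class_violations(fragments):
    """Return a list of rule violations for one proposed fragment class."""
    if not fragments:
        return ["class is empty"]
    problems = []
    types = {f.ftype for f in fragments}
    if len(types) > 1:
        problems.append("mixed fragment types: " + ", ".join(sorted(types)))
    if any(f.beta_sub <= 0.0 for f in fragments):
        problems.append("non-positive ballistic coefficient")
        return problems
    # Exception: a class made up only of low-beta fragments has no span limit.
    if all(f.beta_sub <= LOW_BETA_THRESHOLD for f in fragments):
        return problems
    # Conservative reading (assumption): any class containing a fragment
    # above the threshold is checked across all of its members.
    logs = [math.log10(f.beta_sub) for f in fragments]
    span = max(logs) - min(logs)
    if span > LOG_BETA_SPAN_LIMIT:
        problems.append(f"log10(beta_sub) span {span:.3f} exceeds 0.5")
    return problems


def group_into_classes(fragments):
    """Greedy grouping: one pass per type over fragments sorted by beta_sub."""
    by_type = {}
    for frag in fragments:
        by_type.setdefault(frag.ftype, []).append(frag)
    classes = []
    for ftype in sorted(by_type):
        members = sorted(by_type[ftype], key=lambda f: f.beta_sub)
        low = [f for f in members if f.beta_sub <= LOW_BETA_THRESHOLD]
        if low:
            classes.append(low)
        current = []
        for frag in members[len(low):]:
            # Start a new class once the spread from the class minimum is too wide.
            if current and (math.log10(frag.beta_sub)
                            - math.log10(current[0].beta_sub)) > LOG_BETA_SPAN_LIMIT:
                classes.append(current)
                current = []
            current.append(frag)
        if current:
            classes.append(current)
    return classes


# Constructed sample catalog; names and values are illustrative only.
SAMPLE_CATALOG = [
    Fragment("skin panel", "inert", 1.0),
    Fragment("insulation sheet", "inert", 2.5),
    Fragment("bracket", "inert", 4.0),
    Fragment("strut", "inert", 10.0),
    Fragment("valve body", "inert", 12.0),
    Fragment("engine section", "inert", 40.0),
    Fragment("thrust frame", "inert", 100.0),
    Fragment("propellant chunk",
             "un-contained explosive solid propellant fragment", 50.0),
]

if __name__ == "__main__":
    for cls in group_into_classes(SAMPLE_CATALOG):
        print([f.name for f in cls], class_violations(cls) or "ok")
```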
    (d) Debris analysis products. The products of a debris analysis 
that a launch operator must file with the FAA include:
    (1) Debris model. The launch operator's debris model that 
satisfies the requirements of this section.
    (2) Fragment description. A description of the fragments 
contained in the launch operator's debris model. The description 
must identify the fragment as a launch vehicle part or component, 
describe its shape, representative dimensions, and may include 
drawings of the fragment.
    (3) Intact impact TNT yield. For an intact impact of a launch 
vehicle, for each failure time, a launch operator must identify the 
TNT yield of each impact explosion and blast overpressure hazard 
radius.
    (4) Fragment class data. The class name, the range of values for 
each parameter used to categorize fragments within a fragment class, 
and the number of fragments in any fragment class established as 
required by paragraph (c)(10) of this section.
    (5) Ballistic coefficient. The mean ballistic coefficient 
(β) and plus and minus three-sigma values of the β for 
each fragment class. A launch operator must provide graphs of the 
coefficient of drag (Cd) as a function of Mach number for 
the nominal and three-sigma β variations for each fragment 
shape. The launch operator must label each graph with the shape 
represented by the curve and reference area used to develop the 
curve. A launch operator must provide a Cd vs. Mach curve 
for any axial, transverse, and tumble orientations for any fragment 
that will not stabilize during free-fall conditions. For any 
fragment that may stabilize during free-fall, a launch operator must 
provide Cd vs. Mach curves for the stability angle of 
attack. If the angle of attack where the fragment stabilizes is 
other than zero degrees, a launch operator must provide both the 
coefficient of lift (CL) vs. Mach number and the 
Cd vs. Mach number curves. The launch operator must 
provide the equations for each Cd vs. Mach curve.
    (6) Pre-flight propellant weight. The initial preflight weight 
of solid and liquid propellant for each launch vehicle component 
that contains solid or liquid propellant.
    (7) Normal propellant consumption. The nominal and plus and 
minus three-sigma solid and liquid propellant consumption rate, and 
pre-malfunction consumption rate for each component that contains 
solid or liquid propellant.
    (8) Fragment weight. The mean and plus and minus three-sigma 
weight of each fragment or fragment class.
    (9) Projected area. The mean and plus and minus three-sigma 
axial, transverse, and tumbling areas for each fragment or fragment 
class. This information is not required for those fragment classes 
classified as burning propellant classes under section 
A417.25(b)(8).
    (10) Imparted velocities. The maximum incremental velocity 
imparted to each fragment class created by flight termination system 
activation, or explosive or overpressure loads at breakup. The 
launch operator must identify the velocity distribution as 
Maxwellian or must define the distribution, including whether or not 
the specified maximum value is a fixed value with no uncertainty.
    (11) Fragment type. The fragment type for each fragment 
established as required by paragraphs (c)(2), (c)(3), and (c)(4) of 
this section.
    (12) Origin. The part of the launch vehicle from which each 
fragment originated.
    (13) Burning propellant classes. The propellant consumption rate 
for those fragments that burn during free-fall.
    (14) Contained propellant fragments, explosive or non-explosive. 
For contained propellant fragments, whether explosive or non-
explosive, a launch operator must provide the initial weight of 
contained propellant and the consumption rate during free-fall. The 
initial weight of the propellant in a contained propellant fragment 
is the weight of the propellant before any of the propellant is 
consumed by normal vehicle operation or failure of the launch 
vehicle.
    (15) Solid propellant fragment snuff-out pressure. The ambient 
pressure and the pressure at the surface of a solid propellant 
fragment, in pounds per square inch, required to sustain a solid 
propellant fragment's combustion during free-fall.
    (16) Other non-inert debris fragments. For each non-inert debris 
fragment identified as required by paragraph (c)(4) of this section, 
a launch operator must describe the diffusion, dispersion, 
deposition, radiation, and other hazard exposure characteristics 
used to determine the effective casualty area required by paragraph 
(d)(13) of this section.
    (17) Residual thrust dispersion. For each thrusting or non-
thrusting stage having residual thrust capability following a launch 
vehicle malfunction, a launch operator must provide either the total 
residual impulse imparted or the full-residual thrust as a function 
of breakup time. For any stage not capable of thrust after a launch 
vehicle malfunction, a launch operator must provide the conditions 
under which the stage is no longer capable of thrust. For each stage 
that can be ignited as a result of a launch vehicle malfunction on a 
lower stage, a launch operator must identify the effects and 
duration of the potential thrust, and the maximum deviation of the 
instantaneous impact point, which can be brought about by the 
thrust. A launch operator must provide the explosion effects of all 
remaining fuels, pressurized tanks, and remaining stages, 
particularly with respect to ignition or detonation of upper stages 
if the flight termination system is activated during the burning 
period of a lower stage.

A417.13 Flight safety limits.

    (a) General. A flight safety analysis must include a flight 
safety limits analysis that satisfies the requirements of Sec.  
417.213. This section applies to the computation of the flight 
safety limits and identifying the location of populated or other 
protected areas as required by Sec.  417.213 and to the analysis 
products that the launch operator must file with the FAA as required 
by Sec.  417.203(e).
    (b) Flight safety limits constraints. The analysis must 
establish flight safety limits as follows:
    (1) Flight safety limits must account for potential malfunction 
of a launch vehicle during the time from launch vehicle first motion 
through flight until the planned safe flight state determined as 
required by section A417.19.
    (2) For a flight termination at any time during launch vehicle 
flight, the impact limit lines must:
    (i) Represent no less than the extent of the debris impact 
dispersion for all debris fragments with a ballistic coefficient 
greater than or equal to three; and
    (ii) Ensure that the debris impact area on the Earth's surface 
that is bounded by the debris impact dispersion in the uprange, 
downrange and crossrange directions does not extend to any populated 
or other protected area.
    (3) Each debris impact area determined by a flight safety limits 
analysis must be offset in a direction away from populated or other 
protected areas. The size of the offset must account for all 
parameters that may contribute to the impact dispersion. The 
parameters must include:
    (i) Launch vehicle malfunction turn capabilities.
    (ii) Effective casualty area produced as required by section 
A417.25(b)(8).
    (iii) All delays in the identification of a launch vehicle 
malfunction.
    (iv) Malfunction imparted velocities, including any velocity 
imparted to vehicle fragments by breakup.
    (v) Wind effects on the malfunctioning vehicle and falling 
debris.
    (vi) Residual thrust remaining after flight termination.
    (vii) Launch vehicle guidance and performance errors.
    (viii) Lift and drag forces on the malfunctioning vehicle and 
falling debris including variations in drag predictions of fragments 
and debris.
    (ix) All hardware and software delays during implementation of 
flight termination.
    (x) All debris impact location uncertainties caused by 
conditions prior to, and after, activation of the flight termination 
system.
    (xi) Any other impact dispersion parameters peculiar to the 
launch vehicle.
    (xii) All uncertainty due to map error and launch vehicle 
tracking error.
    (c) Risk management. The requirements for public risk management 
of Sec.  417.205(a) apply to a flight safety limits analysis. When 
employing risk assessment, the analysis must establish flight safety 
limits that satisfy paragraph (b) of this section, account for the 
products of the debris risk analysis performed as required by 
section A417.25, and ensure that any risk to the public satisfies 
the public risk criteria of Sec.  417.107(b). When employing hazard 
isolation, the analysis must establish flight safety limits in 
accordance with the following:
    (1) The flight safety limits must account for the maximum 
deviation impact locations for the most wind sensitive debris 
fragment with a minimum of 11 ft-lbs of kinetic energy at impact.
    (2) The maximum deviation impact location of the debris 
identified in paragraph (c)(1) of this section for each trajectory 
time must account for the three-sigma impact location for the 
maximum deviation flight, and the launch day wind conditions that 
produce the maximum ballistic wind for that debris.
    (3) The maximum deviation flight must account for the 
instantaneous impact point, of the debris identified in paragraph 
(c)(1) of this section at breakup, that is closest to a protected 
area and the maximum ballistic wind directed from the breakup point 
toward that protected area.
    (d) Flight safety limits analysis products. The products of a 
flight safety limits analysis that a launch operator must file with 
the FAA include:
    (1) A description of each method used to develop and implement 
the flight safety limits. The description must include equations and 
example computations used in the flight safety limits analysis.
    (2) A description of how each analysis method meets the analysis 
requirements and constraints of this section, including how the 
method produces a worst-case scenario for each impact dispersion 
area.
    (3) A description of how the results of the analysis are used to 
protect populated and other protected areas.
    (4) A graphic depiction or series of depictions of the flight 
safety limits, the launch point, all launch site boundaries, 
surrounding geographic area, all protected area boundaries, and the 
nominal and three-sigma launch vehicle instantaneous impact point 
ground traces from liftoff to orbital insertion or the end of 
flight. Each depiction must have labeled geodetic latitude and 
longitude lines. Each depiction must show the flight safety limits 
at trajectory time intervals sufficient to depict the mission 
success margin between the flight safety limits and the protected 
areas. The launch vehicle trajectory instantaneous impact points 
must be plotted with sufficient frequency to provide a conformal 
representation of the launch vehicle's instantaneous impact point 
ground trace curvature.
    (5) A tabular description of the flight safety limits, including 
the geodetic latitude and longitude for any flight safety limit. The 
table must contain quantitative values that define flight safety 
limits. Each quantitative value must be rounded to the number of 
significant digits that can be determined from the uncertainty of 
the measurement device used to determine the flight safety limits 
and must be limited to a maximum of six decimal places.
    (6) A map error table of direction and scale distortions as a 
function of distance from the point of tangency from a parallel of 
true scale and true direction or from a meridian of true scale and 
true direction. A launch operator must provide a table of tracking 
error as a function of downrange distance from the launch point for 
each tracking station used to make flight safety control decisions. 
A launch operator must file a description of the method, showing 
equations and sample calculations, used to determine the tracking 
error. The table must contain the map and tracking error data points 
within 100 nautical miles of the reference point at an interval of 
one data point every 10 nautical miles, including the reference 
point. The table must contain map and tracking error data points 
beyond 100 nautical miles from the reference point at an interval of 
one data point every 100 nautical miles out to a distance that 
includes all populated or other areas protected by the flight safety 
limits.
    (7) A launch operator must provide the equations used for 
geodetic datum conversions and one sample calculation for converting 
the geodetic latitude and longitude coordinates between the datum 
ellipsoids used. A launch operator must provide any equations used 
for range and bearing computations between geodetic coordinates and 
one sample calculation.

A417.15 Straight-up time.

    (a) General. A flight safety analysis must include a straight-up 
time analysis that satisfies the requirements of Sec.  417.215. This 
section applies to the computation of straight-up time as required 
by Sec.  417.215 and to the analysis products that the launch 
operator must file with the FAA as required by Sec.  417.203(e). The 
analysis must establish a straight-up time as the latest time-after-
liftoff, assuming a launch vehicle malfunctioned and flew in a 
vertical or near vertical direction above the launch point, at which 
activation of the launch vehicle's flight termination system or 
breakup of the launch vehicle would not cause hazardous debris or 
critical overpressure to affect any populated or other protected 
area.
    (b) Straight-up time constraints. A straight-up time analysis 
must account for the following:
    (1) Launch vehicle trajectory. The analysis must use the 
straight-up trajectory determined as required by section A417.7(e).
    (2) Sources of debris impact dispersion. The analysis must use 
the sources described in section A417.13(b)(3)(iii) through (xii).
    (c) Straight-up time analysis products. The products of a 
straight-up-time analysis that a launch operator must file with the 
FAA include:
    (1) The straight-up-time.
    (2) A description of the methodology used to determine straight-
up time.

A417.17 Overflight gate.

    (a) General. The flight safety analysis for a launch that 
involves flight over a populated or other protected area must 
include an overflight gate analysis that satisfies the requirements 
of Sec.  417.217. This section applies to determining a gate as 
required by Sec.  417.217 and the analysis products that the launch 
operator must file with the FAA as required by Sec.  417.203(e). The 
analysis must determine the portion, referred to as a gate, of a 
flight safety limit, through which a launch vehicle's tracking 
representation will be allowed to proceed without flight 
termination.
    (b) Overflight gate analysis constraints. The following analysis 
constraints apply to a gate analysis.
    (1) For each gate in a flight safety limit, all the criteria 
used for determining whether to allow passage through the gate or to 
terminate flight at the gate must use all the same launch vehicle 
flight status parameters as the criteria used for determining 
whether to terminate flight at a flight safety limit. For example, 
if the flight safety limits are a function of instantaneous impact 
point location, the criteria for determining whether to allow 
passage through a gate in the flight safety limit must also be a 
function of instantaneous impact point location. Likewise, if the 
flight safety limits are a function of drag impact point, the gate 
criteria must also be a function of drag impact point.
    (2) When establishing a gate in a flight safety limit, the 
analysis must ensure that the launch vehicle flight satisfies the 
flight safety requirements of Sec.  417.107.
    (3) For each established gate, the analysis must account for:
    (i) All launch vehicle tracking and map errors.
    (ii) All launch vehicle plus and minus three-sigma trajectory 
limits.
    (iii) All debris impact dispersions.
    (4) The width of a gate must restrict a launch vehicle's normal 
trajectory ground trace.
    (c) Overflight gate analysis products. The products of a gate 
analysis that a launch operator must file with the FAA include:
    (1) A description of the methodology used to establish each 
gate.
    (2) A description of the tracking representation.
    (3) A tabular description of the input data.
    (4) Example analysis computations performed to determine a gate. 
If a launch involves more than one gate and the same methodology is 
used to determine each gate, the launch operator need only file the 
computations for one of the gates.
    (5) A graphic depiction of each gate. A launch operator must 
provide a depiction or
depictions showing flight safety limits, protected area outlines, 
nominal and 3-sigma left and right trajectory ground traces, 
protected area overflight regions, and predicted impact dispersion 
about the three-sigma trajectories within the gate. Each depiction 
must show latitude and longitude grid lines, gate latitude and 
longitude labels, and the map scale.

A417.19 Data loss flight time and planned safe flight state.

    (a) General. A flight safety analysis must include a data loss 
flight time analysis that satisfies the requirements of Sec.  
417.219. This section applies to the computation of data loss flight 
times and the planned safe flight state required by Sec.  417.219, 
and to the analysis products that the launch operator must file with 
the FAA as required by Sec.  417.203(e).
    (b) Planned safe flight state. The analysis must establish a 
planned safe flight state for a launch as follows:
    (1) For a suborbital launch, the analysis must determine a 
planned safe flight state as the nominal state vector after liftoff 
that a launch vehicle's hazardous debris impact dispersion can no 
longer reach any protected area.
    (2) For an orbital launch where the launch vehicle's 
instantaneous impact point does not traverse a protected area prior 
to reaching orbit, the analysis must establish the planned safe 
flight state as the time after liftoff that the launch vehicle's 
hazardous debris impact dispersion can no longer reach any protected 
area or orbital insertion, whichever occurs first.
    (3) For an orbital launch where a gate permits overflight of a 
protected area and where orbital insertion occurs after reaching the 
gate, the analysis must determine the planned safe flight state as 
the time after liftoff when the time for the launch vehicle's 
instantaneous impact point to reach the gate is less than the time 
for the instantaneous impact point to reach any flight safety limit.
    (4) The analysis must account for a malfunction that causes the 
launch vehicle to proceed from its position at the trajectory time 
being evaluated toward the closest flight safety limit and protected 
area.
    (5) The analysis must account for the launch vehicle thrust 
vector that produces the highest instantaneous impact point range 
rate that the vehicle is capable of producing at the trajectory time 
being evaluated.
    (c) Data loss flight times. For each launch vehicle trajectory 
time, from the predicted earliest launch vehicle tracking 
acquisition time until the planned safe flight state, the analysis 
must determine the data loss flight time as follows:
    (1) The analysis must determine each data loss flight time as 
the minimum thrusting time for a launch vehicle to move from a 
normal trajectory position to a position where a flight termination 
would cause the malfunction debris impact dispersion to reach any 
protected area.
    (2) A data loss flight time analysis must account for a 
malfunction that causes the launch vehicle to proceed from its 
position at the trajectory time being evaluated toward the closest 
flight safety limit and protected area.
    (3) The analysis must account for the launch vehicle thrust 
vector that produces the highest instantaneous impact point range 
rate that the vehicle is capable of producing at the trajectory time 
being evaluated.
    (4) Each data loss flight time must account for the system 
delays at the time of flight.
    (5) The analysis must determine a data loss flight time for time 
increments that do not exceed one second along the launch vehicle 
nominal trajectory.
    (d) Products. The products of a data loss flight time and 
planned safe flight state analysis that a launch operator must file 
include:
    (1) A launch operator must describe the methodology used in its 
analysis, and identify all assumptions, techniques, input data, and 
equations used. A launch operator must file calculations performed 
for one data loss flight time in the vicinity of the launch site and 
one data loss flight time that is no less than 50 seconds later in 
the downrange area.
    (2) A launch operator must file a graphical description or 
depictions of the flight safety limits, the launch point, the launch 
site boundaries, the surrounding geographic area, any protected 
areas, the planned safe flight state within any applicable scale 
requirements, latitude and longitude grid lines, and launch vehicle 
nominal and three-sigma instantaneous impact point ground traces 
from liftoff through orbital insertion for an orbital launch, and 
through final impact for a suborbital launch. Each graph must show 
any launch vehicle trajectory instantaneous impact points plotted 
with sufficient frequency to provide a conformal estimate of the 
launch vehicle's instantaneous impact point ground trace curvature. 
A launch operator must provide labeled latitude and longitude lines 
and the map scale on the depiction.
    (3) A launch operator must provide a tabular description of each 
data loss flight time. The tabular description must include the 
malfunction start time and the geodetic latitude (positive north of 
the equator) and longitude (positive east of the Greenwich Meridian) 
coordinates of the intersection of the launch vehicle instantaneous 
impact point trajectory with the flight safety limit. The table must 
identify the first data loss flight time and planned safe flight 
state. The tabular description must include data loss flight times 
for trajectory time increments not to exceed one second.

A417.21 Time delay.

    (a) General. A flight safety analysis must include a time delay 
analysis that satisfies the requirements of Sec.  417.221. This 
section applies to the computation of time delays associated with a 
flight safety system and other launch vehicle systems and operations 
as required by Sec.  417.221 and to the analysis products that the 
launch operator must file with the FAA as required by Sec.  
417.203(e).
    (b) Time delay analysis constraints. The analysis must account 
for all significant causes of time delay between the violation of a 
flight termination rule and the time when a flight safety system is 
capable of terminating flight as follows:
    (1) The analysis must account for decision and reaction times, 
including variation in human response time, for flight safety 
official and other personnel that are part of a launch operator's 
flight safety system as defined by subpart D of this part.
    (2) The analyses must determine the time delay inherent in any 
data, from any source, used by a flight safety official for making 
flight termination decisions.
    (3) A time delay analysis must account for all significant 
causes of time delay, including data flow rates and reaction times, 
for hardware and software, including, but not limited to the 
following:
    (i) Tracking system. A time delay analysis must account for time 
delays between the launch vehicle's current location and last known 
location and that are associated with the hardware and software that 
make up the launch vehicle tracking system, whether or not it is 
located on the launch vehicle, such as transmitters, receivers, 
decoders, encoders, modulators, circuitry and any encryption and 
decryption of data.
    (ii) Display systems. A time delay analysis must account for 
delays associated with hardware and software that make up any 
display system used by a flight safety official to aid in making 
flight control decisions. A time delay analysis must also account 
for any manual operations requirements, tracking source selection, 
tracking data processing, flight safety limit computations, inherent 
display delays, meteorological data processing, automated or manual 
system configuration control, automated or manual process control, 
automated or manual mission discrete control, and automated or 
manual fail over decision control.
    (iii) Flight termination system and command control system. A 
time delay analysis must account for delays and response times 
associated with flight termination system and command control system 
hardware and software, such as transmitters, decoders, encoders, 
modulators, relays and shutdown, arming and destruct devices, 
circuitry and any encryption and decryption of data.
    (iv) Software specific time delays. A delay analysis must 
account for delays associated with any correlation of data performed 
by software, such as timing and sequencing; data filtering delays 
such as error correction, smoothing, editing, or tracking source 
selection; data transformation delays; and computation cycle time.
    (4) A time delay analysis must determine the time delay plus and 
minus three-sigma values relative to the mean time delay.
    (5) For use in any risk analysis, a time delay analysis must 
determine time delay distributions that account for the variance of 
time delays for potential launch vehicle failure, including but not 
limited to, the range of malfunction turn characteristics and the 
time of flight when the malfunction occurs.
    (c) Time delay analysis products. The products of a time delay 
analysis that a launch operator must file include:
    (1) A description of the methodology used to produce the time 
delay analysis.
    (2) A schematic drawing that maps the flight safety official's 
data flow time delays from the start of a launch vehicle malfunction 
through the final commanded
flight termination on the launch vehicle, including the flight 
safety official's decision and reaction time. The drawings must 
indicate major systems, subsystems, major software functions, and 
data routing.
    (3) A tabular listing of each time delay source and its 
individual mean and plus and minus three-sigma contribution to the 
overall time delay. The table must provide all time delay values in 
milliseconds.
    (4) The mean delay time and the plus and minus three-sigma 
values of the delay time relative to the mean value.

A417.23 Flight hazard areas.

    (a) General. A flight safety analysis must include a flight 
hazard area analysis that satisfies the requirements of Sec.  
417.223. This section applies to the determination of flight hazard 
areas for orbital and suborbital launch vehicles that use a flight 
termination system to protect the public as required by Sec.  
417.223 and to the analysis products that the launch operator must 
file with the FAA as required by Sec.  417.203(e). Requirements that 
apply to determining flight hazard areas for an unguided suborbital 
rocket that uses a wind-weighting safety system are contained in 
appendix C of this part.
    (b) Launch site flight hazard area. A flight hazard area 
analysis must establish a launch site flight hazard area that 
encompasses the launch point and:
    (1) If the flight safety analysis employs hazard isolation to 
establish flight safety limits as required by section A417.13(c), 
the launch site flight hazard area must encompass the flight safety 
limits.
    (2) If the flight safety analysis does not employ hazard 
isolation to establish the flight safety limits, the launch site 
flight hazard area must encompass all hazard areas established as 
required by paragraphs (c) through (e) of this section.
    (c) Debris impact hazard area. The analysis must establish a 
debris impact hazard area that accounts for the effects of impacting 
debris resulting from normal and malfunctioning launch vehicle 
flight, except for toxic effects, and accounts for potential impact 
locations of all debris fragments. The analysis must establish a 
debris hazard area as follows:
    (1) An individual casualty contour that defines where the risk 
to an individual would exceed an expected casualty (Ec) criteria of 
1 x 10^-6 if one person were assumed to be in the open and inside 
the contour during launch vehicle flight must bound a debris hazard 
area. The analysis must produce an individual casualty contour as 
follows:
    (i) The analysis must account for the location of a hypothetical 
person, and must vary the location of the person to determine when 
the risk would exceed the Ec criteria of 1 x 10^-6. The analysis 
must count a person as a casualty when the person's location is 
subjected to any inert debris impact with a mean expected kinetic 
energy greater than or equal to 11 ft-lbs or a peak incident 
overpressure equal to or greater than 1.0 psi due to explosive 
debris impact. The analysis must determine the peak incident 
overpressure using the Kingery-Bulmash relationship, without regard 
to sheltering, reflections, or atmospheric effects.
    (ii) The analysis must account for person locations that are no 
more than 1000 feet apart in the downrange direction and no more 
than 1000 feet apart in the crossrange direction to produce an 
individual casualty contour. For each person location, the analysis 
must sum the probabilities of casualty over all flight times for all 
debris groups.
    (iii) An individual casualty contour must consist of curves that 
are smooth and continuous. To accomplish this, the analysis must 
vary the time interval between the trajectory times assessed so that 
each location of a debris impact point is less than one-half sigma 
of the downrange dispersion distance.
    (2) The input for determining a debris impact hazard area must 
account for the results of the trajectory analysis required by 
section A417.7, the malfunction turn analysis required by section 
A417.9, and the debris analysis required by section A417.11 to 
define the impact locations of each class of debris established by 
the debris analysis, and the time delay analysis required by section 
A417.21.
    (3) The analysis must account for the extent of the impact 
debris dispersions for each debris class produced by normal and 
malfunctioning launch vehicle flight at each trajectory time. The 
analysis must also account for how the vehicle breaks up, either by 
the flight termination system or by aerodynamic forces, if the 
different breakup may result in a different probability of existence 
for each debris class. A debris impact hazard area must account for 
each impacting debris fragment classified as required by section 
A417.11(c).
    (4) The analysis must account for launch vehicle flight that 
exceeds a flight safety limit. The analysis must also account for 
trajectory conditions that maximize the mean debris impact distance 
during the flight safety system delay time determined as required by 
section A417.21 and account for a debris model that is 
representative of a flight termination or aerodynamic breakup. For 
each launch vehicle breakup event, the analysis must account for 
trajectory and breakup dispersions, variations in debris class 
characteristics, and debris dispersion due to any wind condition 
under which a launch would be attempted.
    (5) The analysis must account for the probability of failure of 
each launch vehicle stage and the probability of existence of each 
debris class. The analysis must account for the probability of 
occurrence of each type of launch vehicle failure. The analysis must 
account for vehicle failure probabilities that vary depending on the 
time of flight.
    (6) In addition to failure debris, the analysis must account for 
nominal jettisoned body debris impacts and the corresponding debris 
impact dispersions. The analysis must use a probability of 
occurrence of 1.0 for the planned debris fragments produced by 
normal separation events during flight.
    (d) Near-launch-point blast hazard area. A flight hazard area 
analysis must define a blast overpressure hazard area as a circle 
extending from the launch point with a radius equal to the 1.0 psi 
overpressure distance produced by the equivalent TNT weight of the 
explosive capability of the vehicle. In addition, the analysis must 
establish a minimum near-pad blast hazard area to provide protection 
from hazardous fragments potentially propelled by an explosion. The 
analysis must account for the maximum possible total solid and 
liquid propellant explosive potential of the launch vehicle and any 
payload. The analysis must define a blast overpressure hazard area 
using the following equations:

Rop = 45 · (NEW)^(1/3)

Where:

Rop is the overpressure distance in feet.
NEW = WE · C (pounds).
WE is the weight of the explosive in pounds.
C is the TNT equivalency coefficient of the propellant being 
evaluated. A launch operator must identify the TNT equivalency of 
each propellant on its launch vehicle including any payload. TNT 
equivalency data for common liquid propellants is provided in table 
A417-1. Table A417-2 provides factors for converting gallons of 
specified liquid propellants to pounds.

    (e) Other hazards. A flight hazard area analysis must identify 
any additional hazards, such as radioactive material, that may exist 
on the launch vehicle or payload. For each such hazard, the analysis 
must determine a hazard area that encompasses any debris impact 
point and its dispersion and includes an additional hazard radius 
that accounts for potential casualty due to the additional hazard. 
Analysis requirements for toxic release and far field blast 
overpressure are provided in Sec.  417.27 and section A417.29, 
respectively.
    (1) Aircraft hazard areas. The analysis must establish an 
aircraft hazard area for each planned debris impact for the issuance 
of notices to airmen as required by Sec.  417.121(e). Each aircraft 
hazard area must encompass an air space region, from an altitude of 
60,000 feet to impact on the Earth's surface, that contains the 
three-sigma drag impact dispersion.
    (2) Ship hazard areas. The analysis must establish a ship hazard 
area for each planned debris impact for the issuance of notices to 
mariners as required by Sec.  417.121(e). Each ship hazard area must 
encompass a surface region that contains the three-sigma drag impact 
dispersion.
    (f) Flight hazard area analysis products. The products of a 
flight hazard area analysis that a launch operator must file with 
the FAA include:
    (1) A chart that depicts the launch site flight hazard area, 
including its size and location.
    (2) A chart that depicts each hazard area required by this 
section.
    (3) A description of each hazard for which analysis was 
performed; the methodology used to compute each hazard area; and the 
debris classes for aerodynamic breakup of the launch vehicle and for 
flight termination. For each debris class, the launch operator must 
identify the number of debris fragments, the variation in ballistic 
coefficient, and the standard deviation of the debris dispersion.
    (4) A chart that depicts each individual casualty contour.
    (5) A description of the aircraft hazard area for each planned 
debris impact, the
information to be published in a Notice to Airmen, and all 
information required as part of any agreement with the FAA ATC 
office having jurisdiction over the airspace through which flight 
will take place.
    (6) A description of any ship hazard area for each planned 
debris impact and all information required in a Notice to Mariners.
    (7) A description of the methodology used for determining each 
hazard area.
    (8) A description of the hazard area operational controls and 
procedures to be implemented for flight.
[GRAPHIC] [TIFF OMITTED] TR25AU06.009

[GRAPHIC] [TIFF OMITTED] TR25AU06.010

A417.25 Debris risk.

    (a) General. A flight safety analysis must include a debris risk 
analysis that satisfies the requirements of Sec.  417.225. This 
section applies to the computation of the average number of 
casualties (Ec) to the collective members of debris 
hazards from the proposed flight of a launch vehicle as required by 
Sec.  417.225 and to the analysis products that the launch operator 
must file with the FAA as required by Sec.  417.203(e).
    (b) Debris risk analysis constraints. The following constraints 
apply to a debris risk:
    (1) A debris risk analysis must use valid risk analysis models 
that compute Ec as the summation over all trajectory time 
intervals from lift-off through orbital insertion of the products of 
the probability of each possible event and the casualty consequences 
due to debris impacts for each possible event.
    (2) A debris risk analysis must account for the following 
populations:
    (i) The overflight of populations located inside any flight 
safety limits.
    (ii) All populations located within five-sigma left and right 
crossrange of a nominal trajectory instantaneous impact point ground 
trace and within five-sigma of each planned nominal debris impact.
    (iii) Any planned overflight of the public within any gate 
overflight areas.
    (iv) Any populations outside the flight safety limits identified 
as required by paragraph (b)(10) of this section.
    (3) A debris risk analysis must account for both inert and 
explosive debris hazards produced from any impacting debris caused 
by normal and malfunctioning launch vehicle flight. The analysis 
must account for the debris classes determined by the debris 
analysis required by section A417.11. A debris risk analysis must 
account for any inert debris impact with mean expected kinetic 
energy at impact greater than or equal to 11 ft-lbs and peak 
incident overpressure of greater than or equal to 1.0 psi due to any 
explosive debris impact. The analysis must account for all debris 
hazards as a function of flight time.
    (4) A debris risk analysis must account for debris impact points 
and dispersion for each class of debris as follows:
    (i) A debris risk analysis must account for drag corrected 
impact points and dispersions for each class of impacting debris 
resulting from normal and malfunctioning launch vehicle flight as a 
function of trajectory time from lift-off through orbital insertion, 
including each planned impact, for an orbital launch, and through 
final impact for a suborbital launch.
    (ii) The dispersion for each debris class must account for the 
position and velocity state vector dispersions at breakup, the 
variance produced by breakup imparted velocities, the effect of 
winds on both the ascent trajectory state vector at breakup and the 
descending debris piece impact location, the variance produced by 
aerodynamic properties for each debris class, and any other 
dispersion variances.
    (iii) A debris risk analysis must account for the survivability 
of debris fragments that are subject to reentry aerodynamic forces 
or heating. A debris class may be eliminated from the debris risk 
analysis if the launch operator demonstrates that the debris will 
not survive to impact.
    (5) A debris risk analysis must account for launch vehicle 
failure probability. The following constraints apply:
    (i) For flight safety analysis purposes, a failure occurs when a 
vehicle does not complete any phase of normal flight or exhibits the 
potential for the stage or its debris to impact the Earth or reenter 
the atmosphere during the mission or any future mission of similar 
vehicle capability. Also, either a launch incident or launch 
accident constitutes a failure.
    (ii) For a launch vehicle with fewer than 2 flights completed, 
the analysis must use a reference value for the launch vehicle 
failure probability estimate equal to the upper limit of the 60% 
two-sided confidence limits of the binomial distribution for 
outcomes of all previous launches of vehicles developed and launched 
in similar circumstances. The FAA may adjust the failure probability 
estimate to account for the level of experience demonstrated by the 
launch operator and other factors that affect the probability of 
failure. The FAA may adjust the failure probability estimate for the 
second launch based on evidence obtained from the first flight of 
the vehicle.
    (iii) For a launch vehicle with at least 2 flights completed, 
the analysis must use the reference value for the launch vehicle 
failure probability of Table A417-3 based on the outcomes of all 
previous launches of the vehicle. The FAA may adjust the failure 
probability estimate to account for evidence obtained from the 
flight history of the vehicle. The FAA may adjust the failure 
probability estimate to account for the nature of launch outcomes in 
the flight history of the vehicle, corrective actions taken in 
response to a failure of the vehicle, or other vehicle modifications 
that may affect reliability. The FAA may adjust the failure 
probability estimate to account for the demonstrated quality of the 
engineering approach to launch vehicle processing, meeting safety 
requirements in this part, and associated hazard mitigation. The 
analysis must use a final failure estimate within the confidence 
limits of Table A417-3.
    (A) Values listed on the far left of Table A417-3 apply when no 
launch failures are experienced. Values on the far right apply when 
only launch failures are experienced. Values in between apply for 
flight histories that include both failures and successes.
    (B) Reference values in Table A417-3 are shown in bold. The 
reference values are the median values between 60% two-sided 
confidence limits of the binomial distribution. For the special 
cases of zero or N failures in N launch attempts, the reference 
values may also be recognized as the median value between the 80% 
one-sided confidence limit of the binomial distribution and zero or 
one, respectively.
    (C) Upper and lower confidence bounds in Table A417-3 are shown 
directly above and below each reference value. These confidence 
bounds are based on 60% two-sided confidence limits of the binomial 
distribution. For the special cases of zero or N failures in N 
launch attempts, the upper and lower confidence bounds are based on 
the 80% one-sided confidence limit, respectively.
[GRAPHIC] [TIFF OMITTED] TR25AU06.011

    (6) A debris risk analysis must account for the dwell time of 
the instantaneous impact point ground trace over each populated or 
protected area being evaluated.
    (7) A debris risk analysis must account for the three-sigma 
instantaneous impact point trajectory variations in left-crossrange, 
right-crossrange, uprange, and downrange as a function of trajectory 
time, due to launch vehicle performance variations as determined by 
the trajectory analysis performed as required by section A417.7.
    (8) A debris risk analysis must account for the effective 
casualty area as a function of launch vehicle flight time for all 
impacting debris generated from a catastrophic launch vehicle 
malfunction event or a planned impact event. The effective casualty 
area must account for both payload and vehicle systems and 
subsystems debris. The effective casualty area must account for all 
debris fragments determined as part of a launch operator's debris 
analysis as required by section A417.11. The effective casualty area 
for each explosive debris fragment must account for a 1.0 psi blast 
overpressure radius and the projected debris effects for all 
potentially explosive debris. The effective casualty area for each 
inert debris fragment must:
    (i) Account for bounce, skip, slide, and splatter effects; or
    (ii) Equal seven times the maximum projected area of the 
fragment.
    (9) A debris risk analysis must account for current population 
density data obtained from a current population database for the 
region being evaluated or by estimating the current population using 
exponential population growth rate equations applied to the most 
current historical data available. The population model must define 
population centers that are similar enough to be described and 
treated as a single average set of characteristics without degrading 
the accuracy of the debris risk estimate.
    (10) For a launch vehicle that uses a flight safety system, a 
debris risk analysis must account for the collective risk to any 
populations outside the flight safety limits during flight, 
including people who will be at any public launch viewing area 
during flight. For such populations, in addition to the constraints 
of paragraphs (b)(1) through (b)(9) of this section, a launch 
operator's debris risk analysis must account for the following:
    (i) The probability of a launch vehicle failure that would 
result in debris impact in protected areas outside the flight safety 
limits.
    (ii) The failure probability of the launch operator's flight 
safety system. A flight safety system failure rate of 0.002 may be 
used if the flight safety system complies with the flight safety 
system requirements of subpart D of this part. For an alternate 
flight safety system approved as required by Sec.  417.107(a)(3), 
the launch operator must demonstrate the validity of the probability 
of failure through the licensing process.
    (iii) Current population density data and population projections 
for the day and time of flight for the areas outside the flight 
safety limits.
    (c) Debris risk analysis products. The products of a debris risk 
analysis that a launch operator must file with the FAA include:
    (1) A debris risk analysis report that provides the analysis 
input data, probabilistic risk determination methods, sample 
computations, and text or graphical charts that characterize the 
public risk to geographical areas for each launch.
    (2) Geographic data showing:
    (i) The launch vehicle nominal, five-sigma left-crossrange and 
five-sigma right-crossrange instantaneous impact point ground 
traces;
    (ii) All exclusion zones relative to the instantaneous impact 
point ground traces; and
    (iii) All populated areas included in the debris risk analysis.
    (3) A discussion of each launch vehicle failure scenario 
accounted for in the analysis and the probability of occurrence, 
which may vary with flight time, for each failure scenario. This 
information must include failure scenarios where a launch vehicle:
    (i) Flies within normal limits until some malfunction causes 
spontaneous breakup or results in a commanded flight termination;
    (ii) Experiences malfunction turns; and
    (iii) Flight safety system fails to function.
    (4) A population model applicable to the launch overflight 
regions that contains the following: region identification, location 
of the center of each population center by geodetic latitude and 
longitude, total area, number of persons in each population center, 
and a description of the shelter characteristics within the 
population center.
    (5) A description of the launch vehicle, including general 
information concerning the nature and purpose of the launch and an 
overview of the launch vehicle, including a scaled diagram of the 
general arrangement and dimensions of the vehicle. A launch 
operator's debris risk analysis products may reference other 
documentation filed with the FAA containing this information. The 
description must include:
    (i) Weights and dimensions of each stage.
    (ii) Weights and dimensions of any booster motors attached.
    (iii) The types of fuel used in each stage and booster.
    (iv) Weights and dimensions of all interstage adapters and 
skirts.
    (v) Payload dimensions, materials, construction, and any payload 
fuel; payload fairing construction, materials, and dimensions; and 
any non-inert components or materials that add to the effective 
casualty area of the debris, such as radioactive or toxic materials 
or high-pressure vessels.
    (6) A typical sequence of events showing times of ignition, 
cutoff, burnout, and jettison of each stage, firing of any ullage 
rockets, and starting and ending times of coast periods and control 
modes.
    (7) The following information for each launch vehicle motor:
    (i) Propellant type and composition;
    (ii) Thrust profile;
    (iii) Propellant weight and total motor weight as a function of 
time;
    (iv) A description of each nozzle and steering mechanism;
    (v) For solid rocket motors, internal pressure and average 
propellant thickness, or borehole radius, as a function of time;
    (vi) Maximum impact point deviations as a function of failure 
time during destruct system delays. Burn rate as a function of 
ambient pressure;
    (vii) A discussion of whether a commanded destruct could ignite 
a non-thrusting motor, and if so, under what conditions; and
    (viii) Nozzle exit and entrance areas.
    (8) The launch vehicle's launch and failure history, including a 
summary of past vehicle performance. For a new vehicle with little 
or no flight history, a launch operator must provide all known data 
on similar vehicles that include:
    (i) Identification of the launches that have occurred;
    (ii) Launch date, location, and direction of each launch;
    (iii) The number of launches that performed normally;
    (iv) Behavior and impact location of each abnormal experience;
    (v) The time, altitude, and nature of each malfunction; and
    (vi) Descriptions of corrective actions taken, including changes 
in vehicle design, flight termination, and guidance and control 
hardware and software.
    (9) The values of probability of impact (PI) and 
expected casualty (Ec) for each populated area.
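
The failure probability limits described in paragraph (b)(5) of section A417.25 can be computed as follows. This is an added example, not part of the rule or FAA code; it assumes the "confidence limits of the binomial distribution" are the exact (Clopper-Pearson) limits and that the "median value between" them is their midpoint. The launch counts are constructed, and Table A417-3 remains the authoritative source of values.

```python
"""Binomial confidence limits for launch vehicle failure probability.

Added illustration of A417.25(b)(5), not FAA code. Assumptions: exact
(Clopper-Pearson) limits, and reference value = midpoint of the limits.
"""
from math import comb


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1.0 - p) ** (n - i) for i in range(k + 1))


def _solve_p(k, n, target):
    """Find p in [0, 1] where binom_cdf(k, n, p) equals target.

    For k < n the CDF falls steadily as p rises, so bisection converges.
    """
    lo, hi = 0.0, 1.0
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if binom_cdf(k, n, mid) > target:
            lo = mid  # CDF still too high, so p must be larger
        else:
            hi = mid
    return (lo + hi) / 2.0


def failure_probability_limits(failures, launches, confidence=0.60):
    """Return (lower, reference, upper) for the observed flight history.

    A 60% two-sided interval leaves 20% in each tail. With zero failures the
    lower bound is 0 and the upper bound is the 80% one-sided limit; with only
    failures the upper bound is 1 and the lower bound is the 80% one-sided limit.
    """
    if launches < 1 or not 0 <= failures <= launches:
        raise ValueError("need launches >= 1 and 0 <= failures <= launches")
    tail = (1.0 - confidence) / 2.0
    lower = 0.0 if failures == 0 else _solve_p(failures - 1, launches, 1.0 - tail)
    upper = 1.0 if failures == launches else _solve_p(failures, launches, tail)
    return lower, (lower + upper) / 2.0, upper


def reference_value(own_launches, own_failures, similar_launches=0, similar_failures=0):
    """Choose the reference value by flight count, per (b)(5)(ii) and (b)(5)(iii)."""
    if own_launches < 2:
        # (ii): upper limit over previous launches of similar vehicles
        return failure_probability_limits(similar_failures, similar_launches)[2]
    # (iii): reference value from the vehicle's own flight history
    return failure_probability_limits(own_failures, own_launches)[1]


def within_limits(estimate, failures, launches):
    """True if a final failure estimate lies inside the confidence limits."""
    lower, _, upper = failure_probability_limits(failures, launches)
    return lower <= estimate <= upper


if __name__ == "__main__":
    # Constructed flight histories, for illustration only.
    for failures, launches in [(0, 2), (1, 2), (1, 10), (5, 5)]:
        lo, ref, up = failure_probability_limits(failures, launches)
        print(f"{failures}/{launches} failures: "
              f"lower={lo:.2f} reference={ref:.2f} upper={up:.2f}")
    # New vehicle, no flights; similar vehicles failed 3 times in 10 launches.
    print(f"new vehicle reference: {reference_value(0, 0, 10, 3):.2f}")
```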

A417.27 Toxic release hazard analysis.

    A flight safety analysis must include a toxic release hazard 
analysis that satisfies the requirements of Sec.  417.227. A launch 
operator's toxic release hazard analysis must satisfy the 
methodology requirements of appendix I of this part. A launch 
operator must file the analysis products identified in appendix I of 
this part as required by Sec.  417.203(e).

A417.29 Far field blast overpressure effects analysis.

    (a) General. A flight safety analysis must include a far field 
blast overpressure effects hazard analysis that satisfies the 
requirements of Sec.  417.229. This section applies to the 
computation of far field blast overpressure effects from the 
proposed flight of a launch vehicle as required by Sec.  417.229 and 
to the analysis products that the launch operator must file with the 
FAA as required by Sec.  417.203(e). The analysis must account for 
distant focus overpressure and any overpressure enhancement to 
establish the potential for broken windows due to peak incident 
overpressures below 1.0 psi and related casualties due to falling or 
projected glass shards. The analysis must employ either paragraph 
(b) of this section or the risk analysis of paragraph (c) of this 
section.
    (b) Far field blast overpressure hazard analysis. Unless an 
analysis satisfies the requirements of paragraph (c) of this section, 
a far field blast overpressure hazard analysis must satisfy the 
following:
    (1) Explosive yield factors. The analysis must use explosive 
yield factor curves for each type or class of solid or liquid 
propellant used by the launch vehicle. Each explosive yield factor 
curve must be based on the most accurate explosive yield data for 
the corresponding type or class of solid or liquid 
propellant based on empirical data or computational modeling.
    (2) Establish the maximum credible explosive yield. The analysis 
must establish the maximum credible explosive yield resulting from 
normal and malfunctioning launch vehicle flight. The explosive yield 
must account for impact mass and velocity of impact on the Earth's 
surface. The analysis must account for explosive yield expressed as 
a TNT equivalent for peak overpressure.
    (3) Characterize the population exposed to the hazard. The 
analysis must demonstrate whether any population centers are 
vulnerable to a distant focus overpressure hazard using the 
methodology provided by section 6.3.2.4 of the American National 
Standards Institute's ANSI S2.20-1983, ``Estimating Air Blast 
Characteristics for Single Point Explosions in Air with a Guide to 
Evaluation of Atmospheric Propagation and Effects'' and as follows:
    (i) For the purposes of this analysis, a population center must 
include any area outside the launch site and not under the launch 
operator's control that contains an exposed site. An exposed site 
includes any structure that may be occupied by human beings, and 
that has at least one window, but does not include automobiles, 
airplanes, and waterborne vessels. The analysis must account for the 
most recent census information on each population center. The 
analysis must treat any exposed site for which no census information 
is available, or the census information indicates a population equal 
to or less than four persons, as a `single residence.'
    (ii) The analysis must identify the distance between the 
location of the maximum credible impact explosion and the location 
of each population center potentially exposed. Unless the location 
of the potential explosion site is limited to a defined region, the 
analysis must account for the distance between the potential 
explosion site and a population center as the minimum distance 
between any point within the region contained by the flight safety 
limits and the nearest exposed site within the population center.
    (iii) The analysis must account for all weather conditions 
optimized for a distant focus overpressure hazard by applying an 
atmospheric blast ``focus factor'' (F) of 5.
    (iv) The analysis must determine, using the methodology of 
section 6.3.2.4 of ANSI S2.20-1983, for each population center, 
whether the maximum credible explosive yield of a launch meets, 
exceeds or is less than the ``no damage yield limit'' of the 
population center. If the maximum credible explosive yield is less 
than the ``no damage yield limit'' for all exposed sites, the 
remaining requirements of this section do not apply. If the maximum 
credible explosive yield meets or exceeds the ``no damage yield 
limit'' for a population center then that population center is 
vulnerable to far field blast overpressure from the launch and the 
requirements of paragraphs (b)(4) and (b)(5) of this section apply.
    (4) Estimate the quantity of broken windows. The analysis must 
use a focus factor of 5 and the methods provided by ANSI S2.20-1983 
to estimate the number of potential broken windows within each 
population center determined to be vulnerable to the distant focus 
overpressure hazard as required by paragraph (b)(3) of this section.
    (5) Determine and implement measures necessary to prevent 
distant focus overpressure from breaking windows. For each 
population center that is vulnerable to far field blast overpressure 
from a launch, the analysis must identify mitigation measures to 
protect the public from serious injury from broken windows and the 
flight commit criteria of Sec.  417.113(b) needed to enforce the 
mitigation measures. A launch operator's mitigation measures must 
include one or more of the following:
    (i) Apply a minimum 4-millimeter thick anti-shatter film to all 
exposed sites where the maximum credible yield exceeds the ``no 
damage yield limit.''
    (ii) Evacuate the exposed public to a location that is not 
vulnerable to the distant focus overpressure hazard at least two 
hours prior to the planned flight time.
    (iii) If, as required by paragraph (b)(4) of this section, the 
analysis predicts that less than 20 windows will break, advise the 
public of the potential for glass breakage.
    (c) Far field blast overpressure risk analysis. If a launch 
operator does not employ paragraph (b) of this section to perform a 
far field overpressure hazard analysis, the launch operator must 
conduct a risk analysis that demonstrates that the launch will be 
conducted in accordance with the public risk criteria of Sec.  
417.107(b).
    (d) Far field blast overpressure effect products. The products 
of a far field blast overpressure analysis that a launch operator 
must file with the FAA include:
    (1) A description of the methodology used to produce the far 
field blast overpressure analysis results, a tabular description of 
the analysis input data, and a description of any far field blast 
overpressure mitigation measures implemented.
    (2) For any far field blast overpressure risk analysis, an 
example set of the analysis computations.
    (3) The values for the maximum credible explosive yield as a 
function of time of flight.
    (4) The distance between the potential explosion location and 
any population center vulnerable to the far field blast overpressure 
hazard. For each population center, the launch operator must 
identify the exposed populations by location and number of people.
    (5) Any mitigation measures established to protect the public 
from far field blast overpressure hazards and any flight commit 
criteria established to ensure the mitigation measures are enforced.

A417.31 Collision avoidance.

    (a) General. A flight safety analysis must include a collision 
avoidance analysis that satisfies the requirements of Sec.  417.231. 
This section applies to a launch operator obtaining a collision 
avoidance assessment from United States Strategic Command as 
required by Sec.  417.231 and to the analysis products that the 
launch operator must file with the FAA as required by Sec.  
417.203(e). United States Strategic Command refers to a collision 
avoidance analysis for a space launch as a conjunction on launch 
assessment.
    (b) Analysis constraints. A launch operator must satisfy the 
following when obtaining and implementing the results of a collision 
avoidance analysis:
    (1) A launch operator must provide United States Strategic 
Command with the launch window and trajectory data needed to perform 
a collision avoidance analysis for a launch as required by paragraph 
(c) of this section, at least 15 days before the first attempt at 
flight. The FAA will identify a launch operator to United States 
Strategic Command as part of issuing a license and provide a launch 
operator with current United States Strategic Command contact 
information.
    (2) A launch operator must obtain a collision avoidance analysis 
performed by United States Strategic Command 6 hours before the 
beginning of a launch window.
    (3) A launch operator may use a collision avoidance analysis for 
12 hours from the time that United States Strategic Command 
determines the state vectors of the manned or mannable orbiting 
objects. If a launch operator needs an updated collision avoidance 
analysis due to a launch delay, the launch operator must file the 
request with United States Strategic Command at least 12 hours prior 
to the beginning of the new launch window.
    (4) For every 90 minutes, or portion of 90 minutes, that pass 
between the time United States Strategic Command last determined the 
state vectors of the orbiting objects, a launch operator must expand 
each wait in a launch window by subtracting 15 seconds from the 
start of the wait in the launch window and adding 15 seconds to the 
end of the wait in the launch window. A launch operator must 
incorporate all the resulting waits in the launch window into its 
flight commit criteria established as required by Sec.  417.113.
    (c) Information required. A launch operator must prepare a 
collision avoidance analysis worksheet for each launch using a 
standardized format that contains the input data required by this 
paragraph. A launch operator must file the input data with United 
States Strategic Command for the purposes of completing a collision 
avoidance analysis. A launch operator must file the input data with 
the FAA as part of the license application process as required by 
Sec.  415.115 of this chapter.
    (1) Launch information. A launch operator must file the 
following launch information:
    (i) Mission name. A mnemonic given to the launch vehicle/payload 
combination identifying the launch mission from all others.
    (ii) Segment number. A segment is defined as a launch vehicle 
stage or payload after the thrusting portion of its flight has 
ended. This includes the jettison or deployment of any stage or 
payload. A launch operator must provide a separate worksheet for 
each segment. For each segment, a launch operator must determine the 
``vector at injection'' as defined by paragraph (c)(5) of this 
section. The data must present each segment number as a sequence 
number relative to the total number of segments for a launch, such 
as ``1 of 5.''
    (iii) Launch window. The launch window opening and closing times 
in Greenwich Mean Time (referred to as ZULU time) and the Julian 
dates for each scheduled launch attempt.
    (2) Point of contact. The person or office within a launch 
operator's organization that collects, analyzes, and distributes 
collision avoidance analysis results.
    (3) Collision avoidance analysis results transmission 
medium. A launch operator must identify the transmission medium, 
such as voice, FAX, or e-mail, for receiving results from United 
States Strategic Command.
    (4) Requestor launch operator needs. A launch operator must 
indicate the types of analysis output formats required for 
establishing flight commit criteria for a launch:
    (i) Waits. All the times within the launch window during which 
flight must not be initiated.
    (ii) Windows. All the times within an overall launch window 
during which flight may be initiated.
    (5) Vector at injection. A launch operator must identify the 
vector at injection for each segment. ``Vector at injection'' 
identifies the position and velocity of all orbital or suborbital 
segments after the thrust for a segment has ended.
    (i) Epoch. The epoch time, in Greenwich Mean Time (GMT), of the 
expected launch vehicle liftoff time.
    (ii) Position and velocity. The position coordinates in the EFG 
coordinate system measured in kilometers and the EFG components 
measured in kilometers per second, of each launch vehicle stage or 
payload after any burnout, jettison, or deployment.
    (6) Time of powered flight. The elapsed time in seconds, from 
liftoff to arrival at the launch vehicle vector at injection. The 
input data must include the time of powered flight for each stage or 
jettisoned component measured from liftoff.
    (7) Time span for launch window file (LWF). A launch operator 
must provide the following information regarding its launch window:
    (i) Launch window. The launch window measured in minutes from 
the initial proposed liftoff time.
    (ii) Time of powered flight. The time provided as required by 
paragraph (c)(6) of this section measured in minutes rounded up to 
the nearest integer minute.
    (iii) Screen duration. The time duration, after all thrusting 
periods of flight have ended, that a collision avoidance analysis 
must screen for potential conjunctions with manned or mannable 
orbital objects. Screen duration is measured in minutes and must be 
greater than or equal to 100 minutes for an orbital launch.
    (iv) Extra pad. An additional period of time for collision 
avoidance analysis screening to ensure the entire first orbit is 
screened for potential conjunctions with manned or mannable orbital 
objects. This time must be 10 minutes unless otherwise specified by 
United States Strategic Command.
    (v) Total. The summation total of the time spans provided as 
required by paragraphs (c)(7)(i) through (c)(7)(iv) expressed in 
minutes.
    (8) Screening. A launch operator must select spherical or 
ellipsoidal screening as defined in this paragraph for determining 
any conjunction. The default must be the spherical screening method 
using an avoidance radius of 200 kilometers for manned or mannable 
orbiting objects. If the launch operator requests screening for any 
unmanned or unmannable objects, the default must be the spherical 
screening method using a miss distance of 25 kilometers.
    (i) Spherical screening. Spherical screening utilizes an impact 
exclusion sphere centered on each orbiting object's center-of-mass 
to determine any conjunction. A launch operator must specify the 
avoidance radius for manned or mannable objects and for any unmanned 
or unmannable objects if the launch operator elects to perform the 
analysis for unmanned or unmannable objects.
    (ii) Ellipsoidal screening. Ellipsoidal screening utilizes an 
impact exclusion ellipsoid of revolution centered on the orbiting 
object's center-of-mass to determine any conjunction. A launch 
operator must provide input in the UVW coordinate system in 
kilometers. The launch operator must provide delta-U measured in the 
radial-track direction, delta-V measured in the in-track direction, 
and delta-W measured in the cross-track direction.
    (9) Orbiting objects to evaluate. A launch operator must 
identify the orbiting objects to be included in the analysis.
    (10) Deliverable schedule/need dates. A launch operator must 
identify the times before flight, referred to as ``L-times,'' for 
which the launch operator requests a collision avoidance analysis.
    (d) Collision avoidance assessment products. A launch operator 
must file its collision avoidance analysis products as required by 
Sec.  417.203(e) and must include the input data required by 
paragraph (c) of this section. A launch operator must incorporate 
the result of the collision avoidance analysis into its flight 
commit criteria established as required by Sec.  417.113.
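
The wait expansion of paragraph (b)(4), the 12-hour limit of paragraph (b)(3), and the launch window file total of paragraph (c)(7) reduce to the arithmetic below. This is an added example, not part of the rule and not FAA or United States Strategic Command code; all times are constructed. It assumes the age of the state vectors is measured to a time the caller supplies (here the window opening), because the rule text does not name that end point.

```python
"""Launch window arithmetic from A417.31 (added illustration)."""
from datetime import datetime, timedelta, timezone
from math import ceil

INTERVAL = timedelta(minutes=90)   # (b)(4): every 90 minutes, or portion of 90
PAD = timedelta(seconds=15)        # (b)(4): 15 seconds on each side per interval
VALIDITY = timedelta(hours=12)     # (b)(3): analysis usable for 12 hours
MIN_ORBITAL_SCREEN_MIN = 100       # (c)(7)(iii)
DEFAULT_EXTRA_PAD_MIN = 10         # (c)(7)(iv)


def expand_waits(waits, vectors_epoch, as_of):
    """Widen each (start, end) wait by 15 s per started 90 min of vector age.

    `as_of` is the time the age is measured to (an assumption of this example).
    Returns the widened waits sorted, with overlapping waits merged.
    """
    age = as_of - vectors_epoch
    if age < timedelta(0):
        raise ValueError("state vectors are dated after the evaluation time")
    if age > VALIDITY:
        raise ValueError("analysis older than 12 hours; an update is needed")
    pad = ceil(age / INTERVAL) * PAD
    merged = []
    for start, end in sorted((s - pad, e + pad) for s, e in waits):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def go_windows(window_open, window_close, waits):
    """Times inside the launch window not covered by any wait ((c)(4)(ii)).

    `waits` must be sorted and merged, as returned by expand_waits().
    """
    windows, cursor = [], window_open
    for start, end in waits:
        if start >= window_close:
            break
        if start > cursor:
            windows.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < window_close:
        windows.append((cursor, window_close))
    return windows


def lwf_total_minutes(window_min, powered_flight_s, screen_min,
                      extra_pad_min=DEFAULT_EXTRA_PAD_MIN, orbital=True):
    """Sum the time spans of (c)(7)(i) through (c)(7)(iv), in minutes."""
    if orbital and screen_min < MIN_ORBITAL_SCREEN_MIN:
        raise ValueError("orbital screen duration must be at least 100 minutes")
    powered_min = ceil(powered_flight_s / 60)  # rounded up to a whole minute
    return window_min + powered_min + screen_min + extra_pad_min


if __name__ == "__main__":
    def t(h, m, s=0):
        # Constructed date and times (GMT), for illustration only.
        return datetime(2006, 9, 25, h, m, s, tzinfo=timezone.utc)

    waits = [(t(14, 10), t(14, 12)), (t(14, 13), t(14, 15)),
             (t(14, 40), t(14, 41, 30))]
    # State vectors determined 09:30, window opens 14:00: 270 min, 3 intervals.
    widened = expand_waits(waits, vectors_epoch=t(9, 30), as_of=t(14, 0))
    for start, end in widened:
        print("wait  ", start.time(), "-", end.time())
    for start, end in go_windows(t(14, 0), t(15, 0), widened):
        print("window", start.time(), "-", end.time())
    print("LWF total (min):", lwf_total_minutes(60, 532.4, 100))
```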

Appendix B of Part 417--Flight Hazard Area Analysis for Aircraft and 
Ship Protection

B417.1 Scope.

    This appendix contains requirements to establish aircraft hazard 
areas, ship hazard areas, and land impact hazard areas. The 
methodologies contained in this appendix represent an acceptable 
means of satisfying the requirements of Sec.  417.107 and Sec.  
417.223 as they pertain to ship, aircraft, and land hazard areas. 
This appendix provides a standard and a measure of fidelity against 
which the FAA will measure any proposed alternative approaches. 
Requirements for a launch operator's implementation of a hazard area 
are contained in Sec. Sec.  417.121(e) and (f).

B417.3 Hazard area notifications and surveillance.

    (a) A launch operator must ensure the following notifications 
have been made and adhered to at launch:
    (1) A Notice to Airmen (NOTAM) must be issued for every aircraft 
hazard area identified as required by sections B417.5 and B417.7. 
The NOTAM must be effective no less than thirty minutes prior to 
flight and effective until no sooner than thirty minutes after the 
air space volume requested by the NOTAM can no longer be affected by 
the launch vehicle or its potential hazardous effects.
    (2) A Notice to Mariners (NOTMAR) must be issued for every ship 
hazard area identified as required by sections B417.5 and B417.7. 
The NOTMAR must be effective no less than thirty minutes prior to 
flight and effective until no sooner than thirty minutes after the 
area requested by the NOTMAR can no longer be affected by the launch 
vehicle or its potential hazardous effects.
    (3) All local officials and landowners adjacent to any hazard 
area must be notified of the flight schedule no less than two days 
prior to the flight of the launch vehicle.
    (b) A launch operator must survey each of the following hazard 
areas:
    (1) Each launch site hazard area;
    (2) Each aircraft hazard area in the vicinity of the launch 
site; and
    (3) Each ship hazard area in the vicinity of the launch site.

B417.5 Launch site hazard area.

    (a) General. A launch operator must perform a launch site hazard 
area analysis that protects the public, aircraft, and ships from the 
hazardous activities in the vicinity of the launch site. The launch 
operator must evacuate and monitor each launch site hazard area to 
ensure compliance with Sec. Sec.  417.107(b)(2) and (b)(3).
    (b) Launch site hazard area analysis input. A launch site hazard 
area must encompass no less than the following:
    (1) Each land hazard area in the vicinity of the launch site 
calculated as required by section B417.13;
    (2) Each ship hazard area in the vicinity of the launch site 
calculated as required by section B417.11(c); and
    (3) The aircraft hazard area in the vicinity of the launch site 
calculated as required by section B417.9(c).

B417.7 Downrange hazard areas.

    (a) General. A launch operator must perform a downrange hazard 
area analysis that protects the public, aircraft, and ships from the 
hazardous activities in the vicinity of each scheduled impact 
location.
    (b) Downrange hazard areas analysis input. A launch hazard area 
must bound no less than the following:
    (1) The aircraft hazard area in the vicinity of each planned 
impact location calculated as required by section B417.9(d);
    (2) The ship hazard area in the vicinity of each planned water 
impact location calculated as required by section B417.11(d); and
    (3) The land hazard area in the vicinity of each planned land 
impact location calculated as required by section B417.13.

B417.9 Aircraft hazard areas analysis.

    (a) General. A launch operator must perform an aircraft hazard 
areas analysis as required by Sec.  417.223(b). A launch operator's

[[Page 50583]]

aircraft hazard areas analysis must determine the aircraft hazard 
area in the vicinity of the launch site and the aircraft hazard area 
in the vicinity of each planned impact location as required by this 
section.
    (b) Aircraft hazard areas analysis input. A launch operator must 
account for the following inputs to determine the aircraft hazard 
areas:
    (1) The trajectory analysis performed as required by section 
A417.7 or section C417.3; and
    (2) The debris risk analysis performed as required by section 
A417.25 or section C417.9.
    (c) Methodology for computing an aircraft hazard area in the 
vicinity of the launch site. An aircraft hazard area analysis must 
determine an aircraft hazard area that encompasses the launch point 
from the surface of the Earth to an altitude of 100,000 ft MSL and 
wholly contains the launch vehicle's normal trajectory plus five 
nautical miles in every radial direction. A launch operator must 
calculate an aircraft hazard area in the vicinity of the launch site 
as follows:
    (1) Using the trajectory analysis performed as required by 
section A417.7 or section C417.3, select all data locations where 
the vehicle's nominal altitude, or positional component on the z-axis, 
is less than or equal to 100,000 ft MSL.
    (2) From the data locations representing the dispersed 
trajectories calculated as required by section A417.7(d) or section 
C417.3(f) and modified to incorporate a 5 nm buffer as required by 
paragraph (c)(1) of this section for the data locations selected 
below a nominal altitude of 100,000 ft MSL as required by paragraph 
(c)(1) of this section, select the location that is the farthest 
left-hand crossrange, the location that is the farthest right-hand 
crossrange, the location that is the farthest downrange, and the 
location that is the farthest uprange.
    (3) Construct a box in the xy plane that includes two lines 
parallel to the azimuth, two lines perpendicular to the azimuth, and 
contains the four locations selected as required by paragraph (c)(2) 
of this section.
    (4) Extend the box constructed as required by paragraph (c)(3) 
of this section from the surface of the Earth to an infinite 
altitude.
    (d) Methodology for computing an aircraft hazard area in the 
vicinity of each planned impact location. A launch operator must 
determine an aircraft hazard area in the vicinity of each planned 
impact location from the surface of the Earth to an altitude of 
100,000 ft MSL that wholly contains the launch vehicle's calculated 
impact dispersion with a 5 nm buffer and the normal trajectory. A 
launch operator must compute an aircraft hazard area in the vicinity 
of each planned impact location as follows:
    (1) The analysis must calculate a three-sigma dispersion ellipse 
by determining the three-sigma impact limit around a planned impact 
location.
    (2) Taking the three-sigma dispersion ellipse calculated as 
required by paragraph (d)(1) of this section, plot a co-centric 
ellipse in the xy plane where the major and minor axes are 10 nm 
longer than the major and minor axes of the three-sigma dispersion 
ellipse.
    (3) Extend the ellipse calculated as required by paragraph 
(d)(2) of this section from the surface to an infinite altitude.
    (4) Using the trajectory that predicts the instantaneous impact 
locations required in section A417.7(g)(7)(xii) or section 
C417.3(d), find the location on the trajectory where the vehicle's 
nominal altitude is predicted to be 100,000 ft MSL.
    (5) At the trajectory time where the altitude is represented as 
100,000 ft MSL, select the corresponding points from the normal 
trajectory dispersion that are the farthest uprange, downrange, 
right crossrange, and left crossrange relative to the nominal 
trajectory.
    (6) Construct a box in the xy plane that includes two lines 
parallel to the azimuth, two lines perpendicular to the azimuth, and 
contains the points selected as required by paragraph (d)(5) of this 
section and the nominal impact point.
    (7) Extend the box constructed as required by paragraph (d)(6) 
of this section from the surface of the Earth to an infinite 
altitude.
    (8) Construct a volume, the aircraft hazard area, that 
encompasses the volumes calculated as required by paragraphs (d)(3) 
and (d)(7) of this section.
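
The box construction in paragraph (c) of section B417.9, sketched as an added Python example that is not part of the rule text. It assumes a flat local frame centered on the launch point with x east and y north in nautical miles, an azimuth measured clockwise from north, and nominal and dispersed trajectories sampled at the same indices; all names and the sample data are constructed for illustration.

```python
import math

ALT_LIMIT_FT = 100_000.0  # altitude cutoff, paragraph (c)(1)
BUFFER_NM = 5.0           # buffer in every radial direction, paragraph (c)


def to_range_frame(x, y, azimuth_deg):
    """Rotate east/north (x, y) into (downrange, right crossrange)."""
    az = math.radians(azimuth_deg)
    return (x * math.sin(az) + y * math.cos(az),
            x * math.cos(az) - y * math.sin(az))


def from_range_frame(down, cross, azimuth_deg):
    """Inverse rotation: (downrange, right crossrange) back to (x, y)."""
    az = math.radians(azimuth_deg)
    return (down * math.sin(az) + cross * math.cos(az),
            down * math.cos(az) - cross * math.sin(az))


def aircraft_hazard_box(nominal, dispersed, azimuth_deg):
    """Return (extents, corners) of the azimuth-aligned box footprint.

    nominal   : list of (x_nm, y_nm, alt_ft_msl) samples
    dispersed : list of trajectories, each a list of (x_nm, y_nm) samples
                at the same indices as `nominal` (assumed input layout)
    """
    # (c)(1): keep samples whose nominal altitude is at or below the cutoff.
    keep = [i for i, (_x, _y, alt) in enumerate(nominal) if alt <= ALT_LIMIT_FT]
    if not keep:
        raise ValueError("no nominal sample at or below 100,000 ft MSL")

    # The area must encompass the launch point (the origin of this frame).
    pts = [to_range_frame(0.0, 0.0, azimuth_deg)]
    for i in keep:
        pts.append(to_range_frame(nominal[i][0], nominal[i][1], azimuth_deg))
        for traj in dispersed:
            pts.append(to_range_frame(traj[i][0], traj[i][1], azimuth_deg))

    # (c)(2): farthest uprange, downrange, left and right locations,
    # each pushed out by the 5 nm buffer.
    downs = [p[0] for p in pts]
    crosses = [p[1] for p in pts]
    ext = {
        "uprange": min(downs) - BUFFER_NM,
        "downrange": max(downs) + BUFFER_NM,
        "left": min(crosses) - BUFFER_NM,
        "right": max(crosses) + BUFFER_NM,
    }

    # (c)(3): two sides parallel and two perpendicular to the azimuth.
    # (c)(4): the footprint applies at every altitude above the surface.
    corners = [from_range_frame(d, c, azimuth_deg) for d, c in (
        (ext["uprange"], ext["left"]), (ext["uprange"], ext["right"]),
        (ext["downrange"], ext["right"]), (ext["downrange"], ext["left"]))]
    return ext, corners


def box_contains(ext, x, y, azimuth_deg, eps=1e-9):
    """True if the east/north point (x, y) lies inside the box footprint."""
    d, c = to_range_frame(x, y, azimuth_deg)
    return (ext["uprange"] - eps <= d <= ext["downrange"] + eps
            and ext["left"] - eps <= c <= ext["right"] + eps)


# Constructed sample data: launch due east, five trajectory samples.
AZIMUTH_DEG = 90.0
NOMINAL = [(0, 0, 0), (2, 0, 30_000), (6, 0, 70_000),
           (12, 0, 100_000), (20, 0, 140_000)]
DISPERSED = [
    [(0, 0), (2, 1), (6, 3), (12, 6), (20, 10)],      # drifts left (north)
    [(0, 0), (2, -0.5), (6, -2), (12, -4), (20, -8)], # drifts right (south)
    [(0, 0), (2.5, 0), (7, 0), (14, 0), (23, 0)],     # long
    [(0, 0), (1.5, 0), (5, 0), (10, 0), (17, 0)],     # short
]

if __name__ == "__main__":
    extents, box = aircraft_hazard_box(NOMINAL, DISPERSED, AZIMUTH_DEG)
    print(extents)
    print(box)
```

The last sample of each constructed trajectory lies above 100,000 ft MSL on the nominal trajectory, so it does not enlarge the box.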

B417.11 Ship hazard areas analysis.

    (a) General. A flight hazard area analysis must establish ship 
hazard areas bound by the 1 x 10^-5 ship impact contour in 
the vicinity of the launch site and the vehicle's three-sigma 
dispersion limit plus a 5 nm buffer in the vicinity of a planned, 
downrange impact location.
    (b) Ship hazard area analysis input. A launch operator must 
account for the following inputs to determine the ship hazard areas:
    (1) The trajectory analysis performed as required by section 
A417.7 or section C417.3;
    (2) For a launch vehicle flown with a flight safety system, the 
malfunction turn analysis required by section A417.9;
    (3) The debris analysis required by section A417.11 or section 
C417.7 to define the impact locations of each class of debris 
established by the debris analysis;
    (4) For a launch vehicle flown with a flight safety system, the 
time delay analysis required by section A417.21; and
    (5) The debris risk analysis performed as required by section 
A417.25 or section C417.9.
    (c) Methodology for computing ship hazard areas in the vicinity 
of the launch site. The analysis must establish the ship-hit 
contours as follows:
    (1) A ship-hit contour must account for the size of the largest 
ship that could be located in the ship hazard area. The analysis 
must demonstrate that the ship size used represents the largest ship 
that could be present in the ship hazard area or, if the ship size 
is unknown, the analysis must use a ship size of 120,000 square 
feet.
    (2) The analysis must first calculate the probability of 
impacting the reference ship selected as required by paragraph 
(c)(1) of this section at the location of interest. From the 
location of interest, move the ship away from the launch location 
along a single radial until the probability that debris is present 
at that location multiplied by the probability that a ship is at 
that location is less than or equal to 1 x 10^-5. When 
calculating the probability of impacting a ship, an impact occurs 
when:
    (i) The analysis predicts that inert debris will directly impact 
the vessel with a mean expected kinetic energy at impact greater 
than or equal to 11 ft-lbs; or
    (ii) The analysis predicts the peak incident overpressure at the 
reference vessel will be greater than or equal to 1.0 psi due to any 
explosive debris impact.
    (3) The analysis must account for:
    (i) The variance in winds;
    (ii) The aerodynamic properties of the debris;
    (iii) The variance in velocity of the debris;
    (iv) Guidance and performance errors;
    (v) The type of vehicle breakup, either by any flight 
termination system or by aerodynamic forces that may result in 
different debris characteristics; and
    (vi) Debris impact dispersion resulting from vehicle breakup and 
the malfunction turn capabilities of the launch vehicle.
    (4) Repeat the process outlined in paragraph (c)(2) of this 
section while varying the radial direction until enough locations 
are found where the reference ship's probability of impact is less 
than or equal to 1 x 10^-5 such that connecting each 
location will result in a smooth and continuous contour.
    (d) Methodology for computing ship hazard areas in the vicinity 
of each planned water impact location. A launch operator must 
compute a ship hazard area in the vicinity of each planned impact 
location as required by the following:
    (1) The analysis must calculate a three-sigma dispersion ellipse 
by determining the three-sigma impact limit around a planned impact 
location.
    (2) Taking the three-sigma dispersion ellipse calculated as 
required by paragraph (d)(1) of this section, plot a co-centric 
ellipse in the xy plane where the major and minor axes are 10 nm 
longer than the major and minor axes of the three-sigma dispersion 
ellipse.
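
The radial search in paragraphs (c)(2) and (c)(4) of section B417.11, sketched as an added Python example that is not part of the rule text. The probability model, the step and tolerance values, and the use of a maximum spacing between neighboring contour points as the test for a smooth contour are all assumptions made for illustration; a real analysis would supply a probability function that accounts for the factors listed in paragraph (c)(3).

```python
import math

THRESHOLD = 1e-5  # ship impact probability limit, paragraph (c)(2)


def radial_distance(p_hit, bearing_deg, step_nm=0.25, max_nm=300.0, tol_nm=0.01):
    """Move outward from the launch point along one radial until
    p_hit(x, y) <= THRESHOLD, then refine the crossing by bisection.

    p_hit(x, y) is the probability that debris is present multiplied by
    the probability that a ship is present, at x east / y north (nm).
    """
    b = math.radians(bearing_deg)
    ux, uy = math.sin(b), math.cos(b)

    def p_at(r):
        return p_hit(r * ux, r * uy)

    if p_at(0.0) <= THRESHOLD:
        return 0.0
    lo, hi = 0.0, step_nm
    while p_at(hi) > THRESHOLD:
        lo, hi = hi, hi + step_nm
        if hi > max_nm:
            raise ValueError(f"no crossing within {max_nm} nm on bearing {bearing_deg}")
    # p_at(lo) is above the limit and p_at(hi) is at or below it.
    while hi - lo > tol_nm:
        mid = 0.5 * (lo + hi)
        if p_at(mid) > THRESHOLD:
            lo = mid
        else:
            hi = mid
    return hi  # conservative side: probability here is at or below the limit


def largest_gap(points):
    """Longest straight-line distance between neighboring contour points."""
    n = len(points)
    return max(math.dist(points[i][2:], points[(i + 1) % n][2:]) for i in range(n))


def ship_hit_contour(p_hit, n_radials=16, max_gap_nm=2.0, max_radials=4096):
    """Repeat the radial search over more and more bearings, per (c)(4),
    until neighboring points are close enough to join into a contour.
    Returns a list of (bearing_deg, range_nm, x_nm, y_nm)."""
    while n_radials <= max_radials:
        points = []
        for k in range(n_radials):
            bearing = 360.0 * k / n_radials
            r = radial_distance(p_hit, bearing)
            b = math.radians(bearing)
            points.append((bearing, r, r * math.sin(b), r * math.cos(b)))
        if largest_gap(points) <= max_gap_nm:
            return points
        n_radials *= 2
    raise ValueError("contour did not reach the requested point spacing")


def sample_p_hit(x, y):
    """Constructed model: debris density elongated along an easterly
    azimuth and centered 3 nm downrange, with a uniform ship density."""
    p_ship = 0.05
    q = ((x - 3.0) / 6.0) ** 2 + (y / 2.0) ** 2
    p_debris = 1e-2 * math.exp(-0.5 * q)
    return p_debris * p_ship


if __name__ == "__main__":
    contour = ship_hit_contour(sample_p_hit)
    print(len(contour), "radials; largest gap",
          round(largest_gap(contour), 2), "nm")
    for bearing in (0.0, 90.0, 180.0, 270.0):
        print(bearing, round(radial_distance(sample_p_hit, bearing), 2))
```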

B417.13 Land hazard areas analysis.

    (a) General. A flight hazard area analysis must establish land 
hazard areas in the vicinity of the launch site and land hazard 
areas in the vicinity of each land impact location to ensure that 
the probability of a member of the public being struck by debris 
satisfies the probability threshold of 1 x 10^-6 required 
by Sec.  417.107(b) and to determine exclusion areas that may 
require entry control and surveillance prior to initiation of 
flight. The analysis must establish a land impact hazard area that 
accounts for the effects of impacting debris resulting from normal 
and malfunctioning launch vehicle flight, except for toxic effects, 
and accounts for potential impact locations of all debris fragments. 
The land hazard area must encompass all individual casualty contours 
and the near-launch-point blast hazard area calculated as required 
by paragraph (c) of this section. A launch operator may initiate 
flight only if no member of the public is present within the land 
hazard area.

[[Page 50584]]

    (b) Land hazard areas analysis input. A land hazard analysis 
must account for the following inputs to determine the land hazard 
area:
    (1) The trajectory analysis performed as required by section 
A417.7 or section C417.3;
    (2) For a launch vehicle flown with a flight safety system, the 
malfunction turn analysis required by section A417.9;
    (3) The debris analysis required by section A417.11 or section 
C417.7 to define the impact locations of each class of debris 
established by the debris analysis;
    (4) For a launch vehicle flown with a flight safety system, the 
time delay analysis required by section A417.21; and
    (5) The debris risk analysis performed as required by section 
A417.25 or section C417.9.
    (c) Methodology for computing land hazard areas in the vicinity 
of the launch site and in the vicinity of each planned land impact 
location. The analysis must establish a land hazard area as follows:
    (1) Each land hazard area must completely encompass all 
individual casualty contours that define where the risk to an 
individual would exceed the expected casualty (E_c) criteria of 
1 x 10^-6 if one person were assumed to be in 
the open and inside the contour during launch vehicle flight. The 
analysis must produce an individual casualty contour as follows:
    (i) The analysis must account for the location of a hypothetical 
person, and must vary the location of the person to determine when 
the risk would exceed the E_c criteria of 1 x 10^-6. 
The analysis must count a person as a casualty when 
the person's location is subjected to any inert debris impact with a 
mean expected kinetic energy greater than or equal to 11 ft-lbs or a 
peak incident overpressure equal to or greater than 1.0 psi due to 
explosive debris impact. The analysis must determine the peak 
incident overpressure using the Kingery-Bulmash relationship, 
without regard to sheltering, reflections, or atmospheric effects.
    (ii) The analysis must account for all person locations that are 
no more than 1000 feet apart in the downrange direction and no more 
than 1000 feet apart in the crossrange direction to produce an 
individual casualty contour. For each person location, the analysis 
must sum all the probabilities of casualty over all flight times for 
all debris groups.
    (iii) An individual casualty contour must consist of curves that 
are smooth and continuous. To accomplish this, the analysis must 
vary the time interval between each trajectory time assessed so that 
each location of a debris impact point is less than one-half sigma 
of the downrange dispersion distance.
    (2) The input for determining a land impact hazard area must 
account for the following in order to define the impact locations of 
each class of debris established by the debris analysis and the time 
delay analysis required by section A417.21 for a launch vehicle 
flown with a flight safety system:
    (i) The results of the trajectory analysis required by section 
A417.7 or section C417.3;
    (ii) The malfunction turn analysis required by section A417.9 
for a launch vehicle flown with a flight safety system; and
    (iii) The debris analysis required by section A417.11 or section 
C417.7.
    (3) The analysis must account for the extent of the impact 
debris dispersions for each debris class produced by normal and 
malfunctioning launch vehicle flight at each trajectory time. The 
analysis must also account for how the vehicle breaks up, either by 
any flight termination system or by aerodynamic forces, if the 
different breakup may result in a different probability of existence 
for each debris class. A land impact hazard area must account for 
each impacting debris fragment classified as required by section 
A417.11(c) or section C417.7.
    (4) For a launch vehicle flown with a flight safety system, the 
analysis must account for launch vehicle flight that exceeds a 
flight safety limit. The analysis must also account for trajectory 
conditions that maximize the mean debris impact distance during the 
flight safety system delay time determined as required by section 
A417.21 and account for a debris model that is representative of a 
flight termination or aerodynamic breakup.
    (5) For each launch vehicle breakup event, the analysis must 
account for trajectory and breakup dispersions, variations in debris 
class characteristics, and debris dispersion due to any wind 
condition under which a launch would be attempted.
    (6) The analysis must account for the probability of failure of 
each launch vehicle stage and the probability of existence of each 
debris class. The analysis must account for the probability of 
occurrence of each type of launch vehicle failure. The analysis must 
account for vehicle failure probabilities that vary depending 
on the time of flight.
    (7) In addition to failure debris, the analysis must account for 
nominal jettisoned body debris impacts and the corresponding debris 
impact dispersions. The analysis must use a probability of 
occurrence of 1.0 for the planned debris fragments produced by 
normal separation events during flight.
    (d) Near-launch-point blast hazard area. A land hazard area 
analysis must define a blast overpressure hazard area as a circle 
extending from the launch point with a radius equal to the 1.0 psi 
overpressure distance produced by the equivalent TNT weight of the 
explosive capability of the vehicle. In addition, the analysis must 
establish a minimum near-launch point blast hazard area to provide 
protection from hazardous fragments potentially propelled by an 
explosion. The analysis must account for the maximum possible total 
solid and liquid propellant explosive potential of the launch 
vehicle and any payload. The analysis must define a blast 
overpressure hazard area using the following equations:

R_op = 45 · (NEW)^(1/3)

Where:

R_op is the overpressure distance in feet.
NEW = W_E · C (pounds).
W_E is the weight of the explosive in pounds.
C is the TNT equivalency coefficient of the propellant being 
evaluated. A launch operator must identify the TNT equivalency of 
each propellant on its launch vehicle including any payload. TNT 
equivalency data for common liquid propellants is provided in Table 
A417-1. Table A417-2 provides factors for converting gallons of 
specified liquid propellants to pounds.

    (e) Other hazards. A flight hazard area analysis must identify 
any additional hazards, such as radioactive material, that may exist 
on the launch vehicle or payload. For each such hazard, the analysis 
must determine a hazard area that encompasses any debris impact 
point and its dispersion and includes an additional hazard radius 
that accounts for potential casualty due to the additional hazard. 
Analysis requirements for toxic release and far field blast 
overpressure are provided in sections A417.27 and A417.29, 
respectively.
    (f) Land impact dispersion ellipses. A land impact hazard area 
must contain the land impact dispersion ellipse for each planned 
land impact. A launch operator must compute a land impact dispersion 
ellipse in the vicinity of each planned land impact location as 
follows:
    (1) The analysis must calculate a one-sigma dispersion ellipse 
by determining the one-sigma impact limit around a planned impact 
location.
    (2) Taking the one-sigma dispersion ellipse calculated as 
required by paragraph (f)(1) of this section, plot a co-centric 
ellipse in the xy plane where the major and minor axes are 10 nm 
longer than the major and minor axes of the one-sigma dispersion 
ellipse.

Appendix C of Part 417--Flight Safety Analysis Methodologies and 
Products for an Unguided Suborbital Launch Vehicle Flown With a Wind 
Weighting Safety System

C417.1 General.

    (a) This appendix contains methodologies for performing the 
flight safety analysis required for the launch of an unguided 
suborbital launch vehicle flown with a wind weighting safety system, 
except for the hazard area analysis required by Sec.  417.107, which 
is covered in appendix B of this part. This appendix includes 
methodologies for a trajectory analysis, wind weighting analysis, 
debris analysis, debris risk analysis, and a collision avoidance 
analysis.
    (b) The requirements of this appendix apply to a launch operator 
and the launch operator's flight safety analysis unless the launch 
operator clearly and convincingly demonstrates that an alternative 
approach provides an equivalent level of safety.
    (c) A launch operator must:
    (1) Perform a flight safety analysis to determine the launch 
parameters and conditions under which an unguided suborbital launch 
vehicle may be flown using a wind weighting safety system as 
required by Sec.  417.233.
    (2) When conducting the flight safety analysis, comply with the 
safety criteria and operational requirements contained in Sec.  
417.125; and
    (3) Conduct the flight safety analysis for an unguided 
suborbital launch vehicle using the methodologies of this appendix 
and appendix B of this part unless the launch operator demonstrates, 
in accordance with Sec.  406.3(b), through the licensing process, 
that an alternate method provides an equivalent level of fidelity.

[[Page 50585]]

C417.3 Trajectory analysis.

    (a) General. A launch operator must perform a trajectory 
analysis for the flight of an unguided suborbital launch vehicle to 
determine:
    (1) The launch vehicle's nominal trajectory;
    (2) Each nominal drag impact point; and
    (3) Each potential three-sigma dispersion about each nominal 
drag impact point.
    (b) Definitions. A launch operator must employ the following 
definitions when determining an unguided suborbital launch vehicle's 
trajectory and drag impact points:
    (1) Drag impact point means the intersection of a predicted 
ballistic trajectory of an unguided suborbital launch vehicle stage 
or other impacting component with the Earth's surface. A drag impact 
point reflects the effects of atmospheric influences as a function 
of drag forces and mach number.
    (2) Maximum range trajectory means an optimized trajectory, 
extended through fuel exhaustion of each stage, to achieve a maximum 
downrange drag impact point.
    (3) Nominal trajectory means the trajectory that an unguided 
suborbital launch vehicle will fly if all rocket aerodynamic 
parameters are as expected without error, all rocket internal and 
external systems perform exactly as planned, and there are no 
external perturbing influences, such as winds, other than 
atmospheric drag and gravity.
    (4) Normal flight means all possible trajectories of a properly 
performing unguided suborbital launch vehicle whose drag impact 
point location does not deviate from its nominal location more than 
three sigma in each of the uprange, downrange, left crossrange, or 
right crossrange directions.
    (5) Performance error parameter means a quantifiable perturbing 
force that contributes to the dispersion of a drag impact point in 
the uprange, downrange, and cross-range directions of an unguided 
suborbital launch vehicle stage or other impacting launch vehicle 
component. Performance error parameters for the launch of an 
unguided suborbital launch vehicle reflect rocket performance 
variations and any external forces that can cause offsets from the 
nominal trajectory during normal flight. Performance error 
parameters include thrust, thrust misalignment, specific impulse, 
weight, variation in firing times of the stages, fuel flow rates, 
contributions from the wind weighting safety system employed, and 
winds.
    (c) Input. A trajectory analysis requires the input necessary to 
produce a six-degree-of-freedom trajectory. A launch operator must 
use each of the following as inputs to the trajectory computations:
    (1) Launcher data, as follows--
    (i) Geodetic latitude and longitude;
    (ii) Height above sea level;
    (iii) All location errors; and
    (iv) Launch azimuth and elevation.
    (2) Reference ellipsoidal Earth model, as follows--
    (i) Name of the Earth model employed;
    (ii) Semi-major axis;
    (iii) Semi-minor axis;
    (iv) Eccentricity;
    (v) Flattening parameter;
    (vi) Gravitational parameter;
    (vii) Rotation angular velocity;
    (viii) Gravitational harmonic constants; and
    (ix) Mass of the Earth.
    (3) Vehicle characteristics for each stage. A launch operator 
must identify the following for each stage of an unguided suborbital 
launch vehicle's flight:
    (i) Nozzle exit area of each stage.
    (ii) Distance from the rocket nose-tip to the nozzle exit for 
each stage.
    (iii) Reference drag area and reference diameter of the rocket 
including any payload for each stage of flight.
    (iv) Thrust as a function of time.
    (v) Propellant weight as a function of time.
    (vi) Coefficient of drag as a function of mach number.
    (vii) Distance from the rocket nose-tip to center of gravity as 
a function of time.
    (viii) Yaw moment of inertia as a function of time.
    (ix) Pitch moment of inertia as a function of time.
    (x) Pitch damping coefficient as a function of mach number.
    (xi) Aerodynamic damping coefficient as a function of mach 
number.
    (xii) Normal force coefficient as a function of mach number.
    (xiii) Distance from the rocket nose-tip to center of pressure 
as a function of mach number.
    (xiv) Axial force coefficient as a function of mach number.
    (xv) Roll rate as a function of time.
    (xvi) Gross mass of each stage.
    (xvii) Burnout mass of each stage.
    (xviii) Vacuum thrust.
    (xix) Vacuum specific impulse.
    (xx) Stage dimensions.
    (xxi) Weight of each spent stage.
    (xxii) Payload mass properties.
    (xxiii) Nominal launch elevation and azimuth.
    (4) Launch events. Each stage ignition time, each stage burn 
time, and each stage separation time, referenced to ignition time of 
first stage.
    (5) Atmosphere. Density as a function of altitude, pressure as a 
function of altitude, speed of sound as a function of altitude, 
temperature as a function of altitude.
    (6) Wind errors. Error in measurement of wind direction as a 
function of altitude and wind magnitude as a function of altitude, 
wind forecast error, such as error due to time delay from wind 
measurement to launch.
    (d) Methodology for determining the nominal trajectory and 
nominal drag impact points. A launch operator must employ the steps 
in paragraphs (d)(1)-(d)(3) of this section to determine the nominal 
trajectory and the nominal drag impact point locations for each 
impacting rocket stage and component:
    (1) A launch operator must identify each performance error 
parameter associated with the unguided suborbital launch vehicle's 
design and operation and the value for each parameter that reflects 
nominal rocket performance. A launch operator must identify each 
performance error parameter's distribution to account for all launch 
vehicle performance variations and any external forces that can 
cause offsets from the nominal trajectory during normal flight. 
These performance error parameters include thrust misalignment, 
thrust variation, weight variation, fin misalignment, impulse 
variation, aerodynamic drag variation, staging timing variation, 
stage separation-force variation, drag error, uncompensated wind, 
launcher elevation angle error, launcher azimuth angle error, 
launcher tip-off, and launcher location error.
    (2) A launch operator must perform a no-wind trajectory 
simulation using a six-degrees-of-freedom (6-DOF) trajectory 
simulation with all performance error parameters set to their 
nominal values to determine the impact point of each stage or 
component. The 6-DOF trajectory simulation must provide rocket 
position translation along three axes of an orthogonal Earth-
centered coordinate system and rocket orientation in roll, pitch and 
yaw. The 6-DOF trajectory simulation must compute each translation 
and orientation in response to forces and moments internal and 
external to the rocket including all the effects of the input data 
required by paragraph (c) of this section. A launch operator may 
incorporate the following assumptions in a 6-DOF trajectory 
simulation:
    (i) The airframe may be treated as a rigid body.
    (ii) The airframe may have a plane of symmetry coinciding with 
the vertical plane of reference.
    (iii) The vehicle may have aerodynamic symmetry in roll.
    (iv) The airframe may have six degrees-of-freedom.
    (v) The aerodynamic forces and moments may be functions of mach 
number and may be linear with small flow incidence angles of attack.
    (3) A launch operator must tabulate the geodetic latitude and 
longitude of the launch vehicle's nominal drag impact point as a 
function of trajectory time and the final nominal drag impact point 
of each planned impacting stage or component.
    (e) Methodology for determining maximum downrange drag impact 
points. A launch operator must compute the maximum possible 
downrange drag impact point for each launch vehicle stage and 
impacting component. A launch operator must use the nominal drag 
impact point methodology, as defined by paragraph (d) of this 
section, modified to optimize the unguided suborbital launch 
vehicle's performance and flight profile to create the conditions 
for a maximum downrange drag impact point, including fuel exhaustion 
for each stage and impacting component.
    (f) Methodology for computing drag impact point dispersions. A 
launch operator must employ the steps in paragraphs (f)(1)-(f)(3) of 
this section when determining the dispersions in terms of drag 
impact point distance standard deviations in uprange, downrange, and 
crossrange direction from the nominal drag impact point location for 
each stage and impacting component:
    (1) For each stage of flight, a launch operator must identify 
the plus and minus one-sigma values for each performance error 
parameter identified as required by paragraph (d)(1) of this section 
(i.e., nominal

[[Page 50586]]

value plus one standard deviation and nominal value minus one 
standard deviation). A launch operator must determine the dispersion 
in downrange, uprange, and left and right crossrange for each 
impacting stage and component. A launch operator may either perform 
a Monte Carlo analysis that accounts for the distribution of each 
performance error parameter or determine the dispersion by a root-
sum-square method under paragraph (f)(2) of this section.
    (2) When using a root-sum-square method to determine dispersion, 
a launch operator must determine the deviations for a given stage by 
evaluating the deviations produced in that stage due to the 
performance errors in that stage and all preceding stages of the 
launch vehicle as illustrated in Table C417-1, and by computing the 
square root of the sum of the squares of each deviation caused by 
each performance error parameter's one sigma dispersion for each 
stage in each of the right crossrange, left crossrange, uprange and 
downrange directions. A launch operator must evaluate the 
performance errors for one stage at a time, with the performance of 
all subsequent stages assumed to be nominal. A launch operator's 
root-sum-square method must incorporate the following requirements:
[GRAPHIC] [TIFF OMITTED] TR25AU06.012

    (i) With the 6-DOF trajectory simulation used to determine 
nominal drag impact points as required by paragraph (d) of this 
section, perform a series of trajectory simulation runs for each 
stage and planned ejected debris, such as a fairing, payload, or 
other component, and, for each simulation, model only one 
performance error parameter set to either its plus or minus one-
sigma value. For a given simulation run, set all other performance 
error parameters to their nominal values. Continue until achieving a 
trajectory simulation run for each plus one-sigma performance error 
parameter value and each minus one-sigma performance error parameter 
value for the stage or the planned ejected debris being evaluated. 
For each trajectory simulation run and for each impact being 
evaluated, tabulate the downrange, uprange, left crossrange, and 
right crossrange drag impact point distance deviations measured from 
the nominal drag impact point location for that stage or planned 
debris.
    (ii) For uprange, downrange, right crossrange, and left 
crossrange, compute the square root of the sum of the squares of the 
distance deviations in each direction. The square root of the sum of 
the squares distance value for each direction represents the one-
sigma drag impact point dispersion in that direction. For a multiple 
stage rocket, perform the first stage series of simulation runs with 
all subsequent stage performance error parameters set to their 
nominal value. Tabulate the uprange, downrange, right crossrange, 
and left crossrange distance deviations from the nominal impact for 
each subsequent drag impact point location caused by the first stage 
one-sigma performance error parameter. Use these deviations in 
determining the total drag impact point dispersions for the 
subsequent stage impacts as described in paragraph (f)(2)(iii) of 
this section.
    (iii) For each subsequent stage impact of an unguided suborbital 
launch vehicle, determine the one-sigma impact dispersions by first 
determining the one-sigma distance deviations for that stage impact 
caused by each preceding stage as described in paragraph (f)(2)(ii) 
of this section. Then perform a series of simulation runs and 
tabulate the uprange, downrange, right crossrange, and left 
crossrange drag impact point distance deviations as described in 
paragraph (f)(2)(i) of this section for that stage's one-sigma 
performance error parameter values with the preceding stage 
performance parameters set to nominal

[[Page 50587]]

values. For each uprange, downrange, right crossrange, and left 
crossrange direction, compute the square root of the sum of the 
squares of the stage impact distance deviations due to that stage's 
and each preceding stage's one-sigma performance error parameter 
values. This square root of the sum of the squares distance value 
for each direction represents the total one-sigma drag impact point 
dispersion in that direction for the nominal drag impact point 
location of that stage. Use these deviations when determining the 
total drag impact point dispersions for the subsequent stage 
impacts.
    (3) A launch operator must determine a three-sigma dispersion 
area for each impacting stage or component as an ellipse that is 
centered at the nominal drag impact point location and has semi-
major and semi-minor axes along the uprange, downrange, left 
crossrange, and right crossrange axes. The length of each axis must 
be three times as large as the total one-sigma drag impact point 
dispersions in each direction.
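The root-sum-square procedure of paragraphs (f)(2)(i) through (iii) and the three-sigma area of paragraph (f)(3), worked through as an added example that is not part of the rule text. The run data, the kilometer units, the sign convention (positive downrange and right crossrange), and the treatment of the area as four quarter-ellipses joined along the range and crossrange axes are assumptions made for illustration; conversion of the boundary to geodetic latitude and longitude is not shown.

```python
import math

DIRECTIONS = ("downrange", "uprange", "right", "left")

# Constructed sample data (not from the rule). Each row is one 6-DOF run in
# which a single performance error parameter of `perturbed_stage` is set to
# +1 or -1 sigma and everything else is nominal. The deviations are the drag
# impact point offsets of `impact_stage` from its nominal impact point, in km.
# Sign convention (assumed): +range = downrange, +cross = right crossrange.
# (perturbed_stage, parameter, sigma_sign, impact_stage, d_range, d_cross)
RUNS = [
    (1, "thrust", +1, 1, 3.0, 0.0),
    (1, "thrust", -1, 1, -3.0, 0.0),
    (1, "weight", +1, 1, -4.0, 0.0),
    (1, "weight", -1, 1, 4.0, 0.0),
    (1, "launcher azimuth", +1, 1, 0.0, 1.2),
    (1, "launcher azimuth", -1, 1, 0.0, -1.2),
    # Effect of the same first-stage errors on the second-stage impact,
    # with all second-stage parameters nominal, per (f)(2)(ii).
    (1, "thrust", +1, 2, 6.0, 0.0),
    (1, "thrust", -1, 2, -6.0, 0.0),
    (1, "weight", +1, 2, -8.0, 0.0),
    (1, "weight", -1, 2, 8.0, 0.0),
    (1, "launcher azimuth", +1, 2, 0.0, 5.0),
    (1, "launcher azimuth", -1, 2, 0.0, -5.0),
    # Second-stage errors with first-stage parameters nominal, per (f)(2)(iii).
    (2, "thrust", +1, 2, 24.0, 0.0),
    (2, "thrust", -1, 2, -7.5, 0.0),
    (2, "thrust misalignment", +1, 2, 0.0, 12.0),
    (2, "thrust misalignment", -1, 2, 0.0, -12.0),
]


def one_sigma_dispersion(runs, impact_stage):
    """Total one-sigma drag impact point dispersion per direction.

    Sums the squares of every tabulated deviation of `impact_stage` caused by
    that stage's and each preceding stage's one-sigma parameter values, then
    takes the square root separately in each of the four directions.
    """
    sums = dict.fromkeys(DIRECTIONS, 0.0)
    for src_stage, _param, _sign, imp_stage, d_range, d_cross in runs:
        # Only this impact, and only errors from this or an earlier stage.
        if imp_stage != impact_stage or src_stage > impact_stage:
            continue
        range_dir = "downrange" if d_range >= 0 else "uprange"
        cross_dir = "right" if d_cross >= 0 else "left"
        sums[range_dir] += d_range ** 2
        sums[cross_dir] += d_cross ** 2
    return {d: math.sqrt(total) for d, total in sums.items()}


def three_sigma_boundary(one_sigma, n_points=20):
    """Boundary of the three-sigma area in local (range, crossrange) km.

    Each half-axis is three times the one-sigma dispersion in its direction.
    Points are offsets from the nominal drag impact point, rounded to four
    decimals; at least 20 points are produced.
    """
    if n_points < 20:
        raise ValueError("a dispersion area needs at least 20 boundary points")
    axes = {d: 3.0 * s for d, s in one_sigma.items()}
    points = []
    for k in range(n_points):
        theta = 2.0 * math.pi * k / n_points
        c, s = math.cos(theta), math.sin(theta)
        a = axes["downrange"] if c >= 0 else axes["uprange"]
        b = axes["right"] if s >= 0 else axes["left"]
        points.append((round(a * c, 4), round(b * s, 4)))
    return points


if __name__ == "__main__":
    for stage in (1, 2):
        sigma = one_sigma_dispersion(RUNS, stage)
        print(f"stage {stage} one-sigma (km):", sigma)
        print(f"stage {stage} three-sigma axes (km):",
              {d: 3.0 * v for d, v in sigma.items()})
```

The second-stage result is larger than the second-stage-only runs would give because the first-stage deviations carried forward to the second-stage impact enter the same sum of squares.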
    (g) Trajectory analysis products for a suborbital launch 
vehicle. A launch operator must file the following products of a 
trajectory analysis for an unguided suborbital launch vehicle with 
the FAA as required by Sec.  417.203(e):
    (1) A description of the process that the launch operator used 
for performing the trajectory analysis, including the number of 
simulation runs and the process for any Monte Carlo analysis 
performed.
    (2) A description of all assumptions and procedures the launch 
operator used in deriving each of the performance error parameters 
and their standard deviations.
    (3) Launch point origin data: name, geodetic latitude (+N), 
longitude (+E), geodetic height, and launch azimuth measured 
clockwise from true north.
    (4) Name of reference ellipsoid Earth model used. If a launch 
operator employs a reference ellipsoid Earth model other than WGS-
84, Department of Defense World Geodetic System, Military Standard 
2401 (Jan. 11, 1994), the launch operator must identify the semi-
major axis, semi-minor axis, eccentricity, flattening parameter, 
gravitational parameter, rotation angular velocity, gravitational 
harmonic constants (e.g., J2, J3, J4), and mass of Earth.
    (5) If a launch operator converts latitude and longitude 
coordinates between different ellipsoidal Earth models to complete a 
trajectory analysis, the launch operator must file the equations for 
geodetic datum conversions and a sample calculation for converting 
the geodetic latitude and longitude coordinates between the models 
employed.
    (6) A launch operator must file tabular data that lists each 
performance error parameter used in the trajectory computations and 
each performance error parameter's plus and minus one-sigma values. 
If the launch operator employs a Monte Carlo analysis method for 
determining the dispersions about the nominal drag impact point, the 
tabular data must list the total one-sigma drag impact point 
distance deviations in each direction for each impacting stage and 
component. If the launch operator employs the square root of the sum 
of the squares method of paragraph (f)(2) of this section, the 
tabular data must include the one-sigma drag impact point distance 
deviations in each direction due to each one-sigma performance error 
parameter value for each impacting stage and component.
    (7) A launch operator must file a graphical depiction showing 
geographical landmasses and the nominal and maximum range 
trajectories from liftoff until impact of the final stage. The 
graphical depiction must plot trajectory points in time intervals of 
no greater than one second during thrusting flight and for times 
corresponding to ignition, thrust termination or burnout, and 
separation of each stage or impacting body. If there are less than 
four seconds between stage separation or other jettison events, a 
launch operator must reduce the time intervals between plotted 
trajectory points to 0.2 seconds or less. The graphical depiction 
must show total launch vehicle velocity as a function of time, 
present-position ground-range as a function of time, altitude above 
the reference ellipsoid as a function of time, and the static 
stability margin as a function of time.
    (8) A launch operator must file tabular data that describes the 
nominal and maximum range trajectories from liftoff until impact of 
the final stage. The tabular data must include the time after 
liftoff, altitude above the reference ellipsoid, present position 
ground range, and total launch vehicle velocity for ignition, 
burnout, separation, booster apogee, and booster impact of each 
stage or impacting body. The launch operator must file the tabular 
data for the same time intervals required by paragraph (g)(7) of 
this section.
    (9) A launch operator must file a graphical depiction showing 
all geographical landmasses and the unguided suborbital launch 
vehicle's drag impact point for the nominal trajectory, the maximum 
impact range boundary, and the three-sigma drag impact point 
dispersion area for each impacting stage or component. The graphical 
depiction must show the following in relationship to each other: The 
nominal trajectory, a circle whose radius represents the range to 
the farthest downrange impact point that results from the maximum 
range trajectory, and the three-sigma drag impact point dispersions 
for each impacting stage and component.
    (10) A launch operator must file tabular data that describes the 
nominal trajectory, the maximum impact range boundary, and each 
three-sigma drag impact point dispersion area. The tabular data must 
include the geodetic latitude (positive north of the equator) and 
longitude (positive east of the Greenwich Meridian) of each point 
describing the nominal drag impact point positions, the maximum 
range circle, and each three-sigma impact dispersion area boundary. 
Each three-sigma dispersion area must be described by no less than 
20 coordinate pairs. All coordinates must be rounded to the fourth 
decimal point.

C417.5 Wind weighting analysis.

    (a) General. As part of a wind weighting safety system, a launch 
operator must perform a wind weighting analysis to determine 
launcher azimuth and elevation settings that correct for the 
windcocking and wind-drift effects on an unguided suborbital launch 
vehicle due to forecasted winds in the airspace region of flight. A 
launch operator's wind weighting safety system and its operation 
must comply with Sec.  417.125(c). The launch azimuth and elevation 
settings resulting from a launch operator's wind weighting analysis 
must produce a trajectory, under actual wind conditions, that 
results in a final stage drag impact point that is the same as the 
final stage's nominal drag impact point determined according to 
section C417.3(d).
    (b) Wind weighting analysis constraints.
    (1) A launch operator's wind weighting analysis must:
    (i) Account for the winds in the airspace region through which 
the rocket will fly. A launch operator's wind weighting safety 
system must include an operational method of determining the wind 
direction and wind magnitude at all altitudes that the rocket will 
reach up to the maximum altitude defined by dispersion analysis as 
required by section C417.3.
    (ii) Account for all errors due to the methods used to measure 
the winds in the airspace region of the launch, delay associated 
with wind measurement, and the method used to model the effects of 
winds. The resulting sum of these error components must be no 
greater than those used as the wind error dispersion parameter in 
the launch vehicle trajectory analysis performed as required by 
section C417.3.
    (iii) Account for the dispersion of all impacting debris, 
including any uncorrected wind error accounted for in the trajectory 
analysis performed as required by section C417.3.
    (iv) Establish flight commit criteria that are a function of the 
analysis and operational methods employed and reflect the maximum 
wind velocities and wind variability for which the results of the 
wind weighting analysis are valid.
    (v) Account for the wind effects during each thrusting phase of 
an unguided suborbital launch vehicle's flight and each ballistic 
phase of each rocket stage and component until burnout of the last 
stage.
    (vi) Determine the impact point location for any parachute 
recovery of a stage or component or the launch operator must perform 
a wind drift analysis to determine the parachute impact point 
location.
    (2) A launch operator must perform a wind weighting analysis 
using a six-degrees-of-freedom (6-DOF) trajectory simulation that 
targets an impact point using an iterative process. The 6-DOF 
simulation must account for launch day wind direction and wind 
magnitude as a function of altitude.
    (3) A launch operator must perform a wind weighting analysis 
using a computer program or other method of editing wind data, 
recording the time the data was obtained, and recording the balloon 
number or identification of any other measurement device used for 
each wind altitude layer.
    (c) Methodology for performing a wind weighting analysis. A 
launch operator's method for performing a wind weighting analysis on 
the day of flight must account for the following:

[[Page 50588]]

    (1) A launch operator must measure the winds on the day of 
flight to determine wind velocity and direction. A launch operator's 
process for measuring winds must provide wind data that is 
consistent with any assumptions made in the launch operator's 
trajectory and drag impact point dispersion analysis, as required by 
section C417.3, regarding the actual wind data available on the day 
of flight. Wind measurements must be made at altitude increments 
such that the maximum correction between any two measurements does 
not exceed 5%. Winds must be measured from the ground level at the 
launch point to a maximum altitude that is consistent with the 
launch operator's drag impact point dispersion analysis. The maximum 
wind measurement altitude must be that necessary to account for 99% 
of the wind effect on the impact dispersion point. A launch 
operator's wind measuring process must employ the use of balloons 
and radar tracking or balloons fitted with a Global Positioning 
System transceiver, and must account for the following:
    (i) Measure winds from ground level to an altitude of at least 
that necessary to account for 99% of the wind effect on the impact 
dispersion point within six hours before flight and after any 
weather front passes the launch site before liftoff. Repeat a wind 
measurement up to the maximum altitude whenever a wind measurement, 
for any given altitude, from a later balloon release is not 
consistent with a wind measurement, for the same altitude, from an 
earlier balloon release.
    (ii) Measure winds from ground level to an altitude of at least 
that necessary to account for 95% of the wind effect on the impact 
dispersion point within four hours before flight and after any 
weather front passes the launch site before liftoff. Repeat a wind 
measurement to the 95% wind effect altitude whenever a wind 
measurement, for any given altitude, from a later lower altitude 
balloon release is not consistent with the wind measurement, for the 
same altitude, from the 95% wind effect altitude balloon release.
    (iii) Measure winds from ground level to an altitude of no less 
than that necessary to account for 80% of the wind effect on the 
impact dispersion point twice within 30 minutes of liftoff. Use the 
first measurement to set launcher azimuth and elevation, and the 
second measurement to verify the first measurement data.
    (2) A launch operator must perform runs of the 6-DOF trajectory 
simulation using the flight day measured winds as input and 
targeting for the nominal final stage drag impact point. In an 
iterative process, vary the launcher elevation angle and azimuth 
angle settings for each simulation run until the nominal final stage 
impact point is achieved. The launch operator must use the resulting 
launcher elevation angle and azimuth angle settings to correct for 
the flight day winds. The launch operator must not initiate flight 
unless the launcher elevation angle and azimuth angle settings after 
wind weighting are in accordance with the following:
    (i) The launcher elevation angle setting resulting from the wind 
weighting analysis must not exceed 5° from the 
nominal launcher elevation angle setting and must not exceed a total 
of 86° for a proven launch vehicle, and 84° for an unproven 
launch vehicle. A launch operator's nominal launcher elevation angle 
setting must be as required by Sec.  417.125(c)(3).
    (ii) The launcher azimuth angle setting resulting from the wind 
weighting analysis must not exceed +30° from the nominal 
launcher azimuth angle setting unless the launch operator 
demonstrates clearly and convincingly, through the licensing 
process, that its unguided suborbital launch vehicle has a low 
sensitivity to high wind speeds, and the launch operator's wind 
weighting analysis and wind measuring process provide an equivalent 
level of safety.
    (3) Using the trajectory produced in paragraph (c)(2) of this 
section, for each intermediate stage and planned ejected component, 
a launch operator must compute the impact point that results from 
wind drift by performing a run of the 6-DOF trajectory simulation 
with the launcher angles determined in paragraph (c)(2) of this 
section and the flight day winds from liftoff until the burnout time 
or ejection time of the stage or ejected component. The resulting 
impact point(s) must be accounted for when performing flight day 
ship-hit operations defined in section B417.11(c).
    (4) If a parachute is used for any stage or component, a launch 
operator must determine the wind drifted impact point of the stage 
or component using a trajectory simulation that incorporates 
modeling for the change in aerodynamics at parachute ejection. 
Perform this simulation run in addition to any simulation of spent 
stages without parachutes.
    (5) A launch operator must verify that the launcher elevation 
angle and azimuth angle settings at the time of liftoff are the same 
as required by the wind weighting analysis.
    (6) A launch operator must monitor and verify that any wind 
variations and maximum wind limits at the time of liftoff are within 
the flight commit criteria established according to Sec.  
417.113(c).
    (7) A launch operator must generate output data from its wind 
weighting analysis for each impacting stage or component in printed, 
plotted, or computer medium format. This data must include:
    (i) Launch day wind measurement data, including magnitude and 
direction.
    (ii) The results of each computer run made using the launch day 
wind measurement data, including but not limited to, launcher 
settings, and impact locations for each stage or component.
    (iii) Final launcher settings recorded.
    (d) Wind weighting analysis products. The products of a launch 
operator's wind weighting analysis filed with the FAA as required by 
Sec.  417.203(e) must include the following:
    (1) A launch operator must file a description of its wind 
weighting analysis methods, including its method and schedule of 
determining wind speed and wind direction for each altitude layer.
    (2) A launch operator must file a description of its wind 
weighting safety system and identify all equipment used to perform 
the wind weighting analysis, such as any wind towers, balloons, or 
Global Positioning System wind measurement system employed and the 
type of trajectory simulation employed.
    (3) A launch operator must file a sample wind weighting analysis 
using actual or statistical winds for the launch area and provide 
samples of the output required by paragraph (c)(7) of this section.

C417.7 Debris analysis.

    (a) General. A flight safety analysis must include a debris 
analysis that satisfies the requirements of Sec.  417.211. This 
section applies to the debris data required by Sec.  417.211 and the 
debris analysis products that a launch operator must file with the 
FAA as required by Sec.  417.203(e).
    (b) Debris analysis constraints. A debris analysis must produce 
the debris model described in paragraph (c) of this section. The 
analysis must account for all launch vehicle debris fragments, 
individually or in groupings of fragments called classes. The 
characteristics of each debris fragment represented by a class must 
be similar enough to the characteristics of all the other debris 
fragments represented by that class that all the debris fragments of 
the class can be described by a single set of characteristics. 
Paragraph (c)(10) of this section applies when establishing a debris 
class. A debris model must describe the physical, aerodynamic, and 
harmful characteristics of each debris fragment either individually 
or as a member of a class. A debris model must consist of lists of 
individual debris or debris classes for each cause of breakup and 
any planned jettison of debris, launch vehicle components, or 
payload. A debris analysis must account for:
    (1) Debris due to any malfunction where forces on the launch 
vehicle may exceed the launch vehicle's structural integrity limits.
    (2) The immediate post-breakup or jettison environment of the 
launch vehicle debris, and any change in debris characteristics over 
time from launch vehicle breakup or jettison until debris impact.
    (3) The impact overpressure, fragmentation, and secondary debris 
effects of any confined or unconfined solid propellant chunks and 
fueled components containing either liquid or solid propellants that 
could survive to impact, as a function of vehicle malfunction time.
    (4) The effects of impact of the intact vehicle as a function of 
failure time. The intact impact debris analysis must identify the 
trinitrotoluene (TNT) yield of impact explosions, and the numbers of 
fragments projected from all such explosions, including non-launch 
vehicle ejecta and the blast overpressure radius. The analysis must 
use a model for TNT yield of impact explosion that accounts for the 
propellant weight at impact, the impact speed, the orientation of 
the propellant, and the impacted surface material.
    (c) Debris model. A debris analysis must produce a model of the 
debris resulting from planned jettison and from unplanned breakup of 
a launch vehicle for use as input to other analyses, such as 
establishing hazard areas and performing debris risk and toxic 
analyses. A launch operator's debris model must satisfy the 
following:
    (1) Debris fragments. A debris model must provide the debris 
fragment data required by

[[Page 50589]]

this section for the launch vehicle flight from the planned ignition 
time until thrust termination of the last thrusting stage. A debris 
model must provide debris fragment data for the number of time 
periods sufficient to meet the requirements for smooth and 
continuous contours used to define hazard areas as required by 
appendix B of this part.
    (2) Inert fragments. A debris model must identify all inert 
fragments that are not volatile and that do not burn or explode 
under normal and malfunction conditions. A debris model must 
identify all inert fragments for each breakup time during flight 
corresponding to a critical event when the fragment catalog is 
significantly changed by the event. Critical events include staging, 
payload fairing jettison, and other normal hardware jettison 
activities.
    (3) Explosive and non-explosive propellant fragments. A debris 
model must identify all propellant fragments that are explosive or 
non-explosive upon impact. The debris model must describe each 
propellant fragment as a function of time, from the time of breakup 
through ballistic free-fall to impact. The debris model must 
describe the characteristics of each fragment, including its origin 
on the launch vehicle, representative dimensions and weight at the 
time of breakup and at the time of impact. For any fragment 
identified as an un-contained or contained propellant fragment, 
whether explosive or non-explosive, the debris model must identify 
whether or not it burns during free fall, and provide the 
consumption rate during free fall. The debris model must identify:
    (i) Solid propellant that is exposed directly to the atmosphere 
and that burns but does not explode upon impact as ``un-contained 
non-explosive solid propellant.''
    (ii) Solid or liquid propellant that is enclosed in a container, 
such as a motor case or pressure vessel, and that burns but does not 
explode upon impact as ``contained non-explosive propellant.''
    (iii) Solid or liquid propellant that is enclosed in a 
container, such as a motor case or pressure vessel, and that 
explodes upon impact as ``contained explosive propellant fragment.''
    (iv) Solid propellant that is exposed directly to the atmosphere 
and that explodes upon impact as ``un-contained explosive solid 
propellant fragment.''
    (4) Other non-inert debris fragments. In addition to the 
explosive and flammable fragments identified under paragraph (c)(3) 
of this section, a debris model must identify any other non-inert 
debris fragments, such as toxic or radioactive fragments, that 
present any other hazards to the public.
    (5) Fragment weight. At each modeled breakup time, the 
individual fragment weights must approximately add up to the sum 
total weight of inert material in the vehicle and the weight of 
contained liquid propellants and solid propellants that are not 
consumed in the initial breakup or conflagration.
    (6) Fragment imparted velocity. A debris model must identify the 
maximum velocity imparted to each fragment due to potential 
explosion or pressure rupture. When accounting for imparted 
velocity, a debris model must:
    (i) Use a Maxwellian distribution with the specified maximum 
value equal to the 97th percentile; or
    (ii) Identify the distribution, and state whether or not the 
specified maximum value is a fixed value with no uncertainty.
    (7) Fragment projected area. A debris model must include each of 
the axial, transverse, and mean tumbling areas of each fragment. If 
the fragment may stabilize under normal or malfunction conditions, 
the debris model must also provide the projected area normal to the 
drag force.
    (8) Fragment ballistic coefficient. A debris model must include 
the axial, transverse, and tumble orientation ballistic coefficient 
for each fragment's projected area as required by paragraph (c)(7) 
of this section.
    (9) Debris fragment count. A debris model must include the total 
number of each type of fragment required by paragraphs (c)(2), 
(c)(3), and (c)(4) of this section and created by a malfunction.
    (10) Fragment classes. A debris model must categorize 
malfunction debris fragments into classes where the characteristics 
of the mean fragment in each class conservatively represent every 
fragment in the class. The model must define fragment classes for 
fragments whose characteristics are similar enough to be described 
and treated by a single average set of characteristics. A debris 
class must categorize debris by each of the following 
characteristics, and may include any other useful characteristics:
    (i) The type of fragment, defined by paragraphs (c)(2), (c)(3), 
and (c)(4) of this section. All fragments within a class must be the 
same type, such as inert or explosive.
    (ii) Debris subsonic ballistic coefficient (β_sub). The 
difference between the smallest log10(β_sub) value and the largest 
log10(β_sub) value in a class must not exceed 0.5, except for 
fragments with β_sub less than or equal to three. Fragments with 
β_sub less than or equal to three may be grouped within a class.
    (iii) Breakup-imparted velocity (ΔV). A debris model must 
categorize fragments as a function of the range of ΔV for the 
fragments within a class and the class's median subsonic ballistic 
coefficient. For each class, the debris model must keep the ratio of 
the maximum breakup-imparted velocity (ΔV_max) to minimum 
breakup-imparted velocity (ΔV_min) within the following bound:
[GRAPHIC] [TIFF OMITTED] TR25AU06.107

Where:

β'_sub is the median subsonic ballistic coefficient 
for the fragments in a class.
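The class constraints of paragraphs (c)(10)(i) and (ii), applied to a fragment list, as an added example that is not part of the rule text. The fragment names and ballistic coefficient values are constructed, the greedy binning is one possible way to form classes, and the reading that the 0.5 spread limit is waived only when every fragment in a class has a subsonic ballistic coefficient of three or less is an assumption. The velocity ratio bound of paragraph (c)(10)(iii) is not checked.

```python
import math
from itertools import groupby

LOG_SPREAD_LIMIT = 0.5   # max log10(beta_sub) spread within a class
LOW_BETA = 3.0           # fragments at or below this may share one class

# Constructed sample fragment list: (name, fragment type, beta_sub).
FRAGMENTS = [
    ("insulation flake", "inert", 0.5),
    ("skin panel", "inert", 2.8),
    ("bracket", "inert", 4.0),
    ("fairing section", "inert", 9.0),
    ("fin", "inert", 12.0),
    ("interstage ring", "inert", 40.0),
    ("nozzle segment", "inert", 100.0),
    ("motor case dome", "inert", 350.0),
    ("propellant chunk A", "contained explosive propellant", 60.0),
    ("propellant chunk B", "contained explosive propellant", 150.0),
    ("loaded motor segment", "contained explosive propellant", 700.0),
]


def build_classes(fragments):
    """Group fragments into classes of one type with a bounded beta spread.

    Within each fragment type, fragments with beta_sub <= LOW_BETA form one
    class. The rest are taken in ascending beta_sub order and a new class is
    started whenever adding the next fragment would push the log10 spread of
    the current class past LOG_SPREAD_LIMIT.
    """
    classes = []
    ordered = sorted(fragments, key=lambda f: (f[1], f[2]))
    for _ftype, group in groupby(ordered, key=lambda f: f[1]):
        group = list(group)
        low = [f for f in group if f[2] <= LOW_BETA]
        if low:
            classes.append(low)
        current = []
        for frag in (f for f in group if f[2] > LOW_BETA):
            if current:
                spread = math.log10(frag[2]) - math.log10(current[0][2])
                if spread > LOG_SPREAD_LIMIT:
                    classes.append(current)
                    current = []
            current.append(frag)
        if current:
            classes.append(current)
    return classes


def class_violations(fragment_class):
    """Return a list of constraint violations for one proposed class."""
    problems = []
    if len({f[1] for f in fragment_class}) > 1:
        problems.append("mixed fragment types")
    betas = [f[2] for f in fragment_class]
    if any(b <= 0 for b in betas):
        problems.append("non-positive ballistic coefficient")
        return problems
    if max(betas) > LOW_BETA:
        spread = math.log10(max(betas)) - math.log10(min(betas))
        if spread > LOG_SPREAD_LIMIT:
            problems.append(f"log10 spread {spread:.3f} exceeds 0.5")
    return problems


if __name__ == "__main__":
    for cls in build_classes(FRAGMENTS):
        betas = [f[2] for f in cls]
        print(cls[0][1], min(betas), max(betas), class_violations(cls))
```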

    (d) Debris analysis products. The products of a debris analysis 
that a launch operator must file with the FAA as required by Sec.  
417.203(e) must include:
    (1) Debris model. The launch operator's debris model that 
satisfies the requirements of this section.
    (2) Fragment description. A description of the fragments 
contained in the launch operator's debris model. The description 
must identify the fragment as a launch vehicle part or component, 
describe its shape, representative dimensions, and may include 
drawings of the fragment.
    (3) Intact impact TNT yield. For an intact impact of a launch 
vehicle, for each failure time, a launch operator must identify the 
TNT yield of each impact explosion and blast overpressure hazard 
radius.
    (4) Fragment class data. The class name, the range of values for 
each parameter used to categorize fragments within a fragment class, 
and the number of fragments in any fragment class established as 
required by paragraph (c)(10) of this section.
    (5) Ballistic coefficient. The mean ballistic coefficient 
(β) and plus and minus three-sigma values of the β for 
each fragment class. A launch operator must provide graphs of the 
coefficient of drag (Cd) as a function of Mach number for 
the nominal and three-sigma β variations for each fragment 
shape. The launch operator must label each graph with the shape 
represented by the curve and reference area used to develop the 
curve. A launch operator must provide a Cd vs. Mach curve 
for any axial, transverse, and tumble orientations for any fragment 
that will not stabilize during free-fall conditions. For any 
fragment that may stabilize during free-fall, a launch operator must 
provide Cd vs. Mach curves for the stability angle of 
attack. If the angle of attack where the fragment stabilizes is 
other than zero degrees, a launch operator must provide both the 
coefficient of lift (CL) vs. Mach number and the 
Cd vs. Mach number curves. The launch operator must 
provide the equations for each Cd vs. Mach curve.
    (6) Pre-flight propellant weight. The initial preflight weight 
of solid and liquid propellant for each launch vehicle component 
that contains solid or liquid propellant.
    (7) Normal propellant consumption. The nominal and plus and 
minus three-sigma solid and liquid propellant consumption rate, and 
pre-malfunction consumption rate for each component that contains 
solid or liquid propellant.
    (8) Fragment weight. The mean and plus and minus three-sigma 
weight of each fragment or fragment class.
    (9) Projected area. The mean and plus and minus three-sigma 
axial, transverse, and tumbling areas for each fragment or fragment 
class. This information is not required for those fragment classes 
classified as burning propellant classes under section 
A417.25(b)(8).
    (10) Imparted velocities. The maximum incremental velocity 
imparted to each fragment class created by explosive or overpressure 
loads at breakup. The launch operator must identify the velocity 
distribution as Maxwellian or must define the distribution, 
including whether or not the specified maximum value is a fixed 
value with no uncertainty.
    (11) Fragment type. The fragment type for each fragment 
established as required by paragraphs (c)(2), (c)(3), and (c)(4) of 
this section.
    (12) Origin. The part of the launch vehicle from which each 
fragment originated.
    (13) Burning propellant classes. The propellant consumption rate 
for those fragments that burn during free-fall.
    (14) Contained propellant fragments, explosive or non-explosive. 
For contained

[[Page 50590]]

propellant fragments, whether explosive or non-explosive, a launch 
operator must provide the initial weight of contained propellant and 
the consumption rate during free-fall. The initial weight of the 
propellant in a contained propellant fragment is the weight of the 
propellant before any of the propellant is consumed by normal 
vehicle operation or failure of the launch vehicle.
    (15) Solid propellant fragment snuff-out pressure. The ambient 
pressure and the pressure at the surface of a solid propellant 
fragment, in pounds per square inch, required to sustain a solid 
propellant fragment's combustion during free-fall.
    (16) Other non-inert debris fragments. For each non-inert debris 
fragment identified as required by paragraph (c)(4) of this section, 
a launch operator must describe the diffusion, dispersion, 
deposition, radiation, and other hazard exposure characteristics 
used to determine the effective casualty area required by paragraph 
(c)(9) of this section.
    (17) Residual thrust dispersion. For each thrusting or non-
thrusting stage having residual thrust capability following a launch 
vehicle malfunction, a launch operator must provide either the total 
residual impulse imparted or the full-residual thrust in foot-pounds 
as a function of breakup time. For any stage not capable of thrust 
after a launch vehicle malfunction, a launch operator must provide 
the conditions under which the stage is no longer capable of thrust. 
For each stage that can be ignited as a result of a launch vehicle 
malfunction on a lower stage, a launch operator must identify the 
effects and duration of the potential thrust, and the maximum 
deviation of the instantaneous impact point which can be brought 
about by the thrust.

C417.9 Debris risk.

    (a) General. A launch operator must perform a debris risk 
analysis that satisfies the requirements of Sec.  417.225. This 
section applies to the computation of the average number of 
casualties (Ec) to the collective members of the public 
exposed to inert and explosive debris hazards from the proposed 
flight of an unguided suborbital launch vehicle as required by Sec.  
417.225 and to the analysis products that the launch operator must 
file with the FAA as required by Sec.  417.203(e).
    (b) Debris risk analysis constraints. The following constraints 
apply to debris risk:
    (1) A debris risk analysis must use valid risk analysis models 
that compute Ec as the summation over all trajectory time 
intervals from lift-off through impact of the products of the 
probability of each possible event and the casualty consequences due 
to debris impacts for each possible event.
    (2) A debris risk analysis must account for the following 
populations:
    (i) The overflight of populations located inside any flight 
hazard area.
    (ii) All populations located within five-sigma left and right 
crossrange of a nominal trajectory instantaneous impact point ground 
trace and within five-sigma of each planned nominal debris impact.
    (3) A debris risk analysis must account for both inert and 
explosive debris hazards produced from any impacting debris caused 
by normal and malfunctioning launch vehicle flight. The analysis 
must account for the debris classes determined by the debris 
analysis required by section A417.11. A debris risk analysis must 
account for any inert debris impact with mean expected kinetic 
energy at impact greater than or equal to 11 ft-lbs and peak 
incident overpressure of greater than or equal to 1.0 psi due to any 
explosive debris impact. The analysis must account for all debris 
hazards as a function of flight time.
    (4) A debris risk analysis must account for debris impact points 
and dispersion for each class of debris in accordance with the 
following:
    (i) A debris risk analysis must account for drag corrected 
impact points and dispersions for each class of impacting debris 
resulting from normal and malfunctioning launch vehicle flight as a 
function of trajectory time from lift-off through final impact.
    (ii) The dispersion for each debris class must account for the 
position and velocity state vector dispersions at breakup, the 
variance produced by breakup imparted velocities, the effects of 
winds on both the ascent trajectory state vector at breakup and the 
descending debris piece impact location, the variance produced by 
aerodynamic properties for each debris class, and any other 
dispersion variances.
    (iii) A debris risk analysis must account for the survivability 
of debris fragments that are subject to reentry aerodynamic forces 
or heating. A debris class may be eliminated from the debris risk 
analysis if the launch operator demonstrates that the debris will 
not survive to impact.
    (5) A debris risk analysis must account for launch vehicle 
failure probability. The following constraints apply:
    (i) For flight safety analysis purposes, a failure occurs when a 
vehicle does not complete any phase of normal flight or exhibits the 
potential for the stage or its debris to impact the Earth or reenter 
the atmosphere during the mission or any future mission of similar 
vehicle capability. Also, either a launch incident or launch 
accident constitutes a failure.
    (ii) For a launch vehicle with fewer than 2 flights completed, 
the analysis must use a reference value for the launch vehicle 
failure probability estimate equal to the upper limit of the 60% 
two-sided confidence limits of the binomial distribution for 
outcomes of all previous launches of vehicles developed and launched 
in similar circumstances. The FAA may adjust the failure probability 
estimate to account for the level of experience demonstrated by the 
launch operator and other factors that affect the probability of 
failure. The FAA may adjust the failure probability estimate for the 
second launch based on evidence obtained from the first flight of 
the vehicle.
    (iii) For a launch vehicle with at least 2 flights completed, 
the analysis must use the reference value for the launch vehicle 
failure probability of Table C417-2 based on the outcomes of all 
previous launches of the vehicle. The FAA may adjust the failure 
probability estimate to account for evidence obtained from the 
flight history of the vehicle. Failure probability estimate 
adjustments to the reference value may account for the nature of 
launch outcomes in the flight history of the vehicle, corrective 
actions taken in response to a failure of the vehicle, or other 
vehicle modifications that may affect reliability. The FAA may 
adjust the failure probability estimate to account for the 
demonstrated quality of the engineering approach to launch vehicle 
processing. The analysis must use a final failure estimate within 
the confidence limits of Table C417-2.
    (A) Values listed on the far left of Table C417-2 apply when no 
launch failures are experienced. Values on the far right apply when 
only launch failures are experienced. Values in between apply for 
flight histories that include both failures and successes.
    (B) Reference values in Table C417-2 are shown in bold. The 
reference values are the median values between 60% two-sided 
confidence limits of the binomial distribution. For the special 
cases of zero or N failures in N launch attempts, the reference 
values may also be recognized as the median value between the 80% 
one-sided confidence limit of the binomial distribution and zero or 
one, respectively.
    (C) Upper and lower confidence bounds in Table C417-2 are shown 
directly above and below each reference value. These confidence 
bounds are based on 60% two-sided confidence limits of the binomial 
distribution. For the special cases of zero or N failures in N 
launch attempts, the upper and lower confidence bounds are based on 
the 80% one-sided confidence limit, respectively.
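
    Added example, not part of the rule text: one way to compute the 60% two-sided binomial confidence limits that paragraphs (b)(5)(ii) and (b)(5)(iii) describe, and to check that a final failure estimate lies within them. It assumes the exact (Clopper-Pearson) construction and reads "median value between" the limits as their midpoint; the function names and flight histories are constructed for illustration, and the output is computed here, not copied from Table C417-2.

```python
# Added example (not part of the rule): binomial confidence limits for a
# launch failure probability estimate, following C417.9(b)(5).
# Assumptions: exact (Clopper-Pearson) limits; reference value = midpoint.
from math import comb

CONFIDENCE = 0.60                # two-sided confidence level named in the rule
TAIL = (1.0 - CONFIDENCE) / 2.0  # 0.20 in each tail, i.e. 80% one-sided


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1.0 - p) ** (n - i) for i in range(k + 1))


def _bisect(f, target, increasing):
    """Solve f(p) == target for p in [0, 1], where f is monotone in p."""
    lo, hi = 0.0, 1.0
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if (f(mid) < target) == increasing:
            lo = mid   # root lies above mid
        else:
            hi = mid   # root lies at or below mid
    return (lo + hi) / 2.0


def confidence_limits(failures, launches):
    """Return (lower, upper) limits on the per-launch failure probability."""
    if launches < 1 or not 0 <= failures <= launches:
        raise ValueError("need launches >= 1 and 0 <= failures <= launches")
    if failures == 0:
        lower = 0.0  # special case: bound is zero, upper is 80% one-sided
    else:
        # p at which P(X >= failures) falls to the tail probability
        lower = _bisect(
            lambda p: 1.0 - binom_cdf(failures - 1, launches, p), TAIL, True
        )
    if failures == launches:
        upper = 1.0  # special case: bound is one, lower is 80% one-sided
    else:
        # p at which P(X <= failures) falls to the tail probability
        upper = _bisect(lambda p: binom_cdf(failures, launches, p), TAIL, False)
    return lower, upper


def reference_value(failures, launches):
    """Midpoint of the limits (assumed reading of 'median value between')."""
    lower, upper = confidence_limits(failures, launches)
    return (lower + upper) / 2.0


def estimate_within_limits(estimate, failures, launches):
    """True if a final failure estimate lies inside the confidence limits."""
    lower, upper = confidence_limits(failures, launches)
    return lower <= estimate <= upper


if __name__ == "__main__":
    # Constructed flight histories: (launches, failures)
    for n, k in [(2, 0), (2, 1), (10, 1), (10, 10)]:
        lo, hi = confidence_limits(k, n)
        print(f"{k} failures in {n}: lower={lo:.3f} "
              f"reference={reference_value(k, n):.3f} upper={hi:.3f}")
```
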

[[Page 50591]]

[GRAPHIC] [TIFF OMITTED] TR25AU06.013

    (6) A debris risk analysis must account for the dwell time of 
the instantaneous impact point ground trace over each populated or 
protected area being evaluated.
    (7) A debris risk analysis must account for the three-sigma 
instantaneous impact point trajectory variations in left-crossrange, 
right-crossrange, uprange, and downrange as a function of trajectory 
time, due to launch vehicle performance variations as determined by 
the trajectory analysis performed as required by section C417.3.
    (8) A debris risk analysis must account for the effective 
casualty area as a function of launch vehicle flight time for all 
impacting debris generated from a catastrophic launch vehicle 
malfunction event or a planned impact event. The effective casualty 
area must:
    (i) Account for both payload and vehicle systems and subsystems 
debris;
    (ii) Account for all debris fragments determined as part of a 
launch operator's debris analysis as required by section A417.11;
    (iii) For each explosive debris fragment, account for a 1.0 psi 
blast overpressure radius and the projected debris effects for all 
potentially explosive debris; and
    (iv) For each inert debris fragment, account for bounce, skip, 
slide, and splatter effects; or equal seven times the maximum 
projected area of the fragment.
    (9) A debris risk analysis must account for current population 
density data obtained from a current population database for the 
region being evaluated or by estimating the current population using 
exponential population growth rate equations applied to the most 
current historical data available. The population model must define 
population centers that are similar enough to be described and 
treated as a single average set of characteristics without degrading 
the accuracy of the debris risk estimate.
    (c) Debris risk analysis products. The products of a debris risk 
analysis that a launch operator must file with the FAA must include:
    (1) A debris risk analysis report that provides the analysis 
input data, probabilistic risk determination methods, sample 
computations, and text or graphical charts that characterize the 
public risk to geographical areas for each launch.
    (2) Geographic data showing:
    (i) The launch vehicle nominal, five-sigma left-crossrange and 
five-sigma right-crossrange instantaneous impact point ground 
traces;
    (ii) All exclusion zones relative to the instantaneous impact 
point ground traces; and
    (iii) All populated areas included in the debris risk analysis.
    (3) A discussion of each launch vehicle failure scenario 
accounted for in the analysis and the probability of occurrence, 
which may vary with flight time, for each failure scenario. This 
information must include failure scenarios where a launch vehicle:
    (i) Flies within normal limits until some malfunction causes 
spontaneous breakup; and
    (ii) Experiences malfunction turns.
    (4) A population model applicable to the launch overflight 
regions that contains the following: Region identification, location 
of the center of each population center by geodetic latitude and 
longitude, total area, number of persons in each population center, 
and a description of the shelter characteristics within the 
population center.
    (5) A description of the launch vehicle, including general 
information concerning the nature and purpose of the launch and an 
overview of the launch vehicle, including a scaled diagram of the 
general arrangement and dimensions of the vehicle. A launch 
operator's debris risk analysis products may reference other 
documentation filed with the FAA containing this information. The 
description must include:
    (i) Weights and dimensions of each stage.
    (ii) Weights and dimensions of any booster motors attached.
    (iii) The types of fuel used in each stage and booster.
    (iv) Weights and dimensions of all interstage adapters and 
skirts.
    (v) Payload dimensions, materials, construction, and any payload 
fuel; payload fairing construction, materials, and dimensions; and 
any non-inert components or materials that add to the effective 
casualty area of the debris, such as radioactive or toxic materials 
or high-pressure vessels.
    (6) A typical sequence of events showing times of ignition, 
cutoff, burnout, and jettison of each stage, firing of any ullage 
rockets, and starting and ending times of coast periods and control 
modes.
    (7) The following information for each launch vehicle motor:
    (i) Propellant type and composition;
    (ii) Vacuum thrust profile;
    (iii) Propellant weight and total motor weight as a function of 
time;
    (iv) A description of each nozzle and steering mechanism;

[[Page 50592]]

    (v) For solid rocket motors, internal pressure and average 
propellant thickness, or borehole radius, as a function of time;
    (vi) Burn rate; and
    (vii) Nozzle exit and entrance areas.
    (8) The launch vehicle's launch and failure history, including a 
summary of past vehicle performance. For a new vehicle with little 
or no flight history, a launch operator must provide all known data 
on similar vehicles that include:
    (i) Identification of the launches that have occurred;
    (ii) Launch date, location, and direction of each launch;
    (iii) The number of launches that performed normally;
    (iv) Behavior and impact location of each abnormal experience;
    (v) The time, altitude, and nature of each malfunction; and
    (vi) Descriptions of corrective actions taken, including changes 
in vehicle design, flight termination, and guidance and control 
hardware and software.
    (9) The values of probability of impact (PI) and expected 
casualty (Ec) for each populated area.

C417.11 Collision avoidance.

    (a) General. A flight safety analysis must include a collision 
avoidance analysis that satisfies the requirements of Sec.  417.231. 
This section applies to a launch operator obtaining a collision 
avoidance assessment from United States Strategic Command as 
required by Sec.  417.231 and to the analysis products that the 
launch operator must file with the FAA as required by Sec.  
417.203(e). United States Strategic Command refers to a collision 
avoidance analysis for a space launch as a conjunction on launch 
assessment.
    (b) Analysis not required. A collision avoidance analysis is not 
required if the maximum altitude attainable by the launch operator's 
unguided suborbital launch vehicle is less than the altitude of the 
lowest manned or mannable orbiting object. The maximum altitude 
attainable means an optimized trajectory, assuming 3-sigma maximum 
performance, extended through fuel exhaustion of each stage, to 
achieve a maximum altitude.
    (c) Analysis constraints. A launch operator must satisfy the 
following when obtaining and implementing the results of a collision 
avoidance analysis:
    (1) A launch operator must provide United States Strategic 
Command with the launch window and trajectory data needed to perform 
a collision avoidance analysis for a launch as required by paragraph 
(d) of this section, at least 15 days before the first attempt at 
flight. The FAA will identify a launch operator to United States 
Strategic Command as part of issuing a license and provide a launch 
operator with current United States Strategic Command contact 
information.
    (2) A launch operator must obtain a collision avoidance analysis 
performed by United States Strategic Command 6 hours before the 
beginning of a launch window.
    (3) A launch operator may use a collision avoidance analysis for 
12 hours from the time that United States Strategic Command 
determines the state vectors of the manned or mannable orbiting 
objects. If a launch operator needs an updated collision avoidance 
analysis due to a launch delay, the launch operator must file the 
request with United States Strategic Command at least 12 hours prior 
to the beginning of the new launch window.
    (4) For every 90 minutes, or portion of 90 minutes, that pass 
between the time United States Strategic Command last determined the 
state vectors of the orbiting objects, a launch operator must expand 
each wait in a launch window by subtracting 15 seconds from the 
start of the wait in the launch window and adding 15 seconds to the 
end of the wait in the launch window. A launch operator must 
incorporate all the resulting waits in the launch window into its 
flight commit criteria established as required by Sec.  417.113.
    (d) Information required. A launch operator must prepare a 
collision avoidance analysis worksheet for each launch using a 
standardized format that contains the input data required by this 
paragraph. A launch operator must file the input data with United 
States Strategic Command for the purposes of completing a collision 
avoidance analysis.
    (1) Launch information. A launch operator must file the 
following launch information:
    (i) Mission name. A mnemonic given to the launch vehicle/payload 
combination identifying the launch mission from all others.
    (ii) Segment number. A segment is defined as a launch vehicle 
stage or payload after the thrusting portion of its flight has 
ended. This includes the jettison or deployment of any stage or 
payload. A launch operator must provide a separate worksheet for 
each segment. For each segment, a launch operator must determine the 
``vector at injection'' as defined by paragraph (d)(5) of this 
section. The data must present each segment number as a sequence 
number relative to the total number of segments for a launch, such 
as ``1 of 5.''
    (iii) Launch window. The launch window opening and closing times 
in Greenwich Mean Time (referred to as ZULU time) and the Julian 
dates for each scheduled launch attempt.
    (2) Point of contact. The person or office within a launch 
operator's organization that collects, analyzes, and distributes 
collision avoidance analysis results.
    (3) Collision avoidance analysis results transmission medium. A 
launch operator must identify the transmission medium, such as 
voice, FAX, or e-mail, for receiving results from United States 
Strategic Command.
    (4) Requestor launch operator needs. A launch operator must 
indicate the types of analysis output formats required for 
establishing flight commit criteria for a launch:
    (i) Waits. All the times within the launch window during which 
flight must not be initiated.
    (ii) Windows. All the times within an overall launch window 
during which flight may be initiated.
    (5) Vector at injection. A launch operator must identify the 
vector at injection for each segment. ``Vector at injection'' 
identifies the position and velocity of all orbital or suborbital 
segments after the thrust for a segment has ended.
    (i) Epoch. The epoch time, in Greenwich Mean Time (GMT), of the 
expected launch vehicle liftoff time.
    (ii) Position and velocity. The position coordinates in the EFG 
coordinate system measured in kilometers and the EFG components 
measured in kilometers per second, of each launch vehicle stage or 
payload after any burnout, jettison, or deployment.
    (6) Time of powered flight. The elapsed time in seconds, from 
liftoff to arrival at the launch vehicle vector at injection. The 
input data must include the time of powered flight for each stage or 
jettisoned component measured from liftoff.
    (7) Time span for launch window file (LWF). A launch operator 
must provide the following information regarding its launch window:
    (i) Launch window. The launch window measured in minutes from 
the initial proposed liftoff time.
    (ii) Time of powered flight. The time provided as required by 
paragraph (d)(6) of this section measured in minutes rounded up to 
the nearest integer minute.
    (iii) Screen duration. The time duration, after all thrusting 
periods of flight have ended, that a collision avoidance analysis 
must screen for potential conjunctions with manned or mannable 
orbital objects. Screen duration is measured in minutes.
    (iv) Extra pad. An additional period of time for collision 
avoidance analysis screening to ensure the entire trajectory time is 
screened for potential conjunctions with manned or mannable orbital 
objects. This time must be 10 minutes unless otherwise specified by 
United States Strategic Command.
    (v) Total. The summation total of the time spans provided as 
required by paragraphs (d)(7)(i) through (d)(7)(iv) expressed in 
minutes.
    (8) Screening. A launch operator must select spherical or 
ellipsoidal screening as defined in this paragraph for determining 
any conjunction. The default must be the spherical screening method 
using an avoidance radius of 200 kilometers for manned or mannable 
orbiting objects. If the launch operator requests screening for any 
unmanned or unmannable objects, the default must be the spherical 
screening method using a miss-distance of 25 kilometers.
    (i) Spherical screening. Spherical screening utilizes an impact 
exclusion sphere centered on each orbiting object's center-of-mass 
to determine any conjunction. A launch operator must specify the 
avoidance radius for manned or mannable objects and for any unmanned 
or unmannable objects if the launch operator elects to perform the 
analysis for unmanned or unmannable objects.
    (ii) Ellipsoidal screening. Ellipsoidal screening utilizes an 
impact exclusion ellipsoid of revolution centered on the orbiting 
object's center-of-mass to determine any conjunction. A launch 
operator must provide input in the UVW coordinate system in 
kilometers. The launch operator must

[[Page 50593]]

provide delta-U measured in the radial-track direction, delta-V 
measured in the in-track direction, and delta-W measured in the 
cross-range direction.
    (9) Deliverable schedule/need dates. A launch operator must 
identify the times before flight, referred to as ``L-times,'' for 
which the launch operator requests a collision avoidance analysis.
    (e) Collision avoidance assessment products. A launch operator 
must file its collision avoidance analysis products as required by 
Sec.  417.203(e) and must include the input data required by 
paragraph (d) of this section. A launch operator must incorporate 
the result of the collision avoidance analysis into its flight 
commit criteria established as required by Sec.  417.113.
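
    Added example, not part of the rule text: a sketch of the timing arithmetic in paragraphs (c)(3), (c)(4), (d)(4), and (d)(7) of this section, showing how waits widen with the age of the state vectors and how the remaining open windows and the launch window file total follow. The function names, the `as_of` evaluation time (the rule does not name the end of the interval it measures), and all times are assumptions constructed for illustration.

```python
# Added example (not part of the rule): collision avoidance timing under
# C417.11(c)(3), (c)(4), (d)(4) and (d)(7). All sample values are constructed.
from datetime import datetime, timedelta, timezone
from math import ceil

ANALYSIS_VALIDITY = timedelta(hours=12)   # (c)(3): analysis usable for 12 hours
EXPANSION_PERIOD = timedelta(minutes=90)  # (c)(4): every 90 minutes or portion
EXPANSION_STEP = timedelta(seconds=15)    # (c)(4): applied to each end of a wait
DEFAULT_EXTRA_PAD_MIN = 10                # (d)(7)(iv): default extra pad


def lwf_total_minutes(window_min, powered_flight_s, screen_min,
                      extra_pad_min=DEFAULT_EXTRA_PAD_MIN):
    """(d)(7)(v): total time span for the launch window file, in minutes."""
    powered_min = ceil(powered_flight_s / 60)  # (d)(7)(ii): round up to minute
    return window_min + powered_min + screen_min + extra_pad_min


def expand_waits(waits, vectors_time, as_of):
    """(c)(4): widen each (start, end) wait by 15 s per 90 min of vector age.

    `as_of` is the time at which the age is evaluated (an assumption here).
    """
    age = as_of - vectors_time
    if age < timedelta(0):
        raise ValueError("as_of precedes the state vector determination time")
    if age > ANALYSIS_VALIDITY:
        raise ValueError("analysis older than 12 hours; an update is needed")
    periods = -(-age // EXPANSION_PERIOD)  # ceiling: a portion counts in full
    pad = periods * EXPANSION_STEP
    return [(start - pad, end + pad) for start, end in waits]


def open_windows(window_open, window_close, waits):
    """(d)(4)(ii): times inside the launch window not covered by any wait."""
    windows, cursor = [], window_open
    for start, end in sorted(waits):
        if cursor >= window_close:
            break
        if start > cursor:
            windows.append((cursor, min(start, window_close)))
        cursor = max(cursor, end)  # overlapping expanded waits merge here
    if cursor < window_close:
        windows.append((cursor, window_close))
    return windows


def utc(hour, minute, second=0):
    """Constructed sample day; only the time of day matters in this example."""
    return datetime(2006, 9, 25, hour, minute, second, tzinfo=timezone.utc)


if __name__ == "__main__":
    vectors_time = utc(6, 0)                 # constructed
    window = (utc(12, 0), utc(13, 0))        # constructed
    waits = [(utc(12, 10), utc(12, 12)), (utc(12, 13, 30), utc(12, 15))]
    expanded = expand_waits(waits, vectors_time, as_of=window[0])
    for start, end in open_windows(*window, expanded):
        print("open:", start.time(), "to", end.time())
    print("LWF total (min):", lwf_total_minutes(60, 431, 100))
```
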

Appendix D of Part 417--Flight Termination Systems, Components, 
Installation, and Monitoring

D417.1 General.

    This appendix applies to each flight termination system and the 
components that make up the system for each launch. Section 417.301 
requires that a launch operator's flight safety system include a 
flight termination system that complies with this appendix. Section 
417.301 also contains requirements that apply to a launch operator's 
demonstration of compliance with the requirements of this appendix.

D417.3 Flight termination system functional requirements.

    (a) When a flight safety system terminates the flight of a 
vehicle because it has either violated a flight safety rule as 
defined in Sec.  417.113 or the vehicle inadvertently separates or 
destructs as described in section D417.11, a flight termination 
system must:
    (1) Render each propulsion system that has the capability of 
reaching a populated or other protected area, incapable of 
propulsion, without significant lateral or longitudinal deviation in 
the impact point. This includes each stage and any strap on motor or 
propulsion system that is part of any payload;
    (2) Terminate the flight of any inadvertently or prematurely 
separated propulsion system capable of reaching a populated or other 
protected area;
    (3) Destroy the pressure integrity of any solid propellant 
system to terminate all thrust or ensure that any residual thrust 
causes the propulsion system to tumble without significant lateral 
or longitudinal deviation in the impact point; and
    (4) Disperse any liquid propellant, whether by rupturing the 
propellant tank or other equivalent method, and initiate burning of 
any toxic liquid propellant.
    (b) A flight termination system must not cause any solid or 
liquid propellant to detonate.
    (c) The flight termination of a propulsion system must not 
interfere with the flight termination of any other propulsion 
system.

D417.5 Flight termination system design.

    (a) Reliability prediction. A flight termination system must 
have a predicted reliability of 0.999 at a confidence level of 95 
percent. A launch operator must demonstrate the system's predicted 
reliability by satisfying the requirements for system reliability 
analysis of Sec.  417.309(b).
    (b) Single fault tolerance. A flight termination system, 
including monitoring and checkout circuits, must not have a single 
failure point that would:
    (1) Inhibit functioning of the system during flight; or
    (2) Produce an inadvertent initiation of the system that would 
endanger the public.
    (c) Redundancy. A flight termination system must use redundant 
components that are structurally, electrically, and mechanically 
separated. Each redundant component's mounting on a launch vehicle, 
including location or orientation, must ensure that any failure that 
will damage, destroy or otherwise inhibit the operation of one 
redundant component will not inhibit the operation of the other 
redundant component and will not inhibit functioning of the system. 
Each of the following exceptions applies:
    (1) Any linear shaped charge need not be redundant if it 
initiates at both ends, and the initiation source for one end is not 
the same as the initiation source for the other end; or
    (2) Any passive component such as an antenna or radio frequency 
coupler need not be redundant if it satisfies the requirements of 
this appendix.
    (d) System independence. A flight termination system must 
operate independently of any other launch vehicle system. The 
failure of another launch vehicle system must not inhibit the 
functioning of a flight termination system. A flight termination 
system may share a component with another launch vehicle system, 
only if the launch operator demonstrates that sharing the component 
will not degrade the flight termination system's reliability. A 
flight termination system may share a connection with another system 
if the connection must exist to satisfy a flight termination system 
requirement, such as any connection needed to:
    (1) Accomplish flight termination system arming and safing;
    (2) Provide data to the telemetry system; or
    (3) Accomplish any engine shut-down.
    (e) Performance specifications for components and parts. Each 
flight termination system component and each part that can affect 
the reliability of a flight termination component during flight must 
have written performance specifications that show, and contain the 
details of, how the component or part satisfies the requirements of 
this appendix.
    (f) Ability to test. A flight termination system, including each 
component and associated ground support and monitoring equipment, 
must satisfy the tests required by appendix E of this part.
    (g) Software safety critical functions. The requirements of 
Sec.  417.123 apply to any computing system, software or firmware 
that is associated with a flight termination system and performs a 
software safety critical function as defined in Sec.  417.123.
    (h) Component storage, operating, and service life. Each flight 
termination system component must have a specified storage life, 
operating life, and service life and must satisfy all of the 
following:
    (1) Each component must satisfy all its performance 
specifications when subjected to the full length of its specified 
storage life, operating life, and service life; and
    (2) A component's storage, operating, or service life must not 
expire before flight. A launch operator may extend an ordnance 
component's service life by satisfying the service life extension 
tests of appendix E of this part.
    (i) Consistency of components. A launch operator must ensure 
that each flight component sample is manufactured using parts, 
materials, processes, quality controls, and procedures that are each 
consistent with the manufacture of each qualification test sample.

D417.7 Flight termination system environment survivability.

    (a) General. A flight termination system, including all of its 
components, mounting hardware, cables, and wires, must each satisfy 
all of their performance specifications when subjected to each 
maximum predicted operating and non-operating environment and 
environmental design margin required by this appendix. As an 
alternative to subjecting the flight termination system to the 
maximum predicted environments and margin for each dynamic operating 
environment, such as vibration or shock, a flight termination system 
need only satisfy all its performance specifications when subjected 
to an environmental level greater than the level that would cause 
structural breakup of the launch vehicle.
    (b) Maximum predicted environments. A launch operator must 
determine all maximum predicted non-operating and operating 
environments that a flight termination system, including each 
component, will experience before its safe flight state. This 
determination must be based on analysis, modeling, testing, or 
monitoring. Non-operating and operating environments include 
temperature, vibration, shock, acceleration, acoustic, and other 
environments that apply to a specific launch vehicle and launch 
site, such as humidity, salt fog, dust, fungus, explosive 
atmosphere, and electromagnetic energy. Both of the following apply:
    (1) Each maximum predicted vibration, shock, and thermal 
environment for a flight termination system component must include a 
margin that accounts for the uncertainty due to flight-to-flight 
variability and any analytical uncertainty. For a launch vehicle 
configuration for which there have been fewer than three flights, 
the margin must be no less than plus 3 dB for vibration, plus 4.5 dB 
for shock, and plus and minus 11 °C for thermal range; and
    (2) For a launch vehicle configuration for which there have been 
fewer than three flights, a launch operator must monitor flight 
environments at as many locations within the launch vehicle as 
needed to verify the maximum predicted flight environments for each 
flight termination system component. An exception is that the launch 
operator may obtain empirical shock environment data through ground 
testing. A launch operator must adjust each maximum predicted flight 
environment for any future launch to account for all data obtained 
through monitoring.

[[Page 50594]]

    (c) Thermal environment. A component must satisfy all its 
performance specifications when exposed to preflight and flight 
thermal cycle environments. A thermal cycle must begin with the 
component at ambient temperature. The cycle must continue as the 
component is heated or cooled to achieve the required dwell time at 
one extreme of the required thermal range, then to achieve the 
required dwell time at the other extreme, and then back to ambient 
temperature. Each cycle, including all dwell times, must be 
continuous without interruption by any other period of heating or 
cooling. Paragraphs (c)(2) through (c)(6) of this section identify 
the required thermal range for each component. A thermal cycle must 
include no less than a one-hour dwell time at each temperature 
extreme. The thermal rate of change between the extremes must be no 
less than the maximum predicted thermal rate of change or 1 °C 
per minute, whichever is greater. For an ordnance device, the 
thermal cycle must include no less than a two-hour dwell time at 
each temperature extreme. The thermal rate of change between the 
extremes for an ordnance device must be no less than the maximum 
predicted thermal rate of change or 3 °C per minute, whichever 
is greater.
    (1) Acceptance-number of thermal cycles. For each component, the 
acceptance-number of thermal cycles must be no less than eight 
thermal cycles or 1.5 times the maximum number of thermal cycles 
that the component could experience during launch processing and 
flight, including all launch delays and recycling, rounded up to the 
nearest whole number, whichever is greater.
    (2) Passive components. A passive component must satisfy all its 
performance specifications when subjected to:
    (i) The acceptance-number of thermal cycles from one extreme of 
the maximum predicted thermal range to the other extreme; and
    (ii) Three times the acceptance-number of thermal cycles from 
the lower of -34 °C or the predicted lowest temperature minus 
10 °C, to the higher of 71 °C or the predicted highest 
temperature plus 10 °C.
    (3) Electronic components. An electronic flight termination 
system component, including any component that contains an active 
electronic piece-part such as a microcircuit, transistor, or diode 
must satisfy all its performance specifications when subjected to:
    (i) The sum of ten thermal cycles and the acceptance-number of 
thermal cycles from one extreme of the maximum predicted thermal 
range to the other extreme; and
    (ii) Three times the acceptance-number of thermal cycles from 
the lower of -34 °C or the predicted lowest temperature minus 
10 °C, to the higher of 71 °C or the predicted highest 
temperature plus 10 °C.
    (4) Power source thermal design. A flight termination system 
power source, including any battery, must satisfy all its 
performance specifications when exposed to preflight and flight 
thermal environments. The power source must satisfy the following:
    (i) A silver zinc battery must satisfy all its performance 
specifications when subjected to the acceptance-number of thermal 
cycles from 10 °C lower than the lowest temperature of the 
battery's maximum predicted temperature range to 10 °C higher 
than the highest temperature of the range. An exception is that each 
thermal cycle may range from 5.5 °C lower than the lowest 
temperature of the battery's maximum predicted temperature range to 
10 °C higher than the highest temperature of the range if the 
launch operator monitors the battery's operating temperature on the 
launch vehicle with an accuracy of no less than ±1.5 °C.
    (ii) A nickel cadmium battery must satisfy all its performance 
specifications when subjected to three times the acceptance-number 
of thermal cycles from the lower of -20 °C or the predicted 
lowest temperature minus 10 °C, to the higher of 40 °C or 
the predicted highest temperature plus 10 °C.
    (iii) Any other power source must satisfy all its performance 
specifications when subjected to three times the acceptance-number 
of thermal cycles from 10 °C lower than the lowest temperature 
of the maximum predicted temperature range to 10 °C higher than the 
highest temperature of the range.
    (5) Electro-mechanical safe-and-arm devices with internal 
explosives. A safe-and-arm device must satisfy all its performance 
specifications when subjected to:
    (i) The acceptance-number of thermal cycles from one extreme of 
the maximum predicted thermal range to the other extreme; and
    (ii) Three times the acceptance-number of thermal cycles from 
the lower of -34 °C or the predicted lowest temperature minus 10 
°C, to the higher of 71 °C or the predicted highest 
temperature plus 10 °C.
    (6) Ordnance thermal design. An ordnance device and any 
associated hardware must satisfy all its performance specifications 
when subjected to the acceptance-number of thermal cycles from the 
lower of -54 °C or the predicted lowest temperature minus 10 
°C, to the higher of 71 °C or the predicted highest 
temperature plus 10 °C. Each cycle must include a two-hour dwell 
time at each temperature extreme, and the thermal rate of change 
between the extremes must be no less than the maximum predicted 
thermal rate of change or 3 °C per minute, whichever is greater.
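
The cycle counts and temperature extremes of paragraphs (c)(1) through (c)(6) can be tabulated mechanically when drafting or reviewing a qualification test plan. The Python below is an added example, not part of the rule; the component-kind names are hypothetical, and it assumes the "predicted lowest/highest temperature" is the end of the maximum predicted thermal range.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CycleSet:
    cycles: int     # number of thermal cycles required
    low_c: float    # cold extreme of each cycle, deg C
    high_c: float   # hot extreme of each cycle, deg C


def acceptance_number(max_expected_cycles: int) -> int:
    """(c)(1): greater of eight cycles or 1.5x the maximum expected, rounded up."""
    if max_expected_cycles < 0:
        raise ValueError("cycle count cannot be negative")
    # (3n + 1) // 2 is ceil(1.5 * n) in exact integer arithmetic.
    return max(8, (3 * max_expected_cycles + 1) // 2)


def _margined(low, high, floor_c, ceil_c):
    """Lower of floor_c or (low - 10); higher of ceil_c or (high + 10)."""
    return min(floor_c, low - 10.0), max(ceil_c, high + 10.0)


def qualification_cycles(kind, n_accept, low, high, battery_temp_monitored=False):
    """Return the thermal-cycle sets for one component.

    kind     -- hypothetical label for the component class (assumption)
    n_accept -- acceptance-number of thermal cycles from acceptance_number()
    low/high -- maximum predicted thermal range, deg C
    battery_temp_monitored -- silver zinc only: operating temperature is
        monitored on the vehicle to the accuracy stated in (c)(4)(i)
    """
    if low > high:
        raise ValueError("predicted range is inverted")
    if kind in ("passive", "safe_and_arm"):          # (c)(2) and (c)(5)
        return [CycleSet(n_accept, low, high),
                CycleSet(3 * n_accept, *_margined(low, high, -34.0, 71.0))]
    if kind == "electronic":                         # (c)(3)
        return [CycleSet(n_accept + 10, low, high),
                CycleSet(3 * n_accept, *_margined(low, high, -34.0, 71.0))]
    if kind == "silver_zinc":                        # (c)(4)(i)
        cold_margin = 5.5 if battery_temp_monitored else 10.0
        return [CycleSet(n_accept, low - cold_margin, high + 10.0)]
    if kind == "nickel_cadmium":                     # (c)(4)(ii)
        return [CycleSet(3 * n_accept, *_margined(low, high, -20.0, 40.0))]
    if kind == "other_power_source":                 # (c)(4)(iii)
        return [CycleSet(3 * n_accept, low - 10.0, high + 10.0)]
    if kind == "ordnance":                           # (c)(6)
        return [CycleSet(n_accept, *_margined(low, high, -54.0, 71.0))]
    raise ValueError(f"unknown component kind: {kind}")


def ordnance_ramp_rate(max_predicted_rate_c_per_min: float) -> float:
    """(c)(6): greater of the maximum predicted rate or 3 deg C per minute."""
    return max(3.0, max_predicted_rate_c_per_min)


if __name__ == "__main__":
    # Constructed inputs: 7 expected cycles, predicted range -30 to 65 deg C.
    n = acceptance_number(7)
    for kind in ("passive", "electronic", "nickel_cadmium", "ordnance"):
        print(kind, qualification_cycles(kind, n, -30.0, 65.0))
```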
    (d) Random vibration. A component must satisfy all its 
performance specifications when exposed to a composite vibration 
level profile consisting of the higher of 6 dB above the maximum 
predicted flight random vibration level or a 12.2 Grms workmanship 
screening level, across the 20 Hz to 2000 Hz spectrum of the two 
levels. The component must satisfy all its performance 
specifications when exposed to three times the maximum predicted 
random vibration duration time or three minutes per axis, whichever 
is greater, on each of three mutually perpendicular axes and for all 
frequencies from 20 Hz to 2000 Hz.
    (e) Sinusoidal vibration. A component must satisfy all its 
performance specifications when exposed to 6 dB above the maximum 
predicted flight sinusoidal vibration level. The component must 
satisfy all its performance specifications when exposed to three 
times the maximum predicted sinusoidal vibration duration time on 
each of three mutually perpendicular axes and for all frequencies 
from 50% lower than the predicted lowest frequency to 50% higher 
than the predicted highest frequency. The sweep rate must be no 
greater than one-third the maximum predicted sweep rate on each of 
the three axes.
    (f) Transportation vibration. A component must satisfy all its 
performance specifications when exposed to 6 dB above the maximum 
predicted transportation vibration level to be experienced when the 
component is in the configuration in which it is transported, for 
three times the maximum predicted transportation exposure time. A 
component must also satisfy all its performance specifications when 
exposed to the workmanship screening vibration levels and duration 
required by section E417.9(f).
    (g) Pyrotechnic shock.
    (1) A flight termination system component must satisfy all its 
performance specifications when exposed to the greater of:
    (i) A force of 6 dB above the maximum predicted pyrotechnic 
shock level to be experienced during flight with a shock frequency 
response range from 100 Hz to 10,000 Hz; or
    (ii) The minimum breakup qualification shock levels and 
frequencies required by Table E417.11-2 of appendix E of this part.
    (2) A component must satisfy all its performance specifications 
after it experiences a total of 18 shocks consisting of three shocks 
in each direction, positive and negative, for each of three mutually 
perpendicular axes.
    (h) Transportation shock. A flight termination system component 
must satisfy all its performance specifications after being exposed 
to the maximum predicted shock to be experienced during 
transportation while in the configuration in which it is packed for 
transport.
    (i) Bench handling shock. A flight termination system component 
must satisfy all its performance specifications after being exposed 
to the maximum predicted shock to be experienced during handling in 
its unpacked configuration.
    (j) Acceleration environment. A flight termination system 
component must satisfy all its performance specifications when 
exposed to launch vehicle breakup acceleration levels or twice the 
maximum predicted flight acceleration levels, whichever is greater. 
The component must satisfy all its performance specifications when 
exposed to three times the maximum predicted acceleration duration 
for each of three mutually perpendicular axes.
    (k) Acoustic environment. A flight termination system component 
must satisfy all its performance specifications when exposed to 6 dB 
above the maximum predicted sound pressure level. The component must 
satisfy all its performance specifications when exposed to three 
times the maximum predicted sound pressure duration time or three 
minutes, whichever is greater, for each of three mutually 
perpendicular axes. The frequency must range from 20 Hz to 2000 Hz.
    (l) Other environments. A flight termination system component 
must satisfy all its performance specifications after experiencing 
any other environment that it

[[Page 50595]]

could experience during transportation, storage, preflight 
processing, or preflight system testing. Such environments include 
storage temperature, humidity, salt fog, fine sand, fungus, 
explosive atmosphere, and electromagnetic energy environments.

D417.9 Command destruct system.

    (a) A flight termination system must include a command destruct 
system that is initiated by radio command and satisfies the 
requirements of this section.
    (b) A command destruct system must have its radio frequency 
components on or above the last launch vehicle stage capable of 
reaching a populated or other protected area before the planned safe 
flight state for the launch.
    (c) The initiation of a command destruct system must result in 
accomplishing all the flight termination system functions of section 
D417.3.
    (d) At any point along the nominal trajectory from liftoff until 
no longer required by Sec.  417.107, a command destruct system must 
operate with a radio frequency input signal that has an 
electromagnetic field intensity of 12 dB below the intensity 
provided by the command transmitter system under nominal conditions 
over 95 percent of the radiation sphere surrounding the launch 
vehicle.
    (e) A command destruct system must survive the breakup of the 
launch vehicle until the system accomplishes all its flight 
termination functions or until breakup of the vehicle, including the 
use of any automatic or inadvertent separation destruct system, 
accomplishes the required flight termination.
    (f) A command destruct system must receive and process a valid 
flight termination system arm command before accepting a flight 
termination system destruct command.
    (g) For any liquid propellant, a command destruct system must 
allow a flight safety official to non-destructively shut down any 
thrusting liquid engine by command before destroying the launch 
vehicle.

D417.11 Automatic or inadvertent separation destruct system.

    (a) A flight termination system must include an automatic or 
inadvertent separation destruct system for each stage or strap-on 
motor capable of reaching a protected area before the planned safe 
flight state for each launch if the stage or strap-on motor does not 
possess a complete command destruct system. Any automatic or 
inadvertent separation destruct system must satisfy the requirements 
of this section.
    (b) The initiation of an automatic or inadvertent separation 
destruct system must accomplish all flight termination system 
functions of section D417.3 that apply to the stage or strap-on 
motor on which it is installed.
    (c) An inadvertent separation destruct system must activate when 
it senses any launch vehicle breakup or premature separation of the 
stage or strap-on motor on which the inadvertent separation destruct 
system is located.
    (d) A launch operator must locate an automatic or inadvertent 
separation destruct system so that it will survive launch vehicle 
breakup until the system activates and accomplishes all its flight 
termination functions.
    (e) For any electrically initiated automatic or inadvertent 
separation destruct system, each power source that supplies energy 
to initiate the destruct ordnance must be on the same stage or 
strap-on motor as the system.

D417.13 Flight termination system safing and arming.

    (a) General. A flight termination system must provide for safing 
and arming of all flight termination system ordnance through the use 
of a mechanical barrier or other positive means of interrupting 
power to each of the ordnance firing circuits to prevent inadvertent 
initiation of ordnance.
    (b) Flight termination system arming. A flight termination 
system must provide for each flight termination system ordnance 
initiation device or arming device to be armed and all electronic 
flight termination system components to be turned on before arming 
any launch vehicle or payload propulsion ignition circuits. For a 
launch where propulsive ignition occurs after first motion of the 
launch vehicle, the system must include an ignition interlock that 
prevents the arming of any launch vehicle or payload propulsion 
ignition circuit unless all flight termination system ordnance 
initiation devices and arming devices are armed and all electronic 
flight termination system components are turned on.
    (c) Preflight safing. A flight termination system must provide 
for remote and redundant safing of all flight termination system 
ordnance before flight and during any launch abort or recycle 
operation.
    (d) In-flight safing. Any safing of flight termination system 
ordnance during flight must satisfy all of the following:
    (1) Any onboard launch vehicle hardware or software used to 
automatically safe flight termination system ordnance must be single 
fault tolerant against inadvertent safing. Any automatic safing must 
satisfy all of the following:
    (i) Any automatic safing must occur only when the flight of the 
launch vehicle satisfies the safing criteria for no less than two 
different safing parameters or conditions, such as time of flight, 
propellant depletion, acceleration, or altitude. The safing criteria 
for each different safing parameter or condition must ensure that 
the flight termination system on a stage or strap-on motor can only 
be safed once the stage or strap-on motor attains orbit or can no 
longer reach a populated or other protected area;
    (ii) Any automatic safing must ensure that all flight 
termination system ordnance initiation devices and arming devices 
remain armed and all electronic flight termination system components 
remain powered during flight until the requirements of paragraph 
(d)(1)(i) of this section are satisfied and the system is safed; and
    (iii) If operation of the launch vehicle could result in 
satisfaction of the safing criteria for one of the two safing 
parameters or conditions before normal thrust termination of the 
stage or strap-on motor to which the parameter or condition applies, 
the launch operator must demonstrate that the greatest remaining 
thrust, assuming a three-sigma maximum engine performance, cannot 
result in the stage or strap-on motor reaching a populated or other 
protected area;
    (2) If a radio command safes a flight termination system, the 
command control system used for in-flight safing must be single 
fault tolerant against inadvertent transmission of a safing command 
under Sec.  417.303(d).
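
An added illustration, not part of the rule and not any operator's flight software, of the voting logic that paragraph (d)(1)(i) implies: automatic safing is permitted only when criteria on at least two different parameters are met, so a single faulted sensor cannot safe the ordnance. The parameter names, thresholds, and telemetry frames are constructed for the example.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class SafingCriterion:
    parameter: str    # hypothetical parameter name, e.g. "time_of_flight_s"
    threshold: float  # criterion is met when the reading is >= threshold


def satisfied_parameters(criteria, readings):
    """Return the set of DISTINCT parameters whose safing criterion is met.

    A missing, non-numeric, or non-finite reading never counts as met, so a
    telemetry dropout leaves the system armed.
    """
    met = set()
    for crit in criteria:
        value = readings.get(crit.parameter)
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            continue
        if not math.isfinite(value):
            continue
        if value >= crit.threshold:
            met.add(crit.parameter)
    return met


def automatic_safing_permitted(criteria, readings, required=2):
    """True only when at least `required` different parameters agree."""
    if required < 2:
        raise ValueError("paragraph (d)(1)(i) calls for no less than two parameters")
    return len(satisfied_parameters(criteria, readings)) >= required


def first_safing_frame(criteria, frames):
    """Index of the first frame at which safing is permitted, else None."""
    for index, readings in enumerate(frames):
        if automatic_safing_permitted(criteria, readings):
            return index
    return None


# Constructed criteria. Two checks on the same parameter still count once.
CRITERIA = [
    SafingCriterion("time_of_flight_s", 520.0),
    SafingCriterion("altitude_km", 180.0),
    SafingCriterion("altitude_km", 175.0),
]

# Constructed telemetry frames.
FRAMES = [
    {"time_of_flight_s": 100.0, "altitude_km": 40.0},          # nominal ascent
    {"time_of_flight_s": 101.0, "altitude_km": 9999.0},        # altitude stuck high
    {"time_of_flight_s": 530.0, "altitude_km": float("nan")},  # altitude dropout
    {"time_of_flight_s": 531.0},                               # altitude missing
    {"time_of_flight_s": 532.0, "altitude_km": 185.0},         # two parameters agree
]

if __name__ == "__main__":
    for i, frame in enumerate(FRAMES):
        state = "SAFE PERMITTED" if automatic_safing_permitted(CRITERIA, frame) else "REMAIN ARMED"
        print(i, sorted(satisfied_parameters(CRITERIA, frame)), state)
```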

D417.15 Flight termination system installation.

    (a) A launch operator must establish and implement written 
procedures to ensure that all flight termination system components 
are installed on a launch vehicle according to the qualified flight 
termination system design. The procedures must ensure that:
    (1) The installation of all flight termination system mechanical 
interfaces is complete;
    (2) Installation personnel use calibrated tools to install 
ordnance when a specific standoff distance is necessary to ensure 
that the ordnance has the desired effect on the material it is 
designed to cut or otherwise destroy; and
    (3) Each person involved is qualified for each task that person 
is to perform.
    (b) Flight termination system installation procedures must 
include:
    (1) A description of each task to be performed, each facility to 
be used, and each hazard involved;
    (2) A checklist of tools and equipment required;
    (3) A list of personnel required for performing each task;
    (4) Step-by-step directions written with sufficient detail for a 
qualified person to perform each task;
    (5) Identification of any tolerances that must be met during the 
installation; and
    (6) Steps for inspection of installed flight termination system 
components, including quality assurance oversight procedures.
    (c) The personnel performing a flight termination system 
installation procedure must signify that the procedure is 
accomplished, and record the outcome and any data verifying 
successful installation.

D417.17 Flight termination system monitoring.

    (a) A flight termination system must interface with the launch 
vehicle's telemetry system to provide the data that the flight 
safety system crew needs to evaluate the health and status of the 
flight termination system prior to and during flight.
    (b) The telemetry data must include:
    (1) Signal strength for each command destruct receiver;
    (2) Whether the power to each electronic flight termination 
system component is on or off;
    (3) Status of output commands for each command destruct receiver 
and each automatic or inadvertent separation destruct system;
    (4) Safe or arm status of each safe-and-arm device of sections 
D417.35 and D417.39;
    (5) Voltage for each flight termination system battery;
    (6) Current for each flight termination system battery;

[[Page 50596]]

    (7) Status of any electrical inhibit at the system level that is 
critical to the operation of a flight termination system and is not 
otherwise identified by this appendix;
    (8) Status of any exploding bridgewire firing unit, including 
arm input, power level, firing capacitor charge level, and trigger 
capacitor charge level;
    (9) Temperature of each flight termination system battery, 
whether monitored at each battery or in the immediate vicinity of 
each battery so that each battery's temperature can be derived; and
    (10) Status of each switch used to provide power to a flight 
termination system, including any switch used to change from an 
external power source to an internal power source.

D417.19 Flight termination system electrical components and electronic 
circuitry.

    (a) General. All flight termination system electrical components 
and electronic circuitry must satisfy the requirements of this 
section.
    (b) Electronic piece-parts. Each electronic piece-part that can 
affect the reliability of an electrical component or electronic 
circuitry during flight must satisfy Sec.  417.309(b)(2) of this 
part.
    (c) Over and under input voltage protection. A flight 
termination system component must satisfy all its performance 
specifications and not sustain any damage when subjected to a 
maximum input voltage of no less than the maximum open circuit 
voltage of the component's power source. The component must satisfy 
all its performance specifications and not sustain any damage when 
subjected to a minimum input voltage of no greater than the minimum 
loaded voltage of the component's power source.
    (d) Series-redundant circuit. A flight termination system 
component that uses a series-redundant branch in a firing circuit to 
satisfy the prohibition against a single failure point must possess 
one or more monitoring circuits or test points for verifying the 
integrity of each series-redundant branch after assembly and during 
testing.
    (e) Power control and switching. In the event of an input power 
dropout, a power control or switching circuit, including any solid-
state power transfer switch and arm-and-enable circuit, must not 
change state for 50 milliseconds or more. Any electromechanical, 
solid-state, or relay component used in a flight termination system 
firing circuit must be capable of delivering the maximum firing 
current for no less than 10 times the duration of the intended 
firing pulse.
    (f) Circuit isolation, shielding, and grounding. The circuitry 
of a flight termination system component must be shielded, filtered, 
grounded, or otherwise isolated to preclude any energy sources, 
internal or external to the launch vehicle, such as electromagnetic 
energy, static electricity, or stray electrical currents, from 
causing interference that would inhibit the flight termination 
system from functioning or cause an undesired output of the system. 
An electrical firing circuit must have a single-point ground 
connection directly to the power source only.
    (g) Circuit protection. Any circuit protection provided within a 
flight termination system must satisfy all of the following:
    (1) Electronic circuitry must not contain protection devices, 
such as fuses, except as allowed by paragraph (g)(2) of this 
section. A destruct circuit may employ current limiting resistors;
    (2) Any electronic circuit designed to shut down or disable a 
launch vehicle engine and that interfaces with a launch vehicle 
function must use one or more devices, such as fuses, circuit 
breakers, or limiting resistors, to protect against over-current, 
including any direct short; and
    (3) The design of a flight termination system output circuit 
that interfaces with another launch vehicle circuit must prevent any 
launch vehicle circuit failure from disabling or degrading the 
flight termination system's performance.
    (h) Repetitive functioning. Each circuit, element, component, 
and subsystem of a flight termination system must satisfy all its 
performance specifications when subjected to repetitive functioning 
for five times the expected number of cycles required for all 
acceptance testing, checkout, and operations, including re-tests 
caused by schedule or other delays.
    (i) Watchdog circuits. A flight termination system or component 
must not use a watchdog circuit that automatically shuts down or 
disables circuitry during flight.
    (j) Self-test capability. If a flight termination system 
component uses a microprocessor, the component and the 
microprocessor must perform self-tests, detect errors, and relay the 
results through telemetry during flight to the launch operator. The 
execution of a self-test must not inhibit the intended processing 
function of the unit or cause any output to change.
    (k) Electromagnetic interference protection. The design of a 
flight termination system component must eliminate the possibility 
of the maximum predicted electromagnetic interference emissions or 
susceptibilities, whether conducted or radiated, from affecting the 
component's performance. A component's electromagnetic interference 
susceptibility level must ensure that the component satisfies all 
its performance specifications when subjected to the maximum 
predicted emission levels of all other launch vehicle components and 
external sources to which the component would be exposed.
    (l) Ordnance initiator circuits. An ordnance initiator circuit 
that is part of a flight termination system must satisfy all of the 
following:
    (1) An ordnance initiator circuit must deliver an operating 
current of no less than 150% of the initiator's all-fire 
qualification current level when operating at the lowest battery 
voltage and under the worst case system tolerances allowed by the 
system design limits;
    (2) For a low voltage ordnance initiator with an electro-
explosive device that initiates at less than 50 volts, the 
initiator's circuitry must limit the power at each associated 
electro-explosive device that could be produced by an 
electromagnetic environment to a level at least 20 dB below the pin-
to-pin direct current no-fire power of the electro-explosive device; 
and
    (3) For a high voltage ordnance initiator that initiates 
ordnance at greater than 1,000 volts, the initiator must include 
safe-and-arm plugs that interrupt power to the main initiator's 
charging circuits, such as the trigger and output capacitors. A high 
voltage initiator's circuitry must ensure that the power that could 
be produced at the initiator's command input by an electromagnetic 
environment is no greater than 20 dB below the initiator's firing 
level.

D417.21 Flight termination system monitor circuits.

    (a) Each parameter measurement made by a monitor circuit must 
show the status of the parameter.
    (b) Each monitor circuit must be independent of any firing 
circuit. A monitor, control, or checkout circuit must not share a 
connector with a firing circuit.
    (c) A monitor circuit must not route through a safe-and-arm 
plug.
    (d) Any monitor current in an electro-explosive device system 
firing line must not exceed one-tenth of the no-fire current of the 
electro-explosive device.
    (e) Resolution, accuracy, and data rates for each monitoring 
circuit must provide for detecting whether performance 
specifications are satisfied and detecting any out-of-family 
conditions.

D417.23 Flight termination system ordnance train.

    (a) An ordnance train must consist of all components responsible 
for initiation, transfer, and output of an explosive charge. 
Ordnance train components must include initiators, energy transfer 
lines, boosters, explosive manifolds, and destruct charges.
    (b) The reliability of an ordnance train to initiate ordnance, 
including the ability to propagate a charge across any ordnance 
interface, must be 0.999 at a 95% confidence level.
    (c) The decomposition, cook-off, sublimation, auto-ignition, and 
melting temperatures of all flight termination system ordnance must 
be no less than 30 °C higher than the maximum predicted environmental 
temperature to which the material will be exposed during storage, 
handling, installation, transportation, and flight.
    (d) An ordnance train must include initiation devices that can 
be connected or removed from the destruct charge. The design of an 
ordnance train must provide for easy access to the initiation 
devices.

D417.25 Radio frequency receiving system.

    (a) General. A radio frequency receiving system must include 
each flight termination system antenna, radio frequency coupler, any 
radio frequency cable, or other passive device used to connect a 
flight termination system antenna to a command receiver decoder. The 
system must deliver command control system radio frequency energy 
that satisfies all its performance specifications to each flight 
termination system command receiver

[[Page 50597]]

decoder when subjected to performance degradation caused by command 
control system transmitter variations, launch vehicle flight 
conditions, and flight termination system hardware performance 
variations.
    (b) Sensitivity. A radio frequency receiving system must provide 
command signals to each command receiver decoder at an 
electromagnetic field intensity of no less than 12 dB above the level 
required for reliable receiver operation. The system must satisfy 
the 12-dB margin over 95% of the antenna radiation sphere 
surrounding the launch vehicle and must account for command control 
system radio frequency transmitter characteristics, airborne system 
characteristics including antenna gain, path losses due to plume or 
flame attenuation, and vehicle trajectory. For each launch, the 
system must satisfy the 12-dB margin at any point along the nominal 
trajectory until the planned safe flight state for the launch.
    (c) Antenna. All of the following apply to each flight 
termination system antenna:
    (1) A flight termination system antenna must have a radio 
frequency bandwidth that is no less than two times the total 
combined maximum tolerances of all applicable radio frequency 
performance factors. The performance factors must include frequency 
modulation deviation, command control transmitter inaccuracies, and 
variations in hardware performance during thermal and dynamic 
environments;
    (2) A launch operator must treat any thermal protection used on 
a flight termination system antenna as part of the antenna; and
    (3) A flight termination system antenna must be compatible with 
the command control system transmitting equipment.
    (d) Radio frequency coupler. A flight termination system must 
use a passive radio frequency coupler to combine radio frequency 
signal inputs from each flight termination system antenna and 
distribute the required signal level to each command receiver. A 
radio frequency coupler must satisfy all of the following:
    (1) A radio frequency coupler must prevent any single point 
failure in one redundant command receiver or antenna from affecting 
any other redundant command receiver or antenna by providing 
isolation between each port. An open or short circuit in one 
redundant command destruct receiver or antenna path must not prevent 
the functioning of the other command destruct receiver or antenna 
path;
    (2) Each input port must be isolated from all other input ports;
    (3) Each output port must be isolated from all other output 
ports; and
    (4) A radio frequency coupler must provide for a radio frequency 
bandwidth that exceeds two times the total combined maximum 
tolerances of all applicable radio frequency performance factors. 
The performance factors must include frequency modulation deviation 
of multiple tones, command control transmitter inaccuracies, and 
variations in hardware performance during thermal and dynamic 
environments.

D417.27 Electronic components.

    (a) General. The requirements in this section apply to each 
electronic component that contains piece-part circuitry and is part 
of a flight termination system, including each command receiver 
decoder. Each piece-part used in an electronic component must 
satisfy Sec.  417.309(b)(2) of this part.
    (b) Response time. Each electronic component's response time 
must be such that the total flight termination system response time, 
from receipt of a destruct command sequence to initiation of 
destruct output, is less than or equal to the response time used in 
the time delay analysis required by Sec.  417.221.
    (c) Wire and connectors. All wire and connectors used in an 
electronic component must satisfy section D417.31.
    (d) Adjustment. An electronic component must not require any 
adjustment after successful completion of acceptance testing.
    (e) Self-test. The design of an electronic component that uses a 
microprocessor must provide for the component to perform a self-
test, detect errors, and relay the results through telemetry during 
flight to the launch operator. The execution of a self-test must not 
inhibit the intended processing function of the unit or cause any 
output to change state.
    (f) Electronic component repetitive functioning. An electronic 
component, including all its circuitry and parts, must satisfy all 
its performance specifications when subjected to repetitive 
functioning for five times the total expected number of cycles 
required for acceptance tests, preflight tests, and flight 
operations, including potential retests due to schedule delays.
    (g) Acquisition of test data. The test requirements of appendix 
E of this part apply to all electronic components. Each electronic 
component must allow for separate component testing and the 
recording of parameters that verify its functional performance, 
including the status of any command output, during testing.
    (h) Warm-up time. The warm-up time that an electronic component 
needs to ensure reliable operation must be no greater than the warm-
up time that is incorporated into the preflight testing of appendix 
E of this part.
    (i) Electronic component circuit protection. An electronic 
component must include circuit protection for power and control 
circuitry, including switching circuitry. The circuit protection 
must ensure that the component satisfies all its performance 
specifications when subjected to launch processing and flight 
environments. An electronic component's circuit protection must 
satisfy all of the following:
    (1) Circuit protection must provide for an electronic component 
to satisfy all its performance specifications when subjected to the 
open circuit voltage of the component's power source for no less 
than twice the expected duration and when subjected to the minimum 
input voltage of the loaded voltage of the power source for no less 
than twice the expected duration;
    (2) In the event of an input power dropout, any control or 
switching circuit critical to the reliable operation of a component, 
including solid-state power transfer switches, must not change state 
for at least 50 milliseconds;
    (3) An electronic component must not use a watchdog circuit that 
automatically shuts down or disables the component during flight;
    (4) An electronic component must satisfy all its performance 
specifications when any of its monitoring circuits or nondestruct 
output ports are subjected to a short circuit or the highest 
positive or negative voltage capable of being supplied by the 
monitor batteries or other power supplies where the voltage lasts 
for no less than five minutes; and
    (5) An electronic component must satisfy all its performance 
specifications when subjected to any undetectable reverse polarity 
voltage that can occur during launch processing for no less than 
five minutes.
    (j) Electromagnetic interference susceptibility. The design of 
an electronic component must eliminate the possibility of 
electromagnetic interference or modulated or unmodulated radio 
frequency emissions from affecting the component's performance. 
These electromagnetic interference and radio frequency environments 
include emissions or susceptibilities, whether conducted or 
radiated.
    (1) The susceptibility level of an electronic component must be 
below the emissions of all other launch vehicle components and 
external transmitters.
    (2) Any electromagnetic emissions from an electronic component 
must not be at a level that would affect the performance of other 
flight termination system components.
    (3) An electronic component must not produce any inadvertent 
command output and must satisfy all its performance specifications 
when subjected to external radio frequency sources and modulation 
schemes to which the component could be subjected prior to and 
during flight.
    (k) Output functions and monitoring. An electronic component 
must provide for all of the following output functions and 
monitoring:
    (1) Each series redundant branch in any firing circuit of an 
electronic component that prevents a single failure point from 
issuing a destruct output must include a monitoring circuit or test 
points that verify the integrity of each redundant branch after 
assembly;
    (2) Any piece-part used in a firing circuit must have the 
capacity to output at least 1.5 times the maximum firing current for 
no less than 10 times the duration of the maximum firing pulse;
    (3) An electronic component's destruct output circuit and all 
its parts must deliver the required output power to the intended 
output load while operating with any input voltage that is within 
the component's input power operational design limits;
    (4) An electronic component must include monitoring circuits 
that provide for monitoring the health and performance of the 
component including the status of any command output; and
    (5) The maximum leakage current through an electronic 
component's destruct output port must:
    (i) Not degrade the performance of downstream circuitry;
    (ii) Be 20 dB lower than the level that could degrade the 
performance of any downstream ordnance initiation system or 
component, such as any electro-explosive device; and
    (iii) Be 20 dB lower than the level that could result in 
inadvertent initiation of any downstream ordnance.

D417.29 Command receiver decoder.

    (a) General. Each command receiver decoder must:
    (1) Receive radio frequency energy from the command control 
system through the radio frequency receiving system and interpret, 
process, and send commands to the flight termination system;
    (2) Be compatible with the command control system transmitting 
equipment;
    (3) Satisfy the requirements of section D417.27 for all 
electronic components;
    (4) Satisfy all its performance specifications and reliably 
process a command signal when subjected to command control system 
transmitting equipment tolerances and flight generated signal 
degradation, including:
    (i) Locally induced radio frequency noise sources;
    (ii) Vehicle plume;
    (iii) The maximum predicted noise-floor;
    (iv) Command transmitter performance variations; and
    (v) Launch vehicle trajectory.
    (b) Tone-based radio frequency processing. Each tone-based 
command receiver decoder must satisfy all of the following for all 
pre-flight and flight environments:
    (1) Decoder channel deviation. A receiver decoder must reliably 
process the intended tone deviated signal at the minimum and maximum 
number of expected tones. The receiver decoder must satisfy all its 
performance specifications when subjected to:
    (i) Plus and minus 3 kHz per tone; or
    (ii) A nominal tone deviation plus twice the maximum and minus 
half the minimum of the total combined tolerances of all applicable 
radio frequency performance factors, whichever range is greater.
    (2) Operational bandwidth.
    (i) The receiver decoder's operational bandwidth must be no less 
than plus and minus 45 kHz and must ensure that the receiver decoder 
satisfies all its performance specifications at:
    (A) Twice the worst-case command control system transmitter 
radio frequency shift;
    (B) Doppler shifts of the carrier center frequency; and
    (C) Shifts in flight hardware center frequency during flight at 
the manufacturer guaranteed receiver sensitivity.
    (ii) The operational bandwidth must account for tone deviation 
and the receiver sensitivity must not vary by more than 3 dB across 
the bandwidth.
    (3) Radio frequency dynamic range. The receiver decoder must 
satisfy all its performance specifications when subjected to the 
variations of the radio frequency input signal level that will occur 
during checkout and flight. The receiver decoder must output all 
commands with input from the radio frequency threshold level up to:
    (i) The maximum radio frequency level that it will experience 
from the command control system transmitter during checkout and 
flight plus a 3-dB margin; or
    (ii) 13 dBm, whichever is greater.
    (4) Capture ratio. For each launch, the receiver decoder's 
design must ensure that no transmitter with less than 80% of the 
power of the command transmitter system for the launch could 
capture or interfere with the receiver decoder.
    (5) Radio frequency level monitor. (i) The receiver decoder must 
include a monitoring circuit that accurately monitors and outputs 
the strength of the radio frequency input signal during flight.
    (ii) The output of the monitor circuit must be directly related 
and proportional to the strength of the radio frequency input signal 
from the threshold level to saturation.
    (iii) The dynamic range of the radio frequency input from 
threshold to saturation must be no less than 50 dB. The monitor 
circuit output amplitude from threshold to saturation must have a 
corresponding range of 18 dB or greater.
    (iv) The monitor output signal level must be compatible with 
vehicle telemetry system interfaces and provide a maximum response 
time of 100 ms.
    (v) The slope of the monitor circuit output must not change 
polarity.
    (6) Radio frequency threshold sensitivity. The receiver 
decoder's threshold sensitivity must satisfy its performance 
specifications and be repeatable within a tolerance of plus and 
minus 3 dB, to demonstrate in-family performance.
    (7) Noise level margin. The receiver decoder's guaranteed input 
sensitivity must be no less than 6 dB higher than the maximum 
predicted noise-floor.
    (8) Voltage standing wave ratio. All radio frequency losses 
within the receiver decoder interface to the antenna system must 
satisfy the 12-dB margin of Sec.  417.9(d) and be repeatable to 
demonstrate in-family performance. The radio frequency receiving 
system and the impedance of the receiver decoder must match.
    (9) Decoder channel bandwidth. The receiver decoder must provide 
for reliable recognition of the command signal when subjected to 
variations in ground transmitter tone frequency and frequency 
modulation deviation variations. The command receiver must satisfy 
all its performance specifications within the specified tone filter 
frequency bandwidth using a frequency modulation tone deviation from 
2 dB to 20 dB above the measured threshold level.
    (10) Tone balance. Any secure receiver decoder must reliably 
decode a valid command with an amplitude imbalance between two tones 
within the same message.
    (11) Message timing. Any secure receiver decoder must function 
reliably when subjected to errors in timing caused by ground 
transmitter tolerances. The receiver decoder must process commands 
at twice the maximum and one-half the minimum timing specification 
of the ground system.
    (12) Check tone. The receiver decoder must decode a tone, such 
as a pilot tone or check tone, which is representative of link and 
command closure and provide a telemetry output indicating whether 
the tone is decoded. The presence or absence of this tone signal 
must have no effect on a command receiver decoder's command 
processing and output capability.
    (c) Inadvertent command output. A command receiver decoder must 
satisfy all of the following to ensure that it does not provide an 
output other than when it receives a valid command.
    (1) Dynamic stability. The receiver decoder must not produce an 
inadvertent output when subjected to a radio frequency input short-
circuit, open-circuit, or changes in input voltage standing wave 
ratio.
    (2) Out of band rejection. The receiver decoder must not degrade 
in performance nor respond when subjected to any out-of-band vehicle 
or ground transmitter source that could be encountered from liftoff 
to the no-longer endanger time. The receiver decoder must not 
respond to frequencies from 10 MHz to 1000 MHz except at the 
receiver specified operational bandwidth. The receiver decoder's 
radio frequency rejection of out of band signals must provide a 
minimum of 60 dB beyond eight times the maximum specified 
operational bandwidth. These frequencies must include all expected 
interfering transmitting sources using a minimum bandwidth of 20% of 
each transmitter center frequency, receiver image frequencies and 
harmonics of the assigned center frequency.
    (3) Decoder channel bandwidth rejection. The receiver decoder 
must distinguish between tones that are capable of inhibiting or 
inadvertently issuing an output command. Each tone filter must not 
respond to another tone outside the specified tone filter frequency 
bandwidth using an FM tone deviation from 2 dB to 20 dB above the 
measured threshold level.
    (4) Adjacent tone decoder channel rejection. The receiver 
decoder must not be inhibited or inadvertently issue an output 
command when subjected to any over-modulation of adjacent tones. The 
tone decoder channels must not respond to adjacent frequency 
modulation-modulated tone channels when they are modulated with a 
minimum of 150% of the expected tone deviation.
    (5) Logic sequence. Each tone sequence used for arm and destruct 
must protect against inadvertent or unintentional destruct actions.
    (6) Destruct sequence. The receiver decoder must provide a 
Destruct command only if preceded by a valid Arm command.
    (7) Receiver abnormal logic. The receiver decoder must not 
respond to any combination of tones or tone pairs other than the 
correct command sequence.
    (8) Noise immunity. The receiver decoder must not respond to a 
frequency modulated white noise radio frequency input that has a 
minimum frequency modulated deviation of 12 dB above the measured 
threshold deviation.
    (9) Tone drop. The receiver decoder must not respond to a valid 
command output when one tone in the sequence is dropped.
    (10) Amplitude modulation rejection. The receiver decoder must 
not respond to any tone or modulated input at 50% and 100% amplitude 
modulated noise when subjected to the maximum pre-flight and flight 
input power levels.
    (11) Decoder channel deviation rejection. The receiver decoder 
must not inadvertently
trigger on frequency modulated noise. The receiver decoder must not 
respond to tone modulations 10 dB below the nominal tone modulation 
or lower.
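
Added illustration, not part of the rule text: a minimal decoder model of the sequence rules in paragraphs (c)(6), (c)(7) and (c)(9) and the check tone rule in paragraph (b)(12) of this section. The tone names, the two-frame command table and the latching of the armed state are assumptions made for the example; the rule specifies none of them.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Hypothetical tone assignments, constructed for this example only.
CHECK_TONE = "CT"
COMMANDS = {
    # Each command is an ordered sequence of frames; a frame is the set of
    # tones present at the same time (here, tone pairs).
    "ARM": (frozenset({"T1", "T5"}), frozenset({"T2", "T5"})),
    "DESTRUCT": (frozenset({"T1", "T2"}), frozenset({"T2", "T5"})),
}


@dataclass
class Result:
    output: Optional[str]  # command output issued, or None for no output
    check_tone: bool       # telemetry flag: check tone decoded in this message


class Decoder:
    """Sequence logic only; RF and tone filter behaviour are out of scope."""

    def __init__(self) -> None:
        # Assumption: a valid Arm latches until the decoder is re-created.
        self.armed = False

    def process(self, frames: Iterable[Iterable[str]]) -> Result:
        received = [frozenset(f) for f in frames]

        # (b)(12): report the check tone in telemetry, then remove it so its
        # presence or absence cannot change command matching.
        check = any(CHECK_TONE in f for f in received)
        stripped = tuple(f - {CHECK_TONE} for f in received)
        stripped = tuple(f for f in stripped if f)

        # (c)(7), (c)(9): only an exact match of the whole ordered sequence
        # counts. A dropped tone, an extra tone or a reordered frame gives
        # no match and therefore no output.
        name = next((n for n, seq in COMMANDS.items() if seq == stripped), None)

        if name == "ARM":
            self.armed = True
            return Result("ARM", check)
        # (c)(6): Destruct is issued only if preceded by a valid Arm.
        if name == "DESTRUCT" and self.armed:
            return Result("DESTRUCT", check)
        return Result(None, check)


def demo() -> list:
    """Run constructed messages through one decoder and collect the outputs."""
    arm = [{"T1", "T5"}, {"T2", "T5"}]
    destruct = [{"T1", "T2"}, {"T2", "T5"}]
    d = Decoder()
    cases = [
        destruct,                              # Destruct before Arm
        [{"T1"}, {"T2", "T5"}],                # Arm with one tone dropped
        arm,                                   # valid Arm
        list(reversed(destruct)),              # frames out of order
        [{"T1", "T2", "T3"}, {"T2", "T5"}],    # extra tone in a frame
        [f | {CHECK_TONE} for f in destruct],  # valid Destruct with check tone
    ]
    return [d.process(c).output for c in cases]


if __name__ == "__main__":
    print(demo())
```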

D417.31 Wiring and connectors.

    (a) All wiring, including any cable and all connectors, that 
interface with any flight termination system component must provide 
for the component, wiring, and connectors to satisfy the 
qualification tests required by appendix E of this part.
    (b) Each connector that interfaces with a flight termination 
system component must protect against electrical dropout and ensure 
electrical continuity as needed to ensure the component satisfies 
all its performance specifications.
    (c) All wiring and connectors must have shielding that ensures 
the flight termination system satisfies all its performance 
specifications and will not experience an inadvertent destruct 
output when subjected to electromagnetic interference levels 20 dB 
greater than the greatest electromagnetic interference induced by 
launch vehicle and launch site systems.
    (d) The dielectric withstanding voltage between mutually 
insulated portions of any component part must provide for the 
component to function at the component's rated voltage and satisfy 
all its performance specifications when subjected to any momentary 
over-potentials that could normally occur, such as due to switching 
or surge.
    (e) The insulation resistance between mutually insulated 
portions of any component must provide for the component to function 
at its rated voltage. Any insulation material must satisfy all its 
performance specifications when subjected to workmanship, heat, 
dirt, oxidation, or loss of volatile material.
    (f) The insulation resistance between wire shields and 
conductors, and between each connector pin must withstand a minimum 
workmanship voltage of at least 1,500 volts, direct current, or 150 
percent of the rated output voltage, whichever is greater.
    (g) If any wiring or connector will experience loads with 
continuous duty cycles of 100 seconds or greater, that wiring or 
connector, including each connector pin, must have a capacity of 
150% of the design load. If any wiring or connector will experience 
loads that last less than 100 seconds, all wiring and insulation 
must provide a design margin greater than the wire insulation 
temperature specification.
    (h) All wiring, including any cable or connector, must satisfy 
all its performance specifications when subjected to the pull force 
required by section E417.9(j) and any additional handling 
environment that the component could experience undetected.
    (i) Redundant circuits that can affect a flight termination 
system's reliability during flight must not share any wiring harness 
or connector with each other.
    (j) For any connector or pin connection that is not functionally 
tested once connected as part of a flight termination system or 
component, the design of the connector or pin connection must 
eliminate the possibility of a bent pin, mismating, or misalignment.
    (k) The design of a flight termination system component must 
prevent undetectable damage or overstress from occurring as the 
result of a bent connector pin. An inadvertent initiation must not 
occur if a bent connector pin:
    (1) Makes unintended contact with another pin;
    (2) Makes unintended contact with the case of the connector or 
component; or
    (3) Produces an open circuit.
    (l) Each connector that can affect a flight termination system 
component's reliability during flight must satisfy the requirements 
of Sec.  417.309(b)(2) of this part.
    (m) All connectors must positively lock to prevent inadvertent 
disconnection during launch vehicle processing and flight.
    (n) The installation of all wiring, including any cable, must 
protect against abrasion and crimping of the wiring.

D417.33 Batteries.

    (a) Capacity. A flight termination system battery must have a 
manufacturer-specified capacity of no less than the sum total amp-
hour and pulse capacity needed for:
    (1) Any self discharge;
    (2) All load and activation checks;
    (3) All launch countdown checks;
    (4) Any potential hold time;
    (5) Any potential number of preflight re-tests due to potential 
schedule delays including the number of potential launch attempts 
that the battery could experience before it would have to be 
replaced;
    (6) Two arm and two destruct command loads at the end of the 
flight; and
    (7) A flight capacity of no less than 150% of the capacity 
needed to support a normal flight from liftoff to the planned safe 
flight state. For a launch vehicle that uses solid propellant, the 
flight capacity must be no less than a 30-minute hang-fire hold 
time.
    (b) Electrical characteristics. A flight termination system 
battery, under all load conditions, including line loss, must have 
all the following electrical characteristics:
    (1) The manufacturer specified minimum voltage must be no less 
than the minimum acceptance test voltage that satisfies the 
electrical component acceptance tests of appendix E of this part. 
For a battery used in a pulse application to fire an electro-
explosive device, the manufacturer specified minimum voltage must be 
no less than the minimum qualification test voltage that satisfies 
the electro-explosive device qualification tests of appendix E of 
this part;
    (2) A battery that provides power to an electro-explosive device 
initiator, including to any initiator fired simultaneously with 
another initiator, must:
    (i) Deliver 150% of each electro-explosive device's all-fire 
current at the qualification test level. The battery must deliver 
the current to each ordnance initiator at the lowest system battery 
voltage;
    (ii) Have a current pulse that lasts ten times longer than the 
duration required to initiate the electro-explosive device or a 
minimum workmanship screening level of 200 milliseconds, whichever 
is greater; and
    (iii) Have a pulse capacity of no less than twice the expected 
number of arm and destruct command sets planned to occur during 
launch vehicle processing, preflight flight termination system end-
to-end tests, plus flight commands including load checks, 
conditioning, and firing of initiators;
    (3) The design of a battery and any activation procedures must 
ensure uniform cell voltage after activation. Activation must 
include any battery conditioning needed to ensure uniform cell 
voltage, such as peroxide removal or nickel cadmium preparation; and
    (4) The design of a battery or the system using the battery must 
protect against undetectable damage to the battery from any reverse 
polarity, shorting, overcharging, thermal runaway, or overpressure.
    (c) Service and storage life. The service and storage life of a 
flight termination system battery must satisfy all of the following:
    (1) A flight termination system battery must have a total 
activated service life that provides for the battery to meet the 
capacity and electrical characteristics required by paragraphs (a) 
and (b) of this section; and
    (2) A flight termination system battery must have a specified 
storage life. The battery must satisfy the activated service life 
requirement of paragraph (c)(1) of this section after experiencing 
its storage life, whether stored in an activated or inactivated 
state.
    (d) Monitoring capability. A battery or the system that uses the 
battery must provide for monitoring the status of the battery 
voltage and current. The monitoring must be sufficient to detect the 
smallest change in voltage or current that would indicate any health 
problem with each battery. Monitoring accuracy must be consistent 
with the minimum and maximum voltage and current limits used for 
launch countdown. The design of a battery that requires heating or 
cooling to sustain performance must provide for monitoring the 
battery's temperature with a resolution of 0.5 °C.
    (e) Battery identification. Each battery must have an attached 
permanent label with the component name, type of construction 
(including chemistry), manufacturer identification, part number, lot 
and serial number, date of manufacture, and storage life.
    (f) Battery temperature control. Any battery heater must ensure 
even temperature regulation of all battery cells.
    (g) Silver zinc batteries. Any silver zinc battery that is part 
of a flight termination system must satisfy all of the following:
    (1) A silver zinc battery must consist of cells assembled from 
electrode plates that are manufactured together and without 
interruption;
    (2) The design of a silver zinc battery must allow activation of 
each individual cell within the battery;
    (3) For any silver zinc battery that may vent electrolyte mist 
as part of normal operations, the battery must satisfy all its 
performance specifications for pin-to-case and pin-to-pin 
resistances after the battery experiences the maximum normal 
venting;
    (4) The design of a silver zinc battery and its cells must allow 
for the qualification, acceptance, and storage life extension 
testing required by appendix E of this part. A launch operator must 
ensure sufficient batteries and cells are available from the same 
lot to accomplish the required testing;
    (5) Each silver zinc battery must have attached, no less than 
one additional cell from the same production lot, with the same lot 
date code, as the cells in the battery for use in cell acceptance 
verification tests. The cell must remain attached to the battery 
from the time of assembly until performance of the acceptance tests 
to ensure that the additional cell is subjected to all the same 
environments as the complete battery;
    (6) The design of a silver zinc battery must permit voltage 
monitoring of each cell during open circuit voltage and load tests 
of the battery; and
    (7) All cell and battery parts and materials and manufacturing 
parts, materials, and processes must undergo configuration control 
that ensures that each cell and battery has repeatable in-family 
performance unless each cell and battery undergoes lot testing that 
demonstrates repeatable in-family performance. The launch operator 
must identify and implement any lot testing that replaces 
configuration control.
    (h) Rechargeable cells and batteries.
    (1) Any rechargeable battery or cell that is part of a flight 
termination system must satisfy all the requirements of this section 
for each charge-discharge cycle.
    (2) With the exception of any silver zinc battery, a 
rechargeable battery must satisfy all its performance specifications 
for five times the number of operating charge and discharge cycles 
expected of the battery throughout its life, including all 
acceptance testing, preflight testing, and flight. A silver zinc 
rechargeable battery must satisfy all its performance specifications 
for each operating charge-discharge cycle expected of the battery 
throughout its life, including all acceptance testing, preflight 
testing, and flight.
    (3) A rechargeable battery must consist of cells from the same 
production lot. For a battery that consists of commercially produced 
nickel cadmium cells, each cell must be from the same production lot 
of no less than three thousand cells that are manufactured without 
interruption.
    (4) The design of a silver zinc or commercial nickel cadmium 
battery and each of its cells must allow for the qualification and 
acceptance tests required by appendix E of this part. A launch 
operator must ensure sufficient batteries and cells are available to 
accomplish the required testing. A launch operator must identify and 
implement design and test requirements for any other type of 
rechargeable battery proposed for use as part of a flight safety 
system.
    (i) Commercial nickel cadmium cells and batteries. Any nickel 
cadmium battery that uses one or more commercially produced nickel 
cadmium cells and is part of a flight termination system must 
satisfy each of the following to demonstrate that each cell or 
battery satisfies all its performance specifications:
    (1) The battery or cell must have repeatable capacity and 
voltage performance. Capacity must be repeatable within one percent 
for each charge and discharge cycle.
    (2) Any battery or cell venting device must ensure that the 
battery or cell does not experience a loss of structural integrity 
or create a hazardous condition when subjected to electrical 
discharge, charging and short-circuit conditions.
    (3) The battery or cell must retain its charge and provide its 
required capacity, including the required capacity margin, from the 
final charge used prior to launch to the planned safe flight state 
during flight at the maximum pre-launch and flight temperature. The 
cell or battery must not self-discharge more than 10% of its fully 
charged capacity after 72 hours at ambient temperature.
    (4) The design of the battery must prevent current leakage from 
pin-to-pin or pin-to-case from creating undesired events or battery 
self-discharge. Pin-to-pin and pin-to-case resistances must be 
repeatable so that measurements of pin-to-pin and pin-to-case 
resistances can establish in-family performance and determine 
whether all battery wiring and connectors are installed according to 
the manufacturer's design specifications.
    (5) The battery or battery case must be sealed to the required 
leak rate and not lose structural integrity or create a hazardous 
condition when subjected to the predicted operating conditions plus 
all required margins including any battery short-circuit. The 
battery or battery case must maintain its structural integrity when 
subjected to no less than 1.5 times the greatest operating pressure 
differential that could occur under qualification testing, 
preflight, or flight conditions.
    (6) Any battery voltage, current, or temperature monitoring 
circuit that is part of the battery must have resolution, accuracy, 
and data rates that allow for detecting whether the performance 
specifications are satisfied and detecting any out-of-family 
conditions.
    (7) Any battery heater circuit, including any thermostat, must 
ensure that all cells are heated uniformly and must allow for 
repeatable battery performance that satisfies all the battery's 
performance specifications. Any heating must ensure that cells are 
not overstressed due to excessive temperature. The thermostat 
tolerances must ensure that the battery remains within its thermal 
design limits.
    (8) The battery or cell must satisfy all its electrical 
performance specifications and be in-family while subjected to all 
pre-flight and flight environments, including hot and cold 
temperature, and all required electrical loads at the beginning, 
middle, and end of its manufacturer specified capacity.

D417.35 Electro-mechanical safe-and-arm devices with an internal 
electro-explosive device.

    (a) This section applies to any electro-mechanical safe-and-arm 
device that has an internal electro-explosive device and is part of 
a flight termination system. A safe-and-arm device must provide for 
safing and arming of the flight termination system ordnance to 
satisfy section D417.13.
    (b) A safe-and-arm device in the arm position must remain in the 
arm position and satisfy all its performance specifications when 
subjected to the design environmental levels determined under 
section D417.7.
    (c) All wiring and connectors used in a safe-and-arm device must 
satisfy section D417.31.
    (d) Each piece-part that is used in the firing circuit of a 
safe-and-arm device and that can affect the reliability of the 
device during flight must satisfy Sec.  417.309(b)(2) of this part.
    (e) A safe-and-arm device's internal electro-explosive device 
must satisfy the requirements for an ordnance initiator of section 
D417.41.
    (f) A safe-and-arm device must not require any adjustment 
throughout its service life.
    (g) A safe-and-arm device's internal electrical firing 
circuitry, such as wiring, connectors, and switch deck contacts, 
must satisfy all its performance specifications when subjected to an 
electrical current pulse with an energy level of no less than 150% 
of the internal electro-explosive device's all-fire energy level for 
10 times as long as the all-fire pulse lasts. A safe-and-arm device 
must deliver this firing pulse to the internal electro-explosive 
device without any dropout that could affect the electro-explosive 
device's performance when subjected to the design environmental 
levels.
    (h) A safe-and-arm device must satisfy all its performance 
specifications after being exposed to the handling drop required by 
section E417.9(k) and any additional transportation, handling, or 
installation environment that the device could experience 
undetected.
    (i) A safe-and-arm device must not initiate and must allow for 
safe disposal after experiencing the abnormal drop required by 
section E417.9(l).
    (j) When a safe-and-arm device's electro-explosive device is 
initiated, the safe-and-arm device's body must not fragment, 
regardless of whether the explosive transfer system is connected or 
not.
    (k) When dual electro-explosive devices are used within a single 
safe-and-arm device, the design must ensure that one electro-
explosive device does not affect the performance of the other 
electro-explosive device.
    (l) A safe-and-arm device must satisfy all its performance 
specifications when subjected to no less than five times the total 
number of safe and arm cycles required for the combination of all 
acceptance tests, preflight tests, and flight operations, including 
an allowance for potential re-tests due to schedule changes.
    (m) The design of a safe-and-arm device must allow for separate 
component testing and recording of parameters that verify its 
functional performance, and the status of any command output during 
the tests required by section E417.25.
    (n) A safe-and-arm device must be environmentally sealed to the 
equivalent of 10^-4 scc/sec of helium at one atmosphere 
differential or the device must provide other means of withstanding 
non-operating environments, such as salt-fog and humidity, 
experienced during storage, transportation and preflight testing.
    (o) The safing of a safe-and-arm device must satisfy all of the 
following:
    (1) While in the safe position, a safe-and-arm device must 
protect each internal electro-explosive device from any condition 
that could degrade the electro-explosive device's performance and 
prevent inadvertent initiation during transportation,
storage, preflight testing, and any preflight fault conditions.
    (2) While in the safe position, a safe-and-arm device's 
electrical input firing circuit must prevent degradation in 
performance or inadvertent initiation of the electro-explosive 
device when the safe-and-arm device is subjected to any external 
energy source, such as static discharge, radio frequency energy, or 
firing voltage.
    (3) While in the safe position, a safe-and-arm device must 
prevent the initiation of its internal electro-explosive device and 
any other ordnance train component, with a reliability of 0.999 at a 
95% confidence level.
    (4) A safe-and-arm device must satisfy all its performance 
specifications when in the safe position and subjected to the 
continuous operational arming voltage required by section 
E417.25(d).
    (5) A safe-and-arm device must not initiate its electro-
explosive device or any other ordnance train component when locked 
in the safe position and subjected to the continuous operational 
arming voltage required by section E417.25(e)(3).
    (6) A safe-and-arm device must have a visual display of its 
status on the device and remote display of the status when the 
device is in the safe position. When transitioning from the arm to 
safe position, the safe indication must not appear unless the 
position of the safe-and-arm device has progressed more than 50% 
beyond the no-fire transition motion.
    (7) A safe-and-arm device must have a remote means of moving its 
rotor or barrier to the safe position from any rotor or barrier 
position.
    (8) A safe-and-arm device must have a manual means of moving its 
rotor or barrier to the safe position.
    (9) A safe-and-arm device must have a safing interlock that 
prevents movement from the safe position to the arm position while 
operational arming current is being applied. The interlock must have 
a means of positively locking into place and must allow for 
verification of proper functioning. The interlock removal design or 
procedure must eliminate the possibility of accidental disconnection 
of the interlock.
    (p) The arming of a safe-and-arm device must satisfy all of the 
following:
    (1) When a safe-and-arm device is in the arm position, all 
ordnance interfaces, such as electro-explosive device, rotor charge, 
and explosive transfer system components must align with one another 
to ensure propagation of the explosive charge with a reliability of 
0.999 at a 95% confidence level;
    (2) When in the arm position, the greatest energy supplied to a 
safe-and-arm device's electro-explosive device from electronic 
circuit leakage and radio frequency energy must be no greater than 
20 dB below the guaranteed no-fire level of the electro-explosive 
device;
    (3) A safe-and-arm device must have a visual display of its 
status on the device and provide for remote display of the status 
when the device is in the arm position. The arm indication must not 
appear unless the safe-and-arm device is armed as required by 
paragraph (o)(1) of this section; and
    (4) A safe-and-arm device must provide for remote arming of the 
device.

D417.37 Exploding bridgewire firing unit.

    (a) General. This section applies to any exploding bridgewire 
firing unit that is part of a flight termination system. An 
exploding bridgewire firing unit must provide for safing and arming 
of the flight termination system ordnance to satisfy section 
D417.13. An exploding bridgewire firing unit must satisfy the 
requirements for electronic components of section D417.29.
    (b) Charging and discharging. An exploding bridgewire firing 
unit must have a remote means of charging and discharging of the 
unit's firing capacitor and an external means of positively 
interrupting the firing capacitor charging voltage.
    (c) Input command processing. An exploding bridgewire firing 
unit's electrical input processing circuitry must satisfy all of the 
following:
    (1) An exploding bridgewire firing unit's input circuitry must 
function, when subjected to the greatest potential electromagnetic 
interference noise environments, without inadvertently triggering;
    (2) In the firing circuit of an exploding bridgewire firing 
unit, all series redundant branches that prevent any single failure 
point from issuing a destruct output must include monitoring 
circuits or test points for verifying the integrity of each 
redundant branch after assembly;
    (3) The unit input trigger circuitry of an exploding bridgewire 
firing unit must maintain a minimum 20 dB margin between the 
threshold trigger level and the worst-case noise environment;
    (4) An exploding bridgewire firing unit must have a minimum 
trigger sensitivity that provides for the unit to fire at 6 dB lower 
in amplitude and one-half the duration of the worst-case trigger 
signal that the unit could receive during flight;
    (5) In the event of a power dropout, any control or switching 
circuit critical to the reliable operation of an exploding 
bridgewire firing unit, including solid-state power transfer 
switches, must not change state for 50 milliseconds or more; and
    (6) An exploding bridgewire firing unit's response time must 
satisfy all its performance specifications for the range of input 
trigger signals from the specified minimum trigger signal amplitude 
and duration to the specified maximum trigger signal amplitude and 
duration.
    (d) High voltage output. An exploding bridgewire firing unit's 
high voltage discharge circuit must satisfy all of the following:
    (1) An exploding bridgewire firing unit must include circuits 
for capacitor charging, bleeding, charge interruption, and 
triggering;
    (2) An exploding bridgewire firing unit must have a single fault 
tolerant capacitor discharge capability;
    (3) An exploding bridgewire firing unit must deliver a voltage 
to the exploding bridgewire that is no less than 50% greater than 
the exploding bridgewire's minimum all-fire voltage, not including 
transmission losses, at the unit's worst-case high and low arming 
voltages;
    (4) The design of an exploding bridgewire firing unit must 
prevent corona and arcing on internal and external high voltage 
circuitry;
    (5) An exploding bridgewire firing unit must satisfy all its 
performance specifications at the worst-case high and low arm 
voltages that could be delivered during flight; and
    (6) Any high energy trigger circuit used to initiate an exploding 
bridgewire firing unit's main firing capacitor must deliver an 
output signal of no less than a 50% voltage margin above the nominal 
voltage threshold level.
    (e) Output monitors. The monitoring circuits of an exploding 
bridgewire firing unit must provide the data for real-time checkout 
and determination of the firing unit's acceptability for flight. The 
monitored data must include the voltage level of all high voltage 
capacitors and the arming power to the firing unit.

D417.39 Ordnance interrupter safe-and-arm device without an electro-
explosive device.

    (a) This section applies to any ordnance interrupter safe-and-
arm device that does not have an internal electro-explosive device 
and is part of a flight termination system. An ordnance interrupter 
must provide for safing and arming of the flight termination system 
ordnance to satisfy section D417.13.
    (b) An ordnance interrupter must remain in the armed position 
and satisfy all its performance specifications when subjected to the 
design environmental levels determined according to section D417.7.
    (c) An ordnance interrupter must not require adjustment 
throughout its service life.
    (d) An ordnance interrupter must satisfy all its performance 
specifications after experiencing any transportation, handling, or 
installation environment that the device could experience 
undetected.
    (e) An ordnance interrupter that uses ordnance rotor leads must 
not initiate and must allow for safe disposal after experiencing the 
worst-case drop and resulting impact that it could experience during 
storage, transportation, or installation.
    (f) An ordnance interrupter must satisfy all of its performance 
specifications when subjected to repetitive functioning for five 
times the expected number of arming cycles required for acceptance 
testing, preflight checkout, and flight operations, including an 
allowance for re-tests due to potential schedule delays.
    (g) An ordnance interrupter must not fragment during ordnance 
initiation.
    (h) The design of a flight termination system must protect an 
ordnance interrupter from conditions that could degrade its 
performance or cause inadvertent initiation during transportation, 
storage, installation, preflight testing, and potential preflight 
fault conditions. Safing of an ordnance interrupter must satisfy all 
of the following:
    (1) While in the safe position, an ordnance interrupter must 
prevent the functioning of an ordnance train with a reliability of 
0.999 at a 95% confidence level;
    (2) When locked in the safe position, an ordnance interrupter 
must prevent initiation of an ordnance train. The ordnance 
interrupter must satisfy all its performance specifications when 
locked in the safe position and subjected to the continuous 
operational arming voltage required by section E417.29(j);
    (3) An ordnance interrupter must not initiate its electro-
explosive device or any other ordnance train component when locked 
in the safe position and subjected to the continuous operational 
arming voltage required by section E417.29(e)(3);
    (4) An ordnance interrupter must have a manual and a remote 
means of safing from any rotor or barrier position;
    (5) An ordnance interrupter must have a visual display of the 
status on the device and provide for remote display of the status 
when the ordnance interrupter is in the safe position; and
    (6) An ordnance interrupter must include a safing interlock that 
prevents the interrupter from moving from the safe position to the 
arm position when subjected to an operational arming current. A 
safing interlock must have a means of positively locking into place 
and a means of verifying proper function of the interlock. A safing 
interlock and any related operation procedure must eliminate the 
possibility of inadvertent disconnection of the interlock.
    (i) Arming of an ordnance interrupter must satisfy all of the 
following:
    (1) An ordnance interrupter is armed when all ordnance 
interfaces, such as a donor explosive transfer system, rotor charge, 
and acceptor explosive transfer system are aligned with one another 
to propagate the explosive charge with a reliability of 0.999 at a 
95% confidence level;
    (2) An ordnance interrupter must have a visual display of the 
status on the device and provide for remote display of the status 
when the ordnance interrupter is in the arm position; and
    (3) An ordnance interrupter must provide for remote arming of 
the interrupter.

D417.41 Ordnance initiators.

    (a) This section applies to any low-voltage electro-explosive 
device that is part of a flight termination system or high-voltage 
exploding bridgewire ordnance initiator that is part of a flight 
termination system. An ordnance initiator must use electrical energy 
to trigger an explosive charge that initiates the flight termination 
system ordnance.
    (b) An ordnance initiator must have a manufacturer-specified 
all-fire energy level. When the all-fire energy level is applied, 
the ordnance initiator must fire with a reliability of no less than 
0.999 at a 95 percent confidence level.
    (c) An ordnance initiator must have a specified no-fire energy 
level. An ordnance initiator must not fire when exposed to 
continuous application of the no-fire energy level, with a 
reliability of no less than 0.999 at a 95 percent confidence level. 
An ordnance initiator must satisfy all its performance 
specifications when subjected to continuous application of the no-
fire energy level.
    (d) The lowest temperature at which an ordnance initiator would 
experience autoignition, sublimation, or melting or in any other way 
experience degradation in performance must be no less than 30 °C 
higher than the highest temperature that the initiator could 
experience prior to or during flight.
    (e) An ordnance initiator must not fire, and must satisfy all 
its performance specifications when subjected to the maximum 
expected electrostatic discharge that it could experience from 
personnel or conductive surfaces. An ordnance initiator must not 
fire, and must satisfy all its performance specifications when 
subjected to workmanship discharges of no less than a 25-kV, 500-pF 
pin-to-pin discharge through a 5-kΩ resistor and a 25-kV, 500-pF 
pin-to-case discharge with no resistor.
    (f) An ordnance initiator must not initiate and must satisfy all 
its performance specifications when exposed to stray electrical 
current that is at a 20-dB margin greater than the greatest stray 
electrical current that the ordnance initiator could experience 
prior to or during flight. When determining the 20-dB margin, a 
launch operator must account for all potential sources of stray 
electrical current, including leakage current from other electronic 
components and radio frequency induced electrical current.
    (g) An ordnance initiator must satisfy all its performance 
specifications after being exposed to the tensile load required by 
section E417.9(j), the handling drop required by section E417.9(k), 
and any additional transportation, handling, or installation 
environment that the device could experience undetected.
    (h) An ordnance initiator must not initiate and must allow for 
safe disposal after experiencing the abnormal drop required by 
section E417.9(l).
    (i) An ordnance initiator must be hermetically sealed to the 
equivalent of 5 x 10^-6 scc/sec of helium at one 
atmosphere pressure differential.
    (j) The insulation resistance between mutually insulated points 
must ensure that an ordnance initiator satisfies all its performance 
specifications when subjected to the greater of twice the maximum 
applied voltage during testing and flight or a workmanship voltage 
of no less than 500 volts. The insulation material must satisfy all 
its performance specifications when exposed to workmanship, heat, 
dirt, oxidation, and any additional expected environment.

D417.43 Exploding bridgewire.

    (a) This section applies to any exploding bridgewire that is 
part of a flight termination system. An exploding bridgewire must 
use high-voltage electrical energy of 50 volts or greater to trigger 
an explosive charge that initiates the flight termination system 
ordnance.
    (b) An exploding bridgewire must satisfy the ordnance initiator 
requirements of section D417.41.
    (c) An exploding bridgewire's electrical circuitry, such as 
connectors, pins, wiring and header assembly, must transmit an all-
fire pulse at a level 50% greater than the lowest exploding 
bridgewire firing unit's operational firing voltage. This must 
include allowances for effects such as corona and arcing of a flight 
configured exploding bridgewire exposed to altitude, thermal vacuum, 
salt-fog, and humidity environments.
    (d) An exploding bridgewire must not fragment during ordnance 
initiation.
    (e) All exploding bridgewire connector pins must withstand the 
tension and compression loads required by section E417.9(j).

D417.45 Percussion-activated device.

    (a) This section applies to any percussion-activated device that 
is part of a flight termination system. A percussion-activated 
device must use mechanical energy to trigger an explosive charge 
that initiates the flight termination system ordnance.
    (b) A percussion-activated device's lanyard pull system must 
have a protective cover or other feature that prevents inadvertent 
pulling of the lanyard.
    (c) A percussion-activated device must not fragment upon 
initiation.
    (d) A percussion-activated device must have a guaranteed no-fire 
pull force of no less than twice the largest inadvertent pull force 
that the device could experience:
    (1) Any time prior to flight that the safing interlock of 
paragraph (o) of this section is not in place; or
    (2) During flight.
    (e) A percussion-activated device must not initiate when pulled 
with its maximum no-fire pull force and then released with a 
reliability of no less than 0.999 at a 95% confidence level.
    (f) A percussion-activated device must have a primer all-fire 
energy level, including spring constant and pull distance that 
ensures initiation, with a reliability of no less than 0.999 at a 
95% confidence level when subjected to preflight and flight 
environments.
    (g) A percussion-activated device must deliver an operational 
impact force to the primer of no less than twice the all-fire energy 
level.
    (h) A percussion-activated device's primer must initiate and 
must satisfy all its performance specifications when subjected to 
two times the operational impact energy or four times the all-fire 
impact energy level.
    (i) A percussion-activated device's reliability must satisfy its 
performance specifications when subjected to a no-fire pull force 
and then released.
    (j) The lowest temperature at which a percussion-activated 
device would experience autoignition, sublimation, or melting, or in 
any other way not satisfy its performance specifications, must be no 
less than 30 °C higher than the highest temperature that the 
percussion-activated device could experience prior to or during 
flight.
    (k) A percussion-activated device must satisfy all its 
performance specifications after experiencing the handling drop 
required by section E417.9(k) and any additional transportation, 
handling, or installation environment that the device could 
experience undetected.
    (l) A percussion-activated device's ordnance must be 
hermetically sealed to the equivalent of 5 x 10^-6 scc/sec 
of helium at one atmosphere differential.
    (m) A percussion-activated device's structural and firing 
components must withstand 500 percent of the largest pull or jerk 
force that the device could experience during breakup of the launch 
vehicle.
    (n) A percussion-activated device must not initiate and must 
allow for safe disposal after experiencing the abnormal drop 
required by section E417.9(l).
    (o) A percussion-activated device must include a safing 
interlock, such as a safing pin, that provides a physical means of 
preventing the percussion-activated device assembly from pulling 
more than 50% of the guaranteed no-fire pull distance. The following 
apply to a safing interlock:
    (1) A safing interlock must positively lock into place and must 
have a means of verifying proper function of the interlock.
    (2) A safing interlock must eliminate the possibility of 
inadvertent disconnection or removal of the interlock should a pre-
load condition exist on the lanyard unless the device provides a 
visual or other means of verifying that there is no load on the 
lanyard.
    (3) A safing interlock, when in place, must prevent initiation 
of the percussion actuated device when subjected to twice the 
greatest possible inadvertent pull force that could be experienced 
during launch processing.

D417.47 Explosive transfer system.

    (a) This section applies to any explosive transfer system that 
is part of a flight termination system. An explosive transfer system 
must transmit an explosive charge from an initiation source, such as 
an ordnance initiator, to other flight termination system ordnance 
such as a destruct charge.
    (b) Ordnance used in an explosive transfer system must consist 
of a secondary explosive. An exception to this is any transition 
component that contains a primary explosive that is fully contained 
within the transition component. Any transition component that 
contains a primary explosive must be no more sensitive to 
inadvertent detonation than a secondary explosive.
    (c) An explosive transfer system, including all donor, acceptor, 
and transition charges and components must transfer an explosive 
charge with a reliability of no less than 0.999 at a 95% confidence 
level.
    (d) An explosive transfer system must satisfy all its 
performance specifications with the smallest bend radius that it is 
subjected to when installed in its flight configuration.
    (e) All explosive transfer connectors must positively lock in 
place and provide for verification of proper connection through 
visual inspection.
    (f) Each explosive transfer system component must satisfy all 
its performance specifications when subjected to the tensile load 
required by section E417.9(j).
    (g) An explosive transfer system must satisfy all its 
performance specifications after experiencing the handling drop 
required by section E417.9(k) and any additional transportation, 
handling, or installation environment that the system could 
experience undetected.
    (h) An explosive transfer system must not initiate and must 
allow for safe disposal after experiencing the abnormal drop 
required by section E417.9(l).
    (i) An explosive transfer system must be hermetically sealed to 
the equivalent of 5 x 10^-6 scc/sec of helium at one 
atmosphere pressure differential.

D417.49 Destruct charge.

    (a) This section applies to any destruct charge that is part of 
a flight termination system. A destruct charge must sever or 
penetrate a launch vehicle component or payload, such as a 
propellant tank or motor casing, to accomplish a flight termination 
function.
    (b) A destruct charge must use a secondary explosive.
    (c) When initiated, a destruct charge acceptor, where 
applicable, or main charge must ensure the transfer of the explosive 
charge with a reliability of 0.999 at a 95% confidence level.
    (d) Initiation of a destruct charge must result in a flight 
termination system action in accordance with the flight termination 
system functional requirements of Sec.  417.303.
    (e) A destruct charge must sever or penetrate 150% of the 
thickness of the material that must be severed or penetrated in 
order for the destruct charge to accomplish its intended flight 
termination function. A destruct charge, when initiated to terminate 
the flight of a launch vehicle, must not detonate any launch vehicle 
or payload propellant.
    (f) Each destruct charge and associated fitting must satisfy all 
its performance specifications when subjected to the tensile load 
required by section E417.9(j).
    (g) A destruct charge must satisfy all its performance 
specifications after experiencing the handling drop required by 
section E417.9(k) and any additional transportation, handling, or 
installation environment that the charge could experience 
undetected.
    (h) A destruct charge must not initiate and must allow for safe 
disposal after experiencing the abnormal drop required by section 
E417.9(l).
    (i) A destruct charge must be hermetically sealed to the 
equivalent of 5 x 10^-6 scc/sec of helium at one 
atmosphere pressure differential.

D417.51 Vibration and shock isolators.

    (a) This section applies to any vibration or shock isolator that 
is part of a flight safety system. A vibration or shock isolator 
must ensure the environmental survivability of a flight termination 
system component by reducing the vibration or shock levels that the 
component experiences during flight.
    (b) A vibration or shock isolator must have repeatable natural 
frequency and resonant amplification parameters when subjected to 
flight environments.
    (c) An isolator must account for all effects that could cause 
variations in repeatability, including acceleration preloads, 
temperature, component mass, and vibration level variations.
    (d) A vibration or shock isolator must satisfy all of its 
performance specifications when subjected to the qualification test 
environments for each component that is mounted on the isolator.
    (e) All components mounted on a vibration or shock isolator must 
withstand the environments introduced by isolator amplification. In 
addition, all component interface hardware, such as connectors, 
cables, and grounding straps, must withstand any added deflection 
introduced by an isolator.

D417.53 Miscellaneous components.

    (a) This section applies to any miscellaneous flight termination 
system component that is not specifically identified by this 
appendix.
    (b) A miscellaneous component must satisfy all its performance 
specifications when subjected to the non-operating and operating 
environments of section D417.3.
    (c) The design of a miscellaneous component must provide for the 
component to be tested in accordance with appendix E of this part.
    (d) A launch operator must identify any additional requirements 
that apply to any new or unique component and demonstrate that those 
requirements ensure the reliability of the component.

Appendix E of Part 417--Flight Termination System Testing and Analysis

E417.1 General.

    (a) Scope and compliance. This appendix contains requirements 
for tests and analyses that apply to all flight termination systems 
and the components that make up each flight termination system. 
Section 417.301 requires that a launch operator's flight safety 
system employ a flight termination system that complies with this 
appendix. Section 417.301 also contains requirements that apply to a 
launch operator's demonstration of compliance with the requirement 
of this appendix. A launch operator must employ on its launch 
vehicle only those flight termination system components that satisfy 
the requirements of this appendix.
    (b) Component tests and analyses. A component must satisfy each 
test or analysis required by any table of this appendix to 
demonstrate that the component satisfies all its performance 
specifications when subjected to non-operating and operating 
environments. A launch operator must identify and implement any 
additional test or analysis for any new technology or any unique 
application of an existing technology.
    (c) Test plans. Each test of a component, subsystem, or system 
must follow a written plan that specifies the test parameters, 
including pass/fail criteria, and a testing sequence that satisfy 
the requirements of this appendix. For any component that is used 
for more than one flight, the test plan must provide for component 
reuse qualification, refurbishment, and acceptance as required by 
section E417.7(g). The test plan must include any alternate 
procedures for testing a component when it is in place on the launch 
vehicle.
    (d) Test failures. If a test of a component results in a 
failure, the component does not satisfy the test requirement. Each 
of the following is a test failure:
    (1) Any component sample that does not satisfy a performance 
specification;
    (2) Any failure to accomplish a test objective;
    (3) Any component sample with a test result that indicates that 
the component is out-of-family when compared to other samples of the 
component, even if the component satisfies other test criteria;
    (4) Any unexpected change in the performance of a component 
sample occurring at any time during testing;
    (5) Any component sample that exhibits any sign that a part is 
stressed beyond its design limit, such as a cracked circuit board, 
bent clamps, worn part, or loose connector or screw, even if the 
component passes the final functional test;
    (6) When component examination shows any defect that could 
adversely affect the component's performance;
    (7) Any discontinuity or dropout in a measured performance 
parameter that could prevent the component from satisfying a 
performance specification;
    (8) Any inadvertent output; or
    (9) Any indication of internal component damage.
    (e) Failure analysis. In the event of a test failure, the test 
item, procedures and equipment must undergo a written failure 
analysis. The failure analysis must identify the cause of the 
failure, the mechanism of the failure, and isolate the failure to 
the smallest replaceable item or items and ensure that there are no 
generic design, workmanship, or process problems with other flight 
components of similar configuration.
    (f) Test tolerances. Each test must apply to the nominal values 
specified by this appendix tolerances that satisfy the following:
    (1) The tolerance of any measurement taken during a functional 
test must provide the accuracy needed to detect any out-of-family or 
out-of-specification anomaly.
    (2) An environmental level, such as for vibration or 
temperature, used to satisfy a component test requirement of this 
appendix must include the environment design margin required by 
appendix D of this part. The environmental level must account for 
any test equipment tolerance to ensure that the component 
experiences the required margin.
    (g) Test equipment. All equipment used during environmental 
testing must provide for the test item to experience the required 
environmental test levels. Any test fixture used to simultaneously 
test multiple component samples must ensure that each component 
sample, at each mounting location on the fixture, experiences each 
required environmental test level. Any difference in a qualification 
or acceptance test fixture or cable must undergo an evaluation to 
ensure that flight hardware is not subjected to stresses greater 
than that which the unit experiences during qualification.
    (h) Rework and repair of components. Components that fail a test 
may undergo rework and repair and must then complete the failed test 
and each remaining test. If a repair requires disassembly of the 
component or soldering operations, the component must repeat any 
test necessary to demonstrate that the repair corrected the original 
anomaly and did not cause other damage. The total number of 
acceptance tests experienced by a repaired component must not exceed 
the environments for which the component is qualified.
    (i) Test and analysis reports. A launch operator must prepare or 
obtain one or more written reports that:
    (1) Describe all flight termination system test results and test 
conditions;
    (2) Describe any analysis performed instead of testing;
    (3) Identify, by serial number or other identification, each 
test result that applies to each system or component;
    (4) Describe any family performance data to be used for 
comparison to any subsequent test of a component or system;
    (5) Describe all performance parameter measurements made during 
component testing for comparison to each previous and subsequent 
test to identify any performance variations that may indicate a 
potential workmanship or other defect that could lead to a failure 
of the component during flight; and
    (6) Identify any test failure or anomaly, including any 
variation from an established performance baseline, with a 
description of the failure or anomaly, each corrective action taken, 
and all results of additional tests.

E417.3 Component test and analysis tables.

    (a) General. This section applies to each test and analysis 
table of this appendix. Each component or system that is identified 
by a table must satisfy each test or analysis identified by the 
table. Each component or system must satisfy a test by undergoing 
and passing the test as described in the paragraph that the table 
lists. In cases where the listed paragraph allows a test or 
analysis, any analysis must satisfy any specific requirement listed 
in the paragraph and must demonstrate one of the following:
    (1) The test environment does not apply to the component;
    (2) The test environment does not degrade the component's 
performance; or
    (3) Another test or combination of tests that the component 
undergoes places equal or greater stress on the component than the 
test in question.
    (b) Test sequence. A component or system must undergo each test 
in the same order as the table identifies the test. A launch 
operator may deviate from the test sequence if the launch operator 
demonstrates that another order will detect any component anomaly 
that could occur during testing.
    (c) Quantity of sample components tested.
    (1) For a new component, each table identifies the quantity of 
component samples that must undergo each test identified by the 
table.
    (2) A launch operator may test fewer samples than the quantity 
identified for a new component if the launch operator demonstrates 
one of the following:
    (i) That the component has experienced comparable environmental 
tests; or
    (ii) The component is similar to a design that has experienced 
comparable environmental tests.
    (3) Any component that a launch operator uses for any comparison 
to a new component must have undergone all the environmental tests 
required for the new component to develop cumulative effects.
    (d) Performance verification tests. Each performance 
verification test identified by any table of this appendix must 
satisfy all of the following:
    (1) Each test must measure one or more of a component or 
system's performance parameters to demonstrate that the component or 
system satisfies all its performance specifications;
    (2) The component must undergo each test:
    (i) Before the component is exposed to each test environment; 
and
    (ii) After the component is exposed to the test environment to 
identify any performance degradation due to the environment; and
    (3) Any electronic component must undergo each performance 
verification test at:
    (i) The lowest operating voltage;
    (ii) Nominal operating voltage; and
    (iii) Highest operating voltage that the component could 
experience during pre-flight and flight operations.
    (e) Abbreviated performance verification tests. Each abbreviated 
performance verification test required by any table of this appendix 
must satisfy all of the following:
    (1) Each test must exercise all of a component's functions that 
are critical to a flight termination system's performance during 
flight:
    (i) while the component is subjected to each test environment; 
or,
    (ii) for short duration environments such as shock, before and 
after each test;
    (2) Each test must measure a sampling of the component's 
critical performance parameters while the component is subjected to 
each test environment to demonstrate that the component satisfies 
all its performance specifications; and
    (3) Any electronic component must undergo each abbreviated 
performance verification test at the component's nominal operating 
voltage.
    (f) Status-of-health tests. Each status-of-health test required 
by any table of this appendix must satisfy all of the following:
    (1) Each test must measure one or more critical performance 
parameter to demonstrate that a component or system satisfies all 
its performance specifications;
    (2) The critical performance parameters must include those 
parameters that act as an indicator of an internal anomaly that a 
functional performance test might not detect; and
    (3) Each test must compare the results to any previous test 
results to identify any degradation in performance.

E417.5 Component examination.

    (a) General. This section applies to each component examination 
identified by any table of this appendix. Each component examination 
must identify any manufacturing defect that the performance tests 
might not detect. The presence of a defect that could adversely 
affect the component's performance constitutes a failure.
    (b) Visual examination. A visual examination must verify that 
good workmanship was employed during manufacture of a component and 
that the component is free of any physical defect that could 
adversely affect performance. A visual examination may include the 
use of optical magnification, mirrors, or specific lighting, such as 
ultraviolet illumination.

[[Page 50605]]

    (c) Dimension measurement. A dimension measurement of a 
component must verify that the component satisfies all its 
dimensional specifications.
    (d) Weight measurement. A weight measurement of a component must 
verify that the component satisfies its weight specification.
    (e) Identification check. An identification check of a component 
must verify that the component has one or more identification tags 
that contain information that allows for configuration control and 
tracing of the component.
    (f) X-ray and N-ray examination. An X-ray or N-ray examination 
of a component must have a resolution that allows detailed 
inspection of the internal parts of the component and must identify 
any internal anomalous condition. The examination must include 
enough photographs, taken from different angles, to allow complete 
coverage of the component's internal parts. When utilized as a 
recurring inspection technique to accept production hardware, the 
examination must use the same set of angles for each sample of a 
component to allow for comparison. A certified technician must 
evaluate X-ray and N-ray photographs.
    (g) Internal inspection. An internal inspection of a component 
must demonstrate that there is no wear or damage, including any 
internal wear or damage, to the component that could adversely 
affect its performance after exposure to any test environment. An 
internal inspection must satisfy all of the following:
    (1) All internal components and subassemblies, such as circuit 
board traces, internal connectors, welds, screws, clamps, electronic 
piece parts, battery cell plates and separators, and mechanical 
subassemblies must undergo examination to satisfy this paragraph 
using an inspection method such as a magnifying lens or radiographic 
inspection;
    (2) For a component that can be disassembled, the component must 
undergo complete disassembly to the point needed to satisfy this 
paragraph; and
    (3) For a component that cannot be disassembled, such as an 
antenna, potted component, or welded structure, the component must 
undergo any special procedures needed to satisfy this paragraph, 
such as depotting the component, cutting the component into cross-
sections, or radiographic inspection.
    (h) Leakage. A leakage test must demonstrate that a component's 
seal satisfies all its performance specifications before and after 
the component is subjected to any test environment as follows:
    (1) The test must have the resolution and sample rate to 
demonstrate that the component's leak rate is no greater than its 
design limit.
    (2) For an electronic component, the test must demonstrate a 
leak rate of no greater than the equivalent of 10^-4 standard cubic 
centimeters/second (scc/sec) of helium.
    (3) For an ordnance component, the test must demonstrate a leak 
rate of no greater than the equivalent of 5 x 10^-6 scc/sec of 
helium.

E417.7 Qualification testing and analysis.

    (a) This section applies to each qualification non-operating and 
operating test or analysis identified by any table of this appendix. 
A qualification test or analysis must demonstrate that a component 
will satisfy all its performance specifications when subjected to 
the design environmental levels required by section D417.7.
    (b) Before a component sample undergoes a qualification 
environmental test, the component sample must pass all the required 
acceptance tests.
    (c) A component must undergo each qualification test in a flight 
representative configuration, with all flight representative 
hardware such as connectors, cables, and any cable clamps, and with 
all attachment hardware, such as dynamic isolators, brackets and 
bolts, as part of that flight representative configuration.
    (d) A component must undergo re-qualification tests if there is 
a change in the design of the component or if the environmental 
levels to which it will be exposed exceed the levels for which the 
component is qualified. A component must undergo re-qualification if 
the manufacturer's location, parts, materials, or processes have 
changed since the previous qualification. A change in the name of 
the manufacturer as a result of a sale does not require re-
qualification if the personnel, factory location or the parts, 
material and processes remain unchanged since the last component 
qualification. The extent of any re-qualification tests must be the 
same as the initial qualification tests except where paragraph (f) 
of this section applies.
    (e) A launch operator must not use for flight any component 
sample that has been subjected to a qualification test environment.
    (f) A launch operator may reduce the testing required to qualify 
or re-qualify a component's design through qualification by 
similarity to tests performed on identical or similar hardware. To 
qualify component ``A'' based on similarity to component ``B'' that 
has already been qualified for use, a launch operator must 
demonstrate that all of the following conditions are satisfied:
    (1) ``B'' must have been qualified through testing, not by 
similarity;
    (2) The environments encountered by ``B'' during its 
qualification or flight history must have been equal to or more 
severe than the qualification environments required for ``A;''
    (3) ``A'' must be a minor variation of ``B.'' The demonstration 
that A is a minor variation of B must account for all of the 
following:
    (i) Any difference in weight, mechanical configuration, thermal 
effects, or dynamic response;
    (ii) Any change in piece-part quality level; and
    (iii) Any addition or subtraction of an electronic piece-part, 
moving part, ceramic or glass part, crystal, magnetic device, or 
power conversion or distribution equipment;
    (4) ``A'' and ``B'' must perform the same functions, with ``A'' 
having equivalent or better capability; and
    (5) The same manufacturer must produce ``A'' and ``B'' in the 
same location using identical tools and manufacturing processes;
    (g) For any flight termination system component used for more 
than one flight, the component qualification tests must demonstrate 
that the component satisfies all its performance specifications when 
subjected to:
    (1) Each qualification test environment; and
    (2) The total number of exposures to each maximum predicted 
environment for the total number of flights.

E417.9 Qualification non-operating environments.

    (a) General. This section applies to each qualification non-
operating environment test or analysis identified by any table of 
this appendix. A qualification non-operating test or analysis must 
demonstrate that a component satisfies all its performance 
specifications when subjected to each maximum predicted non-
operating environment that the component could experience, including 
all storage, transportation, and installation environments.
    (b) Storage temperature. A storage temperature test or analysis 
must demonstrate that a component will satisfy all its performance 
specifications when subjected to the maximum predicted high and low 
temperatures, thermal cycles, and dwell-times at the high and low 
temperatures that the component could experience under storage 
conditions as follows:
    (1) Any storage temperature test must subject the component to 
the range of temperatures from 10 °C lower than the maximum 
predicted storage thermal range to 10 °C higher. The rate of 
change from one thermal extreme to the other must be no less than 
the maximum predicted thermal rate of change. All thermal dwell-
times and thermal cycles must be no less than those of the maximum 
predicted storage environment.
    (2) Any analysis must demonstrate that the qualification 
operating thermal cycle environment is more severe than the storage 
thermal environment by satisfying one of the following:
    (i) The analysis must include thermal fatigue equivalence 
calculations that demonstrate that the large change in temperature 
for a few thermal cycles experienced during flight is a more severe 
environment than the relatively small change in temperature for many 
thermal cycles that would be experienced during storage; or
    (ii) The analysis must demonstrate that the component's 
operating qualification thermal cycle range encompasses -34 °C 
to 71 °C and that any temperature variation that the component 
experiences during storage does not exceed 22 °C.
    (c) High-temperature storage of ordnance. A component may 
undergo a high-temperature storage test to extend the service-life 
of an ordnance component production lot from one year to three or 
five years as permitted by any test table of this appendix. The test 
must demonstrate that each component sample satisfies all its 
performance specifications after being subjected to +71 °C and 
40 to 60 percent relative humidity for no less than 30 days each.

[[Page 50606]]

    (d) Transportation shock. A transportation shock test or 
analysis must demonstrate that a component satisfies all its 
performance specifications after being subjected to the maximum 
predicted transportation induced shock levels that the component 
could experience when transported in its transported configuration. 
Any analysis must demonstrate that the qualification operating shock 
environment is more severe than the transportation shock 
environment.
    (e) Bench handling shock. A bench handling shock test must 
demonstrate that a component satisfies all its performance 
specifications after being subjected to maximum predicted bench 
handling induced shock levels. The test must include, for each 
orientation that could occur during servicing, a drop from the 
maximum predicted handling height onto a representative surface.
    (f) Transportation vibration. A transportation vibration test or 
analysis must demonstrate that a component satisfies all its 
performance specifications after being subjected to a maximum 
predicted transportation-induced vibration level when transported in 
its transportation configuration as follows:
    (1) Any transportation vibration test must subject a component 
to vibration in three mutually perpendicular axes for 60 minutes per 
axis. The test must subject each axis to the following vibration 
profile:
    (i) 0.01500 g^2/Hz at 10 Hz to 40 Hz;
    (ii) 0.01500 g^2/Hz at 40 Hz to 0.00015 g^2/Hz at 500 Hz; and
    (iii) If the component is resonant below 10 Hz, the test 
vibration profile must extend to the lowest resonant frequency.
    (2) Any analysis must demonstrate that the qualification 
operating vibration environment is more severe than the 
transportation vibration environment. The analysis must include 
vibration fatigue equivalence calculations that demonstrate that the 
high vibration levels with short duration experienced during flight 
creates a more severe environment than the relatively low-vibration 
levels with long duration that would be experienced during 
transportation.
    (g) Fungus resistance. A fungus resistance test or analysis must 
demonstrate that a component satisfies all its performance 
specifications after being subjected to a fungal growth environment. 
Any analysis must demonstrate that all unsealed and exposed surfaces 
do not contain nutrient materials for fungus.
    (h) Salt fog. For a component that will be exposed to salt fog, 
a salt fog test or analysis must demonstrate that the component 
satisfies all its performance specifications after being subjected 
to the effects of a moist, salt-laden atmosphere. The test or 
analysis must demonstrate the ability of all externally exposed 
surfaces to withstand a salt-fog environment. The test or analysis 
must demonstrate the ability of each internal part of a component to 
withstand a salt-fog environment unless the component is 
environmentally sealed, and acceptance testing verifies that the 
seal works.
    (i) Fine sand. For a component that will be exposed to fine sand 
or dust, a fine sand test or analysis must demonstrate that the 
component satisfies all its performance specifications after being 
subjected to the effects of dust or fine sand particles that may 
penetrate into cracks, crevices, bearings and joints. The test or 
analysis must demonstrate the ability of all externally exposed 
surfaces to withstand a fine sand environment. The test or analysis 
must demonstrate the ability of each internal part of a component to 
withstand a fine sand environment unless the component is 
environmentally sealed and acceptance testing verifies that the seal 
works.
    (j) Tensile load. A tensile load test must demonstrate that a 
component satisfies all its performance specifications after being 
exposed to tensile and compression loads of no less than twice the 
maximum predicted level during transportation and installation. In 
addition, the test load must satisfy one of the following where 
applicable:
    (1) For an explosive transfer system and its associated 
fittings, a pull of no less than 100 pounds unless the launch 
operator establishes procedural controls or tests that prevent or 
detect mishandling;
    (2) For a destruct charge and its associated fittings, a pull of 
no less than 50 pounds;
    (3) For a flight radio frequency connector, a pull of no less 
than one-half the manufacturer specified limit;
    (4) For an electro-explosive device wire, a pull of no less than 
18 pounds; or
    (5) For an electrical pin of an exploding bridgewire device, no 
less than an 18-pound force in axial and compression modes.
    (k) Handling drop of ordnance. A handling drop test must 
demonstrate that an ordnance component satisfies all its performance 
specifications after experiencing the more severe of the following:
    (1) The maximum predicted drop and resulting impact that could 
occur and go undetected during storage, transportation, or 
installation; or
    (2) A six-foot drop onto a representative surface in any 
orientation that could occur during storage, transportation, or 
installation.
    (l) Abnormal drop of ordnance. An abnormal drop test must 
demonstrate that an ordnance component does not initiate and allows 
for safe disposal after experiencing the maximum predicted drop and 
resulting impact onto a representative surface in any orientation, 
that could occur during storage, transportation, or installation. 
The component need not function after this drop.

E417.11 Qualification operating environments.

    (a) General. This section applies to each qualification 
operating environment test or analysis identified by any table of 
this appendix. A qualification operating environment test must 
demonstrate that a component satisfies all of its performance 
specifications when subjected to each qualification operating 
environment including each physical environment that the component 
will experience during acceptance testing, launch countdown, and 
flight. The test must employ each margin required by this section.
    (b) Qualification sinusoidal vibration. (1) A qualification 
sinusoidal vibration test or analysis of a component must 
demonstrate that the component and each connection to any item that 
attaches to the component satisfy all their performance 
specifications when subjected to the qualification sinusoidal 
vibration environment. The attached items must include any vibration 
or shock isolator, grounding strap, bracket, explosive transfer 
system, or cable to the first tie-down. Any cable that interfaces 
with the component during any test must be representative of the 
cable used for flight.
    (2) The qualification sinusoidal vibration environment must be 
no less than 6 dB greater than the maximum predicted sinusoidal 
vibration environment for no less than three times the maximum 
predicted duration.
    (3) The sinusoidal frequency must range from 50% lower than the 
maximum predicted frequency range to 50% higher than the maximum 
predicted frequency range.
    (4) Any test must satisfy all of the following:
    (i) The test must subject each of three mutually perpendicular 
axes of the component to the qualification sinusoidal vibration 
environment, one axis at a time. For each axis, the duration of the 
vibration must be no less than three times the maximum predicted 
sinusoidal vibration duration.
    (ii) The sinusoidal sweep rate must be no greater than one-third 
the maximum predicted sweep rate;
    (iii) The sinusoidal vibration test amplitude must have an 
accuracy of 10%; and
    (iv) For any component that uses one or more shock or vibration 
isolators, the component must undergo the test mounted on its 
isolator or isolators as a unit. Each isolator must satisfy the 
requirements of section E417.35.
    (5) Any analysis must demonstrate that the qualification random 
vibration environment of paragraph (c) of this section encompasses 
the qualification sinusoidal vibration environment.
    (c) Qualification random vibration. (1) A qualification random 
vibration test of a component must demonstrate that the component 
and each connection to any item that attaches to the component 
satisfy all their performance specifications when subjected to the 
qualification random vibration environment. The attached items must 
include any isolator, grounding strap, bracket, explosive transfer 
system, or cable to the first tie-down. Any cable that interfaces 
with the component during any test must be representative of the 
cable used for flight.
    (2) For each component required by this appendix to undergo 100% 
acceptance testing, the minimum qualification random vibration 
environment must be no less than a 3 dB margin greater than the 
maximum acceptance random vibration test environment for all 
frequencies from 20 Hz to 2,000 Hz. The minimum and maximum test 
environments must account for all the test tolerances to ensure that 
the test maintains the 3 dB margin.
    (3) For each component that is not required by this appendix to 
undergo 100% acceptance testing, the minimum qualification random 
vibration environment must be no less than a 4.5-dB margin greater

[[Page 50607]]

than the greater of the maximum predicted random vibration 
environment or the minimum workmanship test levels of table E417.11-
1 for all frequencies from 20 Hz to 2000 Hz. The minimum 
qualification test environment must account for all the test 
tolerances to ensure that the test maintains the 4.5 dB margin.
    (4) If a component is mounted on one or more shock or vibration 
isolators during flight, the component must undergo the 
qualification random vibration test while hard-mounted or isolator-
mounted as follows:
    (i) Any qualification random vibration test with the component 
hard-mounted must subject the component to a qualification random 
vibration environment that:
    (A) Accounts for the isolator attenuation and amplification due 
to the maximum predicted operating random vibration environment, 
including any thermal effects and acceleration pre-load performance 
variability, and adds a 1.5 dB margin to account for any isolator 
attenuation variability;
    (B) Adds the required qualification random vibration margin of 
paragraph (c)(1) or (c)(2) of this section after accounting for the 
isolator effects of paragraph (c)(4)(i)(A) of this section and 
accounts for all tolerances that apply to the isolator's performance 
specifications to ensure that the qualification test margin is 
maintained; and
    (C) Is no less than the minimum workmanship screening 
qualification random vibration level of table E417.11-1.
    (ii) Any qualification random vibration test with the component 
isolator-mounted must:
    (A) Use an isolator or isolators that passed the tests required 
by section E417.35;
    (B) Have an input to each isolator of no less than the required 
qualification random vibration environment of paragraph (c)(1) or 
(c)(2) of this section; and
    (C) Subject the component to no less than the minimum 
workmanship screening qualification random vibration level of table 
E417.11-1. If the isolator or isolators prevent the component from 
experiencing the minimum workmanship level, the component must 
undergo a test while hard-mounted that subjects the component to the 
workmanship level.
    (5) The test must subject each component sample to the 
qualification random vibration environment in each of three mutually 
perpendicular axes. For each axis, the test must last three times as 
long as the acceptance test duration or a minimum workmanship 
qualification duration of 180 seconds, whichever is greater.
    (6) For a component sample that must experience the acceptance 
random vibration environment before it experiences the qualification 
random vibration environment, such as a command receiver decoder, 
the test must use the same configuration and methods for the 
acceptance and qualification environments.
    (7) If the duration of the qualification random vibration 
environment leaves insufficient time to complete any required 
performance verification test while the component is subjected to 
the full qualification environment, the test must continue at no 
less than the acceptance random vibration environment. The test need 
only continue for the additional time needed to complete the 
performance verification test.
    (8) The test must continuously monitor and record all 
performance and status-of-health parameters while the component is 
subjected to the qualification environment. This monitoring must 
have a sample rate that will detect any component performance 
degradation. Any electrical component must undergo the test while 
subjected to its nominal operating voltage.
    (9) A launch operator may substitute a random vibration test for 
another required dynamic test, such as acceleration, acoustic, or 
sinusoidal vibration if the launch operator demonstrates that the 
forces, displacements, and test duration imparted on a component 
during the random vibration test are no less severe than the other 
test environment.
[GRAPHIC] [TIFF OMITTED] TR25AU06.014

    (d) Qualification acoustic. (1) A qualification acoustic 
vibration test or analysis of a component must demonstrate that the 
component and each connection to any item that attaches to the 
component satisfy all their performance specifications when 
subjected to the qualification acoustic vibration environment. The 
attached items must include any isolator, grounding strap, bracket, 
explosive transfer system, or cable to the first tie-down. Any cable 
that interfaces with the component during any test must be 
representative of the cable used for flight.
    (2) For each component required by this appendix to undergo 100% 
acoustic acceptance testing, the minimum qualification acoustic 
vibration environment must be greater than the maximum acceptance 
acoustic vibration test environment for all frequencies from 20 Hz 
to 2000 Hz. The minimum and maximum test environments must account 
for all the test tolerances to ensure that the test maintains a 
positive margin between the minimum qualification environment and 
the maximum acceptance environment. For each acoustic vibration test 
required by this appendix to have a tolerance of 3 dB, 
the qualification test level must be 6 dB greater than the 
acceptance test level.

[[Page 50608]]

    (3) For each component that is not required by this appendix to 
undergo 100% acceptance testing, such as ordnance, the minimum 
qualification acoustic vibration environment must be no less than a 
3 dB margin greater than the maximum predicted acoustic vibration 
environment or a minimum workmanship screening test level of 144 dBA 
for all frequencies from 20 Hz to 2000 Hz. The minimum qualification 
test environment must account for all the test tolerances to ensure 
that the test maintains the 3 dB margin. For each acoustic vibration 
test required by this appendix to have a tolerance of 3.0 dB, the 
qualification test level must be 6 dB greater than the greater of 
the maximum predicted environment or the minimum workmanship test 
level.
    (4) For any component that uses one or more shock or vibration 
isolators during flight, the component must undergo any 
qualification acoustic vibration test mounted on its isolator or 
isolators as a unit. Each isolator must satisfy the test 
requirements of section E417.35.
    (5) Any test must continuously monitor and record all 
performance and status-of-health parameters while the component is 
subjected to the qualification environment. This monitoring must 
have a sample rate that will detect any component performance 
degradation.
    (6) Any analysis must demonstrate that the qualification random 
vibration test environment of paragraph (c) of this section 
encompasses the qualification acoustic vibration environment. The 
analysis must demonstrate that the qualification random vibration 
environment is more severe than the qualification acoustic vibration 
environment. The analysis must account for all peak vibration levels 
and durations.
    (e) Qualification shock. (1) A qualification shock test of a 
component must demonstrate that the component and each connection to 
any item that attaches to the component satisfies all their 
performance specifications when subjected to the qualification shock 
environment. The attached items must include any isolator, grounding 
strap, bracket, explosive transfer system, or cable to the first 
tie-down. Any cable that interfaces with the component during the 
test must be representative of the cable used for flight.
    (2) The minimum qualification shock environment must be no less 
than a 3 dB margin plus the greater of the maximum predicted 
environment or the minimum breakup levels identified in table 
E417.11-2 for all frequencies from 100 Hz to 10000 Hz. The minimum 
qualification test environment must account for all the test 
tolerances to ensure that the test maintains the 3 dB margin. For a 
shock test required by this appendix to have a 3 dB 
tolerance, the qualification test environment must be 6 dB greater 
than the greater of the maximum predicted shock environment or the 
minimum breakup test level.
    (3) The test must subject the component simultaneously to a 
shock transient and all the required frequencies.
    (4) The test must subject each component to three shocks in each 
direction along each of the three orthogonal axes.
    (5) The shock must last as long as the maximum predicted shock 
event.
    (6) The test must continuously monitor each component's critical 
performance parameters for any discontinuity or inadvertent output 
while the component is subjected to the shock environment.
    (7) The test must continuously monitor and record all 
performance and status-of-health parameters while the component is 
subjected to the qualification environment. This monitoring must 
have a sample rate of once every millisecond or better.
    (8) For any component that uses one or more shock or vibration 
isolators during flight, the component must undergo the 
qualification shock test mounted on its isolator or isolators. Each 
isolator must satisfy the test requirements of section E417.35.
[GRAPHIC] [TIFF OMITTED] TR25AU06.015

    (f) Qualification acceleration. (1) A qualification acceleration 
test or analysis of a component must demonstrate that the component 
and each connection to any item that attaches to the component 
satisfy all their performance specifications when subjected to the 
qualification acceleration environment. The attached items must 
include any isolator, grounding strap, bracket, explosive transfer 
system, or cable to the first tie-down. Any cable that interfaces 
with the component during any test must be representative of the 
cable used for flight.
    (2) The qualification acceleration test environment must be no 
less than 200% greater than the maximum predicted acceleration 
environment.
    (3) The qualification acceleration must last three times as long 
as the maximum predicted environment lasts in each direction for 
each of the three orthogonal axes.
    (4) For any test, if the test tolerance is more than 10%, the 
qualification acceleration test environment of paragraph (f)(1) of 
this section must account for the test tolerance 
to ensure that the test maintains the 200% margin between the 
minimum qualification acceleration test and the maximum predicted 
environment.
    (5) Any analysis must demonstrate that the qualification 
operating random vibration test required by paragraph (c) of this 
section encompasses the qualification acceleration environment. The 
analysis must demonstrate that the qualification random vibration 
environment is equal to or more severe than the qualification 
acceleration environment. The analysis must account for the peak 
vibration and acceleration levels and durations.
    (6) Any test must continuously monitor and record all 
performance and status-of-health parameters while the component is 
subjected to the qualification environment. This monitoring must 
have a sample rate that will detect any component performance 
degradation.
    (7) For any component that uses one or more shock and vibration 
isolators during flight, the component must undergo any 
qualification acceleration test mounted on its isolator or 
isolators. Each isolator must

[[Page 50609]]

satisfy the test requirements of section E417.35.
    (g) Qualification humidity. A qualification humidity test or 
analysis must demonstrate that a component satisfies all its 
performance specifications when subjected to the maximum predicted 
relative humidity environment that the component could experience 
when stored, transported, or installed as follows:
    (1) The test or analysis must demonstrate the ability of all 
externally exposed surfaces to withstand the maximum predicted 
relative humidity environment.
    (2) The test or analysis must demonstrate the ability of each 
internal part of a component to withstand the maximum predicted 
relative humidity environment unless the component is 
environmentally sealed and an acceptance test demonstrates that the 
seal works.
    (3) Each test must satisfy all of the following:
    (i) The test must subject the component to no less than four 
thermal cycles while the component is exposed to a relative humidity 
of no less than 95%;
    (ii) The test must measure each electrical performance parameter 
at the cold and hot temperatures during the first, middle and last 
thermal cycles; and
    (iii) The test must continuously measure and record all 
performance and status-of-health parameters with a resolution and 
sample rate that will detect any component performance degradation 
throughout each thermal cycle.
    (h) Qualification thermal cycle. A qualification thermal cycle 
test must demonstrate that a component satisfies all its performance 
specifications when subjected to the qualification thermal cycle 
environment as follows:
    (1) Electronic components. For any command receiver decoder or 
other electronic component that contains piece-part circuitry, such 
as microcircuits, transistors, diodes and relays, a qualification 
thermal cycle test must satisfy all of the following:
    (i) The qualification thermal cycle environment must range from 
10 [deg]C above the acceptance test high temperature to 10 [deg]C 
below the acceptance test low temperature;
    (ii) The test must subject a component to no less than three 
times the acceptance-number of thermal cycles. For each component, 
the acceptance-number of thermal cycles must satisfy section 
E417.13(d)(1). For each cycle, the dwell-time at each of the high 
and low temperatures must last long enough for the component to 
achieve internal thermal equilibrium and must last no less than one 
hour. The test must begin each dwell-time at each high and low 
temperature with the component turned off. The component must remain 
off until the temperature stabilizes. Once the temperature 
stabilizes, the component must be turned on and the test must 
complete each dwell-time with the component turned on;
    (iii) When heating or cooling the component, the temperature 
must change at an average rate of 1 [deg]C per minute or the maximum 
predicted rate, whichever is greater;
    (iv) The test must measure all performance parameters with the 
component powered at its low and high operating voltages when the 
component is at ambient temperature before beginning the first 
thermal cycle and after completing the last cycle. The test must 
measure all performance parameters with the component powered at its 
low and high operating voltages when the component is at the high 
and low temperatures during the first, middle, and last thermal 
dwell cycles; and
    (v) The test must continuously monitor and record all critical 
performance and status-of-health parameters during all cycles and 
thermal transitions and with the component operating at its nominal 
operating voltage. The monitoring and recording must have a 
resolution and sample rate that will detect any component 
performance degradation.
    (2) Passive components. For any passive component that does not 
contain an active electronic piece-part, such as a radio frequency 
antenna, coupler, or cable, a qualification thermal cycle test must 
satisfy all of the following:
    (i) The qualification thermal cycle environment must range from 
10 [deg]C above the acceptance test high temperature to 10 [deg]C 
below the acceptance test low temperature;
    (ii) The test must subject a component to no less than three 
times the acceptance-number of thermal cycles. For each component, 
the acceptance-number of thermal cycles must satisfy section 
E417.13(d)(1). For each cycle, the dwell-time at each high and low 
temperature must last long enough for the component to achieve 
internal thermal equilibrium and must last no less than one hour;
    (iii) When heating or cooling the component, the temperature 
must change at an average rate of 1 [deg]C per minute or the maximum 
predicted rate, whichever is greater;
    (iv) The test must measure all performance parameters when the 
component is at ambient temperature before beginning the first 
thermal cycle and after completing the last cycle. The test must 
measure all performance parameters when the component is at the high 
and low temperatures during the first, middle, and last thermal 
cycles; and
    (v) The test must continuously monitor and record all critical 
performance and status-of-health parameters with a resolution and 
sample rate that will detect any component performance degradation 
during all cycles and thermal transitions.
    (3) Safe-and-Arm Devices. For any electro-mechanical safe-and-
arm device with an internal explosive, a qualification thermal cycle 
test must satisfy all of the following:
    (i) The qualification thermal cycle must range from 10 [deg]C 
above the acceptance test high temperature to 10 [deg]C below the 
acceptance test low temperature;
    (ii) The test must subject the component to no less than three 
times the acceptance-number of thermal cycles. For each component, 
the acceptance-number of thermal cycles must satisfy section 
E417.13(d)(1). For each cycle, the dwell-time at each high and low 
temperature must last long enough for the component to achieve 
internal thermal equilibrium and must last no less than one hour;
    (iii) When heating or cooling the component, the temperature 
must change at an average rate of 1 [deg]C per minute or the maximum 
predicted rate, whichever is greater;
    (iv) The test must measure all performance parameters when the 
component is at ambient temperature before beginning the first 
thermal cycle. The test must measure all performance parameters when 
the component is at the high and low temperatures during the first, 
middle, and last thermal cycles. The test must measure all 
performance parameters when the component is at ambient temperature 
after completing the last cycle; and
    (v) The test must continuously monitor and record all critical 
performance and status-of-health parameters during all temperature 
cycles and transitions using a resolution and sample rate that will 
detect any component performance degradation.
    (4) Ordnance components. For any ordnance component, a 
qualification thermal cycle test must satisfy all of the following:
    (i) The qualification thermal cycle must range from 10 [deg]C 
above the predicted highest temperature, or 71 [deg]C, whichever is 
higher, to 10 [deg]C below the predicted lowest temperature, or -54 
[deg]C, whichever is lower;
    (ii) The test must subject each ordnance component to no less 
than the acceptance-number of thermal cycles. For each component, 
the acceptance-number of thermal cycles must satisfy section 
E417.13(d)(1). For an ordnance component that is used inside a safe-
and-arm device, the test must subject the component to three times 
the acceptance-number of thermal cycles. For each cycle, the dwell-
time at each high and low temperature must last long enough for the 
component to achieve internal thermal equilibrium and must last no 
less than two hours; and
    (iii) When heating or cooling the component, the temperature 
must change at an average rate of 3 [deg]C per minute or the maximum 
predicted rate, whichever is greater.
    (i) Qualification thermal vacuum. A qualification thermal vacuum 
test or analysis must demonstrate that a component satisfies all its 
performance specifications, including structural integrity, when 
subjected to the qualification thermal vacuum environment as 
follows:
    (1) The qualification thermal vacuum environment must satisfy 
all of the following:
    (i) The thermal vacuum pressure gradient must equal or exceed 
the maximum predicted rate of altitude change that the component 
will experience during flight;
    (ii) The final vacuum dwell-time must last long enough for the 
component to achieve pressure equilibrium and equal or exceed the 
greater of the maximum predicted dwell-time or 12 hours;
    (iii) During the final vacuum dwell-time, the environment must 
include no less than three times the maximum predicted number of 
thermal cycles; and
    (iv) Each thermal cycle must range from 10 [deg]C above the 
acceptance thermal vacuum range, to 10 [deg]C below the acceptance 
thermal vacuum range. The acceptance thermal vacuum temperature 
range is described in section E417.13(e);
    (2) Any test must satisfy all of the following:
    (i) The test must measure all performance parameters with the 
component powered at its low and high operating voltages when the 
component is at ambient temperature before beginning the first 
thermal cycle and after completing the last cycle;
    (ii) The test must measure all performance parameters while the 
component is powered at its low and high operating voltages when the 
component is at the high and low temperatures during the first, 
middle and last thermal cycles;
    (iii) The test must continuously monitor and record all critical 
performance and status-of-health parameters during chamber pressure 
reduction and the final vacuum dwell-time, with the component at its 
high operating voltage and using a resolution and sample rate that 
will detect any component performance degradation; and
    (3) Any analysis must satisfy all of the following:
    (i) For any low voltage component of less than 50 volts, the 
analysis must demonstrate that the component is not susceptible to 
corona, arcing, or structural failure; and
    (ii) For any high voltage component of 50 volts or greater, the 
component must undergo a thermal vacuum test unless the component is 
environmentally sealed and the analysis demonstrates that any low 
voltage externally exposed part is not susceptible to corona, 
arcing, or structural failure. A component with any high voltage 
externally exposed part of 50 volts or greater must undergo a 
thermal vacuum test.
    (j) Electromagnetic interference and electromagnetic 
compatibility. An electromagnetic interference and electromagnetic 
compatibility test must demonstrate that a component satisfies all 
its performance specifications when subjected to radiated or 
conducted emissions from all flight vehicle systems and external 
ground transmitter sources. In addition, the test must demonstrate 
that the component does not radiate or conduct electromagnetic 
interference that would degrade the performance of any other flight 
termination system component.
    (k) Explosive atmosphere. An explosive atmosphere test or 
analysis must demonstrate that a component is capable of operating 
in an explosive atmosphere without creating an explosion or that the 
component is not used in an explosive environment.

E417.13 Acceptance testing and analysis.

    (a) General. This section applies to each acceptance test or 
analysis identified by any table of this appendix. An acceptance 
test or analysis must demonstrate that a component does not have any 
material or workmanship defect that could adversely affect the 
component's performance and that the component satisfies all its 
performance specifications when subjected to each acceptance 
environment, including each workmanship and maximum predicted 
operating environment.
    (1) An acceptance test of a component must subject the component 
to one or more of the component's maximum predicted environments as 
determined under section D417.7. An acceptance test must not subject 
a component to a force or environment that is not tested during 
qualification testing.
    (2) Each component sample that is intended for flight must 
undergo each acceptance test identified by any table of this 
appendix. A single-use component, such as ordnance or a battery, 
must undergo the production lot sample acceptance tests identified 
by any tables of this appendix.
    (3) If a launch vehicle uses a previously flown and recovered 
flight termination system component, the component must undergo one 
or more reuse acceptance tests before each next flight to 
demonstrate that the component still satisfies all its performance 
specifications when subjected to each maximum predicted environment. 
Each reuse acceptance test must be the same as the initial 
acceptance test for the component's first flight. Each reuse 
acceptance test must follow a written component reuse qualification, 
refurbishment, and acceptance plan and procedures. Each acceptance 
reuse test must compare performance parameter measurements taken 
during the test to all previous acceptance test measurements to 
ensure that the data show no trends that indicate any degradation in 
performance that could prevent the component from satisfying all its 
performance specifications during flight.
    (4) Each acceptance test of a component must use test tolerances 
that are consistent with the test tolerances used by each 
qualification test of the component.
    (b) Acceptance random vibration. An acceptance random vibration 
test must demonstrate that a component satisfies all its performance 
specifications when exposed to the acceptance random vibration 
environment as follows:
    (1) The acceptance random vibration environment must equal or 
exceed the greater of the maximum predicted random vibration level 
or the minimum workmanship acceptance test level of table E417.13-1, 
for all frequencies from 20 Hz to 2000 Hz, in each of three mutually 
perpendicular axes.
    (2) For each axis, the vibration must last the greater of three 
times the maximum predicted duration or a minimum workmanship 
screening level of 60 seconds.
    (3) For a component sample that undergoes qualification testing 
and must experience the acceptance environment before it experiences 
the qualification environment, such as a command receiver decoder, 
the test must use the same configuration and methods for the 
acceptance and qualification random vibration environments. An 
acceptance random vibration test of a flight component sample must 
use a configuration and method that is representative of the 
component's qualification tests to ensure that the requirements of 
paragraph (a) of this section are satisfied.
    (4) For any component that is mounted on one or more vibration 
or shock isolators during flight, the component must undergo the 
acceptance random vibration test in the same isolator-mounted 
configuration or hard-mounted configuration as the component's 
qualification random vibration test as follows:
    (i) Any hard-mounted acceptance random vibration test must 
subject the component to an acceptance random vibration environment 
that:
    (A) Accounts for the isolator attenuation and amplification due 
to the maximum predicted operating random vibration environment, 
including any thermal effects and acceleration pre-load performance 
variability, and adds a 1.5 dB margin to account for any isolator 
attenuation variability; and
    (B) Is no less than the minimum workmanship screening acceptance 
random vibration level of table E417.13-1.
    (ii) Any isolator-mounted acceptance random vibration test must:
    (A) Use an isolator or isolators that passed the tests required 
by section E417.35;
    (B) Have an input to each isolator of no less than the required 
acceptance random vibration environment of paragraphs (b)(1) and 
(b)(2) of this section; and
    (C) Subject the component to no less than the minimum 
workmanship screening acceptance random vibration level of table 
E417.13-1. If the isolator or isolators prevent the component from 
experiencing the minimum workmanship level, the component must 
undergo a hard-mount test that subjects the component to the 
workmanship level.
    (5) If the duration of the acceptance random vibration 
environment leaves insufficient time to complete any required 
performance verification test while the component is subjected to 
the full acceptance environment, the test must continue at no lower 
than 6 dB below the acceptance environment. The test need only 
continue for the additional time needed to complete the performance 
verification test.
    (6) The test must continuously monitor all performance and 
status-of-health parameters with any electrical component at its 
nominal operating voltage. This monitoring must have a sample rate 
that will detect any component performance degradation.

[[Page 50611]]

[GRAPHIC] [TIFF OMITTED] TR25AU06.016

    (c) Acceptance acoustic vibration. An acceptance acoustic 
vibration test or analysis must demonstrate that a component 
satisfies all its performance specifications when exposed to the 
acceptance acoustic vibration environment as follows:
    (1) The acceptance acoustic vibration environment must satisfy 
all of the following:
    (i) The vibration level must equal or exceed the maximum 
predicted acoustic level for all frequencies from 20 Hz to 2,000 Hz 
in each of three mutually perpendicular axes; and
    (ii) For each axis, the vibration must last the maximum 
predicted duration or 60 seconds, whichever is greater.
    (2) Any test must satisfy all of the following:
    (i) The test must continuously monitor all performance and 
status-of-health parameters with any electrical component at its 
nominal operating voltage. This monitoring must have a sample rate 
that will detect any component performance degradation; and
    (ii) If the duration of the acceptance acoustic vibration 
environment leaves insufficient time to complete any required 
performance verification test while the component is subjected to 
the full acceptance environment, the test must continue at no lower 
than 6 dB below the acceptance environment. The test need only 
continue for the additional time needed to complete the performance 
verification test.
    (3) Any analysis must demonstrate that the acceptance random 
vibration environment of paragraph (b) of this section encompasses 
the acceptance acoustic vibration environment. The analysis must 
demonstrate that the peak acceptance random vibration levels and 
duration are equal to or are more severe than the acceptance 
acoustic vibration environment.
    (d) Acceptance thermal cycle. An acceptance thermal cycle test 
of a component must demonstrate that the component satisfies all its 
performance specifications when exposed to the acceptance thermal 
cycle environment as follows:
    (1) Acceptance-number of thermal cycles. The acceptance-number 
of thermal cycles for a component means the number of thermal cycles 
that the component must experience during the test. The test must 
subject each component to no less than the greater of eight thermal 
cycles or 1.5 times the maximum number of thermal cycles that the 
component could experience during launch processing and flight, 
including all launch delays and recycling, rounded up to the nearest 
whole number.
    (2) Electronic components. For any electronic component, an 
acceptance thermal cycle test must satisfy all of the following:
    (i) The acceptance thermal cycle environment must range from the 
higher of the maximum predicted environment high temperature or 61 
[deg]C workmanship screening level, to the lower of the predicted 
low temperature or a -24 [deg]C workmanship screening level.
    (ii) The test must subject a component to no fewer than 10 plus 
the acceptance-number of thermal cycles. For each component, the 
acceptance-number of thermal cycles must satisfy this paragraph. For 
each cycle, the dwell-time at each high and low temperature must 
last long enough for the component to achieve internal thermal 
equilibrium and must last no less than one hour. The test must begin 
each dwell-time at each high and low temperature with the component 
turned off. The component must remain off until the temperature 
stabilizes. Once the temperature stabilizes, the test must complete 
each dwell-time with the component turned on.
    (iii) When heating or cooling the component, the temperature 
must change at an average rate of 1 [deg]C per minute or the maximum 
predicted rate, whichever is greater.
    (iv) The test must measure all performance parameters with the 
component powered at its low and high operating voltages when the 
component is at ambient temperature before beginning the first 
thermal cycle and after completing the last cycle.
    (v) The test must measure all performance parameters with the 
component at its low and high operating voltages when the component 
is at the high and low temperatures during the first, middle, and 
last thermal cycles.
    (vi) The test must continuously monitor and record all critical 
performance and status-of-health parameters during all cycles and 
thermal transitions and with the component at its nominal operating 
voltage. The monitoring and recording must have a resolution and 
sample rate that will detect any component performance degradation.
    (3) Passive components. For any passive component that does not 
contain any active electronic piece-part, such as any radio 
frequency antenna, coupler, or cable, an acceptance thermal cycle 
test must satisfy all of the following:
    (i) Unless otherwise noted, the acceptance thermal cycle 
environment must range from the higher of the maximum predicted 
environment high temperature or a 61 [deg]C workmanship screening 
temperature, to the lower of the predicted lowest temperature or a 
-24 [deg]C workmanship screening temperature;
    (ii) The test must subject a component to no fewer than the 
acceptance-number of thermal cycles. For each component, the 
acceptance-number of thermal cycles must satisfy this paragraph. For 
each cycle, the dwell-time at each high and low temperature must 
last long enough for the component to achieve internal thermal 
equilibrium and must last no less than one hour;
    (iii) When heating or cooling the component, the temperature 
must change at an average rate of 1 [deg]C per minute or the maximum 
predicted rate, whichever is greater;
    (iv) The test must measure all performance parameters when the 
component is at ambient temperature before beginning the first 
thermal cycle and after completing the last cycle;
    (v) The test must measure all performance parameters when the 
component is at the high and low temperatures during the first, 
middle, and last thermal cycles; and
    (vi) The test must continuously monitor and record all critical 
performance and status-of-health parameters throughout each thermal 
cycle with a resolution and sample rate that will detect any 
component performance degradation.
    (4) Safe-and-arm devices. For any electro-mechanical safe-and-
arm device with an internal explosive, an acceptance thermal cycle 
test must satisfy all of the following:
    (i) The acceptance thermal cycle environment must range from the 
higher of the maximum predicted environment high temperature or the 
minimum workmanship screening temperature of 61 [deg]C to the lower 
of the predicted lowest temperature or the minimum workmanship 
screening temperature of -24 [deg]C.
    (ii) The test must subject a component to no fewer than the 
acceptance-number of thermal cycles. For each component, the 
acceptance-number of thermal cycles must satisfy this paragraph. For 
each cycle, the dwell-time at each high and low temperature must 
last long enough for the component to achieve internal thermal 
equilibrium and must last no less than one hour.
    (iii) When heating or cooling the component, the temperature 
must change at an average rate of 1 [deg]C per minute or the maximum 
predicted rate, whichever is greater.
    (iv) The test must measure all performance parameters when the 
component is at ambient temperature before beginning the first 
thermal cycle and after completing the last cycle.
    (v) The test must measure all performance parameters including 
each critical electrical parameter, when the component is at the 
high and low temperatures during the first, middle, and last thermal 
cycles.
    (vi) The test must continuously monitor and record all critical 
performance and status-of-health parameters throughout each thermal 
cycle with a resolution and sample rate that will detect whether the 
component satisfies all its performance specifications.
    (e) Acceptance thermal vacuum. An acceptance thermal vacuum test 
or analysis must demonstrate that a component satisfies all its 
performance specifications when exposed to the acceptance thermal 
vacuum environment as follows:
    (1) The acceptance thermal vacuum environment must satisfy all 
of the following:
    (i) The thermal vacuum pressure gradient must equal or exceed 
the maximum predicted rate of altitude change that the component 
will experience during flight. The pressure gradient must allow for 
no less than ten minutes for reduction of chamber pressure at the 
pressure zone from ambient pressure to 20 Pascal;
    (ii) The final vacuum dwell-time must last long enough for the 
component to achieve pressure equilibrium and must last no less than 
the maximum predicted dwell-time or 12 hours, whichever is greater;
    (iii) During the final vacuum dwell-time, the environment must 
include no less than the maximum predicted number of thermal cycles; 
and
    (iv) Each thermal cycle must range from the higher of the 
maximum predicted environment high temperature or the workmanship 
screening high temperature of 61 [deg]C, to the lower of the 
predicted low temperature or the workmanship screening low 
temperature of -24 [deg]C.
    (2) Any test must satisfy all of the following:
    (i) The test must measure all performance parameters with the 
component powered at its low and high operating voltages when the 
component is at ambient temperature before beginning the first 
thermal cycle and after completing the last cycle.
    (ii) The test must measure all performance parameters with the 
component powered at its low and high operating voltages when the 
component is at the high and low temperatures during the first, 
middle, and last thermal cycles; and
    (iii) The test must continuously monitor all critical 
performance and status-of-health parameters during chamber pressure 
reduction and during the final vacuum dwell-time with the component 
at its high operating voltage. This monitoring must have a 
resolution and sample rate that will detect any component 
performance degradation.
    (3) Any analysis must satisfy all of the following:
    (i) For any low voltage component of less than 50 volts, any 
analysis must demonstrate that the component is not susceptible to 
corona, arcing, or structural failure; and
    (ii) Any high voltage component of 50 volts or greater must 
undergo a thermal vacuum test unless the component is 
environmentally sealed and the analysis demonstrates that any low 
voltage externally exposed part of less than 50 volts is not 
susceptible to corona, arcing, or structural failure. A component 
with any high voltage externally exposed part must undergo an 
acceptance thermal vacuum test.
    (f) Tensile loads. An acceptance tensile load test of a 
component must demonstrate that the component is not damaged and 
satisfies all its performance specifications after experiencing 
twice the maximum predicted pull-force that the component could 
experience before, during, or after installation.

E417.15 Ordnance service-life extension testing.

    (a) General. This section applies to each service-life extension 
test of an ordnance component that is identified by any table of 
this appendix. A service-life extension test must demonstrate that 
an ordnance component will satisfy all its performance 
specifications when subjected to non-operating and operating 
environments throughout its initial service-life and throughout any 
extension to the service-life. An ordnance component must undergo a 
service-life extension test to extend its service-life if its 
initial service-life and any previous extension will expire before 
the component is used for flight.
    (b) Service-life. An ordnance component must undergo any 
service-life extension test before the component's initial service-
life expires and again before each service-life extension expires. 
The initial service-life of an ordnance component, including any 
component that contains ordnance or is used to directly initiate 
ordnance, must start upon completion of the initial production lot 
sample acceptance tests and must include both storage time and time 
after installation until completion of flight. The test tables of 
this appendix identify the options for the length of any service-
life extension for each type of ordnance component.
    (c) Test samples. The tables of this appendix identify the 
number of ordnance component samples that must undergo any service-
life extension test. Each component sample must be:
    (i) From the same production lot;
    (ii) Consist of identical parts and materials;
    (iii) Manufactured through identical processes; and
    (iv) Stored with the flight ordnance component or in an 
environment that duplicates the storage conditions of the flight 
ordnance component.

E417.17 Radio frequency receiving system.

    (a) General. (1) This section applies to a radio frequency 
receiving system, which includes each flight termination system 
antenna and radio frequency coupler and any radio frequency cable or 
other passive device used to connect a flight termination system 
antenna to a command receiver.
    (2) The components of a radio frequency receiving system must 
satisfy each test or analysis identified by any table of this 
section to demonstrate that:
    (i) The system is capable of delivering command control system 
radio frequency energy to each flight termination system receiver; 
and
    (ii) The system satisfies all its performance specifications 
when subjected to each non-operating and operating environment and 
any performance degradation source. Such sources include any command 
control system transmitter variation, non-nominal launch vehicle 
flight condition, and flight termination system performance 
variation.

[[Page 50613]]

[GRAPHIC] [TIFF OMITTED] TR25AU06.017


[[Page 50614]]


[GRAPHIC] [TIFF OMITTED] TR25AU06.018


[[Page 50615]]


[GRAPHIC] [TIFF OMITTED] TR25AU06.019


[[Page 50616]]

    (b) Status-of-health. A status-of-health test of a radio 
frequency receiving system must satisfy section E417.3(f) and 
include antenna voltage standing wave ratio testing that measures 
the assigned operating frequency at the high and low frequencies of 
the operating bandwidth to verify that the antenna satisfies all its 
performance specifications.
    (c) Link performance. A link performance test of a radio 
frequency component or subsystem must demonstrate that the component 
or subsystem satisfies all its performance specifications when 
subjected to performance degradation caused by ground transmitter 
variations and non-nominal vehicle flight. This must include 
demonstrating all of the following:
    (1) The radio frequency receiving system provides command 
signals to each command destruct receiver at an electromagnetic 
field intensity of 12 dB above the level required for reliable 
receiver operation over 95% of the antenna radiation sphere 
surrounding the launch vehicle;
    (2) The radio frequency coupler insertion loss and voltage 
standing wave ratio at the assigned operating frequency and at the 
high and low frequencies of the operating bandwidth satisfy all 
their performance specifications; and
    (3) The cable insertion loss at the assigned operating frequency 
and at the high and low frequencies of the operating bandwidth 
satisfies all its performance specifications.
    (d) Isolation. An isolation test of a radio frequency receiving 
system must demonstrate that each of the system's radio frequency 
couplers isolate the redundant antennas and receiver decoders from 
one another. The test must demonstrate that an open or short-circuit 
in one string of the redundant system, antenna or receiver decoder, 
will not prevent functioning of the other side of the redundant 
system. The test must demonstrate that the system satisfies all its 
performance specifications for isolation and is in-family.
    (e) Abbreviated status-of-health. An abbreviated status-of-
health test of a radio frequency receiving system component must 
determine any internal anomaly while the component is under 
environmental stress conditions. The test must include continuous 
monitoring of the voltage standing wave ratio and any other critical 
performance parameter that indicates an internal anomaly during 
environmental testing to detect any variations in amplitude. Any 
amplitude variation constitutes a test failure. The monitoring must 
have a sample rate that will detect any component performance 
degradation.
    (f) Antenna pattern. An antenna pattern test must demonstrate 
that the radiation gain pattern of the entire radio frequency 
receiving system, including the antenna, radio frequency cables, and 
radio frequency coupler will satisfy all the system's performance 
specifications during vehicle flight. This must include all of the 
following:
    (1) The test must determine the radiation gain pattern around 
the launch vehicle and demonstrate that the system is capable of 
providing command signals to each command receiver decoder with 
electromagnetic field intensity at a 12 dB link margin above the 
level required for reliable receiver operation. The test must 
demonstrate the 12-dB margin over 95 percent of the antenna 
radiation sphere surrounding the launch vehicle.
    (2) All test conditions must emulate flight conditions, 
including ground transmitter polarization, using a simulated flight 
vehicle and a flight configured radio frequency command destruct 
system.
    (3) The test must measure the radiation gain for 360 degrees 
around the launch vehicle in degree increments that are small enough 
to identify any deep pattern null and to verify that the required 12 
dB link margin is maintained throughout flight. Each degree 
increment must not exceed two degrees.
    (4) The test must generate each antenna pattern in a data format 
that is compatible with the format needed to perform the flight 
safety system radio frequency link analysis required by Sec.  
417.329(h).
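The coverage criterion of paragraphs (f)(1) and (f)(3) can be checked mechanically once a pattern is measured. The following is an added example, not part of the rule text: it assumes the pattern is supplied as link margin in dB on a complete polar/azimuth grid and that the two-degree limit applies to both angles, and it weights each sample by the area of sphere it represents. The function names and the sample data are constructed for illustration.

```python
import math
from itertools import product

REQUIRED_MARGIN_DB = 12.0   # link margin, paragraph (f)(1)
REQUIRED_COVERAGE = 0.95    # share of the radiation sphere, paragraph (f)(1)
MAX_STEP_DEG = 2.0          # largest measurement increment, paragraph (f)(3)


def _theta_bands(thetas):
    """Polar-angle band (lo, hi) owned by each sample, split at midpoints."""
    mids = [(a + b) / 2.0 for a, b in zip(thetas, thetas[1:])]
    edges = [0.0] + mids + [180.0]
    return list(zip(edges, edges[1:]))


def _phi_widths(phis):
    """Azimuth width in degrees owned by each sample, wrapping at 360."""
    n = len(phis)
    widths = []
    for i in range(n):
        prev = phis[i - 1] - (360.0 if i == 0 else 0.0)
        nxt = phis[(i + 1) % n] + (360.0 if i == n - 1 else 0.0)
        widths.append((nxt - prev) / 2.0)
    return widths


def evaluate_pattern(margins):
    """Evaluate {(theta_deg, phi_deg): link margin in dB} against (f)(1) and (f)(3).

    Assumed input format: theta is the polar angle (0..180), phi the azimuth
    (0..360, exclusive), and every theta/phi combination has a sample.
    """
    if not margins:
        raise ValueError("no samples")
    thetas = sorted({t for t, _ in margins})
    phis = sorted({p for _, p in margins})
    if thetas[0] < 0 or thetas[-1] > 180:
        raise ValueError("polar angle outside 0..180 degrees")
    missing = [tp for tp in product(thetas, phis) if tp not in margins]
    if missing:
        raise ValueError(f"incomplete grid, no sample at {missing[0]}")

    # Largest gap between neighbouring samples, including the gap to each
    # pole and the azimuth wrap-around gap.
    theta_gaps = [b - a for a, b in zip(thetas, thetas[1:])]
    theta_gaps += [thetas[0], 180.0 - thetas[-1]]
    phi_gaps = [b - a for a, b in zip(phis, phis[1:])]
    phi_gaps.append(phis[0] + 360.0 - phis[-1])
    max_step = max(theta_gaps + phi_gaps)

    # Area-weighted coverage: a band between polar angles lo and hi holds
    # (cos(lo) - cos(hi)) / 2 of the sphere, shared out by azimuth width.
    coverage = 0.0
    widths = _phi_widths(phis)
    for (lo, hi), theta in zip(_theta_bands(thetas), thetas):
        band = (math.cos(math.radians(lo)) - math.cos(math.radians(hi))) / 2.0
        for width, phi in zip(widths, phis):
            if margins[(theta, phi)] >= REQUIRED_MARGIN_DB:
                coverage += band * width / 360.0

    good = sum(1 for m in margins.values() if m >= REQUIRED_MARGIN_DB)
    worst = min(margins, key=margins.get)
    step_ok = max_step <= MAX_STEP_DEG
    return {
        "max_step_deg": max_step,
        "step_ok": step_ok,
        "coverage": coverage,                    # area-weighted share
        "sample_fraction": good / len(margins),  # naive count, for contrast
        "worst_margin_db": margins[worst],
        "worst_direction": worst,                # location of the deepest null
        "passes": step_ok and coverage >= REQUIRED_COVERAGE,
    }


def constructed_pattern(step_deg, null_thetas, null_db=5.0, good_db=15.0):
    """Constructed sample data: uniform grid with low margin at given polar angles."""
    return {
        (t, p): (null_db if t in null_thetas else good_db)
        for t in range(0, 181, step_deg)
        for p in range(0, 360, step_deg)
    }


if __name__ == "__main__":
    cases = {
        "polar cap null": constructed_pattern(2, set(range(0, 21, 2))),
        "equatorial ring null": constructed_pattern(2, {88, 90, 92}),
        "5 degree grid": constructed_pattern(5, set()),
    }
    for name, pattern in cases.items():
        r = evaluate_pattern(pattern)
        print(f"{name}: coverage={r['coverage']:.4f} "
              f"samples={r['sample_fraction']:.4f} passes={r['passes']}")
```

In the constructed data, a thin null around the vehicle's equator fails the 95 percent criterion even though more than 95 percent of the samples meet the margin, and a larger-looking null at the pole passes, because samples near the poles represent far less of the sphere.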
    (g) Abbreviated antenna pattern. An abbreviated antenna pattern 
test must determine any antenna pattern changes that might have 
occurred due to damage to an antenna resulting from exposure to test 
environments. This must include all of the following:
    (1) The antenna must undergo the test before and after exposure 
to the qualification or acceptance test environments.
    (2) The test must use a standard ground plane test fixture. The 
test configuration need not generate antenna pattern data that is 
representative of the actual system-level patterns.
    (3) The test must include gain measurements in the 0[deg] and 
90[deg] plane vectors and a conical cut at 80[deg].

E417.19 Command receiver decoder.

    (a) General. A command receiver decoder must satisfy each test 
or analysis identified by any table of this section to demonstrate 
that the receiver decoder satisfies all its performance 
specifications when subjected to each non-operating and operating 
environment and any command control system transmitter variation.

[GRAPHIC] [TIFF OMITTED] TR25AU06.020

[GRAPHIC] [TIFF OMITTED] TR25AU06.021

[GRAPHIC] [TIFF OMITTED] TR25AU06.022

[GRAPHIC] [TIFF OMITTED] TR25AU06.023

    (b) Status-of-health. A status-of-health test of a command 
receiver decoder must satisfy section E417.3(f) and must measure 
each pin-to-pin and pin-to-case resistance, input current, voltage 
standing wave ratio, and radio frequency threshold sensitivity. Each 
measurement must demonstrate that all wiring and connectors are 
installed according to the manufacturer's design. The test must 
demonstrate that each pin-to-pin and pin-to-case resistance 
satisfies its performance specification and is in-family.
    (c) Functional performance. A functional performance test must 
demonstrate that a command receiver decoder satisfies all the 
requirements for an electronic component of section D417.27 that 
apply to the receiver decoder. This test must:
    (1) Response time. Demonstrate that the receiver decoder 
satisfies all its performance specifications for response time, from 
receipt of destruct sequence to initiation of destruct output;
    (2) Input current. Monitor the input current into the receiver 
decoder to demonstrate reliable functioning of all internal 
components. The test must demonstrate that the receiver decoder's 
electrical characteristics satisfy all its performance 
specifications and are in-family;
    (3) Leakage current. Demonstrate that the maximum leakage 
current through any command output port is at a level that cannot 
degrade performance of down-string electrical or ordnance initiation 
systems or result in an unsafe condition. The test must demonstrate 
no less than a 20-dB safety margin between the receiver leakage 
output and the lowest level that could degrade performance of 
down-string electrical or ordnance initiation systems or result in an 
unsafe condition;
    (4) Output Functions. Function all receiver outputs to 
demonstrate that all the output performance specifications are 
satisfied. The test must include drawing the expected current at the 
receiver's low, nominal and high input specified voltages using 
output impedances that simulate the flight-configured load. The test 
must demonstrate that a command receiver is capable of 
simultaneously outputting arm, destruct, and check channel signals; 
and
    (5) Warm Up Time. Demonstrate that the receiver decoder 
satisfies all its performance specifications after being powered for 
the manufacturer specified warm-up time.
    (d) Circuit protection. A circuit protection test must 
demonstrate that a receiver decoder's circuit protection provides 
for the receiver decoder to satisfy all its performance 
specifications when subjected to any improper launch processing, 
abnormal flight condition, or any non-flight termination system 
vehicle component failure. This test must:
    (1) Abnormal voltage. Demonstrate that any circuit protection 
allows the receiver decoder to satisfy all its performance 
specifications when powered with the open circuit voltage of the 
receiver decoder's power source for no less than twice the expected 
duration of the open circuit voltage and then when powered with the 
minimum input voltage of the loaded voltage of the power source for 
no less than twice the expected duration of the loaded voltage. The 
test must also demonstrate that the receiver decoder satisfies all 
its performance specifications when subjected to increasing voltage 
from zero volts to the nominal voltage and then decreasing voltage 
from nominal back to zero;
    (2) Power dropout. Demonstrate that, in the event of an input 
power dropout, any control or switching circuit that contributes to 
the reliable operation of a receiver decoder, including solid-state 
power transfer switches, does not change state for 50 milliseconds 
or more;
    (3) Watchdog circuits. Demonstrate that any watchdog circuit 
satisfies all its performance specifications;
    (4) Output circuit protection. Demonstrate that the receiver 
decoder's performance does not degrade when any of its monitoring 
circuits or non-destruct output ports are subjected to a short 
circuit or the highest positive or negative voltage capable of being 
supplied by the monitor batteries or other power supplies, for no 
less than five minutes;
    (5) Reverse polarity. Demonstrate that the receiver decoder 
satisfies all of its performance specifications when subjected to a 
reverse polarity voltage that could occur before flight, for no less 
than five minutes; and
    (6) Memory. Demonstrate by test or analysis that any memory 
device that is part of the receiver decoder satisfies all its 
performance specifications. The test or analysis must demonstrate 
that the data stored in memory is retained in accordance with the 
performance specifications. For any secure receiver decoder, the 
test or analysis must demonstrate that the command codes remain in 
memory for the specified time interval while the receiver decoder is 
not powered.
    (e) Radio frequency processing.
    (1) General. A radio frequency processing test must demonstrate 
that a receiver decoder's radio frequency processing satisfies all 
its performance specifications when subjected to command control 
system transmitting equipment tolerances and flight generated signal 
degradation. The environment must include locally induced radio 
frequency noise sources, vehicle plume, the maximum predicted 
noise-floor, ground transmitter performance variations, and abnormal 
launch vehicle flight.
    (2) Tone-based system. For any tone-based system, a radio 
frequency processing test must demonstrate that the receiver decoder 
satisfies all the design requirements of section D417.29(b) of 
appendix D of this part and must satisfy all of the following:
    (i) Decoder channel deviation. The test must demonstrate that 
the receiver decoder reliably processes the intended tone deviated 
signal at the minimum and maximum number of expected tones. The test 
must demonstrate that the receiver decoder satisfies all its 
performance specifications when subjected to a nominal tone 
deviation plus twice the maximum and minus half the minimum of the 
total combined tolerances of all applicable radio frequency 
performance factors. The tone deviation must be no less than  3 KHz per tone.
    (ii) Operational bandwidth. The testing must demonstrate that 
the receiver decoder satisfies all its performance specifications at 
twice the worst-case command control system transmitter radio 
frequency shift, Doppler shifts of the carrier center frequency, and 
shifts in flight hardware center frequency during flight at the 
manufacturer guaranteed receiver sensitivity. The test must 
demonstrate an operational bandwidth of no less than  
45KHz. The test must demonstrate that the operational bandwidth 
accounts for any tone deviation and that the receiver sensitivity 
does not vary by more than 3dB across the bandwidth.
    (iii) Radio frequency dynamic range. The test must demonstrate 
that the receiver decoder satisfies all its performance 
specifications when subjected to variations of the radio frequency 
input signal level that it will experience during checkout and 
flight. The test must subject the receiver decoder to no less than 
five uniformly distributed radio frequency input levels. The test 
must demonstrate that the receiver outputs the destruct command from 
the radio frequency threshold level up to:
    (A) The maximum radio frequency level that it will experience 
from the command control system transmitter during checkout and 
flight plus a 3 dB margin; or
    (B) 13 dBm, whichever is greater.
    (iv) Capture ratio. The test must demonstrate that the receiver 
cannot be captured by another transmitter with less than 80% of the 
power of the command transmitter system for the launch. The test 
must show that the application of any unmodulated radio frequency at 
a power level of up to 80% of the command control system 
transmitter's modulated carrier signal does not capture the receiver 
or interfere with a signal from the command control system.
    (v) Radio frequency monitor. The test must demonstrate that the 
receiver decoder's monitoring circuit accurately monitors and 
outputs the strength of the radio frequency input signal and must 
satisfy all of the following:
    (A) The test must show that the output of the monitor circuit is 
directly related and proportional to the strength of the radio 
frequency input signal from the threshold level to saturation.
    (B) The dynamic range of the radio frequency input from the 
threshold level to saturation must be no less than 50 dB. The 
monitor circuit output from threshold to saturation must have a 
corresponding range that is greater than 18 dB.
    (C) The test must perform periodic samples sufficient to 
demonstrate that the monitor satisfies all its performance 
specifications.
    (D) The test must include the following radio frequency input 
levels: Quiescent; threshold; manufacturer guaranteed; beginning of 
saturation; and 13 dBm.
    (E) The test must demonstrate that the slope of the monitor 
circuit output does not change polarity.
    (vi) Radio frequency threshold sensitivity. The test must 
determine the radio frequency threshold sensitivity or each receiver 
decoder output command to demonstrate reliable radio frequency 
processing capability. The threshold sensitivity values must satisfy 
all their performance specifications, be repeatable, and be 
in-family. In-family performance may be met with 
a tolerance of  dB.
    (vii) Noise level margin. The test must demonstrate that the 
receiver decoder's guaranteed input sensitivity is no less than 6 dB 
higher than the maximum predicted noise-floor.
    (viii) Voltage standing wave ratio. The test must demonstrate 
that any radio frequency losses within the receiver decoder 
interface to the antenna system satisfy the required 12 dB margin. 
The test must determine the radio frequency voltage standing wave 
ratio at the high, low, and assigned operating frequencies of the 
operating bandwidth and demonstrate that it satisfies its 
performance specifications and is in-family. The test must also 
demonstrate that the impedance of the radio frequency receiving 
system and the impedance of the receiver decoder are matched closely 
enough to ensure that the receiver decoder satisfies all its 
performance specifications.
    (ix) Decoder channel bandwidth. The test must demonstrate that 
the receiver decoder provides for reliable recognition of any 
command signal when subjected to variations in ground transmitter 
tone frequency and frequency modulation deviation variations. The 
test must demonstrate that the receiver decoder satisfies all its 
performance specifications within the specified tone filter 
frequency bandwidth using a frequency modulated tone deviation from 
2 dB to 20 dB above the measured threshold level.
    (x) Tone balance. For any secure receiver decoder, the test must 
demonstrate that the receiver decoder can reliably decode a valid 
command with an amplitude imbalance between two tones within the 
same message.
    (xi) Message timing. For any secure receiver decoder, the test 
must demonstrate that the receiver decoder functions reliably during 
any errors in timing caused by any ground transmitter tolerances. 
The test must demonstrate that the receiver decoder can process 
commands at twice the maximum and one-half the minimum timing 
specification of the ground system. These tolerances must include 
character dead-time, character on-time and inter-message dead-time.
    (xii) Check tone. The test must demonstrate that the decoding 
and output of a tone, such as a pilot tone or check tone, is 
representative of link and command closure. The test must also 
demonstrate that the presence or absence of the tone signal will 
have no effect on the receiver decoder's command processing and 
output capability.
    (xiii) Self-test. The test must demonstrate that the receiver 
decoder's self-test capability functions and satisfies all its 
performance specifications and does not inhibit functionality of the 
command destruct output. The test must include initiating the 
self-test while issuing valid command outputs.
    (xiv) Reset. For any receiver decoder with a reset capability, 
the test must demonstrate that the reset will unlatch any command 
output that has been latched by a previous command.
    (f) Inadvertent command output. Each of the following 
inadvertent command output tests must demonstrate that the receiver 
decoder does not provide an output other than when it receives a 
valid command.
    (1) Dynamic stability. The test must demonstrate that the 
receiver decoder does not produce an inadvertent output when 
subjected to any radio frequency input short-circuit, open-circuit, 
or change in input voltage standing wave ratio.
    (2) Out of band rejection. The test must demonstrate that the 
receiver decoder does not degrade in performance when subjected to 
any out-of-band vehicle or ground transmitter source that it could 
encounter from liftoff to the planned safe flight state. The test 
must ensure the receiver decoder does not respond to frequencies, 
from 10 MHz to 1000 MHz except at the receiver specified operational 
bandwidth. The test must demonstrate that the radio frequency 
rejection of out of band signals provides a minimum of 60 dB beyond 
eight times the maximum specified operational bandwidth. The test 
frequencies must include all expected interfering transmitting 
sources using a minimum bandwidth of 20% of each transmitter center 
frequency, receiver image frequencies and harmonics of the assigned 
center frequency.
    (3) Decoder channel bandwidth rejection. The test must 
demonstrate that the receiver decoder rejects any out-of-band 
command tone frequency. The test must demonstrate that each tone 
filter will not respond to another tone outside the specified tone 
filter frequency bandwidth using a frequency modulated tone 
deviation from 2 dB to 20 dB above the measured threshold level.
    (4) Adjacent tone decoder channel rejection. The test must 
demonstrate that none of the tone decoder channels responds to any 
adjacent frequency modulated tone channel when they are frequency 
modulated with a minimum of 150% of the expected tone deviation.
    (5) Logic sequence. The test must demonstrate that the receiver 
issues the required commands when commanded and does not issue false 
commands during any abnormal logic sequence including issuing a 
destruct command prior to the arm command.
    (6) Destruct sequence. The test must demonstrate that the 
receiver decoder requires two commanded steps to issue a destruct 
command. The test must demonstrate that the receiver processes an 
arm command as a prerequisite for the destruct command.
    (7) Receiver abnormal logic. The test must demonstrate that the 
receiver decoder will not respond to any combination of tones or 
tone pairs other than the correct command sequence.
    (8) Noise immunity. The test must demonstrate that a receiver 
decoder will not respond to a white noise frequency modulated radio 
frequency input at a minimum frequency modulated deviation of 12 dB 
above the measured threshold deviation.
    (9) Tone drop. The test must demonstrate that the receiver 
decoder will not respond to a valid command output when one tone in 
the sequence is dropped.
    (10) Amplitude modulation rejection. The test must demonstrate 
that the receiver decoder will not respond to any tone or amplitude 
modulated noise when subjected to maximum pre-flight and flight 
input power levels. An acceptance test must subject the receiver 
decoder to 50% amplitude modulation. A qualification test must 
subject the receiver decoder to 100% amplitude modulation.
    (11) Decoder channel deviation rejection. The test must 
demonstrate that the receiver decoder does not inadvertently trigger 
on frequency-modulated noise. The test must demonstrate that the 
receiver decoder does not respond to tone modulations 10 dB below 
the nominal tone modulation.
    (g) Input current monitor. An input current monitor test must 
continuously monitor command receiver decoder power input current 
during environmental stress conditions to detect any variation in 
amplitude. Any variation in input current indicates internal 
component damage and constitutes a test failure. Any fluctuation in 
nominal current draw when the command receiver decoder is in the 
steady state indicates internal component damage and constitutes a 
test failure.
    (h) Output functions. An output functions test must subject the 
receiver decoder to the arm and destruct commands during 
environmental stress conditions and continuously monitor all command 
outputs to detect any variation in amplitude. Any variation in 
output level indicates internal component damage and constitutes a 
test failure.
    (i) Radio frequency level monitor. A radio frequency level 
monitor test must subject a receiver decoder to the guaranteed radio 
frequency input power level during environmental stress conditions 
and continuously monitor the radio frequency level monitor, also 
known as radio frequency signal strength, signal strength telemetry 
output, or automatic gain control. Any unexpected fluctuations or 
dropout constitutes a test failure.
    (j) Thermal performance. A thermal performance test must 
demonstrate that the receiver decoder satisfies all its performance 
specifications when subjected to operating and workmanship thermal 
environments. The receiver decoder must undergo the thermal 
performance test during a thermal cycle test and during a thermal 
vacuum test. The receiver decoder must undergo the thermal 
performance test at its low and high operating voltage while the 
receiver decoder is at the high and low temperatures during the 
first, middle, and last thermal cycles. The thermal performance test 
at each high and low temperature must include each of the following 
sub-tests of this section:
    (1) Response time, paragraph (c)(1) of this section;
    (2) Input current, paragraph (c)(2) of this section;
    (3) Output functions, paragraph (c)(4) of this section;
    (4) Decoder channel deviation, paragraph (e)(2)(i) of this 
section;
    (5) Operational bandwidth, paragraph (e)(2)(ii) of this section;
    (6) Radio frequency dynamic range, paragraph (e)(2)(iii) of this 
section;
    (7) Capture ratio, paragraph (e)(2)(iv) of this section;
    (8) Radio frequency monitor, paragraph (e)(2)(v) of this 
section;
    (9) Message timing, paragraph (e)(2)(xi) of this section;
    (10) Check tone, paragraph (e)(2)(xii) of this section; and
    (11) Self test, paragraph (e)(2)(xiii) of this section.

E417.21 Silver-zinc batteries.

    (a) General. This section applies to any silver-zinc battery 
that is part of a flight termination system. Any silver-zinc battery 
must satisfy each test or analysis identified by any table of this 
section to demonstrate that the battery satisfies all its 
performance specifications when subjected to each non-operating and 
operating environment.

[GRAPHIC] [TIFF OMITTED] TR25AU06.024

[GRAPHIC] [TIFF OMITTED] TR25AU06.025

[GRAPHIC] [TIFF OMITTED] TR25AU06.026

[GRAPHIC] [TIFF OMITTED] TR25AU06.027

[GRAPHIC] [TIFF OMITTED] TR25AU06.028

[GRAPHIC] [TIFF OMITTED] TR25AU06.029

[GRAPHIC] [TIFF OMITTED] TR25AU06.030

    (b) Cell capacity. 
    (1) Single electrical cycle. For a sample silver-zinc cell from 
a battery that has only one charge-discharge cycle, a capacity test 
must satisfy all of the following:
    (i) The cell must undergo activation that satisfies paragraph 
(j) of this section;
    (ii) At the end of the manufacturer-specified wet stand time, 
the cell must undergo a discharge of the nameplate capacity;
    (iii) The test must then subject the cell to the electrical 
performance test of paragraph (k) of this section using the 
qualification electrical load profile described in paragraph 
(k)(7)(ii) of this section;
    (iv) The cell must then undergo a final discharge to determine 
the positive and negative plate capacity; and
    (v) The test must demonstrate that each capacity satisfies the 
manufacturer's specification and is in-family.
    (2) Multiple electrical cycles. For a silver-zinc cell from a 
battery that has more than one charge-discharge cycle, a capacity 
test must satisfy all of the following:
    (i) The cell must undergo activation that satisfies paragraph 
(j) of this section;
    (ii) The test must subject the cell to the maximum predicted 
number of charge-discharge cycles that the battery will experience 
during normal operations;
    (iii) At the end of each cycle life after each charge, the test 
must satisfy all of the following:
    (A) The cell must undergo a discharge of the manufacturer's 
nameplate capacity;
    (B) The cell must then undergo the electrical performance test 
of paragraph (k) of this section using the qualification electrical 
load profile described in paragraph (k)(7)(ii) of this section; and
    (C) The cell must then undergo a discharge to determine the 
positive plate capacity;
    (iv) At the end of the cycle life of the last charge-discharge 
cycle, in addition to determining the positive plate capacity, the 
cell must undergo a discharge to determine the negative plate 
capacity; and
    (v) The test must demonstrate that each capacity for each cycle 
satisfies the manufacturer's specification and is in-family.
    (c) Silver-zinc battery status-of-health tests.
    (1) 500-volt insulation. A 500-volt insulation test of a 
silver-zinc battery must satisfy the status-of-health test requirements of 
section E417.3(f). The test must measure insulation resistance 
between mutually insulated pin-to-pin and pin-to-case points using a 
minimum 500-volt workmanship voltage prior to connecting any battery 
harness to the cells. The test must measure the continuity of the 
battery harness after completion of all wiring, but before battery 
activation to demonstrate that the insulation and continuity 
resistances satisfy their performance specifications.
    (2) Continuity and isolation. A continuity and isolation test of 
a silver zinc battery must satisfy the status-of-health test 
requirements of section E417.3(f). The test must demonstrate that 
all battery wiring and connectors are installed according to the 
manufacturer's specifications. The test must measure all pin-to-pin 
and pin-to-case resistances and demonstrate that each satisfies all 
its performance specifications and is in-family.
    (3) No-load voltage. A no-load voltage test must satisfy the 
status-of-health test requirements of section E417.3(f). The test 
must demonstrate that each battery cell satisfies its performance 
specification for voltage without any load applied. A battery must 
undergo this test just after introduction of electrolyte to each 
cell, after electrical conditioning of the battery, before and after 
each electrical performance test and, for a flight battery, just 
before installation into the launch vehicle.
    (4) Pin-to-case isolation. A pin-to-case isolation test must 
satisfy the status-of-health test requirements of section E417.3(f). 
The test must measure voltage isolation between each pin and the 
battery case to demonstrate that no current leakage path exists as a 
result of electrolyte leakage. This measurement must use a voltmeter 
with an internal resistance of no less than 100K ohms and have a 
resolution that detects any leakage current of 0.1 milliamps or 
greater.
    (d) Proof pressure. 
    (1) Cells. Each individual cell or each cell within a battery 
must undergo pressurization to 1.5 times the worst case operating 
differential pressure or highest setting of the cell vent valve for 
no less than 15 seconds. The test must demonstrate that the leak 
rate satisfies its performance specification. After pressurization, 
each cell must remain sealed until activation. For a battery, the 
test must demonstrate the integrity of each cell seal when in the 
battery configuration.
    (2) Battery cases. Each battery case must undergo pressurization 
to 1.5 times the worst case operating differential pressure for no 
less than 15 minutes. The test must demonstrate no loss of 
structural integrity and no hazardous condition. For any sealed 
battery, the test must demonstrate that the leak rate satisfies its 
performance specification.
    (e) Electrolyte. A test of each electrolyte lot for battery 
activation must demonstrate that the electrolyte satisfies the 
manufacturer's specifications, including volume and concentration.
    (f) Battery mounting and case integrity. A battery mounting and 
case integrity test must demonstrate that any welds in the battery's 
mounting hardware or case are free of workmanship defects using 
X-ray examination that satisfies section E417.5(f).
    (g) Pre-activation. A pre-activation test must demonstrate that 
a battery or cell will not experience a loss of structural integrity 
or create a hazardous condition when subjected to predicted operating 
conditions and all required margins. This must include all of the 
following:
    (1) The test must demonstrate that any battery or cell pressure 
relief device satisfies all its performance specifications;
    (2) The test must exercise 100% of all pressure relief devices 
that can function repeatedly without degradation; and
    (3) The test must demonstrate that each pressure relief device 
opens within  10% of its performance specification.
    (h) Monitoring capability. A monitoring capability test must 
demonstrate that each device that monitors a silver-zinc battery's 
voltage, current, or temperature satisfies all its performance 
specifications.
    (i) Heater circuit verification. A heater circuit verification 
test must demonstrate that any battery heater, including its control 
circuitry, satisfies all its performance specifications.
    (j) Activation.
    (1) The activation of a battery or cell must follow a procedure 
that is approved by the manufacturer and includes the manufacturer's 
activation steps.
    (2) The activation procedure and equipment for acceptance 
testing must be equivalent to those used for qualification and 
storage life testing.
    (3) The activation procedure must include verification that the 
electrolyte satisfies the manufacturer's specification for 
percentage of potassium hydroxide.
    (4) The quantity of electrolyte for activation of the batteries 
and cells for any qualification test must satisfy all of the 
following:
    (i) One of the three required qualification battery samples and 
six of the 12 required individual qualification cell samples must 
undergo activation with no less than the manufacturer specified 
maximum amount of electrolyte; and
    (ii) One of the three required qualification battery samples and 
six of the 12 required individual qualification cell samples must 
undergo activation with no greater than the manufacturer specified 
minimum amount of electrolyte.
    (k) Electrical performance. An electrical performance test must 
demonstrate that a battery or cell satisfies all its performance 
specifications and is in-family while the battery is subjected to 
the electrical load profile described in paragraph (k)(7) of this 
section and include all of the following:
    (1) The test must demonstrate that the battery or cell supplies 
the required current while maintaining the required voltage 
regulation that satisfies the manufacturer's specifications and is 
in-family with previous test results;
    (2) The test must monitor each of the battery or cell's critical 
electrical performance parameters, including voltage, current, and 
temperature, with a resolution and sample rate that detects any 
failure to satisfy a performance specification. For a battery, the 
test must monitor the battery's performance parameters and the 
voltage of each cell within the battery. During the current pulse 
portion of the load profile, the voltage monitoring must have a 
sample rate of once every 0.1 millisecond or better;
    (3) The test must measure a battery or cell's no-load voltage 
before and after the application of any load to the battery or cell;
    (4) A silver-zinc battery or cell must undergo this test after 
the battery or cell is activated and after the manufacturer's 
specified soak period;
    (5) The test must demonstrate that the battery or cell voltage 
does not fall below the voltage needed to provide the minimum 
acceptance voltage of each electronic component that the battery 
powers while the battery or cell is subjected to the steady state 
portion of the load profile;
    (6) The test must demonstrate that the battery or cell voltage 
does not fall below the voltage needed to provide the minimum 
qualification voltage of each electronic component that the battery 
powers while the battery or cell is subjected to the pulse portion 
of the load profile; and
    (7) The test load profile must satisfy one of the following:
    (i) For acceptance testing, the load profile must begin with a 
steady-state flight load that lasts for no less than 180 seconds 
followed without interruption by a current pulse. The pulse width 
must be no less than 1.5 times the ordnance initiator qualification 
pulse width or a minimum workmanship screening pulse width of 100 
milliseconds, whichever is greater. The pulse amplitude must be no 
less than 1.5 times the ordnance initiator qualification pulse 
amplitude. After the pulse, the acceptance load profile must end 
with the application of a steady-state flight load that lasts for no 
less than 15 seconds; or
    (ii) For qualification testing or any storage life testing, the 
load profile must begin with a steady-state flight load that lasts 
for no less than 180 seconds followed by a current pulse. The pulse 
width must be no less than three times the ordnance initiator 
qualification pulse width or a minimum workmanship screening pulse 
width of 200 milliseconds, whichever is greater. The pulse amplitude 
must be no less than 1.5 times the ordnance initiator qualification 
pulse amplitude. After the pulse, the qualification load profile 
must end with a steady-state flight load that lasts for no less than 
15 seconds.
    (l) Activated stand time. An activated stand time test must 
demonstrate that a silver-zinc battery or cell satisfies all its 
performance specifications after it is activated and subjected to 
the environments that the battery or cell will experience from the 
time it is activated until flight. This must include all of the 
following:
    (1) The test environment must simulate the pre-flight battery or 
cell conditioning environments, including the launch vehicle 
installation environment;
    (2) The test environment must simulate the worst case 
temperature exposure and any thermal cycling, such as due to any 
freezer storage, and any diurnal cycling on the launch vehicle;
    (3) The test must measure the battery or cell's open-circuit 
voltage at the beginning and again at the end of the activated stand 
time to demonstrate that it satisfies its performance 
specifications; and
    (4) The test must apply an electrical load to the battery or 
cell at the end of the activated stand time to demonstrate whether 
the battery or cell is in a peroxide or monoxide chemical state that 
satisfies its performance specifications before undergoing any other 
operating environmental test.
    (m) Overcharge. An overcharge test only applies to a battery or 
cell that undergoes charging during normal operations. The test must 
demonstrate that the battery or cell satisfies all its performance 
specifications when subjected to an overcharge of no less than the 
manufacturer's specified overcharge limit using the nominal charging 
rate.
    (n) Charge-discharge cycles. This test only applies to a battery 
or cell that undergoes charging during normal operations. The test 
must satisfy all of the following:
    (1) The test must subject the battery or cell sample to the 
maximum predicted number of charge-discharge cycles that the battery 
or cell will experience during normal operations;
    (2) After activation, each battery or cell sample must undergo 
three thermal cycles at the end of the first cycle life and three 
thermal cycles at the end of each cycle life after each intermediate 
charge before the final charge;
    (3) During each set of three thermal cycles for each charge-
discharge cycle, the test must satisfy the thermal cycle test 
requirements of paragraphs (o)(2)-(o)(5) of this section;
    (4) For a battery, after the three thermal cycles for each 
charge-discharge cycle, the battery must undergo a pin-to-case 
isolation test that satisfies paragraph (c)(4) of this section;
    (5) Each battery or cell must undergo a discharge of its 
nameplate capacity before each charge; and
    (6) The battery or cell must undergo any further operating 
environment tests only after the final charge.
    (o) Thermal cycle. A thermal cycle test must demonstrate that a 
silver-zinc battery or cell satisfies all its performance 
specifications when subjected to pre-flight thermal cycle 
environments, including acceptance testing, and flight thermal cycle 
environments. This must include all of the following:
    (1) The test must subject the battery or cell to no less than 
the acceptance-number of thermal cycles that satisfies section 
E417.13(d)(1);
    (2) The thermal cycle environment must satisfy all of the 
following:
    (i) Each thermal cycle must range from 10 [deg]C above the 
maximum predicted temperature range to 5.5 [deg]C below. If the 
launch vehicle's telemetry system does not provide the battery's 
temperature before and during flight as described in section 
D417.17(b)(9), each thermal cycle must range from 10 [deg]C above 
the maximum predicted temperature range to 10 [deg]C below;
    (ii) For each cycle, the dwell-time at each high and low 
temperature must last long enough for the battery or cell to achieve 
internal thermal equilibrium and must last no less than one hour; 
and
    (iii) When heating and cooling the battery or cell, the 
temperature must change at a rate that averages 1 [deg]C per minute or 
the maximum predicted rate, whichever is greater;
    (3) Each battery or cell must undergo the electrical performance 
test of paragraph (k) of 
this section when the battery or cell is at ambient temperature 
before beginning the first thermal cycle and after completing the 
last cycle;
    (4) Each battery or cell must undergo the electrical performance 
test of paragraph (k) of this section, at the high and low 
temperatures during the first, middle and last thermal cycles; and
    (5) The test must continuously monitor and record all critical 
performance and status-of-health parameters, including the battery 
or cell's open circuit voltage, during all thermal cycle dwell times 
and transitions with a resolution and sample rate that will detect 
any performance degradation.
    (p) Discharge and pulse capacity. A discharge and pulse capacity 
test must demonstrate that a silver zinc battery or cell satisfies 
all its electrical performance specifications at the end of its 
specified capacity limit for the last operating charge and discharge 
cycle. The test must include all of the following:
    (1) The battery or cell must undergo discharge at flight loads 
until the total capacity consumed during this discharge and during 
all previous qualification tests reaches the manufacturer's 
specified capacity.
    (2) The test must demonstrate that the total amount of capacity 
consumed during the discharge test and all previous qualification 
tests satisfies the battery or cell's minimum performance 
specification.
    (3) After satisfying paragraphs (p)(1) and (p)(2) of this 
section, the test must measure the battery or cell's no-load voltage 
and then apply a qualification load profile that satisfies all of 
the following:
    (i) The load profile must begin with a steady state flight load 
for no less than 180 seconds followed by a current pulse;
    (ii) The pulse width must be no less than three times the 
ordnance initiator qualification pulse width or a minimum 
workmanship screening pulse width of 200 milliseconds, whichever is 
greater;
    (iii) The pulse amplitude must be no less than 1.5 times the 
ordnance initiator qualification pulse amplitude; and
    (iv) After the pulse, the qualification load profile must end 
with a steady state flight load that lasts for no less than 15 
seconds.
    (4) The test must monitor each of the battery or cell's critical 
electrical performance parameters, including voltage, current, and 
temperature, with a resolution and sample rate that detects any 
failure to satisfy a performance specification. For a battery, the 
test must monitor the battery's performance parameters and the 
voltage of each cell within the battery. During the current pulse 
portion of the load profile, the voltage monitoring must have a sample 
rate that will detect any component performance degradation.
    (5) The test must demonstrate that the battery or cell voltage 
does not fall below the voltage needed to provide the minimum 
acceptance voltage of each electronic component that the battery 
powers while the battery or cell is subjected to the steady state 
portion of the load profile.
    (6) The test must demonstrate that the battery or cell voltage 
does not fall below the voltage needed to provide the minimum 
qualification voltage of each electronic component that the battery 
powers while the battery or cell is subjected to the pulse portion 
of the load profile.
    (7) After satisfying paragraphs (p)(1) through (p)(6) of this 
section, the battery or cell must undergo a complete discharge and 
the test must demonstrate that the total silver plate capacity is 
in-family.
    (q) Internal inspection. An internal inspection must identify 
any excessive wear or damage to a silver-zinc battery, including any 
of its cells, or an individual cell after the battery or cell is 
exposed to all the qualification test environments. An internal 
inspection must satisfy section E417.5(g) and include all of the 
following:
    (1) An internal examination of any battery to verify that there 
was no movement of any component within the battery that could 
stress that component beyond its design limit during flight.
    (2) An examination to verify the integrity of all cell and 
wiring interconnects.
    (3) An examination to verify the integrity of all potting and 
shimming materials.
    (4) The removal of all cells from the battery and examination of 
each cell for any physical damage.
    (5) A destructive physical analysis to verify the integrity of 
all plate tab to cell terminal connections and the integrity of each 
plate and separator. For each battery sample required to undergo all 
the qualification tests, one cell from each corner and two cells 
from the middle of the battery must undergo the destructive physical 
analysis. For storage life testing, one of the two cells required to 
undergo all the storage life tests must undergo destructive physical 
analysis. The inspection must verify the integrity of each plate 
tab, identify any anomaly in each plate, including its color or 
shape, and identify any anomaly in each separator, including its 
condition, silver migration, and any oxalate crystals.
    (6) A test that demonstrates that the zinc plate capacity of the 
cells satisfies the manufacturer's specification. For each battery 
sample required to undergo all the qualification tests, the test 
must determine the zinc plate capacity for three cells from the 
battery, other than the cells of paragraph (q)(5) of this section. 
For storage life testing, the test must determine the zinc plate 
capacity for one cell that is required to undergo all the storage 
life tests, other than the cell of paragraph (q)(5) of this section.
    (r) Coupon cell acceptance. A coupon cell acceptance test must 
demonstrate that the silver zinc cells that make up a flight battery 
were manufactured the same as the qualification battery cells and 
satisfy all their performance specifications after being subjected 
to the environments that the battery experiences from the time of 
manufacture until activation and installation. This must include all 
of the following:
    (1) One test cell that is from the same production lot as the 
flight battery, with the same lot date code as the cells in the 
flight battery, must undergo the test.
    (2) The test cell must have been attached to the battery from 
the time of the manufacturer's acceptance test and have experienced 
the same non-operating environments as the battery.
    (3) The test must occur immediately before activation of the 
flight battery.
    (4) The test cell must undergo activation that satisfies 
paragraph (j) of this section.
    (5) The test cell must undergo discharge at a moderate rate, 
using the manufacturer's specification, undergo two qualification 
load profiles of paragraph (k)(7)(ii) of this section at the 
nameplate capacity, and then undergo further discharge until the 
minimum manufacturer specified voltage is achieved. The test must 
demonstrate that the cell's amp-hour capacity and voltage 
characteristics satisfy all their performance specifications and are 
in-family.
    (6) For a silver-zinc battery that will undergo charging during 
normal operations, the test cell must undergo the requirements of 
paragraph (r)(5) of this section for each qualification charge-
discharge cycle. The test must demonstrate that the cell capacity 
and electrical characteristics satisfy all their performance 
specifications and are in family for each charge-discharge cycle.

E417.22 Commercial nickel-cadmium batteries.

    (a) General. This section applies to any nickel-cadmium battery 
that uses one or more commercially produced nickel-cadmium cells and 
is part of a flight termination system.
    (1) Compliance. Any commercial nickel-cadmium battery must 
satisfy each test or analysis identified by any table of this 
section to demonstrate that the battery satisfies all its 
performance specifications when subjected to each non-operating and 
operating environment.
    (2) Charging and discharging of nickel-cadmium batteries and 
cells. Each test required by any table of this section that requires 
a nickel-cadmium battery or cell to undergo a charge or discharge 
must include all of the following:
    (i) The rate of each charge or discharge must prevent any damage 
to the battery or cell and provide for the battery or cell's 
electrical characteristics to remain consistent. Unless otherwise 
specified, the charge or discharge rate used for qualification 
testing must be identical to the rate that the flight battery 
experiences during acceptance and preflight testing;
    (ii) A discharge of a cell must subject the cell to the 
discharge rate until the cell voltage reaches no greater than 0.9 
volt. A discharge of a battery must subject the battery to the 
discharge rate until the battery voltage reaches no greater than 0.9 
volt times the number of cells in the battery. Any discharge that 
results in a cell voltage below 0.9 volt must use a discharge rate 
that is slow enough to prevent cell damage or cell reversal. Each 
discharge must include monitoring of voltage, current, and time with 
sufficient resolution and sample rate to determine capacity and 
demonstrate that the battery or cell is in-family;
    (iii) A charge of a battery or cell must satisfy the 
manufacturer's charging specifications and procedures. The charging 
input to the battery or cell must be no less than 160% of the 
manufacturer's specified capacity. The charge rate must not exceed 
C/10 unless the launch operator demonstrates 
that a higher charge rate does not damage the battery or cell and 
results in repeatable battery or cell performance. The cell voltage 
must not exceed 1.55 volts during charging to avoid creating a 
hydrogen gas explosion hazard; and
    (iv) The test must monitor each of the battery or cell's 
critical electrical performance parameters with a resolution and 
sample rate to detect any failure to satisfy a performance 
specification. For a battery, the test must monitor the battery's 
performance parameters and those of each cell within the battery. 
During the current pulse portion of the load profile, the monitoring 
must have a resolution and sample rate that will detect any 
component performance degradation.

[Graphics omitted: TR25AU06.031 through TR25AU06.037]

    (b) Venting devices. A test of a battery or cell venting device 
must demonstrate that the battery or cell will not experience a loss 
of structural integrity or create a hazardous condition when 
subjected to any electrical discharge, charging, or short-circuit 
condition and satisfy the following paragraphs:
    (1) Reusable venting devices. For a venting device that is 
capable of functioning repeatedly without degradation, such as a 
vent valve, the test must exercise the device and demonstrate that 
it satisfies all its performance specifications.
    (2) Non-reusable venting devices. For a venting device that does 
not function repeatedly without degradation, such as a burst disc, 
the test must exercise a lot sample to demonstrate that the venting 
device satisfies all its performance specifications. The test must 
demonstrate that each device sample vents within 10% of 
the manufacturer specified average vent pressure with a maximum vent 
pressure no higher than 350 pounds per square inch.
    (c) Cell inspection and preparation. A cell inspection and 
preparation must:
    (1) Record the manufacturer's lot-code;
    (2) Demonstrate that the cell is clean and free of manufacturing 
defects;
    (3) Use a chemical indicator to demonstrate that the cell has no 
leak; and
    (4) Discharge each cell to no greater than 0.9 volt using a 
discharge rate that will not cause damage to the cell.
    (d) Cell conditioning. Conditioning of a nickel-cadmium cell 
must stabilize the cell and ensure repeatable electrical performance 
throughout the cell's service-life. Conditioning of a cell must 
include both of the following:
    (1) Before any testing, each cell must age for no less than 11 
months after the manufacturer's lot date code to ensure consistent 
electrical performance of the cell for its entire service-life; and
    (2) After aging, each cell must undergo a first charge at a 
charging rate of no greater than its capacity divided by 20 (C/20), 
to initialize the chemistry within the cell. Any battery stored for 
over one month after the first charge must undergo recharging at the 
same rate.
    (e) Cell characterization. Characterization of a nickel-cadmium 
cell must stabilize the cell chemistry and determine the cell's 
capacity. A cell characterization must satisfy both of the 
following:
    (1) Each cell must repeatedly undergo charge and discharge 
cycles until the capacities for three consecutive cycles agree to 
within 1% of each other; and
    (2) During characterization, each cell must remain at a 
temperature of 20 [deg]C [plusmn] 2 [deg]C to ensure that the 
cell is not overstressed and to allow repeatable performance.
    (f) Charge retention. A charge retention test must demonstrate 
that a nickel-cadmium battery or cell consistently retains its 
charge and provides its required capacity, including the required 
capacity margin, from the final charge used prior to flight to the 
end of flight. The test must satisfy the status-of-health test 
requirements of Sec.  E417.3(f) and satisfy all of the following 
steps in the following order:
    (1) The test must begin with the battery or cell fully charged. 
The battery or cell must undergo an immediate capacity discharge to 
develop a baseline capacity for comparison to its charge retention 
performance;
    (2) The battery or cell must undergo complete charging and then 
storage at 20 [deg]C [plusmn] 2 [deg]C for 72 hours;
    (3) The battery or cell must undergo discharging to determine 
its capacity; and
    (4) The test must demonstrate that each cell or battery's 
capacity is greater than 90% of the baseline capacity of paragraph 
(f)(1) of this section and the test must demonstrate that the 
capacity retention is in-family.
    (g) Capacity and overcharge at 0 [deg]C. A 0 [deg]C test of a 
nickel-cadmium cell must validate the cell's chemistry status-of-
health and determine the cell's capacity when subjected to a high 
charge efficiency temperature. The test must include all of the 
following:
    (1) Each cell must undergo repeated charge and discharge cycles 
at 0 [deg]C [plusmn] 2 [deg]C until all the capacities for three 
consecutive cycles agree to within 1% of each other; and
    (2) After the charge and discharge cycles of paragraph (g)(1) of 
this section, each cell must undergo an inspection to demonstrate 
that it is not cracked.
    (h) Post acceptance discharge and storage. Post acceptance 
discharge and storage of a nickel-cadmium battery or cell must 
prevent any damage that could affect electrical performance. This 
must include all of the following:
    (1) Any battery must undergo discharge to a voltage between 0.05 
volts and 0.9 volts to prevent cell reversal, allow safe handling, 
and minimize any aging degradation;
    (2) Any individual cell must undergo discharge to no greater 
than 0.05 volts to allow safe handling and minimize any aging 
degradation;
    (3) After the discharge, each battery or cell must undergo 
storage in an open circuit configuration and under storage 
conditions that protect against any performance degradation and are 
consistent with the qualification tests. This must include a storage 
temperature of no greater than 5 [deg]C.
    (i) Cycle life. A cycle life test of a nickel-cadmium cell or 
battery must demonstrate that the cell or battery satisfies all its 
performance specifications for no less than five times the number of 
operating charge and discharge cycles expected of the flight 
battery, including acceptance testing, pre-flight checkout, and 
flight.
    (j) Status-of-health. A status-of-health test of a nickel-
cadmium battery must satisfy section E417.3(f) and include 
continuity and isolation measurements that demonstrate that all 
battery wiring and connectors are installed according to the 
manufacturer's specifications. The test must also measure all pin-
to-pin and pin-to-case resistances to demonstrate that each 
satisfies all its performance specifications and is in-family.
    (k) Battery case integrity. A battery case integrity test of a 
sealed nickel-cadmium battery must demonstrate that the battery will 
not lose structural integrity or create a hazardous condition when 
subjected to all predicted operating conditions and all required 
margins and that the battery's leak rate satisfies all its 
performance specifications. This must include all of the following:
    (1) The test must monitor the battery's pressure while 
subjecting the battery case to no less than 1.5 times the greatest 
operating pressure differential that could occur under qualification 
testing, pre-flight, or flight conditions;
    (2) The pressure monitoring must have a resolution and sample 
rate that allows accurate determination of the battery's leak rate;
    (3) The test must demonstrate that the battery's leak rate is no 
greater than the equivalent of 10^-4 scc/sec of helium; 
and
    (4) The battery must undergo examination to identify any 
condition that indicates that the battery might lose structural 
integrity or create a hazardous condition.
    (l) Monitoring capability. A monitoring capability test must 
demonstrate that each device that monitors a nickel-cadmium 
battery's voltage, current, or temperature satisfies all its 
performance specifications.
    (m) Heater circuit verification. A heater circuit verification 
test must demonstrate that any battery heater, including its control 
circuitry, satisfies all its performance specifications.
    (n) Electrical performance. An electrical performance test of a 
nickel-cadmium battery or cell must demonstrate that the battery or 
cell satisfies all its performance specifications and is in-family 
while the battery or cell is subjected to an acceptance or 
qualification electrical load profile. The test must also 
demonstrate that the battery or cell satisfies all its electrical 
performance specifications at the beginning, middle, and end of its 
specified preflight and flight capacity plus the required margin. 
The test must include and satisfy each of the following:
    (1) The test must measure a battery or cell's no-load voltage 
before applying any load to ensure it is within the manufacturer's 
specification limits.
    (2) The test must demonstrate that the battery or cell voltage 
does not violate the manufacturer's specification limits while the 
battery or cell is subjected to the steady-state flight load. The 
test must also demonstrate that the battery provides the minimum 
acceptance voltage of each electronic component that the battery 
powers.
    (3) The test must demonstrate that the battery or cell supplies 
the required current while maintaining the required voltage 
regulation that satisfies the manufacturer's specification. The test 
must demonstrate that the battery or cell voltage does not fall 
below the voltage needed to provide the minimum qualification 
voltage of each electronic component that the battery powers while 
the battery or cell is subjected to the pulse portion of the load 
profile. The test must subject the battery or cell to one of the 
following load profiles:
    (i) For acceptance testing, the test load profile must satisfy 
all of the following:
    (A) The load profile must begin with a steady-state flight load 
that lasts for no less than 180 seconds followed without 
interruption by a current pulse;
    (B) The pulse width must be no less than 1.5 times the ordnance 
initiator qualification pulse width or a minimum workmanship 
screening pulse width of 100 milliseconds, whichever is greater;
    (C) The pulse amplitude must be no less than 1.5 times the 
ordnance initiator qualification pulse amplitude; and
    (D) After the pulse, the acceptance load profile must end with a 
steady state flight load that lasts for no less than 15 seconds.
    (ii) For qualification testing, the test load profile must 
satisfy all of the following:
    (A) The load profile must begin with a steady-state flight load 
that lasts for no less than 180 seconds followed by a current pulse;
    (B) The pulse width must be no less than three times the 
ordnance initiator qualification pulse width or a minimum 
workmanship screening pulse width of 200 milliseconds, whichever is 
greater;
    (C) The pulse amplitude must be no less than 1.5 times the 
ordnance initiator qualification pulse amplitude; and
    (D) After the pulse, the qualification load profile must end 
with a steady-state flight load that lasts for no less than 15 
seconds.
    (4) The test must repeat, satisfy, and accomplish paragraphs 
(n)(1)-(n)(3) of this section with the battery or cell at each of 
the following levels of charge-discharge and in the following order:
    (A) Fully charged;
    (B) After the battery or cell undergoes a discharge that removes 
50% of the capacity required for launch and all required margins; 
and
    (C) After the battery or cell undergoes a discharge that removes 
an additional 50% of the capacity required for launch.
    (5) The test must subject the battery or cell to a final 
discharge that determines the remaining capacity. The test must 
demonstrate that the total capacity removed from the battery during 
all testing, including this final discharge, satisfies all the 
battery's performance specifications and is in-family.
    (o) Acceptance thermal cycle. An acceptance thermal cycle test 
must demonstrate that a nickel-cadmium battery satisfies all its 
performance specifications when subjected to workmanship and maximum 
predicted thermal cycle environments. This must include each of the 
following:
    (1) The acceptance-number of thermal cycles for a component 
means the number of thermal cycles that the component must 
experience during the acceptance thermal cycle test. The test must 
subject each component to no less than eight thermal cycles or 1.5 
times the maximum number of thermal cycles that the component could 
experience during launch processing and flight, including all launch 
delays and recycling, rounded up to the nearest whole number, 
whichever is greater.
    (2) The acceptance thermal cycle high temperature must be a 30 
[deg]C workmanship screening level or the maximum predicted 
environment high temperature, whichever is higher. The acceptance 
thermal cycle low temperature must be a -24 [deg]C workmanship 
screening temperature or the predicted environment low temperature, 
whichever is lower;
    (3) When heating or cooling the battery during each cycle, the 
temperature must change at an average rate of 1 [deg]C per minute or 
the maximum predicted rate, whichever is greater. The dwell time at 
each high and low temperature must be long enough for the battery to 
achieve internal thermal equilibrium and must be no less than one 
hour.
    (4) The test must measure all of a battery's critical status-of-
health parameters at the thermal extremes on all cycles and during 
thermal transition to demonstrate that the battery satisfies all its 
performance specifications. The battery must undergo monitoring of 
its open circuit voltage throughout the test to demonstrate that it 
satisfies all its performance specifications throughout testing. The 
sample rate must be once every 10 seconds or more often.
    (5) The battery must undergo an electrical performance test that 
satisfies paragraph (n) of this section while the battery is at the 
high, ambient, and low temperatures, during the first, middle, and 
last thermal cycles.
    (6) If either the workmanship high or low temperature exceeds 
the battery's maximum predicted operating temperature range and the 
battery is not capable of passing the electrical performance test at 
the workmanship temperature, the battery may undergo the electrical 
performance test at an interim temperature during the cycle. This 
must include all of the following:
    (i) Any interim high temperature must be no less than the 
maximum predicted high temperature;
    (ii) Any interim low temperature must be no greater than the 
maximum predicted low temperature;
    (iii) The dwell-time at any interim temperature must be long 
enough for the battery to reach thermal equilibrium; and
    (iv) After any electrical performance test at an interim 
temperature, the thermal cycle must continue until the battery 
reaches its workmanship temperature.
    (p) Qualification thermal cycle. A qualification thermal cycle 
test must demonstrate that a nickel-cadmium battery satisfies all 
its performance specifications when subjected to pre-flight, 
acceptance test, and flight thermal cycle environments. This must 
include each of the following:
    (1) The test must subject the fully charged battery to no less 
than three times the acceptance-number of thermal cycles of 
paragraph (o)(1) of this section.
    (2) The qualification thermal cycle high temperature must be a 
40 [deg]C workmanship screening level or the maximum predicted 
environment high temperature plus 10 [deg]C, whichever is higher. 
The qualification thermal cycle low temperature must be a -34 [deg]C 
workmanship screening temperature or the predicted environment low 
temperature minus 10 [deg]C, whichever is lower.
    (3) When heating or cooling the battery during each cycle, the 
temperature must change at an average rate of 1 [deg]C per minute or 
the maximum predicted rate, whichever is greater. The dwell time at 
each high and low temperature must be long enough for the battery to 
achieve internal thermal equilibrium and must be no less than one 
hour.
    (4) The test must measure the battery's critical status-of-
health parameters at the thermal extremes on all cycles and during 
thermal transition to demonstrate that the battery satisfies all its 
performance specifications. The battery must undergo monitoring of 
its open circuit voltage throughout the test to demonstrate that it 
satisfies all its performance specifications. The sample rate must be 
once every 10 seconds or more often.
    (5) The battery must undergo an electrical performance test that 
satisfies paragraph (n) of this section while the battery is at the 
high, ambient, and low temperatures, during the first, middle, and 
last thermal cycles.
    (6) If either the workmanship high or low temperature exceeds 
the battery's maximum predicted operating temperature range and the 
battery is not capable of passing the electrical performance test at 
the workmanship temperature, the battery may undergo the discharge 
and pulse capacity test at an interim temperature during the cycle. 
This must include all of the following:
    (i) Any interim high temperature must be no less than the 
maximum predicted high temperature plus 10 °C;
    (ii) Any interim low temperature must be no greater than the 
maximum predicted low temperature minus 10 °C;
    (iii) The dwell-time at any interim temperature must last long 
enough for the battery to reach thermal equilibrium; and
    (iv) After any electrical performance test at an interim 
temperature, the thermal cycle must continue to the workmanship 
temperature.
    (q) Operational stand time. An operational stand time test must 
demonstrate that a nickel-cadmium battery will maintain its required 
capacity, including all required margins, from the final charge that 
the battery receives before flight until the planned safe flight 
state. This must include each of the following:
    (1) The battery must undergo a charge to full capacity and then 
an immediate capacity discharge to establish a baseline capacity for 
comparison to the capacity after the battery experiences the 
operational stand time.
    (2) The battery must undergo a charge to full capacity. The test 
must then subject the battery to the maximum predicted pre-flight 
temperature for the maximum operating stand time between final 
battery charging to the planned safe flight state while in an open 
circuit configuration. The maximum operating stand time must account 
for all launch processing and launch delay contingencies that could 
occur after the battery receives its final charge.
    (3) After the maximum operating stand time has elapsed, the 
battery must undergo a capacity discharge to determine any capacity 
loss due to any self-discharge by comparing the operational stand 
time capacity with the baseline capacity in paragraph (q)(1) of this 
section.
    (4) The test must demonstrate that the battery's capacity, 
including all required margins, and any loss in capacity due to the 
operational stand time satisfy all associated performance 
specifications.
    (r) Internal inspection. An internal inspection of a nickel-
cadmium battery must identify any excessive wear or damage to the 
battery, including any of its cells, after the battery is exposed to 
all the qualification test 
environments. An internal inspection must satisfy section E417.5(g) 
and include all of the following:
    (1) An internal examination to verify that there was no movement 
of any component within the battery that stresses that component 
beyond its design limit;
    (2) An examination to verify the integrity of all cell and 
wiring interconnects;
    (3) An examination to verify the integrity of all potting and 
shimming materials;
    (4) The removal of all cells from the battery and examination of 
each cell for any physical damage;
    (5) A test with a chemical indicator to demonstrate that none of 
the cells leaked; and
    (6) Destructive physical analysis of one cell from each corner 
and one cell from the middle of each battery that undergoes all the 
qualification tests. The destructive physical analysis must verify 
the integrity of all connections between all plate tabs and cell 
terminals, and the integrity of each plate and separator.
    (s) Cell leakage. A leakage test of a cell must demonstrate the 
integrity of the cell case seal using one of the following 
approaches:
    (1) Leak test 1:
    (i) The test must measure each cell's weight to 0.001 grams to 
create a baseline for comparison.
    (ii) The test must subject each cell, fully charged, to a vacuum 
of less than 10^-2 torr for no less than 20 hours. While 
under vacuum, the cell must undergo charging at a C/20 rate. The 
test must control each cell's temperature to ensure that it does 
not exceed the cell's maximum predicted thermal environment.
    (iii) The test must measure each cell's weight after the 20-hour 
vacuum and demonstrate that the cell does not experience a weight 
loss greater than three-sigma from the average weight loss for each 
cell in the lot.
    (iv) Any cell that fails the weight-loss test of paragraph 
(h)(3) of this section must undergo cleaning and discharge. The cell 
must then undergo a full charge and then inspection with a chemical 
indicator. If the chemical indicator shows that the cell has a leak, 
a launch operator may not use the cell in any further test or 
flight.
    (2) Leak test 2:
    (i) The cell must develop greater than one atmosphere 
differential pressure during the 0 °C capacity and overcharge 
test of paragraph (g) of this section.
    (ii) After the 0 °C capacity and overcharge test of 
paragraph (g) of this section, the cell must undergo a full charge 
and then inspection with a chemical indicator. If the chemical 
indicator shows that the cell has a leak, a launch operator may not 
use the cell in any further test or flight.

E417.23 Miscellaneous components.

    This section applies to any component that is critical to the 
reliability of a flight termination system and is not otherwise 
identified by this appendix. This includes any new technology or any 
component that may be unique to the design of a launch vehicle, such 
as any auto-destruct box, current limiter, or timer. A miscellaneous 
component must satisfy each test or analysis identified by any table 
of this section to demonstrate that the component satisfies all its 
performance specifications when subjected to each non-operating and 
operating environment. For any new or unique component, the launch 
operator must identify any additional test requirements necessary to 
ensure its reliability.
[GRAPHIC] [TIFF OMITTED] TR25AU06.038
[GRAPHIC] [TIFF OMITTED] TR25AU06.039
[GRAPHIC] [TIFF OMITTED] TR25AU06.040

E417.25 Safe-and-arm devices, electro-explosive devices, rotor leads, 
and booster charges.

    (a) General. This section applies to any safe-and-arm device 
that is part of a flight termination system, including each electro-
explosive device, rotor lead, or booster charge used by the safe-
and-arm device. Any safe-and-arm device, electro-explosive device, 
rotor lead, or booster charge must satisfy each test or analysis 
identified by any table of this section to demonstrate that it 
satisfies all its performance specifications when subjected to each 
non-operating and operating environment.
[GRAPHIC] [TIFF OMITTED] TR25AU06.041
[GRAPHIC] [TIFF OMITTED] TR25AU06.042
[GRAPHIC] [TIFF OMITTED] TR25AU06.043
[GRAPHIC] [TIFF OMITTED] TR25AU06.044
[GRAPHIC] [TIFF OMITTED] TR25AU06.045
[GRAPHIC] [TIFF OMITTED] TR25AU06.046
[GRAPHIC] [TIFF OMITTED] TR25AU06.047
[GRAPHIC] [TIFF OMITTED] TR25AU06.048
[GRAPHIC] [TIFF OMITTED] TR25AU06.049
[GRAPHIC] [TIFF OMITTED] TR25AU06.050
[GRAPHIC] [TIFF OMITTED] TR25AU06.051
[GRAPHIC] [TIFF OMITTED] TR25AU06.052
[GRAPHIC] [TIFF OMITTED] TR25AU06.053
[GRAPHIC] [TIFF OMITTED] TR25AU06.054
[GRAPHIC] [TIFF OMITTED] TR25AU06.055
[GRAPHIC] [TIFF OMITTED] TR25AU06.056
[GRAPHIC] [TIFF OMITTED] TR25AU06.057
[GRAPHIC] [TIFF OMITTED] TR25AU06.058

    (b) Safe-and-arm device status-of-health. A safe-and-arm device 
status-of-health test must satisfy section E417.3(f). This must 
include measuring insulation resistance from pin-to-pin and pin-to-
case, safe-and-arm transition time, and bridgewire resistance 
consistency through more than one safe-and-arm transition cycle.
    (c) Safe-and-arm transition. This test must demonstrate that the 
safe-and-arm transition, such as rotational or sliding operation, 
satisfies all its performance specifications. This must include all 
of the following:
    (1) The test must demonstrate that the safe-and-arm monitors 
accurately determine safe-and-arm transition and whether the safe-
and-arm device is in the proper configuration;
    (2) The test must demonstrate that a safe-and-arm device is not 
susceptible to inadvertent initiation or degradation in performance 
of the electro-explosive device during pre-flight processing; and
    (3) The test must demonstrate the ability of a safe-and-arm 
device to satisfy all its performance specifications when subjected 
to five times the maximum predicted number of safe-to-arm and arm-
to-safe cycles.
    (d) Stall. A stall test must demonstrate that a safe-and-arm 
device satisfies all its performance specifications after being 
locked in its safe position and subjected to an operating arming 
voltage for the greater of:
    (i) Five minutes; or
    (ii) The maximum time that could occur inadvertently and the 
device still be used for flight.
    (e) Safety tests. The following safety tests must demonstrate 
that a safe-and-arm device can be handled safely:
    (1) Containment. A containment test must demonstrate that a 
safe-and-arm device will not fragment when any internal electro-
explosive device or rotor charge is initiated. A safe-and-arm device 
must undergo the test in the arm position and with any shipping cap 
or plug installed in each output port.
    (2) Barrier functionality. A barrier functionality test must 
demonstrate that, when in the safe position, if a safe-and-arm 
device's internal electro-explosive device is initiated, the 
ordnance output will not propagate to an explosive transfer system. 
This demonstration must include all of the following:
    (i) The test must consist of firings at high and low temperature 
extremes, and the explosive transfer system must be configured for 
flight;
    (ii) Each high-temperature firing must be initiated at the 
manufacturer specified high temperature or a 71 °C workmanship 
screening level, whichever is higher; and
    (iii) Each low-temperature firing must be initiated at the 
manufacturer specified low temperature or a -54 °C workmanship 
screening level, whichever is lower.
    (3) Extended stall. An extended stall test must demonstrate that 
a safe-and-arm device does not initiate when locked in its safe 
position and is subjected to a continuous operating arming voltage 
for the maximum predicted time that could occur accidentally or one 
hour, whichever is greater.
    (4) Manual safing. A manual safing test must demonstrate that a 
safe-and-arm device can be manually safed in accordance with all its 
performance specifications.
    (5) Safing-interlock. A safing-interlock test must demonstrate 
that when a safe-and-arm device's safing-interlock is in place and 
operational arming current is applied, the interlock prevents arming 
in accordance with all the interlock's performance specifications.
    (6) Safing verification. A safing verification test must 
demonstrate that, while a safe-and-arm device is in the safe 
position, any internal electro-explosive device will not initiate if 
the safe-and-arm device input circuit is accidentally subjected to a 
firing voltage, such as from a command receiver or inadvertent 
separation destruct system output.
    (f) Thermal performance. A thermal performance test must 
demonstrate that a safe-and-arm device satisfies all its performance 
specifications when subjected to operating and workmanship thermal 
environments. This demonstration must include all of the following:
    (1) The safe-and-arm device must undergo the test while 
subjected to each required thermal environment;
    (2) The test must continuously monitor the bridgewire continuity 
with the safe-and-arm 
device in its arm position to detect each and any variation in 
amplitude. Any variation in amplitude constitutes a test failure;
    (3) The test must measure the bridgewire resistance for the 
first and last thermal cycle during the high and low temperature 
dwell times to demonstrate that the bridgewire resistance satisfies 
the manufacturer specification;
    (4) The test must subject the safe-and-arm device to five safe-
and-arm cycles and measure the bridgewire continuity during each 
cycle to demonstrate that the continuity is consistent; and
    (5) The test must measure the safe-and-arm cycle time to 
demonstrate that it satisfies the manufacturer specification.
    (g) Dynamic performance. A dynamic performance test must 
demonstrate that a safe-and-arm device satisfies all its performance 
specifications when subjected to the dynamic operational 
environments, such as vibration and shock. This demonstration must 
include all of the following:
    (1) The safe-and-arm device must undergo the test while 
subjected to each required dynamic operational environment;
    (2) The test must continuously monitor the bridgewire continuity 
with the safe-and-arm device in the arm position to detect each and 
any variation in amplitude. Any amplitude variation constitutes a 
test failure. The monitoring must have a sample rate that will 
detect any component performance degradation;
    (3) The test must continuously monitor each safe-and-arm device 
monitor circuit to detect each and any variation in amplitude. Any 
variation in amplitude constitutes a test failure. This monitoring 
must have a sample rate that will detect any component performance 
degradation; and
    (4) The test must continuously monitor the safe-and-arm device 
to demonstrate that it remains in the fully armed position 
throughout all dynamic environment testing.
    (h) Electro-explosive device status-of-health. An electro-
explosive device status-of-health test must satisfy section 
E417.3(f). The test must include measuring insulation resistance and 
bridgewire continuity.
    (i) Static discharge. A static discharge test must demonstrate 
that an electro-explosive device can withstand an electrostatic 
discharge that it could experience from personnel or conductive 
surfaces without firing and still satisfy all its performance 
specifications. The test must subject the electro-explosive device 
to the greater of:
    (1) A 25k-volt, 500-picofarad pin-to-pin discharge through a 5k-
ohm resistor and a 25k-volt, 500-picofarad pin-to-case discharge 
with no resistor; or
    (2) The maximum predicted pin-to-pin and pin-to-case 
electrostatic discharges.
    (j) Firing tests.
    (1) General. Each firing test of a safe-and-arm device, electro-
explosive device, rotor lead, or booster charge must satisfy all of 
the following:
    (i) The test must demonstrate the initiation and transfer of all 
ordnance charges and that the component does not fragment. For a 
safe-and-arm device that has more than one internal electro-
explosive device, each firing test must also demonstrate that the 
initiation of one internal electro-explosive device does not 
adversely affect the performance of any other internal electro-
explosive device;
    (ii) The number of component samples that the test must fire and 
the test conditions, including firing current and temperature, must 
satisfy each table of this section;
    (iii) Before initiation, each component sample must experience 
the required temperature for enough time to achieve thermal 
equilibrium;
    (iv) Each test must measure ordnance output using a measuring 
device, such as a swell cap or dent block, to demonstrate that the 
output satisfies all its performance specifications; and
    (v) Each test of a safe-and-arm device or electro-explosive 
device must subject each sample device to a current source that 
duplicates the operating output waveform and impedance of the flight 
current source. Each test of a rotor lead or booster charge must 
subject the component to an energy source that simulates the flight 
energy source.
    (2) All-fire current. Each all-fire current test must subject 
each component sample to the manufacturer's specified all-fire 
current value.
    (3) Operating current. Each operating current test must subject 
each component sample to the launch vehicle operating current value 
if known at the time of testing. If the operating current is 
unknown, the test must use no less than 200% of the all-fire current 
value.
    (4) 22-amps current. This test must subject each component 
sample to a firing current of 22 amps.
    (5) Ambient-temperature. This test must initiate each ordnance 
sample while it is subjected to ambient-temperature.
    (6) High-temperature. Each high-temperature test must initiate 
each ordnance sample while it is subjected to the qualification 
high-temperature level or a +71 °C workmanship screening level, 
whichever is higher.
    (7) Low-temperature. Each low-temperature test must initiate 
each ordnance sample while it is subjected to the qualification low-
temperature level or a -54 °C workmanship screening level, 
whichever is lower.
    (k) Radio frequency impedance. This test must determine the 
radio frequency impedance of an electro-explosive device for use in 
any flight termination system radio frequency susceptibility 
analysis.
    (l) Radio frequency sensitivity. This test must consist of a 
statistical firing series of electro-explosive device lot samples to 
determine the radio frequency no-fire energy level for the remainder 
of the lot. The firing series must determine the highest continuous 
radio frequency energy level to which the device can be subjected 
and not fire with a reliability of 0.999 at a 95% confidence level. 
Any demonstrated radio frequency no-fire energy level that is less 
than the level used in the flight termination system design and 
analysis constitutes a test failure.
    (m) No-fire energy level. This test must consist of a 
statistical firing series of electro-explosive device lot samples to 
determine the no-fire energy level for the remainder of the lot. The 
firing series must determine the highest electrical energy level at 
which the device will not fire with a reliability of 0.999 at a 95% 
confidence level when subjected to a continuous current pulse. Any 
demonstrated no-fire energy level that is less than the no-fire 
energy level used in the flight termination system design and 
analysis constitutes a test failure.
    (n) All-fire energy level. This test must consist of a 
statistical firing series of electro-explosive device lot samples to 
determine the all-fire energy level for the remainder of the lot. 
This firing series must determine the lowest electrical energy level 
at which the device will fire with a reliability of 0.999 at a 95% 
confidence level when subjected to a current pulse that simulates 
the launch vehicle flight termination system firing characteristics. 
Any demonstrated all-fire energy level that exceeds the all-fire 
energy level used in the flight termination system design and 
analysis constitutes a test failure.
    (o) Barrier alignment. A barrier alignment test must consist of 
a statistical firing series of safe-and-arm device samples. The test 
must demonstrate that the device's safe to arm transition motion 
provides for ordnance initiation with a reliability of 0.999 at a 
95% confidence level. The test must also demonstrate that the 
device's arm to safe transition motion provides for no ordnance 
initiation with a reliability of 0.999 at a 95% confidence level. 
This test may employ a reusable safe-and-arm subassembly that 
simulates the flight configuration.
    (p) No-fire verification. This test must demonstrate that a 
flight configured electro-explosive device will not inadvertently 
initiate when exposed to the maximum predicted circuit leakage 
current and will still satisfy all its performance specifications. 
The test must subject each sample electro-explosive device to the 
greater of:
    (1) The worst-case leakage current level and duration that could 
occur in an operating condition; or
    (2) One amp/one watt for five minutes.
    (q) Auto-ignition. This test must demonstrate that an electro-
explosive device does not experience auto-ignition, sublimation, or 
melting when subjected to any high-temperature environment during 
handling, testing, storage, transportation, installation, or flight. 
The test must include all of the following:
    (1) The test environment must be no less than 30 °C higher 
than the highest non-operating or operating temperature that the 
device could experience;
    (2) The test must last the maximum predicted high-temperature 
duration or one hour, whichever is greater; and
    (3) After exposure to the test environment, each sample device 
must undergo external and internal examination, including any 
dissection needed to identify any auto-ignition, sublimation, or 
melting.

E417.27 Exploding bridgewire firing units and exploding bridgewires.

    (a) General. This section applies to any exploding bridgewire 
firing unit that is part of a flight termination system, including 
each exploding bridgewire that is used by the firing unit. Any 
firing unit or exploding bridgewire must satisfy each test or 
analysis 
identified by any table of this section to demonstrate that it 
satisfies all its performance specifications when subjected to each 
non-operating and operating environment.
[GRAPHIC] [TIFF OMITTED] TR25AU06.059
[GRAPHIC] [TIFF OMITTED] TR25AU06.060
[GRAPHIC] [TIFF OMITTED] TR25AU06.061
[GRAPHIC] [TIFF OMITTED] TR25AU06.062
[GRAPHIC] [TIFF OMITTED] TR25AU06.063
[GRAPHIC] [TIFF OMITTED] TR25AU06.064
[GRAPHIC] [TIFF OMITTED] TR25AU06.065
[GRAPHIC] [TIFF OMITTED] TR25AU06.066
[GRAPHIC] [TIFF OMITTED] TR25AU06.067
[GRAPHIC] [TIFF OMITTED] TR25AU06.068
[GRAPHIC] [TIFF OMITTED] TR25AU06.105
[GRAPHIC] [TIFF OMITTED] TR25AU06.069

    (b) Firing unit status-of-health. A firing unit status-of-health 
test must satisfy section E417.3(f). This must include measuring 
input current, all pin-to-pin and pin-to-case resistances, trigger 
circuit threshold, capacitor charge time and arming time.
    (c) Input command processing. An input command processing test 
must demonstrate that an exploding bridgewire firing unit's input 
trigger circuit satisfies all its performance specifications when 
subjected to any variation in input that it could experience during 
flight. The firing unit must undergo this test before the first and 
after the last environmental test to identify any degradation in 
performance due to any of the test environments. The test must 
demonstrate all of the following:
    (1) The amplitude sensitivity of the firing unit trigger circuit 
provides margin over the worst-case trigger signal that could be 
delivered on the launch vehicle as follows:
    (i) The firing unit triggers at 50% of the amplitude and 50% of 
the pulse duration of the lowest trigger signal that could be 
delivered during flight; and
    (ii) The firing unit triggers at 120% amplitude and 120% of the 
pulse duration of the highest trigger signal that could be delivered 
during flight;
    (2) The firing unit satisfies all its performance specifications 
when subjected to the maximum input voltage of the open circuit 
voltage of the power source, ground or airborne, and the minimum 
input voltage of the loaded voltage of the power source;
    (3) Each control and switching circuit that is critical to the 
reliable operation of an exploding bridgewire firing unit does not 
change state when subjected to a minimum input power drop-out for a 
period of 50 milliseconds;
    (4) The firing unit's response time satisfies all its 
performance specifications with input at the specified minimum and 
maximum vehicle supplied trigger signal; and
    (5) If the firing unit has differential input, the unit 
satisfies all its performance specifications with all input 
combinations at the specified trigger amplitude input signals.
    (d) High voltage circuitry. This test must demonstrate that a 
firing unit's high voltage circuitry satisfies all its performance 
specifications for initiating the exploding bridgewire when 
subjected to any variation in input that the circuitry could 
experience during flight. The firing unit must undergo the test 
before the first and after the last environmental test to identify 
any degradation in performance due to any of the test environments. 
The test must demonstrate all of the following:
    (1) The firing unit satisfies all its performance specifications 
when subjected to the worst-case high and low arm voltages that it 
could experience during flight;
    (2) The firing unit's charging and output circuitry has an 
output waveform, rise-time, and amplitude that delivers no less than 
a 50% voltage margin to the exploding bridgewire. The test must use 
the identical parameters, such as capacitor values and circuit and 
load impedance, as those used to provide the exploding bridgewire 
all-fire energy level;
    (3) The firing unit does not experience any arcing or corona 
during high voltage discharge; and
    (4) Each high-energy trigger circuit used to initiate the main 
firing capacitor has an output signal that delivers no less than a 
50% voltage margin with an input to the circuit at the nominal 
trigger threshold level.
    (e) Output monitoring. (1) An output monitoring test must 
measure the voltage of each high voltage capacitor and the arm power 
to a firing unit and demonstrate that it satisfies all its 
performance specifications.
    (2) An output monitoring test conducted while the firing unit is 
subjected to an operating environment must continuously monitor the 
voltage of each high voltage capacitor and the arm power to the 
firing unit to detect any variation in amplitude. Any amplitude 
variation constitutes a test failure. The monitoring must use a 
sample rate that will detect any component performance degradation.
    (f) Abbreviated status-of-health. An abbreviated status-of-
health test must measure all of a firing unit's critical performance 
parameters while the unit is subjected to each required operating 
environment to identify any degradation in performance while exposed 
to each environment. This must include continuous monitoring of the 
firing unit's input to detect any variation in amplitude. Any 
amplitude variation constitutes a test failure. The monitoring must 
have a sample rate that will detect any component performance 
degradation.
    (g) Abbreviated command processing. An abbreviated command 
processing test must exercise all of a firing unit's flight critical 
functions while the unit is subjected to each required operating 
environment. This must include subjecting the firing unit to the 
fire command throughout each environment while monitoring function 
time and the high voltage output waveform to demonstrate that each 
satisfies all its performance specifications.
    (h) Circuit protection. A circuit protection test must 
demonstrate that any circuit protection allows a firing unit to 
satisfy all its performance specifications when subjected to any 
improper launch processing, abnormal flight condition, or any 
failure of another launch vehicle component. The demonstration must 
include all of the following:
    (1) Any circuit protection allows an exploding bridgewire firing 
unit to satisfy all its performance specifications when subjected to 
the maximum input voltage of the open circuit voltage of the unit's 
power source and when subjected to the minimum input voltage of the 
loaded voltage of the power source;
    (2) In the event of an input power dropout, any control or 
switching circuit that contributes to the reliable operation of an 
exploding bridgewire firing unit, including solid-state power 
transfer switches, does not change state for at least 50 
milliseconds;
    (3) Any watchdog circuit satisfies all its performance 
specifications;
    (4) The firing unit satisfies all its performance specifications 
when any of its monitoring circuits' output ports are subjected to a 
short circuit or the highest positive or negative voltage capable of 
being supplied by the monitor batteries or other power supplies; and
    (5) The firing unit satisfies all its performance specifications 
when subjected to any reverse polarity voltage that could occur 
during launch processing.
    (i) Repetitive functioning. This test must demonstrate that a 
firing unit satisfies all its performance specifications when 
subjected to repetitive functioning for five times the worst-case 
number of cycles required for acceptance, checkout and operations, 
including any retest due to schedule delays.
    (j) Static discharge. A static discharge test must demonstrate 
that an exploding bridgewire will not fire and satisfies all its 
performance specifications when subjected to any electrostatic 
discharge that it could experience from personnel or conductive 
surfaces. The test must subject an exploding bridgewire to the 
greater of:
    (1) A 25k-volt, 500-picofarad pin-to-pin discharge through a 5k-
ohm resistor and a 25k-volt, 500-picofarad pin-to-case discharge 
with no resistor; or
    (2) The maximum predicted pin-to-pin and pin-to-case 
electrostatic discharge.
    (k) Exploding bridgewire status-of-health. An exploding 
bridgewire status-of-health test must satisfy section E417.3(f). 
This must include measuring the bridgewire insulation resistance at 
operating voltage.
    (l) Safety devices. This test must demonstrate that any 
protection circuitry that is internal to an exploding bridgewire, 
such as a spark gap, satisfies all its performance specifications 
and will not degrade the bridgewire's performance or reliability 
when exposed to the qualification environments. The test must 
include static gap breakdown, dynamic gap breakdown, and 
specification hold-off voltage under sustained exposure.
    (m) Firing tests. (1) General. Each firing test of an exploding 
bridgewire must satisfy all of the following:
    (i) Each test must demonstrate that the exploding bridgewire 
satisfies all its performance specifications when subjected to 
qualification stress conditions;
    (ii) The number of exploding bridgewire samples that each test 
must fire and the test conditions, including firing voltage and 
temperature, must satisfy each table of this section;
    (iii) Before initiation, each component sample must experience 
the required temperature for enough time to achieve thermal 
equilibrium;
    (iv) Each test must subject each exploding bridgewire sample to 
a high voltage initiation source that duplicates the exploding 
bridgewire firing unit output waveform and impedance, including high 
voltage cabling; and
    (v) Each test must measure ordnance output using a measuring 
device, such as a swell cap or dent block, to demonstrate that the 
ordnance output satisfies all its performance specifications.
    (2) All-fire voltage. Each all-fire voltage test must subject 
each exploding bridgewire sample to the manufacturer specified all-
fire energy level for voltage, current, and pulse duration.
    (3) Operating voltage. Each operating voltage test must subject 
each exploding bridgewire sample to the firing unit's manufacturer 
specified operating voltage, current, and pulse duration. If the 
operating energy is unknown, the test must use no less than 200% of 
the all-fire voltage.
    (4) Twice-operating voltage. This test must subject each 
exploding bridgewire sample to 200% of the operating voltage.
    (5) Ambient-temperature. This test must initiate each exploding 
bridgewire sample while at ambient temperature.
    (6) High-temperature. Each high-temperature test must initiate 
each exploding bridgewire sample while it is subjected to the 
manufacturer specified high-temperature level or at a +71 [deg]C 
workmanship screening level, whichever is higher.
    (7) Low-temperature. Each low-temperature test must initiate 
each exploding bridgewire sample while it is subjected to the 
manufacturer specified low-temperature level or at a -54 [deg]C 
workmanship screening level, whichever is lower.
    (n) Radio frequency impedance. A radio frequency impedance test 
must determine an exploding bridgewire's radio frequency impedance 
for use in any system radio frequency susceptibility analysis.
    (o) Radio frequency sensitivity. A radio frequency sensitivity 
test must consist of a statistical firing series of exploding 
bridgewire lot samples to determine the radio frequency sensitivity 
of the exploding bridgewire. The test must demonstrate that the 
radio frequency no-fire energy level does not exceed the level used 
in the flight termination system design and analysis.
    (p) No-fire energy level. A no-fire energy level test must 
consist of a statistical firing series of exploding bridgewire lot 
samples to determine the highest electrical energy level at which 
the exploding bridgewire will not fire with a reliability of 0.999 
with a 95% confidence level when subjected to a continuous current 
pulse. The test must demonstrate that the no-fire energy level is no 
less than the no-fire energy level used in the flight termination 
system design and analysis.
    (q) All-fire energy level. An all-fire energy level test must 
consist of a statistical firing series of exploding bridgewire lot 
samples to determine the lowest electrical energy level at which the 
exploding bridgewire will fire with a reliability of 0.999 with a 
95% confidence level when subjected to a current pulse simulating 
the firing unit output waveform and impedance characteristics. Each 
exploding bridgewire sample must be in its flight configuration, and 
must possess any internal safety devices, such as a spark gap, 
employed in the flight configuration. The test must demonstrate that 
the all-fire energy level does not exceed the all-fire energy level 
used in the flight termination system design and analysis.
    (r) Auto-ignition. This test must demonstrate that an exploding 
bridgewire does not experience auto-ignition, sublimation, or 
melting when subjected to any high-temperature environment during 
handling, testing, storage, transportation, installation, or flight. 
The test must include all of the following:
    (1) The test environment must be no less than 30 [deg]C higher 
than the highest non-operating or operating temperature that the 
device could experience;
    (2) The test duration must be the maximum predicted high-
temperature duration or one hour, whichever is greater; and
    (3) After exposure to the test environment, each exploding 
bridgewire sample must undergo external and internal examination, 
including any dissection needed to identify any auto-ignition, 
sublimation, or melting.

E417.29 Ordnance interrupter.

    (a) General. This section applies to any ordnance interrupter 
that is part of a flight termination system, including any rotor 
lead or booster charge that is used by the interrupter. Any ordnance 
interrupter, rotor lead, or booster charge must satisfy each test or 
analysis identified by any table of this section to demonstrate that 
it satisfies all its performance specifications when subjected to 
each non-operating and operating environment.

[GRAPHIC] [TIFF OMITTED] TR25AU06.070 through TR25AU06.078 (pages 50681-50689)

    (b) Status-of-health. An ordnance interrupter status-of-health 
test must satisfy section E417.3(f). This must include measuring 
the interrupter's safe-and-arm transition time.
    (c) Safe-and-arm position monitor. This test must demonstrate 
all of the following:
    (1) That an ordnance interrupter's safe-and-arm transition 
operation, such as rotation or sliding, satisfies all its 
performance specifications;
    (2) That any ordnance interrupter-monitoring device can 
determine, before flight, if the ordnance interrupter is in the 
proper flight configuration;
    (3) The presence of the arm indication when the ordnance 
interrupter is armed; and
    (4) The presence of the safe indication when the ordnance 
interrupter is safed.
    (d) Safety tests. (1) General. Each safety test must demonstrate 
that an ordnance interrupter is safe to handle and use on the launch 
vehicle.
    (2) Containment. For any ordnance interrupter that has an 
internal rotor charge, a containment test must demonstrate that the 
interrupter will not fragment when the internal charge is initiated.
    (3) Barrier functionality. A barrier functionality test must 
demonstrate that, when the ordnance interrupter is in the safe 
position, if the donor transfer line or the internal rotor charge is 
initiated, the ordnance output will not propagate to an explosive 
transfer system. The test must consist of firing tests at high- and 
low-temperature extremes with an explosive transfer system that 
simulates the flight configuration. The number of samples that the 
test must fire and the test conditions must satisfy each table of 
this section and all of the following:
    (i) High-temperature. A high-temperature test must initiate each 
ordnance sample while it is subjected to no lower than the 
qualification high-temperature level or a 71 [deg]C workmanship 
screening level, whichever is higher; and
    (ii) Low-temperature. A low-temperature test must initiate each 
ordnance sample while it is subjected to no higher than the 
qualification low-temperature level or a -54 [deg]C workmanship 
screening level, whichever is lower.
    (4) Extended stall. For an ordnance interrupter with an internal 
rotor or booster charge, an extended stall test must demonstrate 
that the interrupter does not initiate when:
    (i) Locked in its safe position; and
    (ii) Subjected to a continuous operating arming voltage for the 
maximum predicted time that could occur accidentally or one hour, 
whichever is greater.
    (5) Manual safing. A manual safing test must demonstrate that an 
ordnance interrupter can be manually safed.
    (6) Safing-interlock. A safing-interlock test must demonstrate 
that when an ordnance interrupter's safing-interlock is in place and 
operating arming current is applied, the interlock prevents arming 
and satisfies any other performance specification of the interlock.
    (e) Interrupter abbreviated performance. An interrupter 
abbreviated performance test must satisfy section E417.3(e). This 
must include continuous monitoring of the interrupter's arm 
monitoring circuit. An ordnance interrupter must undergo this test 
while armed.
    (f) Firing tests. (1) General. A firing test of an ordnance 
interrupter, rotor lead, or booster charge must satisfy all of the 
following:
    (i) The test must demonstrate that the initiation and output 
energy transfer of each ordnance charge satisfies all its 
performance specifications and that the component does not fragment;
    (ii) The number of samples that the test must fire and the test 
conditions, including firing current and temperature, must satisfy 
each table of this section;
    (iii) Before initiation, each component sample must experience 
the required temperature for enough time to achieve thermal 
equilibrium;
    (iv) The test of an ordnance interrupter must simulate the 
flight configuration, including the explosive transfer system lines 
on the input and output;
    (v) Each test of a rotor lead or booster charge must subject the 
component to an energy source that simulates the flight energy 
source;
    (vi) Each test must measure each ordnance output using a 
measuring device, such as a swell cap or dent block, to demonstrate 
that the output satisfies all its performance specifications; and
    (vii) For a single interrupter that contains more than one 
firing path, the test must demonstrate that the initiation of one 
firing path does not adversely affect the performance of any other 
path.
    (2) Ambient-temperature. This test must initiate each ordnance 
sample while it is at ambient temperature.
    (3) High-temperature. A high-temperature test must initiate each 
ordnance sample while it is subjected to no lower than the 
qualification high-temperature level or a +71 [deg]C workmanship 
level, whichever is higher.
    (4) Low-temperature. A low-temperature test must initiate each 
ordnance sample while it is subjected to no higher than the 
qualification low-temperature level or a -54 [deg]C workmanship 
level, whichever is lower.
    (g) Barrier alignment. A barrier alignment test must consist of 
a statistical firing series of ordnance interrupter samples. The 
test must demonstrate that the interrupter's safe-to-arm transition 
motion provides for ordnance initiation with a reliability of 0.999 
at a 95% confidence level. The test must also demonstrate that the 
interrupter's arm-to-safe transition motion provides for no ordnance 
initiation with a reliability of 0.999 at a 95% confidence level. 
The test may employ a reusable ordnance interrupter subassembly that 
simulates the flight configuration.
    (h) Repetitive function. A repetitive function test must 
demonstrate the ability of an ordnance interrupter to satisfy all 
its performance specifications when subjected to five times the 
maximum predicted number of safe-to-arm and arm-to-safe cycles.
    (i) Stall. A stall test must demonstrate that an ordnance 
interrupter satisfies all its performance specifications after being 
locked in its safe position and subjected to an operating arming 
voltage for the greater of:
    (1) Five minutes; or
    (2) The maximum predicted time that could occur inadvertently 
and the interrupter would still be used for flight.

E417.31 Percussion-activated device (PAD).

    (a) General. This section applies to any percussion-activated 
device that is part of a flight termination system, including any 
primer charge it uses. Any percussion-activated device or primer 
charge must satisfy each test or analysis identified by any table of 
this section to demonstrate that it satisfies all its performance 
specifications when subjected to each non-operating and operating 
environment.

[GRAPHIC] [TIFF OMITTED] TR25AU06.079 through TR25AU06.088 (pages 50691-50700)

    (b) Safety tests. (1) General. Each safety test must demonstrate 
that a percussion-activated device is safe to handle and use on the 
launch vehicle.
    (2) No-fire impact. A no-fire impact test must demonstrate that 
a percussion-activated device, when pulled with the guaranteed no-
fire pull force:
    (i) Will not fire;
    (ii) The device's primer initiation assembly will not disengage; 
and
    (iii) The device will continue to satisfy all its performance 
specifications.
    (3) Safing-interlock locking. A safing-interlock test must 
demonstrate that a percussion-activated device, with its safing-
interlock in place, will continue to satisfy all its performance 
specifications and the device's firing assembly will not move more 
than half the no-fire pull distance when subjected to the greater 
of:
    (i) A 200-pound pull force;
    (ii) The device's all-fire pull-force; or
    (iii) Twice the worst-case pull force that the device can 
experience after it is installed on the vehicle.
    (4) Safing-interlock retention test. A safing-interlock 
retention test must demonstrate that a percussion-activated device's 
safing-interlock is not removable when a no-fire pull or greater 
force is applied to the percussion-activated device lanyard. The 
test must also demonstrate that the force needed to remove the 
safing-interlock with the lanyard in an unloaded condition satisfies 
its performance specification.
    (c) Status-of-health. A status-of-health test of a percussion-
activated device must satisfy section E417.3(f). This test must 
include measuring the spring constant and firing pull distance.
    (d) Percussion-activated-device firing tests. (1) General. Each 
firing test of a percussion-activated device must satisfy all of the 
following:
    (i) The test must demonstrate that the device satisfies all its 
performance specifications when subjected to all qualification 
stress conditions;
    (ii) The number of samples that the test must fire and the test 
conditions, including temperature, must satisfy each table of this 
section;
    (iii) Before initiation, each component sample must experience 
the required temperature for enough time to achieve thermal 
equilibrium;
    (iv) The test must subject the device to the manufacturer 
specified pull-force;
    (v) The test must simulate the flight configuration, including 
the explosive transfer system lines on the output; and
    (vi) The test must measure each ordnance output using a 
measuring device, such as a swell cap or dent block, to demonstrate 
that the output satisfies all its performance specifications.
    (2) Ambient-temperature. This test must initiate each ordnance 
sample while it is subjected to ambient temperature.
    (3) High-temperature. A high-temperature test must initiate each 
ordnance sample while it is subjected to no lower than the 
qualification high-temperature level or a +71 [deg]C workmanship 
screening level, whichever is higher.
    (4) Low-temperature. A low-temperature test must initiate each 
ordnance sample while it is subjected to no higher than the 
qualification low-temperature level or a -54 [deg]C workmanship 
screening level, whichever is lower.
    (e) All-fire energy level. An all-fire energy level test must 
consist of a statistical firing series of primer charge lot samples 
to determine the lowest energy impact at which the primer will fire 
with a reliability of 0.999 at a 95% confidence level. The test must 
use a firing pin and configuration that is representative of the 
flight configuration.
    (f) Primer charge firing tests. (1) General. Each firing test of 
a primer charge must satisfy all of the following:
    (i) The test must demonstrate that the primer charge, including 
any booster charge or ordnance delay as an integral unit, satisfies 
all its performance specifications when subjected to all 
qualification stress conditions;
    (ii) The number of samples that the test must fire and the test 
conditions, including impact energy and temperature, must satisfy each 
table of this section;
    (iii) Before initiation, each component sample must experience 
the required temperature for enough time to achieve thermal 
equilibrium;
    (iv) The test must use a firing pin and configuration that is 
representative of the flight configuration; and
    (v) The test must measure ordnance output using a measuring 
device, such as a swell cap or dent block, to demonstrate that the 
ordnance output satisfies all its performance specifications.
    (2) Ambient-temperature. This test must initiate each ordnance 
sample while it is subjected to ambient temperature.
    (3) High-temperature. A high-temperature test must initiate each 
ordnance sample while it is subjected to no lower than the 
qualification high-temperature level or a +71 [deg]C workmanship 
screening level, whichever is higher.
    (4) Low-temperature. A low-temperature test must initiate each 
ordnance sample while it is subjected to no higher than the 
qualification low-temperature level or a -54 [deg]C workmanship 
screening level, whichever is lower.
    (g) Auto-ignition. This test must demonstrate that any ordnance 
internal to a percussion-activated device does not experience auto-
ignition, sublimation, or melting when subjected to any high-
temperature environment during handling, testing, storage, 
transportation, installation, or flight. The test must include all 
of the following:
    (1) The test environment must be no less than 30 [deg]C higher 
than the highest non-operating or operating temperature that the 
device could experience;
    (2) The test duration must be the maximum predicted high-
temperature duration or one hour, whichever is greater; and
    (3) After exposure to the test environment, each ordnance 
component must undergo external and internal examination, including 
any dissection needed to identify any auto-ignition, sublimation, or 
melting.

E417.33 Explosive transfer system, ordnance manifold, and destruct 
charge.

    (a) General. This section applies to any explosive transfer 
system, ordnance manifold, or destruct charge that is part of a 
flight termination system. Any explosive transfer system, ordnance 
manifold, or destruct charge must satisfy each test or analysis 
identified by any table of this section to demonstrate that it 
satisfies all its performance specifications when subjected to each 
non-operating and operating environment.

[GRAPHIC] [TIFF OMITTED] TR25AU06.089 through TR25AU06.096 (pages 50702-50709)

    (b) Firing tests. (1) General. A firing test of an explosive 
transfer system, explosive manifold, or destruct charge must satisfy 
all of the following:
    (i) The test must demonstrate that each ordnance sample 
satisfies all its performance specifications when subjected to all 
qualification stress conditions;
    (ii) The number of samples that the test must fire and the test 
conditions, including temperature, must satisfy each table of this 
section;
    (iii) Before initiation, each ordnance sample must experience 
the required temperature for enough time to achieve thermal 
equilibrium;
    (iv) For any destruct charge, the test must initiate the charge 
against a witness plate to demonstrate that the charge satisfies all 
its performance specifications and is in-family;
    (v) For any explosive transfer system component, the test must 
measure ordnance output using a measuring device, such as a swell 
cap or dent block, to demonstrate that the ordnance output satisfies 
all its performance specifications; and
    (vi) For any explosive manifold that contains ordnance, the test 
must initiate the ordnance using an explosive transfer system in a 
flight representative configuration.
    (2) Ambient-temperature. This test must initiate each ordnance 
sample while it is subjected to ambient temperature.
    (3) High-temperature. A high-temperature test must initiate each 
ordnance sample while it is subjected to no lower than the 
qualification high-temperature level or a +71 [deg]C workmanship 
screening level, whichever is higher.
    (4) Low-temperature. A low-temperature test must initiate each 
ordnance sample while it is subjected to no higher than the 
qualification low-temperature level or a -54 [deg]C workmanship 
screening level, whichever is lower.
    (c) Penetration margin. A penetration margin test must 
demonstrate a destruct charge's ability to accomplish its intended 
flight termination function, such as to destroy the pressure 
integrity of any solid propellant stage or motor or rupture any 
propellant tank. This must include penetrating no less than 150% of 
the thickness of the target material. Each test must also 
demonstrate that the charge is in-family by correlating equivalent 
penetration depth into a witness plate and comparing the results 
from each test.
    (d) Propellant detonation. A propellant detonation test or 
analysis must demonstrate that a destruct charge will not detonate 
the propellant of its intended target.

E417.35 Shock and vibration isolators.

    (a) General. This section applies to any shock or vibration 
isolator that is part of a flight termination system. Any isolator 
must satisfy each test or analysis identified by table E417.35-1 to 
demonstrate that it has repeatable performance and is free of any 
workmanship defects.

[GRAPHIC] [TIFF OMITTED] TR25AU06.097 (page 50710)

    (b) Load deflection. A load deflection test must demonstrate the 
ability of a shock or vibration isolator to withstand the full-scale 
deflection expected during flight while satisfying all its 
performance specifications and that the isolator is in-family. This 
must include subjecting each isolator to varying deflection 
increments from the null position to the full-scale flight 
deflection and measuring the isolator's spring constant at each 
deflection increment.
    (c) Status-of-health. A status-of-health test of a shock or 
vibration isolator must satisfy section E417.3(f). The test must 
include all of the following:
    (1) The test must measure the isolator's natural frequency while 
the isolator is subjected to a random vibration or sinusoidal sweep 
vibration with amplitudes that are representative of the maximum 
predicted operating environment; and
    (2) The test must measure the isolator's dynamic amplification 
value while the isolator is subjected to a random vibration or 
sinusoidal sweep vibration with amplitudes that are representative 
of the maximum predicted operating environment.

E417.37 Electrical connectors and harnesses.

    (a) General. This section applies to any electrical connector or 
harness that is critical to the functioning of a flight termination 
system during flight, but is not otherwise part of a flight 
termination system component. Any electrical connector or harness 
must satisfy each test or analysis identified by table E417.37-1 of 
this section to demonstrate that it satisfies all its performance 
specifications when subjected to each non-operating and operating 
environment.

[GRAPHIC] [TIFF OMITTED] TR25AU06.098 (page 50711)

    (b) Status-of-health. A status-of-health test of a harness or 
connector must satisfy section E417.3(f). The test must include all 
of the following:
    (1) The test must measure the dielectric withstanding voltage 
between mutually insulated portions of the harness or connector to 
demonstrate that the harness or connector satisfies all its 
performance specifications at its rated voltage and withstands any 
momentary over-potential due to switching, surge, or any other 
similar phenomena;
    (2) The test must demonstrate that the insulation resistance 
between mutually insulated points is sufficient to ensure that the 
harness or connector satisfies all its performance specifications at 
its rated voltage and the insulation material is not damaged after 
the harness or connector is subjected to the qualification 
environments;
    (3) The test must demonstrate the ability of the insulation 
resistance between each wire shield and harness or conductor and the 
insulation between each harness or connector pin to every other pin 
to withstand a minimum workmanship voltage of 500 VDC or 150% of the 
rated output voltage, whichever is greater; and
    (4) The test must measure the resistance of any wire and harness 
insulation to demonstrate that it satisfies all its performance 
specifications.

E417.39 Ordnance interfaces and manifold qualification.

    (a) General. This section applies to any ordnance interface or 
manifold that is part of a flight termination system. Each ordnance 
interface or manifold must undergo a qualification test that 
demonstrates that the interface or manifold satisfies its 
performance specifications with a reliability of 0.999 at a 95% 
confidence level.
    (b) Interfaces. A qualification test of an ordnance interface 
must demonstrate the interface's reliability. This must include all 
of the following:
    (1) The test must use a simulated flight configured interface 
and test hardware that duplicate the geometry and volume of the 
firing system used on the launch vehicle; and
    (2) The test must account for performance variability due to 
manufacturing and workmanship tolerances such as minimum gap, 
maximum gap, and axial and angular offset.
    (c) Detonation flier plate ordnance transfer systems. A 
qualification test of a detonation flier plate ordnance transfer 
system composed of any component that has a charge or initiates a 
charge, such as electro-explosive devices, exploding bridgewires, 
ordnance delays, explosive transfer systems, destruct charges, and 
percussion-activated devices, must demonstrate the system's 
reliability using one of the following:
    (1) A statistical firing series that varies critical performance 
parameters, including gap and axial and angular alignment, to ensure 
that ordnance initiation occurs across each flight configured 
interface with a reliability of 0.999 at a 95% confidence level;
    (2) Firing 2994 flight units in a flight representative 
configuration to demonstrate that ordnance initiation occurs across 
each flight configured interface with a reliability of 0.999 at a 
95% confidence level; or
    (3) Firing all of the following units to demonstrate a gap 
margin that ensures ordnance initiation:
    (i) Five units at four times the combined maximum system gap;
    (ii) Five units at four times the combined maximum system axial 
misalignment;
    (iii) Five units at four times the combined maximum system 
angular misalignment; and
    (iv) Five units at 50% of the combined minimum system gap.
    (d) Deflagration and pressure sensitive ordnance transfer 
systems. A qualification test of a deflagration or pressure 
sensitive ordnance transfer system composed of devices such as 
ordnance delays, electro-explosive system low energy end-tips, and 
percussion-activated device primers must demonstrate the system's 
reliability using one of the following:
    (1) A statistical firing series that varies critical performance 
parameters, including gap interface, to ensure that ordnance 
initiation occurs across each flight configured interface;
    (2) Firing 2994 flight units in a flight representative 
configuration to demonstrate that ordnance initiation occurs across 
each flight configured interface; or
    (3) Firing all of the following units to demonstrate a 
significant gap margin:
    (i) Five units using a 75% downloaded donor charge across the 
maximum gap; and
    (ii) Five units using a 120% overloaded donor charge across the 
minimum gap.

E417.41 Flight termination system pre-flight testing.

    (a) General. A flight termination system, its subsystems, and 
components must undergo the pre-flight tests required by this 
section to demonstrate that the system will satisfy all its 
performance specifications during the countdown and launch vehicle 
flight. After successful completion of any pre-flight test, if the 
integrity of the system, subsystem, or component is compromised due 
to a configuration change or other event, such as a lightning strike 
or connector de-mate, the system, subsystem, or component must 
repeat the pre-flight test.
    (b) Pre-flight component tests. A component must undergo one or 
more pre-flight tests at the launch site to detect any change in 
performance due to any shipping, storage, or other environments that 
may have affected performance after the component passed the 
acceptance tests. Each test must measure all the component's 
performance parameters and compare the measurements to the 
acceptance test performance baseline to identify any performance 
variations, including any out-of-family results, which may indicate 
potential defects that could result in an in-flight failure.
    (c) Silver-zinc batteries. Any silver-zinc battery that is part 
of a flight termination system must undergo the pre-flight 
activation and tests that table E417.21-1 identifies must take place 
just before installation on the launch vehicle. The time interval 
between pre-flight activation and flight must not exceed the 
battery's performance specification for activated stand time 
capability.
    (d) Nickel-cadmium batteries. Any nickel-cadmium flight 
termination system battery must undergo pre-flight processing and 
testing before installation on the launch vehicle and the processing 
and testing must satisfy all of the following:
    (1) Any pre-flight processing must be equivalent to that used 
during qualification testing to ensure the flight battery's 
performance is equivalent to that of the battery samples that passed 
the qualification tests;
    (2) Each battery must undergo all of the following tests at 
ambient temperature no later than one year before the intended 
flight date and again no earlier than two weeks before the first 
flight attempt:
    (i) A status-of-health test that satisfies section E417.22(j);
    (ii) A charge retention test that satisfies section E417.22(f); 
and
    (iii) An electrical performance test that satisfies section 
E417.22(n); and
    (3) The test results from the battery acceptance tests of 
section E417.22 and the one-year and two-week pre-flight tests of 
paragraph (d)(2) of this section must undergo a comparison to 
demonstrate that the battery satisfies all its performance 
specifications. The flight battery test data must undergo an 
evaluation to identify any out-of-family performance and to ensure 
that there is no degradation in electrical performance that 
indicates an age-related problem.
    (4) In the event of a launch schedule slip, after six weeks have 
elapsed from a pre-flight test, the battery must undergo the test 
again no earlier than two weeks before the next launch attempt.
    (e) Pre-flight testing of a safe-and-arm device that has an 
internal electro-explosive device. An internal electro-explosive 
device in a safe-and-arm device must undergo a pre-flight test that 
satisfies all of the following:
    (1) The test must take place no earlier than 10 calendar days 
before the first flight attempt. If the flight is delayed more than 
14 calendar days or the flight termination system configuration is 
broken or modified for any reason, such as to replace batteries, the 
device must undergo the test again no earlier than 10 calendar days 
before the next flight attempt. A launch operator may extend the 
time between the test and flight if the launch operator demonstrates 
that the electro-explosive device and its firing circuit will each 
satisfy all their performance specifications when subjected to the 
expected environments for the extended period of time;
    (2) The test must include visual checks for signs of any 
physical defect or corrosion; and
    (3) The test must include a continuity and resistance check of 
the electro-explosive device circuit while the safe-and-arm device 
is in the arm position and again while the device is in the safe 
position.
    (f) Pre-flight testing of an external electro-explosive device. 
An external electro-explosive device that is part of a safe-and-arm 
device must undergo a pre-flight test that satisfies all of the 
following:
    (1) The test must take place no earlier than 10 calendar days 
before the first flight attempt. If the flight is delayed more than 
14 calendar days or the flight termination system configuration is 
broken or modified for any reason, such as to replace batteries, the 
device must undergo the test again no earlier than 10 calendar days 
before the next flight attempt. A launch operator may extend the 
time between the test and flight if the launch operator demonstrates 
that the electro-explosive device and its firing circuit will 
satisfy all their performance specifications when subjected to the 
expected environments for the extended period of time; and
    (2) The test must include visual checks for signs of any 
physical defect or corrosion and a resistance check of the electro-
explosive device.
    (g) Pre-flight testing of an exploding bridgewire. An exploding 
bridgewire must undergo a pre-flight test that satisfies all of the 
following:
    (1) The test must take place no earlier than 10 calendar days 
before the first flight attempt. If the flight is delayed more than 
14 calendar days or the flight termination system configuration is 
broken or modified for any reason, such as to replace batteries, the 
exploding bridgewire must undergo the test again no earlier than 10 
calendar days before the next flight attempt. A launch operator may 
extend the time between the test and flight if the launch operator 
demonstrates that the exploding bridgewire will satisfy all its 
performance specifications when subjected to the expected 
environments for the extended period of time.
    (2) The test must verify the continuity of each bridgewire.
    (3) Where applicable, the test must include a high voltage 
static test and a dynamic gap breakdown voltage test to demonstrate 
that any spark gap satisfies all its performance specifications.
    (h) Pre-flight testing for command receiver decoders and other 
electronic components. (1) An electronic component, including any 
component that contains piece part circuitry, such as a command 
receiver decoder, must undergo a pre-flight test that satisfies all 
of the following:
    (i) The test must take place no earlier than 180 calendar days 
before flight. If the 180-day period expires before flight, the 
launch operator must replace the component with one that meets the 
180-day requirement or test the component in place on the launch 
vehicle. The test must satisfy the alternate procedures for testing 
the component on the launch vehicle contained in the test plan and 
procedures required by section E417.1(c); and
    (ii) The component must undergo the test at ambient temperature. 
The test must measure all performance parameters measured during 
acceptance testing.
    (2) A launch operator may substitute an acceptance test for a 
pre-flight test if the acceptance test is performed no earlier than 
180 calendar days before flight.
    (i) Pre-flight subsystem and system level test. A flight 
termination system must undergo the pre-flight subsystem and system 
level tests required by this paragraph after the system's components 
are installed on a launch vehicle to ensure proper operation of the 
final subsystem and system configurations. Each test must compare 
data obtained from the test to data from the 

[[Page 50713]]

pre-flight component tests and acceptance tests to demonstrate that 
there are no discrepancies indicating a flight reliability concern.
    (1) Radio frequency system pre-flight test. All radio frequency 
systems must undergo a pre-flight test that satisfies all of the 
following:
    (i) The test must demonstrate that the flight termination system 
antennas and associated radio frequency systems satisfy all their 
performance specifications once installed in their final flight 
configuration;
    (ii) The test must measure the system's voltage standing wave 
ratio and demonstrate that any insertion losses are within the 
design limits;
    (iii) The test must demonstrate that the radio frequency system, 
from each command control system transmitter antenna used for the 
first stage of flight to each command receiver satisfies all its 
performance specifications;
    (iv) The test must occur no earlier than 90 days before flight; 
and
    (v) The test must demonstrate the functions of each command 
receiver decoder and calibrate the automatic gain control signal 
strength curves, verify the threshold sensitivity for each command, 
and verify the operational bandwidth.
    (2) End-to-end test of a non-secure command receiver decoder 
system. Any flight termination system that uses a non-secure command 
receiver decoder must undergo an end-to-end test of all flight 
termination system subsystems, including command destruct systems 
and inadvertent separation destruct systems. The test must satisfy 
all of the following:
    (i) The test must take place no earlier than 72 hours before the 
first flight attempt. After the test, if the flight is delayed more 
than 14 calendar days or the flight termination system configuration 
is broken or modified for any reason, such as to replace batteries, 
the system must undergo the end-to-end test again no earlier than 72 
hours before the next flight attempt;
    (ii) The flight termination system, except for all ordnance 
initiation devices, must undergo the test in its final onboard 
launch vehicle configuration;
    (iii) The test must use a destruct initiator simulator that 
satisfies Sec.  417.307(h) in place of each flight initiator to 
demonstrate that the command destruct and inadvertent separation 
destruct systems deliver the required energy to initiate the flight 
termination system ordnance;
    (iv) The flight termination system must undergo the test while 
powered by the batteries that the launch vehicle will use for 
flight. A flight termination system battery must not undergo 
recharging at any time during or after the end-to-end test. If the 
battery is recharged at any time before flight the system must 
undergo the end-to-end test again;
    (v) The end-to-end test must exercise all command receiver 
decoder functions critical to flight termination system operation 
during flight, including the pilot or check tone, using the command 
control system transmitters in their flight configuration or other 
representative equipment;
    (vi) The test must demonstrate that all primary and redundant 
flight termination system components, flight termination system 
circuits, and command control system transmitting equipment are 
operational; and
    (vii) The test must exercise the triggering mechanism of all 
electrically initiated inadvertent separation destruct systems to 
demonstrate that each is operational.
    (3) Open-loop test of a non-secure command destruct system. For 
each flight attempt, any flight termination system that uses a non-
secure command receiver decoder must undergo an open-loop radio 
frequency test, no earlier than 60 minutes before the start of the 
launch window, to validate the entire radio frequency command 
destruct link. For each flight attempt, the flight safety system 
must undergo the test again after any break or change in the system 
configuration. The test must satisfy all of the following:
    (i) The system must undergo the test with all flight termination 
system ordnance initiation devices in a safe condition;
    (ii) Flight batteries must power all receiver decoders and other 
electronic components. The test must account for any warm-up time 
needed to ensure the reliable operation of electronic components;
    (iii) The test must exercise the command receiver decoder arm 
function, including the pilot or check tone, using a command control 
transmitter in its flight configuration;
    (iv) The test must demonstrate that each receiver decoder is 
operational and is compatible with the command control transmitter 
system; and
    (v) Following successful completion of the open-loop test, if 
any receiver decoder is turned off or the transmitter system fails 
to continuously transmit the pilot or check tone, the flight 
termination system must undergo the open-loop test again before 
flight.
    (4) Initial open-loop test of a secure high-alphabet command 
destruct system. Any flight termination system that uses a secure 
high-alphabet command receiver decoder must undergo an open-loop 
radio frequency test to demonstrate the integrity of the system 
between the command control transmitter system and launch vehicle 
radio frequency system from the antenna to the command receiver 
decoders. The test must satisfy all of the following:
    (i) The test must occur before loading the secure flight code on 
to the command transmitting system and the command receiver 
decoders;
    (ii) The test must use a non-secure code, also known as a 
maintenance code, loaded on to the command control transmitting 
system and the command receiver decoders;
    (iii) Each command receiver decoder must be powered by either 
the ground or launch vehicle power sources;
    (iv) The command control transmitter system must transmit, open-
loop, all receiver decoder commands required for the flight 
termination system functions, including pilot or check tone to the 
vehicle;
    (v) The test must demonstrate that each command receiver decoder 
receives, decodes and outputs each command sent by the command 
control system; and
    (vi) The testing must demonstrate that all primary and redundant 
flight termination system components, flight termination system 
circuits, and command control system transmitting equipment are 
operational.
    (5) End-to-end test of a secure high-alphabet command destruct 
system. Any flight termination system that uses a secure high-
alphabet command receiver decoder must undergo an end-to-end test of 
all flight termination system subsystems, including command destruct 
systems and inadvertent separation destruct systems. The test must 
satisfy all of the following:
    (i) The system must undergo the test no earlier than 72 hours 
before the first flight attempt. After the test, if the flight is 
delayed more than 14 calendar days or the flight termination system 
configuration is broken or modified for any reason, such as to 
replace batteries, the system must undergo the end-to-end tests 
again no earlier than 72 hours before the next flight attempt;
    (ii) The system must undergo the test in a closed-loop 
configuration using the secure flight code;
    (iii) The flight termination system, except for the ordnance 
initiation devices, must undergo the test in its final onboard 
launch vehicle configuration;
    (iv) The test must use a destruct initiator simulator that 
satisfies Sec.  417.307(h) in place of each flight initiator to 
demonstrate that the command destruct and inadvertent separation 
destruct systems deliver the energy required to initiate the flight 
termination system ordnance;
    (v) The flight termination system must undergo the test while 
powered by the batteries that the launch vehicle will use for 
flight. A flight termination system battery must not undergo 
recharging at any time during or after the end-to-end test. If the 
battery is recharged at any time before flight the system must 
undergo the end-to-end test again;
    (vi) The test must exercise all command receiver decoder 
functions critical to flight termination system operation during 
flight, including the pilot or check tone, in a closed-loop test 
configuration using ground support testing equipment hardwired to 
the launch vehicle radio frequency receiving system;
    (vii) The test must demonstrate that all primary and redundant 
launch vehicle flight termination system components and circuits are 
operational; and
    (viii) The test must exercise the triggering mechanism of all 
electrically initiated inadvertent separation destruct systems to 
demonstrate that they are operational.
    (6) Abbreviated closed-loop test of a secure high-alphabet 
command destruct system. Any flight termination system that uses a 
secure high-alphabet command receiver decoder must undergo an 
abbreviated closed-loop test if, due to a launch scrub or delay, 
more than 72 hours pass since the end-to-end test of paragraph 
(h)(5) of this section. The test must satisfy all of the following:
    (i) The flight termination system must undergo the test in its 
final flight configuration with all flight destruct initiators 
connected and in a safe condition;
    (ii) The test must occur just before launch support tower 
rollback or other similar final countdown event that suspends access 
to the launch vehicle;

[[Page 50714]]

    (iii) Each command receiver decoder must undergo the test 
powered by the flight batteries;
    (iv) The test must exercise all command receiver decoder 
functions critical to flight termination system operation during 
flight except the destruct function, including the pilot or check 
tone, in a closed-loop test configuration using ground support 
testing equipment hardwired to the launch vehicle radio frequency 
receiving system; and
    (v) The test must demonstrate that the launch vehicle command 
destruct system, including each command receiver decoder and all 
batteries, is functioning properly.
    (7) Final open-loop test of a secure high-alphabet command 
destruct system. Any flight termination system that uses a secure 
high-alphabet command receiver decoder must undergo a final open-
loop radio frequency test no earlier than 60 minutes before flight, 
to validate the entire radio frequency command destruct link from 
the command control transmitting system to launch vehicle antenna. 
The test must satisfy all of the following:
    (i) The flight termination system must undergo the test in its 
final flight configuration with all flight destruct initiators 
connected and in a safe condition;
    (ii) Flight batteries must power all receiver decoders and other 
electronic components. The test must account for any warm-up time 
needed for reliable operation of the electronic components;
    (iii) The test must exercise each command receiver decoder's 
self-test function including pilot or check tone using the command 
control system transmitters in their flight configuration;
    (iv) The test must demonstrate that each receiver decoder is 
operational and compatible with the command control transmitter 
system; and
    (v) Following successful completion of the open-loop test, if 
any command receiver decoder is turned off or the transmitter system 
fails to continuously transmit the pilot or check tone, the flight 
termination system must undergo the final open-loop test again 
before flight.

Appendix G of Part 417--Natural and Triggered Lightning Flight Commit 
Criteria

G417.1 General.

    For purposes of this section, the requirement for any weather 
monitoring and measuring equipment needed to satisfy the lightning 
flight commit criteria limits the equipment to only that which is 
needed. Accordingly, the equipment could include a ground-based, or 
airborne field mill, or a weather radar, but may or may not be 
limited to those items. Certain equipment, such as a field mill, 
when utilized with the lightning flight commit criteria, may 
increase launch opportunities because of the ability to verify the 
electric field in any cloud within 5 nautical miles of the flight 
path. However, a field mill is not required in order to satisfy the 
lightning flight commit criteria.
    (a) This appendix provides flight commit criteria to protect 
against natural lightning and lightning triggered by the flight of a 
launch vehicle. A launch operator must apply these criteria under 
Sec.  417.113 (c) for any launch vehicle that utilizes a flight 
safety system.
    (b) The launch operator must employ:
    (1) Any weather monitoring and measuring equipment needed to 
satisfy the lightning flight commit criteria.
    (2) Any procedures needed to satisfy the lightning flight commit 
criteria.
    (c) If a launch operator proposes any alternative lightning 
flight commit criteria, the launch operator must clearly and 
convincingly demonstrate that the alternative provides an equivalent 
level of safety.

G417.3 Definitions, Explanations and Examples.

    For the purpose of appendix G417:
    Anvil cloud means a stratiform or fibrous cloud produced by the 
upper level outflow or blow-off from thunderstorms or convective 
clouds.
    Associated means that two or more clouds are causally related to 
the same weather disturbance or are physically connected. Associated 
does not have to mean occurring at the same time. A cumulus cloud 
formed locally and a cirrus layer that is physically separated from 
that cumulus cloud and that is generated by a distant source are not 
associated, even if they occur over or near the launch point at the 
same time.
    Bright band means an enhancement of radar reflectivity caused by 
frozen hydrometeors falling and beginning to melt at any altitude 
where the temperature is 0 degrees Celsius or warmer.
    Cloud means a visible mass of water droplets or ice crystals 
produced by condensation of water vapor in the atmosphere.
    Cloud edge means the visible boundary, including the sides, 
base, and top, of a cloud as seen by an observer. In the absence of 
a visible boundary as seen by an observer, the 0 dBZ radar 
reflectivity boundary defines a cloud edge.
    Cloud layer means a vertically continuous array of clouds, not 
necessarily of the same type, whose bases are approximately at the 
same level.
    Cumulonimbus cloud means any convective cloud with any part at 
an altitude where the temperature is colder than -20 degrees 
Celsius.
    Debris cloud means any cloud, except an anvil cloud, that has 
become detached from a parent cumulonimbus cloud or thunderstorm, or 
that results from the decay of a parent cumulonimbus cloud or 
thunderstorm.
    Disturbed Weather means a weather system where dynamical 
processes destabilize the air on a scale larger than the individual 
clouds or cells. Examples of disturbed weather include fronts and 
troughs.
    Electric field measurement aloft means the magnitude of the 
instantaneous vector electric field (E) at a known position in the 
atmosphere, such as measured by a suitably instrumented, calibrated, 
and located airborne-field-mill aircraft.
    Electric field measurement at the surface of Earth means the 1-
minute arithmetic average of the vertical electric field (Ez) at the 
ground measured by a ground-based field mill. The polarity of the 
electric field is the same as that of the potential gradient; that 
is, the polarity of the field at Earth's surface is the same as the 
dominant charge overhead. An interpolation based on electric field 
contours is not a measurement for purposes of this appendix.
    Field mill is a specific class of electric-field sensor that 
uses a moving, grounded conductor to induce a time-varying electric 
charge on one or more sensing elements in proportion to the ambient 
electrostatic field.
    Flight path means the planned normal flight trajectory, 
including its vertical and horizontal uncertainties to include the 
sum of the wind effects and the three-sigma guidance and performance 
deviations.
    Moderate precipitation means a precipitation rate of 0.1 inches/
hr or a radar reflectivity factor of 30 dBZ.
    Nontransparent means cloud cover is nontransparent if (1) forms 
seen through it are blurred, indistinct, or obscured; or (2) forms 
are seen distinctly only through breaks in the cloud cover. Clouds 
with a radar reflectivity factor of 0 dBZ or greater are also 
nontransparent.
    Ohms/Square means the surface resistance in ohms when a 
measurement is made from an electrode on one surface extending the 
length of one side of a square of any size to an electrode on the 
same surface extending the length of the opposite side of the 
square. The resistance measured in this way is independent of the 
area of a square.
    Precipitation means detectable rain, snow, hail, graupel, or 
sleet at the ground; virga, or a radar reflectivity factor greater 
than 18 dBZ at altitude.
    Specified Volume means the volume bounded in the horizontal by 
vertical plane, perpendicular sides located 5.5 km (3 NM) north, 
east, south, and west of the point on the flight track, on the 
bottom by the 0 degree C level, and on the top by the upper extent 
of all clouds.
    Thick cloud layer means one or more cloud layers whose combined 
vertical extent from the base of the bottom layer to the top of the 
uppermost layer exceeds a thickness of 4,500 feet. Cloud layers are 
combined with neighboring layers for determining total thickness 
only when they are physically connected by vertically continuous 
clouds, as, for example, when towering clouds in one layer contact 
or merge with clouds in a layer (or layers) above.
    Thunderstorm means any convective cloud that produces lightning.
    Transparent Cloud cover is transparent if objects above, 
including higher clouds, blue sky, and stars can be distinctly seen 
from below; or objects, including terrain, buildings, and lights on 
the ground, can be distinctly seen from above. Transparency is only 
defined for the visible wavelengths.
    Triboelectrification means the transfer of electrical charge 
from ice particles to the launch vehicle when the ice particles rub 
the vehicle during impact.
    Volume-Averaged, Height-Integrated Radar Reflectivity (units of 
dBZ-kilometers) means the product of the volume-averaged radar 
reflectivity and the average cloud thickness within a specified 
volume relative to a point along the flight track.

[[Page 50715]]

    Within is a function word used to specify a distance in all 
directions (horizontal, vertical, and slant separation) between a 
cloud edge and a flight path. For example, ``within 10 nautical 
miles of a thunderstorm cloud'' means that there must be a 10 
nautical mile margin between every part of a thunderstorm cloud and 
the flight path.

G417.5 Lightning.

    (a) A launch operator must not initiate flight for 30 minutes 
after any type of lightning occurs in a thunderstorm if the flight 
path will carry the launch vehicle within 10 nautical miles of that 
thunderstorm.
    (b) A launch operator must not initiate flight for 30 minutes 
after any type of lightning occurs within 10 nautical miles of the 
flight path unless:
    (1) The cloud that produced the lightning is not within 10 
nautical miles of the flight path;
    (2) There is at least one working field mill within 5 nautical 
miles of each such lightning flash; and
    (3) The absolute values of all electric field measurements made 
at the Earth's surface within 5 nautical miles of the flight path 
and at each field mill specified in paragraph (b)(2) of this section 
have been less than 1000 volts/meter for 15 minutes or longer.
    (c) If a cumulus cloud remains 30 minutes after the last 
lightning occurs in a thunderstorm, section G417.7 applies. Sections 
G417.9 and G417.11 apply to any anvil or detached anvil clouds. 
Section G417.13 applies to debris clouds.

G417.7 Cumulus Clouds.

    For the purposes of this section, ``cumulus clouds'' do not 
include altocumulus, cirrocumulus, or stratocumulus clouds.
    (a) A launch operator must not initiate flight if the flight 
path will carry the launch vehicle within 10 nautical miles of any 
cumulus cloud that has a cloud top at an altitude where the 
temperature is colder than -20 degrees Celsius.
    (b) A launch operator must not initiate flight if the flight 
path will carry the launch vehicle within 5 nautical miles of any 
cumulus cloud that has a cloud top at an altitude where the 
temperature is colder than -10 degrees Celsius.
    (c) A launch operator must not initiate flight if the flight 
path will carry the launch vehicle through any cumulus cloud with 
its cloud top at an altitude where the temperature is colder than -5 
degrees Celsius.
    (d) A launch operator must not initiate flight if the flight 
path will carry the launch vehicle through any cumulus cloud that 
has a cloud top at an altitude where the temperature is between +5 
degrees Celsius and -5 degrees Celsius unless:
    (1) The cloud is not producing precipitation;
    (2) The horizontal distance from the center of the cloud top to 
at least one working field mill is less than 2 nautical miles; and
    (3) All electric field measurements made at the Earth's surface 
within 5 nautical miles of the flight path and at each field mill 
used as required by paragraph (d)(2) of this section have been 
between -100 volts/meter and +500 volts/meter for 15 minutes or 
longer.

G417.9 Attached Anvil Clouds.

    (a) A launch operator must not initiate flight if the flight 
path will carry the launch vehicle through, or within 10 nautical 
miles of, a nontransparent part of any attached anvil cloud for the 
first 30 minutes after the last lightning discharge in or from the 
parent cloud or anvil cloud.
    (b) A launch operator must not initiate flight if the flight 
path will carry the launch vehicle through, or within 5 nautical 
miles of, a nontransparent part of any attached anvil cloud between 
30 minutes and three hours after the last lightning discharge in or 
from the parent cloud or anvil cloud unless:
    (1) The portion of the attached anvil cloud within 5 nautical 
miles of the flight path is located entirely at altitudes where the 
temperature is colder than 0 degrees Celsius; and
    (2) The volume-averaged, height-integrated radar reflectivity is 
less than +33 dBZ-kft everywhere along the portion of the flight 
path where any part of the attached anvil cloud is within the 
volume.
    (c) A launch operator must not initiate flight if the flight 
path will carry the launch vehicle through a nontransparent part of 
any attached anvil cloud more than 3 hours after the last lightning 
discharge in or from the parent cloud or anvil cloud unless:
    (1) The portion of the attached anvil cloud within 5 nautical 
miles of the flight path is located entirely at altitudes where the 
temperature is colder than 0 degrees Celsius; and
    (2) The volume-averaged, height-integrated radar reflectivity is 
less than +33 dBZ-kft everywhere along the portion of the flight 
path where any part of the attached anvil cloud is within the 
specified volume.

G417.11 Detached Anvil Clouds.

    For the purposes of this section, detached anvil clouds are 
never considered debris clouds.
    (a) A launch operator must not initiate flight if the flight 
path will carry the launch vehicle through or within 10 nautical 
miles of a nontransparent part of a detached anvil cloud for the 
first 30 minutes after the last lightning discharge in or from the 
parent cloud or anvil cloud before detachment or after the last 
lightning discharge in or from the detached anvil cloud after 
detachment.
    (b) A launch operator must not initiate flight if the flight 
path will carry the launch vehicle within 5 nautical miles of a 
nontransparent part of a detached anvil cloud between 30 minutes and 
3 hours after the time of the last lightning discharge in or from 
the parent cloud or anvil cloud before detachment or after the last 
lightning discharge in or from the detached anvil cloud after 
detachment unless section (1) or (2) is satisfied:
    (1) This section is satisfied if all three of the following 
conditions are met:
    (i) There is at least one working field mill within 5 nautical 
miles of the detached anvil cloud; and
    (ii) The absolute values of all electric field measurements at 
the surface within 5 nautical miles of the flight path and at each 
field mill specified in (1) above have been less than 1000 V/m for 
15 minutes; and
    (iii) The maximum radar return from any part of the detached 
anvil cloud within 5 nautical miles of the flight path has been less 
than 10 dBZ for 15 minutes.
    (2) This section is satisfied if both of the following 
conditions are met:
    (i) The portion of the detached anvil cloud within 5 nautical 
miles of the flight path is located entirely at altitudes where the 
temperature is colder than 0 degrees Celsius; and
    (ii) The volume-averaged, height-integrated radar reflectivity 
is less than +33 dBZ-kft everywhere along the portion of the flight 
path where any part of the detached anvil cloud is within the 
specified volume.
    (c) A launch operator must not initiate flight if the flight 
path will carry the launch vehicle through a nontransparent part of 
a detached anvil cloud unless Section (1) or (2) is satisfied.
    (1) This section is satisfied if both of the following 
conditions are met:
    (i) At least 4 hours have passed since the last lightning 
discharge in or from the detached anvil cloud; and
    (ii) At least 3 hours have passed since the time that the anvil 
cloud is observed to be detached from the parent cloud.
    (2) This section is satisfied if both of the following 
conditions are met.
    (i) The portion of the detached anvil cloud within 5 nautical 
miles of the flight path is located entirely at altitudes where the 
temperature is colder than 0 degrees Celsius; and
    (ii) The volume-averaged, height-integrated radar reflectivity 
is less than +33 dBZ-kft everywhere along the portion of the flight 
path where any part of the detached anvil cloud is within the 
specified volume.

G417.13 Debris Clouds.

    (a) A launch operator must not initiate flight if the flight 
path will carry the launch vehicle through any nontransparent part 
of a debris cloud for 3 hours after the debris cloud is observed to 
be detached from the parent cloud or after the debris cloud is 
observed to have formed from the decay of the parent cloud top to an 
altitude where the temperature is warmer than -10 degrees Celsius. 
The 3-hour period must begin again at the time of any lightning 
discharge in or from the debris cloud.
    (b) A launch operator must not initiate flight if the flight 
path will carry the launch vehicle within 5 nautical miles of a 
nontransparent part of a debris cloud during the 3-hour period 
defined in paragraph (a) of this section, unless:
    (1) There is at least one working field mill within 5 nautical 
miles of the debris cloud;
    (2) The absolute values of all electric field measurements at 
the Earth's surface within 5 nautical miles of the flight path and 
measurements at each field mill employed required by paragraph 
(b)(1) of this section have been less than 1000 volts/meter for 15 
minutes or longer; and
    (3) The maximum radar return from any part of the debris cloud 
within 5 nautical miles of the flight path has been less than 10 dBZ 
for 15 minutes or longer.

G417.15 Disturbed Weather.

    (a) A launch operator must not initiate flight if the flight 
path will carry the launch vehicle through a nontransparent cloud 
associated with disturbed weather that has clouds with cloud tops at 
altitudes where the temperature is colder than 0 degrees Celsius and 
that contains, within 5 nautical miles of the flight path:
    (1) Moderate or greater precipitation; or
    (2) Evidence of melting precipitation such as a radar bright 
band.

G417.17 Thick Cloud Layers.

    (a) A launch operator must not initiate flight if the flight 
path will carry the launch vehicle through a nontransparent part of 
a cloud layer that is:
    (1) Greater than 4,500 feet thick and any part of the cloud 
layer along the flight path is located at an altitude where the 
temperature is between 0 degrees Celsius and -20 degrees Celsius; or
    (2) Connected to a thick cloud layer that, within 5 nautical 
miles of the flight path, is greater than 4,500 feet thick and has 
any part located at any altitude where the temperature is between 0 
degrees Celsius and -20 degrees Celsius.
    (b) A launch operator need not apply the lightning commit 
criteria in paragraphs (a)(1) and (a)(2) of this section if the 
thick cloud layer is a cirriform cloud layer that has never been 
associated with convective clouds, is located only at temperatures 
of -15 degrees Celsius or colder, and shows no evidence of 
containing liquid water.

G417.19 Smoke Plumes.

    (a) A launch operator must not initiate flight if the flight 
path will carry the launch vehicle through any cumulus cloud that 
has developed from a smoke plume while the cloud is attached to the 
smoke plume, or for the first 60 minutes after the cumulus cloud is 
observed to be detached from the smoke plume.
    (b) Section G417.7 applies to cumulus clouds that have formed 
above a fire but have been detached from the smoke plume for more 
than 60 minutes.

G417.21 Surface Electric Fields.

    (a) A launch operator must not initiate flight for 15 minutes 
after the absolute value of any electric field measurement at the 
Earth's surface within 5 nautical miles of the flight path has been 
greater than 1500 volts/meter.
    (b) A launch operator must not initiate flight for 15 minutes 
after the absolute value of any electric field measurement at the 
Earth's surface within 5 nautical miles of the flight path has been 
greater than 1000 volts/meter unless:
    (1) All clouds within 10 nautical miles of the flight path are 
transparent; or
    (2) All nontransparent clouds within 10 nautical miles of the 
flight path have cloud tops at altitudes where the temperature is 
warmer than +5 degrees Celsius and have not been part of convective 
clouds that have cloud tops at altitudes where the temperature is 
colder than -10 degrees Celsius within the last 3 hours.

G417.23 Triboelectrification.

    (a) A launch operator must not initiate flight if the flight 
path will go through any part of a cloud at an altitude where the 
temperature is colder than -10 degrees Celsius up to the altitude at 
which the launch vehicle's velocity exceeds 3000 feet/second, unless:
    (1) The launch vehicle is "treated" for surface 
electrification; or
    (2) A launch operator demonstrates by test or analysis that 
electrostatic discharges on the surface of the launch vehicle caused 
by triboelectrification will not be hazardous to the launch vehicle 
or the spacecraft.
    (b) A launch vehicle is treated for surface electrification if:
    (1) All surfaces of the launch vehicle susceptible to ice 
particle impact are such that the surface resistivity is less than 
10^9 ohms/square; and
    (2) All conductors on surfaces (including dielectric surfaces 
that have been treated with conductive coatings) are bonded to the 
launch vehicle by a resistance that is less than 10^5 ohms.

Appendix H of Part 417--[Reserved]

Appendix I of Part 417--Methodologies for Toxic Release Hazard Analysis 
and Operational Procedures

I417.1 General.

    This appendix provides methodologies for performing toxic 
release hazard analysis for the flight of a launch vehicle as 
required by Sec.  417.229 and for launch processing at a launch site 
in the United States as required by Sec.  417.407(f). The 
requirements of this appendix apply to a launch operator and the 
launch operator's toxic release hazard analysis unless the launch 
operator clearly and convincingly demonstrates that an alternative 
approach provides an equivalent level of safety.

I417.3 Identification of non-toxic and toxic propellants.

    (a) General. A launch operator's toxic release hazard analysis 
for launch vehicle flight (section I417.5) and for launch processing 
(section I417.7) must identify all propellants used for each launch 
and identify whether each propellant is toxic or non-toxic as 
required by this section.
    (b) Non-toxic exclusion. A launch operator need not conduct a 
toxic release hazard analysis under this appendix for flight or 
launch processing if its launch vehicle, including all launch 
vehicle components and payloads, uses only those propellants listed 
in Table I417-1.
[GRAPHIC] [TIFF OMITTED] TR25AU06.099

    (c) Identification of toxic propellants. A launch operator's 
toxic release hazard analysis for flight and for launch processing 
must identify all toxic propellants used for each launch, including 
all toxic propellants on all launch vehicle components and payloads. 
Table I417-2 lists commonly used toxic propellants and the 
associated toxic concentration thresholds used by the Federal launch 
ranges for controlling potential public exposure. The toxic 
concentration thresholds contained in Table I417-2 are peak exposure 
concentrations in parts per million (ppm). A launch operator must 
perform a toxic release hazard analysis to ensure that the public is 
not exposed to concentrations above the toxic concentration 
thresholds for each toxicant involved in a launch. A launch operator 
must use the toxic concentration thresholds contained in table 
I417-2 for those propellants. Any propellant not identified in table 
I417-1 or table I417-2 falls into the category of unique or uncommon 
propellants, such as those identified in table I417-3, which are 
toxic or produce toxic combustion by-products. Table I417-3 is not 
an exhaustive list of possible toxic propellants and combustion 
by-products. For a launch that uses any propellant listed in table 
I417-3 or any other unique propellant not listed, a launch operator 
must identify the chemical composition of the propellant and all 
combustion by-products and the release scenarios. A launch operator 
must determine the toxic concentration threshold in ppm for any 
uncommon toxic propellant or combustion by-product in accordance 
with the following:
    (1) For a toxicant that has a level of concern (LOC) established 
by the U.S. Environmental Protection Agency (EPA), Federal Emergency 
Management Agency (FEMA), or Department of Transportation (DOT), a 
launch operator must use the LOC as the toxic concentration 
threshold for the toxic release hazard analysis except as required 
by paragraph (c)(2) of this section.
    (2) If an EPA acute emergency guidance level (AEGL) exists for a 
toxicant and is more conservative than the LOC (that is, lower after 
reduction for duration of exposure), a launch operator must use the 
AEGL instead of the LOC as the toxic concentration threshold.
    (3) A launch operator must use the EPA's Hazard Quotient/Hazard 
Index (HQ/HI) formulation to determine the toxic concentration 
threshold for mixtures of two or more toxicants.
    (4) If a launch operator must determine a toxic concentration 
threshold for a toxicant for which an LOC has not been established, 
the launch operator must clearly and convincingly demonstrate 
through the licensing process that public exposure at the proposed 
toxic concentration threshold will not cause a casualty.
[GRAPHIC] [TIFF OMITTED] TR25AU06.100

[GRAPHIC] [TIFF OMITTED] TR25AU06.101

[GRAPHIC] [TIFF OMITTED] TR25AU06.102

I417.5 Toxic release hazard analysis for launch vehicle flight.

    (a) General. For each launch, a launch operator's toxic release 
hazard analysis must determine all hazards to the public from any 
toxic release that will occur during the proposed flight of a launch 
vehicle or that would occur in the event of a flight mishap. A 
launch operator must use the results of the toxic release hazard 
analysis to establish for each launch, in accordance with Sec.  
417.113(b), flight commit criteria that protect the public from a 
casualty arising out of any potential toxic release. A launch 
operator's toxic release hazard analysis must determine if toxic 
release can occur based on an evaluation of the propellants, launch 
vehicle materials, and estimated combustion products. This 
evaluation must account for both normal combustion products and the 
chemical composition of any unreacted propellants.
    (b) Evaluating toxic hazards for launch vehicle flight. Each 
launch must satisfy either the exclusion requirements of section 
I417.3(b), the containment requirements of paragraph (c) of this 
section, or the statistical risk management requirements of 
paragraph (d) of this section, to prevent any casualty that could 
arise out of exposure to any toxic release.
    (c) Toxic containment for launch vehicle flight. For a launch 
that uses any toxic propellant, a launch operator's toxic release 
hazard analysis must determine a hazard distance for each toxicant 
and a toxic hazard area for the launch. A hazard distance for a 
toxicant is the furthest distance from the launch point where toxic 
concentrations may be greater than the toxicant's toxic 
concentration threshold in the event of a release during flight. A 
launch operator must determine the toxic hazard distance for each 
toxicant as required by paragraphs (c)(1) and (c)(2) of this 
section. A toxic hazard area defines the region on the Earth's 
surface that may be exposed to toxic concentrations greater than any 
toxic concentration threshold of any toxicant involved in a launch 
in the event of a release during flight. A launch operator must 
determine a toxic hazard area in accordance with paragraph (c)(3) of 
this section. In order to achieve containment, a launch operator 
must evacuate the public from a toxic hazard area as required by 
paragraph (c)(4) of this section or employ meteorological 
constraints as required by paragraph (c)(5) of this section. A 
launch operator must determine the hazard distance for a quantity of 
toxic propellant and determine and implement a toxic hazard area for 
a launch as follows:
    (1) Hazard distances for common propellants. Table I417-4 lists 
toxic hazard distances as a function of propellant quantity and 
toxic concentration threshold for commonly used propellants released 
from a catastrophic launch vehicle failure. Tables I417-10 and 
I417-11 list the hazard distance as a function of solid propellant 
mass for HCl emissions during a launch vehicle failure and during 
normal flight for ammonium perchlorate based solid propellants. A launch 
operator must use the hazard distances corresponding to the toxic 
concentration thresholds established for a launch to determine the 
toxic hazard area for the launch in accordance with paragraph (c)(3) 
of this section.
    (2) Hazard distances for uncommon or unique propellants. For a 
launch that involves any uncommon or unique propellant, a launch 
operator must determine the toxic hazard distance for each such 
propellant using an analysis methodology that accounts for the 
following worst case conditions:
    (i) Surface wind speed of 2.9 knots with a wind speed increase 
of 1.0 knot per 1000 feet of altitude.
    (ii) Surface temperature of 32 degrees Fahrenheit with a dry 
bulb temperature lapse rate of 13.7 degrees Fahrenheit per 1000 feet 
over the first 500 feet of altitude and a lapse rate of 3.0 degrees 
F per 1000 feet above 500 feet.
    (iii) Directional wind shear of 2 degrees per 1000 feet of 
altitude.
    (iv) Relative humidity of 50 percent.
    (v) Capping temperature inversion at the thermally stabilized 
exhaust cloud center of mass altitude.
    (vi) Worst case initial source term assuming instantaneous 
release of fully loaded propellant storage tanks or pressurized 
motor segments.
    (vii) Worst case combustion or mixing ratios such that 
production of toxic chemical species is maximized within the bounds 
of reasonable uncertainties.
    (viii) Evaluation of toxic hazards for both normal launch and 
vehicle abort failure modes.
[GRAPHIC] [TIFF OMITTED] TR25AU06.103

[GRAPHIC] [TIFF OMITTED] TR25AU06.104

    (3) Toxic hazard area. Having determined the toxic hazard 
distance for each toxicant, a launch operator must determine the 
toxic hazard area for a launch as a circle centered at the launch 
point with a radius equal to the greatest toxic hazard distance 
determined as required by paragraphs (c)(1) and (c)(2) of this 
section, of all the toxicants involved in the launch. A launch 
operator does not have to satisfy paragraph (c)(3) of this section 
if:
    (i) The launch operator demonstrates that there are no populated 
areas contained or partially contained within the toxic hazard area; 
and
    (ii) The launch operator ensures that no member of the public is 
present within the toxic hazard area during preflight fueling, 
launch countdown, flight and immediate postflight operations at the 
launch site. To ensure the absence of the public, a launch operator 
must develop flight commit criteria and related provisions for 
implementation as part of the launch operator's flight safety plan 
and hazard area surveillance and clearance plan developed under 
Sec. Sec.  417.111(b) and 417.111(j), respectively.
    (4) Evacuation of populated areas within a toxic hazard area. 
For a launch where there is a populated area that is contained or 
partially contained within a toxic hazard area, the launch operator 
does not have to satisfy paragraph (c)(5) of this section if the 
launch operator evacuates all people from all populated areas at 
risk and ensures that no member of the public is present within the 
toxic hazard area during preflight fueling and flight. A launch 
operator must develop flight commit criteria and provisions for 
implementation of the evacuations as part of the launch operator's 
flight safety plan, hazard area surveillance and clearance plan, and 
local agreements and public coordination plan developed according to 
Sec. Sec.  417.111(b), 417.111(j) and 417.111(i), respectively.
    (5) Flight meteorological constraints. For a launch where there 
is a populated area that is contained or partially contained within 
a toxic hazard area and that will not be evacuated under paragraph 
(c)(4) of this section, the launch is exempt from any further 
requirements of this section if the launch operator constrains the 
flight of a launch vehicle to favorable wind conditions or during 
times when atmospheric conditions result in reduced toxic hazard 
distances such that any potentially affected populated area is 
outside the toxic hazard area. A launch operator must employ wind 
and other meteorological constraints as follows:
    (i) When employing wind constraints, a launch operator must 
redefine the toxic hazard area by reducing the circular toxic hazard 
area determined under paragraph (c)(3) of this section to one or 
more arc segments that do not contain any populated area. Each arc 
segment toxic hazard area must have the same radius as the circular 
toxic hazard area and must be defined by a range of downwind 
bearings.
    (ii) The launch operator must demonstrate that there are no 
populated areas within any arc segment toxic hazard area and that no 
member of the public is present within an arc segment toxic hazard 
area during preflight fueling, launch countdown, and immediate 
postflight operations at the launch site.
    (iii) A launch operator must establish wind constraints to 
ensure that any winds present at the time of flight will transport 
any toxicant into an arc segment toxic hazard area and away from any 
populated area. For each arc segment toxic hazard area, the wind 
constraints must consist of a range of downwind bearings that are 
within the arc segment toxic hazard area and that provide a safety 
buffer, in both the clockwise and counterclockwise directions, that 
accounts for any uncertainty in the spatial and temporal variations 
of the transport winds. When determining the wind uncertainty, a 
launch operator must account for the variance of the mean wind 
directions derived from measurements of the winds through the first 
6000 feet in altitude at the launch point. Each clockwise and 
counterclockwise safety buffer must be no less than 20 degrees of 
arc width within the arc segment toxic hazard area. A launch 
operator must ensure that the wind conditions at the time of flight 
satisfy the wind constraints. To accomplish this, a launch operator 
must monitor the launch site vertical profile of winds from the 
altitude of the launch point to no less than 6,000 feet above ground 
level. The 
launch operator must proceed with a launch only if all wind vectors 
within this vertical range satisfy the wind constraints. A launch 
operator must develop wind constraint flight commit criteria and 
implementation provisions as part of the launch operator's flight 
safety plan and its hazard area surveillance and clearance plan 
developed according to Sec. Sec.  417.111(b) and 417.111(j), 
respectively.
    (iv) A launch operator may reduce the radius of the circular 
toxic hazard area determined in accordance with paragraph (c)(3) of 
this section by imposing operational meteorological restrictions on 
specific parameters that mitigate potential toxic downwind 
concentration levels at any potentially affected populated area to 
levels below the toxic concentration threshold of each toxicant in 
question. The launch operator must establish meteorological 
constraints to ensure that flight will be allowed to occur only if 
the specific meteorological conditions that would reduce the toxic 
hazard area exist and will continue to exist throughout the flight.
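
The arc segment wind constraint of paragraphs (c)(5)(i) through (c)(5)(iii), worked as an added Python example that is not part of the rule text. All names are hypothetical; it assumes winds are reported as the direction they blow from (so the downwind bearing is that direction plus 180 degrees) and that each populated area is described by the bearings it spans and its nearest distance from the launch point.

```python
from dataclasses import dataclass

MIN_BUFFER_DEG = 20.0        # floor on each safety buffer, paragraph (c)(5)(iii)
MIN_PROFILE_TOP_FT = 6000.0  # wind profile must reach at least this height AGL


def cw_span(start_deg, end_deg):
    """Clockwise angular distance from start to end, in [0, 360)."""
    return (end_deg - start_deg) % 360.0


@dataclass(frozen=True)
class Arc:
    """A range of bearings swept clockwise from ccw_edge to cw_edge (degrees)."""
    ccw_edge: float
    cw_edge: float

    @property
    def width(self):
        return cw_span(self.ccw_edge, self.cw_edge)

    def contains(self, bearing_deg):
        # Measuring from the counterclockwise edge handles wrap through north.
        return cw_span(self.ccw_edge, bearing_deg) <= self.width

    def overlaps(self, other):
        return self.contains(other.ccw_edge) or other.contains(self.ccw_edge)

    def shrink(self, buffer_deg):
        """Allowed downwind bearings: the arc minus a buffer at each edge."""
        if 2 * buffer_deg >= self.width:
            return None  # too narrow to hold both buffers
        return Arc((self.ccw_edge + buffer_deg) % 360.0,
                   (self.cw_edge - buffer_deg) % 360.0)


@dataclass(frozen=True)
class PopulatedArea:
    name: str
    bearings: Arc      # bearings from the launch point that the area spans
    nearest_nm: float  # distance from the launch point to its nearest edge


def populated_areas_in_segment(segment, radius_nm, areas):
    """Paragraph (c)(5)(ii): names of populated areas inside an arc segment."""
    return [a.name for a in areas
            if a.nearest_nm <= radius_nm and segment.overlaps(a.bearings)]


def wind_commit(segments, buffer_deg, profile):
    """Return (go, reasons) for a profile of (height_agl_ft, wind_from_deg)."""
    if buffer_deg < MIN_BUFFER_DEG:
        raise ValueError("safety buffer must be no less than 20 degrees")
    windows = [w for w in (s.shrink(buffer_deg) for s in segments) if w]
    reasons = []
    if not windows:
        reasons.append("no arc segment is wide enough to hold both buffers")
    if not profile or max(h for h, _ in profile) < MIN_PROFILE_TOP_FT:
        reasons.append("wind profile does not reach 6,000 ft AGL")
    # Every measured level must carry a release into an allowed window.
    for height_ft, wind_from in profile:
        downwind = (wind_from + 180.0) % 360.0
        if not any(w.contains(downwind) for w in windows):
            reasons.append(f"{height_ft:.0f} ft: downwind bearing "
                           f"{downwind:.0f} is outside the allowed range")
    return (not reasons, reasons)


# Constructed sample data (not taken from the rule or from any launch site).
RADIUS_NM = 5.0
AREAS = [PopulatedArea("Town A", Arc(50.0, 70.0), 3.0),
         PopulatedArea("Town B", Arc(90.0, 120.0), 4.0)]
SEGMENT = Arc(300.0, 40.0)  # wraps through north; allowed window is 320-020
PROFILE_GO = [(0, 170.0), (2000, 180.0), (4000, 190.0), (6000, 195.0)]
PROFILE_SHEAR = [(0, 170.0), (2000, 180.0), (4000, 190.0), (6000, 215.0)]
PROFILE_SHORT = [(0, 170.0), (4000, 190.0)]

if __name__ == "__main__":
    print(populated_areas_in_segment(SEGMENT, RADIUS_NM, AREAS))
    for label, prof in (("go", PROFILE_GO), ("shear", PROFILE_SHEAR),
                        ("short", PROFILE_SHORT)):
        print(label, wind_commit([SEGMENT], 20.0, prof))
```

In the sheared profile the 6,000-foot wind still points inside the arc segment, but it falls in the 20-degree buffer, so the check returns no-go.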
    (d) Statistical toxic risk management for flight. If a launch 
that involves the use of a toxic propellant does not satisfy the 
containment requirements of paragraph (c) of this section, the 
launch operator must use statistical toxic risk management to 
protect public safety. For each such case, a launch operator must 
perform a toxic risk assessment and develop launch commit criteria 
that protect the public from unacceptable risk due to planned and 
potential toxic release. A launch operator must ensure that the 
resultant toxic risk meets the collective and individual risk 
criteria requirements contained in Sec.  417.107(b). A launch 
operator's toxic risk assessment must account for the following:
    (1) All credible vehicle failure and non-failure modes, along 
with the consequent release and combustion of propellants and other 
vehicle combustible materials.
    (2) All vehicle failure rates.
    (3) The effect of positive or negative buoyancy on the rise or 
descent of each released toxicant.
    (4) The influence of atmospheric physics on the transport and 
diffusion of each toxicant.
    (5) Meteorological conditions at the time of launch.
    (6) Population density, location, susceptibility (health 
categories) and sheltering for all populations within each potential 
toxic hazard area.
    (7) Exposure duration and toxic propellant concentration or 
dosage that would result in casualty for all populations.
    (e) Flight toxic release hazard analysis products. The products 
of a launch operator's toxic release hazard analysis for launch 
vehicle flight to be filed in accordance with Sec.  417.203(e) must 
include the following:
    (1) For each launch, a listing of all propellants used on all 
launch vehicle components and any payloads.
    (2) The chemical composition of each toxic propellant and all 
toxic combustion products.
    (3) The quantities of each toxic propellant and all toxic 
combustion products involved in the launch.
    (4) For each toxic propellant and combustion product, 
identification of the toxic concentration threshold used in the 
toxic risk analysis and a description of how the toxic concentration 
threshold was determined if other than specified in table I417-2.
    (5) When using the toxic containment approach of paragraph (c) 
of this section:
    (i) The hazard distance for each toxic propellant and combustion 
product and a description of how it was determined.
    (ii) A graphic depiction of the toxic hazard area or areas.
    (iii) A listing of any wind or other constraints on flight, and 
any plans for evacuation.
    (iv) A description of how the launch operator determines 
real-time wind direction in relation to the launch site and any populated 
area and any other meteorological condition in order to implement 
constraints on flight or to implement evacuation plans.
    (6) When using the statistical toxic risk management approach of 
paragraph (d) of this section:
    (i) A description of the launch operator's toxic risk management 
process, including an explanation of how the launch operator ensures 
that any toxic risk from launch meets the toxic risk criteria of 
Sec.  417.107(b).
    (ii) A listing of all models used.
    (iii) A listing of all flight commit criteria that protect the 
public from unacceptable risk due to planned and potential toxic 
release.
    (iv) A description of how the launch operator measures and 
displays real-time meteorological conditions in order to determine 
whether conditions at the time of flight are within the envelope of 
those used by the launch operator for toxic risk assessment and to 
develop flight commit criteria, or for use in any real-time physics 
models used to ensure compliance with the toxic flight commit 
criteria.

I417.7 Toxic release hazard analysis for launch processing.

    (a) General. A launch operator must perform a toxic release 
hazard analysis to determine potential public hazards from toxic 
releases that will occur during normal launch processing and that 
will occur in the event of a mishap during launch processing. This 
section implements the ground safety requirements of Sec.  
417.407(g). A launch operator must use the results of the toxic 
release hazard analysis to establish hazard controls for protecting 
the public. A launch operator must include the toxic release hazard 
analysis results in the ground safety plan as required by Sec.  
417.111(c).
    (b) Process hazards analysis. A launch operator must perform an 
analysis on all processes to identify toxic hazards and determine 
the potential for release of a toxic propellant. The analysis must 
account for the complexity of the process and must identify and 
evaluate the hazards and each hazard control involved in the 
process. An analysis that complies with 29 CFR 1910.119(e) satisfies 
paragraphs (b)(1) and (b)(2) of this section. A launch operator's 
process hazards analysis must include the following:
    (1) Identify and evaluate each hazard of a process involving a 
toxic propellant using an analysis method, such as a failure mode 
and effects analysis or fault tree analysis.
    (2) Describe:
    (i) Each toxic hazard associated with the process and the 
potential for release of toxic propellants;
    (ii) Each mishap or incident experienced which has a potential 
for catastrophic consequences;
    (iii) Each engineering and administrative control applicable to 
each hazard and their interrelationships, such as application of 
detection methodologies to provide early warning of releases and 
evacuation of toxic hazard areas prior to conducting an operation 
that involves a toxicant;
    (iv) Consequences of failure of engineering and administrative 
controls;
    (v) Location of the source of the release;
    (vi) All human factors;
    (vii) Each opportunity for equipment malfunction or human error 
that can cause an accidental release;
    (viii) Each safeguard used or needed to control each hazard or 
prevent equipment malfunctions or human error;
    (ix) Each step or procedure needed to detect or monitor 
releases; and
    (x) A qualitative evaluation of a range of the possible safety 
and health effects of failure of controls.
    (3) The process hazards analysis must be updated for each 
launch. The launch operator must conduct a review of all the hazards 
associated with each process involving a toxic propellant for launch 
processing. The review must include inspection of equipment to 
determine whether the process is designed, fabricated, maintained, 
and operated according to the current process hazards analysis. A 
launch operator must revise a process hazards analysis to reflect 
changes in processes, types of toxic propellants stored or handled, 
or other aspects of a source of a potential toxic release that can 
affect the results of overall toxic release hazard analysis.
    (4) The personnel who perform a process hazard analysis must 
possess expertise in engineering and process operations, and at 
least one person must have experience and knowledge specific to the 
process being evaluated. At least one person must be knowledgeable 
in the specific process hazard analysis methodology being used.
    (5) A launch operator must resolve all recommendations resulting 
from a process hazards analysis in a timely manner prior to launch 
processing and the resolution must be documented. The documentation 
must identify each corrective action and include a written schedule 
of when any such actions are to be completed.
    (c) Evaluating toxic hazards of launch processing. A launch 
operator must protect the public from each potential toxic hazard 
identified by the process hazards analysis required by paragraph (b) 
of this section, the exclusion requirements of section I417.3(b), 
the containment requirements of paragraph (d) of this section, or 
the statistical risk management requirements of paragraph (l) of 
this section, to prevent any casualty that could arise out of 
exposure to any toxic release.

    (d) Toxic containment for launch processing. A launch operator's 
toxic release hazard analysis must determine a toxic hazard area 
surrounding the potential release site for each toxic propellant 
based on the amount and toxicity of the propellant and the 
meteorological conditions involved. A launch operator must determine 
whether there are populated areas located within a toxic hazard area 
that satisfy paragraph (h) of this section. If necessary to achieve 
toxic containment, a launch operator must evacuate the public in 
order to satisfy paragraph (i) of this section or employ 
meteorological constraints that satisfy paragraph (j) of this 
section. A launch operator, in determining a toxic hazard area, must 
first perform a worst-case release scenario analysis that satisfies 
paragraph (e) of this section or a worst-case alternative release 
scenario analysis that satisfies paragraph (f) of this section for 
each process that involves a toxic propellant. The launch operator 
must then determine a toxic hazard distance for each process that 
satisfies paragraph (g) of this section.
    (e) Worst-case release scenario analysis. A launch operator's 
worst-case release scenario analysis must account for the following:
    (1) Determination of worst-case release quantity. A launch 
operator must determine the worst-case release quantity of a toxic 
propellant by selecting the greater of the following:
    (i) For substances in a vessel, the greatest amount held in a 
single vessel, accounting for administrative controls that limit the 
maximum quantity; or
    (ii) For toxic propellants in pipes, the greatest amount in a 
pipe, accounting for administrative controls that limit the maximum 
quantity.
    (2) Worst-case release scenario for toxic liquids. A launch 
operator must determine the worst-case release scenario for a toxic 
liquid propellant as follows:
    (i) A launch operator must assume that for toxic propellants 
that are normally liquids at ambient temperature, the quantity in 
the vessel or pipe, as determined in paragraph (e)(1) of this 
section, is spilled instantaneously to form a liquid pool.
    (ii) The launch operator must determine surface area of the pool 
by assuming that the liquid spreads to one centimeter deep unless 
passive mitigation systems are in place that serve to contain the 
spill and limit the surface area. Where passive mitigation is in 
place, the launch operator must use the surface area of the 
contained liquid to calculate the volatilization rate.
    (iii) If the release occurs on a surface that is not paved or 
smooth, the launch operator may account for actual surface 
characteristics.
    (iv) The volatilization rate must account for the highest daily 
maximum temperature occurring in the past three years, the 
temperature of the substance in the vessel, and the concentration of 
the toxic propellants if the liquid spilled is a mixture or 
solution.
    (v) The launch operator must determine rate of release to the 
air from the volatilization rate of the liquid pool. A launch 
operator must use either the methodology provided in the Risk 
Management Plan (RMP) Offsite Consequence Analysis Guidance, dated 
April 1999, available at http://www.epa.gov/swercepp/ap-ocgu.htm, or 
an air dispersion modeling technique that satisfies paragraph (g) of 
this section.
    (3) Worst-case release scenario for toxic gases. A launch 
operator must determine the worst-case release scenario for a toxic 
gas as follows:
    (i) For toxic propellants that are normally gases at ambient 
temperature and handled as a gas or as a liquid under pressure, the 
launch operator must assume that the quantity in the vessel, or 
pipe, as determined in paragraph (e)(1) of this section, is released 
as a gas over 10 minutes. The launch operator must assume a release 
rate that is the total quantity divided by 10 unless passive 
mitigation systems are in place.
    (ii) For gases handled as refrigerated liquids at ambient 
pressure, if the released toxic propellant is not contained by 
passive mitigation systems or if the contained pool would have a 
depth of 1 cm or less, the launch operator must assume that the 
toxic propellant is released as a gas in 10 minutes.
    (iii) For gases handled as refrigerated liquids at ambient 
pressure, if the released toxic propellant is contained by passive 
mitigation systems in a pool with a depth greater than 1 cm, the 
launch operator must assume that the quantity in the vessel or pipe, 
as defined in paragraph (e)(1) of this section, is spilled 
instantaneously to form a liquid pool. The launch operator must 
calculate the volatilization rate at the boiling point of the toxic 
propellant and at the conditions defined in paragraph (e)(2) of this 
section.
    (4) Consideration of passive mitigation. The launch operator 
must account for passive mitigation systems in the analysis of a 
worst case release scenario if the passive mitigation system is 
capable of withstanding the release event triggering the scenario 
and would function as intended.
    (5) Additional factors in selecting a worst-case scenario. A 
launch operator's worst-case release scenario for a toxic propellant 
must account for each factor that would result in a greater toxic 
hazard distance, such as a smaller quantity of the toxic propellant 
than required by paragraph (e)(1) of this section, that is handled 
at a higher process temperature or pressure.
    (f) Worst-case alternative release scenario analysis. A launch 
operator's worst-case alternative release scenario analysis must 
account for the following:
    (1) The worst-case release scenario for each toxic propellant 
and for each toxic propellant handling process;
    (2) Each release event that is more likely to occur than the 
worst-case release scenario that is determined in paragraph (e) of 
this section;
    (3) Each release scenario that exceeds a toxic concentration 
threshold at a distance that reaches the general public;
    (4) Each potential transfer hose release due to splits or sudden 
hose uncoupling;
    (5) Each potential process piping release from failures at 
flanges, joints, welds, valves, valve seals, and drain bleeds;
    (6) Each potential process vessel or pump release due to cracks, 
seal failure, or drain, bleed, or plug failure;
    (7) Each vessel overfilling and spill, or overpressurization 
and venting through relief valves or rupture disks;
    (8) Shipping container mishandling and breakage or puncturing 
leading to a spill;
    (9) Mishandling or dropping flight or ground hardware that 
contains toxic commodities;
    (10) Each active and passive mitigation system provided they are 
capable of withstanding the event that triggered the release and 
would still be functional;
    (11) History of each accident experienced by the launch operator 
involving the release of a toxic propellant; and
    (12) Each failure scenario.
    (g) Toxic hazard distances for launch processing. For each 
process involving a toxic propellant, a launch operator must perform 
an air dispersion analysis to determine the hazard distance for the 
worst-case release scenario or the worst-case alternative release 
scenario as determined under paragraphs (e) and (f) of this section. 
A launch operator must use either the methodology provided in the 
RMP Offsite Consequence Analysis Guidance, dated April 1999, or an 
air dispersion modeling technique that is applicable to the proposed 
launch. A launch operator's air dispersion modeling technique must 
account for the following analysis parameters:
    (1) Toxic concentration thresholds. A launch operator must use 
the toxic concentration thresholds defined by section I417.3(c).
    (2) Wind speed and atmospheric stability class. A launch 
operator, for the worst-case release analysis, must use a wind speed 
of 1.5 meters per second and atmospheric stability class F. If the 
launch operator demonstrates that local meteorological data 
applicable to the source of a toxic release show a higher 
minimum wind speed or less stable atmosphere during the three 
previous years, the launch operator may use these minimums. The 
launch operator, for analysis of the worst-case alternative 
scenario, must use statistical meteorological conditions for the 
location of the source.
    (3) Ambient temperature and humidity. For a worst-case release 
scenario analysis of a toxic propellant, the launch operator must 
use the highest daily maximum temperature from the last three years 
and average humidity for the site, based on temperature and humidity 
data gathered at the source location or at a local meteorological 
station. For analysis of a worst-case alternative release scenario, 
the launch operator must use typical temperature and humidity data 
gathered at the source location or at a local meteorological 
station.
    (4) Height of release. The launch operator must analyze the 
worst-case release of a toxic propellant assuming a ground level 
release. For a worst-case alternative scenario analysis of a toxic 
propellant, the release scenario may determine release height.
    (5) Surface roughness. The launch operator must use either an 
urban or rural topography, as appropriate. Urban means that there 
are many obstacles in the immediate area;

[[Page 50725]]

obstacles include buildings or trees. Rural means there are no 
buildings in the immediate area and the terrain is generally flat 
and unobstructed.
    (6) Dense or neutrally buoyant gases. Models or tables used for 
dispersion analysis of a toxic propellant must account for gas 
density.
    (7) Temperature of release substance. For a worst-case release 
scenario, the launch operator must account for the release of 
liquids other than gases liquefied by refrigeration at the highest 
daily maximum temperature, based on data for the previous three 
years appropriate to the source of the potential toxic release, or 
at process temperature, whichever is higher. For a worst-case 
alternative scenario, the launch operator may consider toxic 
propellants released at a process or ambient temperature that is 
appropriate for the scenario.
    (h) Toxic hazard areas for launch processing. A launch operator, 
having determined the toxic hazard distance for the toxic 
concentration threshold for each toxic propellant involved in a 
process using either a worst-case release scenario or a worst-case 
alternative release scenario, must determine the toxic hazard area 
for the process as a circle centered at the potential release point 
with a radius equal to the greatest toxic hazard distance for the 
toxic propellants involved in the process. A launch operator does 
not have to satisfy this section if:
    (1) There are no populated areas contained or partially 
contained within the toxic hazard area; and
    (2) There is no member of the public present within the toxic 
hazard area during the process.
    (i) Evacuation of populated areas within a toxic hazard area. 
For a process where there is a populated area that is contained or 
partially contained within the toxic hazard area, the launch 
processing operation does not have to satisfy this section if the 
launch operator evacuates the public from the populated area and 
ensures that no member of the public is present within the toxic 
hazard area during the operation. A launch operator must coordinate 
notification and evacuation procedures with the Local Emergency 
Planning Committee (LEPC) and ensure that notification and 
evacuation occur according to its launch plans, including the 
launch operator's ground safety plan, hazard area surveillance and 
clearance plan, accident investigation plan, and local agreements 
and public coordination plan.
    (j) Meteorological constraints for launch processing. For a 
launch processing operation with the potential for a toxic release 
where there is a populated area that is contained or partially 
contained within the toxic hazard area and that will not be 
evacuated as required by paragraph (i) of this section, the 
operation is exempt from further requirements in this section if the 
launch operator constrains the process to favorable wind conditions 
or during times when atmospheric conditions result in reduced toxic 
hazard distances such that the potentially affected populated area 
is outside the toxic hazard area. A launch operator must employ wind 
and other meteorological constraints that satisfy the following:
    (1) A launch operator must limit a launch processing operation 
to times during which prevailing winds will transport a toxic 
release away from populated areas that would otherwise be at risk. 
If the mean wind speed during the operation is equal to or greater 
than four knots, the launch operator must re-define the toxic hazard 
area by reducing the circular toxic hazard area as determined in 
paragraph (h) of this section to one or more arc segments that do 
not contain a populated area. Each arc segment toxic hazard area 
must have the same radius as the circular toxic hazard area and must 
be defined by a range of downwind bearings. If the mean wind speed 
during the operation is less than four knots, the toxic hazard area 
for the operation must be the full 360-degree toxic hazard area as 
defined by paragraph (h) of this section. The total arc width of an 
arc segment hazard area for launch processing must be greater than 
or equal to 30 degrees. If the launch operator determines the 
standard deviation of the measured wind direction, the total arc 
width of an arc segment hazard area must include all azimuths within 
the mean measured wind direction plus three sigma and the mean 
measured wind direction minus three sigma; otherwise, the following 
apply for the conditions defined by the Pasquill-Gifford 
meteorological stability classes:
    (i) For stable classes D-F, if the mean wind speed is less than 
10 knots, the total arc width of the arc segment toxic hazard area 
must be no less than 90 degrees;
    (ii) For stable classes D-F, if the mean wind speed is greater 
than or equal to 10 knots, the total arc width of the arc segment 
toxic hazard area must be no less than 45 degrees;
    (iii) For neutral class C, the total arc width of the arc 
segment toxic hazard area must be no less than 60 degrees;
    (iv) For slightly unstable class B, the total arc width of the 
arc segment toxic hazard area must be no less than 105 degrees; and
    (v) For mostly unstable class A, the total arc width of the arc 
segment toxic hazard area must be no less than 150 degrees.
    (2) The launch operator must ensure that there are no populated 
areas within an arc segment toxic hazard area and that no member of 
the public is present within an arc segment toxic hazard area during 
the process as defined by paragraph (i) of this section.
    (3) A launch operator must establish wind constraints to ensure 
that winds present at the time of an operation will transport 
toxicants into an arc segment toxic hazard area and away from 
populated areas. For each arc segment toxic hazard area, the wind 
constraints must consist of a range of downwind bearings that are 
within the arc segment toxic hazard area and that provide a safety 
buffer, in both the clockwise and counterclockwise directions, that 
accounts for uncertainty in the spatial and temporal variations of 
the transport winds.
    (4) A launch operator may reduce the radius of the circular 
toxic hazard area as determined under paragraph (h) of this section 
by imposing operational meteorological restrictions on specific 
parameters that mitigate potential toxic downwind concentration 
levels at a potentially affected populated area to levels below the 
toxic concentration threshold of the toxicant in question. The 
launch operator must establish meteorological constraints to ensure 
that the operation will be allowed to occur only if the specific 
meteorological conditions that would reduce the toxic hazard area 
exist and will continue to exist throughout the operation, or the 
operation will be terminated.
    (k) Implementation of meteorological constraints. A launch 
operator must use one or more of the following approaches to 
determine wind direction or other meteorological conditions in order 
to establish constraints on a launch processing operation or 
evacuate the populated area in a potential toxic hazard area:
    (1) The launch operator must ensure that the wind conditions at 
the time of the process comply with the wind constraints used to 
define each arc segment toxic hazard area. The launch operator must 
monitor the vertical profile of winds at the potential toxic release 
site from ground level to an altitude of 10 meters or the maximum 
height above ground of the potential release, whichever is larger. 
The launch operator may proceed with a launch processing operation 
only if wind vectors meet the wind constraints used to define each 
arc segment toxic hazard area.
    (2) A launch operator must monitor the specific meteorological 
parameters that affect toxic downwind concentrations at a potential 
toxic release site for a process and for the sphere of influence out 
to each populated area within the potential toxic hazard area as 
defined by paragraph (h) of this section. The launch operator must 
monitor spatial variations in the wind field that could affect the 
transport of toxic material between the potential release site and 
populated areas. The launch operator must acquire real-time 
meteorological data from sites between the potential release site 
and each populated area sufficient to demonstrate that the toxic 
hazard area, when adjusted to the spatial wind field variations, 
excludes populated areas. Meteorological parameters that affect 
toxic downwind concentrations from the potential release site and 
covering the sphere of influence out to the populated areas must 
fall within the conditions as determined in paragraph (j)(4) of this 
section. A launch operator must use one of the following methods to 
determine the meteorological conditions that will constrain a launch 
processing operation:
    (i) A launch operator may employ real-time air dispersion models 
to determine the toxic hazard distance for the toxic concentration 
threshold and proximity of a toxicant to populated areas. A launch 
operator, when employing this method, must proceed with a launch 
processing operation only if real-time modeling of the potential 
release demonstrates that the toxic hazard distance would not reach 
populated areas. The launch operator's process for carrying out this 
method must include the use of an air dispersion modeling technique 
that complies with paragraph (g) of this section and providing real-
time meteorological data for the sphere of influence around a 
potential toxic release site as input to the air dispersion model. 
The launch operator's

[[Page 50726]]

process must also include a review of the meteorological conditions 
to identify changing conditions that could affect the toxic hazard 
distance for a toxic concentration threshold prior to proceeding 
with the operation.
    (ii) A launch operator may use air dispersion modeling 
techniques to define the meteorological conditions that, when 
present, would prevent a toxic hazard distance for a toxic 
concentration threshold from reaching populated areas. The launch 
operator, when employing this method, must constrain the associated 
launch processing operation to be conducted only when the prescribed 
meteorological conditions exist. A launch operator's air dispersion 
modeling technique must comply with paragraph (g) of this section.
    (l) Statistical toxic risk management for launch processing. The 
launch operator must use statistical toxic risk management to 
protect public safety if a process that involves the use of a toxic 
propellant does not satisfy the containment requirements of 
paragraph (d) of this section. A launch operator, for each such 
case, must perform a toxic risk assessment and develop criteria that 
protect the public from risks due to planned and potential toxic 
release. A launch operator must ensure that the resultant toxic risk 
meets the collective and individual risk criteria requirements 
defined in Sec.  417.107(b). A launch operator's toxic risk 
assessment must account for the following:
    (1) All credible equipment failure and non-failure modes, along 
with the consequent release and combustion of toxic propellants;
    (2) Equipment failure rates;
    (3) The effect of positive or negative buoyancy on the rise or 
descent of the released toxic propellants;
    (4) The influence of atmospheric physics on the transport and 
diffusion of toxic propellants released;
    (5) Meteorological conditions at the time of the process;
    (6) Population density, location, susceptibility (health 
categories) and sheltering for populations within each potential 
toxic hazard area; and
    (7) Exposure duration and toxic propellant concentration or 
dosage that would result in casualty for populations.
    (m) Launch processing toxic release hazard analysis products. 
The products of a launch operator's toxic release hazards analysis 
for launch processing must include the following:
    (1) For each worst-case release scenario, a description of the 
vessel or pipeline and toxic propellant selected as the worst case 
for each process, assumptions and parameters used, and the rationale 
for selection of that scenario. Assumptions must include use of 
administrative controls and passive mitigation that were assumed to 
limit the quantity that could be released. The description must 
include the anticipated effect of the controls and mitigation on the 
release quantity and rate;
    (2) For each worst-case alternative release scenario, a 
description of the scenario identified for each process, assumptions 
and parameters used, and the rationale for the selection of that 
scenario. Assumptions must include use of administrative controls 
and passive mitigation that were assumed to limit the quantity that 
could be released. The description must include the anticipated 
effect of the controls and mitigation on the release quantity and 
rate;
    (3) Estimated quantity released, release rate, and duration of 
release for each worst-case scenario and worst-case alternative 
scenario for each process;
    (4) A description of the methodology used to determine the toxic 
hazard distance for each toxic concentration threshold;
    (5) Data used to estimate off-site population receptors 
potentially affected; and
    (6) The following data for each worst-case scenario and worst-
case alternative release scenario:
    (i) Chemical name;
    (ii) Physical state;
    (iii) Basis of results (provide model name if used, or other 
methodology);
    (iv) Scenario (explosion, fire, toxic gas release, or liquid 
spill and vaporization);
    (v) Quantity released in pounds;
    (vi) Release rate;
    (vii) Release duration;
    (viii) Wind speed and atmospheric stability class;
    (ix) Topography;
    (x) Toxic hazard distance;
    (xi) All members of the public within the toxic hazard distance;
    (xii) Any passive mitigation considered; and
    (xiii) Active mitigation considered (worst-case alternative 
release scenario only).

Appendix J of Part 417--Ground Safety Analysis Report

J417.1 General.

    (a) This appendix provides the content and format requirements 
for a ground safety analysis report. A launch operator must perform 
a ground safety analysis as required by subpart E of part 417 and 
document the analysis in a ground safety analysis report that 
satisfies this appendix, as required by Sec.  417.402(d).
    (b) A ground safety analysis report must contain hazard analyses 
that describe each hazard control, and describe a launch operator's 
hardware, software, and operations so that the FAA can assess the 
adequacy of the hazard analysis. A launch operator must document 
each hazard analysis on hazard analysis forms as required by Sec.  
J417.3(d) and file each system and operation description as a 
separate volume of the report.
    (c) A ground safety analysis report must include a table of 
contents and provide definitions of any acronyms and unique terms 
used in the report.
    (d) A launch operator's ground safety analysis report may 
reference other documents filed with the FAA that contain the 
information required by this appendix.

J417.3 Ground safety analysis report chapters.

    (a) Introduction. A ground safety analysis report must include 
an introductory chapter that describes all administrative matters, 
such as purpose, scope, safety certification of personnel who 
performed any part of the analysis, and each special interest issue, 
such as a high-risk situation or potential non-compliance with any 
applicable FAA requirement.
    (b) Launch vehicle and operations summary. A ground safety 
analysis report must include a chapter that provides general safety 
information about the vehicle and operations, including the payload 
and flight termination system. This chapter must serve as an 
executive summary of detailed information contained within the 
report.
    (c) Systems, subsystems, and operations information. A ground 
safety analysis report must include a chapter that provides detailed 
safety information about each launch vehicle system, subsystem and 
operation and each associated interface. The data in this chapter 
must include the following:
    (1) Introduction. A launch operator's ground safety analysis 
report must contain an introduction to its systems, subsystems, and 
operations information that serves as a roadmap and checklist to 
ensure all applicable items are covered. All flight and ground 
hardware must be identified with a reference to where the items are 
discussed in the document. All interfacing hardware and operations 
must be identified with a reference to where the items are discussed 
in the document. The introduction must identify interfaces between 
systems and operations and the boundaries that describe a system or 
operation.
    (2) Subsystem description. For each hardware system identified 
in a ground safety analysis report as falling under one of the 
hazardous systems listed in paragraphs (c)(3), (c)(4) and (c)(5) of 
this section, the report must identify each of the hardware system's 
subsystems. A ground safety analysis report must describe each 
hazardous subsystem using the following format:
    (i) General description including nomenclature, function, and a 
pictorial overview;
    (ii) Technical operating description including text and figures 
describing how a subsystem works and any safety features and fault 
tolerance levels;
    (iii) Each safety critical parameter, including those that 
demonstrate established system safety approaches that are not 
evident in the technical operating description or figures, such as 
factors of safety for structures and pressure vessels;
    (iv) Each major component, including any part of a subsystem 
that must be technically described in order to understand the 
subsystem hazards. For a complex subsystem such as a propulsion 
subsystem, the ground safety analysis report must provide a majority 
of the detail of the subsystem including any figures at the major 
component level such as tanks, engines and vents. The presentation 
of figures in the report must progress in detail from broad 
overviews to narrowly focused figures. Each figure must have 
supporting text that explains what the figure is intended to 
illustrate;
    (v) Ground operations and interfaces including interfaces with 
other launch vehicle and launch site subsystems. A ground safety 
analysis report must identify a launch operator's and launch site 
operator's hazard controls for all operations that are potentially 
hazardous to the public. The

[[Page 50727]]

report must contain facility figures that illustrate where hazardous 
operations take place and must identify all areas where controlled 
access is employed as a hazard control; and
    (vi) Hazard analysis summary of subsystem hazards that 
identifies each specific hazard and the threat to public safety. 
This summary must provide cross-references to the hazard analysis 
form required by paragraph (d) of this section and indicate the 
nature of the control, such as design margin, fault tolerance, or 
procedure.
    (3) Flight hardware. For each stage of a launch vehicle, a 
ground safety analysis report must identify all flight hardware 
systems, using the following sectional format:
    (i) Structural and mechanical systems;
    (ii) Ordnance systems;
    (iii) Propulsion and pressure systems;
    (iv) Electrical and non-ionizing radiation systems; and
    (v) Ionizing radiation sources and systems.
    (4) Ground hardware. A ground safety analysis report must 
identify the launch operator's and launch site operator's ground 
hardware, including launch site and ground support equipment, that 
contains hazardous energy or materials, or that can affect flight 
hardware that contains hazardous energy or materials. A launch 
operator must identify all ground hardware by using the following 
sectional format:
    (i) Structural and mechanical ground support and checkout 
systems;
    (ii) Ordnance ground support and checkout systems;
    (iii) Propulsion and pressure ground support and checkout 
systems;
    (iv) Electrical and non-ionizing radiation ground support and 
checkout systems;
    (v) Ionizing radiation ground support and checkout systems;
    (vi) Hazardous materials; and
    (vii) Support and checkout systems and any other safety 
equipment used to monitor or control a potential hazard not 
otherwise addressed above.
    (5) Flight safety system. A ground safety analysis report must 
describe each hazard of inadvertent actuation of the launch 
operator's flight safety system, potential damage to the flight 
safety system during ground operations, and each hazard control that 
the launch operator will implement.
    (6) Hazardous materials. A ground safety analysis report must:
    (i) Identify each hazardous material used in all the launch 
operator's flight and ground systems, including the quantity and 
location of each material;
    (ii) Contain a summary of the launch operator's approach for 
protecting the public from toxic plumes, including the toxic 
concentration thresholds used to control public exposure and a 
description of any related local agreements;
    (iii) Describe any toxic plume model used to protect public 
safety and contain any algorithms used by the model; and
    (iv) Include the products of the launch operator's toxic release 
hazard analysis for launch processing as defined by section 
I417.7(m) of appendix I of this part for each launch that involves 
the use of any toxic propellants.
    (d) Hazard analysis. A ground safety analysis report must 
include a chapter containing a hazard analysis of the launch vehicle 
and launch vehicle processing and interfaces. The hazard analysis 
must identify each hazard and all hazard controls that the launch 
operator will implement. A ground safety analysis report must 
contain the results of the launch operator's hazard analysis of each 
system, subsystem, and operation using a standardized format that 
includes the items listed on the example hazard analysis form 
provided in figure J417-1 and that satisfies the following:
    (1) Introduction. A ground safety analysis report must contain 
an introduction that serves as a roadmap and checklist to the launch 
operator's hazard analysis forms. A launch operator must identify 
all flight hardware, ground hardware, interfacing hardware, and 
operations with a reference to where the items are discussed in the 
ground safety analysis report. The introduction must explain how a 
launch operator presents its hazard analysis in terms of hazard 
identification numbers as identified in figure J417-1.
    (2) Analysis. A launch operator may present each hazard on a 
separate form or consolidate hazards of a specific system, 
subsystem, component, or operation onto a single form. There must be 
at least one form for each hazardous subsystem and each hazardous 
subsystem operation. A launch operator must state which approach it 
has chosen in the introduction to the hazard analysis section. A 
launch operator must track each identified hazard control 
separately.
    (3) Numbering. A launch operator must number each hazard 
analysis form with the applicable system or subsystem identified. A 
launch operator must number each line item on a hazard analysis form 
with numbers and letters provided for multiple entries against an 
individual line item. A line item consists of a hardware or 
operation description and a hazard.
    (4) Hazard analysis data. A hazard analysis form must contain or 
reference all information necessary to understand the relationship 
of a system, subsystem, component, or operation with a hazard cause, 
control, and verification.
    (e) Hazard analysis supporting data. A ground safety analysis 
report must include data that supports the hazard analysis. If such 
data does not fit onto the hazard analysis form, a launch operator 
must provide the data in a supporting data chapter. This chapter 
must contain a table of contents and may reference other documents 
that contain supporting data.

    Issued in Washington, DC, on August 1, 2006.
Marion C. Blakey,
Administrator.

[FR Doc. 06-6743 Filed 8-24-06; 8:45 am]
BILLING CODE 4910-13-P