[Federal Register Volume 90, Number 92 (Wednesday, May 14, 2025)]
[Proposed Rules]
[Pages 20414-20424]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2025-08496]
[[Page 20414]]
-----------------------------------------------------------------------
DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration
14 CFR Part 450
[Docket No. FAA-2025-0798]
Agency Advisory Circular: Reduced Reliability Flight Safety
System Design, Test, and Documentation
AGENCY: Federal Aviation Administration (FAA), Department of
Transportation (DOT).
ACTION: Notification and request for comments.
-----------------------------------------------------------------------
SUMMARY: FAA invites public comments about our intention to publish an
advisory circular. This Advisory Circular (AC) provides guidance to
demonstrate compliance with the design, test, and documentation
requirements for a Reduced Reliability Flight Safety System (RRFSS) of
commercial space launch or reentry vehicles. This AC presents one
acceptable means of compliance (MOC), but this is not the only
acceptable MOC. Launch and reentry license applicants may use this AC
to guide their internal processes, format their license applications,
or both.
DATES: Written comments should be submitted by June 13, 2025.
ADDRESSES: Please send written comments:
By Electronic Docket: www.regulations.gov (Enter docket number into
search field).
By mail: Charles Huet, 800 Independence Avenue SW, Room 331,
Washington, DC 20591.
FOR FURTHER INFORMATION CONTACT: Charles Huet by email at:
[email protected]; phone: 202-267-7427.
SUPPLEMENTARY INFORMATION:
I. Authority
The Commercial Space Launch Act of 1984, as amended and codified at
51 U.S.C. 50901 through 50923, authorizes the DOT, and the FAA through
delegation, to oversee, license, and regulate commercial launch and
reentry activities, and the operation of launch and reentry sites as
carried out by U.S. citizens or within the United States. The FAA
exercises these responsibilities consistent with public health and
safety, safety of property, and the national security and foreign
policy interests of the United States. See 51 U.S.C. 50905.
II. Text of Draft Advisory Circular
1.1 Purpose
1.1.1 This Advisory Circular (AC) provides guidance to demonstrate
compliance with the design, environment, test, analyses, and
documentation requirements for a Flight Safety System (FSS) under 14
CFR 450.143.
1.1.2 Per Sec. 450.108(b)(2), a vehicle operator using flight
abort as a hazard control strategy to meet the safety criteria of Sec.
450.101 must use a FSS that either:
(1) Meets the requirements of Sec. 450.145 if the consequence of
any reasonably foreseeable failure mode in any significant period of
flight is greater than 1x10^-2 conditional expected
casualties (CEc) in uncontrolled areas; or
(2) Meets the requirements of Sec. 450.143 when the consequence of
any reasonably foreseeable failure mode in any significant period of
flight is between 1x10^-2 and 1x10^-3 CEc for
uncontrolled areas.
A FSS that meets the requirements of Sec. 450.145 is known as a
Highly Reliable Flight Safety System (HRFSS). A FSS that meets the
requirements of Sec. 450.143 is known as a Reduced Reliability Flight
Safety System (RRFSS). This AC only provides guidance for an RRFSS.
Compliance with Sec. 450.143 should ensure that no credible fault
(Sec. 450.143(b)) can lead to increased risk to the public beyond
nominal safety-critical system operation. The guidance of this AC (see
Figure below) should be used to develop a program-specific means of
compliance (MOC) document, which must be expanded to include component-
specific design and test details, similar to the most updated Range
Commanders Council (RCC) 319 and RCC 324 content such as test matrices
and definition of performance tests.
Figure 1: AC 450.143-1 Document Flow [graphic omitted]
1.1.3 Other approaches that fulfill regulatory objectives may be
acceptable to the Federal Aviation Administration (FAA) Office of
Commercial Space Transportation (AST). This AC presents one, but not
the only, acceptable MOC with the requirements of Sec. 450.143. The
FAA should consider other MOC that an applicant may elect to present
that also satisfy the entrance and exit criteria defined within this
AC.
1.1.4 Applicants are advised to refer to AC 450.108-1, Flight Abort
Rule Development, for all un-crewed vehicles whose FSSs used during
commercial space launch or reentry operations are required to have
flight abort capability and comply with Sec. 450.108(b)(2) and AC
450.107-1, Hazard Control Strategies Determination, to determine which
strategies to use.
1.2 Scope
1.2.1 This initial release of AC 450.143-1 is for a single-use FSS
only.
1.2.2 A FSS is composed of two major sub-systems: the Flight
Termination System (FTS) and the Range Tracking (and Telemetry) System
(RTS). This initial release of AC 450.143-1 provides a MOC for the FTS
of an RRFSS, but does not address FSS component software, such as that
contained on an Automated Flight Termination Unit and typically managed
under RCC 319-19 Appendix A for HRFSS, or RTS components for an RRFSS.
1.3 Exception
An applicant should perform design, testing, and documentation in
compliance with Sec. 450.143 for FSSs, except for FSSs for which an
operator demonstrates through its flight hazard analysis that the
likelihood of any hazardous condition specifically associated with the
system that may cause death or serious injury to the public is
extremely remote, pursuant to Sec. 450.109(b)(3). Thus, this AC does
not apply to crewed vehicles that have safety-critical systems for
which an operator must demonstrate--using a flight hazard analysis--
that the likelihood of any hazardous condition that may cause death or
serious injury is extremely remote, pursuant to Sec. 450.109(b)(3).
1.4 Licensing and Regulatory Applicability
1.4.1 This AC presents one, but not the only, acceptable MOC with
the associated regulatory requirements. The FAA will consider other MOC
that an applicant may elect to present. In addition, an operator may
tailor the provisions of this AC to meet its unique needs, provided the
changes are accepted as an MOC by the FAA. Throughout this document,
the word ``must'' characterizes statements that directly follow from
regulatory text and therefore reflect regulatory mandates, or that an
applicant must satisfy in order to use this AC as a MOC. The word
``may'' describes variations or alternatives allowed within the
accepted MOC set forth in this AC.
1.4.2 The guidance in this AC is for launch and reentry license
applicants and operators required to comply with 14 CFR part 450. The
guidance in this AC is for those seeking a launch or reentry vehicle
operator license, or a licensed operator seeking to renew or modify an
existing vehicle operator license.
1.4.3 The material in this AC is advisory in nature and does not
constitute a regulation. This guidance is not legally binding in its
own right and will not be relied upon by the FAA as a separate basis
for affirmative enforcement action or other administrative penalty.
Conformity with this guidance document (as distinct from existing
statutes and regulations) is voluntary only, and nonconformity will not
affect rights and obligations under existing statutes and regulations.
This AC describes acceptable means, but not the only means, for
demonstrating compliance with the applicable regulations.
1.4.4 The material in this AC does not change or create any
additional regulatory requirements, nor does it authorize changes to,
or deviations from, existing regulatory requirements.
2 Applicable Regulations and Related Documents
2.1 Related U.S. Statute
Title 51 U.S.C. subtitle V, chapter 509, Commercial Space Launch
Activities.
2.2 Related FAA Commercial Space Transportation Regulations
The following regulations from title 14 of the CFR must be
accounted for when showing compliance with Sec. 450.143. The full text
of these regulations can be downloaded from the U.S. Government
Printing Office e-CFR. A paper copy can be ordered from the Government
Printing Office, Superintendent of Documents, Attn: New Orders, PO Box
371954, Pittsburgh, PA 15250-7954.
Section 401.7, Definitions.
Section 450.101, Public Safety Criteria.
Section 450.107, Hazard Control Strategies.
Section 450.108, Flight Abort.
Section 450.109, Flight Hazard Analysis.
Section 450.115, Flight Safety Analysis Methods.
Section 450.141, Computing Systems.
Section 450.131, Probability of Failure Analysis.
Section 450.143, Safety-Critical System Design, Test, and
Documentation.
Section 450.145, Highly Reliable Flight Safety System.
Section 450.161, Control of Hazard Areas.
Section 450.209, Compliance Monitoring.
2.3 Related FAA Advisory Circulars
These FAA Advisory Circulars are or will be available through the
FAA website, https://www.faa.gov.
AC 450.35-1, Means of Compliance Process, when published.
AC 450.101-1, High Consequence Event Protection, May 20,
2021.
AC 450.107-1, Hazard Control Strategies Determination,
July 27, 2021.
AC 450.108-1, Flight Abort Rule Development, July 27,
2021.
AC 450.141-1A, Computing Systems Safety, August 16, 2021.
AC 450.143-2, Systems Safety Critical Components, when
published.
2.4 Related Government Documents
MIL-STD-461, Requirements for the Control of
Electromagnetic Interference Characteristics of Subsystems and
Equipment, dated December 11, 2015, or latest revision. https://quicksearch.dla.mil//qsDocDetails.aspx?ident_number=35789.
MIL-STD-810, Environmental Engineering Considerations and
Laboratory Tests, dated May 18, 2022, or latest revision. https://quicksearch.dla.mil//qsDocDetails.aspx?ident_number=35978
National Aeronautics and Space Administration (NASA) NASA-
HDBK-7004, Force Limited Vibration Testing, dated May 16, 2000, or
latest revision. http://everyspec.com/NASA/NASA-NASA-HDBK/NASA-HDBK-7004_15229/.
NASA-HDBK-7005, Dynamics Environmental Criteria, dated
March 21, 2017, or latest revision. https://ntrs.nasa.gov/citations/20190026820.
NASA/SP-20230004376, Methodology for Physics of Failure-
Based Reliability Assessments Handbook, dated June 1, 2024, or latest
revision. https://ntrs.nasa.gov/citations/20230004376.
Office of Management and Budget (OMB) Circular A-119,
Federal Participation in the Development and Use of Voluntary Consensus
Standards and in Conformity Assessment Activities, dated February 10,
1998, or latest revision. https://www.whitehouse.gov/wp-content/uploads/2017/11/Circular-119-1.pdf.
Range Commanders Council (RCC), IRIG Standard 253-93, IRIG
Standard Missile Antenna Pattern Coordinate System and Data Formats,
dated August 1993, or latest revision. https://www.trmc.osd.mil/wiki/display/publicRCC//253+IRIG+Standard+Missile+Antenna+Pattern+Coordinate+System+and+Data+Formats.
Range Commanders Council (RCC), Standard 319-19, Flight
Termination Commonality Standard, dated June 2019, or latest revision.
https://www.trmc.osd.mil/wiki/display/publicRCC/319+Flight+Termination+Commonality+Standard.
RCC, Standard 324-11, Global Positioning and Inertial
Measurements Range Safety Tracking Systems Commonality Standard, dated
February 2011, or latest revision. https://www.trmc.osd.mil/wiki/display/publicRCC//324+Global+Positioning+and+Intertial+Measurements+Range+Safety+Tracking+Systems+Commonality+Standard.
Space and Missile Systems Center Standard, Test
Requirements for Launch, Upper-Stage, and Space Vehicles, SMC-S-016,
dated September
5, 2014, or latest revision. https://ntrl.ntis.gov/NTRL/dashboard/searchResults/titleDetail/ADA619375.xhtml#.
SSCI91-701, The Space Systems Command Launch and Range
Safety Program, dated December 27, 2022, or latest revision. https://static.e-publishing.af.mil/production/1/ssc/publication/ssci91-701/ssci91-701.pdf.
2.5 Related Industry Standards
American National Standards Institute (ANSI)/American
Institute of Aeronautics and Astronautics (AIAA) S-102.2.2-2019,
Performance-Based System Reliability Modeling Requirements, dated
September 24, 2014, or latest revision. https://arc.aiaa.org/doi/book/10.2514/4.867132.
Institute of Electrical and Electronics Engineers (IEEE)
1413, A Standard for Reliability Predictions, dated October 21, 2011,
or latest revision. https://ieeexplore.ieee.org/document/6058638.
Society of Automotive Engineers (SAE) TAHB0009A,
Reliability Program Handbook, dated May 3, 2019, or latest revision.
https://www.sae.org/standards/content/tahb0009a/.
3 Definition of Terms
For this AC, the terms and definitions from Sec. 401.7 and this
list apply:
3.1 Acceptance Testing
Testing conducted on the qualification and flight hardware after
the completion of the manufacturing process. Generally, acceptance
tests are performed on each article of the safety-critical flight
hardware to verify that it is free of defects, free of integration and
workmanship errors, and ready for operational use. For acceptance
testing of components deemed safety-critical, acceptance testing should
also demonstrate basic flight survivability, and performance to
specification requirements. This practice is analogous to environmental
stress screening referenced in industry best practices for reliability.
Acceptance testing is performed to enveloping maximum predicted
environments or minimum workmanship environments.
3.2 Failure
The inability of a system or system component to perform a required
function within specified limits.
3.3 Piece-Part
A single electronic component piece not normally subject to
disassembly without destruction or impairment of use, such as
resistors, capacitors, transistors, and relays.
3.4 Qualification Testing
Testing of a device or component in flight-like or operational
configuration, to predicted flight environments plus a prescribed
margin, to demonstrate that the design, manufacturing, and assembly
processes have resulted in hardware that conforms to specifications and
performance requirements when subjected to margined environments.
Qualification testing also ensures that acceptance testing and planned
operations will not damage the component. Qualification test articles
are to be expended and should not be used for flight.
3.5 Reliability
The probability an item will perform its intended function with no
failure for a given time interval and under given conditions (e.g.,
environment and loads).
4 Acronyms
AC Advisory Circular
A-h Amp-Hour
AIAA American Institute of Aeronautics and Astronautics
ADS Automatic Destruct System
ANSI American National Standards Institute
AST FAA Office of Commercial Space Transportation
CEc Conditional Expected Casualty
CFR Code of Federal Regulations
Ec Expected Casualty
E2E End-to-End Testing
EMI Electromagnetic Interference
EMC Electromagnetic Compatibility
FAA Federal Aviation Administration
FMECA Failure Mode, Effects, and Criticality Analysis
FSS Flight Safety System
FTS Flight Termination System
FTSR Flight Termination System Report
HDBK Handbook
HRFSS Highly Reliable Flight Safety System
IEEE Institute of Electrical and Electronics Engineers
MAS Minimum Acceptable Standard
MIL-STD Military Standard
MOC Means of Compliance
MPE Maximum Predicted Environments
NASA National Aeronautics and Space Administration
OMB Office of Management and Budget
PSD Power Spectral Density
RCC Range Commanders Council
RF Radio Frequency
RRFSS Reduced Reliability Flight Safety System
RTS Range Tracking System
SAE Society of Automotive Engineers
SRM Solid Rocket Motor
SRS Shock Response Spectrum
TM Telemetry
U.S. United States
5 Basis for Design
For an RRFSS MOC, an applicant may use RCC 319 and RCC 324, with
reductions in the requirements from a HRFSS, including all design,
environments, test and analysis rigor, and margins; or an applicant may
follow the MOC methodology within this chapter. The MOC provided in
this AC is an acceptable baseline for an RRFSS which has reduced
requirements for the applicant. The Flight Safety Risk, defined by the
Entrance Criteria and validated/approved by the Exit Criteria, is
defined within this AC and deemed an acceptable MOC for a RRFSS. As
noted above, this AC presents one, but not the only, acceptable MOC
with the requirements of Sec. 450.143.
FSS reliability is the reliability of the FSS to perform a
termination when required, and to not perform inadvertent termination
or termination of a nominal vehicle.
5.1 Entrance Criteria
An applicant seeking approval of an RRFSS design under this MOC
must ensure that the following criteria are met prior to submitting
documentation to the FAA for approval.
5.1.1 The applicant must submit a CEc analysis to the FAA
demonstrating that the consequence of any reasonably foreseeable
failure mode in any significant period of flight is greater than 1x10^-3
and less than or equal to 1x10^-2 CEc, as per Sec. Sec. 450.108(b)(2),
450.101(c)(2), and 450.115. While an applicant may choose to include an
FSS when the CEc value is less than or equal to 1x10^-3, an FSS is not
required, per Sec. 450.101(c)(2). Conversely, a HRFSS is required
when the CEc value is more than 1x10^-2 CEc, per Sec. 450.108(b)(1).
5.1.2 The applicant must submit a preliminary design reliability
analysis showing that the design reliability of the FSS has the
potential to be greater than or equal to 0.900 at 95 percent lower
confidence bound, such that the risk to all members of the public,
excluding persons in aircraft and neighboring operations personnel, is
less than or equal to 1x10^-4 Ec, with Ec determined per Sec.
450.101(a) and (b).
5.2 RRFSS Methodology
Paragraphs 6.1, 6.2, 6.3, and 6.4 provide requirements for a
methodology to design and test an FTS that is
compliant with Sec. 450.143. The FAA will consider the reliability
requirement of 0.900 at 95 percent lower confidence bound met through
compliance with this document, which incorporates the following:
performance-oriented design requirements for components;
comprehensive acceptance and qualification testing of
components; and
pre-flight confidence tests of the entire system.
The Minimum Acceptable Standard (MAS) for an FSS design is
dependent on the design and fulfilling the requirements of the MOC,
with consideration to the interdependencies of the requirements.
5.2.1 An RRFSS under this MOC is defined by reduction in
requirements from a HRFSS such that reliability is not maintained to
the baseline HRFSS, while still meeting performance specifications as a
FSS per satisfying the requirements set defined herein.
5.2.2 Based on the FSS design, some requirements of Chapter 6 may
not be applicable.
5.2.3 The design of a RRFSS must be compliant with the minimum set
of requirements herein but also needs to satisfy all of the Exit
Criteria for a specific design configuration. Not all the requirements
may be permitted if they result in not satisfying the Exit Criteria.
5.2.4 The developed MOC must include component-specific design and
test details, such as any redundancy, test matrices, and performance
functional tests.
5.3 Exit Criteria
To have an FTS qualified under this MOC:
5.3.1 The applicant must submit documentation in accordance with
paragraph 6.5 of this MOC;
5.3.2 The FSS System Predicted Design Reliability for the proposed
RRFSS design must be greater than or equal to 0.900 at 95 percent lower
confidence bound; and
5.3.3 The applicant must comply with all the following part 450
criteria based upon final Mission and FSS Design specifications:
a. Conditional Expected Casualty (CEc) between 1x10^-2 and 1x10^-3
per Sec. 450.108(b)(2).
b. Risk evaluations completed for both proper functioning of and
failure of the RRFSS per Sec. 450.108(d)(5).
c. Collective Risk of Expected Casualty (Ec) <= 1x10^-4 per
Sec. Sec. 450.101(a) or (b) and 450.108(d)(5).
d. Individual Risk Probability of Casualty (Pc) <= 1x10^-6 per
Sec. Sec. 450.101(a) or (b) and 450.108(d)(5).
e. Aircraft Risk <= 1x10^-6 per Sec. Sec. 450.101(a) or (b) and
450.108(d)(5).
f. Risk to Critical Assets <= 1x10^-3 per Sec. Sec. 450.101(a) or
(b) and 450.108(d)(5).
g. Risk to Critical Payloads <= 1x10^-4 per Sec. Sec. 450.101(a) or
(b) and 450.108(d)(5).
h. Acceptable Flight Hazard Areas per Sec. Sec. 450.133, 450.161,
and 450.108(d)(5).
i. Conditional Expected Casualty (CEc) for flight abort <= 1x10^-2
per Sec. Sec. 450.108(c)(4) and 450.108(d)(5).
6 Reduced Reliability Flight Safety System Baseline Test and Design
Requirements
The RRFSS must be compliant with the requirements of the following
categories:
- Design requirements.
- Environmental requirements.
- Test requirements.
One means of documenting the flight safety system (FSS)
requirements is to start with RCC 319 and RCC 324, adjusting the
verbiage to be consistent with the details of this chapter.
Alternately, the applicant may use these requirements to develop their
own requirements and methodologies document. Any tailoring of these
requirements would need to be resubmitted as a new MOC for review and
approval.
The Applicant MOC documents will need to be assessed specifically
for the components of the FTS design, where specifics not defined
herein may be required to be defined per RCC 319-19.
Note: RTS requirement guidance, as noted earlier, is out of
scope from this initial AC release. The RRFSS MOC for RTS developed
by an Applicant must have traceability to RCC 324-11.
Note: Some requirements include parent references, (Parent:
xxx), which provide traceability to the original (highly reliable)
requirements, which have been reduced for this AC to meet a Sec.
450.143 RRFSS.
6.1 Design Requirements
Design requirements for an RRFSS should codify the system
functional architecture.
6.1.1 FTS Reliability Analysis
Reliability analyses must be provided for the integrated FTS,
including both on-vehicle and off-vehicle subsystems as separate
analyses. The reliability analyses must identify all credible failure
modes and the probability of failure for the FTS. The reliability
calculations must consider both operational and non-operational
(transportation, handling, integration, pad operations and recovery
operations, if applicable) environments. (Parent: RCC 319-19 section
3.2.2)
6.1.2 FSS Reliability Analysis
The FSS must be designed to meet the reliability that would support
compliant Exit Criteria, including ensuring that the system is
functional (survives) in the environments with margin. A common design
practice to ensure this possibility is to design with redundancy and
physical separations to minimize common cause failures or environmental
impacts to system functionality. Such practices are referenced in RCC
319-19 section 3.2.
6.1.3 FTS Survivability
Regarding system reliability, the FTS must be designed such that it
can survive and function nominally for all nominal and off-nominal
environments where it may need to take action to ensure that flight
abort limits will be enforced. If the FTS cannot survive these
environments, its reliability must be considered zero for flight safety
analysis purposes. For example, an analysis may be provided to
demonstrate a non-surviving FTS on a liquid vehicle is typically not a
concern due to vehicle break-up, whereas FTS on solid rocket motors
(SRMs) must be demonstrated as able to survive catastrophic events
because SRMs typically do not break-up without FSS. (Parent: RCC 319-19
section 3.2.4)
6.1.4 Fail-Safe Components
The use of fail-safe components and/or subsystems must be such that
if a failure occurs, the FSS retains the capability to safely terminate
or control the operation. Examples of fail-safe components include
normally-closed valves for which failure of electrical or pneumatic
controls result in cessation of commodity flow, or power-systems which
return relays to a default state that activates the termination end
effectors. (Parent: RCC 319-19 section 3.5.2)
6.1.4.1 The use of fail-safe components must require an analysis
that characterizes the failure modes and consequences of an inadvertent
termination, due to the potential higher likelihood of an on-trajectory
system failure.
Note: The use of fail-safe components does not necessarily
negate the need for redundancy or for the requirement of testing to
some defined and accepted standard/method (i.e., SMC-S-016 or RCC
324 test tables).
6.1.5 FTS Component Independence
Where FTS components lack independence from (i.e., depend on) other
mission hardware, the applicant must verify there are no common-cause,
single, or dual failure modes that result in the FTS and mission failing
concurrently.
Note: All non-conformances, root cause analyses and mitigations/
get-well plans against any shared hardware must be approved by FAA
ASA-230. (Parent: RCC 319-19 section 3.2.5)
6.1.6 Component Service Life
Component service life must be defined and justified by the
Applicant and approved by the FAA. (Parent: RCC 319-19 section 3.2.10)
6.1.7 Consistency of Components
Consistency of components of flight hardware to qualification test
hardware must be maintained, including consistency of parts, materials,
and processes. Any change to flight hardware requires FAA
notification and approval. (Parent: RCC 319-19 section 3.2.11)
6.1.8 Electronic Piece-Part Requirements
Piece-parts used in RRFSS must be demonstrated through testing, at
unit or part level, to ensure parts are free of workmanship errors. In
accordance with consistency requirements, piece-parts must also ensure
that the parts, materials, and processes used between the qualification
test procedure and acceptance test procedure parts are uniform to
ensure the qualification units remain representative samples of the
flight units.
For piece-parts with little or no historical data or that are
operating at conditions outside their known envelope, additional testing
must be implemented to develop the information necessary to perform a
reliability assessment (e.g., in accordance with Society of Automotive
Engineers (SAE) TAHB0009 or ANSI/AIAA S-102.2.2-2019) in a
statistically valid manner (e.g., Sec. 450.131). (Parent: RCC 319-19
section 3.2.11 and Appendix B)
6.1.9 Functioning Time
The FTS activation time, from command initiation to airborne
termination action, must be specified and repeatable to ensure the FSS
activates in sufficient time to terminate a vehicle prior to
endangering a protected area. This time, with its uncertainty, is
required for flight safety analysis incorporation of the flight abort
limits. (Parent: RCC 319-19 section 3.2.12)
6.1.10 Component Specifications
Component specifications must be clearly defined for performance
within the mission operating parameters, including non-operational and
operational activities from manufacturing, transportation, handling and
integration, ground operations, flight operations, and post-flight
operations. (Parent: RCC 319-19 section 3.2.6)
6.2 Environmental Requirements
Environmental requirements for a RRFSS should codify the limits of
the non-operational and operational environments with margin to which
the RRFSS must be able to function.
6.2.1 Maximum Predicted Environments
Maximum predicted environments (MPE) must be consistent with P95/50
statistical methodologies, margined as appropriate per paragraph 6.2.2
to include operational and non-operational (transportation, handling,
integration, pad operations and recovery operations, if applicable)
environments. (Parent: RCC 319-19 section 3.3.2)
6.2.2 Environmental Uncertainty Margins
Environmental uncertainty margin must be included for new, unproven
system designs on top of the MPE test levels, where three complete
duration missions are required before such margin may be reduced or
eliminated. Specific margins must be applied to temperature extremes,
shock test levels, and vibration test levels, as a minimum. (Parent:
RCC 319-19 section 3.3.2)
6.2.2.1 Temperature extreme margin should be 8°C beyond hot and
cold P95/50 temperatures.
6.2.2.2 Shock test levels margin should be +3 dB above P95/50 Shock
Response Spectrum (SRS).
6.2.2.3 Vibration test levels margin should be +3 dB above P95/50
Power Spectral Density (PSD).
Note: Such margin is considered inclusive when referencing
``flight-representative'' test levels.
Note: The applicant may propose margin levels with technical
rationale if reduced from the upper limits noted above, where
acceptability of such reductions will be considered based upon the
component criticality, FSS design, other modified requirements, and
satisfying the exit criteria of this AC.
6.2.3 Acceptance Test Environment Levels
Acceptance test environment levels must be the extreme of MPE and
minimum workmanship levels. (Parent: RCC 319-19 sections 3.3.3 and
3.3.7)
Note: Minimum workmanship levels for ordnance/pyrotechnic
devices and batteries may be different than the values provided
below, to be approved on a case-by-case basis by the FAA.
6.2.3.1 Lower temperature extreme should be -24°C or MPE,
whichever is colder.
6.2.3.2 Upper temperature extreme should be +61°C or MPE,
whichever is hotter.
6.2.3.3 Vibration test levels should be the greater of RCC 319-19
Table 4-4 or MPE for all frequencies between 20 Hz and 2000 Hz.
6.2.4 Qualification Margins for Operational Environments.
Qualification margin must be included for all operational
environments to ensure RRFSS performance during off-nominal and
anomalous launch vehicle operations, as well as to provide for
confidence that the RRFSS components will perform nominally after being
subjected to non-flight operations, such as ground testing and check-
outs. (Parent: RCC 319-19 sections 3.3.3 and 3.3.7)
6.2.4.1 Temperature Extremes 10°C Beyond Hot And Cold Acceptance
Test Levels
6.2.4.2 Shock Test Levels
- +3 dB above MPE levels for frequencies of 100 Hz to 2000 Hz.
- +4.5 dB above MPE levels for frequencies of 2000 Hz to 10
kHz.
For multi-stage vehicles and strap-on (booster) SRMs, FTS
components must also meet a minimum breakup shock level, in addition to
the MPE +4.5 dB level, for which the minimum breakup shock level must
be up to RCC 319-19 Table 4-5, where lower levels must require approved
justification.
A minimum margin of 1.5 dB between MPE levels and qualification
test levels must be maintained for all frequencies.
For liquid propellant vehicles, if FTS Break-Up analysis
demonstrates FTS survivability, no minimum break-up level is required.
6.2.4.3 Vibration Test Levels
- +4.5 dB above Acceptance Test levels for frequencies of 20 Hz
to 2 kHz.
- A minimum margin of 1.5 dB between acceptance test levels and
qualification test levels should be maintained for all frequencies.
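The temperature and vibration margin stack-up of paragraphs 6.2.2 through 6.2.4, worked as an added example that is not part of the FAA draft text. Function names are hypothetical, the 10*log10 decibel convention for PSD is an assumption of standard practice not stated in the AC, and the workmanship spectrum is a constructed placeholder, not the values of RCC 319-19 Table 4-4.

```python
import math

# Margins quoted from the AC text (paragraph numbers in comments).
TEMP_UNCERTAINTY_C = 8.0     # 6.2.2.1
VIB_UNCERTAINTY_DB = 3.0     # 6.2.2.3
ACCEPT_COLD_C = -24.0        # 6.2.3.1
ACCEPT_HOT_C = 61.0          # 6.2.3.2
QUAL_TEMP_MARGIN_C = 10.0    # 6.2.4.1
QUAL_VIB_MARGIN_DB = 4.5     # 6.2.4.3
MIN_QUAL_MARGIN_DB = 1.5     # 6.2.4.3


def scale_psd(psd, db):
    """Raise a PSD value (g^2/Hz) by db decibels.

    Assumption: PSD is a power quantity, so dB = 10*log10(ratio).
    """
    return psd * 10.0 ** (db / 10.0)


def psd_margin_db(upper, lower):
    """Margin in dB between two PSD values (same assumption as scale_psd)."""
    return 10.0 * math.log10(upper / lower)


def temperature_levels(p95_cold_c, p95_hot_c, unproven=True):
    """Return (cold, hot) pairs for MPE, acceptance and qualification."""
    if p95_cold_c > p95_hot_c:
        raise ValueError("cold extreme must not exceed hot extreme")
    # 6.2.2: uncertainty margin applies to new, unproven designs.
    u = TEMP_UNCERTAINTY_C if unproven else 0.0
    mpe = (p95_cold_c - u, p95_hot_c + u)
    # 6.2.3: acceptance is the extreme of MPE and minimum workmanship.
    acceptance = (min(ACCEPT_COLD_C, mpe[0]), max(ACCEPT_HOT_C, mpe[1]))
    # 6.2.4.1: qualification is 10 C beyond acceptance on both ends.
    qualification = (acceptance[0] - QUAL_TEMP_MARGIN_C,
                     acceptance[1] + QUAL_TEMP_MARGIN_C)
    return {"mpe": mpe, "acceptance": acceptance,
            "qualification": qualification}


def vibration_levels(p95_psd, workmanship_psd, unproven=True):
    """Per-frequency PSD levels; inputs map frequency (Hz) to g^2/Hz."""
    if set(p95_psd) != set(workmanship_psd):
        raise ValueError("spectra must share the same frequency breakpoints")
    levels = {}
    for freq in sorted(p95_psd):
        if not 20 <= freq <= 2000:
            raise ValueError(f"{freq} Hz is outside the 20 Hz to 2000 Hz band")
        if p95_psd[freq] <= 0 or workmanship_psd[freq] <= 0:
            raise ValueError("PSD values must be positive")
        mpe = scale_psd(p95_psd[freq], VIB_UNCERTAINTY_DB if unproven else 0.0)
        work = workmanship_psd[freq]
        acceptance = max(mpe, work)  # 6.2.3.3: greater of the two
        levels[freq] = {
            "mpe": mpe,
            "acceptance": acceptance,
            "governing": "MPE" if mpe >= work else "workmanship",
            "qualification": scale_psd(acceptance, QUAL_VIB_MARGIN_DB),
        }
    return levels


def margin_shortfalls(acceptance_psd, proposed_qual_psd,
                      minimum_db=MIN_QUAL_MARGIN_DB):
    """List (freq, margin_dB) where a tailored qualification spectrum
    falls below the minimum margin over acceptance (6.2.4.3)."""
    shortfalls = []
    for freq in sorted(acceptance_psd):
        margin = psd_margin_db(proposed_qual_psd[freq], acceptance_psd[freq])
        if margin < minimum_db - 1e-9:  # tolerance for float rounding
            shortfalls.append((freq, round(margin, 2)))
    return shortfalls


# Constructed sample inputs (not flight data, not RCC 319-19 values).
P95_PSD = {20: 0.005, 100: 0.02, 1000: 0.08, 2000: 0.01}
WORKMANSHIP_PSD = {20: 0.01, 100: 0.04, 1000: 0.04, 2000: 0.01}

if __name__ == "__main__":
    print(temperature_levels(-10.0, 45.0))
    for f, row in vibration_levels(P95_PSD, WORKMANSHIP_PSD).items():
        print(f, row["governing"], f'{row["acceptance"]:.4f}',
              f'{row["qualification"]:.4f}')
```

With the constructed inputs, the workmanship spectrum governs acceptance at 20 Hz and 100 Hz and the margined MPE governs at 1000 Hz and 2000 Hz, which is the per-frequency enveloping that paragraph 6.2.3.3 calls for.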
6.2.5 Electrical Component Test Sequence
Electrical component test sequence should be such that electrical
components (active and passive) should be tested for thermal
environments, followed by shock environments, and finally by random
vibration environments.
6.2.6 Non-Electrical Component Testing
Non-electrical component test sequence should not be constrained
for mechanical, pneumatic, and pyrotechnic components, but the operator
should provide a rationale for the sequence performed.
6.2.7 Thermal Requirements
Thermal requirements must ensure that the RRFSS components can
perform nominally across the representative thermal extremes, defined
by hot and cold temperatures during all activities related to the FTS
hardware, as well as transition rates between those temperature
extremes. (Parent: RCC 319-19 sections 3.3.3, 4.12.2, and 4.15.2)
6.2.8 Vibration Requirements
Vibration environments must ensure the RRFSS components can perform
nominally when subjected to representative dynamic levels due to
sources such as, but not limited to, handling, transportation, aero-
acoustics, vehicular modal dynamics, and other vehicle component
dynamics. (Parent: RCC 319-19 sections 3.3.5, 3.3.6, 3.3.7, 4.12.4,
4.12.5, 4.12.6, 4.15.8, 4.15.9, and 4.15.10)
6.2.9 Shock Requirements
Shock environments must ensure the RRFSS components can perform
nominally when subjected to representative shock levels due to sources
such as, but not limited to, transportation, lift-off, engine shutdown,
and staging. (Parent: RCC 319-19 sections 3.3.9, 3.3.11, and
4.15.11)
6.2.10 Acceleration Environments
On vehicles with greater than 5 Gs of MPE acceleration, components
must be tested to acceleration environments. (Parent: RCC 319-19
section 3.3.4).
6.2.10.1 The acceleration environment should be determined for all
components, which could be used to inform design to attenuate strong
environments, such as the use of vibration and shock isolators.
Note: 5 Gs is based upon 1-sigma 6.1 Grms random vibration
minimum workmanship equivalency, with some derating.
6.2.11 Electromagnetic Interference/Electromagnetic Compatibility
Requirements
Electromagnetic Interference (EMI)/Electromagnetic Compatibility
(EMC) environments must ensure the RRFSS components under
representative levels are not adversely influenced by other vehicle
components or external sources, nor adversely influence other vehicle
components. (Parent: RCC 319-19 section 3.3.12 and 4.15.12)
6.2.12 Non-Operating Environments
Non-operational environments must be defined and verified as being
enveloped by operational environments, addressed by analysis/
similarity, or characterized for testing. (Parent: RCC 319-19 section
4.14)
Note: Includes fine sand, fungus resistance, etc.
6.2.13 Environmental Monitoring
Environmental monitoring must be performed for both non-operational
and operational environments to validate MPEs. (Parent: RCC 319-19
sections 5.1.7 and 5.6.1)
6.3 Test Requirements
Test requirements for an RRFSS should identify particular
methodologies to demonstrate the RRFSS satisfies design and
environmental requirements. An operator will meet the intent of the
reliability requirements through testing. Below is a set of test
requirements adapted from the requirements of RCC 319-19 MOC for a
Sec. 450.143 RRFSS. However, more rigorous or additional testing may
be necessary to meet the FSS Exit Criteria of paragraph 5.3 and should
be further discussed with the FAA.
Follow best test equipment and instrumentation methodologies per
RCC 319-19 section 4.7.
6.3.1 Testability
The design of the FTS, components, ground support, and monitoring
equipment must allow for the required tests to all the environments of
this document to be performed and verified. (Parent: RCC 319-19 section
3.2.7)
6.3.2 Number of Qualification Units
The number of FTS qualification units must be sufficient to
demonstrate that the design meets the reliability goal necessary to
comply with the Exit Criteria of this AC.
Typically, one to three qualification units are required, based
upon the component criticality, and known commercial off-the-shelf or
vendor flight heritage. Life testing methods are one way to
characterize the number of units needed for test, and such methods may
be found in sources such as MIL-STD-810, IEEE 1413, NASA/SP-
20230004376, NASA-HDBK-7004, NASA-HDBK-7005 and a variety of other
standards and handbooks across government and industry. The specific
method chosen to demonstrate this is dependent on the design and its
intended environment--due to this, any proposal will need to be
reviewed and approved on a case-by-case basis. (Parent: RCC 319-19
Component Qualification Test Matrices)
The exception is that ordnance/pyrotechnic devices may utilize the
lot acceptance testing and statistically based qualification methods,
similar to RCC 319-19.
6.3.3 Government Test Oversight
Government test oversight must be similar to compliance monitoring
as described in Sec. 450.209, with the addition of all testing
activities associated with development of license deliverables.
6.3.4 Thermal Test Requirements
Thermal testing must be such that the RRFSS components are
subjected to flight-like thermal cycles between hot and cold extremes
derived in the environments document and at applicable thermal
transition rates for acceptance testing, and with margin for
qualification testing.
6.3.4.1 For acceptance testing, all FTS components must undergo a
minimum of 8 thermal cycles at acceptance test environments, whereas
components with active electronic components must undergo an additional
10 burn-in thermal cycles at the acceptance test environment levels.
(Parent: RCC 319-19 section 4.12.2)
6.3.4.2 For qualification testing, all FSS components must undergo
a minimum of 2x acceptance test thermal cycles (16 total) at
Qualification Test environments, plus MPE thermal cycles to account for
the number of planned ground operations, such as tanking tests, engine
tests, and extended pad stays. (Parent: RCC 319-19 section 4.15.2)
6.3.4.3 The transition rate between hot and cold must be at an
average rate of no less than 3 °C per minute or the MPE ramp rate,
whichever is greater, and must not be slower than 1 °C per minute.
(Parent: RCC 319-19 sections 4.12.2 and 4.15.2)
6.3.4.4 Dwell durations at high and low temperature extremes must
be such that the component reaches thermal equilibrium plus a margin of
5 minutes, but no less than 15 minutes per dwell or sufficiently long
enough to perform required component functional verification tests.
(Parent: RCC 319-19 sections 4.12.2 and 4.15.2)
6.3.5 Vibration Test Environments
Vibration testing must be such that the RRFSS components are
subjected to flight-like dynamic test levels for a minimum test
duration for acceptance testing, and with margin for qualification
testing.
Note: For narrow band vibration peak clipping methodology,
reference RCC 319-19 section 7.10.
6.3.5.1 For acceptance testing, all FTS components must undergo a
minimum of 1 minute at acceptance test environments in each of three
orthogonal axes, or for the MPE duration to which the components are
subjected to the environment, whichever is longer. (Parent: RCC 319-19
sections 4.12.4, 4.12.5, and 4.12.6)
6.3.5.2 For qualification testing, all FSS components must undergo
a minimum of 2x the acceptance test duration at qualification test
environments, plus MPE level duration to account for planned ground
operations, such as transportation/handling and engine tests/static
fires. (Parent: RCC 319-19 sections 4.15.8, 4.15.9, and 4.15.10)
6.3.6 Shock Test Environments
Shock testing must be such that the RRFSS components are subjected
to flight-like shock test levels for sufficient repetitions to envelope
the number of events to be experienced during flight, with a margin for
qualification.
6.3.6.1 Shock testing must be performed for a component in each
positive and negative direction for each of the mutually perpendicular
axes, 3 times per direction, totaling 18 shocks. (Parent: RCC 319-19
section 4.15.11)
6.3.7 Acceleration Test Environments
Components on vehicles with greater than 5 Gs of MPE acceleration
must be tested to acceleration environments. (Parent: RCC 319-19
section 4.15.7)
6.3.7.1 For acceptance test, MPE acceleration levels for a duration
of 1 minute or MPE duration, whichever is greater.
6.3.7.2 For qualification test, MPE plus 6 dB levels for a duration
of 2x acceptance test duration.
6.3.7.3 For acceleration environments of 5 Gs or less, components
that have small electronic parts and internal components (low mass)
must be shown to survive the acceleration environment by analysis or
test.
- Analyses may use a 2-sigma value in calculating random/sine
vibration to acceleration equivalency.
- Vibration testing may be used in lieu of acceleration if
utilizing a 1-sigma value.
6.3.7.4 All wet cell batteries must be tested; this cannot be
accomplished by analysis.
6.3.8 Non-Operational Testing
Non-operational testing must be performed per methodologies within
RCC 319-19 unless analysis demonstrates enveloping by flight
environments. Such environments include, but are not limited to,
transportation, handling, and storage related thermal, shock,
vibration, and leakage environments. The use of design solutions, such
as conformal coatings, can be used towards acceptance rationale for
analysis on a case-by-case basis, which will require approval by the
FAA. (Parent: RCC 319-19 section 4.14)
6.3.9 Bench Handling Shock Test Requirements
Bench handling shock must be performed per RCC 319-19 on each face
of the component for which it could drop, for all edges of the defined
faces, as well as a drop from a handling height onto the defined face.
(Parent: RCC 319-19 section 4.15.12)
6.3.10 EMI/EMC Test Requirements
EMI Testing must be completed, modified from MIL-STD-461 (latest
revision) to only test operational frequency bands of applicable FSS,
flight vehicle and ground systems, as defined by "in-band"
bandwidths. "In-band" is to be defined by the user per an approved
method, such as 6 dB down from the operational bandwidth limits similar
to MIL-STD-461 section 4.3.10.3.1.
The EMI and EMC tests must demonstrate that a component satisfies
all of its performance requirements when subjected to radiated or
conducted emissions from all vehicle systems and external ground
transmitter sources. In addition, the test must demonstrate that the
component does not radiate or conduct EMI that would degrade the
performance of any other FTS component. (Parent: RCC 319-19 section
4.15.12)
6.3.11 Performance Verification Test Requirements
Performance Verification Tests applicable to specific components
must be accomplished per RCC 319-19.
6.3.12 Prelaunch Test Requirements
Prelaunch testing must include acceptance testing of all FSS
components, End-to-End (E2E) testing with the final flight
configuration, and range-compatibility testing (as applicable).
(Parent: RCC 319-19 section 5.2)
6.3.12.1 Components such as flight termination receivers and
ordnance firing units must have a 180-day certification. On-vehicle
testing after the initial certification may be performed with pre-
approved procedures.
6.3.12.2 Range compatibility testing must be performed to verify
all FTS and RTS components satisfy all performance specifications in
the flight configuration when subjected to a minimum level of
electromagnetic noise from any potential source that can affect the
mission flight trajectory.
6.3.12.3 E2E must be performed no earlier than 14 days prior to the
initial launch date. However, E2E testing must be repeated if at any
time after the test, the integrity of the system is suspect or
compromised by a configuration change, mating/demating of any connector
or wiring harness, lightning strikes, or other event affecting the
integrity of the system.
6.3.13 Component Rework/Repair Test Requirements
Reworked and repaired components must undergo all required tests,
as approved by the FAA, to ensure the component satisfies all of its
performance requirements. If a test failure occurs, it may be necessary
to reperform all previous testing. The major consideration is the
cumulative effects from all the previous tests that may have
contributed to the failure. (Parent: RCC 319-19 section 4.8)
6.3.14 Test Failure Analyses
In the event of a test failure or anomaly, the test item,
procedures, and equipment must undergo a written failure analysis. The
failure analysis must identify the root cause and mechanism of the
failure, isolate the failure to the smallest replaceable item or items,
and ensure that there are no design, workmanship, or process problems
with other flight components of similar configuration (i.e. common
cause failures). Corrective actions must also be identified when
appropriate. Closure and approval of failure analysis disposition, root
cause and corrective action is required prior to flight. (Parent: RCC
319-19 section 4.5.2, 5.1.4, 7.11, and 8.1.2)
6.3.14.1 Unless emergency action is needed to safe the system to
protect personnel, in the event of a test anomaly or failure, the test
configuration must be frozen until an FAA representative can be
contacted. Invasive troubleshooting or corrective action must not begin
without FAA approval.
6.3.14.2 Failure Notification
The failure or anomaly of an FTS test must be reported verbally or
electronically to the FAA representative within 1 day. Data must be
provided in a timely manner that allows the FAA sufficient time to
review documentation that supports program schedule.
6.3.14.3 A failure investigation plan or an interim write-up of the
failure analysis must be submitted that describes the detailed approach
to resolve the anomaly or failure.
6.3.14.4 Failure Reports
Failure reports must be submitted for review and approval,
including a summary of test failures where FSS components do not meet
performance requirements in the Flight Termination System Report
(FTSR), per paragraph 6.5.7 of this AC. All component test failures
must be documented in the applicable test reports. This requirement
includes failure of tests conducted at the supplier plant, contractor
plant, and at the launch site. A formal report containing a description
of the failure, an analysis of the failure, and planned corrective
actions must be submitted in a timely manner that allows sufficient
time to review documentation that supports program schedule. Failure
analyses must be submitted for approval within 30 days of failure,
stating a root cause. In the event a failure investigation requires
more than 30 days for the contractor to resolve, status reports on the
failure investigation must be submitted to the FAA every 30 days until
the investigation is completed.
6.3.15 Test Tolerances
Test tolerance levels must be met as defined in the following
table. (Parent: RCC 319-19 section 4.6)
Table 1--Test Tolerances
------------------------------------------------------------------------
Test                                            Tolerance
------------------------------------------------------------------------
Sampling Time Interval                          5%
Temperature                                     3 °C
Pressure:
  Above 1.3 x 10^2 Pascals (1 Torr)             10%
  1.3 x 10^-1 to 1.3 x 10^2 Pascals
    (0.001 Torr to 1 Torr)                      25%
  Less than 1.3 x 10^-1 Pascals (0.001 Torr)    80%
Relative Humidity                               5%
Acceleration                                    10%
Vibration Frequency                             2%
Sinusoidal Vibration Amplitude                  10%
Random Vibration Power Spectral Density
(G^2/Hz):
  20 to 100 Hz (5 Hz or narrower bands)         1.5 dB
  100 to 500 Hz (25 Hz or narrower bands)       1.5 dB
  500 to 2000 Hz (50 Hz or narrower bands)      3.0 dB
Sound Pressure Level:
  1/3 Octave Band                               3.0 dB
  Overall                                       1.5 dB
Shock Response Spectrum (Q = 10):
  1/6 Octave Band Center Frequency Amplitude    +9 dB/-3 dB
  Sample Rate                                   >=10x Max SRS Frequency
                                                and at least 100,000
                                                samples per second
Static Load                                     5%
------------------------------------------------------------------------
6.4 Analyses
Reference RCC 319-19 section 7 as a starting point. These analyses
are required documentation deliverables (paragraph 6.5) and, once
approved, are Exit Criteria to an approved Sec. 450.143 RRFSS. The
FTSR must include a summary of these analyses with a detailed report
submitted separately or within the FTSR, as appropriate.
6.4.1 Component Environments Derivation
An analysis that demonstrates the maximum predicted non-operating
and operating environmental levels that an FTS component is exposed to,
accounting for uncertainties due to flight-to-flight variability and
any analytical uncertainty must be provided. All assumptions,
derivation techniques (including modeling details), and supporting data
must also be included. (Parent: RCC 319-19 sections 3.3.2 and 7.10)
6.4.2 System Reliability
An analysis of the predicted design reliability of the FTS
(hardware and software), including effects of storage, transportation,
handling, and maintenance, in addition to rework must be provided. The
reliability analysis should capture component specific details from the
verification & validation, development process and on-going testing and
flight data, in addition to system factors, such as software and human
factors.
The reliability analysis must be updated, as appropriate, as flight
data and component failure data are gathered. (Parent: RCC 319-19
section 7.2)
6.4.3 FMECA/Fault Tree (or Equivalent)
An analysis to identify potential component and subsystem
reliability issues that could result in safety issues, leading to
specific design requirements must be provided. The Failure Mode,
Effects, and Criticality Analysis (FMECA) must list all possible
failure modes, the failures' effects on performance, probability of
occurrence, and the consequences of their occurrence. The FMECA also
identifies single-point failures and functions that are not or cannot
be tested (redundancy). This must follow standard industry methodology.
(Parent: RCC 319-19 section 7.2)
6.4.4 Radio Frequency Link Margin (as Applicable)
A link is a complete Radio Frequency (RF) path from a transmitter
output to the RF input of the airborne radio device or vice versa. A
link analysis, showing margin, must be performed for nominal
trajectories using vehicle attitude and antenna patterns and errant
flight that uses the 95 percent spherical coverage antenna gain. The
analysis of the link accounts for all losses such as attenuations,
amplification/gains, and free space loss/attenuation in the entire path
and then applies a pre-specified margin that ensures the signal-to-
noise-ratio is sufficient to reliably transmit and receive the desired
signals. A 9 dB margin over 95 percent of the actual antenna patterns
for a nominal trajectory must be met.
A mission specific link margin analysis showing positive margin
(greater than zero) for RTS ground telemetry must account for
acquisition plans, switching plans, coverage plans and antenna link
autotrack assignments. (Parent: RCC 319-19 section 7.6; SSCI 91-701
6.9.6.5.5, 6.10.4.4, 27 Dec 2022)
6.4.5 Antenna Patterns
An antenna pattern is a representation of an antenna's radiation or
receiving characteristics in geometric space. Antenna pattern test
requirements and formats can be found in RCC 253-93. The antenna
pattern must demonstrate that the radiation gain pattern of the entire
RF receiving system, including antennas, RF cables, and RF coupler,
will satisfy all the system's performance specifications. The test
must:
- Determine the radiation gain pattern around the vehicle
and demonstrate the system is capable of meeting the required
performance specifications;
- Emulate flight conditions, including ground transmitter
polarization, using simulated vehicle and a flight-configured RF
command destruct system;
- Measure the radiation gain for 360 degrees around the
vehicle using angle increments that are small enough to identify any
deep pattern null. Each antenna pattern gain measurement angle
increment must not exceed 2 degrees; and
- Generate an antenna pattern in a data format that is
compatible with the format needed to perform the FTS system RF link
analysis.
An abbreviated antenna pattern test must ensure that flight
hardware has the same characteristics as the qualification test units
and detect any antenna pattern changes that might occur due to damage
resulting from exposure to environments. The test must use a standard
ground plane and verify that a sampling of antenna gain measurements is
repeatable. (Parent: RCC 319-19 sections 4.16.5, 4.16.6; RCC 253-93)
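The link analysis of paragraph 6.4.4 and the antenna pattern data of paragraph 6.4.5 can be tied together as in the following Python sketch, which is an added illustration and not part of this AC or of RCC 319-19. It assumes that the 95 percent coverage gain is the gain met or exceeded over 95 percent of the sphere weighted by solid angle, and that margin is received power minus a receiver threshold; all function names, the pattern, and the link values are constructed.

```python
import math

C_M_PER_S = 299_792_458.0
REQUIRED_MARGIN_DB = 9.0    # paragraph 6.4.4
MAX_INCREMENT_DEG = 2.0     # paragraph 6.4.5
COVERAGE_FRACTION = 0.95    # paragraph 6.4.4


def free_space_loss_db(range_m, freq_hz):
    """Free-space path loss: 20*log10(4*pi*d*f/c)."""
    return 20.0 * math.log10(4.0 * math.pi * range_m * freq_hz / C_M_PER_S)


def check_increment(angles_deg):
    """Reject a measurement axis whose angle step exceeds 2 degrees."""
    steps = [b - a for a, b in zip(angles_deg, angles_deg[1:])]
    if not steps or max(steps) > MAX_INCREMENT_DEG + 1e-9:
        raise ValueError("pattern increment exceeds 2 degrees")


def coverage_gain_dbi(thetas_deg, phis_deg, gain_dbi, fraction=COVERAGE_FRACTION):
    """Gain met or exceeded over `fraction` of the sphere (assumed definition).

    gain_dbi[i][j] is the gain at polar angle thetas_deg[i] and azimuth
    phis_deg[j]. Samples are weighted by sin(theta), their share of solid
    angle, so densely sampled polar regions do not dominate the result.
    """
    check_increment(thetas_deg)
    check_increment(phis_deg)
    samples = []
    for theta, row in zip(thetas_deg, gain_dbi):
        weight = math.sin(math.radians(theta))
        samples.extend((gain, weight) for gain in row)
    total = sum(weight for _, weight in samples)
    covered = 0.0
    # Walk from best gain to worst until the required coverage is reached.
    for gain, weight in sorted(samples, key=lambda s: s[0], reverse=True):
        covered += weight
        if covered >= fraction * total - 1e-12:
            return gain
    return min(gain for gain, _ in samples)


def link_margin_db(tx_power_dbm, tx_gain_dbi, tx_line_loss_db, range_m,
                   freq_hz, rx_gain_dbi, rx_line_loss_db, rx_threshold_dbm):
    """Sum every gain and loss in the path, then compare with the threshold.

    rx_threshold_dbm (minimum usable signal at the receiver input) is an
    assumption of this sketch, standing in for the signal-to-noise criterion.
    """
    received_dbm = (tx_power_dbm + tx_gain_dbi - tx_line_loss_db
                    - free_space_loss_db(range_m, freq_hz)
                    + rx_gain_dbi - rx_line_loss_db)
    return received_dbm - rx_threshold_dbm


def meets_margin(margin_db):
    return margin_db >= REQUIRED_MARGIN_DB


def constructed_pattern(null_width_deg):
    """Constructed pattern: 0 dBi everywhere except a -25 dBi null stripe."""
    thetas = [1.0 + 2.0 * i for i in range(90)]   # 1, 3, ..., 179 degrees
    phis = [2.0 * j for j in range(180)]          # 0, 2, ..., 358 degrees
    gain = [[-25.0 if phi < null_width_deg else 0.0 for phi in phis]
            for _ in thetas]
    return thetas, phis, gain


if __name__ == "__main__":
    for width in (10, 40):
        thetas, phis, gain = constructed_pattern(width)
        g95 = coverage_gain_dbi(thetas, phis, gain)
        # Constructed link: 50 dBm transmitter, 500 km slant range, 400 MHz.
        margin = link_margin_db(50, 20, 2, 500e3, 400e6, g95, 3, -107)
        print(f"null {width} deg: G95 = {g95} dBi, margin = {margin:.2f} dB, "
              f"meets 9 dB: {meets_margin(margin)}")
```

A null narrower than 5 percent of the sphere leaves the coverage gain unchanged, while a wider one sets it and, in this constructed link, pulls the margin below 9 dB.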
6.4.6 RF Radiation
An RF radiation analysis must demonstrate that the system and
components satisfy all the performance requirements when subjected to
emitting sources on the vehicle and from surrounding environments. This
analysis must be performed by comparing the component level MIL-STD-461
EMI/EMC with the energy delivered by any emitting source to ensure that
components were tested to correct levels. This analysis is where the
in-band frequencies are defined. (Parent: RCC 319-19 section 7.14)
Emitting sources must include radiation emissions from FTS
and other vehicle components.
6.4.7 Battery Capacity
An analysis must be performed to demonstrate that the FTS battery
has a manufacturer-specified capacity that is no less than the required
operational capacity plus a margin. The operational capacity must be
based upon the maximum power required for all components connected to
the battery. An example method for calculating battery capacity can be
found in RCC 319-19 section 3.16.2. (Parent: RCC 319-19 sections
3.9, 3.16, and 7.12)
Operational capacity must be calculated using the following
elements:
6.4.7.1 The specified capacity must include a margin of at least
0.5 A-h over the required capacity.
6.4.7.2 Batteries must have a lifetime of at least 150 percent of
the required mission time from transfer to internal power to FTS safing
(i.e., a 50 percent margin on lifetime).
6.4.7.3 Charge capacity must be based on the voltage level at the
knee in the discharge curve or above the minimum FTS component voltage
requirement, whichever is higher.
6.4.7.4 Secondary batteries and cells must have repeatable
performance.
6.4.8 FTS Breakup Analysis
A breakup analysis must be performed to determine the design and
location of the FTS components and subsystems to ensure that the FTS
functions reliably during a vehicle failure. The breakup analysis must
account for:
- aerodynamic loading effects at high-angle-of-attack
trajectories during early stages of flight;
- a hard-over engine nozzle-induced tumble during various
phases of flight for each stage;
- out-of-sequence timing of vehicle staging and other events
that could damage FTS hardware or inhibit the functionality of FTS
components or subsystems; and
- breakup due to aerodynamic loading effects at high-angle-
of-attack trajectories during early stages of flight must be analyzed
at time steps no more than five seconds apart.
Note: The purpose of the breakup analysis is to determine where
and when a vehicle is most likely to break up under the credible
failure scenarios. This data is used to ensure FTS components and
separation detection systems are properly designed and located to
maximize FTS survivability in the analyzed failure scenarios.
(Parent: RCC 319-19 section 7.15)
6.4.9 Qualification-by-Similarity
A qualification-by-similarity analysis must be submitted for review
and approval, including technical justification, and detailing any
changes between parts. A summary of all qualification-by-similarity
analyses must be included in the FTSR with all details captured in
individual component test reports. (Parent: RCC 319-19 section 7.12)
6.4.10 Sneak Circuit
With all components functioning nominally, the analysis must
demonstrate that there are no latent paths that could cause an
undesired event or prohibit function. (Parent: RCC 319-19 section 7.7)
6.4.11 Bent Pin
Each FTS component must undergo an analysis that demonstrates that
any single short circuit occurring as a result of a bent electrical
connection pin does not result in inadvertent system activation or
inhibiting the proper operation of the system. This analysis must
include pin-to-pin and pin-to-case. (Parent: RCC 319-19 section 7.5)
6.4.12 Fratricide
An FTS must undergo an analysis that demonstrates that the flight
termination of any stage at any time during flight does not sever
interconnecting FTS circuitry or ordnance to other stages until flight
termination on all the other stages has been initiated. (Parent: RCC
319-19 section 7.4)
6.4.13 Automatic Destruct System Timing Analysis
The Automatic Destruct System (ADS) timing analysis must be
provided, calculating the worst-case time between ADS triggering and
final destruct action. The analysis must demonstrate that the FTS will
function prior to becoming disabled by vehicle breakup. (Parent: RCC
319-19 section 7.17)
6.4.14 Ordnance Initiator Simulator Analysis
The analysis must be provided, demonstrating that the simulator
input current, impedance, voltage, optical power, or energy simulates
the flight ordnance characteristics. (Parent: RCC 319-19 section 7.18)
6.4.15 In-Flight FTS Analysis
A post-flight analysis must be provided within 60 days from
end-of-mission or prior to next flight, demonstrating that the FTS met
all applicable performance requirements during flight. The analysis of
prior flights must be approved before subsequent flights. An analysis must
be provided for review and approval for any in-flight anomaly or when
termination action is taken. The FAA representatives must participate
in the investigation and be given sufficient notice to support all
activities. (Parent: RCC 319-19 section 7.19)
6.5 Documentation
This paragraph lists the documents that must be provided to the FAA
to comply with this MOC. Submission of these documents satisfies the
application requirements at Sec. 450.143(f) for the FTS component of
an RRFSS. The applicant will still have to submit documentation for the
RTS, as applicable. All documentation must be approved by the FAA, and
only then will this chapter meet the Exit Criteria of paragraph 5.3 of
this AC.
6.5.1 Means of Compliance Documents
The applicant must provide a document containing the applicable
requirements of paragraphs 6.1 through 6.5, which will be the program-
specific MOC document for the FTS of the RRFSS. The applicant must
provide appropriate documentation for the RTS and FSS Software MOCs
that will support being able to demonstrate compliance with Sec.
450.143.
6.5.2 Environmental Derivation
The FTS and each of its components must satisfy all of their
performance requirements when subjected to an environment that
envelopes their respective MPEs and applicable workmanship levels plus
a margin. An applicant must determine the non-operating and operating
environmental levels, rates of change, durations, etc., that a
component of an FTS will experience. The assumptions, derivation
technique, supporting data, and final environments that the FTS
components would be exposed to must be included in this document. All
FTS component-mounting hardware, cables, and wires must be considered
FTS components for the purposes of this document. The derivation may
include analysis, modeling, testing and/or monitoring.
Non-operating and operating environments include temperature
(including number of thermal cycles and thermal ramp rates), random
and/or sinusoidal vibration, shock, acceleration, acoustic vibration,
humidity, salt fog, dust, fungus, explosive atmosphere, or
electromagnetic energy that apply to a specific vehicle and launch/
flight site(s).
All FTS components must be designed to satisfy all performance
requirements when subjected to any predicted combined environments
(e.g., thermal/acceleration, thermal/vibration, thermal/shock) to which
the component may be exposed.
Modifications made to the vehicle that result in a harsher
environment than the FTS was qualified for or that modify or interfere
with FTS performance will require evaluation and possible re-
qualification of the FTS. (Parent: RCC 319-19 sections 3.3.1 and 3.3.2)
6.5.3 Test Plans
Test plan documents identify the high-level test requirements,
including the component-specific test levels, test sequence, functional
tests, tolerances, and instrumentation requirements. (Parent: RCC 319-
19 sections 4.3 and 8.5.4)
6.5.4 Test Procedures
Test procedure documents explain how the test conductor is to
perform the testing, in a step-by-step manner including accepted test
tolerances and pass/fail criteria. (Parent: RCC 319-19 sections 4.3 and
8.5.4)
6.5.5 Test Reports
Test report documents demonstrate the compliance to all component
performance and environmental requirements, including any test
discrepancies and failures that were experienced. (Parent: RCC 319-19
sections 8.5.4 and 8.7)
6.5.6 Test Deviations/Non-Conformances
A test deviation or non-conformance report is for failure of tests
conducted at the supplier plant, contractor plant or at the launch
site/range. This is a formal report containing a description of the
failure, an analysis of the failure, and planned corrective actions
submitted and approved by the FAA. The report must be submitted to the
FAA in a timely manner that allows sufficient time to review
documentation that supports the program schedule. The failure analysis
must be submitted to the FAA for approval within 30 days of the
failure.
A failure of a test unit is defined as a test discrepancy that is
due to a design, workmanship, process, or any quality deficiency in the
item being tested. Any test discrepancy is considered a failure of the
test item unless it can be indisputably determined to have been due to
an unrelated cause. A test deviation is any step taken outside of the
approved test plan/procedure and must be approved by the FAA.
One method to facilitate management of test deviations and non-
conformances is to implement a Failure Reporting and Corrective Action
System, which is a closed loop control process that accounts for
failures occurring during all phases of testing and operations,
including data from incoming inspection, development testing, equipment
integration testing and reliability and maintainability testing while
emphasizing corrective action. (Parent: RCC 319-19 section 4.5.2;
SMC-S-016 sections 3.58 and 3.59; Rome Laboratory Reliability
Engineer's Toolkit, April 1993)
6.5.7 Flight Termination System Report (FTSR)
The FTSR is a document developed by the applicant and submitted for
FAA review and approval. It is a medium through which the FTS approval
is obtained, containing a detailed description of the FTS, tailoring
summary, system analysis results, design data, reliability data,
component design data, ground support systems data, test data and FTS
Telemetry (TM) data. (Parent: RCC 319-19 section 8)
The following must be included in the FTSR document:
- Detailed FTS drawings, schematics, and wiring diagrams.
These must also include all plug and jack designations, all pin
assignments, and all FTS-to-TM or other vehicle component interfaces.
Additionally, all components must be identified by component number and
value such that a circuit analysis can be performed.
- Table of contents and glossary.
- Introduction, addressing the scope and purpose of the
FTSR.
- FTS General System Description. The general system
description section must present a brief description of the vehicle and
the FTS. The following items must be included in this section:
  1. Vehicle Description--brief and general description of the
  vehicle.
  2. FTS Description--brief and general description of the FTS,
  including a block diagram showing the location of all FTS components
  of the vehicle and the interfaces with other systems.
  3. FTS Cable Diagram--a cable diagram of the FTS from the antennas
  to the termination device.
  4. Overall FSS Schematic--a complete line schematic of the entire
  FSS from antenna to the termination device, including TM pick-off
  points and ground (umbilical) interfaces.
6.5.7.1 FTS Detailed Component and System Description
The detailed system description section includes a complete and
detailed narrative description of all the major components of the FTS.
The narrative description must include the following items:
1. A complete and detailed description of the FTS operation,
including all possible scenarios and a discussion of how the FTS
components function at the system and piece-part level.
2. A complete and detailed description of each FTS component and
how it functions, including specifications and schematics, mechanical
and piece-part specifications, and operating parameters.
3. Detailed schematics and drawings to include the following: the
complete FTS, showing component values such as resistance, capacitance,
and wattage; tolerance, shields, grounds, connectors, and pin numbers;
and TM pick-off points; all vehicle components and elements that
interface with or share common cause use with the FTS; and an
accounting of all pin assignments.
4. Drawings showing the location of all FTS system and subsystem
components on the vehicle that include the following descriptions:
component locations, mounting (attach points), orientation, and cable
routing; electrical connectors, connections, and the electrical
isolation of the FTS; and an illustrated parts breakdown of all
mechanically operated FTS components.
6.5.7.2 FTS Analysis Results
A summary of the applicable results of the analyses required in
paragraph 6.4 must be included, with detailed analyses submitted
separately.
6.5.7.3 FTS Ordnance Classification
The classifications for each ordnance device must be in accordance
with the Department of Transportation, Department of Defense, or United
Nations regulations. Supporting documentation must be included in this
section.
6.5.7.4 FTS Development, Qualification, Acceptance, and Age
Surveillance Test Plans, Procedures, and Reports
A list of test plans, procedures, and reports by title,
number, and revision date.
The maximum predicted flight loads for all anticipated
environmental forces such as shock, vibration, and thermal for each FTS
component, subsystem, and system.
A matrix of the actual qualification and acceptance test
levels used for each component, subsystem, and system in each test
versus the predicted flight levels for each environment. The test
tolerance allowed for each operational qualification test must be
included.
A clear identification of those components qualified by
similarity analysis or a combination of analysis and test.
A summary of each applicable test report. The actual test
report must be submitted as a stand-alone document.
6.5.7.5 Software and Firmware Independent Verification and Validations
A summary of software and firmware independent verification and
validations must be included.
6.5.7.6 FTS Modifications
All modifications to an approved FTS, its associated equipment,
component identification, test procedures, or any changes affecting the
configuration and integrity of the FTS must be included.
6.5.7.7 FTS Ground Support and Monitoring Equipment
The ground support and monitoring equipment section must include a
complete description of the ground test equipment used to check out the
FTS, including contractor-peculiar tests. This section must also
include specifications, system schematics, and component schematics for
program-unique test equipment for the following:
ordnance initiator simulator;
the RF ground support system;
the RF repeater system;
safety console layout, display arrangement, and function
of each monitor;
safety console terminations including the following:
a. schematics of all FTS monitor circuits from the FTS component
pick-off points to the console termination;
b. calibration data for all monitor circuit terminations provided
to the console.
any other ground support and monitoring equipment as
required by the FAA.
6.5.7.8 FTS Installation and Checkout
The installation and checkout section must include the
following information:
a list of procedures for checkout, calibration, and
installation of all components, systems, and subsystems of the FTS and
its associated ground checkout equipment, including launch-day
countdown; and
a summary of each task, objective, test configuration, test
equipment, and a time sequence flow chart.
6.5.7.9 Exception to Requirements
This section of the FTSR must include all waivers and conditionally
compliant requirements.
6.5.7.10 Changes to the FTSR
Initial and draft FTSRs must be submitted for expedited review
as the design progresses, with each updated FTSR containing the latest
information on the FTS. The final FTSR must be submitted with
sufficient time for final review and approval.
Any changes to the FTS design must result in an immediate update to
the FTSR for review and approval by the FAA on a case-by-case basis.
Any unauthorized changes to the FTS design will result in automatic
revocation of the FTS and, as such, the applicant's launch license.
6.5.7.11 Telemetry Measurement
This section provides a list of all FTS TM measurements. This
section includes the following minimum information for each
measurement:
description of each parameter;
TM measurement identifier;
sample rate;
minimum and full-scale level;
resolution;
engineering units and scaling factors;
analog or digital.
6.5.7.12 FTSR Appendices
All FTS development, qualification, and age surveillance test
reports must be included as stand-alone appendices.
6.5.8 Operational System Reliability Validation Plan
Post-flight verification of the FSS predicted design reliability
must be performed, for which the evaluation plan must be approved by
the FAA. Deltas between the as-qualified environments and those
experienced in flight will need to be reconciled.
Issued in Washington, DC.
James A. Hatt,
Space Policy Division Manager, Commercial Space Transportation, Federal
Aviation Administration.
[FR Doc. 2025-08496 Filed 5-13-25; 8:45 am]