Regulations last checked for updates: Nov 23, 2024
Title 14 - Aeronautics and Space last revised: Nov 21, 2024
§ 417.101 - Scope.
This subpart contains public safety requirements that apply to the launch of an orbital or suborbital expendable launch vehicle from a Federal launch range or other launch site. If the FAA has assessed the Federal launch range, through its launch site safety assessment, and found that an applicable range safety-related launch service or property satisfies the requirements of this subpart, then the FAA will treat the Federal launch range's launch service or property as that of a launch operator without need for further demonstration of compliance to the FAA if:
(a) A launch operator has contracted with a Federal launch range for the provision of the safety-related launch service or property; and
(b) The FAA has assessed the Federal launch range, through its launch site safety assessment, and found that the Federal launch range's safety-related launch service or property satisfy the requirements of this subpart. In this case, the FAA will treat the Federal launch range's process as that of a launch operator.
§ 417.103 - Safety organization.
(a) A launch operator must maintain and document a safety organization. A launch operator must identify lines of communication and approval authority for all public safety decisions, including those regarding design, operations, and analysis. A launch operator must describe its lines of communication, both within the launch operator's organization and between the launch operator and any federal launch range or other launch site operator providing launch services, in writing. Documented approval authority shall also be employed by the launch operator throughout the life of the launch system to ensure public safety and compliance with this part.
(b) A launch operator's safety organization must include, but need not be limited to, the following launch management positions:
(1) An employee of the launch operator who has the launch operator's final approval authority for launch. This employee, referred to as the launch director in this part, must ensure compliance with this part.
(2) An employee of the launch operator who is authorized to examine all aspects of the launch operator's launch safety operations and to monitor independently personnel compliance with the launch operator's safety policies and procedures. This employee, referred to as the safety official in this part, shall have direct access to the launch director, who shall ensure that all of the safety official's concerns are addressed prior to launch.
§ 417.105 - Launch personnel qualifications and certification.
(a) General. A launch operator must employ a personnel certification program that documents the qualifications, including education, experience, and training, for each member of the launch crew.
(b) Personnel certification program. A launch operator's personnel certification program must:
(1) Conduct an annual personnel qualifications review and issue individual certifications to perform safety related tasks.
(2) Revoke individual certifications for negligence or failure to satisfy certification requirements.
§ 417.107 - Flight safety.
(a) Flight safety system. For each launch vehicle, vehicle component, and payload, a launch operator must use a flight safety system that satisfies subpart D of this part as follows, unless § 417.125 applies.
(1) In the vicinity of the launch site. For each launch vehicle, vehicle component, and payload, a launch operator must use a flight safety system in the vicinity of the launch site if the following exist:
(i) Any hazard from a launch vehicle, vehicle component, or payload can reach any protected area at any time during flight; or
(ii) A failure of the launch vehicle would have a high consequence to the public.
(2) In the downrange area. For each launch vehicle, vehicle component, and payload, a launch operator must provide a flight safety system downrange if the absence of a flight safety system would significantly increase the accumulated risk from debris impacts.
(b) Public risk criteria. A launch operator may initiate the flight of a launch vehicle only if flight safety analysis performed under paragraph (f) of this section demonstrates that any risk to the public satisfies the following public risk criteria:
(1) A launch operator may initiate the flight of a launch vehicle only if the total risk associated with the launch to all members of the public, excluding persons in water-borne vessels and aircraft, does not exceed an expected number of 1 × 10⁻⁴ casualties. The total risk consists of risk posed by impacting inert and explosive debris, toxic release, and far field blast overpressure. The FAA will determine whether to approve public risk due to any other hazard associated with the proposed flight of a launch vehicle on a case-by-case basis. The Ec criterion applies to each launch from lift-off through orbital insertion for an orbital launch, and through final impact for a suborbital launch.
(2) A launch operator may initiate flight only if the risk to any individual member of the public does not exceed a casualty expectation of 1 × 10⁻⁶ per launch for each hazard.
(3) A launch operator must establish any water borne vessel hazard areas necessary to ensure the probability of impact (Pi) with debris capable of causing a casualty for water borne vessels does not exceed 1 × 10⁻⁵.
(4) A launch operator must establish any aircraft hazard areas necessary to ensure the probability of impact (Pi) with debris capable of causing a casualty for aircraft does not exceed 1 × 10⁻⁶.
(5) A launch operator may initiate flight of a launch vehicle only if all of the risks to the public satisfy the criteria in the critical asset protection requirements in § 450.101(a)(4) and (b)(4).
(c) Debris thresholds. A launch operator's flight safety analysis, performed as required by paragraph (f) of this section, must account for any inert debris impact with a mean expected kinetic energy at impact greater than or equal to 11 ft-lbs and, except for the far field blast overpressure effects analysis of § 417.229, a peak incident overpressure greater than or equal to 1.0 psi due to any explosive debris impact.
(1) When using the 11 ft-lbs threshold to determine potential casualties due to blunt trauma from inert debris impacts, the analysis must:
(i) Incorporate a probabilistic model that accounts for the probability of casualty due to any debris expected to impact with kinetic energy of 11 ft-lbs or greater and satisfy paragraph (d) of this section; or
(ii) Count each expected impact with kinetic energy of 11 ft-lbs or greater to a person as a casualty.
(2) When applying the 1.0 psi threshold to determine potential casualties due to blast overpressure effects, the analysis must:
(i) Incorporate a probabilistic model that accounts for the probability of casualty due to any blast overpressures of 1.0 psi or greater and satisfy paragraph (d) of this section; or
(ii) Count each person within the 1.0 psi overpressure radius of the source explosion as a casualty. When using this approach, the analysis must compute the peak incident overpressure using the Kingery-Bulmash relationship and may not take into account sheltering, reflections, or atmospheric effects. For persons located in buildings, the analysis must compute the peak incident overpressure for the shortest distance between the building and the blast source. The analysis must count each person located anywhere in a building subjected to peak incident overpressure equal to or greater than 1.0 psi as a casualty.
(d) Casualty modeling. A probabilistic casualty model must be based on accurate data and scientific principles and must be statistically valid. A launch operator must obtain FAA approval of any probabilistic casualty model that is used in the flight safety analysis. If the launch takes place from a Federal launch range, the analysis may employ any probabilistic casualty model that the FAA accepts as part of the FAA's launch site safety assessment of the Federal launch range's safety process.
(e) [Reserved]
(f) Flight safety analysis. A launch operator must perform and document a flight safety analysis as required by subpart C of this part. A launch operator must not initiate flight unless the flight safety analysis demonstrates that any risk to the public satisfies the public risk criteria of paragraph (b) of this section. For a licensed launch that involves a Federal launch range, the FAA will treat an analysis performed and documented by the Federal range, and which has an FAA approved launch site safety assessment, as that of the launch operator as provided in § 417.203(d) of subpart C of this part. A launch operator must use the flight safety analysis products to develop flight safety rules that govern a launch. Section 417.113 contains the requirements for flight safety rules.
[Docket No. FAA-2000-7953, 71 FR 50537, Aug. 25, 2006, as amended by Amdt. No. 417-5, 81 FR 59439, Aug. 30, 2016; Docket No. FAA-2014-0418, Amdt. No. 417-4, 81 FR 47026, July 20, 2016; Doc. No. FAA-2019-0229, Amdt. 417-6, 85 FR 79716, Dec. 10, 2020]
§ 417.109 - Ground safety.
(a) Ground safety requirements apply to launch processing and post-launch operations at a launch site in the United States.
(b) A launch operator must protect the public from adverse effects of hazardous operations and systems associated with preparing a launch vehicle for flight at a launch site.
(c) §§ 417.111(c), 417.113(b), and 417.115(c), and subpart E of this part provide launch operator ground safety requirements.
§ 417.111 - Launch plans.
(a) General. A launch operator must implement written launch plans that define how launch processing and flight of a launch vehicle will be conducted without adversely affecting public safety and how to respond to a launch mishap. A launch operator's launch plans must include those required by this section. A launch operator's launch plans do not have to be separate documents, and may be part of other applicant documentation. A launch operator must incorporate each launch safety rule established under § 417.113 into a related launch safety plan. The launch operator must follow each launch plan.
(b) Flight Safety Plan. A launch operator must implement a plan that includes the following:
(1) Flight safety personnel. Identification of personnel by position who:
(i) Approve and implement each part of the flight safety plan and any modifications to the plan; and
(ii) Perform the flight safety analysis and ensure that the results, including the flight safety rules and establishment of flight hazard areas, are incorporated into the flight safety plan.
(2) Flight safety rules. All flight safety rules required by § 417.113.
(3) Flight safety system. A description of any flight safety system and its operation, including any preflight safety tests that a launch operator will perform.
(4) Trajectory and debris dispersion data. A description of the launch trajectory. For an orbital expendable launch vehicle, the description must include each planned orbital parameter, stage burnout time and state vector, and all planned stage impact times, locations, and downrange and crossrange dispersions. For a guided or unguided suborbital launch vehicle, the description must include each planned stage impact time, location, and downrange and crossrange dispersion.
(5) Flight hazard areas. Identification and location of each flight hazard area established for each launch as required by § 417.223, and identification of procedures for surveillance and clearance of these areas and zones as required by paragraph (j) of this section.
(6) Support systems and services. Identification of any support systems and services that are part of ensuring flight safety, including any aircraft or ship that a launch operator will use during flight.
(7) Flight safety operations. A description of the flight safety related tests, reviews, rehearsals, and other flight safety operations that a launch operator will conduct under §§ 417.115 through 417.121. A flight safety plan must contain or incorporate by reference written procedures for accomplishing all flight safety operations.
(8) Unguided suborbital launch vehicles. A launch operator's flight safety plan for the launch of an unguided suborbital rocket must meet the requirements of paragraph (b) of this section and provide the following data:
(i) Launch angle limits, as required by § 417.125(c)(3); and
(ii) All procedures for measurement of launch day winds and for performing wind weighting as required by §§ 417.125 and 417.233.
(c) Ground safety plan. A launch operator must implement a ground safety plan that describes implementation of the hazard controls identified by a launch operator's ground safety analysis and implementation of the ground safety requirements of subpart E of this part. A ground safety plan must address all public safety related issues and may include other ground safety issues if a launch operator intends it to have a broader scope. A ground safety plan must include the following:
(1) A description of the launch vehicle and any payload, or class of payload, identifying each hazard, including explosives, propellants, toxics and other hazardous materials, radiation sources, and pressurized systems. A ground safety plan must include figures that show the location of each hazard on the launch vehicle, and indicate where at the launch site a launch operator performs hazardous operations during launch processing.
(2) Propellant and explosive information including:
(i) Total net explosive weight of each of the launch operator's liquid and solid propellants and other explosives for each explosive hazard facility as defined by part 420 of this chapter.
(ii) For each toxic propellant, any hazard controls and process constraints determined under the launch operator's toxic release hazard analysis for launch processing performed as required by § 417.229 and appendix I of this part.
(iii) The explosive and occupancy limits for each explosive hazard facility.
(iv) Individual explosive item information, including configuration (such as, solid motor, motor segment, or liquid propellant container), explosive material, net explosive weight, storage hazard classification and compatibility group as defined by part 420 of this chapter.
(3) A graphic depiction of the layout of a launch operator's launch complex and other launch processing facilities at the launch site. The depiction must show separation distances and any intervening barriers between explosive items that affect the total net explosive weight that each facility is sited to accommodate. A launch operator must identify any proposed facility modifications or operational changes that may affect a launch site operator's explosive site plan.
(4) A description of the process for ensuring that the person designated under § 417.103(b)(2) reviews and approves any procedures and procedure changes for safety implications.
(5) Procedures that launch personnel will follow when reporting a hazard or mishap to a launch operator's safety organization.
(6) Procedures for ensuring that personnel have the qualifications and certifications needed to perform a task involving a hazard that could affect public safety.
(7) A flow chart of launch processing activities, including a list of all major tasks. The flow chart must include all hazardous tasks and identify where and when, with respect to liftoff, each hazardous task will take place.
(8) Identification of each safety clear zone and hazard area established as required by §§ 417.411 and 417.413, respectively.
(9) A summary of the means for announcing when any hazardous operation is taking place, the means for making emergency announcements and alarms, and identification of the recipients of each type of announcement.
(10) A summary of the means of prohibiting access to each safety clear zone, and implementing access control to each hazard area, including any procedures for prohibiting or allowing public access to such areas.
(11) A description of the process for ensuring that all safety precautions and verifications are in place before, during, and after hazardous operations. This includes the process for verification that an area can be returned to a non-hazardous work status.
(12) Description of each hazard control required by the ground safety analysis for each task that creates a public or launch location hazard. The hazard control must satisfy § 417.407(b).
(13) A procedure for the use of any safety equipment that protects the public, for each task that creates a public hazard or a launch location hazard.
(14) The requirement and procedure for coordinating with any launch site operator and local authorities, for each task creating a public or launch location hazard.
(15) Generic emergency procedures that apply to all emergencies and the emergency procedures that apply to each specific task that may create a public hazard, including any task that involves hazardous material, as required by § 417.407.
(16) A listing of the ground safety plan references, by title and date, such as the ground safety analysis report, explosive quantity-distance site plan and other ground safety related documentation.
(d) Launch support equipment and instrumentation plan. A launch operator must implement a plan that ensures the reliability of the equipment and instrumentation involved in protecting public safety during launch processing and flight. A launch support equipment and instrumentation plan must:
(1) List and describe support equipment and instrumentation;
(2) Identify all certified personnel, by position, as required by § 417.105, who operate and maintain the support equipment and instrumentation;
(3) Contain, or incorporate by reference, written procedures for support equipment and instrumentation operation, test, and maintenance that will be implemented for each launch;
(4) Identify equipment and instrumentation reliability; and
(5) Identify any contingencies that protect the public in the event of a malfunction.
(e) Configuration management and control plan. A launch operator must implement a plan that:
(1) Defines the launch operator's process for managing and controlling any change to a safety critical system to ensure its reliability;
(2) Identifies, for each system, each person by position who has authority to approve design changes and the personnel, by position, who maintain documentation of the most current approved design; and
(3) Contains, or incorporates by reference, all configuration management and control procedures that apply to the launch vehicle and each support system.
(f) Frequency management plan. A launch operator must implement a plan that:
(1) Identifies each frequency, all allowable frequency tolerances, and each frequency's intended use, operating power, and source;
(2) Provides for the monitoring of frequency usage and enforcement of frequency allocations; and
(3) Identifies agreements and procedures for coordinating use of radio frequencies with any launch site operator and any local and Federal authorities, including the Federal Communications Commission.
(g) Flight termination system electronic piece parts program plan. A launch operator must implement a plan that describes the launch operator's program for selecting and testing all electronic piece parts used in any flight termination system to ensure their reliability. This plan must—
(1) Demonstrate compliance with the requirements of § 417.309(b)(2);
(2) Describe the program for selecting piece parts for use in a flight termination system;
(3) Identify performance of any derating, qualification, screening, lot acceptance testing, and lot destructive physical analysis for electronic piece parts;
(4) Identify all personnel, by position, who conduct the piece part tests;
(5) Identify the pass/fail criteria for each test for each piece part;
(6) Identify the levels to which each piece part specification will be derated; and
(7) Contain, or incorporate by reference, test procedures for each piece part.
(h) Accident investigation plan (AIP). A launch operator must implement a plan containing the launch operator's procedures for reporting and responding to launch accidents, launch incidents, or other mishaps, as defined by § 401.5 of this chapter. An individual, authorized to sign and certify the application as required by § 413.7(c) of this chapter, and the person designated under § 417.103(b)(2) must sign the AIP.
(1) Reporting requirements. An AIP must provide for—
(i) Immediate notification to the Federal Aviation Administration (FAA) Washington Operations Center in case of a launch accident, a launch incident or a mishap that involves a fatality or serious injury (as defined by 49 CFR 830.2).
(ii) Notification within 24 hours to the Associate Administrator for Commercial Space Transportation or the Federal Aviation Administration (FAA) Washington Operations Center in the event of a mishap, other than those in § 415.41 (b) (1) of this chapter, that does not involve a fatality or serious injury (as defined in 49 CFR 830.2).
(iii) Submission of a written preliminary report to the FAA, Associate Administrator for Commercial Space Transportation, in the event of a launch accident or launch incident, as defined by § 401.5 of this chapter, within five days of the event. The report must identify the event as either a launch accident or launch incident, and must include the following information:
(A) Date and time of occurrence;
(B) Description of event;
(C) Location of launch;
(D) Launch vehicle;
(E) Any payload;
(F) Vehicle impact points outside designated impact lines, if applicable;
(G) Number and general description of any injuries;
(H) Property damage, if any, and an estimate of its value;
(I) Identification of hazardous materials, as defined by § 401.5 of this chapter, involved in the event, whether on the launch vehicle, payload, or on the ground;
(J) Action taken by any person to contain the consequences of the event; and
(K) Weather conditions at the time of the event.
(2) Response plan. An AIP must—
(i) Contain procedures that ensure the containment and minimization of the consequences of a launch accident, launch incident or other mishap;
(ii) Contain procedures that ensure the preservation of the data and physical evidence;
(3) Investigation plan. An AIP must contain—
(i) Procedures for investigating the cause of a launch accident, launch incident or other mishap;
(ii) Procedures for reporting investigation results to the FAA; and
(iii) Delineated responsibilities, including reporting responsibilities for personnel assigned to conduct investigations and for any one retained by the licensee to conduct or participate in investigations.
(4) Cooperation with FAA and NTSB. An AIP must contain procedures that require the licensee to report to and cooperate with FAA and National Transportation Safety Board (NTSB) investigations and designate one or more points of contact for the FAA and NTSB.
(5) Preventive measure. An AIP must contain procedures that require the licensee to identify and adopt preventive measures for avoiding recurrence of the event.
(i) Local agreements and public coordination plans. (1) Where there is a licensed launch site operator, a launch operator must implement and satisfy the launch site operator's local agreements and plans with local authorities at or near a launch site whose support is needed to ensure public safety during all launch processing and flight, as required by part 420 of this chapter.
(2) For a launch from an exclusive-use site, where there is no licensed launch site operator, a launch operator must develop and implement any agreements and plans with local authorities at or near the launch site whose support is needed to ensure public safety during all launch processing and flight, as required by part 420 of this chapter.
(3) A launch operator must implement a schedule and procedures for the release of launch information before flight, after flight, and in the event of a mishap.
(4) A launch operator must develop and implement procedures for public access to any launch viewing areas that are under a launch operator's control.
(5) A launch operator must describe its procedures for and accomplish the following for each launch—
(i) Inform local authorities of each designated hazard area near the launch site associated with a launch vehicle's planned trajectory and any planned impacts of launch vehicle components and debris as defined by the flight safety analysis required by subpart C of this part;
(ii) Provide any hazard area information prepared as required by § 417.225 or § 417.235 to the local United States Coast Guard or equivalent local authority for issuance of the notices to mariners;
(iii) Provide hazard area information prepared as required by § 417.223 or § 417.233 for each aircraft hazard area within a flight corridor to the FAA Air Traffic Control (ATC) office or equivalent local authority having jurisdiction over the airspace through which the launch will take place for the issuance of notices to airmen;
(iv) Communicate with the local Coast Guard and the FAA ATC office or equivalent local authorities, either directly or through any launch site operator, to ensure that notices to airmen and mariners are issued and in effect at the time of flight; and
(v) Coordinate with any other local agency that supports the launch, such as local law enforcement agencies, emergency response agencies, fire departments, National Park Service, and Mineral Management Service.
(j) Hazard area surveillance and clearance plan. A launch operator must implement a plan that defines the process for ensuring that any unauthorized persons, ships, trains, aircraft or other vehicles are not within any hazard areas identified by the flight safety analysis or the ground safety analysis. In the plan, the launch operator must—
(1) List each hazard area that requires surveillance under §§ 417.107 and 417.223;
(2) Describe how the launch operator will provide for day-of-flight surveillance of the flight hazard area to ensure that the presence of any member of the public in or near a flight hazard area is consistent with flight commit criteria developed for each launch as required by § 417.113;
(3) Verify the accuracy of any radar or other equipment used for hazard area surveillance and account for any inaccuracies in the surveillance system when enforcing the flight commit criteria;
(4) Identify the number of security and surveillance personnel employed for each launch and the qualifications and training each must have;
(5) Identify the location of roadblocks and other security checkpoints, the times that each station must be manned, and any surveillance equipment used; and
(6) Contain, or incorporate by reference, all procedures for launch personnel control, handling of intruders, communications and coordination with launch personnel and other launch support entities, and implementation of any agreements with local authorities and any launch site operator.
(k) Communications plan. A launch operator must implement a plan providing licensee personnel and Federal launch range personnel, if applicable, communications procedures during countdown and flight. Effective issuance and communication of safety-critical information during countdown must include hold/resume, go/no go, and abort commands by licensee personnel and any Federal launch range personnel, during countdown. For all launches from Federal launch ranges, the Federal launch range must concur with the communications plan. The communications plan must:
(1) Describe the authority of licensee personnel and any Federal launch range personnel by individual or position title, to issue these commands;
(2) Ensure the assignment of communication networks, so that personnel identified under this paragraph have direct access to real-time safety-critical information required for issuing hold/resume, go/no go, and abort decisions and commands;
(3) Ensure personnel, identified under this paragraph, monitor each common intercom channel during countdown and flight; and
(4) Ensure the implementation of a protocol for using defined radio telephone communications terminology.
(l) Countdown plan. A launch operator must develop and implement a countdown plan that verifies that each launch safety rule and launch commit criterion is satisfied, verifies that personnel can communicate during the countdown and that the communication is available after the flight; and verifies that a launch operator will be able to recover from a launch abort or delay. A countdown plan must:
(1) Cover the period of time when any launch support personnel are to be at their designated stations through initiation of flight.
(2) Include procedures for handling anomalies that occur during a countdown and events and conditions that may result in a constraint to initiation of flight.
(3) Include procedures for delaying or holding a launch when necessary to allow for corrective actions, to await improved conditions, or to accommodate a launch wait.
(4) Describe a process for resolving issues that arise during a countdown and identify each person, by position, who approves corrective actions.
(5) Include a written countdown checklist that provides a formal decision process leading to flight initiation. A countdown checklist must include the flight day preflight tests of a flight safety system required by subpart D of this part and must contain:
(i) Identification of operations and specific actions completed, verification that there are no constraints to flight, and verification that a launch operator satisfied all launch safety rules and launch commit criteria;
(ii) Time of each event;
(iii) Identification of personnel, by position, who perform each operation or specific action, including reporting to the person designated under § 417.103(b)(3);
(iv) Identification of each communication channel that a launch operator uses for reporting each event;
(v) Identification of all communication and event reporting protocols;
(vi) Polling of personnel, by position, who oversee all safety critical systems and operations, to verify that the systems and the operations are ready to proceed with the launch; and
(vii) Record of all critical communications network channels that are used for voice, video, or data transmission that support the flight safety system, during each countdown.
(6) In case of a launch abort or delay:
(i) Identify each condition that must exist in order to make another launch attempt;
(ii) Include a schedule depicting the flow of tasks and events in relation to when the abort or delay occurred and the new planned launch time; and
(iii) Identify each interface and supporting entity needed to support recovery operations.
§ 417.113 - Launch safety rules.
(a) General. For each launch, a launch operator must satisfy written launch safety rules that govern the conduct of the launch.
(1) The launch safety rules must identify the meteorological conditions and the status of the launch vehicle, launch support equipment, and personnel under which launch processing and flight may be conducted without adversely affecting public safety.
(2) The launch safety rules must satisfy the requirements of this section.
(3) A launch operator must follow all the launch safety rules.
(b) Ground safety rules. The launch safety rules must include ground safety rules that govern each preflight ground operation at a launch site that has the potential to adversely affect public safety. The ground safety rules must implement the ground safety analysis of subpart E of this part.
(c) Flight-commit criteria. The launch safety rules must include flight-commit criteria that identify each condition that must be met in order to initiate flight.
(1) The flight-commit criteria must implement the flight safety analysis of subpart C of this part and collision avoidance requirements in § 450.169 and critical asset protection requirements in § 450.101(a)(4) and (b)(4). These must include criteria for:
(i) Surveillance of any region of land, sea, or air necessary to ensure the number and location of members of the public are consistent with the inputs used for the flight safety analysis of subpart C of this part;
(ii) Monitoring of any meteorological condition and implementing any flight constraint developed using appendix G of this part. The launch operator must have clear and convincing evidence that the lightning flight commit criteria of appendix G, which apply to the conditions present at the time of lift-off, are not violated. If any other hazardous conditions exist, other than those identified by appendix G, the launch weather team will report the hazardous condition to the official designated under § 417.103(b)(1), who will determine whether initiating flight would expose the launch vehicle to a lightning hazard and not initiate flight in the presence of the hazard; and
(iii) Implementation of any launch wait in the launch window for the purpose of collision avoidance in accordance with collision avoidance requirements in § 450.169.
(2) For a launch that uses a flight safety system, the flight-commit criteria must ensure that the flight safety system is ready for flight. This must include criteria for ensuring that:
(i) The flight safety system is operating to ensure the launch vehicle will launch within all flight safety limits;
(ii) Any command transmitter system required by section D417.9 has sufficient coverage from lift-off to the point in flight where the flight safety system is no longer required by § 417.107(a);
(iii) The launch vehicle tracking system has no less than two tracking sources prior to lift-off. The launch vehicle tracking system has no less than one verified tracking source at all times from lift-off to orbit insertion for an orbital launch, to the end of powered flight for a suborbital launch; and
(iv) The launch operator will employ its flight safety system as designed in accordance with this part.
(3) For each launch, a launch operator must document the actual conditions used for the flight-commit criteria at the time of lift-off and verify whether the flight-commit criteria are satisfied.
(d) Flight termination rules. For a launch that uses a flight safety system, the launch safety rules must identify the conditions under which the flight safety system, including the functions of the flight safety system crew, must terminate flight to ensure public safety. These flight termination rules must implement the flight safety analysis of subpart C of this part and include each of the following:
(1) The flight safety system must terminate flight when valid, real-time data indicate the launch vehicle has violated any flight safety limit of § 417.213;
(2) The flight safety system must terminate flight at the straight-up-time required by § 417.215 if the launch vehicle continues to fly a straight up trajectory and, therefore, does not turn downrange when it should;
(3) The flight safety system must terminate flight when all of the following conditions exist:
(i) Real-time data indicate that the performance of the launch vehicle is erratic;
(ii) The potential exists for the loss of flight safety system control of the launch vehicle and further flight has the potential to endanger the public.
(4) The flight termination rules must incorporate the data-loss flight times and planned safe flight state of § 417.219, including each of the following:
(i) The flight safety system must terminate flight no later than the first data-loss flight time if, by that time, tracking of the launch vehicle is not established and vehicle position and status is unknown; and
(ii) Once launch vehicle tracking is established and there is a subsequent loss of verified tracking data before the planned safe flight state and verified tracking data is not received again, the flight safety system must terminate flight no later than the expiration of the data-loss flight time for the point in flight that the data was lost.
(5) For any gate established under § 417.217, both of the following apply:
(i) The flight safety system must terminate flight if the launch vehicle is performing erratically immediately prior to entering the gate.
(ii) The flight termination rules may permit the instantaneous impact point or other tracking icon to cross the gate only if there is no indication that the launch vehicle's performance has become erratic and the launch vehicle is either flying parallel to the nominal trajectory or converging to the nominal trajectory.
(6) For any hold-and-resume gate established under § 417.218;
(i) The flight safety system must terminate flight if the launch vehicle is performing erratically immediately prior to entering a hold gate.
(ii) The flight termination rules may permit the instantaneous impact point or other tracking icon to cross a hold gate only if there is no indication that the launch vehicle's performance has become erratic and the vehicle is either flying parallel to the nominal trajectory or converging to the nominal trajectory.
(iii) The flight termination rules of paragraphs (d)(1), (d)(3), and (d)(4) of this section apply after the instantaneous impact point or other tracking icon exits a resume gate.
(e) Flight safety system safing. For a launch that uses a flight safety system, the launch safety rules must ensure that any safing of the flight safety system occurs on or after the point in flight where the flight safety system is no longer required by § 417.107(b).
(f) Launch crew work shift and rest rules. For any operation with the potential to have an adverse effect on public safety, the launch safety rules must ensure the launch crew is physically and mentally capable of performing all assigned tasks. These rules must govern the length, number, and frequency of work shifts, including the rest afforded the launch crew between shifts.
[Docket No. FAA-2000-7953, 71 FR 50537, Aug. 25, 2006, as amended by Doc. No. FAA-2019-0229, Amdt. 417-6, 85 FR 79716, Dec. 10, 2020]
§ 417.115 - Tests.
(a) General. All flight, communication, and ground systems and equipment that a launch operator uses to protect the public from any adverse effects of a launch, must undergo testing as required by this part, and any corrective action and re-testing necessary to ensure reliable operation. A launch operator must—
(1) Coordinate test plans and all associated test procedures with any launch site operator or local authorities, as required by local agreements, associated with the operation; and
(2) Make test results, test failure reports, information on any corrective actions implemented and the results of re-test available to the FAA upon request.
(b) Flight safety system testing. A launch operator must only use a flight safety system and all flight safety system components, including any onboard launch vehicle flight termination system, command control system, and support system that satisfy the test requirements of subpart D of this part.
(c) Ground system testing. A launch operator must only use a system or equipment used to support hazardous ground operations identified by the ground safety analysis required by § 417.405 that satisfies the test requirements of paragraph (a) of this section.
§ 417.117 - Reviews.
(a) General. A launch operator must—
(1) Review the status of operations, systems, equipment, and personnel required by part 417;
(2) Maintain and implement documented criteria for successful completion of each review;
(3) Track to completion and document any corrective actions or issues identified during a review; and
(4) Ensure that launch operator personnel who oversee a review attest to successful completion of the review's criteria in writing.
(b) A launch operator must conduct the following reviews:
(1) Hazardous operations safety readiness reviews. A launch operator must conduct a review before performing any hazardous operation with the potential to adversely affect public safety. The review must determine a launch operator's readiness to perform the operation and ensure that safety provisions are in place. The review must determine the readiness status of safety systems and equipment and verify that the personnel involved satisfy certification and training requirements.
(2) Launch safety review. For each launch, a launch operator must conduct a launch safety review no later than 15 days before the planned day of flight, or as agreed to by the FAA during the application process. This review must determine the readiness of ground and flight safety systems, safety equipment, and safety personnel to support a flight attempt. Successful completion of a launch safety review must ensure satisfaction of the following criteria:
(i) A launch operator must verify that all safety requirements have been or will be satisfied before flight. The launch operator must resolve all safety related action items.
(ii) A launch operator must assign and certify flight safety personnel as required by § 417.105.
(iii) The flight safety rules and flight safety plan must incorporate a final flight safety analysis as required by subpart C of this part.
(iv) A launch operator must verify, at the time of the review, that the ground safety systems and personnel satisfy or will satisfy all requirements of the ground safety plan for support of flight.
(v) A launch operator must accomplish the safety related coordination with any launch site operator or local authorities as required by local agreements.
(vi) A launch operator must verify the filing of all safety related information for a specific launch with the FAA, as required by FAA regulations and any special terms of a license. A launch operator must verify that information filed with the FAA reflects the current status of safety-related systems and processes for each specific launch.
(3) Launch readiness review for flight. A launch operator must conduct a launch readiness review for flight as required by this section within 48 hours of flight. A person, identified as required by § 417.103(b)(1), must review all preflight testing and launch processing conducted up to the time of the review; and review the status of systems and support personnel to determine readiness to proceed with launch processing and the launch countdown. A decision to proceed must be in writing and signed by the person identified as required by § 417.103(b)(1), and any launch site operator or Federal launch range. A launch operator, during the launch readiness review, must poll the FAA to verify that the FAA has identified no issues related to the launch operator's license. During a launch readiness review, the launch operator must account for the following information:
(i) Readiness of launch vehicle and payload.
(ii) Readiness of any flight safety system and personnel and the results of flight safety system testing.
(iii) Readiness of safety-related launch property and services to be provided by a Federal launch range.
(iv) Readiness of all other safety-related equipment and services.
(v) Readiness of launch safety rules and launch constraints.
(vi) Status of launch weather forecasts.
(vii) Readiness of abort, hold and recycle procedures.
(viii) Results of rehearsals conducted as required by § 417.119.
(ix) Unresolved safety issues as of the time of the launch readiness review and plans for their resolution.
(x) Additional safety information that may be required to assess readiness for flight.
(xi) To review launch failure initial response actions and investigation roles and responsibilities.
§ 417.119 - Rehearsals.
(a) General. A launch operator must rehearse its launch crew and systems to identify corrective actions needed to ensure public safety. The launch operator must conduct all rehearsals as follows:
(1) A launch operator must assess any anomalies identified by a rehearsal, and must incorporate any changes to launch processing and flight needed to correct any anomaly that is material to public safety.
(2) A launch operator must inform the FAA of any public safety related anomalies and related changes in operations performed during launch processing or flight resulting from a rehearsal.
(3) For each launch, each person with a public safety critical role who will participate in the launch processing or flight of a launch vehicle must participate in at least one related rehearsal that exercises his or her role during nominal and non-nominal conditions so that the launch vehicle will not harm the public.
(4) A launch operator must conduct the rehearsals identified in this section for each launch.
(5) At least one rehearsal must simulate normal and abnormal preflight and flight conditions to exercise the launch operator's launch plans.
(6) A launch operator may conduct rehearsals at the same time if joint rehearsals do not create hazardous conditions, such as changing a hardware configuration that affects public safety, during the rehearsal.
(b) Countdown rehearsal. A launch operator must conduct a rehearsal using the countdown plan, procedures, and checklist required by § 417.111(l). A countdown rehearsal must familiarize launch personnel with all countdown activities, demonstrate that the planned sequence of events is correct, and demonstrate that there is adequate time allotted for each event. A launch operator must hold a countdown rehearsal after the assembly of the launch vehicle and any launch support systems into their final configuration for flight and before the launch readiness review required by § 417.117.
(c) Emergency response rehearsal. A launch operator must conduct a rehearsal of the emergency response section of the accident investigation plan required by § 417.111(h)(2). A launch operator must conduct an emergency response rehearsal for a first launch of a new vehicle, for any additional launch that involves a new safety hazard, or for any launch where more than a year has passed since the last rehearsal.
(d) Communications rehearsal. A launch operator must rehearse each part of the communications plan required by § 417.111(k), either as part of another rehearsal or during a communications rehearsal.
§ 417.121 - Safety critical preflight operations.
(a) General. A launch operator must perform safety critical preflight operations that protect the public from the adverse effects of hazards associated with launch processing and flight of a launch vehicle. The launch operator must identify all safety critical preflight operations in the launch schedule required by § 417.17(b)(1). Safety critical preflight operations must include those defined in this section.
(b) Countdown. A launch operator must implement its countdown plan, of § 417.111(l), for each launch. A launch operator must disseminate a countdown plan to all personnel responsible for the countdown and flight of a launch vehicle, and each person must follow that plan.
(c) [Reserved]
(d) Meteorological data. A launch operator must conduct operations and coordinate with weather organizations, as needed, to obtain accurate meteorological data to support the flight safety analysis required by subpart C of this part and to ensure compliance with the flight commit criteria required by § 417.113.
(e) Local notification. A launch operator must implement its local agreements and public coordination plan of § 417.111(i).
(f) Hazard area surveillance. A launch operator must implement its hazard area surveillance and clearance plan, of § 417.111(j), to meet the public safety criteria of § 417.107(b) for each launch.
(g) Flight safety system preflight tests. A launch operator must conduct preflight tests of any flight safety system as required by section E417.41 of appendix E of this part.
(h) Launch vehicle tracking data verification. For each launch, a launch operator must implement written procedures for verifying the accuracy of any launch vehicle tracking data provided. For a launch vehicle flown with a flight safety system, any source of tracking data must satisfy the requirements of § 417.307(b).
(i) Unguided suborbital rocket preflight operations. For the launch of an unguided suborbital rocket, in addition to meeting the other requirements of this section, a launch operator must perform the preflight wind weighting and other preflight safety operations required by §§ 417.125, 417.233, and appendix C of this part.
[Docket No. FAA-2000-7953, 71 FR 50537, Aug. 25, 2006, as amended by Amdt. No. 417-5, 81 FR 59439, Aug. 30, 2016; Doc. No. FAA-2019-0229, Amdt. 417-6, 85 FR 79716, Dec. 10, 2020]
§ 417.123 - Computing systems and software.
(a) A launch operator must document a system safety process that identifies the hazards and assesses the risks to public health and safety and the safety of property related to computing systems and software.
(b) A launch operator must identify all safety-critical functions associated with its computing systems and software. Safety-critical computing system and software functions must include the following:
(1) Software used to control or monitor safety-critical systems.
(2) Software that transmits safety-critical data, including time-critical data and data about hazardous conditions.
(3) Software used for fault detection in safety-critical computer hardware or software.
(4) Software that responds to the detection of a safety-critical fault.
(5) Software used in a flight safety system.
(6) Processor-interrupt software associated with previously designated safety-critical computer system functions.
(7) Software that computes safety-critical data.
(8) Software that accesses safety-critical data.
(9) Software used for wind weighting.
(c) A launch operator must conduct computing system and software hazard analyses for the integrated system.
(d) A launch operator must develop and implement computing system and software validation and verification plans.
(e) A launch operator must develop and implement software development plans, including descriptions of the following:
(1) Coding standards used;
(2) Configuration control;
(3) Programmable logic controllers;
(4) Policy on use of any commercial-off-the-shelf software; and
(5) Policy on software reuse.
§ 417.125 - Launch of an unguided suborbital launch vehicle.
(a) Applicability. This section applies only to a launch operator conducting a launch of an unguided suborbital launch vehicle.
(b) Need for flight safety system. A launch operator must launch an unguided suborbital launch vehicle with a flight safety system in accordance with § 417.107 (a) and subpart D of this part unless one of the following exceptions applies:
(1) The unguided suborbital launch vehicle, including any component or payload, does not have sufficient energy to reach any populated area in any direction from the launch point; or
(2) A launch operator demonstrates through the licensing process that the launch will be conducted using a wind weighting safety system that meets the requirements of paragraph (c) of this section.
(c) Wind weighting safety system. A launch operator's wind weighting safety system must consist of equipment, procedures, analysis and personnel functions used to determine the launcher elevation and azimuth settings that correct for the windcocking and wind drift that an unguided suborbital launch vehicle will experience during flight due to wind effects. The launch of an unguided suborbital launch vehicle that uses a wind weighting safety system must meet the following requirements:
(1) The unguided suborbital launch vehicle must not contain a guidance or directional control system.
(2) The launcher azimuth and elevation settings must be wind weighted to correct for the effects of wind conditions at the time of flight to provide a safe impact location. A launch operator must conduct the launch in accordance with the wind weighting analysis requirements and methods of § 417.233 and appendix C of this part.
(3) A launch operator must use a launcher elevation angle setting that ensures the rocket will not fly uprange. A launch operator must set the launcher elevation angle in accordance with the following:
(i) The nominal launcher elevation angle must not exceed 85°. The wind corrected launcher elevation setting must not exceed 86°.
(ii) For an unproven unguided suborbital launch vehicle, the nominal launcher elevation angle must not exceed 80°. The wind corrected launcher elevation setting must not exceed 84°. A proven unguided suborbital launch vehicle is one that has demonstrated, by two or more launches, that flight performance errors are within all the three-sigma dispersion parameters modeled in the wind weighting safety system.
(d) Public risk criteria. A launch operator must conduct the launch of an unguided suborbital launch vehicle in accordance with the public risk criteria of § 417.107(b). The risk to the public determined prior to the day of flight must satisfy the public risk criteria for the area defined by the range of nominal launch azimuths. A launch operator must not initiate flight until a launch operator has verified that the wind drifted impacts of all planned impacts and their five-sigma dispersion areas satisfy the public risk criteria after wind weighting on the day of flight.
(e) Stability. An unguided suborbital launch vehicle, in all configurations, must be stable in flexible body to 1.5 calibers and rigid body to 2.0 calibers throughout each stage of powered flight. A caliber, for a rocket configuration, is defined as the distance between the center of pressure and the center of gravity divided by the largest frontal diameter of the rocket configuration.
(f) Tracking. A launch operator must track the flight of an unguided suborbital launch vehicle. The tracking system must provide data to determine the actual impact locations of all stages and components, to verify the effectiveness of a launch operator's wind weighting safety system, and to obtain rocket performance data for comparison with the preflight performance predictions.
(g) Post-launch review. A launch operator must ensure that the post-launch report required by § 417.25 includes:
(1) Actual impact location of all impacting stages and each impacting component.
(2) A comparison of actual and predicted nominal performance.
(3) Investigation results of any launch anomaly. If flight performance deviates by more than a three-sigma dispersion from the nominal trajectory, a launch operator must conduct an investigation to determine the cause of the rocket's deviation from normal flight and take corrective action before the next launch. A launch operator must file any corrective actions with the FAA as a request for license modification before the next launch in accordance with § 417.11.
§ 417.127 - Unique safety policies, requirements and practices.
For each launch, a launch operator must review operations, system designs, analysis, and testing, and identify any unique hazards not otherwise addressed by this part. A launch operator must implement any unique safety policy, requirement, or practice needed to protect the public from the unique hazard. A launch operator must demonstrate through the licensing process that any unique safety policy, requirement, or practice ensures the safety of the public. For any change to a unique safety policy, requirement, or practice, with the exception of a launch specific update, the launch operator must file a request for license modification as required by § 417.11. The FAA may identify and impose a unique safety policy, requirement, or practice as needed to protect the public.
§ 417.129 - Safety at end of launch.
A launch operator must ensure for any proposed launch that for all launch vehicle stages or components that reach Earth orbit—
(a) There is no unplanned physical contact between the vehicle or any of its components and the payload after payload separation;
(b) Debris generation does not result from the conversion of energy sources into energy that fragments the vehicle or its components. Energy sources include chemical, pressure, and kinetic energy; and
(c) Stored energy is removed by depleting residual fuel and leaving all fuel line valves open, venting any pressurized system, leaving all batteries in a permanent discharge state, and removing any remaining source of stored energy.
§§ 417.130-417.200 - [Reserved]
source: Docket No. FAA-2000-7953, 71 FR 50537, Aug. 25, 2006, unless otherwise noted.
cite as: 14 CFR 417.123