(a) Applicability. This subpart applies to any flight safety system that a launch operator uses. The requirements of § 417.107(a) define when a launch operator must use a flight safety system. A launch operator must ensure that its flight safety system satisfies all the requirements of this subpart, including the referenced appendices. Paragraph (b) of this section provides an exception to this.

(b) Alternate flight safety system. A flight safety system need not satisfy one or more of the requirements of this subpart for a launch if a launch operator demonstrates, in accordance with § 406.3(b), that the launch achieves an equivalent level of safety as a launch that satisfies all the requirements of this part. The flight safety system must undergo analysis and testing that is comparable to that required by this part to demonstrate that the system's reliability to perform each intended function is comparable to that required by this subpart.

(c) Functions, subsystems, and components. When initiated in the event of a launch vehicle failure, a flight safety system must prevent any launch vehicle hazard, including any payload hazard, from reaching a populated or other protected area. A flight safety system must consist of all of the following:

(1) A flight termination system that satisfies appendices D, E, and F of this part;

(2) A command control system that satisfies §§ 417.303 and 417.305;

(3) Each support system required by § 417.307; and

(4) The functions of any personnel who operate flight safety system hardware or software including a flight safety crew that satisfies § 417.311.

(d) Compliance—(1) Non-Federal launch site. For launch from a non-Federal launch site, any flight safety system, including all components, must:

(i) Comply with a launch operator's flight safety system compliance matrix of § 415.127(g) that accounts for all the design, installation, and monitoring requirements of this subpart, including the referenced appendices; and

(ii) Comply with a launch operator's testing compliance matrix of § 415.129(b) that accounts for all the test requirements of this subpart, including the referenced appendices.

(2) Federal launch range. This provision applies to all sections of this subpart. The FAA will accept a flight safety system used or approved on a Federal launch range without need for further demonstration of compliance to the FAA if:

(i) A launch operator has contracted with a Federal launch range for the provision of flight safety system property and services; and

(ii) The FAA has assessed the Federal launch range, through its launch site safety assessment, and found that the Federal launch range's flight safety system property and services satisfy the requirements of this subpart. In this case, the FAA will treat the Federal launch range's flight safety system property and services as that of a launch operator.

(a) General. When initiated by a flight safety official, a command control system must transmit a command signal that has the radio frequency characteristics and power needed for receipt of the signal by the onboard vehicle flight termination system. A command control system must include all of the following:

(1) All flight termination system activation switches;

(2) All intermediate equipment, linkages, and software;

(3) Any auxiliary stations;

(4) Each command transmitter and transmitting antenna; and

(5) All support equipment that is critical for reliable operation, such as power, communications, and air conditioning systems.

(b) Performance specifications. A command control system and each subsystem, component, and part that can affect the reliability of a component must have written performance specifications that demonstrate, and contain the details of, how each satisfies the requirements of this section.

(c) Reliability prediction. A command control system must have a predicted reliability of 0.999 at the 95 percent confidence level when operating, starting with completion of the preflight testing and system verification of § 417.305(c) through initiation of flight and until the planned safe flight state for each launch. Any demonstration of the system's predicted reliability must satisfy § 417.309(b).

(d) Fault tolerance. A command control system must not contain any single-failure-point that, upon failure, would inhibit the required functioning of the system or cause the transmission of an undesired flight termination message. A command control system's design must ensure that the probability of transmitting an undesired or inadvertent command during flight is less than 1 × 10−7.

(e) Configuration control. A command control system must undergo configuration control to ensure its reliability and compatibility with the flight termination system used for each launch.

(f) Electromagnetic interference. Each command control system component must function within the electromagnetic environment to which it is exposed. A command control system must include protection to prevent interference from inhibiting the required functioning of the system or causing the transmission of an undesired or inadvertent flight termination command. Any susceptible remote control data processing or transmitting system that is part of the command control system must prevent electromagnetic interference.

(g) Command transmitter failover. A command control system must include independent, redundant transmitter systems that automatically switch, or “fail-over,” from a primary transmitter to a secondary transmitter when a condition exists that indicates potential failure of the primary transmitter. The switch must be automatic and provide all the same command control system capabilities through the secondary transmitter system. The secondary transmitter system must respond to any transmitter system configuration and radio message orders established for the launch. The fail-over criteria that trigger automatic switching from the primary transmitter to the secondary transmitter must account for each of the following transmitter performance parameters and failure indicators:

(1) Low transmitter power;

(2) Center frequency shift;

(3) Out of tolerance tone frequency;

(4) Out of tolerance message timing;

(5) Loss of communication between central control and transmitter site;

(6) Central control commanded status and site status disagree;

(7) Transmitter site fails to respond to a configuration or radiation order within a specified period of time; and

(8) For a tone-based system, tone deviation and tone imbalance.

(h) Switching between transmitter systems. Any manual or automatic switching between transmitter systems, including fail-over, must not result in the radio carrier being off the air long enough for any command destruct system to be captured by an unauthorized transmitter. The time the radio carrier is off the air must account for any loss of carrier and any simultaneous multiple radio carrier transmissions from two transmitter sites during switching.

(i) Radio carrier. For each launch, a command control system must provide all of the following:

(1) The radio frequency signal and radiated power density that each command destruct system needs to activate during flight;

(2) The 12-dB power density margin required by section D417.9(d) of appendix D of this part under nominal conditions; and

(3) A 6-dB power density margin under worst-case conditions.

(j) Command control system monitoring and control. A command control system must provide for monitoring and control of the system from the flight safety system displays and controls required by § 417.307(f), including real-time selection of a transmitter, transmitter site, communication circuits, and antenna configuration.

(k) Command transmitter system. For each launch, a command transmitter system must:

(1) Transmit signals that are compatible with any command destruct system's radio frequency receiving system of section D417.25 and command receiver decoder of section D417.29 of appendix D of this part;

(2) Ensure that all arm and destruct commands transmitted to a flight termination system have priority over any other commands transmitted;

(3) Employ an authorized radio carrier frequency and bandwidth with a guard band that provides the radio frequency separation needed to ensure that the system does not interfere with any other flight safety system that is required to operate at the same time;

(4) Transmit an output bandwidth that is consistent with the signal spectrum power used in the link analysis of § 417.309(f); and

(5) Not transmit other frequencies that could degrade the airborne flight termination system's performance.

(l) Command control system antennas. A command control system antenna or antenna system must satisfy all of the following:

(1) The antenna system must provide two or more command signals to any command destruct system throughout normal flight and in the event of a launch vehicle failure regardless of launch vehicle orientation;

(2) Each antenna beam-width must:

(i) Allow for complete transmission of the command destruct sequence of signal tones before a malfunctioning launch vehicle can exit the 3-dB point of the antenna pattern;

(ii) When the vehicle is centered in the antenna pattern at the beginning of the malfunction, account for the launch vehicle's malfunction turn capability determined by the analysis of § 417.209, the data loss flight times of § 417.219, and the time delay of § 417.221.

(iii) Encompass the boundaries of normal flight for the portion of flight that the antenna is scheduled to support; and

(iv) Account for any error associated with launch vehicle tracking and pointing of the antenna;

(3) The location of each antenna must provide for an unobstructed line of site between the antenna and the launch vehicle;

(4) The antenna system must provide a continuous omni-directional radio carrier pattern that covers the launch vehicle's flight from the launch point to no less than an altitude of 50,000 feet above sea level, unless the system uses a steerable antenna that satisfies paragraphs (l)(1) and (2) of this section for the worst-case launch vehicle malfunction that could occur during that portion of flight;

(5) An antenna must radiate circularly polarized radio waves that are compatible with the flight termination system antennas on the launch vehicle; and

(6) Any steerable antenna must allow for control of the antenna manually at the antenna site or by remote slaving data from a launch vehicle tracking source. A steerable antenna's positioning lag, accuracy, and slew rates must allow for tracking a nominally performing launch vehicle within one half of the antenna's beam-width and for tracking a malfunctioning launch vehicle to satisfy paragraph (l)(2) of this section.

(a) General. (1) A command control system, including its subsystems and components must undergo the acceptance testing of paragraph (b) of this section when new or modified. For each launch, a command control system must undergo the preflight testing of paragraph (c) of this section.

(2) Each acceptance and preflight test must follow a written test plan that specifies the procedures and test parameters for the test and the testing sequence. A test plan must include instructions on how to handle procedural deviations and how to react to test failures.

(3) If hardware or software is redesigned or replaced with a different hardware or software that is not identical to the original, the system must undergo all acceptance testing and analysis with the new hardware or software and all preflight testing for each launch with the new hardware or software.

(4) After a command control system passes all acceptance tests, if a component is replaced with an identical component, the system must undergo testing to ensure that the new component is installed properly and is operational.

(b) Acceptance testing. (1) All new or modified command control system hardware and software must undergo acceptance testing to verify that the system satisfies the requirements of § 417.303.

(2) Acceptance testing must include functional testing, system interface validation testing, and integrated system-wide validation testing.

(3) Each acceptance test must measure the performance parameters that demonstrate whether the requirements of § 417.303 are satisfied.

(4) Any computing system, software, or firmware that performs a software safety critical function must undergo validation testing and satisfy § 417.123. If command control system hardware interfaces with software, the interface must undergo validation testing.

(c) Preflight testing—(1) General. For each launch, a command control system must undergo preflight testing to verify that the system satisfies the requirements of § 417.303 for the launch.

(2) Coordinated command control system and flight termination system testing. For each launch, a command control system must undergo preflight testing during the preflight testing of the associated flight termination system under section E417.41 of appendix E of this part.

(3) Command transmitter system carrier switching tests. A command transmitter system must undergo a test of its carrier switching system no earlier than 24 hours before a scheduled flight. The test must satisfy all of the following:

(i) Automatic carrier switching. For any automatic carrier switching system, the test must verify that the switching algorithm selects and enables the proper transmitter site for each portion of the planned flight; and

(ii) Manual carrier switching. For any manual carrier switching, the test must verify that the flight safety system crew can select and enable each transmitter site planned to support the launch.

(4) Independent radio frequency open loop verification tests. A command control system must undergo an open loop end-to-end verification test for each launch as close to the planned flight as operationally feasible and after any modification to the system or break in the system configuration. The test must:

(i) Verify the performance of each element of the system from the flight safety system displays and controls to each command transmitter site;

(ii) Measure all system performance parameters received and transmitted using measuring equipment that does not physically interface with any elements of the operational command control system;

(iii) Verify the performance of each flight safety system display and control and remote command transmitter site combination by repeating all measurements for each combination, for all strings and all operational configurations of cross-strapped equipment; and

(iv) Verify that all critical command control system performance parameters satisfy all their performance specifications. These parameters must include:

(A) Transmitter power output;

(B) Center frequency stability;

(C) Tone deviation;

(D) Tone frequency;

(E) Message timing;

(F) Status of each communication circuit between the flight safety system display and controls and any supporting command transmitter sites;

(G) Status agreement between the flight safety system display and controls and each and any supporting command transmitter sites;

(H) Fail-over conditions;

(I) Tone balance; and

(J) Time delay from initiation of a command at each flight safety system control to transmitter output of the command signal.

(d) Test reports. If a Federal launch range oversees the safety of a launch, the range's requirements are consistent with this subpart, and the range provides and tests the command control system, a launch operator need only obtain the range's verification that the system satisfies all the test requirements. For any other case a launch operator must prepare or obtain one or more written reports that:

(1) Verify that the command control system satisfies all the test requirements;

(2) Describe all command control system test results and test conditions;

(3) Describe any analysis performed instead of testing;

(4) Identify by serial number or other identification each test result that applies to each system or component;

(5) Describe any test failure or anomaly, including any variation from an established performance baseline, each corrective action taken, and all results of any additional tests; and

(6) Identify any test failure trends.

(a) General. (1) A flight safety system must include the systems required by this section to support the functions of the flight safety system crew, including making a flight termination decision.

(2) Each support system and each subsystem, component, and part that can affect the reliability of the support system must have written performance specifications that demonstrate, and contain the details of, how each satisfies the requirements of this section.

(3) For each launch, each support system must undergo testing to ensure it functions according to its performance specifications.

(b) Launch vehicle tracking. (1) A flight safety system must include a launch vehicle tracking system that provides launch vehicle position and status data to the flight safety crew from the first data loss flight time until the planned safe flight state for the launch.

(2) The tracking system must consist of at least two sources of launch vehicle position data. The data sources must be independent of one another, and at least one source must be independent of any vehicle guidance system.

(3) All ground tracking systems and components must be compatible with any tracking system components onboard the launch vehicle.

(4) If a tracking system uses radar as one of the independent tracking sources, the system must:

(i) Include a tracking beacon onboard the launch vehicle; or

(ii) If the system relies on skin tracking, it must maintain a tracking margin of no less than 6 dB above noise throughout the period of flight that the radar is used. The flight safety limits must account for the larger tracking errors associated with skin tracking.

(5) The tracking system must provide real-time data to the flight safety data processing, display, and recording system required by paragraph (e) of this section.

(6) For each launch, each tracking source must undergo validation of its accuracy. For each stage of flight that a launch vehicle guidance system is used as a tracking source, a tracking source that is independent of any system used to aid the guidance system must validate the guidance system data before the data is used in the flight termination decision process.

(7) The launch vehicle tracking error from all sources, including data latency and any possible gaps or dropouts in tracking coverage, must be consistent with the flight safety limits of § 417.213 and the flight safety system time delay of § 417.221.

(8) Any planned gap in tracking coverage must not occur at the same time as any planned switching of command transmitters.

(c) Telemetry. (1) A flight safety system must include a telemetry system that provides the flight safety crew with accurate flight safety data during preflight operations and during flight until the planned safe flight state.

(2) The onboard telemetry system must monitor and transmit the flight termination system monitoring data of section D417.17 and any launch vehicle tracking data used to satisfy paragraph (b) of this section.

(3) The telemetry receiving system must acquire, store, and provide real-time data to the flight safety data processing, display, and recording system required by paragraph (e) of this section.

(d) Communications network. A flight safety system must include a communications network that connects all flight safety functions with all launch control centers and any down-range tracking and command transmitter sites. The system must provide for recording all required data and all voice communications channels during launch countdown and flight.

(e) Data processing, display, and recording. A flight safety system must include one or more subsystems that process, display, and record flight safety data to support the flight safety crew's monitoring of the launch, including the data that the crew uses to make a flight termination decision. The system must:

(1) Satisfy § 417.123 for any computing system, software, or firmware that must operate properly to ensure the accuracy of the data;

(2) Receive vehicle status data from tracking and telemetry, evaluate the data for validity, and provide valid data for display and recording;

(3) Perform any reformatting of the data as appropriate and forward it to display and recording devices;

(4) Display real-time data against background displays of the nominal trajectory and flight safety limits established in accordance with the flight safety analysis required by subpart C of this part;

(5) Display and record raw input and processed data at a rate that maintains the validity of the data and at no less than 0.1-second intervals;

(6) Record the timing of when flight safety system commands are input by the flight safety crew; and

(7) Record all health and status parameters of the command control system, including the transmitter failover parameters, command outputs, check channel or pilot tone monitor, and status of communications.

(f) Displays and controls. (1) A flight safety system must include the displays of real-time data and controls that the flight safety crew needs to perform all its functions, such as to monitor and evaluate launch vehicle performance, communicate with other flight safety and launch personnel, and initiate flight termination.

(2) A flight safety system must present all data that the flight safety crew needs to ensure that all flight commit criteria are satisfied for each launch, such as hazard area surveillance, any aircraft and ship traffic information, meteorological conditions, and the flight termination system monitoring data of section D417.17.

(3) The real-time displays must include all data that the flight safety crew needs to ensure the operational functionality of the flight safety system, including availability and quality, and that all flight termination rules are satisfied for each launch, such as:

(i) Launch vehicle tracking data, such as instantaneous vacuum impact point, drag corrected debris footprint, or present launch vehicle position and velocities as a function of time;

(ii) Vehicle status data from telemetry, including yaw, pitch, roll, and motor chamber pressure;

(iii) The flight termination system monitoring data of section D417.17;

(iv) Background displays of nominal trajectory, flight safety limits, data loss flight times, planned safe flight state, and any overflight gate through a flight safety limit all as determined by the flight safety analysis required by subpart C of this part; and

(v) Any video data when required by the flight safety crew to perform its functions, such as video from optical program and flight line cameras.

(4) The controls must allow the flight safety crew to turn a command transmitter on and off, manually switch from primary to backup transmitter antenna, and switch between each transmitter site. These functions may be accomplished through controls available to command transmitter support personnel and communications between those personnel and the flight safety crew.

(5) Each set of command transmitter system controls must include a means of identifying when it has primary control of the system.

(6) The displays must include a means of immediately notifying the flight safety system crew of any automatic fail-over of the system transmitters.

(7) All flight safety system controls must be dedicated to the flight safety system and must not rely on time or equipment shared with other systems.

(8) All data transmission links between any control, transmitter, or antenna must consist of two or more complete and independent duplex circuits. The routing of these circuits must ensure that they are physically separated from each other to eliminate any potential single failure point in the command control system in accordance with § 417.303(d).

(9) The system must include hardware or procedural security provisions for controlling access to all controls and other related hardware. These security provisions must ensure that only the flight safety crew can initiate a flight safety system transmission.

(10) The system must include two independent means for the flight safety crew to initiate arm and destruct messages. The location and functioning of the controls must provide the crew easy access to the controls and prevent inadvertent activation.

(11) The system must include a digital countdown for use in implementing the flight termination rules of § 417.113 that apply data loss flight times and the planned safe flight state. The system must also include a manual method of applying the data loss flight times in the event that the digital countdown malfunctions.

(g) Support equipment calibration. Each support system and any equipment used to test flight safety system components must undergo calibration to ensure that measurement and monitoring devices that support a launch provide accurate indications.

(h) Destruct initiator simulator. A flight safety system must include one or more destruct initiator simulators that simulate each destruct initiator during the flight termination system preflight tests. Each destruct initiator simulator must:

(1) Have electrical and operational characteristics matching those of the actual destruct initiator;

(2) Monitor the firing circuit output current, voltage, or energy, and indicate whether the firing output occurs. The indication that the output occurred must remain after the output is removed;

(3) Have the ability to remain connected throughout ground processing until the electrical connection of the actual initiators is accomplished;

(4) Include a capability that permits the issuance of destruct commands by test equipment only if the simulator is installed and connected to the firing lines; and

(5) For any low voltage initiator, provide a stray current monitoring device in the firing line. The stray current monitoring device, such as a fuse or automatic recording system, must be capable of indicating a minimum of one-tenth of the maximum no-fire current.

(i) Timing. A flight safety system must include a timing system that is synchronized to a universal time coordinate. The system must:

(1) Initiate first motion signals;

(2) Synchronize flight safety system instrumentation, including countdown clocks; and

(3) Identify when, during countdown or flight, a data measurement or voice communication occurs.

(a) General. (1) Each flight termination system and command control system, including each of their components, must satisfy the analysis requirements of this section.

(2) Each analysis must follow an FAA approved system safety and reliability analysis methodology.

(b) System reliability. Each flight termination system and command control system must undergo an analysis that demonstrates the system's predicted reliability. Each analysis must:

(1) Account for the probability of a flight safety system anomaly occurring and all of its effects as determined by the single failure point analysis and the sneak circuit analysis required by paragraphs (c) and (g) of this section;

(2) Demonstrate that each system satisfies the predicted reliability requirement of 0.999 at the 95 percent confidence level;

(3) Use a reliability model that is statistically valid and accurately represents the system;

(4) Account for the actual or predicted reliability of all subsystems and components;

(5) Account for the effects of storage, transportation, handling, maintenance, and operating environments on component predicted reliability; and

(6) Account for the interface between the launch vehicle systems and the flight termination system.

(c) Single failure point. A command control system must undergo an analysis that demonstrates that the system satisfies the fault tolerance requirements of § 417.303(d). A flight termination system must undergo an analysis that demonstrates that the system satisfies the fault tolerance requirements of section D417.5(b). Each analysis must:

(1) Follow a standard industry methodology such as a fault tree analysis or a failure modes effects and criticality analysis;

(2) Identify all possible failure modes and undesired events, their probability of occurrence, and their effects on system performance;

(3) Identify single point failure modes;

(4) Identify areas of design where redundancy is required and account for any failure mode where a component and its backup could fail at the same time due to a single cause;

(5) Identify functions, including redundancy, which are not or cannot be tested;

(6) Account for any potential system failures due to hardware, software, test equipment, or procedural or human errors;

(7) Account for any single failure point on another system that could disable a command control system or flight termination system, such as any launch vehicle system that could trigger safing of a flight termination system; and

(8) Provide input to the reliability analysis of paragraph (b) of this section.

(d) Fratricide. A flight termination system must undergo an analysis that demonstrates that the flight termination of any stage, at any time during flight, will not sever interconnecting flight termination system circuitry or ordnance to other stages until flight termination on all the other stages has been initiated.

(e) Bent pin. Each component of a flight termination system and command control system must undergo an analysis that demonstrates that any single short circuit occurring as a result of a bent electrical connection pin will not result in inadvertent system activation or inhibiting the proper operation of the system.

(f) Radio frequency link. (1) The flight safety system must undergo a radio frequency link analysis to demonstrate that it satisfies the required 12-dB margin for nominal system performance and 6-dB margin for worst-case system performance.

(2) When demonstrating the 12-dB margin, each link analysis must account for the following nominal system performance and attenuation factors:

(i) Path losses due to plume or flame attenuation;

(ii) Vehicle trajectory;

(iii) Ground system and airborne system radio frequency characteristics; and

(iv) The antenna gain value that ensures that the margin is satisfied over 95% of the antenna radiation sphere surrounding the launch vehicle.

(3) When demonstrating the 6-dB margin, each link analysis must account for the following worst-case system performance and attenuation factors:

(i) The system performance and attenuation factors of paragraph (f)(2) of this section;

(ii) The command transmitter failover criteria of § 417.303(g) including the lowest output power provided by the transmitter system;

(iii) Worst-case power loss due to antenna pointing inaccuracies; and

(iv) Any other attenuation factors.

(g) Sneak circuit. Each electronic component that contains an electronic inhibit that could inhibit the functioning, or cause inadvertent functioning of a flight termination system or command control system, must undergo a sneak circuit analysis. The analysis must demonstrate that there are no latent paths of an unwanted command that could, when all components otherwise function properly, cause the occurrence of an undesired, unplanned, or inhibited function that could cause a system anomaly. The analysis must determine the probability of an anomaly occurring for input to the system reliability analysis of paragraph (b) of this section.

(h) Software and firmware. Any computing system, software, or firmware that performs a software safety critical function must undergo the analysis needed to ensure reliable operation and satisfy § 417.123.

(i) Battery capacity. A flight termination system must undergo an analysis that demonstrates that each flight termination system battery has a total amp hour capacity of no less than 150% of the capacity needed during flight plus the capacity needed for load and activation checks, preflight and launch countdown checks, and any potential launch hold time. For a launch vehicle that uses any solid propellant, the analysis must demonstrate that the battery capacity allows for an additional 30-minute hang-fire hold time. The battery analysis must also demonstrate each flight termination system battery's ability to meet the charging temperature and current control requirements of appendix D of this part.

(j) Survivability. A flight termination system must undergo an analysis that demonstrates that each subsystem and component, including their location on the launch vehicle, provides for the flight termination system to complete all its required functions when exposed to:

(1) Breakup of the launch vehicle due to aerodynamic loading effects at high angle of attack trajectories during early stages of flight, including the effects of any automatic or inadvertent destruct system;

(2) An engine hard-over nozzle induced tumble during each phase of flight for each stage; or

(3) Launch vehicle staging, ignition, or any other normal or abnormal event that, when it occurs, could damage flight termination system hardware or inhibit the functionality of any subsystem or component, including any inadvertent separation destruct system.

(a) A flight safety crew must operate the flight safety system hardware. A flight safety crew must document each flight safety crew position description and maintain documentation on individual crew qualifications, including education, experience, and training as part of the personnel certification program required by § 417.105.

(b) A flight safety crew must be able to demonstrate the knowledge, skills, and abilities needed to operate the flight safety system hardware in accordance with § 417.113.

(1) A flight safety crew must have knowledge of:

(i) All flight safety system assets and responsibilities, including:

(A) Communications systems and launch operations procedures;

(B) Both voice and data systems;

(C) Graphical data systems;

(D) Tracking; and

(E) Telemetry real time data;

(ii) Flight termination systems; and

(iii) Contingency operations, including hold, recycle and abort procedures.

(2) An individual who monitors vehicle performance and performs flight termination must have knowledge of and be capable of resolving malfunctions in:

(i) The application of safety support systems such as position tracking sources;

(ii) Digital computers;

(iii) Displays;

(iv) Command destruct;

(v) Communications;

(vi) Telemetry;

(vii) All electrical functions of a flight termination system;

(viii) The principles of radio frequency transmission and attenuation;

(ix) The behavior of ballistic and aerodynamic vehicles in flight under the influence of aerodynamic forces; and

(x) The application of flight termination rules.

(3) An individual who operates flight safety support systems must have knowledge of and be capable of resolving malfunctions in:

(i) The design and assembly of the flight safety support system hardware;

(ii) The operation of electromechanical systems; and

(iii) The nature and inherent tendencies of the flight safety system hardware being operated.

(4) An individual who performs flight safety analysis must have knowledge of orbital mechanics and be proficient in the calculation and production of range safety displays, impact probabilities, and casualty expectations.

(c) Flight safety crew members must complete a training and certification program to ensure launch site familiarization, launch vehicle familiarization, flight safety system functions, equipment, and procedures related to a launch before being called upon to support that launch. Each flight safety crew member must complete a preflight readiness training and certification program. This preflight readiness training and certification program must include:

(1) Mission specific training programs to ensure team readiness.

(2) Launch simulation exercises of system failure modes, including nominal and failure modes, that test crew performance, flight termination criteria, and flight safety data display integrity.