Regulations last checked for updates: Nov 27, 2024

Title 14 - Aeronautics and Space last revised: Nov 21, 2024
Table of Contents

§ 450.101 - Safety criteria.

§ 450.103 - System safety program.

§ 450.107 - Hazard control strategies.

§ 450.108 - Flight abort.

§ 450.109 - Flight hazard analysis.

§ 450.110 - Physical containment.

§ 450.111 - Wind weighting.

§ 450.113 - Flight safety analysis requirements—scope.

§ 450.115 - Flight safety analysis methods.

§ 450.117 - Trajectory analysis for normal flight.

§ 450.119 - Trajectory analysis for malfunction flight.

§ 450.121 - Debris analysis.

§ 450.123 - Population exposure analysis.

§ 450.131 - Probability of failure analysis.

§ 450.133 - Flight hazard area analysis.

§ 450.135 - Debris risk analysis.

§ 450.137 - Far-field overpressure blast effects analysis.

§ 450.139 - Toxic hazards for flight.

§ 450.141 - Computing systems.

§ 450.143 - Safety-critical system design, test, and documentation.

§ 450.145 - Highly reliable flight safety system.

§ 450.147 - Agreements.

§ 450.149 - Safety-critical personnel qualifications.

§ 450.151 - Work shift and rest requirements.

§ 450.153 - Radio frequency management.

§ 450.155 - Readiness.

§ 450.157 - Communications.

§ 450.159 - Pre-flight procedures.

§ 450.161 - Control of hazard areas.

§ 450.163 - Lightning hazard mitigation.

§ 450.165 - Flight commit criteria.

§ 450.167 - Tracking.

§ 450.169 - Launch and reentry collision avoidance analysis requirements.

§ 450.171 - Safety at end of launch.

§ 450.173 - Mishap plan—reporting, response, and investigation requirements.

§ 450.175 - Test-induced damage.

§ 450.177 - Unique safety policies, requirements, and practices.

§ 450.179 - Ground safety—general.

§ 450.181 - Coordination with a site operator.

§ 450.183 - Explosive site plan.

§ 450.185 -

§ 450.187 - Toxic hazards mitigation for ground operations.

§ 450.189 - Ground safety prescribed hazard controls.

§ 450.101 - Safety criteria.

(a) Launch risk criteria. For any launch, an operator may initiate the flight of a launch vehicle only if all risks to the public satisfy the criteria in this paragraph (a). For an orbital launch, the criteria in this paragraph apply from liftoff through orbital insertion. For a suborbital launch, or a suborbital launch and reentry, the criteria in this paragraph apply from liftoff through final impact or landing.

(1) Collective risk. The collective risk, measured as expected number of casualties (EC), consists of risk posed by impacting inert and explosive debris, toxic release, and far field blast overpressure. Public risk due to any other hazard associated with the proposed flight of a launch vehicle will be determined by the Administrator on a case-by-case basis.

(i) The risk to all members of the public, excluding persons in aircraft and neighboring operations personnel, must not exceed an expected number of 1 × 10 4 casualties.

(ii) The risk to all neighboring operations personnel must not exceed an expected number of 2 × 10 4 casualties.

(2) Individual risk. The individual risk, measured as probability of casualty (PC), consists of risk posed by impacting inert and explosive debris, toxic release, and far field blast overpressure. The FAA will determine whether to approve public risk due to any other hazard associated with the proposed flight of a launch vehicle on a case-by-case basis.

(i) The risk to any individual member of the public, excluding neighboring operations personnel, must not exceed a probability of casualty of 1 × 10 6 per launch.

(ii) The risk to any individual neighboring operations personnel must not exceed a probability of casualty of 1 × 10 5 per launch.

(3) Aircraft risk. A launch operator must establish any aircraft hazard areas necessary to ensure the probability of impact with debris capable of causing a casualty for aircraft does not exceed 1 × 10 6.

(4) Risk to critical assets. (i) The risk to critical assets, measured as the probability of loss of functionality, must not exceed the following probabilities:

(A) For each critical asset, except for a critical payload, 1 × 10 3 ; and

(B) For each critical payload, 1 × 10 4.

(ii) The Administrator will consult with relevant Federal agencies, and each agency will identify, for purposes of this part, any critical assets that the agency owns or otherwise depends on. For purposes of this part, the Administrator will accept any identification by the Secretary of Defense that an asset is critical to national security.

(iii) The Administrator or Federal site operator will notify the licensee of any risk to critical assets above the risk criteria in paragraph (a)(4)(i) of this section.

(iv) The Administrator may determine, in consultation with relevant Federal agencies, that a more stringent probability is necessary to protect the national interests of the United States.

(v) The risk criteria in paragraph (a)(4)(i) of this section do not apply to property, facilities, or infrastructure supporting the launch that are within the public area distance, as defined in part 420, appendix E, tables E1 and E2 or associated formulae, of the vehicle's launch point.

(b) Reentry risk criteria. For any reentry, an operator may initiate the deorbit of a vehicle only if all risks to the public satisfy the criteria in this paragraph (b). The following criteria apply to each reentry, other than a suborbital reentry, from the final health check prior to initiating deorbit through final impact or landing:

(1) Collective risk. The collective risk, measured as expected number of casualties (EC), consists of risk posed by impacting inert and explosive debris, toxic release, and far field blast overpressure. Public risk due to any other hazard associated with the proposed deorbit of a reentry vehicle will be determined by the Administrator on a case-by-case basis.

(i) The risk to all members of the public, excluding persons in aircraft and neighboring operations personnel, must not exceed an expected number of 1 × 10 4 casualties.

(ii) The risk to all neighboring operations personnel must not exceed an expected number of 2 × 10 4 casualties.

(2) Individual risk. The individual risk, measured as probability of casualty (PC), consists of risk posed by impacting inert and explosive debris, toxic release, and far field blast overpressure. Public risk due to any other hazard associated with the proposed flight of a launch vehicle will be determined on a case-by-case basis.

(i) The risk to any individual member of the public, excluding neighboring operations personnel, must not exceed a probability of casualty of 1 × 10 6 per reentry.

(ii) The risk to any individual neighboring operations personnel must not exceed a probability of casualty of 1 × 10 5 per reentry.

(3) Aircraft risk. A reentry operator must establish any aircraft hazard areas necessary to ensure the probability of impact with debris capable of causing a casualty for aircraft does not exceed 1 × 10 6.

(4) Risk to critical assets. (i) The risk to critical assets, measured as the probability of loss of functionality, must not exceed the following probabilities:

(A) For each critical asset, except for a critical payload, 1 × 10 3 ; and

(B) For each critical payload, 1 × 10 4.

(ii) The Administrator will consult with relevant Federal agencies, and each agency will identify, for purposes of this part, any critical assets that the agency owns or otherwise depends on. For purposes of this part, the Administrator will accept any identification by the Secretary of Defense that an asset is critical to national security.

(iii) The Administrator or Federal site operator will notify the licensee of any risk to critical assets above the risk criteria in paragraph (b)(4)(i) of this section.

(iv) The Administrator may determine, in consultation with relevant Federal agencies, that a more stringent probability is necessary to protect the national interests of the United States.

(c) High consequence event protection. An operator must protect against a high consequence event in uncontrolled areas for each phase of flight by:

(1) Using flight abort as a hazard control strategy in accordance with the requirements of § 450.108;

(2) Ensuring the consequence of any reasonably foreseeable failure mode, in any significant period of flight, is no greater than 1 × 10 3 conditional expected casualties; or

(3) Establishing the launch or reentry vehicle has sufficient demonstrated reliability as agreed to by the Administrator based on conditional expected casualties criteria during that phase of flight.

(d) Disposal safety criteria. A launch operator must ensure that any disposal meets the criteria of paragraphs (b)(1) through (3) of this section, or targets a broad ocean area.

(e) Protection of people and property on orbit. (1) A launch or reentry operator must prevent the collision between a launch or reentry vehicle stage or component and people or property on orbit, in accordance with the requirements in § 450.169(a).

(2) For any launch vehicle stage or component that reaches Earth orbit, a launch operator must prevent the creation of debris through the conversion of energy sources into energy that fragments the stage or component, in accordance with the requirements in § 450.171.

(f) Notification of planned impacts. For any launch, reentry, or disposal, an operator must notify the public of any region of land, sea, or air that contains, with 97 percent probability of containment, all debris resulting from normal flight events capable of causing a casualty.

(g) Validity of the analysis. For any analysis used to demonstrate compliance with this section, an operator must use accurate data and scientific principles and the analysis must be statistically valid. The method must produce results consistent with or more conservative than the results available from previous mishaps, tests, or other valid benchmarks, such as higher-fidelity methods.

System Safety Program
§ 450.103 - System safety program.

An operator must implement and document a system safety program throughout the lifecycle of a launch or reentry system that includes the following:

(a) Safety organization. An operator must maintain a safety organization that has clearly defined lines of communication and approval authority for all public safety decisions. At a minimum, the safety organization must have the following positions:

(1) Mission director. For each launch or reentry, an operator must designate a position responsible for the safe conduct of all licensed activities and authorized to provide final approval to proceed with licensed activities. This position is referred to as the mission director in this part.

(2) Safety official. For each launch or reentry, an operator must designate a position with direct access to the mission director who is—

(i) Responsible for communicating potential safety and noncompliance issues to the mission director; and

(ii) Authorized to examine all aspects of the operator's ground and flight safety operations, and to independently monitor compliance with the operator's safety policies, safety procedures, and licensing requirements.

(3) Addressing safety official concerns. The mission director must ensure that all of the safety official's concerns are addressed.

(b) Hazard management. For hazard management:

(1) An operator must implement methods to assess the system to ensure the validity of the hazard control strategy determination and any flight hazard or flight safety analysis throughout the lifecycle of the launch or reentry system;

(2) An operator must implement methods for communicating and implementing any updates throughout the organization; and

(3) Additionally, an operator required to conduct a flight hazard analysis must implement a process for tracking hazards, risks, mitigation measures, and verification activities.

(c) Configuration management and control. An operator must—

(1) Employ a process that tracks configurations of all safety-critical systems and documentation related to the operation;

(2) Ensure the use of correct and appropriate versions of systems and documentation tracked in paragraph (c)(1) of this section; and

(3) Document the configurations and versions identified in paragraph (c)(2) of this section for each licensed activity.

(d) Post-flight data review. An operator must employ a process for evaluating post-flight data to—

(1) Ensure consistency between the assumptions used for the hazard control strategy determination, any flight hazard or flight safety analyses, and associated mitigation and hazard control measures;

(2) Resolve any inconsistencies identified in paragraph (d)(1) of this section prior to the next flight of the vehicle;

(3) Identify any anomaly that may impact any flight hazard analysis, flight safety analysis, or safety-critical system, or is otherwise material to public safety; and

(4) Address any anomaly identified in paragraph (d)(3) of this section prior to the next flight as necessary to ensure public safety, including updates to any flight hazard analysis, flight safety analysis, or safety-critical system.

(e) Application requirements. An applicant must submit in its application the following:

(1) A description of the applicant's safety organization as required by paragraph (a) of this section, identifying the applicant's lines of communication and approval authority, both internally and externally, for all public safety decisions and the provision of public safety services; and

(2) A summary of the processes and products identified in the system safety program requirements in paragraphs (b), (c), and (d) of this section.

Hazard Control Strategies
§ 450.107 - Hazard control strategies.

(a) General. To meet the safety criteria of § 450.101(a), (b), or (c) for the flight, or any phase of flight, of a launch or reentry vehicle, an operator must use one or more of the hazard control strategies identified in § 450.108 through § 450.111.

(b) Hazard control strategy determination. For each phase of flight during a launch or reentry, an operator must use a functional hazard analysis to determine a hazard control strategy or strategies that account for—

(1) All functional failures associated with reasonably foreseeable hazardous events that have the capability to create a hazard to the public;

(2) Safety-critical systems; and

(3) A timeline of all safety-critical events.

(c) Flight hazard analysis. An operator must conduct a flight hazard analysis in accordance with § 450.109 of this part for the flight, or phase of flight, of a launch or reentry vehicle if the public safety hazards cannot be mitigated adequately to meet the public risk criteria of § 450.101(a), (b), and (c) using physical containment, wind weighting, or flight abort.

(d) Application requirements. An applicant must submit in its application—

(1) The results of the hazard control strategy determination, including—

(i) All functional failures identified under paragraph (b)(1) of this section;

(ii) The identification of all safety-critical systems; and

(iii) A timeline of all safety-critical events.

(2) A description of its hazard control strategy or strategies for each phase of flight.

§ 450.108 - Flight abort.

(a) Applicability. This section applies to the use of flight abort as a hazard control strategy for the flight, or phase of flight, of a launch or reentry vehicle to meet the safety criteria of § 450.101.

(b) Flight safety system. An operator must use a flight safety system that:

(1) Meets the requirements of § 450.145 if the consequence of any reasonably foreseeable failure mode in any significant period of flight is greater than 1 × 10 2 conditional expected casualties in uncontrolled areas; or

(2) Meets the requirements of § 450.143 if the consequence of any reasonably foreseeable failure mode in any significant period of flight is between 1 × 10 2 and 1 × 10 3 conditional expected casualties for uncontrolled areas.

(c) Flight safety limits objectives. An operator must determine and use flight safety limits that define when an operator must initiate flight abort for each of the following—

(1) To ensure compliance with the safety criteria of § 450.101(a) and (b);

(2) To prevent continued flight from increasing risk in uncontrolled areas if the vehicle is unable to achieve a useful mission;

(3) To prevent the vehicle from entering a period of materially increased public exposure in uncontrolled areas, including before orbital insertion, if a critical vehicle parameter is outside its pre-established expected range or indicates an inability to complete flight within the limits of a useful mission;

(4) To prevent conditional expected casualties greater than 1 × 10 2 in uncontrolled areas due to flight abort or due to flight outside the limits of a useful mission from any reasonably foreseeable off-trajectory failure mode in any significant period of flight; and

(5) To prevent the vehicle state from reaching identified conditions that are anticipated to compromise the capability of the flight safety system if further flight has the potential to violate a flight safety limit.

(6) In lieu of paragraphs (c)(2) and (4) of this section, to prevent debris capable of causing a casualty due to any hazard from affecting uncontrolled areas using a flight safety system that complies with § 450.145.

(d) Flight safety limits constraints. An operator must determine flight safety limits that—

(1) Account for temporal and geometric extents on the Earth's surface of any reasonably foreseeable vehicle hazards under all reasonably foreseeable conditions during normal and malfunctioning flight;

(2) Account for physics of hazard generation and transport including uncertainty;

(3) Account for the potential to lose valid data necessary to evaluate the flight abort rules;

(4) Account for the time delay, including uncertainties, between the violation of a flight abort rule and the time when the flight safety system is expected to activate;

(5) Account in individual, collective, and conditional risk evaluations both for proper functioning of the flight safety system and failure of the flight safety system;

(6) Are designed to avoid flight abort that results in increased collective risk to the public in uncontrolled areas, compared to continued flight; and

(7) Ensure that any trajectory within the limits of a useful mission that is permitted to fly without abort would meet the collective risk criteria of § 450.101(a)(1) or (b)(1) when analyzed as if it were the planned mission in accordance with § 450.213(b)(2).

(e) End of flight abort. A flight does not need to be aborted to protect against high consequence events in uncontrolled areas beginning immediately after critical vehicle parameters are validated, if the vehicle is able to achieve a useful mission and the following conditions are met for the remainder of flight:

(1) Flight abort would not materially decrease the risk from a high consequence event; and

(2) There are no key flight safety events.

(f) Flight abort rules. For each launch or reentry, an operator must establish and observe flight abort rules that govern the conduct of the launch or reentry as follows.

(1) Vehicle data required to evaluate flight abort rules must be available to the flight safety system under all reasonably foreseeable conditions during normal and malfunctioning flight.

(2) The flight safety system must abort flight:

(i) When valid, real-time data indicate the vehicle has violated any flight safety limit developed in accordance with this section;

(ii) When the vehicle state approaches identified conditions that are anticipated to compromise the capability of the flight safety system and further flight has the potential to violate a flight safety limit; and

(iii) In accordance with methods used to satisfy (d)(3) of this section, if tracking data is invalid and further flight has the potential to violate a flight safety limit.

(g) Application requirements. An applicant must submit in its application the following:

(1) A description of the methods used to demonstrate compliance with paragraph (c) of this section, including descriptions of how each analysis constraint in paragraph (d) of this section is satisfied in accordance with § 450.115.

(2) A description of how each flight safety limit and flight abort rule is evaluated and implemented during vehicle flight, including the quantitative criteria that will be used, a description of any critical parameters, and how the values required in paragraphs (c)(3) and (e) of this section are identified;

(3) A graphic depiction or series of depictions of flight safety limits for a representative mission together with the launch or landing point, all uncontrolled area boundaries, the nominal trajectory, extents of normal flight, and limits of a useful mission trajectories, with all trajectories in the same projection as each of the flight safety limits; and

(4) A description of the vehicle data that will be available to evaluate flight abort rules under all reasonably foreseeable conditions during normal and malfunctioning flight.

§ 450.109 - Flight hazard analysis.

(a) Applicability. This section applies to the use of a flight hazard analysis as a hazard control strategy to derive hazard controls for the flight, or phase of flight, of a launch or reentry vehicle. Hazards associated with computing systems and software are further addressed in § 450.141.

(b) Analysis. A flight hazard analysis must identify, describe, and analyze all reasonably foreseeable hazards to public safety resulting from the flight of a launch or reentry vehicle. Each flight hazard analysis must—

(1) Identify all reasonably foreseeable hazards, and the corresponding failure mode for each hazard, associated with the launch or reentry system relevant to public safety, including those resulting from:

(i) Vehicle operation, including staging and release;

(ii) System, subsystem, and component failures or faults;

(iii) Software operations;

(iv) Environmental conditions;

(v) Human factors;

(vi) Design inadequacies;

(vii) Procedure deficiencies;

(viii) Functional and physical interfaces between subsystems, including any vehicle payload;

(ix) Reuse of components or systems; and

(x) Interactions of any of the above.

(2) Assess each hazard's likelihood and severity.

(3) Ensure that the likelihood of any hazardous condition that may cause death or serious injury to the public is extremely remote.

(4) Identify and describe the risk elimination and mitigation measures required to satisfy paragraph (b)(3) of this section.

(5) Document that the risk elimination and mitigation measures achieve the risk level of paragraph (b)(3) of this section through validation and verification. Verification includes:

(i) Analysis;

(ii) Test;

(iii) Demonstration; or

(iv) Inspection.

(c) New Hazards. An operator must establish and document the criteria and techniques for identifying new hazards throughout the lifecycle of the launch or reentry system.

(d) Completeness Prior to Flight. For every launch or reentry, the flight hazard analysis must be complete and all hazards must be mitigated to an acceptable level in accordance with paragraph (b)(3) of this section.

(e) Updates. An operator must continually update the flight hazard analysis throughout the lifecycle of the launch or reentry system.

(f) Application requirements. An applicant must submit in its application the following:

(1) Flight hazard analysis products of paragraphs (b)(1) through (5) of this section, including data that verifies the risk elimination and mitigation measures resulting from the applicant's flight hazard analyses required by paragraph (b)(5) of this section; and

(2) The criteria and techniques for identifying new hazards throughout the lifecycle of the launch or reentry system as required by paragraph (c) of this section.

§ 450.110 - Physical containment.

(a) Applicability. This section applies to the use of physical containment as a hazard control strategy for the flight, or phase of flight, of a launch or reentry vehicle to meet the safety criteria of § 450.101(a), (b), and (c).

(b) Containment. To use physical containment as a hazard control strategy, an operator must—

(1) Develop the flight hazard area in accordance with § 450.133;

(2) Ensure that the launch vehicle does not have sufficient energy for any hazards associated with its flight to reach outside the flight hazard area;

(3) Ensure the hazard area is clear of the public and critical assets; and

(4) Apply other mitigation measures necessary to ensure no public or critical asset exposure to hazards, such as control of public access or wind placards.

(c) Application requirements. An applicant must submit in its application the following:

(1) A demonstration that the launch vehicle does not have sufficient energy for any hazards associated with its flight to reach outside the flight hazard area developed in accordance with § 450.133; and

(2) A description of the methods used to ensure that flight hazard areas are cleared of the public and critical assets.

§ 450.111 - Wind weighting.

(a) Applicability. This section applies to the use of wind weighting as a hazard control strategy for the flight of an unguided suborbital launch vehicle to meet the safety criteria of § 450.101(a), (b), and (c).

(b) Wind weighting safety system. The flight of an unguided suborbital launch vehicle that uses a wind weighting safety system must meet the following:

(1) The launcher azimuth and elevation settings must be wind weighted to correct for the effects of wind conditions at the time of flight to provide impact locations that will ensure compliance with the safety criteria in § 450.101; and

(2) An operator must use launcher azimuth and elevation angle settings that ensures the rocket will not fly in an unintended direction accounting for uncertainties in vehicle and launcher design and manufacturing, and atmospheric uncertainties.

(c) Analysis. An operator must—

(1) Establish flight commit criteria and other flight safety rules that control the risk to the public from potential adverse effects resulting from normal and malfunctioning flight;

(2) Establish any wind constraints under which flight may occur; and

(3) Conduct a wind weighting analysis that establishes the launcher azimuth and elevation settings that correct for the windcocking and wind-drift effects on the unguided suborbital launch vehicle.

(d) Stability. An unguided suborbital launch vehicle, in all configurations, must be stable throughout each stage of powered flight.

(e) Application requirements. An applicant must submit in its application the following:

(1) A description of its wind weighting analysis methods, including its method and schedule of determining wind speed and wind direction for each altitude layer;

(2) A description of its wind weighting safety system including all equipment used to perform the wind weighting analysis; and

(3) A representative wind weighting analysis using actual or statistical winds for the launch area and samples of the output.

Flight Safety Analyses
§ 450.113 - Flight safety analysis requirements—scope.

(a) An operator must perform and document a flight safety analysis for all phases of flight, except as specified in paragraph (b) of this section, as follows—

(1) For orbital launch, from liftoff through orbital insertion, and through all component impacts or landings;

(2) For suborbital launch, from liftoff through all component impacts or landings;

(3) For disposal, from the initiation of the deorbit through final impact; and

(4) For reentry, from the initiation of the deorbit through all component impacts or landing.

(b) An operator is not required to perform and document a flight safety analysis for a phase of flight if agreed to by the Administrator based on demonstrated reliability. An operator demonstrates reliability by using operational and flight history to show compliance with the risk criteria in § 450.101(a) and (b).

§ 450.115 - Flight safety analysis methods.

(a) Scope of the analysis. An operator's flight safety analysis method must account for all reasonably foreseeable events and failures of safety-critical systems during nominal and non-nominal launch or reentry that could jeopardize public safety.

(b) Level of fidelity of the analysis. An operator's flight safety analysis method must have a level of fidelity sufficient to—

(1) Demonstrate that any risk to the public satisfies the safety criteria of § 450.101, including the use of mitigations, accounting for all known sources of uncertainty, using a means of compliance accepted by the Administrator; and

(2) Identify the dominant source of each type of public risk with a criterion in § 450.101(a) or (b) in terms of phase of flight, source of hazard (such as toxic exposure, inert, or explosive debris), and failure mode.

(c) Application requirements. An applicant must submit a description of the flight safety analysis methodology, including identification of:

(1) The scientific principles and statistical methods used;

(2) All assumptions and their justifications;

(3) The rationale for the level of fidelity;

(4) The evidence for validation and verification required by § 450.101(g);

(5) The extent to which the benchmark conditions are comparable to the foreseeable conditions of the intended operations; and

(6) The extent to which risk mitigations were accounted for in the analyses.

§ 450.117 - Trajectory analysis for normal flight.

(a) General. A flight safety analysis must include a trajectory analysis that establishes, for any phase of flight within the scope as provided by § 450.113(a), the limits of a launch or reentry vehicle's normal flight as defined by the nominal trajectory, and the following sets of trajectories sufficient to characterize variability and uncertainty during normal flight:

(1) A set of trajectories to characterize variability. This set must describe how the intended trajectory could vary due to conditions known prior to initiation of flight; and

(2) A set of trajectories to characterize uncertainty. This set must describe how the actual trajectory could differ from the intended trajectory due to random uncertainties in all parameters with a significant influence on the vehicle's behavior throughout normal flight.

(b) Trajectory model. A final trajectory analysis must use a six-degree of freedom trajectory model to satisfy the requirements of paragraph (a) of this section.

(c) Atmospheric effects. A trajectory analysis must account for atmospheric conditions that have an effect on the trajectory, including atmospheric profiles that are no less severe than the worst conditions under which flight might be attempted, and for uncertainty in the atmospheric conditions.

(d) Application requirements. An applicant must submit the following:

(1) A description of the methods used to characterize the vehicle's flight behavior throughout normal flight, in accordance with § 450.115(c).

(2) The quantitative input data, including uncertainties, used to model the vehicle's normal flight in six degrees of freedom.

(3) The worst atmospheric conditions under which flight might be attempted, and a description of how the operator will evaluate the atmospheric conditions and uncertainty in the atmospheric conditions prior to initiating the operation;

(4) Representative normal flight trajectory analysis outputs, including the position velocity, and orientation for each second of flight for—

(i) The nominal trajectory;

(ii) A set of trajectories that characterize variability in the intended trajectory based on conditions known prior to initiation of flight; and

(iii) A set of trajectories that characterize how the actual trajectory could differ from the intended trajectory due to random uncertainties.

§ 450.119 - Trajectory analysis for malfunction flight.

(a) General. A flight safety analysis must include a trajectory analysis that establishes—

(1) The vehicle's deviation capability in the event of a malfunction during flight,

(2) The trajectory dispersion resulting from reasonably foreseeable malfunctions, and

(3) For vehicles using flight abort as a hazard control strategy under § 450.108, trajectory data or parameters that describe the limits of a useful mission. The FAA does not consider the collection of data related to a failure to be a useful mission.

(b) Analysis constraints. A malfunction trajectory analysis must account for each cause of a malfunction flight, including software and hardware failures, for every period of normal flight. The analysis for each type of malfunction must have sufficient temporal and spatial resolution to establish flight safety limits, if any, and individual risk contours that are smooth and continuous. The analysis must account for—

(1) The relative probability of occurrence of each malfunction;

(2) The probability distribution of position and velocity of the vehicle when each malfunction trajectory will terminate due to vehicle breakup, ground impact, or orbital insertion along with the cause of termination and the state of the vehicle;

(3) The parameters with a significant influence on a vehicle's flight behavior from the time a malfunction begins to cause a flight deviation until the time each malfunction trajectory will terminate due to vehicle breakup, ground impact, or orbital insertion; and

(4) The potential for failure of the flight safety system, if any.

(c) Application requirements. An applicant must submit—

(1) A description of the methodology used to characterize the vehicle's flight behavior throughout malfunction flight, in accordance with § 450.115(c).

(2) A description of the methodology used to determine the limits of a useful mission, in accordance with § 450.115(c).

(3) A description of the input data used to characterize the vehicle's malfunction flight behavior, including:

(i) A list of each cause of malfunction flight considered;

(ii) A list of each type of malfunction flight for which malfunction flight behavior was characterized; and

(iii) A quantitative description of the parameters, including uncertainties, with a significant influence on the vehicle's malfunction behavior for each type of malfunction flight characterized.

(4) Representative malfunction flight trajectory analysis outputs, including the position and velocity as a function of flight time for—

(i) Each set of trajectories that characterizes a type of malfunction flight;

(ii) The probability of each set of trajectories that characterizes a type of malfunction flight; and

(iii) A set of trajectories that characterizes the limits of a useful mission as described in paragraph (a)(3) of this section.

§ 450.121 - Debris analysis.

(a) General. A flight safety analysis must include an analysis characterizing the hazardous debris generated from normal and malfunctioning vehicle flight as a function of vehicle flight sequence.

(b) Vehicle impact and breakup analysis. A debris analysis must account for:

(1) Each reasonably foreseeable cause of vehicle breakup and intact impact,

(2) Vehicle structural characteristics and materials, and

(3) Energetic effects during break-up or at impact.

(c) Propagation of debris. A debris analysis must compute statistically valid debris impact probability distributions. The propagation of debris from each predicted breakup location to impact must account for—

(1) All foreseeable forces that can influence any debris impact location; and

(2) All foreseeable sources of impact dispersion, including, at a minimum:

(i) The uncertainties in atmospheric conditions;

(ii) Debris aerodynamic parameters, including uncertainties;

(iii) Pre-breakup position and velocity, including uncertainties; and

(iv) Breakup-imparted velocities, including uncertainties.

(d) Application requirements. An applicant must submit:

(1) A description of all scenarios that can lead to hazardous debris;

(2) A description of the methods used to perform the vehicle impact and breakup analysis, in accordance with § 450.115(c);

(3) A description of the methods used to compute debris impact distributions, in accordance with § 450.115(c);

(4) A description of the atmospheric data used as input to the debris analysis; and

(5) A quantitative description of the physical, aerodynamic, and harmful characteristics of hazardous debris.

§ 450.123 - Population exposure analysis.

(a) General. A flight safety analysis must account for the distribution of people for the entire region where there is a significant probability of impact of hazardous debris.

(b) Constraints. The exposure analysis must—

(1) Characterize the distribution of people both geographically and temporally;

(2) Account for the distribution of people among structures and vehicle types;

(3) Use reliable, accurate, and timely source data; and

(4) Account for vulnerability of people to hazardous debris effects.

(c) Application requirements. An applicant must submit:

(1) A description of the methods used to develop the exposure input data in accordance with § 450.115(c), and

(2) Complete population exposure data, in tabular form.

§ 450.131 - Probability of failure analysis.

(a) General. For each hazard and phase of flight, a flight safety analysis for a launch or reentry must account for vehicle failure probability. The probability of failure must be consistent for all hazards and phases of flight.

(1) For a vehicle or vehicle stage with fewer than two flights, the failure probability estimate must account for the outcome of all previous flights of vehicles developed and launched or reentered in similar circumstances.

(2) For a vehicle or vehicle stage with two or more flights, vehicle failure probability estimates must account for the outcomes of all previous flights of the vehicle or vehicle stage in a statistically valid manner. The outcomes of all previous flights of the vehicle or vehicle stage must account for data on any mishap and anomaly.

(b) Failure. For flight safety analysis purposes, a failure occurs when a vehicle does not complete any phase of normal flight or when any anomalous condition exhibits the potential for a stage or its debris to impact the Earth or reenter the atmosphere outside the normal trajectory envelope during the mission or any future mission of similar vehicle capability.

(c) Previous flight. For flight safety analysis purposes—

(1) The flight of a launch vehicle begins at a time in which a launch vehicle lifts off from the surface of the Earth; and

(2) The flight of a reentry vehicle or deorbiting upper stage begins at a time in which a vehicle attempts to initiate a reentry.

(d) Allocation. The vehicle failure probability estimate must be distributed across flight phases and failure modes. The distribution must be consistent with—

(1) The data available from all previous flights of vehicles developed and launched or reentered in similar circumstances; and

(2) Data from previous flights of vehicles, stages, or components developed and launched, reentered, flown, or tested by the subject vehicle developer or operator. Such data may include previous experience involving similar—

(i) Vehicle, stage, or component design characteristics;

(ii) Development and integration processes, including the extent of integrated system testing; and

(iii) Level of experience of the vehicle operation and development team members.

(e) Observed vs. conditional failure rate. Probability of failure allocation must account for significant differences in the observed failure rate and the conditional failure rate. A probability of failure analysis must use a constant conditional failure rate for each phase of flight, unless there is clear and convincing evidence of a different conditional failure rate for a particular vehicle, stage, or phase of flight.

(f) Application requirements. An applicant must submit:

(1) A description of the methods used in probability of failure analysis, in accordance with § 450.115(c); and

(2) A representative set of tabular data and graphs of the predicted failure rate and cumulative failure probability for each foreseeable failure mode.

§ 450.133 - Flight hazard area analysis.

(a) General. A flight safety analysis must include a flight hazard area analysis that identifies any region of land, sea, or air that must be surveyed, publicized, controlled, or evacuated in order to control the risk to the public. The analysis must account for, at a minimum—

(1) The regions of land, sea, and air potentially exposed to hazardous debris generated during normal flight events and all reasonably foreseeable failure modes;

(2) Any hazard controls implemented to control risk from any hazard;

(3) The limits of a launch or reentry vehicle's normal flight, including—

(i) Atmospheric conditions that are no less severe than the worst atmospheric conditions under which flight might be attempted; and

(ii) Uncertainty in the atmospheric conditions;

(4) All hazardous debris;

(5) Sources of debris dispersion in accordance with § 450.121(c); and

(6) A probability of one for any planned debris hazards or planned impacts.

(b) Waterborne vessel hazard areas. The flight hazard area analysis for waterborne vessels must determine the areas and durations for regions of water—

(1) That are necessary to contain, with 97 percent probability of containment, all debris resulting from normal flight events capable of causing a casualty to persons on waterborne vessels;

(2) That are necessary to contain either where the probability of debris capable of causing a casualty impacting on or near a vessel would exceed 1 × 10 5, accounting for all relevant hazards, or where the individual probability of casualty for any person on board a vessel would exceed the individual risk criteria in § 450.101(a)(2) or (b)(2); and

(3) Where reduced vessel traffic is necessary to meet the collective risk criteria in § 450.101(a)(1) or (b)(1).

(c) Land hazard areas. The flight hazard area analysis for land must determine the durations and areas regions of land—

(1) That are necessary to contain, with 97 percent probability of containment, all debris resulting from normal flight events capable of causing a casualty to any person on land;

(2) Where the individual probability of casualty for any person on land would exceed the individual risk criteria in § 450.101(a)(2) or (b)(2); and

(3) Where reduced population is necessary to meet the collective risk criteria in § 450.101(a)(1) or (b)(1).

(d) Airspace hazard volumes. The flight hazard area analysis for airspace must determine the durations and volumes for regions of air to be submitted to the FAA for approval—

(1) That are necessary to contain, with 97 percent probability of containment, all debris resulting from normal flight events capable of causing a casualty to persons on an aircraft; and

(2) Where the probability of impact on an aircraft would exceed the aircraft risk criterion in § 450.101(a)(3) or (b)(3).

(e) Application requirements. An applicant must submit:

(1) A description of the methodology to be used in the flight hazard area analysis in accordance with § 450.115(c), including:

(i) Classes of waterborne vessel and vulnerability criteria employed; and

(ii) Classes of aircraft and vulnerability criteria employed.

(2) Tabular data and graphs of the results of the flight hazard area analysis, including:

(i) Geographical coordinates of all hazard areas that are representative of those to be published, in accordance with § 450.161, prior to any proposed operation;

(ii) Representative 97 percent probability of containment contours for all debris resulting from normal flight events capable of causing a casualty for all locations specified in paragraph (a) of this section;

(iii) Representative individual probability of casualty contours for all locations specified in paragraph (a) of this section, including tabular data and graphs showing the hypothetical location of any member of the public that could be exposed to a probability of casualty of 1 × 10 5 or greater for neighboring operations personnel, and 1 × 10 6 or greater for other members of the public, given all foreseeable conditions within the flight commit criteria;

(iv) If applicable, representative 1 × 10 5 and 1 × 10 6 probability of impact contours for all debris capable of causing a casualty to persons on a waterborne vessel regardless of location; and

(v) Representative 1 × 10 6 and 1 × 10 7 probability of impact contours for all debris capable of causing a casualty to persons on an aircraft regardless of location.

§ 450.135 - Debris risk analysis.

(a) General. A flight safety analysis must include a debris risk analysis that demonstrates compliance with safety criteria in § 450.101, either—

(1) Prior to the day of the operation, accounting for all foreseeable conditions within the flight commit criteria; or

(2) During the countdown using the best available input data, including flight commit criteria and flight abort rules.

(b) Casualty area and consequence analysis. A debris risk analysis must model the casualty area, and compute the predicted consequences of each reasonably foreseeable failure mode in any significant period of flight in terms of conditional expected casualties. The casualty area and consequence analysis must account for—

(1) All relevant debris fragment characteristics and the characteristics of a representative person exposed to any potential debris hazard;

(2) Statistically-valid debris impact probability distributions;

(3) Any impact or effects of hazardous debris; and

(4) The vulnerability of people to debris impact or effects, including:

(i) Effects of buildings, ground vehicles, waterborne vessel, and aircraft upon the vulnerability of any occupants;

(ii) Effect of atmospheric conditions on debris impact and effects;

(iii) Impact speed and angle, accounting for motion of impacted vehicles;

(iv) Uncertainty in input data, such as fragment impact parameters; and

(v) Uncertainty in modeling methodology.

(c) Application requirements. An applicant must submit:

(1) A description of the methods used to demonstrate compliance with the safety criteria in § 450.101, in accordance with § 450.115(c), including a description of how the operator will account for the conditions immediately prior to enabling the flight of a launch vehicle or the reentry of a reentry vehicle, such as the final trajectory, atmospheric conditions, and the exposure of people;

(2) A description of the atmospheric data used as input to the debris risk analysis;

(3) The effective unsheltered casualty area for all fragment classes, assuming a representative impact vector;

(4) The effective casualty area for all fragment classes for a representative type of building, ground vehicle, waterborne vessel, and aircraft, assuming a representative impact vector;

(5) Collective and individual debris risk analysis outputs under representative conditions and the worst foreseeable conditions, including:

(i) Total collective casualty expectation for the proposed operation;

(ii) A list of the collective risk contribution for at least the top ten population centers and all centers with collective risk exceeding 1 percent of the collective risk criteria in § 450.101(a)(1) or (b)(1);

(iii) A list of the maximum individual probability of casualty for the top ten population centers and all centers that exceed 10 percent of the individual risk criteria in § 450.101(a)(2) or (b)(2); and

(iv) A list of the conditional collective casualty expectation for each failure mode for each significant period of flight under representative conditions and the worst foreseeable conditions.

§ 450.137 - Far-field overpressure blast effects analysis.

(a) General. A flight safety analysis must include a far-field overpressure blast effect analysis that demonstrates compliance with safety criteria in § 450.101, either—

(1) Prior to the day of the operation, accounting for all foreseeable conditions within the flight commit criteria; or

(2) During the countdown using the best available input data, including flight commit criteria and flight abort rules.

(b) Analysis constraints. The analysis must account for—

(1) The explosive capability of the vehicle and hazardous debris at impact and at altitude;

(2) The potential influence of meteorological conditions and terrain characteristics; and

(3) The potential for broken windows due to peak incident overpressures below 1.0 psi and related casualties based on the characteristics of exposed windows and the population's susceptibility to injury, with considerations including, at a minimum, shelter types, window types, and the time of day of the proposed operation.

(c) Application requirements. An applicant must submit a description of the far-field overpressure analysis, including all assumptions and justifications for the assumptions, analysis methods, input data, and results. At a minimum, the application must include:

(1) A description of the population centers, terrain, building types, and window characteristics used as input to the far-field overpressure analysis;

(2) A description of the methods used to compute the foreseeable explosive yield probability pairs, and the complete set of yield-probability pairs, used as input to the far-field overpressure analysis;

(3) A description of the methods used to compute peak incident overpressures as a function of distance from the explosion and prevailing meteorological conditions, including sample calculations for a representative range of the foreseeable meteorological conditions, yields, and population center locations;

(4) A description of the methods used to compute the probability of window breakage, including tabular data and graphs for the probability of breakage as a function of the peak incident overpressure for a representative range of window types, building types, and yields accounted for;

(5) A description of the methods used to compute the probability of casualty for a representative individual, including tabular data and graphs for the probability of casualty, as a function of location relative to the window and the peak incident overpressure for a representative range of window types, building types, and yields accounted for;

(6) Tabular data and graphs showing the hypothetical location of any member of the public that could be exposed to a probability of casualty of 1 × 10 5 or greater for neighboring operations personnel, and 1 × 10 6 or greater for other members of the public, given foreseeable conditions;

(7) The maximum expected casualties that could result from far-field overpressure hazards given foreseeable conditions; and

(8) A description of the meteorological measurements used as input to any real-time far-field overpressure analysis.

§ 450.139 - Toxic hazards for flight.

(a) Applicability. (1) Except as specified in paragraph (a)(2), this section applies to any launch or reentry vehicle, including all vehicle components and payloads, that use toxic propellants or other toxic chemicals.

(2) No toxic release hazard analysis is required for kerosene-based fuels, unless the Administrator determines that an analysis is required to protect public safety.

(b) General. An operator must—

(1) Conduct a toxic release hazard analysis in accordance with paragraph (c) of this section;

(2) Manage the risk of casualties that could arise from the exposure to toxic release through one of the following means:

(i) Contain hazards caused by toxic release in accordance with paragraph (d) of this section; or

(ii) Perform a toxic risk assessment, in accordance with paragraph (e) of this section, that protects the public in compliance with the safety criteria of § 450.101, including toxic release hazards.

(3) Establish flight commit criteria based on the results of its toxic release hazard analysis and toxic containment or toxic risk assessment for any necessary evacuation of the public from any toxic hazard area.

(c) Toxic release hazard analysis. A toxic release hazard analysis must—

(1) Account for any toxic release that could occur during nominal or non-nominal flight;

(2) Include a worst-case release scenario analysis or a maximum-credible release scenario analysis for each process that involves a toxic propellant or other chemical;

(3) Determine if toxic release can occur based on an evaluation of the chemical compositions and quantities of propellants, other chemicals, vehicle materials, and projected combustion products, and the possible toxic release scenarios;

(4) Account for both normal combustion products and any unreacted propellants and phase change or chemical derivatives of released substances; and

(5) Account for any operational constraints and emergency procedures that provide protection from toxic release.

(d) Toxic containment. An operator using toxic containment must manage the risk of any casualty from the exposure to toxic release either by—

(1) Evacuating, or being prepared to evacuate, the public from any toxic hazard area in the event of a worst-case release or maximum-credible release scenario; or

(2) Employing meteorological constraints to limit an operation to times during which prevailing winds and other conditions ensure that any member of the public would not be exposed to toxic concentrations and durations greater than accepted toxic thresholds for acute casualty in the event of a worst-case release or maximum-credible release scenario.

(e) Toxic risk assessment. An operator using toxic risk assessment must establish flight commit criteria that demonstrate compliance with the safety criteria of § 450.101. A toxic risk assessment must—

(1) Account for airborne concentration and duration thresholds of toxic propellants or other chemicals. For any toxic propellant, other chemicals, or combustion product, an operator must use airborne toxic concentration and duration thresholds identified in a means of compliance accepted by the Administrator;

(2) Account for physical phenomena expected to influence any toxic concentration and duration in the area surrounding the potential release site;

(3) Determine a toxic hazard area for the launch or reentry, surrounding the potential release site for each toxic propellant or other chemical based on the amount and toxicity of the propellant or other chemical, the exposure duration, and the meteorological conditions involved;

(4) Account for all members of the public who may be exposed to the toxic release, including all members of the public on land and on any waterborne vessels, populated offshore structures, and aircraft that are not operated in direct support of the launch or reentry; and

(5) Account for any risk mitigation measures applied in the risk assessment.

(f) Application requirements. An applicant must submit:

(1) The identity of toxic propellant, chemical, or combustion products or derivatives in the possible toxic release;

(2) The applicant's selected airborne toxic concentration and duration thresholds;

(3) The meteorological conditions for the atmospheric transport and buoyant cloud rise of any toxic release from its source to downwind receptor locations;

(4) Characterization of the terrain, as input for modeling the atmospheric transport of a toxic release from its source to downwind receptor locations;

(5) The identity of the toxic dispersion model used, and any other input data;

(6) Representative results of an applicant's toxic dispersion modeling to predict concentrations and durations at selected downwind receptor locations, to determine the toxic hazard area for a released quantity of the toxic substance;

(7) A toxic release hazard analysis in accordance with paragraph (c) of this section:

(i) A description of the failure modes and associated relative probabilities for potential toxic release scenarios used in the risk evaluation; and

(ii) The methodology and representative results of an applicant's determination of the worst-case or maximum-credible quantity of any toxic release that might occur during the flight of a vehicle;

(8) In accordance with § 450.139(b)(2),

(i) A toxic containment in accordance with paragraph (d) of this section, identify the evacuation plans or meteorological constraints and associated launch commit criteria needed to ensure that the public will not be within a toxic hazard area in the event of a worst-case release or maximum-credible release scenario; or

(ii) A toxic risk assessment in accordance with paragraph (e) of this section:

(A) A demonstration that the safety criteria in § 450.101 will be met;

(B) The population characteristics in receptor locations that are identified by toxic dispersion modeling as toxic hazard areas;

(C) A description of any risk mitigations applied in the toxic risk assessment; and

(D) A description of the population exposure input data used in accordance with § 450.123.

Prescribed Hazard Controls for Safety-Critical Hardware and Computing Systems
§ 450.141 - Computing systems.

(a) Identification of computing system safety items. An operator must identify:

(1) Any software or data that implements a capability that, by intended operation, unintended operation, or non-operation, can present a hazard to the public; and

(2) The level of criticality of each computing system safety item identified in paragraph (a)(1) of this section, commensurate with its degree of control over hazards to the public and the severity of those hazards.

(b) Safety requirements. An operator must develop safety requirements for each computing system safety item. In doing so, the operator must:

(1) Identify and evaluate safety requirements for each computing system safety item;

(2) Ensure the safety requirements are complete and correct;

(3) Implement each safety requirement; and

(4) Verify and validate the implementation of each safety requirement by using a method appropriate for the level of criticality of the computing system safety item. For each computing system safety item that is safety critical under § 401.7, verification and validation must include testing by a test team independent of the development division or organization.

(c) Development process. An operator must implement and document a development process for computing system safety items appropriate for the level of criticality of the computing system safety item. A development process must define:

(1) Responsibilities for each task associated with a computing system safety item;

(2) Processes for internal review and approval—including review that evaluates the implementation of all safety requirements—such that no person approves that person's own work;

(3) Processes to ensure development personnel are trained, qualified, and capable of performing their role;

(4) Processes that trace requirements to verification and validation evidence;

(5) Processes for configuration management that specify the content of each released version of a computing system safety item;

(6) Processes for testing that verify and validate all safety requirements to the extent required by paragraph (b)(4) of this section;

(7) Reuse policies that verify and validate the safety requirements for reused computing system safety items; and

(8) Third-party product use policies that verify and validate the safety requirements for any third-party product.

(d) Application requirements. An applicant must:

(1) Identify and describe all computing system safety items involved in the proposed operations;

(2) Provide the safety requirements for each computing system safety item;

(3) Provide documentation of the development processes that meets paragraph (c) of this section;

(4) Provide evidence of the execution of the appropriate development process for each computing system safety item; and

(5) Provide evidence of the implementation of each safety requirement.

§ 450.143 - Safety-critical system design, test, and documentation.

(a) Applicability. This section applies to all safety-critical systems, except for—

(1) Highly reliable flight safety systems covered under § 450.145; or

(2) Safety-critical systems for which an operator demonstrates through its flight hazard analysis that the likelihood of any hazardous condition specifically associated with the system that may cause death or serious injury to the public is extremely remote, pursuant to § 450.109(b)(3).

(b) Design. An operator must design safety-critical systems such that no credible fault can lead to increased risk to the public beyond nominal safety-critical system operation.

(c) Qualification testing of design. An operator must functionally demonstrate the design of the vehicle's safety-critical systems at conditions beyond its predicted operating environments. The operator must select environmental test levels that ensure the design is sufficiently stressed to demonstrate that system performance is not degraded due to design tolerances, manufacturing variances, or uncertainties in the environment.

(d) Acceptance of hardware. An operator must—

(1) Functionally demonstrate any safety-critical system, while exposed to its predicted operating environments with margin, is free of defects, free of integration and workmanship errors, and ready for operational use; or

(2) Combine in-process controls and a quality assurance process to ensure functional capability of any safety-critical system during its service life.

(e) Lifecycle of safety-critical systems. (1) The predicted operating environments must be based on conditions predicted to be encountered in all phases of flight, recovery, and transportation.

(2) An operator must monitor the flight environments experienced by safety-critical system components to the extent necessary to—

(i) Validate the predicted operating environments; and

(ii) Assess the actual component life remaining or adjust any inspection period.

(f) Application requirements. An applicant must submit to the FAA the following as part of its application:

(1) A list and description of each safety-critical system;

(2) Drawings and schematics for each safety-critical system;

(3) A summary of the analysis to determine the predicted operating environments and duration to be applied to qualification and acceptance testing covering the service life of any safety-critical system;

(4) A description of any method used to validate the predicted operating environments;

(5) A description of any instrumentation or inspection processes to monitor aging of any safety-critical system;

(6) The criteria and procedures for disposal or refurbishment for service life extension of safety-critical system components; and

(7) A description of the standards used in all phases of the lifecycle of each safety-critical system.

§ 450.145 - Highly reliable flight safety system.

(a) General. For each phase of flight for which an operator must implement flight abort to meet the requirement of § 450.108(b)(1), the operator must use a highly reliable flight safety system on the launch or reentry vehicle, vehicle component, or payload with a design reliability in accordance with this section.

(b) Reliability. A highly reliable flight safety system must, using a means of compliance accepted by the Administrator—

(1) Have a design reliability of 0.999 at 95 percent confidence and commensurate design, analysis, and testing for the portion of the flight safety system onboard the vehicle; and

(2) Have a design reliability of 0.999 at 95 percent confidence and commensurate design, analysis, and testing for the portion of the flight safety system not onboard the vehicle, if used.

(c) Monitoring. An operator must monitor the flight environments experienced by any flight safety system component to the extent necessary to—

(1) Validate the predicted operating environment; and

(2) Assess the actual component life remaining or adjust any inspection period.

(d) Application requirements. An applicant must submit the information identified below, for any highly reliable flight safety system:

(1) Flight safety system description. An applicant must describe the flight safety system and its operation in detail, including all components, component functions, and possible operational scenarios.

(2) Flight safety system diagram. An applicant must submit a diagram that identifies all flight safety system subsystems and shows the interconnection of all the elements of the flight safety system. The diagram must include any subsystems used to implement flight abort both on and off the vehicle, including any subsystems used to make the decision to abort flight.

(3) Flight safety system analyses. An applicant must submit any analyses and detailed analysis reports of all flight safety system subsystems necessary to calculate the reliability and confidence levels required by paragraph (a) of this section.

(4) Tracking validation procedures. An applicant must document and submit the procedures for validating the accuracy of any vehicle tracking data utilized by the flight safety system to make the decision to abort flight.

(5) Flight safety system test plans. An applicant must submit acceptance, qualification, and preflight test plans of any flight safety system, subsystems, and components. The test plans must include test procedures and test environments.

(6) Monitoring plan. An applicant must submit a description of any method used to validate the predicted operating environments.

Other Prescribed Hazard Controls
§ 450.147 - Agreements.

(a) General. An operator must establish a written agreement with any entity that provides a service or property that meets a requirement in this part, including:

(1) Launch and reentry site use agreements. A Federal launch or reentry site operator, a licensed launch or reentry site operator, or any other person that provides services or access to or use of property required to support the safe launch or reentry under this part;

(2) Agreements for notices to mariners. Unless otherwise addressed in agreements with the site operator, for overflight of navigable water, the U.S. Coast Guard or other applicable maritime authority to establish procedures for the issuance of a Notice to Mariners prior to a launch or reentry and other measures necessary to protect public health and safety;

(3) Agreements for notices to airmen. Unless otherwise addressed in agreements with the site operator, the FAA Air Traffic Organization or other applicable air navigation authority to establish procedures for the issuance of a Notice to Airmen prior to a launch or reentry, for closing of air routes during the respective launch and reentry windows, and for other measures necessary to protect public health and safety; and

(4) Mishap response. Emergency response providers, including local government authorities, to satisfy the requirements of § 450.173.

(b) Roles and responsibilities. The agreements required in this section must clearly delineate the roles and responsibilities of each party to support the safe launch or reentry under this part.

(c) Effective date. The agreements required in this section must be in effect before a license can be issued, unless otherwise agreed to by the Administrator.

(d) Application requirements. An applicant must—

(1) Describe each agreement in this section; and

(2) Provide a copy of any agreement, or portion thereof, to the FAA upon request.

§ 450.149 - Safety-critical personnel qualifications.

(a) General. An operator must ensure safety-critical personnel are trained, qualified, and capable of performing their safety-critical tasks, and that their training is current.

(b) Application requirements. An applicant must—

(1) Identify safety-critical tasks that require qualified personnel;

(2) Provide internal training and currency requirements, completion standards, or any other means of demonstrating compliance with the requirements of this section; and

(3) Describe the process for tracking training currency.

§ 450.151 - Work shift and rest requirements.

(a) General. For any launch or reentry, an operator must document and implement rest requirements that ensure safety-critical personnel are physically and mentally capable of performing all assigned tasks.

(b) Work shifts and deviation approval process. An operator's rest requirements must address the following:

(1) Duration of each work shift and the process for extending this shift, including the maximum allowable length of any extension;

(2) Number of consecutive work shift days allowed before rest is required;

(3) Minimum rest period required—

(i) Between each work shift, including the period of rest required immediately before the flight countdown work shift; and

(ii) After the maximum number of work shift days allowed; and

(4) Approval process for any deviation from the rest requirements.

(c) Application requirement. An applicant must submit rest rules that demonstrate compliance with the requirements of this section.

§ 450.153 - Radio frequency management.

(a) General. For any radio frequency used, an operator must—

(1) Ensure radio frequency interference does not adversely affect performance of any flight safety system or safety-critical system; and

(2) Coordinate use of radio frequencies with any site operator and any local and Federal authorities.

(b) Application requirements. An applicant must submit procedures or other means to demonstrate compliance with the radio frequency requirements of this section.

§ 450.155 - Readiness.

(a) General. An operator must document and implement procedures to assess readiness to proceed with the flight of a launch or reentry vehicle. These procedures must address, at a minimum, the following:

(1) Readiness of vehicle and launch, reentry, or landing site, including any contingency abort location;

(2) Readiness of safety-critical personnel, systems, software, procedures, equipment, property, and services; and

(3) Readiness to implement the mishap plan required by § 450.173.

(b) Application requirements. An applicant must—

(1) Demonstrate compliance with the requirements of paragraph (a) of this section through procedures that may include a readiness meeting close in time to flight; and

(2) Describe the criteria for establishing readiness to proceed with the flight of a launch or reentry vehicle so that public safety is maintained.

§ 450.157 - Communications.

(a) An operator must implement communication procedures during the countdown and flight of a launch or reentry vehicle that—

(1) Define the authority of personnel, by individual or position title, to issue “hold/resume,” “go/no go,” and abort commands;

(2) Assign communication networks so that personnel identified in paragraph (a)(1) of this section have direct access to real-time, safety-critical information required to issue “hold/resume,” “go/no go,” and any abort commands; and

(3) Implement a protocol for using defined radio telephone communications terminology.

(b) An operator must ensure the currency of the communication procedures, and that all personnel are working with the approved version of the communication procedures.

(c) An operator must record all safety-critical communications network channels that are used for voice, video, or data transmissions that support safety-critical systems during each countdown.

§ 450.159 - Pre-flight procedures.

(a) An operator must implement pre-flight procedures that—

(1) Verify that each flight commit criterion is satisfied before flight is initiated; and

(2) Ensure the operator can return the vehicle to a safe state after a countdown abort or delay.

(b) An operator must ensure the currency of the pre-flight procedures, and that all personnel are working with the approved version of the pre-flight procedures.

§ 450.161 - Control of hazard areas.

(a) General. The operator must publicize, survey, control, or evacuate each flight hazard area identified in accordance with § 450.133 prior to initiating flight of a launch vehicle or the reentry of a reentry vehicle to the extent necessary to ensure compliance with § 450.101.

(b) Verification. The launch or reentry operator must perform surveillance sufficient to verify or update the assumptions, input data, and results of the flight safety analyses.

(c) Publication. An operator must publicize warnings for each flight hazard area, except for regions of land, sea, or air under the control of the vehicle operator, site operator, or other controlling authority with which the operator has an agreement. If the operator relies on another entity to publicize these warnings, it must:

(1) Determine whether the warnings have been issued; and

(2) Notify the FAA if the warnings have not been issued so that the FAA can determine if the launch or reentry can be conducted in a manner that sufficiently protects the public. This notification must provide sufficient information to enable FAA to issue warnings to U.S. aircraft.

(d) Application requirements. An applicant must submit—

(1) A description of how the applicant will provide for day-of-flight surveillance and control of flight hazard areas, if necessary, to ensure that the presence of any member of the public in or near a flight hazard area is consistent with flight commit criteria developed for each launch or reentry as required by § 450.165(b);

(2) A description of how the applicant will provide for any publication of flight hazard areas necessary to meet the requirements of this section; and

(3) A description of how the applicant will establish flight commit criteria based on the results of its toxic release hazard analysis, toxic containment, or toxic risk assessment for any necessary evacuation of the public from any toxic hazard area.

§ 450.163 - Lightning hazard mitigation.

(a) Lightning hazard mitigation. An operator must—

(1) Establish flight commit criteria that mitigate the potential for a launch or reentry vehicle intercepting or initiating a direct lightning strike, or encountering a nearby discharge, using a means of compliance accepted by the Administrator; or

(2) Use a vehicle designed to protect safety-critical systems in the event of a direct lightning strike or nearby discharge.

(b) Application requirements. (1) An applicant electing to comply with paragraph (a)(1) of this section must submit flight commit criteria that mitigate the potential for a launch or reentry vehicle intercepting or initiating a direct lightning strike, or encountering a nearby lightning discharge.

(2) An applicant electing to comply with paragraph (a)(2) of this section must submit documentation providing evidence that the vehicle is designed to protect safety-critical systems against the effects of a direct lightning strike or nearby discharge.

§ 450.165 - Flight commit criteria.

(a) General. For each launch or reentry, an operator must establish and observe flight commit criteria that identify each condition necessary prior to flight to satisfy the requirements of § 450.101, and must include:

(1) Surveillance of any region of land, sea, or air in accordance with § 450.161;

(2) Monitoring of any meteorological condition necessary to—

(i) Be consistent with any safety analysis required by this part; and

(ii) If necessary in accordance with § 450.163, mitigate the potential for a launch or reentry vehicle intercepting a lightning strike, or encountering a nearby discharge;

(3) Implementation of any launch or reentry window closure in the launch or reentry window for the purpose of collision avoidance in accordance with § 450.169;

(4) Confirmation that any safety-critical system is ready for flight;

(5) Confirmation from the FAA that the risk to critical assets satisfies the requirements of § 450.101(a)(4) or (b)(4);

(6) For any reentry vehicle, except a suborbital vehicle, monitoring by the operator or an onboard system that the status of safety-critical systems is healthy before enabling reentry flight, to assure the vehicle can reenter safely to Earth; and

(7) Any other hazard controls derived from any safety analysis required by this part.

(b) Application requirements. An applicant must submit a list of all flight commit criteria.

§ 450.167 - Tracking.

(a) General. During the flight of a launch or reentry vehicle, an operator must measure and record in real time the position and velocity of the vehicle. The system used to track the vehicle must provide data to predict the expected impact locations of all stages and components, and to obtain vehicle performance data for comparison with the pre-flight performance predictions.

(b) Application requirements. An applicant must identify and describe each method or system used to meet the tracking requirements of paragraph (a) of this section.

§ 450.169 - Launch and reentry collision avoidance analysis requirements.

(a) Criteria. Except as provided in paragraph (d) of this section, for an orbital or suborbital launch or reentry, an operator must establish window closures needed to ensure that the launch or reentry vehicle, any jettisoned components, or payloads meet the following requirements with respect to orbiting objects, not including any object being launched or reentered.

(1) For inhabitable objects, one of three criteria below must be met:

(i) The probability of collision between the launching or reentering objects and any inhabitable object must not exceed 1 × 10 6;

(ii) The launching or reentering objects must maintain an ellipsoidal separation distance of 200 km in-track and 50 km cross-track and radially from the inhabitable object; or

(iii) The launching or reentering objects must maintain a spherical separation distance of 200 km from the inhabitable object.

(2) For objects that are neither orbital debris nor inhabitable, one of the two criteria below must be met:

(i) The probability of collision between the launching or reentering objects and any object must not exceed 1 × 10 5; or

(ii) The launching or reentering objects must maintain a spherical separation distance of 25 km from the object.

(3) For all other known orbital debris identified by the FAA or other Federal Government entity as large objects with radar cross section greater than 1 m 2 and medium objects with radar cross section 0.1 m 2 to 1 m 2:

(i) The probability of collision between the launching or reentering objects and any known orbital debris must not exceed 1 × 10 5; or

(ii) The launching or reentering objects must maintain a spherical separation distance of 2.5 km.

(b) Screening time. A launch or reentry operator must ensure the requirements of paragraph (a) of this section are met as follows:

(1) Through the entire segment of flight of a suborbital launch vehicle above 150 km;

(2) For an orbital launch, during ascent from a minimum of 150 km to initial orbital insertion and for a minimum of 3 hours from liftoff;

(3) For reentry, during descent from initial reentry burn to 150 km altitude; and

(4) For disposal, during descent from initial disposal burn to 150 km altitude.

(c) Rendezvous. Planned rendezvous operations that occur within the screening time frame are not considered a violation of collision avoidance if the involved operators have pre-coordinated the rendezvous or close approach.

(d) Exception. A launch collision avoidance analysis is not required for any launched object if the maximum planned altitude by that object is less than 150 km.

(e) Analysis. Collision avoidance analysis must be obtained for each launch or reentry from a Federal entity identified by the FAA, or another entity agreed to by the Administrator.

(1) An operator must use the results of the collision avoidance analysis to establish flight commit criteria for collision avoidance; and

(2) The collision avoidance analysis must account for uncertainties associated with launch or reentry vehicle performance and timing, and ensure that each window closure incorporates all additional time periods associated with such uncertainties.

(f) Timing and information required. An operator must prepare a collision avoidance analysis worksheet for each launch or reentry using a standardized format that contains the input data required by appendix A to this part, as follows:

(1) Except as specified in paragraphs (f)(1)(i) and (ii) of this section, an operator must file the input data with an entity identified in paragraph (e) of this section and the FAA at least 7 days before the first attempt at the flight of a launch vehicle or the reentry of a reentry vehicle.

(i) Operators that have never received a launch or reentry conjunction assessment from the entity identified in paragraph (e) of this section, must file the input data at least 15 days in advance.

(ii) The Administrator may agree to an alternative time frame in accordance with § 404.15;

(2) An operator must obtain a collision avoidance analysis performed by an entity identified in paragraph (e) of this section, no later than 3 hours before the beginning of a launch or reentry window; and

(3) If an operator needs an updated collision avoidance analysis due to a launch or reentry delay, the operator must file the request with the entity identified in paragraph (e) of this section and the FAA at least 12 hours prior to the beginning of the new launch or reentry window.

§ 450.171 - Safety at end of launch.

(a) Orbital debris mitigation. An operator must ensure for any proposed launch that for all vehicle stages or components that reach Earth orbit—

(1) There is no unplanned physical contact between the vehicle or any of its components and the payload after payload separation;

(2) Debris generation does not result from the conversion of energy sources into energy that fragments the vehicle or its components. Energy sources include chemical, pressure, and kinetic energy; and

(3) For all vehicle stages or components that are left in orbit, stored energy is removed by depleting residual fuel and leaving all fuel line valves open, venting any pressurized system, leaving all batteries in a permanent discharge state, and removing any remaining source of stored energy.

(b) Application requirement. An applicant must demonstrate compliance with the requirements in paragraph (a) of this section.

§ 450.173 - Mishap plan—reporting, response, and investigation requirements.

(a) General. An operator must report, respond to, and investigate mishaps, as defined in § 401.7 of this chapter, in accordance with paragraphs (b) through (g) of this section using a plan or other written means.

(b) Responsibilities. An operator must document—

(1) Responsibilities for personnel assigned to implement the requirements of this section;

(2) Reporting responsibilities for personnel assigned to conduct investigations and for anyone retained by the operator to conduct or participate in investigations; and

(3) Allocation of roles and responsibilities between the launch operator and any site operator for reporting, responding to, and investigating any mishap during ground activities at the site.

(c) Mishap reporting requirements. An operator must—

(1) Immediately notify the FAA Washington Operations Center in case of a mishap that involves a fatality or serious injury (as defined in 49 CFR 830.2);

(2) Notify within 24 hours the FAA Washington Operations Center in the case of a mishap that does not involve a fatality or serious injury (as defined in 49 CFR 830.2); and

(3) Submit a written preliminary report to the FAA Office of Commercial Space Transportation within five days of any mishap. The preliminary report must include the following information, as applicable:

(i) Date and time of the mishap;

(ii) Description of the mishap and sequence of events leading to the mishap, to the extent known;

(iii) Intended and actual location of the launch or reentry or other landing on Earth;

(iv) Hazardous debris impact points, including those outside a planned landing site or designated hazard area;

(v) Identification of the vehicle;

(vi) Identification of any payload;

(vii) Number and general description of any fatalities or injuries;

(viii) Description and estimated costs of any property damage;

(ix) Identification of hazardous materials, as defined in § 401.7 of this chapter, involved in the event, whether on the vehicle, any payload, or on the ground;

(x) Action taken by any person to contain the consequences of the event;

(xi) Weather conditions at the time of the event; and

(xii) Potential consequences for other similar vehicles, systems, or operations.

(d) Emergency response requirements. An operator must—

(1) Activate emergency response services to protect the public and property following a mishap as necessary including, but not limited to:

(i) Evacuating and rescuing members of the public, taking into account debris dispersion and toxic plumes; and

(ii) Extinguishing fires;

(2) Maintain existing hazard area surveillance and clearance as necessary to protect public safety;

(3) Contain and minimize the consequences of a mishap, including:

(i) Securing impact areas to ensure that no members of the public enter;

(ii) Safely disposing of hazardous materials; and

(iii) Controlling hazards at the site or impact areas.

(4) Preserve data and physical evidence; and

(5) Implement agreements with government authorities and emergency response services, as necessary, to satisfy the requirements of this section.

(e) Mishap investigation requirements. In the event of a mishap, an operator must—

(1) Investigate the root causes of the mishap; and

(2) Report investigation results to the FAA.

(f) Preventative measures. An operator must identify and implement preventive measures for avoiding recurrence of the mishap prior to the next flight, unless otherwise approved by the Administrator.

(g) Mishap records. An operator must maintain records associated with the mishap in accordance with § 450.219(b).

(h) Application requirements. An applicant must submit the plan or other written means required by this section.

§ 450.175 - Test-induced damage.

(a) Applicability. This section applies to license applicants or operators seeking an optional test-induced damage exception.

(b) Coordination of potential test-induced damage. Test-induced damage is not a mishap if all of the following are true:

(1) A license applicant or operator coordinates potential test-induced damage with the FAA before the planned activity, and with sufficient time for the FAA to evaluate the operator's proposal during the application process or as a license modification;

(2) The test-induced damage did not result in any of the following:

(i) Serious injury or fatality (as defined in 49 CFR 830.2);

(ii) Damage to property not associated with the licensed activity; or

(iii) Hazardous debris leaving the pre-defined hazard area; and

(3) The test-induced damage falls within the scope of activities coordinated with the FAA in paragraph (b)(1) of this section.

(c) Application requirements. An applicant must submit the following information—

(1) Test objectives;

(2) Test limits;

(3) Expected outcomes;

(4) Potential risks, including the applicant's best understanding of the uncertainties in environments, test limits, or system performance;

(5) Applicable procedures;

(6) Expected time and duration of the test; and

(7) Additional information as required by the FAA to ensure protection of public health and safety, safety of property, and the national security and foreign policy interests of the United States.

§ 450.177 - Unique safety policies, requirements, and practices.

(a) Unique hazards. An operator must review operations, system designs, analysis, and testing, and identify any unique hazards not otherwise addressed by this part. An operator must implement any unique safety policy, requirement, or practice needed to protect the public from the unique hazard.

(b) Unique requirements. The FAA may identify and impose a unique policy, requirement, or practice as needed to protect the public health and safety.

(c) Application requirements. An applicant must—

(1) Identify any unique safety policy, requirement, or practice necessary in accordance with paragraph (a) of this section, and demonstrate that each unique safety policy, requirement, or practice protects public health and safety.

(2) Demonstrate compliance with each unique safety policy, requirement, or practice imposed by the FAA in accordance with paragraph (b) of this section.

Ground Safety
§ 450.179 - Ground safety—general.

(a) At a U.S. launch or reentry site, an operator must protect the public and property from adverse effects of hazardous operations and systems associated with—

(1) Preparing a launch vehicle for flight;

(2) Returning a launch or reentry vehicle to a safe condition after landing, or after an aborted launch attempt; and

(3) Returning a site to a safe condition.

(b) An operator is not required to comply with §§ 450.181 through 450.189 of this part if:

(1) The launch or reentry is being conducted from a Federal launch or reentry site;

(2) The operator has a written agreement with the Federal launch or reentry site for the provision of ground safety services and oversight; and

(3) The Administrator has determined that the Federal launch or reentry site's ground safety processes, requirements, and oversight are not inconsistent with the Secretary's statutory authority over commercial space activities.

(c) In making the determination required by paragraph (b)(3) of this section, the Administrator will consider the nature and frequency of launch and reentry activities conducted from the Federal launch or reentry site, coordination between the FAA and the Federal launch or reentry site safety personnel, and the Administrator's knowledge of the Federal launch or reentry site's requirements.

§ 450.181 - Coordination with a site operator.

(a) General. For a launch or reentry conducted from or to a Federal launch or reentry site or a site licensed under part 420 or 433 of this chapter, an operator must coordinate with the site operator to—

(1) Ensure public access is controlled where and when necessary to protect public safety;

(2) Ensure launch or reentry operations are coordinated with other launch and reentry operators and other affected parties to prevent unsafe interference;

(3) Designate any ground hazard area that affects the operations of a launch or reentry site; and

(4) Ensure a prompt and effective response is undertaken in the event of a mishap that could impact the safety of the public and property.

(b) Licensed site operator. For a launch or reentry conducted from or to a site licensed under part 420 or 433 of this chapter, an operator must also coordinate with the site operator to establish roles and responsibilities for reporting, responding to, and investigating any mishap during ground activities at the site.

(c) Application requirement. An applicant must describe how it is coordinating with a Federal or licensed launch or reentry site operator in compliance with this section.

§ 450.183 - Explosive site plan.

(a) Explosive siting requirements. For a launch or reentry conducted from or to a site exclusive to its own use, an operator must comply with the explosive siting requirements of §§ 420.63, 420.65, 420.66, 420.67, 420.69, and 420.70 of this chapter.

(b) Application requirement. An applicant must submit an explosive site plan in accordance with paragraph (a) of this section.

§ 450.185 -

An operator must perform and document a ground hazard analysis, and continue to maintain it throughout the lifecycle of the launch or reentry system. The analysis must—

(a) Hazard identification. Identify system and operation hazards posed by the vehicle and ground hardware, including site and ground support equipment. Hazards identified must include the following:

(1) System hazards, including:

(i) Vehicle over-pressurization;

(ii) Sudden energy release, including ordnance actuation;

(iii) Ionizing and non-ionizing radiation;

(iv) Fire or deflagration;

(v) Radioactive materials;

(vi) Toxic release;

(vii) Cryogens;

(viii) Electrical discharge; and

(ix) Structural failure.

(2) Operation hazards, including:

(i) Propellant handling and loading;

(ii) Transporting of vehicle or vehicle components;

(iii) Vehicle testing; and

(iv) Vehicle or system activation.

(b) Hazard assessment. Assess each hazard's likelihood and severity.

(c) Risk acceptability criteria. Ensure that the risk associated with each hazard meets the following criteria:

(1) The likelihood of any hazardous condition that may cause death or serious injury to the public must be extremely remote; and

(2) The likelihood of any hazardous condition that may cause major damage to property not associated with the launch or reentry must be remote.

(d) Risk mitigation. Identify and describe the risk elimination and mitigation measures required to satisfy paragraph (c) of this section.

(e) Validation and verification. Document that the risk elimination and mitigation measures achieve the risk levels of paragraph (c) of this section through validation and verification. Verification includes:

(1) Analysis;

(2) Test;

(3) Demonstration; or

(4) Inspection.

(f) Application requirements. An applicant must submit—

(1) A description of the methodology used to perform the ground hazard analysis;

(2) A list of all systems and operations that may cause a hazard involving the vehicle or any payload; and

(3) The ground hazard analysis products of paragraphs (a) through (e) of this section, including data that verifies the risk elimination and mitigation measures.

§ 450.187 - Toxic hazards mitigation for ground operations.

(a) Applicability. (1) Except as specified in paragraph (a)(2), this section applies to any launch or reentry vehicle, including all vehicle components and payloads, that use toxic propellants or other toxic chemicals.

(2) No toxic release hazard analysis is required for kerosene-based fuels, unless the Administrator determines that an analysis is required to protect public safety.

(b) General. An operator must—

(1) Conduct a toxic release hazard analysis in accordance with paragraph (c) of this section;

(2) Manage the risk of casualties that could arise from the exposure to toxic release through one of the following means:

(i) Contain hazards caused by toxic release in accordance with paragraph (d) of this section; or

(ii) Perform a toxic risk assessment, in accordance with paragraph (e) of this section, that demonstrates compliance with the risk criteria of § 450.185(c).

(3) Establish ground hazard controls based on the results of its toxic release hazard analysis and toxic containment or toxic risk assessment for any necessary evacuation of the public from any toxic hazard area.

(c) Toxic release hazard analysis. A toxic release hazard analysis must—

(1) Account for any toxic release that could occur during nominal or non-nominal launch or reentry ground operations;

(2) Include a worst-case release scenario analysis or a maximum-credible release scenario analysis for each process that involves a toxic propellant or other chemical;

(3) Determine if toxic release can occur based on an evaluation of the chemical compositions and quantities of propellants, other chemicals, vehicle materials, and projected combustion products, and the possible toxic release scenarios;

(4) Account for both normal combustion products and any unreacted propellants and phase change or chemical derivatives of released substances; and

(5) Account for any operational constraints and emergency procedures that provide protection from toxic release.

(d) Toxic containment. An operator using toxic containment must manage the risk of casualty from the exposure to toxic release either by—

(1) Evacuating, or being prepared to evacuate, the public from any toxic hazard area in the event of a worst-case release or maximum credible release scenario; or

(2) Employing meteorological constraints to limit a ground operation to times during which prevailing winds and other conditions ensure that the public would not be exposed to toxic concentrations and durations greater than accepted toxic thresholds for acute casualty in the event of a worst-case release or maximum credible release scenario.

(e) Toxic risk assessment. An operator using toxic risk assessment must manage the risk from any toxic release hazard and demonstrate compliance with the criteria in § 450.185(c). A toxic risk assessment must—

(1) Account for airborne concentration and duration thresholds of toxic propellants or other chemicals. For any toxic propellant, other chemicals, or combustion product, an operator must use airborne toxic concentration and duration thresholds identified in a means of compliance accepted by the Administrator;

(2) Account for physical phenomena expected to influence any toxic concentration and duration in the area surrounding the potential release site;

(3) Determine a toxic hazard area for each process surrounding the potential release site for each toxic propellant or other chemical based on the amount and toxicity of the propellant or other chemical, the exposure duration, and the meteorological conditions involved;

(4) Account for all members of the public that may be exposed to the toxic release; and

(5) Account for any risk mitigation measures applied in the risk assessment.

(f) Application requirements. An applicant must submit:

(1) The identity of the toxic propellant, chemical, or combustion products or derivatives in the possible toxic release;

(2) The applicant's selected airborne toxic concentration and duration thresholds;

(3) The meteorological conditions for the atmospheric transport and buoyant cloud rise of any toxic release from its source to downwind receptor locations;

(4) Characterization of the terrain, as input for modeling the atmospheric transport of a toxic release from its source to downwind receptor locations;

(5) The identity of the toxic dispersion model used, and any other input data;

(6) Representative results of an applicant's toxic dispersion modeling to predict concentrations and durations at selected downwind receptor locations, to determine the toxic hazard area for a released quantity of the toxic substance;

(7) For toxic release hazard analysis in accordance with paragraph (c) of this section:

(i) A description of the failure modes and associated relative probabilities for potential toxic release scenarios used in the risk evaluation; and

(ii) The methodology and representative results of an applicant's determination of the worst-case or maximum-credible quantity of any toxic release that might occur during ground operations;

(8) For toxic containment in accordance with paragraph (d) of this section, identify the evacuation plans or meteorological constraints and associated ground hazard controls needed to ensure that the public will not be within any toxic hazard area in the event of a worst-case release or maximum credible release scenario.

(9) For toxic risk assessment in accordance with paragraph (e) of this section:

(i) A demonstration that the risk criteria in § 450.185(c) will be met;

(ii) The population characteristics in receptor locations that are identified by toxic dispersion modeling as toxic hazard areas;

(iii) A description of any risk mitigation measures applied in the toxic risk assessment; and

(iv) A description of the population exposure input data used in accordance with § 450.123.

§ 450.189 - Ground safety prescribed hazard controls.

(a) General. In addition to the hazard controls derived from an operator's ground hazard analysis and toxic hazard analysis, an operator must comply with paragraphs (b) through (e) of this section.

(b) Protection of public on the site. An operator must document a process for protecting members of the public who enter any area under the control of a launch or reentry operator, including:

(1) Procedures for identifying and tracking the public while on the site; and

(2) Methods the operator uses to protect the public from hazards in accordance with the ground hazard analysis and toxic hazard analysis.

(c) Countdown abort. Following a countdown abort or recycle operation, an operator must establish, maintain, and perform procedures for controlling hazards related to the vehicle and returning the vehicle, stages, or other flight hardware and site facilities to a safe condition. When a launch vehicle does not liftoff after a command to initiate flight was sent, an operator must—

(1) Ensure that the vehicle and any payload are in a safe configuration;

(2) Prohibit entry of the public into any identified hazard areas until the site is returned to a safe condition; and

(3) Maintain and verify that any flight safety system remains operational until verification that the launch vehicle does not represent a risk of inadvertent flight.

(d) Fire suppression. An operator must have reasonable precautions in place to report and control any fire caused by licensed activities.

(e) Emergency procedures. An operator must have general emergency procedures that apply to any emergencies not covered by the mishap plan of § 450.173 that may create a hazard to the public.

(f) Application requirement. An applicant must submit the process for protecting members of the public who enter any area under the control of a launch or reentry operator in accordance with paragraph (b) of this section.

source: Docket No. FAA-2019-0229, Amdt. 450-2, 85 FR 79719, Dec. 10, 202085 FR 79739, Dec. 10, 2020, unless otherwise noted.
cite as: 14 CFR 450.175