(a) This subpart contains requirements for performing the flight safety analysis required by § 417.107(f).

(b) The flight safety analysis requirements of this subpart apply to the flight of any launch vehicle that must use a flight safety system as required by § 417.107(a), except as permitted by paragraph (d) of this section.

(c) The flight safety analysis requirements of §§ 417.203, 417.205, 417.207, 417.211, 417.223, 417.224, 417.225, 417.227, 417.229, 417.231, and 417.233 apply to the flight of any unguided suborbital launch vehicle that uses a wind-weighting safety system. Appendices B, C, and I of this part also apply.

(d) For any alternative flight safety system approved by the FAA under § 417.301(b), the FAA will determine during the licensing process which of the analyses required by this subpart apply.

(a) General. A launch operator's flight safety analysis must satisfy the performance requirements of this subpart. The flight safety analysis must also meet the requirements for methods of analysis contained in appendices A and B of this part for a launch vehicle flown with a flight safety system and appendices B and C of this part for an unguided suborbital launch vehicle that uses a wind-weighting safety system except as otherwise permitted by this section. A flight safety analysis for a launch may rely on an earlier analysis from an identical or similar launch if the analysis still applies to the later launch.

(b) Method of analysis. (1) For each launch, a launch operator's flight safety analysis must use—

(i) A method approved by the FAA during the licensing process;

(ii) A method approved as a license modification by the FAA; or,

(iii) If the launch takes place from a Federal launch range, a method approved as part of the FAA's launch site safety assessment of the Federal range's processes.

(2) Appendix A of this part contains requirements that apply to all methods of flight safety analysis. A licensee must notify the FAA for any change to the flight safety analysis method. A licensee must file any material change with the FAA as a request for license modification before the launch to which the proposed change would apply. Section 417.11 contains requirements governing a license modification.

(c) Alternate analysis method. The FAA will approve an alternate flight safety analysis method if a launch operator demonstrates, in accordance with § 406.3(b), that its proposed analysis method provides an equivalent level of fidelity to that required by this subpart. A launch operator must demonstrate that an alternate flight safety analysis method is based on accurate data and scientific principles and is statistically valid. The FAA will not find a launch operator's application for a license or license modification sufficiently complete to begin review under § 413.11 of this chapter until the FAA approves the alternate flight safety analysis method.

(d) Analyses performed by a Federal launch range. This provision applies to all sections of this subpart. The FAA will accept a flight safety analysis used by a Federal launch range without need for further demonstration of compliance to the FAA, if:

(1) A launch operator has contracted with a Federal launch range for the provision of flight safety analysis; and

(2) The FAA has assessed the Federal launch range, through its launch site safety assessment, and found that the range's analysis methods satisfy the requirements of this subpart. In this case, the FAA will treat the Federal launch range's analysis as that of a launch operator.

(e) Analysis products. For a licensed launch that does not satisfy paragraph (d) of this section, a launch operator must demonstrate to the FAA compliance with the requirements of this subpart, and must include in its demonstration the analysis products required by part 415 subpart F of this chapter, part 417 subpart A, and appendices A, B, C, and I of this part, depending on whether the launch vehicle uses a flight safety system or a wind-weighting safety system.

(a) Public risk management. A flight safety analysis must demonstrate that a launch operator will, for each launch, control the risk to the public from hazards associated with normal and malfunctioning launch vehicle flight. The analysis must employ risk assessment, hazard isolation, or a combination of risk assessment and partial isolation of the hazards, to demonstrate control of the risk to the public.

(1) Risk assessment. When demonstrating control of risk through risk assessment, the analysis must demonstrate that any risk to the public satisfies the public risk criteria of § 417.107(b). The analysis must account for the variability associated with:

(i) Each source of a hazard during flight;

(ii) Normal flight and each failure response mode of the launch vehicle;

(iii) Each external and launch vehicle flight environment;

(iv) Populations potentially exposed to the flight; and

(v) The performance of any flight safety system, including time delays associated with the system.

(2) Hazard isolation. When demonstrating control of risk through hazard isolation, the analysis must establish the geographical areas from which the public must be excluded during flight and any operational controls needed to isolate all hazards from the public.

(3) Combination of risk assessment and partial isolation of hazards. When demonstrating control of risk through a combination of risk assessment and partial isolation of the hazards from the public, the analysis must demonstrate that the residual public risk due to any hazard not isolated from the public under paragraph (a)(2) of this section satisfies the public risk criteria of § 417.107(b).

(b) Dependent analyses. Because some analyses required by this subpart are inherently dependent on one another, the data output of any one analysis must be compatible in form and content with the data input requirements of any other analysis that depends on that output. Figure 417.205-1 illustrates the flight safety analyses that might be performed for a launch flown with a flight safety system and the typical dependencies that might exist among the analyses.

(a) General. A flight safety analysis must include a trajectory analysis that establishes:

(1) For any time after lift-off, the limits of a launch vehicle's normal flight, as defined by the nominal trajectory and potential three-sigma trajectory dispersions about the nominal trajectory.

(2) A fuel exhaustion trajectory that produces instantaneous impact points with the greatest range for any given time after liftoff for any stage that has the potential to impact the Earth and does not burn to propellant depletion before a programmed thrust termination.

(3) For launch vehicles flown with a flight safety system, a straight-up trajectory for any time after lift-off until the straight-up time that would result if the launch vehicle malfunctioned and flew in a vertical or near vertical direction above the launch point.

(b) Trajectory model. A final trajectory analysis must use a six-degree of freedom trajectory model to satisfy the requirements of paragraph (a) of this section.

(c) Wind effects. A trajectory analysis must account for all wind effects, including profiles of winds that are no less severe than the worst wind conditions under which flight might be attempted, and must account for uncertainty in the wind conditions.

(a) General. A flight safety analysis must include a malfunction turn analysis that establishes the launch vehicle's turning capability in the event of a malfunction during flight. A malfunction turn analysis must account for each cause of a malfunction turn, such as thrust vector offsets or nozzle burn-through. For each cause of a malfunction turn, the analysis must establish the launch vehicle's turning capability using a set of turn curves. The analysis must account for:

(1) All trajectory times during the thrusting phases of flight.

(2) When a malfunction begins to cause each turn throughout the thrusting phases of flight. The analysis must account for trajectory time intervals between malfunction turn start times that are sufficient to establish flight safety limits and hazard areas that are smooth and continuous.

(3) The relative probability of occurrence of each malfunction turn of which the launch vehicle is capable.

(4) The time, as a single value or a probability time distribution, when each malfunction turn will terminate due to vehicle breakup.

(5) What terminates each malfunction turn, such as, aerodynamic breakup or inertial breakup.

(6) The launch vehicle's turning behavior from the time when a malfunction begins to cause a turn until aerodynamic breakup, inertial breakup, or ground impact. The analysis must account for trajectory time intervals during the malfunction turn that are sufficient to establish turn curves that are smooth and continuous.

(7) For each malfunction turn, the launch vehicle velocity vector turn angle from the nominal launch vehicle velocity vector.

(8) For each malfunction turn, the launch vehicle velocity turn magnitude from the nominal velocity magnitude that corresponds to the velocity vector turn angle.

(9) For each malfunction turn, the orientation of the launch vehicle longitudinal axis measured relative to the nominal launch vehicle longitudinal axis or Earth relative velocity vector at the start of the turn.

(b) Set of turn curves for each malfunction turn cause. For each cause of a malfunction turn, the analysis must establish a set of turn curves that satisfies paragraph (a) of this section and must establish the associated envelope of the set of turn curves. Each set of turn curves must describe the variation in the malfunction turn characteristics for each cause of a turn. The envelope of each set of curves must define the limits of the launch vehicle's malfunction turn behavior for each cause of a malfunction turn. For each malfunction turn envelope, the analysis must establish the launch vehicle velocity vector turn angle from the nominal launch vehicle velocity vector. For each malfunction turn envelope, the analysis must establish the vehicle velocity turn magnitude from the nominal velocity magnitude that corresponds to the velocity vector turn angle envelope.

(a) General. A flight safety analysis must include a debris analysis. For an orbital or suborbital launch, a debris analysis must identify the inert, explosive, and other hazardous launch vehicle debris that results from normal and malfunctioning launch vehicle flight.

(b) Launch vehicle breakup. A debris analysis must account for each cause of launch vehicle breakup, including at a minimum:

(1) Any flight termination system activation;

(2) Launch vehicle explosion;

(3) Aerodynamic loads;

(4) Inertial loads;

(5) Atmospheric reentry heating; and

(6) Impact of intact vehicle.

(c) Debris fragment lists. A debris analysis must produce lists of debris fragments for each cause of breakup and any planned jettison of debris, launch vehicle components, or payload. The lists must account for all launch vehicle debris fragments, individually or in groupings of fragments whose characteristics are similar enough to be described by a single set of characteristics. The debris lists must describe the physical, aerodynamic, and harmful characteristics of each debris fragment, including at a minimum:

(1) Origin on the vehicle, by vehicle stage or component, from which each fragment originated;

(2) Whether it is inert or explosive;

(3) Weight, dimensions, and shape;

(4) Lift and drag characteristics;

(5) Properties of the incremental velocity distribution imparted by breakup; and

(6) Axial, transverse, and tumbling area.

(a) General. A flight safety analysis must identify the location of populated or other protected areas, and establish flight safety limits that define when a flight safety system must terminate a launch vehicle's flight to prevent the hazardous effects of the resulting debris impacts from reaching any populated or other protected area and ensure that the launch satisfies the public risk criteria of § 417.107(b).

(b) Flight safety limits. The analysis must establish flight safety limits for use in establishing flight termination rules. Section 417.113(c) contains requirements for flight termination rules. The flight safety limits must account for all temporal and geometric extents on the Earth's surface of a launch vehicle's hazardous debris impact dispersion resulting from any planned or unplanned event for all times during flight. Flight safety limits must account for all potential contributions to the debris impact dispersions, including at a minimum:

(1) All time delays, as established by the time delay analysis of § 417.221;

(2) Residual thrust remaining after flight termination implementation or vehicle breakup due to aerodynamic and inertial loads;

(3) All wind effects;

(4) Velocity imparted to vehicle fragments by breakup;

(5) All lift and drag forces on the malfunctioning vehicle and falling debris;

(6) All launch vehicle guidance and performance errors;

(7) All launch vehicle malfunction turn capabilities; and

(8) Any uncertainty due to map errors and launch vehicle tracking errors.

(c) Gates. If a launch involves flight over any populated or other protected area, the flight safety analysis must establish a gate as required by §§ 417.217 and 417.218.

(d) Designated debris impact limits. The analysis must establish designated impact limit lines to bound the area where debris with a ballistic coefficient of three or more is allowed to impact if the flight safety system functions properly.

A flight safety analysis must establish the straight-up time for a launch for use as a flight termination rule. Section 417.113(c) contains requirements for flight termination rules. The analysis must establish the straight-up time as the latest time after liftoff, assuming a launch vehicle malfunctioned and flew in a vertical or near vertical direction above the launch point, at which activation of the launch vehicle's flight termination system or breakup of the launch vehicle would not cause hazardous debris or critical overpressure to affect any populated or other protected area.

For a launch that involves flight over a populated or other protected area, the flight safety analysis must include an overflight gate analysis. The analysis must establish the portion of a flight safety limit, a gate, through which a normally performing launch vehicle's tracking icon will be allowed to proceed. A tracking icon must enable the flight safety crew to determine whether the launch vehicle's flight is in compliance with the flight safety rules established under § 417.113. When establishing that portion of a flight safety limit, the analysis must demonstrate that the launch vehicle flight satisfies the flight safety requirements of § 417.107.

(a) For a launch that involves overflight or near overflight of a populated or otherwise protected area prior to the planned safe flight state calculated as required by § 417.219, the flight safety analysis must construct a hold-and-resume gate for each populated or otherwise protected area. After a vehicle's tracking icon crosses a hold-and-resume gate, flight termination must occur as required by sections 417.113(d)(6).

(b) The hold-and-resume gate analysis must account for:

(1) Overflight of a wholly contained populated or otherwise protected area. A hold-and-resume gate must be a closed, continuous contour that encompasses any populated or otherwise protected area located wholly within the impact limit lines. The hold-and-resume gate must encompass a populated or otherwise protected area such that flight termination or breakup of the launch vehicle while the tracking icon is outside the gate would not cause hazardous debris or overpressure to endanger the populated or otherwise protected area.

(2) Overflight of an uncontained populated or otherwise protected area. A hold-and-resume gate must be a closed, continuous contour that encompasses any area in which flight termination is allowed to occur. The hold-and-resume gate must encompass all hazard areas such that flight termination or breakup of the launch vehicle while the vehicle's tracking icon is inside the gate would not cause hazardous debris or critical overpressure to endanger any populated or otherwise protected area.

(a) General. For each launch, a flight safety analysis must establish data loss flight times, as identified by paragraph (b) of this section, and a planned safe flight state to establish each flight termination rule that applies when launch vehicle tracking data is not available for use by the flight safety crew. Section 417.113(d) contains requirements for flight termination rules.

(b) Data loss flight times. A flight safety analysis must establish the shortest elapsed thrusting time during which a launch vehicle can move from normal flight to a condition where the launch vehicle's hazardous debris impact dispersion extends to any protected area as a data loss flight time. The analysis must establish a data loss flight time for all times along the nominal trajectory from liftoff through that point during nominal flight when the minimum elapsed thrusting time is no greater than the time it would take for a normal vehicle to reach the overflight gate, or the planned safe flight state established under paragraph (c) of this section, whichever occurs earlier.

(c) Planned safe flight state. For a launch vehicle that performs normally during all portions of flight, the planned safe flight state is the point during the nominal flight of a launch vehicle where:

(1) No launch vehicle component, debris, or hazard can impact or affect a populated or otherwise protected area for the remainder of the launch;

(2) The launch vehicle achieves orbital insertion; or

(3) The launch vehicle's state vector reaches a state where the absence of a flight safety system would not significantly increase the accumulated risk from debris impacts and maintains positive flight safety system control to the maximum extent feasible.

(a) General. A flight safety analysis must include a time delay analysis that establishes the mean elapsed time between the violation of a flight termination rule and the time when the flight safety system is capable of terminating flight for use in establishing flight safety limits as required by § 417.213.

(b) Analysis constraints. A time delay analyses must determine a time delay distribution that accounts for the following:

(1) The variance of all time delays for each potential failure scenario, including but not limited to, the range of malfunction turn characteristics and the time of flight when the malfunction occurs;

(2) A flight safety official's decision and reaction time, including variation in human response time; and

(3) Flight termination hardware and software delays including all delays inherent in:

(i) Tracking systems;

(ii) Data processing systems, including all filter delays;

(iii) Display systems;

(iv) Command control systems; and

(v) Flight termination systems.

(a) General. A flight safety analysis must include a flight hazard area analysis that identifies any regions of land, sea, or air that must be surveyed, publicized, controlled, or evacuated in order to control the risk to the public from debris impact hazards. The risk management requirements of § 417.205(a) apply. The analysis must account for, at a minimum:

(1) All trajectory times from liftoff to the planned safe flight state of § 417.219(c), including each planned impact, for an orbital launch, and through final impact for a suborbital launch;

(2) Regions of land potentially exposed to debris resulting from normal flight events and events resulting from any potential malfunction;

(3) Regions of sea and air potentially exposed to debris from normal flight events, including planned impacts;

(4) In the vicinity of the launch site, any waterborne vessels, populated offshore structures, or aircraft exposed to debris from events resulting from any potential abnormal flight events, including launch vehicle malfunction;

(5) Any operational controls implemented to control risk to the public from debris hazards;

(6) Debris identified by the debris analysis of § 417.211; and

(7) All launch vehicle trajectory dispersion effects in the surface impact domain.

(b) Public notices. A flight hazard areas analysis must establish the ship hazard areas for notices to mariners that encompass the three-sigma impact dispersion area for each planned debris impact. A flight hazard areas analysis must establish the aircraft hazard areas for notices to airmen that encompass the 3-sigma impact dispersion volume for each planned debris impact. Section 417.121(e) contains procedural requirements for issuing notices to mariners and airmen.

(a) General. All flight safety analyses for a launch, regardless of hazard or phase of flight, must account for launch vehicle failure probability in a consistent manner. A launch vehicle failure probability estimate must use accurate data, scientific principles, and a method that is statistically or probabilistically valid. For a launch vehicle with fewer than two flights, the failure probability estimate must account for the outcome of all previous launches of vehicles developed and launched in similar circumstances. For a launch vehicle with two or more flights, launch vehicle failure probability estimates must account for the outcomes of all previous flights of the vehicle in a statistically valid manner.

(b) Failure. For flight safety analysis purposes, a failure occurs when a launch vehicle does not complete any phase of normal flight or when any anomalous condition exhibits the potential for a stage or its debris to impact the Earth or reenter the atmosphere during the mission or any future mission of similar launch vehicle capability. Also, either a launch incident or launch accident constitutes a failure.

(c) Previous flight. For flight analysis purposes, flight begins at a time in which a launch vehicle normally or inadvertently lifts off from a launch platform. Lift-off occurs with any motion of the launch vehicle with respect to the launch platform.

A flight safety analysis must demonstrate that the risk to the public potentially exposed to inert and explosive debris hazards from any one flight of a launch vehicle satisfies the public risk criterion of § 417.107(b) for debris. A debris risk analysis must account for risk to populations on land, including regions of launch vehicle flight following passage through any gate in a flight safety limit established as required by § 417.217. A debris risk analysis must account for any potential casualties to the public as required by the debris thresholds and requirements of § 417.107(c).

A flight safety analysis must establish flight commit criteria that protect the public from any hazard associated with toxic release and demonstrate compliance with the public risk criterion of § 417.107(b). The analysis must account for any toxic release that will occur during the proposed flight of a launch vehicle or that would occur in the event of a flight mishap. The analysis must account for any operational constraints and emergency procedures that provide protection from toxic release. The analysis must account for all members of the public that may be exposed to the toxic release, including all members of the public on land and on any waterborne vessels, populated offshore structures, and aircraft that are not operated in direct support of the launch.

(a) General. A flight safety analysis must establish flight commit criteria that protect the public from any hazard associated with far field blast overpressure effects due to potential explosions during launch vehicle flight and demonstrate compliance with the public risk criterion of § 417.107(b).

(b) Analysis constraints. The analysis must account for:

(1) The potential for distant focus overpressure or overpressure enhancement given current meteorological conditions and terrain characteristics;

(2) The potential for broken windows due to peak incident overpressures below 1.0 psi and related casualties;

(3) The explosive capability of the launch vehicle at impact and at altitude and potential explosions resulting from debris impacts, including the potential for mixing of liquid propellants;

(4) Characteristics of the launch vehicle flight and the surroundings that would affect the population's susceptibility to injury, such as, shelter types and time of day of the proposed launch;

(5) Characteristics of the potentially affected windows, including their size, location, orientation, glazing material, and condition; and

(6) The hazard characteristics of the potential glass shards, such as falling from upper building stories or being propelled into or out of a shelter toward potentially occupied spaces.

For each launch of an unguided suborbital launch vehicle flown with a wind weighting safety system, in addition to the other requirements in this subpart outlined in § 417.201(c), the flight safety analysis must:

(a) Establish flight commit criteria and other launch safety rules that a launch operator must implement to control the risk to the public from potential adverse effects resulting from normal and malfunctioning flight;

(b) Establish any wind constraints under which launch may occur; and

(c) Include a wind weighting analysis that establishes the launcher azimuth and elevation settings that correct for the windcocking and wind-drift effects on the unguided suborbital launch vehicle.