§ 417.401 - Scope.

This subpart contains public safety requirements that apply to launch processing and post-launch operations at a launch site in the United States. Ground safety requirements in this subpart apply to activities performed by, or on behalf of, a launch operator at a launch site in the United States. A licensed launch site operator must satisfy the requirements of part 420 of this chapter.

§ 417.402 - Compliance.

(a) General. A launch operator's ground safety process must satisfy this subpart.

(b) Ground safety analysis conducted for launch at a Federal launch range. This provision applies to all sections of this subpart. The FAA will accept a ground safety process conducted for a launch from a Federal launch range without need for further demonstration of compliance to the FAA if:

(1) A launch operator has contracted with a Federal launch range for the provision of the ground safety process; and

(2) The FAA has assessed the Federal launch range, through its launch site safety assessment, and found that the Federal launch range's ground safety process satisfies the requirements of this subpart. In this case, the FAA will treat the Federal launch range's process as that of a launch operator.

(c) Toxic release hazard analysis conducted for launch processing at a Federal launch range. The FAA will accept a toxic release hazard analysis conducted for launch processing from a Federal launch range provided the toxic release analysis satisfies the Federal launch range's requirements, and the FAA has assessed the Federal launch range, through its launch site safety assessment, and found that the applicable Federal launch range safety-related launch services and property satisfy the requirements of this subpart.

(d) Demonstration of compliance. For a licensed launch that does not satisfy paragraphs (b) and (c) of this section, a launch operator must demonstrate compliance to the FAA with the requirements of this subpart, and must include in its demonstration the analysis products required by subparts A and E of this part, and appendices I and J of this part.

(e) Alternate methods. The FAA will approve an alternate hazard control method if a launch operator demonstrates, in accordance with § 406.3(b), that its proposed hazard control method provides an equivalent level of safety to that required by this subpart.

§ 417.403 - General.

(a) Public safety. A launch operator must ensure that each hazard control is in place to protect the public from each potential hazard associated with launch processing and post-launch operations.

(b) Ground safety analysis. A launch operator must perform and document a ground safety analysis that satisfies § 417.405 and appendix J of this part.

(c) Local agreements. A launch operator must coordinate and perform launch processing and post-launch operations that satisfy local agreements to ensure the responsibilities and requirements in this part and § 420.57 of this chapter are met. A launch operator, when using a launch site of a licensed launch site operator, must coordinate the launch operator's operations with the launch site operator and with any agreements that the launch site operator has with local authorities that form a basis for the launch site operator's license.

(d) Launch operator's exclusive use of a launch site. For a launch conducted from a launch site exclusive to its own use, a launch operator must satisfy the requirements of this subpart and of part 420 of this chapter, including subpart D of part 420.

§ 417.405 - Ground safety analysis.

(a) A launch operator must perform a ground safety analysis for launch vehicle hardware, ground hardware including launch site and ground support equipment, launch processing, and post-launch operations at a launch site in the United States. The requirements of this section apply to the performance of the ground safety analysis and to the ground safety analysis products that a launch operator must file with the FAA as required by § 417.402(d). This analysis must identify each potential hazard, each associated cause, and each hazard control that a launch operator must establish and maintain to keep each identified hazard from affecting the public. A launch operator must incorporate the launch site operator's systems and operations involved in ensuring public safety into the ground safety analysis.

(b) Technical personnel who are knowledgeable of launch vehicle systems, launch processing, ground systems, operations, and their associated hazards must prepare the ground safety analysis. These individuals must be qualified to perform the ground safety analysis through training, education, and experience.

(c) A launch operator must ensure personnel performing a ground safety analysis or preparing a ground safety analysis report will have the cooperation of the entire launch operator's organization. A launch operator must maintain supporting documentation and it must be available upon request.

(d) A launch operator must:

(1) Begin a ground safety analysis by identifying the systems and operations to be analyzed;

(2) Define the extent of each system and operation being assessed to ensure there is no miscommunication as to what the hazards are, and who, in a launch operator's organization or other organization supporting the launch, controls those hazards; and

(3) Ensure that the ground safety analysis accounts for each launch vehicle system and operation involved in launch processing and post-launch operations, even if only to show that no hazard exists.

(e) A ground safety analysis need not account for potential hazards of a component if a launch operator demonstrates that no hazard to the public exists at the system level. A ground safety analysis need not account for an operation's individual task or subtask level if a launch operator demonstrates that no hazard to the public exists at the operation level. A launch operator must provide verifiable controls for hazards that are confined within the boundaries of a launch operator's facility to ensure the public will not have access to the associated hazard area while the hazard exists.

(f) A launch operator must identify each potential hazard, including non-credible hazards. The probability of occurrence is not relevant with respect to identifying a hazard. Where an assertion is made that no hazard exists for a particular system or operation, the ground safety analysis must provide the rationale. A launch operator must identify the following hazards of each launch vehicle system, launch site and ground support equipment, launch processing, and post-launch operations:

(1) System hazards, including explosives and other ordnance, solid and liquid propellants, toxic and radioactive materials, asphyxiants, cryogens, and high pressure. System hazards generally exist even when no operation is occurring; and

(2) Operation hazards derived from an unsafe condition created by a system, operating environment, or an unsafe act.

(g) A launch operator must categorize identified system and operation hazards as follows:

(1) Public hazard. A hazard that extends beyond the launch location under the control of a launch operator. Public hazards include the following:

(i) Blast overpressure and fragmentation resulting from an explosion;

(ii) Fire and deflagration, including hazardous materials such as radioactive material, beryllium, carbon fibers, and propellants. A launch operator must assume that in the event of a fire, hazardous smoke from systems containing hazardous materials will reach the public;

(iii) Sudden release of a hazardous material into the air, water, or ground; and

(iv) Inadvertent ignition of a propulsive launch vehicle payload, stage, or motor.

(2) Launch location hazard. A hazard that stays within the confines of the location under the control of a launch operator but extends beyond individuals doing the work. The confines may be bounded by a wall or a fence line of a facility or launch complex, or by a fenced or unfenced boundary of an entire industrial complex or multi-user launch site. A launch location hazard may affect the public depending on public access controls. Launch location hazards that may affect the public include the hazards listed in paragraphs (g)(1)(i)-(iv) of this section and additional hazards in potentially unsafe locations accessible to the public such as:

(i) Unguarded electrical circuits or machinery;

(ii) Oxygen deficient environments;

(iii) Falling objects;

(iv) Potential falls into unguarded pits or from unguarded elevated work platforms; and

(v) Sources of ionizing and non-ionizing radiation such as x-rays, radio transmitters, and lasers.

(3) Employee hazard. A hazard to individuals performing a launch operator's work, but not to other people in the area. A launch operator must comply with all applicable Federal, state, and local employee safety regulations. A launch operator's ground safety analysis must identify employee hazards and demonstrate that there are no associated public safety issues.

(4) Non-credible hazard. A hazard for which possible adverse effects on people or property would be negligible and where the possibility of adverse effects on people or property is remote. A launch operator's ground safety analysis must identify non-credible hazards and demonstrate that the hazard is non-credible.

(h) A ground safety analysis must identify each hazard cause for each public hazard and launch location hazard. The ground safety analysis must account for conditions, acts, or chain of events that can result in a hazard. The ground safety analysis must account for the possible failure of any control or monitoring circuitry within hardware systems that can cause a hazard.

(i) A ground safety analysis must identify the hazard controls to be established by a launch operator for each hazard cause identified in paragraph (h) of this section. A launch operator's hazard controls include the use of engineering controls for the containment of hazards within defined areas and the control of public access to those areas.

(j) A launch operator must verify all information in a ground safety analysis, including design margins, fault tolerance and successful completion of tests. A launch operator must:

(1) Trace any identified hardware to an engineering drawing or other document that describes hardware configuration;

(2) Trace any test or analysis used in developing the ground safety analysis to a report or memorandum that describes how the test or analysis was performed;

(3) Ensure the accuracy of the test or analysis and the associated results;

(4) Trace any procedural hazard control identified to a written procedure, and approved by the person designated under § 417.103(b)(2) or the person's designee, with the paragraph or step number of the procedure specified;

(5) Identify a verifiable hazard control for each hazard; if a hazard control is not verifiable, a launch operator may include it as an informational note on the hazard analysis form;

(6) For each hazard control, reference a released drawing, report, procedure or other document that verifies the existence of the hazard control; and

(7) Maintain records, as required by § 417.15, of the documentation that verifies the information in the ground safety analysis.

(k) A launch operator must ensure the continuing accuracy of its ground safety analysis. The analysis of systems and operations must not end upon submission of a ground safety analysis report to the FAA during the license application process. A launch operator must analyze each new or modified system or operation for potential hazards that can affect the public. A launch operator must ensure that each existing system and operation is subject to continual scrutiny and that the information in a ground safety analysis report is kept current.

§ 417.407 - Hazard control implementation.

(a) General. A launch operator must establish and maintain the hazard controls identified by the ground safety analysis including:

(1) System hazard controls that satisfy § 417.409;

(2) Safety clear zones for hazardous operations that satisfy § 417.411;

(3) Hazard areas and controls for allowing public access that satisfy § 417.413;

(4) Hazard controls after launch or an attempt to launch that satisfy § 417.415; and

(5) Controls for propellant and explosive hazards that satisfy § 417.417.

(b) Hazard control verification. A launch operator must establish a hazard tracking process to ensure that each identified hazard has a verifiable hazard control. Verification status must remain “open” for an individual hazard control until the hazard control is verified to exist in a released drawing, report, procedure, or similar document.

(c) Hazard control configuration control. A launch operator must establish and maintain a configuration control process for safety critical hardware. Procedural steps to verify hazard controls, and their associated documentation, cannot be changed without coordination with the person designated in § 417.103(b)(2).

(d) Inspections. When a potential hazard exists, a launch operator must conduct periodic inspections of related hardware, software, and facilities. A launch operator must ensure qualified and certified personnel, as required by § 417.105, conduct the inspection. A launch operator must demonstrate that the time interval between inspections is sufficient to ensure satisfaction of this subpart. A launch operator must ensure that safety devices and other hazard controls remain in place for that hazard, and that safety devices and other hazard controls remain in working order so that no unsafe conditions exist.

(e) Procedures. A launch operator must conduct each launch processing or post-launch operation involving a public hazard or a launch location hazard pursuant to written procedures that incorporate the hazard controls identified by a launch operator's ground safety analysis and as required by this subpart. The person designated in § 417.103(b)(2) must approve the procedures. A launch operator must maintain an “as-run” copy of each procedure. The “as-run” procedure copy must include changes, start and stop dates, and times that each procedure was performed and observations made during the operations.

(f) Hazardous materials. A launch operator must establish procedures for the receipt, storage, handling, use, and disposal of hazardous materials, including toxic substances and sources of ionizing radiation. A launch operator must establish procedures for responding to hazardous material emergencies and protecting the public that comply with the accident investigation plan as defined in § 417.111(h)(2). These procedures must include:

(1) Identification of each hazard and its effects;

(2) Actions to be taken in response to release of a hazardous material;

(3) Identification of protective gear and other safety equipment that must be available in order to respond to a release;

(4) Evacuation and rescue procedures;

(5) Chain of command; and

(6) Communication both on-site and off-site to surrounding communities and local authorities.

(g) Toxic release hazard notifications and evacuations. A launch operator must perform a toxic release hazard analysis for launch processing performed at the launch site that satisfies section I417.7 of this part. A launch operator must apply toxic plume modeling techniques that satisfy section I417.7 of this part and ensure that notifications and evacuations are accomplished to protect the public from potential toxic release.

§ 417.409 - System hazard controls.

(a) General. A launch operator must establish and maintain hazard controls for each system that presents a public hazard as identified by the ground safety analysis and satisfy the requirements of this section. A launch operator must:

(1) Ensure a system is at least single fault tolerant to creating a public hazard unless other hazard control criteria are specified for the system by the requirements of this part. A system capable of creating a catastrophic public hazard must be at least dual fault tolerant. Dual fault tolerant system hazard controls include: switches, valves, or similar components that prevent an unwanted transfer or release of energy or hazardous materials;

(2) Ensure each hazard control used to provide fault tolerance is independent from other hazard controls so that no single action or event can remove more than one inhibit. A launch operator must prevent inadvertent activation of hazard control devices such as switches and valves;

(3) Provide at least two fully redundant safety devices if a safety device must function in order to control a public hazard. A single action or event must not be capable of disabling both safety devices; and

(4) Ensure computing systems and software used to control a public hazard satisfy the requirements of § 417.123.
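The following is an added illustration of the fault-tolerance and inhibit-independence rules in paragraph (a) above; it is not part of the regulation and not any launch operator's tool. It models each hazard control as an inhibit together with the single actions or events that would defeat it, then finds the smallest set of events that removes every inhibit (the minimal cut set familiar from fault tree analysis). Fault tolerance is that set's size minus one, which is compared against the single or dual requirement, and any event shared by two inhibits is reported as an independence violation under paragraph (a)(2). The hazard, inhibit and event names are constructed for the example.

```python
from dataclasses import dataclass
from itertools import combinations
from collections import defaultdict


@dataclass(frozen=True)
class Inhibit:
    """One hazard control (switch, valve, interlock) and the events that remove it."""
    name: str
    defeated_by: frozenset  # single actions or failures that defeat this inhibit


@dataclass(frozen=True)
class SystemHazard:
    name: str
    catastrophic: bool      # catastrophic public hazard -> dual fault tolerance required
    inhibits: tuple         # Inhibit instances standing between normal state and the hazard


def required_tolerance(hazard):
    """Section 417.409(a)(1): single fault tolerant, dual if catastrophic."""
    return 2 if hazard.catastrophic else 1


def shared_events(hazard):
    """Section 417.409(a)(2) check: events that would remove more than one inhibit."""
    owners = defaultdict(list)
    for inh in hazard.inhibits:
        for ev in sorted(inh.defeated_by):
            owners[ev].append(inh.name)
    return {ev: names for ev, names in owners.items() if len(names) > 1}


def min_defeating_set(hazard):
    """Smallest set of events that removes every inhibit (a minimal cut set).
    Brute force over event subsets; fine for the handful of inhibits per hazard."""
    for inh in hazard.inhibits:
        if not inh.defeated_by:
            raise ValueError(f"inhibit {inh.name!r} lists no defeating event; model it")
    events = sorted({ev for inh in hazard.inhibits for ev in inh.defeated_by})
    for k in range(1, len(events) + 1):
        for combo in combinations(events, k):
            chosen = set(combo)
            if all(inh.defeated_by & chosen for inh in hazard.inhibits):
                return list(combo)
    return events


def fault_tolerance(hazard):
    """Number of independent faults the system survives before the hazard can occur."""
    return len(min_defeating_set(hazard)) - 1


def assess(hazard):
    """Summarise compliance with 417.409(a)(1) and (a)(2) for one hazard."""
    tol = fault_tolerance(hazard)
    req = required_tolerance(hazard)
    shared = shared_events(hazard)
    return {
        "hazard": hazard.name,
        "fault_tolerance": tol,
        "required": req,
        "independent_inhibits": not shared,
        "shared_events": shared,
        "compliant": tol >= req and not shared,
    }


# Constructed example: inadvertent propellant transfer, treated as catastrophic.
# Weak design: the purge interlock and the solenoid valve both depend on the same 28 V bus.
WEAK = SystemHazard(
    name="inadvertent propellant transfer",
    catastrophic=True,
    inhibits=(
        Inhibit("manual isolation valve closed", frozenset({"operator opens manual valve"})),
        Inhibit("solenoid valve closed", frozenset({"solenoid command fault", "28V bus fault"})),
        Inhibit("purge interlock engaged", frozenset({"28V bus fault"})),
    ),
)

# Corrected design: the interlock is on an independent relay, so no single event removes two inhibits.
FIXED = SystemHazard(
    name="inadvertent propellant transfer",
    catastrophic=True,
    inhibits=(
        Inhibit("manual isolation valve closed", frozenset({"operator opens manual valve"})),
        Inhibit("solenoid valve closed", frozenset({"solenoid command fault", "28V bus fault"})),
        Inhibit("purge interlock engaged", frozenset({"interlock relay fault"})),
    ),
)

if __name__ == "__main__":
    for h in (WEAK, FIXED):
        print(assess(h))
```

The weak design reports a fault tolerance of one (the shared bus fault plus one operator action defeats all three inhibits) against a dual requirement, and flags the bus fault as the independence violation; the corrected design reaches dual fault tolerance with no shared events.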

(b) Structures and material handling equipment. A launch operator must ensure safety factors applied in the design of a structure or material handling equipment account for static and dynamic loads, environmental stresses, expected wear, and duty cycles. A launch operator must:

(1) Inspect structures and material handling equipment to verify workmanship, proper operations, and maintenance;

(2) Prepare plans to ensure proper operations and maintenance of structures and material handling equipment;

(3) Assess structures and material handling equipment for potential single point failure;

(4) Eliminate single point failures from structures and material handling equipment or subject the structures and material handling equipment to specific inspection and testing to ensure proper operation. Single point failure welds must undergo both surface and volumetric non-destructive inspection to verify that no rejectable discontinuities exist;

(5) Establish other non-destructive inspection techniques if a volumetric inspection cannot be performed. A launch operator, in such a case, must demonstrate through the licensing process that the inspection processes used accurately verify the absence of rejectable discontinuities; and

(6) Ensure qualified and certified personnel, as defined in § 417.105, conduct the inspections.

(c) Pressure vessels and pressurized systems. A launch operator must apply the following hazard controls to a pressurized flight or ground pressure vessel, component, or systems:

(1) Qualified and certified personnel, as defined in § 417.105, must test each pressure vessel, component, or system upon installation and before being placed into service, and periodically inspect to ensure that no rejectable discontinuities exist;

(2) Safety factors applied in the design of a pressure vessel, component, or system must account for static and dynamic loads, environmental stresses, and expected wear;

(3) Pressurized system flow-paths, except for pressure relief and emergency venting, must be single fault tolerant to causing pressure ruptures and material releases during launch processing; and

(4) Provide pressure relief and emergency venting capability to protect against pressure ruptures. Pressure relief devices must provide the flow rate necessary to prevent a rupture in the event a pressure vessel is exposed to fire.

(d) Electrical and mechanical systems. A launch operator must apply the following hazard controls to electrical or mechanical systems that can release electrical or mechanical energy during launch processing:

(1) A launch operator must ensure electrical and mechanical systems, including systems that generate ionizing or non-ionizing radiation, are single fault tolerant to providing or releasing electrical or mechanical energy;

(2) In areas where flammable material exists, a launch operator must ensure electrical systems and equipment are hermetically sealed, explosion proof, intrinsically safe, purged, or otherwise designed so as not to provide an ignition source. A launch operator must assess each electrical system as a possible source of thermal energy and ensure that the electrical system cannot act as an ignition source; and

(3) A launch operator must prevent unintentionally conducted or radiated energy due to possible bent pins in a connector, a mismated connector, shorted wires, or unshielded wires within electrical power and signal circuits that interface with hazardous subsystems.

(e) Propulsion systems. A propulsion system must be dual fault tolerant to inadvertently becoming propulsive. Propulsion systems must be single fault tolerant to inadvertent mixing of fuel and oxidizer. Each material in a propulsion system must be compatible with other materials that may contact the propulsion system during launch processing including materials used to assemble and clean the system. A launch operator must use engineering controls, including procedures, to prevent connecting incompatible systems. A launch operator must comply with § 417.417 for hazard controls applicable to propellants and explosives.

(f) Ordnance systems. An ordnance system must be at least single fault tolerant to prevent a hazard caused by inadvertent actuation of the ordnance system. A launch operator must comply with § 417.417 for hazard controls applicable to ordnance. In addition, an ordnance system must satisfy the following requirements:

(1) A launch operator must ensure ordnance electrical connections are disconnected until final preparations for flight;

(2) An ordnance system must provide for safing and arming of the ordnance. An electrically initiated ordnance system must include ordnance initiation devices and arming devices, also referred to as safe and arm devices, that provide a removable and replaceable mechanical barrier or other positive means of interrupting power to each ordnance firing circuit to prevent inadvertent initiation of ordnance. A mechanical safe and arm device must have a safing pin that locks the mechanical barrier in a safe position. A mechanically actuated ordnance device must also have a safing pin that prevents mechanical movement within the device. A launch operator must comply with section D417.13 of this part for specific safing and arming requirements for a flight termination system;

(3) Protect ordnance systems from stray energy through grounding, bonding, and shielding; and

(4) Current limit any monitoring or test circuitry that interfaces with an ordnance system to protect against inadvertent initiation of ordnance. Equipment used to measure bridgewire resistance on electro-explosive devices must be special purpose ordnance system instrumentation with features that limit current.

§ 417.411 - Safety clear zones for hazardous operations.

(a) A launch operator must define a safety clear zone that confines the adverse effects of each operation involving a public hazard or launch location hazard. A launch operator's safety clear zones must satisfy the following:

(1) A launch operator must establish a safety clear zone that accounts for the potential blast, fragment, fire or heat, toxic and other hazardous energy or material potential of the associated systems and operations. A launch operator must base a safety clear zone on the following criteria:

(i) For a possible explosive event, base a safety clear zone on the worst case event, regardless of the fault tolerance of the system;

(ii) For a possible toxic event, base a safety clear zone on the worst case event. A launch operator must have procedures in place to maintain public safety in the event toxic releases reach beyond the safety clear zone; and

(iii) For a material handling operation, base a safety clear zone on a worst case event for that operation.

(2) A launch operator must establish a safety clear zone when the launch vehicle is in a launch command configuration with the flight safety systems fully operational and on internal power.

(b) A launch operator must establish restrictions that prohibit public access to a safety clear zone during a hazardous operation. A safety clear zone may extend to areas beyond the launch location boundaries if local agreements provide for restricting public access to such areas and a launch operator verifies that the safety clear zone is clear of the public during the hazardous operation.

(c) A launch operator's procedures must verify that the public is outside of a safety clear zone prior to a launch operator beginning a hazardous operation.

(d) A launch operator must control a safety clear zone to ensure no public access during the hazardous operation. Safety clear zone controls include:

(1) Use of security guards and equipment;

(2) Physical barriers; and

(3) Warning signs, and other types of warning devices.

§ 417.413 - Hazard areas.

(a) General. A launch operator must define a hazard area that confines the adverse effects of a hardware system should an event occur that presents a public hazard or launch location hazard. A launch operator must prohibit public access to the hazard area whenever a hazard is present unless the requirements for public access of paragraph (b) of this section are met.

(b) Public access. A launch operator must establish a process for authorizing public access if visitors or members of the public must have access to a launch operator's facility or launch location. The process must ensure that each member of the public is briefed on the hazards within the facility and related safety warnings, procedures, and rules that provide protection, or a launch operator must ensure that each member of the public is accompanied by a knowledgeable escort.

(c) Hazard controls during public access. A launch operator must establish procedural controls that prevent hazardous operations from taking place while members of the public have access to the launch location and must verify that system hazard controls are in place that prevent initiation of a hazardous event. Hazard controls and procedures that prevent initiation of a hazardous event include the following:

(1) Use of lockout devices or other restraints on system actuation switches or other controls to eliminate the possibility of inadvertent actuation of a hazardous system.

(2) Disconnect ordnance systems from power sources, incorporate the use of safing plugs, or have safety devices in place that prevent inadvertent initiation. Activity involving the control circuitry of electrically activated safety devices must not be ongoing while the public has access to the hazard area. Install safing pins on safe and arm devices and mechanically actuated devices. Disconnect explosive transfer lines not protected by a safe and arm device, a mechanically actuated device, or equivalent.

(3) When systems or tanks are loaded with hypergols or other toxic materials, close the system or tank and verify it is leak-tight with two verifiable closures, such as a valve and a cap, to every external flow path or fitting. Such a system must also be in a steady-state condition.

(4) Keep each pressurized system below its maximum allowable working pressure and do not allow it to be in a dynamic state. Activity involving the control circuitry of electrically activated pressure system valves must not be ongoing while the public has access to the associated hazard area. Launch vehicle systems must not be pressurized to more than 25% of the system's design burst pressure, when the public has access to the associated hazard area.

(5) Do not allow sources of ionizing or non-ionizing radiation, such as x-rays, nuclear power sources, high-energy radio transmitters, radar, and lasers, to be present, or verify they are inactive, when the public has access to the associated hazard area.

(6) Guard physical hazards to prevent potential physical injury to visiting members of the public. Physical hazards include the following:

(i) Potential falling objects;

(ii) Falls from an elevated height; and

(iii) Protection from potentially hazardous vents, such as pressure relief discharge vents.

(7) Maintain and verify that safety devices or safety critical systems are operating properly prior to permitting public access.

§ 417.415 - Post-launch and post-flight-attempt hazard controls.

(a) A launch operator must establish, maintain and perform procedures for controlling hazards and returning the launch facility to a safe condition after a successful launch. Procedural hazard controls must include:

(1) Provisions for extinguishing fires;

(2) Re-establishing full operational capability of safety devices, barriers, and platforms; and

(3) Access control.

(b) A launch operator must establish procedures for controlling hazards associated with a failed flight attempt where a solid or liquid launch vehicle engine start command was sent, but the launch vehicle did not liftoff. These procedures must include the following:

(1) Maintaining and verifying that each flight termination system remains operational until verification that the launch vehicle does not represent a risk of inadvertent liftoff. If an ignition signal has been sent to a solid rocket motor, the flight termination system must remain armed and active for a period of no less than 30 minutes. During this time, flight termination system batteries must maintain sufficient voltage and current capacity for flight termination system operation. The flight termination system receivers must remain captured by the command control system transmitter's carrier signal;

(2) Assuring that the vehicle is in a safe configuration, including its propulsion and ordnance systems. The flight safety system crew must have access to the vehicle status. Re-establish safety devices and bring each pressurized system down to safe pressure levels; and

(3) Prohibiting launch complex entry until the launch pad area safing procedures are complete.

(c) A launch operator must establish procedural controls for hazards associated with an unsuccessful flight where the launch vehicle has a land or water impact. These procedures must include the following provisions:

(1) Evacuation and rescue of members of the public, to include modeling the dispersion and movement of toxic plumes, identification of areas at risk, and communication with local government authorities;

(2) Extinguishing fires;

(3) Securing impact areas to ensure that personnel and the public are evacuated, and ensure that no unauthorized personnel or members of the public enter, and to preserve evidence; and

(4) Ensuring public safety from hazardous debris, such as plans for recovery and salvage of launch vehicle debris and safe disposal of hazardous materials.

§ 417.417 - Propellants and explosives.

(a) A launch operator must comply with the explosive safety criteria in part 420 of this chapter.

(b) A launch operator must ensure that:

(1) The explosive site plan satisfies part 420 of this chapter;

(2) Only those explosive facilities and launch points addressed in the explosive site plan are used and only for their intended purpose; and

(3) The total net explosive weight for each explosive hazard facility and launch point must not exceed the maximum net explosive weight limit indicated on the explosive site plan for each location.

(c) A launch operator must establish, maintain, and perform procedures that ensure public safety for the receipt, storage, handling, inspection, test, and disposal of explosives.

(d) A launch operator must establish and maintain each procedural system control to prevent inadvertent initiation of propellants and explosives. These controls must include the following:

(1) Protect ordnance systems from stray energy through methods of bonding, grounding, and shielding, and controlling radio frequency radiation sources in a radio frequency radiation exclusion area. A launch operator must determine the vulnerability of its electro-explosive devices and systems to radio frequency radiation and establish radio frequency radiation power limits or radio frequency radiation exclusion areas as required by the launch site operator or to ensure safety.

(2) Keep ordnance safety devices, as required by § 417.409, in place until the launch complex is cleared as part of the final launch countdown. No members of the public may re-enter the complex until each safety device is re-established.

(3) Do not allow heat and spark or flame producing devices in an explosive or propellant facility without written approval and oversight from a launch operator's safety organization.

(4) Do not allow static producing materials in close proximity to solid or liquid propellants, electro-explosive devices, or systems containing flammable liquids.

(5) Use fire safety measures including:

(i) Elimination or reduction of flammable and combustible materials;

(ii) Elimination or reduction of ignition sources;

(iii) Fire and smoke detection systems;

(iv) Safe means of egress; and

(v) Timely fire suppression response.

(6) Include lightning protection on each facility used to store or process explosives to prevent inadvertent initiation of propellants and explosives due to lightning unless the facility complies with the lightning protection criteria of § 420.71 of this part.

(e) A launch operator, in the event of an emergency, must perform the accident investigation plan as defined in § 417.111(h).