Streamlined Launch and Reentry Licensing Requirements, 15296-15444 [2019-05972]

Download as PDF 15296 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules DEPARTMENT OF TRANSPORTATION Federal Aviation Administration 14 CFR Parts 401, 404, 413, 414, 415, 417, 420, 431, 433, 435, 437, 440, and 450 [Docket No.: FAA–2019–0229; Notice No. 19–01] RIN 2120–AL17 Streamlined Launch and Reentry Licensing Requirements Federal Aviation Administration (FAA), Department of Transportation (DOT). ACTION: Notice of proposed rulemaking (NPRM). AGENCY: This rulemaking would streamline and increase flexibility in the FAA’s commercial space launch and reentry regulations, and remove obsolete requirements. This action would consolidate and revise multiple regulatory parts and apply a single set of licensing and safety regulations across several types of operations and vehicles. The proposed rule would describe the requirements to obtain a vehicle operator license, the safety requirements, and the terms and conditions of a vehicle operator license. DATES: Send comments on or before June 14, 2019. ADDRESSES: Send comments identified by docket number FAA–2019–0229 using any of the following methods: Federal eRulemaking Portal: Go to https://www.regulations.gov and follow the online instructions for sending your comments electronically. Mail: Send comments to Docket Operations, M–30; U.S. Department of Transportation (DOT), 1200 New Jersey Avenue SE, Room W12–140, West Building Ground Floor, Washington, DC 20590–0001. Hand Delivery or Courier: Take comments to Docket Operations in Room W12–140 of the West Building Ground Floor at 1200 New Jersey Avenue SE, Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays. Fax: Fax comments to Docket Operations at 202–493–2251. Privacy: In accordance with 5 U.S.C. 553(c), DOT solicits comments from the public to better inform its rulemaking process. DOT posts these comments, without edit, including any personal information the commenter provides, to www.regulations.gov, as described in the system of records notice (DOT/ALL– 14 FDMS), which can be reviewed at www.dot.gov/privacy. amozie on DSK9F9SC42PROD with PROPOSALS2 SUMMARY: VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 Docket: Background documents or comments received may be read at https://www.regulations.gov at any time. Follow the online instructions for accessing the docket or go to the Docket Operations in Room W12–140 of the West Building Ground Floor at 1200 New Jersey Avenue SE, Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays. FOR FURTHER INFORMATION CONTACT: For questions concerning this action, contact Randy Repcheck, Office of Commercial Space Transportation, Federal Aviation Administration, 800 Independence Avenue SW, Washington, DC 205914; telephone (202) 267–8760; email Randy.Repcheck@faa.gov. SUPPLEMENTARY INFORMATION: Authority for This Rulemaking The Commercial Space Launch Act of 1984, as amended and codified at 51 U.S.C. 50901–50923 (the Act), authorizes the Department of Transportation, and the FAA through delegation, to oversee, license, and regulate commercial launch and reentry activities, and the operation of launch and reentry sites as carried out by U.S. citizens or within the United States. Section 50905 directs the FAA to exercise this responsibility consistent with public health and safety, safety of property, and the national security and foreign policy interests of the United States. In addition, section 50903 requires the FAA encourage, facilitate, and promote commercial space launches and reentries by the private sector. If adopted as proposed, this rulemaking would consolidate and revise multiple regulatory parts to apply a single set of licensing and safety regulations across several types of operations and vehicles. It would also streamline the commercial space regulations by, among other things, replacing many prescriptive regulations with performance-based rules, giving industry greater flexibility to develop means of compliance that maximize their business objectives while maintaining public safety. Because this rulemaking would amend the FAA’s launch and reentry requirements, it falls under the authority delegated by the Act. List of Abbreviations and Acronyms Frequently Used in This Document AC—Advisory Circular CEC—Conditional expected casualty EC—Expected casualty ELOS determination—Equivalent-level-ofsafety determination ELV—Expendable launch vehicle FSA—Flight safety analysis PO 00000 Frm 00002 Fmt 4701 Sfmt 4702 FSS—Flight safety system PC—Probability of casualty PI—Probability of impact RLV—Reusable launch vehicle Table of Contents I. Overview of Proposed Rule II. Background A. History B. Licensing Process C. National Space Council D. Streamlined Launch and Reentry Licensing Requirements Aviation Rulemaking Committee III. Discussion of the Proposal A. The FAA’s Approach To Updating and Streamlining Launch and Reentry Regulations B. Single Vehicle Operator License C. Performance-Based Requirements and Means of Compliance D. Launch From a Federal Launch Range E. Safety Framework Flight Safety A. Public Safety Criteria 1. Neighboring Operations Personnel 2. Property Protection (Critical Assets) 3. Consequence Protection Criteria for Flight Abort and Flight Safety System B. System Safety Program 1. Safety Organization 2. Procedures 3. Configuration Management and Control 4. Post-Flight Data Review C. Preliminary Safety Assessment for Flight D. Hazard Control Strategy E. Flight Abort 1. Flight Safety Limits and Uncontrolled Areas 2. Flight Abort Rules 3. Flight Safety System F. Flight Hazard Analysis G. Computing Systems and Software Overview H. Hybrid Launch Vehicles I. Flight Safety Analysis Overview J. Safety-Critical Systems 1. Safety-Critical Systems Design, Test, and Documentation 2. Flight Safety System K. Other Prescribed Hazard Controls 1. Agreements 2. Safety-Critical Personnel Qualifications 3. Work Shift and Rest Requirements 4. Radio Frequency Management 5. Readiness: Reviews and Rehearsals 6. Communications 7. Preflight Procedures 8. Surveillance and Publication of Hazard Areas 9. Lightning Hazard Mitigation 10. Flight Safety Rules 11. Tracking 12. Launch and Reentry Collision Avoidance Analysis Requirements 13. Safety at End of Launch 14. Mishaps: Definition, Plan, Reporting, Response, Investigation, Test-Induced Damage L. Pre- and Post-Flight Reporting 1. Preflight Reporting 2. Post-Flight Reporting Ground Safety A. Definition and Scope of Launch B. Ground Safety Requirements Process Improvements E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules A. Safety Element Approval B. Incremental Review of a License Application C. Time Frames D. Continuing Accuracy of License Application and Modification of License Other Changes A. Pre-Application Consultation B. Policy Review and Approval C. Payload Review and Determination D. Safety Review and Approval E. Environmental Review F. Additional License Terms and Conditions, Transfer of a Vehicle Operator License, Rights Not Conferred by a Vehicle Operator License G. Unique Safety Policies, Requirements, and Practices H. Compliance Monitoring I. Registration of Space Objects J. Public Safety Responsibility, Compliance With License, Records, Financial Responsibility, and Human Spaceflight Requirements K. Applicability L. Equivalent Level of Safety Additional Technical Justification and Rationale A. Flight Safety Analyses 1. Scope and Applicability 2. Flight Safety Analysis Methods 3. Trajectory Analysis for Normal Flight 4. Trajectory Analysis for Malfunction Flight 5. Debris Analysis 6. Flight Safety Limits Analysis 7. Gate Analysis 8. Data Loss Flight Time and Planned Safe Flight State Analyses 9. Time Delay Analysis 10. Probability of Failure 11. Flight Hazard Areas 12. Debris Risk Analysis 13. Far-Field Overpressure Blast Effects 14. Toxic Hazards for Flight 15. Wind Weighting for the Flight of an Unguided Suborbital Launch Vehicle B. Software C. Changes to Parts 401, 413, 414, 420, 437, 440 1. Part 401—Definitions 2. Part 413—Application Procedures 3. Part 414—Safety Element Approvals 4. Part 420—License To Operate a Launch Site 6. Part 437—Experimental Permits 7. Part 440—Financial Responsibility IV. Regulatory Notices and Analyses A. Regulatory Evaluation B. Regulatory Flexibility Determination C. International Trade Impact Assessment D. Unfunded Mandates Assessment E. Paperwork Reduction Act F. International Compatibility G. Environmental Analysis V. Executive Order Determinations A. Executive Order 13132, Federalism B. Executive Order 13211, Regulations That Significantly Affect Energy Supply, Distribution, or Use C. Executive Order 13609, International Cooperation D. Executive Order 13771, Reducing Regulation and Controlling Regulatory Costs VI. Additional Information VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 A. Comments Invited B. Availability of Rulemaking Documents The Proposed Amendment I. Overview of Proposed Rule The FAA commercial space transportation regulations protect public health and safety and the safety of property from the hazards of launch and reentry. In addition, the regulations address national security and foreign policy interests of the United States, financial responsibility, environmental impacts, informed consent for crew and space flight participants, and, to a limited extent, authorization of payloads not otherwise regulated or owned by the U.S. Government. The FAA is proposing this deregulatory action consistent with President Donald J. Trump’s Space Policy Directive—2 (SPD–2) ‘‘Streamlining Regulations on Commercial Use of Space.’’ 1 The directive charged the Department of Transportation with revising regulations to require a single license for all types of commercial space flight operations and replace prescriptive requirements with performance-based criteria. Streamlining these regulations would lower administrative burden and regulatory compliance costs and bolster the U.S. space commercial sector and industrial base. Additionally, this proposed rule incorporates industry input and recommendations provided primarily by the Streamlined Launch and Reentry Licensing Requirements Aviation Rulemaking Committee (ARC). The subject proposed rule would implement the applicable section of SPD–2 and address industry. The recommendation report is provided in the docket for this rulemaking. Current regulations setting forth application procedures and requirements for commercial space transportation licensing were based largely on the distinction between expendable and reusable launch vehicles. Specifically, title 14 of the Code of Federal Regulations (14 CFR) parts 415 and 417 address the launch of expendable launch vehicles (ELVs) and are based on the Federal launch range standards developed in the 1990s. Part 431 addresses the launch and reentry of reusable launch vehicles (RLVs), and part 435 addresses the reentry of reentry vehicles other than RLVs. Parts 431 and 435 are primarily process-based, relying on a license applicant to derive safety requirements through a ‘‘system safety’’ 1 Space Policy Directive—2, Streamlining Regulations on Commercial Use of Space; May 24, 2018 (https://www.whitehouse.gov/presidentialactions/space-policy-directive-2-streamliningregulations-commercial-use-space/). PO 00000 Frm 00003 Fmt 4701 Sfmt 4702 15297 process. That being said, the FAA has used the more detailed part 417 requirements to inform parts 431 and 435. While these separate regulatory parts and requirements satisfied the need of the commercial space transportation industry at the time they were issued,2 the industry has changed and continues to evolve. The FAA proposes to consolidate, update, and streamline all launch and reentry regulations into a single performance-based part to better fit today’s fast-evolving commercial space transportation industry. Proposed part 450 would include regulations applicable to all launch and reentry vehicles, whether they have reusable components or not. The FAA looked to balance the regulatory certainty but rigidity of current ELV regulations with the flexibility but vagueness of current RLV regulations. As a result, these proposed regulations are flexible and scalable to accommodate innovative safety approaches while also protecting public health and safety, safety of property, and the national security and foreign policy interests of the United States. The FAA proposes to continue reviewing licenses in five component parts: Policy review, payload review, safety review, maximum probable loss determination, and environmental review. However, after consulting with the FAA, applicants would have the option of submitting portions of applications for incremental review and approval by the FAA. In terms of the applications themselves, the FAA has streamlined and better defined application requirements. In terms of safety requirements, the FAA would maintain a high level of safety. Neighboring operations requirements would result in a minimal risk increase compared to current regulations, offset by operational benefits. The FAA would anchor the proposed requirements on public safety criteria. The FAA would continue to use the current collective and individual risk criteria. However, this proposal would implement risk criteria for neighboring operations personnel, critical asset protection, and conditional risk to protect from an unlikely but catastrophic event.3 In particular, the 2 The current 14 CFR parts 415, 417, 431, and 435 regulatory text can be found at https:// www.ecfr.gov/ under their respective links. The eCFR contains Federal Register citations for each time a regulation is modified by rulemaking. 3 As will be discussed later, ‘‘neighboring operations personnel’’ would be defined as those members of the public located within a launch or reentry site, or an adjacent launch or reentry site, E:\FR\FM\15APP2.SGM Continued 15APP2 15298 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 conditional risk would be used to determine the need for a flight safety system 4 and the reliability of that system. To meet these public safety criteria, most operators would have the option of using traditional hazard controls or to derive alternate controls through a system safety approach. These rules would also revise quantitative flight safety analyses to better define their applicability and to reduce the level of prescriptiveness. In terms of ground safety, the FAA has scoped its oversight to better fit the safety risks and to increase operator flexibility. To satisfy the proposed performancebased regulations, operators would be able to use a means of compliance that has already been accepted by the FAA or propose an alternate approach. To retain the maximum flexibility to adjust to dynamic industry changes, the FAA would continue to offer operators the choice to request waivers of regulations and equivalent level of safety determinations. The proposed rule is a deregulatory action under Executive Order 13771.5 This deregulatory action would consolidate and revise multiple commercial space regulatory parts to apply a single set of licensing and safety regulations across several types of operations and vehicles. It would also replace many prescriptive regulations with performance-based regulations, giving industry greater flexibility to develop a means of compliance that maximizes their business objectives. This proposed rule would result in net cost savings for industry and enable future innovation in U.S. commercial space transportation. who are not associated with a specific hazardous licensed or permitted operation currently being conducted but are required to perform safety, security, or critical tasks at the site and are notified of the operation. ‘‘Critical asset’’ means an asset that is essential to the national interests of the United States. Critical assets include property, facilities, or infrastructure necessary to maintain national defense, or assured access to space for national priority missions. For ‘‘conditional risk,’’ the FAA would require that operators quantify the consequence of a catastrophic event, by calculating the conditional risk as conditional expected casualties for any one-second period of flight. Unlike collective risk that determines the expected casualties factoring in the probability that a dangerous event will occur, conditional risk determines the expected casualties assuming the dangerous event will occur. 4 The FAA proposes to revise the definition in § 401.5 of ‘‘flight safety system’’ to mean a system used to implement flight abort. A human can be a part of a flight safety system. The proposed definition is discussed later in this preamble. 5 Executive Order 13771, Reducing Regulation and Controlling Regulatory Costs, January 30, 2017, (https://www.whitehouse.gov/presidential-actions/ presidential-executive-order-reducing-regulationcontrolling-regulatory-costs/). VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 At the time of writing, the FAA estimates this proposed rule would affect 12 operators that have an active license or permit to conduct launch or reentry operations. In addition, the FAA estimates this proposed rule would affect approximately 276 launches over the next 5 years (2019 through 2023). The FAA anticipates this proposed rule would reduce the costs of current and future launch operations by removing prescriptive requirements that are burdensome to meet or require a waiver. The FAA expects these changes would lead to more efficient launch operations and have a positive effect on expanding the number of future launch and reentry operations. Based on the preliminary analysis, the FAA estimates industry stands to gain about $19 million in discounted present value net savings over 5 years or about $5 million in annualized net savings (using a discount rate of 7 percent). In addition, the FAA will save about $1 million in the same time period. The FAA expects industry will gain additional unquantified savings and benefits as the proposed rule is implemented, since it would provide flexibility and scalability through performance-based requirements that would reduce the future cost of innovation and improve the efficiency and productivity of U.S. commercial space transportation.6 Throughout this document, the FAA uses scientific notation to indicate probabilities. For example, 1 × 10¥2 means one in a hundred and 1 × 10¥6 means one in a million. II. Background A. History As noted earlier, the Act authorizes the Secretary of Transportation to oversee, license, and regulate commercial launch and reentry activities and the operation of launch and reentry sites as carried out by U.S. citizens or within the United States. The Act directs the Secretary to exercise this responsibility consistent with public health and safety, safety of property, and the national security and foreign policy interests of the United States, and to encourage, facilitate, and promote commercial space launches by the private sector. The FAA carries out the Secretary’s responsibilities under the Act. In the past 30 years, the Department of Transportation (DOT) regulations 6 51 U.S.C. 50904 grants the FAA authority to oversee, license, and regulate commercial launch and reentry activities, and the operation of launch and reentry sites as carried out by U.S. citizens or within the United States. PO 00000 Frm 00004 Fmt 4701 Sfmt 4702 addressing launch and reentry have gone through a number of iterations intended to be responsive to an emerging industry while at the same time ensuring public safety. A review of this history is provided to put this rulemaking in perspective. 1. First Licensing Regulations in 1988 DOT’s first licensing regulations for commercial launch activities became effective over 30 years ago, on April 4, 1988. The regulations replaced previous guidance and constituted the procedural framework for reviewing and authorizing all proposals to conduct non-Federal launch activities, including the launching of launch vehicles, operation of launch sites, and payload activities that were not licensed by other federal agencies. They included general administrative procedures and a revised compilation of DOT’s information requirements. No licensed launches had yet taken place when DOT initially issued these regulations. Accordingly, DOT established a flexible regime intended to be responsive to an emerging industry while at the same time ensuring public safety. This approach worked well because all commercial launches at the time took place from Federal launch ranges where safety practices were well established and had proven effective in protecting public safety. In 1991, when the industry reached about ten launches a year, DOT took further steps designed to simplify the licensing process for launch operators with established safety records by instituting a launch operator license, which allowed one license to cover a series of launches where the same safety resources support identical or similar missions. 2. Licensing Changes in 1999 On June 21, 1999,7 the FAA amended its commercial space transportation licensing regulations to clarify its license application process generally, and for launches from Federal launch ranges specifically. The FAA intended the regulations to provide an applicant or an operator with greater specificity and clarity regarding the scope of a license and to codify and amend licensing requirements and criteria. Notable changes were dividing launch into preflight and flight activities; defining launch to begin with the arrival of the launch vehicle or its major components at a U.S. launch site; separating what had been a safety and mission review into a safety, policy, and 7 Commercial Space Transportation Licensing Regulations, Final Rule. 64 FR 19586 (April 21, 1999). E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules payload review; and the addition of a specific requirement to ‘‘passivate’’ any vehicle stage left on orbit to avoid the potential of creating orbital debris through a subsequent explosion. amozie on DSK9F9SC42PROD with PROPOSALS2 3. Reusable Launch Vehicle Regulations in 2000 In the mid-1990s, prospective RLV operators identified the absence of adequate regulatory oversight over RLV operations, particularly their reentry, as an impediment to technology development. The need for a stable and predictable regulatory environment in which RLVs could operate was considered critical to the capability of the emerging RLV industry to obtain the capital investment necessary for research and development and ultimately vehicle operations. The Commercial Space Act of 1998, Public Law 105–303, extended DOT’s licensing authority to the reentry of reentry vehicles and the operation of reentry sites by non-Federal entities. In September 2000, the FAA amended the commercial space transportation licensing regulations by establishing requirements for the launch of an RLV, the reentry of a reentry vehicle, and the operation of launch and reentry sites.8 At the time, the FAA believed that the differences between ELVs and RLVs justified a different regulatory approach. There was a long history of successful ELV launches from Federal launch ranges using detailed prescriptive regulations, encouraging the FAA to follow suit. Also, ELVs and RLVs used different means of terminating flight. ELV launches typically relied on flight safety systems (FSS) that terminated flight to ensure flight safety by preventing a vehicle from traveling beyond approved limits. Unlike an ELV, the FAA contemplated that an RLV might rely upon other means of ending vehicle flight, such as returning to the launch site or using an alternative landing site, in case the vehicle might not be able to safely conclude a mission as planned. Importantly, other than NASA’s Space Shuttle, there was little experience with RLVs. For these reasons, the FAA decided to enact flexible process-based regulations for RLVs and other reentry vehicles. These regulations reside in 14 CFR parts 431 and 435. 4. Further Regulatory Changes in 2006 The last major change to FAA launch regulations occurred in 2006.9 The FAA 8 Commercial Space Transportation Reusable Launch Vehicle and Reentry Licensing Regulations, Final Rule. 65 FR 56617 (September 19, 2000). 9 Licensing and Safety Requirements for Launch, Final Rule. 71 FR 50508 (August 25, 2006). VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 believed that it would be advantageous for its ELV regulations to be consistent with Federal launch range requirements and worked with the United States Air Force (Air Force) and the National Aeronautics and Space Administration (NASA) to codify safety practices for ELVs. Those regulations reside in 14 CFR parts 415 and 417. The 2006 rule also codified safety responsibilities and requirements that applied to any licensed launch, regardless of whether the launch occurs from a Federal launch range or a non-Federal launch site. In developing the technical requirements, the FAA built on the safety success of Federal launch ranges and sought to achieve their same high level of safety by using Federal launch range practices as a basis for FAA regulations consistent with its authority. The regulations specified detailed processes, procedures, analyses, and general safety system design requirements. For safety-critical hardware and software, where necessary, the rule provided design and detailed test requirements. The FAA attempted to provide flexibility by allowing a launch operator the opportunity to demonstrate an alternative means of achieving an equivalent level of safety. 5. Evolution of Launch Vehicles and the Need for Updated and Streamlined Regulations Since 2006, the differences between ELVs and RLVs have blurred. Vehicles that utilize traditional flight safety systems now are partially reusable. For example, the Falcon 9 first stage, launched by Space Exploration Technologies Corporation (SpaceX), routinely returns to the launch site or lands on a barge, and other operators are developing launch vehicles with similar return and reuse capabilities. Although the reuse of safety critical systems or components can have public safety implications, labeling a launch vehicle as expendable or reusable has not impacted the primary approach necessary to protect public safety, certainly not to the extent suggested in the differences between part 431 and parts 415 and 417. Moreover, the regulations for ELV launches in parts 415 and 417 have proven to be too prescriptive and onesize-fits-all, and the significant detail has caused the regulations to become obsolete in many instances. For example, part 417 requires all launch operators to have at least 11 plans that define how launch processing and flight of a launch vehicle will be conducted, each with detailed requirements. This can lead an operator to produce PO 00000 Frm 00005 Fmt 4701 Sfmt 4702 15299 documents that are not necessary to conduct safe launch operations. In contrast, the regulations for RLV launches have proven to be too general, lacking regulatory clarity. For example, part 431 does not contain specificity regarding the qualification of flight safety systems, acceptable methods for flight safety analyses, and ground safety requirements. This lack of clarity can cause delays in the application process to allow for discussions between the FAA and the applicant. Operators frequently rely upon the requirements in part 417 to demonstrate compliance. Since 2015, the launch rate has only increased, from 9 licensed launches a year to 33 licensed launches in 2018. Beginning in 2016, the FAA developed a comprehensive strategy to consolidate and streamline the regulatory parts associated with commercial space launch and reentry operations and licensing of space vehicles. Actions by the National Space Council confirmed and accelerated FAA rulemaking plans regarding launch and reentry licenses. B. Licensing Process When it issues a license, the Act requires the FAA to do so consistent with public health and safety, safety of property, and national security and foreign policy interests of the United States.10 The FAA currently conducts its licensing application review in five component parts: Policy Review, Payload Review, Safety Review, Maximum Probable Loss Determination, and Environmental Review. The license application review is depicted in figure 1. A policy review, in consultation with other government agencies, determines whether the launch or reentry would jeopardize U.S. national security or foreign policy interests, or international obligations of the United States. A payload review, also in consultation with other government agencies, determines whether the launch or reentry of a payload would jeopardize public health and safety, safety of property, U.S. national security or the foreign policy interests, or international obligations of the United States. A safety review examines whether the launch or reentry would jeopardize public health and safety and safety of property, and typically is the most extensive part of FAA’s review. The Act also requires the FAA to determine financial responsibility of the licensee for third party liability and losses to U.S. Government property based on the maximum probable loss. Lastly, the National Environmental Policy Act requires the FAA to consider and 10 51 E:\FR\FM\15APP2.SGM U.S.C. 50905(a). 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules document the potential environmental effects associated with issuing a launch or reentry license. effects associated with issuing a launch or reentry license. This proposal would not alter this 5pronged approach to licensing. Although the FAA usually evaluates components concurrently, as noted later in this preamble, the FAA may make separate determinations after considering the interrelationship between the components. For instance, this proposal would allow an applicant to apply for a Safety Review component in an incremental manner. This preamble will discuss the proposed incremental review process in further detail later. Intelligence, and the NASA Administrator. On June 30, 2017, President Donald J. Trump signed Executive Order 13803, which reestablished the National Space Council to provide a coordinated process for developing and monitoring the implementation of national space policy and strategy. The newlyreinstituted body met for the first time on October 5, 2017. As Chair of the Council, the Vice President directed the Secretaries of Transportation and Commerce, and the Director of the Office of Management and Budget, to conduct a review of the U.S. regulatory framework for commercial space activities and report back within 45 days with a plan to remove barriers to commercial space enterprises. The assigned reports and recommendations for regulatory streamlining were presented at the second convening of the National Space Council on February 21, 2018. The Council approved four recommendations, including DOT’s recommendation that the launch and reentry regulations should be reformed into a consolidated, performance-based licensing regime. On May 24, 2018, the Council memorialized its recommendations in SPD–2. SPD–2 instructed the Secretary of Transportation to publish for notice amozie on DSK9F9SC42PROD with PROPOSALS2 C. National Space Council The National Space Council was established by President George H.W. Bush on April 20, 1989 by Executive Order 12675 to have oversight of U.S. national space policy and its implementation. Chaired by Vice President Dan Quayle until its disbanding in 1993, the first National Space Council consisted of the Secretaries of State, Treasury, Defense, Commerce, Transportation, Energy, the Director of the Office of Management and Budget, the Chief of Staff to the President, the Assistant to the President for National Security Affairs, the Assistant to the President for Science and Technology, the Director of Central VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 PO 00000 Frm 00006 Fmt 4701 Sfmt 4702 and comment proposed rules rescinding or revising the launch and reentry licensing regulations, no later than February 1, 2019. SPD–2 charged the Department with revising the regulations such that they would require a single license for all types of commercial space flight operations and replace prescriptive requirements with performance-based criteria. SPD–2 further commended the Secretary to coordinate with the members of the National Space Council, especially the Secretary of Defense and the NASA Administrator, to minimize requirements associated with commercial space flight launch and reentry operations from Federal launch ranges as appropriate. D. Streamlined Launch and Reentry Licensing Requirements Aviation Rulemaking Committee On March 8, 2018, the FAA chartered the Streamlined Launch and Reentry Licensing Requirements Aviation Rulemaking Committee (ARC) to provide a forum to discuss regulations to set forth procedures and requirements for commercial space transportation launch and reentry licensing. The FAA tasked the ARC to develop recommendations for a performancebased regulatory approach in which the E:\FR\FM\15APP2.SGM 15APP2 EP15AP19.000</GPH> 15300 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules regulations set forth the safety objectives to be achieved while providing the applicant with the flexibility to produce tailored and innovative means of compliance. The ARC’s membership represented a broad range of stakeholder perspectives, including members from aviation and space communities. The ARC was supported by the FAA and other federal agency subject matter experts. The following table identifies ARC participants from the private sector: amozie on DSK9F9SC42PROD with PROPOSALS2 Aerospace industries association. Airlines for America. Alaska Aerospace Corporation. Astra Space. Blue Origin. Boeing. Coalition for Deep Space Exploration. Commercial Spaceflight Federation. Exos Aerospace Systems & Technologies, Inc. Generation Orbit. Lockheed Martin Corporation. MLA Space, LLC. Mojave air and spaceport. Orbital ATK. RocketLab. Sierra Nevada Corp. Spaceport America. SpaceX. Space Florida. Stratolaunch. United Launch Alliance. Vector Launch, Inc. Virgin Galactic/Virgin Orbit. World View Enterprises. On April 30, 2018, the ARC produced its final recommendation report, which has been placed in the docket to this rulemaking.11 The ARC recommended that the proposed regulations should— 1. Be performance-based, primarily based upon the ability of the applicant to comply with expected casualty limits. 2. Be flexible. i. Adopt a single license structure to accommodate a variety of vehicle types and operations and launch or reentry sites. ii. Allow for coordinated determination of applicable regulations prior to the application submission. iii. Develop regulations that can be met without waivers. iv. Use guidance documents to facilitate frequent updates. 3. Reform the pre-application consultation process and requirements. i. Use ‘‘complete enough’’ as the real criterion for entering application evaluation and remove the requirement for pre-application consultation. ii. Use a level-of-rigor approach to scope an applicant-requested pre11 Streamlined Launch and Reentry Licensing Requirements ARC, Recommendations Final Report (April 30, 2008). The ARC Report is available for reference in the docket for this proposed rule. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 application consultation process as the basis for a ‘‘complete enough’’ determination, considering both an applicant’s prior experience and whether the subject vehicle is known or unknown. 4. Contain defined review timelines. i. Support significantly-reduced timelines and more efficient review. ii. Increase predictability for industry. iii. Create reduced review timelines for both new and continuing accuracy submissions. 5. Contain continuing accuracy requirements. Continuing accuracy submissions should be based upon impact to public safety as measured by the Expected Casualty (EC). 6. Limit FAA jurisdiction. i. Limit FAA jurisdiction to activities so publicly hazardous as to warrant FAA-oversight. ii. Identify well-defined inspection criteria. 7. Eliminate duplicative jurisdiction on Federal launch ranges. The FAA will address these recommendations in more detail throughout the remainder of this document. During the course of the ARC, volunteer industry members formed a Task Group to provide draft regulatory text reflecting proposed revisions to the commercial space transportation regulations. The volunteer industry members of the Task Group were Blue Origin, Sierra Nevada Corporation, Space Florida, and SpaceX. The majority of the ARC opposed the formation of this Task Group and disagreed with including the proposed regulatory text into the ARC’s recommendation report. The FAA will not specifically address the proposed regulatory text in this document because it did not receive broad consensus within the ARC. III. Discussion of the Proposal A. The FAA’s Approach To Updating and Streamlining Launch and Reentry Regulations The FAA’s approach to meeting SPD– 2’s mandate is to consolidate, update, and streamline all launch and reentry regulations into a single performancebased part. Pursuant to SPD–2, and in the interest of updating the FAA’s regulations to reflect the current commercial space industry, the FAA proposes to consolidate requirements for the launch and reentry of ELVs, RLVs, and reentry vehicles other than an RLV.12 The FAA would also update a number of safety provisions, including 12 These requirements currently appear in parts 415, 417, 431, and 435. PO 00000 Frm 00007 Fmt 4701 Sfmt 4702 15301 areas such as software safety and flight safety analyses (FSA), to reflect recent advancements. Finally, the FAA proposes to streamline its regulations by designing them to be flexible and scalable, to reduce timelines, to remove or minimize duplicative jurisdiction, and to limit FAA jurisdiction over ground safety to operations that are hazardous to the public. This streamlining was the focus of the ARC. The FAA proposal would follow the ARC recommendations to enable greater regulatory flexibility. First, the proposed rule would be primarily performancebased, codifying performance standards and relying on FAA guidance or other standards to provide acceptable means of compliance. This would allow the regulations to better adapt to advancements in the industry. Second, the FAA proposes to change the structure of its launch and reentry license to be more flexible in the number and types of launches and reentries one license can accommodate. Third, as the ARC suggested, system safety principles would be prominent. All applicants would need to comply with core system safety management principles and conduct a preliminary safety assessment. Some applicants may also be required to use a flight hazard analysis to derive hazard controls particular to their operation. Lastly, for any particular requirement, the FAA would maintain the ability for an applicant or operator to propose an alternative approach for compliance, and then clearly demonstrate that the alternative approach would provide an equivalent level of safety to the requirement. The ARC recommended that the level of rigor of an applicant’s safety demonstration vary based on vehicle history, company history, and the relative risk of the launch or reentry. It also recommended that the FAA not always require a flight safety system. The FAA recognizes that different operations require different levels of rigor, and is proposing a more scalable regulatory regime. Given performancebased regulations are inherently scalable, the FAA proposal is consistent with the ARC recommendation, even though it does not explicitly account for vehicle or operator history as a means of scaling requirements. In addition to performance-based requirements, this proposal would implement a specific level-of-rigor approach to ensure safety requirements are proportionate to the public safety risk in the need for a flight safety system and its required E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15302 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules reliability, in flight safety analysis,13 and in software safety. These are all discussed in greater detail later in this preamble. Because the rulemaking process is time-consuming and labor intensive, the FAA seeks to minimize the need for regulatory updates to proposed part 450 through the proposed performancebased regulations which would allow for a variety of FAA-approved means of compliance. Approving new means of compliance creates flexibility for operators without reducing safety. Additionally, approving new means of compliance is easier to accomplish than updating regulatory standards through the rulemaking process. Thus, the proposed regulatory scheme would be more adaptable to the fast-evolving commercial space industry. The ARC recommended that the FAA should design a modular approach to application submittal and evaluation and significantly reduce FAA review timelines. This proposal would allow an applicant to apply for a license in an incremental manner,14 to be developed on a case-by-case basis during preapplication consultation. Most timelines in the proposal would have a default value, followed by an option for the FAA to agree to a different time frame, taking into account the complexity of the request and whether it would allow sufficient time for the FAA to conduct its review and make its requisite findings. Lastly, the FAA proposes to make it easier for a launch or reentry operator to obtain a safety element approval, which would reduce the time and effort of an experienced operator in a future license application. Although these provisions should reduce the time for experienced operators, the FAA does not propose to reduce by regulation the statutory review period of 180 days to make a decision on a license application. It might be useful to provide some perspective concerning the time the FAA actually takes to make license determinations. The average of the last ten new license determinations through calendar year 2018 was 141 days; the median was 167 days. The FAA strives to expedite determinations when possible to accommodate launch schedules. In three of these ten, the FAA made determinations in 54, 73, and 77 days, all without tolling. Three determinations were tolled for 73, 77, and 171 days. The lengthy tolling was 13 For flight safety analyses, various levels of rigor would be outlined in ACs. 14 In this rulemaking, the term ‘‘incremental’’ would be synonymous with the ARC’s proposed term of ‘‘modular.’’ VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 the result of a software issue concerning a flight safety system that the applicant needed to resolve. To our knowledge, a launch has never been delayed as a result of the time it took the FAA to make a license determinations. The ARC recommended that the FAA propose rules that eliminate duplicative U.S. Government requirements when an operator conducts operations at a Federal launch range. The FAA’s proposal would allow for varying levels of Federal launch range involvement, including a single FAA authorization. It would also minimize duplicative work by a launch or reentry operator. This issue is discussed in more detail later in this preamble. Also, the ARC recommended that the FAA limit its jurisdiction over ground operations to activities so publicly hazardous as to warrant the FAA’s oversight. This proposal would scope ground activities overseen by FAA to each operation. It would also permit neighboring operations personnel to be present during launch activities in certain circumstances. The ARC also recommended that the FAA require the pre-application process only for new operators or new vehicle programs, and that pre-application occur at the operator’s discretion for all other operations.15 The FAA proposes to retain the requirement for preapplication consultation because of the various flexibilities proposed in this rule. These include incremental review, timelines, and the performance-based nature of many of the regulatory requirements. Pre-application consultation would assist operators with the licensing process and accommodate all operators, including those that choose to avail themselves of the flexibilities provided in this proposal. The FAA acknowledges, however, that pre-application consultation can be minimal for operators experienced with FAA requirements. In such cases, consultation may consist of a telephone conversation. B. Single Vehicle Operator License As part of its streamlining effort, the FAA proposes in § 450.3 (Scope of Vehicle Operator License) to establish one license, a vehicle operator license, for commercial launch and reentry activity. A vehicle operator license would authorize a licensee to conduct one or more launches or reentries using the same vehicle or family of vehicles and would specify whether it covers launch, reentry, or launch and reentry. The FAA would eliminate the current limitation in § 415.3 specifying a launch 15 ARC PO 00000 Report at p. 23. Frm 00008 Fmt 4701 Sfmt 4702 license covers only one launch site, and would eliminate the designations of launch-specific license and launch operator license, mission-specific license and operator license, and reentry-specific license and reentryoperator license. The proposal would also allow the FAA to scope the duration of the license to the operation. Although the FAA has not defined a ‘‘family of vehicles,’’ launch operators often do so themselves. Usually, the vehicles share a common core, i.e., the booster and upper stage. Sometimes multiple boosters are attached together to form a larger booster. Historically, solid rocket motors have been attached to core boosters to enhance capability. There has never been an issue concerning what operators and the FAA consider to be members of the same family. It is merely a convenient way to structure licenses. SPD–2 directed the DOT to revise the current launch and reentry licensing regulations with special consideration to requiring a single license for all types of commercial launch and reentry operations. Similarly, the ARC recommended that the FAA adopt a single license structure to accommodate a variety of vehicle types, operations, and launch and reentry sites. In accordance with these recommendations, the FAA proposes a single vehicle operator license that could be scoped to the operation. In order to accommodate the increasingly similar characteristics of some ELVs and RLVs, as well as future concepts, these proposed regulations would no longer distinguish between ELVs and RLVs. Rather, this proposal would consolidate the licensing requirements for all commercial launch and reentry activities under one part, and applicants would apply for the same type of license. In addition to accommodating different vehicles and types of operations, this proposal would allow launches or reentries under a single vehicle operator license from or to multiple sites. Under the current regulations, in order for an operator to benefit from using multiple sites for launches authorized by a part 415 license, the operator must apply for a new license.16 This process is unnecessarily burdensome. This 16 For example, in 2018, a launch operator held a launch license under part 415 that authorized it to launch from Kennedy Space Center (KSC) in Florida; however, the operator contemplated launching from a nearby launch site, Cape Canaveral Air Force Station (CCAFS). Under current part 415, in order to launch from CCAFS instead of KSC, the operator has to file a separate application for a license to launch from CCAFS. E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules proposed change would facilitate the application process because an operator would no longer be required to apply for a separate license to launch or reenter from a launch site other than that specified by the license. In order to apply for a license that includes multiple sites, an applicant would need to provide the FAA with application materials that would allow the FAA to conduct separate reviews for each site to determine, for example: Maximum probable loss required by part 440; public risk to populated areas, aircraft, and waterborne vessels; and the environmental impacts associated with proposed launches or reentries. The FAA foresees that a license that authorizes launches or reentries at more than one site would make it administratively easier for an operator to change sites for a particular operation. For example, an operator could move a launch from one site to another due to launch facility availability. A launch might move from CCAFS to KSC. Additionally, FAA foresees multiple sites will be utilized by operators of hybrid vehicles at launch sites with runways as well as vehicles supporting operationally responsive space missions such as DARPA Launch Challenge. Under this proposed licensing regime, an applicant should be prepared to discuss its intent to conduct activity from multiple sites during pre-application consultation. This discussion would give both the applicant and the agency an opportunity to scope the application and identify any potential issues early on when changes to the application or proposed licensed activities would be less likely to cause additional issues or significant delays. The launch operator would not need to specify the specific launches that would be planned for each site. The FAA would continue its current practice for operator licenses of requiring a demonstration that a proposed range of activities, not every trajectory variation within that range, can be safely conducted in order to scope the license. The license would not need to be modified unless the proposed operation fell outside the authorized range. The FAA further notes that under § 413.11, after an initial screening the FAA determines whether an application is complete enough to begin its review. If an application that includes multiple launch sites is complete enough for the FAA to accept it and begin its review, the 180-day review period under § 413.15(a) would begin. However, if during the FAA’s initial review it determines that an application is sufficiently complete to make a license determination for at least one launch VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 site but not all launch sites included in the application, the FAA would have the option to toll the review period, as provided in § 413.15(b). Alternatively, the FAA could continue its review of the part of the application with complete enough information and toll the portion involving any launch site with insufficient information to make a licensing determination. In either case, the FAA would notify the applicant as required by § 413.15(c). Finally, the FAA proposes a more flexible approach to the duration of a vehicle operator license under § 450.7 (Duration of a Vehicle Operator License). Specifically, the FAA would determine, based on information received from an applicant, the appropriate duration of the license, not to exceed five years. In making this determination, the FAA would continue its current practice of setting the duration of a license for specified launches to be approximately one year after the expected date of the activity. Currently, a launch-specific license expires upon completion of all launches authorized by the license or the expiration date stated in the license, whichever occurs first. An operator license remains in effect for two years for an RLV and five years for an ELV from the date of issuance. The FAA considered setting all license durations to five years, but rejected this option to allow an applicant to obtain a license for a limited specific activity rather than for a more general range of activities. An applicant may prefer a shorter license duration for a specific activity because a licensee has obligations under an FAA license, such as the requirements to demonstrate financial responsibility and allow access to FAA safety inspectors, and a shorter license duration would relieve an applicant of compliance with these requirements after the activity has ended. Unless an operator requests an operator license, currently good for either two or five years, the operator does not typically request a license duration. The FAA initially sets the duration to encompass the authorized activity. The FAA plans to continue its current practice of extending licenses through renewals or modifications to accommodate delays in authorized launches or reentries. C. Performance-Based Requirements and Means of Compliance SPD–2 directs the FAA to consider replacing prescriptive requirements in the commercial space flight launch and reentry licensing process with performance-based criteria. The ARC echoed the SPD–2 recommendation for performance-based requirements that PO 00000 Frm 00009 Fmt 4701 Sfmt 4702 15303 allowed varying means of compliance proposed by the operator.17 In response to SPD–2 and the ARC recommendations, the FAA is proposing to replace many of the prescriptive licensing requirements with performance-based requirements. These performance-based requirements would provide flexibility, scalability, and adaptability as discussed in the introduction. An operator would be able to use an acceptable means of compliance to demonstrate compliance with the requirements. Currently, the FAA uses both prescriptive and performance-based requirements for launches and reentries respectively.18 Parts 415 and 417 provide detailed prescriptive requirements for ELVs. Although these requirements provide regulatory certainty, they have proven inflexible. As the industry grows and innovates, ELV operators have identified alternate ways of operating safely that do not comply with the regulations as written. This has forced operators to request waivers or equivalent-level-of safetydeterminations (ELOS determinations), often close to scheduled launch dates. On the other hand, the performancebased regulations in parts 431 and 435 lack the detail to efficiently guide operators through the FAA’s regulatory regime. Indeed, the FAA often fills these regulatory gaps by adopting part 417 requirements in practice. The process of adding regulatory certainty to these performance-based regulations by adopting part 417 requirements has been frustrating and contentious for both operators and the FAA. Adopting performance-based requirements that allow operators to use an acceptable means of compliance would decrease the need for waivers or ELOS determinations to address new technology advancements. An acceptable means of compliance is one means, but not the only means, by which a requirement could be met. The FAA would set the safety standard in regulations and identify any acceptable means of compliance currently available. The FAA would provide public notice of each means of compliance that the Administrator has accepted by publishing the acceptance 17 ARC Report, at p. 7. 415 and 417, and their associated appendices, provide primarily prescriptive requirements for licensing and launch of an ELV. Part 431 provides primarily performance- and process-based requirements for a launch and reentry of a reusable launch vehicle. Part 435 provides similar requirements to part 431 for the reentry of a reentry vehicle other than a reusable launch vehicle. Parts 431 and 435 rely on a system safety process performed by an operator in order to demonstrate adequate safety of the operation. 18 Parts E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15304 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules on its website, for example. This notification would communicate to the public and the industry that the FAA has accepted a means of compliance or any revision to an existing means of compliance. A consensus standards body, any individual, or any organization would be able to submit means of compliance documentation to the FAA for consideration and potential acceptance. An operator could also develop its own means of compliance to demonstrate it met the safety standard. Once the Administrator has accepted a means of compliance for that operator, the operator could use it in future license applications. The FAA would not provide public notice of individual operator-developed means of compliance. If any information submitted to the FAA as part of a means of compliance for acceptance is proprietary, it would be afforded the same protections as are applied today to license applications submitted under § 413.9. For five of the proposed requirements, an operator would have to demonstrate compliance using a means of compliance that has been approved by the FAA before an operator could use it in a license application. These five requirements are flight safety systems (proposed § 450.145), FSA methods (proposed § 450.115), lightning flight commit criteria (proposed § 450.163(a)), and airborne toxic concentration and duration thresholds (proposed §§ 450.139 and 450.187). The FAA has developed Advisory Circulars (ACs) or identified government standards that discuss an acceptable means of compliance for each of these requirements, and has placed these documents in the docket for the public’s review and comment. If an operator wishes to use a means of compliance not previously accepted by the FAA to demonstrate compliance with one of the five requirements, the FAA would have to review and accept it prior to an operator using that means of compliance to satisfy a licensing requirement. If an operator is interested in applying for the acceptance of a unique means of compliance, it should submit any data or documentation to the FAA necessary to demonstrate that the means of compliance satisfies the safety requirements established in the regulation. An operator should note that the FAA will take into account such factors as complexity of the means of compliance; whether the means of compliance is an industry, government, or voluntary consensus standard; and whether the means of compliance has been peer-reviewed during its review VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 and determination. These factors may affect how quickly the FAA is able to review and make a determination. The time could range from a few days to many weeks. Although applying for the acceptance of a new means of compliance may take time, once an operator’s unique means of compliance is accepted by the FAA, the operator can use it in future license applications. The FAA also anticipates that this process will result in flexibility for industry and will encourage innovation as industry and consensus standards bodies 19 develop multiple ways for an operator to meet the requisite safety standards. The FAA believes this is the best approach to enabling new ways of achieving acceptable levels of safety through industry innovation, and seeks public comment on whether this approach may induce additional innovation through industry-developed consensus standards. D. Launch From a Federal Launch Range Both industry and the National Space Council have urged government agencies involved in the launch and reentry of vehicles by commercial operators to work towards common standards and to remove duplicative oversight. The ARC recommended an end goal of either exclusive FAA jurisdiction over commercial launches at a range, or a range adopting the same flight safety regulations used by the FAA. SPD–2 directed the Secretary of Defense, the Secretary of Transportation, and the NASA Administrator to coordinate to examine all existing U.S. Government requirements, standards, and policies associated with commercial space flight launch and reentry operations from Federal launch ranges and minimize those requirements, except those necessary to protect public safety and national security, that would conflict with the efforts of the Secretary of 19 The FAA intends to rely increasingly on voluntary consensus standards as means of compliance. Section 12(d) of the National Technology Advancement Act (Pub. L. 104–113; 15 U.S.C. 3701, et seq.) directs federal agencies to use voluntary consensus standards in lieu of government-unique standards except where inconsistent with law or otherwise impractical. Because voluntary consensus bodies are made up of a wide selection of industry participants, and often also include FAA participation, the FAA expects its review of a means of compliance developed by a voluntary consensus standards body would be more expeditious than a custom means of compliance. Unlike means of compliance developed by a voluntary consensus standards body, a custom means of compliance would not be subject to peer review or independent review of the viability of the technical approach. PO 00000 Frm 00010 Fmt 4701 Sfmt 4702 Transportation in implementing the Secretary’s responsibilities to review and revise its launch and reentry regulations.20 Most recently, the John S. McCain National Defense Authorization Act for Fiscal Year 2019 includes a provision stating that the Secretary of Defense may not impose any requirement on a licensee or transferee that is duplicative of, or overlaps in intent with, any requirement imposed by the Secretary of Transportation under 51 U.S.C. chapter 509, unless imposing such a requirement is necessary to avoid negative consequences for the national security space program.21 Currently, the FAA issues a safety approval to a license applicant proposing to launch from a Federal launch range if the applicant satisfies the requirements of part 415, subpart C, and has contracted with the range for the provision of safety-related launch services and property, as long as an FAA Launch Site Safety Assessment (LSSA) 22 shows that the range’s launch services and launch property satisfy part 417. The FAA assesses each range and determines if the range meets FAA safety requirements. If the FAA assessed a range, through its LSSA, and found that an applicable range safety-related launch service or property satisfies FAA requirements, then the FAA treats the range’s launch service or property as that of a launch operator’s, and there is no need for further demonstration of compliance to the FAA. The FAA reassesses a range’s practices only when the range chooses to change its practice. The ARC recommended that ranges and the FAA have common flight safety regulations and guidance documents. To address this recommendation, the FAA proposes performance-based requirements for both ground and flight safety that an operator could meet using Air Force and NASA practices as a means of compliance. The FAA expects that there will be few, if any, instances where Air Force or NASA practices do not satisfy the proposed performancebased requirements. Additionally, the proposed requirements should provide enough flexibility to accommodate changes in Air Force and NASA practices in the future. The FAA expects that range services that a range applies to U.S. Government launches and 20 SPD–2; May 24, 2018 (https:// www.whitehouse.gov/presidential-actions/spacepolicy-directive-2-streamlining-regulationscommercial-use-space). 21 Section 1606(2)(A), John S. McCain National Defense Authorization Act for Fiscal Year 2019, Public Law 115–232 (amending 51 U.S.C. 50918 note). 22 LSSA is an FAA evaluation of Federal range services and launch property. E:\FR\FM\15APP2.SGM 15APP2 to eliminate duplicative approvals. Instead, the FAA will continue to work with the appropriate agencies to streamline commercial launch and reentry requirements at ranges and Federal facilities by leveraging the Common Standards Working Group (CSWG).23 15305 reentries will almost invariably satisfy the FAA’s proposed requirements. The FAA currently accepts flight safety analyses performed by Air Force on behalf of an operator without additional analysis and anticipates that it would give similar deference to other analyses by federal agencies once it established that they meet FAA requirements. The FAA developed this approach to reduce operator burden to the largest extent possible. The FAA is bound to execute its statutory mandates and may do so only to the extent authorized by those statutes. Although federal entities often have complimentary mandates and statutory authorities, they are rarely identical. That is, each federal department or agency has been given separate mission. Federal entities establish interagency processes to manage closely related functions in as smoothly and least burdensome manner possible. Coordinating FAA requirements, range practices, and those practices implemented at other Federal facilities is largely an interagency issue, this proposal does not include language E. Safety Framework In addition to proposing a single vehicle operator license and replacing prescriptive requirements with performance-based requirements, this rule would rely on a safety framework that provides the flexibility needed to accommodate current and future operations and the regulatory certainty lacking in some of the current regulations. This proposal would consolidate the launch and reentry safety requirements in subpart C. Figure 2 depicts the safety framework on which the FAA relied in developing its proposed safety requirements. In developing this framework, the FAA considered following the approach taken in parts 431 and 435 and relying almost exclusively on a robust systems safety approach. As noted earlier, experience has shown that part 431 does not offer enough specificity and, as a result, it has been unclear to operators what safety measures the FAA requires to achieve an acceptable level of safety. In particular, there are no explicit requirements for ground safety, flight safety analysis, or flight safety systems. On the other hand, part 417 is too prescriptive, particularly regarding design and detailed procedural requirements for ground safety, detailed design and test requirements for flight safety systems, and numerous plans that placed needless burden on operators and impeded innovation. Thus, the framework described below is designed to strike a balance between these two parts. The proposed regulations clearly lay out FAA expectations, but should provide a launch or reentry operator with flexibility on how it achieves acceptable public safety. The framework also seeks to allow operators that wish to conduct operations using proven hazard control strategies to do so. System Safety Program. All operators would be required to have a system safety program that would establish system safety management principles for both ground and flight safety throughout the operational lifecycle of a launch or reentry system. The system safety program would include a safety organization, procedures, configuration control, and post-flight data review. Preliminary Flight Safety Assessment. For flight safety, an operator would conduct a preliminary flight safety assessment to identify public hazards and determine the appropriate hazard control strategy for a phase of flight or an entire flight. An operator could use traditional hazard controls such as physical containment, wind weighting, or flight abort to mitigate hazards. Physical containment is when a launch vehicle does not have sufficient energy for any hazards associated with its flight to reach the public or critical assets. 23 The CSWG consists of range safety personnel from the Air Force and NASA, and was chartered in the early 2000’s to develop and maintain common launch safety standards among agencies. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 PO 00000 Frm 00011 Fmt 4701 Sfmt 4702 E:\FR\FM\15APP2.SGM 15APP2 EP15AP19.001</GPH> amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules 15306 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 Wind weighting is when the operator of an unguided suborbital launch vehicle adjusts launcher azimuth and elevation settings to correct for the effects of wind conditions at the time of flight to provide a safe impact location for the launch vehicle or its components. Flight Abort is the process to limit or restrict the hazards to public health and safety and the safety of property presented by a launch vehicle or reentry vehicle, including any payload, while in flight by initiating and accomplishing a controlled ending to vehicle flight. Flight abort as a hazard control strategy would be required for a phase of flight that is shown by a consequence analysis to potentially have significant public safety impacts. Otherwise, an operator would be able to bypass these traditional hazard control strategies and conduct a flight hazard analysis. Flight Hazard Analysis. As an alternative to traditional hazard control measures, an operator would be able to conduct a flight hazard analysis to derive hazard controls. Hazard analysis is a proven engineering discipline that, when applied during system development and throughout the system’s lifecycle, identifies and mitigates hazards and, in so doing, eliminates or reduces the risk of potential mishaps and accidents. In addition, a separate hazard analysis methodology is outlined for computing systems and software. Flight Safety Analysis. Regardless of the hazard control strategy chosen or mandated, an operator would be required to conduct a number of flight safety analyses. At a minimum, these analyses would quantitatively demonstrate that a launch or reentry meets the public safety criteria for debris, far-field overpressure, and toxic hazards. Other analyses support flight abort and wind weighting hazard control strategies and determine flight hazard areas.24 For a detailed discussion, please see the ‘‘Additional Technical Justification and Rationale’’ discussion later in the preamble. Derived Hazard Controls. An operator would derive a number of hazard controls through its conduct of a flight hazard analysis and flight safety analyses. Prescribed Hazard Controls. Regardless of the hazard controls 24 Note that flight hazard analysis and flight safety analysis are interdependent in that each can help inform the other. Flight safety analysis quantifies the risks posed by hazards, which are typically identified and mitigated during the flight hazard analysis, by using physics to model how the vehicle will respond to specific failure modes. The FSA is also useful to define when operational restrictions are necessary to meet quantitative risk requirements. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 derived from a flight hazard analysis and flight safety analyses, the FAA would require a number of other hazard controls that have historically been necessary to achieve acceptable public safety. These include requirements for flight safety and other safety critical systems, agreements, safety-critical personnel qualifications, crew rest, radio frequency management, readiness, communications, preflight procedures, surveillance and publication of hazard areas, lightning hazard mitigation, flight safety rules, tracking, collision avoidance, safety at the end of launch, and mishap planning. Acceptable Flight Safety. All elements of the safety framework combine to provide acceptable public safety during flight. In proposed § 450.101 (Public Safety Criteria), the FAA would outline specific public safety criteria to clearly define how safe is safe enough. Section 450.101 is discussed in detail later in this preamble. Ground Safety. With respect to ground safety, an operator would conduct a ground hazard analysis to derive ground hazard controls. Those, along with prescribed hazard controls, would provide acceptable public safety during ground operations. Flight Safety A. Public Safety Criteria Proposed § 450.101 would consolidate all public safety criteria for flight into one section. It would contain the core performance-based safety requirements to protect people and property on land, at sea, in the air, and in space. All other flight safety requirements in proposed part 450 subpart C would support the achievement of these criteria. The § 450.101 requirements would define how safe is safe enough for the flight of a commercial launch or reentry vehicle. Proposed § 450.101(a) contains launch risk criteria, or the risk thresholds an operator may not exceed during flight. An operator would be permitted to initiate the flight of a launch vehicle only if the collective, individual, aircraft, and critical asset risk satisfy the proposed criteria. The criteria would apply to every launch from liftoff through orbital insertion for an orbital launch, and through final impact or landing for a suborbital launch, which is the same scope used for current launch risk criteria in parts 417 and 431. Each measure of risk serves a different purpose. Collective risk addresses the risk to a population as a whole, whereas individual risk addresses the risk to each person within a population. The measure of aircraft risk is unique, due to the difficulty of modeling collective PO 00000 Frm 00012 Fmt 4701 Sfmt 4702 and individual risk for aircraft in flight. Lastly, critical asset risk addresses the loss of functionality of an asset that is essential to the national interests of the United States. Critical assets include property, facilities, or infrastructure necessary to maintain national defense, or assured access to space for national priority missions. Proposed § 450.101(a)(1) would establish the collective risk criteria for flight, measured by expected casualties (EC). The proposal would define EC as the mean number of casualties predicted to occur per flight operation if the operation were repeated many times. The term casualties refers to serious injuries or worse, including fatalities. It would require the risk to all members of the public, excluding persons in aircraft and neighboring operations personnel, to not exceed an expected number of 1 × 10¥4 casualties, posed by impacting inert and explosive debris, toxic release, and far field blast overpressure.25 With two exceptions, this is the same criteria currently used in §§ 417.107(b)(1) and 431.35(b)(1)(i). The first exception applies to people on waterborne vessels, who would now be included in the collective risk criteria to all members of the public. The second exception applies to neighboring operations personnel. This proposal would require the risk to all neighboring operations personnel not exceed an expected number of 2 × 10¥4 casualties. Both of these topics are discussed separately later in this preamble. Proposed § 450.101(a)(2) would establish the individual risk criteria for flight, measured by probability of casualty (PC). The proposal would define PC as the likelihood that a person will suffer a serious injury or worse, including a fatal injury, due to all hazards from an operation at a specific location. It would require the risk to any individual member of the public, excluding neighboring operations personnel, to not exceed a PC of 1 × 10¥6 per launch, posed by impacting inert and explosive debris, toxic release, and far field blast overpressure. With one exception, this is the same criteria currently in §§ 417.107(b)(2) and 431.35(b)(1)(iii). The exception is neighboring operations personnel would have separate individual risk criteria, which is discussed later in this preamble. Proposed § 450.101(a)(3) would set aircraft risk criteria for flight. It would 25 Far field blast overpressure is a phenomenon resulting from the air blast effects of large explosions that may be focused by certain conditions in the atmosphere through which the blast waves propagate. Population may be at risk from broken window glass shards. E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules require a launch operator to establish any aircraft hazard areas necessary to ensure the probability of impact with debris capable of causing a casualty for aircraft does not exceed 1 × 10¥6. This is the same requirement as current § 417.107(b)(4). Part 431 does not have aircraft risk criteria, although the FAA’s current practice is to use the part 417 criteria for launches licensed under part 431. With this proposal, the FAA would expressly apply this criterion to all launches. The FAA does not propose any other changes for the protection of aircraft at this time. The FAA has an ongoing Airspace Access ARC, composed of commercial space transportation and aviation industry representatives, whose recommendations may inform a future rulemaking on protection of aircraft. Proposed § 450.101(a)(4) would set the launch risk criteria for critical assets. It would require the probability of loss of functionality for each critical asset to not exceed 1 × 10¥3, or some other more stringent probability if deemed necessary to protect the national security interests of the United States. This would be a new requirement and is discussed separately later in this preamble. Proposed § 450.101(b) would define risk criteria for reentry. These would be the same as the risk criteria for launch, except that the proposed criteria would apply to each reentry, from the final health check prior to the deorbit burn through final impact or landing. The same discussion earlier regarding collective risk, individual risk, aircraft risk, and risk to critical assets would apply to the reentry risk criteria. Proposed § 450.101(c) would set the flight abort criteria for both launch and reentry. It represents the most significant change to public safety criteria in this proposed rule. It would require that an operator use flight abort as a hazard control strategy if the consequence of any reasonably foreseeable vehicle response mode,26 in any one-second period of flight, is greater than 1 × 10¥3 conditional expected casualties (CEC) for uncontrolled areas.27 CEC is the consequence, measured in terms of EC, without regard to the probability of failure, and will be discussed in the Consequence Protection Criteria for Flight Abort and Flight Safety System 26 Vehicle response mode means a mutually exclusive scenario that characterizes foreseeable combinations of vehicle trajectory and debris generation. 27 Uncontrolled Area is an area of land not controlled by a launch or reentry operator, a launch or reentry site operator, an adjacent site operator, or other entity by agreement. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 section. Flight abort with the use of an FSS and applying the CEC criteria in proposed part 450 is discussed later in this preamble. Proposed § 450.101(c) would apply to all phases of flight, unless otherwise agreed to by the FAA based on the demonstrated reliability of the launch or reentry vehicle during that phase of flight. The flight of a certificated aircraft that is carrying a rocket to a drop point is an example of when the use of an FSS would likely not be necessary even though the CEC could be above the threshold, because the aircraft would have a demonstrated high reliability. Proposed § 450.101(d) would establish disposal 28 safety criteria. It would require that an operator conducting a disposal of a vehicle stage or component from Earth orbit either meet the criteria of § 450.101(b)(1), (2), and (3), or target a broad ocean area. Because a launch vehicle stage or component will not survive a disposal substantially intact, disposal is not considered a reentry.29 Disposal is an effective method of orbital debris prevention because it eliminates the vehicle stage or component as a piece of orbital debris and as a risk for future debris creation through collision. The FAA is not proposing to require that a launch operator dispose of any upper stage or component in this rulemaking. The current proposal would only apply if a launch operator chooses to dispose of its upper stage or other launch vehicle component. Although an operator could choose to demonstrate that the proposed collective and individual risk criteria are met for a disposal, the FAA expects most, if not all, disposals to target a broad ocean area.30 This is consistent with current practice and NASA Technical Standards.31 Because the broad ocean 28 The FAA proposes to define ‘‘disposal’’ in § 401.5 to mean the return or attempt to return, purposefully, a launch vehicle stage or component, not including a reentry vehicle, from Earth orbit to Earth, in a controlled manner. The proposed definition is discussed later in this preamble. 29 A ‘‘reentry’’ is defined in 51 U.S.C. 50902, as ‘‘to return or attempt to return, purposefully, a reentry vehicle and its payload or human beings, if any, from Earth orbit or from outer space to Earth.’’ A ‘‘reentry vehicle’’ is defined as ‘‘a vehicle designed to return from Earth orbit or outer space to Earth, or a reusable launch vehicle designed to return from Earth orbit or outer space to Earth, substantially intact.’’ 30 A disposal that ‘‘targets a broad ocean area’’ would wholly contain the disposal hazard area within a broad ocean area. 31 NASA–STD–8715.14A, paragraph 4.7.2.1.b, states, ‘‘For controlled reentry, the selected trajectory shall ensure that no surviving debris impact with a kinetic energy greater than 15 joules is closer than 370 km from foreign landmasses, or is within 50 km from the continental U.S., territories of the U.S., and the permanent ice pack of Antarctica.’’ PO 00000 Frm 00013 Fmt 4701 Sfmt 4702 15307 area has such a low density of people that are exposed almost exclusively in large waterborne vessels, objects that survive reentry to impact in these areas produce an insignificant PC. Therefore, operators disposing a vehicle stage or component into a broad ocean area would not need to demonstrate compliance with the collective, individual, or aircraft risk criteria. For purposes of this proposal, the FAA considers ‘‘broad ocean’’ as an area 200 nautical miles (nm) from land. Two hundred nm is also the recognized limit of exclusive economic zones (EEZ), which are zones prescribed by the United Nations Convention on the Law of the Sea 32 over which the owning state has exclusive exploitation rights over all natural resources. Disposal beyond an EEZ further reduces the chance of disrupting economic operations such as commercial fishing. Proposed § 450.101(e) would address the protection of people and property on-orbit, through collision avoidance requirements during launch or reentry and through requirements aimed at preventing explosions of launch vehicle stages or components on-orbit. Specifically, proposed § 450.101(e)(1) would require a launch or reentry operator to prevent the collision between a launch or reentry vehicle stage or component, and people or property on-orbit, in accordance with the requirements in proposed § 450.169(a) (Launch and Reentry Collision Avoidance Analysis Requirements). Proposed § 450.101(e)(2) would require that a launch operator prevent the creation of debris through the conversion of energy sources into energy that fragments the stage or component, in accordance with the requirements in proposed § 450.171 (Safety at End of Launch). Proposed § 450.171 would contain the same requirements as in §§ 417.129 and 431.43(c)(3). Both §§ 450.169(a) and 450.171 are addressed in greater detail later in the preamble. Proposed § 450.101(f) would require that an operator for any launch, reentry, or disposal notify the public of any region of land, sea, or air that contains, with 97 percent probability of containment, all debris resulting from normal flight events capable of causing a casualty. The requirement to notify the public of planned impacts is currently in §§ 417.111(i)(5) and 431.75(b). The calculation of such hazard areas is discussed later in this preamble in the 32 United Nations Convention on the Law of the Sea, Dec. 10, 1982, 1833 U.N.T.S. 397. Although the United States has not ratified UNCLOS, its comprehensive legal framework codifies customary international law governing uses of the ocean. E:\FR\FM\15APP2.SGM 15APP2 15308 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules discussion of proposed § 450.133 (Flight Hazard Areas). Notification of planned impacts would be included in proposed § 450.101 because it is not tied to risk and is therefore not covered by the other public safety criteria of proposed § 450.101. In proposed § 450.101(g), the FAA would establish performance level requirements for the validity of analysis methods. Specifically, consistent with the existing language in § 417.203(c) and current practice for launch and reentry assessments, an operator’s analysis method would have to use accurate data and scientific principles and be statistically valid. ‘‘Accurate data’’ would continue to refer to completeness, exactness, and fidelity to the maximum extent practicable. In this context, ‘‘scientific principles’’ would continue to refer to knowledge based on the scientific method, such as that established in the fields of physics, chemistry, and engineering. An analysis based on non-scientific principles, such as astrology, would not be consistent with this standard. A ‘‘statistically valid’’ analysis would be the result of a sound application of mathematics and would account for the uncertainty in any statistical inference due to sample size limits, the degree of applicability of data to a particular system, and the degree of homogeneity of the data. 1. Neighboring Operations Personnel amozie on DSK9F9SC42PROD with PROPOSALS2 Two of the proposed requirements in § 450.101 that do not exist in the current regulations carve out separate individual and collective risk criteria for neighboring operations personnel. With the increase in operations and launch rate, the Air Force, NASA, and the industry have expressed concerns about the FAA’s public risk criteria because in certain circumstances they force an operator to clear or evacuate any other launch operator and its personnel not involved with a specific FAA-licensed operation from a hazard area or safety clear zone during certain licensed activities.33 The clearing or evacuation of other launch operator personnel, which can range from a handful of workers to over a thousand for a significant portion of a day, results in potential schedule impacts and lost productivity costs to other range users. These impacts will increase as the 33 To illustrate the problematic nature of the current risk requirements as they are applied to the public, flybacks and landings of reusable boosters at Cape Canaveral Air Force Station conducted under an FAA license are causing operational impacts to other range users due to FAA requirements to clear the public, including range users not involved with the launch, to meet public safety criteria. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 launch tempo increases and similar operations are conducted at other sites. The Air Force, NASA, and industry have recommended that the FAA treat certain personnel of other launch operators, referred to in this proposed rulemaking as ‘‘neighboring operations personnel,’’ differently than the rest of the public who are typically visitors, tourists, or people who are located outside a launch site and are not aware of the hazards nor trained and prepared to respond to them. Specifically, they recommend that the FAA characterize neighboring operations personnel who work at a launch site as either nonpublic or subject to a higher level of risk than the rest of the public, to minimize the need to evacuate them during certain licensed operations.34 The ARC recommended: (1) Excluding permanently badged personnel and neighboring launch operations from the definition of ‘‘public’’; (2) revising the definition of ‘‘public safety’’ because the current definition is overly broad, ambiguous, and inconsistent with other federal agencies, including the Air Force; (3) distinguishing between ‘‘public’’ (i.e., those uninvolved individuals located outside the controlled-access boundaries of a launch or reentry site or clustered sites within a defined Federal or private spaceport) and people who work regularly within the controlledaccess boundaries of a Federal or private spaceport or an operator’s dedicated launch or reentry site; 35 and (4) employing mitigation measures for uninvolved neighboring operations personnel when a hazardous operation or launch is scheduled.36 34 The Air Force requested that the FAA propose an approach that allows certain neighboring operations personnel during an FAA-licensed launch to be assessed at the Air Force’s higher launch essential risk criteria of 10 × 10¥6 individual probability of casualty. Also, Air Force and NASA members of the CSWG have asked for increased flexibility with the collective risk EC for flight to accommodate neighboring operations personnel. As one of its recommendations to the National Space Council in November 2017, NASA suggested a change to operational requirements to clear employees from hazard areas during commercial operations under an FAA license. 35 According to the ARC, these individuals who work regularly within the boundaries of a federal range or private spaceport are industry workers who know and accept the risks associated with the hazardous environment in which they work. 36 These mitigations might include: facility separation distances (e.g., separation between launch points on a multi-user spaceport) that anticipate and allow for safe concurrent operations; terms in site and use agreements with the Federal or non-Federal property owner that indemnify and hold harmless the government or other landlord; and potential reciprocal waivers (not required by regulation) that may be entered into among neighboring operations to share risks of hazards to each other’s property and personnel. PO 00000 Frm 00014 Fmt 4701 Sfmt 4702 i. FAA Proposed Definitions of Public and Neighboring Operations Personnel in § 401.5 To address these concerns, the FAA proposes to add two definitions to § 401.5. The first is ‘‘public,’’ which the FAA would define in § 401.5, for a particular licensed or permitted launch or reentry, as people and property that are not involved in supporting the launch or reentry. This would include those people and property that may be located within the launch or reentry site, such as visitors, individuals providing goods or services not related to launch or reentry processing or flight, and any other operator and its personnel. This language is similar to the current definition of ‘‘public safety’’ in § 401.5, which the FAA proposes to delete, except that the FAA has included reentry and permitted activities in the definition.37 The second is the definition of ‘‘neighboring operations personnel,’’ which the FAA would define in § 401.5 as those members of the public located within a launch or reentry site, as determined by the Federal or licensed launch or reentry site operator,38 or an adjacent launch or reentry site, who are not associated with a specific hazardous licensed or permitted operation currently being conducted but are required to perform safety, security, or critical tasks at the site and are notified of the hazardous operation. While neighboring operations personnel would still fall under the proposed definition of public, this proposal would apply different individual and collective risk criteria to them. The FAA seeks comment on this approach. In developing its proposal, the FAA looked to NASA and Air Force requirements, which treat a portion of the public differently than the FAA regulations by allowing some other launch operators and their personnel, referred to as ‘‘neighboring operations personnel’’ by the Air Force 39 and 37 The FAA would also delete the definition of ‘‘public’’ in § 420.5 for launch sites, which means people and property that are not involved in supporting a licensed or permitted launch. The new definition of public in § 401.5 will apply to all parts, including part 420. 38 Since neighboring operations personnel, as defined in this proposal, work at a launch or reentry site, the FAA expects that the site operator (i.e., an operator of a Federal site or FAA-licensed launch or reentry site), not the launch operator, would identify these personnel. 39 The Air Force has two sub-categories of public: Neighboring operations personnel and the general public. For a specific launch, the general public includes all visitors, media, and other non-essential personnel at the launch site, as well as persons located outside the boundaries of the launch site. For the Air Force, neighboring operations personnel are individuals, not associated with the specific E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 ‘‘critical operations personnel’’ by NASA,40 to be subjected to a higher level of risk than the rest of the public. This approach lessens the impact to multiple users and enables concurrent operations at a site. The FAA’s proposed definition more closely aligns with the definitions of neighboring operations personnel and critical operations personnel adopted by the Air Force and NASA, respectively, because it distinguishes neighboring operations personnel as personnel required to perform safety, security, or critical tasks and who are notified of neighboring hazardous operations. Critical tasks may include maintaining the security of a site or facility or performing critical launch processing tasks such as monitoring pressure vessels or testing safety critical systems of a launch vehicle for an upcoming mission. Because of these specific duties, neighboring operations personnel are operation or launch currently being conducted, required to perform safety, security, or critical tasks at the launch base, and who are notified of a neighboring hazardous operation and are either trained in mitigation techniques or accompanied by a properly trained escort. In accordance with guidance information in AFSPCMAN 91–710V1, neighboring operations personnel may include individuals performing launch processing tasks for another launch, but do not include individuals in training for any job or individuals performing routine activities such as administrative, maintenance, support, or janitorial. AFSPCMAN 91–710V1 can be found at https://static.epublishing.af.mil/production/1/afspc/publication/ afspcman91-710v1/afspcman91-710v1.pdf. The Air Force may allow neighboring operations personnel to be within safety clearance zones and hazardous launch areas, and neighboring operations personnel would not be evacuated with the general public. The Air Force includes neighboring operations personnel in the same risk category as launchessential personnel. The allowable collective aggregated risk for launch essential personnel is 300 × 10¥6 and the allowable individual risk for launch essential personnel is 10 × 10¥6. 40 NASA, for the purposes of range safety risk management, defines public as visitors and personnel inside and outside NASA-controlled locations who are not critical operations personnel or mission essential personnel and who may be on land, on waterborne vessels, or in aircraft. Similar to the Air Force’s definition of neighboring operations personnel, NASA considers critical operations personnel to include persons not essential to the specific operation (launch, reentry, flight) being conducted, but who are required to perform safety, security, or other critical tasks at the launch, landing, or flight facility; are notified of the hazardous operation and either trained in mitigation techniques or accompanied by a properly trained escort; are not in training for any job or individuals performing routine activities such as administrative, maintenance, or janitorial activities; and may occupy safety clearance zones and hazardous areas, and are not evacuated with the public. NASA includes critical operations personnel in the same risk category as mission essential personnel. For flight, the allowable collective aggregated risk for the combination of mission essential personnel and critical operations personnel is 300 × 10¥6 and the allowable individual risk for mission essential or critical operations personnel is 10 × 10¥6. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 more likely than the rest of the public to be specially trained and prepared to respond to hazards present at a launch or reentry site. Those hazards include exposure to debris, overpressure, toxics, and fire. The Air Force and NASA definitions specify that these personnel are either trained in mitigation techniques or accompanied by a properly trained escort. Note, however, that the FAA would not require that neighboring operations personnel be trained or accompanied by a trained escort. It would be burdensome to require a licensee to ensure neighboring operations personnel are trained, and training is not necessary to justify the slight increase in risk allowed for workers performing safety, security, or critical tasks. The FAA proposal would not include all permanently badged personnel on a launch or reentry site as neighboring operations personnel. While neighboring operations personnel are permanently-badged personnel, including all permanently-badged personnel as neighboring operations personnel could then include individuals performing routine activities such as administrative, maintenance, or janitorial duties. These individuals are not necessary for critical tasks. Unlike for neighboring operations personnel, the disruption to routine activities does not sufficiently justify allowing these individuals to remain on site during hazardous operations. ii. Individual Risk Level for Neighboring Operations Personnel Currently, for ELVs, the individual risk criterion for the public in § 417.107(b)(2) allows a launch operator to initiate flight only if the risk to any individual member of the public does not exceed 1 × 10¥6 per launch for each hazard. Part 431 is similar for an RLV mission. Thus, any person not involved in supporting a launch or reentry, whether within or outside the bounds of the launch or reentry site, are required to have a risk of casualty no higher than 1 × 10¥6 per launch or reentry for each hazard. The FAA proposes in § 450.101(a)(2) a higher individual risk criterion of 1 × 10¥5 for neighboring operations personnel compared to 1 × 10¥6 for the rest of the public for launch and reentry. Although neighboring operations personnel would still fall under the FAA’s definition of public, this proposal would establish a higher risk threshold for neighboring operations personnel as compared to other members of the public. This proposal would permit neighboring operations personnel to remain on site because—unlike other PO 00000 Frm 00015 Fmt 4701 Sfmt 4702 15309 members of the public such as visitors or tourists—the presence of these personnel at a launch or reentry site is necessary for security or to avoid the disruption of launch or reentry activities at neighboring sites. In addition, the proposed increased risk to which these personnel would be exposed is minimal. iii. Collective Risk Level for Neighboring Operations Personnel Sections 417.107(b)(1) and 431.35(b)(1)(i) and (ii) currently require that for each proposed launch or reentry, the risk level to the collective members of the public, which would include neighboring operations personnel but exclude persons in waterborne vessels and aircraft, must not exceed an expected number of 1 × 10¥4 casualties from impacting inert and explosive debris and toxic release associated with the launch or reentry. Similar to individual risk, the FAA proposes a separate collective risk criterion for neighboring operations personnel in § 450.101(a)(1). This proposal would permit a launch operator to initiate the flight of a launch vehicle only if the total risk associated with the launch to all members of the public, excluding neighboring operations personnel and persons in aircraft, does not exceed an expected number of 1 × 10¥4 casualties. Additionally, a launch operator would be permitted to initiate the flight of a launch vehicle only if the total risk associated with the launch to neighboring operations personnel did not exceed an expected number of 2 × 10¥4 casualties. These risk criteria would also apply to reentry. These proposed requirements would enable neighboring operations personnel to remain within safety clear zones and hazardous launch areas during flight. Additionally, neighboring operations personnel would not be required to evacuate with the rest of the public as long as their collective risk does not exceed 2 × 10¥4. The rationale is the same as that for individual risk. While the FAA proposal would add a separate collective risk limit for neighboring operations personnel, the collective risk limit for the public other than neighboring operations personnel would not be able to exceed 1 × 10¥4 for flight. iv. Maximum Probably Loss (MPL) Thresholds for Neighboring Operations Personnel Under a license, an operator must obtain liability insurance or demonstrate financial responsibility to compensate for the maximum probable loss from claims by a third party for E:\FR\FM\15APP2.SGM 15APP2 15310 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 death, bodily injury, or property damage or loss.41 For financial responsibility purposes under 14 CFR part 440, neighboring operations personnel qualify as third parties.42 Thus, allowing neighboring operations personnel to remain within hazard areas has the potential to increase the maximum probable loss, and therefore the amount of third party liability insurance that a licensee would be required to obtain. However, this would be fully or partially mitigated by changing the threshold value used to determine MPL for neighboring operations personnel. The MPL is the greatest dollar amount of loss that is reasonably expected to result from a launch or reentry. Current regulations define what is reasonable by establishing probability thresholds: • Losses to third parties that are reasonably expected to result from a licensed or permitted activity are those that have a probability of occurrence of no less than one in ten million. • Losses to government property and government personnel involved in licensed or permitted activities that are reasonably expected to result from licensed or permitted activities are those that have a probability of occurrence of no less than one in one hundred thousand. Therefore, for any launch or reentry, there should only be a 1 in 10,000,000 (1 × 10¥7) chance that claims from third parties would exceed the MPL value, and a 1 in 100,000 (1 × 10¥5) chance that claims from the government for government property loss would exceed the MPL value. Because it is much less likely that claims from third parties would exceed the MPL value, the FAA’s calculation of MPL takes into account a larger number of rare events that could result in a third party claim than could result in a government property claim. And, because the MPL calculation for third party liability involves consideration of more events related to non-government personnel third party losses than events related to government personnel losses, non-government third party losses are more likely to influence the MPL calculation. The difference in 41 An operator must also obtain liability insurance or demonstrate financial responsibility to compensate the U.S. Government for damage or loss to government property, but this is not affected by the neighboring operations personnel proposal. 42 Title 51 U.S.C. 50902 defines third party as a person except the U.S. Government or its contractors or subcontractors involved in the launch or reentry services; a licensee or transferee under Chapter 509 and its contractors, subcontractors or customers involved in launch or reentry services; the customer’s contractors or subcontractors involved in launch or reentry services; or crew, government astronauts, or space fight participants. Section 440.3 incorporates this definition into the regulations. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 thresholds reflects the government’s acceptance of greater risk in supporting launch and reentry activities than that accepted by the uninvolved public.43 The FAA proposes, for the purpose of determining MPL, that the threshold for neighboring operations personnel be the same as the threshold for losses to government property and involved government personnel, such that losses to neighboring operations personnel would have a probability of occurrence of no less than 1 × 10¥5. This approach would be appropriate because unlike other third parties, except for involved government personnel, the presence of neighboring operations personnel at a launch or reentry site is necessary for security or to avoid the disruption of launch or reentry activities at neighboring sites. The presence of neighboring operations personnel during licensed activities would not influence the MPL value for third-party liability in most cases because, as discussed above, the 1 × 10¥5 threshold would capture fewer events and therefore have less of an influence on MPL. The FAA seeks comment on this approach. v. Ground Operations Pertinent to Neighboring Operations Personnel For ground operations, the FAA currently does not have, nor is it proposing at this time, quantitative public risk criteria for neighboring operations personnel or the rest of the public. As will be discussed in greater detail later, an operator would conduct a ground hazard analysis to derive ground hazard controls. This analysis would be a qualitative, not quantitative. Thus, there would be no quantitative criteria to treat neighboring operations personnel differently than other members of the public during ground operations. An operator would be expected to use hazard controls to contain hazards within defined areas and to control public access to those areas. An operator may use industry or government standards to determine proper mitigations to protect the public, including neighboring operations personnel, from hazards. The impact on neighboring operations personnel during ground activities should be minimal. Additionally and as discussed later, the FAA is proposing that launch would 43 Subject to congressional appropriation, the Federal Government indemnifies a launch or reentry operator for claims above the insured amount up to $1.5 billion, adjusted for inflation from January 1989 (approximately $3 billion as of 2016). The lower the threshold used for calculating MPL, the greater chance that the Federal Government may need to indemnify a licensee. PO 00000 Frm 00016 Fmt 4701 Sfmt 4702 begin at the start of preflight ground operations that pose a threat to the public, which could be when a launch vehicle or its major components arrive at a U.S. launch site, or at a later point as agreed to by the Administrator.44 Scoping preflight ground operations to only those that require FAA oversight would alleviate many of the previouslydiscussed issues associated with neighboring operations personnel. 2. Property Protection (Critical Assets) Another proposed requirement in § 450.101 that does not exist in the current regulations is the proposal to adopt a critical asset protection criterion in proposed § 450.101. To better inform this proposed requirement, the FAA would also amend § 401.5 to add a definition of critical asset. Specifically, the probability of loss of functionality for each critical asset would not be able to exceed 1 × 10¥3, or a more stringent probability if the FAA determines, in consultation with relevant federal agencies, it is necessary to protect the national security interests of the United States. This requirement is necessary to ensure a high probability of the continuing functionality of critical assets. A critical asset would be defined as an asset that is essential to the national interests of the United States, as determined in consultation with relevant federal agencies. Critical assets would include property, facilities, or infrastructure necessary to maintain national defense, or assured access to space for national priority missions. Critical assets would also include certain military, intelligence, and civil payloads, including essential infrastructure when directly supporting the payload at the launch site. Under this proposal, the FAA anticipates that it would work with relevant authorities, including a launch or reentry site operator or Federal property owner, to identify each ‘‘critical asset’’ and its potential vulnerability to launch and reentry hazards. 44 The clause ‘‘as agreed to by the Administrator’’ is used throughout the proposed regulations, particularly in relation to timeframes discussed in detail later in this preamble. Where the clause is used, it means that an operator may submit an alternative to the proposed requirement to the FAA for review. The FAA must agree to the operator’s proposal in order for the operator to use the alternative. By whatever means the FAA’s agreement to an alternative is communicated to the operator, the agreement means that the alternative does not jeopardize public health and safety and the FAA has no objection to the submitted alternative. Unless the context of the situation clearly provides otherwise, ‘‘as agreed to by the Administrator’’ does not simply mean receipt by the FAA (i.e., that the item was given to a representative of the FAA and that person received it on behalf of the FAA). E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules The FAA’s existing risk criteria, currently found in §§ 417.107(b) and 431.35(b), do not explicitly set any limit on the probability of loss of functionality for any assets on the surface of the Earth due to launch or reentry operations. An example of loss of functionality would be if a launch vehicle crashed on a nearby launch complex and resulted in damage that prevented the use of the launch complex until repaired. Currently, FAA requirements provide some protection for the safety of property during launch or reentry by limiting individual and collective risks because people are generally co-located with property. However, no protection is afforded for assets within areas that are evacuated. The proposed property protection criteria would be consistent with current practice at Federal launch ranges. Launch operations from NASAoperated ranges are subject to requirements that limit the probability of debris impact to less than or equal to 1 × 10¥3 for designated assets. While the Air Force does not have a formal requirement, in practice, launch operations from Air Force-operated ranges have adopted the NASA standard. In the past, Federal launch ranges have, on occasion, applied a more stringent requirement limiting the probability of debris impact caused by launch or reentry hazards to less than or equal to 1 × 10¥4 for national security payloads, including essential infrastructure when directly supporting the payload at the launch site. The FAA is looking to extend the protection of critical assets to non-Federal launch or reentry sites. The Pacific Spaceport (located on Kodiak Island, Alaska) is an example of a non-Federal launch or reentry site that is a dual-use commercial and military spaceport (meaning that commercial missions have been conducted there, as well as missions for the Department of Defense), which has no regulatory assurance of protection from loss of functionality of critical assets. For these reasons, the FAA has determined that a requirement to maintain a high probability of continuing functionality of critical assets at a launch site is necessary to ensure the safety of property and national security interests of the United States. Launch and reentry infrastructure used for commercial operations are increasingly in close proximity to critical assets, such as infrastructure used to support the national interests of the United States. The national interests of the U.S. relevant to this proposal go beyond national security interests, and include VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 infrastructure used to serve high priority NASA missions as well. For example, the FAA considers launch and reentry services to deliver cargo to and from the International Space Station as national priority missions. As another example, the launch infrastructure used by SpaceX to launch the Falcon 9 from Kennedy Space Center is within 2 nm of the launch infrastructure used by ULA to launch the Atlas V, which are both used to support commercial operations and operations that serve the national interests of the United States. The FAA coordinated the development of this proposed critical asset protection requirement with NASA, the Department of Defense, and the Intelligence Community. Furthermore, the proposed property protection requirement would also help achieve the goal of common standards for launches from any U.S. launch site, Federal or non-Federal. Common standards are public safety related requirements and practices that are consistently employed by the Air Force, the FAA, and NASA during launch and reentry activities. Common standards would provide launch and reentry operators certainty in planning and enable a body of expertise to support those standards. Finally, the proposed property protection standards would apply to all FAA-licensed launches, whether to or from a Federal launch range or a nonFederal launch or reentry site. Applying the provision to non-Federal sites would ensure continuity in the protection of critical assets and that the probability of loss of functionality of critical assets is the same for all commercial launch and reentry operations. The FAA sees no reason for imposing different standards of safety for critical assets based on whether a launch takes place from a non-Federal launch site or from a Federal launch range, especially in light of the fact that some non-Federal sites are dual use, supporting both commercial and military operations. During the interagency review process, the Department of Defense requested and the FAA considered specifying a more stringent criterion for certain critical assets of utmost importance. This subcategory of critical assets would be known as critical payloads. Specifically, the FAA considered requiring the probability of loss of functionality for critical payloads, including essential infrastructure when directly supporting the payload at the launch site, not exceed 1 × 10¥4. The FAA considered defining a critical payload as a critical asset that (1) is so costly or unique that it cannot be readily replaced, or (2) the PO 00000 Frm 00017 Fmt 4701 Sfmt 4702 15311 time frame for its replacement would adversely affect the national interests of the United States. Critical payloads may include vital national security payloads, and high-priority NASA and NOAA payloads. For example, a payload such as NASA’s Curiosity rover would likely be afforded this protection. The higher protection criterion would have safeguarded those payloads of utmost importance to the United States meriting a greater degree of protection than other critical assets. The specific 1 × 10¥4 criterion would apply to those national priority payloads at a launch or reentry site, including essential infrastructure when directly supporting the payload. A federal agency would identify payloads meeting the definition of ‘‘critical payload’’ as warranting protection at the 1 × 10¥4 level. These may include commercial payloads that meet the national interest described above. The FAA opted to not include this higher protection criterion due to uncertainty about its impact on future launch or reentry operations. Therefore, in order to properly analyze this request, the FAA requests comment on the following: (1) If the FAA adopted the morestringent 1 × 10¥4 criterion for critical payloads, what impacts would it have on your operation? (2) Should FAA consider applying this more-stringent criterion to any commercial payload? Please provide specific examples and rationale. (3) If this criterion is applied to commercial space launch and reentry operations, what would be the additional, incremental costs and benefits on your current and future operations compared to the proposed 1 × 10¥3 criterion? Specifically, the FAA requests information and data to quantify additional costs and benefits of this criterion compared to the proposed 1 × 10¥3 criterion. Please provide sources for information and data provided. 3. Consequence Protection Criteria for Flight Abort and Flight Safety System This proposal would expand the FAA’s use of consequence criteria to protect the public from an unlikely but catastrophic event. Proposed § 450.101(c) would require that operators quantify the consequence of a catastrophic event by calculating CEC for any one-second period of flight. Unlike EC that determines the expected casualties factoring in the probability that a dangerous event will occur, CEC determines the expected casualties assuming the dangerous event will occur. In essence, it represents the E:\FR\FM\15APP2.SGM 15APP2 15312 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 consequence of the worst foreseeable events during a launch or reentry. The FAA proposes to use CEC to determine the need for flight abort with a reliable FSS as a hazard control strategy, to set reliability standards for any required FSS, and to determine when to initiate a flight abort. In other words, the more severe the potential consequences from an unplanned event, the more stringent the flight abort requirements. The current ELV flight abort regulations are essentially a one-sizefits-all approach. In practice, the current requirement in § 417.107(a) requires an FSS for any orbital launch vehicle to prevent hazards from reaching protected areas at all times during flight. Regardless of the individual and collective risks, or the consequences in the case of a catastrophic event, all FSSs must satisfy part 417, subparts D and E, requirements.45 These include reliability requirements (0.999 reliable at 95 percent confidence) 46 and extensive testing requirements. Besides requiring a potentially expensive FSS, the part 417 hazard control approach also has the potential to limit vehicle flight paths unnecessarily, even when those flight paths would produce low public risks and consequences. This preamble will discuss these areas in further detail later. The FAA also recognizes shortcomings in its current part 431 hazard control approach. Part 431 does not expressly require the use of an FSS to manage hazards. Rather, § 431.35(c) requires a system safety process to identify hazards and assess the risk to public health and safety and the safety of property. The system safety approach has consistently resulted in the use of an FSS as a hazard control strategy. In practice, the FAA has applied part 417 FSS requirements to part 431 to ensure proper reliability and flight abort rules. Part 417 FSS requirements have proven difficult to scale to different operations. Indeed, the FAA has had to 45 Part 417 sets specific FSS requirements covering general command control system requirements, command control system testing, FSS support systems, FSS analysis, and flight safety crew roles and qualifications. 46 Section 417.309 requires that each onboard flight termination system and each command control system must have a predicted reliability of 0.999 at the 95 percent confidence level when operating, as well as predicted reliability of 0.999 at the 95 percent confidence for multiple component systems such as the ordnance train to propagate a charge, any safe-and-arm device, and ordinance interrupters and initiators. As these component systems define the reliability of the FSS and approximate the design reliability of the entire flight safety system, for the purpose of the preamble the current requirements are discussed as requiring an FSS to have predicted reliability of 0.999 at a 95 percent confidence level. This will be discussed later in the preamble in further detail. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 issue numerous waivers to these requirements to accommodate the fastevolving commercial space industry. The need for waivers has been partially driven by changes to Air Force requirements, which diverged from FAA regulations beginning in 2013.47 For example, the FAA has repeatedly waived its requirement to activate an FSS to ensure no debris greater than 3 pounds per square foot (psf) ballistic coefficient 48 reaches protected areas.49 In granting these waivers, the FAA has adopted the conditional risk management approach, noting that the predicted consequence was below a threshold of 1 × 10¥2 CEC. The FAA has concluded that measuring the consequence from reasonably foreseeable, albeit unlikely, failures is an appropriate metric to assess prudent mitigations of risks to public health and safety and the safety of property.50 The ARC also made recommendations with respect to flight abort and FSS requirements. It recommended the FAA tier the level of rigor for FSSs into three risk categories. In relevant part, ARC members proposed that the lowest risk category not require an FSS, that the medium risk category require streamlined FSS test requirements (e.g., reduce from three to one qualification units) and not require configuration and risk management, and the highest risk category require a Range Commanders Council (RCC) 51 319-compliant FSS. It also suggested the highest risk category could use another operational or design 47 The FAA regulations and Air Force requirements regarding flight abort were virtually identical from the time part 417 was promulgated in 2006 until 2013 when the Air Force provided permanent relief from the requirement for impact limit lines to bound where debris with a ballistic coefficient greater than 3 pounds per square foot can impact if the FSS works properly. The Air Force cited an ELOS determination when it issued the permanent relief, stating that the public risk criteria would still apply. 48 Ballistic coefficient is a measure of an object’s ability to overcome air resistance, and it is defined as the gross weight in pounds divided by the frontal area of the vehicle (in square feet) times the coefficient of drag. 49 Waiver of Debris Containment Requirements for Launch. 81 FR 1470, 1470–1472 (January 12, 2016). 50 Using consequence as safety criteria in FAA commercial space regulations is not without precedent. Section 431.43(d) sets a limit for foreseeable public consequences in terms of CEC, but only for an unproven RLV. Section 431.43(d) provides that an unproven RLV may only be operated so that during any portion of flight, the expected number of casualties does not exceed 1 × 10¥4 given assuming a vehicle failure will occur at any time the instantaneous impact point is over a populated area. 51 The Range Commanders Council addresses the common concerns and needs of operational ranges within the United States. It works with other government departments and agencies to establish various technical standards to assist range users. PO 00000 Frm 00018 Fmt 4701 Sfmt 4702 approach proven to address concerns of low probability/high consequence event. The ARC only identified risk as a means of scaling FSS requirements and did not recommend specific risk thresholds.52 In light of the shortcomings identified by the FAA and ARC recommendations, the FAA agrees that the FAA’s FSS requirements should be scaled. For that reason, the FAA proposes to use consequence to determine the need for an FSS, the required FSS reliability, and when to activate an FSS. To determine whether or not an FSS is needed, an operator would be required to calculate CEC in any one second period of flight. The calculation of CEC can range from a straightforward product of the effective casualty area and the population density to a high fidelity analysis.53 Proposed § 450.101(c) would require, at a minimum, that an operator compute the effective casualty area and identify the population density that would be impacted for each reasonably foreseeable vehicle response mode in any one-second period of flight in terms of CEC. The casualty area, population density, and predicted consequence for each vehicle response mode are intermediate quantities that are necessary to demonstrate compliance with the individual and collective risk criteria currently, thus these new requirements would not necessarily impart significant additional burden on operators. The FAA is proposing to rely on CEC rather than EC to determine whether or 52 ARC Report at p. 12. FAA referenced the need to prevent a high consequence event in its evaluation of a 2016 waiver request, which enabled the first Return to Launch Site (RTLS) mission (Orbcomm-2). Specifically, the FAA noted that the 3 psf ballistic coefficient requirement of § 417.213(d) was intended to (1) capture the current practice of the U.S. Air Force, (2) provide a clear and consistent basis to establish impact limit lines to determine the occurrence of an accident as defined by § 401.5, and (3) help prevent a high consequence to the public given FSS activation. As part of the waiver rationale, the FAA cited the longstanding governing principle applied to launch safety: ‘‘to provide for the public safety, the Ranges, using a Range Safety Program, shall ensure that the launch and flight of launch vehicles and payloads present no greater risk to the general public than that imposed by the over-flight of conventional aircraft.’’ (Eastern and Western Range 127–1, Range Safety Requirements, Oct. 31, 1997) The waiver rationale also cited an analysis of 30 years of empirical evidence provided by the NTSB that showed that the public safety consequence associated with general aviation accidents is 1 × 10¥2 expected fatalities. The FAA’s analysis demonstrated that the consequence of events that could produce debris outside of the impact limit lines was consistent with the threshold of 1 × 10¥2 CEC, even with input data corresponding to the worst-case weather conditions. Thus, the FAA concluded that the waiver would not jeopardize public health and safety or the safety of property. 53 The E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules not an FSS is needed because FAA believes it is the best approach to implement the ARC’s recommendation that the FAA treat high consequence events differently than lower consequence events. As noted earlier, the ARC recommended a three tiered approach—high risk would require a highly reliable FSS, medium risk would require an FSS with more streamlined requirements, and low risk would require no FSS. The FAA’s approach of using a consequence analysis instead of a risk analysis would use the same factors as used in a risk analysis, such as casualty area, population density, and predicted consequence for each vehicle response. Proposed § 450.145 (Flight Safety System), in paragraph (a), would require an operator to employ an FSS with design reliability of 0.999 at 95 percent confidence and commensurate design, analysis, and testing if the consequence of any vehicle response mode is 1 × 10¥2 CEC or greater, consistent with the current FSS requirements in part 417.54 If the consequence of any vehicle response mode is between 1 × 10¥2 and 1 × 10¥3 CEC, the required design reliability would be relaxed to no lower than 0.975 at 95 percent confidence 55 with commensurate design, analysis, and testing requirements necessary to support this reliability. If the CEC is less than 1 × 10¥3, and the individual and collective risk criteria are met, an operator would not be required to have an FSS. The FAA coordinated with NASA and the Department of Defense in the Common Standards Working Group to arrive at this proposal. An RCC 319-compliant FSS would only be required for any phase of flight in which the CEC exceeds 1 × 10¥2. This threshold is consistent with past precedent, FAA waivers, and U.S. Government consensus standards. Other government entities use a consequence threshold of 1 × 10¥2 to protect against explosive hazards.56 This threshold is 54 Sections 417.303 and 417.309. statistics, a confidence interval is the range of values that includes the true value at a specified confidence level. A confidence level of 95% is commonly used which means that there is a 95% chance that the true value is encompassed in the interval. 56 The Department of Defense, NASA, and the FAA use quantity-distance limits originally designed to limit conditional individual risk of fatality to 1 × 10¥2 from inert debris fragment impacts. They define minimum separation distances between potential sources of high speed fragments (propelled by accidental explosions) and areas with exposed personnel to ensure no more than one hazardous fragment impact per 600 sqft, with the assumption that any exposed person has a vulnerable area of 6 sqft. NASA only permits inhabited buildings at closer distances if proved sufficient to limit hazardous debris to 1/600 sqft, amozie on DSK9F9SC42PROD with PROPOSALS2 55 In VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 also rooted in the longstanding and often cited principle that launch and reentry should present no greater risk to the public than that imposed by the over-flight of conventional aircraft. The Air Force, the RCC, and an American National Standard (ANSI/AIAA S–061– 1998) 57 58 have identified the public risks posed by conventional aircraft as an important benchmark for the acceptable risks posed by launch vehicles. Like commercial space operations, civil aviation poses an involuntary hazard to the public on the ground. Therefore, the FAA looked to this risk to the public on the ground to derive consequence limits for commercial space activities. The FAA analyzed National Transportation Safety Board (NTSB) aviation accident data and determined that the average consequences on the ground from all fatal civil aviation accidents are 0.06 casualties and 0.02 fatalities. The average ground fatality of an airline crash is 1, and of a general aviation crash is 0.01.59 The proposed threshold appears reasonable given this range of aviation related accident consequences. The FAA proposes a threshold of 1 × 10¥3 CEC as a metric for determining the need for any FSS. This is an order of magnitude less than the threshold that determines the need for a highlyreliable FSS, and which is scaled to the reliability of the required FSS. Combined with the individual risk and cumulative risk thresholds, the FAA believes that this proposed threshold would ensure public safety. The use of a consequence metric is consistent with the ARC comments. The ARC suggested that an FSS with a reliability of 0.999 at 95 percent confidence is appropriate for high consequence, low probability events and a lower reliability could be acceptable under the right circumstances. The FAA notes that the ARC did not identify any threshold values to define ‘‘high consequence’’; however, the proposal does identify specific quantitative consequence thresholds in terms of CEC. The FAA and thus enforces a consequence limit of no more than 1 × 10¥2 conditional expected fatalities (NASA–STD–8719.12A—2018–05–23, p. 63). 57 Waiver of Debris Containment Requirements for Launch. 81 FR 1470 (January 12, 2016), at 1470– 1472. 58 According to ANSI/AIAA S–061–1998, ‘‘during the launch and flight phase of commercial space vehicle operations, the safety risk for the general public should be no more hazardous than that caused by other hazardous human activities (e.g., general aviation over flight).’’ 59 The FAA looked at NTSB data on injuries and fatalities of people on the ground from fatal civil aviation accidents (where an occupant of the aircraft died) for the 30-year period between 1984 and 2013. PO 00000 Frm 00019 Fmt 4701 Sfmt 4702 15313 invites comments on this approach in general, as well as the specific thresholds proposed. Lastly, proposed § 450.125 (Gate Analysis), in paragraph (c), would limit the predicted average consequence from flight abort resulting from a failure in any one-second period of flight to 1 × 10¥2 CEC. Flight abort will be discussed in more detail later in the preamble. B. System Safety Program Proposed § 450.103 (System Safety Program) would require an operator to implement and document a system safety program throughout the lifecycle of a launch or reentry system that includes at least the following: (1) Safety organization, including a mission director and safety official; (2) procedures to evaluate the operational lifecycle of the launch or reentry system to maintain current preliminary safety assessments and any flight hazard analyses; (3) configuration management and control; and (4) post-flight data review. Due to the complexity and variety of vehicle concepts and operations, a system safety program would be necessary to ensure that an operator considers and addresses all risks to public safety. Currently, parts 415 and 417 have a more prescriptive philosophy of flight safety hazard mitigation. While the requirements ensure safety, they neither provide the flexibility needed to address the diverse and dynamic nature of today’s commercial space transportation industry nor address the unique aspects of non-traditional launch and reentry vehicles. For example, except for unguided suborbital launch vehicles, it is virtually impossible for operations that can reach populated areas but that do not use an FSS to comply with parts 415 and 417. Regulations applicable to reentry and RLVs in part 431 expressly established system safety requirements as a flexible approach to approving a safety process that encompasses design and operation. Section 431.33 sets the requirements for the maintenance and documentation of a safety organization. Specifically, it requires: (1) The identification of lines of communication and approval authority for all mission decisions possibly affecting public safety including internal and external lines of communication with the launch or reentry site to ensure compliance with required plans and procedures; (2) the designation of a person responsible for conducting all licensed RLV mission activities; and (3) designation of a qualified safety official by name, title, and qualifications. E:\FR\FM\15APP2.SGM 15APP2 15314 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 Section 431.35(c) specifically requires the use of a system safety process to identify hazards and assess the risks to public health and safety and the safety of property and to demonstrate compliance with the acceptable risk criteria.60 It also incorporates core components of a hazard analysis. Section 431.35(d) requires several deliverables to demonstrate compliance with acceptable risk criteria and a compliant system safety process. Despite the explicit deliverables, the structure of the regulation has proved to be confusing for applicants. For instance, some system safety analysis element requirements are intermixed with vehicle design element requirements. Similarly, general information requirements such as the identification of hazardous material can be found listed with unrelated requirements such as the description of the RLV. The inclusion of these elements in the section governing system safety has led applicants to produce application deliverables that were scattered and not easily understood by the FAA. Also, some less experienced applicants did not understand that the regulation required a system safety analysis and provided general information and an informal assessment of how that general information may have affected public safety. The ARC made specific suggestions on the role of system safety in the FAA’s safety regulatory scheme. It recommended the FAA use a system safety process at the core of its safety requirements to identify hazards and develop hazard control strategies that are verified by means of an FSA, relevant operational constraints, and means of meeting those constraints. It noted the FAA could provide better detail on its safety requirements. For instance, § 431.35(c) could be expanded to include risk-informed decision making and continuous risk management requirements. It further suggested the FAA incorporate varying levels of rigor that would scale required verification requirements, like test plans and performance results, by vehicle, operator category, and relative risk as a 60 Section 431.35(c) also fails to provide a detailed description of the composition of a compliant system safety process. This lack of detail has often led to the submission of deficient applications because the applicant failed to demonstrate that the system safety process was adequate to meet public safety requirements and therefore the FAA did not find the application to be complete enough for acceptance. The ARC noted the confusion around the FAA’s evaluation of an application’s system safety submission and recommended changing the regulation to increase regulatory certainty. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 means of scoping requirements to vehicle hazards and potential population exposure. The FAA agrees that the system safety process should form the core of its safety requirements as a means of making the safety requirements more flexible for novel operations and processes. Proposed § 450.103 lists the minimum components all operators would be required to have in their system safety programs to protect public health and safety and the safety of property. Part 431 established a process-based requirement for a system safety program but did not define its components or a safety standard. This lack of definition has led to many operators establishing system safety programs that are missing components necessary for public safety. This lengthened some applicants’ preapplication consultation and the license application evaluation process. The FAA intends to further define the system safety program to lessen the potential for misunderstandings between applicants and the FAA. This proposal should allow potential operators to design system safety programs that better address public safety concerns prior to license application submittal. 1. Safety Organization Proposed § 450.103(a) would require an operator to maintain and document a safety organization with clearly defined lines of communication and approval authority for all public safety decisions. This safety organization would include at least two positions, referred to as a mission director and a safety official. The mission director would be responsible for the safe conduct of all licensed activities and authorized to provide final approval to proceed with licensed activities. The safety official 61 would be required to communicate potential safety and noncompliance matters to the mission director during flight and ground operations. The safety official would also be authorized to examine all aspects of an operator’s ground safety and flight safety operations. It is common practice in any safety organization, including those within the commercial space industry, to establish who will be responsible for ensuring safety and to have clear processes for 61 In 1999, the FAA added the requirement for a safety official possessing authority to examine launch safety operations and to monitor independently personnel compliance with safety policies and procedures. The FAA stated in the preamble to the final rule that the person responsible for safety should have the ability to perform independently of those parts of the applicant’s organization responsible for mission assurance. 64 FR 19604 (April 21, 1999). PO 00000 Frm 00020 Fmt 4701 Sfmt 4702 communicating safety concerns effectively throughout the organization. This proposal would allow for one person, or several, to perform the safety official’s functions. Unlike current regulations, an operator would not have to name a specific safety official in its license application. Instead, an operator would be required to designate a position to accomplish the necessary tasks of a safety official. The FAA seeks comment on this approach, and whether it provides an appropriate level of flexibility to industry. Many operators have complained about the burden of naming a specific safety official in a license application. One challenge is that, in many cases, an operator applies for a license before selecting a safety official. As such, many operators must submit a modification of their application once they have chosen a safety official. Another issue is that operators that conduct activities at a frequent rate must employ several persons that serve as safety officials to keep pace with their operations. These persons may serve as safety officials on several different types of operations on multiple licenses. Therefore, the operator must frequently submit license application modifications every time it selects a new person to serve in that capacity. An operator is further burdened when safety officials leave the launch operator’s organization or assume a new role within the organization that would prohibit them from serving as a safety official. The FAA believes a safety organization that includes a safety official is essential to public safety; however, identifying that individual by name is not necessary. Under the proposal, the operator would still be required to designate a safety official for any licensed activity prior to the start of that activity. The FAA has previously noted that licensed ground operations have commenced without designating a safety official. Many applicants mistakenly assumed the safety official was only necessary for flight operations. These operators conducted preflight ground operations in advance of flight without a safety official monitoring the operation. This proposal would require a safety official for all licensed operations to independently monitor licensed activity to ensure compliance with the operator’s safety policies. Additionally, the safety official would report directly to the mission director. The absence of a safety official could result in a lack of independent safety oversight and a potential for a break down in communications of important safetyrelated information. The FAA would continue to inspect licensed operations E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules to ensure that a safety official is in place throughout the course of the licensed activity. amozie on DSK9F9SC42PROD with PROPOSALS2 2. Procedures Proposed § 450.103(b) would require that an operator establish procedures to evaluate hazards throughout the complete operational lifecycle of a program. This is important because design and operational changes to a system can have an impact on public safety. This proposed requirement was implied in § 431.35(c) but was not explicitly stated. Specifically, § 450.103(b) would require the operator to implement a process to update the preliminary safety assessment and any flight hazard analysis to reflect the knowledge gained during the lifecycle of the system. To accomplish this, an operator would be required to establish methods to review and assess the validity of the preliminary safety assessment and any flight hazard analysis throughout the operational lifecycle of the launch or reentry system. An operator would also need to have methods for updating the assessment or analysis, and to communicate the updates throughout its organization. For any flight hazard analysis, an operator would also have to have a process for tracking hazards, risks, mitigation and hazard control measures, and verification activities. 3. Configuration Management and Control Proposed § 450.103(c) would lay out configuration management and control requirements. The FAA has chosen to consolidate configuration management and control requirements within the system safety program requirements. Requirements addressing configuration control were previously scattered throughout the regulations, including in §§ 417.111(e), 417.123(e)(2), 417.303(e), and 417.407(c). Operators frequently make changes to their vehicles, such as new manufacturing techniques for a component or changes to the materials on key structures. Operators may also make operational changes such as new analysis techniques, automating processes that were previously conducted by personnel, or changing the surveillance techniques in hazard areas. These types of changes can have significant impacts on public safety. This proposal would require an operator to track configurations of all safety-critical systems and documentation, ensure the correct and appropriate versions of the systems and documentation are used, and maintain records of system configurations and versions used for each licensed activity. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 The FAA expects that an operator would design configuration management and control into its operations. The FAA also expects that an operator would provide the capability to both alert responsible individuals when key documentation must be updated and ensure that all stakeholders—internal and external to the launch operator’s organization—are using current and accurate information. 4. Post-Flight Data Review Proposed § 450.103(d) would require that an applicant conduct a post-flight data review. The proposed requirements in § 450.103(d) are not explicitly contained in part 415, 417 or 431. However, it is industry practice to review post-flight data to address vehicle reliability and mission success, so any added burden from proposed § 450.103(d) would be minimal. Operator review of post-flight data provides valuable safety information on future operations, particularly the identification of anomalies. At a minimum, proposed § 450.103(d)(1) would require that an operator employ a process for evaluating post-flight data to ensure consistency between the assumptions used for the preliminary safety assessment, any flight hazard or flight safety analysis, and associated mitigation and hazard control measures. Proposed § 450.103(d)(2) would require that an operator resolve any inconsistencies identified in proposed § 450.103(d)(1) prior to the next flight of the vehicle. The FAA expects that the operator would address any inconsistencies by updating analyses using the best available data for the upcoming mission, or documenting the rationale explaining how changes to the data inputs would not have an impact on the results of the analysis for a proposed mission. The FAA would add this requirement to ensure that the operator makes all appropriate updates to the analysis identifying all public safety impacts in order to avoid inconsistencies in future missions that could jeopardize public safety. Proposed § 450.103(d)(3) would require that an operator identify any anomaly that may impact the flight hazard analysis, flight safety analysis, safety critical system, or is otherwise material to public safety and safety of property. An examination and understanding of launch or reentry vehicle system and subsystem anomalies throughout the lifecycle of the vehicle system can alert an operator of an impending mishap. An operator should review post-flight data to identify unexpected issues or critical systems that are operating outside of PO 00000 Frm 00021 Fmt 4701 Sfmt 4702 15315 predicted limits. Flight safety systems are examples of safety-critical systems that could jeopardize public safety if they do not perform nominally. Proposed § 450.103(d)(4) would require an operator to address any anomaly identified in proposed § 450.103(d)(3). Prior to the next flight, an operator would be required to address each anomaly by, at a minimum, updating any flight hazard analysis, flight safety analysis, or safety critical system. The FAA seeks comment on whether proposed § 450.103(d) would change an operator’s approach to reviewing postflight data. 5. Application Requirements Proposed § 450.103(e) would set the system safety program application requirements. An applicant would be required to provide a summary of how it plans to satisfy the system safety program requirements. It is currently common practice for applicants to provide the FAA with a system safety program plan or documents containing the necessary information to determine compliance with the system safety program requirements in § 431.35(c). A system safety program plan that covers the elements in § 450.103(e) would satisfy the proposed application requirements. The FAA also recommends an applicant consult with the FAA during the development of its system safety program prior to implementation. With respect to the safety organization, an applicant would be required to describe the applicant’s safety organization, identifying the applicant’s lines of communication and approval authority, both internally and externally, for all public safety decisions and the provision of public safety services. In the past, many applicants have chosen to provide an organization chart depicting the safety organization. The FAA encourages the continuation of this practice. However, the applicant would be required to provide a sufficient narrative describing the organization, particularly the lines of communication. For example, if an engineer in the safety organization becomes aware of a hazard, the applicant should describe how that engineer would communicate that hazard to the safety official. An applicant would also be required to provide a summary of the processes and products identified in the system safety program requirements. The FAA expects that processes would be scalable based on the size of the operation or the potential public safety impacts of the proposed operation. For example, an E:\FR\FM\15APP2.SGM 15APP2 15316 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules applicant with a dozen employees and a relatively small launch or reentry vehicle may use meetings or less formal ways to develop its preliminary hazard list. However, an applicant with a larger vehicle operating from multiple sites and hundreds of employees would need a more formal means of tracking information and developing the required analyses. amozie on DSK9F9SC42PROD with PROPOSALS2 C. Preliminary Safety Assessment for Flight Under proposed § 450.105 (Preliminary Safety Assessment for Flight), every operator would be required to conduct and document a preliminary safety assessment (PSA) for the flight of a launch or reentry vehicle. The PSA would identify operationspecific information relevant to public safety and would help the operator scope the analyses that must be conducted to ensure that the operation satisfies the public safety criteria in proposed § 450.101. An operator could use the knowledge obtained from the PSA to identify the effect of design and operational decisions on public safety and thus determine potential hazard control strategies. The products of the PSA are consistent with products that are currently produced for preliminary flight safety analyses and preliminary system safety analyses. The PSA will allow operators to quickly identify and demonstrate the hazard control strategy appropriate for their proposed operation. The FAA intends the PSA to be a toplevel assessment of the potential public safety impacts identifiable early in the design process. This assessment should be broad enough that minor changes in vehicle design or operations would not have a significant impact on, or invalidate the products produced by, the PSA. At the same time, the PSA should be detailed enough to identify the public safety and hazard control implications associated with key design trade studies. The FAA recommends that an operator perform an initial PSA at the outset of the design phase of a proposed operation. Thereafter, the operator should update the assessment as needed in accordance with the launch operator’s established procedures to evaluate the complete operational lifecycle of a launch or reentry system. The results of the PSA would provide the operator with an appropriate hazard control strategy for its proposed operation.62 62 As mentioned previously and discussed in greater detail in the next section, traditional hazard controls include physical containment, wind weighting, or flight abort. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 Under proposed § 450.105(a), an acceptable PSA would identify at least the following key elements: (1) The vehicle response modes; (2) the types of hazards associated with the vehicle response modes; (3) the geographical area where the public may be exposed to a hazard; (4) the population of the public exposed to the hazard; (5) the CEC; (6) a preliminary hazard list which documents all causes of vehicle response modes that, excluding mitigation, have the capability to create a hazard to the public; (7) safety-critical systems; and (8) the timeline identifying all safety critical events. The FAA expects that an operator would use many of these PSA elements in subsequent analyses. For instance, population data, vehicle response modes, and the associated effects are part of a valid quantitative risk analysis. These items could also be useful for a flight hazard analysis. A vehicle response mode is a mutually exclusive scenario that characterizes foreseeable combinations of vehicle trajectory and debris generation. Examples include ontrajectory explosion, on-trajectory loss of thrust, and tumble turns. The types of hazards associated with any vehicle response mode can include inert and explosive debris, overpressure, and toxics. By understanding the potential vehicle response modes and the hazards associated with those vehicle response modes, an operator can then determine the geographical areas where the public may be exposed to a hazard. This information, along with the population of the public exposed to the hazard, would allow an operator to begin to characterize the potential risk during any particular phase of flight. Calculating CEC as discussed earlier, is important to understand the need for an FSS and its required reliability. All of these elements, which comprise § 450.105(a)(1) through (5), are important to develop hazard control strategies. Proposed § 450.105(a)(6) would require an operator to produce a preliminary hazard list. The operator would be required to review the operation to determine what hazards exist in order to generate the preliminary hazard list. This assessment is different from the quantitative risk analysis and is meant to give an operator an understanding of how public safety is affected at the subsystem or component level of the operation. An operator should use common system safety tools such as Fault Trees, Failure Modes and Effects Analyses (FMEA), safety panels, and PO 00000 Frm 00022 Fmt 4701 Sfmt 4702 engineering judgement to develop the preliminary hazard list. An operator should describe hazards in terms that identify each potential source of harm, the mechanism by which the harm may be caused, and the potential outcome if the harm were to remain unaddressed.63 The operator should ensure that the hazard is described in enough detail so that the safety critical personnel within the operator’s organization would be able to review the hazard and easily ascertain the source, mechanism, and the public safety-related outcome of the hazard. In developing the preliminary hazard list, an operator would not be required to assess the risk associated with each hazard or potential mitigation measures. These items would be determined in the flight hazard analysis, if required, as discussed in the ‘‘Flight Hazard Analysis’’ section of this preamble. When developing the preliminary hazard list, the operator would also be required to address items that are not specific to the vehicle hardware but necessary for the launch or reentry system. These items would include things like human factors, training, and other operational concerns. The FAA believes the preliminary hazard list is critical as the regulatory approach changes from narrowly prescribed methods to performancebased standards that focus on the applicant demonstrating safety through system safety management and engineering. As the industry moves toward to a more performance-based regime, there is a growing need for operators to produce the analyses specific to their unique operations in order to ensure public safety and detail the appropriate hazard mitigation strategies for their proposed operation. Additionally, an operator that makes changes to its operation could potentially move from a regulatory pathway that does not require a hazard analysis to one that does. The existence of a preliminary hazard list should alleviate some of the existing burdens on operators by requiring only those analyses necessary to ensure the safety of a particular operation. It would also more quickly facilitate analyses demonstrating public safety, thus creating the potential for operational changes closer to flight of the vehicle. For example, consider an operation where a flight hazard analysis 63 For example, a potential source of harm could be a leak in a rocket engine fuel system line caused by a manufacturing defect, overpressure, or improper installation. The mechanism for harm could be a fire resulting from that leak. The outcome could be loss of the vehicle with impact on population. E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules was unnecessary because of the use of an FSS under proposed § 450.145(a)(1). In that case, a change in FSS design, testing or qualification, or disabling the abort system during some phases of flight, could result in the need for a flight hazard analysis. Because the operator would be required to generate a preliminary hazard list, it would already have the initial step of the flight hazard analysis completed, excluding any impacts of the change. The operator would then be required to complete the final steps of the hazard analysis to complete its safety documentation. Proposed § 450.105(a)(7) would require an operator to identify safetycritical systems. A safety critical system would be a system that is essential to safe performance or operation. A safetycritical system, subsystem, component, condition, event, operation, process, or item, is one whose proper recognition, control, performance, or tolerance, is essential to ensuring public safety. It is important for an operator to clearly identify safety critical systems because many requirements in proposed part 450 relate to these systems. Proposed § 450.105(a)(8) would require an operator to identify a timeline identifying all safety critical events. This timeline is important to identify the potential public safety consequences during any particular phase of flight. Proposed § 450.105(b) would set the PSA application requirements. The applicant would be required to provide the results of the preliminary safety assessment in its application. The applicant would be required to provide information for every requirement listed under § 450.105(a). These application requirements are consistent with those currently in part 431. Although these specific system safety requirements would be new for ELV operators, the FAA does not expect they would add a substantial burden given that part 417 operators were performing similar work, albeit not under the system management umbrella. ELV operators must already identify vehicle failure modes; debris, toxics, distant-focusing overpressure, and other hazards; geographical containment and overflight trajectories; consequences that determine flight limits; and all safety critical systems and events. The PSA codifies these concerns as primary to safety and the development of hazard control strategies and requires all vehicle operators to document such considerations. Development of the PSA would allow the operator to determine whether they must perform a flight hazard analysis. The operator would be required to assess each phase of flight to determine VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 how public safety hazards are mitigated. If there is a phase of flight where all identified public safety hazards are not mitigated using physical containment, wind weighting, or flight abort, the operator would be required to perform a flight hazard analysis, discussed later in this preamble, for that particular phase of flight. D. Hazard Control Strategy Proposed § 450.107 (Hazard Control Strategies) would provide options for hazard control strategies that an operator could use to meet the public safety criteria in proposed § 450.101 for each phase of a launch or reentry vehicle’s flight. An operator could use physical containment, wind weighting, or flight abort and would not be required to conduct a flight hazard analysis. Alternatively, an operator could conduct a flight hazard analysis to derive hazard controls. As part of its application, an operator would be required to identify the selected hazard control strategy for each phase of flight. The use of a flight hazard analysis to derive hazard controls provides the most flexibility of any of the hazard control strategies. The ARC recommended this approach and stated that the system safety process should be used to identify hazards and develop control strategies, which would then be verified by means of flight safety analysis and relevant operational constraints and means of meeting those constraints.64 In certain circumstances, however, historical methods may also provide an acceptable level of safety. If the public safety hazards identified in the preliminary safety assessment can be mitigated adequately to meet the public safety requirements of proposed § 450.101 using physical containment, wind weighting, or flight abort with a highly reliable FSS, an operator would not need to conduct a flight hazard analysis for that phase of flight. This proposal is different than current regulations, where the option of conducting a hazard analysis to derive hazard controls is only available to reusable launch vehicles. Under proposed part 450, the option to use a flight hazard analysis would not rest on whether a vehicle is expendable or reusable. Under proposed § 450.107(b), an operator could use physical containment to satisfy the public safety requirements of proposed § 450.101 when an operator’s launch vehicle does not have sufficient energy for any hazards associated with its flight to reach an area where it exposes the 64 ARC PO 00000 Report at p. 10. Frm 00023 Fmt 4701 Sfmt 4702 15317 public or critical assets to a hazard. These launches can take place from any launch site, depending on the size of the launch vehicle, the expected trajectory, and other factors. The more remote a launch site is, the greater its capacity to accommodate a launch using physical containment. This approach is consistent with current practice because the FAA has always accepted a demonstration of physical containment as a means of satisfying risk requirements. The use of physical containment as a hazard control strategy is the easiest way to meet the public safety requirements of proposed § 450.101 and may, in a remote location, involve a simple showing that the maximum distance vehicle hazards can reach defines an area that is unpopulated and does not contain any critical assets. Because physical containment precludes the need for an FSS, an operator would not be required to meet any requirements relevant to an FSS. If an operator shows its vehicle does not have sufficient energy for any of its associated hazards to reach outside the flight hazard area, the operator would not have to perform a flight hazard analysis. Further, many other requirements would be either not applicable or easily met. Because physical containment may also involve visitor control, wind constraints, realtime toxic analysis, and other mitigation measures, the FAA would require an operator to apply other mitigation measures to ensure no public exposure to hazards, as agreed to by the Administrator on a case-by-case basis. Under proposed § 450.107(c), an operator could use wind weighting to satisfy the public safety requirements of proposed § 450.101 when an operator uses launcher elevation and azimuth settings to correct for wind effects that an unguided suborbital launch vehicle, typically called a sounding rocket, would experience during flight. Due to its relative simplicity and effectiveness, wind weighting has historically been used by NASA, the Department of Defense, and commercial operators as the primary method to ensure public safety for the launch of a sounding rocket. This approach is currently codified in part 417. Under part 431, an operator can use wind weighting as an acceptable hazard mitigation measure determined through the system safety process. Under proposed part 450, an operator launching a sounding rocket could use wind weighting or it could propose other hazard controls in its application through a flight hazard analysis. The specific wind weighting requirements are discussed in the E:\FR\FM\15APP2.SGM 15APP2 15318 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 ‘‘Additional Technical Justification and Rationale’’ section. Under proposed § 450.107(d), an operator could use flight abort to satisfy the public safety requirements of proposed § 450.101 when an operator limits or restricts the hazards to the public or critical assets presented by a launch vehicle or reentry vehicle, including any payload, while in flight by initiating and accomplishing a controlled ending to vehicle flight, when necessary. This is discussed in more detail in the ‘‘Flight Abort’’ section. If the public safety hazards identified in the preliminary safety assessment cannot be mitigated adequately to meet the public risk criteria of proposed § 450.101 using physical containment, wind weighting, or flight abort, an operator would be required to conduct a flight hazard analysis in accordance with proposed § 450.109 (Flight Hazard Analysis) to derive hazard controls for that phase of flight. The use of a flight hazard analysis to derive hazard controls is the primary approach used in current parts 431, 435, and 437. The FAA has previously required the use of a flight hazard analysis for reentry, for the captive carry portion of an airlaunched vehicle, and for piloted suborbital vehicles. A detailed discussion of flight hazard analysis is included later in this preamble. In its application, an applicant would be required to describe its hazard control strategy for each phase of flight. An applicant may elect to use different hazard control strategies for different phases of flight, depending on risks associated with those phases. For example, an applicant using an airlaunched system might use a flight hazard analysis during the captive carry phase of flight, and flight abort during the rocket-powered phase of flight. Additionally, if using physical containment as a hazard control strategy, an applicant would be required to demonstrate that the launch vehicle does not have sufficient energy for any hazards associated with its flight to reach outside the flight hazard area. The applicant would also be required to describe the methods used to ensure that flight hazard areas are cleared of the public and critical assets. E. Flight Abort As discussed earlier, flight abort is a hazard control strategy to limit or restrict the hazards to the public or critical assets presented by a launch vehicle or reentry vehicle, including any payload, while in flight. Flight abort is a controlled ending to vehicle flight and is initiated by an operator when ending VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 flight poses less risk to public safety and the safety of property than continued flight without a safety intervention. Flight abort is the primary hazard control strategy used today for orbital expendable launch vehicles under part 417, and under Air Force and NASA launch range requirements. The FAA proposes to require this approach, with a reliable FSS, only when certain conditional risks are present. Specifically, proposed § 450.101(c) would require an operator to use flight abort with an FSS that meets the requirements of § 450.145 as a hazard control strategy if the consequence of any reasonably foreseeable vehicle response mode, in any one-second period of flight, is greater than 1 × 10¥3 conditional expected casualties for uncontrolled areas.65 The basis for this number is discussed in the ‘‘Consequence Protection Criteria for Flight Abort and Flight Safety System’’ section. Under this test, a typical orbital launch from the Air Force Eastern and Western ranges would require an FSS capable of initiating flight abort. Small orbital launch vehicles launched from more remote locations, however, would not normally be required to use flight abort as a hazard control strategy. The FAA seeks comment on this approach. To implement flight abort as a hazard control strategy, an operator would establish flight safety limits and gates in accordance with proposed §§ 450.123 (Flight Safety Limits Analysis) and 450.125, establish flight abort rules in accordance with § 450.165 (Flight Safety Rules), and employ an FSS in accordance with § 450.145 and software in accordance with § 450.111. Flight abort as a hazard control strategy can be used by an operator, even if it is not required under § 450.101(c), as a hazard mitigation measure derived from the flight hazard analysis. For example, a piloted vehicle with low conditional expected casualty during powered flight may use an FSS in combination with other measures, such as propellant dumping, to keep vehicle hazards from reaching a populated area. 1. Flight Safety Limits and Uncontrolled Areas An operator would have to identify the location of uncontrolled areas and 65 The proposed requirement to use flight abort as a hazard control strategy is less restrictive than § 417.107(a), which requires a launch operator to use an FSS in the vicinity of the launch site if any hazard from a launch vehicle, vehicle component, or payload can reach any protected area at any time during flight, or if a failure of the launch vehicle would have a high consequence to the public. PO 00000 Frm 00024 Fmt 4701 Sfmt 4702 establish flight safety limits that define when an operator must initiate flight abort to: • Prevent debris capable of causing a casualty from impacting in uncontrolled areas if the vehicle is outside the limits of a useful mission, and • Ensure compliance with the public safety criteria of § 450.101. The FAA would define debris capable of causing a casualty with kinetic energy or other thresholds as will be discussed later. The public safety criteria that would go into determining flight safety limits would be collective risk, individual risk, risk to critical assets, and conditional risk. An uncontrolled area would be an area of land not controlled by a launch or reentry operator, a launch or reentry site operator, an adjacent site operator, or other entity by agreement. Under current regulations, these areas are referred to as ‘‘protected areas.’’ Importantly, as discussed earlier, the conditional risk criteria would not apply to controlled areas, which are areas that are controlled by any of the entities listed earlier, because by exercising control over these areas the entity would have a greater ability to ensure that catastrophic risk is mitigated by other means. In addition to establishing flight safety limits, an operator would establish gates, if the vehicle would need to overfly a landmass during its flight. A gate is an opening in a flight safety limit through which a vehicle may fly, provided the vehicle meets certain pre-defined conditions such that the vehicle performance indicates an ability to continue safe flight. If the vehicle fails to meet the required conditions to pass a gate, then flight abort would occur at the flight safety limit. In other words, the gate would be closed. Flight safety limits and gates are discussed in greater detail later in this preamble. 2. Flight Abort Rules An operator would identify the conditions under which the FSS, including the functions of any flight abort crew, must abort the flight to ensure compliance with § 450.101. An operator would be required to abort a flight if a flight safety limit is violated, or if some condition exists that could lead to a violation, such as a compromised FSS or loss of data. Flight abort rules are discussed in greater detail later in this preamble. 3. Flight Safety System To enable flight abort, an operator must use an FSS. An FSS is an integral E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules part of positive control of a launch or reentry vehicle because it allows an operator to destroy the vehicle, terminate thrust, or otherwise achieve flight abort to limit or restrict the hazards to public health and safety and the safety of property presented by a vehicle while in flight. Traditional FSSs are comprised of an onboard flight termination system, a ground-based command and control system, and tracking and telemetry systems. Historically, the flight safety crew monitoring the course of a vehicle would send a command to the vehicle to terminate flight if the vehicle violated a flight abort rule. Recently, operators are favoring autonomous FSSs, negating the need for a ground-based command and control system or flight abort crew. As discussed earlier, the CEC would establish whether an FSS is required, and if so, its reliability. • If the consequence of any vehicle response mode is 1 × 10¥2 conditional expected casualties or greater for uncontrolled areas, an operator would be required to employ an FSS with design reliability of 0.999 at 95 percent confidence and commensurate design, analysis, and testing; or • If the consequence of any vehicle response mode is between 1 × 10¥2 and 1 × 10¥3, an operator would be required to employ an FSS with a design reliability of 0.975 at 95 percent confidence and commensurate design, analysis, and testing. Note that if the consequence of any vehicle response mode is less than 1 × 10¥3, the FAA would not require an FSS or mandate its reliability if an operator chooses to use one. Unlike part 417, the FAA would not propose specific design or testing requirements for an FSS. Instead, the FAA would accept specified government or industry standards as meeting the FSS reliability requirements. At this time, only one government standard would meet the requirement for a design reliability of 0.999 at 95 percent confidence and commensurate design, analysis, and testing, and that is RCC 319.66 The FSS requirements codified in part 417, including component performance requirements and acceptance and qualification testing, were originally written to align FAA launch licensing requirements with the Federal launch range standards in RCC 319. Like part 417, RCC 319 requires qualification tests to demonstrate reliable operation in 66 RCC 319 can be found at https:// www.wsmr.army.mil/RCCsite/Documents/319-14_ Flight_Termination_Systems_Commonality_ Standard/RCC_319-14_FTS_Commonality.pdf. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 environments exceeding the expected operating environment for the system components, acceptance tests to demonstrate that the selected batch of components meets the requirements of the design specifications, and other preflight testing at the system or subsystem level to demonstrate functionality after installation. In the short term, the FAA expects individual applicants to create their own FSS requirements based on RCC 319 and have them approved as an accepted means of compliance by the FAA prior to application submittal. This would be akin to ‘‘tailoring’’ RCC 319, which is current practice at the Federal launch ranges. In the long run, the FAA expects the industry to develop voluntary consensus standards for FSSs, particularly for those FSSs that are only required to have a design reliability of 0.975 at 95 percent confidence. By removing detailed design and testing requirements from FAA regulations and relying on standards to meet reliability thresholds, the FAA would encourage innovation in flight abort. The FAA seeks comment on whether this approach would encourage innovation and more rapid evolution of FSS designs. F. Flight Hazard Analysis Proposed § 450.109 would require that an operator conduct and document a flight hazard analysis and continue to maintain the flight hazard analysis throughout the lifecycle of the launch or reentry system unless an operator uses proven hazard control strategies such as physical containment, wind weighting, or flight abort. At its most basic, a flight hazard analysis identifies all reasonably foreseeable hazards and the necessary measures to eliminate or mitigate that risk. A flight hazard analysis would be required only for those phases of flight for which the operator does not employ a traditional hazard control (e.g., physical containment). As noted earlier, the use of a flight hazard analysis to derive hazard controls would provide flexibility that does not currently exist under the prescriptive requirements in part 417 67 and is broadly consistent with the practice in parts 431 and 435.68 Proposed § 450.109(a) would require that an operator further refine the flight 67 The current ELV regulatory scheme in parts 415 and 417 mitigates flight hazards for all launches by requiring a reliable FSS and prescriptive flight abort requirements. 68 Current RLV and reentry vehicle regulations in parts 431 and 435 do not specifically require a flight hazard analysis. However, § 431.35(c) and (d) require a system safety process to identify hazards, assess the risks, and the elimination or mitigation of the risk. In practice, the FAA has interpreted this broad section to require a flight hazard analysis. PO 00000 Frm 00025 Fmt 4701 Sfmt 4702 15319 hazard list developed during the earlier PSA, including verifying the list of items identified in § 450.109 and any new hazards identified since completing the PSA. A hazard is a real or potential condition that could lead to an unplanned event or series of events resulting in death, serious injury, or damage to or loss of equipment or property. The list of items in proposed § 450.109(a)(1) is a list of hazard categories that exist in all commercial space operations and must therefore be eliminated or mitigated to acceptable levels. After identifying and describing hazards, proposed § 450.109(a)(2) would require that an operator assess each hazard’s likelihood and severity. This assessment would be used to establish mitigation priorities. The operator would then determine the severity of the specific potential hazardous condition with respect to public safety. An operator should determine the severity for a specific hazard by identifying the worst credible event that may result from the hazard. For example, if an operator identifies a hazard such as incorrect vehicle position data due to inertial measurement unit (IMU) drift leading to an off nominal trajectory, the operator would determine the public impact using the greatest off nominal vehicle trajectory and the worst credible public safety outcome. Meaning, if the vehicle would break up aerodynamically due to an off nominal trajectory caused by IMU drift, the operator should base its severity assessment on the debris event generated by the break up taking into account the population in the area. If the vehicle operates in a remote area the severity may be low; however, if the operation occurs within the reach of the population, the severity would be catastrophic. After severity and likelihood are assessed, proposed § 450.109(a)(3) would require that an operator ensure that any hazard that may cause a casualty is extremely remote, and any hazard that can cause major damage to public property or critical assets is remote. If a particular hazard source has been observed in a similar operation under similar conditions, it will be difficult to justify that the likelihood of the reoccurrence of the event will qualify as remote or extremely remote. This requirement is substantively the same as current practice under § 431.35(c) and is specifically called out in § 437.55(a)(3) for experimental permits. Examples of suggested likelihood categories for remote and extremely remote are provided in FAA’s Advisory Circular (AC) 437.55–1 E:\FR\FM\15APP2.SGM 15APP2 15320 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 ‘‘Hazard Analyses for the Launch or Reentry of a Reusable Suborbital Rocket Under an Experimental Permit’’ as 1 × 10¥5 and 1 × 10¥6, respectively. The operator would then need to identify and describe risk elimination and mitigation measures as required by proposed § 450.109(a)(4). The operator should always consider whether the risk mitigation measures introduce new hazards. This proposed section codifies current practice under the § 431.35(c) broad system safety analysis requirement. Although not required, system safety standards and advisory material such as MIL–STD–882E, AC 437.55–1, and AC 431.35–2A ‘‘Reusable Launch and Reentry Vehicle System Safety Process’’ recommend that operators develop risk elimination or mitigation approaches in the following order: 1. Design for minimum risk. The first priority should be to eliminate hazards through appropriate design or operational choices.69 If an operator cannot eliminate a risk, it should minimize it through design or operational choices. 2. Incorporate safety devices. If an operator cannot eliminate hazards through design or operation selection, then an operator should reduce risks through the use of active or passive safety devices.70 3. Provide warning devices. When neither design nor safety devices can eliminate or adequately reduce identified risks, the operator should use a device to detect and warn of the hazardous condition to minimize the likelihood of inappropriate human reaction and response.71 4. Implement procedures and training. When it is impractical to eliminate risks through design or safety and warning devices, the operator should develop and implement procedures and training that mitigate the risks.72 Proposed § 450.109(a)(5) would require that the risk elimination and mitigation measures achieve the proposed risk levels in § 450.109(a)(3) through verification and validation. Verification ensures the measures 69 An example of designing out risk to the public would be to operate in an unpopulated area. 70 An example of an active safety device would be a computing system that automatically shuts down the rocket engine when a sensor detects high thrust chamber temperatures. A passive safety device might be a firewall to prevent a fire from reaching a pilot. 71 An example of a warning device would be an abort indicator such as a flashing light or a message on a cockpit instrument panel. 72 An example of risk mitigation procedures and training are abort procedures and rehearsals of those procedures. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 themselves are properly developed and implemented while validation ensures the measures will actually achieve the desired outcome. Verification takes place while developing the measures and validation after development and implementation. This requirement is substantively the same as current practice under § 431.35(c). The acceptable methods of verifying safety measures are: 1. Analysis: Technical or mathematical evaluation, mathematical models, simulations, algorithms, and circuit diagrams. 2. Test: Actual operation to evaluate performance of system elements during ambient conditions or in operational environments at or above expected levels. These tests include functional tests and environmental tests. 3. Demonstration: Actual operation of the system or subsystem under specified scenarios, often used to verify reliability, transportability, maintainability, serviceability, and human engineering factors. 4. Inspection: Examination of hardware, software, or documentation to verify compliance of the feature with predetermined criteria. An operator could use methods separately or combine them depending on the feasibility of the methods and the maturity of the vehicle and operation. Proposed § 450.109(b) would require that an applicant establish and document the criteria and techniques for identifying new hazards throughout the launch or reentry system lifecycle. Development, implementation, and continued operation of any system requires that changes be made throughout the lifecycle. Changes to the vehicle, especially to safety-critical systems and operations, can have significant impacts on public safety and will result in changes to the hazard analysis. Anomalies and failures can also identify unknown hazards. This requirement is substantively the same as the FAA’s current practice under § 431.35(c). Parts 415 and 417 do not have a flight hazard analysis requirement. Proposed § 450.109(c) would require that the flight hazard analysis be updated and complete for every launch or reentry. In other words, the analysis must be applicable to the specific mission. A hazard analysis for a previous mission may be used only if the vehicle and operational details of the mission do not impact the validity of any aspect of the hazard analysis. The FAA has not prescribed the methodology that an operator must follow to ensure the accuracy of a flight hazard analyses. However, this item is PO 00000 Frm 00026 Fmt 4701 Sfmt 4702 key to ensuring that the operator is aware of the hazards in the proposed operation. Proposed § 450.109(d) requires that an operator continually update the flight hazard analysis throughout the operational lifecycle of the launch or reentry system. This requirement is substantively the same as current FAA practice under § 431.35(c). Proposed § 450.109(e) establishes the flight hazard analysis application requirements. An applicant would be required to submit a flight hazard analysis in its application to provide the FAA with sufficient detail to evaluate the applicant’s flight hazard analyses and its criteria and techniques for identifying new hazards throughout the lifecycle of the launch or reentry system. The FAA recommends that the applicant provide at a minimum a hazard table that provides a description of each hazard identified, associated severity and likelihood of each hazard, the mitigation measures identified for each hazard, and a summary of the validation and verification of each hazard. For hazards that require mitigation, the applicant would also be required to provide the data showing the verification of those mitigations measures. The FAA expects the results of any testing or analysis associated with the verification to be in a format that is easily understood by an experienced technical evaluator. For items verified by analysis, the applicant should provide the assumptions and methodology used to conduct the analyses if it is not easily understood by evaluating the results. These application requirements would not require more than the current practices under § 431.35(c) and (d). G. Computing Systems and Software Overview The FAA is proposing to address hazards associated with computing systems and software separate from flight hazard analysis. The FAA would consolidate all software safety requirements applicable to launch or reentry operations in a single section, in proposed § 450.111 (Computing Systems and Software).73 These proposed regulations address both software and how the software operates on the intended hardware and computing systems.74 While the FAA discusses 73 For the purpose of this discussion, the phrase ‘‘software safety requirements’’ refers to software safety regulations and ‘‘software requirements’’ refers to the specifications that define a software component’s intended functionality. 74 The FAA understands software to mean a combination of computer instructions and E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules hardware requirements elsewhere under the safety-critical systems requirements, it is important to recognize that software safety cannot be evaluated outside of the computing system in which it operates.75 A computing system is a complete system made up of the central processing unit, memory, related electronics, and peripheral devices. These proposed software safety requirements would streamline the software safety evaluation process by adding detail to the performance-based requirements in the existing rules. The software safety requirements in the proposed rule are levied in proportion to the potential software hazards and the degree of control over those hazards.76 In other words, software safety requirements would increase in rigor with the rise in potential safety risks and degree of autonomy. Conversely, software safety requirements would decrease in rigor with reductions in the potential safety risk or degree of autonomy.77 This approach would codify existing FAA practice of modulating the stringency of review commensurate with the level of public risk. The FAA would also add more clarity to the software scaled requirements to guide applicants to appropriate and predictable engineering judgments when determining the proper depth and breadth of software development, analysis, and verification activities. The FAA expects these changes would enable innovation by setting predictable safety requirements based on knowable characteristics of new software systems and in proportion to the risks involved with the innovation. For a detailed discussion, please see the Additional Technical Justification and Rationale discussion later in the preamble. amozie on DSK9F9SC42PROD with PROPOSALS2 H. Hybrid Launch Vehicles Hybrid vehicles are vehicles that have some characteristics of aircraft and other characteristics of traditional launch or reentry vehicles. This proposal would allow an operator to forego the use of flight abort as a hazard control strategy during certain phases of flight if the hybrid launch or reentry vehicle has a computer data that enables a computer to perform computational and control functions. 75 Hardware is the collection of physical parts of a computer system, including memory storage devices, power sources, and processors that execute software. 76 For the purpose of this rulemaking, software hazards are those hazardous conditions created by the execution of software, or for which software is used as a mitigation or control. 77 The FAA uses the phrase ‘‘level of rigor’’ to describe the amount of precision and effort applied by an applicant to address the severity of a hazard and associated software autonomy. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 high demonstrated reliability during those phases of flight. The FAA would make these determinations on a case-bycase basis based on a vehicle’s demonstrated reliability. The FAA may regulate hybrid vehicles under either the commercial space transportation or the civil aircraft regulations, depending on the operation. For a flight of a hybrid vehicle where a carrier aircraft has been modified to carry a rocket and the operator intends to ignite the rocket, the FAA considers the aircraft a component of the launch vehicle.78 The combination launch vehicle system is authorized solely by a vehicle operator license or experimental permit under Title 51. The FAA currently authorizes the operation of hybrid vehicles using a license or permit for the entire mission from preflight ground activities through taxi, take off, flight, landing, wheel stop, and post-flight safing for all components of the combined launch vehicle system. The FAA has granted a license to hybrid vehicles such as the Stargazer/Pegasus, WhiteKnightOne/SpaceShipOne, WhiteKnightTwo/SpaceShipTwo, and Cosmic Girl/LauncherOne combinations. In addition to carrier aircraft models, hybrid vehicles may also include future concepts such as a single vehicle with both air-breathing and rocket engines, winged launch or reentry vehicles, balloon-launched rockets, and other concepts that may have characteristics of both aviation and traditional launch or reentry vehicles.79 The FAA will work with applicants using hybrid vehicles during preapplication to identify the appropriate regulatory path. To date, the FAA has issued guidance in two legal interpretations on the process for determining whether flights or portions of flights of hybrid vehicles are 78 ‘‘Chapter 509 applies when [a hybrid] system operates as a launch vehicle from the flight of the carrier aircraft, through ignition of the rocket, to the return and landing of the carrier aircraft and the suborbital rocket. For a mission that does not entail ignition of the rocket, the FAA’s aviation statute and regulations apply.’’ See Legal Interpretation to Pamela L. Meredith from Mark W. Bury (September 26, 2013). 79 An example of a hybrid vehicle that does not use a carrier aircraft is the World View capsule. This capsule is not a rocket, but it meets the definition of a launch vehicle because it operates at an altitude where it needs to be designed, built, and tested to operate in outer space. See Legal Interpretation to Pamela L. Meredith from Mark W. Bury, September 26, 2013; (https://www.faa.gov/ about/office_org/headquarters_offices/agc/practice_ areas/regulations/interpretations/data/interps/ 2013/meredith-zuckertscoutt&rasenberger%20%20(2013)%20legal%20interpretation.pdf). Similar to other hybrid vehicles, when not operating as a launch vehicle, World View will operate under the appropriate aviation provisions of title 49. PO 00000 Frm 00027 Fmt 4701 Sfmt 4702 15321 regulated under title 49 or Title 51.80 As new hybrid concepts are unveiled, the FAA anticipates issuing additional guidance to assist operators. The FAA has worked with and received input from industry on how to regulate hybrid vehicles. For instance, in 2017 and 2018, the FAA convened a Safety Risk Management (SRM) panel consisting of FAA and industry representatives to review and assess hazards associated with captive carry operations.81 The panel recommended dispensing with any aircraft hazard area requirement during the captive carry phase of flight for previously licensed hybrid vehicles with fixed-wing carrier aircraft. The ARC also recommended that the FAA set a different standard for hybrid vehicles, specifically that the FAA not require an FSA for operations where the agency has already considered impacts to public safety during the airworthiness certification process. Additionally, the ARC recommended that an operator only be required to conduct an FSA for those portions of flight when the hazardous configuration of the hybrid system differs from that approved under an experimental airworthiness certificate or equivalent authorization. As discussed earlier, the FAA proposes to provide flexibility for certain phases of flight with respect to FSA (proposed § 450.113(a)(5)) and FSS (proposed § 450.101(c)) requirements. This is consistent with the ARC’s recommendation. The FAA recognizes that airworthiness certificates and licenses, when developed collaboratively between the Aviation Safety and Commercial Space Transportation lines of business, sufficiently protect the public. In these cases, the FAA would include a license term and condition for a current airworthiness certificate. Specifically, the license would impose terms and conditions such as compliance with certain part 91 (General Operating and 80 Legal Interpretation to Kelvin B. Coleman from Lorelei Peter, July 23, 2018; (https://www.faa.gov/ about/office_org/headquarters_offices/agc/practice_ areas/regulations/interpretations/data/interps/ 2018/coleman-ast-1%20-%20(2018)%20legal% 20interpretation.pdf); Legal Interpretation to Pamela L. Meredith from Mark W. Bury, Sept. 26, 2013; (https://www.faa.gov/about/office_org/ headquarters_offices/agc/practice_areas/ regulations/interpretations/data/interps/2013/ meredith-zuckertscoutt&rasenberger%20-% 20(2013)%20legal%20interpretation.pdf). 81 The SRM panel members included FAA representatives from the Air Traffic Organization, Aviation Safety, and the Office of Commercial Space Transportation. The panel also included civil aviation and commercial space participants such as the Air Line Pilots Association, the National Air Traffic Controllers Association, Orbital ATK, Virgin Galactic, Virgin Orbit, and Mojave Air and Space Port. E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15322 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules Flight Rules) requirements and airworthiness operating limitations, not including any restrictions on compensation or hire. This blended approach of combining airworthiness with part 450’s system safety requirements would ensure public safety without the need for an FSA. This proposal would reduce FSA, CEC, and FSS requirements for phases of flight such as the captive carry phase, the carrier-vehicle-alone phase, and any rocket component glide back. The captive carry phase of flight starts when the carrier vehicle takes off carrying the rocket aloft and transports it to the rocket release location. The carriervehicle-alone phase starts when the carrier vehicle releases the rocket, and includes all flight activities in support of the mission until the carrier vehicle lands and is safed. During the carriervehicle-alone phase, the rocket component is conducting its rocketpowered and coast phases. The rocket coast phase occurs immediately after the rocket engine shuts down, and is not considered an aviation-like glide phase because the pilot does not have significant control authority over the instantaneous impact point (the predicted impact point following thrust termination of a vehicle). For returning rockets, there may be a glide phase which begins at a point to be determined on a case-by-case basis after the vehicle completes any reconfiguration necessary and demonstrates non-rocket powered control authority and ends when the vehicle lands. The FAA would work with hybrid vehicle applicants during preapplication consultation to determine the applicability of FSA, CEC, and FSS requirements. For example, the FAA might determine the quantitative FSA requirement for those portions of a mission where the vehicle operates as a civil aviation aircraft governed by civil aviation regulations (as incorporated into the license) is unnecessary because the vehicle has demonstrated reliability during that phase as indicated by the issuance of an airworthiness certificate. Thus, an applicant would not have to conduct the quantitative FSA for the aircraft-like controllable phases of flight, such as the captive carry phase or for phases with non-rocket powered or glide phases previously authorized under an airworthiness certificate. This would not normally be the case during the rocket-powered, coast, reentry, or glide back phases of flight that are unique to space flight. All other regulatory requirements, including system safety requirements, would apply to the entire mission. Due to the VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 unknown operating characteristics of future hybrid vehicles, the FAA is not proposing to provide a blanket FSA exemption for all hybrid systems. I. Flight Safety Analysis Overview For purposes of this proposed rule, a flight safety analysis consists of a set of quantitative analyses used to determine flight commit criteria, flight abort rules, flight hazard areas, and other mitigation measures, and to verify compliance with the public safety criteria in proposed § 450.101. The FAA proposes 15 sections for flight safety analysis. The analyses are described here briefly because of their overall importance to the regulation and are discussed in greater detail in the ‘‘Additional Technical Justification and Rationale’’ section. Furthermore, the FAA plans to publish updated ACs and guidelines to describe acceptable means to conduct these analyses. The first two sections for FSA would outline the scope, applicability, and methods for conducting FSAs: 1. Flight Safety Analysis Requirements—Scope and Applicability (§ 450.113). This section would establish the portions of flight for which an operator would be required to perform and document an FSA and would identify the analyses required for each type of operation. 2. Flight Safety Analysis Methods (§ 450.115). This section would set methodology requirements for FSAs, including level of fidelity. Three sections would require fundamental flight safety analyses: 1. Trajectory Analysis for Normal Flight (§ 450.117). All the FSAs depend on some form of analysis of the trajectory under normal conditions, referred to as a normal trajectory. 2. Trajectory Analysis for Malfunction Flight (§ 450.119). A malfunction trajectory analysis is necessary to determine how far a vehicle can deviate from its normal flight path in case of a malfunction. This analysis helps determine impact points in case of a malfunction and is therefore a vital input for the analyses needed to demonstrate compliance with risk criteria. 3. Debris Analysis (§ 450.121). A debris analysis is necessary to characterize the debris generated in various failure scenarios, including those that could produce an intact vehicle impact. Four analyses would produce information necessary to implement flight abort as a hazard control strategy: 1. Flight Safety Limits Analysis (§ 450.123). A flight safety limit analysis is necessary to identify uncontrolled PO 00000 Frm 00028 Fmt 4701 Sfmt 4702 areas and establish flight safety limits that define when an operator must initiate flight abort to (1) ensure compliance with the public safety criteria of proposed § 450.101, and (2) prevent debris capable of causing a casualty from impacting in uncontrolled areas if the vehicle is outside the limits of a useful mission. 2. Gate Analysis (§ 450.125). A gate analysis is necessary to determine necessary openings in a flight safety limit through which a vehicle may fly, provided the vehicle meets certain predefined conditions indicating an ability to continue safe flight. 3. Data Loss Flight Time and Planned Safe Flight State Analyses (§ 450.127). A data loss flight time analysis is necessary to establish when an operator must abort a flight following the loss of vehicle tracking information. A planned safe flight state analysis is necessary to determine when an FSS is no longer necessary. 4. Time Delay Analysis (§ 450.129). A time delay analysis is necessary to establish the mean elapsed time between the violation of a flight abort rule and the time when the flight safety system is capable of aborting flight for use in establishing flight safety limits. One section addresses probability of failure analysis: 1. Probability of Failure Analysis (§ 450.131). During any particular flight or phase of flight, an estimated probability of failure, and how that probability is allocated across flight time and vehicle response mode, is necessary to support the determination of hazard areas and risk. One section addresses the determination of flight hazard areas: 1. Flight Hazard Area Analysis (§ 450.133). This analysis is necessary to determine any region of land, sea, or air that must be surveyed, publicized, controlled, or evacuated in order to protect the public health and safety, and safety of property. Three sections would be necessary to determine whether risk criteria are met for different types of hazards: 1. Debris Risk Analysis (§ 450.135). A debris risk analysis is necessary to determine whether the individual and collective risks of public casualties, due to inert and explosive debris hazards meets public safety criteria. 2. Far-field Overpressure Blast Effects Analysis (§ 450.137). This analysis is necessary to determine whether the potential public hazard from broken windows as a result of impacting explosive debris, including impact of an intact launch vehicle, meets public safety criteria. E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules 3. Toxic Hazards for Flight (§ 450.139). This analysis is necessary to determine whether hazards associated with toxic release meet public safety criteria. Lastly, one section is necessary for the launch of an unguided suborbital launch vehicle using wind weighting as a hazard control strategy. A launch vehicle using other mitigations would not be required to conduct this analysis: 1. Wind Weighting for the Flight of an Unguided Suborbital Launch Vehicle (§ 450.141). This section would outline a wind weighting analysis that is required to ensure that the launch of an unguided suborbital launch vehicle using wind weighting as a hazard control strategy meets public safety criteria. J. Safety-Critical Systems amozie on DSK9F9SC42PROD with PROPOSALS2 1. Safety-Critical Systems Design, Test, and Documentation The FAA proposes to consolidate the design, test, and documentation requirements for safety-critical components in proposed § 450.143 (Safety-Critical System Design, Test, and Documentation). A common set of requirements is needed for clarity and consistency. Safety-critical systems or components include those systems or components whose performance is essential to ensuring public safety. Historically, the FAA has considered the FSS to be the only safety-critical system on an ELV. For RLVs and reentry vehicles, the use of a systematic, logical, and disciplined system safety process is meant to identify safety-critical systems and the extent of prudent operational controls.82 If a system failure would cause any hazards and those hazards could reach a populated area, then the system is likely a safety-critical system. Generally, RLV operators incorporate FSSs, although they may also incorporate other safety-critical elements of risk mitigation and hazard control. Non-RLV reentry vehicles also require a thorough system safety process to identify safetycritical hardware. The current rules for ELV, RLV, and reentry vehicle safety-critical systems are quite different. However, in practice, the evaluation of the safety of such systems is very similar. Parts 415 and 82 Some of the more commonly used methodologies include Preliminary Hazard Lists (PHL), Preliminary Hazard Analyses (PHA), Event Tree Analyses (ETA), Fault Tree Analyses (FTA), FMEAs, and FMECAs. Generally, these methodologies help operators determine whether a system failure could cause a loss of vehicle control, a vehicle breakup or other creation of uncontrolled debris, a discharge of hazardous material, or would prevent safe landing. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 417 require ELVs to have very reliable hazard-constraining FSSs that ensure public safety. These FSSs are subject to design requirements, extensive design qualification testing, and acceptance testing of all components. RLVs and reentry vehicles are required to undergo a comprehensive system safety engineering process that, in part, identifies and eliminates hazards to reduce the associated risk to acceptable levels by defining safety-critical systems and identifying associated hazards and risks. Under system safety, an operator develops design-level safety requirements and provides evidence for verification and validation of safetycritical systems and requirements. For safety-critical systems this serves the purpose of design qualification and acceptance. Given that RLVs are built to experience multiple flights, the lifecycle 83 of safety-critical systems must also be considered as part of the design, testing, and documentation. i. Current Qualification and Acceptance Testing Requirements Qualification testing is an assessment of a prototype or other structural article to verify the structural integrity of a design. Generally, qualification testing involves testing the design under a number of different environmental factors to stress the design, with a multiplying factor applied to the expected environmental testing limit. This qualification testing is conducted for temperatures, tensile loads, handling shocks, and other expected environmental stressors. Unlike qualification testing that is performed on qualification units, acceptance testing is performance testing conducted on the actual hardware to be used on a vehicle after the completion of the manufacturing process. Generally, acceptance tests are performed on each article of the safetycritical flight hardware to verify that it is free of defects, free of integration and workmanship errors, and ready for operational use. Acceptance testing includes testing for defects, along with environmental testing similar to the qualification testing described earlier. For ELVs, qualification and acceptance testing are important verification of the reliability of all FSSs at the subsystem and component level, and ensures the safe operability of the only safety-critical system on any given 83 Many operators seek to refurbish or otherwise reuse safety-critical systems for multiple flights. Operators must design, test, and document safetycritical systems to demonstrate their safety-critical systems can continue to operate reliably throughout the component life in all predicted operating environments. PO 00000 Frm 00029 Fmt 4701 Sfmt 4702 15323 ELV. For ELVs, current qualification and acceptance testing requirements and procedures for FSS subsystems and components are listed in §§ 417.305, 417.307, and appendix E of part 417 (E417). As FSSs are the only safetycritical systems on traditional ELVs, the component-level testing requirements in part 417 describe the testing of specific possible components in great detail, going so far as to differentiate testing requirements for silver-zinc batteries in E417.21 from nickel-cadmium batteries in E417.22. While the FAA has approved alternative FSSs, the prescription level of the current requirements discourages significant innovation. The same emphasis on validation of design and verification of hardware tolerances applies to components that have been identified as safety-critical during a system safety process. For RLVs and reentry vehicles, a system safety process is required by § 431.35(c).84 Under the system safety process, a vehicle designer must assess nominal and non-nominal flight scenarios of the vehicle and must account for any possible safety-critical system failures during flight that could result in a casualty to the public. Those vehicle operators are required, by § 431.35(d)(3), to identify all safetycritical systems and are required by § 431.35(d)(7) to demonstrate the risk elimination in relation to those safetycritical systems. While not explicitly called out in the current part 431 or 435, qualification and acceptance testing are the widely accepted standards for demonstrating that safety-critical systems, subsystems, and components are not at risk of failing during flight. Current regulations are undefined with respect to the applicability of qualification and testing of safetycritical components that are not listed in §§ 417.301(b), 417.305 and 417.307, or appendix E of part 417. The regulations are similarly ambiguous if the vehicle does not have a traditional FSS but still has components that are considered safety-critical, like many vehicles licensed under part 431. This ambiguity has led to regulatory uncertainty, which in turn has resulted in lengthy exchanges between the FAA and license applicants about what components and systems needed to be tested, what testing would be acceptable to the FAA, and why that testing was necessary to be compliant. Testing is currently generally required for safety-critical systems across all vehicle types, either explicitly or as verification and validation in the 84 Section 431.35(c) is required for reentry vehicles by § 435.33. E:\FR\FM\15APP2.SGM 15APP2 15324 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 system safety process, but this is often not well-reflected in the current regulations. As a result, applicants often are confused by qualification testing requirements asserted by the FAA for RLVs when there are no explicit qualification testing requirements in part 431. ii. Current Fault Tolerance Requirements Fault-tolerance is the idea that a system must be designed so that it is able to perform its function in the event of a failure of one or more of its components. In a fault-tolerant design of a safety-critical system, no single credible fault should be capable of increasing the risk to public safety beyond that of a nominal operation. Typically, a fault-tolerant design applies redundancy or a system of safety barriers to ensure the system can function, though perhaps with reduced performance. An example of a faulttolerant design is an aircraft with multiple engines that can continue flying even if one of the engines fails. The current part 417 regulations cover fault-tolerant design of FSS components as a set of explicit prescriptive requirements. For instance, § 417.303(d) specifically lists fault-tolerance as a requirement of an FSS command control system design, requiring that no single failure point be able to inhibit the system’s function or inadvertently transmit a flight termination command. An operator must demonstrate that the command system, in accordance with § 417.309(c), is fault tolerant through analysis, identification of possible failure modes, implementation of redundant systems or other mitigation measures, and verification that the mitigation measures will not fail simultaneously. Appendix D of part 417 (section D417.5) further details single fault tolerance and prescribes redundancy of command strings that are structurally, electrically, and mechanically separated to ensure that any failure that would damage, destroy, or otherwise inhibit the operation of one redundant component would not inhibit the operation of the other redundant component. The current ELV regulations are prescriptive and often dictate specific implementations of fault-tolerance where other forms may be adequate. For instance, a fail-safe approach has been used in the rationale of past applicants that use thrust termination systems to protect public safety. A fail-safe design is a system that can fail in a controlled way, such that the failure will still ensure public safety, like elevator brakes held open by the tension of the elevator VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 cable such that if the cable snaps the brakes engage and stop the elevator from falling. The FAA has granted waivers to the redundancy requirement of section D417.5(c) for fail-safe safety-critical systems that have been integrated in such a way that a loss of power to that system would result in direct thrust termination of the launch vehicle though deactivation of normally-closed valves. Also, ELOS determinations have been issued for flight termination receivers that have fail-safe commands that are issued on signal loss because the failure of the system automatically results in termination of the flight and the constraint of flight hazards. Less prescriptive fault-tolerant design regulations could enable such designs instead of requiring waivers or ELOS determinations. Operations licensed under parts 431 and 435 may not have traditional FSSs, but the need for fault-tolerance is implicitly derived from the system safety process of § 431.35(c) and (d), as it is often a necessary control for an identified hazard. The FAA views faulttolerance as a necessary characteristic of any reliable system. The current fault tolerance provisions lack clarity in the scope of their applicability to RLVs and reentry vehicles because they are implicit in the system safety processes of hazard identification and mitigation. As with the testing requirements, a lack of regulatory clarity is detrimental to both applicants and the FAA, leading to confusion, a drawn-out application acceptance process, and lengthy discussions to arrive at a clear understanding of how fault tolerance is applicable to a proposed operation. iii. Current Reuse Requirements Safety-critical FSSs of ELVs generally undergo a single flight. Therefore, very little life-cycle planning is required for them unless an operator seeks to reuse certain safety-critical components. However, ELV operators must still account for environments that the FSS is expected to encounter throughout the lifecycle of the system, including storage, transportation, installation, and flight, which generally are built into qualification and acceptance testing levels. Lifecycle planning is a more significant concern for reusable safetycritical systems because near-total reuse is an expected part of their operation. Current parts 415 and 417 contain requirements for the reuse of ELV FSS components. To be a licensed ELV operator, an applicant must submit to the FAA any reuse qualification testing, refurbishment, and acceptance testing plans, in accordance with § 415.129(f). PO 00000 Frm 00030 Fmt 4701 Sfmt 4702 Those test plans must show that any FSS component is still capable of performing as required when subjected to the qualification test environmental levels plus the total number of exposures to the maximum expected environmental levels for each of the flights to be flown. Previously flown FSSs must also abide by § E417.13(a)(3), and the components must undergo one or more reuse acceptance tests before each flight to demonstrate that the component still satisfies all its performance specifications when subjected to each maximum predicted environment. Additionally, tests for reuse must compare performance measurements to all previous tests to ensure no trends emerge that indicate performance degradation in the component that could prevent the component from satisfying all its performance specifications during flight. As the lines have blurred between ELVs with significantly reusable safetycritical systems and RLVs, these requirements still contain good safety policy, but they are constrained by their limited coverage of only traditional FSSs. While operations licensed under part 431 are focused on RLVs, neither part 431 nor part 435 contain any explicit requirements placed on reuse. Like all other aspects of safety-critical system requirements, reuse under these parts is governed by the system safety process of § 431.35. Safety-critical systems that do not account for expected lifecycle, refurbishment, and reuse do not adequately meet the hazard identification and risk mitigation of the system safety requirements. Implicit in the system safety requirements, commensurate testing is required to demonstrate that the planned lifecycle performance remains accurate. Reuse of safety-critical components is a potential hazard that needs to be mitigated. Reuse induces stress on components and systems that can degrade operational performance if not accounted for in design and testing. Additionally, ‘‘reuse’’ implies multiple uses of a component after its initial intended lifetime or outside of its initial intended operating environments. Based on industry best practices, intended use and lifetime should be designed into components initially; qualification and acceptance testing should be based on predicted operating environments that encompass the entire lifetime of a system; and lifecycle management practices should be used to refine initial predictions. The current lack of a clear, unified, and simple requirement that explicitly covers reuse for all safetycritical systems leads to prescriptive E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 constraints on ELV operators and regulatory confusion for RLV and reentry operators who are unfamiliar with the implicit requirements of a system safety process. iv. Consolidation of Design, Test and Documentation Requirements The FAA proposes to consolidate the design, test and documentation requirements for safety-critical systems and components, both identified by a system safety process and as part of an FSS, currently found in parts 415 and 417, 431, and 435. Specifically, the FAA proposes to provide performance-based requirements for safety-critical systems, including fault tolerant design, design qualification testing, hardware acceptance testing, and the verification of flight environments to assess the lifecycle of safety-critical systems for reuse purposes. Under proposed § 450.143, all safetycritical systems would be required to meet these requirements, including a FSS that also would be required to meet the additional requirements of proposed § 450.145. By having a consistent set of overarching requirements regulating the design, testing, and documentation of safety-critical systems and hardware, the FAA anticipates that applicants would be enabled to implement new risk-mitigating design strategies under a clear and consolidated regulatory regime. New technologies that emerge would be covered by the general requirements without causing regulatory delays due to confusion, increasing paperwork burdens required for requesting waivers, or waiting for future rulemaking changes necessary to allow emerging technologies. These criteria would be the standards for demonstrating that such systems can survive and perform to an adequate level of safety in all operating environments. The ARC recommended that better standards need to be developed regarding safety-critical systems. The ARC pointed out that there is no single process or procedure that documents an acceptable way to go through a system design and determine safety-criticality, and it asked for better guidance on safety-criticality, given that usually industry views criticality more from a mission assurance point of view. More generally, the ARC requested a more performance-based regulatory regime, with a clearer focus on safety and greater flexibility for novel operations. In regards to reuse and maintenance, the ARC suggested that requirements should be focused on maintaining reliability of inputs. The ARC specifically called out the section E417.13 requirement to VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 remove and recomplete acceptance testing prior to reuse of flight safety system components between each flight as an untenable burden both in terms of cost and time. Furthermore, the ARC also noted that continued acceptance testing of flight hardware to predict environmental levels plus margins puts undue strain on flight systems and can significantly reduce their lifespan. To remedy the confusion resulting from a current lack of regulatory clarity for RLVs and reentry vehicles, proposed § 450.143(c) and (d) would explicitly require qualification testing of the design and acceptance testing of the safety-critical flight hardware. To remedy the implied design constraints of current detailed requirements for ELVs, proposed § 450.143(c) and (d) would be general, high-level requirements for demonstrating the performance of safety-critical system design, and that the system is operational and free from defects and errors. Specifically, proposed § 450.143(c) would require an operator to functionally demonstrate 85 the design of a vehicle’s safety-critical systems at conditions beyond its predicted operating environment. The design qualification tests should include enough margin beyond predicted operating environments to demonstrate that the system design can tolerate manufacturing variance or environmental uncertainties without performance degradation. Proposed § 450.143(d)(1) would require operators to perform a functional demonstration of any safetycritical systems by exposing them to their predicted operating environment with margin. The performance of the flight hardware during the test would be required to demonstrate that the flight units are free of defects, integration or workmanship errors, and are ready for operational use. Alternatively, an applicant would be able to comply with proposed § 450.143(d)(2) instead of proposed § 450.143(d)(1). If an applicant chooses to comply with proposed § 450.143(d)(2), it would be required to ensure functional capability and that the flight hardware remains free from error and defect during its service life through a combination of in-process controls and a quality assurance process. This flexible approach to acceptance testing would relieve some of the burdens of a traditional acceptance testing regime and would add clarity that these demonstrations are required for all safety-critical flight hardware. 85 Functional demonstration is generally achieved through testing. PO 00000 Frm 00031 Fmt 4701 Sfmt 4702 15325 Proposed § 450.143 would clearly state the requirements for all safetycritical system components and eliminate the ambiguity that exists in the current regulations regarding required testing of safety-critical system components that are not a part of an FSS. While FSSs are safety-critical systems, their criticality requires additional requirements beyond proposed § 450.143. The consolidated performance requirements for FSS components are detailed in proposed § 450.145, and are discussed in the ‘‘Flight Safety System’’ section of this preamble. As the proposed rule seeks to make the safety requirements of § 450.143 applicable to all commercial space launch and reentry vehicles, there should be better clarity across the industry and the government regarding what is required of safety-critical systems for both design qualification testing and flight hardware acceptance testing. Also, as recommended by the ARC, the FAA’s proposal would allow for the possibility of other forms of acceptance testing methodologies and quality controls, subject to approval of the FAA, for safety-critical components that are not directly covered by the flight safety system requirements. This option should enable new business practices but maintain the safety verification necessary to ensure public safety. The ARC did not speak specifically to fault tolerant design but did indicate that vehicle reliability and architecture should be considerations in the FAA’s evaluation of novel systems. Proposed § 450.143(b) would require an applicant’s safety-critical system to be designed so that no single credible fault would impact public safety. This proposal would provide clarity to the scope of the requirement of faulttolerance by defining it as an explicit design performance requirement. It would replace many specific prescriptive requirements in part 417’s subpart D and appendices D and E with a single general performance requirement and clarify the scope of applicability for RLV and reentry vehicle applicants. Additionally, by requiring only that the safety-critical systems be designed to be fault tolerant so that no single credible fault can lead to increased risk to public safety, the proposed regulations would allow flexibility as to the method an operator uses to comply with the requirements. For example, the FAA anticipates that an operator might choose to comply with proposed § 450.143(b) with a design that provides for redundancy for systems that can be duplicated or E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15326 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules through damage-tolerant design for those safety-critical systems (like primary structures) that cannot be redundant. It is expected that this flexibility would accommodate technical innovation. Additionally, an operator would be able to satisfy the fault-tolerance requirement by fail-safe designs that have traditionally been approved through ELOS determinations, eliminating the need for applicants to apply for additional FAA review and evaluation. The ARC advised the FAA to focus on verifying the veracity of maintenance processes for reuse, combined with alternatives to acceptance testing on per flight basis. The FAA believes it has addressed the testing alternatives in this NPRM and agrees that the processes and procedures to ensure safety-critical systems are safe for reuse are an important part of lifecycle validation. Given safety-critical systems are essential to public safety, the FAA proposes that an operator would be required to validate predicted operating environments against actual operating environments and assess component life throughout the lifecycle of the safetycritical unit. This validation can be done through an initial fatigue life assessment and continual accounting of remaining components life or through a comprehensive inspection and maintenance program that accounts for damage accumulation and fault detection. Proposed § 450.143(e) would require that predicted operating environments be based on conditions expected to be encountered in all phases of flight, recovery, preparation, and transportation. It would also require an operator to monitor the environments experienced by safety-critical systems in order to validate the predicated operating environment and assess the actual component life left or to adjust inspection periods. While the system safety and FSS approaches to reuse can further define specific requirements, the FAA proposes more general requirements on the operator to account for the complete lifecycle of each safetycritical system, considering the design, testing, and use of safety-critical components. Allowing operators to determine a proposed lifecycle for a safety-critical system, to demonstrate operational capabilities and environmental endurance through testing, to devise processes for monitoring the lifecycle of the safetycritical system, and setting criteria and procedures for refurbishment or replacement allows operators flexibility in their business plans. Having this flexibility would allow applicants to VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 demonstrate to the FAA how they would ensure reused safety-critical components will not degrade in performance. The FAA anticipates that such a demonstration would include elements such as qualification of the design for its intended lifetime; acceptance testing to screen components; monitoring of environmental levels during use; and monitoring component health through inspections for either disposal or refurbishment. While the lifecycle management requirement would give the applicant flexibility on implementation, the proposed rule would require applicants to consider the implementation details such as maintenance, inspection, and consumable replacement. With the flexibility of the top-level requirement, applicants could continue to employ rigorous, per flight acceptance testing of safety-critical components, or with enough flight data they may be able to employ a system more similar to commercial aviation where flown components can be assessed in light of the actual operating environment and planned component reuse does not require component testing on a per flight basis. Monitoring of environments and assessment of safety-critical hardware for reuse is expected to affect the probability of failure that would feed back into FSAs as a check that risk to public safety is not increased. These flexible, top-level requirements for safety-critical systems would make explicit the currently implicit reuse requirements of parts 431 and 435’s system safety process, improving regulatory clarity and operational flexibility, while still requiring the important planning, monitoring, and assessments necessary to ensure public safety. To demonstrate compliance with the proposed performance requirements, the FAA proposes clear application requirements in § 450.143(f). As in the current § 431.35(d)(3) and (5), an applicant would have to describe and diagram all safety-critical systems in its application. Similar requirements exist for ELV flight safety systems of part § 415.127(b) and (c). Section 450.143(f)(3) also would require a summary of the analysis detailing how applicants arrived at the predicted operating environment and duration for all qualification and acceptance testing. This is current practice, and proposed § 450.143(e) makes this requirement explicit for RLVs and reentry vehicles. The proposed requirements are also more generalized and adaptable than the current component-level requirements for ELVs. Under proposed PO 00000 Frm 00032 Fmt 4701 Sfmt 4702 § 450.143(f)(4) and (5), applicants would be required to detail their plans for lifecycle monitoring by describing any instrumentation or inspection processes used to assess reused safety-critical systems, and the criteria and procedures for any service life extension proposed for those system components. Much like the rest of the FAA’s proposal, applicants of any vehicle type are already expected to provide this information, but the requirements have been distilled into high-level, generalized requirements to allow for maximum operational flexibility while still identifying the inputs the FAA needs to verify compliance with the safe performance and operation requirements. While FSSs are additionally subject to the requirements of proposed § 450.145, the proposed requirements for safety-critical systems would clarify existing practice and enable novel concepts of safety and safety-critical design. 2. Flight Safety System An FSS is an integral tool to protect public health and safety and the safety of property from hazards presented by a vehicle in flight. An FSS allows an operator to exercise positive control of a launch or reentry vehicle, allowing an operator to destroy the vehicle, terminate thrust, or otherwise achieve flight abort. An extremely reliable FSS that controls the ending of vehicle flight according to properly established rules nearly ensures containment of hazards within acceptable limits. For that reason, the FAA considers an FSS a safety-critical system. The FAA currently requires an FSS for ELVs. Most RLVs—aside from unguided suborbital vehicles utilizing a wind weighting system or certain vehicles where the vehicle’s operation is contained by physics—derive from the system safety process the need for some FSS to mitigate flight hazards. Traditional FSSs for ELVs are comprised of an onboard flight termination system (FTS), a groundbased command and control system, and tracking and telemetry systems. Historically, the flight safety crew monitoring the course of a vehicle would send a command to self-destruct if the vehicle crossed flight safety limit lines and in doing so threatened a protected area. Redundant transceivers in the launch vehicle would receive the destruct command from the ground, set off charges in the vehicle to destroy the vehicle and disperse the propellants so that an errant vehicle’s hazards would not impact populated areas. While this method of flight abort through ordnance is conventional, the FAA currently does E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules not require an FSS to be destructive, as made explicit in the definitions of FSS in both §§ 401.5 and 417.3. There has been some innovation in FSSs—thrust termination systems are used frequently and most RLVs can demonstrate regulatory compliance with part 431 with a safety system that achieves a controlled landing in the event of an aborted flight. As the commercial space transportation industry has matured, operators have proposed FSS alternatives. These alternative approaches include fail-safe single string systems that trade off mission assurance and redundancy, other fail-safe consequence mitigation systems, and dual purpose systems such as FSSs that reuse the output of safetycritical GPS components for primary navigation avionics. These alternative approaches are not well governed by the existing regulations. amozie on DSK9F9SC42PROD with PROPOSALS2 i. Current Regulatory Framework for FSS The present ELV licensing requirements in parts 415 86 and 417 include lengthy and detailed requirements for the performance of an FSS and its components, as well as detailed testing and reporting requirements. These requirements were originally adopted to match current practices at Federal ranges. Section 417.107(a) identifies the need for an FSS while subpart D (§§ 417.301–417.311) identifies the performance requirements of an FSS and its component systems. Appendices D 87 and E 88 include 86 Part 415 contains the application requirements to demonstrate compliance with part 417 and the test report requirements to demonstrate compliance with the relevant appendices of part 417. Specifically, § 415.127 requires detailed descriptions and diagrams of the FSS and subsystems, a list of all system components that have a critical storage or service life, detailed descriptions of controls and displays, the system analyses of § 417.309, demonstration of compliance with the performance requirements, installation procedures, and tracking and monitoring validation procedures. Applicants must file all preliminary design data no later than 18 months before bringing any launch vehicle to a proposed launch site. 87 Appendix D lists very detailed performance requirements and design reliability requirements including fault tolerance and redundancy, environment survivability requirements, radio command destruct parameters, remote and redundant safing mechanisms, positively controlled arming mechanisms, installation procedures, and system health monitoring. It also requires vehicles to have an automatic or inadvertent separation destruct system for any stage that does not possess a complete command destruct system but is capable of reaching a protected area before the planned safe flight state. 88 Appendix E to part 417 contains the tests and analysis requirements to verify the performance requirements of FTSs and their components. It contains detailed component level charts for acceptance and qualification performance testing, including the number of samples (or percentage of VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 prescriptive FSS design, performance, testing, and analysis requirements. Under part 417, an FSS must consist of an FTS, a command and control system,89 support systems (like tracking and telemetry),90 and identification of the functions of any personnel who operate FSS hardware or software.91 Together, these requirements allow for a very limited range of FSS concepts because they are primarily focused on containment of hazards by destruction of the vehicle or stage. Section 417.301(b) permits applicants to propose alternative FSSs, which do not need to satisfy one or more of the prescriptive requirements of subpart D of part 417. This provision is intended to enable greater flexibility for innovation without negatively impacting safety. The FAA approves an alternative FSS if an operator establishes through a clear and convincing demonstration that a launch would achieve an equivalent level of safety to an operation that satisfies all of the existing FSS requirements. Alternative FSS, like traditional FSS, must still undergo rigorous analysis and testing to demonstrate the system’s reliability to perform each intended function. Unlike ELVs, RLVs are not explicitly required to have an FSS, but the requirement for an FSS and its reliability requirement is derived as an essential hazard mitigation from a robust system safety process under part 431. This requirement falls under the § 431.35(c) requirement for applicants to use a system safety process to identify the hazards and mitigate risks to public health and safety under non-nominal flight of the vehicle and payload. An the lot) that must undergo each test type. The testing plans must detail the environment, equipment, pass/fail criteria, measurements, other testing parameters, and any analyses planned in lieu of testing. 89 A command control system transmits a command signal that has the radio frequency characteristics and power needed for receipt of the signal by the flight termination system onboard the launch vehicle. The command control system must include equipment to ensure that an onboard flight termination system will receive a transmitted command signal and must meet specific performance requirements in § 417.303. 90 Currently, under § 417.307 an FSS must include two independent tracking sources and provide the launch vehicle position and status to the flight safety crew from liftoff until the vehicle reaches its planned safe flight state. Additionally, data processing, display, and recording systems must display, and record, raw input and processed data at no less than 0.1 second intervals. 91 As part of the current requirements for an FSS, § 417.311(a) requires human intervention capability for flight termination to be initiated by flight safety crew. Therefore, § 417.307 requires design, test, and functional requirements for systems that support the functions of a flight safety crew, including any vehicle tracking system. PO 00000 Frm 00033 Fmt 4701 Sfmt 4702 15327 acceptable system safety analysis identifies and assesses the probability and consequences of any reasonably foreseeable hazardous event and safetycritical system failures during launch flight that could result in a casualty to the public. Based on current practice, most RLVs must have some method to reliably achieve flight abort to fully mitigate flight risks and consequences, either in the form of a pilot that can safely abort flight using system controls, a more traditional FSS that is designed and tested in the same manner as is required for ELVs, or a system that can meet the requirements for an alternative FSS under § 417.301(b). The lack of an explicit requirement for an FSS in part 431 often leads to confusion regarding what is expected for applicants mitigating hazards through flight abort. Reentry vehicles under part 435 are also subject to a system safety process to identify hazards and mitigate risks to public health and safety under nonnominal flight of the reentry vehicle and any payload. Because § 435.33 points to part 431, an acceptable system safety analysis for reentry also assesses the probability and consequences of any reasonably foreseeable hazardous events during the reentry flight that could result in a casualty to the public. Unlike part 431, most part 435 reentries do not require an FSS because it is generally accepted that, if controlled reentries become uncontrolled, the vehicle is unlikely to substantially survive reentry. Due to the nature of the hazards associated with reentry, and since breakup is expected for non-nominal reentries, an FSS often cannot significantly ameliorate a reentry flight’s risk or consequence. A reentry applicant must still account for the possibility of a random reentry in its risk analysis after attempting a reentry burn. ii. Autonomous Systems Current regulations do not allow an operator to rely solely on an autonomous system to terminate a flight. At the time of their publication, human control capability was considered critical to safety because neither software nor hardware had been proven reliable to make flight termination decisions. Since that time, the FAA has approved the use of autonomous FSSs for ELVs by finding that they can meet the requirements of an alternative FSS under § 417.301(b). Applicants were able to demonstrate that the autonomous FSS achieved an equivalent level of safety to a launch with a human-in-the-loop as the risk to public safety was extremely low and the autonomous system had been flight tested in shadow mode. In past E:\FR\FM\15APP2.SGM 15APP2 15328 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 rulemakings, the FAA has made clear that, in requiring human intervention capability for activation of an FSS, the FAA did not intend to foreclose development or use of autonomous systems. However, despite those assurances and the FAA findings of equivalent safety, current FAA regulations still expressly require that a capability exist for a person to intervene and make decisions for FSS activation. The FAA is proposing to update the regulations to match the current practice of allowing autonomous FSSs. By removing the outdated requirements for a human in-the-loop, the FAA believes that it would encourage further innovation without negatively impacting safety. The consequence analysis and reliability thresholds would continue to hold any potential autonomous FSS to the rigorous standards previously required of a human-initiated FSS, and the software as part of the autonomous FSS must be demonstrated to meet reliability requirements. With the recent advancements of the requisite technology and the performance constraints of the FSS, the FAA is confident that it is beneficial both to the commercial space transportation industry and public safety to explicitly allow flight abort to be governed by capable autonomous systems. iii. Current Requirement for Reliability of a FSS Each FTS and command and control system must satisfy the predicted reliability requirement of 0.999 at the 95 percent confidence level. For FSSs on both ELVs and RLVs, there are effectively only two methods of currently demonstrating that a system meets reliability standards. The first method is to test 2,995 units at expected operating environment levels with 0 failures to demonstrate a 0.999 design reliability at a 95 percent confidence level. Given the cost of FSS components, the cost of testing, and the time required to conduct such tests, this is not practicable. The second method arises out of RCC 319. The FSS requirements codified in part 417, including component performance requirements, and acceptance and qualification testing, were originally written to align FAA launch licensing requirements with the Federal launch range standards in RCC 319. Like part 417, RCC 319 requires qualification tests to demonstrate reliable operation in environments exceeding the expected operating environment for the system components, acceptance tests to demonstrate that the selected batch of VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 components meets the requirements of the design specifications, and other preflight testing at the system or subsystem level to demonstrate functionality after installation. The benefit of the part 417 and RCC 319 method is that for qualification tests, generally only three test units are required. Three units are required instead of many more because the units are tested with margin above their predicted operating environment. Testing three units with the margin specified achieves the required reliability and confidence levels of 0.999 design reliability at 95 percent confidence level, rather than having to test 2,995 units at the predicted operating environment with no margin. iv. Proposed Reliability Standards for FSS Given the FAA anticipates that most commercial space vehicles will continue to control flight hazards through the use of FSSs, the FAA proposes in § 450.145 to continue to require a very reliable FSS in most instances. Under the current regulations, FSS not only enable an operation to meet the collective and individual risk criteria during flight but also protect against low-probability but high-consequence events near the launch site or when flying over populated areas. As previously discussed, the FAA’s proposal to quantify these low-probability but highconsequence events as CEC in proposed § 450.101(c) would clearly delineate which operations are required to use an FSS to control for risks and consequences.92 The CEC calculation is the consequence, measured in terms of EC, without regard to the probability of failure. The underlying intent of the current prescriptive requirements was to have an FSS that could reliably perform flight abort to restrict hazards from reaching populated or otherwise protected areas. The FAA also recognizes that vehicles operating in remote areas are less likely to have significant consequences in the case of a flight failure. For operations where the consequence of a flight failure is less, the FAA has determined that, while still being highly reliable, the FSS may not need to be as highly reliable as 92 As noted earlier, only operations that have a predicted consequence of 1 × 10¥3 CEC or above for uncontrolled areas for each reasonably foreseeable vehicle response mode in any one-second period of flight would be required to implement an FSS to abort flight as a hazard control strategy. An FSS would not be required for operations that can be shown to have a predicted consequence of less than 1 × 10¥3 CEC; however, a hazard analysis would be required for any operations without a FSS or demonstrable physical containment. PO 00000 Frm 00034 Fmt 4701 Sfmt 4702 an FSS for a vehicle operating in an area where the consequence of a flight failure is higher. Generally, this proposed relaxation of the FSS reliability requirement—based on reduced potential consequence—is expected to be applicable to operations launching or reentering in remote locations or for stages that do not overfly population centers. In order to achieve these scalable, performance-based requirements, proposed § 450.145(a) would contain two reliability standards for an FSS. Proposed § 450.145(a)(1) would require any operator with a consequence of 1 × 10¥2 CEC or greater in any uncontrolled area for any vehicle response mode to employ an FSS with the standard design reliability of 0.999 at 95 percent confidence and commensurate design, analysis, and testing. This reliability standard would be consistent with various sections of part 417, in particular § 417.309(b)(2), that require major FSS component systems, such as onboard flight termination systems and ground-based command control systems, to be tested to demonstrate 0.999 design reliability at 95 percent confidence. This reliability threshold would have to be demonstrated for the operation of the entire system, including any systems located on-board the launch or reentry vehicle, any ground-based systems, and any other component or support systems. Alternatively, in order to make regulations adaptable to innovative operations while maintaining appropriate levels of safety, operations with lower potential consequences would require an FSS with less demonstrated design reliability at the same confidence. Proposed § 450.145(a)(2) would require any operator with a consequence of between 1 x 10¥2 and 1 × 10¥3 CEC in any uncontrolled area for any vehicle response mode to only employ an FSS with design reliability of at least 0.975 at 95 percent confidence and commensurate testing. The FAA considered simply setting the proposed § 450.145(a)(2) threshold an order of magnitude lower, at 0.99 design reliability with a 95 percent confidence, to reflect the order of magnitude less CEC from the consequence analysis. Absent other standards to demonstrate compliance with the reliability threshold, that would mean testing 299 units with 0 failures, instead of testing 2,995 units with 0 failures. However, in consultation with NASA and Air Force representatives in the CSWG, the FAA has elected to propose that the reduced reliability threshold should be set at E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules 0.975 design reliability with a 95 percent confidence for lower consequence vehicles. While there are no established standards to demonstrate the 0.975 reliability number, that threshold is consistent with reliability parameters in RCC 324 and represents existing single string flight reliability requirements. The FAA is confident that industry associations will develop consensus standards regarding design and testing that sufficiently demonstrate that a novel FSS design meets this reliability threshold. Until such time as an industry standard is established, proposed § 450.145(a)(2) in practice may result in single string or equivalent FSSs being approved for operations in remote areas or for phases of flight that do not overfly populated areas. Similar to FSS that must meet the more reliable threshold, all means of compliance would be required to be accepted by the FAA in accordance with proposed §§ 450.145(b) and 450.35. These proposed reliability requirements would replace the existing launch and reentry FSS licensing requirements on all commercial space transportation missions. However, the FAA anticipates that, with the consequence analysis driving the requirement to have an FSS, most reentry operations would continue to not require an FSS as is the current case under part 435. For launch operators, applicants would still be required to demonstrate the reliability by submitting to review of their design, testing, and analysis. Operators would still be required to monitor the flight environments actually experienced by their FSSs in accordance with proposed § 450.145(c) to corroborate the qualification test data submitted to the FAA. Proposed part 450 would consolidate and clarify the performance requirements for future FSSs. In doing so, the FAA anticipates that some operations will be relieved of the burden of unnecessarily stringent FSS reliability requirements and that some operations will be able to utilize innovative concepts to achieve flight abort. By appropriately scaling FSS reliability to consequence analysis, the FAA expects to see the emergence of new industry standards, increased use of autonomous FSSs, and no measurable adverse impact to public health and safety or the safety of property. There is expected to be no measurable adverse impact to public health and safety or the safety of property because the lowered reliability threshold will only apply to launches and reentries which would not create significant consequences, given a VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 flight failure. Furthermore, while rigorous tests and analysis should still be expected for most FSSs, FAA regulations would no longer prescribe a particular form of FSS. The proposed performance measure of reliability to achieve safe flight abort to meet collective and individual risk limits and to mitigate the possibility of low probability but high consequence events is the best method for maintaining safety while scoping FAA regulations to govern only the function, not the form, of FSSs. v. FSS Design, Testing, and Documentation Requirements Applicants using a FSS of any reliability threshold would be required to meet the proposed § 450.143 safetycritical system design, test, and documentation requirements discussed previously. As an FSS will always be considered a safety critical system, any operator utilizing an FSS must comply with the requirements to design their system as fault tolerant, conduct qualification and acceptance testing, and provide evidence to validate predicted operating environments and component life. Proposed § 450.145(d) would include the application requirements for an FSS. Similar to the current part 415 requirements, proposed § 450.145 would require applicants to describe the FSS, including its proposed operation, and diagram the FSS in detail. The FAA’s intent is to make these requirements less prescriptive than current regulations and also to allow more flexible time frames. Proposed § 450.145(d) would require applicants to submit any analyses reports and acceptance, qualification, and preflight test plans used to demonstrate that the reliability and confidence levels are met. Any test plans or documentation would be required to detail the planned test procedures and the test environments. Further, an applicant would have to submit procedures for validating the accuracy of any vehicle tracking data utilized by the flight safety crew or the FSS to make the decision to abort flight. While proposed § 450.145(d) consolidates these application requirements and removes prescriptive component-level design requirements, the proposed regulations would not require substantially different information than the FAA requires today to demonstrate that FSSs meet performance standards and will undergo the required testing prior to flight. vi. Reporting Requirements Under the preflight reporting requirements in proposed § 450.213(d), PO 00000 Frm 00035 Fmt 4701 Sfmt 4702 15329 operators would be required to submit, or to provide the FAA access to, any test reports associated with the flight safety system test plans approved during the application process. These reports must be submitted or made available no less than 30 days before flight unless the Administrator agrees to a different time frame under § 404.15. In the reports, licensees would have to clearly show that the testing results demonstrate compliance with the reliability requirements in proposed § 450.145(a). This is current practice under § 417.17(c)(1) and (4) through (6). To show the FSS is in compliance and can support the mission as intended, FSS reports would continue to be required to include testing reports that detail the results of the approved subsystem and component-level testing, including any failures, any actions necessary to correct for any failures, actual testing environment showing sufficient margin to predicted operating environments, and a comparison matrix of the actual qualification and acceptance test levels used for each component compared against the predicted flight levels for each environment. Proposed § 450.213(d)(4) would require licensees to report any components qualified by similarity analysis or some combination of analysis and testing. Preflight reporting is necessary to demonstrate compliance with the test plans approved in the application and to demonstrate that the FSS meets the reliability threshold prior to flight. Proposed § 450.215 (Post-Flight Reporting) would continue to require licensees to submit a post-flight report no later than 90 days after an operation if there were any anomalies in the flight environment material to public health and safety and the safety of property, including those experienced by any FSS components; a practice currently required by § 417.25(c). RLV operators licensed under part 431 are not currently required to submit a postflight report identifying anomalies that are material to public safety and corrective actions, but the added burden is expected to be minimal. To accurately report any such anomalies so that they may be corrected in future flights, operators would also be required to monitor the FSS during each flight, in accordance with proposed § 450.145(c). Any anomalies experienced by the FSS would be considered material to public health and safety and the safety of property and, therefore, would need to be included in post-flight reporting. E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15330 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules vii. ARC Recommendations The ARC suggested that, in a performance-based licensing scheme, the regulations should be flexible with regard to FSSs and allow an operator to propose a means of achieving the performance metric without dictating a specific hardware approach. For example, the ARC recommended that an operator should be able to propose an alternative to having a destruct flight termination system. While, the FAA believes that the current regulations allow for non-destructive FSSs, it acknowledges that the preponderance of the existing prescriptive requirements address FSSs that terminate flight through destructive means. The ARC recommended the current prescriptive requirements be moved to a guidance document. As discussed previously, the FAA intends to recognize RCC 319 as the accepted means of compliance in demonstrating that a FSS has a design reliability of 0.999 at 95 percent confidence. The RCC 319 document would maintain the common standards between all Federal launch and reentry safety authorities but also would be updated periodically to address the evolving space transportation industry. Industry could also develop new means of compliance in the future, as discussed below. The ARC also recommended that an FSS should not be required, proposing instead that an operator should only be required to meet risk calculations in the FSA and may do so by utilizing a FSS. The FAA disagrees that an FSS should not be required, as there are other safety factors to be considered beyond simple individual or collective risk, namely, the consequence of a failure as discussed earlier. However, the FAA has attempted to propose more flexible regulations that would allow some operations to be licensed without an FSS, or with novel concepts of FSS, or an FSS that may require less extensive demonstration of reliability. In quantifying the low probability but high consequence events that necessitate an FSS beyond collective and individual risk limits, the FAA intends to more clearly delineate when it would be appropriate for an operation to forego an extremely reliable FSS or an FSS completely. If an FSS is not required, the applicant would be required to demonstrate that hazards are contained or mitigated through a hazard analysis and system safety principles. In addition to proposing the acceptability of FSSs with a design reliability of 0.975 at 95 percent confidence, under certain situations, the FAA proposes to indicate more clearly that FSS concept and VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 design is flexible and open to innovation as long as the reliability thresholds for flight abort are met. The ARC also discussed a number of concepts that industry believes should be considered in scaling an FSS’s necessary reliability as determined through the FSA. The ARC pointed specifically to population density, the realm of reasonably foreseeable failures, trajectory, size, and explosive capabilities of the vehicle. The FAA proposes that these factors would be contemplated as a part of the consequence analysis required in the public safety criteria of proposed § 450.101(c), alongside traditional measures of risk. In identifying FSS reliability thresholds pegged to potential consequence, or CEC, the reliability of FSSs is determined through analysis that accounts for factors such as what population centers a vehicle or debris can reach and potential failure modes. The FAA anticipates that this would address the ARC’s recommendation that vehicles with low risk to the public, especially vehicles operating in remote and sparsely populated areas, may require a lower demonstrated reliability. To the question of how an applicant might demonstrate the reliability of an FSS with a less than extremely reliable design that does not otherwise meet current common standards like RCC 319, such as the FAA proposed threshold of 0.975 at 95 percent confidence, the ARC advised that several approaches may already exist. As previously discussed, the less reliable FSS can be demonstrated by testing several hundred units under expected environments, instead of the 2,995 tests required to demonstrate design reliability of 0.999 at 95 percent—but it is still likely that neither is practical or viable for most operators. In their place, alternative standards are necessary to approximate the demonstration of the reliability threshold through less burdensome means. The ARC report pointed to the Air Force Space Command’s Space and Missile Systems Center Standard SMC– S–016, ‘‘Test Requirements For Launch, Upper-Stage and Space Vehicles,’’ as an example of a standard that allows for one unit of qualification testing, instead of the standard three units required by RCC–319.93 The ARC noted that standard may be useful for heritage 93 As one company pointed out in the ARC report, SMC–S–016 and similar standards are for general vehicle testing and do not consider the higher reliability required for FSS, whereas RCC 319 and AFSPCMAN91–710 require additional margins and certainty. The company believes that testing a single unit is not sufficient, unless there was a tradeoff that increased the required test margin. PO 00000 Frm 00036 Fmt 4701 Sfmt 4702 systems that are already considered reliable. The FAA maintains that for 0.999 design reliability at 95 percent, the qualification testing of three or more units may be required to reduce the likelihood of either anomalous test passes or failures. The FAA seeks comment on this approach. The FAA also seeks comment on how SMC–S– 016 could be incorporated as an accepted means of compliance for reliability demonstration of the lower reliability criteria. In discussions with Federal launch range personnel, it has been suggested that testing and analysis requirements in RCC 324 may be a more appropriate basis for evaluating a FSS meeting the lower reliability threshold. The FAA remains interested in identifying standards that are applicable or could be drawn upon to develop means of compliance to the proposed regulations. The FAA is also not foreclosing the idea that vehicles can demonstrate the reliability of the FSS or vehicle through flight history. The ARC pointed out in their report that certain aspects of FSSs can be tested in flight—for example using an autonomous FSS in ‘‘shadow mode’’ on-board a vehicle and testing the system’s function with no ordnance or other active destruct capabilities. The FAA ultimately decided to not propose any explicit requirements pertaining to acceptable flight testing as a means of allowing industry applicants and the FAA to develop new accepted means of compliance in the demonstration of reliability. While the FAA wishes to encourage the innovation and development of novel reliability demonstration standards, the FAA also recognizes that such standards are not currently developed and would require extensive evaluation before they could be accepted as demonstrating fidelity and safety. Because the FSS is so critical to flight safety in the instances where it is required, new reliability and compliance demonstration strategies must be accepted by the FAA prior to application acceptance. In discussing the scalability of FSS requirements, the ARC proposed that the FAA delineate categories of operators and vehicles. The suggested categories included a new vehicle by a new operator, a proven vehicle by an experienced operator, a derived vehicle by an experienced operator, and considerations for vehicle hazard class and population density in operating areas. The FAA considered operator and vehicle categories as a means of scaling FSS reliability requirements as an alternative to consequence analysis, but determined that the relevant measure of public protection indicating the need for E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules an FSS is not experience, but risk and possible consequence. While less experienced operators will likely pose a higher risk, as accounted for in the probability of failure, experience does not account for the potential consequences of a vehicle failure. Experienced operators with experienced vehicle designs can propose operations that still pose a high risk to the public, or an operation with low risk but high potential consequences in the event of a failure. The FAA seeks comment on the proposal to use consequence, not operator experience, as a factor in levelof-rigor. amozie on DSK9F9SC42PROD with PROPOSALS2 K. Other Prescribed Hazard Controls 1. Agreements The FAA proposes to streamline the existing agreement requirements by removing specific requirements for a variety of agreements and procedures and allowing an operator to determine what agreements would be needed for its particular operation. In § 450.147 (Agreements), a vehicle operator would be required to have written agreements with any entity that provides a service or use of property to meet a requirement in part 450. Current § 417.13 requires a launch operator to enter into an agreement with a Federal launch range to have access to and the use of U.S. Government property and services required to support a licensed launch from the facility and for public-safety related operations and support before conducting a licensed launch from a Federal launch range. The Federal launch range arranges for the issuances of notifications to mariners and airmen. Currently, for launches from a nonFederal launch site in the United States, a launch operator must ensure that launch processing at the launch site satisfies the requirements of part 417. For a launch from a launch site licensed under part 420, a launch operator must conduct its operations in accordance with any agreements that the launch site operator has entered into with any Federal and local authorities. These include agreements with the local U.S. Coast Guard district to establish procedures for the issuance of a Notice to Mariners (NTM) prior to a launch and with the FAA air traffic control (ATC) facility having jurisdiction over the airspace through which the launch will take place to establish procedures for the issuance of a Notice to Airmen (NOTAM) prior to the launch and for the closing of air routes during the launch window. For a launch from an exclusive-use site, where there is no licensed launch site operator, a launch VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 operator must satisfy the requirements of part 420. In addition, a launch operator must: (1) Describe its procedures for informing local authorities of each designated hazard area near the launch site associated with a launch vehicle’s planned trajectory and any planned impacts of launch vehicle components and debris; (2) provide any hazard area information to the local U. S. Coast Guard, or equivalent local authority, for the issuance of NTMs and to the FAA ATC office, or equivalent local authority, that have jurisdiction over the airspace through which the launch will take place for the issuance of NOTAMs; and (3) coordinate with any other local agency that supports the launch, such as local law enforcement agencies, emergency response agencies, fire departments, the National Park Service, and the Mineral Management Service. For launches of RLVs under part 431 and reentries under part 435, an operator must enter into launch and reentry site use agreements with a Federal launch range or a licensed launch or reentry site operator that provide for access to and the use of property and services required to support a licensed RLV mission or reentry and public safety-related operations and support. Additionally, an operator must enter into agreements with the U.S. Coast Guard and the FAA regional office that has jurisdiction over the airspace through which a launch and reentry will take place to establish procedures for the issuance of NTMs and NOTAMs. As discussed earlier, there are currently similar requirements under parts 417 and 431 and, by reference, part 435, for agreements to ensure that NTMs and NOTAMs are implemented. Part 417 references part 420, which also contains requirements for these notices and requires operators to describe procedures to ensure that these and other notifications are accomplished. Part 417 requires an operator to execute agreements with multiple entities. None of the current requirements adequately addresses NTMs and NOTAMs when the U.S. Coast Guard or the FAA does not have jurisdiction, such as with launches or reentries from or to foreign or international territories. Currently, these agreements must be in place before a license is issued. However, in practice, the FAA sometimes accepts draft agreements or makes the submission of the executed agreements a condition of the license. Under proposed § 450.147, a vehicle operator would be required to enter into a written agreement with any entity that provides a service or property that PO 00000 Frm 00037 Fmt 4701 Sfmt 4702 15331 meets a requirement in part 450. Such entities would include a Federal launch range operator, a licensed launch or reentry site operator, any party that provides access to or use of property and services required to support a safe launch or reentry under part 450, the U.S. Coast Guard, and the FAA. Other entities that provide a service or property could also include local, state, or federal agencies, or private parties. For instance, a local fire department might provide a standby service to control a possible fire, a state agency could provide any number of services such as road closures, and NASA might provide telemetry capability. Although agreements with local agencies, for example, may be necessary to ensure public safety, the FAA believes that it is overly prescriptive to list in regulation the specific entities with which each operator must enter into an agreement. This proposal would require an operator to enter into only those agreements necessary for its particular operation. If an operator works with multiple entities to satisfy requirements in proposed part 450, it would need multiple agreements. However, if agreements required under this proposed section are already addressed in agreements executed by the site operator, an operator would only need to enter into agreements with either the Federal launch range or other site operator and any entity with which the site operator does not perform the necessary coordination. In particular, Federal launch ranges almost always arrange for the issuance of NTMs and NOTAMs for launches.94 The proposal also contemplates agreements between a maritime or aviation authority other than the U.S. Coast Guard or the FAA. Unless otherwise addressed in agreements with the site operator, the proposed rule would require an operator to enter into such agreements for a launch or reentry that crosses airspace or impacts water not under the jurisdiction or authority of the U.S. Coast Guard or the FAA. Section 450.147(b) would require all agreements to clearly delineate the roles and responsibilities of each party in order to avoid confusion concerning responsibility for executing safetyrelated activities. Section 450.147(c) would require all agreements to be in effect before a license can be issued. However, as noted earlier, the FAA recognizes that agreements might not be finalized by the time the FAA is 94 Typically, Federal ranges do not arrange for the issuance of NTMs and NOTAMs for the disposal of a launch vehicle from orbit or the reentry of a reusable launch or reentry vehicle. E:\FR\FM\15APP2.SGM 15APP2 15332 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 prepared to make a licensing determination. Therefore, the regulation would allow an operator to request a later effective date, contingent upon the Administrator’s approval. An operator could do this by providing the FAA the status of the negotiations involving the agreement including any significant issues that require resolution and the expected date for its execution. Under proposed § 450.147(d), an applicant would be required to describe each agreement in its vehicle operator license application. An applicant should clearly delineate the roles and responsibilities of each party to the agreement to support a safe launch or reentry. The applicant would also need to provide a copy of any agreement, or portion thereof, to the FAA upon request. The FAA recognizes that some portions of agreements may contain business-related provisions that do not pertain to FAA requirements. Those portions would not be required. The FAA seeks comment on its proposed approach to agreements. 2. Safety-Critical Personnel Qualifications The FAA proposes to remove the certification requirements found in §§ 417.105, 417.311, and 415.113 and replace them with performance-based requirements in § 450.149 (SafetyCritical Personnel Qualifications). Section 450.149 would require qualified personnel to perform safety-critical tasks for launch and reentry operations. The FAA also proposes to expand personnel qualification requirements to ensure that safety-critical personnel are qualified to perform their assigned safety tasks. An operator must qualify and train its safety-critical personnel in performing their safety-critical tasks for all vehicle and license types because training mitigates the potential for human error during safety-critical operations. Currently, the FAA requires a personnel certification program in part 417 for personnel that perform safety-related tasks. Specifically, § 417.105 requires that a launch operator employ a personnel certification program that documents the qualifications, including education, experience and training, for each member of the launch crew. The launch operator’s certification program must include annual reviews and revocation of certifications for negligence or failure to satisfy certification requirements. Section 415.113 requires an operator to submit a safety review document that describes how the applicant will satisfy the personnel certification program requirements of § 417.105 and identify VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 by position individuals who implement the program. The document must also demonstrate how the launch operator implements the program, contain a table listing each hazardous operation or safety critical task certified personnel must perform, and include the position of the individual who reviews personnel qualifications and certifies the personnel performing the task. In § 417.105(b), an operator is required to review personnel qualifications and issue individual certifications. The intent behind this requirement was to ensure that qualified people perform the required safety tasks. Neither part 431 nor part 435 have a personnel certification program requirement or any personnel training requirement; however, the need for personnel qualifications is a natural outcome of the system safety process. The FAA recognizes that the current regulations in part 417 are inflexible and that using a certification program is not the only method to ensure qualified personnel perform safety-critical tasks. Operators may use other methods to verify all training and experience required for personnel to perform a task is current. For example, an operator may maintain training records to document internal training and currency requirements or completion standards for its safety critical personnel. An operator’s issuance of individual certifications does not itself enhance public safety. If the personnel are qualified through training and experience for each safety task performed, additional certification is unnecessary because no additional training is required for an individual to be issued a certification. Removing the certification requirement would also reduce cost to the industry by removing the two-step process to allow qualified personnel to perform safety-related tasks. Additionally, the flight safety crew roles and qualifications requirements in § 417.311, are prescriptive. Section 417.311(a) requires a flight safety crew to document each position description and maintain documentation of individual crew qualifications, including education, experience, and training, as part of the personnel certification program of § 417.105. Section 417.311(b) describes the roles of the flight safety crew and explicitly states subjects and tasks that the crew must be trained in and references the certification program. Finally, § 417.311(c) requires the flight safety crew members to complete a training and certification program to ensure familiarization with launch site, launch vehicle, and FSS functions, equipment, PO 00000 Frm 00038 Fmt 4701 Sfmt 4702 and procedures related to a launch prior to being called on to support a launch. It also requires a preflight readiness training and certification program be completed and prescribes the content that must be included in such training. The current regulations are a burden to operators because they focus on FSSs and do not account for evolving technologies, including autonomous FSSs. Removing the prescriptive requirements in § 417.311 and replacing them with performance-based requirements would alleviate this burden. The ARC recommends that the proposed regulation ensure that the applicant has a structure in place to protect public safety, and that the FAA use current requirements as guidelines for evaluation and approval when necessary. The FAA agrees that the regulations should ensure that personnel performing tasks that impact public safety are qualified to perform those tasks. As the industry grows and operations become more frequent and varied, operators need greater flexibility in operational practices. Employing a qualification program to ensure personnel performing safety-critical tasks are trained is one factor in protecting safety of public and public property. Therefore, the FAA proposes to remove the requirements for a certification program described in §§ 415.113 and 417.105 and replace the prescriptive requirements of § 417.311 with performance-based requirements that capture the intent of the current regulations—to ensure that an operator’s safety-critical personnel are trained, qualified, and capable of performing their safety critical tasks, and that their training is current. Under proposed § 450.149, an applicant would be required to identify in its application the safety-critical tasks that require qualified personnel and provide its internal training and currency requirements, completion standards, or any other means of demonstrating compliance with proposed § 450.149(a). The proposed performance-based requirements would allow each operator to identify the safety-critical operations and personnel needed for the operation. It would also allow an operator to determine what training, experience, and qualification should be required for each safety-critical task. The FAA would consider any task that may have an effect on public safety and meets the definition of safety-critical found in § 401.5 subject to the requirements of § 450.149. These tasks would include, but are not limited to, operating and installing flight safety system hardware, E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 operating safety support systems, monitoring vehicle performance, performing flight safety analysis, conducting launch operations, controlling public access, surveillance, and emergency response. With the many different kinds of operations currently underway, an operator is in the best position to identify the operations, personnel, and training needed for its operation. The FAA would also require that an operator ensure personnel are qualified, and that those qualifications are current, without requiring certification. The regulation would require proper training of personnel and verification that each person performing safety critical tasks is qualified. Under § 450.149, an applicant would be required to document all safety-critical tasks and internal requirements or standards for personnel to meet prior to performing the identified tasks during the application phase. The applicant would be required to provide internal training and currency requirements, completion standards, or any other means of demonstrating compliance with the requirements of § 450.149 in its application. The applicant would also be required to describe the process for tracking training currency. In the event that a person’s qualification was not current, either because their qualification does not meet the training currency requirements detailed in the application or because a new process or procedure has been instituted that has made the training inaccurate or incomplete, the individual would not be qualified to perform safety-related tasks specific to the expired qualification. Lastly, part 460 contains training and qualification requirements for flight crew. Compliance with these requirements would meet the training and qualification requirements in proposed § 450.149 for flight crew. 3. Work Shift and Rest Requirements The FAA proposes to combine the rest requirements of §§ 417.113(f) and 431.43(c)(4)(i) through (iv) into proposed § 450.151 (Work Shift and Rest Requirements) which would require an applicant to document and implement rest requirements that ensure personnel are physically and mentally capable of performing tasks assigned. An applicant would be required to submit its rest rules during the application phase. Personnel involved in the launch or reentry of expendable and reusable vehicles need to be physically and mentally capable of performing their duties, especially those people making decisions or performing operations that VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 affect public safety. Fatigue can degrade a person’s ability to function and make the necessary decisions to conduct a safe launch or reentry operation. Since the FAA started requiring rest rules, there have been no incidents resulting from fatigue during a licensed launch or reentry. To maintain this level of safety, the FAA proposes to continue requiring rest rules in order to prevent fatigue and ensure operator personnel can perform their duties safely. A 1993 NTSB investigation of an anomaly that occurred during a commercial launch from a Federal launch range found a high probability that fatigue and lack of rest prior to launch operations contributed to mistakes that resulted in the vehicle initiating flight while the range was in a no-go condition.95 Launching in a nogo condition increases risk to the public because the vehicle operates outside of established boundaries and analysis. The NTSB found that the person who decided to proceed with the launch was not given enough time to rest after working extra hours the previous day. In addition, the launch was scheduled for early in the morning so the on-console time was around 2:00 a.m. The NTSB report recommended instituting rest rules that allow for sufficient rest before the launch operation. As a result of the 1993 NTSB report, the FAA issued rest rules in its 1999 final rule. The 1999 final rule required an applicant to ensure that its flight safety personnel adhere to Federal launch range rest rules. In its 2000 final rule for RLVs, the FAA required rest rules, in § 431.43(c)(4), similar to the Air Force work and rest standards for launches and the FAA’s ELV requirements.96 The specific and detailed requirements set forth in § 431.43(c)(4) fail to account for the various factors that can affect crew rest such as the time of day of an operation, length of preflight operations, and travel to and from the launch or reentry site. 95 Special Investigation Report: Commercial Space Launch Incident, Launch Procedure Anomaly Orbital Sciences Corporation, Pegasus/SCD–1, 80 Nautical Miles East of Cape Canaveral, Florida, February 9, 1993. Report PB 93–917003/NTSB/ SIR93–02, July 23, 1993; (https://www.ntsb.gov/ safety/safety-studies/Documents/SIR9302.pdf). 96 Section 431.43(c)(4) contains requirements that are detailed and prescriptive. It requires vehicle safety operations personnel to adhere to specific work and rest standards. These requirements prescribe the maximum length of workshift and the minimum rest period after such work shift preceding initiation of an RLV reentry mission or during the conduct of the mission. It also prescribes the maximum hours permitted to be worked in the 7 days preceding initiation of an RLV mission, the maximum number of consecutive work days, and the minimum rest period after 5 consecutive days of 12-hour shifts. PO 00000 Frm 00039 Fmt 4701 Sfmt 4702 15333 The 2006 final rule adopted the current § 417.113(f), which is more performance-based than § 431.43(c)(4). Section 417.113(f) requires that for any operation that has the potential to have an adverse effect on public safety, the launch rules must ensure that the launch crew is physically and mentally capable of performing all assigned tasks. It also requires those rules to govern the length, number, and frequency of work shifts, and the rest afforded to launch crew between shifts. The ARC recommended the FAA use the § 417.113(f) approach as a basis for the proposed rest rules. The ARC recommended that the regulations should require each license applicant and operator to establish crew rest requirements applicable to their individual operation and suggested that the FAA consider each operator’s rules through the application review and approval process. The FAA agrees with this approach. Additionally, the ARC suggested that the rest rules apply to specific personnel with direct control of the vehicle or launch or reentry decision making. While the FAA agrees with the intent of requiring all safety critical personnel to adhere to rest rules, it does not want to limit safety critical personnel to the roles the ARC identified because it is prescriptive and does not allow for operational flexibility. The FAA also agrees with the ARC that it is up to the company to monitor compliance with its rest rules. The FAA does not have an explicit requirement for an operator to monitor its employees, only that it documents and implements rest requirements. The FAA seeks comment on whether a specific requirement for operator monitoring would be necessary. Regardless, the FAA would monitor compliance on occasion with its inspection program, as it does today with current crew rest rules. The FAA recognizes that launch and reentry operations are varied. The FAA considered using prescriptive requirements like those in § 431.43(c)(4) to address rest rules. However, there are many factors that can affect crew rest that make a prescriptive regulation impracticably complex and inflexible for allowing alternate methods of compliance that take into account mitigations and unique circumstances. Section 450.151 would retain the current performance-based requirements of § 417.113(f) with modifications to include launch and reentry operations. The proposed requirements would cover operations of expendable, reusable, and reentry vehicles and allow an operator flexibility to employ rest rules that fit E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15334 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules the particular operations. Current § 417.113(f) requires that crew rest rules govern the length, number, and frequency of work shifts, including the rest afforded the launch crew between shifts. Similarly, proposed § 450.151(a) would require an operator to document and implement rest requirements that ensure safety-critical personnel are physically and mentally capable of performing all assigned tasks. Proposed § 450.151(b) would provide additional requirements regarding the aspects of work shifts and rest periods critical to public safety, and would add a process for extending work shifts. Proposed § 450.151(b)(1) would require an operator’s rest rules to include the duration of each work shift and the process for extending this shift; including the maximum allowable length of any extension. This requirement would provide each operator with the flexibility to identify the duration of each work shift most suited to the operation such that safetycritical personnel are physically and mentally capable of performing all assigned tasks. It would also require a process for extending a work shift. Work shift length is important because performance decreases and fatigue increases as the length of the work shift increases. An operator should determine the optimum length for a work shift that ensures personnel are capable of performing their assigned tasks. Unforeseen circumstances can require personnel to work beyond the established work shift length. In such cases, under this proposal, the operator would be required to have a process for extending the work shift length up to a limit where personnel are no longer considered capable of performing their duties. Proposed § 450.151(b)(2) would require an operator’s rest rules to include the number of consecutive work shift days allowed before rest is required. This requirement would provide each operator with the flexibility to identify the number of consecutive work shift days safetycritical personnel may work such that they remain physically and mentally capable of performing all assigned tasks. Proposed § 450.151(b)(3) would require an operator’s rest rules to include the minimum rest period required between each work shift, including the period of rest required immediately before the flight countdown work shift. An operator would also be required to identify the minimum rest period required after the maximum number of work shift days allowed. Having enough rest between work shifts is important to ensure personnel are able to perform VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 critical tasks. The rest period before a countdown is particularly important because it can be affected by time of launch, reviews, and work needed to get a vehicle ready for operation. The FAA also proposes to remove the term ‘‘crew’’ from the rest requirements. The use of ‘‘crew’’ can be misleading and limiting. Operators could interpret crew to be flight crew only, whereas the rest rules are intended to apply to any position affecting public safety. Under this proposal, an applicant would be required to submit rest rules to the FAA that demonstrate compliance with proposed § 450.151. The FAA would evaluate an operator’s rest rules in the same way as it currently does under § 417.113(f) to ensure that personnel affecting public safety are mentally and physically capable of performing their duties during launch or reentry operations, and that the rest rules satisfy the requirements of proposed § 450.151. While an operator would be able to create its own rest rules under proposed § 450.151, an applicant would also be able to use current rest rules. That is, § 431.43(c)(4) would be an acceptable means of compliance to proposed § 450.151. The FAA would evaluate other rest rules against this benchmark and relevant standards. 4. Radio Frequency Management The FAA proposes to maintain the current substantive requirements of § 417.111(f) for radio frequency management and to expand the applicability of these requirements to RLVs and reentry vehicles in proposed § 450.153 (Radio Frequency Management). The FAA also would remove the current requirements to implement a frequency management plan and to identify agreements for coordination of use of radio frequencies with any launch site operator and local and federal authorities. Under § 415.119 and appendix B of part 415, an applicant for a launch license is required to include a frequency management plan 97 in its application, and that plan must satisfy the requirements of § 417.111(f). Specifically, current § 417.111(f) requires an operator to implement a frequency management plan that identifies each frequency, all allowable frequency tolerances, and each frequency’s intended use, operating power, and source. The plan must also provide for the monitoring of frequency usage and enforcement of frequency allocations and identify agreements and 97 A radio frequency management plan describes how an operator manages radio frequencies to meet termination or tracking requirements. PO 00000 Frm 00040 Fmt 4701 Sfmt 4702 procedures for coordinating use of radio frequencies with any launch site operator and any local and Federal authorities, including the FCC. While parts 431 and 435 do not contain explicit frequency management requirements, an operator is required to identify and mitigate hazards, including hazards associated with frequency management as part of the system safety process in § 431.35(c) and (d). Section 431.35(c) requires operators to perform a hazard analysis and identify, implement, and verify mitigations are in place.98 Section 450.153 would replace the current requirement in § 417.111(f) to implement a frequency management plan. In proposed § 450.153(a), the FAA proposes to make these radio frequency management requirements applicable to any radio frequency used. This proposed requirement would include radio frequencies used not only in launch vehicles, but also in RLVs and reentry vehicles. Because radio frequency requirements are a mitigation for hazards associated with frequency management, the proposed requirements would not necessarily be new requirements for RLVs or reentry vehicles but would codify the need for radio frequency management for RLVs and reentry vehicles. The FAA also proposes to maintain the substantive radio frequency requirements of current § 417.111(f) in proposed § 450.153(a). Although the increased use of autonomous termination systems makes frequency management less critical for flight termination, there are still many operators that use command termination systems. Moreover, these requirements remain applicable to autonomous termination systems because operators still need to allocate radio frequencies to telemetry and tracking. There are also other hazards, such as electromagnetic interference and induced currents, that can result from radio frequency interference and that require mitigation. Therefore, an operator would continue to be required to: (1) Identify each frequency, all allowable frequency tolerances and each frequency’s intended use, operating power and source; (2) provide for monitoring of frequency usage and enforcement of frequency allocations; and (3) 98 One such hazard is radio interference that could disable a commanded FSS. An operator might mitigate such a hazard by ensuring that the power level of the command transmitter is sufficient to ensure termination with high reliability (i.e., 0.999 at 95 percent). For reentry vehicles, radio frequencies for tracking are coordinated to ensure there is coverage where needed as well as communication with the vehicle. E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 coordinate the use of radio frequencies with any site operator and any local and Federal authorities. While no substantive changes are proposed to the radio frequency requirements, this proposal would remove the current requirement that an operator’s frequency management plan identify agreements and procedures for coordinating the use of radio frequencies with any launch site operator and any local or federal authorities. Many of the agreements necessary for radio frequency management would be covered in proposed § 450.147. In proposed § 450.153(b), an applicant would be required to submit procedures or other means to demonstrate compliance with the requirements of § 450.153(a) as part of its application. This requirement would provide an applicant flexibility in the manner of demonstrating compliance, such as using checklists or continuing to use a frequency management plan. 5. Readiness: Reviews and Rehearsals The FAA proposes to revise and consolidate the readiness requirements of parts 417 and 431 into a performancebased regulation that would require an operator to document and implement procedures to assess readiness to proceed with the flight of a launch or reentry vehicle. The FAA currently requires an operator to be ready to perform launch or reentry operations. Readiness, which is currently addressed through readiness reviews and rehearsals, has three components— readiness of the vehicle, of the personnel, and of the equipment. In consolidating these parts, the FAA proposes to remove the current requirements to conduct rehearsals, to poll the FAA at the launch readiness review, and to provide a signed written decision to proceed. The FAA also proposes to eliminate the specific review requirements of §§ 417.117 and 431.37. Launch rates have increased substantially since the adoption of parts 417 and 431. In 2007, an operator might only launch one to three times a year. Currently, there are operators that have launch rates exceeding 20 launches per year. Readiness requirements have become overly burdensome as operators spend time on rehearsals and reviews that were meant to ensure readiness. Timing requirements have resulted in additional reviews or non-compliances. Operators in a high launch rate environment may not benefit much from rehearsals and added reviews. Currently, § 417.117 requires that a launch operator (1) review the status of VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 operations, systems, equipment and personnel required by part 417, (2) maintain and implement documented criteria for successful completion of each review, (3) track and document corrective actions or issues identified during the review, and (4) ensure that launch operator personnel overseeing the review attest to successful completion of the reviews criteria in writing. Section 417.117(b)(3) requires an operator to conduct a launch readiness review for flight within 48 hours of flight. The decision to proceed with launch must be in writing and signed by the launch director and any launch site operator or Federal launch range. The launch operator must also poll the FAA to verify that the FAA has not identified any issues related to the launch operator’s license. For RLV operations, § 431.37 requires an applicant to submit procedures that ensure readiness of the vehicle, personnel, and equipment as part of the application process. These procedures must involve the vehicle safety operations personnel and the launch site and reentry site personnel involved in the mission. The procedures must include a mission readiness review and specify that the individual responsible for the conduct of the licensed activities is provided specific information upon which he or she can make a judgement as to mission readiness. Additionally, as part of the readiness requirements, § 417.119 requires an operator to rehearse its launch crew and systems to identify corrective actions necessary to ensure public safety that cover the countdown, communications, and emergency procedures, and it specifically directs the launch operator in how to conduct its rehearsals. Section 431.33(c)(1) similarly requires an applicant to monitor and evaluate operational dress rehearsals to ensure they are conducted in accordance with procedures required by § 431.37 to ensure the readiness of vehicle safety operations personnel. The requirements of both parts 417 and 431 are prescriptive and do not provide an operator with much flexibility as to compliance. The lack of flexibility is evidenced by the issuance of waivers and documentation of noncompliances. This requirement has created a burden on operators because they must spend extra resources requesting waivers and responding to enforcement actions. Processing waivers and conducting additional reviews costs time and money for the FAA, as well. For example, § 417.117(b)(3) requires a flight operator to hold a launch readiness review no earlier than 48 hours before flight. Since 2007, the FAA PO 00000 Frm 00041 Fmt 4701 Sfmt 4702 15335 has processed over 20 waivers to the 48hour requirement. In situations where ELV operators have not requested a waiver to the timing requirement, they have held additional reviews just to meet the timing requirement of the flight readiness review. Additionally, the FAA has issued at least three enforcement letters because operators did not meet the timing requirement. The ARC recommended that the FAA distill reviews down to intent, list the minimum items the FAA reviews, and let the operator inform the FAA in the license application where those items are and how they would be reported. The FAA agrees that specific reviews are not required and proposes a list of items required to address readiness. The FAA also agrees that specific rehearsals are not required because there are a variety of methods by which an operator could meet readiness requirements. As discussed later, the FAA proposes to remove the specific requirement for rehearsals. The FAA proposes to revise and consolidate the readiness requirements of parts 417 and part 431 into proposed § 450.155, which would require an operator to document and implement procedures to assess readiness to proceed with the flight of a launch or reentry vehicle. The FAA anticipates that under this proposal an operator would be able to achieve readiness by various methods including, but not limited to, readiness meetings, tests, rehearsals, static fire tests, wet dress rehearsals,99 training, and experience. While current regulations require specific readiness reviews, proposed § 450.155 (Readiness) would remove the requirement for flight readiness reviews, including the requirements for a launch readiness review no earlier than 15 days before flight and the flight readiness review no earlier than 48 hours before flight. The FAA proposes to remove these requirements because it has found that multiple readiness reviews may not be necessary to demonstrate readiness. For instance, readiness can be determined by a single meeting close enough in time to the launch or reenty to ensure there have been no material changes to readiness, such as failure of a radar or telemetry system. Under the proposed rule, it would be up to the operator to propose how it would ensure readiness, and whether such procedures would include one or more readiness reviews, testing, or some other means. By eliminating the timing requirements, operators with high launch rates could propose how they 99 A wet dress rehearsal includes at least a partial fueling of a vehicle with a liquid propellant. E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15336 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules will ensure they are ready for launch and whether that involves one or more readiness reviews held close enough in time to the launch to ensure no significant changes occur between the review and the launch. Removing the specific requirements for reviews and tests would not relieve the operator from having to perform a test or hold a review that is necessary for determining readiness, rather it would provide the operator with flexibility to develop and propose those tests and reviews most suitable for the operation in order to ensure readiness. The FAA would evaluate and make a determination on the adequacy of the proposed procedures during the licensing process. The FAA plans to publish a draft means-of-compliance guide with the publication of the proposed rule, which should include acceptable approaches. In the long term, the FAA plans to refer to an AC or standard for every performance-based requirement. Instead of requiring specific readiness reviews, proposed § 450.155 would require that an operator document and implement procedures to assess readiness to proceed with the flight of a launch or reentry vehicle. As part of the application requirements, the operator would be required to demonstrate compliance with the requirements of proposed § 450.155 through procedures that may include a readiness meeting close in time to flight. Unlike §§ 417.117 and 431.37, proposed § 450.155 would not specify particulars of what the procedures must contain. However, the operator would be required to document and implement procedures that at a minimum address: (1) Readiness of vehicle and launch, reentry, or landing site, including any contingency abort location; (2) readiness of safety-critical personnel, systems, software, procedures, equipment, property and services; and (3) readiness to implement a mishap plan. The FAA proposes to require that the procedures address these particular areas because the FAA has determined that a safe launch or reentry, at a minimum, requires the vehicle, site, and safety personnel to be ready and all safety systems and safety support equipment to be working properly. Additionally, being prepared to implement a mishap plan would ensure that public safety is maintained during a mishap because personnel would be familiar with their roles and ready to perform their duties in order to return the vehicle and site to a safe condition after the mishap. The FAA also proposes to remove the requirement that an operator poll the FAA at the launch readiness review and provide a signed certificate of the VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 decision to proceed contained in § 417.117. This polling is unnecessary because the FAA will always inform the operator of any licensing issues as soon as the FAA becomes aware of them. The FAA also proposes to remove the requirement that an operator provide a signed certificate of the decision to proceed with launch or reentry operations because the FAA has not used any signed certificate required under § 417.117 for any launch or reentry. All the certificates have been filed and have not served any purpose other than to comply with the requirement under § 417.117. The FAA believes that removing the requirements to poll the FAA and to have a signed certificate to proceed would not affect public safety and would relieve burdens to comply with those requirements from the operator and the FAA. The FAA proposes to remove the requirements in § 417.119 because rehearsals are not always needed to achieve readiness. It is important that the launch team be familiar with operations. Rehearsals are a good way to ensure proficiency with procedures, exercise communications and critical safety positions as a team, and identify areas where the operator needs to improve. However, the FAA acknowledges that rehearsals are not the only way to ensure the readiness performance requirement is met. This proposal would allow an operator to determine what methods would be best suited to ensure readiness for its operation. Operators that have high launch rates may not need to rehearse personnel that were involved in a similar launch days or weeks earlier. However, licensees that have not launched for a long time or that are launching for the first time may need rehearsals to meet some of the readiness requirements. Operators with high launch rates could demonstrate readiness with a readiness review and would not have to hold rehearsals, and training could fill gaps where actual operations do not provide familiarity with certain aspects of operations. For example, if no anomalies are experienced during actual operations, the operator could hold a rehearsal or provide additional training to exercise the anomaly resolution process. Current § 417.117(b)(3)(xi) requires an operator to review launch failure initial response actions and investigation roles and responsibilities and § 417.119(c) requires an operator to have a mishap plan rehearsal; current § 431.45 contains the requirements for a mishap plan for RLVs. Section 450.155(a)(3) would require an operator to document and implement procedures to ensure PO 00000 Frm 00042 Fmt 4701 Sfmt 4702 readiness to implement a mishap plan in the event of a mishap. The proposal would allow flexibility to meet the readiness requirement for implementing a mishap plan by allowing an operator to propose a procedure acceptable to the FAA. Thus, an operator would have the ability to develop procedures to ensure readiness through training, rehearsals, or other means that might be more applicable to its vehicle and mission. The FAA would still expect an operator to review any lesson learned, corrective action, or changes to procedures resulting from any mishap plan rehearsals or mishap investigations. Under § 450.155(b), an applicant would need to demonstrate compliance with the requirements through procedures that may include a readiness meeting close in time to flight and describe the criteria for establishing readiness to proceed with the flight of a launch or reentry vehicle. 6. Communications Currently, the FAA requires operators to implement communications plans to ensure that clear lines of authority and situational awareness are maintained during countdown operations. The communications plan was the result of a 1993 NTSB investigation discussed earlier. One of the contributing factors identified in the investigation was the lack of clear communications between different ranges and the operator. The FAA requirements for communications plans are currently found in §§ 417.111(k) and 431.41 and are nearly identical. Currently, §§ 417.111(k) and 431.41 require an operator to implement a communications plan. Part 435 requires a reentry vehicle operator to comply with the safety requirements of part 431, including § 431.41. Both §§ 417.111(k) and 431.41 require an operator’s communications plan to define the authority of personnel, by individual or position title, to issue ‘‘hold/resume,’’ ‘‘go/no-go,’’ and abort commands; assign communication networks so that personnel have direct access to real-time safety-critical information required to issue ‘‘hold/ resume,’’ ‘‘go/no-go,’’ and any abort decisions and commands; ensure personnel monitor common intercom channels during countdown and flight; and implement a protocol for using defined radio telephone communications terminology. Additionally, § 431.41(b) requires that the applicant submit procedures to ensure that the licensee and reentry site personnel receive copies of the communications plan, and that the reentry site operator concurs with the plan. For launches from a Federal E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules launch range, § 417.111(k) also requires the Federal launch range to concur with the communications plan. Operators launching from Federal launch ranges comply with § 417.111(k). Operators submit a communications plan during the application process and coordinate with the Air Force. The communications plan includes lines of authority, identification of who has access to which channels, protocols for communication and procedures for decision processes. Often, the communication plan is not fully developed at the time the operator applies for a license, so operators often submit a representative plan during the application process and then provide a final plan prior to the first launch under a license. The FAA proposes to retain the substantive communications requirements in §§ 417.111(k) and 431.41 in § 450.157 (Communications), in paragraph (a), and remove the specific requirement to implement a communications plan. Section 450.157(b) would also require an operator to ensure currency of the communication procedures, similar to the current requirement in § 417.111(e). The FAA would preserve these requirements because all key participants must work from the same communications procedures in order to avoid miscommunication that could lead to a mishap.100 Section 450.157(c) would require an operator during each countdown to record all safety-critical communications network channels that are used for voice, video, or data transmissions to support safety-critical systems. This is substantially the same requirement as in §§ 417.111(l)(5)(vii) and 431.41. The FAA would retain this requirement because communications recording is often critical to mishap investigations. Lastly, the FAA would not require operators to submit communication procedures during the application process because generally such procedures are not mature at the time of application, and hence are unlikely to be the ones used during the actual countdown. Under the proposal, the FAA would not approve the communications procedures prior to licensing and would rely instead on an inspection process that ensures the operator is following the requirements for communications procedures. These inspections would be consistent with 100 NTSB Special Investigation Report: Commercial Space Launch Incident, Launch Procedure Anomaly Orbital Science Corporation, Pegasus/SCD–1, 80 Nautical Miles East of Cape Canaveral, Florida (February 9, 1993); at p. 53. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 current practice, where FAA inspectors often review the operator’s final communications procedures. Given that the FAA would no longer require demonstrations of compliance at the application stage for communications and preflight procedures, operators may be required to make revisions to those procedures to resolve issues identified during compliance monitoring. 7. Preflight Procedures Under § 417.111(l), an operator is required to develop and implement a countdown plan that verifies each launch safety rule and launch commit criterion is satisfied, personnel can communicate during the countdown, the communication is available after the flight, and a launch operator will be able to recover from a launch abort or delay. This countdown plan must cover the period of time when any launch support personnel are required to be at their designated stations through initiation of flight. It also must include procedures for handling anomalies that occur during countdown and any constraints to initiation of flight, for delaying or holding a launch when necessary, and for resolving issues. It must identify each person by position who approves the corrective actions, and each person by position who performs each operation or specific action. It also must include a written countdown checklist that must include, among other items, verification that all launch safety rules and launch commit criteria have been satisfied. In case of a launch abort or delay, the countdown plan must identify each condition that must exist in order attempt another launch, including a schedule depicting the flow of tasks and events in relation to when the abort or delay occurred and the new planned launch time, and identify each interface and entity needed to support recovery operations. Currently § 415.37(a)(2) requires that the applicant file procedures that ensure mission constraints, rules and abort procedures are listed and consolidated in a safety directive or notebook. Similarly, the mission readiness requirements of § 431.37(a)(2) require that procedures that ensure mission constraints, rules, and abort plans are listed and consolidated in a safety directive notebook. Currently some operators have paper notebooks containing all the checklists and countdown plans. These notebooks are updated frequently, even up to the day before a launch with change pages by every member of the launch team. This process can sometimes lead to confusion and configuration issues. Other operators have electronic systems PO 00000 Frm 00043 Fmt 4701 Sfmt 4702 15337 that contain all the checklists and countdown procedures. There are many advantages to electronic records, such as ease of dissemination and configuration control. As electronic file use becomes more common, the need for a physical notebook becomes unnecessary. What is critical for safety is that all launch personnel have the same set of procedures. Due to the dynamic nature of countdown procedures, operators provide checklists and procedures used in prior launches to meet the application requirements. The FAA evaluates these checklists and procedures during the license evaluation. However, because the checklists and procedures being evaluated are not final, operators must submit all updates to these documents as part of the continuing accuracy of the license requirements. FAA inspectors ensure the checklists and procedures are the most current, and that configuration control is maintained. The FAA proposes to streamline the current countdown procedures and requirements in §§ 415.37(a)(2), 417.111(l), and 431.39(a)(2) and replace them in § 450.159 (Preflight Procedures). In doing so, the FAA proposes to remove the requirements for safety directives or safety notebooks and for a countdown plan, and the requirement to file such plans because there are many methods of documenting the preflight procedures that do not involve a plan or notebook. Although the proposed preflight procedures would not be required to be submitted as part of the license application process, FAA inspectors would still ensure that such preflight procedures are implemented. Unlike the current regulations, the FAA proposes a performance-based requirement where an operator would need to implement preflight procedures would verify that all flight commit criteria are satisfied before flight and that ensure the operator is capable of returning the vehicle to a safe state after a countdown abort or delay.101 This aligns with the intent of current regulations while permitting flexibility on how the safety goal is achieved. As a result, there would be no impact on safety resulting from the removal of the current prescriptive requirements. Additionally, proposed § 450.159(b) would require an operator to ensure the currency of the preflight procedures, and that all personnel are working with the approved version of the preflight 101 A countdown abort includes launch scrubs, recycle operations, hang-fires, or any instance in which the launch vehicle does not lift-off after a command to initiate flight has been sent. E:\FR\FM\15APP2.SGM 15APP2 15338 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules procedures, similar to the current requirement in §§ 415.37(a)(3) and 431.39(c). The FAA would preserve these requirements because all key participants must work from the same preflight procedures in order to avoid a mishap. The FAA anticipates that the current requirements of § 417.111(l)(1) through (6) would be a means of compliance under the proposal, but not the only means of compliance. By allowing alternative means of compliance, the proposed regulations would provide greater operational flexibility and procedure streamlining across all operation types. amozie on DSK9F9SC42PROD with PROPOSALS2 8. Surveillance and Publication of Hazard Areas The FAA proposes to adopt surveillance of a flight hazard area regulations based on recent granted waivers and to better align with current practices at the Federal launch ranges, where most commercial launches take place, and to codify current practice that eliminates unnecessary launch delays while maintaining public safety. This proposal would only alter the substantive requirements applicable to the surveillance of ship (waterborne vessel) hazard areas not the surveillance of land or aircraft hazard areas. Therefore, this discussion will focus primarily on the proposal’s effect on the surveillance of waterborne vessel hazard areas. The specific requirements for conducting a flight hazard area analysis are discussed later in the preamble. Current regulations on establishing and surveilling hazard areas, including ship hazard areas, for ELVs are found in §§ 417.205 102 and 417.223 103 and part 417, appendix B.104 Part 431 does not set explicit requirements for the surveillance of waterborne vessel hazard areas, and the FAA has not yet issued a license under part 431 over water. However, both §§ 417.107(b)(2) and 431.35(b)(1)(ii) require that an operator ensure all members of the public are cleared of all regions, whether land, sea, or air, where any individual would be exposed to more than 1 × 10¥6 PC. 102 Section 417.205 requires the flight safety analysis to employ risk assessment, hazard isolation, or a combination of risk assessment and partial isolation of the hazards to demonstrate control of risk to the public. 103 Section 417.223 requires, in part, that an FSA include a flight hazard area analysis that identifies any regions of land, sea, or air that must be surveyed, publicized, controlled, or evacuated in order to control the risk to the public from debris impact hazards. 104 Section B417.5(a) of appendix B to part 417 states that a launch operator must perform a launch site hazard area analysis that protects the public, aircraft, and ships from the hazardous activities in the vicinity of the launch site. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 Although not explicit, the current regulations for ELV and RLV operations effectively require surveillance and evacuation of all regions where the individual risk criterion would be violated by the presence of any member of the public. The net effects of the current ELV regulations are: (1) An operator must establish a ship hazard area sufficient to ensure the PI for any ship does not exceed 1 × 10¥5 for any debris that could cause a casualty, (2) an operator must monitor the ship hazard area prior to initiating the flight operation, and (3) if a large enough ship enters the waterborne vessel hazard area to exceed the 1 × 10¥5 PI criterion, then the launch must be scrubbed or delayed until the ship exits the hazard area. Appendix B to part 417 directs a launch operator to evacuate and monitor each launch site hazard area to ensure compliance with the risk criteria in § 417.107(b)(2) and (3) and provide an adequate methodology to achieve this end. The FAA designed this methodology to be consistent with Air Force range safety requirements in 2006 and to ensure that the cumulative PI to any ships would not exceed 1 × 10¥5 for any debris expected to exceed the kinetic energy or overpressure thresholds established by § 417.107(c). Current § 417.223(b) requires public notices for flight hazard areas. A flight hazard area analysis must establish the ship hazard areas for notices to mariners that encompass the three-sigma impact dispersion area for each planned debris impact.105 Section 417.121(e) contains procedural requirements for issuing notices to mariners (and airmen). Furthermore, § 417.111(j) requires a launch operator to implement a plan that defines the process for ensuring that any unauthorized persons, ships, trains, aircraft or other vehicles are not within any hazard areas identified by the FSA or the ground safety analysis. In the plan, the launch operator must list each hazard area that requires surveillance to meet §§ 417.107 and 417.223, as well as describe how the launch operator will provide for day-offlight surveillance of the flight hazard area to ensure that the presence of any member of the public in or near a flight hazard area is consistent with flight commit criteria developed for each launch. In practice, these regulations have been comprehensive enough to 105 In addition, a flight hazard area analysis must establish the aircraft hazard areas for notices to airmen that encompass the 3-sigma impact dispersion volume for each planned debris impact. PO 00000 Frm 00044 Fmt 4701 Sfmt 4702 ensure public safety, but at times overly prescriptive and unduly conservative. The FAA has waived several waterborne vessel protection requirements 106 in light of advanced ship monitoring technology and risk calculation models. The FAA’s first waiver of the § 417.107(b)(3) requirement illustrates the need for this proposed change.107 In approving the first waiver and numerous subsequent waivers to enable the proposed option, the FAA assessed the technological advances previously discussed. In this assessment, the FAA reviewed the Federal launch range input data and probabilistic casualty models that the Air Force at the 45th Space Wing uses to quantify individual and collective risks to people on waterborne vessels during the launch countdown for space launch missions. The FAA found that the 45th Space Wing’s public risk analyses use accurate data and scientific methods that are mathematically valid, with reasonably conservative assumptions applied in areas where significant uncertainty exists. In that instance, the FAA performed independent analyses using alternative methods to estimate the casualty risks for multiple foreseeable scenarios involving debris impacts on various types of waterborne vessels and found that large passenger vessels anywhere between the launch point and the first stage disposal zone can contribute significantly to the estimated EC from a launch. The FAA also found that small boats (too small to have Automatic Identification System (AIS) required 108) located close to the launch point should not produce significant individual risks. However, no past waivers involved changes in the areas where surveillance was mandatory in current practice, only where ships were allowed to be present in order for the launch to proceed. Section 450.161 (Surveillance and Publication of Hazard Areas) would require an operator to publicize, survey, and evacuate each flight hazard area before initiating flight or reentry, to the extent necessary to ensure compliance with proposed § 450.101. Proposed § 450.161(a) does not change the need for surveillance relative to the current requirements in parts 417 or 431 for people on land or aircraft because the proposal would continue to require that 106 For example, see Waivers of Ship Protection Probability of Impact Requirement, 81 FR 28930 (May 10, 2016). 107 81 FR 28930 (May 10, 2016). 108 AIS is required on commercial vessels 65 feet in length or more, towing vessels 26 feet in length or more, and other self-propelled vessels certified to carry more than 150 passengers or carrying dangerous cargo. E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules an operator ensure all regions where any individual member of the public would be exposed to more than 1 × 10¥6 PC are evacuated. However, the proposal would remove the requirement to evacuate and monitor areas where a waterborne vessel would be exposed to greater than 1 × 10¥5 PI currently required by Appendix B to part 417, paragraph 417.5(a). The FAA proposal to include people on ships in the collective risk computation (see proposed § 450.101(a)(1) and (b)(1)) would explicitly allow the application of risk management principles to protect people on waterborne vessels. For example, an applicant could apply conservative estimates of the ship traffic and vulnerability to demonstrate acceptable public risks. In proposed § 450.161(a), surveillance would only be required to the extent necessary to ensure compliance with the public safety criteria, including individual and collective risks as well as notification of planned impacts from normal flight events capable of causing a casualty. For instance, an operator would not need to perform surveillance of areas where the risk to any individual would be no more than 1 × 10¥6 PC, unless surveillance was necessary to ensure acceptable collective risks. The proposal would generally allow operators the option to use the current approach in part 417, where surveillance is required to ensure no ship is exposed to more than 1 × 10¥5 PI, because that would generally be sufficient to ensure compliance with proposed § 450.101. In addition, the proposal would also provide the option for launch and reentry operators to use the new technology, including modern surveillance techniques, and include people in waterborne vessels as part of the collective risk calculation as approved by previous waivers.109 Current practice is to issue waivers to operators as an alternative to scrubbing or delaying a launch or reentry due to waterborne vessels in an area where the PI exceeds 1 × 10¥5. Thus, the proposal would curtail the need for waivers. While the proposal would relax the current part 417 requirement to ensure that no ship is exposed to more the 1 × 10¥5 PI, the FAA notes that the requirement to ensure no ships are present in areas where the individual risk exceeds 1 × 10¥6 PC is consistent with international guidelines. The International Maritime Organization (IMO) is the United Nations organization for safety and environmental protection regulations for 109 81 FR 28930 (May 10, 2016). VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 maritime activities. The IMO has developed a risk-based approach to safety and environmental protection regulations, which identifies a key threshold of one in a million (1 × 10¥6) probability of fatality per year for individual crewmembers, passengers, and members of the public ashore (considered third parties by the IMO). The IMO guidelines equate individual risks at the 1 × 10¥6 probability of fatality per year as broadly acceptable for maritime activities, and specifically state that individual risks below this level are negligible and no risk reduction required. The proposed § 450.101(a)(2) and (b)(2) requirements would ensure that no person will be present on ships where the individual risk exceeds 1 × 10¥6 PC . This requirement is consistent, and reasonably conservative, with respect to the IMO guidelines as explained in the RCC 321–07 Supplement.110 Thus, the FAA proposes to codify requirements for the development and surveillance of ship hazard area that are reasonably consistent with IMO guidelines for formal safety assessments. As previously discussed, there were important advances in ship surveillance techniques in recent years. In the past, observation techniques posed significant risks to launch operators. For example, the only known deaths related to launch operations at Cape Canaveral were five occupants of a helicopter that crashed at sea shortly after 2 a.m. on April 7, 1984, while flying surface surveillance for the scheduled launch of a Trident 1 missile from the USS Georgia.111 In many cases, the proposal would relieve the requirement for the type of surveillance that posed significant risks to launch operators in the past. Section 450.161(b) would require surveillance sufficient to verify or update the assumptions, input data, and results of the flight safety analyses. Given there are numerous assumptions and input data that are critical to the validity of the flight safety analyses, this requirement could have a variety of surveillance implications beyond the surveillance necessary to ensure the public exposure at the time of the operation is consistent with the assumptions and input data for the flight safety analyses. For example, an FSA could assume that a jettisoned stage remains intact to impact or breaks up into numerous pieces that are all 110 Range Commanders Council Risk Committee of the Range Safety Group, Common Risk Criteria for National Test Ranges: Supplement. RCC 321–07 Supplement, White Sands Missile Range, New Mexico, 2007, p. 5–50. 111 Air Force News Print Today (Apr. 8, 2011). PO 00000 Frm 00045 Fmt 4701 Sfmt 4702 15339 capable of causing casualties to people in a class of aircraft (e.g., business jets). An operator would be required to employ some type of surveillance (e.g., telemetry data, or remote sensors such as a camera or radar) to verify that the jettisoned stage behaves as assumed by the FSA if that behavior is germane to the size of the aircraft hazard area. Additionally, § 450.161(c) would require an applicant to publicize warnings for each flight hazard area, except for regions of land, sea, or air under the control of the vehicle or site operator or other entity by agreement. If the operator relies on another entity to publicize these warnings, the proposal requires the operator to verify that the warnings have been issued. The FAA notes that some operators already follow this practice. The proposed requirements would allow warnings that are consistent with current practice but would also allow more flexibility for warnings to mariners in accordance with proposed § 450.133(b). Notably, § 450.133(b)(1) would be consistent with current practice at the Federal launch ranges based on input from the CSWG, and § 450.133(b)(2) and (3) are based on current U.S. Government consensus standards).112 Proposed § 450.161(d) would also require an applicant to describe how it will provide for day-offlight surveillance of flight hazard areas, if necessary, to ensure that the presence of any member of the public in or near a flight hazard area is consistent with flight commit criteria developed for each launch or reentry. This proposal is consistent with the executive branch policy to replace prescriptive requirements with performance-based criteria.113 Specifically, the FAA proposes to replace the ‘‘one-size-fits-all’’ approach to ship protection that effectively prevents launch or reentry operations to proceed if ships are in identified hazard areas irrespective of the estimated risks posed to people on those vessels. For example, during the launch of the Falcon 9 from CCAFS to deliver the SES–9 payload to orbit, SpaceX was delayed by the presence of a tug boat towing a large barge inside the ship hazard area in compliance with the FAA’s requirement in § 417.107(b) to limit the PI for waterborne vessels to 1 × 10¥5.114 Under the proposal, delays such as this would be avoided without the need for waivers. The FAA proposes to replace the ‘‘one-size-fits-all’’ approach with the performance-based criteria of the collective and individual 112 RCC 321–17 Standard. (May 24, 2018), at Section 2b. 114 81 FR 28930 (May 10, 2016). 113 SPD–2 E:\FR\FM\15APP2.SGM 15APP2 15340 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 risk limits in proposed § 450.101, and in doing so would require an operational delay only when necessary to ensure acceptable individual and collective risks. This approach was safely and successfully used, by waiver, for all Falcon 9 launches from the CCAFS and KSC starting in 2016. The FAA seeks comment on the proposed approach. Application of public risk management for the protection of people in waterborne vessels has the potential for reducing launch costs by reducing the number of operational delays and scrubs due to ships in areas where the individual and collective risks are nevertheless acceptable. Because it is a major procurer of launch services, reduced launch costs would be of direct benefit to the U.S. Government. It would also help to make the U.S. launch industry more competitive internationally by reducing launch delays and scrubs. 9. Lightning Hazard Mitigation The FAA proposes to remove appendix G to part 417 and replace it with the performance-based requirements of § 450.163 (Lightning Hazard Mitigation). The current requirements in appendix G to part 417 are outdated, inflexible, overly conservative, and not explicitly applicable to many RLVs and reentry vehicles. Lightning is an atmospheric discharge of electricity, and can either occur naturally or be ‘‘triggered.’’ Triggered lightning can be initiated as a result of a launch vehicle and its electricallyconductive exhaust plume passing through a strong pre-existing electric field.115 However, the triggering phenomenon is unpredictable because there are many conditions that must occur in order for the breakdown of the electric field resulting in a lightning strike to occur. One condition is the enhancement factor of the launch or reentry vehicle that acts as a conductor. The extremities of the vehicle, such as the nose radius of curvature coupled with the effective length of the vehicle (taking into account the plume length) will establish the viability of a lightning strike. Furthermore, a launch vehicle’s propellants will have different conductivity characteristics, leading to varying lengths; 116 as a result, not every vehicle will trigger a lightning strike 115 Roeder, William P. and Todd M. McNamara, A Survey Of The Lightning Launch Commit Criteria, American Meteorological Society, Aviation Range and Meteorology Conference. 116 E. P. Krider, M. C. Noogle, M. A. Uman, and R. E. Orville. ‘‘Lightning and the Apollo 17/Saturn V Exhaust Plume,’’ Journal of Spacecraft and Rockets, Vol. 11, No. 2 (1974), p. 72–75. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 under the same environmental conditions. This unpredictability is exacerbated further by the fact that a triggered lightning strike can occur even when the vehicle is penetrating a benign cloud, or is outside a cloud that is not producing lightning. Lightning can and has caused or necessitated the destruction of launch and reentry vehicles in flight. This destruction may occur both by physical damage (direct effect) to structural or electronic components from lightning attachment to the vehicle and by damage or upset to electronic systems from a nearby discharge (indirect effect). The direct and indirect effects of a lightning discharge pose hazards to the safety critical systems of launch and reentry vehicles, such as the FSS. If damage to the vehicle’s safety critical components renders it inoperable or causes safety-critical systems to malfunction, there may be no way to stop the vehicle from reaching the public. For example, the damage may cause the command signal that instructs the vehicle to stop thrusting, or to abort the mission, to not be received. Two such triggered lightning events occurred in 1969 and 1987, during ascent. In 1969, when a manned Apollo XII 117 vehicle lost power to its Command Module, the launch was seconds away from beginning initiation of its abort command. In 1987, an unmanned ELV lost its guidance, navigation and control 118 and began careening towards the range safety impact limit lines. The range safety officer had to terminate its flight. These two incidents led to the establishment of the present-day lightning launch commit criteria (LLCC), which the Air Force and NASA adhere to for all launches from a Federal launch range. The Lightning Advisory Panel (LAP),119 an advisory body to the Air Force and NASA, is responsible for reviewing and proposing modifications to the LLCC. Adherence to the LLCC has resulted in zero lightning-caused launch incidents for over thirty years. The FAA codified the LLCC into Appendix G to part 417 to address 117 Merceret et al., ed., A History of the Lightning Launch Commit Criteria and the Lightning Advisory Panel for America’s Space Program. NASA/TP– 2010–216283, 10, Section 2.3 (August 2010). 118 Merceret et al., ed., A History of the Lightning Launch Commit Criteria and the Lightning Advisory Panel for America’s Space Program. NASA/TP– 2010–216283, 31, Section 4.3.2 (August 2010). 119 The LAP’s expertise range from in-depth knowledge of the physics of lightning, electric fields, and clouds, to lightning impacts on launch vehicles and statistics of electric field strength in specific environmental conditions. Its membership is primarily academia, although the Air Force and NASA fund this organization. PO 00000 Frm 00046 Fmt 4701 Sfmt 4702 concerns that the direct and indirect effects of a natural or triggered lightning strike may disable a vehicle’s FSS such that the launch operator could not stop the vehicle if it veered outside the impact limit lines (i.e., due to degraded signal). The FAA renamed these requirements to ‘‘Lightning Flight Commit Criteria’’ (LFCC). The LFCC in appendix G to part 417 consist of 10 natural and triggered lightning avoidance rules that provide criteria to minimize the risk of a launch vehicle being struck by lightning or triggering lightning. One rule contains criteria for avoiding natural lightning, the remaining nine contain avoidance criteria for triggering or initiating lightning when flying through, or near, specific cloud types or phenomena known to produce natural or triggered lightning. Taking into account the electrification process and the properties of electric fields within clouds, the triggered lightning rules establish time and distance requirements for distinct cloud types (e.g., cumulus cloud, attached or detached anvil cloud, thick clouds) believed to contain the necessary environmental conditions to produce elevated electric fields. These time and distance criteria help mitigate the threat of triggering lightning by increasing the probability that the electric field, at a given distance or after a length of time, will be below the threshold needed to produce lightning. Other rules contain prescriptive requirements and thresholds for not launching if there are high-surface electric fields as measured by a ground-based field mill, or if there is a threat of a vehicle becoming charged if it penetrates a cloud that contains frozen precipitation.120 Unfortunately, codifying the LLCC into appendix G of part 417 has led to two major challenges. First, because the science behind triggering lightning is not fully known, the criteria were developed with a margin of safety for large ELVs, such as the Titan IV. As a consequence, the criteria may be overly conservative for certain types of vehicles. While the LAP has updated the LLCC to keep pace with the advances in science and technology, the FAA rulemaking process is lengthy, and does not permit appendix G to be updated with the frequency necessary to keep up with the changes to the LLCCs. Revisions to appendix G are likely to be 120 Triboelectrification is a phenomenon that can occur when a launch vehicle flies through a region in a cloud that contains frozen precipitation. Under the right conditions, frozen precipitation can deposit a charge on the vehicle. If the launch vehicle is not treated, an electrostatic discharge could result. E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 out-of-date by the time they are finalized and published. As a result, appendix G preserves much of the original LLCCs outdated standards, which leaves a discrepancy between the LLCC and appendix G. In an effort to address this issue, the FAA made four ELOS determinations. The first ELOS determination permitted the use of a new maximum radar reflectivity method 121 to determine whether the radar reflectivity values were below the risk threshold for triggering lightning in the cloud. Because this new measurement technique was not in appendix G, the launch operator could not benefit from this improvement unless it requested and received approval to use this technique rather than follow the criteria currently in appendix G. The ELOS determination relieved the burden on the operator to seek approval to use a different radar reflectivity measurement process; therefore, allowing more opportunity for the launch operator to take advantage of the improvement rather than wait until a final rulemaking incorporated the change. When the LAP updated the LLCCs again, the FAA issued a second ELOS determination reducing the distance requirement for the flight path of the launch vehicle in relation to a thick cloud, if the radar reflectivity thresholds were satisfied.122 The issuance of this ELOS determination was necessary to enable operators to use the most recent thick cloud rule without needing to seek individual ELOS determinations from the FAA or waiting for the FAA to update appendix G through a rulemaking. The third ELOS determination also resulted from an update to the LLCCs and allowed for use of a shorter radar wavelength to measure radar reflectivity if the criteria for attenuation due to rainfall and beam spreading were met. This modification allowed a launch operator to make use of weather radars that have wavelengths between 3 and 5 cm, in addition to radars with wavelengths of 5 cm or greater. Similar to the other ELOS determinations, this 121 This radar reflectivity method allowed measurement of a hydrometeor by a radar with a wavelength of less than 5 centimeters but greater than 3 centimeters if: (1) The surface of the radome of the radar was hydrophobic and the precipitation rate at the radar site was less than 15 mm/hr (0.59 in/hr) rainfall equivalent, and (2) For each point that was measured, the horizontal extent of composite radar reflectivity greater than lOdBZ along the line of sight between the radar and the point did not exceed the reflectivity extent in kilometers for a 3 cm radar due to radar beam attenuation. 122 The Launch operator can launch within 5nm of a thick cloud layer if the radar reflectivity is below 0 dBZ. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 relieved the burden from the operator to seek approval from the FAA, and allowed the operator to immediately use different radar wavelengths or wait until the FAA updated appendix G. The fourth ELOS determination informed the launch operator that satisfying NASA–STD–4010 would meet the requirements of appendix G to part 417.123 This ELOS determination enabled an operator to use the more upto-date LLCC in place of the outdated LFCC in appendix G. It also recognized that the NASA–STD–4010 contained the most current LLCCs and removed the burden from the FAA to issue an ELOS determination for every new update to the LLCC. The FAA only codified the LFCCs into part 417, and not parts 431 and 435. While the LFCCs are not explicitly included in part 431 or 435, § 431.35(c) requires an applicant to employ a system safety process to identify and mitigate hazards, including lightning. Additionally, while not all launch and reentry vehicles have the same threshold to trigger lightning, they do have the potential to incur direct or indirect effects that may impact their safety critical systems. Therefore, in order to protect public health and safety, the LFCCs are an appropriate mitigation strategy for suborbital RLVs and reentry vehicles that can induce lightning that could affect public safety. In 2006, the FAA sponsored a study to conduct a triggered lightning risk assessment for five different concept suborbital RLVs, from two different launch sites, to gain an understanding of the potential risk of triggering lightning for these new categories of vehicles.124 The study took into account the vehicle design, mission profile, and propellants, as well as the lightning climatology of a given launch site. In 2010,125 a followon study was performed for four concept vehicles at a total of four different launch sites.126 The study showed that all concept vehicles had a 123 The NASA–STD–4010 has been adopted by both NASA and the Air Force. When NASA published the LLCCs in a NASA Standard document it provided uniform engineering and technical requirements in one location lessening confusion to which version of the LLCCs were currently being applied. 124 Krider, Phil, E. et al., Triggered Lightning Risk Assessment for Reusable Launch Vehicles at the Southwest Regional and Oklahoma Spaceports, Report No: ATR–2006(5195)–1, Jan 30, 2006 (https://www.faa.gov/about/office_org/ headquarters_offices/ast/reports_studies/media/ ATR-2006(5195)-1.pdf). 125 Krider, Phil, E., et al., Triggered Lightning Risk Assessment for Reusable Launch Vehicles at Four Regional Spaceports, Report No: ATR–2010(4387)– 1, Apr 30, 2010. (https://www.faa.gov/about/office_ org/headquarters_offices/ast/reports_studies/ media/ATR-2010%20(5387)-1.pdf). PO 00000 Frm 00047 Fmt 4701 Sfmt 4702 15341 much higher triggering threshold (i.e., it was harder to initiate lightning) than that of a Titan IV ELV and that they each had different triggering thresholds within each concept vehicle and phase of mission. For instance, the glide phase was shown to have a higher triggering threshold than a powered phase. On the other hand, the study noted that many uncertainties remain with understanding the triggering conditions. Therefore, the results of the study recommended that until more accurate triggering thresholds for the differing vehicle concepts can be quantified, the avoidance criteria should be followed. The FAA requests comments on this proposal. The ARC recommended the intent or performance goal of the current LFCC be captured into performance-based requirements that allow for the consideration of each launcher’s mission profile, general vehicle and flight safety system components, and other factors that may reduce the currently-required 30-minute wait.127 The ARC also recommended that the prescriptive requirements in Appendix G be placed in a guidance document that provides acceptable means of meeting the performance-based requirements. Finally, the ARC estimated that launch and site operators could save hundreds of thousands of dollars, or more, for each avoidance of launch scrubs and no-go calls due to unnecessarily conservative weather restrictions. The FAA generally agrees with the ARC’s recommendation and proposes to replace the detailed prescriptive LFCC in appendix G with performance-based requirements in proposed § 450.163. It would also provide an AC that contains an accepted means of compliance with the proposed § 450.163(a)(1), including reference to NASA–STD–4010 128 and would also include other relevant standards for the design of a vehicle to withstand the direct and indirect effects of a lightning discharge. The FAA seeks comment on this approach. The FAA anticipates that a performance-based regulation, accompanied by an associated AC and government standards, would resolve 127 The ARC stated, ‘‘intent or performance goal, of the stated requirements.’’ The FAA has interpreted the phrase ‘‘of the stated requirements’’ to mean of the current LFCC found in appendix G to part 417. 128 NASA–STD–4010 is the current lighting launch commit criteria employed by NASA and the Air Force. The FAA uses this standard as its basis for the requirements in Appendix G and has issued a broad-based ELOS determination allowing an operator to comply with the current NASA–STD– 4010 instead of the existing Appendix G which is outdated. E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15342 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules many of the issues with the current Appendix G. While a thorough understanding of whether a given launch vehicle and its mission profile will trigger lightning is far from being understood, a performance-based requirement for mitigating natural and triggered lightning strikes or encountering a nearby lightning discharge would allow an operator to use up-to-date lightning avoidance criteria without having to wait for the regulation to be updated, or for the FAA to issue an ELOS determination or a waiver. The intent of the current requirements found in Appendix G to part 417 is to avoid and mitigate natural and triggered lightning. Under the proposed regulations, the FAA would require operators to avoid and mitigate the potential for intercepting or initiating lightning strike or encountering discharge through implementation of flight commit criteria. Alternatively, an operator would be able to use a vehicle designed to continue safe flight if struck by lightning or encountering a nearby discharge. Finally, an operator would be able to comply with the proposed regulation by ensuring that compliance with public safety criteria would be met in the event of a lightning strike on the vehicle. Proposed § 450.163(a)(1), would require an operator to mitigate the potential for a vehicle to intercept or initiate a lightning strike or encounter a nearby discharge through flight commit criteria using a means of compliance accepted by the Administrator. Currently, the FAA is only aware of one standard, NASA–STD–4010, that is currently acceptable and would satisfy the requirements of proposed § 450.163(a)(1). While FAA anticipates that industry might develop new standards as technology advances, such standards would be required to be submitted as alternative means of compliance under § 450.35 (Accepted Means of Compliance) paragraph (c) and accepted by the Administrator prior to use. If an operator were to submit an alternative means of compliance to NASA–STD–4010, the proposed lightning standard would need to be evaluated and accepted by the FAA, including any consultation with outside expert, prior to being used in any license application using the new standard. The FAA anticipates that this revision would provide more flexibility to an operator than the current appendix G, which prescribes the specific lightning flight commit criteria that an operator must use. While the only method currently accepted by the Administrator VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 is NASA–STD–4010, operators would have the flexibility to propose lightning flight commit criteria based on a certain vehicle’s mission profile (e.g., whether it is a piloted RLV launching a payload to low Earth orbit, or a piloted suborbital reusable launch vehicle with spaceflight participants on board).129 However, as previously discussed, such a proposed means of compliance would need to be accepted prior to being used in a license application to satisfy proposed § 450.165(a)(1). An operator may choose instead to mitigate lightning strikes and the initiation of lighting by using a vehicle designed to continue safe flight in the event of a lightning strike, in accordance with proposed § 450.163(a)(2). To accomplish this, an operator would need to demonstrate that the vehicle design adheres to design standards for lightning protection of the vehicle and its safety critical systems. The FAA is currently evaluating current aircraft lightning protection standards, such as AC 20–136B and AC20–107B, to determine whether a launch or reentry vehicle designed to those standards would allow for the continued safe flight of the vehicle.130 The FAA anticipates that it would accept other industry standards for lightning protection or certification standards during vehicle design, such as SAE Aerospace Recommended Practices, or European Organization for Civil Aviation Equipment, as an acceptable means of compliance to proposed § 450.163(a)(2). Finally, an operator would be able to choose to comply with proposed § 450.163(c) by ensuring that it would be in compliance with the public safety criteria of proposed § 450.101 should it encounter discharge or take a direct lightning strike. The use of physical containment as a hazard control strategy would be a prime example, but other scenarios may also apply. Section 450.163 would apply to all launch and reentry vehicles, including ELVs, RLVs, hybrids, and reentry vehicles. Because the proposed requirement is performance based, each operator would be able to provide lightning mitigation methods designed for a specific vehicle’s mission profile. Under § 450.163, the FAA anticipates 129 The piloted vehicles can control and maneuver the vehicle leading up the release point or area thus limiting the exposure of the vehicle to elevated electric fields upon its launch. 130 AC 20–136B, Aircraft Electrical and Electronic Lightning System Lightning Protection, provides information and guidance on the protection of aircraft electrical and electronic systems from the effects of lightning. AC 20–107B, provides information and guidance on composite aircraft structure. PO 00000 Frm 00048 Fmt 4701 Sfmt 4702 that an operator would be able to apply new research findings or methodologies in a more timely manner than under appendix G. Further, the FAA would be able to update guidance materials in a timely manner to include those means of compliance that result from advances in science, information, or technology. Additionally, the FAA believes that, by providing an operator with the flexibility to mitigate natural and triggered lightning strikes through standards and best practices, the operators could avoid costly delays resulting from compliance with the requirements in the current appendix G. Section 450.163(b) would establish application requirements. To comply with proposed § 450.163(a)(1), an applicant would be required to submit lightning flight commit criteria that mitigate the potential for a launch or reentry vehicle intercepting or initiating a lightning strike, or encountering a nearby discharge using a means of compliance accepted by the Administrator. As previously discussed, the only current method to comply with § 450.165(a)(1) would be to use NASA– STD–4010. If an applicant chooses instead to comply with § 450.163(a)(2), it would be required to provide documentation demonstrating that the vehicle is designed to protect safety critical systems, such as electrical and electronic systems, or FSSs. The FAA anticipates that this documentation would include proof and validation that the vehicle has followed lightning protections standards that would protect the vehicle’s safety critical systems from a direct or indirect lightning discharge. If an applicant chooses to comply with § 450.163(a)(3), it would be required to provide documentation demonstrating compliance with § 450.101 in the event of a lightning discharge. As previously discussed, the FAA expects that this would be demonstrated through any number of analyses that validate that the vehicle is able to control individual and collective risk to the public, The FAA considered using direct measurement of the electric field within a cloud as an option for a launch operator to comply with proposed § 450.163. However, it is the FAA’s understanding that there is currently no consensus among the scientific community on the electric field value threshold to initiate lightning. Without a definite threshold value, the FAA would not be able to make a safety determination if an operator were to take direct measurements of the electric field. In addition, further research and data is required to establish procedures for measuring within the cloud, for how many measurements to make within a E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules period of time or distance from the cloud, and such other considerations. Nevertheless, given the performancebased nature of § 450.163, it is possible that in the future, an accepted means for obtaining real time electric field readings along the flight profile could lead to less restrictive criteria. amozie on DSK9F9SC42PROD with PROPOSALS2 10. Flight Safety Rules In proposed § 450.165, an operator would be required to establish and observe flight safety rules that govern the conduct of each launch or reentry. These would include flight commit criteria and flight abort rules. i. Flight Commit Criteria The FAA proposes to consolidate the flight-commit criteria requirements currently contained in parts 417, 431, and 435. Flight-commit criteria are conditions necessary prior to the flight of a launch vehicle or the reentry of a reentry vehicle to ensure that the launch or reentry does not exceed the public safety criteria in proposed § 450.101. Although this proposal restates flightcommit requirements differently than the current regulations, the changes would not alter substantive requirements, and are intended solely for clarification purposes. The ELV launch requirements for flight readiness are contained in §§ 415.37 and 417.113. Section 415.37 requires an applicant to file procedures for verifying readiness for safe flight, which result in flight-commit criteria. Section 417.113(c) requires that the launch safety rules include flightcommit criteria that identify each condition that must be met in order to initiate flight. The flight-commit criteria must implement the FSA; for a launch that uses an FSS, must ensure that the FSS is ready for flight; and for each launch, must document the actual conditions used for the flight-commit criteria at the time of lift-off and verify whether the flight-commit criteria are satisfied. Flight-commit criteria for launch and reentry of a reusable launch vehicle are contained in §§ 431.37 and 431.39, and by extension in § 435.33 for the reentry of a reentry vehicle other than a RLV. Unlike part 417, the parts 431 and 435 requirements are performance-based and required as part of the system safety analysis requirements. Flight-commit criteria-related requirements appear throughout proposed part 450. The main requirements would be found in §§ 450.155, 450.159, and 450.165. Section 450.155 would require an operator to document and implement procedures to assess readiness to VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 proceed with the flight of a launch or reentry vehicle. Proposed § 450.159 would require an operator to implement preflight procedures to verify that each flight-commit criterion has been met before initiating flight. Proposed § 450.165 would mandate that an operator’s flight safety rules include flight-commit criteria identifying each condition necessary prior to initiating flight to satisfy proposed § 450.101. These commit criteria would include surveillance, monitoring of meteorological conditions, implementing window closures for the purpose of collision avoidance, monitoring the status of any flight safety system, and any other hazard controls derived from system safety, software safety, or flight safety analyses. Also, for any reentry vehicle, the commit criteria would include monitoring the status of safety-critical systems before enabling reentry flight. Part 450 also includes requirements to develop flight-commit criteria based on the results of various analysis. For instance, § 450.135 (Debris Risk Analysis) would require operators to demonstrate compliance with public safety criteria in proposed § 450.101. In § 450.137, the far-field overpressure blast effect analysis would have to demonstrate compliance with public safety criteria in proposed § 450.101. Sections 450.139 (Toxic Hazards for Flight) and 450.187 (Toxic Hazards Mitigation for Ground Operations) would require an operator to derive flight-commit criteria based on the results of its toxic release hazard analysis, containment analysis, or toxic risk assessment to ensure any necessary evacuation of the public from any toxic hazard area prior to flight. Proposed § 450.141 (Wind Weighting for the Flight of an Unguided Suborbital Launch Vehicle) would require an operator to establish flight-commit criteria that control the risk to the public from potential adverse effects from normal and malfunctioning flight. Proposed § 450.161 would require an applicant to describe how it will provide for day-of-flight surveillance of flight hazard areas, if necessary, to ensure that the presence of any member of the public in or near a flight hazard area is consistent with flight-commit criteria. Section 450.163 would require an operator to derive flight-commit criteria that mitigate the potential for a launch or reentry vehicle intercepting or initiating a lightning strike, or encountering a nearby discharge. Finally, § 450.169 (Launch and Reentry Collision Avoidance Analysis) would require an operator use the results of the collision avoidance analysis to develop PO 00000 Frm 00049 Fmt 4701 Sfmt 4702 15343 flight-commit criteria for collision avoidance. ii. Flight Abort Rules The FAA proposes to include flight abort rules as part of proposed flight safety rules in § 450.165. Flight abort rules apply to a vehicle that uses an FSS and are the conditions under which an FSS must abort the flight to ensure compliance with flight safety criteria. Current regulations in parts 417 and 431 address flight abort rules. Section 417.113(d) sets flight termination rules for ELVs. It requires operators to identify the conditions under which the FSS, including the functions of the flight safety system crew, must terminate flight to ensure public safety. The flight termination rules must implement the FSA, and specifically requires operators to terminate flight in the following six scenarios: 1. When real-time data indicate a flight safety limit has been reached. 2. At the straight-up time if the vehicle flies straight up. 3. If the vehicle becomes erratic and may endanger protected areas, while potentially losing control of the flight safety system. 4. No later than at the expiration of the data loss flight time if tracking data is lost. 5. If a vehicle is performing erratically prior to entering an overflight gate, or if the vehicle is not flying parallel to or converging to the nominal trajectory prior to entering a gate. 6. If a vehicle is performing erratically prior to entering a hold gate, or if the vehicle is not flying parallel to or converging to the nominal trajectory prior to entering a hold gate. Some of these current requirements may be overly prescriptive. For example, flight abort at the straight-up time is only one method of mitigating risk to the launch area in the event of a vehicle that fails to program and flies straight up. Although other methods may mitigate risk to an acceptable level, under the current requirements, an operator would be forced to abort flight at the straight up time. Also, the rules for allowing vehicles to enter gates are too subjective and not easily tied to specific hazards. Part 431, applicable to RLVs, does not impose specific flight abort rules. However, § 431.39(a) requires an applicant to submit mission rules and contingency abort plans that ensure safe conduct of mission operations during nominal and non-nominal vehicle flight. These would encompass flight abort rules because § 401.5 defines contingency abort as the cessation of E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15344 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules vehicle flight during ascent or descent in a manner that does not jeopardize public health and safety and the safety of property, in accordance with mission rules and procedures. Part 431 requires flight abort when needed to mitigate risk and a set of rules to that end, yet does so without following part 417’s more detailed and prescriptive approach. In practice, orbital rockets licensed under part 431 have used an AFSS with flight abort rules that are conservatively consistent with the six scenarios identified in 417.113(d), when applicable (e.g., no straight-up time for a horizontal launch). Section 450.165(c) lays out the proposed consolidation and clarification of flight abort rules. Although the FAA would maintain much of § 417.113(d)’s structure and requirements, the FAA looked for opportunities to replace prescriptive requirements with outcome objectives. The FAA would require operators to develop flight abort rules to comply with the public safety criteria of § 450.101, as well as to prevent debris capable of causing a casualty from impacting in uncontrolled areas if the vehicle is outside the limits of a useful mission. Operators would also need to identify the functions of any flight abort crew, as specifically required in part 417. This is also consistent with the FAA’s practice in implementing part 431. Although not specifically stated in § 431.39(a), the FAA has required operators to identify crew functions. The FAA proposes to eliminate the straight-up rule, as it is not reasonable to include the rule at the exclusion of other existing mitigation options. Also, the FAA proposes to simplify the current requirements for gate passage to allow a vehicle to pass through a gate if it can achieve a useful mission. This would allow the operator to specify which vehicle parameters are the most useful for determining whether a vehicle should be allowed to enter a gate. For orbital launches, vehicles unable to achieve orbit cannot achieve a useful mission and should be terminated. The FAA would delete separate requirements for hold-andresume gates, as analysis should show which types of gates are most effective for the proposed flight, and those should be implemented. These proposed rules, which would be similar to those from part 417, were chosen over the generic requirement for mission rules from part 431 because they correspond to other sections in the proposed rule describing flight safety limits, gates, and other requirements. This is consistent with the ARC’s recommendation to change part 431 to better capture the intent of the flight VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 abort rules. An operator should balance potentially competing objectives as necessary to minimize risk when writing specific flight abort rules. For example, if there is a rule to destruct a vehicle to prevent an intact impact in order to reduce distant focused overpressure risk, the operator should also consider the resulting risk to aircraft when establishing the timing of the destruct action. Proposed § 450.165(d) lays out the application requirements for flight safety rules. For flight commit criteria, the FAA would require an applicant to provide a list of all flight commit criteria. These would include any criteria related to surveillance, monitoring of meteorological conditions, implementation of launch or reentry windows closures for the purpose of collision avoidance, confirmation that any safety-critical system is ready for flight, monitoring of safety-critical systems prior to enabling re-entry flight, and any other hazard controls. For flight abort rules, the FAA would require an applicant to provide a description of each rule, and the parameters that will be used to evaluate each rule, as well as a list that identifies the rules necessary for compliance with each requirement in § 450.101. All conditions in which flight abort action would be taken must be described, as well as rules and conditions allowing flight to continue past a gate. Lastly, the FAA would require an applicant to provide a description of the vehicle data that will be available to evaluate flight abort rules across the range of normal and malfunctioning flight. This information is necessary to ensure that compliance with the flight abort rules is achievable. 11. Tracking The FAA proposes to adopt vehicle tracking requirements. Specifically, proposed § 450.167 (Tracking) would require an operator to measure and record in real time the position and velocity of the vehicle. The system used to track the vehicle would be required to provide data to determine the actual impact locations of all stages and components, and to obtain vehicle performance data for comparison with the preflight performance predictions. The proposed requirements would be consistent with current practice for a wide variety of vehicles, including the widespread use of telemetry data, and various requirements of parts 417, 431, and 437. Current regulations for ELVs require a vehicle tracking system as part of the FSS. For example, in § 417.113(c), as part of the flight commit criteria for a PO 00000 Frm 00050 Fmt 4701 Sfmt 4702 launch that uses an FSS, readiness for flight includes that the launch vehicle tracking system has no less than two tracking sources prior to lift-off. Also, the launch vehicle tracking system must have no less than one verified tracking source at all times from lift-off to orbit insertion for an orbital launch, to the end of powered flight for a suborbital launch. Of course, the need for tracking is implicit in other requirements for launch of a vehicle with an FSS, including the requirements regarding data loss flight times in § 417.219. Section § 417.125 also requires an operator of an unguided suborbital launch vehicle to track the flight of its vehicle. Specifically, § 417.125(f) requires an operator to provide data to determine the actual impact locations of all stages and components, to verify the effectiveness of a launch operator’s wind weighting safety system, and to obtain rocket performance data for comparison with the preflight performance predictions. Part 431 has no explicit requirements related to tracking. However, currently every operation licensed under part 431 is required to employ a telemetry system that provides, among other safety critical information, data on the position and velocity of the vehicle in real-time. In addition, the one orbital RLV operation licensed to date employed an FSS and established data loss flight times. The use of data loss flight times is an explicit recognition that a vehicle without tracking poses a potential hazard to the public. Tracking is also required under Experimental Permit regulations. Under § 437.67, an operator must, during permitted flight, measure in real-time the position and velocity of its reusable suborbital rocket. The requirements for an operator to measure in real time the position and velocity of its rocket, coupled with the requirement to communicate with ATC during all phases of flight, are intended (among other things) to provide ATC with enough information to protect the public if the vehicle flies outside its planned trajectory envelope. Tracking data sufficient to identify the location of any vehicle impacts following an unplanned event are necessary to ensure a proper response to an emergency. Specifically, a launch operator must implement its mishap response plan if an unplanned event occurring during the flight of a launch vehicle results in the impact of a launch vehicle, its payload or any component thereof outside designated impact limit lines for an expendable launch vehicle; and, for an RLV, outside a designated landing site. More generally, vehicle- E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules 15345 tracking data provide a level of awareness that enables an appropriate response to an off-nominal situation, such as knowing where to apply fire suppression resources or where to evacuate the public to protect against predicted toxic plumes. More specifically, tracking data are an important element of current U.S. Government consensus standards, in accordance with RCC 321, to ensure the safety of people in aircraft. Specifically, since 2007, RCC 321 has included a requirement (in paragraph 3.3.4) to coordinate with the FAA to ensure timely notification of any expected air traffic hazard associated with range activities. In the event of a mishap, RCC 321 requires that the operator must immediately inform the FAA of the volume and duration of airspace where an aircraft hazard is predicted.131 Tracking data are also necessary to evaluate vehicle safety performance, even for normal flight. For example, § 417.125(g)(3) requires a launch operator of an unguided suborbital launch vehicle to compare the actual and predicted nominal performance (i.e., trajectory) of the vehicle. Accurate data to describe the vehicle normal trajectory envelope are necessary for valid quantitative public risk assessments. Current practice demonstrates that tracking data will help facilitate safe and efficient integration of launch and reentry operations into the NAS. The increasingly congested and constrained NAS creates a need to transition from segregation, to full integration of space vehicles. The FAA has several efforts underway to ensure the safe and efficient transition of launch and reentry vehicles through the NAS, while minimizing the effects of these operations on other users of the NAS. The FAA has contemplated the need to obtain real time data tracking data, including vehicle state vectors, reports of mission events, and indications of vehicle status, to help accomplish this. However, the FAA is deferring that discussion until after the Airspace Access Priorities ARC.132 Proposed § 450.167(a) would require an operator to measure and record in real time the position and velocity of the vehicle. The system used to track the vehicle would need to provide data to determine the actual impact locations of all stages and components, and to obtain vehicle performance data for comparison with the preflight performance predictions. The proposed requirements are consistent with current practice for a wide variety of vehicles, including the widespread use of telemetry data, and various requirements levied under parts 417, 431, and 437. Proposed § 450.167(a) would consolidate and standardize the current regulatory requirements for vehicle tracking-related information. Vehicletracking data facilitate appropriate emergency responses, and an ability to determine the actual vehicle impact locations due to an unplanned event is critical to evaluate the class of mishap. Comparison of the actual vehicle safety performance, such as the trajectory, with preflight predictions helps ensure the continued accuracy of the FSA input, and thus the validity of the public risk assessments and hazard areas. A comparison of the actual vehicle safety performance data to predict performance provides the FAA with a means to evaluate an operator’s understanding of its safety margins, which is a measure of maturity of the operation and thus a potential factor in the probability of failure analysis. Proposed § 450.167(b) would require an applicant to identify and describe each method or system used to meet the tracking requirements of proposed § 450.167(a) of this section. Because the proposed requirements are consistent with current practice, and in some cases less restrictive, the application requirements would not increase burden on license applicants. The FAA proposes to modernize the launch and reentry collision avoidance analysis criteria to match current common practice and provide better protection for inhabitable and active orbiting objects. It would also allow launch and reentry operators to obtain a launch collision avoidance analysis from Federal entities identified by the FAA. Previously, the FAA established identical rules for expendable launches from Federal and non-Federal launch ranges, RLV operations, and permitted launch operations. The proposed rule would consolidate launch and reentry collision avoidance analysis requirements from these three different parts into a single safety rule. The FAA anticipates that proposed changes to the collision avoidance analysis criteria would not significantly affect operators. The changes would capture current practice, provide alternative means of meeting existing requirements, and clarify the time period that the analysis must address. Launch and reentry collision avoidance measures are necessary actions for responsible and safe launches and reentries. Under current regulations, a launch collision avoidance analysis is performed prior to each launch to protect against collision with only inhabitable objects, including the International Space Station, as required screening objects. It is important to avoid collisions during launches because the energy released through an impact during launch would most likely be catastrophic for the launch vehicle and the object it impacted. In addition to mission assurance, to ensure the successful launch of an object, there are significant reasons to mitigate debris creation through collision avoidance. Launch collision avoidance analysis occurs prior to launch and entails the determination of times when a launch should not be initiated. There is a balance between launch opportunities and orbital safety that must be established to protect both the launch vehicle and on-orbit objects. Reentry collision avoidance analysis occurs prior to the initiation of a reentry maneuver and provides for the review of the maneuver trajectory to establish when reentry should not be initiated. Section 431.43(c)(1)(ii) documents the requirement for reentry collision avoidance. The creation of orbital debris is an expected result of a collision during launch or reentry.133 As stated earlier, limiting orbital debris is a vital part of protecting the space environment and is a national objective. Therefore, the FAA believes it is paramount to avoid all collisions during launch and reentry. The Department of Defense created a tiered level of separation distance to avoid collisions and still allow ample opportunity for launch. The FAA agrees with the tiers, identified in the chart below. This chart excludes the object launching or reentering, which would be damaged or destroyed in all cases. 131 Range Commanders Council, Common Risk Criteria for National Test Ranges, RCC 321–07, White Sands Missile Range, New Mexico, 2007. 132 Information regarding the Airspace Access Priorities ARC is available at https://www.faa.gov/ regulations_policies/rulemaking/committees/ documents/index.cfm/document/information/ documentID/3443. 133 Orbital debris is all human-generated debris in Earth orbit that is greater than 5 mm in any dimension. This includes, but is not limited to, payloads that can no longer perform their mission, rocket bodies and other hardware (e.g., bolt fragments and covers) left in orbit as a result of normal launch and operational activities, and fragmentation debris produced by failure or collision. Gases and liquids in free state are not considered orbital debris. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 12. Launch and Reentry Collision Avoidance Analysis Requirements PO 00000 Frm 00051 Fmt 4701 Sfmt 4702 E:\FR\FM\15APP2.SGM 15APP2 15346 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules FIGURE 2—LAUNCH COLLISION AVOIDANCE JUSTIFICATIONS AND TIERS amozie on DSK9F9SC42PROD with PROPOSALS2 Inhabitable Objects ..... Active Satellites .......... Trackable Debris >10 cm2 (LEO). Un-trackable Debris <10 cm 2 (LEO). Separation distance Protect public health and safety Safety of property 200 km ..................... 25 km ....................... 2.5 km ...................... Yes ........................... .................................. .................................. Yes ........................... Yes ........................... .................................. Not applicable .......... .................................. .................................. With space becoming more congested every year, it is vitally important for launch or reentry collision avoidance to extend beyond inhabitable objects to include all active orbiting objects and trackable orbital debris. Records from a recent Intelsat launch showed that if the launch occurred 35 minutes into the 2hour launch window, the launch vehicle could have passed by a defunct but still orbiting COSMOS navigation satellite by only 600 meters. The FAA believes not proposing launch collision avoidance in this instance is unnecessarily hazardous. Sections 417.107(e), 417.231, and 437.65 require launch operators to ensure that the launch vehicle does not pass closer than 200 km (approximately 124 statute miles) to a manned or mannable orbital object to avoid collisions during launch. A collision avoidance analysis must be obtained through a Federal entity. The analysis must be used to determine any launch holds to avoid potential collisions. In § 417.107(e), a launch operator must ensure that a launch vehicle, any jettisoned component, and its payload do not pass closer than 200 km to a manned or mannable orbital object throughout a sub-orbital launch, and for an orbital launch, during ascent to initial orbital insertion and through at least one complete orbit, and during each subsequent orbital maneuver or burn from initial park orbit, or direct ascent to a higher or interplanetary orbit, or until clear of all manned or mannable objects, whichever occurs first. A launch operator is also required under § 417.107(e) to obtain a collision avoidance analysis for each launch from United States Strategic Command or from a Federal launch range having an approved launch site safety assessment. The detailed requirements for obtaining a collision avoidance analysis are found in § 417.231 and section A417.31 of appendix A to part 417. The results of the collision avoidance analysis must be used to develop flight commit criteria for collision avoidance as required by § 417.113(c). These requirements and processes for ascertaining launch collision avoidance are unnecessarily complicated and are VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 U.S. national security or foreign policy interests International obligations Yes ........................... Yes ........................... Yes, if it creates significant debris. .................................. Yes ........................... Yes ........................... Yes, if it creates significant debris. .................................. inconsistent with the current practices executed at Federal launch ranges that provides an equivalent level of safety. The current practice is to use a common analysis time frame instead of a single orbit as identified in the current regulations. The safety standard for the standoff distance of 200 km remains consistent throughout launch (and reentry) requirements for launches of expendable and reusable launch vehicles and for launches from both Federal launch ranges as well as nonFederal launch sites. Section 417.231 requires a launch operator to include in its flight safety analysis a collision avoidance analysis that (1) establishes each launch wait in a planned launch window during which a launch operator must not initiate a flight in order to protect any manned or mannable orbiting object, and (2) accounts for uncertainties associated with launch vehicle performance and timing and ensures that any calculated launch waits incorporate additional time periods associated with such uncertainties. It also requires the launch operator to implement any launch waits into its flight commit criteria under § 417.113(c) to ensure that the operator’s launch vehicle, any jettisoned components, and its payload do not pass closer than 200 km to a manned or mannable orbiting object during ascent to initial orbital insertion through one complete orbit. Further, under § 417.231 no collision avoidance analysis is required if the maximum altitude attainable, using an optimized trajectory, assuming 3-sigma maximum performance, by a launch operator’s unguided suborbital launch vehicle is less than the altitude of the lowest manned or mannable orbiting object. Appendices A, section A417.31, and C, section C417.11, of part 417 provide constraints for performing the collision avoidance analysis as part of the flight safety analysis required by § 417.231. Section 437.65 establishes the minimum required altitude as 150 km, which is the current standard practice. Section 431.43(c)(1) and (3) also requires a collision avoidance analysis for RLVs to be performed to maintain at PO 00000 Frm 00052 Fmt 4701 Sfmt 4702 Avoid debris generation Yes. Yes. Yes. Protect with shielding & design. least a 200 km separation from any inhabitable orbiting object during launch and reentry. It requires the analysis to address closures in a planned launch window for ascent to outer space for an orbital RLV to initial orbit through at least one complete orbit; for reentry, the reentry trajectory; and expansions for the closure period. For reentry of vehicles not part of a reusable system, § 435.33 refers to part 431, subpart C, including § 431.43(c)(1) as a requirement. Appendix A to part 415 contains a worksheet for the data input for launch. However, Appendix A to part 415 is a U.S. Space Command form that is no longer in use.134 The current practice is to submit the launch collision avoidance analysis data prior to launch in a form and manner accepted by the Administrator, which is currently the R–15 launch plan worksheet. The data collected on the R–15 launch plan worksheet are detailed in sections A417.31 and C417.11 and are used by the agency performing the launch collision avoidance analysis. A number of issues are unclear or outdated under section A417.31. In section A417.31(c)(8), the option to use an ellipsoidal screening method does not identify the size of the ellipsoid required. Section A417.31(b)(3) limits an operator to use collision avoidance analysis (COLA) products to 12 hours from when ‘‘manned’’ objects were last tracked. This information is not provided to launch or reentry operators and therefore is not implemented in the current practices. Section A417.31(b)(4) and (c)(7) also includes two expansions of window closures. The first expansion is for every 90 minutes, a 15 second buffer should be added before and after the provided window closures, and the second is a 10-minute addition to the screening time. Neither of these practices are currently implemented at Federal launch ranges or non-Federal launch sites. With proposed § 450.169 and appendix A to part 450, the FAA would align the collision avoidance analysis 134 The U.S. Space Command was deactivated in 2002. E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules criteria with current practice and provide better protection for inhabitable and active orbiting objects. The FAA also proposes to allow a launch operator to obtain a collision avoidance analysis from a Federal entity identified by the FAA. The proposed changes balance increased options and additional requirements and would allow more flexibility and accuracy in avoiding collision with orbiting objects. The FAA also proposes to remove appendix A to part 415 in its entirety because the Launch Notification Form is no longer used by the FAA or launch operators. The data is currently collected via the R–15 work sheet and associated trajectory files and is detailed in sections A417.31 and C417.11. Sections A417.31 and C417.11 would be replaced with appendix A to part 450, which would contain the Collision Analysis Worksheet information requirements and captures current practice. The FAA proposes a few format and editorial changes in the collision avoidance requirements of proposed § 450.169. First, the proposal would refer to ‘‘inhabitable’’ rather than ‘‘manned or mannable’’ objects for greater simplicity and ease of understanding. Similarly, the proposal would refer to ‘‘separation distances’’ rather than ‘‘miss distances,’’ as this terminology is more accurate and better connotes the FAA’s goal of maintaining a safe separation of objects on orbit. Finally, the proposal would refer to ‘‘window closures’’ for launch and reentry rather than ‘‘waits’’ in a launch or reentry window to provide a more cogent and accurate description. These updated terms would have the same meaning as the terms they replace.135 Substantively, the FAA proposes to consolidate the launch and reentry collision avoidance analysis requirements into proposed § 450.169. Proposed § 450.169(a) would require, for orbital or suborbital launch or reentry, an operator to establish any window closures needed to ensure that the vehicle, any jettisoned components, or payload meet the specified requirements of that section. When performing a launch or reentry collision avoidance analysis for inhabitable objects, under proposed § 450.169(a)(1), an operator would have two alternatives in addition to maintaining a spherical separation distance. An operator would be able to 135 The FAA recognizes reentry windows as a number of discrete or short duration windows during which a reentry may be commanded. Past experience shows window closures are insignificant for reentry. The safety requirements for launch or reentry window management are intended to be equitable. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 stipulate an ellipsoidal rather than a spherical separation distance between its vehicle and an inhabitable object or satisfy a probability of collision threshold rather than calculating a separation distance. The FAA also would maintain the current requirement to maintain a spherical separation distance as a third option. These proposed requirements are discussed more fully later in this section. The FAA also proposes to require that a collision avoidance analysis address other orbiting objects, such as active spacecraft and tracked debris. The uninhabitable active objects would be protected with significantly less restrictive clearance distances than provided to inhabitable objects. This would require no extra work from the operators, including those from nonFederal launch sites. Additionally, no launches have been scrubbed for COLA closures, and the FAA does not anticipate any impact to future operations due to this requirement. Proposed § 450.169(b) would require an operator to ensure that the requirements of proposed § 450.169(a) are met for the durations specified. Specifically, proposed § 450.169(b)(1) would require screening through the entire flight of a suborbital vehicle. Proposed § 450.169(b)(2) would standardize the time period of the launch collision avoidance analysis for an orbital launch to ascent from a minimum of 150 km to initial orbital insertion and for a minimum of 3 hours from liftoff. Proposed § 450.169(b)(3) would identify the screening time frame for reentry as the time frame from initial reentry burn to an altitude of 150 km. Similarly, proposed § 450.169(b)(4) would cover a disposal reentry with the same altitude. Proposed § 450.169(c) would establish that planned rendezvous operations that occur within the screening time frame are not considered a violation of collision avoidance if the involved operators have pre-coordinated the rendezvous or close approach. Proposed § 450.169(d) would establish the exclusion of collision avoidance for launch vehicles that do not reach a maximum altitude of 150 km. The FAA also proposes to change from a 3-sigma maximum performance established in current § C417.11 and replace it with maximum performance within 99.7% confidence level, extended through fuel exhaustion of each stage. The intention of the 3-sigma rule was the use of a 99.7% confidence level. However, the 3-sigma rule does not hold true (the same percentage confidence level) when the analysis adds multiple dimensions. Therefore, PO 00000 Frm 00053 Fmt 4701 Sfmt 4702 15347 the FAA proposes the requirement with 99.7% confidence level instead of the 3sigma rule in the existing regulation. In proposed § 450.169(e) an operator would be required to obtain a collision avoidance analysis for each launch or reentry from a Federal entity identified by the FAA. An operator would be required to use the results of the collision avoidance analysis to establish flight commit criteria for collision avoidance, account for uncertainties associated with launch or reentry vehicle performance and timing, and ensure that each window closure incorporates all additional time periods associated with such uncertainties. This latter proposed requirement would remove outdated practices from the launch collision avoidance requirements that are currently found in sections A417.31(c)(7)(iv) and C417.11(d)(7)(iv), which require adding 10 minutes to the screen duration time, sections A417.31(b)(4) and C417.11(c)(4) and § 431.43(c)(1)(iii) which require adding 15-second buffers to the launch window closures, and appendix A to part 415 which is a redundant form to the worksheet specified in sections A417.31 and C417.11. The current practices no longer require a 10-minute extra pad as the screening time is no longer a single orbit. Also, the 15second buffers are no longer required because the service provider accounts for the accuracy of the result products and the 15-second buffers were based upon the last time the orbital objects were tracked. The launch operator is not responsible for tracking orbital objects and is not provided data on when the orbital objects were last tracked making the existing requirement difficult to apply. The launch or reentry operator would only be required to account for uncertainties associated with launch or reentry vehicle performance and timing in accordance with proposed § 450.169(e)(2). This is consistent with the existing requirement in § 417.231(a). In proposed § 450.169(f), the FAA would require an operator to prepare a collision avoidance analysis worksheet for each launch or reentry using a standardized format that contains the input data required by appendix A to part 450. Proposed § 450.169(f)(1) would require an operator to file the input data with a Federal entity identified by the FAA and the FAA at least 15 days before the first attempt at the flight of a launch vehicle or the reentry of a reentry vehicle or in a different time frame in accordance with proposed § 404.15. The FAA anticipates that it initially would identify the Air Force Space Command (AFSPC) as an entity E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15348 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules with whom to file the collision avoidance analysis inputs. The FAA also proposes to maintain the current 15-day requirement of sections A417.31(b)(1) and C417.11(c)(1) in proposed § 450.169(f)(1). The 15-day requirement is necessary for federal agencies to evaluate the content of the submission and ensure the trajectory files and data provide acceptable data and can be processed successfully. It would also allow federal agencies to determine early potential conjunctions with national systems or human space flight activities, and would provide adequate time for federal agencies to develop a strategy for early orbit detection and tracking including taskings to global sensors and expected trajectories for sensors to aid in initial acquisition. Proposed § 450.169(f)(2) would require an operator to obtain a collision avoidance analysis performed by a Federal entity identified by the FAA 6 hours before the beginning of a launch or reentry window. This is consistent with existing sections A417.31(b)(2) and C417.11(c)(2). Consistent with current sections A417.31(b)(3) and C417.11(c)(3), proposed § 450.169(f)(3) would require an operator that needs an updated collision avoidance analysis due to a launch or reentry delay to file the request with the Federal entity and the FAA at least 12 hours prior to the beginning of the new launch or reentry window. Additionally, the current regulations, sections A417.31(b)(3) and C417.11(c)(3), limit the use of products to 12 hours from the time U.S. Strategic Command determines the state vectors of manned or mannable objects. The FAA intends to remove this limitation, as launch or reentry operators are not provided with the last time of observation of inhabitable objects and therefore cannot determine a 12-hour expiration time. The removal of this requirement would place the responsibility on the service provider to provide the time frame that the analysis is valid. For most cases, the analysis would be valid for the entire launch or reentry window. However, an extremely long launch window or sporadic reentry window may require additional analysis. The service provider would identify to an operator when its analysis in no longer valid, which is similar in intent to the original 12-hour expiration time, but more flexible in its application. i. Inhabitable Objects Inhabitable objects are those that are or may be occupied by persons. An inhabitable object need not be VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 inhabited, and the FAA views the term as encompassing any object that may be inhabited, regardless of whether it is at the time of launch. One point that merits clarification in light of inquiries the FAA has received—a launch operator’s own vehicle, if it is inhabitable, does not impose a corresponding obligation on a space station to keep away from it. A launch operator whose vehicle carries people should not construe the requirement to mean that the operator must always keep the vehicle 200 km away from any other object. Current FAA regulations do not protect persons on board a launch or reentry vehicle. Vehicles deliberately approaching each other for rendezvous or docking purposes will have to get within 200 km of each other. In these instances, collision avoidance remains paramount for those orbital objects other than the intended rendezvous spacecraft. Under proposed § 450.169(c), planned close approaches for rendezvous would not be considered violations of collision avoidance if the involved operators have previously coordinated the rendezvous. The proposed requirement to perform collision avoidance would apply during launches that have a rendezvous within the screening period and for licensed reentries that originate from orbiting spacecraft or objects. For planned reentry, coordinated close approaches and departures would not be considered violations of collision avoidance requirements if the involved operators have previously coordinated the operation. ii. Probability of Collision The FAA also proposes to amend the collision avoidance screening methods to include new options for analysis. The current regulation offers spherical or ellipsoidal screening, however, it fails to provide distances for ellipsoidal screening and identifies a spherical distance of 200 km as default. The FAA proposes an additional option of collision probability screening using a covariance matrix. A covariance matrix is a mathematical construct that describes the upper stage’s position and the uncertainty of that position in all dimensions. In proposed § 450.169(a)(1)(i), the FAA would permit a launch operator to employ a probability of collision of 1 × 10¥6, consistent with current Air Force practice, rather than relying solely on the spherical or ellipsoidal separation distance of 200 km currently required by section A417.31(c)(8)(i) and (ii) and § 431.43(c)(1). The spherical separationdistance option is the most conservative option and requires the least detail PO 00000 Frm 00054 Fmt 4701 Sfmt 4702 about the location of the launch vehicle and therefore results in the largest window closures. If launch operators have covariance—that is, uncertainty— information applicable to their nominal trajectories, the option of limiting the probability of collision allows for greater fidelity in avoiding a collision with inhabitable objects. For collision probability screening, proposed § 450.169(a)(1)(i) would require a covariance information, typically provided in a matrix, that identifies the uncertainty of the launch vehicle trajectory. When an operator can provide sufficient covariance (as identified in proposed appendix A to part 450, paragraph (d)(3)), the probability of its collision with an inhabitable object can be accurately calculated and launch window closures can be limited to only those times where actual high risk exists. In essence, this fine-tuned launch collision avoidance would provide assurance against collisions while minimizing potential launch window closures. The FAA proposes to allow the use of a probability of collision because the 18th Space Control Squadron’s (SPCS) use of the proposed probability threshold has prevented collisions while still allowing for maximum availability of launch windows. The FAA agrees that using probability assessment adequately protects inhabitable spacecraft while maximizing the time available for launch. Probability of collision is also the preferred analysis method for reentry collision avoidance. According to NASA,136 the Department of Defense’s 18th SPCS current practice for on-orbit debris regarding the ISS is to assess potential conjunctions inside specific-sized boxes centered on the ISS. Any object predicted to pass within this box is tracked with higher priority. The 18th SPCS then uses the best available data set to compute the probability of collision with the potentiallythreatening catalogued object. If that probability is greater than 1 × 10¥4, the ISS performs a collision avoidance maneuver. If that probability is greater than 1 × 10¥5, then the ISS would perform a collision avoidance maneuver when doing so would not compromise its mission objectives. Additionally, the proposed requirements in § 450.169 for a launch and reentry collision avoidance probability of collision criteria of 1 × 10¥6 against inhabitable 136 Operational Interface Procedures. Volume A, Report Number SSP–50643–A, Section 7.16.2. Published June 28, 2003, and last modified October 17, 2008. E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules objects is consistent with current NASA practices. amozie on DSK9F9SC42PROD with PROPOSALS2 iii. Separation Distance Calculations by Sphere or Ellipsoid Section 417.231 currently requires a launch operator to ensure a separation distance of 200 km between its launch vehicle, any jettisoned components, or its payload, and an inhabitable object.137 The regulation does not specify whether the separation distance must be spherical or may be ellipsoidal. Section A417.31(c)(8) of Appendix A does, however, permit a launch operator to use spherical or ellipsoidal screening. In practice, the 18th SPCS provided ellipsoidal distances in the standardized collision avoidance request form, and the FAA has allowed the 18th SPCS methods as acceptable for launch screening volumes. The FAA anticipates that identifying these options in proposed § 450.169(a) will reduce confusion and accurately capture the requirements for ellipsoidal screening. Additionally, the FAA’s proposal would clarify that either method of calculation would be acceptable. Using ellipsoidal separation calculation would permit a launch vehicle to come within a predicted 50 km from an inhabitable object in the cross-track and radial directions. The intrack distance would be maintained at 200 km. The result is an ellipse around the inhabitable object that looks approximately like a pencil with the tip in the direction of travel. In accordance with longstanding Federal range standards, the 50-km separation distance in the cross-track and radial directions would provide an equivalent level of safety compared to a separation distance based on a sphere because the uncertainty in orbital location is significantly less side-to-side than it is along the velocity vector. Because the velocity vector is greatest in-track, a small change in velocity results in a significant variation in arrival time, and therefore requires the greatest compensation (200 km). However variations in orbital altitude are possible, but occur at a significantly reduced rate, allowing the exclusion distance to be reduced to 50 km radially. Variations laterally are also minimal and require the smallest compensation, allowing the reduction to 50 km in the cross-track directions. The FAA agrees with the Federal range conclusions that the ellipsoidal calculation maintains an equivalent level of safety as the 200-km spherical calculation. 137 14 CFR 417.231(b). VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 iv. Collision Avoidance for Objects That Are Not Inhabitable Sections A417.31(c)(8) and C417.11(d)(8) require that if a launch operator requests launch collision avoidance analysis for unmanned or unmannable objects, the analysis must use the spherical screening method with a separation distance of 25 km (approximately 15.5 statute miles). The screening was optional but, if used, the distance was mandated. The FAA proposes to alter the collision avoidance requirements for uninhabitable objects. Launches from federal ranges require screening for uninhabitable objects to meet Air Force or NASA requirements, therefore there most space launch operators are already familiar with the process and requirements. The FAA proposal creates a common standard for all commercial space launches. In proposed § 450.169(a)(2) and (3), the screening for potential conjunctions would include avoidance of uninhabitable objects, active objects, and trackable debris. The required minimum separation distance would remain at 25 km, or a PC of 1 × 10¥5, for active satellites. For those objects that are tracked and not active, such as debris, defunct rocket bodies, and dead or inactive satellites, for which the FAA currently has no requirement, the FAA proposes a required minimum separation distance of 2.5 km (approximately 1.6 statute miles), consistent with 18th SPCS screening practice. This proposed separation distance would provide increased safety for launches and reentries. The proposed screening would coincide with the screening for inhabitable objects and would cover the same time frames. This is consistent with current 18th SPCS operational procedures. Launch availability during the launch window is a concern of the FAA because excessive launch window closures could limit launch opportunities, increase the effects of prolonged airspace closures on aviation, and increase launch operations costs. The FAA analyzed previous U.S. launches—commercial, civil, and military—to determine the consequence to the launch window availability of adding uninhabitable objects as a mandatory launch collision avoidance requirement. Of the worldwide launches between September 2011 and June 2012, the maximum impact was the closing of approximately 12% of the launch window. The average impact was only 2% of each launch window closed due to launch collision avoidance accounting for both inhabitable and PO 00000 Frm 00055 Fmt 4701 Sfmt 4702 15349 uninhabitable objects. This level of impact was validated for launch closures for launches conducted in 2017. The worst-case scenarios for launch collision avoidance are launches of low inclination that pass through the densest part of the low earth orbit (LEO) population, around 800 km (approximately 497 statute miles) in altitude. The FAA believes implementing collision avoidance for inhabitable objects, active satellites, and trackable debris would adequately prevent collisions without placing excessive restrictions on launch opportunities. The FAA seeks comment on the potential impact of implementing these requirements. v. Accounting for A Conjunction Up to 3 Hours After Launch The current FAA requirement for screening time is one orbit (at least 100 minutes) plus 10 minutes padding.138 The current Federal screening practice at the 18th SPCS covers 3 hours. The FAA proposes to adopt 18th SPCS’s current practice as the minimum standard to ensure the necessary level of safety to inhabitable and active space objects and to avoid the generation of space debris. Under proposed § 450.169(b), the collision avoidance analysis for orbital launches would have to account for a conjunction that could occur up to 3 hours after launch. This change would be in line with practices for Federal launches. In actual practice, the 18th SPCS performs an analysis from launch to about 3 hours against all objects and debris in the catalog. However, commercial launchers currently can request screening through only one orbit after launch. Pre-launch collision avoidance analysis ensures there are no immediate conjunctions during orbital insertion and shortly thereafter but is dependent on pre-launch estimated trajectories. Extending this collision avoidance analysis to three hours post-launch provides sufficient time for creation of the first orbital element set (ELSET), at which point collision avoidance analysis begins being calculated using real positioning information. To create an ELSET, the Department of Defense uses multiple tracking information to establish the first ELSET and reduce the position error significantly. Once an ELSET has been created when the vehicle is on-orbit, an on-orbit collision avoidance analysis is routinely run out to 72 hours. Pre-launch collision avoidance analysis is the only possible method to prevent a collision until that first ELSET is created. 138 14 E:\FR\FM\15APP2.SGM CFR 417.107(e)(1)(ii)(B). 15APP2 15350 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 There is a significant collision avoidance warning time gap between the end of 18th SPCS’s 3-hour launch screening time and when 18th SPCS determines an ELSET. Pre-launch collision avoidance analysis beyond 3 hours is currently of limited utility. As positional errors based on predicted trajectories grow, data validity becomes increasingly suspect. Additionally, it is possible to create large launch window closures or even close the launch window entirely. Therefore, without a significant development in prediction calculation fidelity and accuracy, the FAA proposes to extend pre-launch collision avoidance to 3 hours. The accuracy of pre-launch collision avoidance analysis would be dependent on the accuracy of the trajectories provided. This 3-hour extension is important to protect inhabitable objects on-orbit. The ISS incurs collision risk from every launch. There is a warning time gap between the end of the pre-launch collision avoidance analysis and the start of on-orbit collision analysis done by the 18th SPCS. Until the 18th SPCS can determine the ELSET, the location of upper stages, payloads, and any released debris is unknown. During that time, whether the ISS is at risk from a collision would also be unknown. Extending the pre-launch collision avoidance requirement from one orbit to 3 hours would codify current practice. Additionally, although not required by FAA regulation, operators should promptly provide the 18th SPCS positional updates after orbital insertion until such time as the ELSET is established and on-orbit collision avoidance analysis commences. The FAA proposes to remove the requirements to expand the collision avoidance analysis screening time by 10 minutes to ensure that the entire first orbit of the launch vehicle is screened in sections A417.31(c)(7)(iv) and C417.11(d)(7)(iv). The expanded screening time required by those appendices would be unnecessary if the FAA extends the screening to 3 hours as described in proposed § 450.169(b). vi. Submitting Collision Avoidance Inputs to the FAA Proposed § 450.169(f) would require a launch operator to submit launch collision avoidance trajectory data to both AFSPC and the FAA. The current regulations only requires an operator to submit the data to the AFSPC. However, the AFSPC does not review launch operator data to ensure it complies with FAA requirements. The proposal would ensure the FAA receives and reviews the same data that is provided to AFSPC VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 for launch collision avoidance. As this data is generally submitted electronically, sending the data to both the FAA and AFSPC is not expected to increase cost or paperwork burden of the submission. Direct submission to AFSPC and the FAA will facilitate a quicker response to the operator than having the FAA act as a middleman between the operator and AFSPC, and enables coordination throughout the process. In the past, the FAA has found discrepancies between operator trajectory data and operator requests to AFSPC for specific launch collision avoidance analysis methods. On multiple occasions, operators have misapplied existing launch collision avoidance regulations. To ensure proper application of launch collision avoidance regulations the FAA must be able to review the launch collision data. A specific example of a discrepancy occurred when a launch operator directed the exclusion of the ISS from launch collision avoidance analysis in a request to AFSPC. The launch operator incorrectly assumed the protections for the ISS, the ultimate destination for one of the launched payloads, did not apply. In actuality, the planned rendezvous with the station was days into the mission, and not all objects launched were planned to rendezvous with the ISS. Collision avoidance analysis should have been requested for all launched objects against the catalog of space objects, including the ISS. FAA review of launch collision avoidance trajectory data would have identified that oversight. vii. Appendix A to Part 450—Collision Analysis Worksheet The FAA proposes to consolidate the data input requirements of sections A417.31 and C417.11 and to clarify the data and process for collision avoidance in appendix A to part 450. Existing sections A417.31 and C417.11 provide nearly identical requirements for mission information. However, some elements are no longer useful or require an update to meet current practices. Specifically, proposed appendix A to part 450, paragraph (a)(1) mission name and launch location, paragraph (a)(2) launch or reentry window, paragraph (a)(3) epoch, time of powered flight, and point of contact remain the same as existing requirements. Proposed paragraph (a)(4) segment number has been updated to change the requirement to provide vector at injection to instead provide orbital parameters. The substantive requirement to identify how the operator would receive analysis results in current sections A417.31(c)(3) PO 00000 Frm 00056 Fmt 4701 Sfmt 4702 and C417.11(d)(3) also remains unchanged in proposed paragraph (b); however, minor editorial revisions were made to the examples of the transmission mediums provided to reflect modern technology. The proposed rule provides clarifications for some data elements. Specifically, the FAA proposes to change the requirement to identify orbital objects to evaluate contained in section A417.31(c)(9). As written, section A417.31(c)(9) requires the operator to identify the orbiting objects to be included in the analysis. In all cases the analysis must include all objects. However, the current practice is to identify the characteristics of the orbiting object, i.e., name, length, width, depth, diameter, and mass. The FAA proposes to capture current practice in proposed paragraph (a)(6). Also, the proposed appendix would replace ‘‘vector at injection’’ in sections A417.31(c)(5) and C417.11(d)(5), with orbital parameters at proposed paragraph (a)(5). The proposed change would require an operator to identify the orbital parameters for all objects achieving orbit including the parameters for each segment after thrust end instead of the vector at injection for each segment. This requirement would allow accurate COLA calculations that consider changes in trajectory after orbital insertion. The FAA also proposes to clarify the trajectory file requirements in proposed paragraph (d) of appendix A to part 450. Sections A417.31(c)(5)(ii) and C417.11(d)(5)(ii) require that current operators provide position and velocity for each launched object after burnout or deployment. This requirement severely lacks in clarity and completeness. Proposed paragraph (d) would provide a clearer requirement in line with current practices. Launch and reentry operators would be required to provide trajectory files with position and velocity for each object through the entire screening process, not exclusively after burnout. The current practice at Federal ranges is to provide data through the entire screening process, therefore the FAA proposal is in line with current practices. Additionally, radar cross section and covariance (position and velocity) for probability of collision analysis would be required by proposed paragraph (d). These products are used in the analysis of potential collisions. Parts 431 and 437 require the same trajectory files for analysis, however the current regulations do not provide guidance on how to provide the products necessary to complete the analysis. Proposed § 450.169 and appendix A to part 450 would provide E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules the necessary guidance for all launch and reentry analysis. Proposed (e) of appendix A to part 450 would provide the three possible screening methodologies—spherical, ellipsoidal, or probability of collision. These requirements were discussed previously in this section. 13. Safety at End of Launch Proposed § 450.171 would include requirements aimed at preventing the creation of orbital debris. Proposed § 450.171(a) is the same as § 417.129 and substantively the same as § 431.43(c)(3), which require certain measures to be taken by a launch operator to prevent the creation of orbital debris. The FAA is not proposing to update the substantive requirements for orbital debris mitigation in this rulemaking because it plans to do so in a future rulemaking. Proposed § 450.171(b) would require an applicant to demonstrate compliance with the requirements in § 450.171(a) in its application. This requirement is the same as § 415.133, which applies to applications for the launch of an ELV from a non-Federal launch site. Proposed § 450.171(b) would broaden the applicability of the application requirement to all launches. This is necessary because the importance of orbital debris mitigation has no relation to whether a launch takes place from a Federal or non-Federal launch site, or whether the launch vehicle is expendable or reusable. The expansion of the applicability of the application requirement is the only change related to orbital debris mitigation. As noted earlier, the substantive safety requirements remain the same. amozie on DSK9F9SC42PROD with PROPOSALS2 14. Mishaps: Definition, Plan, Reporting, Response, Investigation, Test-Induced Damage As a part of its streamlining efforts, the FAA proposes four mishap-related actions, including a revised definition of anomaly. First, the FAA proposes to consolidate the many chapter III mishap-related definitions into a mishap classification system. Second, this proposal would consolidate existing chapter III requirements for mishap, accident investigation, and emergency response plans, and clarify and streamline reporting requirements. Third, the FAA proposes to redefine the term ‘‘anomaly’’ and expand its application to include licensed, and not just permitted, activities. Fourth, the FAA proposes to exempt precoordinated test-induced damage to property involved with the test from being a mishap. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 The FAA proposes using an overarching mishap classification system instead of separate terms for ‘‘mishap,’’ ‘‘launch accident,’’ ‘‘reentry accident,’’ ‘‘launch incident,’’ ‘‘reentry incident,’’ ‘‘human space flight incident,’’ and ‘‘launch site accident.’’ The proposed mishap classification system would streamline and clarify the current accident, incident, and mishap definitions to create four mishap categories organized by severity, from most severe (Class 1) to least severe (Class 4). This proposal would also eliminate the $25,000 monetary threshold from current ‘‘mishap’’ and accident terms. This proposal would consolidate parts 417 (Accident investigation plan), 420 (Launch site accident investigation plan), 431 and 435 (Mishap investigation plan and emergency response plan), and 437 (Mishap response plan), into a single section applicable to all types of licenses, permits, and vehicles. Additionally, the FAA proposes to update the definition of the term ‘‘anomaly’’ and relocate it from part 437 to part 401, making it applicable to licensed and permitted activities. Finally, the FAA proposes to exclude pre-coordinated test activities, resulting in damage to property owned by the operator and associated with test activities, from mishap consideration. This test-induced damage proposal provides permittees and licensees the freedom to conduct test activities that may result in damage to associated property, and the freedom to test without the need for a mishap investigation for foreseeable test failures. i. Mishap Definitions The FAA currently uses a variety of terms to describe the occurrence of an unplanned event during commercial launch, reentry, and site activities. The term ‘‘mishap’’ is a broad term encompassing several of these unplanned events. Mishap, as currently defined in § 401.5, means a launch or reentry accident, launch or reentry incident, launch site accident, failure to complete a launch or reentry as planned, or an unplanned event or series of events resulting in a fatality or serious injury (as defined in 49 CFR 830.2), or resulting in greater than $25,000 worth of damage to a payload, a launch or reentry vehicle, a launch or reentry support facility, or government property located on the launch or reentry site.139 As the definition shows, the term ‘‘mishap’’ captures 15 specific 139 Section PO 00000 401.5. Frm 00057 Fmt 4701 Sfmt 4702 15351 kinds of unplanned events,140 including five types of accidents and incidents. These are launch accident, reentry accident, launch incident, reentry incident, and launch site accident. These terms are defined separately in §§ 401.5 and 420.5. Mishap also includes unplanned events resulting in failure to complete a mission as planned, a fatality or serious injury, or damages greater than $25,000 to certain property associated with the licensed or permitted activity. The terms ‘‘launch accident,’’ ‘‘reentry accident,’’ and ‘‘launch site accident,’’ which are encompassed by the mishap definition, all include the occurrence of a fatality or serious injury to persons not associated with the activity and damage to property not associated with the activity exceeding $25,000. Unlike the term ‘‘launch site accident,’’ launch and reentry accidents account for the occurrence of a fatality or serious injury to a space flight participant or crew member during FAA-regulated activities. Other factors may also satisfy the various accident definitions. For instance, for launches involving an ELV, impacts of a launch vehicle, its payload, or any component thereof outside designated impact limit lines constitute an accident. If, however, the launch involves an RLV, impacts outside the designated landing site constitute an accident. In contrast, the definition for reentry accident makes no distinction between expendable and reusable vehicles. For reentry accidents, if the vehicle, its payload, or any component thereof lands outside a designated reentry site, the FAA deems it an accident. Similarly, although launch incidents and reentry incidents are both incidents, their definitions consist of different requirements. Launch and reentry incidents occur due to the malfunction of a FSS or other safety-critical system, or a failure of the operator’s safety organization, design or operations. The FAA proposes to consolidate these 140 (1) Launch accident; (2) reentry accident; (3) launch incident; (4) reentry incident; (5) launch site accident; (6) failure to complete a launch as planned; (7) failure to complete a reentry as planned; (8) an unplanned event resulting in a fatality; (9) an unplanned event resulting in a serious injury; (10) an unplanned event resulting in greater than $25,000 worth of damage to a payload; (11) an unplanned event resulting in greater than $25,000 worth of damage to a launch vehicle; (12) an unplanned event resulting in greater than $25,000 worth of damage to a reentry vehicle; (13) an unplanned event resulting in greater than $25,000 worth of damage to a launch support facility; (14) an unplanned event resulting in greater than $25,000 worth of damage to government property located on the launch site; or (15) an unplanned event resulting in greater than $25,000 worth of damage to a reentry site. E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15352 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules terms into a single mishap classification system eliminating the need for multiple terms. Current definitions of mishap and accident also include a $25,000 monetary threshold that is arbitrary and outdated. Experience has shown that even minor damage that does not pose a threat to public safety can easily exceed the $25,000 monetary threshold, triggering potentially costly and burdensome notification, reporting, and investigation requirements. For example, a relatively minor unplanned event following a successful launch could result in damages to ground support equipment or launch facilities exceeding $25,000. The ARC noted the amount is outdated and does not necessarily reflect safety implications. Additionally, the conditions listed under the current definitions do not necessarily reflect the severity of consequences and associated public safety risks. A better mishap classification system would provide consistency of mishap thresholds and applicability to all types of operations, mitigating potential confusion. Rather than adding more definitions, the FAA would consolidate and replace the existing accident, incident, and mishap definitions with a mishap classification system that would be defined in § 401.5 and would apply to all licensed and permitted activities. Under the proposed changes, ‘‘mishap’’ would mean any event, or series of events associated with a licensed or permitted activity, that meets the criteria of a Class 1, 2, 3 or 4 mishap. The FAA would use this overarching definition to describe any mishap type occurring during permitted or licensed activities regardless of classification or consequence threshold. The FAA’s proposal was informed by existing NASA and Air Force mishap classification system definitions,141 and NTSB definitions.142 A ‘‘Class 1 mishap’’ would mean any event resulting in a fatality or serious injury to any person who is not associated with the licensed or permitted activity (e.g., members of the public) along with any space flight participant, crew, or government astronaut. The FAA would be adopting the definition of fatality or serious injury from 49 CFR 830.2. To constitute a Class 1 mishap, the fatality or injury must result from licensed or permitted activity, including ground operations at 141 NPR 8621.1C, NASA Procedural Requirements for Mishap and Close Call Reporting, Investigating, and Recordkeeping. Air Force Instruction 91–204, Safety Investigation and Hazard Reporting. 142 As defined in 49 CFR 830.2. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 a launch or reentry site. A Class 1 mishap would be a mishap that has the highest consequences and greatest impact on public safety. The proposed Class 1 mishap definition would incorporate existing fatality and serious injury criteria from current ‘‘launch accident,’’ ‘‘reentry accident’’ and ‘‘launch site accident’’ definitions. On November 25, 2015, the U.S Commercial Space Launch Competitiveness Act was signed into law (Pub. L. 114–90). This law amends 51 U.S.C. 50901(15) by inserting ‘‘government astronauts’’ after ‘‘crew’’ each place it appears. In accordance with this amendment, and to ensure Class 1 mishap criteria applies equally to all persons on board a launch or reentry vehicle, the FAA Class 1 mishap definition includes government astronauts. The definition would only cover fatalities or serious injuries to crew, Government astronauts, spaceflight participants, or uninvolved public. The definition of Class 1 mishap would not cover other persons associated with the launch or reentry, similar to the current accident definitions for which it replaces. The proposed Class 1 Mishap also consolidates existing accident definitions, which would include potential recovery site accidents that were previously not defined. The FAA proposes to define a ‘‘Class 2 mishap’’ as any unplanned event, other than a Class 1 mishap, resulting in a malfunction of a safety-critical system, a failure of the safety organization or procedures, substantial damage to property not associated with the operation, or a high risk of causing a serious or fatal injury to any space flight participant, crew, government astronaut, or member of the public. The Class 2 mishap definition would encompass the current definitions of a ‘‘launch incident,’’ ‘‘reentry incident,’’ and ‘‘human space flight incident.’’ The definition would use a substantial damage to uninvolved property requirement instead of the $25,000 damage threshold. Under this proposal, the FAA would make a case-by-case determination whether the damage to public property is substantial. This evaluation may be based on, but not limited to, direct replacement cost, repair cost, and the property’s intended use and functionality. For example, structural damage to public property exceeding 50 percent of its market value may be deemed as substantial damage. This approach potentially reduces the burden on the commercial space industry and Federal government by providing flexibility on the determination of PO 00000 Frm 00058 Fmt 4701 Sfmt 4702 substantial damage and the scope of the resulting investigation. This is consistent with the ARC feedback. Other criteria—such as events posing a high risk of causing a serious or fatal injury to any space flight participant, crew, government astronaut, or member of the public—are based on the existing ‘‘human space flight incident’’ definition and expanded to include government astronauts and members of the public. With this criterion, the FAA intends to cover events akin to a near miss in the aviation industry and is consistent with the Air Force and NASA practices. The addition of ‘‘members of the public’’ is consistent with the FAA’s public safety mission. The FAA’s goal is to evaluate the event type by impact to public safety. The FAA proposes to define ‘‘Class 3 mishap’’ as any unplanned event, other than a Class 1 or Class 2 mishap, resulting in permanent loss of a vehicle during licensed activity or the impact of a vehicle, its payload, or any component thereof outside the planned landing site or impact area. This change would differentiate between licensed launches and reentries and permitted launches and reentries. The FAA believes this proposal captures the intent of the current mishap definition that includes the failure to complete a launch or reentry as planned criterion. At the same time, the separation of licensed and permitted operations between Class 3 and 4 mishaps is also consistent with ARC feedback. The FAA would consider debris impacts outside of defined limits to meet the Class 3 mishap definition, provided the event did not satisfy the criteria of a Class 1 or 2 mishap. Impacts of launch vehicle debris outside designated impact limit lines are currently considered a launch accident. The FAA proposes to define a ‘‘Class 4 mishap’’ as an unplanned event, other than a Class 1, Class 2, or Class 3 mishap, resulting in permanent loss of a vehicle during permitted activity, a failure to achieve mission objectives, or substantial damage associated with licensed or permitted activity. The FAA intends proposed ‘‘Class 4 Mishap’’ to capture other events with the potential for future public safety implications without directly affecting public safety during occurrence. For example, an operator may have complete loss of a permitted vehicle in a remote and unpopulated area. Although the loss may not have resulted in fatalities, serious injuries, or public property damage on this occasion, it is important to find the root cause of the mishap. Otherwise, if the operator does not identify and address the underlying E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 cause, it may endanger public safety during a future launch in different conditions. ii. Anomaly Definition The FAA proposes to change the definition of ‘‘anomaly’’ and to move the definition to § 401.5, where it would apply to all of chapter III. Anomaly would mean any condition during a licensed or permitted activity that deviates from what is standard, normal, or expected, during the verification or operation of a system, subsystem, process, facility, or support equipment. The inclusion of anomaly in § 401.5 would clearly define the expectation of post-operation reporting for all licensed or permitted operations. It would also capture off-nominal events that do not fall under the thresholds of Class 1–4 mishaps as part of the required postlaunch report. The FAA currently defines anomaly only in part 437. Part 437 defines an anomaly as a problem that occurs during verification or operation of a system, subsystem, process, facility, or support equipment. Section 437.73 requires strict recording, reporting, and implementation of corrective actions in the event of a public safety related anomaly. Section 417.25(c)(1), applicable to ELVs, requires operators to report an anomaly that occurred during launch countdown and flight in the post-launch report but does not define anomaly. Although part 431 does not have specific anomaly reporting requirements, in practice, the FAA requires operators to report anomalies. To ensure anomaly reporting, the FAA has begun adding a term and condition to launch licenses requiring operators to report anomalies prior to the next launch. The FAA uses anomaly reporting to track vehicle-related issues and to ensure an operator mitigates those issues prior to future flights. Given that not all anomalies are identified during flight, the post-launch reporting requirement allows the operator to review countdown and flight data for off-nominal conditions and report any anomalous condition to the FAA as a part of the post-launch report. Although an anomaly is defined in § 437.3, as ‘‘a problem that occurs during verification or operation of a system, subsystem, process, facility, or support equipment,’’ it is not defined in part 415, 417, 431, or 435, and hence, it is applicable only to experimental permits. However, § 417.25—Post launch report, requires an operator to ‘‘identify any discrepancy or anomaly that occurred during the launch countdown or flight.’’ The FAA is proposing to update the existing VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 definition of an anomaly to ‘‘any condition during a licensed or permitted activity that deviates from what is standard, normal, or expected, during the verification or operation of a system, subsystem, process, facility, or support equipment.’’ The proposed definition seeks only to clarify what a ‘‘problem’’ is by adding ‘‘deviates from what is standard, normal, or expected.’’ iii. Mishaps—Reporting, Response, and Investigation Requirements The FAA proposes to consolidate current chapter III mishap plan, reporting, response and investigation requirements into proposed § 450.173. The FAA seeks comment on its proposed approach, as discussed below, to mishap requirements, including reporting. Current title 14 CFR chapter III requirements for mishap and accident reporting, response, and investigation requirements are inconsistent and create confusion. For that reason, the FAA’s proposed changes would apply to mishap requirements for launch and reentry licenses, experimental permits, and launch and reentry site licenses. Proposed § 450.173 would replace §§ 417.111(h) (Accident Investigation Plan), 417.415(c) (Post launch and post flight hazard controls), and 431.45 (Mishap investigation plan and emergency response plan). The proposed mishap plan changes to §§ 420.59(a) (Mishap) and 437.41 (Mishap plan) would require an operator to meet the requirements of § 450.173. The inconsistencies in the FAA’s current regulatory scheme, including signature requirements for mishap plans, has led to much confusion. For example, § 417.111(h) requires an operator to implement a plan containing the launch operator’s procedures for reporting and responding to launch accidents, launch incidents, or other mishaps. It also requires two signatures, one from an individual authorized to sign and certify the application, and another from the designated safety official. Similarly, § 420.59 requires that licensed launch site operators develop and implement a launch site accident investigation plan that contains the licensee’s procedures for reporting, responding to, and investigating launch site accidents and for cooperating with Federal officials in case of a launch accident. It also requires a signature from an individual authorized to sign and certify the application, but not from the designated safety official like § 417.111(h). Current § 431.45 requires an RLV operator to submit a mishap investigation plan (MIP) containing the PO 00000 Frm 00059 Fmt 4701 Sfmt 4702 15353 applicant’s procedures for reporting and responding to launch and reentry accidents, launch and reentry incidents, or other mishaps that occur during the conduct of an RLV mission. It also requires that an RLV operator submit an emergency response plan (ERP) containing procedures for informing the affected public of a planned RLV mission. The FAA requires that an individual authorized to sign and certify the license application, the person responsible for the conduct of all licensed RLV mission activities, and the designated safety official, sign the MIP and ERP. In contrast, § 437.41 does not require any signatures. To ensure consistency between all title 14 CFR chapter III requirements, the FAA proposes to consolidate these requirements. The ARC noted that reporting requirements for mishaps not involving a fatality or serious injury are unclear and left up to the operator to determine. The ARC said the FAA should define a minimum standard for a reportable mishap, in addition to a minimum set of investigation and reporting requirements, including information that should be provided during initial notification. Current notification requirements are generally consistent for a launch, reentry, launch site accident, launch or reentry incident, or mishap involving a fatality or serious injury. In those instances, regulations throughout title 14 CFR chapter III require that operators provide immediate notification to the FAA’s Washington Operations Center (WOC).143 This is not the case when a mishap does not involve a fatality or serious injury.144 For example, part 417 requires notification within 24 hours to the Associate Administrator for Commercial Space Transportation or to the FAA WOC in the event of a mishap that does not involve a fatality or serious injury. In contrast, parts 431 and 437 only require 24-hour notification to the Associate Administrator for Commercial Space Transportation, but not to the FAA WOC for a mishap that does not involve a fatality or serious injury. Current part 420 does not require a launch site operator to provide a 24hour mishap notification. If a mishap occur during non-business hours, this raises the possibility that a launch operator may be unable to report it to the Associate Administrator for Commercial Space Transportation, which would create the potential for a 143 14 CFR 417.111(h)(1)(i), 420.59(b)(1), 431.45(b)(1), and 437.75(a)(1). 144 14 CFR 417.111(h)(1)(ii), 431.45(b)(2), and 437.75(a)(2). E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15354 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules non-compliance. To address these issues, the FAA proposes to provide a single source for all initial mishap notifications. The single source would be the FAA’s WOC, a 24-hour, sevenday, operational facility. Parts 417, 420, 431, and 437 all require an operator to submit a written preliminary report within five days 145 of either an accident or incident to the FAA, Associate Administrator for Commercial Space Transportation. The five-day report is a follow-up requirement designed to supplement initial mishap notification once more detailed information is known. Under the proposed mishap classification system and mishap plan requirements, all mishaps would have similar reporting requirements. The FAA believes the proposed mishap classification system would save the operator time and resources during the initial mishap response by eliminating the need to evaluate whether the event is an accident, incident, or mishap. This streamlining of reporting requirements reduces the burden of unclear reporting requirements noted by the ARC. Based on past examples, the five-day report is usually only one to three pages in length, requiring minimal time to compose. The FAA will use the information contained within the fiveday report to ensure the mishap has been properly classified and the proper level of investigation and FAA oversight is being conducted. The FAA believes the time required to complete the fiveday report is minimal and that by providing a clear expectation of required report contents in the event of all mishap types will eliminate confusion and ultimately result in timesavings. Response plan requirements for containing and minimizing the consequences of a mishap and for ensuring the preservation of data and physical evidence are generally consistent throughout license types with some exceptions. For instance, the regulations require that a launch site operator’s plan include procedures for reporting and cooperating with FAA and NTSB investigations, and for designating one or more points of contact. Additionally, licensees must identify and adopt preventive measures for avoiding recurrence of the event. Current investigation requirements are also generally consistent across license types. The FAA currently requires that operators investigate the cause of a launch, reentry, or launch site accident, launch or reentry site incident, 145 14 CFR 417.111(h)(1)(iii), 420.49(b)(2), 431.45(b)(3), and 437.75(a)(3). VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 or mishap across license types.146 After the investigation, an operator must report investigation results to the FAA and delineate responsibilities for personnel assigned to conduct the investigation and for anyone retained by the operator to participate in an investigation. Section 420.59(e)(1) also requires that a launch site operator’s investigation plan include procedures for participating in an investigation of a launch accident for launches launched from the launch site. To ensure vehicle recovery can be conducted safely and effectively and with minimal risk to the public, part 431 operators must submit an ERP containing the operator’s procedures for notifying local officials of unplanned and offsite landings. In addition, these operators must provide a plan for informing the public potentially affected of the estimated date, time, and landing location for the reentry activity. This information must be provided in layman’s terms. These requirements are unique to operations conducted under part 431. Section 417.415(c)’s post-launch and post-flight-attempt hazard controls require that an operator establish procedural controls for hazards associated with an unsuccessful flight where the launch vehicle has a land or water impact. These procedures ensure the evacuation and rescue of members of the public, the dispersion and movement of toxic plumes, identifying areas of risk, and communication with local government authorities. Additionally, these procedures require that an operator extinguish fires, secure impact areas, evacuate members of the public, prevent unauthorized access, and preserve evidence. Lastly, the operator must ensure public safety from hazardous debris and have plans for the recovery, salvage, and safe disposal of debris and hazardous materials. For all FAA-licensed operations, proposed § 450.173 would require that an operator report, respond, and investigate class 1, 2, 3, and 4 mishaps, using a plan or other written means.147 An approved mishap plan document would be eligible for reuse with other specific or similar vehicles, sites, and operations. This would ease the burden on industry. For example, a permittee applying for a license or a current licensee applying for a different type of license, would be able to use the same written mishap plan document 146 14 CFR 417.111(h)(3), 420.59(d)(3), 431.45(d), and 437.75(c). 147 For purposes of the preamble discussion regarding proposed § 450.173, the term ‘‘mishap plan document’’ is used to encompass a plan or other written means. PO 00000 Frm 00060 Fmt 4701 Sfmt 4702 previously developed because the requirements would be the same regardless of license type. This mishap plan document would include notification to local officials should a mishap cause the vehicle to land offsite, such that a coordinated effort can be made to protect the public. Provided emergency response requirements such as coordinated emergency response agreements remain current, a permittee can submit a mishap response plan developed for permitted operations to satisfy the mishap plan document application requirements under a license. Additionally, the FAA would not have to evaluate the same company differently depending on the permit or license type. This would reduce time and cost for the industry and the FAA while maintaining the same level of public safety. iv. Discussion of the Mishap Plan— Reporting, Response, and Investigation Proposed Requirements Proposed § 450.173 would eliminate all mishap plan signature requirements. The requirement that the person certifying the accuracy of the application also sign the mishap plan document is not necessary because by signing the application, the operator is already certifying that the components thereof, including the mishap plan document, are accurate. Additional signatures (e.g., from the safety official or mission director) are also unnecessary as the roles and responsibilities for personnel implementing the mishap plan document are contained in the plan itself. Eliminating the signature requirements would provide operators with the flexibility to assign personnel to implement a mishap plan document without having to resubmit a signed document to the FAA. Proposed § 450.173(a) would require an operator to report, respond, and investigate class 1, 2, 3, and 4 mishaps according to paragraphs (b) through (h) of § 450.173, using a plan or other written means. Proposed § 450.173(b)(1) would require that an operator document the responsibilities for personnel assigned to implement the requirements of proposed § 450.173. Proposed § 450.173(b)(2) would require an operator to document reporting responsibilities for personnel assigned to conduct investigations and for anyone retained by the licensee to conduct or participate in investigations. Proposed § 450.173(b)(3) would require an operator to document the allocation of roles and responsibilities between the launch operator and any site operator for reporting, responding to, and E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules investigating any mishap during ground activities at the site. Further, proposed § 450.173(c) would require an operator to report to, and cooperate with, FAA and NTSB mishap investigations. Also, it would require that the operator identify one or more points of contact for the FAA and NTSB. This proposal does not substantively change current requirements to report, cooperate, and designate points of contact. Any changes from current regulations would be made merely for clarification purposes. In the event of an FAA- or NTSB-led investigation, the FAA would not require an operator to perform an independent internal investigation because it would be a party to the investigation. However, the operator would remain responsible for reporting investigation results to the FAA, which would include any governmentgenerated or independent investigation reports as well as party submissions. In the event of an operator-led investigation under FAA oversight, the operator’s investigation would be the primary investigation, although the FAA may grant official observer status to U.S. Government representatives (e.g., NASA, the Air Force). As official observers, these representatives would be integrated into the operator’s investigation to the extent the FAA finds appropriate. These U.S. Government entities may decide to conduct their own investigation independent of FAA oversight, although the FAA and NTSB have primary jurisdiction. Proposed § 450.173(d) would establish mishap reporting requirements applicable to all operations, vehicles, or mishap types. Proposed § 450.173(d)(1) would require that an operator immediately notify the FAA WOC in case of a mishap involving a fatality or serious injury. Immediately would continue to mean notification without delay. The immediate notification should not hamper emergency response activities. Proposed § 450.173(d)(2) would require that operators report other mishaps not involving a fatality or serious injury to the WOC within 24 hours. This would eliminate the current option to notify the Associate Administrator for Commercial Space Transportation instead of the WOC because the WOC, unlike the Administrator for Commercial Space Transportation, is available 24-hours per day, 7 days per week. Proposed § 450.173(d)(3) would require operators to submit a written preliminary report to the FAA Office of Commercial Space Transportation within five days of any mishap. The report would need to VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 include the information listed in proposed § 450.173(d)(3). This list of information would include the operator’s assessment on how the cause of its mishap could potentially affect similar vehicles, systems, or operations. Given some systems and components are common across operators, this information could prevent mishaps due to similar failures of a common system or component, including ground and range systems. The reporting requirements in this paragraph are similar to existing five-day reporting requirements. Under current regulations, a five-day preliminary written report was only required in the event of an accident or incident. Based on lessons learned from past mishaps, the FAA is streamlining these reporting requirements to ensure consistency between mishap classes and that information required to properly classify a mishap and the level of investigation required are reported. For example, mishaps involving a fatality or serious injury are typically investigated at the Federal level, as such, the FAA is aware of the information that may affect the safety of the public or public property. The operator, in accordance with their mishap plan, may investigate mishaps not involving a fatality or serious injury. In such cases, it is possible that the FAA may not become aware of information potentially affecting the public safety or public property in a timely manner, or other facts that may require elevating the class of mishap to a higher level. Proposed § 450.173(e) sets emergency response requirements. Proposed § 450.173(e)(1) would require that an operator activate emergency response services following a mishap. This requirement is consistent with the postlaunch and post-flight attempt hazard controls in current § 417.415. Proposed § 450.173(e)(2) would require that an operator maintain existing hazard area surveillance and clearance as necessary to protect public safety. These notices would include NOTAM and NOTMAR. Proposed § 450.173(e)(3) would require that an operator contain and minimize the consequences of a mishap. Proposed § 450.173(e)(4) would provide for the preservation of data and physical evidence, including debris, which the FAA considers to be a physical record. In an effort to contain and minimize the consequences of the mishap and maintain site integrity for investigation, an operator would need to safe and secure the mishap site in a timely manner. Proposed § 450.173(e)(4) is consistent with current requirements. Proposed § 450.173(e)(5) would require PO 00000 Frm 00061 Fmt 4701 Sfmt 4702 15355 an operator to implement agreements with local government authorities and emergency response services, as necessary. Emergency response procedures should identify who is responsible for securing the mishap site, and procedures for access to the mishap site. For example, the procedures should identify who is responsible for educating persons on the treatment of debris, and the disposal of hazardous materials. The FAA recommends that prior to beginning operations, an operator coordinate with Federal, state, and local authorities and emergency first responders to familiarize them with permitted and licensed operations and hazards associated with an operator’s activities, such as launch vehicle hazards. This pre-coordination is important to ensure the safety of emergency personnel responding to the mishap. Vehicle and operational hazards may include vehicle composites, propellants, oxidizers, pressure vessels, unexploded ordnance, oxygen systems, and batteries. If implemented, proposed § 450.173(f) would require an operator to investigate the root causes of a mishap and report the results to the FAA. Proposed § 450.173(g) would require that an operator identify and implement preventive measures prior to the next flight, unless otherwise approved by the Administrator. The FAA is proposing that preventive measures be implemented prior to the next flight in all cases in order to codify current practice. The FAA would work with operators on a case-by-case basis to determine whether its next operation may proceed if it is unable to implement preventive measures before the next flight. The requirement to implement corrective action prior to next flight is consistent with existing requirements in § 437.73(d) for anomaly recording, reporting, and implementation of corrective actions. Proposed § 450.173(h) would require that an operator maintain records associated with a mishap in accordance with proposed § 450.219(d) (Records). The operator would make these records available to Federal officials for inspection and copying. This requirement is consistent with existing record keeping requirements.148 Records would include debris, which the FAA considers a physical record. In all mishap cases, disposal of any related debris would be required to be coordinated with the FAA. Note that this proposal would allow for the sharing of proposed § 450.173 148 Sections 417.15(b), 420.61(b), 431.77(b), and 437.87(b). E:\FR\FM\15APP2.SGM 15APP2 15356 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 responsibilities between launch and reentry operators pursuant to an agreement. For example, the site operator may report the mishap occurrence to the FAA as required by proposed § 450.173(d), while the emergency response requirements of proposed § 450.173(e) may be shared by both the launch or reentry operator and site operator. An operator would be required to retain all records until completion of any Federal investigation and the FAA advises the operator that the records need no longer be retained. Finally, proposed § 450.173(i) would set application requirements. This section would require the submission of the mishap plan document at the time of license or permit application. v. Test-Induced Damage The FAA proposes to introduce a testinduced damage exception to the mishap definition in proposed § 450.175 (Test-induced Damage). This proposal would allow an operator to coordinate testing activities with the FAA before the activities take place to prevent the FAA from labeling failures as mishaps. Any test failure covered by this section would be considered test-induced damage and not a mishap, so long as the failure falls within the pre-coordinated and FAA-approved testing profile. The test-induced damage concept is not currently within the FAA’s commercial space regulations. This proposal is due to the FAA’s recognition that current mishap regulations may deter the kind of robust testing that may yield future safety benefits. The FAA currently deems a failure to achieve test objectives as a mishap (failure to complete a launch or reentry as planned). Similarly, a test failure that results in over $25,000 in damage to associated property would also be considered a mishap.149 In both cases, the resulting mishap designation would require a mishap investigation to identify root causes and preventive measures, which the operator would need to implement before the next operation. In the recent past, the FAA accepted the possibility of a test-induced damage approach by pre-coordinating with a launch operator prior to conducting an in-flight abort test of a crew escape system.150 The FAA found that this process worked well in pre-defining the objectives of the test, test limits, 149 ‘‘[R]esulting in greater than $25,000 worth of damage . . .’’ in accordance with the mishap definition in § 401.5. 150 Given these events fell within the precoordinated possible scenarios, the FAA did not consider them unplanned events and therefore, did not consider the events mishaps. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 expected outcomes, and potential failure modes. It also allowed the operator and FAA to reach a common understanding of what events would be categorized as a test-induced damage or mishap. This approach would also be consistent with ARC feedback that the existing mishap definition leads to protracted mishap investigations because it does not recognize the difference between operational missions and higher risk experimental or test missions. The ARC and FAA believe this discourages robust testing to push the limits of a vehicle and undercutting test programs currently covered under experimental permits. As noted earlier, the ARC shared its concern that current mishap reporting and investigation requirements discourage robust testing. The FAA believes that the proposed test-induced damages paradigm addresses this concern by providing an opportunity for license applicants and existing license holders to pre-coordinate test activities and pre-declare damages that the FAA would not consider a mishap. Under this paradigm, failure to achieve identified test objectives and certain pre-declared damages to property associated with the licensed activity, including ground support equipment, ground support systems, and flight hardware would not be reportable as an FAA-mishap provided the requirements of this section are met. The FAA also proposes to replace its existing mishap related definitions in favor of a mishap classification system to further clarify the types of events that would be considered a mishap. Proposed § 450.175(a) would lay out the specific conditions for the testinduced damage approach. It would require an operator to coordinate test activities with and obtain approval from the FAA before the planned activity. The coordination should take place with sufficient time for the FAA to evaluate the proposal during the application process or as a license modification. A test activity would need to be precoordinated with the FAA to be eligible for the test-induced damage mishap exception. The FAA would conduct precoordination activities during preapplication consultation. The testinduced damage exception would be optional and an operator would not be required to take this path. However, absent the test-induced damage exception, the FAA would categorize an unplanned event as a mishap in accordance with the proposed mishap classification system. Proposed § 450.175(a)(2) would preclude certain kinds of mishaps from the test-induced damage alternative. Specifically, any PO 00000 Frm 00062 Fmt 4701 Sfmt 4702 mishap involving a serious injury or fatality, damage to property not associated with the licensed activity, or hazardous debris leaving the predefined hazard area would be treated as a mishap and not test-induced damage. Finally, proposed § 450.175(a)(3) would require test-induced damage to fall within the scope of activities coordinated with the FAA to be eligible for this alternative. In other words, the FAA would consider the occurrence of damages resulting from test activities that fall outside the scope of approved activities (e.g., before scheduled test activities begin or exceeding operation limits) as a mishap in accordance with the proposed mishap classification system. The approved scope of the test would be outlined in the information submitted by the permittee or licensee to meet the application requirements of proposed § 450.175(b). Proposed § 450.175(b) would set the test-induced damage application requirements. The paragraph would list the information an applicant would need to submit under the test-induced damage alternative to mishap classification. The FAA does not intend the test-induced damage exception to apply to the operation of an entire vehicle, but rather the testing of specific components and systems. The applicant should submit test objectives in a complete, clear, and concise manner to help the FAA distinguish between nominal operations and specific test objectives. It should also provide test limits such as the expected environments, personnel, equipment, or environmental limits. Also, the applicant would identify expected outcomes that the FAA would later compare to actual outcomes. The FAA would also request a list of potential risks, including the applicant’s best understanding of the uncertainties in environments, test limits, or system performance. Applicable procedures or steps taken to execute the tests and the expected time and duration of the test would also be required. Finally, the FAA may request additional information such as clarification information to ensure public safety, safety of property, and to safeguard the national security and foreign policy interests of the United States. This proposal is similar to NASA’s test-induced damages process, as defined in NPR 8621.1C (NASA Procedural Requirements for Mishap and Close Call Reporting, Investigating, and Recordkeeping). NASA developed the test-induced damages paradigm in support of the December 2014 launch of Exploration Flight Test-1 and it has been in use supporting NASA test E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules programs ever since. The test-induced damages process is a formal process documenting the risk of damage and accepting that risk by signature before the test. Similar to the commercial space industry, NASA conducts tests to better understand and mitigate complex design, manufacturing, or operational issues with the objective of providing NASA with confidence that the system meets its technical and programmatic requirements and can successfully and safely perform its mission in the operational environment. As noted in NPR 8261.1C, some tests are designed and intended to result in hardware damage (e.g., a structural test-to-failure). Other tests are aggressive in nature, and test-incurred damage often occurs; the knowledge gained is used to improve designs. These statements hold true for the commercial space transportation industry as well. The FAA’s proposed test-induced damages takes a NASAproven process and tailors it to satisfy the FAA’s public safety mission. amozie on DSK9F9SC42PROD with PROPOSALS2 L. Pre- and Post-Flight Reporting 1. Preflight Reporting Under proposed § 450.213, the FAA would continue to require a licensee to provide the FAA with specified information prior to each launch or reentry, consistent with current requirements. An operator would send the information as an email attachment to ASTOperations@faa.gov, or by some other method as agreed to by the Administrator in the license. The FAA would require five categories of information: mission-specific, flight safety analysis products, flight safety system test data, data required by the FAA to conduct a collision avoidance analysis, and a launch or reentry schedule. The first category would be missionspecific information in proposed § 450.213(b). As currently required in §§ 417.17(b)(2) and 431.79(a), an operator would be required to provide this information to the FAA not less than 60 days before each mission conducted under the license. The FAA may also agree to a different time frame in accordance with § 404.15. An operator would not have to provide any information under this section if the mission-specific information was already provided in the application. This would be the case if an operator’s license authorizes specific missions, as opposed to unlimited launches or reentries within certain parameters. Specifically, an operator would continue to have to provide payload information in accordance with proposed § 450.43(i), and flight VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 information, including the vehicle, launch site, planned flight path, staging and impact locations, each payload delivery point, intended reentry or landing sites including any contingency abort locations, and the location of any disposed launch or reentry vehicle stage or component that is deorbited. This section would combine the reporting requirements of §§ 417.17(b)(2) and 431.79(a), although reporting the location of any disposed launch or reentry vehicle stage or component that is deorbited would be a new requirement. The FAA would add this information requirement because disposals are much more common now than when parts 417 and 435 were issued, and notifications to airmen and mariners would be necessary to protect the public from vehicle stages or components reentering as part of a disposal. In practice, licensees have arranged for the issuance of NOTAMs and NTMs for vehicle stages purposefully deorbited. The second category is flight safety analysis products in proposed § 450.213(c). An operator would need to submit to the FAA updated flight safety analysis products, using previouslyapproved methodologies, for each mission no less than 30 days before flight. The FAA may also agree to a different time frame in accordance with proposed § 404.15. The flight safety analysis products are similar to what is currently required under § 417.17(c)(3). Part 431 does not require similar flight safety analysis products to be submitted, although current practice is to require similar information in license orders. An operator would not be required to submit flight safety analysis products if the analysis submitted in the license application already satisfies all the requirements of the section. This would be the case if a licensee’s license authorizes specific missions, as opposed to unlimited launches within certain parameters. An operator would also not be required to submit flight safety analysis products if the operator demonstrated during the application process that the analysis does not need to be updated to account for missionspecific factors. This would be the case if an operator operates within certain operational constraints proven to satisfy public safety criteria. Otherwise, an operator would be required to submit flight safety analysis products while accounting for vehicle and mission specific input data and potential variations in input data that may affect any analysis product within the final 30 days before flight. An operator would also be required to submit the analysis products using the PO 00000 Frm 00063 Fmt 4701 Sfmt 4702 15357 same format and organization used in its license application. Lastly, an operator would not be able to change an analysis product within the final 30 days before flight, unless the operator has a process, approved in the license, for making a change in that period as part of the operator’s flight safety analysis process. The third category is flight safety system test data in proposed § 450.213(d). If an operator would be required to use an FSS to protect public safety as required by proposed § 450.101(c), it would need to submit to the FAA, or provide access to, any test reports in accordance with approved flight safety system test plans no less than 30 days before flight. The FAA may also agree to a different time frame in accordance with proposed § 404.15. This reporting requirement is discussed earlier in the section for flight safety systems. The fourth category would be data required by the FAA to conduct a collision avoidance analysis in proposed § 450.213(e). Not less than 15 days before the flight of a launch vehicle or the reentry of a reentry vehicle, an operator would need to submit the collision avoidance information in proposed Appendix A to part 450 to a Federal entity identified by the FAA, and the FAA. This reporting requirement is discussed in the ‘‘Launch and Reentry Collision Avoidance Requirements’’ section. The fifth category, as proposed in § 450.213(f), a launch or reentry schedule that identifies each review, rehearsal, and safety-critical operation. The schedule would be required to be filed and updated in time to allow FAA personnel to participate in the reviews, rehearsals, and safety-critical operations. This is similar to current § 417.17(b). 2. Post-Flight Reporting Under proposed § 450.215, the FAA would require an operator to provide specified information no later than 90 days after a launch or reentry. The FAA may also agree to a different time frame in accordance with proposed § 404.15. An operator would send the information as an email attachment to ASTOperations@faa.gov, or other method as agreed to by the Administrator in the license. Specifically, as discussed earlier, an operator would need to provide any anomaly that occurred during countdown or flight that is material to public health and safety and the safety of property,151 and any corrective action 151 What is material to public health and safety and the safety of property is discussed later in this preamble in reference to proposed § 450.211(a)(2). E:\FR\FM\15APP2.SGM 15APP2 15358 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules implemented or to be implemented after the flight due to an anomaly or mishap. Section 417.25(b) and (c) requires similar information. Part 431 does not require post-flight information, although current practice is to require similar information in license orders. In addition, an operator would need to provide the actual trajectory flown by the vehicle, and, for an unguided suborbital launch vehicle, the actual impact location of all impacting stages and impacting components. The actual trajectory flown by the vehicle would be a new requirement, while the actual impact locations for an unguided suborbital launch vehicle is similar to the requirements in current § 417.25(b) and (c). The FAA would use the actual trajectory flown by the vehicle to compare it to predicted trajectories. Because the FAA may not need this information for all launches, this information would only need to be reported if requested by the FAA. Lastly, an operator would need to report the number of humans on board the vehicle. This would be required because the FAA keeps a human space flight database for use by launch and reentry operators for the purposes of informed consent. Under § 460.45(c), and pursuant to statute, an operator must inform each space flight participant of the safety record of all launch or reentry vehicles that have carried one or more persons on board, including both U.S. government and private sector vehicles, to include the total number of people who have died or been seriously injured on these flights, the total number of launches and reentries conducted with people on board, and the number of catastrophic failures. To facilitate all operators accurately informing space flight participants, the FAA maintains the human space flight database and populates it using voluntarily provided information from industry. As more launches and reentries are expected with humans on board, the FAA will require this information to keep the human spaceflight database up to date, and expects that this would not significantly increase the burden to operators. Proposed § 450.3(b) would establish that launch begins under a license with the start of hazardous activities that pose a threat to the public, and it would amend the end of launch language to remove any reference to ELVs and RLVs. Finally, the FAA proposes to clarify that, absent the launch vehicle, the arrival of a payload at the launch site would not trigger the beginning of launch. Also, at a non-U.S. launch site, launch would begin at ignition or takeoff for a hybrid vehicle. Title 51 U.S.C. 50902 defines launch as to place or try to place a launch vehicle or reentry vehicle and any payload or human being from Earth in a suborbital trajectory; in Earth orbit in outer space; or otherwise in outer space, including activities involved in the preparation of a launch vehicle or payload for launch, when those activities take place at a launch site in the United States. The FAA added the current regulatory definition of launch in the 1999 final rule.152 The language in the regulatory definition differs slightly from the current statutory language regarding activities in preparation of the vehicle, and the regulatory definition does not include the reference to human beings because that reference was added to the statute after 1999.153 The regulatory definition also includes language that is not set forth in the statute pertaining to preand post-flight ground operations including language identifying the beginning of launch and end of launch. The FAA and industry have identified a number of issues associated with the current definition of launch in § 401.5. The current definition of launch is inflexible and has resulted in confusion regarding launch from non-U.S. sites and whether the arrival of a payload constitutes the beginning of launch. The preamble discussion in the 1999 final rule stated that the intent of the FAA’s definition of ‘‘launch’’ is to require a license at the start of those hazardous preflight activities that put public safety at risk. The final rule stated that, in accordance with this responsibility, the FAA will exercise regulatory oversight only if an activity is so hazardous as to pose a threat to third parties. Specifically, the FAA amozie on DSK9F9SC42PROD with PROPOSALS2 Ground Safety A. Definition and Scope of Launch As discussed in more detail in this section, the FAA proposes to amend the definitions of ‘‘launch’’ and ‘‘reentry’’ in part 401 to mirror the statutory definitions. The FAA would move the beginning and end of launch to proposed § 450.3, which defines the scope of a vehicle operator’s license. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 152 64 FR 19586 (April 21, 1999). currently defined in 14 CFR 401.5, launch means to place or try to place a launch vehicle or reentry vehicle and any payload from Earth in a suborbital trajectory, in Earth orbit in outer space, or otherwise in outer space, and includes preparing a launch vehicle for flight at a launch site in the United States. The current definition also defines beginning and end of launch, which, as discussed later in the preamble, the FAA proposes to amend and move to proposed part 450 (Scope of a vehicle operator license). determined that launch begins when hazardous activities related to the assembly and ultimate flight of the launch vehicle commence.154 The preamble further elaborated that the moment at which hazardous activities begin is when the major components of a licensee’s launch vehicle enter, for purposes of preparing for flight, the gate of a U.S. launch site, regardless of whether the site is situated on a Federal launch range and regardless of whether flight occurs from that site.155 At the time, the FAA determined that the arrival of the launch vehicle at a U.S. launch site would trigger the beginning of launch for the following reasons: ease of administration, consistent and broad interpretation, and change in the level of risk.156 Additionally, the rule stated that shortly after vehicle components arrive, hazardous activities related to the assembly and ultimate flight of the launch vehicle begin and therefore the arrival of the vehicle or its parts is a logical point at which the FAA should ensure that a launch operator is exercising safe practices and is financially responsible for any damage it may cause.157 In accordance with the definition of launch, the FAA has required a launch license to be in place before the arrival of major components of a launch vehicle at a U.S. launch site that are intended for use on a specific FAA-licensed launch. The lack of flexibility in the definition of beginning of launch has led to multiple requests from the industry to waive the requirement for a license to bring vehicle hardware on site and begin preflight activity.158 The FAA has issued numerous waivers because it determined that the proposed preflight activities associated with the arrival of launch vehicles or their major components were not so hazardous to the public as to require FAA oversight. In granting a waiver, the FAA determines that the waiver is in the public interest and will not jeopardize public health and safety, the safety of property, or any national security or foreign policy interest of the United States. In addition, by requesting a waiver to conduct preflight activities, the operator agrees that it must forgo the opportunity to seek indemnification for 153 As PO 00000 Frm 00064 Fmt 4701 Sfmt 4702 154 64 FR 19586 (April 21, 1999), at 19591. FR 19586 (April 21, 1999). 156 64 FR 19586 (April 21, 1999), at 19589. 157 64 FR 19586 (April 21, 1999), at 19591. 158 As stated previously, the FAA is only able to waive regulatory requirements, not definitions, and therefore has issued waivers to the requirement to obtain a license, rather than to the definition of launch. 155 64 E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules any loss incurred under the waiver during the waived preflight activities. Further, the current definition does not account for the significant technological advances the industry has experienced since adoption of the 1999 rule. For example, in the current commercial space transportation environment, launch operations often include vehicles or vehicle stages that fly back to a U.S. launch site and remain at the launch site. In cases where no license was in place to cover the presence of flight hardware for possible reuse, consistent with 1999 rule preamble language, the FAA has deemed this to be storage and does not require a license or waiver.159 As currently written, however, the definition could imply that a license is required for RLV launches during the period between end-of-launch and launch vehicle reuse, even when the vehicle is in a safe and dormant state, and would not be a threat to public safety. Because the current definition states that launch begins under a license with the arrival of a launch vehicle or payload at a U.S. launch site, the term ‘‘or payload’’ has been interpreted to mean arrival of a payload by itself could constitute beginning of launch. However, the 1999 preamble explicitly states that the FAA does not define launch to commence with the arrival of a payload absent the launch vehicle at a launch site.160 Also, it states that the FAA does not consider payload processing absent launch vehicle integration to constitute part of licensed activities.161 In addition, the 1999 rule preamble refers to launch beginning when the ‘‘major components’’ of a launch vehicle arrive at the launch site. However, the regulatory language remains unclear. Another point of current uncertainty is when launch begins from a non-U.S. site. Title 51 U.S.C. chapter 509 gives the FAA authority to issue a launch license to a U.S. citizen conducting a launch anywhere in the world. However, the current definition of launch is silent as to when launch begins from a non-U.S. site. This has resulted in operators lacking clarity as to when launch begins. In recent years, the FAA has licensed launches from international waters, Australia, the Marshall Islands, New Zealand, and Spain. In licensing these launches, the 159 64 FR 19586 (April 21, 1999), at 19593. ‘‘On the other hand, the FAA does not intend a launch license to encompass components stored at a launch site for a considerable period of time prior to flight.’’ 160 64 FR 19586 (April 21, 1999), at 19589. 161 64 FR 19586 (April 21, 1999), at 19593. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 FAA has consistently interpreted that launch from outside of U.S. territory to begin at ignition or at the first movement that initiates flight, whichever occurs earlier. The ARC commented about the definition of launch for licensed launches from a U.S. launch site. The ARC report stated that launch should be defined on a case-by-case basis for all operators. The ARC recommended licensed activities on U.S. launch sites for all vehicles include preflight ground operations, flight operations, and launch operations phases as tailored by each launch operator. The ARC further recommends the initiation and scope of launch activities, including preflight ground operations and flight operation phases, be defined by the impact of each activity on public safety and property. These activities may include both hazardous and safety-critical operations, the latter encompassing non-hazardous activities that may impact public risk during other pre-launch and flight activities. A list of performance-based criteria for licensed activities would be tailored for each operator and the FAA based on their specific concept of operations. This scope should only include hazardous operations unique to activities as defined in the operator’s license application documents and not activities already regulated by another government agency. In light of the multiple waiver requests and ARC recommendations, the FAA proposes to amend the regulatory definitions of launch and reentry (discussed later in this section) to match the statutory definitions. The FAA would also move the details in the definitions for beginning and end of launch (discussed later in this section) and reentry to the scope of a vehicle operator license requirements in proposed § 450.3. In addition, the FAA would revise ‘‘beginning of launch’’ to be more performance-based and ‘‘end of launch’’ to remove references to ELVs and RLVs. Finally, the FAA proposes to clarify that launch from a non-U.S. site would begin at ignition, and that the arrival of a payload to a launch site does not constitute beginning of launch. The FAA believes the proposed revisions capture the primary intent of the ARC’s recommendation, which is to limit FAA oversight to those launch operations that pose a hazard to public safety and the safety of property. The FAA would revise the definitions of launch and reentry in § 401.5 to mirror the statutory definitions. Specifically, the FAA would remove the beginning and end of launch language from the definition of ‘‘launch,’’ and add the term ‘‘human being’’ to align PO 00000 Frm 00065 Fmt 4701 Sfmt 4702 15359 with the 2015 update to the Act. Similarly, the FAA would revise the definition of ‘‘reenter/reentry’’ in part 401 to mirror the statutory definition, and would add the term ‘‘human being’’ to align with the 2015 update to the Act. The FAA would move the beginning and end of launch and reentry language to proposed § 450.3. The FAA proposes this change because such detail in a definition makes the definition unwieldy and, unlike regulatory requirements, definitions cannot be waived. The FAA would amend beginning of launch such that launch begins with the first hazardous activities related to the assembly and ultimate flight of the launch vehicle at a U.S. launch site. Unless a later point is agreed to by the Administrator, hazardous preflight ground operations would be presumed to begin when the launch vehicle or its major components arrive at the launch site. For operations where an applicant identifies a later time when hazardous operations begin, the applicant may propose the event that it believes should constitute the beginning of launch during the pre-application process.162 As a result, there would be no need to request a waiver. This proposed change would also clarify that for launch vehicle stages or when launch begins for an RLV that returns to a launch site and remains there in a dormant state, FAA oversight is not necessary since no hazardous activity that falls under the FAA’s oversight responsibilities are being performed. This proposal would clarify that, absent vehicle hardware, the arrival of payload does not constitute beginning of launch. Instead, launch would begin with the arrival of a launch vehicle or its major components at a U.S. launch site, or at a later point as agreed to by the Administrator. This proposal would also specify that launch from a non-U.S. site begins at ignition, or at the first movement that initiates flight, of the launch vehicle, whichever comes first. For hybrid vehicles, flight commences at take-off. The current ‘‘beginning of launch,’’ as defined in the definition of ‘‘launch’’ refers only to launches from a U.S. launch site, and is silent with regard to launches from sites outside the United States. Although the FAA issues launch licenses for launches from non-U.S. launch sites if the operator is a citizen 162 The FAA’s proposal regarding how an operator would determine what event constitutes the beginning of launch, and how to obtain the Administrator’s approval, is located in the Ground Safety section under the Identifying First Hazardous Activity sub-heading of this preamble. E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15360 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules of the U.S., the FAA considers it outside its authority to license preflight activities that take place at a non-U.S. launch site in light of the statutory definition of launch that explicitly refers to ‘‘activities involved in the preparation of a launch vehicle . . . when those activities take place at a launch site in the United States.’’ The FAA also believes that this interpretation is necessary because of issues of sovereignty and liability under international law. For these non-U.S. launch sites, the FAA has historically licensed launches beginning at ignition, or if there is no ignition, then at the first movement that initiates flight. In order to provide clarity for launch operators launching from non-U.S. sites, the FAA is proposing to codify this approach in part 450. In addition to addressing issues in the current definition of ‘‘launch’’ regarding when launch begins, the FAA proposes to clarify when launch ends. First, the FAA would move the provisions in the current definition of launch regarding end of launch to proposed § 450.3. Second, the FAA would remove the distinction between ELVs and RLVs, which is consistent with one of the overall goals of this proposed rule. Overall, the substance of the current provisions related to end of launch currently located in § 401.5 would not change. Specifically, launch ends: 1. For an orbital launch of an ELV, after the licensee’s last exercise of control over its vehicle whether on orbit or a vehicle stage impacting on Earth; 2. For an orbital launch of an RLV, after deployment of all payloads or if there is no payload, after the launch vehicle’s first steady state orbit; and 3. For a suborbital launch of either an ELV or RLV that includes reentry, launch ends after reaching apogee; or for a suborbital launch that does not include a reentry, launch ends after the vehicle or vehicle component lands or impacts on Earth. In all these cases, activities on the ground to return either the launch site or the vehicle or vehicle component to a safe condition are part of launch and could possibly extend the end of launch. In the rare, yet to be seen, situation of a suborbital launch that does not require an FAA launch license but does require a reentry license, launch ends after the vehicle reaches apogee. In addition, the FAA would move the provisions related to reentry readiness and returning the vehicle to a safe state on the ground to proposed § 450.3. Including these reentry provisions in the scope of a vehicle operator license would clarify an operator’s responsibilities regarding VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 post-flight ground operations related to returning the vehicle to a safe state on the ground. Finally, the FAA proposes to modify the definition for reentry. Title 51 U.S.C. 50902 defines reentry as: to return or attempt to return, purposefully, a reentry vehicle and its payload or human beings, if any, from Earth orbit or from outer space to Earth. In 2000, the FAA codified the current regulatory definition of reentry in the final rule, Commercial Space Transportation Reusable Launch Vehicle and Reentry Licensing Regulations. Section 401.5 defines ‘‘reenter; reentry’’ as: To return or attempt to return, purposefully, a reentry vehicle and its payload, if any, from Earth orbit or from outer space to Earth. The term ‘‘reenter; reentry’’ includes activities conducted in Earth orbit or outer space to determine reentry readiness, and that are critical to ensuring public health and safety and the safety of property during reentry flight. The term ‘‘reenter; reentry’’ also includes activities conducted on the ground after vehicle landing on Earth to ensure the reentry vehicle does not pose a threat to public health and safety or the safety of property. As noted earlier, the FAA proposes to revise the definition to mirror the statute and move the provisions related to reentry readiness and returning the vehicle to a safe state on the ground to proposed § 450.3. B. Ground Safety Requirements This proposal would revise current ground safety requirements to make them more flexible, scalable, and adaptable to varying types of launch and reentry operations. The proposal seeks to ensure that the FAA’s oversight of ground operations at U.S. launch sites would only cover activities that are hazardous to the public and critical assets. Specifically, as proposed in § 450.179, an operator would be required to protect the public from adverse effects of hazardous operations and systems associated with preparing a launch vehicle for flight, returning a launch or reentry vehicle to a safe condition after landing, or after an aborted launch attempt, and returning a site to a safe condition. An operator would be required to conduct a ground hazard analysis (proposed § 450.185) and comply with certain prescribed hazard controls during those preflight activities that constitute launch. In addition, an operator would be required to comply with other ground safety and related application requirements in proposed part 450. The FAA proposed the part 417 ground safety regulations in the 2000 PO 00000 Frm 00066 Fmt 4701 Sfmt 4702 NPRM 163 and codified it in the 2006 final rule. The 2006 final rule adopted ground safety standards governing the preparation of a launch vehicle for flight. The final rule specified that in order for a launch operator to meet part 417 ground safety requirements, an operator must conduct a ground hazard analysis to meet the requirements of subpart E, part 417, as well as a toxic release hazard analysis to meet the requirements of § 417.227. For launches conducted from a Federal launch range, a launch operator could rely on an LSSA as an alternative means of demonstrating compliance with the FAA’s part 417 ground safety rules. Because most licensed ground operations were covered by the LSSA approach, the FAA did not begin to exercise the ground safety requirements in part 417 until 2016. Beginning in 2016, the FAA received several applications for launch licenses from non-Federal launch sites.164 Applicants were required to demonstrate compliance with the ground safety regulations in part 417. During the FAA’s evaluation, the agency found that many of its ground safety requirements were overly burdensome, highly prescriptive, and did not include criteria for determining public safety. Furthermore, the FAA discovered the requirements were out-of-date with commercial space transportation practices and operations, and in some cases duplicated other state and Federal regulations. Part 431 does not include explicit ground safety requirements. However, the scope of a launch license under part 431 includes preparing a launch vehicle for flight at a launch site in the United States. In conducting its safety review under § 431.31, the FAA must determine whether an applicant is capable of launching an RLV and payload, if any, from a designated launch site without jeopardizing public health and safety and the safety of property. The FAA evaluates on an individual basis all public safety aspects of a proposed RLV mission to ensure they are sufficient to support safe conduct of the mission, including ground safety. In licenses issued under part 431, the FAA has required operators to address reasonably 163 Licensing and Safety requirements for Launch, NPRM. 65 FR 63922 (October 25, 2000). 164 The FAA’s first license application involving a launch from a non-Federal launch range was from SpaceX for operations at pad 39A in Cape Canaveral, Florida. The FAA completed its evaluation and issued SpaceX the license on February 2017. Astra Space originally applied for a launch license from a non-Federal launch range in June 2017, and the FAA issued its license March 2018. E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules foreseeable hazards to ensure the safety of pre- and post-flight ground operations. The lack of clarity in part 431 is problematic, and would be fixed by the ground safety requirements in this proposal. The ARC recommended that the FAA create ground safety regulations that are flexible and streamlined, continue to protect the public, and are not duplicative of other state or Federal authorities. The ARC provided four primary recommendations for ground safety. First, the ARC recommended the FAA allow operators to determine what activities and operations would be covered under FAA regulations by performing an analysis to define hazards. Second, the ARC recommended the FAA scale the scope of what is considered licensed activities based on each operator’s unique operations. Third, the ARC recommended the FAA focus its regulatory authority solely on those things that affect public safety. Finally, the ARC recommended the FAA only regulate those things that are not already overseen by other governmental authorities. The FAA agrees with the ARC’s recommendations that ground safety regulations should be flexible, performance-based, and utilize a ground hazard analysis that determines the best methods for protecting the public. The proposed ground safety regulations would rely on a system safety approach to allow flexibility by stripping away specific design requirements, establishing more performance-based requirements, and giving the operator flexibility in satisfying these requirements. Specifically, an operator would conduct a ground hazard analysis (proposed § 450.185), and comply with prescribed hazard controls. In addition to any mitigations identified in the ground hazard analysis, the proposed regulations would require several prescribed hazard controls, including an accounting of how the operator would protect members of the public who enter areas under their control, provisions on how the operator would mitigate hazards created by a countdown abort, an explanation of the operator’s plans for controlling fires, and generic emergency procedures an operator would implement. As will be discussed later, operators using toxic materials would have to perform a toxic release hazard analysis (proposed § 450.187), show how it would contain the effects of a toxic release, or how the public would be protected from those risks from toxic releases. Operators would also be required to develop an explosive siting plan (proposed § 450.183) and to VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 coordinate with licensed launch and reentry site operators (proposed § 450.181). 1. Ground Safety: Identifying First Hazardous Activity In proposed § 450.3, an operator would have the flexibility to determine for its particular operation when the first preflight activity that poses a hazard to the public begins in coordination with the FAA. An operator could identify the arrival of the vehicle or its major components at the launch site as the beginning of hazardous operations, which is consistent with current practice. This option would provide a clear demarcation of when launch begins that is easily understood by both an operator and the FAA. The license would cover all ground operations that may present a hazard to the public from the time flight hardware first arrives at the launch or reentry site to the end of launch or reentry. Alternatively, an operator could identify some other action, after the arrival of the vehicle or its major components at the launch site, as the beginning of hazardous activities. As discussed earlier in the scope of a vehicle operator license discussion, this option would be available for those operations where the arrival of the launch vehicle does not constitute the beginning of hazardous activities. It would also provide flexibility to operators because the start of hazardous launch operations is unique to each operator’s circumstances. These hazardous launch operations would include the pressurizing or loading of propellants into the vehicle or launch system,165 operations involving a fueled launch vehicle,166 or the transfer of energy necessary to initiate flight.167 While this option offers greater flexibility, it would require that an applicant talk with the FAA during preapplication consultation to identify which activity would be the beginning of hazardous launch operations. This is necessary for the FAA to scope its requirements accordingly, and so that 165 This would include the loading of propellants or pressurants, where there are potential hazards such as overpressure, explosion, debris, deflagration, fire, and toxic material release. The operations that are typically performed include wet dress rehearsals, cold flow, returning the vehicle to a safe state following a scrub, and tests that might be performed while the vehicle is being fueled. 166 This would include static fire or tests with a fully-fueled integrated vehicle. 167 This would include activities that involve placing the launch vehicle into a state that would enable it to achieve suborbital or orbital flight. Even if traditional propellants are not used, the energy needed to escape Earth’s gravity is significant and the initiation of the action to launch a vehicle could potentially have significant impact to public safety. PO 00000 Frm 00067 Fmt 4701 Sfmt 4702 15361 the applicant knows what to include in its application. Early interactions with the FAA would allow a potential applicant to work with the FAA to determine which preflight operations constitute launch and therefore must occur under a license. An applicant that elects to identify an activity after the arrival of a launch vehicle or associated major components at a launch site as the beginning of launch should be prepared to discuss its operations with the FAA so that the FAA can determine that operations occurring prior to that point would not pose a threat to public safety. Note that under this proposal, indemnification and reciprocal waiver of claims coverage would start when launch begins as it does under current regulations. In other words, financial responsibility requirements would apply from the first hazardous operation until launch ends. 2. Ground Safety: Ground Hazard Analysis Proposed § 450.185 (Ground Hazard Analysis) would require an operator to complete a ground hazard analysis which would include a thorough assessment of the launch vehicle, the launch vehicle integrated systems, ground support equipment, and other launch site hardware. The analysis would include an identification of hazards, a risk assessment, an identification and description of mitigations and controls, and provisions for hazard control verification and validation. Although the analysis might incorporate employee safety and mission assurance, this proposal would only require an applicant to identify the hazards that affect the public, and how an operator would mitigate those hazards. Proposed § 450.185(a) would require an operator to identify hazards. A hazard is a real or potential condition that could lead to an unplanned event or series of events resulting in death, serious injury, or damage to or loss of equipment or property. The FAA proposes separating ground hazards into two primary categories: System and operational hazards. System hazards would include, but would not be limited to, vehicle over-pressurization, sudden energy release including ordnance actuation, ionizing and nonionizing radiation, fire or deflagration, radioactive materials, toxic release, cryogens, electrical discharge, and structural failure. Operational hazards would be hazards introduced to the launch site through procedures and processes that occur during vehicle processing. Operational hazards would include propellant handling and E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15362 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules loading, transporting vehicles or components, vehicle system activation, and related tests. Once an operator has identified hazards, proposed § 450.185(b) would require an operator to conduct a risk assessment. In other words, an operator would have to evaluate each hazard to determine the likelihood and the severity of that hazard. This assessment should identify the likelihood of each hazard causing a casualty. This assessment should also account for the likelihood of each hazard causing major damage to public property or critical assets. Public property, in this case, means any property not associated with the operation. Critical assets means an asset that is essential to the national interests of the United States, and includes property, facilities, or infrastructure necessary to maintain national defense, or assured access to space for national priority missions. Proposed § 450.185(c) would require an operator to identify mitigations or controls used to eliminate or mitigate the severity or likelihood of identified hazards. An operator would be required to demonstrate, as part of its ground hazard analysis, that the mitigations or controls reduce the likelihood of each hazard that may cause (1) death or serious injury to the public to an extremely remote likelihood, and (2) major damage to public property or critical assets to a remote likelihood. These qualitative thresholds are the same as those in § 437.55(a)(3) and proposed § 450.109(a)(3). A hazard control is a preventative or mitigation measure that reduces the likelihood of the hazard or ameliorates its severity. Proposed § 450.185(d) would require an operator to identify and describe the risk elimination and mitigation measures required to satisfy the risk criteria in proposed § 450.185(c). Under current industry standards, these measures include one or more of the following: Design for minimum risk, incorporate safety devices, provide warning devices, or implement procedures and training, as previously discussed in reference to the analogous flight hazard analysis requirement in § 450.109(a)(4).168 Finally, proposed § 450.185(e) would require an operator to demonstrate through verification and validation that the risk elimination measures meet the remote and extremely remote standards discussed earlier. Verification is an evaluation to determine that safety measures derived from the ground hazard analysis are effective and have been properly implemented. 168 MIL–STD–882E, VerDate Sep<11>2014 section 4.3.4. 18:49 Apr 12, 2019 Jkt 247001 Verification provides measurable evidence that a safety measure reduces risk to acceptable levels. Validation is an evaluation to determine that each safety measure derived from the ground hazard analysis is correct, complete, consistent, unambiguous, verifiable, and technically feasible. Validation ensures that the right safety measure is implemented, and that the safety measure is well understood. While this proposal would require an operator to complete a full ground hazard analysis as described previously, an operator would not need to submit this analysis in its entirety as part of its vehicle operator license application. Rather in proposed § 450.185(f), the FAA would require an applicant to provide a description of the ground safety hazard analysis methodology, a list of the systems and operations involving the vehicle or payload that may cause a hazard to the public, and the results of the ground hazard analysis that affect the public. Although the results of the ground hazard analysis would be unique to each applicant’s operations, the ground hazard analysis application deliverables should have common elements. Specifically, the ground hazard analysis should contain the hazards that have a high likelihood or high severity of affecting the public. The analysis should include controls for the hazards that mitigate the risk to the public and all of the other requirements shown in § 450.185. Common hazards that affect public safety, which the FAA would expect to be addressed in a ground hazard analysis, include propellant loading, ordinance installation or actuation, proximity to pressurized systems during operations, certain lifting operations (such as solid rocket motors and payload integration), operations which could result in toxic release, and RF testing. Fundamentally, if the operator identifies a hazard that affects the public, it must be properly documented and mitigated to reduce the risk to the public. It should be noted that any part of the ground hazard analysis could be reviewed during inspection. 3. Ground Safety: Ground Safety Prescribed Hazard Controls In addition to those mitigations an operator would implement as a result of its ground hazard analysis, proposed § 450.189 (Ground Safety Prescribed Hazard Controls) would require an operator to implement certain prescribed hazard controls during the ground operations period of launch or reentry. These prescribed hazard controls would require that an operator document how it would protect PO 00000 Frm 00068 Fmt 4701 Sfmt 4702 members of the public who enter areas under the operator’s control, mitigate hazards created by a countdown abort. They would also require the operator’s plans for controlling fires and emergency procedures. Specifically, proposed § 450.189(b) would require an operator to document a process for protecting members of the public who enter any area under the operator’s control. Although the public would be protected from many hazards because they are excluded from safety clear zones and prevented from entering the site during certain hazardous operations, an operator should account for the protection of the public when they are allowed to be on the site. The proposed rule would require an operator to develop procedures to identify and track members of the public while on site, and methods to protect the public from hazards in accordance with the ground hazard analysis and the toxic hazard analysis. For example, the operator could have plans in place to control who enters its site, whether or not members of the public on site will be escorted, how the public will be made aware of and protected from hazards, and if members of the public will be required to wear personal protective equipment. This rule would also require an operator to establish, maintain, and perform procedures for controlling certain hazards in the event of a countdown abort or recycle operation. Current § 417.415(b) requires an operator to meet specific requirements for safing their vehicle, maintaining control of their FSS, and controlling access to the site until it is returned to a safe state. This rule would require a more performance-based approach to ensuring the safety of the vehicle and the site following a countdown abort or recycle operation in order to accommodate many different types of flight safety systems and operations. Proposed § 450.189(c) would require that an operator, following a countdown abort or recycle operation, establish, maintain, and perform procedures for controlling hazards related to the vehicle and returning the vehicle, stages, or other flight hardware and site facilities to a safe condition. In all of these instances, this proposal would require an operator to have provisions in place to keep the public safe while returning the launch vehicle or launch site back to a safe condition. If a launch vehicle does not lift-off after a command to initiate flight, an operator would be required to ensure that the vehicle and any payload are in a safe configuration, prohibit the public from entering into any identified hazard areas until the site E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules is returned to a safe condition, and maintain and verify that any FSS remains operation until certain that the launch vehicle does not represent a risk of inadvertent flight. These more specific requirements would be levied on an operator in the event of a failure to lift-off after a command to initiate because a launch vehicle can be in a particularly hazardous state. This proposed requirement is similar to § 417.415(b), which requires a launch operator to establish procedures for controlling hazards associated with a failed flight attempt where an engine start command was sent, but the launch vehicle did not lift-off. These procedures must include maintaining and verifying that each flight termination system remains operational, assuring that the vehicle is in a safe configuration, and prohibiting launch complex entry until the launch pad area safing procedures are complete. Proposed § 450.189(d) would require an operator to have in place reasonable precautions for reporting and controlling any fire that occurs during launch and reentry activities in order to prevent the occurrence of secondary hazards such as a brush fire caused by a static fire test or some related ground launch activity. These secondary hazards, if not controlled, could reach pressure vessels or other related equipment causing more damage. An operator may choose to meet industry standards or fire codes as a means of satisfying this requirement. Proposed § 450.189(e) would require an operator to establish general emergency procedures that address how emergencies would be handled at the site. An emergency has the potential to directly affect the public or create secondary hazards that may affect the public; therefore, implementation of these procedures are critical for safety of the public. An emergency would include any event that would require an evacuation, or a response from emergency officials such as the fire department or emergency medical technicians. Additionally, the establishment of general emergency procedures would allow the operator to have roles, responsibilities, and plans in place in advance of an emergency to reduce the effects of any emergency on the public. Section 417.111(c)(15) currently requires an operator to have generic emergency procedures in place for any emergency that may create a hazard to the public, and this rule would replace those prescriptive requirements with performance-based requirements. Proposed § 450.189(f) would require an applicant to submit its process for VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 protecting members of the public who enter any area under the operator’s control. This process would be submitted as part of an applicant’s vehicle operator license application. 4. Ground Safety: Coordination With a Licensed Launch or Reentry Site Operator Under proposed § 450.181(a), for a launch or reentry conducted from or to a Federal launch or reentry site or a site licensed under part 420 or 433, an operator must coordinate with the site operator because the two entities each have public safety responsibilities during ground operations. Specifically, an operator must coordinate with the site operator to ensure public access is controlled where and when necessary to protect public safety, to ensure launch or reentry operations are coordinated with other launch and reentry operators and other affected parties to prevent unsafe interference, to ensure that any ground hazard area does not unnecessarily interfere 169 with continued operation of the launch or reentry site, and to ensure prompt and effective response in the event of a mishap that could impact public safety. This is similar to § 417.9(b)(2), which requires a launch operator to coordinate with a launch site operator and provide any information on its activities and potential hazards necessary for the launch site operator to determine how to protect any other launch operator, person, or property at the launch site. Part 431 requires an agreement between a launch or reentry operator and any site operator in § 431.75. In addition, in the mission readiness review requirements in § 431.37(a), an operator must involve launch site and reentry site personnel and verify their readiness to provide safety-related launch property and launch services. For a launch or reentry conducted from or to a site licensed under part 420 or 433, § 450.181(b) would require an operator to also coordinate with the site operator to establish roles and responsibilities for reporting, responding to, and investigating any mishap during ground activities at the 169 The FAA has proposed minimum requirements for ground hazard areas based on safety thresholds, either toxic hazard areas or other hazard areas derived from the ground hazard analysis, but has always allowed operators to propose to clear areas larger than necessary to ensure greater safety. In consultation with NASA and the Department of Defense, the FAA discovered that FAA approved ground hazard areas were having adverse impacts on neighboring space operations in easily avoidable ways. As such, the FAA has proposed ground hazard areas be coordinated with the affected launch or reentry site operators prior to licensing. PO 00000 Frm 00069 Fmt 4701 Sfmt 4702 15363 site. The same mishap plan requirements in proposed § 450.173 would apply to a site operator leaving open the assignment of roles and responsibilities between a site and launch or reentry operator for reporting, responding to, and investigating mishaps during ground operations. Proposed § 450.181(b) is designed to ensure those roles and responsibilities are established. As part of its application, an applicant would be required to describe how it is coordinating with a Federal or licensed launch or reentry site operator in compliance with this section. As discussed earlier, in reference to proposed § 450.147, a vehicle operator would be required to submit as part of its vehicle operator license application references to any agreements with other entities utilized to meet any requirements of this section. In this context, agreements may include security, access control services, any lease agreements for launch sites, services used for hazard controls or analysis, or any agreement with local emergency or government services. 5. Ground Safety: Explosive Site Plan Proposed § 450.183 (Explosive Site Plan) would require an applicant to include an explosive site plan as part of its vehicle operator license application, if it proposes to conduct a launch or reentry from or to a site exclusive to its own use. The explosive site plan would have to demonstrate compliance with the explosive siting requirements of §§ 420.63, 420.65, 420.66, 420.67, 420.69, and 420.70. Currently for exclusive use sites, § 417.9(c) requires a launch operator to satisfy the requirements of the public safety requirements of part 420. With proposed § 450.183, the FAA is clarifying that the only requirements from part 420 that need be conducted by an exclusive use operator is the explosive safety requirements. 6. Ground Safety: Toxic Hazards During Ground Operations Proposed § 450.187 contains requirements for toxic hazard mitigation for ground operations. This is discussed later in the ‘‘Additional Technical Justification and Rationale’’ section, in the subsection on toxic hazards for flight, due to the commonality of toxic requirements for ground operations and flight. Process Improvements A. Safety Element Approval This proposal would modify part 414 to enable applicants to request a safety E:\FR\FM\15APP2.SGM 15APP2 15364 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 element approval in conjunction with a license application as provided in proposed part 450. Proposed § 450.39 (Use of Safety Element Approval) would allow an applicant to use any vehicle, safety system, process, service, or personnel for which the FAA has issued a safety element approval under part 414 without the FAA’s reevaluation of that safety element during a license application evaluation to the extent its use is within its approved envelope. Finally, this proposal would change the part 414 term from ‘‘safety approval’’ to ‘‘safety element approval’’ to distinguish it from ‘‘safety approval’’ as used in parts 415, 431, and 435, and proposed part 450, because these terms, as discussed later in this section, have entirely different meanings. i. Part 414 and 415 Safety Approval Clarification As defined in current § 414.3, a safety approval is an FAA document containing an FAA determination that one or more safety elements, when used or employed within a defined envelope, parameter, or situation, will not jeopardize public health and safety or safety of property. As listed in the Act, safety elements include: (1) Launch vehicle, reentry vehicle, safety system, process, service, or any identified component thereof; or (2) qualified and trained personnel, performing a process or function related to licensed launch activities or vehicles. In contrast, parts 415, 431, and 435 reference ‘‘safety approval’’ to mean an FAA determination that an applicant is capable of launching a launch vehicle and its payload without jeopardizing public health and safety, and safety of property. Other chapter III parts, including parts 431 and 435, reference ‘‘safety approval’’ as described in part 415. The use of identical terms in parts 414, 415, 431, and 435 to reference different meanings has caused confusion. Therefore, the FAA proposes to distinguish these terms by changing the part 414 term to ‘‘safety element approval.’’ This proposed term more accurately reflects the substance of a part 414 safety approval of a particular element that may be used to support the application review for one or more launch or reentry licenses. Other than the addition of ‘‘element’’ to the current term, the part 414 definition and related references in parts 413 and 437 would remain the same. The FAA would make conforming changes throughout parts 413, 414, and 437, where a part 414 safety approval is referenced, to change those references to ‘‘safety element approval.’’ The term ‘‘safety approval’’ VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 would maintain the same meaning as that in current 415, 431 and 435 where it appears in the proposed rule. ii. Part 414 Safety Element Approval 170 Application Submitted in Conjunction With a License Application Part 414 enables a launch and reentry operator to use an approved safety element within a specified scope without a re-examination of the element’s fitness and suitability for a particular launch or reentry proposal. A safety element approval may be issued independent of a license, and it does not confer any authority to conduct activities for which a license is required under chapter III. A safety element approval does not relieve its holder of the duty to comply with all applicable requirements of law or regulation that may apply to the holder’s activities. The ARC recommended that an applicant for a launch or reentry license be able to identify one or more safety elements included in the applicant’s license application and to request review of those safety elements for a safety element approval concurrent with the license application review.171 The FAA agrees with the ARC’s recommendation. The FAA notes that its practice has always been to accept references to information provided in a previous license application so long as the applicant can demonstrate the relevance of that information to the current application. The FAA also relies on previous evaluations where it analyzed compliance with a particular requirement if the same operator submits a more recent application using the same analysis. The proposed changes would codify this approach for safety element approval applications in proposed § 450.39 172 and the relevant sections in part 414. This proposal would allow an applicant to request a safety element approval as part of its vehicle operator license application. Specifically, this rule would provide a process in proposed § 414.13 to apply for a safety 170 For readability and ease of understanding, this section refers to a current part 414 safety approval as a safety element approval, regardless of whether the discussion is referencing the current regulations or the proposed regulations. For direct quotations, the FAA retains the previous term ‘‘safety approval.’’ 171 ARC Report, p. 24–25. 172 Proposed § 450.39 is similar to § 437.21(c) for experimental permits, which states that if an applicant proposes to use any reusable suborbital rocket, safety system, process, service, or personnel for which the FAA has issued a safety approval under part 414, the FAA will not reevaluate that safety element to the extent its use is within its approved envelope. Parts 415 and 431 do not have similar sections because they were developed before part 414 was issued. PO 00000 Frm 00070 Fmt 4701 Sfmt 4702 element approval concurrently with a license application. These safety element approval applications submitted in conjunction with a license would largely use information contained in a license application to satisfy part 414 requirements. This would alleviate the need to provide separate applications for a vehicle operator license and a safety element approval. The FAA envisions safety element approvals in conjunction with a license application to cover the same safety elements as delineated in § 414.3. Using similar processes as for part 414, the FAA would determine whether a safety element is eligible for a safety element approval. The FAA would base its determination on criteria in proposed part 450. The applicant would be required to specify the sections of the license application that support its application for a safety element approval. The technical criteria for reviewing a safety approval submitted as part of a vehicle operator license application would be limited to the requirements of proposed part 450. This limitation would simplify the safety element approval process by eliminating the need to provide a Statement of Conformance letter, as required under current § 414.1(c)(3) for a safety element approval separate from a vehicle operator license application. To avoid this limitation to proposed part 450 criteria, an applicant could apply for a safety element approval separate from a vehicle operator license. However, there is no difference between a safety element approval issued through a separate application or a vehicle operator license application. Finally, the FAA proposes to remove the requirement stating that, for each grant of a safety element approval, the FAA will publish in the Federal Register a notice of the criteria that were used to evaluate the safety element approval application, and a description of the criteria. The FAA provided the rationale for this notification in the preamble to a proposed rule.173 The FAA explained that the purpose of this notification requirement was to make clear the criteria and standards the FAA used to assess a safety element. However, the FAA has found that this requirement is unnecessary, and has potentially discouraged applications for safety element approvals due to concerns that proprietary data may be disclosed. Going forward, a safety element approval application submitted concurrently with a vehicle operator license application would be evaluated 173 Safety Approvals, NPRM, 70 FR 32191, 32198 (June 1, 2005). E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 based only on criteria in proposed part 450. For other safety element approvals, experience has shown that there is no need to publish the criteria because the FAA’s determinations were not based on any uniquely-derived standard. In fact, all eight safety element approvals granted by the FAA have been evaluated against regulations in 14 CFR chapter III. Therefore, the FAA proposes to revise the requirement in current § 414.35 (re-designated as § 414.39) such that safety element approval evaluation criteria, whether related to an application submitted concurrently with a license application or separately, would not require publication. Given the FAA’s proposal to not require publication of evaluation criteria, the confidentiality provision under current § 414.13(d) 174 is no longer necessary. That provision notifies applicants that if proposed criteria is secret, proprietary, or confidential, it may not be used as a basis to issue a safety approval. B. Incremental Review of a License Application In response to the ARC recommendations, the FAA proposes to amend part 413 and to include language in proposed part 450 to allow an applicant the option for an incremental review of the safety approval portion of its application. Under 51 U.S.C. 50905(a)(1), the FAA is required by statute to issue or deny a launch or reentry license not later than 180 days after accepting an application. Under the same statute, the FAA must inform the applicant of any pending issue and action required to resolve the issue not later than 120 days after accepting an application. To ensure that the FAA has sufficient time to complete a thorough review to evaluate whether the applicant complies with the FAA’s commercial space transportation regulations in the prescribed time frame, § 413.11 states the FAA screens the application to determine if it contains sufficient information for it to begin its review. It also states that if the application is so incomplete or indefinite that the FAA cannot start to evaluate it, the FAA will notify the applicant accordingly. In accordance with internal policy, the FAA aims to make this complete enough determination within two calendar weeks after receiving the application. When the FAA accepts an application, the 180-day review period begins on the date that the FAA received the 174 Current § 414.13 would be renumbered in this proposal as § 414.17 to maintain sequential section numbering. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 application. If the FAA accepts an application as complete enough to review, the FAA works with applicants to identify additional information and documentation needed to demonstrate regulatory compliance, and advises applicants when those materials are needed. If the additional materials are not provided within an appropriate time frame, the FAA tolls the review period, stopping the counting of time towards the 180-day deadline. Once the FAA has completed its review, it issues a license, or informs the applicant, in writing, that the license application is being denied and states the reasons for denial. Industry representatives have expressed frustration both with a lack of clarity as to what is ‘‘complete enough’’ for the FAA to accept an application and begin review and with the 180-day review period. The FAA seeks comment on how the FAA can improve the clarity of ‘‘complete enough’’ to address past frustrations. For an applicant that is in the early stages of development, there are challenges with compiling all of the documentation in parallel with their vehicle development. First-time applicants regularly underestimate the amount of time needed for licensing. For nearly all applicants, much of the vehicle and mission information is only refined and finalized within the 180-day review period, which may subject the application to tolling and business risk to the applicant’s timeline for launch operations. The timing of the issuance of an FAA authorization has never caused a delay to a launch or reentry operation, but the FAA is cognizant that there could be impacts on an operator even absent an operation delay. In part to address these issues, and bearing in mind that a written application is the means by which the FAA determines whether a launch or reentry operator can conduct a launch or reentry safely, the FAA invited the ARC to describe how the FAA might modify its application process to improve efficiency for both the FAA and applicants. The ARC suggested in part that the FAA allow for an incremental or modular application and review process. Specifically, the ARC recommended that the application review process should be modified to allow for incremental approvals of subsections to guide a focused review and avoid tolling. The recommendation suggested further that, rather than 180 days for review of an entire application, the FAA should assign a brief period for each subsection or module. The current application process is already modular to an extent. The FAA has issued payload determinations outside of a license, primarily for PO 00000 Frm 00071 Fmt 4701 Sfmt 4702 15365 payload developers seeking early assurances that their payload would be permitted to be launched. The FAA has even conducted preliminary policy reviews to provide similar assurances to future applicants on a less formal basis. Despite these allowances, the vast majority of FAA commercial space licensing evaluation time is spent on evaluating the safety implications of a license application. Because this proposed rule seeks to convert the prescriptive safety requirements to performance-based criteria, the FAA believes that it may be possible to develop a flexible safety review process that can afford applicants early determinations, providing an applicant more flexibility and control over the timing of the licensing process. The ARC also recommended that the FAA reduce its application review time. The ARC focused on differentiating between experienced and inexperienced operators in order to decrease FAA review time of license applications. While the FAA agrees that experienced operators may require shorter application review times, it should be noted that this would likely be due to familiarity with the application process, more streamlined application materials that lend themselves to a more efficient review, and established processes that have been through FAA review previously (such as ground safety analyses). While the proposed incremental review process would empower operators to better define when certain portions of an application are reviewed and would allow an operator that has satisfied certain requirements early to receive credit for those portions of its application in advance, other proposals in this rulemaking, such as safety element approvals concurrent with a license application, flexible time frames, and reduced application burdens, would probably serve to reduce review times more effectively than an incremental application process. Nevertheless, the modular nature of payload determinations, policy approvals, environmental evaluations, and financial responsibility requirements, and the more granular incremental review of compliance with the safety approval requirements would allow an applicant to seek partial approval of an application as soon as a portion is ready to be evaluated. These approvals would allow an operator to better manage its timeline and any potential timeline risk. The flexible nature of this proposal would allow the FAA to further engage with industry and establish new best practices and greater efficiencies for E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15366 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules both government evaluators and our commercial partners. The option of using an incremental approach would provide more flexibility to operators who are able to provide portions of their application in advance. In proposed § 450.33 (Incremental Review and Determinations), the FAA would revise the launch and reentry regulations to allow for an incremental review application submission option for vehicle operator license applicants. Because the current regulations already allow an operator to submit the payload, policy, environmental, and financial responsibility portions of its application independently, the FAA proposes that the incremental review process apply specifically to the safety approval portion of a license application. Given the large variety of applicant experience, proposed operations, and company timelines, the FAA recognizes a need for flexibility. Accordingly, the FAA is proposing amendments to part 413 and regulatory language in proposed part 450 to allow for incremental application submission and determinations. This incremental review application process would not replace the traditional review of a full, complete application submitted at once—the incremental review would be an optional path to obtaining an FAA license determination that allows an applicant to choose an application submission process that suits their business model and program needs. The FAA is proposing in § 450.33(a) that, prior to any submission, an applicant would be required to identify to the FAA that it plans to avail itself of the incremental review and determination application process. During pre-application consultation, the FAA would work with an applicant towards an incremental review process that is aligned to both the development process for an applicant and the necessities of the FAA’s evaluation framework. The FAA proposes to coordinate with applicants during preapplication consultation to determine the following: (1) Appropriate portions of an operator’s application that could be submitted and reviewed independently; (2) the application and review schedule with dates of key milestones; (3) the applicant’s planned approach to demonstrate compliance with each applicable regulation, to include any foreseeable requests for waiver; and (4) the scope of the proposed action being applied for, the identification of any novel safety approaches or other potentially complicating factors, and how those will be addressed during the licensing process. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 The details of an applicant’s incremental application process would have to be approved by the FAA in accordance with proposed § 450.33(b) prior to application submission and the FAA could issue determinations towards a safety approval resulting from those reviews, in accordance with proposed § 450.33(c). An applicant would be able to propose sections of the safety approval portion of its application that the FAA could review independently. This process would allow an applicant to submit completed sections, for example the System Safety Program, to the FAA early, rather than wait until the entire application was complete enough. The FAA would also be able, where appropriate, to review and make determinations on these increments prior to a full licensing determination. It would also allow an applicant to identify more challenging or lengthy portions of an application that could be submitted earlier to avoid delays and tolling closer to a launch date. The FAA believes this process would improve predictability for applicants seeking assurances against business risks. As the FAA gains more experience with the incremental application process, the FAA may issue guidance for the process or an example of a process that has been found to satisfy the intent of the regulation. The FAA considered the ARC’s recommendations for predetermined modules, but identified several concerns in attempting to model the practice of such a process. The ARC provided a flow diagram that partitioned the evaluation process into nine conceptual 30-day modules, with the proposal that those modules could be reviewed in serial or in parallel. As noted earlier, the FAA is statutorily limited to a 180-day review process, so any review of modules in serial could not exceed 180 days. The ARC recommended that if the modules are submitted in parallel for concurrent review, extra time should be provided for FAA review up to 90 days to allow for dependent analyses. The ARC recommendation asserted the importance that the modules are independent in terms of content, when possible, but correctly acknowledged that some modules will necessarily depend on others.175 The FAA seeks to provide as much flexibility as practicable in the proposed process to enable innovative business practices and schedules that contemplate frequent launches and reentries, but many aspects of the safety evaluation are interdependent, and the FAA requires certain material from one aspect of a 175 ARC PO 00000 Report, p. 61. Frm 00072 Fmt 4701 Sfmt 4702 safety evaluation to inform and remain consistent with other aspects. Furthermore, operators generally develop and define standards, methodologies, processes, preliminary designs, and plans for an aspect of their evaluation long before they are able to submit advanced analysis products or testing results. The FAA seeks comment on how a formal incremental review process would account for the statutory 180-day review period, when application increments or modules are likely to be submitted and reviewed at very different time periods. To enable incremental application submission and review, the FAA is proposing to amend § 413.1 to broaden the term application to encompass either a full application submitted for review or an application portion submitted under the incremental review process. In making this amendment, the FAA would be able to accommodate applications submitted under either process. The FAA proposes to retain the pre-application consultation requirement of § 413.5, which is streamlined by the proposed removal of § 415.105 and its duplicative requirement for a more prescriptive preapplication consultation process. Under this proposal, an operator would be required to identify whether it wants to enter into the incremental application process during pre-application consultation. Should an operator elect to submit its application incrementally, it would work with the FAA to detail what is needed for each application portion to begin review. In proposing an approach to incremental review, the FAA expects that an applicant would consider the following: 1. Application increments submitted at different times should be not be dependent on other increments to the extent practicable. 2. Application increments should be submitted in a workable chronological order. In other words, an applicant should not submit an application increment before a separate application increment on which it is dependent. For example, the FAA would not expect to agree to review a risk analysis before reviewing a debris analysis or probability of failure analysis because the risk analysis is directly dependent on the other two analyses. 3. An applicant should be able to clearly identify all the regulations and associated application materials that would be required for each application increment, and should be able to demonstrate to the FAA that all the applicable regulations are covered by the separately submitted portions. E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules 4. Examples of application increments that may be suitable for incremental review include: System Safety Program, Preliminary Safety Assessment for Flight, Flight Safety Analysis Methods, and FSS Design. The FAA seeks comment on the incremental approach generally. The FAA further seeks comment on any other useful guidelines that an applicant should consider when crafting an incremental approach. Finally, the FAA also seeks comment on any other safety approval sections of a license application that would be appropriate for incremental review. Finally, the FAA would amend § 413.15 to provide that the time frame for any incremental review and determinations would be established with an applicant on a case-by-case basis during pre-application consultation. The FAA would continue to work with applicants during the preapplication phase to assist applicants in navigating the FAA’s regulations and identifying potential challenges. C. Time Frames amozie on DSK9F9SC42PROD with PROPOSALS2 Chapter III regulations include a number of prescriptive time frame requirements that the FAA proposes to make more flexible. In 2016, the FAA conducted a review of the time frames in chapter III and found that many could be made more flexible without any discernable impact on safety. During meetings with the Commercial Spaceflight Federation (CSF) 176 in 2017 and 2018, some members of industry expressed concern about the FAA’s restrictive time frame requirements. The ARC also stated that the current regulatory time frames and requirements for submission of changes is onerous and untenable for high flight rates.177 In consideration of the industry’s comments and the FAA’s review of chapter III time frames, the FAA proposes in § 450.15 to increase flexibility by allowing an operator the option to propose alternative time frames that better suit its operations. The FAA would revise the time frame requirements in parts 404, 413, 414, 415, 417, 420, 431, 437, and 440 that are overly burdensome and may result in waiver requests. Further, the FAA would, after reviewing the operator’s request for an alternative time frame, 176 The Commercial Spaceflight Federation (CSF) states that its mission is ‘‘to promote the development of commercial human spaceflight, pursue ever-higher levels of safety, and share best practices and expertise throughout the industry.’’ Its member businesses and organizations include commercial spaceflight developers, operators, spaceports, suppliers and service providers. 177 ARC Report, p. 48. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 provide the FAA’s expected review period to make its determination on the proposed alternative time frame. The proposed revisions to parts 415, 417, and 431 would be included in new proposed part 450. For ease of reference, the FAA would list all revised chapter III time frames in proposed appendix A to part 404. Proposed § 450.15(b) would inform the operator to submit its request for an alternative time frame in writing. The ‘‘in writing’’ provision could be in the form of a formal letter or email sent electronically to the email address ASTApplications@faa.gov, with the subject line ‘‘Alternative Time Frame Request.’’ If an operator would like to send the request in hardcopy, it would mail the request to the Federal Aviation Administration, Associate Administrator for Commercial Space Transportation, Room 331, 800 Independence Avenue SW, Washington, DC 20591; Attention: Alternative Time Frame Request. The FAA anticipates that an operator would submit these requests during the pre-application consultation or during the application process, and not after a license has been issued. At a minimum, the operator would be required to submit its request before the time frame specified in the regulations. Note, the FAA would need time to process the request. For example, if a requirement states that an operator must submit a document 30 days before launch, the operator may not submit a request for an alternative time frame 30 days before launch or later. Also, under the proposal, the requested alternate time frame must be specific. For example, an operator could request to submit a document 15 days before launch, but not ‘‘as soon as possible.’’ The FAA would provide the operator its decision in writing. Proposed § 404.15(c) would provide the conditions under which the Administrator would agree to an alternative time frame. That is, the FAA would review and agree to an alternative time frame if the proposed alternative time frame would allow time for the FAA to conduct its review and make the requisite findings. For example, the default time frame in proposed § 450.213(b) for a licensee to submit to the FAA certain payload information would be not less than 60 days before each mission conducted under a license. The FAA uses the information to verify that each payload fits within any approved class of payload under the license, and to address any issues that may arise. The FAA may only need a shorter time frame for this effort if the approved payload classes are well defined and PO 00000 Frm 00073 Fmt 4701 Sfmt 4702 15367 unlikely to generate payload-specific issues. As another example, the default time frame in proposed § 450.213(d) for a licensee to submit to the FAA certain flight safety system test data would be no later than 30 days before flight. The FAA may agree to a shorter time frame for an experienced operator that uses a proven flight safety system. D. Continuing Accuracy of License Application and Modification of License The FAA proposes to consolidate continuing accuracy requirements currently in §§ 417.11 and 431.73 in proposed § 450.211. The proposed rule would preserve the standards in §§ 417.11 and 431.73. In addition, it would allow an applicant to request approval of an alternate method for requesting license modifications during the application process. This option currently only exists in § 437.85 for experimental permits. Under the current regulations, an operator must ensure that any representation contained in a license application is accurate for the entire term of a license. After the FAA issues a launch license, an operator must apply to the FAA for a license modification if any representation that is material to public health and safety or safety of property is no longer accurate (commonly referred to as ‘‘material change’’). An application to modify a license must be prepared and submitted in accordance with part 413. The licensee must indicate what parts of its license application or license terms and conditions would be affected by a proposed modification. Although license applications are often updated during the application process, the application, as fixed at the time of license issuance, becomes part of the licensing record. After issuing the license, the FAA deems any material change to a representation in the application to be a modification to the license. However, changes may occur after a license is issued, particularly among operators that are developing new systems or incorporating innovative technology. The FAA does not wish for the material change requirement to deter those changes intended to improve operations. Although the FAA and operators may not always agree on what constitutes a material change, the FAA works with the operator to resolve any issues and reduce uncertainties. Regarding compliance with an issued license, the ARC recommended that information needed prior to each launch, as long as it is within the approved flight envelope, should be minimized and a centralized, automated E:\FR\FM\15APP2.SGM 15APP2 15368 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 system for submitting preflight information should be established. Continuing accuracy reviews should be limited to an assessment of the risks created by the change. The ARC further recommended that if the regulations continued to use the term ‘‘material change,’’ then that term should be defined in the regulations, guidance, or pre-application agreement. The FAA agrees with the ARC’s recommendations. While there already exist avenues by which a licensee can minimize the need for license modifications,178 this rule would adopt an approach from § 437.85 where the FAA may identify the types of changes that a permittee may make to a reusable suborbital rocket design without invalidating the permit. In proposed § 450.211, the FAA may approve an alternate method for requesting license modifications if requested during the application process. The FAA envisions that this approach would permit an applicant during the application process to propose a method that is responsive to its anticipated types of changes after a license is issued. Regarding the recommendation for the development of a centralized automated system for submitting preflight information, while the FAA has been flexible in accepting application material and license updates submitted in electronic format, it recognizes that an improved system is desirable. The FAA is exploring mechanisms to facilitate these submissions. Finally, the FAA agrees with the ARC recommendation that it should develop guidance on what constitutes a ‘‘material change’’ and has identified the following areas that often constitute a material change: 1. Safety-critical system or component changes (e.g., flight safety system) that may affect public safety, including— a. Substitution of an existing safetycritical component with a component with a new part number or manufacturer (reflecting changed dimensions, changed functional or performance specifications, or changed manufacturing process). b. Modifications to a safety critical component deemed necessary by an 178 A license applicant may circumvent or lessen the need for frequent license modification due to material change by providing in its application a range of payloads, flight trajectories, hazard areas, and orbital destinations, so as to encompass more flexibility in actual licensed operations. A license applicant may also create acceptable processes for making changes to safety critical systems and their components, mission rules, hazard areas, and safety organization, that limit the need for license modifications. Part of these processes would include a mechanism for informing FAA of the change. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 anomaly investigation, and requiring reverification by test or inspection. c. Rework or repair of a safety-critical component after inspections or tests revealed fabrication or assembly imperfections. d. Reuse, after an earlier launch or reentry, of safety-critical systems or components, requiring refurbishment, re-qualification testing, and reacceptance testing. 2. Hazard analysis changes that may affect public safety such as the validity of the hazard analysis, mitigation measure, or verification of a safety critical system or component. 3. Flight safety rule changes that may affect public safety such as flight commit criteria associated with public safety. 4. Hazard area changes that may affect public safety, including the dimensions of the area. 5. Maximum Probable Loss (MPL) related changes that affect the validity of the assumptions used to establish the MPL (e.g., change in the number of personnel within a hazard area, change in trajectory resulting in more overflight of people or property, increase in vehicle size with more propellant, hazardous materials, or potential debris). 6. Environmental Assessment related changes that affect the validity of an environmental assessment (e.g., changes to mitigation measures outlined in a record of decision or environmental impact statement). 7. Safety organization changes that may affect public safety such as changes to the roles and responsibilities of the safety organization or personnel, including changes in contractual safety services.179 8. Critical documents or processes that may affect public safety. The FAA believes that this list provides guidance to help operators better understand what constitutes a material change. As the industry continues to develop and the FAA identifies material changes, it will consider providing more detailed guidance. 179 As discussed earlier in the preamble, the proposed rule would eliminate the current requirement to name a specific individual as the safety official. Instead, the NPRM would allow for one person or several persons to perform the safety official functions, and, the operator would be required to designate a position, not a specific individual, to accomplish the safety official functions. Therefore, under this proposal, if the operator changes the specific individual performing the safety official functions, that would not constitute a material change. PO 00000 Frm 00074 Fmt 4701 Sfmt 4702 Other Changes A. Pre-Application Consultation As discussed earlier, the ARC recommended that the FAA require the pre-application process only for new operators or new vehicle programs. For all other operations, the ARC recommended that pre-application occur at the operator’s discretion.180 The FAA does not agree that preapplication should be discretionary for anyone. In light of the various flexibilities proposed in this rule, preapplication consultation would remain critical to assist operators with the licensing process, especially those that choose to avail themselves of the flexibilities provided in this proposal. These flexibilities include incremental review, timelines, and the performancebased nature of many of the regulatory requirements. Pre-application consultation eases the burden on both the applicant and the FAA during the application process by identifying and resolving issues that allow applicants to submit application materials the agency can accept as complete enough for review. That being said, pre-application consultation with an experienced operator conducting an operation substantively similar to one previously licensed would likely be an abbreviated process. In response to the ARCs request for defined review times, the FAA considered an approach to preapplication consultation that would culminate in a mutually agreeable ‘‘compliance plan.’’ Under this approach, a compliance plan would be developed collaboratively between the applicant and the FAA. Key milestones that could be established by the compliance plan would include, but would not be limited to, the planned dates of the formal application submittal, the FAA’s licensing determination, and the submission of any required information that is unavailable at the time of formal application submittal. The FAA chose not to propose this requirement because it could be overly burdensome, possibly delay an application submittal, and the compliance plan could require frequent updates. However, the FAA would be open to commenters’ views on how to best develop a voluntary pre-application product, such as a compliance plan. B. Policy Review and Approval The FAA currently reviews a launch and reentry license application to determine whether it presents any issues affecting national security 180 ARC E:\FR\FM\15APP2.SGM Report, p. 23. 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 interests, foreign policy interests, or international obligations of the United States. As part of its review and in accordance with section 50918 of the Act, the FAA consults with the Department of State, Department of Defense, and other executive agencies, as appropriate. The Department of Defense assesses the effect of the launch on U.S. national security, and the Department of State assesses its effect on foreign policy interests and international obligations of the United States. For good practice, the FAA also consults with NASA, the Department of Commerce’s National Oceanic and Atmospheric Administration (NOAA), and the Federal Communications Commission (FCC), for counsel on those U.S. interests related to the primary responsibilities of each agency. As such, the FAA coordinates with the FCC and NOAA over matters related to frequency licensing and Earth imaging, respectively, and with NASA for matters particularly related to its assets in space. Section 415.25 currently contains application requirements for a policy review of the launch of a vehicle other than an RLV, § 431.25 for the launch and reentry of an RLV, and § 435.23 for the launch of a reentry vehicle other than an RLV.181 To date, these informational requirements have served their purpose well. However, the FAA believes that the current informational requirements should be modified to relieve the applicant of unnecessary burden and to improve the utility of the information requested for a policy review. Currently, §§ 415.25(b) and 431.25(b) both require an applicant to identify structural, pneumatic, propellant, propulsion, electrical and avionics systems. Section 431.25(b) also requires an applicant to identify thermal and guidance systems used in the launch vehicle, and all propellants. Although identifying the aforementioned systems is important for a safety review, the FAA believes that this information is not critical for a policy review, which addresses whether the launch or reentry presents issues affecting national security interests, foreign policy interests, or international obligations of the United States. The FAA proposes to consolidate the policy review requirements contained in 181 These sections require an applicant to provide basic information about the launch or reentry vehicle, its ownership, launch site, flight azimuths, trajectories, associated ground tracks and instantaneous impact points, sequence of planned events or maneuvers during flight, range of nominal impact areas for all spent motors and other discarded mission hardware, and for each orbital mission, the range of intermediate and final orbits of each vehicle upper stage, and their estimated orbital lifetimes. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 §§ 415.25 and 431.25 under proposed § 450.41 (Policy Review and Approval). In doing so, the FAA would retain the substance of the current requirements while further tailoring the informational requirements toward a policy review. Also, the FAA would replace the launch or reentry vehicle description requirements with vehicle description requirements that are more appropriate for a policy review. Finally, the FAA would require the applicant to provide flight azimuths, trajectories, and associated ground tracks and instantaneous impact points, and contingency abort 182 profiles, if any, for the duration of the licensed activity. Specifically, proposed § 450.41(e)(2) would replace the current requirement to identify structural, pneumatic, propulsion, electrical, thermal, guidance and avionics systems with a requirement to describe the launch or reentry vehicle and any stages, including their dimensions, type and amounts of all propellants, and maximum thrust. As previously mentioned, currently required information is not critical for a policy review because policy determinations do not require the same level of technical detail as a safety review and do not need to delve into vehicle design specifics. Instead, the information required by proposed § 450.41(e)(2) would provide the FAA and its interagency partners with the scope of the proposed activity that is more pertinent to a policy review. Moreover, the FAA anticipates that the proposed changes would be significantly less burdensome for an applicant, as the information is readily available and requires minimal effort to provide. In contrast, the currently required information, while also readily available, might be extensive and require more effort to compile. Additionally, it is unclear that the requirements to supply flight azimuths, trajectories, and associated ground tracks and instantaneous impact points, currently found in §§ 415.25(d)(2) and 431.25(d)(2), apply for the duration of the licensed activity (i.e., from lift-off to the end of licensed activities). For example, applicants previously have interpreted the requirement to supply flight azimuths and trajectories to end at orbital insertion because that is when ground tracks and instantaneous impact points vanish. However, during interagency coordination for policy 182 The FAA proposes to revise the definition in § 401.5 of ‘‘contingency abort’’ to mean a flight abort with a landing at a planned location that has been designated in advance of vehicle flight. The proposed definition is discussed later in this preamble. PO 00000 Frm 00075 Fmt 4701 Sfmt 4702 15369 reviews of orbital missions, NASA and the Department of Defense have repeatedly, and specifically, requested information from the FAA concerning the trajectories of upper stages after orbital insertion in order to determine the potential for the proposed mission to jeopardize the safety of government property in outer space or national security. Therefore, in addition to consolidating §§ 415.25(d)(2) and 431.25(d)(2) into proposed § 450.41(e)(4)(ii), the FAA would add language to clarify that the requirement to supply flight azimuths, trajectories, and associated ground tracks and instantaneous impact points applies for the duration of the licensed activity (i.e., lift off to the end of launch). This clarification would eliminate the need for the FAA to request additional information from an applicant to satisfy inquiries from NASA and the Department of Defense during policy reviews and prevent any unnecessary delays to the policy review process. C. Payload Review and Determination The FAA proposes to consolidate the payload review requirements. The agency would also remove the requirement to identify the method of securing the payload on an RLV, add application requirements to assist the interagency review, such as the identification of approximate transit time to final orbit and any encryption, clarify the FAA’s relationship with other federal agencies for payload reviews, and modify the 60-day notification requirement currently found in §§ 415.55 and 431.53. While speaking of payload reviews, it is important to keep in mind the definitions of launch vehicle and payload as defined in FAA regulations. The FAA is not proposing to amend these definitions. A launch vehicle is a vehicle built to operate in, or place a payload in, outer space or a suborbital rocket. A payload is an object that a person undertakes to place in outer space by means of a launch vehicle, including components of the vehicle specifically designed or adapted for that object. Thus, a payload can become a reentry vehicle. For example, the Dragon is a payload when it is launched on the Falcon 9 and a reentry vehicle when it reenters from Earth orbit. The FAA believes that any component attached to, or part of, a launch or reentry vehicle that has an intended use in space other than transporting itself or a payload, is in fact a payload. For example, the FAA has treated canisters of cremains attached to a stage left in orbit as payloads. E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15370 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules Pursuant to § 415.51, unless the payload is exempt from review under § 415.53, the FAA reviews a payload proposed for launch to determine whether an applicant, payload owner, or operator has obtained all the required licenses, authorization, and permits. The FAA further determines whether a payload’s launch would jeopardize public health and safety, safety of property, U.S. national security or foreign policy interests, or international obligations of the United States. Similarly, both § 431.51 for launch and reentry of an RLV and § 435.41 for reentry of a reentry vehicle other than an RLV, require the FAA to review a payload to examine the policy and safety issues related to the proposed reentry of a payload. Current §§ 415.59 and 431.57 also require the applicant to submit basic payload information to allow the FAA to conduct a payload review. While the information requirements for payload review in §§ 415.59 and 431.57 are similar, they are not identical. Both sections require that an applicant provide the payload’s physical dimensions and weight; owner and operator; orbital parameters for parking, transfer, and final orbits; and hazardous materials, as defined in § 401.5, and radioactive materials, and the amounts of each. However, § 415.59 requires an applicant to provide the name and class of the payload, the intended payload operations during the life of the payload, and the delivery point in flight at which the payload will no longer be under the licensee’s control. Whereas, § 431.57 requires an applicant to provide either the payload name or payload class and function; the physical characteristics of the payload in addition to the payload’s dimensions and weight; the explosive potential of payload materials, alone and in combination with other materials found on the payload or RLV during reentry; and the method of securing the payload on the reusable launch vehicle. It also replaces delivery point with designated reentry site(s); and requires the identification of intended payload operations during the life of the payload. With respect to hazardous materials, § 431.57 also requires the applicant to identify the container of the hazardous materials, in addition to the type and amount, because how the hazardous materials are contained is important for reentry. The FAA believes that the current payload review informational requirements necessitate modification to improve the utility and efficiency of payload review. During interagency review, other agencies have requested VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 information from the FAA for the amount of time a payload will take to reach its final orbital destination. This information allows the agencies to assess the payload’s potential to impact their operations. However, current regulations do not contain an informational requirement that the applicant provide this information. As a result, the FAA often must make additional requests to the applicant in order to provide the requesting agencies with the information. In the past, most non-government payloads were telecommunications or remote sensing satellites for which there were well-established regulatory regimes. Operators are now proposing payloads with new intended uses such as servicing other satellites and mapping frequency use. The capabilities of payloads continue to grow; for example, cubesats are appearing in great numbers with unique capabilities. As a result, it is possible that these new uses may pose threats to national security, such as the resolution of on-board cameras that might be used to survey national security space assets. Consequently, payload reviews increasingly need to address the threat that these new uses and capabilities might pose to U.S. national security, either unintentional or malicious. Additionally, § 415.53 provides that the FAA does not review payloads regulated by the FCC or the Department of Commerce. Section 431.51 provides that the FAA does not review payloads subject to regulation by other federal agencies. However, neither of these regulations reflect current practice. In practice, the FAA includes payload information in its interagency reviews for all payloads, with the exception of certain U.S. Government payloads for which information is unavailable due to national security concerns, because § 415.51 provides that the safety requirements apply to all payloads, regardless of whether the payload is otherwise exempt. Even though the FAA conducts a review of all payloads, the FAA does not impinge on the authority of the FCC or the Department of Commerce, nor question the decision of the FCC or NOAA to approve communications or remote sensing satellites. It does not question the decision of another federal agency concerning its payloads. More accurately, while the FAA may conduct a review of all payloads, the FAA does not make a payload determination on what it considers an ‘‘exempt’’ payload. Changes in the types of payloads that are being launched or proposed have also complicated the scope of FAA payload reviews and demonstrated that PO 00000 Frm 00076 Fmt 4701 Sfmt 4702 the language exempting certain payloads from review is overly restrictive. The FAA has made payload determinations for payloads that will undoubtedly require FCC or NOAA licensing, but the proposed payload missions were beyond the scope of communications or remote sensing. These payloads were examined in the interagency process and neither the FCC nor NOAA took exception to the FAA’s approach. Section 50918 of Title 51 of the U.S. Code mandates that the Secretary of Transportation consult with the Secretary of Defense on matters affecting national security, the Secretary of State on matters affecting foreign policy, and the heads of other agencies when appropriate. Section 50919(b) states that chapter 509 of Title 51 does not affect the authority of the FCC or Department of Commerce. The language of FAA regulations exempting from review those payloads subject to the jurisdiction of the FCC, NOAA, and other agencies, is more restrictive regarding the FAA’s authority than what is required in the statutory mandate of 51 U.S.C. 50918 and 50919. The genesis of this more-limited role by the FAA came from the Report of House of Representatives, May 31, 1984, that accompanied H.R. 3942. Specifically, the report stated: ‘‘[t]he Committee intends that the Secretary not review or otherwise evaluate the merits of communications satellites licensed and approved by the FCC, other than to assure the proper integration of such payload with the launch vehicle and its launch into orbit.’’ At that time, almost all non-government payloads were communications or remote sensing satellites, regulated by the FCC and NOAA, respectively. When DOT published the initial licensing regulations in 1988, the preamble noted that the payloads subject to existing payload regulation included only telecommunications satellites licensed by the FCC and remote sensing satellites licensed by NOAA. It went on to state that payloads that were not subject to review by DOT included all domestic payloads not presently regulated by the FCC or NOAA and all foreign payloads. Almost any domestic payload, even if it is not a telecommunications satellite, however, requires FCC licensing because it will invariably have a U.S.owned or -operated transmitter for telemetry purposes. Therefore, it appears that the intention of the rule was only to exclude from FAA regulation telecommunications satellites licensed by the FCC and likewise, remote sensing satellites licensed by E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules NOAA, and not any satellite with a transmitter licensed by the FCC or with some incidental remote sensing capability. In recent years, there have been proposals for commercial payloads where the primary purpose might be scientific or exploratory or even artistic. Despite their primary purpose, these payloads almost always require an FCC license because they have transmitters for telemetry. Similarly, some payloads also require approval by NOAA even though remote sensing may be ancillary to the main purpose. Without an interagency review, the FAA has no direct means of knowing whether a payload is exempt from review and, as a result, has initiated interagency reviews. These reviews also serve the purpose of alerting the other agencies to launches of payloads that might jeopardize U.S. national security or foreign policy interests, or international obligations of the United States, even if they are exempt from an FAA payload review. Although the FAA has not to date been faced with the Department of Defense or the Department of State raising concerns through the interagency review regarding national security or foreign policy for an ‘‘exempt’’ payload, the FAA believes that it would be its responsibility to convey those concerns to the appropriate agencies for resolution. The ARC asserts that the payload reviews being conducted are more detailed than necessary to assure the protection of ‘‘public health and safety.’’ The ARC recommended that payloads that stay within the vehicle, have nonhazardous materials, or those that have previously been approved for flight, should not require reviews. It recommended that safety goals can be met by only requiring reviews for hazardous payloads that could impact ‘‘public health and safety.’’ The ARC also stated that it would be more cost effective to regulate only hazardous payloads ejected from the launch vehicle in reportable quantities using the existing standards in 49 CFR 172.101. It believes such an approach would reduce unnecessary paperwork and subsequent FAA review for ‘‘benign payloads,’’ and the reduction of burden on the FAA to review ‘‘non-safety related payloads’’ would support industry’s increased flight tempo and reduce FAA review times. The FAA does not agree with the ARC recommendation that payloads that stay within the vehicle, payloads that are non-hazardous materials, or those that have previously been approved for flight should not require reviews. The fact that a payload remains on or within the VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 launch or reentry vehicle does not change the function of the payload. The payload’s intended use in space or changes in the orbit of the vehicle to accommodate the payload operation might present issues because it could affect NASA or Department of Defense assets either due to its orbit or function. For example, the Department of Defense has concerns regarding payloads that may pass close enough to its assets to photograph them. The FAA recognizes that some payloads, such as canisters of cremains, attached to an upper stage, might have little or no safety or policy implications. However, a review is still necessary to make that determination. Obviously, the absence of hazardous materials also removes some safety concerns; however, as previously discussed, hazardous materials are not the only concern addressed in the payload review. While payloads that stay within a vehicle, do not contain hazardous materials, or have previously been approved may require less scrutiny, a payload review is still required because the FAA is statutorily mandated under 51 U.S.C. 50904(c) to determine whether a license applicant or payload owner or operator has obtained all required licenses, authorization, and permits. If no license or authorization or permit is required by another federal agency, the FAA must determine whether a launch would jeopardize public health and safety, safety of property, U.S. national security or foreign policy interests, or international obligations of the United States. Similarly, while potentially it might be more cost effective to regulate only hazardous payloads ejected from a launch vehicle in reportable quantities using existing standards in 49 CFR 172.101, the FAA must still comply with the statutory requirements imposed on it by 51 U.S.C. 50904(c). Both the FAA’s current and proposed regulations reflect this statutory requirement. As for payloads that have previously been approved for launch, the FAA already authorizes classes of payloads under §§ 431.53 and 415.55, but it still requires identification of the specific payload at least 60 days prior to the launch in order to confirm that the payload fits within the authorized class and to coordinate with other federal agencies. The FAA currently does not make a new payload determination if a payload fits within a class of payloads authorized under a particular license, but the review is still necessary to confirm there are no issues that affect public health and safety, the safety of property, or national security. The more defined the payload class, the less the PO 00000 Frm 00077 Fmt 4701 Sfmt 4702 15371 likelihood of any issues once the specific payload is identified. For series of virtually identical payloads, the FAA has authorized the entire series. A payload or launch operator can work with the FAA to facilitate and expedite payload approvals by defining payload classes to accommodate possible payloads. Also, payload classes authorized for one operator will usually be authorized for another operator. The FAA acknowledges that the current 60day notification requirement might be unnecessary for certain well-defined payload classes and proposes to modify this requirement to permit a shorter notification on a case-by-case basis. The FAA anticipates that the notification requirement would be specified either in the separate payload determination or in a vehicle operator license. The ARC recommended that payloads that contain hazardous materials in Federally-reportable quantities be reviewed in 15 days. The FAA does not agree with the ARC’s recommendation because there are other considerations regarding intended operations in space that might affect national security or the safety of property. For example, a payload may have the capability of observing or interfering with U.S. national security assets or violate a provision of a treaty. The FAA proposes to consolidate the requirements for a payload review currently contained in subparts D of parts 415, 431, and 435 in proposed § 450.43 (Payload Review and Determination). The proposed consolidation would retain most of the current payload review requirements. The limited changes the FAA proposes to the payload requirements are discussed in this section. The FAA proposes to modify the relationship with other agencies by removing the misleading statement that the FAA does not review payloads that are subject to regulation by the FCC or the Department of Commerce. Specifically, the FAA proposes to modify the regulation to reflect that while it does not review those aspects of payloads that are subject to regulation by the FCC or the Department of Commerce, it still reviews the payloads to determine their effect on the safety of launch. The FAA also consults with other agencies to determine whether their launch would jeopardize public health and safety, safety of property, U.S. national security or foreign policy interests, or international obligations of the United States. Proposed § 450.43(b) would provide that the FAA would not make a payload determination over those aspects of payloads that are subject to regulation by the FCC or the E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15372 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules Department of Commerce. The FAA does not intend to interfere with any requirement that these agencies might impose or with approvals or denials. This clarification is merely a recognition of current practice regarding payloads that do not easily fit into the existing regulatory rubric. The FAA also proposes not to retain the specific reference to NOAA in § 415.53(a). Although commercial remote sensing is currently licensed by NOAA’s Office of Commercial Remote Sensing Regulatory Affairs (CRSRA), the Secretary of Commerce recently proposed merging CRSRA with NOAA’s Office of Space Commerce and moving them directly under the Office of the Secretary of Commerce. As a result, proposed § 450.43(b) would revise the description of which payloads are exempt, to clarify that a payload planning to conduct remote sensing operations would be exempt if licensed by any office within the Department of Commerce. In consolidating the informational requirements in parts 415, 431, and 435, the FAA proposes to eliminate information requirements concerning the method of securing a payload that was a requirement under § 431.57(g) for RLVs because that information is not relevant to a payload review. The FAA considered replacing that informational requirement with a more general one to provide the potential of the payload to affect the dynamics of the vehicle. However, the FAA determined such information was more pertinent to the vehicle operator and should instead be included in systems safety analysis for the launch or reentry, if appropriate. Proposed § 450.43(i)(1) also would require an applicant to provide an expanded description for the payload that would include its composition and any hosted payloads in addition to the current requirements of physical dimensions and weight. The FAA proposes to ask for any foreign ownership of the payload or payload operator. In addition, the FAA would add the approximate transit times to final orbit for the payload. The FAA proposes to elaborate what it means by intended payload operations during the life of the payload by adding its anticipated life span and any planned disposal. Further, it proposes a requirement to describe any encryption associated with data storage on the payload and transmissions to or from the payload. Encryption helps ensure against cyber intrusion, loss of spacecraft control, and potential debriscausing events. The FAA is proposing these additions to the information requirements for launches to assist other VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 federal agencies because NASA and the Department of Defense frequently have requested this information in response to the FAA’s interagency review in order to determine whether the proposed payload would jeopardize the safety of government property in outer space, or U.S. national security. The FAA also proposes to add a general requirement that it may request any other information necessary to make a determination based on public health and safety, safety of property, U.S. national security or foreign policy interests, or international obligations of the United States. The FAA believes that it would rarely invoke this provision but believes that it is crucial to address unique payloads. The FAA anticipates that for payload classes—as distinguished from specific payloads—the applicant might only be able to provide a range of expected transit times and would find this acceptable. Similarly, for classes of payloads the FAA would find it appropriate to provide ranges for information related to size of the payload and quantities of hazardous materials. It also proposes to add the explosive potential of payload materials, alone and in combination with other materials on the payload for launches, as it already does for reentries because the information is equally relevant to the safety of a launch as for a reentry. The FAA anticipates that these additional data requirements would impose minimal burden, if any, on the applicant. For example, the payload operator should already have detailed plans for moving its payload to its final destination, and the explosive equivalent for most materials is easily calculated using readily-available information. As another example, in requesting information about what encryption, if any, is used, the FAA is not asking for a detailed account of encryption methodology. Many operators are already using 256-bit Advanced Encryption Standard encryption (AES–256) to protect commercial telemetry, tracking, and control data links and mission data transmission or storage. In this case, an operator would only need to state that it uses AES–256. These additional data requirements help inform the overall evaluation of a payload. By specifying in its regulations what is required to expedite the FAA’s payload review process without the need to make supplemental requests to an applicant to address interagency concerns, and the applicant would avoid having to respond to such requests. The FAA seeks comment on this proposed approach. PO 00000 Frm 00078 Fmt 4701 Sfmt 4702 D. Safety Review and Approval As part of its current licensing process under parts 415 and 431, the FAA conducts a safety review to determine whether a proposed launch or reentry will jeopardize public health and safety and safety of property. The FAA would not change the philosophy or purpose of a safety review in this rulemaking. As with the current regulations, an applicant would have to satisfy the safety requirements in order to obtain a license to conduct a launch or reentry. Only a vehicle operator license applicant would be eligible to apply for a safety approval, and may apply for a safety approval separately and incrementally. As with current regulations, the FAA would advise an applicant, in writing, of any issues raised during a safety review that would impede issuance of a license, and the applicant may respond in writing, or amend its license application in accordance with § 413.17. This proposal would also not change the process by which the FAA denies a license, and the recourse afforded an applicant if a license is denied. For launches and reentries from, or to, a Federal launch range or any launch or reentry site where a Federal launch range provides safety-related launch or reentry services or property by contract, the FAA would accept the service or property as meeting the relevant requirements of proposed part 450, as long as the FAA determines that the Federal launch range’s safety requirements for the launch or reentry services or property provided satisfy those requirements. Note that a Federal launch range could, at the direction of the operator, provide FSA products such a debris risk analyses or flight safety limits analyses, directly to the FAA on behalf of an operator. While the FAA is not proposing to change the philosophy and purpose of a safety review and approval, the FAA is proposing changes to the requirements to obtain a safety approval. The FAA proposes to locate the application requirements for a safety approval in proposed § 450.45 (Safety Review and Approval), in paragraph (e), and throughout proposed subpart C. The application requirements in proposed § 450.45(e) are general and not specific to any safety requirement, and would include information not covered explicitly in proposed subpart C. Proposed § 450.45(e)(1) would address basic requirements for an application, such as the inclusion of a glossary of terms and a listing of referenced material. This proposed requirement is similar to current § 415.107, although E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules the proposed regulation would not include the requirement for an application to be logically organized, with a clear and consistent page numbering system, and topics crossreferenced. The FAA expects an applicant to ensure its application meets these basic organizational standards without explicitly requiring them. In proposed § 450.45(e)(2), the FAA would require an applicant to submit information about its launch or reentry site. This proposed requirement is similar to current § 415.109(a), with the addition of references to a reentry site. In proposed § 450.45(e)(3), the FAA would require an applicant to submit information about its launch or reentry vehicle, including safety critical systems. This proposed requirement is similar to current § 415.109(b), but would include reentry vehicles in addition to launch vehicles. In proposed § 450.45(e)(4), the FAA would require an applicant to submit a generic launch or reentry processing schedule that identifies any readiness activities, such as reviews and rehearsals, each safety-critical preflight operation, and day of flight activities. Although the proposed regulations do not necessarily require reviews or rehearsals, should the applicant propose them to meet readiness requirements, they should be included in the schedule. This proposed requirement is similar to current § 415.119, but with the addition of reentry vehicles. Proposed § 450.45(e)(5) would apply to any proposed launch or reentry with a human being on board the vehicle, and would require an applicant to demonstrate compliance with certain safety requirements in part 460. This proposed requirement is similar to current § 415.8, except that it would include reentry vehicles. Proposed § 450.45(e)(6) would address the potential launch or reentry of radionuclides, similar to current § 415.115(b) but with the addition of reentries. Because such proposals are rare, it is the current practice of the FAA to address the public safety issues on a case-by-case basis. This proposed rule would not change this approach. Lastly, in proposed § 450.45(e)(7), the FAA would reserve the right to request additional information if necessary. This request would include information incorporated by reference in the license application, such as a previous application submittal. The FAA could also request additional products that would allow the FAA to conduct an independent safety analysis. The FAA periodically conducts independent system safety and flight safety analyses in order to gain a deeper understanding VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 of the safety issues associated with a launch or reentry proposal. This independent analysis is particularly important for novel systems or operations. The FAA proposes to continue this practice with this rulemaking. Proposed subpart C would contain the remainder of the application requirements for a safety approval. With some exceptions, discussed later, each safety requirement in proposed subpart C has application requirements articulated at the end of each section. Under current regulations for ELVs, application requirements are contained in part 415, while safety requirements are contained in part 417. Under current regulations for RLVs contained in part 431, application requirements and safety requirements are not distinguished so clearly. The proposed approach is designed to clearly separate safety requirements from application requirements. However, the following proposed sections do not include application requirements, either because they introduce other sections or because the FAA would not require a demonstration of compliance to obtain a license: 1. § 450.101: This section would address the core public safety criteria for launching a launch vehicle or reentering a reentry vehicle. An applicant would demonstrate that it can meet these criteria in other parts of proposed subpart C. 2. § 450.113 (Flight Safety Analysis Requirements—Scope and Applicability): This section would address the scope and applicability of the FSA requirements contained in §§ 450.113 through 450.141. 3. § 450.157: This section would include requirements for communication procedures, but an applicant would not have to demonstrate compliance with this section in order to obtain a license. 4. § 450.159: This section would include requirements for preflight procedures. Similar to proposed § 450.157, an applicant would not have to demonstrate compliance with this section in order to obtain a license. 5. § 450.169: This section would include requirements for launch and reentry collision avoidance analysis. An applicant would not have to demonstrate compliance with this section in order to obtain a license, but it would have to provide certain information to the FAA prior to a launch or reentry. 6. § 450.179 (Ground Safety— General): This section would address the scope and applicability of the ground safety requirements contained in PO 00000 Frm 00079 Fmt 4701 Sfmt 4702 15373 §§ 450.181 (Coordination with a Site Operator) through 450.189. E. Environmental Review The FAA proposes to consolidate environmental review requirements for launch and reentry operators in a single section, as proposed § 450.47 (Environmental Review). Currently, these requirements are set forth in §§ 415.201, 415.203, 431.91, 431.93, and 435.61. In addition, the FAA proposes to revise current §§ 420.15, 433.7, 433.9, and 437.21 to conform to the changes in proposed § 450.47. Apart from consolidation, these proposed revisions would not alter the current environmental review process. The FAA is responsible for complying with the National Environmental Policy Act (NEPA) and other applicable environmental laws, regulations, and Executive Orders prior to issuing a launch or reentry license. To comply with NEPA, the FAA must first determine whether the licensing action requires a Categorical Exclusion (CATEX), an Environmental Assessment (EA), or an Environmental Impact Statement (EIS). A CATEX is appropriate when actions, individually or cumulatively, do not have a significant effect on the human environment. An EA broadly documents evidence and analysis necessary to determine whether a proposed action may significantly affect the human environment requiring the preparation of an EIS or results in a finding of no significant impact (FONSI). If the action may significantly affect the human environment, NEPA requires preparation of an EIS. An EIS is a thorough analysis of a proposed action’s impacts on the environment, including a public involvement process. Under current FAA practice, the issuance of a new launch or reentry license does not fall within the scope of a CATEX. However, an applicant may provide data and analysis to assist the FAA in determining whether a CATEX could apply (including whether an extraordinary circumstance exists) to a license modification. Examples include modifications that are administrative in nature or involve minor facility siting, construction, or maintenance actions. If a CATEX does not apply to the proposed action, but it is not anticipated to have significant environmental effects, then NEPA requires the preparation of an EA instead. The FAA may prepare an EA using applicantprovided information. In the alternative, an applicant may prepare an EA with FAA oversight. When NEPA requires an EIS for commercial space actions, the FAA uses third-party contracting to E:\FR\FM\15APP2.SGM 15APP2 15374 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules prepare the document. That is, the FAA selects a contractor to prepare the EIS, and the license applicant pays the contractor. Finally, if an EA or EIS was previously developed, the FAA may require a written re-evaluation of the environmental document to ensure the document’s continued adequacy, accuracy and validity.183 This proposed rule would not alter the current environmental review requirements. However, the consolidation of the launch and reentry regulations would require a consolidation of the environmental review requirements. and, that an applicant must submit a license application to transfer a license according to the provisions of part 413 and the requirements of proposed part 450. Also, like the current requirements, the proposal would require an applicant to satisfy all of the approvals and determinations required under part 450 before the FAA would transfer a license to an applicant, and the FAA would retain the ability to incorporate by reference any findings made part of the record to support the initial licensing determination and to modify a license to reflect any changes necessary because of a license transfer. F. Additional License Terms and Conditions, Transfer of a Vehicle Operator License, Rights Not Conferred by a Vehicle Operator License As discussed earlier in this preamble, the FAA proposes to consolidate, under proposed part 450, the differing types of launch and reentry licenses, currently in parts 415, 431, and 435, into a single vehicle operator license. As part of this consolidation, the FAA would combine specified sections of parts 415, 431, and 435 into proposed sections of part 450, such that the consolidated requirements would apply to a single vehicle operator license. Except for these changes, the current requirements would remain the same. The specific proposed changes are identified below. 3. Rights Not Conferred by a Vehicle Operator License The FAA proposes to consolidate in proposed § 450.13 (Rights Not Conferred by a Vehicle Operator License) the requirements in current §§ 415.15, 431.15, and 435.15 regarding the rights that are not conferred by issuance of a license. Although the location of the requirements would change, the requirements themselves would not substantively change. The proposed requirements would continue to state that issuance of a vehicle operator license does not relieve a licensee of its obligation to comply with all applicable requirements of law or regulation that may apply to its activities. In addition, the proposal would state the issuance of a license does not confer any proprietary, property or exclusive right in the use of any Federal launch range or related facilities, airspace, or outer space. its application, an operator would need to demonstrate that each unique safety policy, requirement, or practice imposed by the FAA protects public health and safety, safety of property, and the national security and foreign policy interests of the United States. Proposed § 450.177 is largely the same as § 417.127 with two differences. Section 417.127 requires an applicant to file a request for license modification for any change to a unique safety policy, requirement, or practice. The FAA would not incorporate this requirement in proposed part 450 because it is duplicative given the general license modification requirement in proposed § 450.177. Also, § 417.127 applies only when necessary to protect the public, whereas proposed § 450.177(b) would also apply to national security and foreign policy interests of the United States. This is necessary to cover the full scope of FAA’s licensing authority. The purpose for this proposed section is the same as for current § 417.127. As the space transportation industry continues to grow, advances in technology and implementation of innovations by launch and reentry operators will likely introduce new and unforeseen safety challenges. These unique challenges will require FAA officials and operators to collaborate on a case-by-case basis to identify and mitigate those unique hazards to public health and safety, safety of property, and the national security and foreign policy interests of the United States not specifically addressed by proposed part 450. G. Unique Safety Policies, Requirements, and Practices Proposed § 450.177 (Unique Policies, Requirements and Practices) would require an operator to review operations, system designs, analysis, and testing, and to identify any unique launch or reentry hazards not otherwise addressed by proposed part 450, consistent with current regulations and practice. An operator would be required to implement any unique safety policy, requirement, or practice needed to protect the public from the unique hazard. In its application, an operator would have to identify any unique safety policy, requirement, or practice, and demonstrate that each it protects public health and safety and the safety of property. Proposed § 450.177 would also provide that the FAA may identify and impose a unique policy, requirement, or practice, as needed, to protect the public health and safety, safety of property, and the national security and foreign policy interests of the United States. In H. Compliance Monitoring The FAA proposes to combine the compliance monitoring requirements of parts 417 and 431 into § 450.209 (Compliance Monitoring). In combining the requirements, the FAA would adopt § 417.23. The FAA currently conducts safety inspections to ensure a licensee complies with applicable regulations, the terms and conditions of its license, and representations the licensee made in its application. Compliance monitoring requirements are codified in §§ 417.23, 431.83, and 435.51. Section 417.23 requires that a launch operator cooperate with and allow Federal officers or employees access to observe any of its activities associated with the conduct of a licensed launch, and provide the FAA with a console for monitoring the countdown’s progress, and the communication on all channels of the countdown communication network. The requirements of §§ 417.23(a) and 431.83 are nearly identical in that both require a licensee to cooperate with and amozie on DSK9F9SC42PROD with PROPOSALS2 1. Additional Terms and Conditions The FAA proposes to consolidate the current additional terms and conditions requirements in §§ 415.11, 431.11, and 435.11 into proposed § 450.9 (Additional License Terms and Conditions) without substantive change. Therefore, the proposed requirement would state that the FAA may amend a vehicle operator license at any time by modifying or adding terms and conditions to the license to ensure compliance with the Act and regulations. 2. Transfer of a Vehicle Operator License The FAA proposes to consolidate the requirements to transfer a license in current §§ 415.13, 431.13, and 435.13 into proposed § 450.11 (Transfer of a Vehicle Operator License). Although the location of the requirements would change, the requirements themselves would not substantively change. The proposed requirements would continue to provide that only the FAA may transfer a vehicle operator license; 183 FAA Order 1050.1F, Environmental Impacts: Policies and Procedures, provides a more detailed description of the FAA’s policies and procedures for NEPA and CEQ compliance. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 PO 00000 Frm 00080 Fmt 4701 Sfmt 4702 E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules to allow Federal officers or employees access to observe any of its activities associated with the conduct of a licensed RLV mission. However, unlike § 417.23, § 431.83 does not require a licensee to provide a console to the FAA for monitoring all the channels on the countdown communication network. Monitoring the communications channels—including countdown, anomaly, range coordination, surveillance, and weather—is a vital part of compliance monitoring and safety inspection operations, regardless of operation type. Under part 417, a licensee cooperates with the FAA and provides its inspectors with access and consoles to observe the activities associated with the licensed launch. As a result, the FAA is able to monitor all communication channels, and has access to the safety official and the mission director through the communications panel and through a phone line. FAA inspectors regularly monitor an operator’s communications channels. In doing so, an inspector can become aware of issues that arise during a countdown. These issues may include vehicle health, ground operations, FSS health, range readiness, clearance of surveillance and hazard areas, weather, and countdown procedures. Additionally, listening to the communications channels also gives an inspector a sense of an operator’s safety culture, rigor, and readiness. In addition, inspectors can communicate face-to-face with the safety official and the mission director, if necessary, because they are typically collocated. Although there is a requirement in part 431, and incorporated by reference in part 435, that an operator cooperate with safety inspectors, there is no specific requirement for the licensee to provide access to all communication channels. The FAA has had to discuss with the operator what channels will be available for monitoring during these operations. Some operators have contended that their employees will not be as forthcoming with information if they know FAA inspectors are listening. However, being able to hear how the operator communicates during critical operations is necessary for inspectors to determine compliance and to address problems before they occur. Since inspectors cannot physically listen to all channels concurrently, an inspector will listen to one or more channels that can provide situational awareness and information used to determine compliance. The necessary discussions require additional time and may cause a delay, consume man-hours, and is a cost to both the government and the operator during the license application VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 phase, or potentially during a launch countdown. Regarding the contention that personnel are less likely to discuss problems if inspectors are monitoring their conversation, the FAA strives to be as unobtrusive as possible so as not to affect operations. Additionally, the purpose of compliance monitoring is not to punish operators. Rather, channel monitoring and on-site inspection allows inspectors to identify potential licensing issues and alert the operator, so it can take action to maintain or return to compliance. This approach ensures safety while minimizing impacts to the operator. There have been many instances where inspectors noticed incorrect test setups for FSS checks, for example, or other issues during compliance monitoring that would affect public safety, and informed the operator so they could be corrected before safety was impacted. Compliance monitoring is important for ensuring public safety and requires that FAA safety inspectors be exposed to actual operations in order to be trained, qualified, and capable of performing their safety-critical role. Because safety inspectors are trained to detect non-compliances, they need to have access to, and the discretion to see and hear, as much of the operation as they deem necessary. Observing activities for training and familiarization purposes benefits both the inspectors and the operator because the more familiar an inspector is with an operation, the better he or she can perform the inspection. Knowledgeable inspectors cause less operational impacts because they ask fewer questions and are less likely to incorrectly identify a non-compliance. The FAA proposes to combine the compliance monitoring requirements of §§ 417.23 and 431.83 in proposed § 450.209. The proposed regulation would primarily adopt those requirements in § 417.23, but ‘‘launch operator’’ would be replaced by ‘‘licensee’’, and ‘‘licensed launch’’ would be replaced by ‘‘licensed launch or reentry.’’ Additionally, the FAA proposes to allow an operator the option to provide the FAA with means other than a console for monitoring the communication and countdown channels. For example, a smaller company may operate without consoles, in which case the operator may provide the FAA with radio monitoring and a location in close proximity to the necessary data to monitor launch. As a result, the compliance monitoring requirements of proposed § 450.209 would apply to all launch and reentry operations, thereby capturing licensed PO 00000 Frm 00081 Fmt 4701 Sfmt 4702 15375 launch operations under current part 417 and licensed RLV operations under current part 431. Proposed § 450.209 also codifies current FAA practice for conducting compliance monitoring of part 435 operations. Proposed § 450.209(b) would require the licensee to provide the FAA with a console or other means for monitoring the countdown and communication network. This proposed requirement would alleviate the issues that result from extended negotiations. The option for ‘‘other means’’ would provide the operator with some flexibility, as the FAA recognizes that operations may occur with temporary infrastructure and a console may be an unrealistic request. In this case, the operator would be expected to provide the FAA with an alternative method to monitor communications that is approved by the FAA prior to operations. I. Registration of Space Objects The FAA proposes to consolidate the requirements for the registration of space objects in proposed § 450.217 (Registration of Space Objects). These requirements currently reside in §§ 417.19 and 431.85 and are largely identical. This proposal would not change the substantive requirements of either section, except to add a registration requirement for objects owned by a foreign entity. The 1975 Convention on Registration of Objects Launched into Outer Space (Registration Convention), to which the United States is a signatory, requires details about the orbit of each space object. To that end, current regulations require an applicant to provide information on space objects that the FAA forwards to the Department of State. The Department of State then registers the objects with the United Nations as required by the Registration Convention. Since enacting these current regulations, the Department of State has requested that the FAA also provide this information for objects possibly owned by foreign entities. Current registration of space objects requirements is codified in § 417.19, applicable to ELVs, and § 431.85, applicable to RLVs. The two provisions are substantively identical in all respects but one. That is, they both require the registration of any object placed in space by a licensed mission, unless the object is owned and registered by the U.S. Government or owned by a foreign entity. Similarly, both sections require the licensee to submit information about the space object’s international designator, the date and location of the mission, the general function of the space object, and E:\FR\FM\15APP2.SGM 15APP2 15376 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules the final orbital parameters. The sole substantive distinction is that § 431.85 also requires an operator to notify the FAA when it removes a space object. Proposed § 450.217 would deviate from current §§ 417.19 and 431.85 by requiring the registration of foreignowned space objects. The FAA would not require the licensee to determine the owner’s nationality. The Department of State would use this information to ensure that other nations meet their obligations by registering their foreign objects. Proper registration of all objects owned by foreign entities would allow for the protection of the United States from liability associated with these objects. Otherwise, the FAA would retain the same informational requirements. It would continue to require a licensee to submit information about the space object’s international designator, the date and location of the mission, the general function of the space object, and the final orbital parameters. Additionally, proposed § 450.217 would retain current § 431.85’s requirement that an operator notify the FAA when it removes a space object. amozie on DSK9F9SC42PROD with PROPOSALS2 J. Public Safety Responsibility, Compliance With License, Records, Financial Responsibility, and Human Spaceflight Requirements The FAA is not proposing any substantive changes to the requirements specified below. However, the agency is proposing to consolidate these requirements into the new, proposed part 450; clarify that the consolidated requirements apply to any licensed launch or reentry; and make other minor, clarifying edits. The following is a summary of the proposed changes: 1. Public Safety Responsibility and Compliance With License The FAA would consolidate the public safety responsibility requirements in current §§ 417.7 and 431.71(a) into proposed § 450.201 (Public Safety Responsibility). Also, the FAA would move the compliance requirement in current § 431.71(b) to its own section, proposed § 450.203, Compliance with License. Although the location of these requirements would change, the requirements themselves would not change. Therefore, proposed § 450.201 would provide that a licensee is responsible for ensuring public safety and safety of property during the conduct of a licensed launch or reentry. Proposed § 450.203 (Compliance with License) would require that a licensee conduct a licensed launch or reentry in accordance with representations made VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 in its license application, the requirements of proposed part 450, subparts C and D, and the terms and conditions contained in the license. The proposed requirement for a licensee to conduct a licensed launch or reentry in accordance with representations made in its license application is the same, in substance, to §§ 417.11(a) and 431.71(b). Section 417.11(a) states that a launch operator must conduct a licensed launch and carry out launch safety procedures in accordance with its application. Section 431.71(b) states that a licensee must conduct a licensed RLV mission and perform RLV safety procedures in accordance with representations made in its license application. The fact that representations made in a license application become binding on a licensee is discussed earlier in this preamble. The proposed requirement for a licensee to conduct a licensed launch or reentry in accordance with the requirements of proposed part 450, subparts C and D, is the same, in substance, to § 417.1(b)(2)’s treatment of part 417 requirements. Section 417.1(b)(2) states that the safety requirements of part 417, subparts B through E, apply to all licensed launches of expendable launch vehicles. Part 431 does not have a similar requirement because application requirements and safety requirements are interlinked, leaving uncertain the actual safety requirements under a license. Note that in subpart C, the application requirement paragraphs do not apply once a license is issued, unless a licensee applies for a modification. The proposed requirement for a licensee to conduct a licensed launch or reentry in accordance with the terms and conditions contained in the license is the same, in substance, to §§ 415.9(b) and 431.71(b). Section 415.9(b) states that a launch license authorizes a licensee to conduct a launch or launches subject to the licensee’s compliance with terms and conditions contained in license orders accompanying the license. Section 431.71(b) states that a licensee’s failure to comply with any license condition is sufficient basis for the revocation of a license or other appropriate enforcement action. The FAA includes terms and conditions in a license to address license-specific requirements. Under the proposal, a licensee’s failure to act in accordance with these items would be sufficient basis to revoke a license, or some other appropriate enforcement action. PO 00000 Frm 00082 Fmt 4701 Sfmt 4702 2. Financial Responsibility The FAA would consolidate the current financial responsibility requirements in §§ 417.21 and 431.81 into proposed § 450.205 (Financial Responsibility Requirements). Although the location of the requirements would change, the requirements themselves would not change. As such, the proposed regulation would require a licensee to comply with financial responsible requirements as required by part 440, and as specified in a license or license order. 3. Human Spaceflight The FAA would consolidate the human spaceflight requirements in current §§ 415.8, 431.8, and 435.8 into proposed § 450.207 (Human Spaceflight Requirements). The proposal would require a licensee conducting a launch or reentry with a human being on board the vehicle to comply with human spaceflight requirements as required by part 460 of this chapter and as specified in a license or license order. Although the location of the requirements would change, the requirements themselves would not change. 4. Records The FAA would consolidate the current record requirements in §§ 417.15(a) and (b) and 431.77(a) and (b) into proposed § 450.219(a) and (b). However, the FAA would replace the terms ‘‘launch accident’’ and ‘‘launch incident’’ in § 417.15(b) and the terms ‘‘launch accident,’’ ‘‘reentry accident,’’ ‘‘launch incident,’’ and ‘‘reentry incident’’ in § 431.77(b) with ‘‘class 1 or class 2 mishap.’’ As discussed in more detail earlier in this preamble, the FAA proposes to replace current part 401 definitions involving ‘‘accident,’’ ‘‘incident,’’ and ‘‘mishap’’ with specified mishap classes. The proposed regulation would require an operator to maintain, for 3 years, all records, data, and other material necessary to verify that a launch or reentry is conducted in accordance with representations contained in the operator’s application, the requirements of subparts C and D, and the terms and conditions contained in the license. To satisfy this requirement, the FAA expects an operator to keep a record of the actual conditions at the time of flight and any deviations outside of the flight commit criteria as specified in the current § 417.113(c). Similar to current requirements, in the event of a class 1 or class 2 mishap, an operator would be required to preserve all records related to the event until the completion of any E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules Federal investigation (which could be greater than 3 years) and the FAA has notified the operator that the records need no longer be retained. The operator would need to make all records required to be maintained under the regulations available to Federal officials for inspection and copying. K. Applicability amozie on DSK9F9SC42PROD with PROPOSALS2 1. General Proposed § 450.1 (Applicability) would state that part 450 prescribes requirements for obtaining and maintaining a license to launch, reenter, or both launch and reenter, a launch or reentry vehicle. As discussed previously, proposed part 450 would consolidate licensing requirements currently covered in parts 415, 417, 431, and 435. 2. Grandfathering Under proposed § 450.1(b), proposed part 450 would not apply to any launch or reentry that an operator elects to conduct pursuant to a license issued by the FAA or an application accepted by the FAA prior to the effective date of proposed part 450, with two exceptions. The proposed requirements for collision avoidance analysis (COLA) and asset protection would apply to all operators subject to the FAA’s authority under 51 U.S.C. chapter 509 who are conducting launches after the effective date of the new regulations. The FAA would determine the applicability of proposed part 450 to an application for a license modification submitted after the effective date of the part on a case-bycase basis. The proposed regulations are more performance based, and many of the current requirements would serve as a means of compliance to meet the proposed regulations. As a result, activities authorized under the existing regulations would be authorized under the proposed regulations. The FAA proposes to allow an operator to operate under the current regulations (specifically, parts 401, 415, 417, 431, and 435) when conducting a launch after the effective date of new part 450 provided it holds a license or has had a license application accepted prior to the effective date of this regulation. Pursuant to Space Policy Directive-3 184 (SPD–3), proposed § 450.169 and proposed appendix A to part 450 would align the COLA criteria with current common practice and provide better protection for inhabitable and active orbiting objects. Additionally, § 450.101 184 Space Policy Directive-3, National Space Traffic Management Policy, 83 FR 28969 (June 21, 2018). VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 would require that the probability of loss of functionality for each critical asset must not exceed 1 × 10¥3 to protect national assets. For that reason, the FAA is proposing that all operators would be required to comply with these two provisions on this rule’s effective date. Because many of the current regulations would serve as a means of compliance for the proposed regulations, the FAA would review license modifications that applied the current regulations as means of demonstrating compliance with the proposed regulations. Additionally, an operator could use a means of compliance other than the current regulations to demonstrate compliance in a license modification request. The FAA would determine the applicability of proposed part 450 to an application for a license modification submitted after the effective date of the part on a case-by-case basis. The FAA does not anticipate that a vehicle operator would have any greater difficulty meeting the requirements under the proposed regulations than under the existing regulations. In fact, the FAA believes that the proposed regulations are more flexible because most allow for many different means of compliance. An applicant for a renewal would be required to meet all the requirements of proposed part 450. The FAA anticipates that this would not be burdensome for operators seeking license renewals because there would be few, if any, additional application requirements that could not be fulfilled by reference to previously submitted information. L. Equivalent Level of Safety In addition to developing performance-based requirements, this proposal would preserve the equivalentlevel-of-safety flexibility by relocating the provision to proposed § 450.37. Unlike using a means of compliance, which requires demonstration of compliance with a performance-based regulation, the ELOS provision would continue to allow an applicant to propose an alternative method to meet the safety intent of a current regulatory requirement. For example, § 450.117(d)(3) would require representative normal flight trajectory analysis outputs for each one second of flight. An applicant may wish to request an ELOS determination to the onesecond interval, and the FAA would likely accept it if an alternative interval provides smooth and continuous individual PC contours. To demonstrate equivalent level of safety, an operator would provide a clear and convincing demonstration, PO 00000 Frm 00083 Fmt 4701 Sfmt 4702 15377 through technical rationale, that the proposed alternative approach provided a level of safety equivalent to the requirement it would replace. An ELOS determination means an approximately equal level of safety as determined by qualitative or quantitative means. Under § 450.37(b), an operator would not be able to use an ELOS determination to replace the public risk criteria set forth in § 450.101. In 2018, the FAA issued a final rule that expanded the option to satisfy commercial space transportation requirements by demonstrating an equivalent level of safety in order to provide more choice to operators and reduce the number of waivers that must be prepared by industry and processed by the government.185 To utilize the option, operators are required to demonstrate that they are achieving a level of safety equivalent to any safety parameters specified in the regulations. The FAA evaluates every request for an alternative means of regulatory compliance under the ELOS provisions to ensure that the safety of the public, property, or any national security or foreign policy interest of the United States is maintained to be consistent with the requirements in 14 CFR chapter III. The FAA would preserve the process established in the 2018 rulemaking, and would include its ELOS determination as part of any license issued applying this provision. The FAA requests comment on the potential use of ‘‘safety cases’’ when demonstrating an equivalent level of safety under proposed § 450.37. A safety case is a structured argument, supported by a body of evidence that provides a compelling, comprehensive, and valid case that a system is safe, for a given application in a given environment.186 The ARC report (at p. 25) suggested that FAA review time could be minimize if applicant submittals were ‘‘structured as a reasonable safety case that the proposed actions are safe under all plausible scenarios.’’ In fact, the ARC suggested ‘‘safety cases’’ could be useful options several times. With respect to the proposed regulation, a safety case would potentially show that certain requirements identified by the applicant, excluding the requirements of § 450.101, need not be complied with per se in order to demonstrate that an alternative approach provides an equivalent level of safety to the 185 Updates to Rulemaking and Waiver Procedures and Expansion of the Equivalent Level of Safety Option, Final Rule, 83 FR 28528 (June 20, 2018). 186 This Safety Case definition is from the U.K. Ministry of Defence (MOD) Standard 00–56, ‘‘Safety Management Requirements for Defence Systems.’’ E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15378 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules requirements identified by the applicant. A–P–T Research, Inc., under contract to the FAA, recommended the use of a safety case approach as an alternate path to securing a license.187 The FAA considered proposing a safety case approach to demonstrating an equivalent level of safety under proposed § 450.37 that would include a formal proposal process that must use a means of compliance accepted by the Administrator, unless the Administrator determines otherwise based on predicted public risks and consequences, or demonstrated reliability. The formal proposal process would: (1) Facilitate an FAA audit of all risk management methods proposed for use, including a demonstration of how the proposed methods can demonstrate compliance with § 450.101; (2) implement all the recommended improvements from the audit or justify all deviations from the recommended improvements; (3) document the risk management methods used and the verification evidence to demonstrate compliance with § 450.101; (4) facilitate an audit by an FAA-approved third party of the risk management methods used and the verification evidence to demonstrate compliance with § 450.101; and (5) submit the results of the third party audit for FAA review and approval. An applicant that sought to use this safety case approach would need to submit: (1) A description of their plan to facilitate an FAA audit of all risk management methods proposed for use, including a demonstration of how the proposed methods can demonstrate compliance with § 450.101; (2) a description of the improvements implemented based on the FAA audit and detailed justifications for any deviations from the FAA recommended improvements; (3) a description of the risk management methods used and the verification evidence to demonstrate compliance with § 450.101; (4) an agreement to facilitate an audit by an FAA-approved third party of the risk management methods used and the verification evidence to demonstrate compliance with § 450.101; and (5) a description of the results of the third party audit. The safety case approach recommended by APT included the use of a third party to review. The FAA sees potential complications, including liability considerations, when involving a third party in the licensing process. The FAA seeks comments on the potential usefulness and challenges 187 A–P–T Research, Inc. ‘‘A New Path to Launch Licenses,’’ Doc. No. CDSP–FL004–18–00402 (October 16, 2018). VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 associated with a safety case approach, whether or not a third party would be involved. Additional Technical Justification and Rationale The sections below provide detailed discussions of flight safety analyses and software safety. Additionally, this section discusses the numerous conforming changes the FAA proposes to the existing regulations in order to implement the proposed regulations. A. Flight Safety Analyses As discussed earlier, for purposes of this proposed rule, an FSA consists of a set of quantitative analyses used to determine flight commit criteria, flight abort rules, flight hazard areas, and other mitigation measures, and to verify compliance with the public safety criteria in proposed § 450.101. The FAA proposes 15 sections for flight safety analysis, as discussed below. 1. Scope and Applicability Proposed § 450.113 establishes the portions of flight for which an operator would be required to perform and document an FSA, and would describe the analyses required for each type of operation. The portion of flight governed by the public safety criteria is central to the scope of the FSA. The current scope of FSA regulations is laid out in §§ 417.201 and 417.107(b) for ELVs. Specifically, § 417.107(b)(1) currently requires that FSAs quantify the collective risks from lift-off through orbital insertion for orbital launches and from lift-off to final impact for suborbital launches. Unfortunately, § 417.107(b)(2) does not clearly specify the portion of flight for which an FSA must quantify the individual risks. In practice, the FAA has reconciled this vagueness by requiring the same scope for both collective and individual risks: From lift-off through orbital insertion for orbital launches and from lift-off to final impact for suborbital launches. It is also unclear in current regulations what portions of flight the FSA needs to cover for RLVs. Section 431.35(b)(1) simply states that the collective public risk limit applies to each proposed reentry, but does not speak specifically to beginning and end of the period of flight that an FSA must analyze. Reentry means to return or attempt to return, purposefully, a reentry vehicle from earth orbit or from outer space to Earth.188 Reentry includes activities conducted in Earth orbit or outer space to determine reentry readiness and that are critical to 188 14 PO 00000 CFR 401.5. Frm 00084 Fmt 4701 Sfmt 4702 ensuring public health and safety and the safety of property during reentry flight. The definition also includes activities conducted on the ground after vehicle landing on Earth to ensure the vehicle does not pose a threat to public health and safety or the safety of property. In practice, the FAA has required public risk assessments to begin at the final health check prior to initiation of de-orbit burn and ending when flight stops, such as splashdown for a capsule. Further, for both ELVs and RLVs, the current regulations do not expressly address the potential public safety hazards caused by the disposal of a launch vehicle stage or component from orbit. That is, §§ 417.107(b) and 431.35(b)(1), in addressing the public risk criteria, do not specifically address the disposal of launch vehicle stages or components. As discussed earlier, such vehicle disposals have become more common in recent years, reflecting the elevated priority put on orbital debris mitigation. The FAA explained in the 2016 final rule 189 that when the FAA requires that the quantitative risk analysis account for the planned impact of a first stage (or any stage) jettisoned prior to orbital insertion, it includes accounting for stage impacts regardless of whether the actual impact occurs before or after orbital insertion. For reentry, proposed §§ 450.101(b) and 450.113(a)(4) would clarify and reduce the period FSAs must analyze when quantifying the public risks posed by reentry operations. The proposal would clarify that post-flight operations are not included in the safety analyses necessary to quantify the public risks posed by reentry operations. In § 401.5, the FAA proposes to include a definition for deorbit that clarifies that deorbit begins with the final command to commit the vehicle to a perigee below 70 nautical miles, approximately 130 km, and ends when all vehicle components come to rest on the Earth. Proposed § 450.113 replaces § 417.201 to clarify the scope and applicability of FSAs. In proposed § 450.113(a)(1), an operator would be required to perform and document an FSA for orbital launch, from lift-off through orbital insertion,190 including any component or stage landings. In proposed § 450.113(a)(2), an operator would be 189 Changing the Collective Risk Limits for Launches and Reentries and Clarifying the Risk Limit Used to Establish Hazard Areas for Ships and Aircraft, Final Rule. 81 FR 47017 (July 20, 2016). 190 The FAA proposes orbital insertion to mean the point at which a vehicle achieves a minimum 70-nautical mile perigee based on a computation that accounts for drag. This adopts the definition of orbital insertion in RCC 321–17 Standard. E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules required to perform and document an FSA for suborbital launch, from lift-off through final impact. In proposed § 450.113(a)(3), the FAA clarifies the scope of disposal FSA that would be necessary to demonstrate compliance with the disposal safety criteria in proposed § 450.101(d). Specifically, for disposal, an FSA would span from the beginning of the deorbit burn through final impact. Proposed § 450.113(a)(4) would require an operator to perform and document an FSA for reentry, from the beginning of the deorbit burn through landing. The proposal is consistent with current practice, but would clarify that post-landing activities are not included in the FSA. Proposed § 450.113(a)(5) would explicitly address hybrid vehicles, which include air-launch rockets released from carrier aircraft such as the Pegasus rocket carried by a modified L– 1011 airliner. The proposal would clarify that FSAs generally apply to hybrid vehicles, for all phases of flight unless the Administrator determines otherwise based on demonstrated reliability. Thus, the proposal would enable an operator of a hybrid vehicle with a high level of demonstrated reliability for the entire flight or for a phase of flight, to be exempt from performing some FSAs without seeking a waiver for the flight or phase of flight. Demonstrated reliability refers to statistically valid probability of failure estimates based on the outcomes of all previous flights of the vehicle or stage. For example, if an applicant seeks to operate a hybrid vehicle that features an air-launch rocket released from a carrier aircraft with minimal modification from the original design certified as a commercial transport aircraft, the FAA would find certain FSAs not applicable if empirical data sufficiently showed that the demonstrated reliability and estimated public risks of the system are equivalent to general aviation aircraft during a given phase of flight. Specifically, the FAA foresees that such an applicant could be exempt from some of the normal flight trajectory analysis requirements during the captive carry phases of flight if the applicant could demonstrate compliance with the public safety criteria in proposed § 450.101 without the benefit of some of the normal flight trajectory analysis outputs. Proposed § 450.113(b) would identify the specific FSA actions applicable to all launch and reentry vehicles (in paragraph (b)(1)), a launch or reentry vehicle that relies on an FSS to comply with proposed § 450.101 (in paragraph (b)(2)), and launch of an unguided VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 suborbital launch vehicle (in paragraph (b)(3)). 2. Flight Safety Analysis Methods Proposed § 450.115 (Flight Safety Analysis Methods) would set the methodology requirements for FSAs. This section would replace the prescriptive requirements currently in § 417.203 and appendices A, B, C and I to part 417. Currently, § 417.203(a) requires that FSAs meet the requirements for methods of analysis contained in appendices A (section A417) and B (section B417) to part 417 for a launch vehicle flown with an FSS, and appendices B and C (section C417) for an unguided suborbital launch vehicle that uses a wind-weighting safety system. Specifically, section A417 provides prescriptive requirements on the FSA methodologies and products for a launch vehicle flown with an FSS. Section B417 provides prescriptive requirements on the FSA for hazard area analyses for ship and aircraft protection. Section C417 provides prescriptive requirements on the FSA methodologies and products for a launch vehicle flown with a wind weighting safety system. Section 417.203(b) specifically lists the broad categories of approved methods of analysis while § 417.203(c) addresses requirements for alternate analysis methods. Section 417.203(c) currently requires that an alternate FSA method be based on accurate data and scientific principles, and is statistically valid. In practice, the FAA has evaluated the validity of an applicant’s proposed methods by comparing the results to valid benchmarks such as data from mishaps, test, or validated highfidelity methods. Section 417.203(e) requires that a launch operator demonstrate to the FAA compliance with the requirements of part 417, subpart C. In its application, a launch operator must include the analysis products required by parts 415, subpart F, 417, subpart A, and appendices A, B, C, and I, depending on whether the launch vehicle uses an FSS or a windweighting safety system. Pursuant to § 431.35(c), the FSA for an RLV is required to account for any reasonably foreseeable hazardous event and safety-critical system failures during launch flight or reentry that could result in a casualty to the public. However, part 431 does not include requirements for the methods used to provide an FSA, thus providing no standards for evaluating an FSA’s validity or level of fidelity. The part 431 license applications approved by the FAA included FSA methodologies and products comparable to those in 417 license applications. PO 00000 Frm 00085 Fmt 4701 Sfmt 4702 15379 Proposed § 450.115(a) sets the scope for FSA methods. This section would not materially change the scope of the FSA methods under current parts 417 and 431, which account for the risk to the public from hazards associated with normal and malfunctioning vehicle flight in accordance to § 417.205(a). However, proposed § 450.115(a) would add language currently not expressly provided in § 417.205(a) that would require an operator’s FSA method to account for all reasonably foreseeable events and failure of safety-critical systems. This language is consistent with the current requirement in § 431.35(c) to account for any reasonably foreseeable hazardous event, and safety-critical system failures during launch flight or reentry that could result in a casualty to the public. Proposed § 450.115(b) would establish the level of fidelity for FSAs. Specifically, it would require a level of fidelity sufficient to demonstrate that any risk to the public would satisfy the public risk criteria of proposed § 450.101, including the use of mitigations, accounting for all known sources of uncertainty, using a means of compliance accepted by the Administrator. It would also require that the analysis identify the dominant source of each type of public risk with a criterion in proposed § 450.101(a) or (b) in terms of phase of flight, source of hazard (such as toxic exposure, inert, or explosive debris), and vehicle response mode. Thus, this proposed rule would provide performance targets instead of the current part 417 approach that mandates a single level of fidelity equivalent to methods that comply with the extensive requirements given in the appendices of part 417. The requirements in proposed § 450.115(b) would account for all known sources of uncertainty and identify the dominant sources of risk. The proposal would be consistent with the best practices of other regulatory agencies that use quantitative risk analyses as part of a risk management approach to ensure public safety. The Nuclear Regulatory Commission (NRC), which has a long history of performance-based regulations with quantitative risk analyses to ensure public safety, has a long-standing policy to ensure that the quantitative techniques used for regulatory decisionmaking take into account the potential uncertainties that exist so that an estimate can be made on the confidence level to be ascribed to the quantitative E:\FR\FM\15APP2.SGM 15APP2 15380 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 results.191 The NRC has also found that, through use of quantitative techniques, important uncertainties have been, and continue to be, brought into better focus and may even be reduced as compared to those that would remain with sole reliance on deterministic decisionmaking. The NRC found that direct lack of severe accident experience makes it necessary that proper attention be given not only to the range of uncertainty surrounding probabilistic estimates, but also to the phenomenology that most influences the uncertainties. In other words, the NRC found the need to identify the dominant sources of public risks and their uncertainties when using quantitative risk analyses to ensure public safety.192 The FAA would require that operators use a means of compliance accepted by the Administrator for FSA methods. The FAA plans to publish a draft version of that AC concurrently with this NPRM. An important aspect of that AC is the use of approaches generally consistent with the consensus U.S. Government standards on launch and reentry risk assessments (e.g., RCC 321). The RCC 321 Standard (paragraph 2.4) recognizes that there is significant uncertainty in the computed risks of rocket launches and notes that confidence bounds of 90 percent describing the uncertainty in the computed risk can span multiple orders of magnitude. Thus, the consensus U.S. Government standards on launch and reentry risk assessments contains a policy statement that uncertainty cannot be ignored. The RCC 321 Supplement further concurred with several statements originally made by the NRC, including the following three: (1) The use of mean estimates does not, however, resolve the need to quantify (to the extent reasonable) and understand those important uncertainties involved in risk predictions; (2) sensitivity studies should be performed to determine those uncertainties most important to the probabilistic estimates; and (3) the results of sensitivity studies should be displayed showing, for example, the range of variation together with the underlying science or engineering assumptions that dominate this variation. Even so, the RCC went on to conclude that a formal uncertainty 191 Nuclear Regulatory Commission, Nuclear Regulatory Safety Policy Goals. 51 FR 28044 (August 21, 1986). 192 The Department of the Interior (DOI), Bureau of Reclamation, uses risk criteria for achieving public protection in dam safety decision-making in a manner consistent with this proposed rule. Specifically, the DOI uses mean values calculated from Monte Carlo or similar analyses that include explicit treatment of input uncertainty. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 analysis may not be necessary under conditions where the best mean estimate of the public risk is low relative to the collective risk criterion. For this rulemaking, the FAA considered adopting an approach to the treatment of uncertainty following RCC 321 Standard and Supplement. The FAA requests comment on whether this treatment of uncertainty is reasonable. Specifically, the FAA solicits input on the process whereby the uncertainty does not have to be considered if the computed risk is less than one-third of the primary aggregated collective risk criterion.193 Current Air Force practice is to include implementation of measures to improve risk analyses to reduce the level of uncertainty when the predicted risks exceed 3 × 10¥5 EC. Examples of that could include refined input data or a higher-fidelity method for the risk computations. Similarly, if the estimated risk level exceeds 3 × 10¥5 EC, the RCC 321 Standard states that the range should compute the uncertainty to ensure that a launch is not allowed that would violate the criterion based on best estimates that account for uncertainty. There are published examples of uncertainty analyses for launch risks that explicitly account for uncertainties associated with the input data (e.g., the probability of failure associated with a given break-up state vector), and biases and uncertainties in key sub-models (e.g., the sub-model used to compute the PC given an impact with a given piece of debris on a specific structure type). However, the end effect of the RCC 321 Standard approach to uncertainty treatment is that a range or range user could continue operating under current practice, using their current tools without formal uncertainty quantification for missions with a collective risk no greater than 3 × 10¥5 EC. Under the RCC approach, only missions that pose collective risks above 3 × 10¥5 EC based on point estimates would be required to perform formal uncertainty quantification. The FAA requests comment on whether the current approaches to uncertainty treatment employed by the RCC or the Air Force are viable in the FAA’s regulatory framework. The FAA further requests comments on any currently 193 The choice of one-third was consistent with the recommendation in AFSPCMAN 91–710 Vol.1, 1 July 2004. Attachment 5 states that if risk to all individuals from a single hazard exceeds an EC of 30 × 10¥6, a range user may have to take additional measures to protect personnel and resources. Examples include to fix, correct, or improve existing non-compliances, improve risk analyses to reduce the level of uncertainty, require a day-oflaunch risk analysis, or establish disaster aversion criteria. PO 00000 Frm 00086 Fmt 4701 Sfmt 4702 available approaches to address uncertainties in public risk assessments, including the approach identified in the draft means of compliance on uncertainty and level of fidelity in FSA methods. Proposed § 450.115(b) would require that an operator account for all known sources of uncertainty in various FSAs. The FAA intends to ensure that FSA methods account for known sources of aleatory (random) uncertainties that are the result of inherently random processes. An example of aleatory uncertainty is the influence of prevailing weather conditions on the results of collective and individual risk analyses for launch or reentry. The true EC is often highly influenced by the prevailing weather conditions during the proposed operation. The uncertainty in the true EC due to weather conditions is substantial for a typical baseline risk analysis that accounts for the foreseeable weather conditions in a given month based upon historical data and assumes that an operation is equally feasible under any of those likely weather conditions given all the safety and mission assurance constraints. For example, most vehicles would not attempt to fly through certain wind conditions due to the potential for the vehicle to break up or veer off-course, leading to a violation of safety or mission assurance constraints. The uncertainty in the true EC for a day-oflaunch risk analysis is much smaller, but the uncertainty in any forecast or measured weather input data will still produce some uncertainty in the EC due to measurement errors and variability in the weather measurements and forecasts. There are several other potentially important sources of aleatory uncertainty in an EC analysis, and there are various valid approaches to account for these aleatory uncertainties. This proposed rule would require that aleatory uncertainties are accounted for, including known sources of randomness in critical input data. These would include normal and malfunction trajectories, weather conditions, population and sheltering characteristics (e.g., between day and night), velocities induced during breakup, aerodynamic properties of the vehicle and debris, any yield from an explosive impact, and the amount of debris that burns up due to aero-thermal heating during re-entry. Proposed § 450.115(c) would establish application requirements for methods of analysis. Specifically, the proposed rule would require that an applicant submit a description of the FSA methodology for each launch or reentry approved by the FAA, including identification of the E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 scientific principles and statistical methods used, and all assumptions and their justifications. However, if the FAA determines that the range’s FSA methods meets FAA safety requirements, then the operator would not be required to provide the FAA with a description of the FSA methodology. Also, an applicant would be required to include the rationale for the level of fidelity, the evidence for validation and verification required by proposed § 450.101(g), the extent that the benchmark conditions are comparable to the foreseeable conditions of the intended operations, and the extent the analyses accounted for risk mitigations. The FAA intends for assumptions to be justified using logic, historical flight experience data, relevant test data, and the results from physics-based simulations. 3. Trajectory Analysis for Normal Flight The FAA proposes a single regulation governing an FSA for normal trajectories, applicable to all launch and reentry vehicles, in proposed § 450.117 (Trajectory Analysis for Normal Flight). The provision would distinguish between variability in the intended trajectory and uncertainties due to random sources of dispersion such as winds and vehicle performance. It would also clarify application requirements. All the FSAs depend on some form of analysis of the trajectory under normal conditions, otherwise known as a normal trajectory. That is, one must first understand a vehicle’s trajectory when it performs as intended and under normal conditions before one can determine the effects of malfunctions along its flight path. Current regulations for normal trajectory analyses are found in §§ 417.207 and 431.35(d) and appendix A to part 417. Section 417.207 sets the current trajectory analysis requirements for ELVs. Section 417.207(a)(1) requires an analysis that establishes the limits of a launch vehicle’s normal flight, as defined by the normal trajectory and potential three-sigma trajectory dispersions about the normal trajectory for any time after lift-off. Although this requirement is generally clear, the uncertainties the analysis must consider could be clearer. For example, the current requirement does not distinguish between inherently random uncertainties that could cause the actual trajectory to differ from the nominal trajectory, and variability in the known conditions immediately prior to the initiation of the operation (e.g., weather conditions at the time of the launch or the time into a launch window that the VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 launch occurs for a rendezvous mission). In terms of current RLV regulations in part 431, they describe flight trajectory analyses requirements in a single paragraph in § 431.35(d)(8). Specifically, the FAA requires that applicants provide flight trajectory analyses covering launch or ascent of the vehicle through orbital insertion and reentry or descent of the vehicle through landing, including its three-sigma dispersion. This regulation is silent as to the specific uncertainties for which the analysis must account. In practice, part 431 license applicants have provided normal trajectory data consistent with the part 417 regulations. Proposed § 450.117 would retain the substantive normal trajectory analysis requirements currently in § 417.207 and the definitions of key terms such as ‘‘normal flight’’ and ‘‘normal trajectory.’’ Proposed § 450.117(a)(1) would require a trajectory analysis that establishes the limits of a vehicles normal flight. The proposal would retain the requirement in § 417.207(a)(1) to establish a nominal trajectory where the vehicle performs as designed without any deviation due to winds, propulsion performance, or mass properties but would add clarity about the sources of uncertainty that a trajectory analysis must account for by distinguishing between variability and random uncertainty. Specifically, the proposal would expressly require a trajectory analysis to establish two separate sets of trajectories to characterize distinct sources of uncertainty, including variability and random uncertainty. One set of normal trajectories in § 450.117(a)(1)(ii) would characterize the uncertainty during normal flight due to random deviations from ideal conditions, such as wind conditions, vehicle mass, and performance characteristics. Another set of normal trajectories in § 450.117(a)(1)(i) would characterize how the intended trajectory could vary due to conditions known prior to initiation of flight. An example of variability is how the intended trajectory would change due to different times for lift-off within a launch window that lasts several minutes for a mission with an orbital rendezvous as the primary objective. Another example of variability is how the intended trajectory would change due to wind conditions. In such cases, the nominal trajectory represents the most likely liftoff time. An FSA must distinguish between variability and random uncertainty in the normal trajectory in order to demonstrate that the criteria in proposed § 450.101 would be satisfied at PO 00000 Frm 00087 Fmt 4701 Sfmt 4702 15381 any time the operator intends to initiate launch or re-entry flight. Section 450.117(a)(2) would require a fuel exhaustion trajectory that produces instantaneous impact points with the greatest range for any given time after liftoff for any stage that has the potential to impact the Earth and does not burn to propellant depletion before a programmed thrust termination. This is the same as current § 417.207(a)(2). The FAA is unaware of any challenges with the current regulation regarding a fuel exhaustion trajectory. For vehicles with an FSS, proposed § 450.117(a)(3) would establish a new requirement for trajectory data or parameters that describe the limits of a useful mission. The FAA proposes in § 401.5 to define the ‘‘limits of a useful mission’’ as the trajectory data or other parameters that describes the limits of a mission that can attain the primary objective, including but not limited to flight azimuth limits. Thus, the proposal would require an operator to establish the limits of a useful mission based on the values of trajectory parameters necessary to attain the primary mission objective, including flight azimuth limits. Note that the azimuth limit data is currently required by the Air Force in Air Force Space Command Manual (AFSPCMAN) 91–710 Vol. 2. The limits of a useful mission are essential input data for the flight safety limits analysis, and for an evaluation of whether a vehicle should be allowed to pass through a gate, as discussed later in this preamble. Proposed § 450.117(b) would require a final trajectory analysis to use a sixdegree of freedom trajectory model, and proposed § 450.117(c) would require a trajectory analysis to account for all wind effects, including profiles of winds that are no less severe than the worst wind conditions under which flight might be attempted, and for uncertainty in the wind conditions. These are similar to § 417.207(b) and (c), respectively. Proposed § 450.117(d) would provide application requirements for trajectory analyses that address the proposed methodology, input data, and output data. In paragraph (d)(1), an applicant would be required to describe the methodology used to characterize normal flight and the limits of a useful mission, including the scientific principles and statistical methods used, all assumptions and their justifications, the rationale for the level of fidelity of the methods, and the evidence for validation and verification that would be required by proposed § 450.101(g). In paragraph (d)(2), the FAA proposes to require that the applicant describe the E:\FR\FM\15APP2.SGM 15APP2 15382 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 input data used in normal trajectory analyses and provides a list of the minimum input data an applicant must describe. In paragraph (d)(3), the FAA proposes to require that an applicant describe a representative normal trajectory analysis outputs (e.g., position, velocity, and vacuum instantaneous impact point) for each second of flight for (1) the nominal trajectory, (2) a fuel exhaustion trajectory under otherwise nominal conditions, (3) a set of trajectories that characterize variability in the intended trajectory based on conditions known prior to initiation of flight, (4) a set of trajectories that characterize how the actual trajectory could differ from the intended trajectory due to random uncertainties, and (5) a set of trajectories that characterize the limits of a useful mission as described in proposed § 450.117(a). The proposed application requirements provide regulatory clarity regarding the normal trajectory characterization necessary to ensure compliance with proposed § 450.101. Note that in this proposed section, and other proposed flight safety analysis application requirements, the FAA requires representative data. This allows the FAA to evaluate an applicant’s methodologies. Representative data should be the best, meaning the most realistic, data available given the intended flight parameters. The applicant would also be required to submit additional products that allow the FAA to conduct an independent analysis, if requested by the Administrator. This same application requirement would also be in proposed §§ 450.119 through 450.141. At times, the FAA conducts independent flight safety analyses which usually require additional information than is normally required of an applicant. Instead of attempting to list out what is needed for every independent analysis, which is usually case-specific, the FAA proposes to simply state that more information may be necessary. The FAA’s conduct of an independent analysis is usually reserved for new vehicle concepts, new analysis methods, or proposals that involve unique public safety issues. 4. Trajectory Analysis for Malfunction Flight Proposed § 450.119 (Trajectory Analysis for Malfunction Flight) would consolidate trajectory analysis requirements for all launch and reentry vehicles. In consolidating, the FAA would also update its requirements to reflect advancements in trajectory analysis capabilities and clarify application requirements. A malfunction trajectory analysis is VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 necessary to determine how far a vehicle can deviate from its normal flight path in case of a malfunction. This analysis helps determine impact points in case of a malfunction and is therefore a vital input for the analyses needed to demonstrate compliance with risk criteria. The FAA’s current regulations covering trajectory analyses in case of malfunction are in § 417.209 (Malfunction turn analysis), appendix A to part 417, and § 431.35(d)(8). Current § 417.209 sets forth the trajectory analysis requirements in case of a malfunction applicable to ELVs. Section 417.209(a)(1) requires a trajectory analysis to establish the launch vehicle’s turning capability in the event of a malfunction during flight using a set of turn curves. Appendix A to part 417 (section A417.9) also provides more detailed and prescriptive requirements for analyzing ‘‘turn curves.’’ Turn curve data offered a reasonable way to simulate failures that produce trajectory departures, particularly in response to thrust offsets when computational limitations made it impractical to perform six degrees of freedom (6–DOF) simulations of malfunction trajectories. In the past, turn curves produced a reasonable way to model the classic cornus spiral behavior associated with a constant thrust offset or nozzle burnthrough. Thus, § 417.209(b) requires a set of turn curves to establish the launch vehicle velocity vector turn angle from the nominal launch vehicle velocity vector, and to establish the vehicle velocity turn magnitude from the nominal velocity magnitude. There are two fundamental types of malfunction turn curves: (1) One that shows how the magnitude velocity changes during the turn; and (2) the other for the direction of the velocity. Given advancements in computational capabilities, the use of turn curves as mandated by the current regulations constitutes an outdated and unnecessarily simplified analysis technique. For instance, through current computational capabilities, particularly the prevalence of 6–DOF trajectory models, it is generally more efficient and more accurate for an applicant to provide sets of Monte Carlo trajectories that characterize a given type of malfunction, even for the thrust vector offsets and nozzle burn-through, than to provide turn curve data. The current RLV regulations in part 431 do not explicitly address malfunction trajectory analyses. Section 431.35(d)(8) describes flight trajectory analysis requirements in a single paragraph. It requires that applicants provide flight trajectory analyses covering launch or ascent of the vehicle PO 00000 Frm 00088 Fmt 4701 Sfmt 4702 through orbital insertion and reentry or descent of the vehicle through landing, including its three-sigma dispersion. In practice, part 431 license applicants have provided malfunction trajectory analyses consistent with the part 417 regulations. However, the lack of clarity regarding the malfunction trajectory analysis requirements and ensuing discussions between the FAA and operators has resulted in inefficiencies and delays in the licensing process. Proposed § 450.119 would consolidate all trajectory analysis requirements for a malfunctioning flight which would be applicable to any launch or reentry vehicle. Based on the noted advancements in computational capabilities that have rendered the current use of turn curves outdated and over simplistic, the FAA proposes to remove the § 417.209(b) requirements related to turn curves in favor of more modern Monte Carlo methods. Proposed § 450.119(b) would provide performance-based requirements regarding what a malfunction trajectory analysis must account for, including applicable times in flight and valid trajectory time intervals. Specifically, the proposal would require the analysis to account for (1) all trajectory times during the thrusting phases or when the lift vector is controlled during flight, (2) the duration starting when a malfunction begins to cause each flight deviation throughout the thrusting phases of flight, and (3) trajectory time intervals between malfunction turn start times that are sufficient to establish flight safety limits, if any, and individual risk contours that are smooth and continuous. The proposal would retain in § 450.119(b)(4) the performance-based requirement currently in § 417.209(a)(3) to establish the relative probability of occurrence of each malfunction turn of which the vehicle is capable. In proposed § 450.119(b)(5), the analysis would also have to account for the probability distribution of position and velocity of the vehicle when each malfunction will terminate due to vehicle breakup, along with the cause of termination and the state of the vehicle.194 Finally, in proposed § 450.119(b)(6), the analysis would establish the vehicle’s flight behavior from the time when a malfunction begins to cause a flight deviation until ground impact or predicted structural failure, with trajectory time intervals that are 194 The proposed § 450.119(b)(5) requirement would be equivalent to the § 417.209(a)(4) through (9) requirements. Under § 417.209, the FAA prescribed the use of ‘‘turn curves’’ that were a particular way to compute the position and velocity at the end of a malfunction trajectory. E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 sufficient to establish individual risk contours that are smooth and continuous. Finally, proposed § 450.119(c) would provide application requirements for malfunction trajectory analyses that address the proposed methodology, input data, and output data. An applicant would be required to describe the methodology used to characterize malfunction flight including the same elements required for the normal trajectory analyses. The FAA proposes to require that an applicant describe the input data used in malfunction trajectory analyses and provides a list of the minimum data an applicant must describe. The FAA also proposes to require that an applicant describe representative malfunction trajectory analysis outputs (e.g., position, velocity, and vacuum instantaneous impact point) for each second of flight and for the probability of each trajectory that characterizes a type of malfunction flight. Finally, the FAA may also request additional products to conduct an independent analysis. These proposed application requirements are consistent or less burdensome than current requirements. 5. Debris Analysis Proposed § 450.121 (Debris Analysis) would set the requirements for debris analysis by revising current requirements in § 417.211 (Debris analysis), accounting for part 431 practices not fully expressed in the regulatory language, consolidating requirements from § 417.107 (Flight Safety), and removing overly prescriptive and burdensome requirements from Appendix A to part 417. Under § 417.211(a), a debris analysis must identify the inert, explosive, and other hazardous vehicle debris that results from normal and malfunctioning flight. Section 417.211(b) specifies that a debris analysis must account for various causes of a launch vehicle breakup. This analysis includes debris from any flight termination system activation, launch vehicle explosion, aerodynamic loads, inertial loads, atmospheric reentry heating, and impact of an intact vehicle. Section 417.211(c) asks for a list of debris fragments for each cause of breakup and any planned jettison of debris, launch vehicle components, or payload. Also, § 417.107(c) contains debris threshold requirements for debris analysis and appendix A to part 417 (section A417.11) provides detailed direction on the debris analysis constraints, debris models, and other debris analysis products. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 Although part 431 does not expressly ask for a debris analysis, the FAA has deemed § 431.35(b) to require one, applying the same standards as those in part 417. However, this lack of regulatory specificity in part 431 has led to longer pre-application consultation periods as the FAA and operators worked to ascertain the applicable requirements. Proposed § 450.121 would provide performance-based regulations regarding the level of fidelity required for key elements of a valid debris analysis. Proposed § 450.121(a) would include a debris analysis that characterizes the debris generated for each foreseeable vehicle response mode as a function of vehicle flight time, accounting for the effects of fuel burn and any configuration changes. The FAA proposes to add the references to fuel burn and configuration changes that are absent from current part 417 because an operator’s debris list will change over time with variations to the amount of available propellant and with the jettisoning of hardware. Proposed § 450.121(b) would require that the debris analysis account for each foreseeable cause of vehicle breakup, including any breakup caused by an FSS activation or by impact of an intact vehicle. This proposal would include debris from a vehicle’s jettisoned components and payloads because such debris could cause a casualty due to impact with an aircraft or waterborne vessel or could pose a toxic or fire hazard. This proposal is consistent with the ARC recommendation to develop a process for a debris catalogue. Foreseeable causes of vehicle breakup would include engine or motor explosion, or exceeding structural limits due to aerodynamic loads, inertial loads, or aerothermal heating. Proposed § 450.121(c) is substantively the same as § 417.107(c). The section contains the debris thresholds requirements. It would adopt the references to inert, explosive, and other hazardous vehicle debris currently in § 417.211(a). The inert debris requirement would include all debris that could impact a human being with a mean expected kinetic energy at impact greater than or equal to 11 ft-lbs, or mean impact kinetic energy per unit area of 34 ft-lb/in2. The required thresholds are well-established standards used by Federal launch ranges. In general, the 11 ft-lb requirement is the primary threshold for debris, whereas the 34 ft-lb/in2 is for penetrating injuries. This paragraph also would clarify the need to consider the effects of all inert debris on aircraft or PO 00000 Frm 00089 Fmt 4701 Sfmt 4702 15383 waterborne vessels, or those that pose a toxic or fire hazard. The debris analysis would also be required to identify any explosive debris. Proposed § 450.121(d) would provide the debris analysis application requirements. This paragraph would inherit, in a less detailed and prescriptive manner, the requirements in appendix A to part 417, section A417.11. It would expressly identify the information and data needed by the FAA to evaluate compliance with the regulatory requirements. Proposed § 450.121(d) would describe the level of fidelity required for the products of a debris analysis including (1) a description of the debris analysis methodology, including input data, assumptions, and justifications for the assumptions; (2) a description of all vehicle breakup modes and the development of debris lists; and (3) all debris fragment lists necessary to quantitatively describe the physical, aerodynamic, and harmful characteristics of each debris fragment or fragment class. Finally, as discussed earlier, the applicant would be required to provide additional products as requested by the FAA to conduct an independent analysis to ensure that public safety criteria are satisfied. 6. Flight Safety Limits Analysis Proposed § 450.123 would set the requirements to identify uncontrolled areas and establish flight safety limits that define when an operator must initiate flight abort to (1) ensure compliance with the public safety criteria of proposed § 450.101 and (2) prevent debris capable of causing a casualty from impacting in uncontrolled areas if the vehicle is outside the limits of a useful mission. Current § 417.213(a) requires that a flight safety limits analysis identify the location of populated or other protected areas and establish flight safety limits to define when an FSS must terminate a launch vehicle’s flight to prevent hazardous impacts from reaching any protected area and ensure that the public risk criteria of § 417.107(b) are satisfied. Section 417.3 currently defines a flight safety limit as criteria to ensure a set of impact limit lines established for the flight of a launch vehicle flown with an FSS bound the area where debris with a ballistic coefficient of 3 psf or more is allowed to impact when an FSS functions. Thus, § 417.213(a) and the definition of flight safety limit require that any populated area be protected by flight safety limits from where the FSS must be activated. This requirement is not consistent with operations on Federal launch ranges E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15384 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules that allow potential debris impact in populated areas inside the impact limit lines, as long as the individual and collective public risks remain within acceptable limits. The requirements in § 417.213(b) are specific about potential contributors to the vehicle and debris dispersions for which the flight safety limits analysis must account including time delays, all wind effects, velocity imparted to vehicle fragments by breakup, all lift and drag forces on the malfunctioning vehicle and falling debris, all launch vehicle guidance and performance errors, all launch vehicle malfunction turn capabilities, and any uncertainty due to map errors and launch vehicle tracking errors. Section 417.213(d) requires that the analysis establish designated impact limit lines to bound the area where debris with a ballistic coefficient of 3 psf is allowed to impact, assuming the FSS functions properly. In contrast, part 431 does not contain any express requirements for a flight safety limits analysis to set flight safety limits. That being said, part 431 license applicants have performed a flight safety limits analysis mirroring part 417 requirements in cases where an FSS was employed to satisfy the public risk criteria in § 431.35(b). The FAA proposes to move the definition of ‘‘flight safety limit’’ from current § 417.3 to § 401.5 and update the definition to mean criteria to ensure that public safety is protected from the flight of a vehicle when an FSS functions properly. Thus, the proposal would remove any ballistic coefficient threshold from the definition of a flight safety limit. As previously discussed, the Air Force has permanently waived its previous requirement that embedded a specific ballistic coefficient threshold into the flight safety limits, and the FAA has also waived the corresponding requirement in § 417.213(d).195 When the FAA adopted the 3 psf ballistics coefficient standard (in 2006), the FAA recognized that ballistic coefficient is not well correlated with the probability of a casualty producing impact.196 Simply put, ballistic coefficient is an imperfect surrogate that was adopted based on past practice when computers were less capable than today. In § 401.5, the proposal would also replace the term ‘‘protected area’’ with ‘‘uncontrolled area,’’ defined as an area of land not controlled by a launch or reentry operator, a launch or reentry site operator, an adjacent site operator, or 195 81 FR 1470 (January 12, 2016). and Safety Requirements for Launch, NPRM. 67 FR 49464 (October 28, 2002). 196 Licensing VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 other entity by agreement. This change reflects the fact that all members of the public, even those in areas of land controlled by a launch operator, are protected to the extent that collective and individual public risk limits apply everywhere. Specifically, proposed § 450.123(a) would require protection of uncontrolled areas by flight safety limits and ensure compliance with the public safety criteria of proposed § 450.101, while controlled areas would be required to meet only the collective and individual risk requirements (also in accordance with proposed § 450.101). The FAA intends to assess the need for flight safety limits to protect environmentally-sensitive areas in the environmental review process of proposed § 450.47. The FAA anticipates that not all environmentally-sensitive areas will need this protection. For example, current practice for launches from the Western Range protects a National Marine Sanctuary in the Pacific Ocean against planned impacts of jettisoned items, but not against debris from a flight abort. Proposed § 450.123(a) would require an FSA to identify the location of uncontrolled areas and establish flight safety limits that would define when an operator must initiate flight abort to prevent debris capable of causing a casualty from impacting in uncontrolled areas if the vehicle is outside the limits of a useful mission, and to ensure compliance with the public safety criteria of proposed § 450.101. Given flight safety limits are only required to protect people in uncontrolled areas and not people in controlled areas, the proposal would reconcile the current inconsistency between the part 417 requirements versus the current practice at some Federal launch ranges that allows the public’s exposure to debris hazards as long as the collective and individual risk criteria are met. Proposed § 450.123(b) would require a flight safety limits analysis to identify flight safety limits for use in establishing flight abort rules. The flight safety limits would be required to account for temporal and geometric extents on the Earth’s surface of any vehicle hazards resulting from any planned or unplanned event for all times during flight, and account for potential contributions to the debris impact dispersions. This is the same as § 417.213(b). Proposed § 450.123(b)(3) would add a requirement to design flight safety limits to avoid flight abort under conditions that result in increased collective risk to people in uncontrolled areas, compared to continued flight. The proposed requirement is equivalent to the U.S. PO 00000 Frm 00090 Fmt 4701 Sfmt 4702 Government consensus standard that a conditional risk management process should be implemented to ensure that mission rules do not induce unacceptable consequences when they are implemented.197 In the flight safety context, a flight abort is a good example of a safety intervention intended to mitigate public risks, but that typically induces a conditional risk (e.g., a consequence associated with the debris event triggered by the flight abort). A flight safety limits analysis would ideally minimize all foreseeable consequences, not just those to people on the ground or to the extent necessary to meet the public safety criteria. For example, placing flight safety limits in areas where flight abort might place debris on a busy shipping lane or air corridor is not an ideal solution when other locations for the limits could meet the public safety criteria and consequence criteria, and still provide space for the vehicle to fly a useful mission. Also, as a malfunctioning vehicle’s debris footprint migrates towards a populated area, the consequence to people on the ground from a flight abort will increase from a low number and possibly reach the proposed consequence limit. The ideal location for a flight safety limit on such trajectory is not at the last location where an abort would still result in meeting the consequence criteria, which would presumably result in a consequence close to the limit, but at a location that minimizes the consequence. This proposed approach could result in flight safety limits that provide debris containment, or nearly so, while also allowing normal flight and flight within the limits of a useful mission without triggering an abort. In summary, the design of the flight safety limits and the associated flight safety rules would be required to avoid an increase in risk induced by a flight abort, compared to inaction or action at a different time. This is relevant to areas where debris containment is not possible, as discussed in greater length in the next section on proposed § 450.125. Proposed § 450.123(c) would require the flight safety analysis to include a gate analysis for an orbital launch, or any launch or reentry where one or more trajectories that represents a useful mission intersects a flight safety limit that provides containment of debris capable of causing a casualty. This is also discussed in more detail in the next section on gate analysis. Proposed § 450.123(d) would provide flexibility to allow the computation of 197 RCC E:\FR\FM\15APP2.SGM 321–10 at p. 2–7. 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules flight safety limits in real-time in lieu of computing flight safety limits preflight. This alternative would reduce the number of assumptions used in the flight safety limits analysis and allow for a computation that uses the best available data on the vehicle state. The proposal would allow the computation of flight safety limits in real-time to be performed on the ground or onboard the vehicle. The FAA proposes to remove the requirement for a straight-up time analysis currently in § 417.215. A straight-up time analysis establishes when to terminate the flight of a vehicle that fails to pitch over, and thus flies straight up, to achieve debris containment. The straight-up time is not the only method of limiting the risks and consequences to the launch area in the case of a vehicle that flies a straightup trajectory. Although the express provision is being removed in the proposed rule, the new performancebased analysis permitted under § 450.213 would allow the straight-up time approach to control the hazards from a straight-up flight, but its use would not be required. Proposed § 450.123(e) lays out the application requirements for flight safety limits analyses. The FAA would require an applicant to submit: (1) A description of how each flight safety limit will be computed; (2) representative flight safety limits and associated parameters; (3) an indication of which flight abort rule from proposed § 450.165(c) is used in conjunction with each example flight safety limit; (4) a graphic depiction or series of depictions of representative flight safety limits, the launch or landing point, all uncontrolled area boundaries, and vacuum instantaneous impact point traces for the nominal trajectory, extents of normal flight, and limits of a useful mission trajectories; (5) if the requirement for flight abort is computed in real-time in lieu of precomputing flight safety limits, a description of how the real-time flight abort requirement is computed including references to public safety criteria of § 450.101; and (6) additional products requested by the FAA for an independent analysis when necessary to demonstrate compliance with risk criteria. The proposed application requirements are consistent with current practice under parts 417 and 431. 7. Gate Analysis The FAA proposes § 450.125 to make regulations governing gate analyses more performance-based, flexible, and clear. This change would include revising the definition of ‘‘gate’’ and, as VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 discussed earlier, adding a definition of the ‘‘limits of a useful mission.’’ The proposal would also add an option to relax flight safety criteria without using a gate. Current § 417.3 defines a ‘‘gate’’ as the portion of a flight safety limit boundary through which the tracking icon of a launch vehicle flown with an FSS may pass without flight termination. As discussed earlier, a gate is an opening in a flight safety limit through which a vehicle may fly, provided the vehicle meets certain pre-defined conditions such that the vehicle performance indicates an ability to continue safe flight. If the vehicle fails to meet the required conditions to pass a gate, then flight abort would occur at the flight safety limit. In other words, the gate would be closed. The FAA has requirements for an overflight gate analysis in § 417.217 and appendix A, section A417.17, and for a hold-and-resume gate analysis in § 417.218. An overflight gate analysis determines whether a vehicle can overfly populated areas. This analysis requires a launch operator determine why it is safe to allow flight through a flight safety limit—the limit that protects populated or protected areas— without terminating a flight. This analysis accounts for the fact that it is potentially more dangerous to populated or protected areas to destroy a malfunctioning vehicle during certain portions of a launch than not to destroy it. In some circumstances, a destroyed vehicle may disperse debris over a wider area affecting more people than if the vehicle were to impact intact. The primary purpose of flight safety limits and gates is to establish safe locations and conditions to abort the flight prior to the vehicle entering a region or condition where it may endanger populated or other protected areas if flight were to continue. From an operator’s perspective, a gate should allow the vehicle to fly through a flight safety limit when the trajectory corresponds to a useful mission.198 Otherwise, a flight abort would be required for every flight that intersects with a flight safety limit even if the mission can still have a successful outcome. The optimal use of flight safety limits and gates would be to prevent vehicles that cannot achieve a useful mission from continuing flight, 198 As discussed earlier in this preamble, the FAA proposes in § 401.5 to define the ‘‘limits of a useful mission’’ as the trajectory data or other parameters that describes the limits of a mission that can attain the primary objective, including but not limited to flight azimuth limits. PO 00000 Frm 00091 Fmt 4701 Sfmt 4702 15385 even when the flight is along a trajectory that crosses a gate. The current gate regulations imply that gates are the only option when debris containment is not possible along a trajectory that represents a useful mission, whether it is normal or outside of the normal trajectory envelope. This requirement does not reflect current practice at the Federal launch ranges. Federal launch ranges sometimes relax flight safety limits to allow continued flight for these trajectories without the use of a gate, as long as the operations satisfies the collective risk criterion. Also, some Federal launch ranges do not currently require explicit identification of the conditional risk posed by a vehicle that flies on a trajectory within the normal trajectory envelope or the limits of a useful mission. The preflight risk due to such a trajectory is often small because the vehicle is not likely to deviate far from nominal. However, a gate or relaxed flight safety limit to allow flight on such a trajectory implies that the risk must be acceptable given that the vehicle does fly on such a trajectory. Such a failure to identify the conditional risk associated with such a trajectory as part of the gate analysis is inconsistent with the U.S. Government consensus standard (RCC 321–17 paragraph 2.3.6) that a conditional risk management process should be implemented to ensure that mission rules do not induce unacceptable levels of risk when they are implemented. Although part 431 has no requirements related to gate analysis, the one orbital RLV operation licensed to date employed an FSS and performed a gate analysis. The FAA’s proposed § 450.125 would establish a single set of performancebased gate analysis requirements applicable to all launch and reentry vehicles. The gate analysis requirements in §§ 417.217 and 417.218 would be combined. Proposed § 450.125 would remove prescriptive requirements on the types of gates, standardize the requirements for establishing a gate, and open the possibility of relaxing flight safety limits. The FAA believes an operator should have the freedom to select risk mitigation methods that will present the best safety posture rather than prescribing certain strategies that may not be the best for all scenarios and vehicles. The FAA also proposes to revise the existing definition of ‘‘gate’’ in § 401.5 to replace the term ‘‘flight termination’’ with ‘‘flight abort’’ and to add language to reflect that the flight must remain within specified parameters to avoid flight abort. Proposed § 450.125(a) would require a gate analysis for an orbital launch, or E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15386 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules any launch or reentry where one or more trajectories that represents a useful mission intersects a flight safety limit that provides containment of debris capable of causing a casualty. Proposed § 450.125(b) would set the gate analysis requirements. The FAA would require an analysis to establish a relaxation of flight safety limits to allow continued flight or a gate where a decision will be made to abort the launch or reentry, or allow continued flight. If a gate is established, the analysis should establish a measure of performance at the gate that would enable the flight abort crew or autonomous FSS to determine whether the vehicle is able to complete a useful mission, and abort the flight if it is not. Further, the analysis should establish accompanying flight abort rules. Finally, for an orbital launch, the analysis should establish a gate at the last opportunity to determine whether the vehicle’s flight is in compliance with the flight abort rules and can make a useful mission, and abort the flight if not. This last requirement would achieve the goal of assuring that only missions that can be useful are allowed to proceed to orbit, thereby limiting the potential for space debris. In addition, when the vehicle performance does not demonstrate an ability to reach a minimum safe orbit (without an imminent random reentry), meaning it cannot pass the useful mission requirement, the regulation would require that flight abort occur. In proposed § 450.125(c), the FAA would require the extents of any gate or relaxation of the flight safety limits to be based on normal trajectories, trajectories that may achieve a useful mission, collective risk, and consequence criteria. In proposed § 450.125(c)(1), the FAA proposes to require a gate or relaxation of flight safety limits anywhere a flight safety limit intersects with a normal trajectory if that trajectory would meet the individual and collective risk criteria of proposed § 450.101(a)(1) and (2) or (b)(1) and (2) when treated like a nominal trajectory with normal trajectory dispersions.199 Requiring all normal trajectories to be treated like a nominal trajectory with dispersions as input to a conditional risk analysis (given a sample normal trajectory) for the gate analysis would resolve the issue of an incomplete characterization of the conditional risk of a vehicle that flies through what was 199 The FAA would retain the definitions of ‘‘normal flight’’ and ‘‘normal trajectory’’ currently found in § 417.3. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 a flight safety limit while within the normal trajectory envelope. Another requirement of the proposed gate analysis would be that the predicted average consequence from flight abort resulting from any reasonably foreseeable vehicle response mode, in any one-second period of flight, using any modified flight safety limits must not exceed 1 × 10¥2 CEC. The goal of this requirement is to ensure that flight safety limits do not create an unacceptable consequence when used, since debris containment is no longer provided. A gate that does not have flight safety limits after the gate would not need to meet this consequence criterion since it would be placed at the same location as flight safety limits that do provide debris containment. Under the proposal, any intersections of flight safety limits with normal trajectories would result in flight safety limits that are relaxed enough to allow passage, or an open gate in the flight safety limit as long as there is enough data available to confirm that the vehicle is healthy (i.e., appears capable of reaching a minimum safe perigee). Flight on normal trajectories must still meet the public safety criteria in proposed § 450.101, so this practice would ensure acceptable risks and use the best available data to confirm that a vehicle is unlikely to fail before being allowed to fly through a gate, if one is present. Whether flight safety limits would be relaxed enough to let a vehicle fly through that area, or be gated, is optional. A gate is preferred if it would reduce risk, given that there is sufficient information available to make a decision on whether the vehicle is sufficiently healthy to pass. This practice would align with the Federal launch range’s current practice and meet the intent of the current requirement in § 417.107(a)(2). In proposed § 450.125(c)(2), trajectories that are outside of normal flight but within the limits of a useful mission would be evaluated as potential normal trajectories. Proposed § 450.125(c)(2) would allow flight safety limits to be gated or relaxed where they intersect with any trajectory within the limits of a useful mission, if the trajectory would meet the individual and collective risk criteria of proposed § 450.101(a)(1) and (2) or (b)(1) and (2), assuming that the trajectory flown would be treated like a nominal trajectory with normal trajectory dispersions. The predicted average consequence from flight abort resulting from a failure in any one-second period of flight, using any modified flight safety limits, would be required to not exceed 1 × 10¥2 CEC. The philosophy behind proposed § 450.125(c)(2) is to PO 00000 Frm 00092 Fmt 4701 Sfmt 4702 allow a non-normal flight to continue as long as the mission does not pose an unacceptable conditional risk given the present trajectory. A good example of missions that fall into this category are missions that lift-off on an incorrect flight azimuth, usually due to a software input error, such as the Ariane 5 failure on January 25, 2018, during its 97th mission (VA241). Apart from the programming error, these vehicles may be healthy and are not expected to fail more frequently than a flight without the programming error, so these flights should be allowed to continue if they meet the individual and collective risk criteria on the present azimuth (unless the risk from planned debris impacts was unacceptable on the present flight azimuth). If they do not, such flights would be required to implement an abort. This proposal is consistent with the ARC’s recommendation to expand part 431 to include flight abort rules that apply when the vehicle is performing outside of its profile and is unable to reach a useful orbit or survive, and needs to be terminated prior to overflight of a populated area. Proposed § 450.125(d) would establish the application requirements for gate analyses. Specifically, the proposal would require an applicant to submit a description of the methodology used to establish each gate or relaxation of a flight safety limit; a description of the measure of performance used to determine whether a vehicle will be allowed to cross a gate without flight abort, the acceptable ranges of the measure of performance, and how these ranges were determined; a graphic depiction showing representative flight safety limits, any protected uncontrolled area overflight regions, and instantaneous impact point traces for the nominal trajectory, extents of normal flight, and limits of a useful mission trajectories; and any additional products requested by the FAA to conduct an independent analysis when necessary to ensure that public risk criteria are not exceeded. The proposed application requirements are consistent with current practice under parts 417 and 431. 8. Data Loss Flight Time and Planned Safe Flight State Analyses The FAA proposes to consolidate and update data loss flight times and planned safe flight states requirements in proposed § 450.127 (Data Loss Flight Time and Planned Safe Flight State Analyses). Data loss flight time analyses are used to establish when an operator must abort a flight following the loss of vehicle tracking information. In § 417.3, E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules the FAA currently defines ‘‘data loss flight time’’ as the shortest elapsed thrusting time during which a launch vehicle flown with an FSS can move from its normal trajectory to a condition where it is possible for the launch vehicle to endanger the public. This definition is unclear as to what constitutes a condition where it is possible for the launch vehicle to endanger the public. Given the overall approach to impact limit lines in § 417.213(d) and the treatment of data loss flight times in appendix A to part 417, section A417.19, the FAA has interpreted the definition to mean any impact on a protected area with debris greater than 3 psf ballistic coefficient. With this proposal, the FAA would move the definition of ‘‘data loss flight time’’ from current § 417.3 to § 401.5 and update the definition to mean the shortest elapsed thrusting or gliding time during which a vehicle flown with an FSS can move from its trajectory to a condition where it is possible for the vehicle to violate a flight safety limit. An important change in the definition would be the replacement of ‘‘move from its normal trajectory’’ with ‘‘move from its trajectory.’’ Computing data loss flight times initialized using normal trajectories or nominal trajectories would both be acceptable means of compliance with the proposed regulation, since using the former should be more conservative. This resolves the issue of varying practices at different ranges and provides additional flexibility. In § 417.219(a), the FAA requires a launch operator to establish data loss flight times and a planned safe flight state. In § 417.219(b), the FAA requires that thrust be considered as a means of moving a vehicle towards a protected area, but some vehicles can also glide a significant distance using lift. Further, § 417.219(b) requires the data loss flight time to be relative to reaching protected areas, not flight safety limits. The requirements in § 417.219(c) also include a method of establishing the planned safe flight state that includes the subjective phrase ‘‘the absence of a flight safety system would not significantly increase the accumulated risk from debris impacts.’’ Data loss times are currently computed in different ways at Federal launch ranges, with some initializing the computation from the nominal trajectory and some from trajectories within the normal trajectory envelope, sometimes referred to as ‘‘dispersed’’ trajectories. Part 431 has no requirements related to analysis to establish data loss flight times or planned safe flight state. However, the one orbital RLV operation VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 licensed to date employed an FSS and established data loss flight times. The FAA’s proposed § 450.127(a) would require an FSA to establish data loss flight times and a planned safe flight state for each flight to establish each flight abort rule that applies when vehicle tracking data is not available for use by the flight abort crew or autonomous FSS. Substantively, this proposal is consistent with the current rule in § 417.219(a). However, the FAA’s proposal would update language to account for autonomous FSS and the use of the term flight abort in place of flight termination. Proposed § 450.127(b)(1) would retain the data loss flight time analysis requirements consistent with § 417.219, but with the addition of gliding flight as a means of moving a vehicle towards flight safety limits (in lieu of protected areas in accordance with § 417.219). The proposal would replace the subjective method of establishing the safe flight state with a more straightforward method of analyzing when the vehicle’s state vector reaches a state where the vehicle is no longer required to have a flight safety system. This is to avoid aborting a flight due to loss of track data during a phase of flight in which track data is not required to ensure safe flight. Thus, the proposal would encourage operators to avoid a flight abort, which often correlates with creating debris, due to loss of track data when in an area where flight abort is not required to meet the regulations. Proposed § 450.127(b)(2) would require data loss flight times to account for forces that may stop the vehicle before reaching a flight safety limit, such as aerodynamic forces that exceed the structural limits of the vehicle. When more conservative methods are used, such as assuming an instantaneous turn towards the nearest flight safety limit, data loss flight times can be underestimated in that a vehicle could not physically perform the turn without breaking up. Data loss flight times that are unrealistically low create the risk of an unnecessary abort (and thus, an unnecessary debris event) if track is lost, since track may return and allow flight to continue if the data loss flight times are greater. Proposed § 450.127(b)(3) would allow the computation of data loss flight times in real-time in lieu of only computations made preflight. This proposal would allow for a computation using the lastknown state vector of the vehicle before track was lost. Proposed § 450.127(b)(3) would allow the computation of data loss flight times to be performed on the ground or onboard the vehicle, depending on whether a traditional PO 00000 Frm 00093 Fmt 4701 Sfmt 4702 15387 command destruct or autonomous flight safety system is used. In proposed § 450.127(c), the requirements regarding the planned safe flight state would be consistent with those currently in § 417.219(c), only generalized to apply to reentry as well as launch. Proposed § 450.127(c)(1) would update the § 417.219(c)(1) requirement using new terminology without any change to the meaning. Proposed § 450.127(d) lays out the application requirements for data loss flight time and planned safe flight state analyses. Specifically, the proposal would require an applicant to submit a description of the methodology used to determine data loss flight times; tabular data describing the data loss flight times from a representative mission; the safe flight state and methodology used to determine it; and any additional products requested by the FAA to conduct an independent analysis. 9. Time Delay Analysis For ELVs, § 417.221(a) requires a time delay analysis that establishes the mean elapsed time between the violation of a flight termination rule and the time when the flight safety system is capable of terminating flight for use in establishing flight safety limits. Section 417.221(b) requires the analysis to determine a time delay distribution that accounts for the variance of all time delays for each potential failure scenario, a flight safety official’s decision and reaction time, and flight termination hardware and software delays which includes all delays inherent in tracking systems, data processing systems, display systems, command control systems, and flight termination systems. The FAA has also required time delay analyses for RLVs under the current regulatory scheme. Specifically, § 431.39(a) requires an RLV license applicant to submit contingency abort plans, if any, that ensure safe conduct of mission operations during nominal and non-nominal vehicle flight. In practice, a time delay analysis has been necessary to ensure safe conduct of an RLV that uses flight abort. The FAA proposes to streamline the regulations governing the analysis of time delay in proposed § 450.129 (Time Delay Analysis). Proposed § 450.129(a) would use language identical to § 417.221(a), except that the term ‘‘terminating’’ would be replaced with the term ‘‘aborting.’’ The proposal would replace the list of time delay contributions prescribed in § 417.221(b) with a performance-based requirement in proposed § 450.129(a), that the time delay analysis would be required to E:\FR\FM\15APP2.SGM 15APP2 15388 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 determine a time delay distribution that accounts for all foreseeable sources of delay. Proposed § 450.129(b) would list application requirements. Specifically, the proposal would require an applicant to submit a description of the methodology used in the time delay analysis, a tabular listing of each time delay source and the total delay, with uncertainty, and any additional products the FAA would request to conduct an independent analysis. 10. Probability of Failure Proposed § 450.131 (Probability of Failure Analysis) would cover probability of failure (POF) analysis requirements for all launch and reentry vehicles. The proposal would also make application requirements clearer and implement performance-based requirements to address allocation to flight times and vehicle response modes. The proposed POF performance requirements would allow an operator to employ alternative, potentially innovative methodologies so long as the results satisfy proposed requirements such as valid input data. Current regulations covering POF analysis requirements for ELVs are found in § 417.224. Part 431 does not have requirements for a POF analysis. Even so, a POF analysis is necessary to demonstrate compliance with the public risk criteria set for RLV operations in § 431.35(b). Section 417.224(a) requires that POF analyses use accurate data, scientific principles, and a method that is statistically or probabilistically valid. For vehicles with fewer than two flights, the POF must account for the outcome of all previous launches of vehicles developed and launched in similar circumstances. If a vehicle has more than two flights, the POF analysis must account for the outcomes of all previous flights of the vehicle in a statistically valid manner. Section 417.224(a) does not address the use of data on partial failures and anomalies, which is a shortcoming the FAA seeks to correct. Section 417.224(b) defines failure to mean when a launch vehicle does not complete any phase of normal flight, or when any anomalous condition exhibits the potential for a stage or its debris to impact the Earth or reenter the atmosphere during the mission, or any future mission, of similar launch vehicle capability. The paragraph makes clear a launch incident or accident also constitutes a failure. Finally, Section 417.224(c) explains that previous flights begin when the launch vehicle normally or inadvertently lifts off from a launch platform and that liftoff occurs with any VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 motion of the launch vehicle with respect to the launch platform. Although the § 417.224 definitions have generally served the FAA and the industry well, § 417.224 lacks requirements to address allocation to flight times and vehicle response modes (VRMs), even though these allocations are necessary to determine the public risks posed by various VRMs at various times in flight. Given POF is a primary factor in any risk computation, it is impossible for an applicant to demonstrate compliance with the quantitative public risk criteria without an analysis to determine the probability of any reasonably foreseeable outcome, such as an on-trajectory loss of thrust or a malfunction turn ending in aerodynamic break-up. The FAA would retain the substantive § 417.224 POF analysis requirements in proposed § 450.131, including the definitions of key terms such as ‘‘failure’’ and ‘‘previous flight’’. However, the proposal would apply to all launch and reentry vehicles. In addition, it would clarify the data a POF analysis must use to establish a valid allocation to flight times and vehicle response modes. Proposed § 450.131(a) would retain the same substantive requirements regarding the an operator’s estimation of the POF for vehicles with fewer than two flights. However, for vehicles with two or more previous flights, the proposal would change the § 417.224(a) provision by requiring that the outcomes of all previous flights of the vehicle or vehicle stage account for data on partial failures and anomalies including Class 3 and Class 4 mishaps. Thus, the proposal would require an analysis to account for partial failures and anomalies. These changes should improve the credibility of POF analyses by giving due credit to stages that succeed even though a subsequent stage fails. For example, consider a vehicle launched two times, with a failure during the second stage on the first launch and no failures during the second launch. For the third launch, the proposal would allow a probability of failure analysis to account for the fact that the first stage flew twice without a failure, while the second stage flew twice with one failure. Proposed § 450.131(b) would retain essentially the same definition of ‘‘failure’’ used in § 417.224(b), with changes using the proposed mishap terminology (Class 1 or Class 2) and to cover other vehicles beyond ELVs. Proposed § 450.131(c) would retain essentially the same definition of ‘‘previous flight’’ for FSA purposes, with changes intended to encompass all PO 00000 Frm 00094 Fmt 4701 Sfmt 4702 launch and reentry vehicles, including cases where an operator uses a carrier aircraft. Thus, ‘‘previous flight’’ for the purposes of an FSA would cover the flight of a launch vehicle beginning when the vehicle normally or inadvertently lifts off from a launch platform. Liftoff would still occur with any motion of the launch vehicle with respect to the launch platform. The FAA would clarify that this would include a carrier aircraft as a launch platform, and would include any intentional or unintentional separation from the launch platform. In terms of a reentry vehicle, the flight of a reentry vehicle or deorbiting upper stage would begin when a vehicle attempts to initiate a deorbit. Proposed § 450.131(d), titled ‘‘Allocation,’’ would establish performance requirements to address POF allocation to flight times and VRMs. The proposal would require that a vehicle POF be distributed across flight times and vehicle response modes consistent with the data available from all previous flights of vehicles developed and launched or reentered in similar circumstances; and data from previous flights of vehicles, stages, or components developed and launched or reentered by the subject vehicle developer or operator. Such data may include previous experience involving similar vehicle, stage, or component design characteristics; development and integration processes, including the extent of integrated system testing; and level of experience of the vehicle operation and development team members. These requirements were not in § 417.224 or part 431. In this context, phases of flight would be defined by planned events affecting the vehicle configuration and its failure rate, such as ignition, first stage flight, stage separation, second stage ignition, second stage flight, payload fairing separation, etc. This proposal would require what is already necessary and thus done in current practice. In proposed § 450.131(e), the FAA would require that a POF allocation account for significant differences in the observed failure rate and the conditional failure rate. The conditional failure rate represents the failure rate conditional on the vehicle or subsystem having survived, without a failure as defined earlier, to a given time in flight. The observed failure rate is the product of the conditional failure rate and the reliability function, which is commonly defined as the probability that the vehicle or subsystem has not failed prior to a given time in flight. For high reliability systems where the reliability function is close to one (by definition), E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 the observed failure rate can be approximated as the conditional failure rate. If the overall vehicle or stage POF is below 10 percent (over the entire period of time corresponding to a phase of flight), then this simplified approach produces a relative error less than approximately 0.5 percent, which is generally not considered a significant difference. For lower reliability systems, this approximation does produce a significant difference between the observed failure rate and the conditional failure rate. Here again, the proposal would clarify what is already necessary and thus done in current practice. Proposed § 450.131(e) would also require that a POF analysis use a constant conditional failure rate for each phase of flight, unless there is clear and convincing evidence of a different conditional failure rate for a particular vehicle, stage, or phase of flight. Thus, the proposal would require a POF analysis to assume that the conditional failure rate can be represented as a piece-wise constant function of time for each phase of flight, absent clear and convincing evidence to the contrary. The points that define transitions to a potentially different conditional failure rate must include staging events or other vehicle configuration changes, such as ignition of other engines or rocket motors. In some cases, the FAA anticipates that there will be sufficient evidence to justify a different failure rate, for example during a start-up or shut-down/burnout transient for a rocket motor compared to steady state operation of a stage, engine, or motor. Proposed § 450.131(f) would lay out the FAA’s application requirements for POF analyses that address the proposed methodology, assumptions and justification, input data, and output data. An applicant would also be required to provide a complete set of tabular data and graphs of the predicted failure rate and cumulative failure probability for each foreseeable VRM. The proposed requirements are consistent with current practice to the extent that any valid FSA must include the probability of failure assigned to each VRM as a function of time into flight. 11. Flight Hazard Areas The FAA proposes to streamline its regulations on flight hazard area in proposed § 450.133, applicable to all launch and reentry vehicles. The FAA would codify its working definition of ‘‘flight hazard area’’ to mean any region of land, sea, or air that must be surveyed, publicized, controlled, or evacuated in order to protect the public health and safety and safety of property. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 An FSA would include a flight hazard area analysis to identify regions of land, sea, or air where an operation poses a potential hazard to the public. The proposal would reduce the size of the regions of land, sea, and air requiring hazard warnings from normal flight events and would reduce the size of regions requiring surveillance prior to initiating a commercial space transportation operation. These changes would be consistent with practices at Federal launch ranges. The current FAA regulations most pertinent to flight hazard area analysis are found in §§ 417.107(b) (Flight safety) and 417.223 (Flight hazard analysis) for ELVs, and §§ 431.35(b) (Acceptable reusable launch vehicle mission risk) and 431.43(b) (Reusable launch vehicle mission operational requirements and restrictions) for RLVs. Both the ELV and RLV regulations require flight hazard areas to protect against hazards posed by vehicle malfunctions (e.g., an inflight break-up) and normal flight events that create hazards (e.g., any planned jettison of debris, launch vehicle components, or vehicle stages). The FAA currently sets requirements to warn of, or limit the operations of, ELVs and RLVs in regions where planned debris impacts are likely, for example, due to jettisoned stages. In § 417.223(b), the FAA currently requires flight hazard area analyses to establish ship and aircraft hazard area warnings to mariners and airman in regions that encompass the three-sigma impact dispersion area for each planned debris impact. Similar language appears in § 431.43(b), which states that a nominal landing location is suitable if the area of the predicted three-sigma dispersion of the vehicle impacts can be wholly contained within the designated location. In the 2000 final rule, the FAA explained that it intended the threesigma to refer a location where the vehicle or stage landing would be contained 997 times out of 1000 attempts, or 99.7 percent probability of containment.200 Hence, these regulations used the term ‘‘three-sigma’’ to refer to a univariate Gaussian distribution,201 despite the fact that impact dispersions are bivariate, and not necessarily Gaussian. Notably, neither § 417.223 nor § 431.43 stipulate whether these warning areas must account for all debris or only debris capable of causing a casualty. There is evidence that the separation of large 200 65 FR 56618 (September 9, 2000), at 56629. distribution (also known as normal distribution) is a bell-shaped curve, and it is assumed that during any measurement values will follow a normal distribution with an equal number of measurements above and below the mean value. 201 Gaussian PO 00000 Frm 00095 Fmt 4701 Sfmt 4702 15389 stages can liberate small fragments with a negligible probability of creating a casualty, depending on the nature of the exposed population. For example, people in aircraft are often more vulnerable than people on the ground because a fragment that impacts an aircraft has a much higher kinetic energy due to the velocity of the aircraft. Both the ELV and RLV regulations require public risk controls, such as evacuation or surveillance, to ensure that no individual member of the public is exposed to greater one-in-a-million (1 × 10¥6) PC, irrespective of their location on land, sea, or air, to satisfy risk criterion in §§ 417.107(b) and 431.35(b). The part 417 regulations address the identification and surveillance of flight hazard areas explicitly in several sections, including §§ 417.111(b)(5), 417.121(f), and 417.223 as discussed below. Part 431 regulations do not expressly address flight hazard areas. However, the preamble to the 2000 final rule stated that the individual risk limit of 1 × 10¥6 PC would dictate whether or not an area must be evacuated for launch or reentry activity along that trajectory to occur safely, and clarified that limit applied for any person not involved in the licensed activity. Hence, the current RLV regulations clearly intended the evacuation, and surveillance by inference, of any area where a person not involved in the licensed activity would otherwise experience more than 1 × 10¥6 PC. Only § 417.223 and associated appendices provide specific direction on conducting flight hazard area analyses. In § 417.223(a), the FAA requires launch operators to perform a flight hazard area analysis that identifies any regions of land, sea, or air that must be surveyed, publicized, controlled, or evacuated in order to control the risk to the public from debris impact hazards. In addition, the current regulation notes that the risk management requirements of § 417.205(a) apply to the flight hazard area analyses. Lastly, § 417. 223(a) paragraph lists factors that the analysis must account for. Regarding aircraft hazard areas, the preamble to part 431 stated that the FAA also reserves discretion to impose measures deemed necessary by that office to protect public safety.202 This deference to regional offices for aircraft protection resulted in a lack of clarity and potential unevenness to the aircraft protection requirements potentially imposed on RLV operators. Proposed § 450.133 would establish general requirements for the flight hazard area analysis as well as 202 65 E:\FR\FM\15APP2.SGM FR 56618 (September 19, 2000), at 56646. 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15390 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules requirements specific to waterborne vessel hazard areas, land hazard areas, airspace hazard volumes, and the license application. The proposal would make uniform to launch and reentry the requirement in current § 417.223(a) that operators must identify any regions of land, sea, or air that must be surveyed, publicized, controlled, or evacuated to the extent necessary to ensure acceptable individual and collective risks. However, as discussed later in this section, the proposed regulations would allow operators to reduce, or otherwise optimize, the size of the warning regions for hazards resulting from normal flight events. The proposal would add a definition of ‘‘flight hazard area’’ to § 405.1 to mean any region of land, sea, or air that must be surveyed, publicized, controlled, or evacuated in order to protect the public health and safety, and safety of property. This definition is consistent with the current requirement in § 417.223(a). Note that the proposed definition would allow for the fact that it may be appropriate to issue a public warning for a flight hazard area, but unnecessary to survey or evacuate the area to ensure the public risks are within the criteria given in proposed § 450.101, as explained in the discussion of hazard area surveillance and publication. Proposed § 450.133(a) would also revise the technical factors for which the hazard area analysis must account to remove language limiting those factors to launch activity alone, thus making consistent the regulations for all types of commercial space transportation operations. The proposal would merge current § 417.223(a)(2), (3), and (4) with slight changes into § 450.133(a)(1) to require an operator to account for the ‘‘regions of land, sea, and air potentially exposed to debris impact resulting from normal flight events and from debris hazards resulting from any potential malfunction.’’ Proposed § 450.133(a)(5) would also clarify that the analysis must account for all foreseeable sources of debris dispersion during freefall, including wind effects, guidance and control, velocity imparted by break-up or jettison, lift, and drag forces with winds that are no less severe than the worst wind conditions under which flight might be attempted, and uncertainty in the wind conditions. In § 417.223(a)(4), the current regulation implies that the analysis only needed to account for some exposed populations in the vicinity of the launch site. The proposed § 450.133(a) would further clarify that all sources of debris dispersion must be accounted for by removing any ambiguity associated with VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 what constitutes ‘‘in the vicinity of the launch site;’’ by eliminating that phrase, and thus ensuring equal protection for all public exposures. Finally, the proposal would clarify that valid flight hazard area analyses would be required to treat all planned debris hazards, planned impacts, and planned landings as a virtual certainty, consistent with current practice and the regulations in sections A417.23 and B417.13. Again, part 431 does not address flight hazard areas, but current practice for RLVs is generally consistent with the ELV regulations. Proposed § 450.133(b)(1), (c)(1), and (d)(1) would align FAA regulations with practices at the Federal launch ranges by allowing operators to reduce or otherwise optimize the size of the regions for warnings of potential hazardous debris resulting from normal flight events. Specifically, in § 417.223(b), the FAA currently requires hazard area analyses to establish ship and aircraft hazard area warnings in regions that encompass the three-sigma impact dispersion area for each planned debris impact. Similar language appears in § 431.43(b), and the FAA previously took the position that ‘‘three-sigma’’ in this context referred to 99.7 percent probability of containment (as explained earlier). However, the current regulations do not specify if the confidence of containment applies to all planned debris or only debris capable of causing a casualty. In any case, current practice includes the establishment of flight hazard areas sufficient for 97 percent probability of containment of debris capable of causing a casualty. Thus, the proposed requirements in § 450.133 (b)(1), (c)(1), and (d)(1) would be revised to include language reflecting that the provision applies to debris capable of causing a casualty to any person located on land, sea, or air. Finally, proposed § 450.133(e) would list flight hazard area application requirements. An applicant would need to submit a description of the methodology to be used in the flight hazard area analysis, including all assumptions and justifications for the assumptions, vulnerability models, analysis methods, and input data. This information would include the worst wind conditions under which flight might be attempted accounting for uncertainty in the wind conditions, the classes of waterborne vessels and vulnerability criteria employed, and the classes of aircraft and vulnerability criteria employed. Section 450.133(e)(2) would require an applicant to submit representative hazard area analysis outputs to include tabular data and graphs of the results of the flight hazard PO 00000 Frm 00096 Fmt 4701 Sfmt 4702 area analysis. Note that the proposal would require hazard area results to identify the regions of land, sea, and air considered hazardous, regardless of location or ownership.203 The proposed requirement to show contours of probability of impact (PI) and PC that are an order of magnitude lower than those used to define the flight hazard areas is necessary to demonstrate sufficient computational resolution and analysis fidelity for the results that are critical to public safety. Furthermore, the FAA Air Traffic Organization currently requires identification of regions of air where the PI exceeds 1 × 10¥7 for all debris capable of causing a casualty to persons on an aircraft, in order to facilitate safe and efficient integration of launch and reentry operations into the NAS. Proposed § 450.133(e)(3) would specifically provide that applicants must provide additional products if requested by the FAA to conduct an independent analysis. 12. Debris Risk Analysis The FAA proposes to streamline, clarify, and make consistent its regulations on debris risk analysis used to evaluate compliance with the public safety criteria in proposed § 450.101. The proposal would require launch and reentry operators to conduct a debris risk analysis that demonstrates compliance with proposed § 450.101 either prior to the day of the operation, accounting for all foreseeable conditions within the flight commit criteria, or during the countdown using the best available input data. A debris risk analysis determines the expected average number of casualties to the public, individually and collectively, due to inert and explosive debris hazards. This analysis includes an evaluation of risk to populations on land, including areas following passage through any gate in a flight safety limit boundary. The current FAA regulations require a debris risk analysis, but only part 417 provides any specificity about what constitutes a valid analysis including prescriptive requirements in section A417.25 of appendix A. Part 431 provides no requirements to clarify what constitutes a valid debris risk analysis. In practice though, RLV license applicants often abided by debris risk performance requirements set in part 417, such as the need to use trajectory time intervals sufficient to 203 However, as provided in proposed § 450.161(c), an operator would only be required to publicize warnings for flight hazard areas that exclude any regions of land, sea, or air under the control of the vehicle or site operator or other entity by agreement. E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules produce smooth and continuous individual risk contours. Section A417.1 states that the appendix applies to the methods for performing analysis required by §§ 417.107 and 417.225, and provides (1) an acceptable means of compliance, and (2) a standard and a measure of fidelity against which the FAA will measure any proposed alternative analysis approach. However, in some cases the 417 appendices are overly prescriptive and unduly burdensome. For example, section A417.25(c) requires an operator to file with the FAA a debris risk analysis report that includes all populated areas included in the debris risk analysis, which typically translates into many thousands of population centers for an orbital launch, as well as the values of probability of impact and expected casualty for each populated area. In other cases, the part 417 appendices mistakenly neglected to direct an applicant to account for important phenomena, such as the influence of uncertainties in atmospheric conditions on the propagation of debris from each predicted breakup location to impact. The FAA proposes to streamline, clarify, and make consistent its regulations regarding debris risk analyses to determine if public risks posed by a proposed launch or reentry can comply with the public safety criteria in proposed § 450.101. The proposal would provide performancebased regulations regarding the level of fidelity required for key elements of a valid debris risk analysis, including analyses for the propagation of debris, public exposure and critical assets model, and casualty areas. The proposed debris risk analysis requirements in § 450.135 would supplement the more generic requirements for flight safety methods proposed in § 450.115. The proposal would also align FAA regulations with practices at the Federal launch ranges. Proposed § 450.135(a) provides applicants an option to perform a debris risk analysis that demonstrates compliance with public safety criteria in § 450.101, either prior to the day of the operation, by accounting for all foreseeable conditions within the flight commit criteria, or during the countdown using the best available input data. Thus, the proposal provides flexibility that was lacking in both parts 417 and 431. Proposed § 450.135(b) would include performance-based requirements to clarify the phenomena the propagationof-debris portion of the analysis must consider. The propagation of debris is a physics-based analysis that predicts VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 where debris impacts are likely to occur in the case of a debris event while the vehicle is in flight, such as jettison of a vehicle stage or an explosion. As mentioned previously, section A417 provides some requirements regarding the sources of debris impact dispersions that must be accounted for, but in some cases that was either overly prescriptive or incomplete. A debris risk analysis must compute statistically-valid debris impact probability distributions using the input data produced by FSAs required in proposed §§ 450.117 through 450.133. The propagation of debris from each predicted breakup location to impact would be required to account for all foreseeable forces that can influence any debris impact location, and all foreseeable sources of impact dispersion. At a minimum, the foreseeable sources of impact dispersion must include the uncertainties in atmospheric conditions, debris aerodynamic parameters, pre-breakup position and velocity, and breakupimparted velocities.204 Proposed § 450.135(c) would provide performance-based regulations that specify features of a valid exposure model. An exposure model provides critical input data on the geographical location of people and critical assets at various times when the launch or reentry operation could occur. A debris risk analysis must use an exposure model that accounts for the distribution of people and critical assets. The exposure input data would be required to include the entire region where there is a significant probability of impact of hazardous debris, to characterize the distribution and vulnerability of people and critical assets both geographically and temporally, and to account for the distribution of people in various structure and vehicle types with a resolution consistent with the characteristic size of the impact probability distributions for relevant fragment groups. It would be required to have sufficient temporal and spatial resolution that a uniform distribution of people within each defined region can be treated as a single average set of characteristics without degrading the accuracy of any debris analysis output, and to use accurate source data from demographic sources, physical surveys, or other methods. As well, the exposure 204 The level of fidelity of the analysis would be subject to the requirements in proposed § 450.101(g) which, as proposed, requires an operator’s flight safety analysis method to use accurate data and scientific principles and be statistically valid. The method must produce results consistent with or more conservative than the results available from previous mishaps, tests, or other valid benchmarks, such as higher-fidelity methods. PO 00000 Frm 00097 Fmt 4701 Sfmt 4702 15391 input data would be required to be regularly updated to account for recent land-use changes, population growth, migration, and construction. Finally, it would be required to account for uncertainty in the source data and modeling approach. In § 450.135(d), the proposal would provide performance-based regulations that set forth the features of a valid casualty area and consequence analysis. The proposal would include a definition of casualty area in § 401.5. ‘‘Casualty area’’ would mean the area surrounding each potential debris or vehicle impact point where serious injuries, or worse, can occur. A debris risk analysis would be required to model the casualty area and compute the predicted consequences of each reasonably foreseeable vehicle response mode in terms of conditional expected casualties. The casualty area and consequence analysis would be required to account for all relevant debris fragment characteristics and the characteristics of a representative person exposed to any potential debris hazard; any direct impacts of debris fragments, intact impact, or indirect impact effects; and vulnerability of people and critical assets to debris impacts. The vulnerability of people and critical assets to debris impacts would be required to account for the effects of buildings, ground vehicles, waterborne vessel, and aircraft upon the vulnerability of any occupants; for all hazard sources, such as the potential for any toxic or explosive energy releases; and for indirect or secondary effects such as bounce, splatter, skip, slide or ricochet, including accounting for terrain. It would also be required to account for the effect of wind on debris impact vector and toxic releases, and for impact speed and angle (also accounting for motion of vehicles). Finally, it would be required to account for uncertainty in fragment impact parameters, and uncertainty in modeling methodology. These broad performance-based items would replace the unduly narrow and prescriptive requirements in appendix A which would give operators more flexibility in demonstrating that public risk criteria have been met. In order to provide adequate protection from public safety risks such as the risk of casualties, it is important that analyses used to protect public safety account for all known influences on the vulnerability of people and critical assets. At the same time, the proposal recognizes in § 450.101(g) that a valid method must produce results consistent with or more conservative than the results available from previous mishaps, tests, or other valid E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15392 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules benchmarks. Hence, the proposal would not require a vulnerability model to account explicitly for each known influence on the empirical results per se, but the proposal would require that a valid vulnerability model produce results that are either consistent with the standard in proposed § 450.101(g). Proposed § 450.135(e) would list application requirements, which are designed to be more balanced and less prescriptive and ambiguous than current requirements in appendix A to part 417, section A417. The proposal would require an application to describe the methods used to compute debris impact distributions, population exposure data, atmospheric data, as well as how the operator proposes to account for the conditions immediately prior to enabling the launch or reentry flight, per § 450.135(e)(1) through (5). Proposed § 450.135(e)(6) and (7) would require an applicant to submit sample debris risk analysis outputs, including the effective unsheltered casualty area for all fragment classes, assuming a representative impact vector; and the effective casualty area for all fragments classes for a representative type of building, ground vehicle, waterborne vessel, and aircraft, assuming a representative impact vector. This is not a new requirement because the effective casualty area was always necessary for computing the EC. The proposal would define effective casualty area in § 401.5 as the aggregate casualty area of each piece of debris created by a vehicle failure at a particular point on its trajectory. The effective casualty area for each piece of debris is a modeling construct in which the area within which 100 percent of the population are assumed to be a casualty, and outside of which 100 percent of the population are assumed not to be a casualty. In proposed § 450.135(e)(8), an applicant would be required to submit sample collective and individual outputs under representative conditions and the worst foreseeable conditions, including the total collective casualty expectation for the proposed operation; a list of the collective risk contribution for at least the top ten population centers and all centers with collective risk exceeding 1 percent of the collective risk criterion in proposed § 450.101; a list of the maximum individual PC for the top ten population centers and all centers that exceed 10 percent of the individual risk criterion in proposed § 450.101. The applicant would also be required to submit a list of the probability of loss of functionality of any critical asset that exceeds 1 percent of the critical asset criterion in VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 proposed § 450.101. Proposed § 450.135(e)(9) would require an operator to submit a list of the conditional collective casualty expectation for each vehicle response mode for each one-second interval of flight under representative conditions and the worst foreseeable conditions. Finally, in all FSAs, the applicant must also submit additional products that allow an independent analysis, if requested by the FAA, in order to assure that the public risk criteria are satisfied. 13. Far-field Overpressure Blast Effects The FAA proposes to consolidate its regulations on far-field overpressure blast effects analyses in proposed § 450.137 (Far-Field Overpressure Blast Effect Analysis), used to demonstrate compliance with the public safety criteria in proposed § 450.101. This analysis looks at the potential public hazard from broken windows as a result of impacting explosive debris, including impact of an intact launch vehicle. The near-field effects of explosions are covered under debris risk analysis, where meteorological conditions do not significantly influence the attenuation of overpressure. However, the FAA would require a far-field blast effect analysis for peak incident overpressures below 1 pound per square inch (psi,) the point where meteorological conditions can significantly influence the attenuation of explosive overpressures. A launch and reentry operator would be required to conduct a far-field overpressure blast effects analysis (also known as distance focusing overpressure, or DFO) that demonstrates compliance with public safety criteria in proposed § 450.101. An operator would need to complete the analysis either prior to the day of the operation accounting for all foreseeable conditions within the flight commit criteria or during the countdown using the best available input data. An applicant would be required to describe the critical input data, such as the meteorological measurements, and develop flight commit criteria to include any hazard controls derived from this FSA in accordance with proposed § 450.165(b)(6). Impacting explosive materials, both liquid and solid, have the potential to explode. Given the appropriate combination of atmospheric pressure and temperature gradients, the impact explosion can produce distant focus overpressure at significant distance from the original blast point. Overpressures from as low as 0.1 psi may cause windows to break. However, other forms of overpressure, such as multiple pulses, may also prove hazardous PO 00000 Frm 00098 Fmt 4701 Sfmt 4702 depending on the size and thickness of windows and the number of windowpanes. Moreover, levels of overpressure will change depending on distance, atmospherics, and a vehicle’s explosive yield. Multiple historical events involving large explosions, including rocket failures, have shown that under unfavorable atmospheric conditions, a shock wave may focus to produce significant peak overpressures at communities beyond the boundaries of the launch site, potentially causing window breakage and injuries. In light of the historical evidence of blast damage due to overpressure focusing, and building on the legacy of U.S. agency efforts to protect against the potential public risks associated with rocket explosions, the FAA adopted regulations to protect the public from the DFO phenomena in § 417.229 (Farfield overpressure blast effect analysis) and appendix A to part 417 (section A417.29.) In § 417.229, the FAA requires an FSA to establish flight commit criteria that protect the public from any hazard associated with DFO effects and demonstrate compliance with the public risk criterion. Section 417.229(b) currently lists appropriate constraints on the analysis and section A417.29 provides an acceptable means of compliance. Section A417.29 includes hazard controls based on ANSI S2.20–183 Standard,205 as well as a standard and a measure of fidelity used to assess any proposed alternative analytic approach. Section A417.29 also lists the products of a valid DFO analysis. However, current regulations lack clarity on when a day-of-launch DFO analysis is necessary. Specifically, section A417.29(c) requires that an operator conduct a risk analysis that accounts for ‘‘current meteorological conditions,’’ unless the operator complies with the prescriptive requirements in § 417.229(b) that include the extremely conservative method prescribed by the ANSI S2.20– 183 Standard. These requirements have led to situations where an operator was technically required to perform a day-oflaunch risk analysis to protect against the DFO hazard, when in fact the public risks due to the DFO phenomena were insignificant based on every weather condition measured over a period of many years. Part 431 does not explicitly address the potential public hazard posed by 205 ANSI S2.20–1983, Estimating Air Blast Characteristics for Single Point Explosions in Air, with a Guide to Evaluation of Atmospheric Propagation and Effects, Acoustical Society of America, New York (1983). E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules DFO. However, since 2016, § 431.35(b)(1)(i) has required an applicant to demonstrate that the total collective risk does not exceed 1 × 10¥4 EC, where the total risk consists of risk posed by impacting inert and explosive debris, toxic release, and far-field blast overpressure. Because the RLVs licensed to date under part 431 have relatively low potential explosive yields (compared to large ELVs), some part 431 license applicants were able to perform hazard analyses based on the extremely conservative method prescribed by the ANSI S2.20–183 Standard to demonstrate that the public risks due to the DFO phenomena were insignificant. The FAA proposes to streamline and clarify its regulations on DFO analyses. Whereas part 417 regulations and relevant appendices contain prescriptive methodology requirements in Appendix A, the proposal would distill these sections into performance requirements applicable to both launch and reentry flight operations. Proposed § 450.137(a) would provide applicants an option to perform a DFO risk analysis that demonstrates compliance with public safety criteria in proposed § 450.101, either prior to the day of the operation, by accounting for all foreseeable conditions within the flight commit criteria, or during the countdown using the best available input data. If an operator could satisfy § 450.137(a)(1), then it would not be required to satisfy § 450.137(a)(2). There are at least two different screening analyses that would demonstrate compliance with § 450.137(a)(1). Method one would be a very simple deterministic window breakage screening analysis. Method two would be a simplified risk-based screening analysis. If either screening analysis indicates no potential hazards or insignificant risks, with or without mitigations, then an operator would not be required to comply with § 450.137(a)(2). Conversely, an operator would be required to satisfy proposed § 450.137(a)(2) if it could not demonstrate compliance with § 450.137(a)(1). Thus, the proposal would provide clarity regarding how to determine if a day-of-operations risk analysis is necessary, and flexibility to establish flight commit criteria to limit the contribution of DFO public risks based on analysis done prior to the day of the operation. This clarity and flexibility were lacking in both parts 417 and 431. Proposed § 450.137(b) would set required performance outcomes and the specific factors that a DFO FSA must consider. Substantively, § 450.137(b) would contain the same requirements as VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 those currently in § 417.229(b). Note that the level of fidelity of the DFO analysis would be subject to the requirements in proposed § 450.101(g), so that the analysis methods used must produce results consistent with, or more conservative than, the results available from valid benchmarks. Proposed § 450.137(c) would clarify the materials an operator must submit with its license application, which are generally consistent with those currently required to comply with part 417. This paragraph would clarify the level of fidelity required for the products of a DFO analysis by specifying the key input data and critical model elements that an application would be required to describe. The proposal would require an application to include: (1) A description of the population centers, terrain, building types, and window characteristics used as input to the farfield overpressure analysis; (2) a description of the methods used to compute the foreseeable explosive yield probability pairs, and the complete set of yield-probability pairs, used as input to the far-field overpressure analysis; (3) a description of the methods used to compute peak incident overpressures as a function of distance from the explosion and prevailing meteorological conditions, including sample calculations for a representative range of the foreseeable meteorological conditions, yields, and population center locations; (4) a description of the methods used to compute the probability of window breakage, including tabular data and graphs for the probability of breakage as a function of the peak incident overpressure for a representative range of window types, building types, and yields accounted for; (5) a description of the methods used to compute the PC for a representative individual, including tabular data and graphs for the PC, as a function of location relative to the window and the peak incident overpressure for a representative range of window types, building types, and yields accounted for; (6) tabular data and graphs showing the hypothetical location of any member of the public that could be exposed to a PC of 1 × 10¥5 or greater for neighboring operations personnel, and 1 × 10¥6 or greater for other members of the public, given foreseeable meteorological conditions, yields, and population exposures; (7) the maximum expected casualties that could result from farfield overpressure hazards greater given foreseeable meteorological conditions, yields, and population exposures; and PO 00000 Frm 00099 Fmt 4701 Sfmt 4702 15393 (8) a description of the meteorological measurements used as input to any realtime far-field overpressure analysis. It would also require the submission of any additional products that allow an independent analysis, as requested by the Administrator. 14. Toxic Hazards for Flight The FAA proposes to replace current § 417.227 and appendix I to part 417 with the following two performancebased regulations: § 450.139 for toxic hazard analyses for flight operations and § 450.187 for toxic hazards mitigation for ground operations. Currently, the requirements for a toxic release hazard analysis are specified in § 417.227. Section 417.277 requires that an FSA establish flight commit criteria that protect the public from any hazard associated with toxic release and demonstrate compliance with the public risk criteria of § 417.107(b). This analysis must account for any toxic release that will occur during the proposed flight of a launch vehicle or that would occur in the event of a flight mishap, and for all members of the public that may be exposed to toxic release. Additionally, § 417.405 sets forth the requirements for a ground safety analysis, and, although toxic release is not explicitly enumerated, a launch operator must identify each potential hazard including the sudden release of a hazardous material. Appendix I to part 417 provides methodologies for performing toxic release hazard analysis for the flight of a launch vehicle and for launch processing at a launch site in the U.S. as required by § 417.407(f). Similarly, § 431.35 requires that for a reusable launch vehicle mission, an applicant must demonstrate that the proposed mission does not exceed the acceptable risk defined in § 417.107(b)(1) that includes the risk associated with toxic release. Further, § 431.35(c) requires that an applicant employ a system safety process to identify the hazards and assess the risks to public health and safety of property associated with the mission. Although parts 431 and 435 have the same risk criteria for toxic release as are contained in part 417, unlike part 417, they have no explicit requirements for establishing toxic thresholds. Instead, toxic hazards are addressed as part of the systems safety process. The lack of definitive requirements in parts 431 and 435 has created a lack of clarity as to the requirements for toxic release hazard analysis during the system safety process. The current toxic hazard requirements have a number of shortcomings. The E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15394 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules requirements of § 417.227 are not sufficiently definitive for an operator to establish the toxic concentration and exposure duration threshold for a toxic propellant, to evaluate toxic hazards for flight or for ground operations, to determine a toxic hazard area in the event of a release during flight or from a ground operations mishap, or to require toxic containment or evacuation of the public from a toxic hazard area. Conversely, the existing appendix I to part 417 is overly prescriptive in defining permissible values for assumptions and data inputs to analyses but, as discussed later, lacks important items. In many instances, appendix I requires specific methods, formulas, acceptable sources, specific conditions, and assumptions. However, often these are not the only ways in which the requirements or required demonstrations can be made. There are numerous examples of the prescriptive nature of appendix I to part 417. For example, section I417.3(c)(1) identifies only three agencies of the U.S. Government, namely, the Environmental Protection Agency, the Federal Emergency Management Agency, and the Department of Transportation, that the launch operator is permitted to use as sources of toxicant levels of concern (LOC). There are no common standards in toxicological dose-response data. The data bases of concentration thresholds are different from agency to agency. Specific toxic chemicals that are released may not be included in some or many lists, and some databases account for exposure durations where others do not. Additionally, some databases account for differences in the age and vulnerability of populations exposed, while others do not. Furthermore, some databases account for differences in the severity of physiological responses to exposure, when others do not. Therefore, excluding available doseresponse databases limits the capability of the operator to select the most appropriate LOC. Other U.S Government agencies that have established airborne toxic concentration thresholds of exposure, including the National Research Council (NRC), the U.S. Occupational Safety and Health Administration (OSHA), the National Institute for Occupational Safety and Health (NIOSH), the National Oceanic and Atmospheric Administration (NOAA), the American Conference of Government Industrial Hygienists (ACGIH), the U.S. Department of Defense, the National Institutes of Health (NIH), the U.S. National Institute of Medicine, and the U.S. National Library of Medicine. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 Other prescriptive examples in Appendix I include section I417.3(c)(3) which requires the launch operator to use only one formulation to determine the toxic concentration threshold for mixtures of two or more toxicants, and section I417.5(c)(2), which prescribes a set of single-valued worst-case conditions that a launch operator must apply in an analysis of toxic hazard conditions for uncommon or unique propellants. Other sections of the appendix mandate specific assumptions.206 In addition to being overly prescriptive, Appendix I also contains inaccuracies and out of date information. For example, section I417.7(b) (Process hazards analysis) provides that an analysis that complies with 29 CFR 1910.119(e) satisfies section I417.7(b)(1) and (2). However, the specific requirements of 29 CFR 1910.119(e) are not completely congruent with the specific requirements of section I417.7(b)(1) and (2). In particular, the following requirements of section I417.7(b)(2) do not have counterparts in § 1910.119(e): location of the source of the release; each opportunity for equipment malfunction or human error that can cause an accidental release; and each safeguard used or needed to control each hazard or prevent equipment malfunctions or human error. Thus, if an operator chooses to satisfy § 1910.119(e), important parts of section I417.7(b)(2) may not be addressed, such as the location of the source of the release which is needed to determine the toxic hazard area necessary to achieve toxic containment. The tables in appendix I are also problematic and in many cases omit important information. For example, Table I417–1, Commonly Used NonToxic Propellants, contains only three propellants, designated as commonly used non-toxic propellants. However, this list leaves other non-toxic liquid propellants such as liquid methane or liquefied natural gas without an explicit exemption from performing a toxic release hazard analysis. The FAA proposes to consolidate the requirements for toxic release analysis for the launch of an ELV currently contained in parts 415 and 417, the 206 For example, section I417.7(e)(2), the worstcase release scenario for toxic liquids, requires an assumption that liquid spreads to one centimeter deep, and that the volatilization rate must account for the highest daily maximum temperature occurring the past 3 years precluding more severe or more realistic worst-case conditions, such as assuming the liquid spreads to a lesser depth, exposing a greater surface area for evaporation. This may not be conservative enough to provide acceptable public safety in some cases. PO 00000 Frm 00100 Fmt 4701 Sfmt 4702 launch and reentry of an RLV in part 431, and the launch of a reentry vehicle other than a reusable launch vehicle in part 435. Specifically, the FAA proposes to replace current § 417.227 and appendix I to part 417, with two performance-based regulations— proposed §§ 450.139 and 450.187. The proposed requirements would apply to all launches and reentries, and would provide more definitive application requirements for the toxic release hazard analysis. Both proposed §§ 450.139 and 450.187 would apply to launch and reentry vehicles, including all components and payloads that have toxic propellants or other toxic chemicals, making it explicitly clear that reentry operations require a toxic hazard release analysis where the requirement was not previously explicit in parts 431 and 435. The FAA decided to split the toxic release analysis regulations into two sections, one for flight and the other for ground operations, because ground operations and flight operations have different criteria available to establish an acceptable level of public safety. Specifically, the FAA proposes to apply a quantitative public risk acceptability criteria for flight consistent with the risk criteria in § 450.101 and to apply a qualitative hazard acceptability criterion for ground hazards that is consistent with the standard in § 450.109(a)(3).207 Proposed § 450.139(b)(1) would require an operator to conduct a toxic release hazard analysis. Additionally, under paragraph (b)(2) an operator would be required to manage the risk of casualties that could arise from exposure to toxic release either through containing hazards in accordance with proposed § 450.139(d) or performing a toxic risk assessment under proposed paragraph (e) that protects the public in compliance with proposed § 450.101, including toxic release. Furthermore, under proposed § 450.139(b)(3) an operator would be required to establish flight commit criteria based on the results of its toxic release hazard analysis, containment analysis, or toxic risk assessment for any necessary evacuation of the public from any toxic hazard area. Section 450.139(c) would contain the requirements for a toxic release hazard analysis, which are currently lacking in 207 Section 450.109(a)(3) would require that the risk associated with each hazard meets the following criteria: (i) The likelihood of any hazardous condition that may cause death or serious injury to the public must be extremely remote and (ii) the likelihood of any hazardous condition that may cause major damage to public property or critical assets must be remote. E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules § 417.227. Specifically, under proposed § 450.139(c) the toxic release hazard analysis would require an operator to account for any toxic releases that could occur during nominal or non-nominal launch or reentry for flight operation. Furthermore, an operator’s toxic release hazard analysis would be required to include a worst-case release scenario analysis or a maximum-credible release scenario analysis for each process that involves a toxic propellant or other chemical; determine if toxic release can occur based on an evaluation of the chemical compositions and quantities of propellants, other chemicals, vehicle materials, and projected combustion products, and the possible toxic release scenarios; account for both normal combustion products and any unreacted propellants and phase change or molecular derivatives of released chemicals; and account for any operational constraints and emergency procedures that provide protection from toxic release. While the proposed § 450.139(c) would contain more definitive requirements than current regulations, it would also provide the operator more flexibility in the analysis because unlike the current regulations it would not require an operator to make specific assumptions when performing a worst-case release scenario analysis to determine worst-case released quantities of toxic propellants, toxic liquids, or toxic gases from ground operations. Proposed § 450.139(b)(2) would require an operator to manage the risk of casualties arising from toxic release either by containing the hazards in accordance with paragraph (d) or by performing a toxic risk assessment in accordance with paragraph (e) that protects the public in compliance with the risk criteria of § 450.101. If an operator chose toxic containment to comply with proposed § 450.139(b)(2), the operator would be required to manage the risk of casualties by either (1) evacuating, or being prepared to evacuate, the public from a toxic hazard area, where an average member of the public would be exposed to greater than one percent conditional individual PC in the case of worst-case release or maximum credible release scenario, or (2) by employing meteorological constraints to limit a launch operation to times when the prevailing winds would transport a toxic release away from populated areas otherwise at risk. The conditional individual PC would be computed assuming that (1) a maximum credible release event occurs, and (2) average members of the public are present along the boundary of the toxic hazard area. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 If an operator chose to comply with proposed § 450.139(b)(2) by conducting a toxic risk assessment that protects the public in compliance with proposed § 450.101, in accordance with § 450.139(e), the toxic risk assessment would require the operator to account for airborne concentration and duration thresholds of toxic propellants or other chemicals. For any toxic propellant, other chemicals, or combustion product, an operator would be required to use airborne toxic concentration and duration thresholds identified in a means of compliance accepted by the Administrator. Currently, the thresholds set by the Acute Exposure Guideline Level 2 (AEGL–2), the Emergency Response Planning Guidelines Level 2 (ERPG–2), or the Short-term Public Emergency Guidance Level (SPEGL) 208 would be accepted means of compliance for proposed § 450.139(e)(1) (and § 450.187(d)(1)). These are thresholds designed to anticipate casualty-causing health effects from exposure to certain airborne chemical concentrations. The FAA anticipates, as discussed earlier, that additional agencies’ threshold values could satisfy the requirements and would identify any additional accepted thresholds. By requiring an operator to use airborne toxic concentration thresholds identified in a means of compliance accepted by the Administrator under proposed § 450.35, the FAA anticipates that operators would be provided with some flexibility to utilize toxic concentration thresholds identified by agencies other than the three currently identified in appendix I to part 417 thereby enhancing the capability of the operator to select the most appropriate LOC for its operation. An operator also would be required under § 450.139(e)(2) to account for physical phenomena (such as meteorological conditions and characterization of the terrain) expected to influence any toxic concentration and duration in the area surrounding the potential release site instead of prescribing a set of single-valued wind speed and atmospheric stability classes and dictating how an operator must derive the variance of the mean wind directions. Hence, under proposed § 450.139(e)(2) the toxic assessment would likely be more appropriate for the actual situation. Proposed § 450.139(e)(3) would require an operator to determine a toxic hazard area for the launch or reentry, surrounding the potential release site for 208 AEGLs are used by EPA, the American Industrial Hygiene Association’s ERPGs are used by NOAA, and the National Research Council’s SPEGL is used by the DOD. PO 00000 Frm 00101 Fmt 4701 Sfmt 4702 15395 each toxic propellant or other chemical based on the amount and toxicity of the propellant or other chemical, the exposure duration, and the meteorological conditions involved. Finally, under proposed § 450.139(e)(4) and (5) the toxic assessment would be required to account for all members of the public that may be exposed to the toxic release, including all members of the public on land and on any waterborne vessels, populated offshore structures, and aircraft that are not operated in direct support of the launch or reentry, and for any risk mitigation measures applied in the risk assessment. In many respects, proposed §§ 450.139 and 450.187 are nearly identical, and the rationale behind the revisions proposed in § 450.139 would be the same for proposed § 450.187. As discussed previously, proposed § 450.187 would apply to any launch or reentry vehicle, including all vehicle components and payloads, that uses toxic propellants or other toxic chemicals. Like § 450.139, § 450.187(b) would require a toxic hazard analysis. Under the proposed rule an operator would be required to manage risk from a toxic release hazard or demonstrate compliance with proposed § 450.109(a)(3) 209 with a toxic risk assessment. The requirements for a toxic risk assessment under proposed § 450.187(e) are substantially similar to those of proposed § 450.139, except that ground operations use a qualitative acceptability criteria and flight operations can use quantitative risk criteria. FAA has not proposed quantitative criteria for ground operations because there are no commonly accepted criteria. The proposed application requirements under § 450.139(f) toxic hazards for flight and under § 450.187(e) for ground operations would be similar. The FAA believes that the proposed approach will provide applicants with a clear understanding of what the FAA requires in order to avoid repeated requests for clarifications and additional information. Both would require the applicant to submit: (1) The identity of the toxic propellant, chemical, or toxic combustion products or derivatives in the possible toxic release; (2) its selected airborne toxic concentration and duration thresholds; (3) meteorological conditions for the atmospheric 209 As discussed earlier, § 450.109(a)(3) would require that the risk associated with each hazard meets the following criteria: (i) The likelihood of any hazardous condition that may cause death or serious injury to the public must be extremely remote and (ii) the likelihood of any hazardous condition that may cause major damage to public property or critical assets must be remote. E:\FR\FM\15APP2.SGM 15APP2 15396 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 transport, and buoyant cloud rise of any toxic release from its source to downwind receptor locations; (4) characterization of the terrain; (5) the identity of the toxic dispersion model used, and any other input data; (6) representative results of toxic dispersion modeling to predict concentrations and durations at selected downwind receptor locations; (7) a description of the failure modes and associated relative probabilities for potential toxic release scenarios used in the risk evaluation; (8) the methodology and representative results of the worst-case or maximum-credible quantity of any toxic release; (9) a demonstration that the public will not be exposed to airborne concentrations above the toxic concentration and duration thresholds; (10) the population density in receptor locations that are identified by toxic dispersion modeling as toxic hazard areas; and (11) a description of any risk mitigations applied in the toxic risk assessment; and (12) the identity of the population database used. Like other risk analyses, the FAA may request additional products that allow the FAA to conduct an independent analysis. 15. Wind Weighting for the Flight of an Unguided Suborbital Launch Vehicle The FAA proposes to consolidate three current part 417 provisions expressly regulating unguided suborbital launch vehicle operations into § 450.141. The proposed rule would retain the performance requirements and remove the prescriptive provisions in §§ 417.125 and 417.233. The FAA also proposes to incorporate the overarching safety performance requirements in appendix C to part 417 related to wind weighting analysis products. This proposal applies specifically to the flight of unguided suborbital launch vehicles using wind weighting to meet the public safety criteria of proposed § 450.101. An unguided suborbital launch vehicle is a suborbital rocket that does not contain active guidance or a directional control system. Unlike the launch of a guided launch vehicle, an unguided suborbital launch vehicle may safely fly by adjusting the launcher azimuth and elevation (aiming the rocket) shortly before launch to correct for the effects of wind conditions at the time of flight. This process limits impact locations to those that minimize public exposure. The FAA refers to this safety process as ‘‘wind weighting,’’ which involves unique organizational and operational safety requirements. Section 417.125 provides the broad requirements for launching an unguided suborbital launch vehicle. Specifically, VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 it lays out provisions for a flight safety system, a wind weighting safety system, public risk criteria, stability, tracking, and post launch review. Section 417.125(b) requires an applicant to use an FSS if the vehicle can reach a populated area and the applicant does not use an effective wind weighting system. Section 417.125(c) sets requirements for a wind weighting system if that system is used in place of an FSS. It provides that the vehicle must not contain a guidance or directional control system. It also requires the launcher azimuth and elevation setting to be wind weighted to correct for the effects of wind conditions at the time of flight in compliance with § 417.233’s FSA requirements, and requires specific nominal launcher elevation angle for proven (85°, and 86° with wind correction) and unproven (80°, and 84° with wind correction) unguided suborbital launch vehicles. These prescriptive launch elevation angles are used so that the vehicle does not fly uprange. In other words, the rocket should not be angled so vertically that winds could force the rocket uprange instead of the intended downrange direction. Section 417.125(d) expressly requires unguided suborbital launch vehicles to fly in accordance with the public risk criteria required for all launch vehicles under part 417. In addition, the current rule has stability, tracking, and post-launch review requirements that are specific to unguided suborbital launch vehicles. Section § 417.125(e) requires specific stability requirements measured in calibers to ensure that the unguided suborbital launch vehicle is stable throughout flight. The tracking requirements in § 417.125(f) require that a launch operator track impact locations after launch to verify that the preflight wind weighting analysis was accurate. Section 417.125(g) is related to postlaunch review and states that the launch operator must provide these impact locations, a comparison of actual to predicted nominal performance, and investigation results of any launch anomaly. Current § 417.233 describes the FSA requirements particular to unguided suborbital launch vehicles with wind weighting systems. The analyses must establish flight commit criteria, wind constraints under which launch may occur, and launcher azimuth and elevation settings that correct for wind effects on the launch vehicle. This last requirement is known as the wind weighting analysis. Appendix C to part 417 contains flight safety methodologies and products for an unguided suborbital launch vehicle PO 00000 Frm 00102 Fmt 4701 Sfmt 4702 flown with a wind weighting safety system. These includes methodologies and products for a trajectory analysis, a wind weighting analysis, a debris analysis, a risk analysis, and a collision avoidance analysis. Section C417.3 requires the launch operator perform a six-degrees-of-freedom trajectory simulation in order to determine a nominal trajectory, impact point, and potential three-sigma dispersions about the nominal impact point. Section C417.5 is related to wind weighting and describes the methodology an applicant must use to measure winds and incorporate them into the trajectory simulation in order to determine launch elevation angle and azimuth settings. The debris (section C417.7) and risk (section C417.9) analyses describe methodologies and analysis products applicable to all launch vehicles for calculating EC. The parts of appendix C that are covered elsewhere in the proposed rule because they are applicable to all vehicles have not been transferred to proposed § 450.141. This includes the debris, risk, and collision avoidance analyses. Proposed § 450.141 would consolidate the requirements of §§ 417.125 and 417.233 and appendix C, but would not carry over the detailed methodological and prescriptive requirements. Proposed § 450.141(a) would explain that the section applies to the flight of an unguided suborbital launch vehicle using a wind weighting safety system to meet the public safety criteria of proposed § 450.101. The FAA proposes to define a wind weighting safety system as equipment, procedures, analysis, and personnel functions used to determine the launcher elevation and azimuth setting that correct for wind effects that an unguided suborbital launch vehicle will experience during flight. The FAA proposes the wind weighting safety system be a means to satisfy the safety requirements in proposed § 450.101. Proposed § 450.141(b) would set the requirements for the wind weighting safety system. It would require that the launcher azimuth and elevation angle settings (1) be wind weighted to correct for the effects of wind conditions at the time of flight to provide a safe impact location, and (2) ensure the rocket will not fly in an unintended direction given wind uncertainties. This section would replace current § 417.125(b), which requires a flight safety system unless the vehicle uses wind weighting or does not have sufficient energy to reach a populated area. Rather than the blanket FSS requirement in current § 417.125(b), the consequence analysis in proposed § 450.135(d) would determine the need E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules for an FSS. This section also eliminates the requirement in § 417.125(c)(3) regarding specific nominal launcher elevation angle for proven (85° and 86° with wind correction) and unproven (80° and 84° with wind correction) vehicles to prevent the vehicle from flying uprange. Rather than requiring specific launcher elevation angles to prevent a vehicle from flying uprange, the FAA would require an operator to determine what angles would ensure the rocket not fly in unintended direction given wind uncertainties. This flexibility would allow a licensee to determine the best angle to both maximize mission objectives given the particularities of their operation while simultaneously ensuring safety. Proposed § 450.141(c) would contain FSA performance requirements that apply only to the launch of an unguided suborbital launch vehicle flown with a wind weighting safety system. It is necessary to establish the flight commit criteria and other flight safety rules to control risk to the public and satisfies the public safety criteria in proposed § 450.101. Proposed § 450.141(c) would require an operator to establish any wind constraints under which launch could occur, and conduct a wind weighting analysis that establishes the launcher azimuth and elevation settings. Proposed § 450.141(c) is, in essence, the same as § 417.233. Proposed § 450.141(d) would require an unguided suborbital launch vehicle to remain stable in all configurations throughout each stage of powered flight. This performance outcome would eliminate the need for the specific prescriptive stability requirements of current § 417.125(e), which requires a suborbital launch vehicle be stable in flexible body to 1.5 calibers and rigid body to 2.0 calibers throughout each stage of powered flight. Finally, proposed § 450.141(e) would establish the agency’s application requirements specific to unguided suborbital launch vehicles. The FAA would require a description of wind weighting analysis methods, description of wind weighting system and equipment, and a sample wind weighting analysis, all derived from part 417, appendix C, section C417.5(d). The remainder of appendix C was not included in the proposal because these are all prescriptive methodologies, or are requirements applying to all launch vehicles covered in other sections of the proposal. For instance, the Trajectory Analysis of section C417.3 would be covered by proposed §§ 450.117 and 450.119. Except for section C417.5(d) as described earlier, section C417.5 was not included in the proposal since this VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 is a prescriptive methodology. The methodologies for debris analysis from section C417.7 are not in the proposal and the debris analysis proposal would now be in proposed § 450.121. Similarly, section C417.9 would be covered by proposed § 450.135 without the prescribed methodologies. Lastly, the collision avoidance section of the appendix, section C417.11 would be covered by proposed § 450.169. B. Software As discussed earlier, the FAA proposes software safety requirements in § 450.111. The risk mitigation measures that result from this rule are meant to be minimums, and software development processes tend to benefit from consistency across projects, so an applicant may apply the requirements from its most critical software to all of its software, but the FAA does not require that an applicant do so. Software can contribute to accidents or losses in several ways. Software may contain errors that, in certain system conditions, cause unintended behaviors or prevent intended behaviors. Software may also perform actions that while correct and intended in isolation, cause hazards when interacting with other components or the system as a whole. Software may provide accurate information to an operator in a manner that confuses the operator, leading to a software-human interaction error. Software safety therefore typically requires separate analyses of the software, software and computing system interaction, and the integration of software, hardware, and humans into the entire system. Software becomes safety-critical when the applicant uses its outputs in safety decisions. The development, validation, and evaluation of safety-critical software requires a level of rigor commensurate with the severity of the potential hazards and the software’s degree of control over those hazards. Reliance on software differs among operators. For example, some launch systems employ Autonomous Flight Safety Systems (AFSS) that rely on rigorouslydeveloped and thoroughly-tested software to make safety decisions to protect the public without human intervention. Other systems require human intervention to make safety decisions, such as when a pilot or ground transmitter operator must make decisions for launch systems. Current FAA licensing regulations segregate software safety requirements by type of vehicle (ELV, RLV, or reentry PO 00000 Frm 00103 Fmt 4701 Sfmt 4702 15397 vehicle) in three separate sections.210 Current software safety regulations in parts 415, 417, and 431 are flexible. With this flexibility comes uncertainty. For example, § 415.123(b) requires that a launch operator provide all plans for software development, the results of software hazard analyses, and plans and results of software validation and verification, but does not give guidance on the minimum-acceptable levels of rigor for those products or guidance on their contents. The FAA and the operator must determine the appropriate level of rigor, scope, and content of each plan and result for each operation. This process can be labor-intensive, requiring multiple meetings over a period of weeks or months. Also, § 417.123(c), applicable to ELVs, requires that a launch operator conduct computing system and software hazard analyses for the integrated system. This requirement does not specify the requisite forms of the analyses, the scope and contents of the analyses, or the application data required to demonstrate compliance with the requirement. The FAA and the applicant must negotiate the specifics for each of those items for every application. Similarly, § 417.123(d) requires that a launch operator develop and implement computing system and software validation and verification plans, but is silent regarding the contents of the plans. This again requires that the FAA and the applicant discuss, often at length, the software test plans for every operation. Unlike §§ 415.123 and 417.123, § 431.35 does not contain any explicit references to software safety. However, in practice, the FAA has set software safety requirements under the current system safety process requirements in § 431.35(c). Pursuant to § 431.35(c), the FAA has required applicants satisfy § 417.123 or demonstrate an equivalent level of safety, in order to meet § 431.35 for software safety. This lack of detail forces the FAA and applicant to work collaboratively to develop the system safety process criteria on a case-by-case basis. Operators have offered consistent feedback on the FAA’s software safety requirements. Applicants frequently asked whether §§ 417.123(b) and 431.35(c)’s verification and validation plan requirement included a requirement for independent verification and validation. Independent verification and validation is a common 210 Part 415 covers launch license application procedures for ELVs; part 417 addresses launch safety requirements for ELVs, and part 431 sets launch license and safety requirements for RLVs. E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15398 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules and effective method of mitigating software hazards for high-criticality software, one for which there is no known substitute. Thus, although not explicitly stated in the regulations, the FAA has required independent verification and validation as part of the verification and validation requirements in §§ 417.123(b) and 431.35(c). The FAA considers software testers independent when the test organization is independent of the development organization up to the senior-executive level. Generally, an in-house software testing team can be sufficiently independent to perform a credible independent verification and validation function when rigorously insulated from software development authorities and incentives. Still more independence may be required for highly safetycritical autonomous software, such as an independent contractor, depending on the risks and the other mitigation measures implemented by the applicant. The FAA has required at least independence up to the seniormanagement level and expected an applicant to show evidence of this independence in its application. Applicants have also often asked whether the FAA requires submissions of software code. The FAA has not historically required executable code submissions and does not plan to do so in this proposal. Instead, the FAA’s requirements focus on the software development and testing processes, combined with analysis of the software’s use in the context of the system as a whole. Firstly, the FAA seeks to understand the software development processes used for the design, production, verification, and qualification of software to determine the code quality. Proposed § 450.111(a), (b), and (c) would provide these general software process requirements that are independent of the degree of control exercised by a given software component. Secondly, the FAA must understand the impacts of the software on the system as a whole. It is important to understand design risks, which are those risks inherent to the software design and architecture; and also process risks, which arise from the software development processes and standards of the applicant. The FAA uses these two components, process and implementation, to evaluate software components and processes for the appropriate level of rigor. The FAA must also understand the relationship between software actions and system risks to set the appropriate level of rigor. Establishing the required level of rigor and understanding its implementation form the basis of VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 software safety determinations. Configuration management, including version control, then ensures the operator uses the intended processes and functionality for the correct software in the system’s operation. Applicants have often sought help in determining whether software is safetycritical in accordance with §§ 417.123(b) and 415.123(a). For instance, operators sometimes use software to generate information used in safety-critical decisions, such as initiating a deorbit burn. The FAA has consistently found software that generates information used in safety-critical decisions to be safetycritical software, albeit with a low degree of control over the system. Applicants have also asked whether the FAA requires redundant processing such as running a second instance of a software component on a second independent computer, and if so, the required level of risk. The FAA has made such determinations based on the hazards involved and on the software’s degree of control over those hazards. The FAA has chosen not to prescribe a requirement for redundant processing because such a requirement is best derived from the applicant’s individual approach to hazard mitigation at the system level. Redundant copies of identical software contain identical software faults, so redundant processing is best described as a mitigation for hardware failures. The proposal would allow for software without redundant processing whenever processing redundancy is not necessary to achieve acceptable risk. For example, the FAA may not require redundant processing in fail-safe systems, low-criticality systems, or where hardware ensures software processing integrity by using hardware features such as watchdog timers or error-correcting memory. In light of the range of design strategies between commercial space operators, the FAA realized that a onesize-fits-all approach to software safety would not be practical. Instead, in proposed § 450.111(d) through (g) the FAA would establish requirements for each safety category of software. The safety categories, commonly known in the software safety industry as ‘‘levels of rigor’’ or ‘‘software criticality indexes,’’ would range from autonomous software with catastrophic hazards to software with no safety impact. Applicants may rely upon Federal launch range standards to show compliance with the proposed rule, provided the standards meet the regulations. The FAA maintains awareness of the Federal launch range safety standards through the CSWG. The FAA currently incorporates the known PO 00000 Frm 00104 Fmt 4701 Sfmt 4702 and coordinated standards maintained by the Federal launch ranges into FAA licensing in order to avoid duplication of effort. The Federal launch ranges have an extensive launch safety history, and their standards meet or exceed the level of safety required by the FAA. The FAA intends to retain the ability to apply Federal launch range safety standards toward license evaluation and issuance. In developing this proposed rule, the FAA has tried to remain consistent with prevalent industry standards related to the ‘‘level of rigor’’ approach to software safety. Specifically, the FAA has used the level of rigor approaches applied by the Department of Defense and NASA to inform the FAA’s proposed level of rigor approach to software safety regulation. The FAA proposes to use the Department of Defense’s MIL–STD– 882E concept of ‘‘level of rigor’’ to categorize software according to the amount of risk it presents to the operation and use its ‘‘level of rigor tasks’’ to derive appropriate regulatory requirements for each level of rigor. MIL–STD–882E uses a software hazard severity category with a software control category to assign level of rigor tasks to software. This method has proven successful in achieving an acceptable level of safety for space operations. The FAA also used RCC 319, Flight Termination Systems Commonality Standard, to develop the requirements for autonomous software in proposed § 450.111(d). RCC 319–14 provides detailed software requirements for autonomous flight safety systems, which have been extensively reviewed by the space community. RCC 319–14 creates software categories that combine hazard severity and degree of control in a single step, and provides deep detail on the appropriate risk reduction tasks for each category. AFSPCMAN 91–712 (draft) is the source of RCC 319–14’s software categories and risk reduction tasks. The FAA also reviewed NASA’s Software Safety Standard (NASA–STD– 8719.13C), which provides standards applicable to defining the requirements for implementing a systematic approach to software safety. Like RCC 319–14, NASA–STD–8719.13C combines software hazard’s severity with the software’s degree of control to assign analysis and testing tasks. However, NASA expands its software control category definitions to include software autonomy, software complexity, timecriticality, and degree of hazard control. The FAA also considered NASA’s Software Assurance Standard (NASA– STD–8739.8), which provides criticality, risk, resource investment, and financial impact categorizations and correlates E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules these to levels of software assurance effort. These two NASA documents provided the FAA with a wealth of potential software safety requirements and methods to determine the requirements that would be most appropriate for a variety of space systems. These documents also provided a checklist of key aspects of software projects that enable software safety. The FAA has drawn from these documents the minimum set of requirements that would enable space operators to protect the public, and the minimum set of data that would enable the FAA to verify that space operators will protect the public in the course of their innovations. Finally, the FAA reviewed the Air Force Space Command’s draft 91–712, Launch Safety Software and Computing System Requirements. The Air Force has successfully used 91–712 for military space projects and it is the source of many RCC 319–14 requirements. 91–712, and the standards discussed earlier, all prescribe increasing the effort devoted to software safety in proportion to the severity of the hazards that software can create and in proportion to the degree of control that software exercises over those hazards. The proposed software safety regulations would categorize software and computing functions into the following degrees of control as defined in proposed § 450.111(d) through (g): Autonomous software, semiautonomous software, redundant faulttolerant software, influential software, and no safety impact. This proposal for software safety would address the causes of software faults and software failures. Software faults are design flaws in software that cause unintended behaviors or prevent intended behaviors. Software faults include errors in syntax, definitions, steps, or processes that can cause a program to produce an unintended or unanticipated result. The presence of software faults might not always result in an observable software failure that is evident to the user because it may appear to be behaving properly. A software failure, in contrast, is an unintended or undesirable event caused by, or unintentionally allowed by, one or more software faults. A software fault is a defect or vulnerability in software while a software failure results from the execution of faulty software.211 211 An example of a software failure is the ‘‘blue screen of death,’’ which causes a computer to end all processing. An example of software fault is a fault in requirements for measurement units and a fault in test procedures. The Mars Climate Orbiter was lost as a result of these two faults when one VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 This proposal would address faults in software requirements by analytical means in proposed § 450.111. Specifically, the proposal would require an applicant to describe the functions and features, including interfaces, of the software. The FAA has interpreted the need to describe software to include providing the software requirements for each safety-critical software component even though not explicitly required by § 431.35 or § 417.123. The proposal therefore codifies current practice. Software requirements are an excellent, even indispensable, means of understanding any software component’s safety implications. Software requirements, both documented and implied, are the basis of the software design and constitute a key part of § 417.123(a) through (e) requirement for software designs. The FAA proposes to clarify the necessity and scope of software requirements that would be required to be included in an application in proposed § 450.111(h). Software requirements would need to be documented and analyzed whenever safety-critical software is present.212 Software requirements are frequently inherited from system requirements, and both must be internally and mutually consistent and valid for the resulting software to work safely. A system-level hazard analysis finds out what hazards software presents to the system. The software analyses can use the system-level analyses as initial assessments of software’s criticality when starting software safety analyses. If software requirements are flawed, the software written to those software requirements will be flawed as well. This causal path, where software faults originate in software requirements, is the reason for the proposal’s focus on identification, documentation, validation, and verification of software requirements. This proposal addresses faults in implementation by requiring specific types of software verification and validation testing in proposed § 450.111(d)(4), (e)(4), (f)(3), and (g)(2). This proposal would clarify the required types of software verification and validation testing that are required under current §§ 417.123(d) and 415.123(b)(8).213 Verification and validation are standard aspects of a function was written in English units while the rest were written in metric. 212 Implied or undocumented software requirements are common sources of software faults. 213 Examples of testing include unit testing to verify some of the smallest units of code, such as functions, and acceptance testing to validate highlevel software requirements. PO 00000 Frm 00105 Fmt 4701 Sfmt 4702 15399 software development cycle and are used together to determine that software meets its intended purpose. In this context, verification refers to ensuring software meets the software requirements and design specifications. Validation ensures that the software achieves its intended purpose.214 While testing does not ensure the absence of software faults, it helps detect and therefore reduce their presence. The proposal would address faults in configuration with explicit requirements to establish and verify software configuration management processes. Configuration management is the set of processes that ensure that the flight components, including software components, are the correct components with the appropriate development and test heritage. Faults in configuration management can lead to unsuitable or incompatible components in a system, resulting in an increased potential for unintended and unsafe system actions. Proposed § 450.111(a) would require operators to document a process that identifies the risks to the public health and safety and the safety of property arising from computing systems and software. This is consistent with the § 417.123(a) requirement for a description of the computing system and software system safety process. It adds no more requirements than part 415 because § 415.123(b)(6) requires an applicant to describe the computing system and software system safety process as required by § 417.123(a). Unlike § 431.35(c), proposed § 450.111(a) specifically mentions computing systems and software as items to be included in the system safety process. Proposed § 450.111(b) would require an operator to identify all safety-critical functions associated with its computing systems and software. The 10 listed functions are a minimum set of items to include whenever they are present in a system, because they represent the most common safety-critical roles in which software can be employed. For example, software used to control or monitor safety-critical systems is capable of hazardous actions by definition. Similarly, software that accesses safetycritical data is safety-critical because it may alter safety-critical data or prevent other components from accessing safetycritical data at required times. The software safety process must then demonstrate that the software that accesses safety-critical data cannot 214 Verification takes place while the software is under development while validation is performed after completing software development and implementation. E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15400 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules cause a hazard by doing so. These requirements are the same as in the current § 417.123(b), with the addition of one new criterion for software that displays safety-critical information. Proposed § 450.111 would retain the requirement of § 417.123(b) for the identification of safety-critical functions. The proposal would add detail and clarity to this requirement, specifying that the identified functions must be accompanied by assessments of the criticality of each software function. This is normally done by assessing the consequences of a functional failure or error and assessing the degree of control that the software can exercise to implement the function. The proposal would retain the examples of software that may have safety-critical functions, with the expectation that the full list of safety-critical functions is not limited to the examples. It differs from § 415.123(b), which describes the documents and materials that the applicant must provide, whereas proposed § 450.111(b) would list the safety-critical computing system and software functions that must be identified and would not list the application requirements in the same section. The proposal would depart from § 431.35(d)(3) by specifically requiring the applicant to identify all safety-critical functions associated with its computing systems and software instead of implicitly requiring the identification of safety-critical software as part of the process of identifying safety-critical systems. Proposed § 450.111(c) would require the identification of safety-critical software functions by consequence and degree of control. It would elaborate on the requirements of §§ 415.123(a) and 417.123(a), which require the identification and assessment of the software risks to public safety by specifying that the assessments must include the public safety consequences of each safety-critical software function and the degree of control that software exercises over the performance of that function. Proposed § 450.111(c) would provide the classification for the applicants to use while the application requirements are contained in proposed § 450.111(h). Requiring software degree of control would allow the FAA to request less information for software components with reduced or no influence on public safety. The proposal would differ from § 431.35 by explicitly requiring identification of software hazards by function and specifying the documentation requirements related to computing systems and software in proposed § 450.111(h). Even though this VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 language is different from § 431.35, this is not a new requirement. The requirements in the proposal vary based on the software degree of control and degree of hazard presented. The first and highest degree of control is autonomous software. Autonomous software would mean software that exercises autonomous control over safety-critical systems, subsystems, or components such that a control entity cannot detect or intervene to prevent a hazard that may impact public health and safety or the safety of property. It is any software that can act without an opportunity for meaningful human intervention. The FAA would impose the most stringent requirements for autonomous software with potential catastrophic public safety consequences. Proposed § 450.111(d) would set forth five criteria specific to autonomous software. Under proposed § 450.111(d)(1), the software component would be required to undergo full path coverage testing and any inaccessible code must be documented and addressed. Full path coverage testing is a systematic technique for ensuring that all routes through the code have been tested. Path coverage testing includes decision, statement, and entry and exit coverage. Proposed § 450.111(d)(1) would retain and clarify the current requirements in § 431.35(d). Full path coverage testing and documentation of inaccessible code would be required for autonomous components because the presence of inaccessible code segments presents a potential for the execution of untested instructions, which is obviously deleterious for an autonomous system that, by definition, depends on the correctness of its instructions for safe operation. Under proposed § 450.111(d)(2), the software component’s functions would be required to be tested on flight-like hardware. Testing would be required also to include nominal operation and fault responses for all functions. The proposal would retain and clarify the current requirements in §§ 431.35(d) and 415.123(b)(8). Testing software components on flight-like hardware, including nominal operation and fault responses, is an industry standard for ensuring that the software interfaces with the hardware as designed. All autonomous safety-critical components require this testing. Under proposed § 450.111(d)(3), an operator would be required to conduct hazard analyses of computing systems and software for the integrated system and for each autonomous, safety-critical software component. A software hazard analysis identifies those hazards PO 00000 Frm 00106 Fmt 4701 Sfmt 4702 associated with safety-critical computer system functions, assesses their risk, identifies methods for mitigating them, and specifies evidence of the implementation of those mitigation measures. This requirement is currently in §§ 415.123(b)(7), 417.123(c), and 431.35(d)(4). All software components, regardless of degree of control, require this analysis for the integrated system. This analysis is also required for each autonomous, safety-critical software component. Hazard analyses provide the essential foundation for risk assessment and management of any system. This analysis is necessary throughout the lifecycle of the system, from development to disposal. As a system is modified during design, operation, and maintenance, changes to any part of the system can lead to unexpected consequences that may incur new hazards to public safety. It is important to consider risks that result from software and computing errors as a class or subsystem, as well as those resulting from the operation and interaction of software with all other components of the system. Proposed § 450.111(d)(4) would require an operator to validate and verify any computing systems and software. Current §§ 415.123(b)(8) and 417.123(d) already require verification and validation although this proposed rule would add the requirement that testing be conducted by testers who are independent from the software developers. Independence is essential because it enables testing of cases and conditions that the software developers may not have considered or may have inadvertently omitted. Under proposed § 450.111(d)(5), an operator would be required to develop and implement software development plans as currently required in §§ 415.123(b)(9) and 417.123(e)(1) through (5). A software development plan is a means to consolidate and standardize the management of a software development process. These plans would include descriptions of coding standards used, configuration control, programmable logic controllers, and policies on use of commercial-offthe-shelf software and software reuse. It would be updated as necessary throughout the lifecycle of the project, and may be comprised of one or several documents. The configuration control of a software development project is particularly important to ensure and facilitate an efficient and accurate development process. Therefore, the proposal would retain the existing, if implicit, requirements of § 417.123(e)(2) to limit faults in configuration by E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules requiring robust configuration management. Proper configuration management ensures consistency and accuracy throughout a system’s design, development, operation, and maintenance. In software engineering terms, it is a fundamental aspect of a disciplined approach to the software lifecycle that provides a continuously current baseline for the system. The FAA would set configuration management requirements for all safetycritical documentation and code, including but not limited to software requirements, hazard analysis, test plans, test results, change requests, and development plans. Tools, processes, and procedures for configuration management are employed throughout the software industry. Proposed § 450.111(e) would apply to semi-autonomous software, with a definition nearly identical to that stated in MIL–STD–882E. The FAA regards semi-autonomous software as software that exercises control over safety-critical hardware systems, subsystems, or components, allowing time for safe detection and intervention by a control entity. The software safety requirements for semi-autonomous software are a subset of those required for autonomous software as described in proposed § 450.111(d). Under proposed § 450.111(e)(1), the software component’s safety-critical functions, as categorized by the process in proposed § 450.111(a), (b), and (c), would be required to be subjected to full path coverage testing and any inaccessible code must be documented and addressed. Proposed § 450.111(e)(1) would retain and clarify current § 431.35(d) as described in proposed § 450.111(d)(1). The rationale for proposed § 450.111(e)(1) and (d)(1) are identical. Under proposed § 450.111(e)(2), the semi-autonomous software component’s safety-critical functions would be required to be tested on flight-like hardware, including testing of nominal operation and fault responses for all safety-critical functions. Proposed § 450.111(e)(2) would also retain and clarify the current requirements in § 431.35(d) as described in proposed § 450.111(d)(2). Under proposed § 450.111(e)(3), an operator would be required to conduct computing system and software hazard analyses for the integrated system. The proposal would retain the requirement of conducting computing system and software hazard analyses that exists in current §§ 415.123(b)(7), 417.123(c), and 431.35(d)(4). All software components, regardless of level of control, would require this analysis for the integrated VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 system. The rationale for proposed § 450.111(e)(3) and (d)(3) are identical. Under proposed § 450.111(e)(4), an operator would need to verify and validate any computing systems and software related to semi-autonomous software as described earlier, with the associated rationale, for autonomous software relative to proposed § 450.111(d)(4). This verification and validation would be required to include testing by a test team independent of the software development division or organization. This would retain the requirement for verification and validation of computing systems and software, including testing by an independent test team, as currently required in §§ 415.123(b)(8) and 417.123(d). Under proposed § 450.111(e)(5), an operator would be required to develop and implement software development plans as currently required in §§ 415.123(b)(9) and 417.123(e)(1) through (5). The rationale for proposed § 450.111(e)(5) and (d)(5) are identical. Proposed § 450.111(f) would apply to redundant fault-tolerant software, which is defined as software that exercises control over safety-critical hardware systems, subsystems, or components, for which a non-software component must also fail in order to impact public health and safety or the safety of property.215 There are redundant sources of safetysignificant information, and mitigating functionality can respond within any time-critical period. The proposal would include four criteria for redundant fault-tolerant software. Proposed § 450.111(f)(1) is consistent with the second criteria for autonomous and semi-autonomous software in proposed § 450.111(d)(2) and (e)(2), in that the software component’s safetycritical functions would be required to be tested on flight-like hardware, including testing of nominal operation and fault responses for all safety-critical functions. The proposal would retain and clarify the current requirements in § 431.35(d). Proposed § 450.111(f)(2) would repeat the third criteria for autonomous and semi-autonomous software as described in proposed § 450.111(d)(3) and (e)(3). It would require that an operator conduct computing system and software hazard analyses for the integrated system. The proposal would retain the requirement of conducting computing system and software hazard analyses that exists in 215 MIL–STD–882E elaborates that the definition of redundant fault-tolerant assumes that there is adequate fault detection, annunciation, tolerance, and system recovery to prevent the hazard occurrence if software fails, malfunctions, or degrades. PO 00000 Frm 00107 Fmt 4701 Sfmt 4702 15401 the current §§ 415.123(b)(7), 417.123(c), and 431.35(d)(4). All software components, regardless of level of control, would require this analysis for the integrated system. The rationale for this part is the same as that for proposed § 450.111(d)(3). Under proposed § 450.111(f)(3), an operator would be required to verify and validate any computing systems and software related to redundant faulttolerant software as described earlier, with associated rationale, for autonomous software related to proposed § 450.111(d)(4) and semiautonomous software in proposed § 450.111(e)(4). This verification and validation would be required to include testing by a test team independent of the software development division or organization. This would retain the requirement for verification and validation of computing systems and software, including testing by an independent test team, as currently required under §§ 415.123(b)(8) and 417.123(d). Under proposed § 450.111(f)(4), an operator would be required to develop and implement software development plans as currently required under §§ 415.123(b)(9) and 417.123(e)(1) through (5). The same rationale applies here as for proposed § 450.111(d)(5) and (e)(5). Proposed § 450.111(g) would apply to software that provides information to a person who uses the information to take actions or make decisions that can impact public health and safety or the safety of property, but does not require operator action to avoid a mishap. Influential software provides information that is used in safetycritical decisions, but cannot cause a hazard on its own. The proposal would include three criteria for influential software. Proposed § 450.111(g)(1) would require an operator to conduct computing system and software hazard analyses for the integrated system. The proposed rule would retain the requirement of conducting computing system and software hazard analyses that exists in the current §§ 415.123(b)(7), 417.123(c), and 431.35(d)(4). All software components, regardless of level of control, would require this analysis for the integrated system. The rationale for this proposed section is the same as that for proposed § 450.111(d)(3). Proposed § 450.111(g)(2) would require an operator to verify and validate any computing systems and software related to influential software. This verification and validation would be required to include testing by a test E:\FR\FM\15APP2.SGM 15APP2 15402 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules team independent of the software development division or organization. This would retain the requirement for verification and validation of computing systems and software, including testing by an independent test team, as currently required under §§ 415.123(b)(8) and 417.123(d). The rationale for this proposed section is the same as that for proposed § 450.111(d)(4). Proposed § 450.111(g)(3) would require an operator to develop and implement software development plans as required in existing §§ 415.123(b)(9) and 417.123(e)(1) through (5). The same rationale applies here as for proposed § 450.111(d)(5), (e)(5), and (f)(4). Proposed § 450.111(h) would retain the application requirements of §§ 415.123 and 417.123, but would vary in the required amount of detail according to the level of control of the software. The amount of application materials would depend on the software component’s risk to safety. The proposal would differ from § 431.35 by expressly requiring documentation related to computing systems and software. This requirement was implicit in § 431.35 and the FAA has requested these documents in practice. The FAA would require descriptions of software components with no safety impact but would not impose process requirements. This information would be required to supplement the vehicle description requirements contained elsewhere in this proposal. It would also lead to a shared understanding of the systems and components that do not have known safety significance allowing the FAA only cursorily to review those systems during the license application evaluation without undue concern over undocumented systems, functions, or features. amozie on DSK9F9SC42PROD with PROPOSALS2 C. Changes to Parts 401, 413, 414, 420, 437, 440 1. Part 401—Definitions The FAA proposes to modify definitions in parts 401, 414, 417, 420, 437, and 440. This would include adding new definitions to or modifying current definitions in § 401.5 (Definitions) to align with the new proposed regulations. The FAA also proposes to clarify and move some of the definitions that are currently in part 417 to proposed part 450. Also, the proposal would not retain some of the definitions currently in part 417. Finally, the FAA proposes to remove various current definitions from §§ 401.5 and 420.5. The FAA proposes to add new definitions to § 401.5. These definitions VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 would be necessary additions to accompany the proposed part 450 requirements, especially in the area of flight safety analysis. Proposed §§ 450.113 through 450.139 would require the addition of ‘‘Casualty Area,’’ ‘‘Critical Asset,’’ ‘‘Deorbit,’’ ‘‘DoseResponse Relationship,’’ ‘‘Disposal,’’ ‘‘Effective Casualty Area,’’ ‘‘Expected Casualty,’’ ‘‘Flight Abort,’’ ‘‘Flight Abort Rules,’’ ‘‘Flight Hazard Area,’’ ‘‘Liftoff,’’ ‘‘Limits of a Useful Mission,’’ ‘‘Orbital Insertion,’’ and ‘‘Probability of Casualty.’’ Most important within that group are ‘‘Critical Asset,’’ which is driven by proposed protection criteria for assets that are essential to the national interests of the United States, and ‘‘Disposal,’’ which is driven by proposed upper stage disposal risk criteria. The other terms and associated definitions that would be added to support proposed §§ 450.113 through 450.139 are referenced in the proposed FSA requirements. The proposed system safety regulations would require the addition of the following terms and associated definitions: ‘‘Hazard Control’’ and ‘‘Launch or Reentry System.’’ Proposed § 450.101(a)(1) and (b)(1) would require a definition for ‘‘Neighboring Operations Personnel’’; proposed § 450.107(b) would require a clear definition of ‘‘Physical Containment’’; proposed § 450.111 would require a definition for ‘‘Control Entity’’ and ‘‘Software Function’’; proposed §§ 450.139 and 450.187 would require a definition for ‘‘Toxic Hazard Area.’’ Proposed § 450.101(c) would require the addition of ‘‘Vehicle Response Mode.’’ The collision avoidance requirements in proposed § 450.169 would require the addition of ‘‘Reentry Window’’ and ‘‘Window Closure’’ to § 401.5, while the unguided suborbital requirements in proposed § 450.141 would require the addition of ‘‘Unguided Suborbital Launch Vehicle’’ and ‘‘Wind Weighting Safety System.’’ These new definitions are discussed in detail in corresponding sections of this preamble, including the proposed meaning and usage. Current § 401.5 definitions that would be modified by this rule are as follows: ‘‘Contingency Abort,’’ which would be simplified; ‘‘Flight Safety System,’’ which would be simplified to incorporate the new term ‘‘Flight Abort;’’ and ‘‘Instantaneous Impact Point,’’ which would remove drag effects and clarify that this term means a predicted impact point. ‘‘Mishap’’ would be defined as having four classes or categories, from most to least severe, based on lessons learned as discussed earlier in this preamble. The current PO 00000 Frm 00108 Fmt 4701 Sfmt 4702 definition of ‘‘Public Safety’’ would be removed from § 401.5 and the definition of ‘‘Public’’ would be removed from § 420.5, and a new definition for ‘‘Public’’ would be added to § 401.5. ‘‘Launch’’ and ‘‘Reenter; Reentry’’ would be modified to remove language that further scopes what aspects of space transportation are licensed, as discussed earlier. Scoping language would be transferred to proposed § 450.3. ‘‘Safety Critical’’ would be modified to remove the last sentence because it is unnecessary. The definition for ‘‘State and United States’’ would fix a minor printing error. Section 417.3 contains the definitions for part 417, only some of which would be preserved and added to § 401.5 by this proposed rulemaking. These are ‘‘Command Control System,’’ ‘‘Countdown,’’ ‘‘Crossrange,’’ ‘‘Data Loss Flight Time,’’ ‘‘Downrange,’’ ‘‘Explosive Debris,’’ ‘‘Flight Abort Crew,’’ ‘‘Flight Safety Limit,’’ ‘‘Gate,’’ ‘‘Launch Window,’’ ‘‘Normal Flight,’’ ‘‘Normal Trajectory,’’ ‘‘Operating Environment,’’ ‘‘Operation Hazard,’’ ‘‘Service Life,’’ ‘‘System Hazard,’’ ‘‘Sub-Vehicle Point,’’ ‘‘Tracking Icon,’’ and ‘‘Uprange.’’ A number of changes have been made as follows: • ‘‘Command Control System’’ would be modified to take out unnecessary detail. • ‘‘Countdown,’’ ‘‘Downrange,’’ ‘‘Explosive Debris,’’ and ‘‘Normal Flight’’ would be modified to add reentry. • ‘‘Crossrange,’’ ‘‘Launch Window,’’ ‘‘Normal Trajectory,’’ ‘‘Service Life,’’ and ‘‘System Hazard’’ would be unchanged. • The term ‘‘Flight Abort Crew’’ would be changed from ‘‘Flight Safety Crew,’’ and would be simplified. • ‘‘Operating Environment’’ would be changed to add reentry, and would use the term ‘‘lifecycle’’ within the definition instead of the limiting reference to acceptance testing, launch countdown, and flight. • ‘‘Operation Hazard’’ would be modified to clarify that a system hazard is not an operation hazard. • The term ‘‘Protected Area’’ would be removed, and the term ‘‘Uncontrolled Area’’ would be added to § 401.5 but with the inclusion of a launch or reentry site operator, an adjacent site operator, or other entity by agreement who can control an area of land. • The term ‘‘Service life’’ would be changed to replace reference to a flight termination system component with any safety-critical system component. • The last sentence in ‘‘Sub-Vehicle Point’’ and ‘‘Uprange’’ would be E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules removed because these sentences are unnecessary. • ‘‘Tracking Icon’’ would be modified to include autonomous flight safety systems. • ‘‘Data Loss Flight Time,’’ ‘‘Flight Safety Limit,’’ and ‘‘Gate’’ would be changed as discussed earlier in this preamble. In part 414, ‘‘Safety Approval’’ would be changed to ‘‘Safety Element Approval,’’ so that a part 414 approval is not confused with a proposed part 450 safety approval. Its meaning, however, would remain the same as discussed earlier in this preamble. The definition of ‘‘Maximum Probable Loss (MPL)’’ in § 440.3 would be modified to include Neighboring Operations Personnel. The definition of ‘‘Anomaly’’ would be removed from part 437 and added to § 401.5 with a revised meaning. Definitions that would not be retained from part 417 are ‘‘Command Destruct Systems,’’ ‘‘Conjunction on Launch,’’ ‘‘Destruct,’’ ‘‘Drag Impact Point,’’ ‘‘Dwell Time,’’ ‘‘Fail-Over,’’ ‘‘Family Performance Data,’’ ‘‘Flight Safety System,’’ ‘‘Flight Termination System,’’ ‘‘Inadvertent Separation Destruct System,’’ ‘‘In-Family,’’ ‘‘Launch Azimuth,’’ ‘‘Launch Crew,’’ ‘‘Launch Wait,’’ ‘‘Meets Intent Certification,’’ ‘‘Non-Operating Environment,’’ ‘‘Operating Life,’’ ‘‘Out-of-Family,’’ ‘‘Passive Component,’’ ‘‘Performance Specifications,’’ ‘‘Safe-Critical Computer System Function,’’ ‘‘Storage Life,’’ and ‘‘Waiver.’’ These would no longer be a part of commercial space regulations because they have been replaced with different terms (i.e., ‘‘Conjunction on Launch’’ and ‘‘Launch Wait’’), are already defined in § 401.5 (i.e., ‘‘Flight Safety System’’), or are simply not used (all others). This proposed rule would also remove from § 401.5, ‘‘Human Space Flight Incident,’’ ‘‘Launch Accident,’’ ‘‘Launch Incident,’’ ‘‘Reentry Accident,’’ and ‘‘Reentry Incident.’’ In addition, it would remove ‘‘Launch Site Accident’’ from § 420.5. These definitions would be removed because of the proposed changes in definitions related to mishaps. The proposed rule would also remove from § 401.5 ‘‘Emergency Abort,’’ because it is no longer in use, and ‘‘Vehicle Safety Operations Personnel,’’ because those personnel are referred to as ‘‘Safety Critical Personnel’’ in proposed part 450. The FAA also proposes to remove the definition of ‘‘Instantaneous Impact Point’’ from § 420.5. This definition would be removed because a new definition with a modified meaning would be added to § 401.5. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 15403 iv. Electronic Submission email as a link to a secure server, and remove the requirement that an application be in a format that cannot be altered. In 2015, the FAA published the ‘‘Electronic Applications for Licenses, Permits, and Safety Approvals’’ rule.216 In that rule, the FAA made the application process more flexible and efficient by providing an applicant with the option to submit applications to the FAA electronically, either via email or on an electronic storage device, rather than submitting a paper application. Specifically, § 413.7(a)(3) requires that an application made via email be submitted as an email attachment to ASTApplications@faa.gov in a format that cannot be altered. The FAA’s intent was to allow applicants to transact with the agency electronically, in accordance with the Government Paperwork Elimination Act. However, since the rule published, the FAA has found that many of the files containing the necessary application materials are too large to be transmitted successfully by email. When this occurs, applicants have transmitted an email message with a File Transfer Program (FTP) link or a link to a digital repository where the materials can be downloaded by the FAA. The FAA has found this to be an acceptable means of submitting an application. Because the FAA proposes to amend application procedures in this rulemaking, the FAA also proposes to align the regulations with the current acceptable practice of allowing this form of electronic application submission. Accordingly, the FAA proposes to amend § 413.7(a)(3) to allow an applicant the option to submit its application by email as a link to a secure server. Additionally, the 2015 rulemaking identified that in requiring a file format that could not be altered, the FAA would accept a PDF document or a readonly Word file. Because both of these file types can actually be modified, the FAA has found it is impossible to comply with the requirement in § 413.7(a)(3)(ii). However, the need for document and version control of applications still exists for accurate record keeping and to ensure that the application materials the FAA evaluates and enforces represent the final and accurate submission from the applicant and have not been altered in any way. As nearly every form of electronic file submitted could be altered in some way or another, the FAA proposes to replace the current § 413.7(a)(3)(ii) with a new This rule proposes to amend § 413.7(a)(3) to allow an applicant the option to submit its application by 216 Electronic Applications for Licenses, Permits, and Safety Approvals, Direct Final Rule. 80 FR 30147 (May 27, 2015). 2. Part 413—Application Procedures i. § 413.1 Clarification of the Term ‘‘Application’’ The FAA proposes to modify § 413.1 to clarify the term ‘‘application.’’ Specifically, the FAA would add to § 413.1 that the term application means either an application in its entirety, or a portion of an application for incremental review and determination in accordance with § 450.33. This change is necessary to enable incremental review as discussed earlier. ii. § 413.21 Denial of a License or Permit Application The FAA proposes to correct the section heading of § 413.21 to reflect the content of the section, and also correct paragraph (c) of this section to reference both license and permit applications. Section 413.21 applies to a license or permit application. However, the section heading and paragraph (c) of this section only reference ‘‘license.’’ To correct this oversight, the FAA proposes to revise the section heading to read, ‘‘Denial of a license or permit application.’’ In addition, the FAA proposes to remove the reference to ‘‘license’’ from paragraph (c) so that it would apply to both license and permit applications. iii. ‘‘Complete Enough’’ and ‘‘Sufficiently Complete’’ The FAA proposes to change the term ‘‘sufficiently complete’’ in part 414 to ‘‘complete enough,’’ as used in § 413.11, because the two terms mean the same thing. That is, they both describe the point at which the FAA has determined it has sufficient information to accept an application and begin its evaluation to make findings regarding issuing a license or permit. Section 413.11 uses ‘‘complete enough’’ to describe when the FAA will accept an application and begin its review for a launch license or permit. The original intent was to use the same term in other chapter III sections. However, the term ‘‘sufficiently complete’’ in §§ 414.15(a), 415.107(a), and 417.203(c) was never changed to ‘‘complete enough.’’ Therefore, the agency proposes to change the term ‘‘sufficiently complete’’ to ‘‘complete enough’’ for consistency and clarity. The proposed change would be made in part 414 and in proposed part 450, since parts 415 and 417 would be consolidated under this new part. PO 00000 Frm 00109 Fmt 4701 Sfmt 4702 E:\FR\FM\15APP2.SGM 15APP2 15404 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules requirement that an applicant’s email submission would be required to identify each document appended to the email, including any that are included as an attachment or that are stored on a secure server. The FAA further proposes to include a new § 413.7(a)(3)(iii) which would require all electronic files be date stamped and include version control documentation. The replacement of § 413.7(a)(3)(ii) and the addition of § 413.7(a)(3)(iii) would further the FAA’s intent to prevent any unrecognized alteration. The proposed amendments to § 414.13(a)(3) would mirror the proposed text of § 413.7(a)(3). The FAA also proposes to remove § 414.11(a)(3) because those requirements would be addressed in the proposed text of § 414.13(a)(3). These changes would remove unactionable application requirements and replace them with regulations that align with current practice and practicable compliance. The FAA also proposes to change the heading of part 413 from ‘‘License Application Procedures’’ to ‘‘Application Procedures.’’ The proposed heading change reflects the multiple application procedures under part 413, which includes launch and reentry licenses, launch and reentry site licenses, and experimental permits. The FAA proposes this title change to improve the regulatory clarity for future experimental permit applicants. 3. Part 414—Safety Element Approvals As discussed earlier, the FAA proposes to change the part 414 term from ‘‘safety approval’’ to ‘‘safety element approval’’ to distinguish it from ‘‘safety approval’’ as used in parts 415, 431, and 435, and proposed part 450. Also, the FAA proposes to modify part 414 to enable applicants to request a safety element approval in conjunction with a license application as provided in proposed part 450.217 amozie on DSK9F9SC42PROD with PROPOSALS2 4. Part 420—License To Operate a Launch Site As discussed earlier, the proposal would modify the environmental requirements in § 420.15 to match the environmental requirements in proposed § 450.47. Also, the proposal would remove the definitions of ‘‘instantaneous impact point,’’ ‘‘launch site accident,’’ and ‘‘public’’ from § 420.5, and allow alternate time frames in § 420.57. In addition, it would change the heading of § 420.59 from ‘‘Launch Site Accident Investigation Plan’’ to 217 Discussion on safety element approval changes to part 414 can be found in the Process Improvements section A portion of this preamble. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 ‘‘Mishap Plan,’’ and modify the section as discussed earlier. Further, it would make a minor edit in § 420.51. 5. Part 433—License To Operate a Reentry Site As discussed earlier, the proposal would modify the environmental requirements in §§ 433.7 and 433.9 to align them with the environmental requirements in proposed § 450.47. 6. Part 437—Experimental Permits As discussed earlier, the FAA proposes to modify part 437 (Experimental Permits) in six ways. First, the proposal would remove the definition of ‘‘anomaly’’ from § 437.3 and include a modified version in § 401.5. Second, the proposal would modify the environmental requirements in § 437.21(b)(1) to match the environmental requirements proposed in § 450.47. Third, it would change the name of ‘‘safety approval’’ to ‘‘safety element approval’’ in § 437.21. Fourth, it would modify the mishap plan requirements in §§ 437.41 and 437.75. Fifth, it would change the requirements for collision avoidance to match proposed § 450.169. Sixth, it would allow for alternate time frames in § 437.89. 7. Part 440—Financial Responsibility As discussed earlier, the FAA proposes to modify § 440.15 to allow for alternate time frames, and modify the definition of ‘‘maximum probable loss’’ in § 440.3 to align it with the new, proposed definition of ‘‘neighboring operations personnel.’’ IV. Regulatory Notices and Analyses A. Regulatory Evaluation Changes to Federal regulations must undergo several economic analyses. First, Executive Order 12866 and Executive Order 13563 direct that each federal agency shall propose or adopt a regulation only upon a reasoned determination that the benefits of the intended regulation justify its costs. Second, the Regulatory Flexibility Act of 1980 (Pub. L. 96–354) requires agencies to analyze the economic impact of regulatory changes on small entities. Third, the Trade Agreements Act (Pub. L. 96–39 as amended) prohibits agencies from setting standards that create unnecessary obstacles to the foreign commerce of the United States. In developing U.S. standards, the Trade Agreements Act requires agencies to consider international standards and, where appropriate, that they be the basis of U.S. standards. Fourth, the Unfunded Mandates Reform Act of 1995 (Pub. L. PO 00000 Frm 00110 Fmt 4701 Sfmt 4702 104–4) requires agencies to prepare a written assessment of the costs, benefits, and other effects of proposed or final rules that include a Federal mandate likely to result in the expenditure by State, local, or tribal governments, in the aggregate, or by the private sector, of $100 million or more annually (adjusted for inflation with base year of 1995). The FAA has provided a more detailed Preliminary Regulatory Impact Analysis of the benefits and costs of this proposed rule in the docket of this rulemaking. This portion of the preamble summarizes this analysis. In conducting these analyses, the FAA has determined that this proposed rule: (1) Has benefits that justify its costs, (2) is not an economically ‘‘significant regulatory action’’ as defined in section 3(f) of Executive Order 12866, (3) is ‘‘significant’’ as defined in DOT’s Regulatory Policies and Procedures, (4) will have a significant economic impact on a substantial number of small entities, (5) will not create unnecessary obstacles to the foreign commerce of the United States, and (6) will not impose an unfunded mandate on state, local, or tribal governments, or on the private sector by exceeding the threshold identified earlier. These analyses are summarized below. Baseline Problem and Statement of Need The FAA is proposing this deregulatory action to comply with President Donald J. Trump’s Space Policy Directive-2 (SPD–2) ‘‘Streamlining Regulations on Commercial Use of Space.’’ The directive instructed the Secretary of Transportation to publish for notice and comment, proposed rules rescinding or revising the launch and reentry licensing regulations. Section 2 of SPD– 2 charged the Department of Transportation with revising regulations to require a single license for all types of commercial space flight operations and replace prescriptive requirements with performance-based criteria. The subject proposed rule would implement this section of SPD–2. The FAA’s existing regulations have been criticized as overly-prescriptive, lacking sufficient clarity, outdated, and inconsistent with the requirements of other Government agencies. The regulations for ELV launches in parts 415 and 417 have proven to be too prescriptive and one-size-fits-all. The requirements of these parts were written in a very detailed fashion, which has caused some sections to become outdated or obsolete. In contrast, the regulations for RLV launches have proven to be too general, lacking E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules regulatory clarity. For example, part 431 does not contain specificity regarding the qualification of flight safety systems, acceptable methods for flight safety analysis, and ground safety requirements. The purpose of the proposed rule is to streamline and simplify the licensing of launch and reentry operations by relying on performance-based regulations rather than prescriptive regulations. This action would consolidate and revise multiple commercial space launch and reentry regulations addressing licensing into a single regulatory part that states safety objectives to be achieved for the launch of suborbital and orbital expendable and reusable launch vehicles, and the reentry of reentry vehicles. This action would also enable flexible timeframes, remove unnecessarily burdensome ground safety regulations, redefine when launch begins to allow specified pre-flight operations prior to license approval, and allow applicants to seek a license to launch from multiple sites. This proposal is necessary to reduce the need to file and process waivers, improve clarity of the regulations, and relieve administrative and cost burdens on industry and the FAA. The intended effect of this action is to make commercial space transportation regulations more efficient and effective, while maintaining public safety. Since the last comprehensive update to the regulations in 2006, the differences between ELVs and RLVs have blurred. Vehicles that utilize traditional flight safety systems now are partially reusable. For example, the Falcon 9 first stage, launched by Space Exploration Technologies Corp. (SpaceX), routinely returns to the launch site or lands on a barge and other operators are developing launch vehicles with similar capabilities. Although the reuse of safety critical systems or components can have public safety implications, labeling a launch vehicle as expendable or reusable has not shown to impact the primary approach necessary to protect public safety, certainly not to the extent suggested in the differences between part 431 and parts 415 and 417. This deregulatory action would consolidate and revise multiple commercial space regulatory parts to apply a single set of licensing and safety regulations across several types of operations and vehicles. It would also 218 See the Preliminary Regulatory Impact Analysis of this proposed rule in the docket for more information. The FAA Office of Commercial Space Transportation derived the launches affected VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 15405 Over a 5-year period of analysis, this proposed rule would result in net present value cost savings to industry of about $19 million using a 7% discount rate or about $21 million using a 3% discount rate, with annualized net cost savings to industry of about $4.6 million using either discount rate. This proposed rule would also result in net present value savings for FAA of about $0.8 million using a 7% discount rate or about $1 million using a 3% discount rate, with annualized net cost savings to FAA of about $0.2 million using either discount rate. The largest quantified cost savings for industry would result from eliminating or relaxing requirements for a flight safety system on some launches (about $11 million in present value savings over 5 years at a discount rate of 7% or about $12 million at a discount rate of 3%) and from reducing the number of personnel that would have to be evacuated from neighboring launch sites (about $8 million in present value savings over 5 years at a discount rate of 7% or about $9 million at a discount rate of 3%). These cost savings are described in more detail below. The FAA proposes to move from prescriptive flight safety system requirements to performance-based requirements. As a result, the proposed rule would not require all launch vehicles to have a full flight safety system. Launch vehicles that have a very low probability of multiple casualties even if vehicle control fails would not be required to have a flight safety system. In addition, vehicles that have moderately low probability of casualty even if vehicle control fails would not be required to have robust flight safety systems.219 These performance-based requirements would reduce costs for some vehicle operators, especially for small vehicles or those operating in remote locations. The proposed rule would provide a new definition of neighboring operations personnel and establish new criteria for neighboring launch site personnel for the purposes of risk and financial responsibility. The change would allow affected operators to potentially reduce the number of personnel that have to evacuate and enable more concurrent operations by accepting a small safety risk tradeoff. The FAA has monetized the value of this small increased safety risk as summarized in the following tables. The FAA estimates the present value of these small increased safety risks to be about $1.4 million discounted at 7% or about $1.5 discounted at 3% over the five years. The FAA estimates some small costs to industry that would assist both industry and the FAA in the implementation of this proposed rule, such as providing information to the FAA that other agencies frequently request or performing one-time updates of flight safety limit analyses and ground hazard analyses that would be used to determine performance-based means of compliance that provide future savings. In addition, there may be additional costs for the modification of existing licenses to benefit from the cost saving provisions of this proposed rule. The FAA would also incur small costs for payload review, ground hazard analysis, and the review of modifications to existing licenses. The following table summarizes total quantified savings, costs, and net impacts. by this proposed rule for a 5-year period of analysis due to the rapidly changing environment of commercial space transportation. 219 See discussion in the preamble regarding being compliant with the flight safety systems of part 417. replace many prescriptive regulations with performance-based regulations, giving industry greater flexibility to develop a means of compliance that maximizes their business objectives. This proposed rule would result in net cost savings for industry and enable future innovation in U.S. commercial space transportation. Affected Operators and Launches At the time of writing based on FAA license data, the FAA estimates this proposed rule would affect 12 operators that have an active license or permit to conduct launch or reentry operations. In addition, the FAA estimates this proposed rule would affect approximately 276 launches over the next 5 years based on actual launch and reentry numbers and forecasted numbers.218 The FAA anticipates that the proposed rule would reduce the costs of current and future launch operations by removing current prescriptive requirements that are often burdensome to meet or require a waiver. The FAA expects these changes would lead to more efficient launch operations and have a positive effect on expanding the number of future launch and reentry operations. Summary of Impacts PO 00000 Frm 00111 Fmt 4701 Sfmt 4702 E:\FR\FM\15APP2.SGM 15APP2 15406 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules SUMMARY OF TOTAL 5-YEAR QUANTIFIED SAVINGS, COSTS AND NET IMPACTS [Presented in thousands of dollars] Industry present value (7%) Impact Industry present value (3%) FAA present value (7%) FAA present value (3%) Cost Savings .................................................................................................... Costs ................................................................................................................ $19,386.1 ¥542.6 $21,844.5 ¥569.5 $1,045.7 ¥222.3 $1,208.9 ¥237.0 Net Cost Savings ...................................................................................... 18,843.5 21,275.0 823.4 971.8 Annualized Net Cost Savings ............................................................ 4,595.7 4,645.5 200.8 212.2 Increased Safety Risks .................................................................................... ¥1,370.2 ¥1,540.6 ........................ ........................ Net Cost Savings less Increased Safety Risks ........................................ 17,473.3 19,734.4 823.4 971.8 Annualized Net Cost Savings less Increased Safety Risks .............. 4,261.6 4,309.1 200.8 212.2 Table notes: The sum of individual items may not equal totals due to rounding. Negative signs are used to indicate costs and increased safety risks in this table. Present value estimates provided at 7% and 3% per OMB guidance. The following table summarizes quantified impacts by provision category. SUMMARY OF 5-YEAR QUANTIFIED SAVINGS, COSTS AND NET IMPACTS BY PROVISIONS [Presented in thousands of dollars] Industry present value (7%) amozie on DSK9F9SC42PROD with PROPOSALS2 Provision category/impact Industry present value (3%) FAA present value (7%) FAA present value (3%) Waiver Avoidance: —Definition of Launch .............................................................................. —Waterborne Vessel Hazard Areas ........................................................ —Waiver for 48 Hour Readiness ............................................................. System Safety Program—Safety Official ......................................................... Duration of a Vehicle License ......................................................................... Readiness—Elimination of pre-launch meeting 15 days prior ........................ Flight Safety System—Not required for all launches ...................................... Flight Safety Analysis no longer required for hybrids ..................................... Neighboring Operations * ................................................................................. Ground Hazard Analysis .................................................................................. $32.8 65.6 41.0 39.1 50.6 709.9 10,612.6 22.1 7,698.9 113.3 $36.7 73.3 45.8 43.7 56.5 799.0 11,981.3 25.0 8,656.7 126.6 $10.3 20.5 12,8 45.7 104.3 127.7 572.5 2.8 ........................ 149.2 $11.5 22.9 14.3 51.0 116.5 143.6 679.2 3.2 ........................ 166.6 Total Cost Savings ................................................................................... 19,386.1 21,844.5 1,045.7 1,208.9 Payload Review and Determination ................................................................ Flight Safety Limit Analysis ............................................................................. Ground Hazard Analysis .................................................................................. Modification Costs for Existing Licenses ......................................................... ¥45.6 ¥157.7 ¥24.0 ¥315.4 ¥51.2 ¥163.8 ¥26.8 ¥327.6 ¥46.4 ........................ ¥27.2 ¥148.7 ¥52.2 ........................ ¥30.4 ¥154.5 Total Costs ............................................................................................... ¥542.6 ¥569.5 ¥222.3 ¥237.0 Net Cost Savings .............................................................................. 18,843.5 21,275.0 823.4 971.8 Annualized Net cost Savings ..................................................... 4,595.7 4,645.5 200.8 212.2 Increased Safety Risks: Neighboring Operations * .......................................... ¥1,370.2 ¥1,540.6 ........................ ........................ Net Cost Savings less Increased Safety Risks ........................................ 17,473.3 19,734.4 823.4 971.8 Annualized Net Cost savings Less Increased Safety Risks ............. 4,261.6 4,309.1 200.8 212.2 * Changes to Neighboring Operations requirements result in net savings less increased safety risks. Table notes: The sum of individual items may not equal totals due to rounding. Negative signs are used to indicate costs and increased safety risks in this table. Present value estimates provided at 3% and 7% per OMB guidance. The FAA also expects industry will gain additional unquantified savings and benefits from the proposed rule, since it provides flexibility and scalability through performance-based VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 requirements that would reduce the future cost of innovation and improve the efficiency and productivity of U.S. commercial space transportation. PO 00000 Frm 00112 Fmt 4701 Sfmt 4702 The following table summarizes some of the proposed changes that would result unquantified savings. E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules 15407 UNQUANTIFIED SAVINGS Change Savings Time Frames ................... The proposal would revise time frames in parts 404, 413, 414, 415, 417, 420, 431, 437, and 440 that may be burdensome for some operators. This would increase flexibility by allowing an operator the option to propose alternative time frames that better suit their operations. Eligible time frames include preflight and post-flight reporting among others listed in proposed Appendix A to Part 404—Alternative Time Frames. The proposal would remove the requirement in part 414 to publish in the Federal Register the criteria upon which safety element approvals were based. The purpose of this notification requirement was to make clear the criteria and standards the FAA used to assess a safety element, particularly when no clear regulatory requirement existed and there could be other potential users of the safety approval. However, the FAA has found that this requirement is unnecessary, and has potentially discouraged applications for safety element approvals due to concerns that propriety data may be disclosed. FAA anticipates that removing this requirement will lead to increased use of safety element approvals, reducing industry burden and potentially improving safety. The proposal would provide the following mishap-related enhancements, which FAA expects to better tailor mishap responses. • Replace current part 400 mishap related definitions with a consolidated mishap classification system (streamlines and reduces confusion). • Consolidate existing part 400 mishap/accident investigation and emergency response plan requirements into a single part (streamlines and reduces confusion). • Exempt pre-coordinated test-induced property damage from being a mishap (removes need to consider test-induced property damages from mishap requirements and likely results in fewer investigations of minor mishaps). • This proposal also eliminates the small $25,000 monetary threshold from the current mishap and accident investigation requirements potentially reducing the number of mishaps being investigated that do not pose a threat to public safety. A minor damage that does not pose a threat to public safety can easily exceed the $25,000 monetary threshold, triggering potentially costly and burdensome notification, reporting, and investigation requirements. The proposal would replace part 417 toxic release hazard analysis requirements with performance-based regulations that would provide flexibility for operators to comply with the required risk criteria in varied and innovative ways relative to their operations. The proposal would remove appendix G to part 417, Natural and Triggered Lightning Flight Commit Criteria, and replace it with the performance-based requirements. The current requirements are outdated, inflexible, overly conservative, and not explicitly applicable to RLVs and RVs. The proposed revision would provide an operator with more flexibility, and allow it to take into account the vehicle’s mission profile when determining how to mitigate the direct and indirect effects of a lightning discharge. Safety Element Approval Mishaps ........................... Toxics .............................. Lightning protection requirement. The FAA intends to update its analysis with additional information and data identified during the comment period to better assess the impacts of this deregulatory action. Estimates may change for the final rule as a result. The FAA invites comments on the benefits, savings, or costs of this proposed rule. Send comments by any of the methods identified under Addresses in this proposed rule. Specifically, the FAA requests information and data that can be used to quantify the additional savings of this proposed rule. Please provide references and sources for information and data. amozie on DSK9F9SC42PROD with PROPOSALS2 B. Regulatory Flexibility Determination The Regulatory Flexibility Act of 1980 (Pub. L. 96–354) (RFA) establishes ‘‘as a principle of regulatory issuance that agencies shall endeavor, consistent with the objectives of the rule and of applicable statutes, to fit regulatory and informational requirements to the scale of the businesses, organizations, and governmental jurisdictions subject to regulation. To achieve this principle, agencies are required to solicit and consider flexible regulatory proposals and to explain the rationale for their actions to assure that such proposals are given serious consideration.’’ The RFA covers a wide-range of small entities, VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 including small businesses, not-forprofit organizations, and small governmental jurisdictions. Agencies must perform a review to determine whether a rule will have a significant economic impact on a substantial number of small entities. If the agency determines that it will, the agency must prepare a regulatory flexibility analysis as described in the RFA. Under Section 603(b) of the RFA, the initial regulatory flexibility analysis for a proposed rule must: • Describe reasons the agency is considering the action; • State the legal basis and objectives; • Describe the recordkeeping and other compliance requirements; • State all federal rules that may duplicate, overlap, or conflict; • Describe an estimated number of small entities impacted; and • Describe alternatives considered. 1. Description of Reasons the Agency Is Considering the Action The Chair of the National Space Council, the Vice President, directed the Secretaries of Transportation and Commerce, and the Director of the Office of Management and Budget, to conduct a review of the U.S. regulatory framework for commercial space activities and report back within 45 PO 00000 Frm 00113 Fmt 4701 Sfmt 4702 days with a plan to remove barriers to commercial space enterprises. The Council approved four recommendations, including the Department of Transportation’s recommendation that the launch and reentry regulations should be reformed into a consolidated, performance-based licensing regime. Codifying the recommendations of the Council, SPD–2 was issued on May 24, 2018. SPD–2 instructed the Secretary of Transportation to publish for notice and comment proposed rules rescinding or revising the launch and reentry licensing regulations, no later than February 1, 2019. SPD–2 charged the Department with revising the regulations such that they would require a single license for all types of commercial space flight operations and replace prescriptive requirements with performance-based criteria. The current action is complying with this recommendation. Current regulations setting forth procedures and requirements for commercial space transportation licensing were based largely on the distinction between expendable or reusable launch vehicles. Specifically, 14 CFR parts 415 and 417 address the launch of expendable launch vehicles, part 431 addresses the launch and E:\FR\FM\15APP2.SGM 15APP2 15408 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules amozie on DSK9F9SC42PROD with PROPOSALS2 reentry of reusable launch vehicles, and part 435 addresses the reentry of reentry vehicles. The regulations in parts 415 and 417 are based on the Federal launch range standards developed in the 1990s. Parts 431 and 435 are primarily processbased, relying on a license applicant to derive safety requirements through a ‘‘system safety’’ process. While these regulations satisfied the need of the commercial launch industry at the time they were issued, the industry has changed and continues to evolve, thus rendering the current regulatory structure cumbersome and outdated. 2. Statement of the Legal Basis and Objectives The Commercial Space Launch Act of 1984, as amended and re-codified at 51 U.S.C. 50901–50923 (the Act), authorizes the Department of Transportation, and the FAA through delegation, to oversee, license, and regulate commercial launch and reentry activities, and the operation of launch and reentry sites as carried out by U.S. citizens or within the United States. Section 50905 directs the FAA to exercise this responsibility consistent with public health and safety, safety of property, and the national security and foreign policy interests of the United States. The FAA is authorized to regulate only to the extent necessary to protect the public health and safety, safety of property, and national security and foreign policy interests of the United States. In addition, section 50903 requires that the FAA encourage, facilitate, and promote commercial space launches and reentries by the private sector. If adopted as proposed, this rulemaking would streamline and increase flexibility in the FAA’s commercial space regulations. This action would consolidate and revise multiple regulatory parts to apply a single set of licensing and safety regulations across several types of operations and vehicles. It would also replace many prescriptive regulations with performance-based rules, giving industry greater flexibility to develop means of compliance that maximize their business objectives while maintaining an equivalent level of safety to the agency’s current regulations. Because this rulemaking would amend the FAA’s launch and reentry requirements, it falls under the authority delegated by the Act. 3. Description of the Recordkeeping and Other Compliance Requirements The FAA is not proposing any substantive changes to the requirements VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 specified below. However, the agency is proposing to consolidate these requirements into a new, proposed part 450 (Launch and Reentry License Requirements); clarify that the consolidated requirements apply to any licensed launch or reentry; and make other minor, clarifying edits. The following is a summary of the proposed changes: i. Public Safety Responsibility and Compliance With License The FAA would consolidate the public safety responsibility requirements in current §§ 417.7 and 431.71(a) into proposed § 450.201, Public Safety Responsibility. Also, the FAA would move the compliance requirement in current § 431.71(b) to its own section, proposed § 450.203 (Compliance with License). Although the location of these requirements would change, the requirements themselves would not change. Therefore, proposed § 450.201 would provide that a licensee is responsible for ensuring public safety and safety of property during the conduct of a licensed launch or reentry. And proposed § 450.203 would require that a licensee conduct a licensed launch or reentry in accordance with representations made in its license application, the requirements of part 450, subparts C and D, and the terms and conditions contained in the license. A licensee’s failure to act in accordance with these items would be sufficient basis to revoke a license, or some other appropriate enforcement action. ii. Records. The FAA would consolidate the current record requirements in §§ 417.15(a) and (b) and 431.77(a) and (b) into proposed § 450.219(a) and (b). However, the FAA would replace the term ‘‘launch accident’’ in paragraph (b) with ‘‘class 1 or class 2 mishap.’’ As discussed in more detail in the Part 401—Definitions section of this preamble, the FAA is proposing to replace current part 401 definitions involving ‘‘accident,’’ ‘‘incident,’’ and ‘‘mishap’’ with specified mishap classes. As such, the proposed regulation would require a licensee to maintain, for 3 years, all records, data, and other material necessary to verify that a launch or reentry is conducted in accordance with representations contained in the licensee’s application. The exception would be for a class 1 or class 2 mishap, where a licensee would be required to preserve all records related to the event. These records would be required to be retained until PO 00000 Frm 00114 Fmt 4701 Sfmt 4702 the completion of any Federal investigation and the FAA has notified the licensee that the records need not be retained. The licensee would be required to make all records required to be maintained under the regulations available to Federal officials for inspection and copying. 4. All Federal Rules That May Duplicate, Overlap, or Conflict No other federal rules duplicate, overlap, or conflict with FAA’s launch and reentry licensing requirements. 5. Description and an Estimated Number of Small Entities Impacted The FAA has identified two potential small entities that this proposed rule would impact, Vector Launch, Inc. and Generation Orbit. Both operators employ fewer than 1,500 people and both were in pre-application consultation to launch under parts 415 and 417 at the time of this writing.220 These two companies are the only small entities identified in this analysis that may be directly affected by this proposed rule. 6. Alternatives Considered The FAA considered three alternatives to the proposed rule. i. No Change to Current Regulations This alternative was not chosen because the current regulations are outdated, prescriptive, and do not adequately reflect industry current practices or technology development. The inefficiency of the licensing process due to current regulations risks stifling innovation and growth of the industry, especially for small operators. ii. Propose a More Process-Based Regulatory Approach With this alternative, the FAA would propose less detailed regulations that would rely primarily on the outcome of an operator’s system safety process to protect public safety. This alternative was not chosen because it would lack regulatory clarity without adding any additional flexibility for a launch or reentry operator which may be more burdensome to small operators compared to large operators. iii. Propose a Defined Modular Application Process With this alternative, the FAA would propose similar safety requirements but would add a more defined incremental 220 The FAA uses the current Small Business Administration size standard of 1,500 employees for passenger and freight air transportation. This information is found in https://www.sba.gov/sites/ default/files/files/Size_Standards_Table_2017.pdf. E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules or modular application process. The current proposal enables an incremental application process, but does not define one with explicit modules and time frames. This alternative was not chosen because the FAA has no experience with an incremental or modular application process with which to base a proposal. In addition, a more defined incremental or modular application process may be less flexible and scalable and therefore more burdensome to small operators. The FAA expects this proposed rule would provide regulatory relief to small entities from current prescriptive requirements and result in net savings. As discussed previously in this section, the FAA identified two possible small entities that would be affected by this proposed rule but they are in the pre-application stage for potential ELV and RLV launches and we have little information on how they may comply with existing or proposed requirements. As these entities have not begun operations, we do not have estimates of the costs savings or costs that would reliably apply. However, the following are some estimates of per entity cost savings and costs based on data representing existing ELV and RLV operators. We note that some of the estimated savings and costs of this proposed rule may not apply to these entities. Cost Savings i. Readiness—Elimination of Pre-Launch Meeting 15 Days Prior (§ 450.155) ELV operators might save $4,600 per avoided launch readiness meeting, however this assumes the average number of people at each meeting would be 25 and this might not apply to a small business. amozie on DSK9F9SC42PROD with PROPOSALS2 ii. Flight Safety System—Not Required for All Launches (§ 450.145) For launches where an FSS would not be required under the proposal, RLV operators might save $195,000 per launch vehicle for a vehicle using an existing design. An ELV operator might save $680,000 per launch. Both ELV and RLV operators might save an estimated $1.3 million for new vehicle designs by not having to incur all the research, design, testing, materials and installation costs for an FSS. iii. Ground Hazard Analysis (§ 450.185) An ELV operator might save $28,000 per application by not having to do a ground hazard analysis under this proposal. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 Costs i. Payload Review and Determination (§ 450.43) The proposed rule could cause small operators to incur about $204 more per launch than due to additional payload review and determination costs. ii. Ground Hazard Analysis (§ 450.185) RLV applicants might incur about $3,000 more per application due to having to perform ground hazard analyses under the proposal. The FAA invites comments on this initial regulatory flexibility analysis for the proposed rule. Send comments by any of the methods identified under Addresses in this proposed rule. Specifically, the FAA requests information and data that can be used to quantify savings and costs to small operators directly affected by this proposed rule. Please provide references and sources for information and data. C. International Trade Impact Assessment The Trade Agreements Act of 1979 (Pub. L. 96–39), as amended by the Uruguay Round Agreements Act (Pub. L. 103–465), prohibits federal agencies from establishing standards or engaging in related activities that create unnecessary obstacles to the foreign commerce of the United States. Pursuant to these Acts, the establishment of standards is not considered an unnecessary obstacle to the foreign commerce of the United States, so long as the standard has a legitimate domestic objective, such as the protection of safety, and does not operate in a manner that excludes imports that meet this objective. The statute also requires consideration of international standards and, where appropriate, that they be the basis for U.S. standards. The FAA has assessed the potential effect of this proposed rule and determined that it will not create unnecessary obstacles to the foreign commerce of the United States. D. Unfunded Mandates Assessment Title II of the Unfunded Mandates Reform Act of 1995 (Pub. L. 104–4) requires each federal agency to prepare a written statement assessing the effects of any Federal mandate in a proposed or final agency rule that may result in an expenditure of $100 million or more (in 1995 dollars) in any one year by State, local, and tribal governments, in the aggregate, or by the private sector; such a mandate is deemed to be a ‘‘significant regulatory action.’’ The threshold after adjustment for inflation is $150 million using the most current annual (2017) PO 00000 Frm 00115 Fmt 4701 Sfmt 4702 15409 Implicit Price Deflator for Gross Domestic Product from the U.S. Bureau of Economic Analysis. This proposed rule does not contain such a mandate; therefore, the requirements of Title II of the Act do not apply. E. Paperwork Reduction Act The Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)) requires that the FAA consider the impact of paperwork and other information collection burdens imposed on the public. According to the 1995 amendments to the Paperwork Reduction Act (5 CFR 1320.8(b)(2)(vi)), an agency may not collect or sponsor the collection of information, nor may it impose an information collection requirement unless it displays a currently valid Office of Management and Budget (OMB) control number. This action contains the following proposed consolidation of two existing information collection requirements, previously approved under OMB Control Numbers 2120–0608 and 2120– 0643, under a new OMB control number. As required by the Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)), the FAA will submit the proposed information collection requirements to OMB for its review. In addition, the FAA has published a separate notice of the proposed requirements for public comment, and has included the notice in the docket for this rulemaking. The notice includes instructions on how to submit comments specifically to the proposed information collection requirements. Additional details on assumptions and calculations used in this section are presented in the Preliminary Regulatory Impact Analysis available in the docket of this rulemaking. The following estimates are included in the total savings and costs summarized in the Regulatory Evaluation section and considered in the Regulatory Flexibility Determination section of this proposed rule. Summary: The FAA proposes to consolidate under a new part 450, the requirements currently contained in parts 415 and 417 for the launch of an ELV, in part 431 for the launch and reentry of an RLV, and in part 435 for the reentry of a reentry vehicle other than an RLV. The result of this effort would be streamlined regulations designed to be more flexible and scalable, with reduced timelines and minimal duplicative jurisdiction. The net result would be reduced paperwork for operators, although for some provisions paperwork would increase. Use: The information would be used by FAA to evaluate the launch and E:\FR\FM\15APP2.SGM 15APP2 15410 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules reentry operators’ applications and to ensure safety. Paperwork Impact to Industry Respondents (including number of): The information collection would potentially affect 12 operators based on available data at the time of writing. Annual Burden Estimate: Most changes in part 450 would result in a reduction in the paperwork burden. The paperwork associated with industry requesting waivers to certain provisions would be alleviated. Paperwork associated with industry requesting license modifications would also be reduced because an operator would not have to modify a license if the specific safety official were to change. In addition, with the extension of RLV licenses to up to five years, it is likely that fewer licenses would be issued, resulting in less paperwork. Due to the change in launch scope, the documentation accompanying a ground hazard analysis for ELV operators would be reduced. Industry Cost Savings The following table indicates the frequency of responses, the estimated time per response, the burdened wage rate, annual hours, and the cost for each cost saving provision. Response frequency is provided for the estimated number of waivers avoided (§ 450.3), estimated reduction in annual number of licenses modified (§ 450.103), estimated reduction in annual license renewals, and the estimated annual number of launches for which there would be a reduction in ground hazard analysis paperwork (§ 450.185). An estimated time for each response is also indicated below, as are burdened hourly wage rates for the specific personnel associated with each provision and annual hours and total cost savings. INDUSTRY PAPERWORK COST SAVINGS Estimated time per response (hours) Response frequency Description Industry wage rate Annual hours Cost savings Waiver Avoidance (§ 450.3) ................................................. System Safety Program—Safety Official (§ 450.103) .......... Duration of a Vehicle License (§ 450.7) .............................. Ground Safety (§ 450.185) ................................................... 17 5.6 1.2 1 20 24 126.5 340 $100.03 71.01 81.28 81.28 340 134.4 151.8 340 $34,010 9,544 12,338 27,634 Total Annual Savings .................................................... ........................ ........................ ........................ 966 83,526 Cost savings includes paperwork related to waivers avoided due to the definition of launch, waterborne vessel protection, and removal of 48-hour readiness requirement. Industry Paperwork Burden Other changes would result in an increase in paperwork burden. The Payload Review and Determination section (§ 450.43) would add requirements for applicants to provide explosive potential of payload materials, alone and in combination with other materials on the payload for launches, as well as the appropriate transit time to final orbit for payloads with significant transit time after release from vehicle. The FAA is adding requirements for ground hazard analysis (§ 450.185) for RLV launches. The proposed rule would require RLVs to submit information to the FAA. The table below indicates the frequency of responses, estimated time per response, burdened hourly wage rate, annual hours, and the cost for each provision that would add burden. Response frequency is provided for the estimated number of explosive potential and transit time calculations, and the estimated number of annual RLV applications which would require ground hazard analysis. An estimated time per response is also indicated below, as are burdened hourly wage rates for the specific personnel associated with each provision and annual hours and total cost savings. INDUSTRY PAPERWORK BURDEN Industry wage rate Annual hours Cost Explosive Potential (§ 450.43) ............................................. Transit time (§ 450.43) ......................................................... Ground Safety (§ 450.185) ................................................... 50 50 2 2 0.5 36 $81.28 81.28 81.28 100 25 72 $8,128 2,032 5,852 Total Cost Burden ......................................................... ........................ ........................ ........................ 197 16,012 The following table summarizes the industry total annual paperwork amozie on DSK9F9SC42PROD with PROPOSALS2 Estimated time per response (hours) Response frequency Description savings, total annual burden and the net annual savings. INDUSTRY NET PAPERWORK SAVINGS Annual hours Description Total Annual Savings ............................................................................................................................................... Total Annual Burden ................................................................................................................................................ VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 PO 00000 Frm 00116 Fmt 4701 Sfmt 4702 E:\FR\FM\15APP2.SGM 15APP2 Cost savings 966 197 $83,526 16,012 15411 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules INDUSTRY NET PAPERWORK SAVINGS—Continued Annual hours Description Net Annual Savings .......................................................................................................................................... Paperwork Burden to the Federal Government The following tables summarizes FAA paperwork savings and burden. Similar to industry burden savings, the FAA would receive burden relief from waivers avoided due to the definition of launch, waterborne vessel protection, and removal of the 48-hour readiness Cost savings 769 67,514 requirement. See the Regulatory Impact Analysis available in the docket for more details on these estimates and calculations. FAA PAPERWORK COST SAVINGS Estimated time per response (hours) Description FAA wage rate Annual hours Cost savings Waiver Avoidance (§ 450.3) ............................................................................. System Safety Program—Safety Official (§ 450.103) ...................................... Duration of a Vehicle License (§ 450.7) .......................................................... Ground Safety (§ 450.185) .............................................................................. 7.5 24 253.5 439 $83.26 82.88 83.61 82.88 127.5 134.4 304.2 439 $10,616 11,139 25,434 36,384 Total Annual Savings ............................................................................... ........................ ........................ 1,005 83,573 FAA PAPERWORK BURDEN Estimated time per response (hours) Description FAA wage rate Annual hours Cost savings Explosive Potential (§ 450.43) ......................................................................... Transit time (§ 450.43) ..................................................................................... Ground Safety (§ 450.185) .............................................................................. 2.0 0.5 40 $82.88 82.88 82.88 100 25 80 $8,288 2,072 6,630 Total Annual Burden ................................................................................. ........................ ........................ 205 16,990 FAA NET PAPERWORK SAVINGS Annual hours Description Total Annual Savings ............................................................................................................................................... Total Annual Burden ................................................................................................................................................ 1,005 205 $83,573 16,990 Net Annual Savings .......................................................................................................................................... 800 66,583 Voluntary One-Time Modification of Existing Licenses amozie on DSK9F9SC42PROD with PROPOSALS2 Cost savings There are currently 24 active licenses held by 12 operators. Once the rule is in effect, existing licenses would be grandfathered under the current provisions, unless the licenses are modified. Operators may choose to modify their licenses to benefit from the cost saving provisions of the proposed rule—some operators may choose also to wait until they apply for a new VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 license. The FAA assumes modifications of licenses would occur within the first year after the rule is effective. The FAA assumes it would take about one month for an industry aerospace engineer to develop documentation and analysis to apply for a modification of an existing license and about two weeks for an FAA employee to review an application for a modification of an existing license. The following estimates assume all licenses would be modified. This PO 00000 Frm 00117 Fmt 4701 Sfmt 4702 overestimates paperwork costs, since some operators may not find it advantageous to modify their existing licenses. The FAA requests comment on these assumptions and the following estimates to apply for applications to modify existing licenses. Specifically, the FAA requests information if licenses holders would modify existing licenses for changes from this proposed rule or wait to apply for new licenses. The FAA may revise these assumptions and estimates for the final rule. E:\FR\FM\15APP2.SGM 15APP2 15412 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules INDUSTRY BURDEN COSTS FOR APPLICATIONS TO MODIFY EXISTING LICENSES Year Wage rate Time (one month of work hours) * Cost per license Number of licenses Total burden hours Total costs 1 ............................................................... $81.28 173 $14,061 24 4,152 $337,457 * One month of work hours based on the following calculations: 52 work weeks/year × 40 work hours/week = 2,080 work hours/year; and, 2,080 work hours/year ÷ 12 months = 173 work hours/month (rounded). FAA BURDEN COSTS TO REVIEW APPLICATIONS TO MODIFY EXISTING LICENSES Year Wage rate Hours (two weeks of work hours) Cost per license Number of licenses Total burden hours Total costs 1 ............................................................... $82.88 80 $6,630 24 1,920 $159,130 amozie on DSK9F9SC42PROD with PROPOSALS2 The agency is soliciting comments to— (1) Evaluate whether the proposed information requirement is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility; (2) Evaluate the accuracy of the agency’s estimate of the burden; (3) Enhance the quality, utility, and clarity of the information to be collected; and (4) Minimize the burden of collecting information on those who are to respond, including by using appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology. Individuals and organizations may send comments on the information collection requirement to the address listed in the ADDRESSES section at the beginning of this preamble by June 14, 2019. Comments also should be submitted to the Office of Management and Budget, Office of Information and Regulatory Affairs, Attention: Desk Officer for FAA, New Executive Building, Room 10202, 725 17th Street NW, Washington, DC 20053. F. International Compatibility In keeping with U.S. obligations under the Convention on International Civil Aviation, it is FAA policy to conform to International Civil Aviation Organization (ICAO) Standards and Recommended Practices to the maximum extent practicable. The FAA has determined that there are no ICAO Standards and Recommended Practices that correspond to these proposed regulations. G. Environmental Analysis FAA Order 1050.1F identifies FAA actions that are categorically excluded from preparation of an environmental assessment or environmental impact statement under the National VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 Environmental Policy Act in the absence of extraordinary circumstances. The FAA has determined this rulemaking action qualifies for the categorical exclusion identified in paragraph 5–6.6 and involves no extraordinary circumstances. V. Executive Order Determinations A. Executive Order 13132, Federalism The FAA has analyzed this proposed rule under the principles and criteria of Executive Order 13132, Federalism. The agency has determined that this action would not have a substantial direct effect on the States, or the relationship between the Federal Government and the States, or on the distribution of power and responsibilities among the various levels of government, and, therefore, would not have Federalism implications. B. Executive Order 13211, Regulations That Significantly Affect Energy Supply, Distribution, or Use The FAA analyzed this proposed rule under Executive Order 13211, Actions Concerning Regulations that Significantly Affect Energy Supply, Distribution, or Use (May 18, 2001). The agency has determined that it would not be a ‘‘significant energy action’’ under the executive order and would not be likely to have a significant adverse effect on the supply, distribution, or use of energy. C. Executive Order 13609, International Cooperation Executive Order 13609, Promoting International Regulatory Cooperation, promotes international regulatory cooperation to meet shared challenges involving health, safety, labor, security, environmental, and other issues and to reduce, eliminate, or prevent unnecessary differences in regulatory requirements. The FAA has analyzed this action under the policies and PO 00000 Frm 00118 Fmt 4701 Sfmt 4702 agency responsibilities of Executive Order 13609, and has determined that this action would have no effect on international regulatory cooperation. D. Executive Order 13771, Reducing Regulation and Controlling Regulatory Costs This proposed rule is expected to be a deregulatory action under Executive Order 13771 and would result in net cost savings for industry that would likely reduce the future cost of innovation in U.S. commercial space transportation. The Preliminary Regulatory Impact Analysis for the proposed rule provides additional information. VI. Additional Information A. Comments Invited The FAA invites interested persons to participate in this rulemaking by submitting written comments, data, or views. Also, the agency invites comments regarding potential overlap with the regulatory requirements of other agencies not addressed in this proposed rule. In addition, the FAA invites comments relating to the economic, environmental, energy, or federalism impacts that might result from adopting the proposals in this document. The most helpful comments reference a specific portion of the proposal, explain the reason for any recommended change, and include supporting data. To ensure the docket does not contain duplicate comments, commenters should send only one copy of written comments, or if comments are filed electronically, commenters should submit only one time. The FAA will file in the docket all comments it receives, as well as a report summarizing each substantive public contact with FAA personnel concerning this proposed rulemaking. Before acting on this proposal, the FAA will consider all comments it receives on or before the E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules closing date for comments. The FAA will consider comments filed after the comment period has closed if it is possible to do so without incurring expense or delay. The agency may change this proposal in light of the comments it receives. Proprietary or Confidential Business Information: Commenters should not file proprietary or confidential business information in the docket. Such information must be sent or delivered directly to the person identified in the FOR FURTHER INFORMATION CONTACT section of this document, and marked as proprietary or confidential. If submitting information on a disk or CD ROM, mark the outside of the disk or CD ROM, and identify electronically within the disk or CD ROM the specific information that is proprietary or confidential. Under 14 CFR 11.35(b), if the FAA is aware of proprietary information filed with a comment, the agency does not place it in the docket. It is held in a separate file to which the public does not have access, and the FAA places a note in the docket that it has received it. If the FAA receives a request to examine or copy this information, it treats it as any other request under the Freedom of Information Act (5 U.S.C. 552). The FAA processes such a request under Department of Transportation procedures found in 49 CFR part 7. amozie on DSK9F9SC42PROD with PROPOSALS2 B. Availability of Rulemaking Documents An electronic copy of rulemaking documents may be obtained from the internet by—Searching the Federal eRulemaking Portal (https:// www.regulations.gov); Visiting the FAA’s Regulations and Policies web page at https:// www.faa.gov/regulations_policies or Accessing the Government Printing Office’s web page at https:// www.gpo.gov/fdsys/. Copies may also be obtained by sending a request to the Federal Aviation Administration, Office of Rulemaking, ARM–1, 800 Independence Avenue SW, Washington, DC 20591, or by calling (202) 267–9680. Commenters must identify the docket or notice number of this rulemaking. All documents the FAA considered in developing this proposed rule, including economic analyses and technical reports, may be accessed from the internet through the Federal eRulemaking Portal referenced in item (1) above. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 List of Subjects 14 CFR Part 404 Administrative practice and procedure, Space transportation and exploration. 14 CFR Part 413 Confidential business information, Space transportation and exploration. 14 CFR Part 414 Airspace, Aviation safety, Space transportation and exploration. 14 CFR Part 420 Environmental protection, Reporting and recordkeeping requirements, Space transportation and exploration. 14 CFR Part 437 Aircraft, Aviation safety, Reporting and recordkeeping requirements, Space transportation and exploration. 14 CFR Part 440 Indemnity payments, Insurance, Reporting and recordkeeping requirements, Space transportation and exploration. 14 CFR Part 450 Aircraft, Aviation safety, Environmental protection, Investigations, Reporting and recordkeeping requirements, Space transportation and exploration. The Proposed Amendment In consideration of the foregoing, the Federal Aviation Administration proposes to amend chapter III of title 14, Code of Federal Regulations as follows: PART 401—ORGANIZATION AND DEFINITIONS 1. The authority citation for part 401 continues to read as follows: ■ Authority: 51 U.S.C. 50101–50923. 2. In § 401.5: a. Add, in alphabetical order, the definitions of ‘‘Anomaly,’’ ‘‘Casualty area,’’ and ‘‘Command control system’’; ■ b. Revise the definition of ‘‘Contingency abort’’; ■ c. Add, in alphabetical order, the definitions of ‘‘Control entity,’’ ‘‘Countdown,’’ ‘‘Critical asset,’’ ‘‘Crossrange,’’ ‘‘Data loss flight time,’’ ‘‘Deorbit,’’ ‘‘Disposal,’’ ‘‘Dose-response relationship,’’ ‘‘Downrange,’’ and ‘‘Effective casualty area’’; ■ d. Remove the definition of ‘‘Emergency abort’’; ■ ■ Frm 00119 Fmt 4701 e. Add, in alphabetical order, the definition of ‘‘Expected casualty,’’ ‘‘Explosive debris,’’ ‘‘Flight abort,’’ ‘‘Flight abort crew,’’ ‘‘Flight abort rules,’’ ‘‘Flight hazard area,’’ and ‘‘Flight safety limit’’; ■ f. Revise the definition of ‘‘Flight safety system’’; ■ g. Add, in alphabetical order, the definitions of ‘‘Gate’’ and ‘‘Hazard control’’; ■ h. Remove the definition of ‘‘Human space flight incident’’; ■ i. Revise the definitions of ‘‘Instantaneous impact point’’ and ‘‘Launch’’; ■ j. Remove the definitions of ‘‘Launch accident’’ and ‘‘Launch incident’’; ■ k. Add, in alphabetical order, the definitions of ‘‘Launch or reentry system,’’ ‘‘Launch window,’’ ‘‘Liftoff,’’ and ‘‘Limits of a useful mission’’; ■ l. Revise the definition of ‘‘Mishap’’; ■ m. Add, in alphabetical order, the definitions of ‘‘Mishap, Class 1,’’ ‘‘Mishap, Class 2,’’ ‘‘Mishap, Class 3’’, ‘‘Mishap, Class 4,’’ ‘‘Neighboring operations personnel,’’ ‘‘Normal flight,’’ ‘‘Normal trajectory,’’ ‘‘Operating environment,’’ and ‘‘Operation hazard’’; ■ n. Revise the definition of ‘‘Operator’’; ■ o. Add, in alphabetical order, the definitions of ‘‘Orbital insertion,’’ ‘‘Physical containment,’’ ‘‘Probability of casualty,’’ and ‘‘Public’’; ■ p. Remove the definition of ‘‘Public safety’’; ■ q. Revise the definition of ‘‘Reenter; reentry’’; ■ r. Remove the definitions of ‘‘Reentry accident’’ and ‘‘Reentry incident’’; ■ s. Add, in alphabetical order, the definition of ‘‘Reentry window’’; ■ t. Revise the definition of ‘‘Safety critical’’; ■ u. Add, in alphabetical order, the definitions of ‘‘Service life’’ and ‘‘Software function’’; ■ v. Revise the definition of ‘‘State and United States’’; ■ w. Add, in alphabetical order, the definitions of ‘‘Sub-vehicle point,’’ ‘‘System hazard,’’ ‘‘Toxic hazard area,’’ ‘‘Tracking icon,’’ ‘‘Uncontrolled area,’’ ‘‘Unguided suborbital launch vehicle,’’ ‘‘Uprange,’’ and ‘‘Vehicle response modes’’; ■ x. Remove the definition of ‘‘Vehicle safety operations personnel’’; and ■ y. Add, in alphabetical order, the definitions of ‘‘Wind weighting safety system’’ and ‘‘Window closure’’. The additions and revisions read as follows: ■ 14 CFR Part 401 Organization and functions (Government agencies), Space transportation and exploration. PO 00000 15413 Sfmt 4702 § 401.5 Definitions. * * * * * Anomaly means any condition during licensed or permitted activity that E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15414 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules deviates from what is standard, normal, or expected, during the verification or operation of a system, subsystem, process, facility, or support equipment. * * * * * Casualty area means the area surrounding each potential debris or vehicle impact point where serious injuries, or worse, can occur. Command control system means the portion of a flight safety system that includes all components needed to send a flight abort control signal to the onboard portion of a flight safety system. Contingency abort means a flight abort with a landing at a planned location that has been designated in advance of vehicle flight. Control entity means a person or device that can control another device or process. Countdown means the timed sequence of events that must take place to initiate flight of a launch vehicle or reentry of a reentry vehicle. * * * * * Critical asset means an asset that is essential to the national interests of the United States. Critical assets include property, facilities, or infrastructure necessary to maintain national defense, or assured access to space for national priority missions. Crossrange means the distance measured along a line whose direction is either 90 degrees clockwise (right crossrange) or counter-clockwise (left crossrange) to the projection of a vehicle’s planned nominal velocity vector azimuth onto a horizontal plane tangent to the ellipsoidal Earth model at the vehicle’s sub-vehicle point. The terms right crossrange and left crossrange may also be used to indicate direction. Data loss flight time means the shortest elapsed thrusting or gliding time during which a vehicle flown with a flight safety system can move from its trajectory to a condition where it is possible for the vehicle to violate a flight safety limit. Deorbit means the flight of a vehicle that begins with the final command to commit to a perigee below 70 nautical miles (approximately 130 kilometers), and ends when all vehicle components come to rest on the Earth. Disposal means the return or attempt to return, purposefully, a launch vehicle stage or component, not including a reentry vehicle, from Earth orbit to Earth, in a controlled manner. Dose-response relationship means a quantitative methodology used to assign a probability of casualty within a population group given exposure to a toxic chemical of known or predicted concentration and duration. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 Downrange means the distance measured along a line whose direction is parallel to the projection of a vehicle’s planned nominal velocity vector azimuth into a horizontal plane tangent to the ellipsoidal Earth model at the vehicle sub-vehicle point. The term downrange may also be used to indicate direction. Effective casualty area means the aggregate casualty area of each piece of debris created by a vehicle failure at a particular point on its trajectory. The effective casualty area for each piece of debris is a modeling construct in which the area within which 100 percent of the population are assumed to be a casualty, and outside of which 100 percent of the population are assumed not to be a casualty. * * * * * Expected casualty means the mean number of casualties predicted to occur per flight operation if the operation were repeated many times. * * * * * Explosive debris means solid propellant fragments or other pieces of a vehicle or payload that result from breakup of the vehicle during flight and that explode upon impact with the Earth’s surface and cause overpressure. * * * * * Flight abort means the process to limit or restrict the hazards to public health and safety, and the safety of property, presented by a launch vehicle or reentry vehicle, including any payload, while in flight by initiating and accomplishing a controlled ending to vehicle flight. Flight abort crew means the personnel who make a flight abort decision. Flight abort rules means the conditions under which a flight safety system must abort the flight to ensure compliance with public safety criteria. * * * * * Flight hazard area means any region of land, sea, or air that must be surveyed, publicized, controlled, or evacuated in order to protect public health and safety and the safety of property. Flight safety limit means criteria to ensure that public safety is protected from the flight of a vehicle when a flight safety system functions properly. Flight safety system means a system used to implement flight abort. A human can be a part of a flight safety system. Gate means the portion of a flight safety limit boundary through which the tracking icon of a vehicle flown with a flight safety system may pass without flight abort, provided the flight remains within specified parameters. PO 00000 Frm 00120 Fmt 4701 Sfmt 4702 Hazard control means a preventative measure or mitigation put in place for systems or operations to reduce the severity of a hazard or the likelihood of the hazard occurring. * * * * * Instantaneous impact point means a predicted impact point, following thrust termination of a vehicle. Launch means to place or try to place a launch vehicle or reentry vehicle and any payload or human being from Earth in a suborbital trajectory, in Earth orbit in outer space, or otherwise in outer space, including activities involved in the preparation of a launch vehicle or payload for launch, when those activities take place at a launch site in the United States. * * * * * Launch or reentry system means the integrated set of subsystems, personnel, products, and processes that, when combined together, safely carries out a launch or reentry. * * * * * Launch window means a period of time during which the flight of a launch vehicle may be initiated. Liftoff means any motion of the launch vehicle with intention to initiate flight. Limits of a useful mission means the trajectory data or other parameters that describe the limits of a mission that can attain the primary objective, including flight azimuth limits. Mishap means any event, or series of events associated with a licensed or permitted activity, that meets the criteria of a Class 1, 2, 3 or 4 mishap. Mishap, Class 1 means any event resulting in one or more of the following: (1) A fatality or serious injury (as defined in 49 CFR 830.2) as a result of licensed or permitted activity to any person who is not associated with the licensed or permitted activity, including ground activities at a launch or reentry site; or (2) A fatality or serious injury to any space flight participant, crew, or government astronaut. Mishap, Class 2 means any event, other than a Class 1 mishap, resulting in one or more of the following: (1) A malfunction of a flight safety system or safety-critical system; or (2) A failure of the licensee’s or permittee’s safety organization, safety operations, safety procedures; or (3) High risk, as determined by the FAA, of causing a serious or fatal injury to any space flight participant, crew, government astronaut, or member of the public; or E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules (4) Substantial damage, as determined by the FAA, to property not associated with licensed or permitted activity. Mishap, Class 3 means any unplanned event, other than a Class 1 or Class 2 mishap, resulting in one or more of the following: (1) Permanent loss of a launch or reentry vehicle during licensed activity; or (2) The impact of a licensed or permitted launch or reentry vehicle, its payload, or any component thereof outside the planned landing site or designated hazard area. Mishap, Class 4 means an unplanned event, other than a Class 1, Class 2, or Class 3 mishap, resulting in one or more of the following: (1) Permanent loss of a vehicle during permitted activity; (2) Failure to achieve mission objectives; or (3) Substantial damage, as determined by the FAA, to property associated with licensed or permitted activity. Neighboring operations personnel means, as determined by the Federal or licensed launch or reentry site operator, those members of the public located within a launch or reentry site, or an adjacent launch or reentry site, who are not associated with a specific hazardous licensed or permitted operation currently being conducted but are required to perform safety, security, or critical tasks at the site and are notified of the operation. * * * * * Normal flight means the flight of a properly performing vehicle whose realtime vacuum instantaneous impact point does not deviate from the nominal vacuum instantaneous impact point by more than the sum of the wind effects and the three-sigma guidance and performance deviations in the uprange, downrange, left-crossrange, or rightcrossrange directions. Normal trajectory means a trajectory that describes normal flight. Operating environment means an environment that a launch or reentry vehicle component will experience during its lifecycle. Operating environments include shock, vibration, thermal cycle, acceleration, humidity, and thermal vacuum. Operation hazard means a hazard created by an operating environment or by an unsafe act. * * * * * Operator means a holder of a license or permit under 51 U.S.C. Subtitle V, chapter 509. Orbital insertion means the point at which a vehicle achieves a minimum VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 70-nautical mile perigee based on a computation that accounts for drag. * * * * * Physical containment means a launch vehicle does not have sufficient energy for any hazards associated with its flight to reach the public or critical assets. * * * * * Probability of casualty means the likelihood that a person will suffer a serious injury or worse, including a fatal injury, due to all hazards from an operation at a specific location. Public means, for a particular licensed or permitted launch or reentry, people and property that are not involved in supporting the launch or reentry and includes those people and property that may be located within the launch or reentry site, such as visitors, individuals providing goods or services not related to launch or reentry processing or flight, and any other operator and its personnel. Reenter; reentry means to return or attempt to return, purposefully, a reentry vehicle and its payload or human being, if any, from Earth orbit or from outer space to Earth. * * * * * Reentry window means a period of time during which the reentry of a reentry vehicle may be initiated. * * * * * Safety critical means essential to safe performance or operation. A safetycritical system, subsystem, component, condition, event, operation, process, or item, is one whose proper recognition, control, performance, or tolerance, is essential to ensuring public safety. Service life means, for a safety-critical system component, the sum total of the component’s storage life and operating life. * * * * * Software function means a collection of computer code that implements a requirement or performs an action. This includes firmware and operating systems. * * * * * State and United States means, when used in a geographical sense, the several States, the District of Columbia, the Commonwealth of Puerto Rico, American Samoa, the United States Virgin Islands, Guam, and any other commonwealth, territory, or possession of the United States. Sub-vehicle point means the location on an ellipsoidal Earth model where the normal to the ellipsoid passes through the vehicle’s center of gravity. System hazard means a hazard associated with a system and generally PO 00000 Frm 00121 Fmt 4701 Sfmt 4702 15415 exists even when no operation is occurring. * * * * * Toxic hazard area means a region on the Earth’s surface where toxic concentrations and durations may be greater than approved toxic thresholds for acute casualty, in the event of a release during launch or reentry. Tracking icon means the representation of a vehicle’s instantaneous impact point, debris footprint, or other vehicle performance metric used during real-time tracking of the vehicle’s flight. Uncontrolled area is an area of land not controlled by a launch or reentry operator, a launch or reentry site operator, an adjacent site operator, or other entity by agreement. Unguided suborbital launch vehicle means a suborbital rocket that does not contain active guidance or a directional control system. * * * * * Uprange means the distance measured along a line that is 180 degrees to the downrange direction. * * * * * Vehicle response modes means mutually exclusive scenarios that characterize foreseeable combinations of vehicle trajectory and debris generation. * * * * * Wind weighting safety system means equipment, procedures, analysis and personnel functions used to determine the launcher elevation and azimuth settings that correct for wind effects that an unguided suborbital launch vehicle will experience during flight. Window closure means a period of time when launch or reentry is not permitted in order to avoid a collision with an object in orbit. A window closure may occur within a launch or reentry window, may delay the start of a window, or terminate a window early. PART 404—REGULATIONS AND LICENSING REQUIREMENTS 3. The authority citation for part 404 continues to read as follows: ■ Authority: 51 U.S.C. 50901–50923. ■ 4. Revise § 404.5 to read as follows: § 404.5 Filing a petition for waiver. (a) A petition for waiver must be submitted at least 60 days before the proposed effective date of the waiver, unless the Administrator agrees to a different time frame in accordance with § 404.15. (b) The petition for waiver must include: (1) The specific section or sections of this chapter from which the petitioner seeks relief; E:\FR\FM\15APP2.SGM 15APP2 15416 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules (2) The extent of the relief sought and the reason the relief is being sought; (3) The reason why granting the request for relief is in the public interest and will not jeopardize the public health and safety, safety of property, and national security and foreign policy interests of the United States; and (4) Any additional facts, views, and data available to the petitioner to support the waiver request. ■ 5. Add § 404.15 to read as follows: § 404.15 Alternative time frames. (a) General. Unless otherwise approved by the Administrator, an applicant, a licensee, a permittee, or a safety element approval holder must meet the time frames set forth in this chapter. (b) Request to change a time frame. A person may file a written request to the FAA to propose an alternative time frame to any of the time frames included in the sections listed in appendix A to this part. The request must be— (1) Submitted no later than the specific time frame included in the regulation; and (2) Emailed to ASTApplications@ faa.gov; or (3) Mailed to the Federal Aviation Administration, Associate Administrator for Commercial Space Transportation, Room 331, 800 Independence Avenue SW, Washington, DC 20591. Attention: Alternative Time Frame Request. (c) Administrator review. The Administrator will review and make a decision or grant a request for an alternative time-frame as follows: (1) The FAA will conduct its review on a case-by-case basis, taking into account the complexity of the request and whether it allows sufficient time for the FAA to conduct its review and make the requisite public health and safety, safety of property, and national security and foreign policy findings; and (2) The FAA will provide its decision in writing. ■ 6. Add appendix A to part 404 the read as follows: Appendix A to Part 404—Alternative Time Frames A404.1 GENERAL Alternative time frames. This appendix lists the sections and corresponding paragraphs in this chapter that provide the eligible time frames for an applicant, licensee, permittee or a safety element approval holder, as applicable, to request an alternative time frame. TABLE A404.1—ELIGIBLE TIME FRAMES 49 CFR Paragraphs § 404.5—Filing a petition for waiver ................................................................................................................................................... § 413.23—License or permit renewal ................................................................................................................................................. § 414.31—Safety element approval renewal ..................................................................................................................................... § 420.57—Notifications ....................................................................................................................................................................... § 437.89—Preflight reporting .............................................................................................................................................................. § 440.15—Demonstration of compliance ........................................................................................................................................... (a) (a) (a) (d) (a), (b) (a)(1), (a)(2), (a)(3), (a)(4) (f)(1) (b), (c), (d), (e) (a) § 450.169— Launch and Reentry Collision Avoidance Analysis Requirements ............................................................................... § 450.213—Preflight reporting ............................................................................................................................................................ § 450.215—Post-flight reporting ......................................................................................................................................................... ■ PART 413—APPLICATION PROCEDURES 9. Revise § 413.1 to read as follows: § 413.1 7. The authority citation for part 413 continues to read as follows: ■ Scope of this part. (a) This part explains how to apply for a license or experimental permit. These procedures apply to all applications for obtaining a license or permit, transferring a license, and renewing a Authority: 51 U.S.C. 50901–50923. 8. Revise the heading for part 413 to read as set forth above. ■ license or permit. In this part, the term application means either an application in its entirety, or a portion of an application for incremental review and determination in accordance with § 450.33 of this chapter. (b) Use the following table to locate specific requirements: TABLE 1 TO PARAGRAPH (b) Subject Part License to Operate a Launch Site ....................................................................................................................................................... License to Operate a Reentry Site ...................................................................................................................................................... Experimental Permits ........................................................................................................................................................................... Launch And Reentry License Requirements ....................................................................................................................................... 10. Amend § 413.7 by revising the section heading and paragraph (a)(3) to read as follows: amozie on DSK9F9SC42PROD with PROPOSALS2 ■ § 413.7 Application submission. (a) * * * (3) For an application submitted by email, an applicant must send the application as an email attachment, or as a link to a secure server, to ASTApplications@faa.gov. The application and the email to which the VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 application is attached or linked must also satisfy the following criteria: (i) The email to which the application is attached or linked must be sent from an email address controlled by the person who signed the application or by an authorized representative of the applicant; (ii) The email must identify each document that is included as an attachment or that is stored on a secure server; and PO 00000 Frm 00122 Fmt 4701 Sfmt 4702 420 433 437 450 (iii) The electronic files must be datestamped and have version control documentation. * * * * * ■ 11. Amend § 413.11 by revising paragraph (a) to read as follows: § 413.11 Acceptance of an application. * * * * * (a) The FAA accepts the application and will initiate review; or * * * * * E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules ■ 12. Revise § 413.15 to read as follows: § 413.15 Review period. (a) Review period duration. Unless otherwise specified in this chapter, the FAA reviews and makes a license or permit determination on an application within 180 days of receiving an accepted license application or within 120 days of receiving an accepted permit application. The FAA will establish the time frame for any incremental review and determination with an applicant on a case-by-case basis during pre-application consultation. (b) Review period tolled. If an accepted application does not provide sufficient information to continue or complete the reviews or evaluations required by this chapter for a license, permit, or incremental determination, or an issue exists that would affect a determination, the FAA notifies the applicant, in writing, and informs the applicant of any information required to complete the application. If the FAA cannot review an accepted application because of lack of information or for any other reason, the FAA will toll the review period until the FAA receives the information it needs or the applicant resolves the issue. (c) Notice. Unless applying under incremental review and determination in accordance with § 450.33 of this chapter, if the FAA does not make a decision within 120 days of receiving an accepted license application or within 90 days of receiving an accepted permit application, the FAA informs the applicant, in writing, of any outstanding information needed to complete the review, or of any issues that would affect the decision. ■ 13. Amend § 413.21 by revising the section heading and paragraphs (b) and (c) to read as follows: § 413.21 Denial of a license or permit application. amozie on DSK9F9SC42PROD with PROPOSALS2 * * * * * (b) If the FAA has denied an application in its entirety, the applicant may either— (1) Attempt to correct any deficiencies identified and ask the FAA to reconsider the revised application. The FAA has 60 days or the number of days remaining in the review period, whichever is greater, within which to reconsider the decision; or (2) Request a hearing in accordance with part 406 of this chapter, for the purpose of showing why the application should not be denied. (c) An applicant whose application is denied after reconsideration under paragraph (b)(1) of this section may VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 request a hearing in accordance with paragraph (b)(2) of this section. ■ 14. Revise part 414 to read as follows: PART 414—SAFETY ELEMENT APPROVALS Sec. Subpart A—General 414.1 Scope. 414.3 Definitions. 414.5 Applicability. 414.7 Eligibility. Subpart B—Application Procedures 414.9 Pre-application consultation. 414.11 Application. 414.13 Application separate from a vehicle operator license application. 414.15 Application concurrent with vehicle operator license application. 414.17 Confidentiality. 414.19 Processing the initial application. 414.21 Maintaining the continued accuracy of the initial application. Subpart C—Safety Element Approval Review and Issuance 414.23 Technical criteria for reviewing a safety element approval application. 414.25 Terms and conditions for issuing a safety element approval; duration of a safety element approval. 414.27 Maintaining the continued accuracy of the safety element approval application. 414.29 Safety element approval records. 414.31 Safety element approval renewal. 414.33 Safety element approval transfer. 414.35 Monitoring compliance with the terms and conditions of a safety element approval. 414.37 Modification, suspension, or revocation of a safety element approval. 414.39 [Reserved] Subpart D—Appeal Procedures 414.41 Hearings in safety element approval actions. 414.43 Submissions; oral presentations in safety element approval actions. 414.45 Administrative law judge’s recommended decision in safety element approval actions. Authority: 51 U.S.C. 50901–50923. Subpart A—General § 414.1 Scope. This part establishes procedures for obtaining a safety element approval and renewing and transferring an existing safety element approval. Safety element approvals issued under this part may be used to support the application review for one or more vehicle operator license requests under other parts of this chapter. § 414.3 Definitions. For purposes of this part the following definitions apply: PO 00000 Frm 00123 Fmt 4701 Sfmt 4702 15417 Safety element approval. A safety element approval is an FAA document containing the FAA determination that one or more of the safety elements listed in paragraphs (1) and (2) of this definition, when used or employed within a defined envelope, parameter, or situation, will not jeopardize public health and safety or safety of property. A safety element approval may be issued independent of a license, and it does not confer any authority to conduct activities for which a license is required under this chapter. A safety element approval does not relieve its holder of the duty to comply with all applicable requirements of law or regulation that may apply to the holder’s activities. (1) Launch vehicle, reentry vehicle, safety system, process, service, or any identified component thereof; or (2) Qualified and trained personnel, performing a process or function related to licensed activities or vehicles. Safety element. A safety element is any one of the items or persons (personnel) listed in paragraphs (1) and (2) of the definition of ‘‘safety approval’’ in this section. § 414.5 Applicability. This part applies to an applicant that wants to obtain a safety element approval for any of the safety elements defined under this part and to persons granted a safety element approval under this part. Any person eligible under this part may apply to become the holder of a safety element approval. § 414.7 Eligibility. (a) There is no citizenship requirement to obtain a safety element approval. (b) You may be eligible for a safety element approval if you are— (1) A designer, manufacturer, or operator of a launch or reentry vehicle or component thereof; (2) The designer or developer of a safety system or process; or (3) Personnel who perform safety critical functions in conducting a licensed launch or reentry. (c) A safety element approval applicant must have sufficient knowledge and expertise to show that the design and operation of the safety element for which safety element approval is sought qualify for a safety element approval. (d) Only the safety elements defined under this part are eligible for a safety element approval. The applicant must consult with the FAA before submitting an application. Unless the applicant or the FAA requests another form of consultation, consultation is oral discussion with the FAA about the E:\FR\FM\15APP2.SGM 15APP2 15418 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules application process and the potential issues relevant to the FAA’s safety element approval decision. Subpart B—Application Procedures § 414.9 Pre-application consultation. The applicant must consult with the FAA before submitting an application. Unless the applicant or the FAA requests another form of consultation, consultation is oral discussion with the FAA about the application process and the potential issues relevant to the FAA’s safety approval decision. § 414.11 Application. An applicant may submit an application for a safety element approval in one of two ways: (a) Separate from a vehicle operator license application in accordance with § 414.13; or (b) Concurrent with a vehicle operator license application in accordance with § 414.15. amozie on DSK9F9SC42PROD with PROPOSALS2 § 414.13 Application separate from a vehicle operator license application. (a) An applicant must make an application in writing and in English. The applicant must file the application with the Federal Aviation Administration either by paper, by use of physical electronic storage, or by email in the following manner: (1) For an application submitted on paper, an applicant must send two copies of the application to the Federal Aviation Administration, Associate Administrator for Commercial Space Transportation, Room 331, 800 Independence Avenue SW, Washington, DC 20591. Attention: Application Review. (2) For an application submitted by use of physical electronic storage, the applicant must either mail the application to the address specified in paragraph (a)(1) of this section or handdeliver the application to an authorized FAA representative. The application and the physical electronic storage containing the application must also satisfy all of the following criteria: (i) The application must include a cover letter that is printed on paper and signed by the person who signed the application or by an authorized representative of the applicant; (ii) The cover letter must identify each document that is included on the physical electronic storage; and (iii) The physical electronic storage must be in a format such that its contents cannot be altered. (3) For an application submitted by email, an applicant must send the application as an email attachment, or as a link to a secure server, to VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 ASTApplications@faa.gov. The application and the email to which the application is attached must also satisfy the following criteria: (i) The email to which the application is attached must be sent from an email address controlled by the person who signed the application or by an authorized representative of the applicant; and (ii) The email must identify each document that is included as an attachment or that is stored on a secure server; and (iii) The electronic files must be datestamped and have version control documentation. (b) The application must identify the following basic information: (1) Name and address of the applicant. (2) Name, address, and telephone number of any person to whom inquiries and correspondence should be directed. (3) Safety element as defined under this part for which the applicant seeks a safety element approval. (c) The application must contain the following technical information: (1) A Statement of Conformance letter, describing the specific criteria the applicant used to show the adequacy of the safety element for which a safety element approval is sought, and showing how the safety element complies with the specific criteria. (2) The specific operating limits for which the safety element approval is sought. (3) The following as applicable: (i) Information and analyses required under this chapter that may be applicable to demonstrating safe performance of the safety element for which the safety element approval is sought. (ii) Engineering design and analyses that show the adequacy of the proposed safety element for its intended use, such that the use in a licensed launch or reentry will not jeopardize public health or safety or the safety of property. (iii) Relevant manufacturing processes. (iv) Test and evaluation procedures. (v) Test results. (vi) Maintenance procedures. (vii) Personnel qualifications and training procedures. (d) The application must be legibly signed, dated, and certified as true, complete, and accurate by one of the following: (1) For a corporation, an officer or other individual authorized to act for the corporation in licensing or safety element approval matters. PO 00000 Frm 00124 Fmt 4701 Sfmt 4702 (2) For a partnership or a sole proprietorship, a general partner or proprietor, respectively. (3) For a joint venture, association, or other entity, an officer or other individual duly authorized to act for the joint venture, association, or other entity in licensing matters. (e) Failure to comply with any of the requirements set forth in this section is sufficient basis for denial of a safety element approval application. § 414.15 Application concurrent with vehicle operator license application. (a) An applicant for a vehicle operator license may also identify one or more sections of its application for which it seeks to obtain a safety element approval concurrently with a license. An applicant applying for a safety element approval concurrently with a license must— (1) Meet the applicable requirements of part 450 of this chapter; (2) Provide the information required in § 414.13(b)(3) and (c)(2) and (3); and (3) Specify the sections of the license application that support its application for a safety element approval. (b) The scope of the safety element approval will be limited to what the application supports. The technical criteria for reviewing a safety element submitted as part of a vehicle operator license application are limited to the applicable requirements of part 450 of this chapter. § 414.17 Confidentiality. (a) To ensure confidentiality of data or information in the application, the applicant must— (1) Send a written request with the application that trade secrets or proprietary commercial or financial data be treated as confidential, and include in the request the specific time frame confidential treatment is required. (2) Mark data or information that require confidentiality with an identifying legend, such as ‘‘Proprietary Information,’’ ‘‘Proprietary Commercial Information,’’ ‘‘Trade Secret,’’ or ‘‘Confidential Treatment Requested.’’ Where this marking proves impracticable, attach a cover sheet that contains the identifying legend to the data or information for which confidential treatment is sought. (b) If the applicant requests confidential treatment for previously submitted data or information, the FAA will honor that request to the extent practicable in case of any prior distribution of the data or information. (c) Data or information for which confidential treatment is requested or data or information that qualifies for E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules exemption under 5 U.S.C. 552(b)(4) will not be disclosed to the public unless the Associate Administrator determines that withholding the data or information is contrary to the public or national interest. § 414.19 Processing the initial application. (a) The FAA will initially screen an application to determine if the application is complete enough for the FAA to start its review. (b) After completing the initial screening, the FAA will inform the applicant in writing of one of the following: (1) The FAA accepts the application and will begin the reviews or evaluations required for a safety element approval determination under this part. (2) The FAA rejects the application because it is incomplete or indefinite making initiation of the reviews or evaluations required for a safety element approval determination under this part inappropriate. (c) The written notice will state the reason(s) for rejection and corrective actions necessary for the application to be accepted. The FAA may return a rejected application to the applicant or may hold it until the applicant provides more information. (d) The applicant may withdraw, amend, or supplement an application any time before the FAA makes a final determination on the safety element approval application by making a written request to the Associate Administrator. If the applicant amends or supplements the initial application, the revised application must meet all the applicable requirements under this part. amozie on DSK9F9SC42PROD with PROPOSALS2 § 414.21 Maintaining the continued accuracy of the initial application. The applicant is responsible for the continuing accuracy and completeness of information provided to the FAA as part of the safety element approval application. If at any time after submitting the application, circumstances occur that cause the information to no longer be accurate and complete in any material respect, the applicant must submit a written statement to the Associate Administrator explaining the circumstances and providing the new or corrected information. The revised application must meet all requirements under § 414.13 or § 414.15. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 Subpart C—Safety Element Approval Review and Issuance § 414.23 Technical criteria for reviewing a safety element approval application. The FAA will determine whether a safety element is eligible for and may be issued a safety approval. We will base our determination on performancebased criteria, against which we may assess the effect on public health and safety and on safety of property, in the following hierarchy: (a) FAA or other appropriate Federal regulations. (b) Government-developed or adopted standards. (c) Industry consensus performancebased criteria or standard. (d) Applicant-developed criteria. Applicant-developed criteria are performance standards customized by the manufacturer that intends to produce the system, system component, or part. The applicant-developed criteria must define— (1) Design and minimum performance; (2) Quality assurance system requirements; (3) Production acceptance test specifications; and (4) Continued operational safety monitoring system characteristics. § 414.25 Terms and conditions for issuing a safety element approval; duration of a safety approval. (a) The FAA will issue a safety element approval to an applicant that meets all the requirements under this part. (b) The scope of the safety element approval will be limited by the scope of the safety demonstration contained in the application on which the FAA based the decision to grant the safety element approval. (c) The FAA will determine specific terms and conditions of a safety element approval individually, limiting the safety element approval to the scope for which it was approved. The terms and conditions will include reporting requirements tailored to the individual safety element approval. (d) A safety element approval is valid for five years and may be renewed. § 414.27 Maintaining the continued accuracy of the safety element approval application. (a) The holder of a safety element approval must ensure the continued accuracy and completeness of representations contained in the safety element approval application, on which the approval was issued, for the entire term of the safety element approval. PO 00000 Frm 00125 Fmt 4701 Sfmt 4702 15419 (b) If any representation contained in the application that is material to public health and safety or safety of property ceases to be accurate and complete, the safety element approval holder must prepare and submit a revised application according to § 414.13 or § 414.15. The safety element approval holder must point out any part of the safety element approval or the associated application that would be changed or affected by a proposed modification. The FAA will review and make a determination on the revised application under the terms of this part. § 414.29 Safety element approval records. The holder of a safety element approval must maintain all records necessary to verify that the holder’s activities are consistent with the representations contained in the application for which the approval was issued for the duration of the safety element approval plus one year. § 414.31 Safety element approval renewal. (a) Eligibility. A holder of a safety element approval may apply to renew it by sending the FAA a written application at least 90 days before the expiration date of the approval, unless the Administrator agrees to a different time frame in accordance with § 404.15 of this chapter. (b) Application. (1) A safety element approval renewal application must meet all the requirements under § 414.13 or § 414.15. (2) The application may incorporate by reference information provided as part of the application for the expiring safety element approval or any modification to that approval. (3) Any proposed changes in the conduct of a safety element for which the FAA has issued a safety element approval must be described and must include any added information necessary to support the fitness of the proposed changes to meet the criteria upon which the FAA evaluated the safety element approval application. (c) Review of application. The FAA conducts the reviews required under this part to determine whether the safety element approval may be renewed. We may incorporate by reference any findings that are part of the record for the expiring safety element approval. (d) Grant of safety element approval renewal. If the FAA makes a favorable safety element approval determination, the FAA issues an order that amends the expiration date of the safety element approval or issues a new safety element approval. The FAA may impose added or revised terms and conditions E:\FR\FM\15APP2.SGM 15APP2 15420 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules necessary to protect public health and safety and the safety of property. (e) Written notice. The FAA will provide written notice to the applicant of our determination on the safety element approval renewal request. (f) Denial of a safety element approval renewal. If the FAA denies the renewal application, the applicant may correct any deficiency the FAA identified and request a reconsideration of the revised application. The applicant also has the right to appeal a denial as set forth in subpart D of this part. § 414.33 Safety element approval transfer. (a) Only the FAA may approve a transfer of a safety element approval. (b) Either the holder of a safety element approval or the prospective transferee may request a safety element approval transfer. (c) Both the holder and prospective transferee must agree to the transfer. (d) The person requesting the transfer must submit a safety element approval application according to § 414.13 or § 414.15, must meet the applicable requirements of this part, and may incorporate by reference relevant portions of the initial application. (e) The FAA will approve a transfer of a safety element approval only after all the approvals and determinations required under this chapter for a safety element approval have been met. In conducting reviews and issuing approvals and determinations, the FAA may incorporate by reference any findings made part of the record to support the initial safety element approval determination. The FAA may modify the terms and conditions of a safety element approval to reflect any changes necessary because of a safety element approval transfer. (f) The FAA will provide written notice to the person requesting the safety element approval transfer of our determination. amozie on DSK9F9SC42PROD with PROPOSALS2 § 414.35 Monitoring compliance with the terms and conditions of a safety element approval. Each holder of a safety element approval must allow access by, and cooperate with, Federal officers or employees or other individuals authorized by the Associate Administrator to inspect manufacturing, production, testing, or assembly performed by a holder of a safety element approval or its contractor. The FAA may also inspect a safety element approval process or service, including training programs and personnel qualifications. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 § 414.37 Modification, suspension, or revocation of a safety element approval. (a) The safety element approval holder. The safety element approval holder may submit an application to the FAA to modify the terms and conditions of the holder’s safety element approval. The application must meet all the applicable requirements under this part. The FAA will review and make a determination on the application using the same procedures under this part applicable to an initial safety element approval application. If the FAA denies the request to modify a safety element approval, the holder may correct any deficiency the FAA identified and request reconsideration. The holder also has the right to appeal a denial as set forth in subpart D of this part. (b) The FAA. If the FAA finds it is in the interest of public health and safety, safety of property, or if the safety element approval holder fails to comply with any applicable requirements of this part, any terms and conditions of the safety approval, or any other applicable requirement, the FAA may— (1) Modify the terms and conditions of the safety element approval; or (2) Suspend or revoke the safety element approval. (c) Effective date. Unless otherwise stated by the FAA, any modification, suspension, or revocation of a safety element approval under paragraph (b) of this section— (1) Takes effect immediately; and (2) Continues in effect during any reconsideration or appeal of such action under this part. (d) Notification and Right to Appeal. If the FAA determines it is necessary to modify, suspend, or revoke a safety element approval, we will notify the safety element approval holder in writing. If the holder disagrees with the FAA’s determination, the holder may correct any deficiency the FAA identified and request a reconsideration of the determination. The applicant also has the right to appeal the determination as set forth in subpart D of this part. § 414.39 [Reserved] Subpart D—Appeal Procedures § 414.41 Hearings in safety element approval actions. (a) The FAA will give the safety element approval applicant or holder, as appropriate, written notice stating the reason for issuing a denial or for modifying, suspending, or revoking a safety element approval under this part. (b) A safety element approval applicant or holder is entitled to a PO 00000 Frm 00126 Fmt 4701 Sfmt 4702 determination on the record after an opportunity for a hearing. § 414.43 Submissions; oral presentations in safety element approval actions. (a) Determinations in safety element approval actions under this part will be made on the basis of written submissions unless the administrative law judge, on petition or on his or her own initiative, determines that an oral presentation is required. (b) Submissions must include a detailed exposition of the evidence or arguments supporting the petition. (c) Petitions must be filed as soon as practicable, but in no event more than 30 days after issuance of decision or finding under § 414.37. § 414.45 Administrative law judge’s recommended decision in safety element approval actions. (a) The Associate Administrator, who will make the final decision on the matter at issue, will review the recommended decision of the administrative law judge. The Associate Administrator will make such final decision within 30 days of issuance of the recommended decision. (b) The authority and responsibility to review and decide rests solely with the Associate Administrator and may not be delegated. PART 415 [REMOVE AND RESERVE] ■ 15. Remove and reserve part 415. PART 417 [REMOVE AND RESERVE] ■ 16. Remove and reserve part 417. PART 420—LICENSE TO OPERATE A LAUNCH SITE 17. The authority citation for part 420 continues to read as follows: ■ Authority: 51 U.S.C. 50901–50923. § 420.5 [Amended] 18. Amend § 420.5 by removing the definitions for ‘‘Instantaneous impact point,’’ ‘‘Launch site accident,’’ and ‘‘Public.’’ ■ 19. Amend § 420.15 by revising paragraph (b) to read as follows: ■ § 420.15 Information requirements. * * * * * (b) Environmental. The FAA is responsible for complying with the procedures and policies of the National Environmental Policy Act (NEPA) and other applicable environmental laws, regulations, and Executive Orders prior to issuing a launch site license. An applicant must provide the FAA with information needed to comply with such requirements. The FAA will E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules consider and document the potential environmental effects associated with issuing a launch site license. (1) Environmental Impact Statement or Environmental Assessment. An applicant must— (i) Prepare an Environmental Assessment with FAA oversight; (ii) Assume financial responsibility for preparation of an Environmental Impact Statement by an FAA-selected and -managed consultant contractor; or (iii) Submit a written re-evaluation of a previously submitted Environmental Assessment or Environmental Impact Statement when requested by the FAA. (2) Categorical exclusion. An applicant may request a categorical exclusion determination from the FAA by submitting the request and supporting rationale. (3) Environmental information. An application must include an approved FAA Environmental Assessment, Environmental Impact Statement, categorical exclusion determination, or written re-evaluation covering all planned licensed activities in compliance with NEPA and the Council on Environmental Quality Regulations for Implementing the Procedural Provisions of NEPA. * * * * * ■ 20. Revise § 420.51 to read as follows: § 420.51 Responsibilities—general. A licensee must operate its launch site in accordance with the representations in its application. ■ 21. Amend § 420.57 by revising paragraph (d) to read as follows: § 420.57 Notifications. * * * * * (d) At least 2 days prior to flight of a launch vehicle, unless the Administrator agrees to a different time frame in accordance with § 404.15 of this chapter, the licensee must notify local officials and all owners of land adjacent to the launch site of the flight schedule. ■ 22. Revise § 420.59 to read as follows: amozie on DSK9F9SC42PROD with PROPOSALS2 § 420.59 Mishap plan. (a) A licensee must submit a mishap response plan that meets the requirements of § 450.173 of this chapter. (b) A launch site operator’s mishap plan must also contain— (1) Procedures for participating in an investigation of a launch mishap for launches launched from the launch site; and (2) Require the licensee to cooperate with FAA or National Transportation Safety Board (NTSB) investigations of a mishap for launches launched from the launch site. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 (c) Emergency response and investigation procedures developed in accordance with 29 CFR 1910.119 and 40 CFR part 68 will satisfy the requirements of § 450.173(d) and (e) to the extent that they include the elements required by § 450.173(d) and (e). PART 435 [REMOVED AND RESERVED] ■ 23. Remove and reserve part 431. PART 433—LICENSE TO OPERATE A REENTRY SITE 24. The authority citation for part 433 continues to read as follows: ■ Authority: 51 U.S.C. 50901–50923. ■ 25. Revise § 433.7 to read as follows: § 433.7 Environmental. (a) General. The FAA is responsible for complying with the procedures and policies of the National Environmental Policy Act (NEPA) and other applicable environmental laws, regulations, and Executive Orders prior to issuing a reentry site license. An applicant must provide the FAA with information needed to comply with such requirements. The FAA will consider and document the potential environmental effects associated with issuing a license for a reentry site. (b) Environmental Impact Statement or Environmental Assessment. An applicant must— (1) Prepare an Environmental Assessment with FAA oversight; (2) Assume financial responsibility for preparation of an Environmental Impact Statement by an FAA-selected and -managed consultant contractor; or (3) Submit a written re-evaluation of a previously submitted Environmental Assessment or Environmental Impact Statement when requested by the FAA. (c) Categorical exclusion. An applicant may request a categorical exclusion determination from the FAA by submitting the request and supporting rationale. (d) Environmental information. An application must include an approved FAA Environmental Assessment, Environmental Impact Statement, categorical exclusion determination, or written re-evaluation covering all planned licensed activities in compliance with NEPA and the Council on Environmental Quality Regulations for Implementing the Procedural Provisions of NEPA. § 433.9 ■ [Removed and Reserved] 26. Remove and reserve § 433.9. PO 00000 Frm 00127 Fmt 4701 Sfmt 4702 27. Remove and reserve part 435. PART 437—EXPERIMENTAL PERMITS 28. The authority citation for part 437 continues to read as follows: ■ Authority: 51 U.S.C. 50901–50923. PART 431 [REMOVE AND RESERVE] ■ 15421 § 437.3 [Amended] 29. Amend § 437.3 by removing the definition for ‘‘Anomaly.’’ ■ 30. Amend § 437.21 by revising paragraphs (b) and (c) to read as follows: ■ § 437.21 General. * * * * * (b) Other regulations—(1) Environmental—(i) General. The FAA is responsible for complying with the procedures and policies of the National Environmental Policy Act (NEPA) and other applicable environmental laws, regulations, and Executive Orders to consider and document the potential environmental effects associated with proposed reusable suborbital rocket launches or reentries. An applicant must provide the FAA with information needed to comply with such requirements. The FAA will consider and document the potential environmental effects associated with proposed reusable suborbital rocket launches or reentries. (ii) Environmental Impact Statement or Environmental Assessment. An applicant must— (A) Prepare an Environmental Assessment with FAA oversight; (B) Assume financial responsibility for preparation of an Environmental Impact Statement by an FAA-selected and -managed consultant contractor; or (C) Submit a written re-evaluation of a previously submitted Environmental Assessment or Environmental Impact Statement when requested by the FAA. (iii) Categorical exclusion. An applicant may request a categorical exclusion determination from the FAA by submitting the request and supporting rationale. (iv) Information requirements. An application must include an approved FAA Environmental Assessment, Environmental Impact Statement, categorical exclusion determination, or written re-evaluation covering all planned licensed activities in compliance with NEPA and the Council on Environmental Quality Regulations for Implementing the Procedural Provisions of NEPA. (2) Financial responsibility. An applicant must provide the information required by part 3 of appendix A of part 440 of this chapter for the FAA to E:\FR\FM\15APP2.SGM 15APP2 15422 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules conduct a maximum probable loss analysis. (3) Human space flight. An applicant proposing launch or reentry with flight crew or a space flight participant on board a reusable suborbital rocket must demonstrate compliance with §§ 460.5, 460.7, 460.11, 460.13, 460.15, 460.17, 460.51 and 460.53 of this subchapter. (c) Use of a safety element approval. If an applicant proposes to use any reusable suborbital rocket, safety system, process, service, or personnel for which the FAA has issued a safety element approval under part 414 of this chapter, the FAA will not reevaluate that safety element to the extent its use is within its approved envelope. As part of the application process, the FAA will evaluate the integration of that safety element into vehicle systems or operations. * * * * * ■ 31. Revise § 437.41 to read as follows: § 437.41 Mishap plan. An applicant must submit a mishap plan that meets the requirements of § 450.173 of this chapter. ■ 32. Revise § 437.65 to read as follows: § 437.65 Collision avoidance analysis. For a permitted flight with a planned maximum altitude greater than 150 kilometers, a permittee must obtain a collision avoidance analysis in accordance with § 450.169 of this chapter. § 437.75 [Removed and Reserved] 33. Remove and reserve § 437.75. 34. Amend § 437.89 by: a. Revising paragraph (a) introductory text; ■ b. In paragraphs (a)(1) through (3), removing the comma at the end of the paragraphs and adding a semicolon in its place; and ■ c. Revise paragraph (b). The revisions read as follows: ■ ■ ■ amozie on DSK9F9SC42PROD with PROPOSALS2 § 437.89 Pre-flight reporting. (a) Not later than 30 days before each flight or series of flights conducted under an experimental permit, unless the Administrator agrees to a different time frame in accordance with § 404.15 of this chapter, a permittee must provide the FAA with the following information: * * * * * (b) Not later than 15 days before each permitted flight planned to reach greater than 150 km altitude, unless the Administrator agrees to a different time frame in accordance with § 404.15, a of this chapter permittee must provide the FAA its planned trajectory for a collision avoidance analysis. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 PART 440—FINANCIAL RESPONSIBILITY 35. The authority citation for part 440 continues to read as follows: ■ Authority: 51 U.S.C. 50901–50923. 36. Amend § 440.3 by revising the definition for ‘‘Maximum probable loss’’ to read as follows: ■ § 440.3 Definitions. * * * * * Maximum probable loss (MPL) means the greatest dollar amount of loss for bodily injury or property damage that is reasonably expected to result from a licensed or permitted activity: (1) Losses to third parties, excluding Government personnel and other launch or reentry participants’ employees involved in licensed or permitted activities and neighboring operations personnel, that are reasonably expected to result from a licensed or permitted activity are those that have a probability of occurrence of no less than one in ten million. (2) Losses to Government property and Government personnel involved in licensed or permitted activities and neighboring operations personnel that are reasonably expected to result from licensed or permitted activities are those that have a probability of occurrence of no less than one in one hundred thousand. * * * * * ■ 37. Amend § 440.15 by revising paragraphs (a)(1) through (4) to read as follows: § 440.15 Demonstration of compliance. (a) * * * (1) All reciprocal waiver of claims agreements required under § 440.17(c) must be submitted at least 30 days before the start of any licensed or permitted activity involving a customer, crew member, or space flight participant; unless the Administrator agrees to a different time frame in accordance with § 404.15 of this chapter; (2) Evidence of insurance must be submitted at least 30 days before commencement of any licensed launch or permitted activity, and for licensed reentry no less than 30 days, before commencement of launch activities involving the reentry licensee, unless the Administrator agrees to a different time frame in accordance with § 404.15 of this chapter; (3) Evidence of financial responsibility in a form other than insurance, as provided under § 440.9(f) must be submitted at least 60 days before commencement of a licensed or PO 00000 Frm 00128 Fmt 4701 Sfmt 4702 permitted activity, unless the Administrator agrees to a different time frame in accordance with § 404.15 of this chapter; and (4) Evidence of renewal of insurance or other form of financial responsibility must be submitted at least 30 days in advance of its expiration date, unless the Administrator agrees to a different time frame in accordance with § 404.15 of this chapter. * * * * * ■ 38. Add part 450 to read as follows: PART 450—LAUNCH AND REENTRY LICENSE REQUIREMENTS Sec. Subpart A—General Information 450.1 Applicability. 450.3 Scope of a vehicle operator license. 450.5 Issuance of a vehicle operator license. 450.7 Duration of a vehicle operator license. 450.9 Additional license terms and conditions. 450.11 Transfer of a vehicle operator license. 450.13 Rights not conferred by a vehicle operator license. Subpart B—Requirements to Obtain a Vehicle Operator License 450.31 General. 450.33 Incremental review and determinations. 450.35 Accepted means of compliance. 450.37 Equivalent level of safety. 450.39 Use of safety element approval. 450.41 Policy review and approval. 450.43 Payload review and determination. 450.45 Safety review and approval. 450.47 Environmental review. Subpart C—Safety Requirements Public Safety Criteria 450.101 Public safety criteria. System Safety Program 450.103 System safety program. Preliminary Safety Assessment for Flight and Hazard Control Strategies 450.105 Preliminary safety assessment for flight. 450.107 Hazard control strategies. Flight Hazard Analyses for Hardware and Software 450.109 Flight hazard analysis. 450.111 Computing systems and software. Flight Safety Analyses 450.113 Flight safety analysis requirements—scope and applicability. 450.115 Flight safety analysis methods. 450.117 Trajectory analysis for normal flight. 450.119 Trajectory analysis for malfunction flight. 450.121 Debris analysis. 450.123 Flight safety limits analysis. 450.125 Gate analysis. 450.127 Data loss Flight time and planned safe flight state analyses. E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules 450.129 Time delay analysis. 450.131 Probability of failure analysis. 450.133 Flight hazard area analysis. 450.135 Debris risk analysis. 450.137 Far-field overpressure blast effects analysis. 450.139 Toxic hazards for flight. 450.141 Wind weighting for the flight of an unguided suborbital launch vehicle. Prescribed Hazard Controls 450.143 Safety-critical system design, test, and documentation. 450.145 Flight safety system. 450.147 Agreements. 450.149 Safety-critical personnel qualifications. 450.151 Work shift and rest requirements. 450.153 Radio frequency management. 450.155 Readiness. 450.157 Communications. 450.159 Preflight procedures. 450.161 Surveillance and publication of hazard areas. 450.163 Lightning hazard mitigation. 450.165 Flight safety rules. 450.167 Tracking. 450.169 Launch and reentry collision avoidance analysis requirements. 450.171 Safety at end of launch. 450.173 Mishap plan—reporting, response, and investigation requirements. 450.175 Test-induced damage. 450.177 Unique Policies, requirements, and practices. Ground Safety 450.179 Ground safety—general. 450.181 Coordination with a site operator. 450.183 Explosive site plan. 450.185 Ground hazard analysis. 450.187 Toxic hazards mitigation for ground operations. 450.189 Ground safety prescribed hazard controls. Subpart D—Terms and Conditions of a Vehicle Operator License. 450.201 Public safety responsibility. 450.203 Compliance with license. 450.205 Financial responsibility requirements. 450.207 Human Spaceflight Requirements. 450.209 Compliance monitoring. 450.211 Continuing accuracy of license application; application for modification of license. 450.213 Preflight reporting. 450.215 Post-flight reporting. 450.217 Registration of space objects. 450.219 Records. Appendix A to Part 450—Collision Analysis Worksheet Authority: 51 U.S.C. 50901–50923. amozie on DSK9F9SC42PROD with PROPOSALS2 Subpart A—General Information § 450.1 Applicability. (a) General. This part prescribes requirements for obtaining and maintaining a license to launch, reenter, or both launch and reenter, a launch or reentry vehicle. (b) Grandfathering. Except for §§ 450.169 and 450.101(a)(4) and (b)(4), VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 this part does not apply to any launch or reentry that an operator elects to conduct pursuant to a license issued by the FAA or an application accepted by the FAA no later than [EFFECTIVE DATE OF FINAL RULE]. The Administrator will determine the applicability of this part to an application for a license modification submitted after [EFFECTIVE DATE OF FINAL RULE] on a case-by-case basis. § 450.3 Scope of a vehicle operator license. (a) A vehicle operator license authorizes a licensee to conduct one or more launches or reentries using the same vehicle or family of vehicles. A vehicle operator license identifies the scope of authorization as defined in paragraphs (b) and (c) of this section or as agreed to by the Administrator. (b) A vehicle operator license authorizes launch, which includes the flight of a launch vehicle and pre- and post-flight ground operations as follows: (1) Launch begins when hazardous preflight ground operations commence at a U.S. launch site that pose a threat to the public. Unless a later point is agreed to by the Administrator, hazardous preflight ground operations commence when a launch vehicle or its major components arrive at a U.S. launch site. (2) At a non-U.S. launch site, launch begins at ignition or at the first movement that initiates flight, whichever occurs earlier. (3) Launch ends when any of the following events occur: (i) For an orbital launch of a vehicle without a reentry of the vehicle, launch ends after the licensee’s last exercise of control over its vehicle on orbit, after vehicle stage impact on Earth, after activities necessary to return the vehicle or stage to a safe condition on the ground after landing, or after activities necessary to return the site to a safe condition, whichever occurs later; (ii) For an orbital launch of a vehicle with a reentry of the vehicle, launch ends after deployment of all payloads, upon completion of the vehicle’s first steady-state orbit if there is no payload, or after activities necessary to return the site to a safe condition, whichever occurs later; (iii) For a suborbital launch that includes a reentry, launch ends after reaching apogee; or (iv) For a suborbital launch that does not include a reentry, launch ends after the vehicle or vehicle component impact on Earth, after activities necessary to return the vehicle or vehicle component to a safe condition on the ground after landing, or after PO 00000 Frm 00129 Fmt 4701 Sfmt 4702 15423 activities necessary to return the site to a safe condition, whichever occurs later. (c) A vehicle operator’s license authorizes reentry, which includes activities conducted in Earth orbit or outer space to determine reentry readiness and that are critical to ensuring public health and safety and the safety of property during reentry flight. Reentry also includes activities necessary to return the reentry vehicle to a safe condition on the ground after landing. § 450.5 Issuance of a vehicle operator license. (a) The FAA issues a vehicle operator license to an applicant who has obtained all approvals and determinations required under this part for a license. (b) A vehicle operator license authorizes a licensee to conduct launches or reentries, in accordance with the representations contained in the licensee’s application, with subparts C and D of this part, and subject to the licensee’s compliance with terms and conditions contained in license orders accompanying the license, including financial responsibility requirements. § 450.7 Duration of a vehicle operator license. A vehicle operator license is valid for the period of time determined by the Administrator as necessary to conduct the licensed activity but may not exceed 5 years from the issuance date. § 450.9 Additional license terms and conditions. The FAA may modify a vehicle operator license at any time by modifying or adding license terms and conditions to ensure compliance with the Act (as defined in § 401.5 of this chapter) and its implementing regulations in this chapter. § 450.11 license. Transfer of a vehicle operator (a) Only the FAA may transfer a vehicle operator license. (b) An applicant for transfer of a vehicle operator license must submit a license application in accordance with part 413 of this chapter and must meet the requirements of part 450 of this chapter. The FAA will transfer a license to an applicant that has obtained all of the approvals and determinations required under this part for a license. In conducting its reviews and issuing approvals and determinations, the FAA may incorporate by reference any findings made part of the record to support the initial licensing determination. The FAA may modify a E:\FR\FM\15APP2.SGM 15APP2 15424 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules license to reflect any changes necessary as a result of a license transfer. § 450.13 Rights not conferred by a vehicle operator license. Issuance of a vehicle operator license does not relieve a licensee of its obligation to comply with all applicable requirements of law or regulation that may apply to its activities, nor does issuance confer any proprietary, property or exclusive right in the use of any Federal launch range or related facilities, airspace, or outer space. Subpart B—Requirements to Obtain a Vehicle Operator License § 450.31 General. (a) To obtain a vehicle operator license, an applicant must— (1) Submit a license application in accordance with the procedures in part 413 of this chapter; (2) Obtain a policy approval from the Administrator in accordance with § 450.41; (3) Obtain a favorable payload determination from the Administrator in accordance with § 450.43; (4) Obtain a safety approval from the Administrator in accordance with § 450.45; (5) Satisfy the environmental review requirements of § 450.47; and (6) Provide the information required by appendix A of part 440 of this chapter for the Administrator to conduct a maximum probable loss analysis for the applicable licensed operation. (b) An applicant may apply for the approvals and determinations in paragraphs (a)(2) through (6) of this section separately or all together in one complete application, using the application procedures contained in part 413 of this chapter. (c) An applicant may also apply for a safety approval in an incremental manner, in accordance with § 450.33. (d) An applicant may reference materials previously provided as part of a license application in order to meet the application requirements of this part. amozie on DSK9F9SC42PROD with PROPOSALS2 § 450.33 Incremental review and determinations. An applicant may submit its application for a safety review incrementally using an approach approved by the Administrator. (a) An applicant must identify to the Administrator, prior to submitting an application, whether it will submit an incremental application for any approval or determination. (b) An applicant using an incremental approach must have the approach VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 approved by the Administrator prior to submitting an application. (c) The Administrator may make incremental determinations as part of this review process. § 450.35 Accepted means of compliance. (a) An applicant must demonstrate compliance with applicable sections of this part using a means of compliance accepted by the Administrator. These applicable sections specify that only an accepted means of compliance can be used to demonstrate compliance. (b) The FAA will provide public notice of each means of compliance that the Administrator has accepted. (c) An applicant requesting acceptance of an alternative means of compliance must submit the alternative means of compliance to the FAA in a form and manner acceptable to the Administrator. § 450.37 Equivalent level of safety. (a) An applicant must demonstrate compliance with each requirement of this part, unless the applicant clearly and convincingly demonstrates that an alternative approach provides an equivalent level of safety to the requirement of this part. (b) Paragraph (a) of this section does not apply to the requirements of § 450.101. § 450.39 Use of safety element approval. If an applicant proposes to use any vehicle, safety system, process, service, or personnel for which the FAA has issued a safety element approval under part 414 of this chapter, the FAA will not reevaluate that safety element during a license application evaluation to the extent its use is within its approved envelope. § 450.41 Policy review and approval. (a) General. The FAA issues a policy approval to an applicant unless the FAA determines that a proposed launch or reentry would jeopardize U.S. national security or foreign policy interests, or international obligations of the United States. (b) Interagency consultation. (1) The FAA consults with the Department of Defense to determine whether a license application presents any issues affecting U.S. national security. (2) The FAA consults with the Department of State to determine whether a license application presents any issues affecting U.S. foreign policy interests or international obligations. (3) The FAA consults with other Federal agencies, including the National Aeronautics and Space Administration, authorized to address issues identified PO 00000 Frm 00130 Fmt 4701 Sfmt 4702 under paragraph (a) of this section, associated with an applicant’s proposal. (c) Issues during policy review. The FAA will advise an applicant, in writing, of any issue raised during a policy review that would impede issuance of a policy approval. The applicant may respond, in writing, or amend its license application as required by § 413.17 of this chapter. (d) Denial of policy approval. The FAA notifies an applicant, in writing, if it has denied policy approval for a license application. The notice states the reasons for the FAA’s determination. The applicant may respond in writing to the reasons for the determination and request reconsideration in accordance with § 413.21 of this chapter. (e) Application requirements for policy review. In its license application, an applicant must— (1) Identify the model, type, and configuration of any vehicle proposed for launch or reentry by the applicant; (2) Describe the vehicle by characteristics that include individual stages, their dimensions, type and amounts of all propellants, and maximum thrust; (3) Identify foreign ownership of the applicant as follows: (i) For a sole proprietorship or partnership, identify all foreign ownership; (ii) For a corporation, identify any foreign ownership interests of 10 percent or more; and (iii) For a joint venture, association, or other entity, identify any participating foreign entities; and (4) Identify proposed vehicle flight profile, including: (i) Launch or reentry site, including any contingency abort locations; (ii) Flight azimuths, trajectories, and associated ground tracks and instantaneous impact points for the duration of the licensed activity, including any contingency abort profiles; (iii) Sequence of planned events or maneuvers during flight; (iv) Normal impact or landing areas for all mission hardware; and (v) For each orbital mission, the range of intermediate and final orbits of each vehicle upper stage and their estimated orbital lifetimes. § 450.43 Payload review and determination. (a) General. The FAA issues a favorable payload determination for a launch or reentry to a license applicant or payload owner or operator if— (1) The applicant, payload owner, or payload operator has obtained all required licenses, authorizations, and permits; and E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules (2) Its launch or reentry would not jeopardize public health and safety, safety of property, U.S. national security or foreign policy interests, or international obligations of the United States. (b) Relationship to other executive agencies. The FAA does not make a determination under paragraph (a)(2) of this section for— (1) Those aspects of payloads that are subject to regulation by the Federal Communications Commission or the Department of Commerce; or (2) Payloads owned or operated by the U.S. Government. (c) Classes of payloads. The FAA may review and issue findings regarding a proposed class of payload, including communications, remote sensing, or navigation. However, prior to a launch or reentry, each payload is subject to verification by the FAA that its launch or reentry would not jeopardize public health and safety, safety of property, U.S. national security or foreign policy interests, or international obligations of the United States. (d) Payload owner or payload operator may apply. In addition to a launch or reentry operator, a payload owner or payload operator may request a payload review and determination. (e) Interagency consultation. The FAA consults with other agencies as follows: (1) The Department of Defense to determine whether launch or reentry of a proposed payload or payload class would present any issues affecting U.S. national security; (2) The Department of State to determine whether launch or reentry of a proposed payload or payload class would present any issues affecting U.S. foreign policy interests or international obligations; or (3) Other Federal agencies, including the National Aeronautics and Space Administration, authorized to address issues of public health and safety, safety of property, U.S. national security or foreign policy interests, or international obligations of the United States, associated with the launch or reentry of a proposed payload or payload class. (f) Issues during payload review. The FAA will advise a person requesting a payload determination, in writing, of any issue raised during a payload review that would impede issuance of a license to launch or reenter that payload or payload class. The person requesting payload review may respond, in writing, or amend its application as required by § 413.17 of this chapter. (g) Denial of a payload determination. The FAA notifies an applicant, in writing, if it has denied a favorable payload determination. The notice VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 states the reasons for the FAA’s determination. The applicant may respond in writing to the reasons for the determination and request reconsideration in accordance with § 413.21 of this chapter. (h) Incorporation of payload determination in license application. A favorable payload determination issued for a payload or class of payload may be included by a license applicant as part of its application. However, any change in information provided under paragraph (i) of this section must be reported in accordance with § 413.17 of this chapter. The FAA determines whether a favorable payload determination remains valid in light of reported changes and may conduct an additional payload review. (i) Application requirements. A person requesting review of a particular payload or payload class must identify the following: (1) For launch of a payload: (i) Payload name or class, and function; (ii) Description, including physical dimensions, weight, composition, and any hosted payloads; (iii) Payload owner and payload operator, if different from the person requesting payload review and determination, (iv) Any foreign ownership of the payload or payload operator, as specified in § 450.41(e)(3); (v) Hazardous materials as defined in § 401.5 of this chapter, radioactive materials, and the amounts of each; (vi) Explosive potential of payload materials, alone and in combination with other materials found on the payload; (vii) For orbital launches, parameters for parking, transfer and final orbits, and approximate transit times to final orbit; (viii) Delivery point in flight at which the payload will no longer be under the licensee’s control; (ix) Intended operations during the lifetime of the payload, including anticipated life span and any planned disposal; (x) Any encryption associated with data storage on the payload and transmissions to or from the payload; and (xi) Any other information necessary to make a determination based on public health and safety, safety of property, U.S. national security or foreign policy interests, or international obligations of the United States; or (2) For reentry of a payload: (i) Payload name or class and function; (ii) Physical characteristics, dimensions, and weight of the payload; PO 00000 Frm 00131 Fmt 4701 Sfmt 4702 15425 (iii) Payload owner and payload operator, if different from the person requesting the payload review and determination; (iv) Type, amount, and container of hazardous materials and radioactive materials in the payload; (v) Explosive potential of payload materials, alone and in combination with other materials found on the payload or reentry vehicle during reentry; and (vi) Designated reentry site. § 450.45 Safety review and approval. (a) General. The FAA issues a safety approval to an applicant if it determines that an applicant can conduct launch or reentry without jeopardizing public health and safety and safety of property. A license applicant must satisfy the application requirements in this section and subpart C of this part. (b) Services or property provided by a Federal launch range. The FAA will accept any safety-related launch or reentry service or property provided by a Federal launch range or other Federal entity by contract, as long as the FAA determines that the launch or reentry services or property provided satisfy this part. (c) Issues during safety review. The FAA will advise an applicant, in writing, of any issues raised during a safety review that would impede issuance of a safety approval. The applicant may respond, in writing, or amend its license application as required by § 413.17 of this chapter. (d) Denial of a safety approval. The FAA notifies an applicant, in writing, if it has denied a safety approval for a license application. The notice states the reasons for the FAA’s determination. The applicant may respond in writing to the reasons for the determination and request reconsideration in accordance with § 413.21 of this chapter. (e) Application requirements. An applicant must submit the application requirements information in subpart C of this part, as well as the following: (1) General. An application must— (i) Contain a glossary of unique terms and acronyms used in alphabetical order; (ii) Contain a listing of all referenced material; (iii) Use equations and mathematical relationships derived from or referenced to a recognized standard or text, and define all algebraic parameters; (iv) Include the units of all numerical values provided; and (v) Include a legend or key that identifies all symbols used for any schematic diagrams. (2) Site description. An applicant must identify the proposed launch or E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15426 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules reentry site, including contingency abort locations, and submit the following: (i) Boundaries of the site; (ii) Launch or landing point locations, including latitude and longitude; (iii) Identity of any site operator; and (iv) Identity of any facilities at the site that will be used for pre- or post-flight ground operations. (3) Vehicle description. An applicant must submit the following: (i) A written description of the vehicle or family of vehicles, including structural, thermal, pneumatic, propulsion, electrical, and avionics and guidance systems used in each vehicle, and all propellants. The description must include a table specifying the type and quantities of all hazardous materials on each vehicle and must include propellants, explosives, and toxic materials; and (ii) A drawing of each vehicle that identifies: (A) Each stage, including strap-on motors; (B) Physical dimensions and weight; (C) Location of all safety-critical systems; (D) Location of all major vehicle control systems, propulsion systems, pressure vessels, and any other hardware that contains potential hazardous energy or hazardous material; and (E) For an unguided suborbital launch vehicle, the location of the rocket’s center of pressure in relation to its center of gravity for the entire flight profile. (4) Mission schedule. An applicant must submit a generic launch or reentry processing schedule that identifies any readiness activities, such as reviews and rehearsals, and each safety-critical preflight operation to be conducted. The mission schedule must also identify day of flight activities. (5) Human space flight. For a proposed launch or reentry with a human being on board a vehicle, an applicant must demonstrate compliance with §§ 460.5, 460.7, 460.11, 460.13, 460.15, 460.17, 460.51, and 460.53 of this chapter. (6) Radionuclides. The FAA will evaluate the launch or reentry of any radionuclide on a case-by-case basis, and issue an approval if the FAA finds that the launch or reentry is consistent with public health and safety, safety of property, and national security and foreign policy interests of the United States. For any radionuclide on a launch or reentry vehicle, an applicant must— (i) Identify the type and quantity; (ii) Include a reference list of all documentation addressing the safety of its intended use; and VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 (iii) Describe all approvals by the Nuclear Regulatory Commission for preflight ground operations. (7) Additional material. The FAA may also request— (i) Any information incorporated by reference in the license application; and (ii) Additional products that allow the FAA to conduct an independent safety analysis. § 450.47 Environmental review. (a) General. The FAA is responsible for complying with the procedures and policies of the National Environmental Policy Act (NEPA) and other applicable environmental laws, regulations, and Executive Orders prior to issuing a launch or reentry license. An applicant must provide the FAA with information needed to comply with such requirements. The FAA will consider and document the potential environmental effects associated with issuing a launch or reentry license consistent with paragraph (b) of this section. (b) Environmental Impact Statement or Environmental Assessment. An applicant must— (1) Prepare an Environmental Assessment with FAA oversight; (2) Assume financial responsibility for preparation of an Environmental Impact Statement by an FAA-selected and -managed consultant contractor; or (3) Submit a written re-evaluation of a previously submitted Environmental Assessment or Environmental Impact Statement when requested by the FAA. (c) Categorical exclusion. An applicant may request a categorical exclusion determination from the FAA by submitting the request and supporting rationale. (d) Application requirements. An application must include an approved FAA Environmental Assessment, Environmental Impact Statement, categorical exclusion determination, or written re-evaluation, which should address compliance with any other applicable environmental laws, regulations, and Executive Orders covering all planned licensed activities in compliance with NEPA and the Council on Environmental Quality Regulations for Implementing the Procedural Provisions of NEPA. Subpart C—Safety Requirements Public Safety Criteria § 450.101 Public safety criteria. (a) Launch risk criteria. An operator may initiate the flight of a launch vehicle only if all risks to the public satisfy the criteria in paragraphs (a)(1) through (4) of this section. The PO 00000 Frm 00132 Fmt 4701 Sfmt 4702 following criteria apply to each launch from liftoff through orbital insertion for an orbital launch, and through final impact or landing for a suborbital launch: (1) Collective risk. The collective risk, measured as expected number of casualties (EC), consists of risk posed by impacting inert and explosive debris, toxic release, and far field blast overpressure. The FAA will determine whether to approve public risk due to any other hazard associated with the proposed flight of a launch vehicle on a case-by-case basis. (i) The risk to all members of the public, excluding persons in aircraft and neighboring operations personnel, must not exceed an expected number of 1 × 10¥4 casualties. (ii) The risk to all neighboring operations personnel must not exceed an expected number of 2 × 10¥4 casualties. (2) Individual risk. The individual risk, measured as probability of casualty (PC), consists of risk posed by impacting inert and explosive debris, toxic release, and far field blast overpressure. The FAA will determine whether to approve public risk due to any other hazard associated with the proposed flight of a launch vehicle on a case-by-case basis. (i) The risk to any individual member of the public, excluding neighboring operations personnel, must not exceed a probability of casualty of 1 × 10¥6 per launch. (ii) The risk to any individual neighboring operations personnel must not exceed a probability of casualty of 1 × 10¥5 per launch. (3) Aircraft risk. A launch operator must establish any aircraft hazard areas necessary to ensure the probability of impact with debris capable of causing a casualty for aircraft does not exceed 1 × 10¥6. (4) Risk to critical assets. The probability of loss of functionality for each critical asset must not exceed 1 × 10¥3, or a more stringent probability if the FAA determines, in consultation with relevant Federal agencies, it is necessary to protect the national security interests of the United States. (b) Reentry risk criteria. An operator may initiate the deorbit of a vehicle only if all risks to the public satisfy the criteria in paragraphs (b)(1) through (4) of this section. The following criteria apply to each reentry, from the final health check prior to the deorbit burn through final impact or landing: (1) Collective risk. The collective risk, measured as expected number of casualties (EC), consists of risk posed by impacting inert and explosive debris, toxic release, and far field blast E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules overpressure. The FAA will determine whether to approve public risk due to any other hazard associated with the proposed deorbit of a reentry vehicle on a case-by-case basis. (i) The risk to all members of the public, excluding persons in aircraft and neighboring operations personnel, must not exceed an expected number of 1 × 10¥4 casualties. (ii) The risk to all neighboring operations personnel must not exceed an expected number of 2 × 10¥4 casualties. (2) Individual risk. The individual risk, measured as probability of casualty (PC), consists of risk posed by impacting inert and explosive debris, toxic release, and far field blast overpressure. The FAA will determine whether to approve public risk due to any other hazard associated with the proposed flight of a launch vehicle on a case-by-case basis. (i) The risk to any individual member of the public, excluding neighboring operations personnel, must not exceed a probability of casualty of 1 × 10¥6 per reentry. (ii) The risk to any individual neighboring operations personnel must not exceed a probability of casualty of 1 × 10¥5 per reentry. (3) Aircraft risk. A reentry operator must establish any aircraft hazard areas necessary to ensure the probability of impact with debris capable of causing a casualty for aircraft does not exceed 1 × 10¥6. (4) Risk to critical assets. The probability of loss of functionality for each critical asset must not exceed 1 × 10¥3, or a more stringent probability if the FAA determines, in consultation with relevant Federal agencies, it is necessary to protect the national security interests of the United States. (c) Flight abort. An operator must use flight abort with a flight safety system that meets the requirements of § 450.145 as a hazard control strategy if the consequence of any reasonably foreseeable vehicle response mode, in any one-second period of flight, is greater than 1 × 10¥3 conditional expected casualties for uncontrolled areas. This requirement applies to all phases of flight, unless otherwise agreed to by the Administrator based on the demonstrated reliability of the launch or reentry vehicle during that phase of flight. (d) Disposal safety criteria. A launch operator must ensure that any disposal meets the criteria of paragraphs (b)(1), (2), and (3) of this section, or targets a broad ocean area. (e) Protection of people and property on-orbit. (1) A launch or reentry operator must prevent the collision VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 between a launch or reentry vehicle stage or component and people or property on-orbit, in accordance with the requirements in § 450.169(a). (2) For any launch vehicle stage or component that reaches Earth orbit, a launch operator must prevent the creation of debris through the conversion of energy sources into energy that fragments the stage or component, in accordance with the requirements in § 450.171. (f) Notification of planned impacts. For any launch, reentry, or disposal, an operator must notify the public of any region of land, sea, or air that contain, with 97 percent probability of containment, all debris resulting from normal flight events capable of causing a casualty. (g) Validity of the analysis. For any analysis used to demonstrate compliance with this section, an operator must use accurate data and scientific principles and be statistically valid. The method must produce results consistent with or more conservative than the results available from previous mishaps, tests, or other valid benchmarks, such as higher-fidelity methods. System Safety Program § 450.103 System safety program. An operator must implement and document a system safety program throughout the operational lifecycle of a launch or reentry system that includes the following: (a) Safety organization. An operator must maintain and document a safety organization that has clearly defined lines of communication and approval authority for all public safety decisions. At a minimum, the safety organization must have the following positions: (1) Mission director. For each launch or reentry, an operator must designate a position responsible for the safe conduct of all licensed activities and authorized to provide final approval to proceed with licensed activities. This position is referred to as the mission director in this part. (2) Safety official. For each launch or reentry, an operator must designate a position with direct access to the mission director that is— (i) Responsible for communicating potential safety and noncompliance issues to the mission director; and (ii) Authorized to examine all aspects of the operator’s ground and flight safety operations, and to independently monitor compliance with the operator’s safety policies, safety procedures, and licensing requirements. (3) Addressing safety concerns. The mission director must ensure that all of PO 00000 Frm 00133 Fmt 4701 Sfmt 4702 15427 the safety official’s concerns are addressed. (b) Procedures. An operator must establish procedures to evaluate the operational lifecycle of the launch or reentry system: (1) An operator must conduct a preliminary safety assessment as required by § 450.105, and the system safety program must include: (i) Methods to review and assess the validity of the preliminary safety assessment throughout the operational lifecycle of the launch or reentry system; (ii) Methods for updating the preliminary safety assessment; and (iii) Methods for communicating and implementing the updates throughout the organization. (2) For operators that must conduct a flight hazard analysis as required by § 450.109, the system safety program must include: (i) Methods to review and assess the validity of the flight hazard analysis throughout the operational lifecycle of the launch or reentry system; (ii) Methods for updating the flight hazard analysis; (iii) Methods for communicating and implementing the updates throughout the organization; and (iv) A process for tracking hazards, risks, mitigation and hazard control measures, and verification activities. (c) Configuration management and control. An operator must— (1) Employ a process that tracks configurations of all safety-critical systems and documentation related to the operation; (2) Ensure the use of correct and appropriate versions of systems and documentation tracked in paragraph (c)(1) of this section; and (3) Maintain records of launch or reentry system configurations and document versions used for each licensed activity, as required by § 450.219. (d) Post-flight data review. An operator must employ a process for evaluating post-flight data to— (1) Ensure consistency between the assumptions used for the preliminary safety assessment, any hazard or flight safety analysis, and associated mitigation and hazard control measures; (2) Resolve any identified inconsistencies prior to the next flight of the vehicle; (3) Identify any anomaly that may impact any flight hazard analysis, flight safety analysis, or safety critical system, or is otherwise material to public health and safety and the safety of property; and (4) Address any anomaly identified in paragraph (d)(3) of this section prior to E:\FR\FM\15APP2.SGM 15APP2 15428 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules the next flight, including updates to any flight hazard analysis, flight safety analysis, or safety critical system. (e) Application requirements. An applicant must submit in its application the following: (1) A description of the applicant’s safety organization as required by paragraph (a) of this section, identifying the applicant’s lines of communication and approval authority, both internally and externally, for all public safety decisions and the provision of public safety services; and (2) A summary of the processes and products identified in the system safety program requirements in paragraphs (b), (c), and (d) of this section. Preliminary Safety Assessment for Flight and Hazard Control Strategies § 450.105 for flight. Preliminary safety assessment amozie on DSK9F9SC42PROD with PROPOSALS2 (a) Preliminary safety assessment. An operator must conduct and document a preliminary safety assessment for the flight of a launch or reentry vehicle that identifies— (1) Vehicle response modes; (2) Public safety hazards associated with vehicle response modes, including impacting inert and explosive debris, toxic release, and far field blast overpressure; (3) Geographical areas where vehicle response modes could jeopardize public safety; (4) Any population exposed to public safety hazards in or near the identified geographical areas; (5) The CEC, unless otherwise agreed to by the Administrator based on the demonstrated reliability of the launch or reentry vehicle during any phase of flight; (6) A preliminary hazard list which documents all hardware, operational, and design causes of vehicle response modes that, excluding mitigation, have the capability to create a hazard to the public; (7) Safety-critical systems; and (8) A timeline of all safety-critical events. (b) Application requirements. An applicant must submit the result of the preliminary safety assessment, including all of the items identified in paragraph (a) of this section. § 450.107 Hazard control strategies. (a) General. For each phase of a launch or reentry vehicle’s flight— (1) If the public safety hazards identified in the preliminary safety assessment can be mitigated adequately to meet the requirements of § 450.101 using physical containment, wind weighting, or flight abort, in accordance VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 with paragraphs (b), (c), and (d) of this section, an operator does not need to conduct a flight hazard analysis for that phase of flight. (2) If the public safety hazards identified in the preliminary safety assessment cannot be mitigated adequately to meet the public risk criteria of § 450.101 using physical containment, wind weighting, or flight abort, in accordance with paragraphs (b), (c), and (d) of this section, an operator must conduct a flight hazard analysis in accordance with § 450.109 to derive hazard controls for that phase of flight. (b) Physical containment. To use physical containment as a hazard control strategy, an operator must— (1) Ensure that the launch vehicle does not have sufficient energy for any hazards associated with its flight to reach outside the flight hazard area developed in accordance with § 450.133; and (2) Apply other mitigation measures to ensure no public exposure to hazards as agreed to by the Administrator on a case-by-case basis. (c) Wind weighting. To use wind weighting as a hazard control strategy— (1) The launch vehicle must be a suborbital rocket that does not contain any guidance or directional control system; and (2) An operator must conduct the launch using a wind weighting safety system in accordance with § 450.141. (d) Flight abort. To use flight abort as a hazard control strategy an operator must employ a flight safety system, or other safeguards agreed to by the Administrator, that meets the requirements of § 450.145. (e) Application requirement. An applicant must— (1) Describe its hazard control strategy for each phase of flight; and (2) If using physical containment as a hazard control strategy— (i) Demonstrate that the launch vehicle does not have sufficient energy for any hazards associated with its flight to reach outside the flight hazard area developed in accordance with § 450.133; and (ii) Describe the methods used to ensure that flight hazard areas are cleared of the public and critical assets. Flight Hazard Analyses for Hardware and Software § 450.109 Flight hazard analysis. Unless an operator uses physical containment, wind weighting, or flight abort as a hazard control strategy, an operator must perform and document a flight hazard analysis, and continue to PO 00000 Frm 00134 Fmt 4701 Sfmt 4702 maintain it throughout the lifecycle of the launch or reentry system. Hazards associated with computing systems and software are further addressed in § 450.111. (a) Flight hazard analysis. A flight hazard analysis must identify, describe, and analyze all reasonably foreseeable hazards to public safety and safety of property resulting from the flight of a launch or reentry vehicle. Each flight hazard analysis must— (1) Identify all reasonably foreseeable hazards, and the corresponding vehicle response mode for each hazard, associated with the launch or reentry system relevant to public safety and safety of property, including those resulting from: (i) Vehicle operation, including staging and release; (ii) System, subsystem, and component failures or faults; (iii) Software operations; (iv) Environmental conditions; (v) Human factors; (vi) Design inadequacies; (vii) Procedure deficiencies; (viii) Functional and physical interfaces between subsystems, including any vehicle payload; (ix) Reuse of components or systems; and (x) Interactions of any of the items in paragraphs (a)(1)(i) through (ix) of this section. (2) Assess each hazard’s likelihood and severity. (3) Ensure that the risk associated with each hazard meets the following criteria: (i) The likelihood of any hazardous condition that may cause death or serious injury to the public must be extremely remote; and (ii) The likelihood of any hazardous condition that may cause major damage to public property or critical assets must be remote. (4) Identify and describe the risk elimination and mitigation measures required to satisfy paragraph (a)(3) of this section. (5) Demonstrate that the risk elimination and mitigation measures achieve the risk levels of paragraph (a)(3) of this section through validation and verification. Verification includes: (i) Analysis; (ii) Test; (iii) Demonstration; or (iv) Inspection. (b) Identification of new hazards. An operator must establish and document the criteria and techniques for identifying new hazards throughout the lifecycle of the launch or reentry system. (c) Completeness for each flight. For every launch or reentry, the flight E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules hazard analysis must be complete and all hazards must be mitigated to an acceptable level in accordance with paragraph (a)(3) of this section. (d) Updates throughout the lifecycle. An operator must continually update the flight hazard analysis throughout the operational lifecycle of the launch or reentry system. (e) Application requirements. An applicant must submit in its application the following: (1) Flight hazard analysis products of paragraphs (a)(1) through (5) of this section, including data that verifies the risk elimination and mitigation measures resulting from the applicant’s flight hazard analyses required by paragraph (a)(5) of this section; and (2) The criteria and techniques for identifying new hazards throughout the lifecycle of the launch or reentry system as required by paragraph (b) of this section. amozie on DSK9F9SC42PROD with PROPOSALS2 § 450.111 Computing systems and software. (a) General. An operator must implement and document a process that identifies the hazards and assesses the risks to public health and safety and the safety of property arising from computing systems and software. (b) Safety-critical functions. An operator must identify all safety-critical functions associated with its computing systems and software. Safety-critical computing system and software functions include the following: (1) Software used to control or monitor safety-critical systems; (2) Software that transmits safetycritical data, including time-critical data and data about hazardous conditions; (3) Software that computes safetycritical data; (4) Software that accesses or manages safety-critical data; (5) Software that displays safetycritical data; (6) Software used for fault detection in safety-critical computer hardware or software; (7) Software that responds to the detection of a safety-critical fault; (8) Software used in a flight safety system; (9) Processor-interrupt software associated with safety-critical computer system functions; and (10) Software used for wind weighting. (c) Consequence and the degree of control. Safety-critical functions must be identified by consequence and the degree of control exercised by the software component as defined by paragraphs (d) through (h) of this section. VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 (d) Autonomous software. This section applies to software that exercises autonomous control over safety-critical hardware systems, subsystems, or components, such that a control entity cannot detect and intervene to prevent a hazard that may impact public health and safety or the safety of property. Autonomous software must meet the following criteria: (1) The software component must be subjected to full path coverage testing. Any inaccessible code must be documented and addressed; (2) The software component’s functions must be tested on flight-like hardware. Testing must include nominal operation and fault responses for all functions; (3) An operator must conduct computing system and software hazard analyses for the integrated system and for each autonomous, safety-critical software component; (4) An operator must verify and validate any computing systems and software. Verification and validation must include testing by a test team independent of the software development division or organization; and (5) An operator must develop and implement software development plans, including descriptions of the following: (i) Coding standards used; (ii) Configuration control; (iii) Programmable logic controllers; (iv) Policy on use of any commercialoff-the-shelf software; and (v) Policy on software reuse. (e) Semi-autonomous software. This section applies to software that exercises control over safety-critical hardware systems, subsystems, or components, allowing time for predetermined safe detection and intervention by a control entity to detect and intervene to prevent a hazard that may impact public health and safety or the safety of property. Semi-autonomous software must meet the following criteria: (1) The software component’s safetycritical functions must be subjected to full path coverage testing. Any inaccessible code in a safety-critical function must be documented and addressed; (2) The software component’s safetycritical functions must be tested on flight-like hardware. Testing must include nominal operation and fault responses for all safety-critical functions; (3) An operator must conduct computing system and software hazard analyses for the integrated system; PO 00000 Frm 00135 Fmt 4701 Sfmt 4702 15429 (4) An operator must verify and validate any computing systems and software. Verification and validation must include testing by a test team independent of the software development division or organization; and (5) An operator must develop and implement software development plans, including descriptions of the following: (i) Coding standards used; (ii) Configuration control; (iii) Programmable logic controllers; (iv) Policy on use of any commercialoff-the-shelf software; and (v) Policy on software reuse. (f) Redundant fault-tolerant software. This section applies to software that exercises control over safety-critical hardware systems, subsystems, or components, for which a non-software component must also fail in order to impact public health and safety or the safety of property. Redundant faulttolerant software must meet the following criteria: (1) The software component’s safetycritical functions must be tested on flight-like hardware. Testing must include nominal operation and fault responses for all safety-critical functions; (2) An operator must conduct computing system and software hazard analyses for the integrated system; (3) An operator must verify and validate any computing systems and software. Verification and validation must include testing by a test team independent of the software development division or organization; and (4) An operator must develop and implement software development plans, including descriptions of the following: (i) Coding standards used; (ii) Configuration control; (iii) Programmable logic controllers; (iv) Policy on use of any commercialoff-the-shelf software; and (v) Policy on software reuse. (g) Influential software. This section applies to software that provides information to a person who uses the information to take actions or make decisions that can impact public health and safety or the safety of property, but does not require operator action to avoid a mishap. Influential software must meet the following criteria: (1) An operator must conduct computing system and software hazard analyses for the integrated system; (2) An operator must verify and validate any computing systems and software. Verification and validation must include testing by a test team independent of the software development division or organization; and E:\FR\FM\15APP2.SGM 15APP2 15430 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules (3) An operator must develop and implement software development plans, including descriptions of the following: (i) Coding standards used; (ii) Configuration control; (iii) Programmable logic controllers; (iv) Policy on use of any commercialoff-the-shelf software; and (v) Policy on software reuse. (h) Application requirements. An applicant must document and include in its application the following: (1) For autonomous software: (i) Test plans and results as required by paragraphs (d)(1) and (2) of this section; (ii) All software requirements, and design and architecture documentation; (iii) The outputs of the hazard analyses as required by paragraph (d)(3) of this section; and (iv) Computing system and software validation and verification plans as required by paragraph (d)(4) of this section. (2) For semi-autonomous software: (i) Test plans and results as required by paragraphs (e)(1) and (2) of this section; (ii) All software requirements, and design and architecture documentation; (iii) The outputs of the hazard analyses as required by paragraph (e)(3) of this section; and (iv) Computing system and software validation and verification plans as required by paragraph (e)(4) of this section. (3) For redundant fault-tolerant software: (i) Test plans and results as required by paragraph (f)(1) of this section; and (ii) All software requirements and design documents. (4) For influential software: (i) The software component’s development and testing; and (ii) The software component’s functionality. (5) For software that the applicant has determined to have no safety impact, the software component’s functionality must be described in detail. Flight Safety Analyses amozie on DSK9F9SC42PROD with PROPOSALS2 § 450.113 Flight safety analysis requirements—scope and applicability. (a) Scope. An operator must perform and document a flight safety analysis— (1) For orbital launch, from liftoff through orbital insertion, and any component or stage landings; (2) For suborbital launch, from liftoff through final impact; (3) For disposal, from the beginning of the deorbit burn through final impact; (4) For reentry, from the beginning of the deorbit burn through landing; and VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 (5) For hybrid vehicles, for all phases of flight, unless the Administrator determines otherwise based on demonstrated reliability. (b) Applicability. (1) Sections 450.115 through 450.121 and 450.131 through 450.139 apply to all launch and reentry vehicles; (2) Sections 450.123 through 450.129 apply to a launch or reentry vehicle that relies on flight abort to comply with § 450.101; and (3) Section 450.141 applies to the launch of an unguided suborbital launch vehicle. § 450.115 Flight safety analysis methods. (a) Scope of the analysis. An operator’s flight safety analysis method must account for all reasonably foreseeable events and failures of safetycritical systems during nominal and non-nominal launch or reentry that could jeopardize public health and safety, and the safety of property. (b) Level of fidelity of the analysis. An operator’s flight safety analysis method must have a level of fidelity sufficient to— (1) Demonstrate that any risk to the public satisfies the public safety criteria of § 450.101, including the use of mitigations, accounting for all known sources of uncertainty, using a means of compliance accepted by the Administrator; and (2) Identify the dominant source of each type of public risk with a criterion in § 450.101(a) or (b) in terms of phase of flight, source of hazard (such as toxic exposure, inert, or explosive debris), and vehicle response mode. (c) Application requirements. An applicant must submit a description of the flight safety analysis methodology, including identification of: (1) The scientific principles and statistical methods used; (2) All assumptions and their justifications; (3) The rationale for the level of fidelity; (4) The evidence for validation and verification required by § 450.101(g); (5) The extent that the benchmark conditions are comparable to the foreseeable conditions of the intended operations; and (6) The extent that risk mitigations were accounted for in the analyses. § 450.117 flight. Trajectory analysis for normal (a) General. A flight safety analysis must include a trajectory analysis that establishes— (1) For any phase of flight within the scope as provided by § 450.113(a), the limits of a launch or reentry vehicle’s PO 00000 Frm 00136 Fmt 4701 Sfmt 4702 normal flight as defined by the nominal trajectory, and the following sets of trajectories sufficient to characterize variability and uncertainty during normal flight: (i) A set of trajectories to characterize variability. This set must describe how the intended trajectory could vary due to conditions known prior to initiation of flight; and (ii) A set of trajectories to characterize uncertainty. This set must describe how the actual trajectory could differ from the intended trajectory due to random uncertainties. (2) A fuel exhaustion trajectory that produces instantaneous impact points with the greatest range for any given time after liftoff for any stage that has the potential to impact the Earth and does not burn to propellant depletion before a programmed thrust termination. (3) For vehicles with a flight safety system, trajectory data or parameters that describe the limits of a useful mission. (b) Trajectory model. A final trajectory analysis must use a six-degree of freedom trajectory model to satisfy the requirements of paragraph (a) of this section. (c) Wind effects. A trajectory analysis must account for all wind effects, including profiles of winds that are no less severe than the worst wind conditions under which flight might be attempted, and for uncertainty in the wind conditions. (d) Application requirements. An applicant must submit the following: (1) A description of the methodology used to characterize the vehicle’s flight behavior throughout normal flight and limits of a useful mission, including: (i) The scientific principles and statistical methods used; (ii) All assumptions and their justifications; (iii) The rationale for the level of fidelity, and (iv) The evidence for validation and verification required by § 450.101(g). (2) A description of the input data used to characterize the vehicle’s flight behavior throughout normal flight and limits of a useful mission, including: (i) The worst wind conditions under which flight might be attempted, and a description of how the operator will evaluate the wind conditions and uncertainty in the wind conditions prior to initiating the operation; (ii) A description of the wind input data, including uncertainties; (iii) A description of the parameters with a significant influence on the vehicle’s behavior throughout normal flight, including a quantitative description of the nominal value for E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules each significant parameter throughout normal flight; (iv) A description of the random uncertainties with a significant influence on the vehicle’s behavior throughout normal flight, including a quantitative description of the statistical distribution for each significant parameter; and (v) The primary mission objectives and the conditions that describe the limits of a useful mission. (3) Representative normal flight trajectory analysis outputs, including the position, velocity, and vacuum instantaneous impact point, for each second of flight for— (i) The nominal trajectory; (ii) A fuel exhaustion trajectory under otherwise nominal conditions; (iii) A set of trajectories that characterize variability in the intended trajectory based on conditions known prior to initiation of flight; (iv) A set of trajectories that characterize how the actual trajectory could differ from the intended trajectory due to random uncertainties, and (v) A set of trajectories that characterize the limits of a useful mission as described in paragraph (a)(3) of this section. (4) Additional products that allow an independent analysis, as requested by the Administrator. amozie on DSK9F9SC42PROD with PROPOSALS2 § 450.119 Trajectory analysis for malfunction flight. (a) General. A flight safety analysis must include a trajectory analysis that establishes— (1) The vehicle’s capability to depart from normal flight; and (2) The vehicle’s deviation capability in the event of a malfunction during flight. (b) Characterizing foreseeable trajectories. A malfunction trajectory analysis must account for each cause of a malfunction flight, including software and hardware failures. For each cause of a malfunction trajectory, the analysis must characterize the foreseeable trajectories resulting from a malfunction. The analysis must account for— (1) All trajectory times during the thrusting phases, or when the lift vector is controlled, during flight; (2) The duration, starting when a malfunction begins to cause each flight deviation throughout the thrusting phases of flight; (3) Trajectory time intervals between malfunction turn start times that are sufficient to establish flight safety limits, if any, and individual risk contours that are smooth and continuous; VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 (4) The relative probability of occurrence of each malfunction turn of which the vehicle is capable; (5) The probability distribution of position and velocity of the vehicle when each malfunction will terminate due to vehicle breakup, along with the cause of termination and the state of the vehicle; and (6) The vehicle’s flight behavior from the time when a malfunction begins to cause a flight deviation until ground impact or predicted structural failure, with trajectory time intervals that are sufficient to establish individual risk contours that are smooth and continuous. (c) Application requirements. An applicant must submit— (1) A description of the methodology used to characterize the vehicle’s flight behavior throughout malfunction flight, including: (i) The scientific principles and statistical methods used; (ii) All assumptions and their justifications; (iii) The rationale for the level of fidelity; and (iv) The evidence for validation and verification required by § 450.101(g). (2) A description of the input data used to characterize the vehicle’s malfunction flight behavior, including: (i) A list of each cause of malfunction flight considered; (ii) A list of each type of malfunction flight for which malfunction flight behavior was characterized; (iii) A description of the parameters with a significant influence on the vehicle’s behavior throughout malfunction flight for each type of malfunction flight characterized, including a quantitative description of the nominal value for each significant parameter throughout normal flight; and (iv) A description of the random uncertainties with a significant influence on the vehicle’s behavior throughout malfunction flight for each type of malfunction flight characterized, including a quantitative description of the statistical distribution for each significant parameter. (3) Representative malfunction flight trajectory analysis outputs, including the position, velocity, and vacuum instantaneous impact point for each second of flight for— (i) Each set of trajectories that characterizes a type of malfunction flight; and (ii) The probability of each trajectory that characterizes a type of malfunction flight. (4) Additional products that allow an independent analysis, as requested by the Administrator. PO 00000 Frm 00137 Fmt 4701 Sfmt 4702 § 450.121 15431 Debris analysis. (a) General. A flight safety analysis must include a debris analysis that characterizes the debris generated for each foreseeable vehicle response mode as a function of vehicle flight time, accounting for the effects of fuel burn and any configuration changes. (b) Vehicle impact or breakup. A debris analysis must account for each foreseeable cause of vehicle breakup, including any breakup caused by flight safety system activation, and for impact of an intact vehicle. (c) Debris thresholds. A debris analysis must account for all inert, explosive, and other hazardous vehicle, vehicle component, and payload debris foreseeable from normal and malfunctioning vehicle flight. At a minimum, the debris analysis must identify— (1) All inert debris that can cause a casualty or loss of functionality of a critical asset, including all debris that could— (i) Impact a human being with a mean expected kinetic energy at impact greater than or equal to 11 ft-lbs; (ii) Impact a human being with a mean impact kinetic energy per unit area at impact greater than or equal to 34 ft-lb/in2; (iii) Cause a casualty due to impact with an aircraft; (iv) Cause a casualty due to impact with a waterborne vessel; or (v) Pose a toxic or fire hazard. (2) Any explosive debris that could cause a casualty or loss of functionality of a critical asset. (d) Application requirements. An applicant must submit: (1) A description of the debris analysis methodology, including input data, assumptions, and justifications for the assumptions; (2) A description of all vehicle breakup modes and the development of debris lists; (3) All debris fragment lists necessary to quantitatively describe the physical, aerodynamic, and harmful characteristics of each debris fragment or fragment class; and (4) Additional products that allow an independent analysis, as requested by the Administrator. § 450.123 Flight safety limits analysis. (a) General. A flight safety analysis must identify the location of uncontrolled areas and establish flight safety limits that define when an operator must initiate flight abort to— (1) Ensure compliance with the public safety criteria of § 450.101; and (2) Prevent debris capable of causing a casualty from impacting in E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15432 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules uncontrolled areas if the vehicle is outside the limits of a useful mission. (b) Flight safety limits. The analysis must identify flight safety limits for use in establishing flight abort rules. The flight safety limits must— (1) Account for temporal and geometric extents on the Earth’s surface of any vehicle hazards resulting from any planned or unplanned event for all times during flight; (2) Account for potential contributions to the debris impact dispersions; and (3) Be designed to avoid flight abort that results in increased collective risk to people in uncontrolled areas, compared to continued flight. (c) Gates. For an orbital launch, or any launch or reentry where one or more trajectories that represents a useful mission intersects a flight safety limit that provides containment of debris capable of causing a casualty, the flight safety analysis must include a gate analysis as required by § 450.125. (d) Real-time flight safety limits. As an alternative to flight safety limits analysis, flight abort time can be computed and applied in real-time during vehicle flight as necessary to meet the criteria in § 450.101. (e) Application requirements. An applicant must submit: (1) A description of how each flight safety limit will be computed including references to public safety criteria of § 450.101; (2) Representative flight safety limits and associated parameters; (3) An indication of which flight abort rule from § 450.165(c) is used in conjunction with each example flight safety limit; (4) A graphic depiction or series of depictions of representative flight safety limits, the launch or landing point, all uncontrolled area boundaries, and vacuum instantaneous impact point traces for the nominal trajectory, extents of normal flight, and limits of a useful mission trajectories; (5) If the requirement for flight abort is computed in real-time in lieu of precomputing flight safety limits, a description of how the real-time flight abort requirement is computed including references to public safety criteria of § 450.101; and (6) Additional products that allow an independent analysis, as requested by the Administrator. § 450.125 Gate analysis. (a) Applicability. The flight safety analysis must include a gate analysis for an orbital launch or any launch or reentry where one or more trajectories that represent a useful mission intersect VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 a flight safety limit that provides containment of debris capable of causing a casualty. (b) Analysis requirements. The analysis must establish— (1) A relaxation of the flight safety limits that allows continued flight or a gate where a decision will be made to abort the launch or reentry, or allow continued flight; (2) If a gate is established, a measure of performance at the gate that enables the flight abort crew or autonomous flight safety system to determine whether the vehicle is able to complete a useful mission, and abort the flight if it is not; (3) Accompanying flight abort rules; and (4) For an orbital launch, a gate at the last opportunity to determine whether the vehicle’s flight is in compliance with the flight abort rules and can make a useful mission, and abort the flight if it is not. (c) Gate extents. The extents of any gate or relaxation of the flight safety limits must be based on normal trajectories, trajectories that may achieve a useful mission, collective risk, and consequence criteria as follows: (1) Flight safety limits must be gated or relaxed where they intersect with a normal trajectory if that trajectory would meet the individual and collective risk criteria of § 450.101(a)(1) and (2) or (b)(1) and (2) when treated like a nominal trajectory with normal trajectory dispersions. The predicted average consequence from flight abort resulting from any reasonable vehicle response mode, in any one-second period of flight, using the modified flight safety limits, must not exceed 1 × 10¥2 conditional expected casualties; (2) Flight safety limits may be gated or relaxed where they intersect with a trajectory within the limits of a useful mission if that trajectory would meet the individual and collective risk criteria of § 450.101(a)(1) and (2) or (b)(1) and (2) when treated like a nominal trajectory with normal trajectory dispersions. The predicted average consequence from flight abort resulting from any reasonable vehicle response mode, in any one-second period of flight, using the modified flight safety limits, must not exceed 1 × 10¥2 conditional expected casualties; and (3) For an orbital launch, in areas where no useful mission trajectories intersect with flight safety limits, the final gate may extend no further than necessary to allow vehicles on a useful mission to continue flight. (d) Application requirements. An applicant must submit: PO 00000 Frm 00138 Fmt 4701 Sfmt 4702 (1) A description of the methodology used to establish each gate or relaxation of a flight safety limit; (2) A description of the measure of performance used to determine whether a vehicle will be allowed to cross a gate without flight abort, the acceptable ranges of the measure of performance, and how these ranges were determined; (3) A graphic depiction or depictions showing representative flight safety limits, any uncontrolled area overflight regions, and instantaneous impact point traces for the nominal trajectory, extents of normal flight, and limits of a useful mission trajectories; and (4) Additional products that allow an independent analysis, as requested by the Administrator. § 450.127 Data loss flight time and planned safe flight state analyses. (a) General. For each flight, a flight safety analysis must establish data loss flight times and a planned safe flight state to establish each flight abort rule that applies when vehicle tracking data is not available for use by the flight abort crew or autonomous flight safety system. (b) Data loss flight times. (1) A flight safety analysis must establish a data loss flight time for each trajectory time interval along the nominal trajectory from initiation of the flight of a launch or reentry vehicle through that point during nominal flight when the minimum elapsed thrusting or gliding time is no greater than the time it would take for a normal vehicle to reach the final gate crossing, or the planned safe flight state established under paragraph (c) of this section, whichever occurs earlier. (2) Data loss flight times must account for forces that may stop the vehicle before reaching a flight safety limit. (3) Data loss flight times may be computed and applied in real-time during vehicle flight in which case the state vector just prior to loss of data should be used as the nominal state vector. (c) Planned safe flight state. For a vehicle that performs normally during all portions of flight, the planned safe flight state is the point during the nominal flight of a vehicle where— (1) The vehicle cannot reach a flight safety limit for the remainder of the flight; (2) The vehicle achieves orbital insertion; or (3) The vehicle’s state vector reaches a state where the vehicle is no longer required to have a flight safety system. (d) Application requirements. An applicant must submit: (1) A description of the methodology used to determine data loss flight times; E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules (2) Tabular data describing the data loss flight times from a representative mission; (3) The safe flight state for a representative mission and methodology used to determine it; and (4) Additional products that allow an independent analysis, as requested by the Administrator. § 450.129 Time delay analysis. (a) General. A flight safety analysis must include a time delay analysis that establishes the mean elapsed time between the violation of a flight abort rule and the time when the flight safety system is capable of aborting flight for use in establishing flight safety limits. The time delay analysis must determine a time delay distribution that accounts for all foreseeable sources of delay. (b) Application requirements. An applicant must submit: (1) A description of the methodology used in the time delay analysis; (2) A tabular listing of each time delay source and the total delay, with uncertainty; and (3) Additional products that allow an independent analysis, as requested by the Administrator. amozie on DSK9F9SC42PROD with PROPOSALS2 § 450.131 Probability of failure analysis. (a) General. For each hazard and phase of flight, a flight safety analysis for a launch or reentry must account for vehicle failure probability. The probability of failure must be consistent for all hazards and phases of flight. (1) For a vehicle or vehicle stage with fewer than two flights, the failure probability estimate must account for the outcome of all previous flights of vehicles developed and launched or reentered in similar circumstances. (2) For a vehicle or vehicle stage with two or more flights, vehicle failure probability estimates must account for the outcomes of all previous flights of the vehicle or vehicle stage in a statistically valid manner. The outcomes of all previous flights of the vehicle or vehicle stage must account for data on partial failures and anomalies, including Class 3 and Class 4 mishaps, as defined in § 401.5 of this chapter. (b) Failure. For flight safety analysis purposes, a failure occurs when a vehicle does not complete any phase of normal flight or when any anomalous condition exhibits the potential for a stage or its debris to impact the Earth or reenter the atmosphere outside the normal trajectory envelope during the mission or any future mission of similar vehicle capability. Also, a Class 1 or Class 2 mishap, as defined in § 401.5 of this chapter, constitutes a failure. (c) Previous flight. For flight safety analysis purposes— VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 (1) The flight of a launch vehicle begins at a time in which a launch vehicle normally or inadvertently lifts off from a launch platform; and (2) The flight of a reentry vehicle or deorbiting upper stage begins at a time in which a vehicle attempts to initiate a deorbit. (d) Allocation. The vehicle failure probability estimate must be distributed across flight time and vehicle response mode. The distribution must be consistent with— (1) The data available from all previous flights of vehicles developed and launched or reentered in similar circumstances; and (2) Data from previous flights of vehicles, stages, or components developed and launched or reentered by the subject vehicle developer or operator. Such data may include previous experience involving similar— (i) Vehicle, stage, or component design characteristics; (ii) Development and integration processes, including the extent of integrated system testing; and (iii) Level of experience of the vehicle operation and development team members. (e) Observed vs. conditional failure rate. Probability of failure allocation must account for significant differences in the observed failure rate and the conditional failure rate. A probability of failure analysis must use a constant conditional failure rate for each phase of flight, unless there is clear and convincing evidence of a different conditional failure rate for a particular vehicle, stage, or phase of flight. (f) Application requirements. An applicant must submit: (1) A description of the probability of failure analysis, including all assumptions and justifications for the assumptions, analysis methods, input data, and results; (2) A representative set of tabular data and graphs of the predicted failure rate and cumulative failure probability for each foreseeable vehicle response mode; and (3) Additional products that allow an independent analysis, as requested by the Administrator. § 450.133 Flight hazard area analysis. (a) General. A flight safety analysis must include a flight hazard area analysis that identifies any region of land, sea, or air that must be surveyed, publicized, controlled, or evacuated in order to control the risk to the public. A flight hazard area analysis must account for all reasonably foreseeable vehicle response modes during nominal and non-nominal flight that could result PO 00000 Frm 00139 Fmt 4701 Sfmt 4702 15433 in a casualty. The analysis must account for, at a minimum— (1) The regions of land, sea, and air potentially exposed to debris impact resulting from normal flight events and from debris hazards resulting from any potential malfunction; (2) Any hazard controls implemented to control risk to any hazard; (3) The limits of a launch or reentry vehicle’s normal flight, including winds that are no less severe than the worst wind conditions under which flight might be attempted and uncertainty in the wind conditions; (4) The debris identified for each foreseeable cause of breakup, and any planned jettison of debris, launch or reentry vehicle components, or payload; (5) All foreseeable sources of debris dispersion during freefall, including wind effects, guidance and control, velocity imparted by break-up or jettison, lift, and drag forces; and (6) A probability of one for any planned debris hazards or planned impacts. (b) Waterborne vessel hazard areas. The flight hazard area analysis for waterborne vessels must determine the areas and durations for regions of water— (1) That are necessary to contain, with 97 percent probability of containment, all debris resulting from normal flight events capable of causing a casualty to persons on waterborne vessels; (2) That are necessary to contain either where the probability of debris capable of causing a casualty impacting on or near a vessel would exceed 1 × 10¥5, accounting for all relevant hazards, or where the individual probability of casualty for any person on board a vessel would exceed the criterion in § 450.101(a)(2) or (b)(2); and (3) Where reduced vessel traffic is necessary to meet collective risk criterion in § 450.101(a)(1) or (b)(1). (c) Land hazard areas. The flight hazard area analysis for land must determine the durations and areas regions of land— (1) That are necessary to contain, with 97 percent probability of containment, all debris resulting from normal flight events capable of causing a casualty to any person on land; (2) Where the individual probability of casualty for any person on land would exceed the criterion in § 450.101(a)(2) or (b)(2); and (3) Where reduced population is necessary to meet the collective risk criterion in § 450.101(a)(1) or (b)(1). (d) Airspace hazard volumes. The flight hazard area analysis for airspace must determine the durations and E:\FR\FM\15APP2.SGM 15APP2 15434 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules volumes for regions of air to be submitted to the FAA for approval— (1) That are necessary to contain, with 97 percent probability of containment, all debris resulting from normal flight events capable of causing a casualty to persons on an aircraft; and (2) Where the probability of impact on an aircraft would exceed the criterion in § 450.101(a)(3) or (b)(3). (e) Application requirements. An applicant must submit: (1) A description of the methodology to be used in the flight hazard area analysis including all assumptions and justifications for the assumptions, vulnerability models, analysis methods, input data, including: (i) Input wind data and justification that those represent the worst wind conditions under which flight might be attempted accounting for uncertainty in the wind conditions; (ii) Classes of waterborne vessel and vulnerability criteria employed; and (iii) Classes of aircraft and vulnerability criteria employed. (2) Tabular data and graphs of the results of the flight hazard area analysis, including: (i) Geographical coordinates of all hazard areas that are representative of those to be published prior to any proposed operation; (ii) Representative 97 percent probability of containment contours for all debris resulting from normal flight events capable of causing a casualty, regardless of location, including regions of land, sea, or air; (iii) Representative individual probability of casualty contours regardless of location; (iv) If applicable, representative 1 × 10¥5 and 1 × 10¥6 probability of impact contours for all debris capable of causing a casualty to persons on an waterborne vessel regardless of location; and (v) Representative 1 × 10¥6 and 1 × 10¥7 probability of impact contours for all debris capable of causing a casualty to persons on an aircraft regardless of location. (3) Additional products that allow an independent analysis, as requested by the Administrator. amozie on DSK9F9SC42PROD with PROPOSALS2 § 450.135 Debris risk analysis. (a) General. A debris risk analysis must demonstrate compliance with public safety criteria in § 450.101, either— (1) Prior to the day of the operation, accounting for all foreseeable conditions within the flight commit criteria; or (2) During the countdown using the best available input data. (b) Propagation of debris. A debris risk analysis must compute statistically VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 valid debris impact probability distributions using the input data produced by flight safety analyses required in §§ 450.117 through 450.133. The propagation of debris from each predicted breakup location to impact must account for— (1) All foreseeable forces that can influence any debris impact location; and (2) All foreseeable sources of impact dispersion, including, at a minimum: (i) The uncertainties in atmospheric conditions; (ii) Debris aerodynamic parameters; (iii) Pre-breakup position and velocity; and (iv) Breakup-imparted velocities. (c) Exposure model. A debris risk analysis must account for the distribution of people and critical assets. The exposure input data must— (1) Include the entire region where there is a significant probability of impact of hazardous debris; (2) Characterize the distribution and vulnerability of people and critical assets both geographically and temporally; (3) Account for the distribution of people in various structures and vehicle types with a resolution consistent with the characteristic size of the impact probability distributions for relevant fragment groups; (4) Have sufficient temporal and spatial resolution that a uniform distribution of people within each defined region can be treated as a single average set of characteristics without degrading the accuracy of any debris analysis output; (5) Use accurate source data from demographic sources, physical surveys, or other methods; (6) Be regularly updated to account for recent land-use changes, population growth, migration, and construction; and (7) Account for uncertainty in the source data and modeling approach. (d) Casualty area and consequence analysis. A debris risk analysis must model the casualty area, and compute the predicted consequences of each reasonably foreseeable vehicle response mode in any one-second period of flight in terms of conditional expected casualties. The casualty area and consequence analysis must account for— (1) All relevant debris fragment characteristics and the characteristics of a representative person exposed to any potential debris hazard. (2) Any direct impacts of debris fragments, intact impact, or indirect impact effects. PO 00000 Frm 00140 Fmt 4701 Sfmt 4702 (3) The vulnerability of people and critical assets to debris impacts, including: (i) Effects of buildings, ground vehicles, waterborne vessel, and aircraft upon the vulnerability of any occupants; (ii) All hazard sources, such as the potential for any toxic or explosive energy releases; (iii) Indirect or secondary effects such as bounce, splatter, skip, slide or ricochet, including accounting for terrain; (iv) Effect of wind on debris impact vector and toxic releases; (v) Impact speed and angle, accounting for motion of impacted vehicles; (vi) Uncertainty in fragment impact parameters; and (vii) Uncertainty in modeling methodology. (e) Application requirements. An applicant must submit: (1) A description of the methods used to compute the parameters required to demonstrate compliance with the public safety criteria in § 450.101, including a description of how the operator will account for the conditions immediately prior to enabling the flight of a launch vehicle or the reentry of a reentry vehicle, such as the final trajectory, atmospheric conditions, and the exposure of people and critical assets; (2) A description of the methods used to compute debris impact distributions; (3) A description of the methods used to develop the population exposure input data; (4) A description of the exposure input data, including, for each population center, a geographic definition and the distribution of population among shelter types as a function of time of day, week, month, or year; (5) A description of the atmospheric data used as input to the debris risk analysis; (6) The effective unsheltered casualty area for all fragment classes assuming a representative impact vector; (7) The effective casualty area for all fragment classes for a representative type of building, ground vehicle, waterborne vessel, and aircraft, assuming a representative impact vector; (8) Collective and individual debris risk analysis outputs under representative conditions and the worst foreseeable conditions, including: (i) Total collective casualty expectation for the proposed operation; (ii) A list of the collective risk contribution for at least the top ten population centers and all centers with collective risk exceeding 1 percent of the collective risk criterion in § 450.101; E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules (iii) A list of the maximum individual probability of casualty for the top ten population centers and all centers that exceed 10 percent of the individual risk criterion in § 450.101; and (iv) A list of the probability of loss of functionality of any critical asset that exceeds 1 percent of the critical asset criterion in § 450.101; (9) A list of the conditional collective casualty expectation for each vehicle response mode for each one-second interval of flight under representative conditions and the worst foreseeable conditions; and (10) Additional products that allow an independent analysis, as requested by the Administrator. amozie on DSK9F9SC42PROD with PROPOSALS2 § 450.137 Far-field overpressure blast effects analysis. (a) General. The far-field overpressure blast effect analysis must demonstrate compliance with public safety criteria in § 450.101, either— (1) Prior to the day of the operation, accounting for all foreseeable conditions within the flight commit criteria; or (2) During the countdown using the best available input data. (b) Analysis constraints. The analysis must account for— (1) The potential for distant focus overpressure or overpressure enhancement given current meteorological conditions and terrain characteristics; (2) The potential for broken windows due to peak incident overpressures below 1.0 psi and related casualties; (3) The explosive capability of the vehicle at impact and at altitude and potential explosions resulting from debris impacts, including the potential for mixing of liquid propellants; (4) Characteristics of the vehicle flight and the surroundings that would affect the population’s susceptibility to injury, including shelter types and time of day of the proposed operation; (5) Characteristics of the potentially affected windows, including their size, location, orientation, glazing material, and condition; and (6) The hazard characteristics of the potential glass shards, including falling from upper building stories or being propelled into or out of a shelter toward potentially occupied spaces. (c) Application requirements. An applicant must submit a description of the far-field overpressure analysis, including all assumptions and justifications for the assumptions, analysis methods, input data, and results. At a minimum, the application must include: (1) A description of the population centers, terrain, building types, and VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 window characteristics used as input to the far-field overpressure analysis; (2) A description of the methods used to compute the foreseeable explosive yield probability pairs, and the complete set of yield-probability pairs, used as input to the far-field overpressure analysis; (3) A description of the methods used to compute peak incident overpressures as a function of distance from the explosion and prevailing meteorological conditions, including sample calculations for a representative range of the foreseeable meteorological conditions, yields, and population center locations; (4) A description of the methods used to compute the probability of window breakage, including tabular data and graphs for the probability of breakage as a function of the peak incident overpressure for a representative range of window types, building types, and yields accounted for; (5) A description of the methods used to compute the probability of casualty for a representative individual, including tabular data and graphs for the probability of casualty, as a function of location relative to the window and the peak incident overpressure for a representative range of window types, building types, and yields accounted for; (6) Tabular data and graphs showing the hypothetical location of any member of the public that could be exposed to a probability of casualty of 1 × 10¥5 or greater for neighboring operations personnel, and 1 × 10¥6 or greater for other members of the public, given foreseeable meteorological conditions, yields, and population exposures; (7) The maximum expected casualties that could result from far-field overpressure hazards greater given foreseeable meteorological conditions, yields, and population exposures; (8) A description of the meteorological measurements used as input to any real-time far-field overpressure analysis; and (9) Additional products that allow an independent analysis, as requested by the Administrator. § 450.139 Toxic hazards for flight. (a) Applicability. This section applies to any launch or reentry vehicle, including all vehicle components and payloads, that use toxic propellants or other toxic chemicals. (b) General. An operator must— (1) Conduct a toxic release hazard analysis in accordance with paragraph (c) of this section; (2) Manage the risk of casualties that could arise from the exposure to toxic PO 00000 Frm 00141 Fmt 4701 Sfmt 4702 15435 release through one of the following means: (i) Contain hazards caused by toxic release in accordance with paragraph (d) of this section; or (ii) Perform a toxic risk assessment, in accordance with paragraph (e) of this section, that protects the public in compliance with the risk criteria of § 450.101, including toxic release hazards. (3) Establish flight commit criteria based on the results of its toxic release hazard analysis, containment analysis, or toxic risk assessment for any necessary evacuation of the public from any toxic hazard area. (c) Toxic release hazard analysis. A toxic release hazard analysis must— (1) Account for any toxic release that could occur during nominal or nonnominal flight; (2) Include a worst-case release scenario analysis or a maximumcredible release scenario analysis; (3) Determine if toxic release can occur based on an evaluation of the chemical compositions and quantities of propellants, other chemicals, vehicle materials, and projected combustion products, and the possible toxic release scenarios; (4) Account for both normal combustion products and any unreacted propellants and phase change or chemical derivatives of released substances; and (5) Account for any operational constraints and emergency procedures that provide protection from toxic release. (d) Toxic containment. An operator using toxic containment must manage the risk of any casualty from the exposure to toxic release either by— (1) Evacuating, or being prepared to evacuate, the public from a toxic hazard area, where an average member of the public would be exposed to greater than one percent conditional individual probability of casualty in the event of a worst-case release or maximum credible release scenario; or (2) Employing meteorological constraints to limit a launch operation to times during which prevailing winds and other conditions ensure that an average member of the public would not be exposed to greater than one percent conditional individual probability of casualty in the event of a worst-case release or maximum credible release scenario. (e) Toxic risk assessment. An operator using toxic risk assessment must establish flight commit criteria that demonstrate compliance with the public risk criterion of § 450.101. A toxic risk assessment must— E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15436 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules (1) Account for airborne concentration and duration thresholds of toxic propellants or other chemicals. For any toxic propellant, other chemicals, or combustion product, an operator must use airborne toxic concentration and duration thresholds identified in a means of compliance accepted by the Administrator; (2) Account for physical phenomena expected to influence any toxic concentration and duration in the area surrounding the potential release site; (3) Determine a toxic hazard area for the launch or reentry, surrounding the potential release site for each toxic propellant or other chemical based on the amount and toxicity of the propellant or other chemical, the exposure duration, and the meteorological conditions involved; (4) Account for all members of the public that may be exposed to the toxic release, including all members of the public on land and on any waterborne vessels, populated offshore structures, and aircraft that are not operated in direct support of the launch or reentry; and (5) Account for any risk mitigation measures applied in the risk assessment. (f) Application requirements. An applicant must submit: (1) The identity of toxic propellant, chemical, or combustion products or derivatives in the possible toxic release; (2) The applicant’s selected airborne toxic concentration and duration thresholds; (3) The meteorological conditions for the atmospheric transport and buoyant cloud rise of any toxic release from its source to downwind receptor locations; (4) Characterization of the terrain, as input for modeling the atmospheric transport of a toxic release from its source to downwind receptor locations; (5) The identity of the toxic dispersion model used, and any other input data; (6) Representative results of an applicant’s toxic dispersion modeling to predict concentrations and durations at selected downwind receptor locations, to determine the toxic hazard area for a released quantity of the toxic substance; (7) For toxic release hazard analysis in accordance with paragraph (c) of this section: (i) A description of the failure modes and associated relative probabilities for potential toxic release scenarios used in the risk evaluation; and (ii) The methodology and representative results of an applicant’s determination of the worst-case or maximum-credible quantity of any toxic release that might occur during the flight of a vehicle; VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 (8) For toxic risk assessment in accordance with paragraph (e) of this section: (i) A demonstration that the public will not be exposed to airborne concentrations above the toxic concentration and duration thresholds, based upon representative results of the toxic release hazard analysis; (ii) The population density in receptor locations that are identified by toxic dispersion modeling as toxic hazard areas; (iii) A description of any risk mitigations applied in the toxic risk assessment; and (iv) The identity of the population database used; and (9) Additional products that allow an independent analysis, as requested by the Administrator. § 450.141 Wind weighting for the flight of an unguided suborbital launch vehicle. (a) Applicability. This section applies to the flight of an unguided suborbital launch vehicle using wind weighting to meet the public safety criteria of § 450.101. (b) Wind weighting safety system. The flight of an unguided suborbital launch vehicle that uses a wind weighting safety system must meet the following: (1) The launcher azimuth and elevation settings must be wind weighted to correct for the effects of wind conditions at the time of flight to provide a safe impact location; and (2) An operator must use launcher azimuth and elevation angle settings that ensures the rocket will not fly in an unintended direction given wind uncertainties. (c) Analysis. An operator must— (1) Establish flight commit criteria and other flight safety rules that control the risk to the public from potential adverse effects resulting from normal and malfunctioning flight; (2) Establish any wind constraints under which flight may occur; and (3) Conduct a wind weighting analysis that establishes the launcher azimuth and elevation settings that correct for the windcocking and wind-drift effects on the unguided suborbital launch vehicle. (d) Stability. An unguided suborbital launch vehicle, in all configurations, must be stable throughout each stage of powered flight. (e) Application requirements. An applicant must submit: (1) A description of its wind weighting analysis methods, including its method and schedule of determining wind speed and wind direction for each altitude layer; (2) A description of its wind weighting safety system and identify all PO 00000 Frm 00142 Fmt 4701 Sfmt 4702 equipment used to perform the wind weighting analysis; (3) A representative wind weighting analysis using actual or statistical winds for the launch area and provide samples of the output; and (4) Additional products that allow an independent analysis, as requested by the Administrator. Prescribed Hazard Controls § 450.143 Safety-critical system design, test, and documentation. (a) Applicability. This section applies to all safety-critical systems. Flight safety systems that are required to meet the requirements of § 450.101(c) must meet additional requirements in § 450.145. (b) Fault-tolerant design. An operator must design safety-critical systems to be fault-tolerant such that there is no single credible fault that can lead to increased risk to public safety beyond nominal safety-critical system operation. (c) Qualification testing of design. An operator must functionally demonstrate the design of the vehicle’s safety-critical systems at conditions beyond its predicted operating environment. The operator must select environmental test levels that ensure the design is sufficiently stressed to demonstrate that system performance is not degraded due to design tolerances, manufacturing variances, or uncertainties in the environment. (d) Acceptance of hardware. An operator must— (1) Functionally demonstrate any safety-critical system while exposed to its predicted operating environment with margin to demonstrate that it is free of defects, free of integration and workmanship errors, and ready for operational use; or (2) Combine in-process controls and a quality assurance process to ensure functional capability of any safetycritical system during its service life. (e) Lifecycle of safety-critical systems. (1) The predicted operating environment must be based on conditions predicted to be encountered in all phases of flight, recovery, and transportation. (2) An operator must monitor the flight environments experienced by safety-critical system components to the extent necessary to— (i) Validate the predicted operating environment; and (ii) Assess the actual component life remaining or adjust any inspection period. (f) Application requirements. An applicant must submit to the FAA the following as part of its application: E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules (1) A list and description of each safety-critical system; (2) Drawings and schematics for each safety-critical system; (3) A summary of the analysis to determine the predicted operating environment and duration to be applied to qualification and acceptance testing covering the service life of any safetycritical system; (4) A description of any instrumentation or inspection processes to monitor aging of any safety-critical system; and (5) The criteria and procedures for disposal or refurbishment for service life extension of safety-critical system components. amozie on DSK9F9SC42PROD with PROPOSALS2 § 450.145 Flight safety system. (a) General. For each phase of flight for which an operator must implement flight abort to meet the requirement of § 450.101(c), the operator must use a flight safety system, or other safeguards agreed to by the Administrator, on the launch or reentry vehicle, vehicle component, or payload with the following reliability: (1) If the consequence any vehicle response mode is 1 × 10¥2 conditional expected casualties or greater for uncontrolled areas, an operator must employ a flight safety system with design reliability of 0.999 at 95 percent confidence and commensurate design, analysis, and testing; or (2) If the consequence of any vehicle response mode is between 1 × 10¥2 and 1 × 10¥3 conditional expected casualties for uncontrolled areas, an operator must employ a flight safety system with a design reliability of 0.975 at 95 percent confidence and commensurate design, analysis, and testing. (b) Accepted means of compliance. To comply with paragraph (a) of this section, an applicant must use a means of compliance accepted by the Administrator. (c) Monitoring. An operator must monitor the flight environments experienced by any flight safety system component. (d) Application requirements. An applicant must submit the information identified in paragraphs (d)(1) through (5) of this section, for any flight safety system including any flight safety system located on board a launch or reentry vehicle; any ground based command control system; any support system, including telemetry subsystems and tracking subsystems, necessary to support a flight abort decision; and the functions of any personnel who operate the flight safety system hardware or software: VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 (1) Flight safety system description. An applicant must describe the flight safety system and its operation in detail, including all components, component functions, and possible operational scenarios. (2) Flight safety system diagram. An applicant must submit a diagram that identifies all flight safety system subsystems and shows the interconnection of all the elements of the flight safety system. The diagram must include any subsystems used to implement flight abort both on and off the vehicle, including any subsystems used to make the decision to abort flight. (3) Flight safety system analyses. An applicant must submit any analyses and detailed analysis reports of all flight safety system subsystems necessary to demonstrate the reliability and confidence levels required by paragraph (a) of this section. (4) Tracking validation procedures. An applicant must document and submit the procedures for validating the accuracy of any vehicle tracking data utilized by the flight safety system to make the decision to abort flight. (5) Flight safety system test plans. An applicant must submit acceptance, qualification, and preflight test plans of any flight safety system, subsystems, and components. The test plans must include test procedures and test environments. § 450.147 Agreements. (a) General. An operator must establish a written agreement with any entity that provides a service or property that meets a requirement in this part, including: (1) Launch and reentry site use agreements. A Federal launch range operator, a licensed launch or reentry site operator, or any other person that provides services or access to or use of property required to support the safe launch or reentry under this part; (2) Agreements for notices to mariners. Unless otherwise addressed in agreements with the site operator, for overflight of navigable water, the U.S. Coast Guard or other applicable maritime authority to establish procedures for the issuance of a Notice to Mariners prior to a launch or reentry and other measures necessary to protect public health and safety; (3) Agreements for notices to airmen. Unless otherwise addressed in agreements with the site operator, the FAA Air Traffic Organization or other applicable air navigation authority to establish procedures for the issuance of a Notice to Airmen prior to a launch or reentry, for closing of air routes during PO 00000 Frm 00143 Fmt 4701 Sfmt 4702 15437 the respective launch and reentry windows, and for other measures necessary to protect public health and safety; and (4) Mishap response. Emergency response providers, including local government authorities, to satisfy the requirements of § 450.173. (b) Roles and responsibilities. The agreements required in this section must clearly delineate the roles and responsibilities of each party to support the safe launch or reentry under this part. (c) Effective date. The agreements required in this section must be in effect before a license can be issued, unless otherwise agreed to by the Administrator. (d) Application requirement. The applicant must describe each agreement in this section. The applicant must provide a copy of any agreement, or portion thereof, to the FAA upon request. § 450.149 Safety-critical personnel qualifications. (a) Qualification requirements. An operator must ensure safety-critical personnel are trained, qualified, and capable of performing their safetycritical tasks, and that their training is current. (b) Application requirements. An applicant must— (1) Identify safety-critical tasks that require qualified personnel; (2) Provide internal training and currency requirements, completion standards, or any other means of demonstrating compliance with the requirements of this section; and (3) Describe the process for tracking training currency. § 450.151 Work shift and rest requirements. (a) General. For any launch or reentry, an operator must document and implement rest requirements that ensure safety-critical personnel are physically and mentally capable of performing all assigned tasks. (b) Specific items to address. An operator’s rest requirements must address the following: (1) Duration of each work shift and the process for extending this shift, including the maximum allowable length of any extension; (2) Number of consecutive work shift days allowed before rest is required; (3) Minimum rest period required— (i) Between each work shift, including the period of rest required immediately before the flight countdown work shift; and (ii) After the maximum number of work shift days allowed; and E:\FR\FM\15APP2.SGM 15APP2 15438 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules (4) Approval process for any deviation from the rest requirements. (c) Application requirements. An applicant must submit rest rules that demonstrate compliance with the requirements of this section. § 450.153 Radio frequency management. (a) Frequency management. For any radio frequency used, an operator must— (1) Identify each frequency, all allowable frequency tolerances, and each frequency’s intended use, operating power, and source; (2) Provide for the monitoring of frequency usage and enforcement of frequency allocations; and (3) Coordinate use of radio frequencies with any site operator and any local and Federal authorities. (b) Application requirements. An applicant must submit procedures or other means to demonstrate compliance with the radio frequency requirements of this section. § 450.155 Readiness. (a) Flight readiness. An operator must document and implement procedures to assess readiness to proceed with the flight of a launch or reentry vehicle. These procedures must address, at minimum, the following: (1) Readiness of vehicle and launch, reentry, or landing site, including any contingency abort location; (2) Readiness of safety-critical personnel, systems, software, procedures, equipment, property, and services; and (3) Readiness to implement the mishap plan required by § 450.173. (b) Application requirements. An applicant must— (1) Demonstrate compliance with the requirements of paragraph (a) of this section through procedures that may include a readiness meeting close in time to flight; and (2) Describe the criteria for establishing readiness to proceed with the flight of a launch or reentry vehicle. amozie on DSK9F9SC42PROD with PROPOSALS2 § 450.157 Communications. (a) Communication procedures. An operator must implement communication procedures during the countdown and flight of a launch or reentry vehicle that— (1) Define the authority of personnel, by individual or position title, to issue ‘‘hold/resume,’’ ‘‘go/no go,’’ and abort commands; (2) Assign communication networks so that personnel identified in paragraph (a)(1) of this section have direct access to real-time safety-critical information required to issue ‘‘hold/ VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 resume,’’ ‘‘go/no go,’’ and any abort commands; (3) Ensure personnel, identified in paragraph (a)(1) of this section, monitor each common intercom channel during countdown and flight; and (4) Implement a protocol for using defined radio telephone communications terminology. (b) Currency. An operator must ensure the currency of the communication procedures, and that all personnel are working with the approved version of the communication procedures. (c) Communication records. An operator must record all safety-critical communications network channels that are used for voice, video, or data transmissions that support safety critical systems during each countdown. § 450.159 Preflight procedures. (a) Preflight procedures. An operator must implement preflight procedures that— (1) Verify that each flight commit criterion is satisfied before flight is initiated; and (2) Ensure the operator can return the vehicle to a safe state after a countdown abort or delay. (b) Currency. An operator must ensure the currency of the preflight procedures, and that all personnel are working with the approved version of the preflight procedures. § 450.161 Surveillance and publication of hazard areas. (a) General. The operator must publicize, survey, and evacuate each flight hazard area prior to initiating flight of a launch vehicle or the reentry of a reentry vehicle to the extent necessary to ensure compliance with § 450.101. (b) Verification. The launch or reentry operator must perform surveillance sufficient to verify or update the assumptions, input data, and results of the flight safety analyses. (c) Publication. An operator must publicize warnings for each flight hazard area, except for regions of land, sea, or air under the control of the vehicle operator, site operator, or other entity by agreement. If the operator relies on another entity to publicize these warnings, it must verify that the warnings have been issued. (d) Application requirements. An applicant must submit: (1) A description of how it will provide for day-of-flight surveillance of flight hazard areas, if necessary, to ensure that the presence of any member of the public in or near a flight hazard area is consistent with flight commit criteria developed for each launch or reentry as required by § 450.165(b); and PO 00000 Frm 00144 Fmt 4701 Sfmt 4702 (2) A description of how it will establish flight commit criteria based on the results of its toxic release hazard analysis, containment analysis, or toxic risk assessment for any necessary evacuation of the public from any toxic hazard area. § 450.163 Lightning hazard mitigation. (a) Lighting hazard mitigation. An operator must— (1) Establish flight commit criteria that mitigate the potential for a launch or reentry vehicle intercepting or initiating a lightning strike, or encountering a nearby discharge, using a means of compliance accepted by the Administrator; (2) Use a vehicle designed to continue safe flight in the event of a direct lightning strike or nearby discharge; or (3) Ensure compliance with § 450.101, given any direct lightning strike or an encounter with a nearby discharge. (b) Application requirements. (1) An applicant electing to comply with paragraph (a)(1) of this section must submit flight commit criteria that mitigate the potential for a launch or reentry vehicle intercepting or initiating a direct lightning strike, or encountering a nearby lightning discharge. (2) An applicant electing to comply with paragraph (a)(2) of this section must submit documentation providing evidence that the vehicle is designed to protect safety-critical systems against the effects of a direct lightning strike or nearby discharge. (3) An applicant electing to comply with paragraph (a)(3) of this section must submit documentation providing evidence that the safety criteria in § 450.101 will be met given any direct lightning strike or an encounter with a nearby discharge. § 450.165 Flight safety rules. (a) General. For each launch or reentry, an operator must establish and observe flight safety rules that govern the conduct of the launch or reentry. (b) Flight commit criteria. The flight safety rules must include flight commit criteria that identify each condition necessary prior to flight of a launch vehicle or the reentry of a reentry vehicle to satisfy the requirements of § 450.101, and must include: (1) Surveillance of any region of land, sea, or air in accordance with § 450.161; (2) Monitoring of any meteorological condition necessary to— (i) Be consistent with any safety analysis required by this part; and (ii) If necessary in accordance with § 450.163, mitigate the potential for a launch or reentry vehicle intercepting a lightning strike, or encountering a nearby discharge; E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules (3) Implementation of any launch or reentry window closure in the launch or reentry window for the purpose of collision avoidance in accordance with § 450.169; (4) Confirmation that any safetycritical system is ready for flight; (5) For any reentry vehicle, except a suborbital vehicle, monitoring by the operator or an on board system that the status of safety-critical systems are healthy before enabling reentry flight, to assure the vehicle can reenter safely to Earth; and (6) Any other hazard controls derived from any safety analysis required by this part. (c) Flight abort rules. (1) For a vehicle that uses a flight safety system, the flight safety rules must identify the conditions under which the flight safety system, including the functions of any flight abort crew, must abort the flight to: (i) Ensure compliance with § 450.101; and (ii) Prevent debris capable of causing a casualty from impacting in uncontrolled areas if the vehicle is outside the limits of a useful mission. (2) Vehicle data required to evaluate flight abort rules must be available to the flight safety system across the range of normal and malfunctioning flight. (3) The flight abort rules must include the following: (i) The flight safety system must abort flight when valid, real-time data indicate the vehicle has violated any flight safety limit; (ii) The flight safety system must abort flight when the vehicle state approaches conditions that are anticipated to compromise the capability of the flight safety system and further flight has the potential to violate a flight safety limit; (iii) The flight safety system must incorporate data loss flight times to abort flight at the first possible violation of a flight safety limit, or earlier, if valid tracking data is insufficient for evaluating a minimum set of flight abort rules required to maintain compliance with § 450.101; and (iv) Flight may continue past any gate established under § 450.125 only if the parameters used to establish the ability of the vehicle to complete a useful mission are within limits. (d) Application requirements. An applicant must submit: (1) For flight commit criteria, a list of all flight commit criteria; and (2) For flight abort rules: (i) A description of each rule, and the parameters that will be used to evaluate each rule; (ii) A list that identifies the rules necessary for compliance with each requirement in § 450.101; and VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 (iii) A description of the vehicle data that will be available to evaluate flight abort rules across the range of normal and malfunctioning flight. § 450.167 Tracking. (a) Vehicle tracking. During the flight of a launch or reentry vehicle, an operator must measure and record in real time the position and velocity of the vehicle. The system used to track the vehicle must provide data to determine the actual impact locations of all stages and components, and to obtain vehicle performance data for comparison with the preflight performance predictions. (b) Application requirements. An applicant must identify and describe each method or system used to meet the tracking requirements of paragraph (a) of this section. § 450.169 Launch and reentry collision avoidance analysis requirements. (a) Criteria. For an orbital or suborbital launch or reentry, an operator must establish window closures needed to ensure that the launch or reentry vehicle, any jettisoned components, or payloads meet the following requirements with respect to orbiting objects, not including any object being launched or reentered. (1) For inhabitable objects, one of three criteria in paragraphs (a)(1)(i) through (iii) of this section must be met: (i) The probability of collision between the launching or reentering objects and any inhabitable object must not exceed 1 × 10¥6; (ii) The launching or reentering objects must maintain an ellipsoidal separation distance of 200 km in-track and 50 km cross-track and radially from the inhabitable object; or (iii) The launching or reentering objects must maintain a spherical separation distance of 200 km from the inhabitable object. (2) For objects that are neither orbital debris nor inhabitable, one of the two criteria in paragraphs (a)(2)(i) and (ii) of this section must be met: (i) The probability of collision between the launching or reentering objects and any object must not exceed 1 × 10¥5; or (ii) The launching or reentering objects must maintain a spherical separation distance of 25 km from the object. (3) For all other known orbital debris identified by the FAA or other Federal Government entity as 10 cm squared or larger, the launching or reentering objects must maintain a spherical separation distance of 2.5 km from the object. (b) Screening time. A launch or reentry operator must ensure the PO 00000 Frm 00145 Fmt 4701 Sfmt 4702 15439 requirements of paragraph (a) of this section are follows: (1) Through the entire flight of a suborbital launch vehicle; (2) For an orbital launch, during ascent from a minimum of 150 km to initial orbital insertion and for a minimum of 3 hours from liftoff; (3) For reentry, during descent from initial reentry burn to 150 km altitude; and (4) For disposal, during descent from initial disposal burn to 150 km altitude. (c) Rendezvous. Planned rendezvous operations that occur within the screening time frame are not considered a violation of collision avoidance if the involved operators have pre-coordinated the rendezvous or close approach. (d) Analysis not required. A launch collision avoidance analysis is not required if the maximum altitude attainable by a launch operator’s suborbital launch vehicle and any released debris is less than 150 km. The maximum altitude attainable means an optimized trajectory, assuming maximum performance within 99.7% confidence bounds, extended through fuel exhaustion of each stage, to achieve a maximum altitude. (e) Analysis. Collision avoidance analysis must be obtained for each launch or reentry from a Federal entity identified by the FAA. (1) An operator must use the results of the collision avoidance analysis to establish flight commit criteria for collision avoidance; and (2) Account for uncertainties associated with launch or reentry vehicle performance and timing, and ensure that each window closure incorporates all additional time periods associated with such uncertainties. (f) Timing and information required. An operator must prepare a collision avoidance analysis worksheet for each launch or reentry using a standardized format that contains the input data required by appendix A to this part, as follows: (1) An operator must file the input data with a Federal entity identified by the FAA and the FAA at least 15 days before the first attempt at the flight of a launch vehicle or the reentry of a reentry vehicle, unless the Administrator agrees to a different time frame in accordance with § 404.15 of this chapter; (2) An operator must obtain a collision avoidance analysis performed by a Federal entity identified by the FAA 6 hours before the beginning of a launch or reentry window; and (3) If an operator needs an updated collision avoidance analysis due to a launch or reentry delay, the operator E:\FR\FM\15APP2.SGM 15APP2 15440 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules must file the request with the Federal entity and the FAA at least 12 hours prior to the beginning of the new launch or reentry window. § 450.171 Safety at end of launch. (a) Debris mitigation. An operator must ensure for any proposed launch that for all vehicle stages or components that reach Earth orbit— (1) There is no unplanned physical contact between the vehicle or any of its components and the payload after payload separation; (2) Debris generation does not result from the conversion of energy sources into energy that fragments the vehicle or its components. Energy sources include chemical, pressure, and kinetic energy; and (3) For all vehicle stages or components that are left in orbit, stored energy is removed by depleting residual fuel and leaving all fuel line valves open, venting any pressurized system, leaving all batteries in a permanent discharge state, and removing any remaining source of stored energy. (b) Application requirements. An applicant must demonstrate compliance with the requirements in paragraph (a) of this section. amozie on DSK9F9SC42PROD with PROPOSALS2 § 450.173 Mishap plan—reporting, response, and investigation requirements. (a) General. An operator must report, respond, and investigate class 1, 2, 3, and 4 mishaps, as defined in § 401.5 of this chapter, in accordance with paragraphs (b) through (h) of this section using a plan or other written means. (b) Responsibilities. An operator must document— (1) Responsibilities for personnel assigned to implement the requirements of this section; (2) Reporting responsibilities for personnel assigned to conduct investigations and for anyone retained by the licensee to conduct or participate in investigations; and (3) Allocation of roles and responsibilities between the launch operator and any site operator for reporting, responding to, and investigating any mishap during ground activities at the site. (c) Cooperation with FAA and NTSB. An operator must report to, and cooperate with, the FAA and NTSB investigations and designate one or more points of contact for the FAA and NTSB. (d) Mishap reporting requirements. An operator must— (1) Immediately notify the FAA Washington Operations Center in case of a mishap that involves a fatality or VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 serious injury (as defined in 49 CFR 830.2); (2) Notify within 24 hours the FAA Washington Operations Center in the case of a mishap that does not involve a fatality or serious injury (as defined in 49 CFR 830.2); and (3) Submit a written preliminary report to the FAA Office of Commercial Space Transportation within five days of any mishap. The preliminary report must include the following information, as applicable: (i) Date and time of the mishap; (ii) Description of the mishap and sequence of events leading to the mishap, to the extent known; (iii) Intended and actual location of the launch or reentry or other landing on Earth; (iv) Vehicle or debris impact points, including those outside a planned landing or impact area; (v) Identification of the vehicle; (vi) Identification of any payload; (vii) Number and general description of any fatalities or injuries; (viii) Description and estimated costs of any property damage; (ix) Identification of hazardous materials, as defined in § 401.5 of this chapter, involved in the event, whether on the vehicle, any payload, or on the ground; (x) Action taken by any person to contain the consequences of the event; (xi) Weather conditions at the time of the event; and (xii) Potential consequences for other similar vehicles, systems, or operations. (e) Emergency response requirements. An operator must— (1) Activate emergency response services to protect the public following a mishap as necessary including, but not limited to: (i) Evacuating and rescuing members of the public, taking into account debris dispersion and toxic plumes; and (ii) Extinguishing fires; (2) Maintain existing hazard area surveillance and clearance as necessary to protect public safety; (3) Contain and minimize the consequences of a mishap, including: (i) Securing impact areas to ensure that no members of the public enter; (ii) Safely disposing of hazardous materials; and (iii) Controlling hazards at the site or impact areas; (4) Preserve data and physical evidence; and (5) Implement agreements with government authorities and emergency response services, as necessary, to satisfy the requirements of this section. (f) Mishap investigation requirements. In the event of a mishap, an operator must— PO 00000 Frm 00146 Fmt 4701 Sfmt 4702 (1) Investigate the root causes of the mishap; and (2) Report investigation results to the FAA. (g) Preventative measures. An operator must identify and implement preventive measures for avoiding recurrence of the mishap prior to the next flight, unless otherwise approved by the Administrator. (h) Mishap records. An operator must maintain records associated with the mishap in accordance with § 450.219(b). (i) Application requirements. An applicant must submit the plan or other written means required by this section. § 450.175 Test-induced damage. (a) Coordination of anticipated testinduced damage. Test-induced damage is not a mishap if all of the following are true: (1) An operator coordinates potential test-induced damage with the FAA before the planned activity, and with sufficient time for the FAA to evaluate the operator’s proposal during the application process or as a license modification; and (2) The test-induced damage did not result in any of the following: (i) Serious injury or fatality (as defined in 49 CFR 830.2); (ii) Damage to property not associated with the licensed activity; and (iii) Hazardous debris leaving the predefined hazard area; or (3) The test-induced damage falls within the scope of activities coordinated with the FAA in paragraph (a)(1) of this section. (b) Application requirements. An applicant must submit the following information: (1) Test objectives; (2) Test limits; (3) Expected outcomes; (4) Potential risks, including the applicant’s best understanding of the uncertainties in environments, test limits, or system performance; (5) Applicable procedures; (6) Expected time and duration of the test; and (7) Additional information as required by the FAA to ensure protection of public health and safety, safety of property, and the national security and foreign policy interests of the United States. § 450.177 Unique policies, requirements, and practices. (a) Operator identified unique hazards. An operator must review operations, system designs, analysis, and testing, and identify any unique hazards not otherwise addressed by this part. An operator must implement any E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules unique safety policy, requirement, or practice needed to protect the public from the unique hazard. (b) FAA unique policy, requirement, or practice. The FAA may identify and impose a unique policy, requirement, or practice as needed to protect the public health and safety, safety of property, and the national security and foreign policy interests of the United States. (c) Application requirements. (1) An operator must identify any unique safety policy, requirement, or practice necessary in accordance with paragraph (a) of this section, and demonstrate that each unique safety policy, requirement, or practice protects public health and safety and the safety of property. (2) An operator must demonstrate that each unique safety policy, requirement, or practice imposed by the FAA in accordance with paragraph (b) of this section, protects public health and safety, safety of property, and the national security and foreign policy interests of the United States. Ground Safety § 450.179 Ground safety—general. At a U.S. launch or reentry site, an operator must protect the public from adverse effects of hazardous operations and systems associated with— (a) Preparing a launch vehicle for flight; (b) Returning a launch or reentry vehicle to a safe condition after landing, or after an aborted launch attempt; and (c) Returning a site to a safe condition. amozie on DSK9F9SC42PROD with PROPOSALS2 § 450.181 operator. Coordination with a site (a) General. For a launch or reentry conducted from or to a Federal launch or reentry site or a site licensed under part 420 or 433 of this chapter, an operator must coordinate with the site operator to ensure— (1) Public access is controlled where and when necessary to protect public safety; (2) Launch or reentry operations are coordinated with other launch and reentry operators and other affected parties to prevent unsafe interference; (3) Any ground hazard area that affects the operations of a launch or reentry site is coordinated with the Federal or licensed launch or reentry site operator; and (4) Prompt and effective response in the event of a mishap that could impact public safety. (b) Licensed site operator. For a launch or reentry conducted from or to a site licensed under part 420 or 433 of this chapter, an operator must also coordinate with the site operator to establish roles and responsibilities for VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 reporting, responding to, and investigating any mishap during ground activities at the site. (c) Application requirements. An applicant must describe how it is coordinating with a Federal or licensed launch or reentry site operator in compliance with this section. § 450.183 Explosive site plan. (a) Exclusive use sites. For a launch or reentry conducted from or to a site exclusive to its own use, an operator must comply with the explosive siting requirements of §§ 420.63, 420.65, 420.66, 420.67, 420.69, and 420.70 of this chapter. (b) Application requirements. An applicant must submit an explosive site plan in accordance with paragraph (a) of this section. § 450.185 Ground hazard analysis. An operator must perform and document a ground hazard analysis, and continue to maintain it throughout the lifecycle of the launch or reentry system. The analysis must— (a) Hazard identification. Identify system and operation hazards posed by the vehicle and ground hardware, including site and ground support equipment. Hazards identified must include the following: (1) System hazards, including: (i) Vehicle over-pressurization; (ii) Sudden energy release, including ordnance actuation; (iii) Ionizing and non-ionizing radiation; (iv) Fire or deflagration; (v) Radioactive materials; (vi) Toxic release; (vii) Cryogens; (viii) Electrical discharge; and (ix) Structural failure; and (2) Operation hazards, including: (i) Propellant handling and loading; (ii) Transporting of vehicle or vehicle components; (iii) Vehicle testing; and (iv) Vehicle or system activation. (b) Hazard assessment. Assess each hazard’s likelihood and severity. (c) Risk criteria. Ensure that the risk associated with each hazard meets the following criteria: (1) The likelihood of any hazardous condition that may cause death or serious injury to the public must be extremely remote; and (2) The likelihood of any hazardous condition that may cause major damage to public property or critical assets must be remote. (d) Risk elimination and mitigation. Identify and describe the risk elimination and mitigation measures required to satisfy paragraph (c) of this section. PO 00000 Frm 00147 Fmt 4701 Sfmt 4702 15441 (e) Validation and verification. Demonstrate that the risk elimination and mitigation measures achieve the risk levels of paragraph (c) of this section through validation and verification. Verification includes: (1) Analysis; (2) Test; (3) Demonstration; or (4) Inspection. (f) Application requirements. An applicant must submit— (1) A description of the methodology used to perform the ground hazard analysis; (2) A list of all systems and operations that may cause a hazard involving the vehicle or any payload; and (3) The ground hazard analysis products of paragraphs (a) through (e) of this section, including data that verifies the risk elimination and mitigation measures. § 450.187 Toxic hazards mitigation for ground operations. (a) Applicability. This section applies to any launch or reentry vehicle, including all vehicle components and payloads, that use toxic propellants or other toxic chemicals. (b) Toxic release hazard analysis. An operator must conduct a toxic release hazard analysis that— (1) Accounts for any toxic release that could occur during nominal or nonnominal launch or reentry ground operations; (2) Includes a worst-case release scenario analysis or a maximumcredible release scenario analysis for each process that involves a toxic propellant or other chemical; (3) Determines if toxic release can occur based on an evaluation of the chemical compositions and quantities of propellants, other chemicals, vehicle materials, and projected combustion products, and the possible toxic release scenarios; (4) Accounts for both normal combustion products and any unreacted propellants and phase change or chemical derivatives of released substances; and (5) Accounts for any operational constraints and emergency procedures that provide protection from toxic release. (c) Toxic containment. An operator using toxic containment must manage the risk of casualty from the exposure to toxic release either by— (1) Evacuating, or being prepared to evacuate, the public from a toxic hazard area, where an average member of the public would be exposed to greater than one percent conditional individual probability of casualty in the event of a E:\FR\FM\15APP2.SGM 15APP2 amozie on DSK9F9SC42PROD with PROPOSALS2 15442 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules worst-case release or maximum credible release scenario; or (2) Employing meteorological constraints to limit a ground operation to times during which prevailing winds and other conditions ensure that an average member of the public would not be exposed to greater than one percent conditional individual probability of casualty in the event of a worst-case release or maximum credible release scenario. (d) Toxic risk assessment. An operator using toxic risk assessment must manage the risk from any toxic release hazard and demonstrate compliance with the criteria in § 450.109(a)(3). A toxic risk assessment must— (1) Account for airborne concentration and duration thresholds of toxic propellants or other chemicals. For any toxic propellant, other chemicals, or combustion product, an operator must use airborne toxic concentration and duration thresholds identified in a means of compliance accepted by the Administrator; (2) Account for physical phenomena expected to influence any toxic concentration and duration in the area surrounding the potential release site; (3) Determine a toxic hazard area for each process, surrounding the potential release site for each toxic propellant or other chemical based on the amount and toxicity of the propellant or other chemical, the exposure duration, and the meteorological conditions involved; (4) Account for all members of the public that may be exposed to the toxic release; and (5) Account for any risk mitigation measures applied in the risk assessment. (e) Application requirements. An applicant must submit: (1) The identity of the toxic propellant, chemical, or toxic combustion products in the possible toxic release; (2) The applicant’s selected airborne toxic concentration and duration thresholds; (3) The meteorological conditions for the atmospheric transport and buoyant cloud rise of any toxic release from its source to downwind receptor locations; (4) Characterization of the terrain, as input for modeling the atmospheric transport of a toxic release from its source to downwind receptor locations; (5) The identity of the toxic dispersion model used, and any other input data; (6) Representative results of an applicant’s toxic dispersion modeling to predict concentrations and durations at selected downwind receptor locations, to determine the toxic hazard area for a released quantity of the toxic substance; VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 (7) For toxic release hazard analysis in accordance with paragraph (b) of this section: (i) A description of the failure modes and associated relative probabilities for potential toxic release scenarios used in the risk evaluation; and (ii) The methodology and results of an applicant’s determination of the worstcase or maximum-credible quantity of any toxic release that might occur during ground operations; (8) For toxic risk assessment in accordance with paragraph (d) of this section: (i) A demonstration that the public will not be exposed to airborne concentrations above the toxic concentration and duration thresholds, based upon the representative results of the toxic release hazard analysis; (ii) The population density in receptor locations that are identified by toxic dispersion modeling as toxic hazard areas; (iii) A description of any risk mitigation measures applied in the toxic risk assessment; and (iv) The identity of the population database used; and (9) Additional products that allow an independent analysis, as requested by the Administrator. § 450.189 controls. Ground safety prescribed hazard (a) General. In addition to the hazard controls derived form an operator’s ground hazard analysis and toxic hazard analysis, an operator must comply with paragraphs (b) through (e) of this section. (b) Protection of public on the site. An operator must document a process for protecting members of the public who enter any area under the control of a launch or reentry operator, including: (1) Procedures for identifying and tracking the public while on the site; and (2) Methods the operator uses to protect the public from hazards in accordance with the ground hazard analysis and toxic hazard analysis. (c) Countdown abort. Following a countdown abort or recycle operation, an operator must establish, maintain, and perform procedures for controlling hazards related to the vehicle and returning the vehicle, stages, or other flight hardware and site facilities to a safe condition. When a launch vehicle does not liftoff after a command to initiate flight was sent, an operator must— (1) Ensure that the vehicle and any payload are in a safe configuration; (2) Prohibit entry of the public into any identified hazard areas until the site is returned to a safe condition; and PO 00000 Frm 00148 Fmt 4701 Sfmt 4702 (3) Maintain and verify that any flight safety system remains operational until verification that the launch vehicle does not represent a risk of inadvertent flight. (d) Fire suppression. An operator must have reasonable precautions in place to report and control any fire caused by licensed activities. (e) Emergency procedures. An operator must have general emergency procedures that apply to any emergencies not covered by the mishap plan of § 450.173 that may create a hazard to the public. (f) Application requirements. An applicant must submit the process for protecting members of the public who enter any area under the control of a launch or reentry operator in accordance with paragraph (b) of this section. Subpart D—Terms and Conditions of a Vehicle Operator License § 450.201 Public safety responsibility. A licensee is responsible for ensuring public safety and safety of property during the conduct of a licensed launch or reentry. § 450.203 Compliance with license. A licensee must conduct a licensed launch or reentry in accordance with representations made in its license application, the requirements of subpart C of this part and this subpart, and the terms and conditions contained in the license. A licensee’s failure to act in accordance with the representations made in the license application, the requirements of subpart C of this part and this subpart, and the terms and conditions contained in the license, is sufficient basis for the revocation of a license or other appropriate enforcement action. § 450.205 Financial responsibility requirements. A licensee must comply with financial responsibility requirements as required by part 440 of this chapter and as specified in a license or license order. § 450.207 Human spaceflight requirements. A licensee conducting a launch or reentry with a human being on board the vehicle must comply with human spaceflight requirements as required by part 460 of this chapter and as specified in a license or license order. § 450.209 Compliance monitoring. (a) A licensee must allow access by, and cooperate with, Federal officers or employees or other individuals authorized by the FAA to observe any of its activities, or of its contractors or E:\FR\FM\15APP2.SGM 15APP2 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules subcontractors, associated with the conduct of a licensed launch or reentry. (b) For each licensed launch or reentry, a licensee must provide the FAA with a console or other means for monitoring the progress of the countdown and communication on all channels of the countdown communications network. A licensee must also provide the FAA with the capability to communicate with the mission director designated by § 450.103(a)(1). (c) If the FAA finds a licensee has not complied with any of the requirements in subpart C of this part or this subpart, the FAA may require the licensee to revise its procedures to achieve compliance. amozie on DSK9F9SC42PROD with PROPOSALS2 § 450.211 Continuing accuracy of license application; application for modification of license. (a) A licensee is responsible for the continuing accuracy of representations contained in its application for the entire term of the license. After a license has been issued, a licensee must apply to the FAA for modification of the license if— (1) The licensee proposes to conduct a launch or reentry in a manner not authorized by the license; or (2) Any representation contained in the license application that is material to public health and safety or the safety of property is no longer accurate and complete or does not reflect the licensee’s procedures governing the actual conduct of a launch or reentry. A change is material to public health and safety or the safety of property if it alters or affects the— (i) Class of payload; (ii) Type of launch or reentry vehicle; (iii) Type or quantity of hazardous material; (iv) Flight trajectory; (v) Launch site or reentry site or other landing site; or (vi) Any system, policy, procedure, requirement, criteria, or standard that is safety critical. (b) An application to modify a license must be prepared and submitted in accordance with part 413 of this chapter. If requested during the application process, the FAA may approve an alternate method for requesting license modifications. The licensee must indicate any part of its license or license application that would be changed or affected by a proposed modification. (c) Upon approval of a modification, the FAA issues either a written approval to the licensee or a license order amending the license if a stated term or condition of the license is changed, VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 added, or deleted. An approval has the full force and effect of a license order and is part of the licensing record. § 450.213 Preflight reporting. (a) Preflight reporting methods. An operator must send the information in this section as an email attachment to ASTOperations@faa.gov, or other method as agreed to by the Administrator in the license. (b) Mission information. A licensee must submit to the FAA the following mission-specific information not less than 60 days before each mission conducted under the license, unless the Administrator agrees to a different time frame in accordance with § 404.15 of this chapter in the license, except when the information was provided in the license application: (1) Payload information in accordance with § 450.43(i); and (2) Flight information, including the vehicle, launch site, planned flight path, staging and impact locations, each payload delivery point, intended reentry or landing sites including any contingency abort location, and the location of any disposed launch or reentry vehicle stage or component that is deorbited. (c) Flight safety analysis products. An operator must submit to the FAA updated flight safety analysis products, using previously-approved methodologies, for each mission no less than 30 days before flight, unless the Administrator agrees to a different time frame in accordance with § 404.15 of this chapter in the license. (1) An operator is not required to submit the flight safety analysis products if— (i) The analysis submitted in the license application satisfies all the requirements of this section; or (ii) The operator demonstrated during the application process that the analysis does not need to be updated to account for mission-specific factors. (2) If the operator is required to submit the flight safety analysis products, the operator— (i) Must account for vehicle and mission specific input data; (ii) Must account for potential variations in input data that may affect any analysis product within the final 30 days before flight; (iii) Must submit the analysis products using the same format and organization used in its license application; and (iv) May not change an analysis product within the final 30 days before flight unless the operator has a process, approved in the license, for making a change in that period as part of the operator’s flight safety analysis process. PO 00000 Frm 00149 Fmt 4701 Sfmt 4702 15443 (d) Flight safety system test data. Any licensee that is required to use a flight safety system to protect public safety as required by § 450.101(c) must submit to the FAA, or provide the FAA access to, any test reports, in accordance with approved flight safety system test plans, no less than 30 days before flight, unless the Administrator agrees to a different time frame in accordance with § 404.15 of this chapter in the license. These reports must include: (1) A summary of the system, subsystem, and component-level test results, including all test failures and corrective actions implemented; (2) A summary of test results demonstrating sufficient margin to predicted operating environments; (3) A comparison matrix of the actual qualification and acceptance test levels used for each component in each test compared against the predicted flight levels for each environment, including any test tolerances allowed for each test; and (4) A clear identification of any components qualified by similarity analysis or a combination of analysis and test. (e) Collision avoidance analysis. In accordance with § 450.169(f), at least 15 days before the first attempt at the flight of a launch vehicle or the reentry of a reentry vehicle, or at least 12 hours prior to the beginning of a new launch or reentry window due to a launch or reentry delay, unless the Administrator agrees to a different time frame in accordance with § 404.15 of this chapter, a licensee must submit to a Federal entity identified by the FAA and the FAA the collision avoidance information in appendix A to this part. (f) Launch or reentry schedule. A licensee must file a launch or reentry schedule that identifies each review, rehearsal, and safety-critical operation. The schedule must be filed and updated in time to allow FAA personnel to participate in the reviews, rehearsals, and safety-critical operations. § 450.215 Post-flight reporting. (a) An operator must submit to the FAA the information in paragraph (b) of this section no later than 90 days after a launch or reentry, unless the Administrator agrees to a different time frame in accordance with § 404.15 of this chapter. (b) An operator must send the following information as an email attachment to ASTOperations@faa.gov, or other method as agreed to by the Administrator in the license: (1) Any anomaly that occurred during countdown or flight that is material to E:\FR\FM\15APP2.SGM 15APP2 15444 Federal Register / Vol. 84, No. 72 / Monday, April 15, 2019 / Proposed Rules public health and safety and the safety of property; (2) Any corrective action implemented or to be implemented after the flight due to an anomaly or mishap; (3) The number of humans on board the vehicle; (4) The actual trajectory flown by the vehicle, if requested by the FAA; and (5) For an unguided suborbital launch vehicle, the actual impact location of all impacting stages and impacting components, if requested by the FAA. § 450.217 Registration of space objects. (a) To assist the U.S. Government in implementing Article IV of the 1975 Convention on Registration of Objects Launched into Outer Space, each licensee must submit to the FAA the information required by paragraph (b) of this section for all objects placed in space by a licensed launch, including a launch vehicle and any components, except any object owned and registered by the U.S. Government. (b) For each object that must be registered in accordance with this section, not later than 30 days following the conduct of a licensed launch, an operator must file the following information: (1) The international designator of the space object; (2) Date and location of launch; (3) General function of the space object; (4) Final orbital parameters, including: (i) Nodal period; (ii) Inclination; (iii) Apogee; and (iv) Perigee; and (5) Ownership, and country of ownership, of the space object. (c) A licensee must notify the FAA when it removes an object that it has previously placed in space. § 450.219 Records. amozie on DSK9F9SC42PROD with PROPOSALS2 (a) Except as specified in paragraph (b) of this section, a licensee must maintain for 3 years all records, data, and other material necessary to verify that a launch or reentry is conducted in accordance with representations contained in the licensee’s application, VerDate Sep<11>2014 18:49 Apr 12, 2019 Jkt 247001 the requirements of subpart C of this part and this subpart, and the terms and conditions contained in the license. (b) In the event of a class 1 or class 2 mishap, as defined in § 401.5 of this chapter, a licensee must preserve all records related to the event. Records must be retained until completion of any Federal investigation and the FAA advises the licensee that the records need not be retained. The licensee must make all records required to be maintained under the regulations available to Federal officials for inspection and copying. Appendix A to Part 450—Collision Analysis Worksheet (a) Launch or reentry information. An operator must file the following information: (1) Mission name and launch location. A mnemonic given to the launch vehicle/ payload combination identifying the launch mission from all others. Launch site location in latitude and longitude; (2) Launch or reentry window. The launch or reentry window opening and closing times in Greenwich Mean Time (referred to as ZULU time) and the Julian dates for each scheduled launch or reentry attempts including primary and secondary launch or reentry dates; (3) Epoch. The epoch time, in Greenwich Mean Time (GMT), of the expected launch vehicle liftoff time; (4) Segment number. A segment is defined as a launch vehicle stage or payload after the thrusting portion of its flight has ended. This includes the jettison or deployment of any stage or payload. For each segment, an operator must determine the orbital parameters; (5) Orbital parameters. An operator must identify the orbital parameters for all objects achieving orbit including the parameters for each segment after thrust end (such as SECO– 1 and SECO–2); (6) Orbiting objects to evaluate. An operator must identify all orbiting object descriptions including object name, length, width, depth, diameter, and mass; (7) Time of powered flight and sequence of events. The elapsed time in hours, minutes, and seconds, from liftoff to passivation or disposal. The input data must include the time of powered flight for each stage or jettisoned component measured from liftoff; and (8) Point of contact. The person or office within an operator’s organization that PO 00000 Frm 00150 Fmt 4701 Sfmt 9990 collects, analyzes, and distributes collision avoidance analysis results. (b) Collision avoidance analysis results transmission medium. An operator must identify the transmission medium, such as voice or email, for receiving results. (c) Deliverable schedule/need dates. An operator must identify the times before flight, referred to as ‘‘L-times,’’ for which the operator requests a collision avoidance analysis. The final collision avoidance analysis must be used to establish flight commit criteria for a launch. (d) Trajectory files. Individual position and velocity trajectory files, including: (1) The position coordinates in the EarthFixed Greenwich (EFG) coordinates coordinate system measured in kilometers and the EFG velocity components measured in kilometers per second, of each launch vehicle stage or payload starting below 150 km through screening time frame; (2) Radar cross section values for each individual file; (3) Covariance, if probability of impact analysis option is desired; and (4) Separate trajectory files identified by valid window time frames, if launch or reentry trajectory changes during launch or reentry window. (e) Screening. An operator must select spherical, ellipsoidal, or collision probability screening as defined in this paragraph (e) for determining any conjunction: (1) Spherical screening. Spherical screening centers a sphere on each orbiting object’s center-of-mass to determine any conjunction; (2) Ellipsoidal screening. Ellipsoidal screening utilizes an impact exclusion ellipsoid of revolution centered on the orbiting object’s center-of-mass to determine any conjunction. An operator must provide input in the UVW coordinate system in kilometers. The operator must provide deltaU measured in the radial-track direction, delta-V measured in the in-track direction, and delta-W measured in the cross-track direction; or (3) Probability of Collision. Collision probability is calculated using position and velocity information with covariance in both position and velocity. Issued under authority provided by 49 U.S.C. 106(f) and 51 U.S.C. chapter 509 in Washington, DC, on March 22, 2019. Wayne R. Monteith, Associate Administrator, Office of Commercial Space Transportation. [FR Doc. 2019–05972 Filed 4–12–19; 8:45 am] BILLING CODE 4910–13–P E:\FR\FM\15APP2.SGM 15APP2

Agencies

[Federal Register Volume 84, Number 72 (Monday, April 15, 2019)]
[Proposed Rules]
[Pages 15296-15444]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-05972]



[[Page 15295]]

Vol. 84

Monday,

No. 72

April 15, 2019

Part II





Department of Transportation





-----------------------------------------------------------------------





Federal Aviation Administration





-----------------------------------------------------------------------





14 CFR Parts 401, 404, 413, et al.





 Streamlined Launch and Reentry Licensing Requirements; Proposed Rule

Federal Register / Vol. 84 , No. 72 / Monday, April 15, 2019 / 
Proposed Rules

[[Page 15296]]


-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

Federal Aviation Administration

14 CFR Parts 401, 404, 413, 414, 415, 417, 420, 431, 433, 435, 437, 
440, and 450

[Docket No.: FAA-2019-0229; Notice No. 19-01]
RIN 2120-AL17


Streamlined Launch and Reentry Licensing Requirements

AGENCY: Federal Aviation Administration (FAA), Department of 
Transportation (DOT).

ACTION: Notice of proposed rulemaking (NPRM).

-----------------------------------------------------------------------

SUMMARY: This rulemaking would streamline and increase flexibility in 
the FAA's commercial space launch and reentry regulations, and remove 
obsolete requirements. This action would consolidate and revise 
multiple regulatory parts and apply a single set of licensing and 
safety regulations across several types of operations and vehicles. The 
proposed rule would describe the requirements to obtain a vehicle 
operator license, the safety requirements, and the terms and conditions 
of a vehicle operator license.

DATES: Send comments on or before June 14, 2019.

ADDRESSES: Send comments identified by docket number FAA-2019-0229 
using any of the following methods:
    Federal eRulemaking Portal: Go to https://www.regulations.gov and 
follow the online instructions for sending your comments 
electronically.
    Mail: Send comments to Docket Operations, M-30; U.S. Department of 
Transportation (DOT), 1200 New Jersey Avenue SE, Room W12-140, West 
Building Ground Floor, Washington, DC 20590-0001.
    Hand Delivery or Courier: Take comments to Docket Operations in 
Room W12-140 of the West Building Ground Floor at 1200 New Jersey 
Avenue SE, Washington, DC, between 9 a.m. and 5 p.m., Monday through 
Friday, except Federal holidays.
    Fax: Fax comments to Docket Operations at 202-493-2251.
    Privacy: In accordance with 5 U.S.C. 553(c), DOT solicits comments 
from the public to better inform its rulemaking process. DOT posts 
these comments, without edit, including any personal information the 
commenter provides, to www.regulations.gov, as described in the system 
of records notice (DOT/ALL-14 FDMS), which can be reviewed at 
www.dot.gov/privacy.
    Docket: Background documents or comments received may be read at 
https://www.regulations.gov at any time. Follow the online instructions 
for accessing the docket or go to the Docket Operations in Room W12-140 
of the West Building Ground Floor at 1200 New Jersey Avenue SE, 
Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday, 
except Federal holidays.

FOR FURTHER INFORMATION CONTACT: For questions concerning this action, 
contact Randy Repcheck, Office of Commercial Space Transportation, 
Federal Aviation Administration, 800 Independence Avenue SW, 
Washington, DC 205914; telephone (202) 267-8760; email 
[email protected].

SUPPLEMENTARY INFORMATION: 

Authority for This Rulemaking

    The Commercial Space Launch Act of 1984, as amended and codified at 
51 U.S.C. 50901-50923 (the Act), authorizes the Department of 
Transportation, and the FAA through delegation, to oversee, license, 
and regulate commercial launch and reentry activities, and the 
operation of launch and reentry sites as carried out by U.S. citizens 
or within the United States. Section 50905 directs the FAA to exercise 
this responsibility consistent with public health and safety, safety of 
property, and the national security and foreign policy interests of the 
United States. In addition, section 50903 requires the FAA encourage, 
facilitate, and promote commercial space launches and reentries by the 
private sector.
    If adopted as proposed, this rulemaking would consolidate and 
revise multiple regulatory parts to apply a single set of licensing and 
safety regulations across several types of operations and vehicles. It 
would also streamline the commercial space regulations by, among other 
things, replacing many prescriptive regulations with performance-based 
rules, giving industry greater flexibility to develop means of 
compliance that maximize their business objectives while maintaining 
public safety. Because this rulemaking would amend the FAA's launch and 
reentry requirements, it falls under the authority delegated by the 
Act.

List of Abbreviations and Acronyms Frequently Used in This Document

AC--Advisory Circular
CEC--Conditional expected casualty
EC--Expected casualty
ELOS determination--Equivalent-level-of-safety determination
ELV--Expendable launch vehicle
FSA--Flight safety analysis
FSS--Flight safety system
PC--Probability of casualty
PI--Probability of impact
RLV--Reusable launch vehicle

Table of Contents

I. Overview of Proposed Rule
II. Background
    A. History
    B. Licensing Process
    C. National Space Council
    D. Streamlined Launch and Reentry Licensing Requirements 
Aviation Rulemaking Committee
III. Discussion of the Proposal
    A. The FAA's Approach To Updating and Streamlining Launch and 
Reentry Regulations
    B. Single Vehicle Operator License
    C. Performance-Based Requirements and Means of Compliance
    D. Launch From a Federal Launch Range
    E. Safety Framework
Flight Safety
    A. Public Safety Criteria
    1. Neighboring Operations Personnel
    2. Property Protection (Critical Assets)
    3. Consequence Protection Criteria for Flight Abort and Flight 
Safety System
    B. System Safety Program
    1. Safety Organization
    2. Procedures
    3. Configuration Management and Control
    4. Post-Flight Data Review
    C. Preliminary Safety Assessment for Flight
    D. Hazard Control Strategy
    E. Flight Abort
    1. Flight Safety Limits and Uncontrolled Areas
    2. Flight Abort Rules
    3. Flight Safety System
    F. Flight Hazard Analysis
    G. Computing Systems and Software Overview
    H. Hybrid Launch Vehicles
    I. Flight Safety Analysis Overview
    J. Safety-Critical Systems
    1. Safety-Critical Systems Design, Test, and Documentation
    2. Flight Safety System
    K. Other Prescribed Hazard Controls
    1. Agreements
    2. Safety-Critical Personnel Qualifications
    3. Work Shift and Rest Requirements
    4. Radio Frequency Management
    5. Readiness: Reviews and Rehearsals
    6. Communications
    7. Preflight Procedures
    8. Surveillance and Publication of Hazard Areas
    9. Lightning Hazard Mitigation
    10. Flight Safety Rules
    11. Tracking
    12. Launch and Reentry Collision Avoidance Analysis Requirements
    13. Safety at End of Launch
    14. Mishaps: Definition, Plan, Reporting, Response, 
Investigation, Test-Induced Damage
    L. Pre- and Post-Flight Reporting
    1. Preflight Reporting
    2. Post-Flight Reporting
Ground Safety
    A. Definition and Scope of Launch
    B. Ground Safety Requirements
Process Improvements

[[Page 15297]]

    A. Safety Element Approval
    B. Incremental Review of a License Application
    C. Time Frames
    D. Continuing Accuracy of License Application and Modification 
of License
Other Changes
    A. Pre-Application Consultation
    B. Policy Review and Approval
    C. Payload Review and Determination
    D. Safety Review and Approval
    E. Environmental Review
    F. Additional License Terms and Conditions, Transfer of a 
Vehicle Operator License, Rights Not Conferred by a Vehicle Operator 
License
    G. Unique Safety Policies, Requirements, and Practices
    H. Compliance Monitoring
    I. Registration of Space Objects
    J. Public Safety Responsibility, Compliance With License, 
Records, Financial Responsibility, and Human Spaceflight 
Requirements
    K. Applicability
    L. Equivalent Level of Safety
Additional Technical Justification and Rationale
    A. Flight Safety Analyses
    1. Scope and Applicability
    2. Flight Safety Analysis Methods
    3. Trajectory Analysis for Normal Flight
    4. Trajectory Analysis for Malfunction Flight
    5. Debris Analysis
    6. Flight Safety Limits Analysis
    7. Gate Analysis
    8. Data Loss Flight Time and Planned Safe Flight State Analyses
    9. Time Delay Analysis
    10. Probability of Failure
    11. Flight Hazard Areas
    12. Debris Risk Analysis
    13. Far-Field Overpressure Blast Effects
    14. Toxic Hazards for Flight
    15. Wind Weighting for the Flight of an Unguided Suborbital 
Launch Vehicle
    B. Software
    C. Changes to Parts 401, 413, 414, 420, 437, 440
    1. Part 401--Definitions
    2. Part 413--Application Procedures
    3. Part 414--Safety Element Approvals
    4. Part 420--License To Operate a Launch Site
    6. Part 437--Experimental Permits
    7. Part 440--Financial Responsibility
IV. Regulatory Notices and Analyses
    A. Regulatory Evaluation
    B. Regulatory Flexibility Determination
    C. International Trade Impact Assessment
    D. Unfunded Mandates Assessment
    E. Paperwork Reduction Act
    F. International Compatibility
    G. Environmental Analysis
V. Executive Order Determinations
    A. Executive Order 13132, Federalism
    B. Executive Order 13211, Regulations That Significantly Affect 
Energy Supply, Distribution, or Use
    C. Executive Order 13609, International Cooperation
    D. Executive Order 13771, Reducing Regulation and Controlling 
Regulatory Costs
VI. Additional Information
    A. Comments Invited
    B. Availability of Rulemaking Documents
The Proposed Amendment

I. Overview of Proposed Rule

    The FAA commercial space transportation regulations protect public 
health and safety and the safety of property from the hazards of launch 
and reentry. In addition, the regulations address national security and 
foreign policy interests of the United States, financial 
responsibility, environmental impacts, informed consent for crew and 
space flight participants, and, to a limited extent, authorization of 
payloads not otherwise regulated or owned by the U.S. Government. The 
FAA is proposing this deregulatory action consistent with President 
Donald J. Trump's Space Policy Directive--2 (SPD-2) ``Streamlining 
Regulations on Commercial Use of Space.'' \1\ The directive charged the 
Department of Transportation with revising regulations to require a 
single license for all types of commercial space flight operations and 
replace prescriptive requirements with performance-based criteria. 
Streamlining these regulations would lower administrative burden and 
regulatory compliance costs and bolster the U.S. space commercial 
sector and industrial base.
---------------------------------------------------------------------------

    \1\ Space Policy Directive--2, Streamlining Regulations on 
Commercial Use of Space; May 24, 2018 (https://www.whitehouse.gov/presidential-actions/space-policy-directive-2-streamlining-regulations-commercial-use-space/).
---------------------------------------------------------------------------

    Additionally, this proposed rule incorporates industry input and 
recommendations provided primarily by the Streamlined Launch and 
Reentry Licensing Requirements Aviation Rulemaking Committee (ARC). The 
subject proposed rule would implement the applicable section of SPD-2 
and address industry. The recommendation report is provided in the 
docket for this rulemaking.
    Current regulations setting forth application procedures and 
requirements for commercial space transportation licensing were based 
largely on the distinction between expendable and reusable launch 
vehicles. Specifically, title 14 of the Code of Federal Regulations (14 
CFR) parts 415 and 417 address the launch of expendable launch vehicles 
(ELVs) and are based on the Federal launch range standards developed in 
the 1990s. Part 431 addresses the launch and reentry of reusable launch 
vehicles (RLVs), and part 435 addresses the reentry of reentry vehicles 
other than RLVs. Parts 431 and 435 are primarily process-based, relying 
on a license applicant to derive safety requirements through a ``system 
safety'' process. That being said, the FAA has used the more detailed 
part 417 requirements to inform parts 431 and 435. While these separate 
regulatory parts and requirements satisfied the need of the commercial 
space transportation industry at the time they were issued,\2\ the 
industry has changed and continues to evolve.
---------------------------------------------------------------------------

    \2\ The current 14 CFR parts 415, 417, 431, and 435 regulatory 
text can be found at https://www.ecfr.gov/ under their respective 
links. The eCFR contains Federal Register citations for each time a 
regulation is modified by rulemaking.
---------------------------------------------------------------------------

    The FAA proposes to consolidate, update, and streamline all launch 
and reentry regulations into a single performance-based part to better 
fit today's fast-evolving commercial space transportation industry. 
Proposed part 450 would include regulations applicable to all launch 
and reentry vehicles, whether they have reusable components or not. The 
FAA looked to balance the regulatory certainty but rigidity of current 
ELV regulations with the flexibility but vagueness of current RLV 
regulations. As a result, these proposed regulations are flexible and 
scalable to accommodate innovative safety approaches while also 
protecting public health and safety, safety of property, and the 
national security and foreign policy interests of the United States.
    The FAA proposes to continue reviewing licenses in five component 
parts: Policy review, payload review, safety review, maximum probable 
loss determination, and environmental review. However, after consulting 
with the FAA, applicants would have the option of submitting portions 
of applications for incremental review and approval by the FAA. In 
terms of the applications themselves, the FAA has streamlined and 
better defined application requirements.
    In terms of safety requirements, the FAA would maintain a high 
level of safety. Neighboring operations requirements would result in a 
minimal risk increase compared to current regulations, offset by 
operational benefits. The FAA would anchor the proposed requirements on 
public safety criteria. The FAA would continue to use the current 
collective and individual risk criteria. However, this proposal would 
implement risk criteria for neighboring operations personnel, critical 
asset protection, and conditional risk to protect from an unlikely but 
catastrophic event.\3\ In particular, the

[[Page 15298]]

conditional risk would be used to determine the need for a flight 
safety system \4\ and the reliability of that system. To meet these 
public safety criteria, most operators would have the option of using 
traditional hazard controls or to derive alternate controls through a 
system safety approach. These rules would also revise quantitative 
flight safety analyses to better define their applicability and to 
reduce the level of prescriptiveness. In terms of ground safety, the 
FAA has scoped its oversight to better fit the safety risks and to 
increase operator flexibility.
---------------------------------------------------------------------------

    \3\ As will be discussed later, ``neighboring operations 
personnel'' would be defined as those members of the public located 
within a launch or reentry site, or an adjacent launch or reentry 
site, who are not associated with a specific hazardous licensed or 
permitted operation currently being conducted but are required to 
perform safety, security, or critical tasks at the site and are 
notified of the operation. ``Critical asset'' means an asset that is 
essential to the national interests of the United States. Critical 
assets include property, facilities, or infrastructure necessary to 
maintain national defense, or assured access to space for national 
priority missions. For ``conditional risk,'' the FAA would require 
that operators quantify the consequence of a catastrophic event, by 
calculating the conditional risk as conditional expected casualties 
for any one-second period of flight. Unlike collective risk that 
determines the expected casualties factoring in the probability that 
a dangerous event will occur, conditional risk determines the 
expected casualties assuming the dangerous event will occur.
    \4\ The FAA proposes to revise the definition in Sec.  401.5 of 
``flight safety system'' to mean a system used to implement flight 
abort. A human can be a part of a flight safety system. The proposed 
definition is discussed later in this preamble.
---------------------------------------------------------------------------

    To satisfy the proposed performance-based regulations, operators 
would be able to use a means of compliance that has already been 
accepted by the FAA or propose an alternate approach. To retain the 
maximum flexibility to adjust to dynamic industry changes, the FAA 
would continue to offer operators the choice to request waivers of 
regulations and equivalent level of safety determinations.
    The proposed rule is a deregulatory action under Executive Order 
13771.\5\ This deregulatory action would consolidate and revise 
multiple commercial space regulatory parts to apply a single set of 
licensing and safety regulations across several types of operations and 
vehicles. It would also replace many prescriptive regulations with 
performance-based regulations, giving industry greater flexibility to 
develop a means of compliance that maximizes their business objectives. 
This proposed rule would result in net cost savings for industry and 
enable future innovation in U.S. commercial space transportation.
---------------------------------------------------------------------------

    \5\ Executive Order 13771, Reducing Regulation and Controlling 
Regulatory Costs, January 30, 2017, (https://www.whitehouse.gov/presidential-actions/presidential-executive-order-reducing-regulation-controlling-regulatory-costs/).
---------------------------------------------------------------------------

    At the time of writing, the FAA estimates this proposed rule would 
affect 12 operators that have an active license or permit to conduct 
launch or reentry operations. In addition, the FAA estimates this 
proposed rule would affect approximately 276 launches over the next 5 
years (2019 through 2023). The FAA anticipates this proposed rule would 
reduce the costs of current and future launch operations by removing 
prescriptive requirements that are burdensome to meet or require a 
waiver. The FAA expects these changes would lead to more efficient 
launch operations and have a positive effect on expanding the number of 
future launch and reentry operations.
    Based on the preliminary analysis, the FAA estimates industry 
stands to gain about $19 million in discounted present value net 
savings over 5 years or about $5 million in annualized net savings 
(using a discount rate of 7 percent). In addition, the FAA will save 
about $1 million in the same time period. The FAA expects industry will 
gain additional unquantified savings and benefits as the proposed rule 
is implemented, since it would provide flexibility and scalability 
through performance-based requirements that would reduce the future 
cost of innovation and improve the efficiency and productivity of U.S. 
commercial space transportation.\6\
---------------------------------------------------------------------------

    \6\ 51 U.S.C. 50904 grants the FAA authority to oversee, 
license, and regulate commercial launch and reentry activities, and 
the operation of launch and reentry sites as carried out by U.S. 
citizens or within the United States.
---------------------------------------------------------------------------

    Throughout this document, the FAA uses scientific notation to 
indicate probabilities. For example, 1 x 10^-\2\ means one in 
a hundred and 1 x 10^-\6\ means one in a million.

II. Background

A. History

    As noted earlier, the Act authorizes the Secretary of 
Transportation to oversee, license, and regulate commercial launch and 
reentry activities and the operation of launch and reentry sites as 
carried out by U.S. citizens or within the United States. The Act 
directs the Secretary to exercise this responsibility consistent with 
public health and safety, safety of property, and the national security 
and foreign policy interests of the United States, and to encourage, 
facilitate, and promote commercial space launches by the private 
sector. The FAA carries out the Secretary's responsibilities under the 
Act.
    In the past 30 years, the Department of Transportation (DOT) 
regulations addressing launch and reentry have gone through a number of 
iterations intended to be responsive to an emerging industry while at 
the same time ensuring public safety. A review of this history is 
provided to put this rulemaking in perspective.
1. First Licensing Regulations in 1988
    DOT's first licensing regulations for commercial launch activities 
became effective over 30 years ago, on April 4, 1988. The regulations 
replaced previous guidance and constituted the procedural framework for 
reviewing and authorizing all proposals to conduct non-Federal launch 
activities, including the launching of launch vehicles, operation of 
launch sites, and payload activities that were not licensed by other 
federal agencies. They included general administrative procedures and a 
revised compilation of DOT's information requirements.
    No licensed launches had yet taken place when DOT initially issued 
these regulations. Accordingly, DOT established a flexible regime 
intended to be responsive to an emerging industry while at the same 
time ensuring public safety. This approach worked well because all 
commercial launches at the time took place from Federal launch ranges 
where safety practices were well established and had proven effective 
in protecting public safety. In 1991, when the industry reached about 
ten launches a year, DOT took further steps designed to simplify the 
licensing process for launch operators with established safety records 
by instituting a launch operator license, which allowed one license to 
cover a series of launches where the same safety resources support 
identical or similar missions.
2. Licensing Changes in 1999
    On June 21, 1999,\7\ the FAA amended its commercial space 
transportation licensing regulations to clarify its license application 
process generally, and for launches from Federal launch ranges 
specifically. The FAA intended the regulations to provide an applicant 
or an operator with greater specificity and clarity regarding the scope 
of a license and to codify and amend licensing requirements and 
criteria. Notable changes were dividing launch into preflight and 
flight activities; defining launch to begin with the arrival of the 
launch vehicle or its major components at a U.S. launch site; 
separating what had been a safety and mission review into a safety, 
policy, and

[[Page 15299]]

payload review; and the addition of a specific requirement to 
``passivate'' any vehicle stage left on orbit to avoid the potential of 
creating orbital debris through a subsequent explosion.
---------------------------------------------------------------------------

    \7\ Commercial Space Transportation Licensing Regulations, Final 
Rule. 64 FR 19586 (April 21, 1999).
---------------------------------------------------------------------------

3. Reusable Launch Vehicle Regulations in 2000
    In the mid-1990s, prospective RLV operators identified the absence 
of adequate regulatory oversight over RLV operations, particularly 
their reentry, as an impediment to technology development. The need for 
a stable and predictable regulatory environment in which RLVs could 
operate was considered critical to the capability of the emerging RLV 
industry to obtain the capital investment necessary for research and 
development and ultimately vehicle operations. The Commercial Space Act 
of 1998, Public Law 105-303, extended DOT's licensing authority to the 
reentry of reentry vehicles and the operation of reentry sites by non-
Federal entities. In September 2000, the FAA amended the commercial 
space transportation licensing regulations by establishing requirements 
for the launch of an RLV, the reentry of a reentry vehicle, and the 
operation of launch and reentry sites.\8\
---------------------------------------------------------------------------

    \8\ Commercial Space Transportation Reusable Launch Vehicle and 
Reentry Licensing Regulations, Final Rule. 65 FR 56617 (September 
19, 2000).
---------------------------------------------------------------------------

    At the time, the FAA believed that the differences between ELVs and 
RLVs justified a different regulatory approach. There was a long 
history of successful ELV launches from Federal launch ranges using 
detailed prescriptive regulations, encouraging the FAA to follow suit. 
Also, ELVs and RLVs used different means of terminating flight. ELV 
launches typically relied on flight safety systems (FSS) that 
terminated flight to ensure flight safety by preventing a vehicle from 
traveling beyond approved limits. Unlike an ELV, the FAA contemplated 
that an RLV might rely upon other means of ending vehicle flight, such 
as returning to the launch site or using an alternative landing site, 
in case the vehicle might not be able to safely conclude a mission as 
planned. Importantly, other than NASA's Space Shuttle, there was little 
experience with RLVs. For these reasons, the FAA decided to enact 
flexible process-based regulations for RLVs and other reentry vehicles. 
These regulations reside in 14 CFR parts 431 and 435.
4. Further Regulatory Changes in 2006
    The last major change to FAA launch regulations occurred in 
2006.\9\ The FAA believed that it would be advantageous for its ELV 
regulations to be consistent with Federal launch range requirements and 
worked with the United States Air Force (Air Force) and the National 
Aeronautics and Space Administration (NASA) to codify safety practices 
for ELVs. Those regulations reside in 14 CFR parts 415 and 417. The 
2006 rule also codified safety responsibilities and requirements that 
applied to any licensed launch, regardless of whether the launch occurs 
from a Federal launch range or a non-Federal launch site.
---------------------------------------------------------------------------

    \9\ Licensing and Safety Requirements for Launch, Final Rule. 71 
FR 50508 (August 25, 2006).
---------------------------------------------------------------------------

    In developing the technical requirements, the FAA built on the 
safety success of Federal launch ranges and sought to achieve their 
same high level of safety by using Federal launch range practices as a 
basis for FAA regulations consistent with its authority. The 
regulations specified detailed processes, procedures, analyses, and 
general safety system design requirements. For safety-critical hardware 
and software, where necessary, the rule provided design and detailed 
test requirements. The FAA attempted to provide flexibility by allowing 
a launch operator the opportunity to demonstrate an alternative means 
of achieving an equivalent level of safety.
5. Evolution of Launch Vehicles and the Need for Updated and 
Streamlined Regulations
    Since 2006, the differences between ELVs and RLVs have blurred. 
Vehicles that utilize traditional flight safety systems now are 
partially reusable. For example, the Falcon 9 first stage, launched by 
Space Exploration Technologies Corporation (SpaceX), routinely returns 
to the launch site or lands on a barge, and other operators are 
developing launch vehicles with similar return and reuse capabilities. 
Although the reuse of safety critical systems or components can have 
public safety implications, labeling a launch vehicle as expendable or 
reusable has not impacted the primary approach necessary to protect 
public safety, certainly not to the extent suggested in the differences 
between part 431 and parts 415 and 417.
    Moreover, the regulations for ELV launches in parts 415 and 417 
have proven to be too prescriptive and one-size-fits-all, and the 
significant detail has caused the regulations to become obsolete in 
many instances. For example, part 417 requires all launch operators to 
have at least 11 plans that define how launch processing and flight of 
a launch vehicle will be conducted, each with detailed requirements. 
This can lead an operator to produce documents that are not necessary 
to conduct safe launch operations. In contrast, the regulations for RLV 
launches have proven to be too general, lacking regulatory clarity. For 
example, part 431 does not contain specificity regarding the 
qualification of flight safety systems, acceptable methods for flight 
safety analyses, and ground safety requirements. This lack of clarity 
can cause delays in the application process to allow for discussions 
between the FAA and the applicant. Operators frequently rely upon the 
requirements in part 417 to demonstrate compliance.
    Since 2015, the launch rate has only increased, from 9 licensed 
launches a year to 33 licensed launches in 2018. Beginning in 2016, the 
FAA developed a comprehensive strategy to consolidate and streamline 
the regulatory parts associated with commercial space launch and 
reentry operations and licensing of space vehicles. Actions by the 
National Space Council confirmed and accelerated FAA rulemaking plans 
regarding launch and reentry licenses.

B. Licensing Process

    When it issues a license, the Act requires the FAA to do so 
consistent with public health and safety, safety of property, and 
national security and foreign policy interests of the United 
States.\10\ The FAA currently conducts its licensing application review 
in five component parts: Policy Review, Payload Review, Safety Review, 
Maximum Probable Loss Determination, and Environmental Review. The 
license application review is depicted in figure 1. A policy review, in 
consultation with other government agencies, determines whether the 
launch or reentry would jeopardize U.S. national security or foreign 
policy interests, or international obligations of the United States. A 
payload review, also in consultation with other government agencies, 
determines whether the launch or reentry of a payload would jeopardize 
public health and safety, safety of property, U.S. national security or 
the foreign policy interests, or international obligations of the 
United States. A safety review examines whether the launch or reentry 
would jeopardize public health and safety and safety of property, and 
typically is the most extensive part of FAA's review. The Act also 
requires the FAA to determine financial responsibility of the licensee 
for third party liability and losses to U.S. Government property based 
on the maximum probable loss. Lastly, the National Environmental Policy 
Act requires the FAA to consider and

[[Page 15300]]

document the potential environmental effects associated with issuing a 
launch or reentry license.
---------------------------------------------------------------------------

    \10\ 51 U.S.C. 50905(a).
    [GRAPHIC] [TIFF OMITTED] TP15AP19.000
    
    This proposal would not alter this 5-pronged approach to licensing. 
Although the FAA usually evaluates components concurrently, as noted 
later in this preamble, the FAA may make separate determinations after 
considering the interrelationship between the components. For instance, 
this proposal would allow an applicant to apply for a Safety Review 
component in an incremental manner. This preamble will discuss the 
proposed incremental review process in further detail later.

C. National Space Council

    The National Space Council was established by President George H.W. 
Bush on April 20, 1989 by Executive Order 12675 to have oversight of 
U.S. national space policy and its implementation. Chaired by Vice 
President Dan Quayle until its disbanding in 1993, the first National 
Space Council consisted of the Secretaries of State, Treasury, Defense, 
Commerce, Transportation, Energy, the Director of the Office of 
Management and Budget, the Chief of Staff to the President, the 
Assistant to the President for National Security Affairs, the Assistant 
to the President for Science and Technology, the Director of Central 
Intelligence, and the NASA Administrator.
    On June 30, 2017, President Donald J. Trump signed Executive Order 
13803, which reestablished the National Space Council to provide a 
coordinated process for developing and monitoring the implementation of 
national space policy and strategy. The newly-reinstituted body met for 
the first time on October 5, 2017. As Chair of the Council, the Vice 
President directed the Secretaries of Transportation and Commerce, and 
the Director of the Office of Management and Budget, to conduct a 
review of the U.S. regulatory framework for commercial space activities 
and report back within 45 days with a plan to remove barriers to 
commercial space enterprises. The assigned reports and recommendations 
for regulatory streamlining were presented at the second convening of 
the National Space Council on February 21, 2018. The Council approved 
four recommendations, including DOT's recommendation that the launch 
and reentry regulations should be reformed into a consolidated, 
performance-based licensing regime.
    On May 24, 2018, the Council memorialized its recommendations in 
SPD-2. SPD-2 instructed the Secretary of Transportation to publish for 
notice and comment proposed rules rescinding or revising the launch and 
reentry licensing regulations, no later than February 1, 2019. SPD-2 
charged the Department with revising the regulations such that they 
would require a single license for all types of commercial space flight 
operations and replace prescriptive requirements with performance-based 
criteria. SPD-2 further commended the Secretary to coordinate with the 
members of the National Space Council, especially the Secretary of 
Defense and the NASA Administrator, to minimize requirements associated 
with commercial space flight launch and reentry operations from Federal 
launch ranges as appropriate.

D. Streamlined Launch and Reentry Licensing Requirements Aviation 
Rulemaking Committee

    On March 8, 2018, the FAA chartered the Streamlined Launch and 
Reentry Licensing Requirements Aviation Rulemaking Committee (ARC) to 
provide a forum to discuss regulations to set forth procedures and 
requirements for commercial space transportation launch and reentry 
licensing. The FAA tasked the ARC to develop recommendations for a 
performance-based regulatory approach in which the

[[Page 15301]]

regulations set forth the safety objectives to be achieved while 
providing the applicant with the flexibility to produce tailored and 
innovative means of compliance.
    The ARC's membership represented a broad range of stakeholder 
perspectives, including members from aviation and space communities. 
The ARC was supported by the FAA and other federal agency subject 
matter experts. The following table identifies ARC participants from 
the private sector:

------------------------------------------------------------------------
 
-------------------------------------------------------------------------
Aerospace industries association.
Airlines for America.
Alaska Aerospace Corporation.
Astra Space.
Blue Origin.
Boeing.
Coalition for Deep Space Exploration.
Commercial Spaceflight Federation.
Exos Aerospace Systems & Technologies, Inc.
Generation Orbit.
Lockheed Martin Corporation.
MLA Space, LLC.
Mojave air and spaceport.
Orbital ATK.
RocketLab.
Sierra Nevada Corp.
Spaceport America.
SpaceX.
Space Florida.
Stratolaunch.
United Launch Alliance.
Vector Launch, Inc.
Virgin Galactic/Virgin Orbit.
World View Enterprises.
------------------------------------------------------------------------

    On April 30, 2018, the ARC produced its final recommendation 
report, which has been placed in the docket to this rulemaking.\11\ The 
ARC recommended that the proposed regulations should--
---------------------------------------------------------------------------

    \11\ Streamlined Launch and Reentry Licensing Requirements ARC, 
Recommendations Final Report (April 30, 2008). The ARC Report is 
available for reference in the docket for this proposed rule.
---------------------------------------------------------------------------

    1. Be performance-based, primarily based upon the ability of the 
applicant to comply with expected casualty limits.
    2. Be flexible.
    i. Adopt a single license structure to accommodate a variety of 
vehicle types and operations and launch or reentry sites.
    ii. Allow for coordinated determination of applicable regulations 
prior to the application submission.
    iii. Develop regulations that can be met without waivers.
    iv. Use guidance documents to facilitate frequent updates.
    3. Reform the pre-application consultation process and 
requirements.
    i. Use ``complete enough'' as the real criterion for entering 
application evaluation and remove the requirement for pre-application 
consultation.
    ii. Use a level-of-rigor approach to scope an applicant-requested 
pre-application consultation process as the basis for a ``complete 
enough'' determination, considering both an applicant's prior 
experience and whether the subject vehicle is known or unknown.
    4. Contain defined review timelines.
    i. Support significantly-reduced timelines and more efficient 
review.
    ii. Increase predictability for industry.
    iii. Create reduced review timelines for both new and continuing 
accuracy submissions.
    5. Contain continuing accuracy requirements. Continuing accuracy 
submissions should be based upon impact to public safety as measured by 
the Expected Casualty (EC).
    6. Limit FAA jurisdiction.
    i. Limit FAA jurisdiction to activities so publicly hazardous as to 
warrant FAA-oversight.
    ii. Identify well-defined inspection criteria.
    7. Eliminate duplicative jurisdiction on Federal launch ranges.
    The FAA will address these recommendations in more detail 
throughout the remainder of this document.
    During the course of the ARC, volunteer industry members formed a 
Task Group to provide draft regulatory text reflecting proposed 
revisions to the commercial space transportation regulations. The 
volunteer industry members of the Task Group were Blue Origin, Sierra 
Nevada Corporation, Space Florida, and SpaceX. The majority of the ARC 
opposed the formation of this Task Group and disagreed with including 
the proposed regulatory text into the ARC's recommendation report. The 
FAA will not specifically address the proposed regulatory text in this 
document because it did not receive broad consensus within the ARC.

III. Discussion of the Proposal

A. The FAA's Approach To Updating and Streamlining Launch and Reentry 
Regulations

    The FAA's approach to meeting SPD-2's mandate is to consolidate, 
update, and streamline all launch and reentry regulations into a single 
performance-based part. Pursuant to SPD-2, and in the interest of 
updating the FAA's regulations to reflect the current commercial space 
industry, the FAA proposes to consolidate requirements for the launch 
and reentry of ELVs, RLVs, and reentry vehicles other than an RLV.\12\ 
The FAA would also update a number of safety provisions, including 
areas such as software safety and flight safety analyses (FSA), to 
reflect recent advancements. Finally, the FAA proposes to streamline 
its regulations by designing them to be flexible and scalable, to 
reduce timelines, to remove or minimize duplicative jurisdiction, and 
to limit FAA jurisdiction over ground safety to operations that are 
hazardous to the public. This streamlining was the focus of the ARC.
---------------------------------------------------------------------------

    \12\ These requirements currently appear in parts 415, 417, 431, 
and 435.
---------------------------------------------------------------------------

    The FAA proposal would follow the ARC recommendations to enable 
greater regulatory flexibility. First, the proposed rule would be 
primarily performance-based, codifying performance standards and 
relying on FAA guidance or other standards to provide acceptable means 
of compliance. This would allow the regulations to better adapt to 
advancements in the industry. Second, the FAA proposes to change the 
structure of its launch and reentry license to be more flexible in the 
number and types of launches and reentries one license can accommodate. 
Third, as the ARC suggested, system safety principles would be 
prominent. All applicants would need to comply with core system safety 
management principles and conduct a preliminary safety assessment. Some 
applicants may also be required to use a flight hazard analysis to 
derive hazard controls particular to their operation. Lastly, for any 
particular requirement, the FAA would maintain the ability for an 
applicant or operator to propose an alternative approach for 
compliance, and then clearly demonstrate that the alternative approach 
would provide an equivalent level of safety to the requirement.
    The ARC recommended that the level of rigor of an applicant's 
safety demonstration vary based on vehicle history, company history, 
and the relative risk of the launch or reentry. It also recommended 
that the FAA not always require a flight safety system. The FAA 
recognizes that different operations require different levels of rigor, 
and is proposing a more scalable regulatory regime. Given performance-
based regulations are inherently scalable, the FAA proposal is 
consistent with the ARC recommendation, even though it does not 
explicitly account for vehicle or operator history as a means of 
scaling requirements. In addition to performance-based requirements, 
this proposal would implement a specific level-of-rigor approach to 
ensure safety requirements are proportionate to the public safety risk 
in the need for a flight safety system and its required

[[Page 15302]]

reliability, in flight safety analysis,\13\ and in software safety. 
These are all discussed in greater detail later in this preamble.
---------------------------------------------------------------------------

    \13\ For flight safety analyses, various levels of rigor would 
be outlined in ACs.
---------------------------------------------------------------------------

    Because the rulemaking process is time-consuming and labor 
intensive, the FAA seeks to minimize the need for regulatory updates to 
proposed part 450 through the proposed performance-based regulations 
which would allow for a variety of FAA-approved means of compliance. 
Approving new means of compliance creates flexibility for operators 
without reducing safety. Additionally, approving new means of 
compliance is easier to accomplish than updating regulatory standards 
through the rulemaking process. Thus, the proposed regulatory scheme 
would be more adaptable to the fast-evolving commercial space industry.
    The ARC recommended that the FAA should design a modular approach 
to application submittal and evaluation and significantly reduce FAA 
review timelines. This proposal would allow an applicant to apply for a 
license in an incremental manner,\14\ to be developed on a case-by-case 
basis during pre-application consultation. Most timelines in the 
proposal would have a default value, followed by an option for the FAA 
to agree to a different time frame, taking into account the complexity 
of the request and whether it would allow sufficient time for the FAA 
to conduct its review and make its requisite findings. Lastly, the FAA 
proposes to make it easier for a launch or reentry operator to obtain a 
safety element approval, which would reduce the time and effort of an 
experienced operator in a future license application. Although these 
provisions should reduce the time for experienced operators, the FAA 
does not propose to reduce by regulation the statutory review period of 
180 days to make a decision on a license application.
---------------------------------------------------------------------------

    \14\ In this rulemaking, the term ``incremental'' would be 
synonymous with the ARC's proposed term of ``modular.''
---------------------------------------------------------------------------

    It might be useful to provide some perspective concerning the time 
the FAA actually takes to make license determinations. The average of 
the last ten new license determinations through calendar year 2018 was 
141 days; the median was 167 days. The FAA strives to expedite 
determinations when possible to accommodate launch schedules. In three 
of these ten, the FAA made determinations in 54, 73, and 77 days, all 
without tolling. Three determinations were tolled for 73, 77, and 171 
days. The lengthy tolling was the result of a software issue concerning 
a flight safety system that the applicant needed to resolve. To our 
knowledge, a launch has never been delayed as a result of the time it 
took the FAA to make a license determinations.
    The ARC recommended that the FAA propose rules that eliminate 
duplicative U.S. Government requirements when an operator conducts 
operations at a Federal launch range. The FAA's proposal would allow 
for varying levels of Federal launch range involvement, including a 
single FAA authorization. It would also minimize duplicative work by a 
launch or reentry operator. This issue is discussed in more detail 
later in this preamble.
    Also, the ARC recommended that the FAA limit its jurisdiction over 
ground operations to activities so publicly hazardous as to warrant the 
FAA's oversight. This proposal would scope ground activities overseen 
by FAA to each operation. It would also permit neighboring operations 
personnel to be present during launch activities in certain 
circumstances.
    The ARC also recommended that the FAA require the pre-application 
process only for new operators or new vehicle programs, and that pre-
application occur at the operator's discretion for all other 
operations.\15\ The FAA proposes to retain the requirement for pre-
application consultation because of the various flexibilities proposed 
in this rule. These include incremental review, timelines, and the 
performance-based nature of many of the regulatory requirements. Pre-
application consultation would assist operators with the licensing 
process and accommodate all operators, including those that choose to 
avail themselves of the flexibilities provided in this proposal. The 
FAA acknowledges, however, that pre-application consultation can be 
minimal for operators experienced with FAA requirements. In such cases, 
consultation may consist of a telephone conversation.
---------------------------------------------------------------------------

    \15\ ARC Report at p. 23.
---------------------------------------------------------------------------

B. Single Vehicle Operator License

    As part of its streamlining effort, the FAA proposes in Sec.  450.3 
(Scope of Vehicle Operator License) to establish one license, a vehicle 
operator license, for commercial launch and reentry activity. A vehicle 
operator license would authorize a licensee to conduct one or more 
launches or reentries using the same vehicle or family of vehicles and 
would specify whether it covers launch, reentry, or launch and reentry. 
The FAA would eliminate the current limitation in Sec.  415.3 
specifying a launch license covers only one launch site, and would 
eliminate the designations of launch-specific license and launch 
operator license, mission-specific license and operator license, and 
reentry-specific license and reentry-operator license. The proposal 
would also allow the FAA to scope the duration of the license to the 
operation.
    Although the FAA has not defined a ``family of vehicles,'' launch 
operators often do so themselves. Usually, the vehicles share a common 
core, i.e., the booster and upper stage. Sometimes multiple boosters 
are attached together to form a larger booster. Historically, solid 
rocket motors have been attached to core boosters to enhance 
capability. There has never been an issue concerning what operators and 
the FAA consider to be members of the same family. It is merely a 
convenient way to structure licenses.
    SPD-2 directed the DOT to revise the current launch and reentry 
licensing regulations with special consideration to requiring a single 
license for all types of commercial launch and reentry operations. 
Similarly, the ARC recommended that the FAA adopt a single license 
structure to accommodate a variety of vehicle types, operations, and 
launch and reentry sites. In accordance with these recommendations, the 
FAA proposes a single vehicle operator license that could be scoped to 
the operation. In order to accommodate the increasingly similar 
characteristics of some ELVs and RLVs, as well as future concepts, 
these proposed regulations would no longer distinguish between ELVs and 
RLVs. Rather, this proposal would consolidate the licensing 
requirements for all commercial launch and reentry activities under one 
part, and applicants would apply for the same type of license.
    In addition to accommodating different vehicles and types of 
operations, this proposal would allow launches or reentries under a 
single vehicle operator license from or to multiple sites. Under the 
current regulations, in order for an operator to benefit from using 
multiple sites for launches authorized by a part 415 license, the 
operator must apply for a new license.\16\ This process is 
unnecessarily burdensome. This

[[Page 15303]]

proposed change would facilitate the application process because an 
operator would no longer be required to apply for a separate license to 
launch or reenter from a launch site other than that specified by the 
license.
---------------------------------------------------------------------------

    \16\ For example, in 2018, a launch operator held a launch 
license under part 415 that authorized it to launch from Kennedy 
Space Center (KSC) in Florida; however, the operator contemplated 
launching from a nearby launch site, Cape Canaveral Air Force 
Station (CCAFS). Under current part 415, in order to launch from 
CCAFS instead of KSC, the operator has to file a separate 
application for a license to launch from CCAFS.
---------------------------------------------------------------------------

    In order to apply for a license that includes multiple sites, an 
applicant would need to provide the FAA with application materials that 
would allow the FAA to conduct separate reviews for each site to 
determine, for example: Maximum probable loss required by part 440; 
public risk to populated areas, aircraft, and waterborne vessels; and 
the environmental impacts associated with proposed launches or 
reentries. The FAA foresees that a license that authorizes launches or 
reentries at more than one site would make it administratively easier 
for an operator to change sites for a particular operation. For 
example, an operator could move a launch from one site to another due 
to launch facility availability. A launch might move from CCAFS to KSC. 
Additionally, FAA foresees multiple sites will be utilized by operators 
of hybrid vehicles at launch sites with runways as well as vehicles 
supporting operationally responsive space missions such as DARPA Launch 
Challenge. Under this proposed licensing regime, an applicant should be 
prepared to discuss its intent to conduct activity from multiple sites 
during pre-application consultation. This discussion would give both 
the applicant and the agency an opportunity to scope the application 
and identify any potential issues early on when changes to the 
application or proposed licensed activities would be less likely to 
cause additional issues or significant delays. The launch operator 
would not need to specify the specific launches that would be planned 
for each site. The FAA would continue its current practice for operator 
licenses of requiring a demonstration that a proposed range of 
activities, not every trajectory variation within that range, can be 
safely conducted in order to scope the license. The license would not 
need to be modified unless the proposed operation fell outside the 
authorized range.
    The FAA further notes that under Sec.  413.11, after an initial 
screening the FAA determines whether an application is complete enough 
to begin its review. If an application that includes multiple launch 
sites is complete enough for the FAA to accept it and begin its review, 
the 180-day review period under Sec.  413.15(a) would begin. However, 
if during the FAA's initial review it determines that an application is 
sufficiently complete to make a license determination for at least one 
launch site but not all launch sites included in the application, the 
FAA would have the option to toll the review period, as provided in 
Sec.  413.15(b). Alternatively, the FAA could continue its review of 
the part of the application with complete enough information and toll 
the portion involving any launch site with insufficient information to 
make a licensing determination. In either case, the FAA would notify 
the applicant as required by Sec.  413.15(c).
    Finally, the FAA proposes a more flexible approach to the duration 
of a vehicle operator license under Sec.  450.7 (Duration of a Vehicle 
Operator License). Specifically, the FAA would determine, based on 
information received from an applicant, the appropriate duration of the 
license, not to exceed five years. In making this determination, the 
FAA would continue its current practice of setting the duration of a 
license for specified launches to be approximately one year after the 
expected date of the activity. Currently, a launch-specific license 
expires upon completion of all launches authorized by the license or 
the expiration date stated in the license, whichever occurs first. An 
operator license remains in effect for two years for an RLV and five 
years for an ELV from the date of issuance. The FAA considered setting 
all license durations to five years, but rejected this option to allow 
an applicant to obtain a license for a limited specific activity rather 
than for a more general range of activities. An applicant may prefer a 
shorter license duration for a specific activity because a licensee has 
obligations under an FAA license, such as the requirements to 
demonstrate financial responsibility and allow access to FAA safety 
inspectors, and a shorter license duration would relieve an applicant 
of compliance with these requirements after the activity has ended. 
Unless an operator requests an operator license, currently good for 
either two or five years, the operator does not typically request a 
license duration. The FAA initially sets the duration to encompass the 
authorized activity. The FAA plans to continue its current practice of 
extending licenses through renewals or modifications to accommodate 
delays in authorized launches or reentries.

C. Performance-Based Requirements and Means of Compliance

    SPD-2 directs the FAA to consider replacing prescriptive 
requirements in the commercial space flight launch and reentry 
licensing process with performance-based criteria. The ARC echoed the 
SPD-2 recommendation for performance-based requirements that allowed 
varying means of compliance proposed by the operator.\17\ In response 
to SPD-2 and the ARC recommendations, the FAA is proposing to replace 
many of the prescriptive licensing requirements with performance-based 
requirements. These performance-based requirements would provide 
flexibility, scalability, and adaptability as discussed in the 
introduction. An operator would be able to use an acceptable means of 
compliance to demonstrate compliance with the requirements.
---------------------------------------------------------------------------

    \17\ ARC Report, at p. 7.
---------------------------------------------------------------------------

    Currently, the FAA uses both prescriptive and performance-based 
requirements for launches and reentries respectively.\18\ Parts 415 and 
417 provide detailed prescriptive requirements for ELVs. Although these 
requirements provide regulatory certainty, they have proven inflexible. 
As the industry grows and innovates, ELV operators have identified 
alternate ways of operating safely that do not comply with the 
regulations as written. This has forced operators to request waivers or 
equivalent-level-of safety-determinations (ELOS determinations), often 
close to scheduled launch dates. On the other hand, the performance-
based regulations in parts 431 and 435 lack the detail to efficiently 
guide operators through the FAA's regulatory regime. Indeed, the FAA 
often fills these regulatory gaps by adopting part 417 requirements in 
practice. The process of adding regulatory certainty to these 
performance-based regulations by adopting part 417 requirements has 
been frustrating and contentious for both operators and the FAA.
---------------------------------------------------------------------------

    \18\ Parts 415 and 417, and their associated appendices, provide 
primarily prescriptive requirements for licensing and launch of an 
ELV. Part 431 provides primarily performance- and process-based 
requirements for a launch and reentry of a reusable launch vehicle. 
Part 435 provides similar requirements to part 431 for the reentry 
of a reentry vehicle other than a reusable launch vehicle. Parts 431 
and 435 rely on a system safety process performed by an operator in 
order to demonstrate adequate safety of the operation.
---------------------------------------------------------------------------

    Adopting performance-based requirements that allow operators to use 
an acceptable means of compliance would decrease the need for waivers 
or ELOS determinations to address new technology advancements. An 
acceptable means of compliance is one means, but not the only means, by 
which a requirement could be met. The FAA would set the safety standard 
in regulations and identify any acceptable means of compliance 
currently available. The FAA would provide public notice of each means 
of compliance that the Administrator has accepted by publishing the 
acceptance

[[Page 15304]]

on its website, for example. This notification would communicate to the 
public and the industry that the FAA has accepted a means of compliance 
or any revision to an existing means of compliance. A consensus 
standards body, any individual, or any organization would be able to 
submit means of compliance documentation to the FAA for consideration 
and potential acceptance.
    An operator could also develop its own means of compliance to 
demonstrate it met the safety standard. Once the Administrator has 
accepted a means of compliance for that operator, the operator could 
use it in future license applications. The FAA would not provide public 
notice of individual operator-developed means of compliance. If any 
information submitted to the FAA as part of a means of compliance for 
acceptance is proprietary, it would be afforded the same protections as 
are applied today to license applications submitted under Sec.  413.9.
    For five of the proposed requirements, an operator would have to 
demonstrate compliance using a means of compliance that has been 
approved by the FAA before an operator could use it in a license 
application. These five requirements are flight safety systems 
(proposed Sec.  450.145), FSA methods (proposed Sec.  450.115), 
lightning flight commit criteria (proposed Sec.  450.163(a)), and 
airborne toxic concentration and duration thresholds (proposed 
Sec. Sec.  450.139 and 450.187). The FAA has developed Advisory 
Circulars (ACs) or identified government standards that discuss an 
acceptable means of compliance for each of these requirements, and has 
placed these documents in the docket for the public's review and 
comment. If an operator wishes to use a means of compliance not 
previously accepted by the FAA to demonstrate compliance with one of 
the five requirements, the FAA would have to review and accept it prior 
to an operator using that means of compliance to satisfy a licensing 
requirement.
    If an operator is interested in applying for the acceptance of a 
unique means of compliance, it should submit any data or documentation 
to the FAA necessary to demonstrate that the means of compliance 
satisfies the safety requirements established in the regulation. An 
operator should note that the FAA will take into account such factors 
as complexity of the means of compliance; whether the means of 
compliance is an industry, government, or voluntary consensus standard; 
and whether the means of compliance has been peer-reviewed during its 
review and determination. These factors may affect how quickly the FAA 
is able to review and make a determination. The time could range from a 
few days to many weeks.
    Although applying for the acceptance of a new means of compliance 
may take time, once an operator's unique means of compliance is 
accepted by the FAA, the operator can use it in future license 
applications. The FAA also anticipates that this process will result in 
flexibility for industry and will encourage innovation as industry and 
consensus standards bodies \19\ develop multiple ways for an operator 
to meet the requisite safety standards. The FAA believes this is the 
best approach to enabling new ways of achieving acceptable levels of 
safety through industry innovation, and seeks public comment on whether 
this approach may induce additional innovation through industry-
developed consensus standards.
---------------------------------------------------------------------------

    \19\ The FAA intends to rely increasingly on voluntary consensus 
standards as means of compliance. Section 12(d) of the National 
Technology Advancement Act (Pub. L. 104-113; 15 U.S.C. 3701, et 
seq.) directs federal agencies to use voluntary consensus standards 
in lieu of government-unique standards except where inconsistent 
with law or otherwise impractical. Because voluntary consensus 
bodies are made up of a wide selection of industry participants, and 
often also include FAA participation, the FAA expects its review of 
a means of compliance developed by a voluntary consensus standards 
body would be more expeditious than a custom means of compliance. 
Unlike means of compliance developed by a voluntary consensus 
standards body, a custom means of compliance would not be subject to 
peer review or independent review of the viability of the technical 
approach.
---------------------------------------------------------------------------

D. Launch From a Federal Launch Range

    Both industry and the National Space Council have urged government 
agencies involved in the launch and reentry of vehicles by commercial 
operators to work towards common standards and to remove duplicative 
oversight. The ARC recommended an end goal of either exclusive FAA 
jurisdiction over commercial launches at a range, or a range adopting 
the same flight safety regulations used by the FAA. SPD-2 directed the 
Secretary of Defense, the Secretary of Transportation, and the NASA 
Administrator to coordinate to examine all existing U.S. Government 
requirements, standards, and policies associated with commercial space 
flight launch and reentry operations from Federal launch ranges and 
minimize those requirements, except those necessary to protect public 
safety and national security, that would conflict with the efforts of 
the Secretary of Transportation in implementing the Secretary's 
responsibilities to review and revise its launch and reentry 
regulations.\20\ Most recently, the John S. McCain National Defense 
Authorization Act for Fiscal Year 2019 includes a provision stating 
that the Secretary of Defense may not impose any requirement on a 
licensee or transferee that is duplicative of, or overlaps in intent 
with, any requirement imposed by the Secretary of Transportation under 
51 U.S.C. chapter 509, unless imposing such a requirement is necessary 
to avoid negative consequences for the national security space 
program.\21\
---------------------------------------------------------------------------

    \20\ SPD-2; May 24, 2018 (https://www.whitehouse.gov/presidential-actions/space-policy-directive-2-streamlining-regulations-commercial-use-space).
    \21\ Section 1606(2)(A), John S. McCain National Defense 
Authorization Act for Fiscal Year 2019, Public Law 115-232 (amending 
51 U.S.C. 50918 note).
---------------------------------------------------------------------------

    Currently, the FAA issues a safety approval to a license applicant 
proposing to launch from a Federal launch range if the applicant 
satisfies the requirements of part 415, subpart C, and has contracted 
with the range for the provision of safety-related launch services and 
property, as long as an FAA Launch Site Safety Assessment (LSSA) \22\ 
shows that the range's launch services and launch property satisfy part 
417. The FAA assesses each range and determines if the range meets FAA 
safety requirements. If the FAA assessed a range, through its LSSA, and 
found that an applicable range safety-related launch service or 
property satisfies FAA requirements, then the FAA treats the range's 
launch service or property as that of a launch operator's, and there is 
no need for further demonstration of compliance to the FAA. The FAA 
reassesses a range's practices only when the range chooses to change 
its practice.
---------------------------------------------------------------------------

    \22\ LSSA is an FAA evaluation of Federal range services and 
launch property.
---------------------------------------------------------------------------

    The ARC recommended that ranges and the FAA have common flight 
safety regulations and guidance documents. To address this 
recommendation, the FAA proposes performance-based requirements for 
both ground and flight safety that an operator could meet using Air 
Force and NASA practices as a means of compliance. The FAA expects that 
there will be few, if any, instances where Air Force or NASA practices 
do not satisfy the proposed performance-based requirements. 
Additionally, the proposed requirements should provide enough 
flexibility to accommodate changes in Air Force and NASA practices in 
the future. The FAA expects that range services that a range applies to 
U.S. Government launches and

[[Page 15305]]

reentries will almost invariably satisfy the FAA's proposed 
requirements. The FAA currently accepts flight safety analyses 
performed by Air Force on behalf of an operator without additional 
analysis and anticipates that it would give similar deference to other 
analyses by federal agencies once it established that they meet FAA 
requirements.
    The FAA developed this approach to reduce operator burden to the 
largest extent possible. The FAA is bound to execute its statutory 
mandates and may do so only to the extent authorized by those statutes. 
Although federal entities often have complimentary mandates and 
statutory authorities, they are rarely identical. That is, each federal 
department or agency has been given separate mission. Federal entities 
establish interagency processes to manage closely related functions in 
as smoothly and least burdensome manner possible. Coordinating FAA 
requirements, range practices, and those practices implemented at other 
Federal facilities is largely an interagency issue, this proposal does 
not include language to eliminate duplicative approvals. Instead, the 
FAA will continue to work with the appropriate agencies to streamline 
commercial launch and reentry requirements at ranges and Federal 
facilities by leveraging the Common Standards Working Group (CSWG).\23\
---------------------------------------------------------------------------

    \23\ The CSWG consists of range safety personnel from the Air 
Force and NASA, and was chartered in the early 2000's to develop and 
maintain common launch safety standards among agencies.
---------------------------------------------------------------------------

E. Safety Framework

    In addition to proposing a single vehicle operator license and 
replacing prescriptive requirements with performance-based 
requirements, this rule would rely on a safety framework that provides 
the flexibility needed to accommodate current and future operations and 
the regulatory certainty lacking in some of the current regulations.
    This proposal would consolidate the launch and reentry safety 
requirements in subpart C. Figure 2 depicts the safety framework on 
which the FAA relied in developing its proposed safety requirements. In 
developing this framework, the FAA considered following the approach 
taken in parts 431 and 435 and relying almost exclusively on a robust 
systems safety approach. As noted earlier, experience has shown that 
part 431 does not offer enough specificity and, as a result, it has 
been unclear to operators what safety measures the FAA requires to 
achieve an acceptable level of safety. In particular, there are no 
explicit requirements for ground safety, flight safety analysis, or 
flight safety systems. On the other hand, part 417 is too prescriptive, 
particularly regarding design and detailed procedural requirements for 
ground safety, detailed design and test requirements for flight safety 
systems, and numerous plans that placed needless burden on operators 
and impeded innovation. Thus, the framework described below is designed 
to strike a balance between these two parts. The proposed regulations 
clearly lay out FAA expectations, but should provide a launch or 
reentry operator with flexibility on how it achieves acceptable public 
safety. The framework also seeks to allow operators that wish to 
conduct operations using proven hazard control strategies to do so.
[GRAPHIC] [TIFF OMITTED] TP15AP19.001

    System Safety Program. All operators would be required to have a 
system safety program that would establish system safety management 
principles for both ground and flight safety throughout the operational 
lifecycle of a launch or reentry system. The system safety program 
would include a safety organization, procedures, configuration control, 
and post-flight data review.
    Preliminary Flight Safety Assessment. For flight safety, an 
operator would conduct a preliminary flight safety assessment to 
identify public hazards and determine the appropriate hazard control 
strategy for a phase of flight or an entire flight. An operator could 
use traditional hazard controls such as physical containment, wind 
weighting, or flight abort to mitigate hazards. Physical containment is 
when a launch vehicle does not have sufficient energy for any hazards 
associated with its flight to reach the public or critical assets.

[[Page 15306]]

Wind weighting is when the operator of an unguided suborbital launch 
vehicle adjusts launcher azimuth and elevation settings to correct for 
the effects of wind conditions at the time of flight to provide a safe 
impact location for the launch vehicle or its components. Flight Abort 
is the process to limit or restrict the hazards to public health and 
safety and the safety of property presented by a launch vehicle or 
reentry vehicle, including any payload, while in flight by initiating 
and accomplishing a controlled ending to vehicle flight. Flight abort 
as a hazard control strategy would be required for a phase of flight 
that is shown by a consequence analysis to potentially have significant 
public safety impacts. Otherwise, an operator would be able to bypass 
these traditional hazard control strategies and conduct a flight hazard 
analysis.
    Flight Hazard Analysis. As an alternative to traditional hazard 
control measures, an operator would be able to conduct a flight hazard 
analysis to derive hazard controls. Hazard analysis is a proven 
engineering discipline that, when applied during system development and 
throughout the system's lifecycle, identifies and mitigates hazards 
and, in so doing, eliminates or reduces the risk of potential mishaps 
and accidents. In addition, a separate hazard analysis methodology is 
outlined for computing systems and software.
    Flight Safety Analysis. Regardless of the hazard control strategy 
chosen or mandated, an operator would be required to conduct a number 
of flight safety analyses. At a minimum, these analyses would 
quantitatively demonstrate that a launch or reentry meets the public 
safety criteria for debris, far-field overpressure, and toxic hazards. 
Other analyses support flight abort and wind weighting hazard control 
strategies and determine flight hazard areas.\24\ For a detailed 
discussion, please see the ``Additional Technical Justification and 
Rationale'' discussion later in the preamble.
---------------------------------------------------------------------------

    \24\ Note that flight hazard analysis and flight safety analysis 
are interdependent in that each can help inform the other. Flight 
safety analysis quantifies the risks posed by hazards, which are 
typically identified and mitigated during the flight hazard 
analysis, by using physics to model how the vehicle will respond to 
specific failure modes. The FSA is also useful to define when 
operational restrictions are necessary to meet quantitative risk 
requirements.
---------------------------------------------------------------------------

    Derived Hazard Controls. An operator would derive a number of 
hazard controls through its conduct of a flight hazard analysis and 
flight safety analyses.
    Prescribed Hazard Controls. Regardless of the hazard controls 
derived from a flight hazard analysis and flight safety analyses, the 
FAA would require a number of other hazard controls that have 
historically been necessary to achieve acceptable public safety. These 
include requirements for flight safety and other safety critical 
systems, agreements, safety-critical personnel qualifications, crew 
rest, radio frequency management, readiness, communications, preflight 
procedures, surveillance and publication of hazard areas, lightning 
hazard mitigation, flight safety rules, tracking, collision avoidance, 
safety at the end of launch, and mishap planning.
    Acceptable Flight Safety. All elements of the safety framework 
combine to provide acceptable public safety during flight. In proposed 
Sec.  450.101 (Public Safety Criteria), the FAA would outline specific 
public safety criteria to clearly define how safe is safe enough. 
Section 450.101 is discussed in detail later in this preamble.
    Ground Safety. With respect to ground safety, an operator would 
conduct a ground hazard analysis to derive ground hazard controls. 
Those, along with prescribed hazard controls, would provide acceptable 
public safety during ground operations.

Flight Safety

A. Public Safety Criteria

    Proposed Sec.  450.101 would consolidate all public safety criteria 
for flight into one section. It would contain the core performance-
based safety requirements to protect people and property on land, at 
sea, in the air, and in space. All other flight safety requirements in 
proposed part 450 subpart C would support the achievement of these 
criteria. The Sec.  450.101 requirements would define how safe is safe 
enough for the flight of a commercial launch or reentry vehicle.
    Proposed Sec.  450.101(a) contains launch risk criteria, or the 
risk thresholds an operator may not exceed during flight. An operator 
would be permitted to initiate the flight of a launch vehicle only if 
the collective, individual, aircraft, and critical asset risk satisfy 
the proposed criteria. The criteria would apply to every launch from 
liftoff through orbital insertion for an orbital launch, and through 
final impact or landing for a suborbital launch, which is the same 
scope used for current launch risk criteria in parts 417 and 431. Each 
measure of risk serves a different purpose. Collective risk addresses 
the risk to a population as a whole, whereas individual risk addresses 
the risk to each person within a population. The measure of aircraft 
risk is unique, due to the difficulty of modeling collective and 
individual risk for aircraft in flight. Lastly, critical asset risk 
addresses the loss of functionality of an asset that is essential to 
the national interests of the United States. Critical assets include 
property, facilities, or infrastructure necessary to maintain national 
defense, or assured access to space for national priority missions.
    Proposed Sec.  450.101(a)(1) would establish the collective risk 
criteria for flight, measured by expected casualties (EC). 
The proposal would define EC as the mean number of 
casualties predicted to occur per flight operation if the operation 
were repeated many times. The term casualties refers to serious 
injuries or worse, including fatalities. It would require the risk to 
all members of the public, excluding persons in aircraft and 
neighboring operations personnel, to not exceed an expected number of 1 
x 10^-\4\ casualties, posed by impacting inert and explosive 
debris, toxic release, and far field blast overpressure.\25\ With two 
exceptions, this is the same criteria currently used in Sec. Sec.  
417.107(b)(1) and 431.35(b)(1)(i). The first exception applies to 
people on waterborne vessels, who would now be included in the 
collective risk criteria to all members of the public. The second 
exception applies to neighboring operations personnel. This proposal 
would require the risk to all neighboring operations personnel not 
exceed an expected number of 2 x 10^-\4\ casualties. Both of 
these topics are discussed separately later in this preamble.
---------------------------------------------------------------------------

    \25\ Far field blast overpressure is a phenomenon resulting from 
the air blast effects of large explosions that may be focused by 
certain conditions in the atmosphere through which the blast waves 
propagate. Population may be at risk from broken window glass 
shards.
---------------------------------------------------------------------------

    Proposed Sec.  450.101(a)(2) would establish the individual risk 
criteria for flight, measured by probability of casualty 
(PC). The proposal would define PC as the 
likelihood that a person will suffer a serious injury or worse, 
including a fatal injury, due to all hazards from an operation at a 
specific location. It would require the risk to any individual member 
of the public, excluding neighboring operations personnel, to not 
exceed a PC of 1 x 10^-\6\ per launch, posed by 
impacting inert and explosive debris, toxic release, and far field 
blast overpressure. With one exception, this is the same criteria 
currently in Sec. Sec.  417.107(b)(2) and 431.35(b)(1)(iii). The 
exception is neighboring operations personnel would have separate 
individual risk criteria, which is discussed later in this preamble.
    Proposed Sec.  450.101(a)(3) would set aircraft risk criteria for 
flight. It would

[[Page 15307]]

require a launch operator to establish any aircraft hazard areas 
necessary to ensure the probability of impact with debris capable of 
causing a casualty for aircraft does not exceed 1 x 10^-6. 
This is the same requirement as current Sec.  417.107(b)(4). Part 431 
does not have aircraft risk criteria, although the FAA's current 
practice is to use the part 417 criteria for launches licensed under 
part 431. With this proposal, the FAA would expressly apply this 
criterion to all launches. The FAA does not propose any other changes 
for the protection of aircraft at this time. The FAA has an ongoing 
Airspace Access ARC, composed of commercial space transportation and 
aviation industry representatives, whose recommendations may inform a 
future rulemaking on protection of aircraft.
    Proposed Sec.  450.101(a)(4) would set the launch risk criteria for 
critical assets. It would require the probability of loss of 
functionality for each critical asset to not exceed 1 x 
10^-\3\, or some other more stringent probability if deemed 
necessary to protect the national security interests of the United 
States. This would be a new requirement and is discussed separately 
later in this preamble.
    Proposed Sec.  450.101(b) would define risk criteria for reentry. 
These would be the same as the risk criteria for launch, except that 
the proposed criteria would apply to each reentry, from the final 
health check prior to the deorbit burn through final impact or landing. 
The same discussion earlier regarding collective risk, individual risk, 
aircraft risk, and risk to critical assets would apply to the reentry 
risk criteria.
    Proposed Sec.  450.101(c) would set the flight abort criteria for 
both launch and reentry. It represents the most significant change to 
public safety criteria in this proposed rule. It would require that an 
operator use flight abort as a hazard control strategy if the 
consequence of any reasonably foreseeable vehicle response mode,\26\ in 
any one-second period of flight, is greater than 1 x 10^-3 
conditional expected casualties (CEC) for uncontrolled 
areas.\27\ CEC is the consequence, measured in terms of 
EC, without regard to the probability of failure, and will 
be discussed in the Consequence Protection Criteria for Flight Abort 
and Flight Safety System section. Flight abort with the use of an FSS 
and applying the CEC criteria in proposed part 450 is 
discussed later in this preamble. Proposed Sec.  450.101(c) would apply 
to all phases of flight, unless otherwise agreed to by the FAA based on 
the demonstrated reliability of the launch or reentry vehicle during 
that phase of flight. The flight of a certificated aircraft that is 
carrying a rocket to a drop point is an example of when the use of an 
FSS would likely not be necessary even though the CEC could 
be above the threshold, because the aircraft would have a demonstrated 
high reliability.
---------------------------------------------------------------------------

    \26\ Vehicle response mode means a mutually exclusive scenario 
that characterizes foreseeable combinations of vehicle trajectory 
and debris generation.
    \27\ Uncontrolled Area is an area of land not controlled by a 
launch or reentry operator, a launch or reentry site operator, an 
adjacent site operator, or other entity by agreement.
---------------------------------------------------------------------------

    Proposed Sec.  450.101(d) would establish disposal \28\ safety 
criteria. It would require that an operator conducting a disposal of a 
vehicle stage or component from Earth orbit either meet the criteria of 
Sec.  450.101(b)(1), (2), and (3), or target a broad ocean area. 
Because a launch vehicle stage or component will not survive a disposal 
substantially intact, disposal is not considered a reentry.\29\ 
Disposal is an effective method of orbital debris prevention because it 
eliminates the vehicle stage or component as a piece of orbital debris 
and as a risk for future debris creation through collision. The FAA is 
not proposing to require that a launch operator dispose of any upper 
stage or component in this rulemaking. The current proposal would only 
apply if a launch operator chooses to dispose of its upper stage or 
other launch vehicle component. Although an operator could choose to 
demonstrate that the proposed collective and individual risk criteria 
are met for a disposal, the FAA expects most, if not all, disposals to 
target a broad ocean area.\30\ This is consistent with current practice 
and NASA Technical Standards.\31\ Because the broad ocean area has such 
a low density of people that are exposed almost exclusively in large 
waterborne vessels, objects that survive reentry to impact in these 
areas produce an insignificant PC. Therefore, operators 
disposing a vehicle stage or component into a broad ocean area would 
not need to demonstrate compliance with the collective, individual, or 
aircraft risk criteria. For purposes of this proposal, the FAA 
considers ``broad ocean'' as an area 200 nautical miles (nm) from land. 
Two hundred nm is also the recognized limit of exclusive economic zones 
(EEZ), which are zones prescribed by the United Nations Convention on 
the Law of the Sea \32\ over which the owning state has exclusive 
exploitation rights over all natural resources. Disposal beyond an EEZ 
further reduces the chance of disrupting economic operations such as 
commercial fishing.
---------------------------------------------------------------------------

    \28\ The FAA proposes to define ``disposal'' in Sec.  401.5 to 
mean the return or attempt to return, purposefully, a launch vehicle 
stage or component, not including a reentry vehicle, from Earth 
orbit to Earth, in a controlled manner. The proposed definition is 
discussed later in this preamble.
    \29\ A ``reentry'' is defined in 51 U.S.C. 50902, as ``to return 
or attempt to return, purposefully, a reentry vehicle and its 
payload or human beings, if any, from Earth orbit or from outer 
space to Earth.'' A ``reentry vehicle'' is defined as ``a vehicle 
designed to return from Earth orbit or outer space to Earth, or a 
reusable launch vehicle designed to return from Earth orbit or outer 
space to Earth, substantially intact.''
    \30\ A disposal that ``targets a broad ocean area'' would wholly 
contain the disposal hazard area within a broad ocean area.
    \31\ NASA-STD-8715.14A, paragraph 4.7.2.1.b, states, ``For 
controlled reentry, the selected trajectory shall ensure that no 
surviving debris impact with a kinetic energy greater than 15 joules 
is closer than 370 km from foreign landmasses, or is within 50 km 
from the continental U.S., territories of the U.S., and the 
permanent ice pack of Antarctica.''
    \32\ United Nations Convention on the Law of the Sea, Dec. 10, 
1982, 1833 U.N.T.S. 397. Although the United States has not ratified 
UNCLOS, its comprehensive legal framework codifies customary 
international law governing uses of the ocean.
---------------------------------------------------------------------------

    Proposed Sec.  450.101(e) would address the protection of people 
and property on-orbit, through collision avoidance requirements during 
launch or reentry and through requirements aimed at preventing 
explosions of launch vehicle stages or components on-orbit. 
Specifically, proposed Sec.  450.101(e)(1) would require a launch or 
reentry operator to prevent the collision between a launch or reentry 
vehicle stage or component, and people or property on-orbit, in 
accordance with the requirements in proposed Sec.  450.169(a) (Launch 
and Reentry Collision Avoidance Analysis Requirements). Proposed Sec.  
450.101(e)(2) would require that a launch operator prevent the creation 
of debris through the conversion of energy sources into energy that 
fragments the stage or component, in accordance with the requirements 
in proposed Sec.  450.171 (Safety at End of Launch). Proposed Sec.  
450.171 would contain the same requirements as in Sec. Sec.  417.129 
and 431.43(c)(3). Both Sec. Sec.  450.169(a) and 450.171 are addressed 
in greater detail later in the preamble.
    Proposed Sec.  450.101(f) would require that an operator for any 
launch, reentry, or disposal notify the public of any region of land, 
sea, or air that contains, with 97 percent probability of containment, 
all debris resulting from normal flight events capable of causing a 
casualty. The requirement to notify the public of planned impacts is 
currently in Sec. Sec.  417.111(i)(5) and 431.75(b). The calculation of 
such hazard areas is discussed later in this preamble in the

[[Page 15308]]

discussion of proposed Sec.  450.133 (Flight Hazard Areas). 
Notification of planned impacts would be included in proposed Sec.  
450.101 because it is not tied to risk and is therefore not covered by 
the other public safety criteria of proposed Sec.  450.101.
    In proposed Sec.  450.101(g), the FAA would establish performance 
level requirements for the validity of analysis methods. Specifically, 
consistent with the existing language in Sec.  417.203(c) and current 
practice for launch and reentry assessments, an operator's analysis 
method would have to use accurate data and scientific principles and be 
statistically valid. ``Accurate data'' would continue to refer to 
completeness, exactness, and fidelity to the maximum extent 
practicable. In this context, ``scientific principles'' would continue 
to refer to knowledge based on the scientific method, such as that 
established in the fields of physics, chemistry, and engineering. An 
analysis based on non-scientific principles, such as astrology, would 
not be consistent with this standard. A ``statistically valid'' 
analysis would be the result of a sound application of mathematics and 
would account for the uncertainty in any statistical inference due to 
sample size limits, the degree of applicability of data to a particular 
system, and the degree of homogeneity of the data.
1. Neighboring Operations Personnel
    Two of the proposed requirements in Sec.  450.101 that do not exist 
in the current regulations carve out separate individual and collective 
risk criteria for neighboring operations personnel. With the increase 
in operations and launch rate, the Air Force, NASA, and the industry 
have expressed concerns about the FAA's public risk criteria because in 
certain circumstances they force an operator to clear or evacuate any 
other launch operator and its personnel not involved with a specific 
FAA-licensed operation from a hazard area or safety clear zone during 
certain licensed activities.\33\ The clearing or evacuation of other 
launch operator personnel, which can range from a handful of workers to 
over a thousand for a significant portion of a day, results in 
potential schedule impacts and lost productivity costs to other range 
users. These impacts will increase as the launch tempo increases and 
similar operations are conducted at other sites.
---------------------------------------------------------------------------

    \33\ To illustrate the problematic nature of the current risk 
requirements as they are applied to the public, flybacks and 
landings of reusable boosters at Cape Canaveral Air Force Station 
conducted under an FAA license are causing operational impacts to 
other range users due to FAA requirements to clear the public, 
including range users not involved with the launch, to meet public 
safety criteria.
---------------------------------------------------------------------------

    The Air Force, NASA, and industry have recommended that the FAA 
treat certain personnel of other launch operators, referred to in this 
proposed rulemaking as ``neighboring operations personnel,'' 
differently than the rest of the public who are typically visitors, 
tourists, or people who are located outside a launch site and are not 
aware of the hazards nor trained and prepared to respond to them. 
Specifically, they recommend that the FAA characterize neighboring 
operations personnel who work at a launch site as either non-public or 
subject to a higher level of risk than the rest of the public, to 
minimize the need to evacuate them during certain licensed 
operations.\34\
---------------------------------------------------------------------------

    \34\ The Air Force requested that the FAA propose an approach 
that allows certain neighboring operations personnel during an FAA-
licensed launch to be assessed at the Air Force's higher launch 
essential risk criteria of 10 x 10^-6 individual 
probability of casualty. Also, Air Force and NASA members of the 
CSWG have asked for increased flexibility with the collective risk 
EC for flight to accommodate neighboring operations 
personnel. As one of its recommendations to the National Space 
Council in November 2017, NASA suggested a change to operational 
requirements to clear employees from hazard areas during commercial 
operations under an FAA license.
---------------------------------------------------------------------------

    The ARC recommended: (1) Excluding permanently badged personnel and 
neighboring launch operations from the definition of ``public''; (2) 
revising the definition of ``public safety'' because the current 
definition is overly broad, ambiguous, and inconsistent with other 
federal agencies, including the Air Force; (3) distinguishing between 
``public'' (i.e., those uninvolved individuals located outside the 
controlled-access boundaries of a launch or reentry site or clustered 
sites within a defined Federal or private spaceport) and people who 
work regularly within the controlled-access boundaries of a Federal or 
private spaceport or an operator's dedicated launch or reentry site; 
\35\ and (4) employing mitigation measures for uninvolved neighboring 
operations personnel when a hazardous operation or launch is 
scheduled.\36\
---------------------------------------------------------------------------

    \35\ According to the ARC, these individuals who work regularly 
within the boundaries of a federal range or private spaceport are 
industry workers who know and accept the risks associated with the 
hazardous environment in which they work.
    \36\ These mitigations might include: facility separation 
distances (e.g., separation between launch points on a multi-user 
spaceport) that anticipate and allow for safe concurrent operations; 
terms in site and use agreements with the Federal or non-Federal 
property owner that indemnify and hold harmless the government or 
other landlord; and potential reciprocal waivers (not required by 
regulation) that may be entered into among neighboring operations to 
share risks of hazards to each other's property and personnel.
---------------------------------------------------------------------------

i. FAA Proposed Definitions of Public and Neighboring Operations 
Personnel in Sec.  401.5
    To address these concerns, the FAA proposes to add two definitions 
to Sec.  401.5. The first is ``public,'' which the FAA would define in 
Sec.  401.5, for a particular licensed or permitted launch or reentry, 
as people and property that are not involved in supporting the launch 
or reentry. This would include those people and property that may be 
located within the launch or reentry site, such as visitors, 
individuals providing goods or services not related to launch or 
reentry processing or flight, and any other operator and its personnel. 
This language is similar to the current definition of ``public safety'' 
in Sec.  401.5, which the FAA proposes to delete, except that the FAA 
has included reentry and permitted activities in the definition.\37\
---------------------------------------------------------------------------

    \37\ The FAA would also delete the definition of ``public'' in 
Sec.  420.5 for launch sites, which means people and property that 
are not involved in supporting a licensed or permitted launch. The 
new definition of public in Sec.  401.5 will apply to all parts, 
including part 420.
---------------------------------------------------------------------------

    The second is the definition of ``neighboring operations 
personnel,'' which the FAA would define in Sec.  401.5 as those members 
of the public located within a launch or reentry site, as determined by 
the Federal or licensed launch or reentry site operator,\38\ or an 
adjacent launch or reentry site, who are not associated with a specific 
hazardous licensed or permitted operation currently being conducted but 
are required to perform safety, security, or critical tasks at the site 
and are notified of the hazardous operation. While neighboring 
operations personnel would still fall under the proposed definition of 
public, this proposal would apply different individual and collective 
risk criteria to them. The FAA seeks comment on this approach.
---------------------------------------------------------------------------

    \38\ Since neighboring operations personnel, as defined in this 
proposal, work at a launch or reentry site, the FAA expects that the 
site operator (i.e., an operator of a Federal site or FAA-licensed 
launch or reentry site), not the launch operator, would identify 
these personnel.
---------------------------------------------------------------------------

    In developing its proposal, the FAA looked to NASA and Air Force 
requirements, which treat a portion of the public differently than the 
FAA regulations by allowing some other launch operators and their 
personnel, referred to as ``neighboring operations personnel'' by the 
Air Force \39\ and

[[Page 15309]]

``critical operations personnel'' by NASA,\40\ to be subjected to a 
higher level of risk than the rest of the public. This approach lessens 
the impact to multiple users and enables concurrent operations at a 
site. The FAA's proposed definition more closely aligns with the 
definitions of neighboring operations personnel and critical operations 
personnel adopted by the Air Force and NASA, respectively, because it 
distinguishes neighboring operations personnel as personnel required to 
perform safety, security, or critical tasks and who are notified of 
neighboring hazardous operations. Critical tasks may include 
maintaining the security of a site or facility or performing critical 
launch processing tasks such as monitoring pressure vessels or testing 
safety critical systems of a launch vehicle for an upcoming mission.
---------------------------------------------------------------------------

    \39\ The Air Force has two sub-categories of public: Neighboring 
operations personnel and the general public. For a specific launch, 
the general public includes all visitors, media, and other non-
essential personnel at the launch site, as well as persons located 
outside the boundaries of the launch site. For the Air Force, 
neighboring operations personnel are individuals, not associated 
with the specific operation or launch currently being conducted, 
required to perform safety, security, or critical tasks at the 
launch base, and who are notified of a neighboring hazardous 
operation and are either trained in mitigation techniques or 
accompanied by a properly trained escort. In accordance with 
guidance information in AFSPCMAN 91-710V1, neighboring operations 
personnel may include individuals performing launch processing tasks 
for another launch, but do not include individuals in training for 
any job or individuals performing routine activities such as 
administrative, maintenance, support, or janitorial. AFSPCMAN 91-
710V1 can be found at https://static.e-publishing.af.mil/production/1/afspc/publication/afspcman91-710v1/afspcman91-710v1.pdf. The Air 
Force may allow neighboring operations personnel to be within safety 
clearance zones and hazardous launch areas, and neighboring 
operations personnel would not be evacuated with the general public. 
The Air Force includes neighboring operations personnel in the same 
risk category as launch-essential personnel. The allowable 
collective aggregated risk for launch essential personnel is 300 x 
10^-6 and the allowable individual risk for launch 
essential personnel is 10 x 10^-6.
    \40\ NASA, for the purposes of range safety risk management, 
defines public as visitors and personnel inside and outside NASA-
controlled locations who are not critical operations personnel or 
mission essential personnel and who may be on land, on waterborne 
vessels, or in aircraft. Similar to the Air Force's definition of 
neighboring operations personnel, NASA considers critical operations 
personnel to include persons not essential to the specific operation 
(launch, reentry, flight) being conducted, but who are required to 
perform safety, security, or other critical tasks at the launch, 
landing, or flight facility; are notified of the hazardous operation 
and either trained in mitigation techniques or accompanied by a 
properly trained escort; are not in training for any job or 
individuals performing routine activities such as administrative, 
maintenance, or janitorial activities; and may occupy safety 
clearance zones and hazardous areas, and are not evacuated with the 
public. NASA includes critical operations personnel in the same risk 
category as mission essential personnel. For flight, the allowable 
collective aggregated risk for the combination of mission essential 
personnel and critical operations personnel is 300 x 10^-6 
and the allowable individual risk for mission essential or critical 
operations personnel is 10 x 10^-6.
---------------------------------------------------------------------------

    Because of these specific duties, neighboring operations personnel 
are more likely than the rest of the public to be specially trained and 
prepared to respond to hazards present at a launch or reentry site. 
Those hazards include exposure to debris, overpressure, toxics, and 
fire. The Air Force and NASA definitions specify that these personnel 
are either trained in mitigation techniques or accompanied by a 
properly trained escort. Note, however, that the FAA would not require 
that neighboring operations personnel be trained or accompanied by a 
trained escort. It would be burdensome to require a licensee to ensure 
neighboring operations personnel are trained, and training is not 
necessary to justify the slight increase in risk allowed for workers 
performing safety, security, or critical tasks.
    The FAA proposal would not include all permanently badged personnel 
on a launch or reentry site as neighboring operations personnel. While 
neighboring operations personnel are permanently-badged personnel, 
including all permanently-badged personnel as neighboring operations 
personnel could then include individuals performing routine activities 
such as administrative, maintenance, or janitorial duties. These 
individuals are not necessary for critical tasks. Unlike for 
neighboring operations personnel, the disruption to routine activities 
does not sufficiently justify allowing these individuals to remain on 
site during hazardous operations.
ii. Individual Risk Level for Neighboring Operations Personnel
    Currently, for ELVs, the individual risk criterion for the public 
in Sec.  417.107(b)(2) allows a launch operator to initiate flight only 
if the risk to any individual member of the public does not exceed 1 x 
10^-6 per launch for each hazard. Part 431 is similar for an 
RLV mission. Thus, any person not involved in supporting a launch or 
reentry, whether within or outside the bounds of the launch or reentry 
site, are required to have a risk of casualty no higher than 1 x 
10^-6 per launch or reentry for each hazard.
    The FAA proposes in Sec.  450.101(a)(2) a higher individual risk 
criterion of 1 x 10^-5 for neighboring operations personnel 
compared to 1 x 10^-6 for the rest of the public for launch 
and reentry. Although neighboring operations personnel would still fall 
under the FAA's definition of public, this proposal would establish a 
higher risk threshold for neighboring operations personnel as compared 
to other members of the public. This proposal would permit neighboring 
operations personnel to remain on site because--unlike other members of 
the public such as visitors or tourists--the presence of these 
personnel at a launch or reentry site is necessary for security or to 
avoid the disruption of launch or reentry activities at neighboring 
sites. In addition, the proposed increased risk to which these 
personnel would be exposed is minimal.
iii. Collective Risk Level for Neighboring Operations Personnel
    Sections 417.107(b)(1) and 431.35(b)(1)(i) and (ii) currently 
require that for each proposed launch or reentry, the risk level to the 
collective members of the public, which would include neighboring 
operations personnel but exclude persons in water-borne vessels and 
aircraft, must not exceed an expected number of 1 x 10^-4 
casualties from impacting inert and explosive debris and toxic release 
associated with the launch or reentry.
    Similar to individual risk, the FAA proposes a separate collective 
risk criterion for neighboring operations personnel in Sec.  
450.101(a)(1). This proposal would permit a launch operator to initiate 
the flight of a launch vehicle only if the total risk associated with 
the launch to all members of the public, excluding neighboring 
operations personnel and persons in aircraft, does not exceed an 
expected number of 1 x 10^-4 casualties. Additionally, a 
launch operator would be permitted to initiate the flight of a launch 
vehicle only if the total risk associated with the launch to 
neighboring operations personnel did not exceed an expected number of 2 
x 10^-4 casualties. These risk criteria would also apply to 
reentry.
    These proposed requirements would enable neighboring operations 
personnel to remain within safety clear zones and hazardous launch 
areas during flight. Additionally, neighboring operations personnel 
would not be required to evacuate with the rest of the public as long 
as their collective risk does not exceed 2 x 10^-4. The 
rationale is the same as that for individual risk. While the FAA 
proposal would add a separate collective risk limit for neighboring 
operations personnel, the collective risk limit for the public other 
than neighboring operations personnel would not be able to exceed 1 x 
10^-4 for flight.
iv. Maximum Probably Loss (MPL) Thresholds for Neighboring Operations 
Personnel
    Under a license, an operator must obtain liability insurance or 
demonstrate financial responsibility to compensate for the maximum 
probable loss from claims by a third party for

[[Page 15310]]

death, bodily injury, or property damage or loss.\41\ For financial 
responsibility purposes under 14 CFR part 440, neighboring operations 
personnel qualify as third parties.\42\ Thus, allowing neighboring 
operations personnel to remain within hazard areas has the potential to 
increase the maximum probable loss, and therefore the amount of third 
party liability insurance that a licensee would be required to obtain. 
However, this would be fully or partially mitigated by changing the 
threshold value used to determine MPL for neighboring operations 
personnel.
---------------------------------------------------------------------------

    \41\ An operator must also obtain liability insurance or 
demonstrate financial responsibility to compensate the U.S. 
Government for damage or loss to government property, but this is 
not affected by the neighboring operations personnel proposal.
    \42\ Title 51 U.S.C. 50902 defines third party as a person 
except the U.S. Government or its contractors or subcontractors 
involved in the launch or reentry services; a licensee or transferee 
under Chapter 509 and its contractors, subcontractors or customers 
involved in launch or reentry services; the customer's contractors 
or subcontractors involved in launch or reentry services; or crew, 
government astronauts, or space fight participants. Section 440.3 
incorporates this definition into the regulations.
---------------------------------------------------------------------------

    The MPL is the greatest dollar amount of loss that is reasonably 
expected to result from a launch or reentry. Current regulations define 
what is reasonable by establishing probability thresholds:
     Losses to third parties that are reasonably expected to 
result from a licensed or permitted activity are those that have a 
probability of occurrence of no less than one in ten million.
     Losses to government property and government personnel 
involved in licensed or permitted activities that are reasonably 
expected to result from licensed or permitted activities are those that 
have a probability of occurrence of no less than one in one hundred 
thousand.
    Therefore, for any launch or reentry, there should only be a 1 in 
10,000,000 (1 x 10^-\7\) chance that claims from third 
parties would exceed the MPL value, and a 1 in 100,000 (1 x 
10^-\5\) chance that claims from the government for 
government property loss would exceed the MPL value. Because it is much 
less likely that claims from third parties would exceed the MPL value, 
the FAA's calculation of MPL takes into account a larger number of rare 
events that could result in a third party claim than could result in a 
government property claim. And, because the MPL calculation for third 
party liability involves consideration of more events related to non-
government personnel third party losses than events related to 
government personnel losses, non-government third party losses are more 
likely to influence the MPL calculation. The difference in thresholds 
reflects the government's acceptance of greater risk in supporting 
launch and reentry activities than that accepted by the uninvolved 
public.\43\
---------------------------------------------------------------------------

    \43\ Subject to congressional appropriation, the Federal 
Government indemnifies a launch or reentry operator for claims above 
the insured amount up to $1.5 billion, adjusted for inflation from 
January 1989 (approximately $3 billion as of 2016). The lower the 
threshold used for calculating MPL, the greater chance that the 
Federal Government may need to indemnify a licensee.
---------------------------------------------------------------------------

    The FAA proposes, for the purpose of determining MPL, that the 
threshold for neighboring operations personnel be the same as the 
threshold for losses to government property and involved government 
personnel, such that losses to neighboring operations personnel would 
have a probability of occurrence of no less than 1 x 10^-\5\. 
This approach would be appropriate because unlike other third parties, 
except for involved government personnel, the presence of neighboring 
operations personnel at a launch or reentry site is necessary for 
security or to avoid the disruption of launch or reentry activities at 
neighboring sites. The presence of neighboring operations personnel 
during licensed activities would not influence the MPL value for third-
party liability in most cases because, as discussed above, the 1 x 
10^-\5\ threshold would capture fewer events and therefore 
have less of an influence on MPL. The FAA seeks comment on this 
approach.
v. Ground Operations Pertinent to Neighboring Operations Personnel
    For ground operations, the FAA currently does not have, nor is it 
proposing at this time, quantitative public risk criteria for 
neighboring operations personnel or the rest of the public. As will be 
discussed in greater detail later, an operator would conduct a ground 
hazard analysis to derive ground hazard controls. This analysis would 
be a qualitative, not quantitative. Thus, there would be no 
quantitative criteria to treat neighboring operations personnel 
differently than other members of the public during ground operations. 
An operator would be expected to use hazard controls to contain hazards 
within defined areas and to control public access to those areas. An 
operator may use industry or government standards to determine proper 
mitigations to protect the public, including neighboring operations 
personnel, from hazards. The impact on neighboring operations personnel 
during ground activities should be minimal.
    Additionally and as discussed later, the FAA is proposing that 
launch would begin at the start of preflight ground operations that 
pose a threat to the public, which could be when a launch vehicle or 
its major components arrive at a U.S. launch site, or at a later point 
as agreed to by the Administrator.\44\ Scoping preflight ground 
operations to only those that require FAA oversight would alleviate 
many of the previously-discussed issues associated with neighboring 
operations personnel.
---------------------------------------------------------------------------

    \44\ The clause ``as agreed to by the Administrator'' is used 
throughout the proposed regulations, particularly in relation to 
timeframes discussed in detail later in this preamble. Where the 
clause is used, it means that an operator may submit an alternative 
to the proposed requirement to the FAA for review. The FAA must 
agree to the operator's proposal in order for the operator to use 
the alternative. By whatever means the FAA's agreement to an 
alternative is communicated to the operator, the agreement means 
that the alternative does not jeopardize public health and safety 
and the FAA has no objection to the submitted alternative. Unless 
the context of the situation clearly provides otherwise, ``as agreed 
to by the Administrator'' does not simply mean receipt by the FAA 
(i.e., that the item was given to a representative of the FAA and 
that person received it on behalf of the FAA).
---------------------------------------------------------------------------

2. Property Protection (Critical Assets)
    Another proposed requirement in Sec.  450.101 that does not exist 
in the current regulations is the proposal to adopt a critical asset 
protection criterion in proposed Sec.  450.101. To better inform this 
proposed requirement, the FAA would also amend Sec.  401.5 to add a 
definition of critical asset. Specifically, the probability of loss of 
functionality for each critical asset would not be able to exceed 1 x 
10^-\3\, or a more stringent probability if the FAA 
determines, in consultation with relevant federal agencies, it is 
necessary to protect the national security interests of the United 
States. This requirement is necessary to ensure a high probability of 
the continuing functionality of critical assets. A critical asset would 
be defined as an asset that is essential to the national interests of 
the United States, as determined in consultation with relevant federal 
agencies. Critical assets would include property, facilities, or 
infrastructure necessary to maintain national defense, or assured 
access to space for national priority missions. Critical assets would 
also include certain military, intelligence, and civil payloads, 
including essential infrastructure when directly supporting the payload 
at the launch site. Under this proposal, the FAA anticipates that it 
would work with relevant authorities, including a launch or reentry 
site operator or Federal property owner, to identify each ``critical 
asset'' and its potential vulnerability to launch and reentry hazards.

[[Page 15311]]

    The FAA's existing risk criteria, currently found in Sec. Sec.  
417.107(b) and 431.35(b), do not explicitly set any limit on the 
probability of loss of functionality for any assets on the surface of 
the Earth due to launch or reentry operations. An example of loss of 
functionality would be if a launch vehicle crashed on a nearby launch 
complex and resulted in damage that prevented the use of the launch 
complex until repaired. Currently, FAA requirements provide some 
protection for the safety of property during launch or reentry by 
limiting individual and collective risks because people are generally 
co-located with property. However, no protection is afforded for assets 
within areas that are evacuated.
    The proposed property protection criteria would be consistent with 
current practice at Federal launch ranges. Launch operations from NASA-
operated ranges are subject to requirements that limit the probability 
of debris impact to less than or equal to 1 x 10^-\3\ for 
designated assets. While the Air Force does not have a formal 
requirement, in practice, launch operations from Air Force-operated 
ranges have adopted the NASA standard. In the past, Federal launch 
ranges have, on occasion, applied a more stringent requirement limiting 
the probability of debris impact caused by launch or reentry hazards to 
less than or equal to 1 x 10^-\4\ for national security 
payloads, including essential infrastructure when directly supporting 
the payload at the launch site. The FAA is looking to extend the 
protection of critical assets to non-Federal launch or reentry sites. 
The Pacific Spaceport (located on Kodiak Island, Alaska) is an example 
of a non-Federal launch or reentry site that is a dual-use commercial 
and military spaceport (meaning that commercial missions have been 
conducted there, as well as missions for the Department of Defense), 
which has no regulatory assurance of protection from loss of 
functionality of critical assets.
    For these reasons, the FAA has determined that a requirement to 
maintain a high probability of continuing functionality of critical 
assets at a launch site is necessary to ensure the safety of property 
and national security interests of the United States. Launch and 
reentry infrastructure used for commercial operations are increasingly 
in close proximity to critical assets, such as infrastructure used to 
support the national interests of the United States. The national 
interests of the U.S. relevant to this proposal go beyond national 
security interests, and include infrastructure used to serve high 
priority NASA missions as well. For example, the FAA considers launch 
and reentry services to deliver cargo to and from the International 
Space Station as national priority missions. As another example, the 
launch infrastructure used by SpaceX to launch the Falcon 9 from 
Kennedy Space Center is within 2 nm of the launch infrastructure used 
by ULA to launch the Atlas V, which are both used to support commercial 
operations and operations that serve the national interests of the 
United States. The FAA coordinated the development of this proposed 
critical asset protection requirement with NASA, the Department of 
Defense, and the Intelligence Community.
    Furthermore, the proposed property protection requirement would 
also help achieve the goal of common standards for launches from any 
U.S. launch site, Federal or non-Federal. Common standards are public 
safety related requirements and practices that are consistently 
employed by the Air Force, the FAA, and NASA during launch and reentry 
activities. Common standards would provide launch and reentry operators 
certainty in planning and enable a body of expertise to support those 
standards.
    Finally, the proposed property protection standards would apply to 
all FAA-licensed launches, whether to or from a Federal launch range or 
a non-Federal launch or reentry site. Applying the provision to non-
Federal sites would ensure continuity in the protection of critical 
assets and that the probability of loss of functionality of critical 
assets is the same for all commercial launch and reentry operations. 
The FAA sees no reason for imposing different standards of safety for 
critical assets based on whether a launch takes place from a non-
Federal launch site or from a Federal launch range, especially in light 
of the fact that some non-Federal sites are dual use, supporting both 
commercial and military operations.
    During the interagency review process, the Department of Defense 
requested and the FAA considered specifying a more stringent criterion 
for certain critical assets of utmost importance. This subcategory of 
critical assets would be known as critical payloads. Specifically, the 
FAA considered requiring the probability of loss of functionality for 
critical payloads, including essential infrastructure when directly 
supporting the payload at the launch site, not exceed 1 x 
10^-\4\. The FAA considered defining a critical payload as a 
critical asset that (1) is so costly or unique that it cannot be 
readily replaced, or (2) the time frame for its replacement would 
adversely affect the national interests of the United States. Critical 
payloads may include vital national security payloads, and high-
priority NASA and NOAA payloads. For example, a payload such as NASA's 
Curiosity rover would likely be afforded this protection. The higher 
protection criterion would have safeguarded those payloads of utmost 
importance to the United States meriting a greater degree of protection 
than other critical assets. The specific 1 x 10^-\4\ 
criterion would apply to those national priority payloads at a launch 
or reentry site, including essential infrastructure when directly 
supporting the payload. A federal agency would identify payloads 
meeting the definition of ``critical payload'' as warranting protection 
at the 1 x 10^-\4\ level. These may include commercial 
payloads that meet the national interest described above.
    The FAA opted to not include this higher protection criterion due 
to uncertainty about its impact on future launch or reentry operations. 
Therefore, in order to properly analyze this request, the FAA requests 
comment on the following:
    (1) If the FAA adopted the more-stringent 1 x 10^-\4\ 
criterion for critical payloads, what impacts would it have on your 
operation?
    (2) Should FAA consider applying this more-stringent criterion to 
any commercial payload? Please provide specific examples and rationale.
    (3) If this criterion is applied to commercial space launch and 
reentry operations, what would be the additional, incremental costs and 
benefits on your current and future operations compared to the proposed 
1 x 10^-\3\ criterion? Specifically, the FAA requests 
information and data to quantify additional costs and benefits of this 
criterion compared to the proposed 1 x 10^-\3\ criterion. 
Please provide sources for information and data provided.
3. Consequence Protection Criteria for Flight Abort and Flight Safety 
System
    This proposal would expand the FAA's use of consequence criteria to 
protect the public from an unlikely but catastrophic event. Proposed 
Sec.  450.101(c) would require that operators quantify the consequence 
of a catastrophic event by calculating CEC for any one-
second period of flight. Unlike EC that determines the 
expected casualties factoring in the probability that a dangerous event 
will occur, CEC determines the expected casualties assuming 
the dangerous event will occur. In essence, it represents the

[[Page 15312]]

consequence of the worst foreseeable events during a launch or reentry. 
The FAA proposes to use CEC to determine the need for flight 
abort with a reliable FSS as a hazard control strategy, to set 
reliability standards for any required FSS, and to determine when to 
initiate a flight abort. In other words, the more severe the potential 
consequences from an unplanned event, the more stringent the flight 
abort requirements.
    The current ELV flight abort regulations are essentially a one-
size-fits-all approach. In practice, the current requirement in Sec.  
417.107(a) requires an FSS for any orbital launch vehicle to prevent 
hazards from reaching protected areas at all times during flight. 
Regardless of the individual and collective risks, or the consequences 
in the case of a catastrophic event, all FSSs must satisfy part 417, 
subparts D and E, requirements.\45\ These include reliability 
requirements (0.999 reliable at 95 percent confidence) \46\ and 
extensive testing requirements. Besides requiring a potentially 
expensive FSS, the part 417 hazard control approach also has the 
potential to limit vehicle flight paths unnecessarily, even when those 
flight paths would produce low public risks and consequences. This 
preamble will discuss these areas in further detail later.
---------------------------------------------------------------------------

    \45\ Part 417 sets specific FSS requirements covering general 
command control system requirements, command control system testing, 
FSS support systems, FSS analysis, and flight safety crew roles and 
qualifications.
    \46\ Section 417.309 requires that each onboard flight 
termination system and each command control system must have a 
predicted reliability of 0.999 at the 95 percent confidence level 
when operating, as well as predicted reliability of 0.999 at the 95 
percent confidence for multiple component systems such as the 
ordnance train to propagate a charge, any safe-and-arm device, and 
ordinance interrupters and initiators. As these component systems 
define the reliability of the FSS and approximate the design 
reliability of the entire flight safety system, for the purpose of 
the preamble the current requirements are discussed as requiring an 
FSS to have predicted reliability of 0.999 at a 95 percent 
confidence level. This will be discussed later in the preamble in 
further detail.
---------------------------------------------------------------------------

    The FAA also recognizes shortcomings in its current part 431 hazard 
control approach. Part 431 does not expressly require the use of an FSS 
to manage hazards. Rather, Sec.  431.35(c) requires a system safety 
process to identify hazards and assess the risk to public health and 
safety and the safety of property. The system safety approach has 
consistently resulted in the use of an FSS as a hazard control 
strategy. In practice, the FAA has applied part 417 FSS requirements to 
part 431 to ensure proper reliability and flight abort rules.
    Part 417 FSS requirements have proven difficult to scale to 
different operations. Indeed, the FAA has had to issue numerous waivers 
to these requirements to accommodate the fast-evolving commercial space 
industry. The need for waivers has been partially driven by changes to 
Air Force requirements, which diverged from FAA regulations beginning 
in 2013.\47\ For example, the FAA has repeatedly waived its requirement 
to activate an FSS to ensure no debris greater than 3 pounds per square 
foot (psf) ballistic coefficient \48\ reaches protected areas.\49\ In 
granting these waivers, the FAA has adopted the conditional risk 
management approach, noting that the predicted consequence was below a 
threshold of 1 x 10^-\2\ CEC. The FAA has 
concluded that measuring the consequence from reasonably foreseeable, 
albeit unlikely, failures is an appropriate metric to assess prudent 
mitigations of risks to public health and safety and the safety of 
property.\50\
---------------------------------------------------------------------------

    \47\ The FAA regulations and Air Force requirements regarding 
flight abort were virtually identical from the time part 417 was 
promulgated in 2006 until 2013 when the Air Force provided permanent 
relief from the requirement for impact limit lines to bound where 
debris with a ballistic coefficient greater than 3 pounds per square 
foot can impact if the FSS works properly. The Air Force cited an 
ELOS determination when it issued the permanent relief, stating that 
the public risk criteria would still apply.
    \48\ Ballistic coefficient is a measure of an object's ability 
to overcome air resistance, and it is defined as the gross weight in 
pounds divided by the frontal area of the vehicle (in square feet) 
times the coefficient of drag.
    \49\ Waiver of Debris Containment Requirements for Launch. 81 FR 
1470, 1470-1472 (January 12, 2016).
    \50\ Using consequence as safety criteria in FAA commercial 
space regulations is not without precedent. Section 431.43(d) sets a 
limit for foreseeable public consequences in terms of 
CEC, but only for an unproven RLV. Section 431.43(d) 
provides that an unproven RLV may only be operated so that during 
any portion of flight, the expected number of casualties does not 
exceed 1 x 10^-\4\ given assuming a vehicle failure will 
occur at any time the instantaneous impact point is over a populated 
area.
---------------------------------------------------------------------------

    The ARC also made recommendations with respect to flight abort and 
FSS requirements. It recommended the FAA tier the level of rigor for 
FSSs into three risk categories. In relevant part, ARC members proposed 
that the lowest risk category not require an FSS, that the medium risk 
category require streamlined FSS test requirements (e.g., reduce from 
three to one qualification units) and not require configuration and 
risk management, and the highest risk category require a Range 
Commanders Council (RCC) \51\ 319-compliant FSS. It also suggested the 
highest risk category could use another operational or design approach 
proven to address concerns of low probability/high consequence event. 
The ARC only identified risk as a means of scaling FSS requirements and 
did not recommend specific risk thresholds.\52\
---------------------------------------------------------------------------

    \51\ The Range Commanders Council addresses the common concerns 
and needs of operational ranges within the United States. It works 
with other government departments and agencies to establish various 
technical standards to assist range users.
    \52\ ARC Report at p. 12.
---------------------------------------------------------------------------

    In light of the shortcomings identified by the FAA and ARC 
recommendations, the FAA agrees that the FAA's FSS requirements should 
be scaled. For that reason, the FAA proposes to use consequence to 
determine the need for an FSS, the required FSS reliability, and when 
to activate an FSS.
    To determine whether or not an FSS is needed, an operator would be 
required to calculate CEC in any one second period of 
flight. The calculation of CEC can range from a 
straightforward product of the effective casualty area and the 
population density to a high fidelity analysis.\53\ Proposed Sec.  
450.101(c) would require, at a minimum, that an operator compute the 
effective casualty area and identify the population density that would 
be impacted for each reasonably foreseeable vehicle response mode in 
any one-second period of flight in terms of CEC. The 
casualty area, population density, and predicted consequence for each 
vehicle response mode are intermediate quantities that are necessary to 
demonstrate compliance with the individual and collective risk criteria 
currently, thus these new requirements would not necessarily impart 
significant additional burden on operators.
---------------------------------------------------------------------------

    \53\ The FAA referenced the need to prevent a high consequence 
event in its evaluation of a 2016 waiver request, which enabled the 
first Return to Launch Site (RTLS) mission (Orbcomm-2). 
Specifically, the FAA noted that the 3 psf ballistic coefficient 
requirement of Sec.  417.213(d) was intended to (1) capture the 
current practice of the U.S. Air Force, (2) provide a clear and 
consistent basis to establish impact limit lines to determine the 
occurrence of an accident as defined by Sec.  401.5, and (3) help 
prevent a high consequence to the public given FSS activation. As 
part of the waiver rationale, the FAA cited the longstanding 
governing principle applied to launch safety: ``to provide for the 
public safety, the Ranges, using a Range Safety Program, shall 
ensure that the launch and flight of launch vehicles and payloads 
present no greater risk to the general public than that imposed by 
the over-flight of conventional aircraft.'' (Eastern and Western 
Range 127-1, Range Safety Requirements, Oct. 31, 1997) The waiver 
rationale also cited an analysis of 30 years of empirical evidence 
provided by the NTSB that showed that the public safety consequence 
associated with general aviation accidents is 1 x 10^-\2\ 
expected fatalities. The FAA's analysis demonstrated that the 
consequence of events that could produce debris outside of the 
impact limit lines was consistent with the threshold of 1 x 
10^-\2\ CEC, even with input data corresponding 
to the worst-case weather conditions. Thus, the FAA concluded that 
the waiver would not jeopardize public health and safety or the 
safety of property.
---------------------------------------------------------------------------

    The FAA is proposing to rely on CEC rather than 
EC to determine whether or

[[Page 15313]]

not an FSS is needed because FAA believes it is the best approach to 
implement the ARC's recommendation that the FAA treat high consequence 
events differently than lower consequence events. As noted earlier, the 
ARC recommended a three tiered approach--high risk would require a 
highly reliable FSS, medium risk would require an FSS with more 
streamlined requirements, and low risk would require no FSS. The FAA's 
approach of using a consequence analysis instead of a risk analysis 
would use the same factors as used in a risk analysis, such as casualty 
area, population density, and predicted consequence for each vehicle 
response.
    Proposed Sec.  450.145 (Flight Safety System), in paragraph (a), 
would require an operator to employ an FSS with design reliability of 
0.999 at 95 percent confidence and commensurate design, analysis, and 
testing if the consequence of any vehicle response mode is 1 x 
10^-\2\ CEC or greater, consistent with the 
current FSS requirements in part 417.\54\ If the consequence of any 
vehicle response mode is between 1 x 10^-\2\ and 1 x 
10^-\3\ CEC, the required design reliability would 
be relaxed to no lower than 0.975 at 95 percent confidence \55\ with 
commensurate design, analysis, and testing requirements necessary to 
support this reliability. If the CEC is less than 1 x 
10^-\3\, and the individual and collective risk criteria are 
met, an operator would not be required to have an FSS. The FAA 
coordinated with NASA and the Department of Defense in the Common 
Standards Working Group to arrive at this proposal.
---------------------------------------------------------------------------

    \54\ Sections 417.303 and 417.309.
    \55\ In statistics, a confidence interval is the range of values 
that includes the true value at a specified confidence level. A 
confidence level of 95% is commonly used which means that there is a 
95% chance that the true value is encompassed in the interval.
---------------------------------------------------------------------------

    An RCC 319-compliant FSS would only be required for any phase of 
flight in which the CEC exceeds 1 x 10^-\2\. This 
threshold is consistent with past precedent, FAA waivers, and U.S. 
Government consensus standards. Other government entities use a 
consequence threshold of 1 x 10^-\2\ to protect against 
explosive hazards.\56\ This threshold is also rooted in the 
longstanding and often cited principle that launch and reentry should 
present no greater risk to the public than that imposed by the over-
flight of conventional aircraft. The Air Force, the RCC, and an 
American National Standard (ANSI/AIAA S-061-1998) ^{57 58} have 
identified the public risks posed by conventional aircraft as an 
important benchmark for the acceptable risks posed by launch vehicles. 
Like commercial space operations, civil aviation poses an involuntary 
hazard to the public on the ground. Therefore, the FAA looked to this 
risk to the public on the ground to derive consequence limits for 
commercial space activities. The FAA analyzed National Transportation 
Safety Board (NTSB) aviation accident data and determined that the 
average consequences on the ground from all fatal civil aviation 
accidents are 0.06 casualties and 0.02 fatalities. The average ground 
fatality of an airline crash is 1, and of a general aviation crash is 
0.01.\59\ The proposed threshold appears reasonable given this range of 
aviation related accident consequences.
---------------------------------------------------------------------------

    \56\ The Department of Defense, NASA, and the FAA use quantity-
distance limits originally designed to limit conditional individual 
risk of fatality to 1 x 10^-\2\ from inert debris fragment 
impacts. They define minimum separation distances between potential 
sources of high speed fragments (propelled by accidental explosions) 
and areas with exposed personnel to ensure no more than one 
hazardous fragment impact per 600 sqft, with the assumption that any 
exposed person has a vulnerable area of 6 sqft. NASA only permits 
inhabited buildings at closer distances if proved sufficient to 
limit hazardous debris to 1/600 sqft, and thus enforces a 
consequence limit of no more than 1 x 10^-\2\ conditional 
expected fatalities (NASA-STD-8719.12A--2018-05-23, p. 63).
    \57\ Waiver of Debris Containment Requirements for Launch. 81 FR 
1470 (January 12, 2016), at 1470-1472.
    \58\ According to ANSI/AIAA S-061-1998, ``during the launch and 
flight phase of commercial space vehicle operations, the safety risk 
for the general public should be no more hazardous than that caused 
by other hazardous human activities (e.g., general aviation over 
flight).''
    \59\ The FAA looked at NTSB data on injuries and fatalities of 
people on the ground from fatal civil aviation accidents (where an 
occupant of the aircraft died) for the 30-year period between 1984 
and 2013.
---------------------------------------------------------------------------

    The FAA proposes a threshold of 1 x 10^-\3\ 
CEC as a metric for determining the need for any FSS. This 
is an order of magnitude less than the threshold that determines the 
need for a highly-reliable FSS, and which is scaled to the reliability 
of the required FSS. Combined with the individual risk and cumulative 
risk thresholds, the FAA believes that this proposed threshold would 
ensure public safety.
    The use of a consequence metric is consistent with the ARC 
comments. The ARC suggested that an FSS with a reliability of 0.999 at 
95 percent confidence is appropriate for high consequence, low 
probability events and a lower reliability could be acceptable under 
the right circumstances. The FAA notes that the ARC did not identify 
any threshold values to define ``high consequence''; however, the 
proposal does identify specific quantitative consequence thresholds in 
terms of CEC. The FAA invites comments on this approach in 
general, as well as the specific thresholds proposed.
    Lastly, proposed Sec.  450.125 (Gate Analysis), in paragraph (c), 
would limit the predicted average consequence from flight abort 
resulting from a failure in any one-second period of flight to 1 x 
10^-\2\ CEC. Flight abort will be discussed in 
more detail later in the preamble.

B. System Safety Program

    Proposed Sec.  450.103 (System Safety Program) would require an 
operator to implement and document a system safety program throughout 
the lifecycle of a launch or reentry system that includes at least the 
following: (1) Safety organization, including a mission director and 
safety official; (2) procedures to evaluate the operational lifecycle 
of the launch or reentry system to maintain current preliminary safety 
assessments and any flight hazard analyses; (3) configuration 
management and control; and (4) post-flight data review. Due to the 
complexity and variety of vehicle concepts and operations, a system 
safety program would be necessary to ensure that an operator considers 
and addresses all risks to public safety.
    Currently, parts 415 and 417 have a more prescriptive philosophy of 
flight safety hazard mitigation. While the requirements ensure safety, 
they neither provide the flexibility needed to address the diverse and 
dynamic nature of today's commercial space transportation industry nor 
address the unique aspects of non-traditional launch and reentry 
vehicles. For example, except for unguided suborbital launch vehicles, 
it is virtually impossible for operations that can reach populated 
areas but that do not use an FSS to comply with parts 415 and 417.
    Regulations applicable to reentry and RLVs in part 431 expressly 
established system safety requirements as a flexible approach to 
approving a safety process that encompasses design and operation. 
Section 431.33 sets the requirements for the maintenance and 
documentation of a safety organization. Specifically, it requires: (1) 
The identification of lines of communication and approval authority for 
all mission decisions possibly affecting public safety including 
internal and external lines of communication with the launch or reentry 
site to ensure compliance with required plans and procedures; (2) the 
designation of a person responsible for conducting all licensed RLV 
mission activities; and (3) designation of a qualified safety official 
by name, title, and qualifications.

[[Page 15314]]

    Section 431.35(c) specifically requires the use of a system safety 
process to identify hazards and assess the risks to public health and 
safety and the safety of property and to demonstrate compliance with 
the acceptable risk criteria.\60\ It also incorporates core components 
of a hazard analysis.
---------------------------------------------------------------------------

    \60\ Section 431.35(c) also fails to provide a detailed 
description of the composition of a compliant system safety process. 
This lack of detail has often led to the submission of deficient 
applications because the applicant failed to demonstrate that the 
system safety process was adequate to meet public safety 
requirements and therefore the FAA did not find the application to 
be complete enough for acceptance. The ARC noted the confusion 
around the FAA's evaluation of an application's system safety 
submission and recommended changing the regulation to increase 
regulatory certainty.
---------------------------------------------------------------------------

    Section 431.35(d) requires several deliverables to demonstrate 
compliance with acceptable risk criteria and a compliant system safety 
process. Despite the explicit deliverables, the structure of the 
regulation has proved to be confusing for applicants. For instance, 
some system safety analysis element requirements are intermixed with 
vehicle design element requirements. Similarly, general information 
requirements such as the identification of hazardous material can be 
found listed with unrelated requirements such as the description of the 
RLV. The inclusion of these elements in the section governing system 
safety has led applicants to produce application deliverables that were 
scattered and not easily understood by the FAA. Also, some less 
experienced applicants did not understand that the regulation required 
a system safety analysis and provided general information and an 
informal assessment of how that general information may have affected 
public safety.
    The ARC made specific suggestions on the role of system safety in 
the FAA's safety regulatory scheme. It recommended the FAA use a system 
safety process at the core of its safety requirements to identify 
hazards and develop hazard control strategies that are verified by 
means of an FSA, relevant operational constraints, and means of meeting 
those constraints. It noted the FAA could provide better detail on its 
safety requirements. For instance, Sec.  431.35(c) could be expanded to 
include risk-informed decision making and continuous risk management 
requirements. It further suggested the FAA incorporate varying levels 
of rigor that would scale required verification requirements, like test 
plans and performance results, by vehicle, operator category, and 
relative risk as a means of scoping requirements to vehicle hazards and 
potential population exposure. The FAA agrees that the system safety 
process should form the core of its safety requirements as a means of 
making the safety requirements more flexible for novel operations and 
processes.
    Proposed Sec.  450.103 lists the minimum components all operators 
would be required to have in their system safety programs to protect 
public health and safety and the safety of property. Part 431 
established a process-based requirement for a system safety program but 
did not define its components or a safety standard. This lack of 
definition has led to many operators establishing system safety 
programs that are missing components necessary for public safety. This 
lengthened some applicants' pre-application consultation and the 
license application evaluation process. The FAA intends to further 
define the system safety program to lessen the potential for 
misunderstandings between applicants and the FAA. This proposal should 
allow potential operators to design system safety programs that better 
address public safety concerns prior to license application submittal.
1. Safety Organization
    Proposed Sec.  450.103(a) would require an operator to maintain and 
document a safety organization with clearly defined lines of 
communication and approval authority for all public safety decisions. 
This safety organization would include at least two positions, referred 
to as a mission director and a safety official. The mission director 
would be responsible for the safe conduct of all licensed activities 
and authorized to provide final approval to proceed with licensed 
activities. The safety official \61\ would be required to communicate 
potential safety and non-compliance matters to the mission director 
during flight and ground operations. The safety official would also be 
authorized to examine all aspects of an operator's ground safety and 
flight safety operations. It is common practice in any safety 
organization, including those within the commercial space industry, to 
establish who will be responsible for ensuring safety and to have clear 
processes for communicating safety concerns effectively throughout the 
organization.
---------------------------------------------------------------------------

    \61\ In 1999, the FAA added the requirement for a safety 
official possessing authority to examine launch safety operations 
and to monitor independently personnel compliance with safety 
policies and procedures. The FAA stated in the preamble to the final 
rule that the person responsible for safety should have the ability 
to perform independently of those parts of the applicant's 
organization responsible for mission assurance. 64 FR 19604 (April 
21, 1999).
---------------------------------------------------------------------------

    This proposal would allow for one person, or several, to perform 
the safety official's functions. Unlike current regulations, an 
operator would not have to name a specific safety official in its 
license application. Instead, an operator would be required to 
designate a position to accomplish the necessary tasks of a safety 
official. The FAA seeks comment on this approach, and whether it 
provides an appropriate level of flexibility to industry.
    Many operators have complained about the burden of naming a 
specific safety official in a license application. One challenge is 
that, in many cases, an operator applies for a license before selecting 
a safety official. As such, many operators must submit a modification 
of their application once they have chosen a safety official. Another 
issue is that operators that conduct activities at a frequent rate must 
employ several persons that serve as safety officials to keep pace with 
their operations. These persons may serve as safety officials on 
several different types of operations on multiple licenses. Therefore, 
the operator must frequently submit license application modifications 
every time it selects a new person to serve in that capacity. An 
operator is further burdened when safety officials leave the launch 
operator's organization or assume a new role within the organization 
that would prohibit them from serving as a safety official. The FAA 
believes a safety organization that includes a safety official is 
essential to public safety; however, identifying that individual by 
name is not necessary.
    Under the proposal, the operator would still be required to 
designate a safety official for any licensed activity prior to the 
start of that activity. The FAA has previously noted that licensed 
ground operations have commenced without designating a safety official. 
Many applicants mistakenly assumed the safety official was only 
necessary for flight operations. These operators conducted preflight 
ground operations in advance of flight without a safety official 
monitoring the operation. This proposal would require a safety official 
for all licensed operations to independently monitor licensed activity 
to ensure compliance with the operator's safety policies. Additionally, 
the safety official would report directly to the mission director. The 
absence of a safety official could result in a lack of independent 
safety oversight and a potential for a break down in communications of 
important safety-related information. The FAA would continue to inspect 
licensed operations

[[Page 15315]]

to ensure that a safety official is in place throughout the course of 
the licensed activity.
2. Procedures
    Proposed Sec.  450.103(b) would require that an operator establish 
procedures to evaluate hazards throughout the complete operational 
lifecycle of a program. This is important because design and 
operational changes to a system can have an impact on public safety. 
This proposed requirement was implied in Sec.  431.35(c) but was not 
explicitly stated. Specifically, Sec.  450.103(b) would require the 
operator to implement a process to update the preliminary safety 
assessment and any flight hazard analysis to reflect the knowledge 
gained during the lifecycle of the system. To accomplish this, an 
operator would be required to establish methods to review and assess 
the validity of the preliminary safety assessment and any flight hazard 
analysis throughout the operational lifecycle of the launch or reentry 
system. An operator would also need to have methods for updating the 
assessment or analysis, and to communicate the updates throughout its 
organization. For any flight hazard analysis, an operator would also 
have to have a process for tracking hazards, risks, mitigation and 
hazard control measures, and verification activities.
3. Configuration Management and Control
    Proposed Sec.  450.103(c) would lay out configuration management 
and control requirements. The FAA has chosen to consolidate 
configuration management and control requirements within the system 
safety program requirements. Requirements addressing configuration 
control were previously scattered throughout the regulations, including 
in Sec. Sec.  417.111(e), 417.123(e)(2), 417.303(e), and 417.407(c). 
Operators frequently make changes to their vehicles, such as new 
manufacturing techniques for a component or changes to the materials on 
key structures. Operators may also make operational changes such as new 
analysis techniques, automating processes that were previously 
conducted by personnel, or changing the surveillance techniques in 
hazard areas. These types of changes can have significant impacts on 
public safety.
    This proposal would require an operator to track configurations of 
all safety-critical systems and documentation, ensure the correct and 
appropriate versions of the systems and documentation are used, and 
maintain records of system configurations and versions used for each 
licensed activity. The FAA expects that an operator would design 
configuration management and control into its operations. The FAA also 
expects that an operator would provide the capability to both alert 
responsible individuals when key documentation must be updated and 
ensure that all stakeholders--internal and external to the launch 
operator's organization--are using current and accurate information.
4. Post-Flight Data Review
    Proposed Sec.  450.103(d) would require that an applicant conduct a 
post-flight data review. The proposed requirements in Sec.  450.103(d) 
are not explicitly contained in part 415, 417 or 431. However, it is 
industry practice to review post-flight data to address vehicle 
reliability and mission success, so any added burden from proposed 
Sec.  450.103(d) would be minimal. Operator review of post-flight data 
provides valuable safety information on future operations, particularly 
the identification of anomalies. At a minimum, proposed Sec.  
450.103(d)(1) would require that an operator employ a process for 
evaluating post-flight data to ensure consistency between the 
assumptions used for the preliminary safety assessment, any flight 
hazard or flight safety analysis, and associated mitigation and hazard 
control measures.
    Proposed Sec.  450.103(d)(2) would require that an operator resolve 
any inconsistencies identified in proposed Sec.  450.103(d)(1) prior to 
the next flight of the vehicle. The FAA expects that the operator would 
address any inconsistencies by updating analyses using the best 
available data for the upcoming mission, or documenting the rationale 
explaining how changes to the data inputs would not have an impact on 
the results of the analysis for a proposed mission. The FAA would add 
this requirement to ensure that the operator makes all appropriate 
updates to the analysis identifying all public safety impacts in order 
to avoid inconsistencies in future missions that could jeopardize 
public safety.
    Proposed Sec.  450.103(d)(3) would require that an operator 
identify any anomaly that may impact the flight hazard analysis, flight 
safety analysis, safety critical system, or is otherwise material to 
public safety and safety of property. An examination and understanding 
of launch or reentry vehicle system and subsystem anomalies throughout 
the lifecycle of the vehicle system can alert an operator of an 
impending mishap. An operator should review post-flight data to 
identify unexpected issues or critical systems that are operating 
outside of predicted limits. Flight safety systems are examples of 
safety-critical systems that could jeopardize public safety if they do 
not perform nominally.
    Proposed Sec.  450.103(d)(4) would require an operator to address 
any anomaly identified in proposed Sec.  450.103(d)(3). Prior to the 
next flight, an operator would be required to address each anomaly by, 
at a minimum, updating any flight hazard analysis, flight safety 
analysis, or safety critical system.
    The FAA seeks comment on whether proposed Sec.  450.103(d) would 
change an operator's approach to reviewing post-flight data.
5. Application Requirements
    Proposed Sec.  450.103(e) would set the system safety program 
application requirements. An applicant would be required to provide a 
summary of how it plans to satisfy the system safety program 
requirements. It is currently common practice for applicants to provide 
the FAA with a system safety program plan or documents containing the 
necessary information to determine compliance with the system safety 
program requirements in Sec.  431.35(c). A system safety program plan 
that covers the elements in Sec.  450.103(e) would satisfy the proposed 
application requirements. The FAA also recommends an applicant consult 
with the FAA during the development of its system safety program prior 
to implementation.
    With respect to the safety organization, an applicant would be 
required to describe the applicant's safety organization, identifying 
the applicant's lines of communication and approval authority, both 
internally and externally, for all public safety decisions and the 
provision of public safety services. In the past, many applicants have 
chosen to provide an organization chart depicting the safety 
organization. The FAA encourages the continuation of this practice. 
However, the applicant would be required to provide a sufficient 
narrative describing the organization, particularly the lines of 
communication. For example, if an engineer in the safety organization 
becomes aware of a hazard, the applicant should describe how that 
engineer would communicate that hazard to the safety official.
    An applicant would also be required to provide a summary of the 
processes and products identified in the system safety program 
requirements. The FAA expects that processes would be scalable based on 
the size of the operation or the potential public safety impacts of the 
proposed operation. For example, an

[[Page 15316]]

applicant with a dozen employees and a relatively small launch or 
reentry vehicle may use meetings or less formal ways to develop its 
preliminary hazard list. However, an applicant with a larger vehicle 
operating from multiple sites and hundreds of employees would need a 
more formal means of tracking information and developing the required 
analyses.

C. Preliminary Safety Assessment for Flight

    Under proposed Sec.  450.105 (Preliminary Safety Assessment for 
Flight), every operator would be required to conduct and document a 
preliminary safety assessment (PSA) for the flight of a launch or 
reentry vehicle. The PSA would identify operation-specific information 
relevant to public safety and would help the operator scope the 
analyses that must be conducted to ensure that the operation satisfies 
the public safety criteria in proposed Sec.  450.101. An operator could 
use the knowledge obtained from the PSA to identify the effect of 
design and operational decisions on public safety and thus determine 
potential hazard control strategies. The products of the PSA are 
consistent with products that are currently produced for preliminary 
flight safety analyses and preliminary system safety analyses. The PSA 
will allow operators to quickly identify and demonstrate the hazard 
control strategy appropriate for their proposed operation.
    The FAA intends the PSA to be a top-level assessment of the 
potential public safety impacts identifiable early in the design 
process. This assessment should be broad enough that minor changes in 
vehicle design or operations would not have a significant impact on, or 
invalidate the products produced by, the PSA. At the same time, the PSA 
should be detailed enough to identify the public safety and hazard 
control implications associated with key design trade studies. The FAA 
recommends that an operator perform an initial PSA at the outset of the 
design phase of a proposed operation. Thereafter, the operator should 
update the assessment as needed in accordance with the launch 
operator's established procedures to evaluate the complete operational 
lifecycle of a launch or reentry system. The results of the PSA would 
provide the operator with an appropriate hazard control strategy for 
its proposed operation.\62\
---------------------------------------------------------------------------

    \62\ As mentioned previously and discussed in greater detail in 
the next section, traditional hazard controls include physical 
containment, wind weighting, or flight abort.
---------------------------------------------------------------------------

    Under proposed Sec.  450.105(a), an acceptable PSA would identify 
at least the following key elements: (1) The vehicle response modes; 
(2) the types of hazards associated with the vehicle response modes; 
(3) the geographical area where the public may be exposed to a hazard; 
(4) the population of the public exposed to the hazard; (5) the 
CEC; (6) a preliminary hazard list which documents all 
causes of vehicle response modes that, excluding mitigation, have the 
capability to create a hazard to the public; (7) safety-critical 
systems; and (8) the timeline identifying all safety critical events. 
The FAA expects that an operator would use many of these PSA elements 
in subsequent analyses. For instance, population data, vehicle response 
modes, and the associated effects are part of a valid quantitative risk 
analysis. These items could also be useful for a flight hazard 
analysis.
    A vehicle response mode is a mutually exclusive scenario that 
characterizes foreseeable combinations of vehicle trajectory and debris 
generation. Examples include on-trajectory explosion, on-trajectory 
loss of thrust, and tumble turns. The types of hazards associated with 
any vehicle response mode can include inert and explosive debris, 
overpressure, and toxics. By understanding the potential vehicle 
response modes and the hazards associated with those vehicle response 
modes, an operator can then determine the geographical areas where the 
public may be exposed to a hazard. This information, along with the 
population of the public exposed to the hazard, would allow an operator 
to begin to characterize the potential risk during any particular phase 
of flight. Calculating CEC as discussed earlier, is 
important to understand the need for an FSS and its required 
reliability. All of these elements, which comprise Sec.  450.105(a)(1) 
through (5), are important to develop hazard control strategies.
    Proposed Sec.  450.105(a)(6) would require an operator to produce a 
preliminary hazard list. The operator would be required to review the 
operation to determine what hazards exist in order to generate the 
preliminary hazard list. This assessment is different from the 
quantitative risk analysis and is meant to give an operator an 
understanding of how public safety is affected at the subsystem or 
component level of the operation. An operator should use common system 
safety tools such as Fault Trees, Failure Modes and Effects Analyses 
(FMEA), safety panels, and engineering judgement to develop the 
preliminary hazard list.
    An operator should describe hazards in terms that identify each 
potential source of harm, the mechanism by which the harm may be 
caused, and the potential outcome if the harm were to remain 
unaddressed.\63\ The operator should ensure that the hazard is 
described in enough detail so that the safety critical personnel within 
the operator's organization would be able to review the hazard and 
easily ascertain the source, mechanism, and the public safety-related 
outcome of the hazard. In developing the preliminary hazard list, an 
operator would not be required to assess the risk associated with each 
hazard or potential mitigation measures. These items would be 
determined in the flight hazard analysis, if required, as discussed in 
the ``Flight Hazard Analysis'' section of this preamble.
---------------------------------------------------------------------------

    \63\ For example, a potential source of harm could be a leak in 
a rocket engine fuel system line caused by a manufacturing defect, 
overpressure, or improper installation. The mechanism for harm could 
be a fire resulting from that leak. The outcome could be loss of the 
vehicle with impact on population.
---------------------------------------------------------------------------

    When developing the preliminary hazard list, the operator would 
also be required to address items that are not specific to the vehicle 
hardware but necessary for the launch or reentry system. These items 
would include things like human factors, training, and other 
operational concerns.
    The FAA believes the preliminary hazard list is critical as the 
regulatory approach changes from narrowly prescribed methods to 
performance-based standards that focus on the applicant demonstrating 
safety through system safety management and engineering. As the 
industry moves toward to a more performance-based regime, there is a 
growing need for operators to produce the analyses specific to their 
unique operations in order to ensure public safety and detail the 
appropriate hazard mitigation strategies for their proposed operation. 
Additionally, an operator that makes changes to its operation could 
potentially move from a regulatory pathway that does not require a 
hazard analysis to one that does. The existence of a preliminary hazard 
list should alleviate some of the existing burdens on operators by 
requiring only those analyses necessary to ensure the safety of a 
particular operation.
    It would also more quickly facilitate analyses demonstrating public 
safety, thus creating the potential for operational changes closer to 
flight of the vehicle. For example, consider an operation where a 
flight hazard analysis

[[Page 15317]]

was unnecessary because of the use of an FSS under proposed Sec.  
450.145(a)(1). In that case, a change in FSS design, testing or 
qualification, or disabling the abort system during some phases of 
flight, could result in the need for a flight hazard analysis. Because 
the operator would be required to generate a preliminary hazard list, 
it would already have the initial step of the flight hazard analysis 
completed, excluding any impacts of the change. The operator would then 
be required to complete the final steps of the hazard analysis to 
complete its safety documentation.
    Proposed Sec.  450.105(a)(7) would require an operator to identify 
safety-critical systems. A safety critical system would be a system 
that is essential to safe performance or operation. A safety-critical 
system, subsystem, component, condition, event, operation, process, or 
item, is one whose proper recognition, control, performance, or 
tolerance, is essential to ensuring public safety. It is important for 
an operator to clearly identify safety critical systems because many 
requirements in proposed part 450 relate to these systems.
    Proposed Sec.  450.105(a)(8) would require an operator to identify 
a timeline identifying all safety critical events. This timeline is 
important to identify the potential public safety consequences during 
any particular phase of flight.
    Proposed Sec.  450.105(b) would set the PSA application 
requirements. The applicant would be required to provide the results of 
the preliminary safety assessment in its application. The applicant 
would be required to provide information for every requirement listed 
under Sec.  450.105(a). These application requirements are consistent 
with those currently in part 431. Although these specific system safety 
requirements would be new for ELV operators, the FAA does not expect 
they would add a substantial burden given that part 417 operators were 
performing similar work, albeit not under the system management 
umbrella. ELV operators must already identify vehicle failure modes; 
debris, toxics, distant-focusing overpressure, and other hazards; 
geographical containment and overflight trajectories; consequences that 
determine flight limits; and all safety critical systems and events. 
The PSA codifies these concerns as primary to safety and the 
development of hazard control strategies and requires all vehicle 
operators to document such considerations.
    Development of the PSA would allow the operator to determine 
whether they must perform a flight hazard analysis. The operator would 
be required to assess each phase of flight to determine how public 
safety hazards are mitigated. If there is a phase of flight where all 
identified public safety hazards are not mitigated using physical 
containment, wind weighting, or flight abort, the operator would be 
required to perform a flight hazard analysis, discussed later in this 
preamble, for that particular phase of flight.

D. Hazard Control Strategy

    Proposed Sec.  450.107 (Hazard Control Strategies) would provide 
options for hazard control strategies that an operator could use to 
meet the public safety criteria in proposed Sec.  450.101 for each 
phase of a launch or reentry vehicle's flight. An operator could use 
physical containment, wind weighting, or flight abort and would not be 
required to conduct a flight hazard analysis. Alternatively, an 
operator could conduct a flight hazard analysis to derive hazard 
controls. As part of its application, an operator would be required to 
identify the selected hazard control strategy for each phase of flight.
    The use of a flight hazard analysis to derive hazard controls 
provides the most flexibility of any of the hazard control strategies. 
The ARC recommended this approach and stated that the system safety 
process should be used to identify hazards and develop control 
strategies, which would then be verified by means of flight safety 
analysis and relevant operational constraints and means of meeting 
those constraints.\64\ In certain circumstances, however, historical 
methods may also provide an acceptable level of safety. If the public 
safety hazards identified in the preliminary safety assessment can be 
mitigated adequately to meet the public safety requirements of proposed 
Sec.  450.101 using physical containment, wind weighting, or flight 
abort with a highly reliable FSS, an operator would not need to conduct 
a flight hazard analysis for that phase of flight. This proposal is 
different than current regulations, where the option of conducting a 
hazard analysis to derive hazard controls is only available to reusable 
launch vehicles. Under proposed part 450, the option to use a flight 
hazard analysis would not rest on whether a vehicle is expendable or 
reusable.
---------------------------------------------------------------------------

    \64\ ARC Report at p. 10.
---------------------------------------------------------------------------

    Under proposed Sec.  450.107(b), an operator could use physical 
containment to satisfy the public safety requirements of proposed Sec.  
450.101 when an operator's launch vehicle does not have sufficient 
energy for any hazards associated with its flight to reach an area 
where it exposes the public or critical assets to a hazard. These 
launches can take place from any launch site, depending on the size of 
the launch vehicle, the expected trajectory, and other factors. The 
more remote a launch site is, the greater its capacity to accommodate a 
launch using physical containment.
    This approach is consistent with current practice because the FAA 
has always accepted a demonstration of physical containment as a means 
of satisfying risk requirements. The use of physical containment as a 
hazard control strategy is the easiest way to meet the public safety 
requirements of proposed Sec.  450.101 and may, in a remote location, 
involve a simple showing that the maximum distance vehicle hazards can 
reach defines an area that is unpopulated and does not contain any 
critical assets. Because physical containment precludes the need for an 
FSS, an operator would not be required to meet any requirements 
relevant to an FSS. If an operator shows its vehicle does not have 
sufficient energy for any of its associated hazards to reach outside 
the flight hazard area, the operator would not have to perform a flight 
hazard analysis. Further, many other requirements would be either not 
applicable or easily met. Because physical containment may also involve 
visitor control, wind constraints, real-time toxic analysis, and other 
mitigation measures, the FAA would require an operator to apply other 
mitigation measures to ensure no public exposure to hazards, as agreed 
to by the Administrator on a case-by-case basis.
    Under proposed Sec.  450.107(c), an operator could use wind 
weighting to satisfy the public safety requirements of proposed Sec.  
450.101 when an operator uses launcher elevation and azimuth settings 
to correct for wind effects that an unguided suborbital launch vehicle, 
typically called a sounding rocket, would experience during flight. Due 
to its relative simplicity and effectiveness, wind weighting has 
historically been used by NASA, the Department of Defense, and 
commercial operators as the primary method to ensure public safety for 
the launch of a sounding rocket. This approach is currently codified in 
part 417. Under part 431, an operator can use wind weighting as an 
acceptable hazard mitigation measure determined through the system 
safety process. Under proposed part 450, an operator launching a 
sounding rocket could use wind weighting or it could propose other 
hazard controls in its application through a flight hazard analysis. 
The specific wind weighting requirements are discussed in the

[[Page 15318]]

``Additional Technical Justification and Rationale'' section.
    Under proposed Sec.  450.107(d), an operator could use flight abort 
to satisfy the public safety requirements of proposed Sec.  450.101 
when an operator limits or restricts the hazards to the public or 
critical assets presented by a launch vehicle or reentry vehicle, 
including any payload, while in flight by initiating and accomplishing 
a controlled ending to vehicle flight, when necessary. This is 
discussed in more detail in the ``Flight Abort'' section.
    If the public safety hazards identified in the preliminary safety 
assessment cannot be mitigated adequately to meet the public risk 
criteria of proposed Sec.  450.101 using physical containment, wind 
weighting, or flight abort, an operator would be required to conduct a 
flight hazard analysis in accordance with proposed Sec.  450.109 
(Flight Hazard Analysis) to derive hazard controls for that phase of 
flight. The use of a flight hazard analysis to derive hazard controls 
is the primary approach used in current parts 431, 435, and 437. The 
FAA has previously required the use of a flight hazard analysis for 
reentry, for the captive carry portion of an air-launched vehicle, and 
for piloted suborbital vehicles. A detailed discussion of flight hazard 
analysis is included later in this preamble.
    In its application, an applicant would be required to describe its 
hazard control strategy for each phase of flight. An applicant may 
elect to use different hazard control strategies for different phases 
of flight, depending on risks associated with those phases. For 
example, an applicant using an air-launched system might use a flight 
hazard analysis during the captive carry phase of flight, and flight 
abort during the rocket-powered phase of flight. Additionally, if using 
physical containment as a hazard control strategy, an applicant would 
be required to demonstrate that the launch vehicle does not have 
sufficient energy for any hazards associated with its flight to reach 
outside the flight hazard area. The applicant would also be required to 
describe the methods used to ensure that flight hazard areas are 
cleared of the public and critical assets.

E. Flight Abort

    As discussed earlier, flight abort is a hazard control strategy to 
limit or restrict the hazards to the public or critical assets 
presented by a launch vehicle or reentry vehicle, including any 
payload, while in flight. Flight abort is a controlled ending to 
vehicle flight and is initiated by an operator when ending flight poses 
less risk to public safety and the safety of property than continued 
flight without a safety intervention. Flight abort is the primary 
hazard control strategy used today for orbital expendable launch 
vehicles under part 417, and under Air Force and NASA launch range 
requirements.
    The FAA proposes to require this approach, with a reliable FSS, 
only when certain conditional risks are present. Specifically, proposed 
Sec.  450.101(c) would require an operator to use flight abort with an 
FSS that meets the requirements of Sec.  450.145 as a hazard control 
strategy if the consequence of any reasonably foreseeable vehicle 
response mode, in any one-second period of flight, is greater than 1 x 
10^-3 conditional expected casualties for uncontrolled 
areas.\65\ The basis for this number is discussed in the ``Consequence 
Protection Criteria for Flight Abort and Flight Safety System'' 
section. Under this test, a typical orbital launch from the Air Force 
Eastern and Western ranges would require an FSS capable of initiating 
flight abort. Small orbital launch vehicles launched from more remote 
locations, however, would not normally be required to use flight abort 
as a hazard control strategy. The FAA seeks comment on this approach.
---------------------------------------------------------------------------

    \65\ The proposed requirement to use flight abort as a hazard 
control strategy is less restrictive than Sec.  417.107(a), which 
requires a launch operator to use an FSS in the vicinity of the 
launch site if any hazard from a launch vehicle, vehicle component, 
or payload can reach any protected area at any time during flight, 
or if a failure of the launch vehicle would have a high consequence 
to the public.
---------------------------------------------------------------------------

    To implement flight abort as a hazard control strategy, an operator 
would establish flight safety limits and gates in accordance with 
proposed Sec. Sec.  450.123 (Flight Safety Limits Analysis) and 
450.125, establish flight abort rules in accordance with Sec.  450.165 
(Flight Safety Rules), and employ an FSS in accordance with Sec.  
450.145 and software in accordance with Sec.  450.111.
    Flight abort as a hazard control strategy can be used by an 
operator, even if it is not required under Sec.  450.101(c), as a 
hazard mitigation measure derived from the flight hazard analysis. For 
example, a piloted vehicle with low conditional expected casualty 
during powered flight may use an FSS in combination with other 
measures, such as propellant dumping, to keep vehicle hazards from 
reaching a populated area.
1. Flight Safety Limits and Uncontrolled Areas
    An operator would have to identify the location of uncontrolled 
areas and establish flight safety limits that define when an operator 
must initiate flight abort to:
     Prevent debris capable of causing a casualty from 
impacting in uncontrolled areas if the vehicle is outside the limits of 
a useful mission, and
     Ensure compliance with the public safety criteria of Sec.  
450.101.
    The FAA would define debris capable of causing a casualty with 
kinetic energy or other thresholds as will be discussed later. The 
public safety criteria that would go into determining flight safety 
limits would be collective risk, individual risk, risk to critical 
assets, and conditional risk. An uncontrolled area would be an area of 
land not controlled by a launch or reentry operator, a launch or 
reentry site operator, an adjacent site operator, or other entity by 
agreement. Under current regulations, these areas are referred to as 
``protected areas.'' Importantly, as discussed earlier, the conditional 
risk criteria would not apply to controlled areas, which are areas that 
are controlled by any of the entities listed earlier, because by 
exercising control over these areas the entity would have a greater 
ability to ensure that catastrophic risk is mitigated by other means.
    In addition to establishing flight safety limits, an operator would 
establish gates, if the vehicle would need to overfly a landmass during 
its flight. A gate is an opening in a flight safety limit through which 
a vehicle may fly, provided the vehicle meets certain pre-defined 
conditions such that the vehicle performance indicates an ability to 
continue safe flight. If the vehicle fails to meet the required 
conditions to pass a gate, then flight abort would occur at the flight 
safety limit. In other words, the gate would be closed.
    Flight safety limits and gates are discussed in greater detail 
later in this preamble.
2. Flight Abort Rules
    An operator would identify the conditions under which the FSS, 
including the functions of any flight abort crew, must abort the flight 
to ensure compliance with Sec.  450.101. An operator would be required 
to abort a flight if a flight safety limit is violated, or if some 
condition exists that could lead to a violation, such as a compromised 
FSS or loss of data.
    Flight abort rules are discussed in greater detail later in this 
preamble.
3. Flight Safety System
    To enable flight abort, an operator must use an FSS. An FSS is an 
integral

[[Page 15319]]

part of positive control of a launch or reentry vehicle because it 
allows an operator to destroy the vehicle, terminate thrust, or 
otherwise achieve flight abort to limit or restrict the hazards to 
public health and safety and the safety of property presented by a 
vehicle while in flight. Traditional FSSs are comprised of an onboard 
flight termination system, a ground-based command and control system, 
and tracking and telemetry systems. Historically, the flight safety 
crew monitoring the course of a vehicle would send a command to the 
vehicle to terminate flight if the vehicle violated a flight abort 
rule. Recently, operators are favoring autonomous FSSs, negating the 
need for a ground-based command and control system or flight abort 
crew.
    As discussed earlier, the CEC would establish whether an 
FSS is required, and if so, its reliability.
     If the consequence of any vehicle response mode is 1 x 
10^-2 conditional expected casualties or greater for 
uncontrolled areas, an operator would be required to employ an FSS with 
design reliability of 0.999 at 95 percent confidence and commensurate 
design, analysis, and testing; or
     If the consequence of any vehicle response mode is between 
1 x 10^-2 and 1 x 10^-3, an operator would be 
required to employ an FSS with a design reliability of 0.975 at 95 
percent confidence and commensurate design, analysis, and testing.
    Note that if the consequence of any vehicle response mode is less 
than 1 x 10^-3, the FAA would not require an FSS or mandate 
its reliability if an operator chooses to use one.
    Unlike part 417, the FAA would not propose specific design or 
testing requirements for an FSS. Instead, the FAA would accept 
specified government or industry standards as meeting the FSS 
reliability requirements. At this time, only one government standard 
would meet the requirement for a design reliability of 0.999 at 95 
percent confidence and commensurate design, analysis, and testing, and 
that is RCC 319.\66\
---------------------------------------------------------------------------

    \66\ RCC 319 can be found at https://www.wsmr.army.mil/RCCsite/Documents/319-14_Flight_Termination_Systems_Commonality_Standard/RCC_319-14_FTS_Commonality.pdf.
---------------------------------------------------------------------------

    The FSS requirements codified in part 417, including component 
performance requirements and acceptance and qualification testing, were 
originally written to align FAA launch licensing requirements with the 
Federal launch range standards in RCC 319. Like part 417, RCC 319 
requires qualification tests to demonstrate reliable operation in 
environments exceeding the expected operating environment for the 
system components, acceptance tests to demonstrate that the selected 
batch of components meets the requirements of the design 
specifications, and other preflight testing at the system or subsystem 
level to demonstrate functionality after installation.
    In the short term, the FAA expects individual applicants to create 
their own FSS requirements based on RCC 319 and have them approved as 
an accepted means of compliance by the FAA prior to application 
submittal. This would be akin to ``tailoring'' RCC 319, which is 
current practice at the Federal launch ranges. In the long run, the FAA 
expects the industry to develop voluntary consensus standards for FSSs, 
particularly for those FSSs that are only required to have a design 
reliability of 0.975 at 95 percent confidence. By removing detailed 
design and testing requirements from FAA regulations and relying on 
standards to meet reliability thresholds, the FAA would encourage 
innovation in flight abort. The FAA seeks comment on whether this 
approach would encourage innovation and more rapid evolution of FSS 
designs.

F. Flight Hazard Analysis

    Proposed Sec.  450.109 would require that an operator conduct and 
document a flight hazard analysis and continue to maintain the flight 
hazard analysis throughout the lifecycle of the launch or reentry 
system unless an operator uses proven hazard control strategies such as 
physical containment, wind weighting, or flight abort. At its most 
basic, a flight hazard analysis identifies all reasonably foreseeable 
hazards and the necessary measures to eliminate or mitigate that risk. 
A flight hazard analysis would be required only for those phases of 
flight for which the operator does not employ a traditional hazard 
control (e.g., physical containment). As noted earlier, the use of a 
flight hazard analysis to derive hazard controls would provide 
flexibility that does not currently exist under the prescriptive 
requirements in part 417 \67\ and is broadly consistent with the 
practice in parts 431 and 435.\68\
---------------------------------------------------------------------------

    \67\ The current ELV regulatory scheme in parts 415 and 417 
mitigates flight hazards for all launches by requiring a reliable 
FSS and prescriptive flight abort requirements.
    \68\ Current RLV and reentry vehicle regulations in parts 431 
and 435 do not specifically require a flight hazard analysis. 
However, Sec.  431.35(c) and (d) require a system safety process to 
identify hazards, assess the risks, and the elimination or 
mitigation of the risk. In practice, the FAA has interpreted this 
broad section to require a flight hazard analysis.
---------------------------------------------------------------------------

    Proposed Sec.  450.109(a) would require that an operator further 
refine the flight hazard list developed during the earlier PSA, 
including verifying the list of items identified in Sec.  450.109 and 
any new hazards identified since completing the PSA. A hazard is a real 
or potential condition that could lead to an unplanned event or series 
of events resulting in death, serious injury, or damage to or loss of 
equipment or property. The list of items in proposed Sec.  
450.109(a)(1) is a list of hazard categories that exist in all 
commercial space operations and must therefore be eliminated or 
mitigated to acceptable levels.
    After identifying and describing hazards, proposed Sec.  
450.109(a)(2) would require that an operator assess each hazard's 
likelihood and severity. This assessment would be used to establish 
mitigation priorities. The operator would then determine the severity 
of the specific potential hazardous condition with respect to public 
safety. An operator should determine the severity for a specific hazard 
by identifying the worst credible event that may result from the 
hazard. For example, if an operator identifies a hazard such as 
incorrect vehicle position data due to inertial measurement unit (IMU) 
drift leading to an off nominal trajectory, the operator would 
determine the public impact using the greatest off nominal vehicle 
trajectory and the worst credible public safety outcome. Meaning, if 
the vehicle would break up aerodynamically due to an off nominal 
trajectory caused by IMU drift, the operator should base its severity 
assessment on the debris event generated by the break up taking into 
account the population in the area. If the vehicle operates in a remote 
area the severity may be low; however, if the operation occurs within 
the reach of the population, the severity would be catastrophic.
    After severity and likelihood are assessed, proposed Sec.  
450.109(a)(3) would require that an operator ensure that any hazard 
that may cause a casualty is extremely remote, and any hazard that can 
cause major damage to public property or critical assets is remote. If 
a particular hazard source has been observed in a similar operation 
under similar conditions, it will be difficult to justify that the 
likelihood of the reoccurrence of the event will qualify as remote or 
extremely remote. This requirement is substantively the same as current 
practice under Sec.  431.35(c) and is specifically called out in Sec.  
437.55(a)(3) for experimental permits. Examples of suggested likelihood 
categories for remote and extremely remote are provided in FAA's 
Advisory Circular (AC) 437.55-1

[[Page 15320]]

``Hazard Analyses for the Launch or Reentry of a Reusable Suborbital 
Rocket Under an Experimental Permit'' as 1 x 10^-5 and 1 x 
10^-6, respectively.
    The operator would then need to identify and describe risk 
elimination and mitigation measures as required by proposed Sec.  
450.109(a)(4). The operator should always consider whether the risk 
mitigation measures introduce new hazards. This proposed section 
codifies current practice under the Sec.  431.35(c) broad system safety 
analysis requirement. Although not required, system safety standards 
and advisory material such as MIL-STD-882E, AC 437.55-1, and AC 431.35-
2A ``Reusable Launch and Reentry Vehicle System Safety Process'' 
recommend that operators develop risk elimination or mitigation 
approaches in the following order:
    1. Design for minimum risk. The first priority should be to 
eliminate hazards through appropriate design or operational 
choices.\69\ If an operator cannot eliminate a risk, it should minimize 
it through design or operational choices.
---------------------------------------------------------------------------

    \69\ An example of designing out risk to the public would be to 
operate in an unpopulated area.
---------------------------------------------------------------------------

    2. Incorporate safety devices. If an operator cannot eliminate 
hazards through design or operation selection, then an operator should 
reduce risks through the use of active or passive safety devices.\70\
---------------------------------------------------------------------------

    \70\ An example of an active safety device would be a computing 
system that automatically shuts down the rocket engine when a sensor 
detects high thrust chamber temperatures. A passive safety device 
might be a firewall to prevent a fire from reaching a pilot.
---------------------------------------------------------------------------

    3. Provide warning devices. When neither design nor safety devices 
can eliminate or adequately reduce identified risks, the operator 
should use a device to detect and warn of the hazardous condition to 
minimize the likelihood of inappropriate human reaction and 
response.\71\
---------------------------------------------------------------------------

    \71\ An example of a warning device would be an abort indicator 
such as a flashing light or a message on a cockpit instrument panel.
---------------------------------------------------------------------------

    4. Implement procedures and training. When it is impractical to 
eliminate risks through design or safety and warning devices, the 
operator should develop and implement procedures and training that 
mitigate the risks.\72\
---------------------------------------------------------------------------

    \72\ An example of risk mitigation procedures and training are 
abort procedures and rehearsals of those procedures.
---------------------------------------------------------------------------

    Proposed Sec.  450.109(a)(5) would require that the risk 
elimination and mitigation measures achieve the proposed risk levels in 
Sec.  450.109(a)(3) through verification and validation. Verification 
ensures the measures themselves are properly developed and implemented 
while validation ensures the measures will actually achieve the desired 
outcome. Verification takes place while developing the measures and 
validation after development and implementation. This requirement is 
substantively the same as current practice under Sec.  431.35(c). The 
acceptable methods of verifying safety measures are:
    1. Analysis: Technical or mathematical evaluation, mathematical 
models, simulations, algorithms, and circuit diagrams.
    2. Test: Actual operation to evaluate performance of system 
elements during ambient conditions or in operational environments at or 
above expected levels. These tests include functional tests and 
environmental tests.
    3. Demonstration: Actual operation of the system or subsystem under 
specified scenarios, often used to verify reliability, 
transportability, maintainability, serviceability, and human 
engineering factors.
    4. Inspection: Examination of hardware, software, or documentation 
to verify compliance of the feature with predetermined criteria.
    An operator could use methods separately or combine them depending 
on the feasibility of the methods and the maturity of the vehicle and 
operation.
    Proposed Sec.  450.109(b) would require that an applicant establish 
and document the criteria and techniques for identifying new hazards 
throughout the launch or reentry system lifecycle. Development, 
implementation, and continued operation of any system requires that 
changes be made throughout the lifecycle. Changes to the vehicle, 
especially to safety-critical systems and operations, can have 
significant impacts on public safety and will result in changes to the 
hazard analysis. Anomalies and failures can also identify unknown 
hazards. This requirement is substantively the same as the FAA's 
current practice under Sec.  431.35(c). Parts 415 and 417 do not have a 
flight hazard analysis requirement.
    Proposed Sec.  450.109(c) would require that the flight hazard 
analysis be updated and complete for every launch or reentry. In other 
words, the analysis must be applicable to the specific mission. A 
hazard analysis for a previous mission may be used only if the vehicle 
and operational details of the mission do not impact the validity of 
any aspect of the hazard analysis. The FAA has not prescribed the 
methodology that an operator must follow to ensure the accuracy of a 
flight hazard analyses. However, this item is key to ensuring that the 
operator is aware of the hazards in the proposed operation.
    Proposed Sec.  450.109(d) requires that an operator continually 
update the flight hazard analysis throughout the operational lifecycle 
of the launch or reentry system. This requirement is substantively the 
same as current FAA practice under Sec.  431.35(c).
    Proposed Sec.  450.109(e) establishes the flight hazard analysis 
application requirements. An applicant would be required to submit a 
flight hazard analysis in its application to provide the FAA with 
sufficient detail to evaluate the applicant's flight hazard analyses 
and its criteria and techniques for identifying new hazards throughout 
the lifecycle of the launch or reentry system. The FAA recommends that 
the applicant provide at a minimum a hazard table that provides a 
description of each hazard identified, associated severity and 
likelihood of each hazard, the mitigation measures identified for each 
hazard, and a summary of the validation and verification of each 
hazard. For hazards that require mitigation, the applicant would also 
be required to provide the data showing the verification of those 
mitigations measures. The FAA expects the results of any testing or 
analysis associated with the verification to be in a format that is 
easily understood by an experienced technical evaluator. For items 
verified by analysis, the applicant should provide the assumptions and 
methodology used to conduct the analyses if it is not easily understood 
by evaluating the results. These application requirements would not 
require more than the current practices under Sec.  431.35(c) and (d).

G. Computing Systems and Software Overview

    The FAA is proposing to address hazards associated with computing 
systems and software separate from flight hazard analysis. The FAA 
would consolidate all software safety requirements applicable to launch 
or reentry operations in a single section, in proposed Sec.  450.111 
(Computing Systems and Software).\73\ These proposed regulations 
address both software and how the software operates on the intended 
hardware and computing systems.\74\ While the FAA discusses

[[Page 15321]]

hardware requirements elsewhere under the safety-critical systems 
requirements, it is important to recognize that software safety cannot 
be evaluated outside of the computing system in which it operates.\75\ 
A computing system is a complete system made up of the central 
processing unit, memory, related electronics, and peripheral devices.
---------------------------------------------------------------------------

    \73\ For the purpose of this discussion, the phrase ``software 
safety requirements'' refers to software safety regulations and 
``software requirements'' refers to the specifications that define a 
software component's intended functionality.
    \74\ The FAA understands software to mean a combination of 
computer instructions and computer data that enables a computer to 
perform computational and control functions.
    \75\ Hardware is the collection of physical parts of a computer 
system, including memory storage devices, power sources, and 
processors that execute software.
---------------------------------------------------------------------------

    These proposed software safety requirements would streamline the 
software safety evaluation process by adding detail to the performance-
based requirements in the existing rules. The software safety 
requirements in the proposed rule are levied in proportion to the 
potential software hazards and the degree of control over those 
hazards.\76\ In other words, software safety requirements would 
increase in rigor with the rise in potential safety risks and degree of 
autonomy. Conversely, software safety requirements would decrease in 
rigor with reductions in the potential safety risk or degree of 
autonomy.\77\ This approach would codify existing FAA practice of 
modulating the stringency of review commensurate with the level of 
public risk. The FAA would also add more clarity to the software scaled 
requirements to guide applicants to appropriate and predictable 
engineering judgments when determining the proper depth and breadth of 
software development, analysis, and verification activities. The FAA 
expects these changes would enable innovation by setting predictable 
safety requirements based on knowable characteristics of new software 
systems and in proportion to the risks involved with the innovation. 
For a detailed discussion, please see the Additional Technical 
Justification and Rationale discussion later in the preamble.
---------------------------------------------------------------------------

    \76\ For the purpose of this rulemaking, software hazards are 
those hazardous conditions created by the execution of software, or 
for which software is used as a mitigation or control.
    \77\ The FAA uses the phrase ``level of rigor'' to describe the 
amount of precision and effort applied by an applicant to address 
the severity of a hazard and associated software autonomy.
---------------------------------------------------------------------------

H. Hybrid Launch Vehicles

    Hybrid vehicles are vehicles that have some characteristics of 
aircraft and other characteristics of traditional launch or reentry 
vehicles. This proposal would allow an operator to forego the use of 
flight abort as a hazard control strategy during certain phases of 
flight if the hybrid launch or reentry vehicle has a high demonstrated 
reliability during those phases of flight. The FAA would make these 
determinations on a case-by-case basis based on a vehicle's 
demonstrated reliability.
    The FAA may regulate hybrid vehicles under either the commercial 
space transportation or the civil aircraft regulations, depending on 
the operation. For a flight of a hybrid vehicle where a carrier 
aircraft has been modified to carry a rocket and the operator intends 
to ignite the rocket, the FAA considers the aircraft a component of the 
launch vehicle.\78\ The combination launch vehicle system is authorized 
solely by a vehicle operator license or experimental permit under Title 
51. The FAA currently authorizes the operation of hybrid vehicles using 
a license or permit for the entire mission from preflight ground 
activities through taxi, take off, flight, landing, wheel stop, and 
post-flight safing for all components of the combined launch vehicle 
system. The FAA has granted a license to hybrid vehicles such as the 
Stargazer/Pegasus, WhiteKnightOne/SpaceShipOne, WhiteKnightTwo/
SpaceShipTwo, and Cosmic Girl/LauncherOne combinations. In addition to 
carrier aircraft models, hybrid vehicles may also include future 
concepts such as a single vehicle with both air-breathing and rocket 
engines, winged launch or reentry vehicles, balloon-launched rockets, 
and other concepts that may have characteristics of both aviation and 
traditional launch or reentry vehicles.\79\ The FAA will work with 
applicants using hybrid vehicles during pre-application to identify the 
appropriate regulatory path. To date, the FAA has issued guidance in 
two legal interpretations on the process for determining whether 
flights or portions of flights of hybrid vehicles are regulated under 
title 49 or Title 51.\80\ As new hybrid concepts are unveiled, the FAA 
anticipates issuing additional guidance to assist operators.
---------------------------------------------------------------------------

    \78\ ``Chapter 509 applies when [a hybrid] system operates as a 
launch vehicle from the flight of the carrier aircraft, through 
ignition of the rocket, to the return and landing of the carrier 
aircraft and the suborbital rocket. For a mission that does not 
entail ignition of the rocket, the FAA's aviation statute and 
regulations apply.'' See Legal Interpretation to Pamela L. Meredith 
from Mark W. Bury (September 26, 2013).
    \79\ An example of a hybrid vehicle that does not use a carrier 
aircraft is the World View capsule. This capsule is not a rocket, 
but it meets the definition of a launch vehicle because it operates 
at an altitude where it needs to be designed, built, and tested to 
operate in outer space. See Legal Interpretation to Pamela L. 
Meredith from Mark W. Bury, September 26, 2013; (https://www.faa.gov/about/office_org/headquarters_offices/agc/practice_areas/regulations/interpretations/data/interps/2013/meredith-zuckertscoutt&rasenberger%20-%20(2013)%20legal%20interpretation.pdf). Similar to other hybrid 
vehicles, when not operating as a launch vehicle, World View will 
operate under the appropriate aviation provisions of title 49.
    \80\ Legal Interpretation to Kelvin B. Coleman from Lorelei 
Peter, July 23, 2018; (https://www.faa.gov/about/office_org/headquarters_offices/agc/practice_areas/regulations/interpretations/data/interps/2018/coleman-ast-1%20-%20(2018)%20legal%20interpretation.pdf); Legal Interpretation to 
Pamela L. Meredith from Mark W. Bury, Sept. 26, 2013; (https://www.faa.gov/about/office_org/headquarters_offices/agc/practice_areas/regulations/interpretations/data/interps/2013/meredith-zuckertscoutt&rasenberger%20-%20(2013)%20legal%20interpretation.pdf).
---------------------------------------------------------------------------

    The FAA has worked with and received input from industry on how to 
regulate hybrid vehicles. For instance, in 2017 and 2018, the FAA 
convened a Safety Risk Management (SRM) panel consisting of FAA and 
industry representatives to review and assess hazards associated with 
captive carry operations.\81\ The panel recommended dispensing with any 
aircraft hazard area requirement during the captive carry phase of 
flight for previously licensed hybrid vehicles with fixed-wing carrier 
aircraft. The ARC also recommended that the FAA set a different 
standard for hybrid vehicles, specifically that the FAA not require an 
FSA for operations where the agency has already considered impacts to 
public safety during the airworthiness certification process. 
Additionally, the ARC recommended that an operator only be required to 
conduct an FSA for those portions of flight when the hazardous 
configuration of the hybrid system differs from that approved under an 
experimental airworthiness certificate or equivalent authorization.
---------------------------------------------------------------------------

    \81\ The SRM panel members included FAA representatives from the 
Air Traffic Organization, Aviation Safety, and the Office of 
Commercial Space Transportation. The panel also included civil 
aviation and commercial space participants such as the Air Line 
Pilots Association, the National Air Traffic Controllers 
Association, Orbital ATK, Virgin Galactic, Virgin Orbit, and Mojave 
Air and Space Port.
---------------------------------------------------------------------------

    As discussed earlier, the FAA proposes to provide flexibility for 
certain phases of flight with respect to FSA (proposed Sec.  
450.113(a)(5)) and FSS (proposed Sec.  450.101(c)) requirements. This 
is consistent with the ARC's recommendation. The FAA recognizes that 
airworthiness certificates and licenses, when developed collaboratively 
between the Aviation Safety and Commercial Space Transportation lines 
of business, sufficiently protect the public. In these cases, the FAA 
would include a license term and condition for a current airworthiness 
certificate. Specifically, the license would impose terms and 
conditions such as compliance with certain part 91 (General Operating 
and

[[Page 15322]]

Flight Rules) requirements and airworthiness operating limitations, not 
including any restrictions on compensation or hire. This blended 
approach of combining airworthiness with part 450's system safety 
requirements would ensure public safety without the need for an FSA.
    This proposal would reduce FSA, CEC, and FSS 
requirements for phases of flight such as the captive carry phase, the 
carrier-vehicle-alone phase, and any rocket component glide back. The 
captive carry phase of flight starts when the carrier vehicle takes off 
carrying the rocket aloft and transports it to the rocket release 
location. The carrier-vehicle-alone phase starts when the carrier 
vehicle releases the rocket, and includes all flight activities in 
support of the mission until the carrier vehicle lands and is safed. 
During the carrier-vehicle-alone phase, the rocket component is 
conducting its rocket-powered and coast phases. The rocket coast phase 
occurs immediately after the rocket engine shuts down, and is not 
considered an aviation-like glide phase because the pilot does not have 
significant control authority over the instantaneous impact point (the 
predicted impact point following thrust termination of a vehicle). For 
returning rockets, there may be a glide phase which begins at a point 
to be determined on a case-by-case basis after the vehicle completes 
any reconfiguration necessary and demonstrates non-rocket powered 
control authority and ends when the vehicle lands.
    The FAA would work with hybrid vehicle applicants during pre-
application consultation to determine the applicability of FSA, 
CEC, and FSS requirements. For example, the FAA might 
determine the quantitative FSA requirement for those portions of a 
mission where the vehicle operates as a civil aviation aircraft 
governed by civil aviation regulations (as incorporated into the 
license) is unnecessary because the vehicle has demonstrated 
reliability during that phase as indicated by the issuance of an 
airworthiness certificate. Thus, an applicant would not have to conduct 
the quantitative FSA for the aircraft-like controllable phases of 
flight, such as the captive carry phase or for phases with non-rocket 
powered or glide phases previously authorized under an airworthiness 
certificate. This would not normally be the case during the rocket-
powered, coast, reentry, or glide back phases of flight that are unique 
to space flight. All other regulatory requirements, including system 
safety requirements, would apply to the entire mission. Due to the 
unknown operating characteristics of future hybrid vehicles, the FAA is 
not proposing to provide a blanket FSA exemption for all hybrid 
systems.

I. Flight Safety Analysis Overview

    For purposes of this proposed rule, a flight safety analysis 
consists of a set of quantitative analyses used to determine flight 
commit criteria, flight abort rules, flight hazard areas, and other 
mitigation measures, and to verify compliance with the public safety 
criteria in proposed Sec.  450.101. The FAA proposes 15 sections for 
flight safety analysis. The analyses are described here briefly because 
of their overall importance to the regulation and are discussed in 
greater detail in the ``Additional Technical Justification and 
Rationale'' section. Furthermore, the FAA plans to publish updated ACs 
and guidelines to describe acceptable means to conduct these analyses.
    The first two sections for FSA would outline the scope, 
applicability, and methods for conducting FSAs:
    1. Flight Safety Analysis Requirements--Scope and Applicability 
(Sec.  450.113). This section would establish the portions of flight 
for which an operator would be required to perform and document an FSA 
and would identify the analyses required for each type of operation.
    2. Flight Safety Analysis Methods (Sec.  450.115). This section 
would set methodology requirements for FSAs, including level of 
fidelity.
    Three sections would require fundamental flight safety analyses:
    1. Trajectory Analysis for Normal Flight (Sec.  450.117). All the 
FSAs depend on some form of analysis of the trajectory under normal 
conditions, referred to as a normal trajectory.
    2. Trajectory Analysis for Malfunction Flight (Sec.  450.119). A 
malfunction trajectory analysis is necessary to determine how far a 
vehicle can deviate from its normal flight path in case of a 
malfunction. This analysis helps determine impact points in case of a 
malfunction and is therefore a vital input for the analyses needed to 
demonstrate compliance with risk criteria.
    3. Debris Analysis (Sec.  450.121). A debris analysis is necessary 
to characterize the debris generated in various failure scenarios, 
including those that could produce an intact vehicle impact.
    Four analyses would produce information necessary to implement 
flight abort as a hazard control strategy:
    1. Flight Safety Limits Analysis (Sec.  450.123). A flight safety 
limit analysis is necessary to identify uncontrolled areas and 
establish flight safety limits that define when an operator must 
initiate flight abort to (1) ensure compliance with the public safety 
criteria of proposed Sec.  450.101, and (2) prevent debris capable of 
causing a casualty from impacting in uncontrolled areas if the vehicle 
is outside the limits of a useful mission.
    2. Gate Analysis (Sec.  450.125). A gate analysis is necessary to 
determine necessary openings in a flight safety limit through which a 
vehicle may fly, provided the vehicle meets certain pre-defined 
conditions indicating an ability to continue safe flight.
    3. Data Loss Flight Time and Planned Safe Flight State Analyses 
(Sec.  450.127). A data loss flight time analysis is necessary to 
establish when an operator must abort a flight following the loss of 
vehicle tracking information. A planned safe flight state analysis is 
necessary to determine when an FSS is no longer necessary.
    4. Time Delay Analysis (Sec.  450.129). A time delay analysis is 
necessary to establish the mean elapsed time between the violation of a 
flight abort rule and the time when the flight safety system is capable 
of aborting flight for use in establishing flight safety limits.
    One section addresses probability of failure analysis:
    1. Probability of Failure Analysis (Sec.  450.131). During any 
particular flight or phase of flight, an estimated probability of 
failure, and how that probability is allocated across flight time and 
vehicle response mode, is necessary to support the determination of 
hazard areas and risk.
    One section addresses the determination of flight hazard areas:
    1. Flight Hazard Area Analysis (Sec.  450.133). This analysis is 
necessary to determine any region of land, sea, or air that must be 
surveyed, publicized, controlled, or evacuated in order to protect the 
public health and safety, and safety of property.
    Three sections would be necessary to determine whether risk 
criteria are met for different types of hazards:
    1. Debris Risk Analysis (Sec.  450.135). A debris risk analysis is 
necessary to determine whether the individual and collective risks of 
public casualties, due to inert and explosive debris hazards meets 
public safety criteria.
    2. Far-field Overpressure Blast Effects Analysis (Sec.  450.137). 
This analysis is necessary to determine whether the potential public 
hazard from broken windows as a result of impacting explosive debris, 
including impact of an intact launch vehicle, meets public safety 
criteria.

[[Page 15323]]

    3. Toxic Hazards for Flight (Sec.  450.139). This analysis is 
necessary to determine whether hazards associated with toxic release 
meet public safety criteria.
    Lastly, one section is necessary for the launch of an unguided 
suborbital launch vehicle using wind weighting as a hazard control 
strategy. A launch vehicle using other mitigations would not be 
required to conduct this analysis:
    1. Wind Weighting for the Flight of an Unguided Suborbital Launch 
Vehicle (Sec.  450.141). This section would outline a wind weighting 
analysis that is required to ensure that the launch of an unguided 
suborbital launch vehicle using wind weighting as a hazard control 
strategy meets public safety criteria.

J. Safety-Critical Systems

1. Safety-Critical Systems Design, Test, and Documentation
    The FAA proposes to consolidate the design, test, and documentation 
requirements for safety-critical components in proposed Sec.  450.143 
(Safety-Critical System Design, Test, and Documentation). A common set 
of requirements is needed for clarity and consistency.
    Safety-critical systems or components include those systems or 
components whose performance is essential to ensuring public safety. 
Historically, the FAA has considered the FSS to be the only safety-
critical system on an ELV. For RLVs and reentry vehicles, the use of a 
systematic, logical, and disciplined system safety process is meant to 
identify safety-critical systems and the extent of prudent operational 
controls.\82\ If a system failure would cause any hazards and those 
hazards could reach a populated area, then the system is likely a 
safety-critical system. Generally, RLV operators incorporate FSSs, 
although they may also incorporate other safety-critical elements of 
risk mitigation and hazard control. Non-RLV reentry vehicles also 
require a thorough system safety process to identify safety-critical 
hardware.
---------------------------------------------------------------------------

    \82\ Some of the more commonly used methodologies include 
Preliminary Hazard Lists (PHL), Preliminary Hazard Analyses (PHA), 
Event Tree Analyses (ETA), Fault Tree Analyses (FTA), FMEAs, and 
FMECAs. Generally, these methodologies help operators determine 
whether a system failure could cause a loss of vehicle control, a 
vehicle breakup or other creation of uncontrolled debris, a 
discharge of hazardous material, or would prevent safe landing.
---------------------------------------------------------------------------

    The current rules for ELV, RLV, and reentry vehicle safety-critical 
systems are quite different. However, in practice, the evaluation of 
the safety of such systems is very similar. Parts 415 and 417 require 
ELVs to have very reliable hazard-constraining FSSs that ensure public 
safety. These FSSs are subject to design requirements, extensive design 
qualification testing, and acceptance testing of all components. RLVs 
and reentry vehicles are required to undergo a comprehensive system 
safety engineering process that, in part, identifies and eliminates 
hazards to reduce the associated risk to acceptable levels by defining 
safety-critical systems and identifying associated hazards and risks. 
Under system safety, an operator develops design-level safety 
requirements and provides evidence for verification and validation of 
safety-critical systems and requirements. For safety-critical systems 
this serves the purpose of design qualification and acceptance. Given 
that RLVs are built to experience multiple flights, the lifecycle \83\ 
of safety-critical systems must also be considered as part of the 
design, testing, and documentation.
---------------------------------------------------------------------------

    \83\ Many operators seek to refurbish or otherwise reuse safety-
critical systems for multiple flights. Operators must design, test, 
and document safety-critical systems to demonstrate their safety-
critical systems can continue to operate reliably throughout the 
component life in all predicted operating environments.
---------------------------------------------------------------------------

i. Current Qualification and Acceptance Testing Requirements
    Qualification testing is an assessment of a prototype or other 
structural article to verify the structural integrity of a design. 
Generally, qualification testing involves testing the design under a 
number of different environmental factors to stress the design, with a 
multiplying factor applied to the expected environmental testing limit. 
This qualification testing is conducted for temperatures, tensile 
loads, handling shocks, and other expected environmental stressors.
    Unlike qualification testing that is performed on qualification 
units, acceptance testing is performance testing conducted on the 
actual hardware to be used on a vehicle after the completion of the 
manufacturing process. Generally, acceptance tests are performed on 
each article of the safety-critical flight hardware to verify that it 
is free of defects, free of integration and workmanship errors, and 
ready for operational use. Acceptance testing includes testing for 
defects, along with environmental testing similar to the qualification 
testing described earlier.
    For ELVs, qualification and acceptance testing are important 
verification of the reliability of all FSSs at the subsystem and 
component level, and ensures the safe operability of the only safety-
critical system on any given ELV. For ELVs, current qualification and 
acceptance testing requirements and procedures for FSS subsystems and 
components are listed in Sec. Sec.  417.305, 417.307, and appendix E of 
part 417 (E417). As FSSs are the only safety-critical systems on 
traditional ELVs, the component-level testing requirements in part 417 
describe the testing of specific possible components in great detail, 
going so far as to differentiate testing requirements for silver-zinc 
batteries in E417.21 from nickel-cadmium batteries in E417.22. While 
the FAA has approved alternative FSSs, the prescription level of the 
current requirements discourages significant innovation.
    The same emphasis on validation of design and verification of 
hardware tolerances applies to components that have been identified as 
safety-critical during a system safety process. For RLVs and reentry 
vehicles, a system safety process is required by Sec.  431.35(c).\84\ 
Under the system safety process, a vehicle designer must assess nominal 
and non-nominal flight scenarios of the vehicle and must account for 
any possible safety-critical system failures during flight that could 
result in a casualty to the public. Those vehicle operators are 
required, by Sec.  431.35(d)(3), to identify all safety-critical 
systems and are required by Sec.  431.35(d)(7) to demonstrate the risk 
elimination in relation to those safety-critical systems. While not 
explicitly called out in the current part 431 or 435, qualification and 
acceptance testing are the widely accepted standards for demonstrating 
that safety-critical systems, subsystems, and components are not at 
risk of failing during flight.
---------------------------------------------------------------------------

    \84\ Section 431.35(c) is required for reentry vehicles by Sec.  
435.33.
---------------------------------------------------------------------------

    Current regulations are undefined with respect to the applicability 
of qualification and testing of safety-critical components that are not 
listed in Sec. Sec.  417.301(b), 417.305 and 417.307, or appendix E of 
part 417. The regulations are similarly ambiguous if the vehicle does 
not have a traditional FSS but still has components that are considered 
safety-critical, like many vehicles licensed under part 431. This 
ambiguity has led to regulatory uncertainty, which in turn has resulted 
in lengthy exchanges between the FAA and license applicants about what 
components and systems needed to be tested, what testing would be 
acceptable to the FAA, and why that testing was necessary to be 
compliant. Testing is currently generally required for safety-critical 
systems across all vehicle types, either explicitly or as verification 
and validation in the

[[Page 15324]]

system safety process, but this is often not well-reflected in the 
current regulations. As a result, applicants often are confused by 
qualification testing requirements asserted by the FAA for RLVs when 
there are no explicit qualification testing requirements in part 431.
ii. Current Fault Tolerance Requirements
    Fault-tolerance is the idea that a system must be designed so that 
it is able to perform its function in the event of a failure of one or 
more of its components. In a fault-tolerant design of a safety-critical 
system, no single credible fault should be capable of increasing the 
risk to public safety beyond that of a nominal operation. Typically, a 
fault-tolerant design applies redundancy or a system of safety barriers 
to ensure the system can function, though perhaps with reduced 
performance. An example of a fault-tolerant design is an aircraft with 
multiple engines that can continue flying even if one of the engines 
fails.
    The current part 417 regulations cover fault-tolerant design of FSS 
components as a set of explicit prescriptive requirements. For 
instance, Sec.  417.303(d) specifically lists fault-tolerance as a 
requirement of an FSS command control system design, requiring that no 
single failure point be able to inhibit the system's function or 
inadvertently transmit a flight termination command. An operator must 
demonstrate that the command system, in accordance with Sec.  
417.309(c), is fault tolerant through analysis, identification of 
possible failure modes, implementation of redundant systems or other 
mitigation measures, and verification that the mitigation measures will 
not fail simultaneously. Appendix D of part 417 (section D417.5) 
further details single fault tolerance and prescribes redundancy of 
command strings that are structurally, electrically, and mechanically 
separated to ensure that any failure that would damage, destroy, or 
otherwise inhibit the operation of one redundant component would not 
inhibit the operation of the other redundant component.
    The current ELV regulations are prescriptive and often dictate 
specific implementations of fault-tolerance where other forms may be 
adequate. For instance, a fail-safe approach has been used in the 
rationale of past applicants that use thrust termination systems to 
protect public safety. A fail-safe design is a system that can fail in 
a controlled way, such that the failure will still ensure public 
safety, like elevator brakes held open by the tension of the elevator 
cable such that if the cable snaps the brakes engage and stop the 
elevator from falling. The FAA has granted waivers to the redundancy 
requirement of section D417.5(c) for fail-safe safety-critical systems 
that have been integrated in such a way that a loss of power to that 
system would result in direct thrust termination of the launch vehicle 
though deactivation of normally-closed valves. Also, ELOS 
determinations have been issued for flight termination receivers that 
have fail-safe commands that are issued on signal loss because the 
failure of the system automatically results in termination of the 
flight and the constraint of flight hazards. Less prescriptive fault-
tolerant design regulations could enable such designs instead of 
requiring waivers or ELOS determinations.
    Operations licensed under parts 431 and 435 may not have 
traditional FSSs, but the need for fault-tolerance is implicitly 
derived from the system safety process of Sec.  431.35(c) and (d), as 
it is often a necessary control for an identified hazard. The FAA views 
fault-tolerance as a necessary characteristic of any reliable system.
    The current fault tolerance provisions lack clarity in the scope of 
their applicability to RLVs and reentry vehicles because they are 
implicit in the system safety processes of hazard identification and 
mitigation. As with the testing requirements, a lack of regulatory 
clarity is detrimental to both applicants and the FAA, leading to 
confusion, a drawn-out application acceptance process, and lengthy 
discussions to arrive at a clear understanding of how fault tolerance 
is applicable to a proposed operation.
iii. Current Reuse Requirements
    Safety-critical FSSs of ELVs generally undergo a single flight. 
Therefore, very little life-cycle planning is required for them unless 
an operator seeks to reuse certain safety-critical components. However, 
ELV operators must still account for environments that the FSS is 
expected to encounter throughout the lifecycle of the system, including 
storage, transportation, installation, and flight, which generally are 
built into qualification and acceptance testing levels. Lifecycle 
planning is a more significant concern for reusable safety-critical 
systems because near-total reuse is an expected part of their 
operation.
    Current parts 415 and 417 contain requirements for the reuse of ELV 
FSS components. To be a licensed ELV operator, an applicant must submit 
to the FAA any reuse qualification testing, refurbishment, and 
acceptance testing plans, in accordance with Sec.  415.129(f). Those 
test plans must show that any FSS component is still capable of 
performing as required when subjected to the qualification test 
environmental levels plus the total number of exposures to the maximum 
expected environmental levels for each of the flights to be flown. 
Previously flown FSSs must also abide by Sec.  E417.13(a)(3), and the 
components must undergo one or more reuse acceptance tests before each 
flight to demonstrate that the component still satisfies all its 
performance specifications when subjected to each maximum predicted 
environment. Additionally, tests for reuse must compare performance 
measurements to all previous tests to ensure no trends emerge that 
indicate performance degradation in the component that could prevent 
the component from satisfying all its performance specifications during 
flight. As the lines have blurred between ELVs with significantly 
reusable safety-critical systems and RLVs, these requirements still 
contain good safety policy, but they are constrained by their limited 
coverage of only traditional FSSs.
    While operations licensed under part 431 are focused on RLVs, 
neither part 431 nor part 435 contain any explicit requirements placed 
on reuse. Like all other aspects of safety-critical system 
requirements, reuse under these parts is governed by the system safety 
process of Sec.  431.35. Safety-critical systems that do not account 
for expected lifecycle, refurbishment, and reuse do not adequately meet 
the hazard identification and risk mitigation of the system safety 
requirements. Implicit in the system safety requirements, commensurate 
testing is required to demonstrate that the planned lifecycle 
performance remains accurate. Reuse of safety-critical components is a 
potential hazard that needs to be mitigated.
    Reuse induces stress on components and systems that can degrade 
operational performance if not accounted for in design and testing. 
Additionally, ``reuse'' implies multiple uses of a component after its 
initial intended lifetime or outside of its initial intended operating 
environments. Based on industry best practices, intended use and 
lifetime should be designed into components initially; qualification 
and acceptance testing should be based on predicted operating 
environments that encompass the entire lifetime of a system; and 
lifecycle management practices should be used to refine initial 
predictions. The current lack of a clear, unified, and simple 
requirement that explicitly covers reuse for all safety-critical 
systems leads to prescriptive

[[Page 15325]]

constraints on ELV operators and regulatory confusion for RLV and 
reentry operators who are unfamiliar with the implicit requirements of 
a system safety process.
iv. Consolidation of Design, Test and Documentation Requirements
    The FAA proposes to consolidate the design, test and documentation 
requirements for safety-critical systems and components, both 
identified by a system safety process and as part of an FSS, currently 
found in parts 415 and 417, 431, and 435. Specifically, the FAA 
proposes to provide performance-based requirements for safety-critical 
systems, including fault tolerant design, design qualification testing, 
hardware acceptance testing, and the verification of flight 
environments to assess the life-cycle of safety-critical systems for 
reuse purposes.
    Under proposed Sec.  450.143, all safety-critical systems would be 
required to meet these requirements, including a FSS that also would be 
required to meet the additional requirements of proposed Sec.  450.145. 
By having a consistent set of overarching requirements regulating the 
design, testing, and documentation of safety-critical systems and 
hardware, the FAA anticipates that applicants would be enabled to 
implement new risk-mitigating design strategies under a clear and 
consolidated regulatory regime. New technologies that emerge would be 
covered by the general requirements without causing regulatory delays 
due to confusion, increasing paperwork burdens required for requesting 
waivers, or waiting for future rulemaking changes necessary to allow 
emerging technologies. These criteria would be the standards for 
demonstrating that such systems can survive and perform to an adequate 
level of safety in all operating environments.
    The ARC recommended that better standards need to be developed 
regarding safety-critical systems. The ARC pointed out that there is no 
single process or procedure that documents an acceptable way to go 
through a system design and determine safety-criticality, and it asked 
for better guidance on safety-criticality, given that usually industry 
views criticality more from a mission assurance point of view. More 
generally, the ARC requested a more performance-based regulatory 
regime, with a clearer focus on safety and greater flexibility for 
novel operations. In regards to reuse and maintenance, the ARC 
suggested that requirements should be focused on maintaining 
reliability of inputs. The ARC specifically called out the section 
E417.13 requirement to remove and recomplete acceptance testing prior 
to reuse of flight safety system components between each flight as an 
untenable burden both in terms of cost and time. Furthermore, the ARC 
also noted that continued acceptance testing of flight hardware to 
predict environmental levels plus margins puts undue strain on flight 
systems and can significantly reduce their lifespan.
    To remedy the confusion resulting from a current lack of regulatory 
clarity for RLVs and reentry vehicles, proposed Sec.  450.143(c) and 
(d) would explicitly require qualification testing of the design and 
acceptance testing of the safety-critical flight hardware. To remedy 
the implied design constraints of current detailed requirements for 
ELVs, proposed Sec.  450.143(c) and (d) would be general, high-level 
requirements for demonstrating the performance of safety-critical 
system design, and that the system is operational and free from defects 
and errors.
    Specifically, proposed Sec.  450.143(c) would require an operator 
to functionally demonstrate \85\ the design of a vehicle's safety-
critical systems at conditions beyond its predicted operating 
environment. The design qualification tests should include enough 
margin beyond predicted operating environments to demonstrate that the 
system design can tolerate manufacturing variance or environmental 
uncertainties without performance degradation.
---------------------------------------------------------------------------

    \85\ Functional demonstration is generally achieved through 
testing.
---------------------------------------------------------------------------

    Proposed Sec.  450.143(d)(1) would require operators to perform a 
functional demonstration of any safety-critical systems by exposing 
them to their predicted operating environment with margin. The 
performance of the flight hardware during the test would be required to 
demonstrate that the flight units are free of defects, integration or 
workmanship errors, and are ready for operational use. Alternatively, 
an applicant would be able to comply with proposed Sec.  450.143(d)(2) 
instead of proposed Sec.  450.143(d)(1). If an applicant chooses to 
comply with proposed Sec.  450.143(d)(2), it would be required to 
ensure functional capability and that the flight hardware remains free 
from error and defect during its service life through a combination of 
in-process controls and a quality assurance process. This flexible 
approach to acceptance testing would relieve some of the burdens of a 
traditional acceptance testing regime and would add clarity that these 
demonstrations are required for all safety-critical flight hardware.
    Proposed Sec.  450.143 would clearly state the requirements for all 
safety-critical system components and eliminate the ambiguity that 
exists in the current regulations regarding required testing of safety-
critical system components that are not a part of an FSS. While FSSs 
are safety-critical systems, their criticality requires additional 
requirements beyond proposed Sec.  450.143. The consolidated 
performance requirements for FSS components are detailed in proposed 
Sec.  450.145, and are discussed in the ``Flight Safety System'' 
section of this preamble.
    As the proposed rule seeks to make the safety requirements of Sec.  
450.143 applicable to all commercial space launch and reentry vehicles, 
there should be better clarity across the industry and the government 
regarding what is required of safety-critical systems for both design 
qualification testing and flight hardware acceptance testing. Also, as 
recommended by the ARC, the FAA's proposal would allow for the 
possibility of other forms of acceptance testing methodologies and 
quality controls, subject to approval of the FAA, for safety-critical 
components that are not directly covered by the flight safety system 
requirements. This option should enable new business practices but 
maintain the safety verification necessary to ensure public safety.
    The ARC did not speak specifically to fault tolerant design but did 
indicate that vehicle reliability and architecture should be 
considerations in the FAA's evaluation of novel systems. Proposed Sec.  
450.143(b) would require an applicant's safety-critical system to be 
designed so that no single credible fault would impact public safety. 
This proposal would provide clarity to the scope of the requirement of 
fault-tolerance by defining it as an explicit design performance 
requirement. It would replace many specific prescriptive requirements 
in part 417's subpart D and appendices D and E with a single general 
performance requirement and clarify the scope of applicability for RLV 
and reentry vehicle applicants. Additionally, by requiring only that 
the safety-critical systems be designed to be fault tolerant so that no 
single credible fault can lead to increased risk to public safety, the 
proposed regulations would allow flexibility as to the method an 
operator uses to comply with the requirements. For example, the FAA 
anticipates that an operator might choose to comply with proposed Sec.  
450.143(b) with a design that provides for redundancy for systems that 
can be duplicated or

[[Page 15326]]

through damage-tolerant design for those safety-critical systems (like 
primary structures) that cannot be redundant. It is expected that this 
flexibility would accommodate technical innovation. Additionally, an 
operator would be able to satisfy the fault-tolerance requirement by 
fail-safe designs that have traditionally been approved through ELOS 
determinations, eliminating the need for applicants to apply for 
additional FAA review and evaluation.
    The ARC advised the FAA to focus on verifying the veracity of 
maintenance processes for reuse, combined with alternatives to 
acceptance testing on per flight basis. The FAA believes it has 
addressed the testing alternatives in this NPRM and agrees that the 
processes and procedures to ensure safety-critical systems are safe for 
reuse are an important part of lifecycle validation. Given safety-
critical systems are essential to public safety, the FAA proposes that 
an operator would be required to validate predicted operating 
environments against actual operating environments and assess component 
life throughout the lifecycle of the safety-critical unit. This 
validation can be done through an initial fatigue life assessment and 
continual accounting of remaining components life or through a 
comprehensive inspection and maintenance program that accounts for 
damage accumulation and fault detection.
    Proposed Sec.  450.143(e) would require that predicted operating 
environments be based on conditions expected to be encountered in all 
phases of flight, recovery, preparation, and transportation. It would 
also require an operator to monitor the environments experienced by 
safety-critical systems in order to validate the predicated operating 
environment and assess the actual component life left or to adjust 
inspection periods. While the system safety and FSS approaches to reuse 
can further define specific requirements, the FAA proposes more general 
requirements on the operator to account for the complete lifecycle of 
each safety-critical system, considering the design, testing, and use 
of safety-critical components. Allowing operators to determine a 
proposed lifecycle for a safety-critical system, to demonstrate 
operational capabilities and environmental endurance through testing, 
to devise processes for monitoring the lifecycle of the safety-critical 
system, and setting criteria and procedures for refurbishment or 
replacement allows operators flexibility in their business plans. 
Having this flexibility would allow applicants to demonstrate to the 
FAA how they would ensure reused safety-critical components will not 
degrade in performance. The FAA anticipates that such a demonstration 
would include elements such as qualification of the design for its 
intended lifetime; acceptance testing to screen components; monitoring 
of environmental levels during use; and monitoring component health 
through inspections for either disposal or refurbishment.
    While the lifecycle management requirement would give the applicant 
flexibility on implementation, the proposed rule would require 
applicants to consider the implementation details such as maintenance, 
inspection, and consumable replacement. With the flexibility of the 
top-level requirement, applicants could continue to employ rigorous, 
per flight acceptance testing of safety-critical components, or with 
enough flight data they may be able to employ a system more similar to 
commercial aviation where flown components can be assessed in light of 
the actual operating environment and planned component reuse does not 
require component testing on a per flight basis. Monitoring of 
environments and assessment of safety-critical hardware for reuse is 
expected to affect the probability of failure that would feed back into 
FSAs as a check that risk to public safety is not increased. These 
flexible, top-level requirements for safety-critical systems would make 
explicit the currently implicit reuse requirements of parts 431 and 
435's system safety process, improving regulatory clarity and 
operational flexibility, while still requiring the important planning, 
monitoring, and assessments necessary to ensure public safety.
    To demonstrate compliance with the proposed performance 
requirements, the FAA proposes clear application requirements in Sec.  
450.143(f). As in the current Sec.  431.35(d)(3) and (5), an applicant 
would have to describe and diagram all safety-critical systems in its 
application. Similar requirements exist for ELV flight safety systems 
of part Sec.  415.127(b) and (c). Section 450.143(f)(3) also would 
require a summary of the analysis detailing how applicants arrived at 
the predicted operating environment and duration for all qualification 
and acceptance testing. This is current practice, and proposed Sec.  
450.143(e) makes this requirement explicit for RLVs and reentry 
vehicles. The proposed requirements are also more generalized and 
adaptable than the current component-level requirements for ELVs. Under 
proposed Sec.  450.143(f)(4) and (5), applicants would be required to 
detail their plans for lifecycle monitoring by describing any 
instrumentation or inspection processes used to assess reused safety-
critical systems, and the criteria and procedures for any service life 
extension proposed for those system components. Much like the rest of 
the FAA's proposal, applicants of any vehicle type are already expected 
to provide this information, but the requirements have been distilled 
into high-level, generalized requirements to allow for maximum 
operational flexibility while still identifying the inputs the FAA 
needs to verify compliance with the safe performance and operation 
requirements. While FSSs are additionally subject to the requirements 
of proposed Sec.  450.145, the proposed requirements for safety-
critical systems would clarify existing practice and enable novel 
concepts of safety and safety-critical design.
2. Flight Safety System
    An FSS is an integral tool to protect public health and safety and 
the safety of property from hazards presented by a vehicle in flight. 
An FSS allows an operator to exercise positive control of a launch or 
reentry vehicle, allowing an operator to destroy the vehicle, terminate 
thrust, or otherwise achieve flight abort. An extremely reliable FSS 
that controls the ending of vehicle flight according to properly 
established rules nearly ensures containment of hazards within 
acceptable limits. For that reason, the FAA considers an FSS a safety-
critical system. The FAA currently requires an FSS for ELVs. Most 
RLVs--aside from unguided suborbital vehicles utilizing a wind 
weighting system or certain vehicles where the vehicle's operation is 
contained by physics--derive from the system safety process the need 
for some FSS to mitigate flight hazards.
    Traditional FSSs for ELVs are comprised of an onboard flight 
termination system (FTS), a ground-based command and control system, 
and tracking and telemetry systems. Historically, the flight safety 
crew monitoring the course of a vehicle would send a command to self-
destruct if the vehicle crossed flight safety limit lines and in doing 
so threatened a protected area. Redundant transceivers in the launch 
vehicle would receive the destruct command from the ground, set off 
charges in the vehicle to destroy the vehicle and disperse the 
propellants so that an errant vehicle's hazards would not impact 
populated areas. While this method of flight abort through ordnance is 
conventional, the FAA currently does

[[Page 15327]]

not require an FSS to be destructive, as made explicit in the 
definitions of FSS in both Sec. Sec.  401.5 and 417.3.
    There has been some innovation in FSSs--thrust termination systems 
are used frequently and most RLVs can demonstrate regulatory compliance 
with part 431 with a safety system that achieves a controlled landing 
in the event of an aborted flight. As the commercial space 
transportation industry has matured, operators have proposed FSS 
alternatives. These alternative approaches include fail-safe single 
string systems that trade off mission assurance and redundancy, other 
fail-safe consequence mitigation systems, and dual purpose systems such 
as FSSs that reuse the output of safety-critical GPS components for 
primary navigation avionics. These alternative approaches are not well 
governed by the existing regulations.
i. Current Regulatory Framework for FSS
    The present ELV licensing requirements in parts 415 \86\ and 417 
include lengthy and detailed requirements for the performance of an FSS 
and its components, as well as detailed testing and reporting 
requirements. These requirements were originally adopted to match 
current practices at Federal ranges. Section 417.107(a) identifies the 
need for an FSS while subpart D (Sec. Sec.  417.301-417.311) identifies 
the performance requirements of an FSS and its component systems. 
Appendices D \87\ and E \88\ include prescriptive FSS design, 
performance, testing, and analysis requirements. Under part 417, an FSS 
must consist of an FTS, a command and control system,\89\ support 
systems (like tracking and telemetry),\90\ and identification of the 
functions of any personnel who operate FSS hardware or software.\91\ 
Together, these requirements allow for a very limited range of FSS 
concepts because they are primarily focused on containment of hazards 
by destruction of the vehicle or stage.
---------------------------------------------------------------------------

    \86\ Part 415 contains the application requirements to 
demonstrate compliance with part 417 and the test report 
requirements to demonstrate compliance with the relevant appendices 
of part 417. Specifically, Sec.  415.127 requires detailed 
descriptions and diagrams of the FSS and subsystems, a list of all 
system components that have a critical storage or service life, 
detailed descriptions of controls and displays, the system analyses 
of Sec.  417.309, demonstration of compliance with the performance 
requirements, installation procedures, and tracking and monitoring 
validation procedures. Applicants must file all preliminary design 
data no later than 18 months before bringing any launch vehicle to a 
proposed launch site.
    \87\ Appendix D lists very detailed performance requirements and 
design reliability requirements including fault tolerance and 
redundancy, environment survivability requirements, radio command 
destruct parameters, remote and redundant safing mechanisms, 
positively controlled arming mechanisms, installation procedures, 
and system health monitoring. It also requires vehicles to have an 
automatic or inadvertent separation destruct system for any stage 
that does not possess a complete command destruct system but is 
capable of reaching a protected area before the planned safe flight 
state.
    \88\ Appendix E to part 417 contains the tests and analysis 
requirements to verify the performance requirements of FTSs and 
their components. It contains detailed component level charts for 
acceptance and qualification performance testing, including the 
number of samples (or percentage of the lot) that must undergo each 
test type. The testing plans must detail the environment, equipment, 
pass/fail criteria, measurements, other testing parameters, and any 
analyses planned in lieu of testing.
    \89\ A command control system transmits a command signal that 
has the radio frequency characteristics and power needed for receipt 
of the signal by the flight termination system onboard the launch 
vehicle. The command control system must include equipment to ensure 
that an onboard flight termination system will receive a transmitted 
command signal and must meet specific performance requirements in 
Sec.  417.303.
    \90\ Currently, under Sec.  417.307 an FSS must include two 
independent tracking sources and provide the launch vehicle position 
and status to the flight safety crew from liftoff until the vehicle 
reaches its planned safe flight state. Additionally, data 
processing, display, and recording systems must display, and record, 
raw input and processed data at no less than 0.1 second intervals.
    \91\ As part of the current requirements for an FSS, Sec.  
417.311(a) requires human intervention capability for flight 
termination to be initiated by flight safety crew. Therefore, Sec.  
417.307 requires design, test, and functional requirements for 
systems that support the functions of a flight safety crew, 
including any vehicle tracking system.
---------------------------------------------------------------------------

    Section 417.301(b) permits applicants to propose alternative FSSs, 
which do not need to satisfy one or more of the prescriptive 
requirements of subpart D of part 417. This provision is intended to 
enable greater flexibility for innovation without negatively impacting 
safety. The FAA approves an alternative FSS if an operator establishes 
through a clear and convincing demonstration that a launch would 
achieve an equivalent level of safety to an operation that satisfies 
all of the existing FSS requirements. Alternative FSS, like traditional 
FSS, must still undergo rigorous analysis and testing to demonstrate 
the system's reliability to perform each intended function.
    Unlike ELVs, RLVs are not explicitly required to have an FSS, but 
the requirement for an FSS and its reliability requirement is derived 
as an essential hazard mitigation from a robust system safety process 
under part 431. This requirement falls under the Sec.  431.35(c) 
requirement for applicants to use a system safety process to identify 
the hazards and mitigate risks to public health and safety under non-
nominal flight of the vehicle and payload. An acceptable system safety 
analysis identifies and assesses the probability and consequences of 
any reasonably foreseeable hazardous event and safety-critical system 
failures during launch flight that could result in a casualty to the 
public. Based on current practice, most RLVs must have some method to 
reliably achieve flight abort to fully mitigate flight risks and 
consequences, either in the form of a pilot that can safely abort 
flight using system controls, a more traditional FSS that is designed 
and tested in the same manner as is required for ELVs, or a system that 
can meet the requirements for an alternative FSS under Sec.  
417.301(b). The lack of an explicit requirement for an FSS in part 431 
often leads to confusion regarding what is expected for applicants 
mitigating hazards through flight abort.
    Reentry vehicles under part 435 are also subject to a system safety 
process to identify hazards and mitigate risks to public health and 
safety under non-nominal flight of the reentry vehicle and any payload. 
Because Sec.  435.33 points to part 431, an acceptable system safety 
analysis for reentry also assesses the probability and consequences of 
any reasonably foreseeable hazardous events during the reentry flight 
that could result in a casualty to the public. Unlike part 431, most 
part 435 reentries do not require an FSS because it is generally 
accepted that, if controlled reentries become uncontrolled, the vehicle 
is unlikely to substantially survive reentry. Due to the nature of the 
hazards associated with reentry, and since breakup is expected for non-
nominal reentries, an FSS often cannot significantly ameliorate a 
reentry flight's risk or consequence. A reentry applicant must still 
account for the possibility of a random reentry in its risk analysis 
after attempting a reentry burn.
ii. Autonomous Systems
    Current regulations do not allow an operator to rely solely on an 
autonomous system to terminate a flight. At the time of their 
publication, human control capability was considered critical to safety 
because neither software nor hardware had been proven reliable to make 
flight termination decisions. Since that time, the FAA has approved the 
use of autonomous FSSs for ELVs by finding that they can meet the 
requirements of an alternative FSS under Sec.  417.301(b). Applicants 
were able to demonstrate that the autonomous FSS achieved an equivalent 
level of safety to a launch with a human-in-the-loop as the risk to 
public safety was extremely low and the autonomous system had been 
flight tested in shadow mode. In past

[[Page 15328]]

rulemakings, the FAA has made clear that, in requiring human 
intervention capability for activation of an FSS, the FAA did not 
intend to foreclose development or use of autonomous systems. However, 
despite those assurances and the FAA findings of equivalent safety, 
current FAA regulations still expressly require that a capability exist 
for a person to intervene and make decisions for FSS activation.
    The FAA is proposing to update the regulations to match the current 
practice of allowing autonomous FSSs. By removing the outdated 
requirements for a human in-the-loop, the FAA believes that it would 
encourage further innovation without negatively impacting safety. The 
consequence analysis and reliability thresholds would continue to hold 
any potential autonomous FSS to the rigorous standards previously 
required of a human-initiated FSS, and the software as part of the 
autonomous FSS must be demonstrated to meet reliability requirements. 
With the recent advancements of the requisite technology and the 
performance constraints of the FSS, the FAA is confident that it is 
beneficial both to the commercial space transportation industry and 
public safety to explicitly allow flight abort to be governed by 
capable autonomous systems.
iii. Current Requirement for Reliability of a FSS
    Each FTS and command and control system must satisfy the predicted 
reliability requirement of 0.999 at the 95 percent confidence level. 
For FSSs on both ELVs and RLVs, there are effectively only two methods 
of currently demonstrating that a system meets reliability standards. 
The first method is to test 2,995 units at expected operating 
environment levels with 0 failures to demonstrate a 0.999 design 
reliability at a 95 percent confidence level. Given the cost of FSS 
components, the cost of testing, and the time required to conduct such 
tests, this is not practicable.
    The second method arises out of RCC 319. The FSS requirements 
codified in part 417, including component performance requirements, and 
acceptance and qualification testing, were originally written to align 
FAA launch licensing requirements with the Federal launch range 
standards in RCC 319. Like part 417, RCC 319 requires qualification 
tests to demonstrate reliable operation in environments exceeding the 
expected operating environment for the system components, acceptance 
tests to demonstrate that the selected batch of components meets the 
requirements of the design specifications, and other preflight testing 
at the system or subsystem level to demonstrate functionality after 
installation.
    The benefit of the part 417 and RCC 319 method is that for 
qualification tests, generally only three test units are required. 
Three units are required instead of many more because the units are 
tested with margin above their predicted operating environment. Testing 
three units with the margin specified achieves the required reliability 
and confidence levels of 0.999 design reliability at 95 percent 
confidence level, rather than having to test 2,995 units at the 
predicted operating environment with no margin.
iv. Proposed Reliability Standards for FSS
    Given the FAA anticipates that most commercial space vehicles will 
continue to control flight hazards through the use of FSSs, the FAA 
proposes in Sec.  450.145 to continue to require a very reliable FSS in 
most instances. Under the current regulations, FSS not only enable an 
operation to meet the collective and individual risk criteria during 
flight but also protect against low-probability but high-consequence 
events near the launch site or when flying over populated areas. As 
previously discussed, the FAA's proposal to quantify these low-
probability but high-consequence events as CEC in proposed 
Sec.  450.101(c) would clearly delineate which operations are required 
to use an FSS to control for risks and consequences.\92\ The 
CEC calculation is the consequence, measured in terms of 
EC, without regard to the probability of failure.
---------------------------------------------------------------------------

    \92\ As noted earlier, only operations that have a predicted 
consequence of 1 x 10^-3 CEC or above for 
uncontrolled areas for each reasonably foreseeable vehicle response 
mode in any one-second period of flight would be required to 
implement an FSS to abort flight as a hazard control strategy. An 
FSS would not be required for operations that can be shown to have a 
predicted consequence of less than 1 x 10^-3 
CEC; however, a hazard analysis would be required for any 
operations without a FSS or demonstrable physical containment.
---------------------------------------------------------------------------

    The underlying intent of the current prescriptive requirements was 
to have an FSS that could reliably perform flight abort to restrict 
hazards from reaching populated or otherwise protected areas. The FAA 
also recognizes that vehicles operating in remote areas are less likely 
to have significant consequences in the case of a flight failure. For 
operations where the consequence of a flight failure is less, the FAA 
has determined that, while still being highly reliable, the FSS may not 
need to be as highly reliable as an FSS for a vehicle operating in an 
area where the consequence of a flight failure is higher. Generally, 
this proposed relaxation of the FSS reliability requirement--based on 
reduced potential consequence--is expected to be applicable to 
operations launching or reentering in remote locations or for stages 
that do not overfly population centers. In order to achieve these 
scalable, performance-based requirements, proposed Sec.  450.145(a) 
would contain two reliability standards for an FSS.
    Proposed Sec.  450.145(a)(1) would require any operator with a 
consequence of 1 x 10^-2 CEC or greater in any 
uncontrolled area for any vehicle response mode to employ an FSS with 
the standard design reliability of 0.999 at 95 percent confidence and 
commensurate design, analysis, and testing. This reliability standard 
would be consistent with various sections of part 417, in particular 
Sec.  417.309(b)(2), that require major FSS component systems, such as 
onboard flight termination systems and ground-based command control 
systems, to be tested to demonstrate 0.999 design reliability at 95 
percent confidence. This reliability threshold would have to be 
demonstrated for the operation of the entire system, including any 
systems located on-board the launch or reentry vehicle, any ground-
based systems, and any other component or support systems.
    Alternatively, in order to make regulations adaptable to innovative 
operations while maintaining appropriate levels of safety, operations 
with lower potential consequences would require an FSS with less 
demonstrated design reliability at the same confidence. Proposed Sec.  
450.145(a)(2) would require any operator with a consequence of between 
1 x 10^-2 and 1 x 10^-3 CEC in any 
uncontrolled area for any vehicle response mode to only employ an FSS 
with design reliability of at least 0.975 at 95 percent confidence and 
commensurate testing. The FAA considered simply setting the proposed 
Sec.  450.145(a)(2) threshold an order of magnitude lower, at 0.99 
design reliability with a 95 percent confidence, to reflect the order 
of magnitude less CEC from the consequence analysis. Absent 
other standards to demonstrate compliance with the reliability 
threshold, that would mean testing 299 units with 0 failures, instead 
of testing 2,995 units with 0 failures. However, in consultation with 
NASA and Air Force representatives in the CSWG, the FAA has elected to 
propose that the reduced reliability threshold should be set at

[[Page 15329]]

0.975 design reliability with a 95 percent confidence for lower 
consequence vehicles.
    While there are no established standards to demonstrate the 0.975 
reliability number, that threshold is consistent with reliability 
parameters in RCC 324 and represents existing single string flight 
reliability requirements. The FAA is confident that industry 
associations will develop consensus standards regarding design and 
testing that sufficiently demonstrate that a novel FSS design meets 
this reliability threshold. Until such time as an industry standard is 
established, proposed Sec.  450.145(a)(2) in practice may result in 
single string or equivalent FSSs being approved for operations in 
remote areas or for phases of flight that do not overfly populated 
areas. Similar to FSS that must meet the more reliable threshold, all 
means of compliance would be required to be accepted by the FAA in 
accordance with proposed Sec. Sec.  450.145(b) and 450.35.
    These proposed reliability requirements would replace the existing 
launch and reentry FSS licensing requirements on all commercial space 
transportation missions. However, the FAA anticipates that, with the 
consequence analysis driving the requirement to have an FSS, most 
reentry operations would continue to not require an FSS as is the 
current case under part 435. For launch operators, applicants would 
still be required to demonstrate the reliability by submitting to 
review of their design, testing, and analysis. Operators would still be 
required to monitor the flight environments actually experienced by 
their FSSs in accordance with proposed Sec.  450.145(c) to corroborate 
the qualification test data submitted to the FAA.
    Proposed part 450 would consolidate and clarify the performance 
requirements for future FSSs. In doing so, the FAA anticipates that 
some operations will be relieved of the burden of unnecessarily 
stringent FSS reliability requirements and that some operations will be 
able to utilize innovative concepts to achieve flight abort. By 
appropriately scaling FSS reliability to consequence analysis, the FAA 
expects to see the emergence of new industry standards, increased use 
of autonomous FSSs, and no measurable adverse impact to public health 
and safety or the safety of property. There is expected to be no 
measurable adverse impact to public health and safety or the safety of 
property because the lowered reliability threshold will only apply to 
launches and reentries which would not create significant consequences, 
given a flight failure. Furthermore, while rigorous tests and analysis 
should still be expected for most FSSs, FAA regulations would no longer 
prescribe a particular form of FSS. The proposed performance measure of 
reliability to achieve safe flight abort to meet collective and 
individual risk limits and to mitigate the possibility of low 
probability but high consequence events is the best method for 
maintaining safety while scoping FAA regulations to govern only the 
function, not the form, of FSSs.
v. FSS Design, Testing, and Documentation Requirements
    Applicants using a FSS of any reliability threshold would be 
required to meet the proposed Sec.  450.143 safety-critical system 
design, test, and documentation requirements discussed previously. As 
an FSS will always be considered a safety critical system, any operator 
utilizing an FSS must comply with the requirements to design their 
system as fault tolerant, conduct qualification and acceptance testing, 
and provide evidence to validate predicted operating environments and 
component life.
    Proposed Sec.  450.145(d) would include the application 
requirements for an FSS. Similar to the current part 415 requirements, 
proposed Sec.  450.145 would require applicants to describe the FSS, 
including its proposed operation, and diagram the FSS in detail. The 
FAA's intent is to make these requirements less prescriptive than 
current regulations and also to allow more flexible time frames. 
Proposed Sec.  450.145(d) would require applicants to submit any 
analyses reports and acceptance, qualification, and preflight test 
plans used to demonstrate that the reliability and confidence levels 
are met. Any test plans or documentation would be required to detail 
the planned test procedures and the test environments. Further, an 
applicant would have to submit procedures for validating the accuracy 
of any vehicle tracking data utilized by the flight safety crew or the 
FSS to make the decision to abort flight. While proposed Sec.  
450.145(d) consolidates these application requirements and removes 
prescriptive component-level design requirements, the proposed 
regulations would not require substantially different information than 
the FAA requires today to demonstrate that FSSs meet performance 
standards and will undergo the required testing prior to flight.
vi. Reporting Requirements
    Under the preflight reporting requirements in proposed Sec.  
450.213(d), operators would be required to submit, or to provide the 
FAA access to, any test reports associated with the flight safety 
system test plans approved during the application process. These 
reports must be submitted or made available no less than 30 days before 
flight unless the Administrator agrees to a different time frame under 
Sec.  404.15. In the reports, licensees would have to clearly show that 
the testing results demonstrate compliance with the reliability 
requirements in proposed Sec.  450.145(a). This is current practice 
under Sec.  417.17(c)(1) and (4) through (6).
    To show the FSS is in compliance and can support the mission as 
intended, FSS reports would continue to be required to include testing 
reports that detail the results of the approved subsystem and 
component-level testing, including any failures, any actions necessary 
to correct for any failures, actual testing environment showing 
sufficient margin to predicted operating environments, and a comparison 
matrix of the actual qualification and acceptance test levels used for 
each component compared against the predicted flight levels for each 
environment. Proposed Sec.  450.213(d)(4) would require licensees to 
report any components qualified by similarity analysis or some 
combination of analysis and testing. Preflight reporting is necessary 
to demonstrate compliance with the test plans approved in the 
application and to demonstrate that the FSS meets the reliability 
threshold prior to flight.
    Proposed Sec.  450.215 (Post-Flight Reporting) would continue to 
require licensees to submit a post-flight report no later than 90 days 
after an operation if there were any anomalies in the flight 
environment material to public health and safety and the safety of 
property, including those experienced by any FSS components; a practice 
currently required by Sec.  417.25(c). RLV operators licensed under 
part 431 are not currently required to submit a post-flight report 
identifying anomalies that are material to public safety and corrective 
actions, but the added burden is expected to be minimal. To accurately 
report any such anomalies so that they may be corrected in future 
flights, operators would also be required to monitor the FSS during 
each flight, in accordance with proposed Sec.  450.145(c). Any 
anomalies experienced by the FSS would be considered material to public 
health and safety and the safety of property and, therefore, would need 
to be included in post-flight reporting.

[[Page 15330]]

vii. ARC Recommendations
    The ARC suggested that, in a performance-based licensing scheme, 
the regulations should be flexible with regard to FSSs and allow an 
operator to propose a means of achieving the performance metric without 
dictating a specific hardware approach. For example, the ARC 
recommended that an operator should be able to propose an alternative 
to having a destruct flight termination system. While, the FAA believes 
that the current regulations allow for non-destructive FSSs, it 
acknowledges that the preponderance of the existing prescriptive 
requirements address FSSs that terminate flight through destructive 
means. The ARC recommended the current prescriptive requirements be 
moved to a guidance document. As discussed previously, the FAA intends 
to recognize RCC 319 as the accepted means of compliance in 
demonstrating that a FSS has a design reliability of 0.999 at 95 
percent confidence. The RCC 319 document would maintain the common 
standards between all Federal launch and reentry safety authorities but 
also would be updated periodically to address the evolving space 
transportation industry. Industry could also develop new means of 
compliance in the future, as discussed below.
    The ARC also recommended that an FSS should not be required, 
proposing instead that an operator should only be required to meet risk 
calculations in the FSA and may do so by utilizing a FSS. The FAA 
disagrees that an FSS should not be required, as there are other safety 
factors to be considered beyond simple individual or collective risk, 
namely, the consequence of a failure as discussed earlier. However, the 
FAA has attempted to propose more flexible regulations that would allow 
some operations to be licensed without an FSS, or with novel concepts 
of FSS, or an FSS that may require less extensive demonstration of 
reliability. In quantifying the low probability but high consequence 
events that necessitate an FSS beyond collective and individual risk 
limits, the FAA intends to more clearly delineate when it would be 
appropriate for an operation to forego an extremely reliable FSS or an 
FSS completely. If an FSS is not required, the applicant would be 
required to demonstrate that hazards are contained or mitigated through 
a hazard analysis and system safety principles. In addition to 
proposing the acceptability of FSSs with a design reliability of 0.975 
at 95 percent confidence, under certain situations, the FAA proposes to 
indicate more clearly that FSS concept and design is flexible and open 
to innovation as long as the reliability thresholds for flight abort 
are met.
    The ARC also discussed a number of concepts that industry believes 
should be considered in scaling an FSS's necessary reliability as 
determined through the FSA. The ARC pointed specifically to population 
density, the realm of reasonably foreseeable failures, trajectory, 
size, and explosive capabilities of the vehicle. The FAA proposes that 
these factors would be contemplated as a part of the consequence 
analysis required in the public safety criteria of proposed Sec.  
450.101(c), alongside traditional measures of risk. In identifying FSS 
reliability thresholds pegged to potential consequence, or 
CEC, the reliability of FSSs is determined through analysis 
that accounts for factors such as what population centers a vehicle or 
debris can reach and potential failure modes. The FAA anticipates that 
this would address the ARC's recommendation that vehicles with low risk 
to the public, especially vehicles operating in remote and sparsely 
populated areas, may require a lower demonstrated reliability.
    To the question of how an applicant might demonstrate the 
reliability of an FSS with a less than extremely reliable design that 
does not otherwise meet current common standards like RCC 319, such as 
the FAA proposed threshold of 0.975 at 95 percent confidence, the ARC 
advised that several approaches may already exist. As previously 
discussed, the less reliable FSS can be demonstrated by testing several 
hundred units under expected environments, instead of the 2,995 tests 
required to demonstrate design reliability of 0.999 at 95 percent--but 
it is still likely that neither is practical or viable for most 
operators. In their place, alternative standards are necessary to 
approximate the demonstration of the reliability threshold through less 
burdensome means. The ARC report pointed to the Air Force Space 
Command's Space and Missile Systems Center Standard SMC-S-016, ``Test 
Requirements For Launch, Upper-Stage and Space Vehicles,'' as an 
example of a standard that allows for one unit of qualification 
testing, instead of the standard three units required by RCC-319.\93\ 
The ARC noted that standard may be useful for heritage systems that are 
already considered reliable. The FAA maintains that for 0.999 design 
reliability at 95 percent, the qualification testing of three or more 
units may be required to reduce the likelihood of either anomalous test 
passes or failures. The FAA seeks comment on this approach. The FAA 
also seeks comment on how SMC-S-016 could be incorporated as an 
accepted means of compliance for reliability demonstration of the lower 
reliability criteria.
---------------------------------------------------------------------------

    \93\ As one company pointed out in the ARC report, SMC-S-016 and 
similar standards are for general vehicle testing and do not 
consider the higher reliability required for FSS, whereas RCC 319 
and AFSPCMAN91-710 require additional margins and certainty. The 
company believes that testing a single unit is not sufficient, 
unless there was a tradeoff that increased the required test margin.
---------------------------------------------------------------------------

    In discussions with Federal launch range personnel, it has been 
suggested that testing and analysis requirements in RCC 324 may be a 
more appropriate basis for evaluating a FSS meeting the lower 
reliability threshold. The FAA remains interested in identifying 
standards that are applicable or could be drawn upon to develop means 
of compliance to the proposed regulations.
    The FAA is also not foreclosing the idea that vehicles can 
demonstrate the reliability of the FSS or vehicle through flight 
history. The ARC pointed out in their report that certain aspects of 
FSSs can be tested in flight--for example using an autonomous FSS in 
``shadow mode'' on-board a vehicle and testing the system's function 
with no ordnance or other active destruct capabilities. The FAA 
ultimately decided to not propose any explicit requirements pertaining 
to acceptable flight testing as a means of allowing industry applicants 
and the FAA to develop new accepted means of compliance in the 
demonstration of reliability. While the FAA wishes to encourage the 
innovation and development of novel reliability demonstration 
standards, the FAA also recognizes that such standards are not 
currently developed and would require extensive evaluation before they 
could be accepted as demonstrating fidelity and safety. Because the FSS 
is so critical to flight safety in the instances where it is required, 
new reliability and compliance demonstration strategies must be 
accepted by the FAA prior to application acceptance.
    In discussing the scalability of FSS requirements, the ARC proposed 
that the FAA delineate categories of operators and vehicles. The 
suggested categories included a new vehicle by a new operator, a proven 
vehicle by an experienced operator, a derived vehicle by an experienced 
operator, and considerations for vehicle hazard class and population 
density in operating areas. The FAA considered operator and vehicle 
categories as a means of scaling FSS reliability requirements as an 
alternative to consequence analysis, but determined that the relevant 
measure of public protection indicating the need for

[[Page 15331]]

an FSS is not experience, but risk and possible consequence. While less 
experienced operators will likely pose a higher risk, as accounted for 
in the probability of failure, experience does not account for the 
potential consequences of a vehicle failure. Experienced operators with 
experienced vehicle designs can propose operations that still pose a 
high risk to the public, or an operation with low risk but high 
potential consequences in the event of a failure. The FAA seeks comment 
on the proposal to use consequence, not operator experience, as a 
factor in level-of-rigor.

K. Other Prescribed Hazard Controls

1. Agreements
    The FAA proposes to streamline the existing agreement requirements 
by removing specific requirements for a variety of agreements and 
procedures and allowing an operator to determine what agreements would 
be needed for its particular operation. In Sec.  450.147 (Agreements), 
a vehicle operator would be required to have written agreements with 
any entity that provides a service or use of property to meet a 
requirement in part 450.
    Current Sec.  417.13 requires a launch operator to enter into an 
agreement with a Federal launch range to have access to and the use of 
U.S. Government property and services required to support a licensed 
launch from the facility and for public-safety related operations and 
support before conducting a licensed launch from a Federal launch 
range. The Federal launch range arranges for the issuances of 
notifications to mariners and airmen.
    Currently, for launches from a non-Federal launch site in the 
United States, a launch operator must ensure that launch processing at 
the launch site satisfies the requirements of part 417. For a launch 
from a launch site licensed under part 420, a launch operator must 
conduct its operations in accordance with any agreements that the 
launch site operator has entered into with any Federal and local 
authorities. These include agreements with the local U.S. Coast Guard 
district to establish procedures for the issuance of a Notice to 
Mariners (NTM) prior to a launch and with the FAA air traffic control 
(ATC) facility having jurisdiction over the airspace through which the 
launch will take place to establish procedures for the issuance of a 
Notice to Airmen (NOTAM) prior to the launch and for the closing of air 
routes during the launch window. For a launch from an exclusive-use 
site, where there is no licensed launch site operator, a launch 
operator must satisfy the requirements of part 420. In addition, a 
launch operator must: (1) Describe its procedures for informing local 
authorities of each designated hazard area near the launch site 
associated with a launch vehicle's planned trajectory and any planned 
impacts of launch vehicle components and debris; (2) provide any hazard 
area information to the local U. S. Coast Guard, or equivalent local 
authority, for the issuance of NTMs and to the FAA ATC office, or 
equivalent local authority, that have jurisdiction over the airspace 
through which the launch will take place for the issuance of NOTAMs; 
and (3) coordinate with any other local agency that supports the 
launch, such as local law enforcement agencies, emergency response 
agencies, fire departments, the National Park Service, and the Mineral 
Management Service.
    For launches of RLVs under part 431 and reentries under part 435, 
an operator must enter into launch and reentry site use agreements with 
a Federal launch range or a licensed launch or reentry site operator 
that provide for access to and the use of property and services 
required to support a licensed RLV mission or reentry and public 
safety-related operations and support. Additionally, an operator must 
enter into agreements with the U.S. Coast Guard and the FAA regional 
office that has jurisdiction over the airspace through which a launch 
and reentry will take place to establish procedures for the issuance of 
NTMs and NOTAMs.
    As discussed earlier, there are currently similar requirements 
under parts 417 and 431 and, by reference, part 435, for agreements to 
ensure that NTMs and NOTAMs are implemented. Part 417 references part 
420, which also contains requirements for these notices and requires 
operators to describe procedures to ensure that these and other 
notifications are accomplished. Part 417 requires an operator to 
execute agreements with multiple entities. None of the current 
requirements adequately addresses NTMs and NOTAMs when the U.S. Coast 
Guard or the FAA does not have jurisdiction, such as with launches or 
reentries from or to foreign or international territories. Currently, 
these agreements must be in place before a license is issued. However, 
in practice, the FAA sometimes accepts draft agreements or makes the 
submission of the executed agreements a condition of the license.
    Under proposed Sec.  450.147, a vehicle operator would be required 
to enter into a written agreement with any entity that provides a 
service or property that meets a requirement in part 450. Such entities 
would include a Federal launch range operator, a licensed launch or 
reentry site operator, any party that provides access to or use of 
property and services required to support a safe launch or reentry 
under part 450, the U.S. Coast Guard, and the FAA. Other entities that 
provide a service or property could also include local, state, or 
federal agencies, or private parties. For instance, a local fire 
department might provide a standby service to control a possible fire, 
a state agency could provide any number of services such as road 
closures, and NASA might provide telemetry capability. Although 
agreements with local agencies, for example, may be necessary to ensure 
public safety, the FAA believes that it is overly prescriptive to list 
in regulation the specific entities with which each operator must enter 
into an agreement.
    This proposal would require an operator to enter into only those 
agreements necessary for its particular operation. If an operator works 
with multiple entities to satisfy requirements in proposed part 450, it 
would need multiple agreements. However, if agreements required under 
this proposed section are already addressed in agreements executed by 
the site operator, an operator would only need to enter into agreements 
with either the Federal launch range or other site operator and any 
entity with which the site operator does not perform the necessary 
coordination. In particular, Federal launch ranges almost always 
arrange for the issuance of NTMs and NOTAMs for launches.\94\
---------------------------------------------------------------------------

    \94\ Typically, Federal ranges do not arrange for the issuance 
of NTMs and NOTAMs for the disposal of a launch vehicle from orbit 
or the reentry of a reusable launch or reentry vehicle.
---------------------------------------------------------------------------

    The proposal also contemplates agreements between a maritime or 
aviation authority other than the U.S. Coast Guard or the FAA. Unless 
otherwise addressed in agreements with the site operator, the proposed 
rule would require an operator to enter into such agreements for a 
launch or reentry that crosses airspace or impacts water not under the 
jurisdiction or authority of the U.S. Coast Guard or the FAA.
    Section 450.147(b) would require all agreements to clearly 
delineate the roles and responsibilities of each party in order to 
avoid confusion concerning responsibility for executing safety-related 
activities. Section 450.147(c) would require all agreements to be in 
effect before a license can be issued. However, as noted earlier, the 
FAA recognizes that agreements might not be finalized by the time the 
FAA is

[[Page 15332]]

prepared to make a licensing determination. Therefore, the regulation 
would allow an operator to request a later effective date, contingent 
upon the Administrator's approval. An operator could do this by 
providing the FAA the status of the negotiations involving the 
agreement including any significant issues that require resolution and 
the expected date for its execution.
    Under proposed Sec.  450.147(d), an applicant would be required to 
describe each agreement in its vehicle operator license application. An 
applicant should clearly delineate the roles and responsibilities of 
each party to the agreement to support a safe launch or reentry. The 
applicant would also need to provide a copy of any agreement, or 
portion thereof, to the FAA upon request. The FAA recognizes that some 
portions of agreements may contain business-related provisions that do 
not pertain to FAA requirements. Those portions would not be required. 
The FAA seeks comment on its proposed approach to agreements.
2. Safety-Critical Personnel Qualifications
    The FAA proposes to remove the certification requirements found in 
Sec. Sec.  417.105, 417.311, and 415.113 and replace them with 
performance-based requirements in Sec.  450.149 (Safety-Critical 
Personnel Qualifications). Section 450.149 would require qualified 
personnel to perform safety-critical tasks for launch and reentry 
operations. The FAA also proposes to expand personnel qualification 
requirements to ensure that safety-critical personnel are qualified to 
perform their assigned safety tasks.
    An operator must qualify and train its safety-critical personnel in 
performing their safety-critical tasks for all vehicle and license 
types because training mitigates the potential for human error during 
safety-critical operations. Currently, the FAA requires a personnel 
certification program in part 417 for personnel that perform safety-
related tasks. Specifically, Sec.  417.105 requires that a launch 
operator employ a personnel certification program that documents the 
qualifications, including education, experience and training, for each 
member of the launch crew. The launch operator's certification program 
must include annual reviews and revocation of certifications for 
negligence or failure to satisfy certification requirements. Section 
415.113 requires an operator to submit a safety review document that 
describes how the applicant will satisfy the personnel certification 
program requirements of Sec.  417.105 and identify by position 
individuals who implement the program. The document must also 
demonstrate how the launch operator implements the program, contain a 
table listing each hazardous operation or safety critical task 
certified personnel must perform, and include the position of the 
individual who reviews personnel qualifications and certifies the 
personnel performing the task. In Sec.  417.105(b), an operator is 
required to review personnel qualifications and issue individual 
certifications. The intent behind this requirement was to ensure that 
qualified people perform the required safety tasks.
    Neither part 431 nor part 435 have a personnel certification 
program requirement or any personnel training requirement; however, the 
need for personnel qualifications is a natural outcome of the system 
safety process.
    The FAA recognizes that the current regulations in part 417 are 
inflexible and that using a certification program is not the only 
method to ensure qualified personnel perform safety-critical tasks. 
Operators may use other methods to verify all training and experience 
required for personnel to perform a task is current. For example, an 
operator may maintain training records to document internal training 
and currency requirements or completion standards for its safety 
critical personnel. An operator's issuance of individual certifications 
does not itself enhance public safety. If the personnel are qualified 
through training and experience for each safety task performed, 
additional certification is unnecessary because no additional training 
is required for an individual to be issued a certification. Removing 
the certification requirement would also reduce cost to the industry by 
removing the two-step process to allow qualified personnel to perform 
safety-related tasks.
    Additionally, the flight safety crew roles and qualifications 
requirements in Sec.  417.311, are prescriptive. Section 417.311(a) 
requires a flight safety crew to document each position description and 
maintain documentation of individual crew qualifications, including 
education, experience, and training, as part of the personnel 
certification program of Sec.  417.105. Section 417.311(b) describes 
the roles of the flight safety crew and explicitly states subjects and 
tasks that the crew must be trained in and references the certification 
program. Finally, Sec.  417.311(c) requires the flight safety crew 
members to complete a training and certification program to ensure 
familiarization with launch site, launch vehicle, and FSS functions, 
equipment, and procedures related to a launch prior to being called on 
to support a launch. It also requires a preflight readiness training 
and certification program be completed and prescribes the content that 
must be included in such training. The current regulations are a burden 
to operators because they focus on FSSs and do not account for evolving 
technologies, including autonomous FSSs. Removing the prescriptive 
requirements in Sec.  417.311 and replacing them with performance-based 
requirements would alleviate this burden.
    The ARC recommends that the proposed regulation ensure that the 
applicant has a structure in place to protect public safety, and that 
the FAA use current requirements as guidelines for evaluation and 
approval when necessary. The FAA agrees that the regulations should 
ensure that personnel performing tasks that impact public safety are 
qualified to perform those tasks. As the industry grows and operations 
become more frequent and varied, operators need greater flexibility in 
operational practices. Employing a qualification program to ensure 
personnel performing safety-critical tasks are trained is one factor in 
protecting safety of public and public property.
    Therefore, the FAA proposes to remove the requirements for a 
certification program described in Sec. Sec.  415.113 and 417.105 and 
replace the prescriptive requirements of Sec.  417.311 with 
performance-based requirements that capture the intent of the current 
regulations--to ensure that an operator's safety-critical personnel are 
trained, qualified, and capable of performing their safety critical 
tasks, and that their training is current. Under proposed Sec.  
450.149, an applicant would be required to identify in its application 
the safety-critical tasks that require qualified personnel and provide 
its internal training and currency requirements, completion standards, 
or any other means of demonstrating compliance with proposed Sec.  
450.149(a).
    The proposed performance-based requirements would allow each 
operator to identify the safety-critical operations and personnel 
needed for the operation. It would also allow an operator to determine 
what training, experience, and qualification should be required for 
each safety-critical task. The FAA would consider any task that may 
have an effect on public safety and meets the definition of safety-
critical found in Sec.  401.5 subject to the requirements of Sec.  
450.149. These tasks would include, but are not limited to, operating 
and installing flight safety system hardware,

[[Page 15333]]

operating safety support systems, monitoring vehicle performance, 
performing flight safety analysis, conducting launch operations, 
controlling public access, surveillance, and emergency response. With 
the many different kinds of operations currently underway, an operator 
is in the best position to identify the operations, personnel, and 
training needed for its operation.
    The FAA would also require that an operator ensure personnel are 
qualified, and that those qualifications are current, without requiring 
certification. The regulation would require proper training of 
personnel and verification that each person performing safety critical 
tasks is qualified. Under Sec.  450.149, an applicant would be required 
to document all safety-critical tasks and internal requirements or 
standards for personnel to meet prior to performing the identified 
tasks during the application phase. The applicant would be required to 
provide internal training and currency requirements, completion 
standards, or any other means of demonstrating compliance with the 
requirements of Sec.  450.149 in its application. The applicant would 
also be required to describe the process for tracking training 
currency. In the event that a person's qualification was not current, 
either because their qualification does not meet the training currency 
requirements detailed in the application or because a new process or 
procedure has been instituted that has made the training inaccurate or 
incomplete, the individual would not be qualified to perform safety-
related tasks specific to the expired qualification.
    Lastly, part 460 contains training and qualification requirements 
for flight crew. Compliance with these requirements would meet the 
training and qualification requirements in proposed Sec.  450.149 for 
flight crew.
3. Work Shift and Rest Requirements
    The FAA proposes to combine the rest requirements of Sec. Sec.  
417.113(f) and 431.43(c)(4)(i) through (iv) into proposed Sec.  450.151 
(Work Shift and Rest Requirements) which would require an applicant to 
document and implement rest requirements that ensure personnel are 
physically and mentally capable of performing tasks assigned. An 
applicant would be required to submit its rest rules during the 
application phase.
    Personnel involved in the launch or reentry of expendable and 
reusable vehicles need to be physically and mentally capable of 
performing their duties, especially those people making decisions or 
performing operations that affect public safety. Fatigue can degrade a 
person's ability to function and make the necessary decisions to 
conduct a safe launch or reentry operation. Since the FAA started 
requiring rest rules, there have been no incidents resulting from 
fatigue during a licensed launch or reentry. To maintain this level of 
safety, the FAA proposes to continue requiring rest rules in order to 
prevent fatigue and ensure operator personnel can perform their duties 
safely.
    A 1993 NTSB investigation of an anomaly that occurred during a 
commercial launch from a Federal launch range found a high probability 
that fatigue and lack of rest prior to launch operations contributed to 
mistakes that resulted in the vehicle initiating flight while the range 
was in a no-go condition.\95\ Launching in a no-go condition increases 
risk to the public because the vehicle operates outside of established 
boundaries and analysis. The NTSB found that the person who decided to 
proceed with the launch was not given enough time to rest after working 
extra hours the previous day. In addition, the launch was scheduled for 
early in the morning so the on-console time was around 2:00 a.m. The 
NTSB report recommended instituting rest rules that allow for 
sufficient rest before the launch operation.
---------------------------------------------------------------------------

    \95\ Special Investigation Report: Commercial Space Launch 
Incident, Launch Procedure Anomaly Orbital Sciences Corporation, 
Pegasus/SCD-1, 80 Nautical Miles East of Cape Canaveral, Florida, 
February 9, 1993. Report PB 93-917003/NTSB/SIR93-02, July 23, 1993; 
(https://www.ntsb.gov/safety/safety-studies/Documents/SIR9302.pdf).
---------------------------------------------------------------------------

    As a result of the 1993 NTSB report, the FAA issued rest rules in 
its 1999 final rule. The 1999 final rule required an applicant to 
ensure that its flight safety personnel adhere to Federal launch range 
rest rules. In its 2000 final rule for RLVs, the FAA required rest 
rules, in Sec.  431.43(c)(4), similar to the Air Force work and rest 
standards for launches and the FAA's ELV requirements.\96\ The specific 
and detailed requirements set forth in Sec.  431.43(c)(4) fail to 
account for the various factors that can affect crew rest such as the 
time of day of an operation, length of preflight operations, and travel 
to and from the launch or reentry site.
---------------------------------------------------------------------------

    \96\ Section 431.43(c)(4) contains requirements that are 
detailed and prescriptive. It requires vehicle safety operations 
personnel to adhere to specific work and rest standards. These 
requirements prescribe the maximum length of workshift and the 
minimum rest period after such work shift preceding initiation of an 
RLV reentry mission or during the conduct of the mission. It also 
prescribes the maximum hours permitted to be worked in the 7 days 
preceding initiation of an RLV mission, the maximum number of 
consecutive work days, and the minimum rest period after 5 
consecutive days of 12-hour shifts.
---------------------------------------------------------------------------

    The 2006 final rule adopted the current Sec.  417.113(f), which is 
more performance-based than Sec.  431.43(c)(4). Section 417.113(f) 
requires that for any operation that has the potential to have an 
adverse effect on public safety, the launch rules must ensure that the 
launch crew is physically and mentally capable of performing all 
assigned tasks. It also requires those rules to govern the length, 
number, and frequency of work shifts, and the rest afforded to launch 
crew between shifts.
    The ARC recommended the FAA use the Sec.  417.113(f) approach as a 
basis for the proposed rest rules. The ARC recommended that the 
regulations should require each license applicant and operator to 
establish crew rest requirements applicable to their individual 
operation and suggested that the FAA consider each operator's rules 
through the application review and approval process. The FAA agrees 
with this approach. Additionally, the ARC suggested that the rest rules 
apply to specific personnel with direct control of the vehicle or 
launch or reentry decision making. While the FAA agrees with the intent 
of requiring all safety critical personnel to adhere to rest rules, it 
does not want to limit safety critical personnel to the roles the ARC 
identified because it is prescriptive and does not allow for 
operational flexibility.
    The FAA also agrees with the ARC that it is up to the company to 
monitor compliance with its rest rules. The FAA does not have an 
explicit requirement for an operator to monitor its employees, only 
that it documents and implements rest requirements. The FAA seeks 
comment on whether a specific requirement for operator monitoring would 
be necessary. Regardless, the FAA would monitor compliance on occasion 
with its inspection program, as it does today with current crew rest 
rules.
    The FAA recognizes that launch and reentry operations are varied. 
The FAA considered using prescriptive requirements like those in Sec.  
431.43(c)(4) to address rest rules. However, there are many factors 
that can affect crew rest that make a prescriptive regulation 
impracticably complex and inflexible for allowing alternate methods of 
compliance that take into account mitigations and unique circumstances.
    Section 450.151 would retain the current performance-based 
requirements of Sec.  417.113(f) with modifications to include launch 
and reentry operations. The proposed requirements would cover 
operations of expendable, reusable, and reentry vehicles and allow an 
operator flexibility to employ rest rules that fit

[[Page 15334]]

the particular operations. Current Sec.  417.113(f) requires that crew 
rest rules govern the length, number, and frequency of work shifts, 
including the rest afforded the launch crew between shifts. Similarly, 
proposed Sec.  450.151(a) would require an operator to document and 
implement rest requirements that ensure safety-critical personnel are 
physically and mentally capable of performing all assigned tasks. 
Proposed Sec.  450.151(b) would provide additional requirements 
regarding the aspects of work shifts and rest periods critical to 
public safety, and would add a process for extending work shifts.
    Proposed Sec.  450.151(b)(1) would require an operator's rest rules 
to include the duration of each work shift and the process for 
extending this shift; including the maximum allowable length of any 
extension. This requirement would provide each operator with the 
flexibility to identify the duration of each work shift most suited to 
the operation such that safety-critical personnel are physically and 
mentally capable of performing all assigned tasks. It would also 
require a process for extending a work shift. Work shift length is 
important because performance decreases and fatigue increases as the 
length of the work shift increases. An operator should determine the 
optimum length for a work shift that ensures personnel are capable of 
performing their assigned tasks. Unforeseen circumstances can require 
personnel to work beyond the established work shift length. In such 
cases, under this proposal, the operator would be required to have a 
process for extending the work shift length up to a limit where 
personnel are no longer considered capable of performing their duties.
    Proposed Sec.  450.151(b)(2) would require an operator's rest rules 
to include the number of consecutive work shift days allowed before 
rest is required. This requirement would provide each operator with the 
flexibility to identify the number of consecutive work shift days 
safety-critical personnel may work such that they remain physically and 
mentally capable of performing all assigned tasks. Proposed Sec.  
450.151(b)(3) would require an operator's rest rules to include the 
minimum rest period required between each work shift, including the 
period of rest required immediately before the flight countdown work 
shift. An operator would also be required to identify the minimum rest 
period required after the maximum number of work shift days allowed. 
Having enough rest between work shifts is important to ensure personnel 
are able to perform critical tasks. The rest period before a countdown 
is particularly important because it can be affected by time of launch, 
reviews, and work needed to get a vehicle ready for operation.
    The FAA also proposes to remove the term ``crew'' from the rest 
requirements. The use of ``crew'' can be misleading and limiting. 
Operators could interpret crew to be flight crew only, whereas the rest 
rules are intended to apply to any position affecting public safety. 
Under this proposal, an applicant would be required to submit rest 
rules to the FAA that demonstrate compliance with proposed Sec.  
450.151. The FAA would evaluate an operator's rest rules in the same 
way as it currently does under Sec.  417.113(f) to ensure that 
personnel affecting public safety are mentally and physically capable 
of performing their duties during launch or reentry operations, and 
that the rest rules satisfy the requirements of proposed Sec.  450.151.
    While an operator would be able to create its own rest rules under 
proposed Sec.  450.151, an applicant would also be able to use current 
rest rules. That is, Sec.  431.43(c)(4) would be an acceptable means of 
compliance to proposed Sec.  450.151. The FAA would evaluate other rest 
rules against this benchmark and relevant standards.
4. Radio Frequency Management
    The FAA proposes to maintain the current substantive requirements 
of Sec.  417.111(f) for radio frequency management and to expand the 
applicability of these requirements to RLVs and reentry vehicles in 
proposed Sec.  450.153 (Radio Frequency Management). The FAA also would 
remove the current requirements to implement a frequency management 
plan and to identify agreements for coordination of use of radio 
frequencies with any launch site operator and local and federal 
authorities.
    Under Sec.  415.119 and appendix B of part 415, an applicant for a 
launch license is required to include a frequency management plan \97\ 
in its application, and that plan must satisfy the requirements of 
Sec.  417.111(f). Specifically, current Sec.  417.111(f) requires an 
operator to implement a frequency management plan that identifies each 
frequency, all allowable frequency tolerances, and each frequency's 
intended use, operating power, and source. The plan must also provide 
for the monitoring of frequency usage and enforcement of frequency 
allocations and identify agreements and procedures for coordinating use 
of radio frequencies with any launch site operator and any local and 
Federal authorities, including the FCC.
---------------------------------------------------------------------------

    \97\ A radio frequency management plan describes how an operator 
manages radio frequencies to meet termination or tracking 
requirements.
---------------------------------------------------------------------------

    While parts 431 and 435 do not contain explicit frequency 
management requirements, an operator is required to identify and 
mitigate hazards, including hazards associated with frequency 
management as part of the system safety process in Sec.  431.35(c) and 
(d). Section 431.35(c) requires operators to perform a hazard analysis 
and identify, implement, and verify mitigations are in place.\98\
---------------------------------------------------------------------------

    \98\ One such hazard is radio interference that could disable a 
commanded FSS. An operator might mitigate such a hazard by ensuring 
that the power level of the command transmitter is sufficient to 
ensure termination with high reliability (i.e., 0.999 at 95 
percent). For reentry vehicles, radio frequencies for tracking are 
coordinated to ensure there is coverage where needed as well as 
communication with the vehicle.
---------------------------------------------------------------------------

    Section 450.153 would replace the current requirement in Sec.  
417.111(f) to implement a frequency management plan. In proposed Sec.  
450.153(a), the FAA proposes to make these radio frequency management 
requirements applicable to any radio frequency used. This proposed 
requirement would include radio frequencies used not only in launch 
vehicles, but also in RLVs and reentry vehicles. Because radio 
frequency requirements are a mitigation for hazards associated with 
frequency management, the proposed requirements would not necessarily 
be new requirements for RLVs or reentry vehicles but would codify the 
need for radio frequency management for RLVs and reentry vehicles.
    The FAA also proposes to maintain the substantive radio frequency 
requirements of current Sec.  417.111(f) in proposed Sec.  450.153(a). 
Although the increased use of autonomous termination systems makes 
frequency management less critical for flight termination, there are 
still many operators that use command termination systems. Moreover, 
these requirements remain applicable to autonomous termination systems 
because operators still need to allocate radio frequencies to telemetry 
and tracking. There are also other hazards, such as electromagnetic 
interference and induced currents, that can result from radio frequency 
interference and that require mitigation. Therefore, an operator would 
continue to be required to: (1) Identify each frequency, all allowable 
frequency tolerances and each frequency's intended use, operating power 
and source; (2) provide for monitoring of frequency usage and 
enforcement of frequency allocations; and (3)

[[Page 15335]]

coordinate the use of radio frequencies with any site operator and any 
local and Federal authorities.
    While no substantive changes are proposed to the radio frequency 
requirements, this proposal would remove the current requirement that 
an operator's frequency management plan identify agreements and 
procedures for coordinating the use of radio frequencies with any 
launch site operator and any local or federal authorities. Many of the 
agreements necessary for radio frequency management would be covered in 
proposed Sec.  450.147.
    In proposed Sec.  450.153(b), an applicant would be required to 
submit procedures or other means to demonstrate compliance with the 
requirements of Sec.  450.153(a) as part of its application. This 
requirement would provide an applicant flexibility in the manner of 
demonstrating compliance, such as using checklists or continuing to use 
a frequency management plan.
5. Readiness: Reviews and Rehearsals
    The FAA proposes to revise and consolidate the readiness 
requirements of parts 417 and 431 into a performance-based regulation 
that would require an operator to document and implement procedures to 
assess readiness to proceed with the flight of a launch or reentry 
vehicle. The FAA currently requires an operator to be ready to perform 
launch or reentry operations. Readiness, which is currently addressed 
through readiness reviews and rehearsals, has three components--
readiness of the vehicle, of the personnel, and of the equipment. In 
consolidating these parts, the FAA proposes to remove the current 
requirements to conduct rehearsals, to poll the FAA at the launch 
readiness review, and to provide a signed written decision to proceed. 
The FAA also proposes to eliminate the specific review requirements of 
Sec. Sec.  417.117 and 431.37.
    Launch rates have increased substantially since the adoption of 
parts 417 and 431. In 2007, an operator might only launch one to three 
times a year. Currently, there are operators that have launch rates 
exceeding 20 launches per year. Readiness requirements have become 
overly burdensome as operators spend time on rehearsals and reviews 
that were meant to ensure readiness. Timing requirements have resulted 
in additional reviews or non-compliances. Operators in a high launch 
rate environment may not benefit much from rehearsals and added 
reviews.
    Currently, Sec.  417.117 requires that a launch operator (1) review 
the status of operations, systems, equipment and personnel required by 
part 417, (2) maintain and implement documented criteria for successful 
completion of each review, (3) track and document corrective actions or 
issues identified during the review, and (4) ensure that launch 
operator personnel overseeing the review attest to successful 
completion of the reviews criteria in writing. Section 417.117(b)(3) 
requires an operator to conduct a launch readiness review for flight 
within 48 hours of flight. The decision to proceed with launch must be 
in writing and signed by the launch director and any launch site 
operator or Federal launch range. The launch operator must also poll 
the FAA to verify that the FAA has not identified any issues related to 
the launch operator's license.
    For RLV operations, Sec.  431.37 requires an applicant to submit 
procedures that ensure readiness of the vehicle, personnel, and 
equipment as part of the application process. These procedures must 
involve the vehicle safety operations personnel and the launch site and 
reentry site personnel involved in the mission. The procedures must 
include a mission readiness review and specify that the individual 
responsible for the conduct of the licensed activities is provided 
specific information upon which he or she can make a judgement as to 
mission readiness.
    Additionally, as part of the readiness requirements, Sec.  417.119 
requires an operator to rehearse its launch crew and systems to 
identify corrective actions necessary to ensure public safety that 
cover the countdown, communications, and emergency procedures, and it 
specifically directs the launch operator in how to conduct its 
rehearsals. Section 431.33(c)(1) similarly requires an applicant to 
monitor and evaluate operational dress rehearsals to ensure they are 
conducted in accordance with procedures required by Sec.  431.37 to 
ensure the readiness of vehicle safety operations personnel.
    The requirements of both parts 417 and 431 are prescriptive and do 
not provide an operator with much flexibility as to compliance. The 
lack of flexibility is evidenced by the issuance of waivers and 
documentation of non-compliances. This requirement has created a burden 
on operators because they must spend extra resources requesting waivers 
and responding to enforcement actions. Processing waivers and 
conducting additional reviews costs time and money for the FAA, as 
well. For example, Sec.  417.117(b)(3) requires a flight operator to 
hold a launch readiness review no earlier than 48 hours before flight. 
Since 2007, the FAA has processed over 20 waivers to the 48-hour 
requirement. In situations where ELV operators have not requested a 
waiver to the timing requirement, they have held additional reviews 
just to meet the timing requirement of the flight readiness review. 
Additionally, the FAA has issued at least three enforcement letters 
because operators did not meet the timing requirement.
    The ARC recommended that the FAA distill reviews down to intent, 
list the minimum items the FAA reviews, and let the operator inform the 
FAA in the license application where those items are and how they would 
be reported. The FAA agrees that specific reviews are not required and 
proposes a list of items required to address readiness. The FAA also 
agrees that specific rehearsals are not required because there are a 
variety of methods by which an operator could meet readiness 
requirements. As discussed later, the FAA proposes to remove the 
specific requirement for rehearsals.
    The FAA proposes to revise and consolidate the readiness 
requirements of parts 417 and part 431 into proposed Sec.  450.155, 
which would require an operator to document and implement procedures to 
assess readiness to proceed with the flight of a launch or reentry 
vehicle. The FAA anticipates that under this proposal an operator would 
be able to achieve readiness by various methods including, but not 
limited to, readiness meetings, tests, rehearsals, static fire tests, 
wet dress rehearsals,\99\ training, and experience.
---------------------------------------------------------------------------

    \99\ A wet dress rehearsal includes at least a partial fueling 
of a vehicle with a liquid propellant.
---------------------------------------------------------------------------

    While current regulations require specific readiness reviews, 
proposed Sec.  450.155 (Readiness) would remove the requirement for 
flight readiness reviews, including the requirements for a launch 
readiness review no earlier than 15 days before flight and the flight 
readiness review no earlier than 48 hours before flight. The FAA 
proposes to remove these requirements because it has found that 
multiple readiness reviews may not be necessary to demonstrate 
readiness. For instance, readiness can be determined by a single 
meeting close enough in time to the launch or reenty to ensure there 
have been no material changes to readiness, such as failure of a radar 
or telemetry system. Under the proposed rule, it would be up to the 
operator to propose how it would ensure readiness, and whether such 
procedures would include one or more readiness reviews, testing, or 
some other means. By eliminating the timing requirements, operators 
with high launch rates could propose how they

[[Page 15336]]

will ensure they are ready for launch and whether that involves one or 
more readiness reviews held close enough in time to the launch to 
ensure no significant changes occur between the review and the launch. 
Removing the specific requirements for reviews and tests would not 
relieve the operator from having to perform a test or hold a review 
that is necessary for determining readiness, rather it would provide 
the operator with flexibility to develop and propose those tests and 
reviews most suitable for the operation in order to ensure readiness. 
The FAA would evaluate and make a determination on the adequacy of the 
proposed procedures during the licensing process. The FAA plans to 
publish a draft means-of-compliance guide with the publication of the 
proposed rule, which should include acceptable approaches. In the long 
term, the FAA plans to refer to an AC or standard for every 
performance-based requirement.
    Instead of requiring specific readiness reviews, proposed Sec.  
450.155 would require that an operator document and implement 
procedures to assess readiness to proceed with the flight of a launch 
or reentry vehicle. As part of the application requirements, the 
operator would be required to demonstrate compliance with the 
requirements of proposed Sec.  450.155 through procedures that may 
include a readiness meeting close in time to flight. Unlike Sec. Sec.  
417.117 and 431.37, proposed Sec.  450.155 would not specify 
particulars of what the procedures must contain. However, the operator 
would be required to document and implement procedures that at a 
minimum address: (1) Readiness of vehicle and launch, reentry, or 
landing site, including any contingency abort location; (2) readiness 
of safety-critical personnel, systems, software, procedures, equipment, 
property and services; and (3) readiness to implement a mishap plan. 
The FAA proposes to require that the procedures address these 
particular areas because the FAA has determined that a safe launch or 
reentry, at a minimum, requires the vehicle, site, and safety personnel 
to be ready and all safety systems and safety support equipment to be 
working properly. Additionally, being prepared to implement a mishap 
plan would ensure that public safety is maintained during a mishap 
because personnel would be familiar with their roles and ready to 
perform their duties in order to return the vehicle and site to a safe 
condition after the mishap.
    The FAA also proposes to remove the requirement that an operator 
poll the FAA at the launch readiness review and provide a signed 
certificate of the decision to proceed contained in Sec.  417.117. This 
polling is unnecessary because the FAA will always inform the operator 
of any licensing issues as soon as the FAA becomes aware of them. The 
FAA also proposes to remove the requirement that an operator provide a 
signed certificate of the decision to proceed with launch or reentry 
operations because the FAA has not used any signed certificate required 
under Sec.  417.117 for any launch or reentry. All the certificates 
have been filed and have not served any purpose other than to comply 
with the requirement under Sec.  417.117. The FAA believes that 
removing the requirements to poll the FAA and to have a signed 
certificate to proceed would not affect public safety and would relieve 
burdens to comply with those requirements from the operator and the 
FAA.
    The FAA proposes to remove the requirements in Sec.  417.119 
because rehearsals are not always needed to achieve readiness. It is 
important that the launch team be familiar with operations. Rehearsals 
are a good way to ensure proficiency with procedures, exercise 
communications and critical safety positions as a team, and identify 
areas where the operator needs to improve. However, the FAA 
acknowledges that rehearsals are not the only way to ensure the 
readiness performance requirement is met. This proposal would allow an 
operator to determine what methods would be best suited to ensure 
readiness for its operation. Operators that have high launch rates may 
not need to rehearse personnel that were involved in a similar launch 
days or weeks earlier. However, licensees that have not launched for a 
long time or that are launching for the first time may need rehearsals 
to meet some of the readiness requirements. Operators with high launch 
rates could demonstrate readiness with a readiness review and would not 
have to hold rehearsals, and training could fill gaps where actual 
operations do not provide familiarity with certain aspects of 
operations. For example, if no anomalies are experienced during actual 
operations, the operator could hold a rehearsal or provide additional 
training to exercise the anomaly resolution process.
    Current Sec.  417.117(b)(3)(xi) requires an operator to review 
launch failure initial response actions and investigation roles and 
responsibilities and Sec.  417.119(c) requires an operator to have a 
mishap plan rehearsal; current Sec.  431.45 contains the requirements 
for a mishap plan for RLVs. Section 450.155(a)(3) would require an 
operator to document and implement procedures to ensure readiness to 
implement a mishap plan in the event of a mishap. The proposal would 
allow flexibility to meet the readiness requirement for implementing a 
mishap plan by allowing an operator to propose a procedure acceptable 
to the FAA. Thus, an operator would have the ability to develop 
procedures to ensure readiness through training, rehearsals, or other 
means that might be more applicable to its vehicle and mission. The FAA 
would still expect an operator to review any lesson learned, corrective 
action, or changes to procedures resulting from any mishap plan 
rehearsals or mishap investigations.
    Under Sec.  450.155(b), an applicant would need to demonstrate 
compliance with the requirements through procedures that may include a 
readiness meeting close in time to flight and describe the criteria for 
establishing readiness to proceed with the flight of a launch or 
reentry vehicle.
6. Communications
    Currently, the FAA requires operators to implement communications 
plans to ensure that clear lines of authority and situational awareness 
are maintained during countdown operations. The communications plan was 
the result of a 1993 NTSB investigation discussed earlier. One of the 
contributing factors identified in the investigation was the lack of 
clear communications between different ranges and the operator. The FAA 
requirements for communications plans are currently found in Sec. Sec.  
417.111(k) and 431.41 and are nearly identical. Currently, Sec. Sec.  
417.111(k) and 431.41 require an operator to implement a communications 
plan. Part 435 requires a reentry vehicle operator to comply with the 
safety requirements of part 431, including Sec.  431.41. Both 
Sec. Sec.  417.111(k) and 431.41 require an operator's communications 
plan to define the authority of personnel, by individual or position 
title, to issue ``hold/resume,'' ``go/no-go,'' and abort commands; 
assign communication networks so that personnel have direct access to 
real-time safety-critical information required to issue ``hold/
resume,'' ``go/no-go,'' and any abort decisions and commands; ensure 
personnel monitor common intercom channels during countdown and flight; 
and implement a protocol for using defined radio telephone 
communications terminology.
    Additionally, Sec.  431.41(b) requires that the applicant submit 
procedures to ensure that the licensee and reentry site personnel 
receive copies of the communications plan, and that the reentry site 
operator concurs with the plan. For launches from a Federal

[[Page 15337]]

launch range, Sec.  417.111(k) also requires the Federal launch range 
to concur with the communications plan.
    Operators launching from Federal launch ranges comply with Sec.  
417.111(k). Operators submit a communications plan during the 
application process and coordinate with the Air Force. The 
communications plan includes lines of authority, identification of who 
has access to which channels, protocols for communication and 
procedures for decision processes. Often, the communication plan is not 
fully developed at the time the operator applies for a license, so 
operators often submit a representative plan during the application 
process and then provide a final plan prior to the first launch under a 
license.
    The FAA proposes to retain the substantive communications 
requirements in Sec. Sec.  417.111(k) and 431.41 in Sec.  450.157 
(Communications), in paragraph (a), and remove the specific requirement 
to implement a communications plan. Section 450.157(b) would also 
require an operator to ensure currency of the communication procedures, 
similar to the current requirement in Sec.  417.111(e). The FAA would 
preserve these requirements because all key participants must work from 
the same communications procedures in order to avoid miscommunication 
that could lead to a mishap.\100\
---------------------------------------------------------------------------

    \100\ NTSB Special Investigation Report: Commercial Space Launch 
Incident, Launch Procedure Anomaly Orbital Science Corporation, 
Pegasus/SCD-1, 80 Nautical Miles East of Cape Canaveral, Florida 
(February 9, 1993); at p. 53.
---------------------------------------------------------------------------

    Section 450.157(c) would require an operator during each countdown 
to record all safety-critical communications network channels that are 
used for voice, video, or data transmissions to support safety-critical 
systems. This is substantially the same requirement as in Sec. Sec.  
417.111(l)(5)(vii) and 431.41. The FAA would retain this requirement 
because communications recording is often critical to mishap 
investigations.
    Lastly, the FAA would not require operators to submit communication 
procedures during the application process because generally such 
procedures are not mature at the time of application, and hence are 
unlikely to be the ones used during the actual countdown. Under the 
proposal, the FAA would not approve the communications procedures prior 
to licensing and would rely instead on an inspection process that 
ensures the operator is following the requirements for communications 
procedures. These inspections would be consistent with current 
practice, where FAA inspectors often review the operator's final 
communications procedures. Given that the FAA would no longer require 
demonstrations of compliance at the application stage for 
communications and preflight procedures, operators may be required to 
make revisions to those procedures to resolve issues identified during 
compliance monitoring.
7. Preflight Procedures
    Under Sec.  417.111(l), an operator is required to develop and 
implement a countdown plan that verifies each launch safety rule and 
launch commit criterion is satisfied, personnel can communicate during 
the countdown, the communication is available after the flight, and a 
launch operator will be able to recover from a launch abort or delay. 
This countdown plan must cover the period of time when any launch 
support personnel are required to be at their designated stations 
through initiation of flight. It also must include procedures for 
handling anomalies that occur during countdown and any constraints to 
initiation of flight, for delaying or holding a launch when necessary, 
and for resolving issues. It must identify each person by position who 
approves the corrective actions, and each person by position who 
performs each operation or specific action. It also must include a 
written countdown checklist that must include, among other items, 
verification that all launch safety rules and launch commit criteria 
have been satisfied. In case of a launch abort or delay, the countdown 
plan must identify each condition that must exist in order attempt 
another launch, including a schedule depicting the flow of tasks and 
events in relation to when the abort or delay occurred and the new 
planned launch time, and identify each interface and entity needed to 
support recovery operations. Currently Sec.  415.37(a)(2) requires that 
the applicant file procedures that ensure mission constraints, rules 
and abort procedures are listed and consolidated in a safety directive 
or notebook. Similarly, the mission readiness requirements of Sec.  
431.37(a)(2) require that procedures that ensure mission constraints, 
rules, and abort plans are listed and consolidated in a safety 
directive notebook.
    Currently some operators have paper notebooks containing all the 
checklists and countdown plans. These notebooks are updated frequently, 
even up to the day before a launch with change pages by every member of 
the launch team. This process can sometimes lead to confusion and 
configuration issues. Other operators have electronic systems that 
contain all the checklists and countdown procedures. There are many 
advantages to electronic records, such as ease of dissemination and 
configuration control. As electronic file use becomes more common, the 
need for a physical notebook becomes unnecessary. What is critical for 
safety is that all launch personnel have the same set of procedures. 
Due to the dynamic nature of countdown procedures, operators provide 
checklists and procedures used in prior launches to meet the 
application requirements. The FAA evaluates these checklists and 
procedures during the license evaluation. However, because the 
checklists and procedures being evaluated are not final, operators must 
submit all updates to these documents as part of the continuing 
accuracy of the license requirements. FAA inspectors ensure the 
checklists and procedures are the most current, and that configuration 
control is maintained.
    The FAA proposes to streamline the current countdown procedures and 
requirements in Sec. Sec.  415.37(a)(2), 417.111(l), and 431.39(a)(2) 
and replace them in Sec.  450.159 (Preflight Procedures). In doing so, 
the FAA proposes to remove the requirements for safety directives or 
safety notebooks and for a countdown plan, and the requirement to file 
such plans because there are many methods of documenting the preflight 
procedures that do not involve a plan or notebook. Although the 
proposed preflight procedures would not be required to be submitted as 
part of the license application process, FAA inspectors would still 
ensure that such preflight procedures are implemented.
    Unlike the current regulations, the FAA proposes a performance-
based requirement where an operator would need to implement preflight 
procedures would verify that all flight commit criteria are satisfied 
before flight and that ensure the operator is capable of returning the 
vehicle to a safe state after a countdown abort or delay.\101\ This 
aligns with the intent of current regulations while permitting 
flexibility on how the safety goal is achieved. As a result, there 
would be no impact on safety resulting from the removal of the current 
prescriptive requirements.
---------------------------------------------------------------------------

    \101\ A countdown abort includes launch scrubs, recycle 
operations, hang-fires, or any instance in which the launch vehicle 
does not lift-off after a command to initiate flight has been sent.
---------------------------------------------------------------------------

    Additionally, proposed Sec.  450.159(b) would require an operator 
to ensure the currency of the preflight procedures, and that all 
personnel are working with the approved version of the preflight

[[Page 15338]]

procedures, similar to the current requirement in Sec. Sec.  
415.37(a)(3) and 431.39(c). The FAA would preserve these requirements 
because all key participants must work from the same preflight 
procedures in order to avoid a mishap.
    The FAA anticipates that the current requirements of Sec.  
417.111(l)(1) through (6) would be a means of compliance under the 
proposal, but not the only means of compliance. By allowing alternative 
means of compliance, the proposed regulations would provide greater 
operational flexibility and procedure streamlining across all operation 
types.
8. Surveillance and Publication of Hazard Areas
    The FAA proposes to adopt surveillance of a flight hazard area 
regulations based on recent granted waivers and to better align with 
current practices at the Federal launch ranges, where most commercial 
launches take place, and to codify current practice that eliminates 
unnecessary launch delays while maintaining public safety. This 
proposal would only alter the substantive requirements applicable to 
the surveillance of ship (waterborne vessel) hazard areas not the 
surveillance of land or aircraft hazard areas. Therefore, this 
discussion will focus primarily on the proposal's effect on the 
surveillance of waterborne vessel hazard areas. The specific 
requirements for conducting a flight hazard area analysis are discussed 
later in the preamble.
    Current regulations on establishing and surveilling hazard areas, 
including ship hazard areas, for ELVs are found in Sec. Sec.  417.205 
\102\ and 417.223 \103\ and part 417, appendix B.\104\ Part 431 does 
not set explicit requirements for the surveillance of waterborne vessel 
hazard areas, and the FAA has not yet issued a license under part 431 
over water. However, both Sec. Sec.  417.107(b)(2) and 431.35(b)(1)(ii) 
require that an operator ensure all members of the public are cleared 
of all regions, whether land, sea, or air, where any individual would 
be exposed to more than 1 x 10^-6 PC. Although not 
explicit, the current regulations for ELV and RLV operations 
effectively require surveillance and evacuation of all regions where 
the individual risk criterion would be violated by the presence of any 
member of the public.
---------------------------------------------------------------------------

    \102\ Section 417.205 requires the flight safety analysis to 
employ risk assessment, hazard isolation, or a combination of risk 
assessment and partial isolation of the hazards to demonstrate 
control of risk to the public.
    \103\ Section 417.223 requires, in part, that an FSA include a 
flight hazard area analysis that identifies any regions of land, 
sea, or air that must be surveyed, publicized, controlled, or 
evacuated in order to control the risk to the public from debris 
impact hazards.
    \104\ Section B417.5(a) of appendix B to part 417 states that a 
launch operator must perform a launch site hazard area analysis that 
protects the public, aircraft, and ships from the hazardous 
activities in the vicinity of the launch site.
---------------------------------------------------------------------------

    The net effects of the current ELV regulations are: (1) An operator 
must establish a ship hazard area sufficient to ensure the 
PI for any ship does not exceed 1 x 10^-5 for any 
debris that could cause a casualty, (2) an operator must monitor the 
ship hazard area prior to initiating the flight operation, and (3) if a 
large enough ship enters the waterborne vessel hazard area to exceed 
the 1 x 10^-5 PI criterion, then the launch must 
be scrubbed or delayed until the ship exits the hazard area. Appendix B 
to part 417 directs a launch operator to evacuate and monitor each 
launch site hazard area to ensure compliance with the risk criteria in 
Sec.  417.107(b)(2) and (3) and provide an adequate methodology to 
achieve this end. The FAA designed this methodology to be consistent 
with Air Force range safety requirements in 2006 and to ensure that the 
cumulative PI to any ships would not exceed 1 x 
10^-5 for any debris expected to exceed the kinetic energy or 
overpressure thresholds established by Sec.  417.107(c).
    Current Sec.  417.223(b) requires public notices for flight hazard 
areas. A flight hazard area analysis must establish the ship hazard 
areas for notices to mariners that encompass the three-sigma impact 
dispersion area for each planned debris impact.\105\ Section 417.121(e) 
contains procedural requirements for issuing notices to mariners (and 
airmen). Furthermore, Sec.  417.111(j) requires a launch operator to 
implement a plan that defines the process for ensuring that any 
unauthorized persons, ships, trains, aircraft or other vehicles are not 
within any hazard areas identified by the FSA or the ground safety 
analysis. In the plan, the launch operator must list each hazard area 
that requires surveillance to meet Sec. Sec.  417.107 and 417.223, as 
well as describe how the launch operator will provide for day-of-flight 
surveillance of the flight hazard area to ensure that the presence of 
any member of the public in or near a flight hazard area is consistent 
with flight commit criteria developed for each launch. In practice, 
these regulations have been comprehensive enough to ensure public 
safety, but at times overly prescriptive and unduly conservative.
---------------------------------------------------------------------------

    \105\ In addition, a flight hazard area analysis must establish 
the aircraft hazard areas for notices to airmen that encompass the 
3-sigma impact dispersion volume for each planned debris impact.
---------------------------------------------------------------------------

    The FAA has waived several waterborne vessel protection 
requirements \106\ in light of advanced ship monitoring technology and 
risk calculation models. The FAA's first waiver of the Sec.  
417.107(b)(3) requirement illustrates the need for this proposed 
change.\107\ In approving the first waiver and numerous subsequent 
waivers to enable the proposed option, the FAA assessed the 
technological advances previously discussed. In this assessment, the 
FAA reviewed the Federal launch range input data and probabilistic 
casualty models that the Air Force at the 45th Space Wing uses to 
quantify individual and collective risks to people on waterborne 
vessels during the launch countdown for space launch missions. The FAA 
found that the 45th Space Wing's public risk analyses use accurate data 
and scientific methods that are mathematically valid, with reasonably 
conservative assumptions applied in areas where significant uncertainty 
exists. In that instance, the FAA performed independent analyses using 
alternative methods to estimate the casualty risks for multiple 
foreseeable scenarios involving debris impacts on various types of 
waterborne vessels and found that large passenger vessels anywhere 
between the launch point and the first stage disposal zone can 
contribute significantly to the estimated EC from a launch. 
The FAA also found that small boats (too small to have Automatic 
Identification System (AIS) required \108\) located close to the launch 
point should not produce significant individual risks. However, no past 
waivers involved changes in the areas where surveillance was mandatory 
in current practice, only where ships were allowed to be present in 
order for the launch to proceed.
---------------------------------------------------------------------------

    \106\ For example, see Waivers of Ship Protection Probability of 
Impact Requirement, 81 FR 28930 (May 10, 2016).
    \107\ 81 FR 28930 (May 10, 2016).
    \108\ AIS is required on commercial vessels 65 feet in length or 
more, towing vessels 26 feet in length or more, and other self-
propelled vessels certified to carry more than 150 passengers or 
carrying dangerous cargo.
---------------------------------------------------------------------------

    Section 450.161 (Surveillance and Publication of Hazard Areas) 
would require an operator to publicize, survey, and evacuate each 
flight hazard area before initiating flight or reentry, to the extent 
necessary to ensure compliance with proposed Sec.  450.101. Proposed 
Sec.  450.161(a) does not change the need for surveillance relative to 
the current requirements in parts 417 or 431 for people on land or 
aircraft because the proposal would continue to require that

[[Page 15339]]

an operator ensure all regions where any individual member of the 
public would be exposed to more than 1 x 10^-6 PC 
are evacuated. However, the proposal would remove the requirement to 
evacuate and monitor areas where a waterborne vessel would be exposed 
to greater than 1 x 10^-5 PI currently required by 
Appendix B to part 417, paragraph 417.5(a).
    The FAA proposal to include people on ships in the collective risk 
computation (see proposed Sec.  450.101(a)(1) and (b)(1)) would 
explicitly allow the application of risk management principles to 
protect people on waterborne vessels. For example, an applicant could 
apply conservative estimates of the ship traffic and vulnerability to 
demonstrate acceptable public risks. In proposed Sec.  450.161(a), 
surveillance would only be required to the extent necessary to ensure 
compliance with the public safety criteria, including individual and 
collective risks as well as notification of planned impacts from normal 
flight events capable of causing a casualty. For instance, an operator 
would not need to perform surveillance of areas where the risk to any 
individual would be no more than 1 x 10^-6 PC, 
unless surveillance was necessary to ensure acceptable collective 
risks.
    The proposal would generally allow operators the option to use the 
current approach in part 417, where surveillance is required to ensure 
no ship is exposed to more than 1 x 10^-5 PI, 
because that would generally be sufficient to ensure compliance with 
proposed Sec.  450.101. In addition, the proposal would also provide 
the option for launch and reentry operators to use the new technology, 
including modern surveillance techniques, and include people in 
waterborne vessels as part of the collective risk calculation as 
approved by previous waivers.\109\ Current practice is to issue waivers 
to operators as an alternative to scrubbing or delaying a launch or 
reentry due to waterborne vessels in an area where the PI 
exceeds 1 x 10^-5. Thus, the proposal would curtail the need 
for waivers.
---------------------------------------------------------------------------

    \109\ 81 FR 28930 (May 10, 2016).
---------------------------------------------------------------------------

    While the proposal would relax the current part 417 requirement to 
ensure that no ship is exposed to more the 1 x 10^-5 PI, the 
FAA notes that the requirement to ensure no ships are present in areas 
where the individual risk exceeds 1 x 10^-6 PC is 
consistent with international guidelines. The International Maritime 
Organization (IMO) is the United Nations organization for safety and 
environmental protection regulations for maritime activities. The IMO 
has developed a risk-based approach to safety and environmental 
protection regulations, which identifies a key threshold of one in a 
million (1 x 10^-6) probability of fatality per year for 
individual crewmembers, passengers, and members of the public ashore 
(considered third parties by the IMO). The IMO guidelines equate 
individual risks at the 1 x 10^-6 probability of fatality per 
year as broadly acceptable for maritime activities, and specifically 
state that individual risks below this level are negligible and no risk 
reduction required. The proposed Sec.  450.101(a)(2) and (b)(2) 
requirements would ensure that no person will be present on ships where 
the individual risk exceeds 1 x 10^-6 PC . This 
requirement is consistent, and reasonably conservative, with respect to 
the IMO guidelines as explained in the RCC 321-07 Supplement.\110\ 
Thus, the FAA proposes to codify requirements for the development and 
surveillance of ship hazard area that are reasonably consistent with 
IMO guidelines for formal safety assessments.
---------------------------------------------------------------------------

    \110\ Range Commanders Council Risk Committee of the Range 
Safety Group, Common Risk Criteria for National Test Ranges: 
Supplement. RCC 321-07 Supplement, White Sands Missile Range, New 
Mexico, 2007, p. 5-50.
---------------------------------------------------------------------------

    As previously discussed, there were important advances in ship 
surveillance techniques in recent years. In the past, observation 
techniques posed significant risks to launch operators. For example, 
the only known deaths related to launch operations at Cape Canaveral 
were five occupants of a helicopter that crashed at sea shortly after 2 
a.m. on April 7, 1984, while flying surface surveillance for the 
scheduled launch of a Trident 1 missile from the USS Georgia.\111\ In 
many cases, the proposal would relieve the requirement for the type of 
surveillance that posed significant risks to launch operators in the 
past.
---------------------------------------------------------------------------

    \111\ Air Force News Print Today (Apr. 8, 2011).
---------------------------------------------------------------------------

    Section 450.161(b) would require surveillance sufficient to verify 
or update the assumptions, input data, and results of the flight safety 
analyses. Given there are numerous assumptions and input data that are 
critical to the validity of the flight safety analyses, this 
requirement could have a variety of surveillance implications beyond 
the surveillance necessary to ensure the public exposure at the time of 
the operation is consistent with the assumptions and input data for the 
flight safety analyses. For example, an FSA could assume that a 
jettisoned stage remains intact to impact or breaks up into numerous 
pieces that are all capable of causing casualties to people in a class 
of aircraft (e.g., business jets). An operator would be required to 
employ some type of surveillance (e.g., telemetry data, or remote 
sensors such as a camera or radar) to verify that the jettisoned stage 
behaves as assumed by the FSA if that behavior is germane to the size 
of the aircraft hazard area.
    Additionally, Sec.  450.161(c) would require an applicant to 
publicize warnings for each flight hazard area, except for regions of 
land, sea, or air under the control of the vehicle or site operator or 
other entity by agreement. If the operator relies on another entity to 
publicize these warnings, the proposal requires the operator to verify 
that the warnings have been issued. The FAA notes that some operators 
already follow this practice. The proposed requirements would allow 
warnings that are consistent with current practice but would also allow 
more flexibility for warnings to mariners in accordance with proposed 
Sec.  450.133(b). Notably, Sec.  450.133(b)(1) would be consistent with 
current practice at the Federal launch ranges based on input from the 
CSWG, and Sec.  450.133(b)(2) and (3) are based on current U.S. 
Government consensus standards).\112\ Proposed Sec.  450.161(d) would 
also require an applicant to describe how it will provide for day-of-
flight surveillance of flight hazard areas, if necessary, to ensure 
that the presence of any member of the public in or near a flight 
hazard area is consistent with flight commit criteria developed for 
each launch or reentry.
---------------------------------------------------------------------------

    \112\ RCC 321-17 Standard.
---------------------------------------------------------------------------

    This proposal is consistent with the executive branch policy to 
replace prescriptive requirements with performance-based criteria.\113\ 
Specifically, the FAA proposes to replace the ``one-size-fits-all'' 
approach to ship protection that effectively prevents launch or reentry 
operations to proceed if ships are in identified hazard areas 
irrespective of the estimated risks posed to people on those vessels. 
For example, during the launch of the Falcon 9 from CCAFS to deliver 
the SES-9 payload to orbit, SpaceX was delayed by the presence of a tug 
boat towing a large barge inside the ship hazard area in compliance 
with the FAA's requirement in Sec.  417.107(b) to limit the 
PI for waterborne vessels to 1 x 10^-5.\114\ Under 
the proposal, delays such as this would be avoided without the need for 
waivers. The FAA proposes to replace the ``one-size-fits-all'' approach 
with the performance-based criteria of the collective and individual

[[Page 15340]]

risk limits in proposed Sec.  450.101, and in doing so would require an 
operational delay only when necessary to ensure acceptable individual 
and collective risks. This approach was safely and successfully used, 
by waiver, for all Falcon 9 launches from the CCAFS and KSC starting in 
2016. The FAA seeks comment on the proposed approach.
---------------------------------------------------------------------------

    \113\ SPD-2 (May 24, 2018), at Section 2b.
    \114\ 81 FR 28930 (May 10, 2016).
---------------------------------------------------------------------------

    Application of public risk management for the protection of people 
in waterborne vessels has the potential for reducing launch costs by 
reducing the number of operational delays and scrubs due to ships in 
areas where the individual and collective risks are nevertheless 
acceptable. Because it is a major procurer of launch services, reduced 
launch costs would be of direct benefit to the U.S. Government. It 
would also help to make the U.S. launch industry more competitive 
internationally by reducing launch delays and scrubs.
9. Lightning Hazard Mitigation
    The FAA proposes to remove appendix G to part 417 and replace it 
with the performance-based requirements of Sec.  450.163 (Lightning 
Hazard Mitigation). The current requirements in appendix G to part 417 
are outdated, inflexible, overly conservative, and not explicitly 
applicable to many RLVs and reentry vehicles.
    Lightning is an atmospheric discharge of electricity, and can 
either occur naturally or be ``triggered.'' Triggered lightning can be 
initiated as a result of a launch vehicle and its electrically-
conductive exhaust plume passing through a strong pre-existing electric 
field.\115\ However, the triggering phenomenon is unpredictable because 
there are many conditions that must occur in order for the breakdown of 
the electric field resulting in a lightning strike to occur. One 
condition is the enhancement factor of the launch or reentry vehicle 
that acts as a conductor. The extremities of the vehicle, such as the 
nose radius of curvature coupled with the effective length of the 
vehicle (taking into account the plume length) will establish the 
viability of a lightning strike. Furthermore, a launch vehicle's 
propellants will have different conductivity characteristics, leading 
to varying lengths; \116\ as a result, not every vehicle will trigger a 
lightning strike under the same environmental conditions. This 
unpredictability is exacerbated further by the fact that a triggered 
lightning strike can occur even when the vehicle is penetrating a 
benign cloud, or is outside a cloud that is not producing lightning.
---------------------------------------------------------------------------

    \115\ Roeder, William P. and Todd M. McNamara, A Survey Of The 
Lightning Launch Commit Criteria, American Meteorological Society, 
Aviation Range and Meteorology Conference.
    \116\ E. P. Krider, M. C. Noogle, M. A. Uman, and R. E. Orville. 
``Lightning and the Apollo 17/Saturn V Exhaust Plume,'' Journal of 
Spacecraft and Rockets, Vol. 11, No. 2 (1974), p. 72-75.
---------------------------------------------------------------------------

    Lightning can and has caused or necessitated the destruction of 
launch and reentry vehicles in flight. This destruction may occur both 
by physical damage (direct effect) to structural or electronic 
components from lightning attachment to the vehicle and by damage or 
upset to electronic systems from a nearby discharge (indirect effect). 
The direct and indirect effects of a lightning discharge pose hazards 
to the safety critical systems of launch and reentry vehicles, such as 
the FSS. If damage to the vehicle's safety critical components renders 
it inoperable or causes safety-critical systems to malfunction, there 
may be no way to stop the vehicle from reaching the public. For 
example, the damage may cause the command signal that instructs the 
vehicle to stop thrusting, or to abort the mission, to not be received.
    Two such triggered lightning events occurred in 1969 and 1987, 
during ascent. In 1969, when a manned Apollo XII \117\ vehicle lost 
power to its Command Module, the launch was seconds away from beginning 
initiation of its abort command. In 1987, an unmanned ELV lost its 
guidance, navigation and control \118\ and began careening towards the 
range safety impact limit lines. The range safety officer had to 
terminate its flight.
---------------------------------------------------------------------------

    \117\ Merceret et al., ed., A History of the Lightning Launch 
Commit Criteria and the Lightning Advisory Panel for America's Space 
Program. NASA/TP-2010-216283, 10, Section 2.3 (August 2010).
    \118\ Merceret et al., ed., A History of the Lightning Launch 
Commit Criteria and the Lightning Advisory Panel for America's Space 
Program. NASA/TP-2010-216283, 31, Section 4.3.2 (August 2010).
---------------------------------------------------------------------------

    These two incidents led to the establishment of the present-day 
lightning launch commit criteria (LLCC), which the Air Force and NASA 
adhere to for all launches from a Federal launch range. The Lightning 
Advisory Panel (LAP),\119\ an advisory body to the Air Force and NASA, 
is responsible for reviewing and proposing modifications to the LLCC. 
Adherence to the LLCC has resulted in zero lightning-caused launch 
incidents for over thirty years.
---------------------------------------------------------------------------

    \119\ The LAP's expertise range from in-depth knowledge of the 
physics of lightning, electric fields, and clouds, to lightning 
impacts on launch vehicles and statistics of electric field strength 
in specific environmental conditions. Its membership is primarily 
academia, although the Air Force and NASA fund this organization.
---------------------------------------------------------------------------

    The FAA codified the LLCC into Appendix G to part 417 to address 
concerns that the direct and indirect effects of a natural or triggered 
lightning strike may disable a vehicle's FSS such that the launch 
operator could not stop the vehicle if it veered outside the impact 
limit lines (i.e., due to degraded signal). The FAA renamed these 
requirements to ``Lightning Flight Commit Criteria'' (LFCC).
    The LFCC in appendix G to part 417 consist of 10 natural and 
triggered lightning avoidance rules that provide criteria to minimize 
the risk of a launch vehicle being struck by lightning or triggering 
lightning. One rule contains criteria for avoiding natural lightning, 
the remaining nine contain avoidance criteria for triggering or 
initiating lightning when flying through, or near, specific cloud types 
or phenomena known to produce natural or triggered lightning. Taking 
into account the electrification process and the properties of electric 
fields within clouds, the triggered lightning rules establish time and 
distance requirements for distinct cloud types (e.g., cumulus cloud, 
attached or detached anvil cloud, thick clouds) believed to contain the 
necessary environmental conditions to produce elevated electric fields. 
These time and distance criteria help mitigate the threat of triggering 
lightning by increasing the probability that the electric field, at a 
given distance or after a length of time, will be below the threshold 
needed to produce lightning. Other rules contain prescriptive 
requirements and thresholds for not launching if there are high-surface 
electric fields as measured by a ground-based field mill, or if there 
is a threat of a vehicle becoming charged if it penetrates a cloud that 
contains frozen precipitation.\120\
---------------------------------------------------------------------------

    \120\ Triboelectrification is a phenomenon that can occur when a 
launch vehicle flies through a region in a cloud that contains 
frozen precipitation. Under the right conditions, frozen 
precipitation can deposit a charge on the vehicle. If the launch 
vehicle is not treated, an electrostatic discharge could result.
---------------------------------------------------------------------------

    Unfortunately, codifying the LLCC into appendix G of part 417 has 
led to two major challenges. First, because the science behind 
triggering lightning is not fully known, the criteria were developed 
with a margin of safety for large ELVs, such as the Titan IV. As a 
consequence, the criteria may be overly conservative for certain types 
of vehicles. While the LAP has updated the LLCC to keep pace with the 
advances in science and technology, the FAA rulemaking process is 
lengthy, and does not permit appendix G to be updated with the 
frequency necessary to keep up with the changes to the LLCCs. Revisions 
to appendix G are likely to be

[[Page 15341]]

out-of-date by the time they are finalized and published. As a result, 
appendix G preserves much of the original LLCCs outdated standards, 
which leaves a discrepancy between the LLCC and appendix G.
    In an effort to address this issue, the FAA made four ELOS 
determinations. The first ELOS determination permitted the use of a new 
maximum radar reflectivity method \121\ to determine whether the radar 
reflectivity values were below the risk threshold for triggering 
lightning in the cloud. Because this new measurement technique was not 
in appendix G, the launch operator could not benefit from this 
improvement unless it requested and received approval to use this 
technique rather than follow the criteria currently in appendix G. The 
ELOS determination relieved the burden on the operator to seek approval 
to use a different radar reflectivity measurement process; therefore, 
allowing more opportunity for the launch operator to take advantage of 
the improvement rather than wait until a final rulemaking incorporated 
the change.
---------------------------------------------------------------------------

    \121\ This radar reflectivity method allowed measurement of a 
hydrometeor by a radar with a wavelength of less than 5 centimeters 
but greater than 3 centimeters if: (1) The surface of the radome of 
the radar was hydrophobic and the precipitation rate at the radar 
site was less than 15 mm/hr (0.59 in/hr) rainfall equivalent, and 
(2) For each point that was measured, the horizontal extent of 
composite radar reflectivity greater than lOdBZ along the line of 
sight between the radar and the point did not exceed the 
reflectivity extent in kilometers for a 3 cm radar due to radar beam 
attenuation.
---------------------------------------------------------------------------

    When the LAP updated the LLCCs again, the FAA issued a second ELOS 
determination reducing the distance requirement for the flight path of 
the launch vehicle in relation to a thick cloud, if the radar 
reflectivity thresholds were satisfied.\122\ The issuance of this ELOS 
determination was necessary to enable operators to use the most recent 
thick cloud rule without needing to seek individual ELOS determinations 
from the FAA or waiting for the FAA to update appendix G through a 
rulemaking.
---------------------------------------------------------------------------

    \122\ The Launch operator can launch within 5nm of a thick cloud 
layer if the radar reflectivity is below 0 dBZ.
---------------------------------------------------------------------------

    The third ELOS determination also resulted from an update to the 
LLCCs and allowed for use of a shorter radar wavelength to measure 
radar reflectivity if the criteria for attenuation due to rainfall and 
beam spreading were met. This modification allowed a launch operator to 
make use of weather radars that have wavelengths between 3 and 5 cm, in 
addition to radars with wavelengths of 5 cm or greater. Similar to the 
other ELOS determinations, this relieved the burden from the operator 
to seek approval from the FAA, and allowed the operator to immediately 
use different radar wavelengths or wait until the FAA updated appendix 
G.
    The fourth ELOS determination informed the launch operator that 
satisfying NASA-STD-4010 would meet the requirements of appendix G to 
part 417.\123\ This ELOS determination enabled an operator to use the 
more up-to-date LLCC in place of the outdated LFCC in appendix G. It 
also recognized that the NASA-STD-4010 contained the most current LLCCs 
and removed the burden from the FAA to issue an ELOS determination for 
every new update to the LLCC.
---------------------------------------------------------------------------

    \123\ The NASA-STD-4010 has been adopted by both NASA and the 
Air Force. When NASA published the LLCCs in a NASA Standard document 
it provided uniform engineering and technical requirements in one 
location lessening confusion to which version of the LLCCs were 
currently being applied.
---------------------------------------------------------------------------

    The FAA only codified the LFCCs into part 417, and not parts 431 
and 435. While the LFCCs are not explicitly included in part 431 or 
435, Sec.  431.35(c) requires an applicant to employ a system safety 
process to identify and mitigate hazards, including lightning. 
Additionally, while not all launch and reentry vehicles have the same 
threshold to trigger lightning, they do have the potential to incur 
direct or indirect effects that may impact their safety critical 
systems. Therefore, in order to protect public health and safety, the 
LFCCs are an appropriate mitigation strategy for suborbital RLVs and 
reentry vehicles that can induce lightning that could affect public 
safety. In 2006, the FAA sponsored a study to conduct a triggered 
lightning risk assessment for five different concept suborbital RLVs, 
from two different launch sites, to gain an understanding of the 
potential risk of triggering lightning for these new categories of 
vehicles.\124\ The study took into account the vehicle design, mission 
profile, and propellants, as well as the lightning climatology of a 
given launch site. In 2010,\125\ a follow-on study was performed for 
four concept vehicles at a total of four different launch sites.\126\ 
The study showed that all concept vehicles had a much higher triggering 
threshold (i.e., it was harder to initiate lightning) than that of a 
Titan IV ELV and that they each had different triggering thresholds 
within each concept vehicle and phase of mission. For instance, the 
glide phase was shown to have a higher triggering threshold than a 
powered phase. On the other hand, the study noted that many 
uncertainties remain with understanding the triggering conditions. 
Therefore, the results of the study recommended that until more 
accurate triggering thresholds for the differing vehicle concepts can 
be quantified, the avoidance criteria should be followed. The FAA 
requests comments on this proposal.
---------------------------------------------------------------------------

    \124\ Krider, Phil, E. et al., Triggered Lightning Risk 
Assessment for Reusable Launch Vehicles at the Southwest Regional 
and Oklahoma Spaceports, Report No: ATR-2006(5195)-1, Jan 30, 2006 
(https://www.faa.gov/about/office_org/headquarters_offices/ast/reports_studies/media/ATR-2006(5195)-1.pdf).
    \125\ Krider, Phil, E., et al., Triggered Lightning Risk 
Assessment for Reusable Launch Vehicles at Four Regional Spaceports, 
Report No: ATR-2010(4387)-1, Apr 30, 2010. (https://www.faa.gov/about/office_org/headquarters_offices/ast/reports_studies/media/ATR-2010%20(5387)-1.pdf).
---------------------------------------------------------------------------

    The ARC recommended the intent or performance goal of the current 
LFCC be captured into performance-based requirements that allow for the 
consideration of each launcher's mission profile, general vehicle and 
flight safety system components, and other factors that may reduce the 
currently-required 30-minute wait.\127\ The ARC also recommended that 
the prescriptive requirements in Appendix G be placed in a guidance 
document that provides acceptable means of meeting the performance-
based requirements. Finally, the ARC estimated that launch and site 
operators could save hundreds of thousands of dollars, or more, for 
each avoidance of launch scrubs and no-go calls due to unnecessarily 
conservative weather restrictions.
---------------------------------------------------------------------------

    \127\ The ARC stated, ``intent or performance goal, of the 
stated requirements.'' The FAA has interpreted the phrase ``of the 
stated requirements'' to mean of the current LFCC found in appendix 
G to part 417.
---------------------------------------------------------------------------

    The FAA generally agrees with the ARC's recommendation and proposes 
to replace the detailed prescriptive LFCC in appendix G with 
performance-based requirements in proposed Sec.  450.163. It would also 
provide an AC that contains an accepted means of compliance with the 
proposed Sec.  450.163(a)(1), including reference to NASA-STD-4010 
\128\ and would also include other relevant standards for the design of 
a vehicle to withstand the direct and indirect effects of a lightning 
discharge. The FAA seeks comment on this approach.
---------------------------------------------------------------------------

    \128\ NASA-STD-4010 is the current lighting launch commit 
criteria employed by NASA and the Air Force. The FAA uses this 
standard as its basis for the requirements in Appendix G and has 
issued a broad-based ELOS determination allowing an operator to 
comply with the current NASA-STD-4010 instead of the existing 
Appendix G which is outdated.
---------------------------------------------------------------------------

    The FAA anticipates that a performance-based regulation, 
accompanied by an associated AC and government standards, would resolve

[[Page 15342]]

many of the issues with the current Appendix G. While a thorough 
understanding of whether a given launch vehicle and its mission profile 
will trigger lightning is far from being understood, a performance-
based requirement for mitigating natural and triggered lightning 
strikes or encountering a nearby lightning discharge would allow an 
operator to use up-to-date lightning avoidance criteria without having 
to wait for the regulation to be updated, or for the FAA to issue an 
ELOS determination or a waiver.
    The intent of the current requirements found in Appendix G to part 
417 is to avoid and mitigate natural and triggered lightning. Under the 
proposed regulations, the FAA would require operators to avoid and 
mitigate the potential for intercepting or initiating lightning strike 
or encountering discharge through implementation of flight commit 
criteria. Alternatively, an operator would be able to use a vehicle 
designed to continue safe flight if struck by lightning or encountering 
a nearby discharge. Finally, an operator would be able to comply with 
the proposed regulation by ensuring that compliance with public safety 
criteria would be met in the event of a lightning strike on the 
vehicle.
    Proposed Sec.  450.163(a)(1), would require an operator to mitigate 
the potential for a vehicle to intercept or initiate a lightning strike 
or encounter a nearby discharge through flight commit criteria using a 
means of compliance accepted by the Administrator. Currently, the FAA 
is only aware of one standard, NASA-STD-4010, that is currently 
acceptable and would satisfy the requirements of proposed Sec.  
450.163(a)(1). While FAA anticipates that industry might develop new 
standards as technology advances, such standards would be required to 
be submitted as alternative means of compliance under Sec.  450.35 
(Accepted Means of Compliance) paragraph (c) and accepted by the 
Administrator prior to use. If an operator were to submit an 
alternative means of compliance to NASA-STD-4010, the proposed 
lightning standard would need to be evaluated and accepted by the FAA, 
including any consultation with outside expert, prior to being used in 
any license application using the new standard.
    The FAA anticipates that this revision would provide more 
flexibility to an operator than the current appendix G, which 
prescribes the specific lightning flight commit criteria that an 
operator must use. While the only method currently accepted by the 
Administrator is NASA-STD-4010, operators would have the flexibility to 
propose lightning flight commit criteria based on a certain vehicle's 
mission profile (e.g., whether it is a piloted RLV launching a payload 
to low Earth orbit, or a piloted suborbital reusable launch vehicle 
with spaceflight participants on board).\129\ However, as previously 
discussed, such a proposed means of compliance would need to be 
accepted prior to being used in a license application to satisfy 
proposed Sec.  450.165(a)(1).
---------------------------------------------------------------------------

    \129\ The piloted vehicles can control and maneuver the vehicle 
leading up the release point or area thus limiting the exposure of 
the vehicle to elevated electric fields upon its launch.
---------------------------------------------------------------------------

    An operator may choose instead to mitigate lightning strikes and 
the initiation of lighting by using a vehicle designed to continue safe 
flight in the event of a lightning strike, in accordance with proposed 
Sec.  450.163(a)(2). To accomplish this, an operator would need to 
demonstrate that the vehicle design adheres to design standards for 
lightning protection of the vehicle and its safety critical systems. 
The FAA is currently evaluating current aircraft lightning protection 
standards, such as AC 20-136B and AC20-107B, to determine whether a 
launch or reentry vehicle designed to those standards would allow for 
the continued safe flight of the vehicle.\130\ The FAA anticipates that 
it would accept other industry standards for lightning protection or 
certification standards during vehicle design, such as SAE Aerospace 
Recommended Practices, or European Organization for Civil Aviation 
Equipment, as an acceptable means of compliance to proposed Sec.  
450.163(a)(2).
---------------------------------------------------------------------------

    \130\ AC 20-136B, Aircraft Electrical and Electronic Lightning 
System Lightning Protection, provides information and guidance on 
the protection of aircraft electrical and electronic systems from 
the effects of lightning. AC 20-107B, provides information and 
guidance on composite aircraft structure.
---------------------------------------------------------------------------

    Finally, an operator would be able to choose to comply with 
proposed Sec.  450.163(c) by ensuring that it would be in compliance 
with the public safety criteria of proposed Sec.  450.101 should it 
encounter discharge or take a direct lightning strike. The use of 
physical containment as a hazard control strategy would be a prime 
example, but other scenarios may also apply.
    Section 450.163 would apply to all launch and reentry vehicles, 
including ELVs, RLVs, hybrids, and reentry vehicles. Because the 
proposed requirement is performance based, each operator would be able 
to provide lightning mitigation methods designed for a specific 
vehicle's mission profile. Under Sec.  450.163, the FAA anticipates 
that an operator would be able to apply new research findings or 
methodologies in a more timely manner than under appendix G. Further, 
the FAA would be able to update guidance materials in a timely manner 
to include those means of compliance that result from advances in 
science, information, or technology. Additionally, the FAA believes 
that, by providing an operator with the flexibility to mitigate natural 
and triggered lightning strikes through standards and best practices, 
the operators could avoid costly delays resulting from compliance with 
the requirements in the current appendix G.
    Section 450.163(b) would establish application requirements. To 
comply with proposed Sec.  450.163(a)(1), an applicant would be 
required to submit lightning flight commit criteria that mitigate the 
potential for a launch or reentry vehicle intercepting or initiating a 
lightning strike, or encountering a nearby discharge using a means of 
compliance accepted by the Administrator. As previously discussed, the 
only current method to comply with Sec.  450.165(a)(1) would be to use 
NASA-STD-4010. If an applicant chooses instead to comply with Sec.  
450.163(a)(2), it would be required to provide documentation 
demonstrating that the vehicle is designed to protect safety critical 
systems, such as electrical and electronic systems, or FSSs. The FAA 
anticipates that this documentation would include proof and validation 
that the vehicle has followed lightning protections standards that 
would protect the vehicle's safety critical systems from a direct or 
indirect lightning discharge. If an applicant chooses to comply with 
Sec.  450.163(a)(3), it would be required to provide documentation 
demonstrating compliance with Sec.  450.101 in the event of a lightning 
discharge. As previously discussed, the FAA expects that this would be 
demonstrated through any number of analyses that validate that the 
vehicle is able to control individual and collective risk to the 
public,
    The FAA considered using direct measurement of the electric field 
within a cloud as an option for a launch operator to comply with 
proposed Sec.  450.163. However, it is the FAA's understanding that 
there is currently no consensus among the scientific community on the 
electric field value threshold to initiate lightning. Without a 
definite threshold value, the FAA would not be able to make a safety 
determination if an operator were to take direct measurements of the 
electric field. In addition, further research and data is required to 
establish procedures for measuring within the cloud, for how many 
measurements to make within a

[[Page 15343]]

period of time or distance from the cloud, and such other 
considerations. Nevertheless, given the performance-based nature of 
Sec.  450.163, it is possible that in the future, an accepted means for 
obtaining real time electric field readings along the flight profile 
could lead to less restrictive criteria.
10. Flight Safety Rules
    In proposed Sec.  450.165, an operator would be required to 
establish and observe flight safety rules that govern the conduct of 
each launch or reentry. These would include flight commit criteria and 
flight abort rules.
i. Flight Commit Criteria
    The FAA proposes to consolidate the flight-commit criteria 
requirements currently contained in parts 417, 431, and 435. Flight-
commit criteria are conditions necessary prior to the flight of a 
launch vehicle or the reentry of a reentry vehicle to ensure that the 
launch or reentry does not exceed the public safety criteria in 
proposed Sec.  450.101. Although this proposal restates flight-commit 
requirements differently than the current regulations, the changes 
would not alter substantive requirements, and are intended solely for 
clarification purposes.
    The ELV launch requirements for flight readiness are contained in 
Sec. Sec.  415.37 and 417.113. Section 415.37 requires an applicant to 
file procedures for verifying readiness for safe flight, which result 
in flight-commit criteria. Section 417.113(c) requires that the launch 
safety rules include flight-commit criteria that identify each 
condition that must be met in order to initiate flight. The flight-
commit criteria must implement the FSA; for a launch that uses an FSS, 
must ensure that the FSS is ready for flight; and for each launch, must 
document the actual conditions used for the flight-commit criteria at 
the time of lift-off and verify whether the flight-commit criteria are 
satisfied.
    Flight-commit criteria for launch and reentry of a reusable launch 
vehicle are contained in Sec. Sec.  431.37 and 431.39, and by extension 
in Sec.  435.33 for the reentry of a reentry vehicle other than a RLV. 
Unlike part 417, the parts 431 and 435 requirements are performance-
based and required as part of the system safety analysis requirements.
    Flight-commit criteria-related requirements appear throughout 
proposed part 450. The main requirements would be found in Sec. Sec.  
450.155, 450.159, and 450.165. Section 450.155 would require an 
operator to document and implement procedures to assess readiness to 
proceed with the flight of a launch or reentry vehicle. Proposed Sec.  
450.159 would require an operator to implement preflight procedures to 
verify that each flight-commit criterion has been met before initiating 
flight.
    Proposed Sec.  450.165 would mandate that an operator's flight 
safety rules include flight-commit criteria identifying each condition 
necessary prior to initiating flight to satisfy proposed Sec.  450.101. 
These commit criteria would include surveillance, monitoring of 
meteorological conditions, implementing window closures for the purpose 
of collision avoidance, monitoring the status of any flight safety 
system, and any other hazard controls derived from system safety, 
software safety, or flight safety analyses. Also, for any reentry 
vehicle, the commit criteria would include monitoring the status of 
safety-critical systems before enabling reentry flight.
    Part 450 also includes requirements to develop flight-commit 
criteria based on the results of various analysis. For instance, Sec.  
450.135 (Debris Risk Analysis) would require operators to demonstrate 
compliance with public safety criteria in proposed Sec.  450.101. In 
Sec.  450.137, the far-field overpressure blast effect analysis would 
have to demonstrate compliance with public safety criteria in proposed 
Sec.  450.101. Sections 450.139 (Toxic Hazards for Flight) and 450.187 
(Toxic Hazards Mitigation for Ground Operations) would require an 
operator to derive flight-commit criteria based on the results of its 
toxic release hazard analysis, containment analysis, or toxic risk 
assessment to ensure any necessary evacuation of the public from any 
toxic hazard area prior to flight. Proposed Sec.  450.141 (Wind 
Weighting for the Flight of an Unguided Suborbital Launch Vehicle) 
would require an operator to establish flight-commit criteria that 
control the risk to the public from potential adverse effects from 
normal and malfunctioning flight. Proposed Sec.  450.161 would require 
an applicant to describe how it will provide for day-of-flight 
surveillance of flight hazard areas, if necessary, to ensure that the 
presence of any member of the public in or near a flight hazard area is 
consistent with flight-commit criteria. Section 450.163 would require 
an operator to derive flight-commit criteria that mitigate the 
potential for a launch or reentry vehicle intercepting or initiating a 
lightning strike, or encountering a nearby discharge. Finally, Sec.  
450.169 (Launch and Reentry Collision Avoidance Analysis) would require 
an operator use the results of the collision avoidance analysis to 
develop flight-commit criteria for collision avoidance.
ii. Flight Abort Rules
    The FAA proposes to include flight abort rules as part of proposed 
flight safety rules in Sec.  450.165. Flight abort rules apply to a 
vehicle that uses an FSS and are the conditions under which an FSS must 
abort the flight to ensure compliance with flight safety criteria. 
Current regulations in parts 417 and 431 address flight abort rules.
    Section 417.113(d) sets flight termination rules for ELVs. It 
requires operators to identify the conditions under which the FSS, 
including the functions of the flight safety system crew, must 
terminate flight to ensure public safety. The flight termination rules 
must implement the FSA, and specifically requires operators to 
terminate flight in the following six scenarios:
    1. When real-time data indicate a flight safety limit has been 
reached.
    2. At the straight-up time if the vehicle flies straight up.
    3. If the vehicle becomes erratic and may endanger protected areas, 
while potentially losing control of the flight safety system.
    4. No later than at the expiration of the data loss flight time if 
tracking data is lost.
    5. If a vehicle is performing erratically prior to entering an 
overflight gate, or if the vehicle is not flying parallel to or 
converging to the nominal trajectory prior to entering a gate.
    6. If a vehicle is performing erratically prior to entering a hold 
gate, or if the vehicle is not flying parallel to or converging to the 
nominal trajectory prior to entering a hold gate.
    Some of these current requirements may be overly prescriptive. For 
example, flight abort at the straight-up time is only one method of 
mitigating risk to the launch area in the event of a vehicle that fails 
to program and flies straight up. Although other methods may mitigate 
risk to an acceptable level, under the current requirements, an 
operator would be forced to abort flight at the straight up time. Also, 
the rules for allowing vehicles to enter gates are too subjective and 
not easily tied to specific hazards.
    Part 431, applicable to RLVs, does not impose specific flight abort 
rules. However, Sec.  431.39(a) requires an applicant to submit mission 
rules and contingency abort plans that ensure safe conduct of mission 
operations during nominal and non-nominal vehicle flight. These would 
encompass flight abort rules because Sec.  401.5 defines contingency 
abort as the cessation of

[[Page 15344]]

vehicle flight during ascent or descent in a manner that does not 
jeopardize public health and safety and the safety of property, in 
accordance with mission rules and procedures. Part 431 requires flight 
abort when needed to mitigate risk and a set of rules to that end, yet 
does so without following part 417's more detailed and prescriptive 
approach. In practice, orbital rockets licensed under part 431 have 
used an AFSS with flight abort rules that are conservatively consistent 
with the six scenarios identified in 417.113(d), when applicable (e.g., 
no straight-up time for a horizontal launch).
    Section 450.165(c) lays out the proposed consolidation and 
clarification of flight abort rules. Although the FAA would maintain 
much of Sec.  417.113(d)'s structure and requirements, the FAA looked 
for opportunities to replace prescriptive requirements with outcome 
objectives. The FAA would require operators to develop flight abort 
rules to comply with the public safety criteria of Sec.  450.101, as 
well as to prevent debris capable of causing a casualty from impacting 
in uncontrolled areas if the vehicle is outside the limits of a useful 
mission. Operators would also need to identify the functions of any 
flight abort crew, as specifically required in part 417. This is also 
consistent with the FAA's practice in implementing part 431. Although 
not specifically stated in Sec.  431.39(a), the FAA has required 
operators to identify crew functions. The FAA proposes to eliminate the 
straight-up rule, as it is not reasonable to include the rule at the 
exclusion of other existing mitigation options. Also, the FAA proposes 
to simplify the current requirements for gate passage to allow a 
vehicle to pass through a gate if it can achieve a useful mission. This 
would allow the operator to specify which vehicle parameters are the 
most useful for determining whether a vehicle should be allowed to 
enter a gate. For orbital launches, vehicles unable to achieve orbit 
cannot achieve a useful mission and should be terminated. The FAA would 
delete separate requirements for hold-and-resume gates, as analysis 
should show which types of gates are most effective for the proposed 
flight, and those should be implemented.
    These proposed rules, which would be similar to those from part 
417, were chosen over the generic requirement for mission rules from 
part 431 because they correspond to other sections in the proposed rule 
describing flight safety limits, gates, and other requirements. This is 
consistent with the ARC's recommendation to change part 431 to better 
capture the intent of the flight abort rules. An operator should 
balance potentially competing objectives as necessary to minimize risk 
when writing specific flight abort rules. For example, if there is a 
rule to destruct a vehicle to prevent an intact impact in order to 
reduce distant focused overpressure risk, the operator should also 
consider the resulting risk to aircraft when establishing the timing of 
the destruct action.
    Proposed Sec.  450.165(d) lays out the application requirements for 
flight safety rules. For flight commit criteria, the FAA would require 
an applicant to provide a list of all flight commit criteria. These 
would include any criteria related to surveillance, monitoring of 
meteorological conditions, implementation of launch or reentry windows 
closures for the purpose of collision avoidance, confirmation that any 
safety-critical system is ready for flight, monitoring of safety-
critical systems prior to enabling re-entry flight, and any other 
hazard controls. For flight abort rules, the FAA would require an 
applicant to provide a description of each rule, and the parameters 
that will be used to evaluate each rule, as well as a list that 
identifies the rules necessary for compliance with each requirement in 
Sec.  450.101. All conditions in which flight abort action would be 
taken must be described, as well as rules and conditions allowing 
flight to continue past a gate. Lastly, the FAA would require an 
applicant to provide a description of the vehicle data that will be 
available to evaluate flight abort rules across the range of normal and 
malfunctioning flight. This information is necessary to ensure that 
compliance with the flight abort rules is achievable.
11. Tracking
    The FAA proposes to adopt vehicle tracking requirements. 
Specifically, proposed Sec.  450.167 (Tracking) would require an 
operator to measure and record in real time the position and velocity 
of the vehicle. The system used to track the vehicle would be required 
to provide data to determine the actual impact locations of all stages 
and components, and to obtain vehicle performance data for comparison 
with the preflight performance predictions. The proposed requirements 
would be consistent with current practice for a wide variety of 
vehicles, including the widespread use of telemetry data, and various 
requirements of parts 417, 431, and 437.
    Current regulations for ELVs require a vehicle tracking system as 
part of the FSS. For example, in Sec.  417.113(c), as part of the 
flight commit criteria for a launch that uses an FSS, readiness for 
flight includes that the launch vehicle tracking system has no less 
than two tracking sources prior to lift-off. Also, the launch vehicle 
tracking system must have no less than one verified tracking source at 
all times from lift-off to orbit insertion for an orbital launch, to 
the end of powered flight for a suborbital launch. Of course, the need 
for tracking is implicit in other requirements for launch of a vehicle 
with an FSS, including the requirements regarding data loss flight 
times in Sec.  417.219.
    Section Sec.  417.125 also requires an operator of an unguided 
suborbital launch vehicle to track the flight of its vehicle. 
Specifically, Sec.  417.125(f) requires an operator to provide data to 
determine the actual impact locations of all stages and components, to 
verify the effectiveness of a launch operator's wind weighting safety 
system, and to obtain rocket performance data for comparison with the 
preflight performance predictions.
    Part 431 has no explicit requirements related to tracking. However, 
currently every operation licensed under part 431 is required to employ 
a telemetry system that provides, among other safety critical 
information, data on the position and velocity of the vehicle in real-
time. In addition, the one orbital RLV operation licensed to date 
employed an FSS and established data loss flight times. The use of data 
loss flight times is an explicit recognition that a vehicle without 
tracking poses a potential hazard to the public.
    Tracking is also required under Experimental Permit regulations. 
Under Sec.  437.67, an operator must, during permitted flight, measure 
in real-time the position and velocity of its reusable suborbital 
rocket. The requirements for an operator to measure in real time the 
position and velocity of its rocket, coupled with the requirement to 
communicate with ATC during all phases of flight, are intended (among 
other things) to provide ATC with enough information to protect the 
public if the vehicle flies outside its planned trajectory envelope.
    Tracking data sufficient to identify the location of any vehicle 
impacts following an unplanned event are necessary to ensure a proper 
response to an emergency. Specifically, a launch operator must 
implement its mishap response plan if an unplanned event occurring 
during the flight of a launch vehicle results in the impact of a launch 
vehicle, its payload or any component thereof outside designated impact 
limit lines for an expendable launch vehicle; and, for an RLV, outside 
a designated landing site. More generally, vehicle-

[[Page 15345]]

tracking data provide a level of awareness that enables an appropriate 
response to an off-nominal situation, such as knowing where to apply 
fire suppression resources or where to evacuate the public to protect 
against predicted toxic plumes. More specifically, tracking data are an 
important element of current U.S. Government consensus standards, in 
accordance with RCC 321, to ensure the safety of people in aircraft. 
Specifically, since 2007, RCC 321 has included a requirement (in 
paragraph 3.3.4) to coordinate with the FAA to ensure timely 
notification of any expected air traffic hazard associated with range 
activities. In the event of a mishap, RCC 321 requires that the 
operator must immediately inform the FAA of the volume and duration of 
airspace where an aircraft hazard is predicted.\131\
---------------------------------------------------------------------------

    \131\ Range Commanders Council, Common Risk Criteria for 
National Test Ranges, RCC 321-07, White Sands Missile Range, New 
Mexico, 2007.
---------------------------------------------------------------------------

    Tracking data are also necessary to evaluate vehicle safety 
performance, even for normal flight. For example, Sec.  417.125(g)(3) 
requires a launch operator of an unguided suborbital launch vehicle to 
compare the actual and predicted nominal performance (i.e., trajectory) 
of the vehicle. Accurate data to describe the vehicle normal trajectory 
envelope are necessary for valid quantitative public risk assessments.
    Current practice demonstrates that tracking data will help 
facilitate safe and efficient integration of launch and reentry 
operations into the NAS. The increasingly congested and constrained NAS 
creates a need to transition from segregation, to full integration of 
space vehicles. The FAA has several efforts underway to ensure the safe 
and efficient transition of launch and reentry vehicles through the 
NAS, while minimizing the effects of these operations on other users of 
the NAS. The FAA has contemplated the need to obtain real time data 
tracking data, including vehicle state vectors, reports of mission 
events, and indications of vehicle status, to help accomplish this. 
However, the FAA is deferring that discussion until after the Airspace 
Access Priorities ARC.\132\
---------------------------------------------------------------------------

    \132\ Information regarding the Airspace Access Priorities ARC 
is available at https://www.faa.gov/regulations_policies/rulemaking/committees/documents/index.cfm/document/information/documentID/3443.
---------------------------------------------------------------------------

    Proposed Sec.  450.167(a) would require an operator to measure and 
record in real time the position and velocity of the vehicle. The 
system used to track the vehicle would need to provide data to 
determine the actual impact locations of all stages and components, and 
to obtain vehicle performance data for comparison with the preflight 
performance predictions. The proposed requirements are consistent with 
current practice for a wide variety of vehicles, including the 
widespread use of telemetry data, and various requirements levied under 
parts 417, 431, and 437.
    Proposed Sec.  450.167(a) would consolidate and standardize the 
current regulatory requirements for vehicle tracking-related 
information. Vehicle-tracking data facilitate appropriate emergency 
responses, and an ability to determine the actual vehicle impact 
locations due to an unplanned event is critical to evaluate the class 
of mishap. Comparison of the actual vehicle safety performance, such as 
the trajectory, with preflight predictions helps ensure the continued 
accuracy of the FSA input, and thus the validity of the public risk 
assessments and hazard areas. A comparison of the actual vehicle safety 
performance data to predict performance provides the FAA with a means 
to evaluate an operator's understanding of its safety margins, which is 
a measure of maturity of the operation and thus a potential factor in 
the probability of failure analysis.
    Proposed Sec.  450.167(b) would require an applicant to identify 
and describe each method or system used to meet the tracking 
requirements of proposed Sec.  450.167(a) of this section. Because the 
proposed requirements are consistent with current practice, and in some 
cases less restrictive, the application requirements would not increase 
burden on license applicants.
12. Launch and Reentry Collision Avoidance Analysis Requirements
    The FAA proposes to modernize the launch and reentry collision 
avoidance analysis criteria to match current common practice and 
provide better protection for inhabitable and active orbiting objects. 
It would also allow launch and reentry operators to obtain a launch 
collision avoidance analysis from Federal entities identified by the 
FAA. Previously, the FAA established identical rules for expendable 
launches from Federal and non-Federal launch ranges, RLV operations, 
and permitted launch operations. The proposed rule would consolidate 
launch and reentry collision avoidance analysis requirements from these 
three different parts into a single safety rule.
    The FAA anticipates that proposed changes to the collision 
avoidance analysis criteria would not significantly affect operators. 
The changes would capture current practice, provide alternative means 
of meeting existing requirements, and clarify the time period that the 
analysis must address.
    Launch and reentry collision avoidance measures are necessary 
actions for responsible and safe launches and reentries. Under current 
regulations, a launch collision avoidance analysis is performed prior 
to each launch to protect against collision with only inhabitable 
objects, including the International Space Station, as required 
screening objects. It is important to avoid collisions during launches 
because the energy released through an impact during launch would most 
likely be catastrophic for the launch vehicle and the object it 
impacted.
    In addition to mission assurance, to ensure the successful launch 
of an object, there are significant reasons to mitigate debris creation 
through collision avoidance. Launch collision avoidance analysis occurs 
prior to launch and entails the determination of times when a launch 
should not be initiated. There is a balance between launch 
opportunities and orbital safety that must be established to protect 
both the launch vehicle and on-orbit objects. Reentry collision 
avoidance analysis occurs prior to the initiation of a reentry maneuver 
and provides for the review of the maneuver trajectory to establish 
when reentry should not be initiated. Section 431.43(c)(1)(ii) 
documents the requirement for reentry collision avoidance.
    The creation of orbital debris is an expected result of a collision 
during launch or reentry.\133\ As stated earlier, limiting orbital 
debris is a vital part of protecting the space environment and is a 
national objective. Therefore, the FAA believes it is paramount to 
avoid all collisions during launch and reentry. The Department of 
Defense created a tiered level of separation distance to avoid 
collisions and still allow ample opportunity for launch. The FAA agrees 
with the tiers, identified in the chart below. This chart excludes the 
object launching or reentering, which would be damaged or destroyed in 
all cases.
---------------------------------------------------------------------------

    \133\ Orbital debris is all human-generated debris in Earth 
orbit that is greater than 5 mm in any dimension. This includes, but 
is not limited to, payloads that can no longer perform their 
mission, rocket bodies and other hardware (e.g., bolt fragments and 
covers) left in orbit as a result of normal launch and operational 
activities, and fragmentation debris produced by failure or 
collision. Gases and liquids in free state are not considered 
orbital debris.

[[Page 15346]]



                                              Figure 2--Launch Collision Avoidance Justifications and Tiers
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                 U.S. national
                                      Separation        Protect public                            security or        International       Avoid debris
                                       distance        health and safety  Safety of property    foreign policy        obligations         generation
                                                                                                   interests
--------------------------------------------------------------------------------------------------------------------------------------------------------
Inhabitable Objects.............  200 km............  Yes...............  Yes...............  Yes...............  Yes...............  Yes.
Active Satellites...............  25 km.............  ..................  Yes...............  Yes...............  Yes...............  Yes.
Trackable Debris >10 cm\2\ (LEO)  2.5 km............  ..................  ..................  Yes, if it creates  Yes, if it creates  Yes.
                                                                                               significant         significant
                                                                                               debris.             debris.
Un-trackable Debris <10 cm \2\    Not applicable....  ..................  ..................  ..................  ..................  Protect with
 (LEO).                                                                                                                                shielding &
                                                                                                                                       design.
--------------------------------------------------------------------------------------------------------------------------------------------------------

    With space becoming more congested every year, it is vitally 
important for launch or reentry collision avoidance to extend beyond 
inhabitable objects to include all active orbiting objects and 
trackable orbital debris. Records from a recent Intelsat launch showed 
that if the launch occurred 35 minutes into the 2-hour launch window, 
the launch vehicle could have passed by a defunct but still orbiting 
COSMOS navigation satellite by only 600 meters. The FAA believes not 
proposing launch collision avoidance in this instance is unnecessarily 
hazardous.
    Sections 417.107(e), 417.231, and 437.65 require launch operators 
to ensure that the launch vehicle does not pass closer than 200 km 
(approximately 124 statute miles) to a manned or mannable orbital 
object to avoid collisions during launch. A collision avoidance 
analysis must be obtained through a Federal entity. The analysis must 
be used to determine any launch holds to avoid potential collisions.
    In Sec.  417.107(e), a launch operator must ensure that a launch 
vehicle, any jettisoned component, and its payload do not pass closer 
than 200 km to a manned or mannable orbital object throughout a sub-
orbital launch, and for an orbital launch, during ascent to initial 
orbital insertion and through at least one complete orbit, and during 
each subsequent orbital maneuver or burn from initial park orbit, or 
direct ascent to a higher or interplanetary orbit, or until clear of 
all manned or mannable objects, whichever occurs first. A launch 
operator is also required under Sec.  417.107(e) to obtain a collision 
avoidance analysis for each launch from United States Strategic Command 
or from a Federal launch range having an approved launch site safety 
assessment. The detailed requirements for obtaining a collision 
avoidance analysis are found in Sec.  417.231 and section A417.31 of 
appendix A to part 417. The results of the collision avoidance analysis 
must be used to develop flight commit criteria for collision avoidance 
as required by Sec.  417.113(c).
    These requirements and processes for ascertaining launch collision 
avoidance are unnecessarily complicated and are inconsistent with the 
current practices executed at Federal launch ranges that provides an 
equivalent level of safety. The current practice is to use a common 
analysis time frame instead of a single orbit as identified in the 
current regulations. The safety standard for the standoff distance of 
200 km remains consistent throughout launch (and reentry) requirements 
for launches of expendable and reusable launch vehicles and for 
launches from both Federal launch ranges as well as non-Federal launch 
sites.
    Section 417.231 requires a launch operator to include in its flight 
safety analysis a collision avoidance analysis that (1) establishes 
each launch wait in a planned launch window during which a launch 
operator must not initiate a flight in order to protect any manned or 
mannable orbiting object, and (2) accounts for uncertainties associated 
with launch vehicle performance and timing and ensures that any 
calculated launch waits incorporate additional time periods associated 
with such uncertainties. It also requires the launch operator to 
implement any launch waits into its flight commit criteria under Sec.  
417.113(c) to ensure that the operator's launch vehicle, any jettisoned 
components, and its payload do not pass closer than 200 km to a manned 
or mannable orbiting object during ascent to initial orbital insertion 
through one complete orbit. Further, under Sec.  417.231 no collision 
avoidance analysis is required if the maximum altitude attainable, 
using an optimized trajectory, assuming 3-sigma maximum performance, by 
a launch operator's unguided suborbital launch vehicle is less than the 
altitude of the lowest manned or mannable orbiting object. Appendices 
A, section A417.31, and C, section C417.11, of part 417 provide 
constraints for performing the collision avoidance analysis as part of 
the flight safety analysis required by Sec.  417.231. Section 437.65 
establishes the minimum required altitude as 150 km, which is the 
current standard practice.
    Section 431.43(c)(1) and (3) also requires a collision avoidance 
analysis for RLVs to be performed to maintain at least a 200 km 
separation from any inhabitable orbiting object during launch and 
reentry. It requires the analysis to address closures in a planned 
launch window for ascent to outer space for an orbital RLV to initial 
orbit through at least one complete orbit; for reentry, the reentry 
trajectory; and expansions for the closure period. For reentry of 
vehicles not part of a reusable system, Sec.  435.33 refers to part 
431, subpart C, including Sec.  431.43(c)(1) as a requirement.
    Appendix A to part 415 contains a worksheet for the data input for 
launch. However, Appendix A to part 415 is a U.S. Space Command form 
that is no longer in use.\134\ The current practice is to submit the 
launch collision avoidance analysis data prior to launch in a form and 
manner accepted by the Administrator, which is currently the R-15 
launch plan worksheet. The data collected on the R-15 launch plan 
worksheet are detailed in sections A417.31 and C417.11 and are used by 
the agency performing the launch collision avoidance analysis.
---------------------------------------------------------------------------

    \134\ The U.S. Space Command was deactivated in 2002.
---------------------------------------------------------------------------

    A number of issues are unclear or outdated under section A417.31. 
In section A417.31(c)(8), the option to use an ellipsoidal screening 
method does not identify the size of the ellipsoid required. Section 
A417.31(b)(3) limits an operator to use collision avoidance analysis 
(COLA) products to 12 hours from when ``manned'' objects were last 
tracked. This information is not provided to launch or reentry 
operators and therefore is not implemented in the current practices. 
Section A417.31(b)(4) and (c)(7) also includes two expansions of window 
closures. The first expansion is for every 90 minutes, a 15 second 
buffer should be added before and after the provided window closures, 
and the second is a 10-minute addition to the screening time. Neither 
of these practices are currently implemented at Federal launch ranges 
or non-Federal launch sites.
    With proposed Sec.  450.169 and appendix A to part 450, the FAA 
would align the collision avoidance analysis

[[Page 15347]]

criteria with current practice and provide better protection for 
inhabitable and active orbiting objects. The FAA also proposes to allow 
a launch operator to obtain a collision avoidance analysis from a 
Federal entity identified by the FAA. The proposed changes balance 
increased options and additional requirements and would allow more 
flexibility and accuracy in avoiding collision with orbiting objects.
    The FAA also proposes to remove appendix A to part 415 in its 
entirety because the Launch Notification Form is no longer used by the 
FAA or launch operators. The data is currently collected via the R-15 
work sheet and associated trajectory files and is detailed in sections 
A417.31 and C417.11. Sections A417.31 and C417.11 would be replaced 
with appendix A to part 450, which would contain the Collision Analysis 
Worksheet information requirements and captures current practice.
    The FAA proposes a few format and editorial changes in the 
collision avoidance requirements of proposed Sec.  450.169. First, the 
proposal would refer to ``inhabitable'' rather than ``manned or 
mannable'' objects for greater simplicity and ease of understanding. 
Similarly, the proposal would refer to ``separation distances'' rather 
than ``miss distances,'' as this terminology is more accurate and 
better connotes the FAA's goal of maintaining a safe separation of 
objects on orbit. Finally, the proposal would refer to ``window 
closures'' for launch and reentry rather than ``waits'' in a launch or 
reentry window to provide a more cogent and accurate description. These 
updated terms would have the same meaning as the terms they 
replace.\135\
---------------------------------------------------------------------------

    \135\ The FAA recognizes reentry windows as a number of discrete 
or short duration windows during which a reentry may be commanded. 
Past experience shows window closures are insignificant for reentry. 
The safety requirements for launch or reentry window management are 
intended to be equitable.
---------------------------------------------------------------------------

    Substantively, the FAA proposes to consolidate the launch and 
reentry collision avoidance analysis requirements into proposed Sec.  
450.169. Proposed Sec.  450.169(a) would require, for orbital or 
suborbital launch or reentry, an operator to establish any window 
closures needed to ensure that the vehicle, any jettisoned components, 
or payload meet the specified requirements of that section. When 
performing a launch or reentry collision avoidance analysis for 
inhabitable objects, under proposed Sec.  450.169(a)(1), an operator 
would have two alternatives in addition to maintaining a spherical 
separation distance. An operator would be able to stipulate an 
ellipsoidal rather than a spherical separation distance between its 
vehicle and an inhabitable object or satisfy a probability of collision 
threshold rather than calculating a separation distance. The FAA also 
would maintain the current requirement to maintain a spherical 
separation distance as a third option. These proposed requirements are 
discussed more fully later in this section.
    The FAA also proposes to require that a collision avoidance 
analysis address other orbiting objects, such as active spacecraft and 
tracked debris. The uninhabitable active objects would be protected 
with significantly less restrictive clearance distances than provided 
to inhabitable objects. This would require no extra work from the 
operators, including those from non-Federal launch sites. Additionally, 
no launches have been scrubbed for COLA closures, and the FAA does not 
anticipate any impact to future operations due to this requirement.
    Proposed Sec.  450.169(b) would require an operator to ensure that 
the requirements of proposed Sec.  450.169(a) are met for the durations 
specified. Specifically, proposed Sec.  450.169(b)(1) would require 
screening through the entire flight of a suborbital vehicle. Proposed 
Sec.  450.169(b)(2) would standardize the time period of the launch 
collision avoidance analysis for an orbital launch to ascent from a 
minimum of 150 km to initial orbital insertion and for a minimum of 3 
hours from liftoff. Proposed Sec.  450.169(b)(3) would identify the 
screening time frame for reentry as the time frame from initial reentry 
burn to an altitude of 150 km. Similarly, proposed Sec.  450.169(b)(4) 
would cover a disposal reentry with the same altitude.
    Proposed Sec.  450.169(c) would establish that planned rendezvous 
operations that occur within the screening time frame are not 
considered a violation of collision avoidance if the involved operators 
have pre-coordinated the rendezvous or close approach.
    Proposed Sec.  450.169(d) would establish the exclusion of 
collision avoidance for launch vehicles that do not reach a maximum 
altitude of 150 km. The FAA also proposes to change from a 3-sigma 
maximum performance established in current Sec.  C417.11 and replace it 
with maximum performance within 99.7% confidence level, extended 
through fuel exhaustion of each stage. The intention of the 3-sigma 
rule was the use of a 99.7% confidence level. However, the 3-sigma rule 
does not hold true (the same percentage confidence level) when the 
analysis adds multiple dimensions. Therefore, the FAA proposes the 
requirement with 99.7% confidence level instead of the 3-sigma rule in 
the existing regulation.
    In proposed Sec.  450.169(e) an operator would be required to 
obtain a collision avoidance analysis for each launch or reentry from a 
Federal entity identified by the FAA. An operator would be required to 
use the results of the collision avoidance analysis to establish flight 
commit criteria for collision avoidance, account for uncertainties 
associated with launch or reentry vehicle performance and timing, and 
ensure that each window closure incorporates all additional time 
periods associated with such uncertainties. This latter proposed 
requirement would remove outdated practices from the launch collision 
avoidance requirements that are currently found in sections 
A417.31(c)(7)(iv) and C417.11(d)(7)(iv), which require adding 10 
minutes to the screen duration time, sections A417.31(b)(4) and 
C417.11(c)(4) and Sec.  431.43(c)(1)(iii) which require adding 15-
second buffers to the launch window closures, and appendix A to part 
415 which is a redundant form to the worksheet specified in sections 
A417.31 and C417.11. The current practices no longer require a 10-
minute extra pad as the screening time is no longer a single orbit. 
Also, the 15-second buffers are no longer required because the service 
provider accounts for the accuracy of the result products and the 15-
second buffers were based upon the last time the orbital objects were 
tracked. The launch operator is not responsible for tracking orbital 
objects and is not provided data on when the orbital objects were last 
tracked making the existing requirement difficult to apply. The launch 
or reentry operator would only be required to account for uncertainties 
associated with launch or reentry vehicle performance and timing in 
accordance with proposed Sec.  450.169(e)(2). This is consistent with 
the existing requirement in Sec.  417.231(a).
    In proposed Sec.  450.169(f), the FAA would require an operator to 
prepare a collision avoidance analysis worksheet for each launch or 
reentry using a standardized format that contains the input data 
required by appendix A to part 450. Proposed Sec.  450.169(f)(1) would 
require an operator to file the input data with a Federal entity 
identified by the FAA and the FAA at least 15 days before the first 
attempt at the flight of a launch vehicle or the reentry of a reentry 
vehicle or in a different time frame in accordance with proposed Sec.  
404.15. The FAA anticipates that it initially would identify the Air 
Force Space Command (AFSPC) as an entity

[[Page 15348]]

with whom to file the collision avoidance analysis inputs.
    The FAA also proposes to maintain the current 15-day requirement of 
sections A417.31(b)(1) and C417.11(c)(1) in proposed Sec.  
450.169(f)(1). The 15-day requirement is necessary for federal agencies 
to evaluate the content of the submission and ensure the trajectory 
files and data provide acceptable data and can be processed 
successfully. It would also allow federal agencies to determine early 
potential conjunctions with national systems or human space flight 
activities, and would provide adequate time for federal agencies to 
develop a strategy for early orbit detection and tracking including 
taskings to global sensors and expected trajectories for sensors to aid 
in initial acquisition.
    Proposed Sec.  450.169(f)(2) would require an operator to obtain a 
collision avoidance analysis performed by a Federal entity identified 
by the FAA 6 hours before the beginning of a launch or reentry window. 
This is consistent with existing sections A417.31(b)(2) and 
C417.11(c)(2).
    Consistent with current sections A417.31(b)(3) and C417.11(c)(3), 
proposed Sec.  450.169(f)(3) would require an operator that needs an 
updated collision avoidance analysis due to a launch or reentry delay 
to file the request with the Federal entity and the FAA at least 12 
hours prior to the beginning of the new launch or reentry window. 
Additionally, the current regulations, sections A417.31(b)(3) and 
C417.11(c)(3), limit the use of products to 12 hours from the time U.S. 
Strategic Command determines the state vectors of manned or mannable 
objects. The FAA intends to remove this limitation, as launch or 
reentry operators are not provided with the last time of observation of 
inhabitable objects and therefore cannot determine a 12-hour expiration 
time. The removal of this requirement would place the responsibility on 
the service provider to provide the time frame that the analysis is 
valid. For most cases, the analysis would be valid for the entire 
launch or reentry window. However, an extremely long launch window or 
sporadic reentry window may require additional analysis. The service 
provider would identify to an operator when its analysis in no longer 
valid, which is similar in intent to the original 12-hour expiration 
time, but more flexible in its application.
i. Inhabitable Objects
    Inhabitable objects are those that are or may be occupied by 
persons. An inhabitable object need not be inhabited, and the FAA views 
the term as encompassing any object that may be inhabited, regardless 
of whether it is at the time of launch. One point that merits 
clarification in light of inquiries the FAA has received--a launch 
operator's own vehicle, if it is inhabitable, does not impose a 
corresponding obligation on a space station to keep away from it. A 
launch operator whose vehicle carries people should not construe the 
requirement to mean that the operator must always keep the vehicle 200 
km away from any other object. Current FAA regulations do not protect 
persons on board a launch or reentry vehicle.
    Vehicles deliberately approaching each other for rendezvous or 
docking purposes will have to get within 200 km of each other. In these 
instances, collision avoidance remains paramount for those orbital 
objects other than the intended rendezvous spacecraft. Under proposed 
Sec.  450.169(c), planned close approaches for rendezvous would not be 
considered violations of collision avoidance if the involved operators 
have previously coordinated the rendezvous. The proposed requirement to 
perform collision avoidance would apply during launches that have a 
rendezvous within the screening period and for licensed reentries that 
originate from orbiting spacecraft or objects. For planned reentry, 
coordinated close approaches and departures would not be considered 
violations of collision avoidance requirements if the involved 
operators have previously coordinated the operation.
ii. Probability of Collision
    The FAA also proposes to amend the collision avoidance screening 
methods to include new options for analysis. The current regulation 
offers spherical or ellipsoidal screening, however, it fails to provide 
distances for ellipsoidal screening and identifies a spherical distance 
of 200 km as default. The FAA proposes an additional option of 
collision probability screening using a covariance matrix. A covariance 
matrix is a mathematical construct that describes the upper stage's 
position and the uncertainty of that position in all dimensions.
    In proposed Sec.  450.169(a)(1)(i), the FAA would permit a launch 
operator to employ a probability of collision of 1 x 10^-6, 
consistent with current Air Force practice, rather than relying solely 
on the spherical or ellipsoidal separation distance of 200 km currently 
required by section A417.31(c)(8)(i) and (ii) and Sec.  431.43(c)(1). 
The spherical separation-distance option is the most conservative 
option and requires the least detail about the location of the launch 
vehicle and therefore results in the largest window closures. If launch 
operators have covariance--that is, uncertainty--information applicable 
to their nominal trajectories, the option of limiting the probability 
of collision allows for greater fidelity in avoiding a collision with 
inhabitable objects.
    For collision probability screening, proposed Sec.  
450.169(a)(1)(i) would require a covariance information, typically 
provided in a matrix, that identifies the uncertainty of the launch 
vehicle trajectory. When an operator can provide sufficient covariance 
(as identified in proposed appendix A to part 450, paragraph (d)(3)), 
the probability of its collision with an inhabitable object can be 
accurately calculated and launch window closures can be limited to only 
those times where actual high risk exists. In essence, this fine-tuned 
launch collision avoidance would provide assurance against collisions 
while minimizing potential launch window closures.
    The FAA proposes to allow the use of a probability of collision 
because the 18th Space Control Squadron's (SPCS) use of the proposed 
probability threshold has prevented collisions while still allowing for 
maximum availability of launch windows. The FAA agrees that using 
probability assessment adequately protects inhabitable spacecraft while 
maximizing the time available for launch. Probability of collision is 
also the preferred analysis method for reentry collision avoidance.
    According to NASA,\136\ the Department of Defense's 18th SPCS 
current practice for on-orbit debris regarding the ISS is to assess 
potential conjunctions inside specific-sized boxes centered on the ISS. 
Any object predicted to pass within this box is tracked with higher 
priority. The 18th SPCS then uses the best available data set to 
compute the probability of collision with the potentially-threatening 
catalogued object. If that probability is greater than 1 x 
10^-4, the ISS performs a collision avoidance maneuver. If 
that probability is greater than 1 x 10^-5, then the ISS 
would perform a collision avoidance maneuver when doing so would not 
compromise its mission objectives. Additionally, the proposed 
requirements in Sec.  450.169 for a launch and reentry collision 
avoidance probability of collision criteria of 1 x 10^-6 
against inhabitable

[[Page 15349]]

objects is consistent with current NASA practices.
---------------------------------------------------------------------------

    \136\ Operational Interface Procedures. Volume A, Report Number 
SSP-50643-A, Section 7.16.2. Published June 28, 2003, and last 
modified October 17, 2008.
---------------------------------------------------------------------------

iii. Separation Distance Calculations by Sphere or Ellipsoid
    Section 417.231 currently requires a launch operator to ensure a 
separation distance of 200 km between its launch vehicle, any 
jettisoned components, or its payload, and an inhabitable object.\137\ 
The regulation does not specify whether the separation distance must be 
spherical or may be ellipsoidal. Section A417.31(c)(8) of Appendix A 
does, however, permit a launch operator to use spherical or ellipsoidal 
screening. In practice, the 18th SPCS provided ellipsoidal distances in 
the standardized collision avoidance request form, and the FAA has 
allowed the 18th SPCS methods as acceptable for launch screening 
volumes. The FAA anticipates that identifying these options in proposed 
Sec.  450.169(a) will reduce confusion and accurately capture the 
requirements for ellipsoidal screening. Additionally, the FAA's 
proposal would clarify that either method of calculation would be 
acceptable.
---------------------------------------------------------------------------

    \137\ 14 CFR 417.231(b).
---------------------------------------------------------------------------

    Using ellipsoidal separation calculation would permit a launch 
vehicle to come within a predicted 50 km from an inhabitable object in 
the cross-track and radial directions. The in-track distance would be 
maintained at 200 km. The result is an ellipse around the inhabitable 
object that looks approximately like a pencil with the tip in the 
direction of travel. In accordance with longstanding Federal range 
standards, the 50-km separation distance in the cross-track and radial 
directions would provide an equivalent level of safety compared to a 
separation distance based on a sphere because the uncertainty in 
orbital location is significantly less side-to-side than it is along 
the velocity vector. Because the velocity vector is greatest in-track, 
a small change in velocity results in a significant variation in 
arrival time, and therefore requires the greatest compensation (200 
km). However variations in orbital altitude are possible, but occur at 
a significantly reduced rate, allowing the exclusion distance to be 
reduced to 50 km radially. Variations laterally are also minimal and 
require the smallest compensation, allowing the reduction to 50 km in 
the cross-track directions. The FAA agrees with the Federal range 
conclusions that the ellipsoidal calculation maintains an equivalent 
level of safety as the 200-km spherical calculation.
iv. Collision Avoidance for Objects That Are Not Inhabitable
    Sections A417.31(c)(8) and C417.11(d)(8) require that if a launch 
operator requests launch collision avoidance analysis for unmanned or 
unmannable objects, the analysis must use the spherical screening 
method with a separation distance of 25 km (approximately 15.5 statute 
miles). The screening was optional but, if used, the distance was 
mandated. The FAA proposes to alter the collision avoidance 
requirements for uninhabitable objects. Launches from federal ranges 
require screening for uninhabitable objects to meet Air Force or NASA 
requirements, therefore there most space launch operators are already 
familiar with the process and requirements. The FAA proposal creates a 
common standard for all commercial space launches.
    In proposed Sec.  450.169(a)(2) and (3), the screening for 
potential conjunctions would include avoidance of uninhabitable 
objects, active objects, and trackable debris. The required minimum 
separation distance would remain at 25 km, or a PC of 1 x 
10^-5, for active satellites. For those objects that are 
tracked and not active, such as debris, defunct rocket bodies, and dead 
or inactive satellites, for which the FAA currently has no requirement, 
the FAA proposes a required minimum separation distance of 2.5 km 
(approximately 1.6 statute miles), consistent with 18th SPCS screening 
practice. This proposed separation distance would provide increased 
safety for launches and reentries.
    The proposed screening would coincide with the screening for 
inhabitable objects and would cover the same time frames. This is 
consistent with current 18th SPCS operational procedures.
    Launch availability during the launch window is a concern of the 
FAA because excessive launch window closures could limit launch 
opportunities, increase the effects of prolonged airspace closures on 
aviation, and increase launch operations costs. The FAA analyzed 
previous U.S. launches--commercial, civil, and military--to determine 
the consequence to the launch window availability of adding 
uninhabitable objects as a mandatory launch collision avoidance 
requirement. Of the worldwide launches between September 2011 and June 
2012, the maximum impact was the closing of approximately 12% of the 
launch window. The average impact was only 2% of each launch window 
closed due to launch collision avoidance accounting for both 
inhabitable and uninhabitable objects. This level of impact was 
validated for launch closures for launches conducted in 2017. The 
worst-case scenarios for launch collision avoidance are launches of low 
inclination that pass through the densest part of the low earth orbit 
(LEO) population, around 800 km (approximately 497 statute miles) in 
altitude. The FAA believes implementing collision avoidance for 
inhabitable objects, active satellites, and trackable debris would 
adequately prevent collisions without placing excessive restrictions on 
launch opportunities. The FAA seeks comment on the potential impact of 
implementing these requirements.
v. Accounting for A Conjunction Up to 3 Hours After Launch
    The current FAA requirement for screening time is one orbit (at 
least 100 minutes) plus 10 minutes padding.\138\ The current Federal 
screening practice at the 18th SPCS covers 3 hours. The FAA proposes to 
adopt 18th SPCS's current practice as the minimum standard to ensure 
the necessary level of safety to inhabitable and active space objects 
and to avoid the generation of space debris. Under proposed Sec.  
450.169(b), the collision avoidance analysis for orbital launches would 
have to account for a conjunction that could occur up to 3 hours after 
launch. This change would be in line with practices for Federal 
launches. In actual practice, the 18th SPCS performs an analysis from 
launch to about 3 hours against all objects and debris in the catalog. 
However, commercial launchers currently can request screening through 
only one orbit after launch.
---------------------------------------------------------------------------

    \138\ 14 CFR 417.107(e)(1)(ii)(B).
---------------------------------------------------------------------------

    Pre-launch collision avoidance analysis ensures there are no 
immediate conjunctions during orbital insertion and shortly thereafter 
but is dependent on pre-launch estimated trajectories. Extending this 
collision avoidance analysis to three hours post-launch provides 
sufficient time for creation of the first orbital element set (ELSET), 
at which point collision avoidance analysis begins being calculated 
using real positioning information. To create an ELSET, the Department 
of Defense uses multiple tracking information to establish the first 
ELSET and reduce the position error significantly. Once an ELSET has 
been created when the vehicle is on-orbit, an on-orbit collision 
avoidance analysis is routinely run out to 72 hours. Pre-launch 
collision avoidance analysis is the only possible method to prevent a 
collision until that first ELSET is created.

[[Page 15350]]

    There is a significant collision avoidance warning time gap between 
the end of 18th SPCS's 3-hour launch screening time and when 18th SPCS 
determines an ELSET. Pre-launch collision avoidance analysis beyond 3 
hours is currently of limited utility. As positional errors based on 
predicted trajectories grow, data validity becomes increasingly 
suspect. Additionally, it is possible to create large launch window 
closures or even close the launch window entirely. Therefore, without a 
significant development in prediction calculation fidelity and 
accuracy, the FAA proposes to extend pre-launch collision avoidance to 
3 hours. The accuracy of pre-launch collision avoidance analysis would 
be dependent on the accuracy of the trajectories provided.
    This 3-hour extension is important to protect inhabitable objects 
on-orbit. The ISS incurs collision risk from every launch. There is a 
warning time gap between the end of the pre-launch collision avoidance 
analysis and the start of on-orbit collision analysis done by the 18th 
SPCS. Until the 18th SPCS can determine the ELSET, the location of 
upper stages, payloads, and any released debris is unknown. During that 
time, whether the ISS is at risk from a collision would also be 
unknown. Extending the pre-launch collision avoidance requirement from 
one orbit to 3 hours would codify current practice.
    Additionally, although not required by FAA regulation, operators 
should promptly provide the 18th SPCS positional updates after orbital 
insertion until such time as the ELSET is established and on-orbit 
collision avoidance analysis commences.
    The FAA proposes to remove the requirements to expand the collision 
avoidance analysis screening time by 10 minutes to ensure that the 
entire first orbit of the launch vehicle is screened in sections 
A417.31(c)(7)(iv) and C417.11(d)(7)(iv). The expanded screening time 
required by those appendices would be unnecessary if the FAA extends 
the screening to 3 hours as described in proposed Sec.  450.169(b).
vi. Submitting Collision Avoidance Inputs to the FAA
    Proposed Sec.  450.169(f) would require a launch operator to submit 
launch collision avoidance trajectory data to both AFSPC and the FAA. 
The current regulations only requires an operator to submit the data to 
the AFSPC. However, the AFSPC does not review launch operator data to 
ensure it complies with FAA requirements. The proposal would ensure the 
FAA receives and reviews the same data that is provided to AFSPC for 
launch collision avoidance. As this data is generally submitted 
electronically, sending the data to both the FAA and AFSPC is not 
expected to increase cost or paperwork burden of the submission. Direct 
submission to AFSPC and the FAA will facilitate a quicker response to 
the operator than having the FAA act as a middleman between the 
operator and AFSPC, and enables coordination throughout the process.
    In the past, the FAA has found discrepancies between operator 
trajectory data and operator requests to AFSPC for specific launch 
collision avoidance analysis methods. On multiple occasions, operators 
have misapplied existing launch collision avoidance regulations. To 
ensure proper application of launch collision avoidance regulations the 
FAA must be able to review the launch collision data. A specific 
example of a discrepancy occurred when a launch operator directed the 
exclusion of the ISS from launch collision avoidance analysis in a 
request to AFSPC. The launch operator incorrectly assumed the 
protections for the ISS, the ultimate destination for one of the 
launched payloads, did not apply. In actuality, the planned rendezvous 
with the station was days into the mission, and not all objects 
launched were planned to rendezvous with the ISS. Collision avoidance 
analysis should have been requested for all launched objects against 
the catalog of space objects, including the ISS. FAA review of launch 
collision avoidance trajectory data would have identified that 
oversight.
vii. Appendix A to Part 450--Collision Analysis Worksheet
    The FAA proposes to consolidate the data input requirements of 
sections A417.31 and C417.11 and to clarify the data and process for 
collision avoidance in appendix A to part 450. Existing sections 
A417.31 and C417.11 provide nearly identical requirements for mission 
information. However, some elements are no longer useful or require an 
update to meet current practices. Specifically, proposed appendix A to 
part 450, paragraph (a)(1) mission name and launch location, paragraph 
(a)(2) launch or reentry window, paragraph (a)(3) epoch, time of 
powered flight, and point of contact remain the same as existing 
requirements. Proposed paragraph (a)(4) segment number has been updated 
to change the requirement to provide vector at injection to instead 
provide orbital parameters. The substantive requirement to identify how 
the operator would receive analysis results in current sections 
A417.31(c)(3) and C417.11(d)(3) also remains unchanged in proposed 
paragraph (b); however, minor editorial revisions were made to the 
examples of the transmission mediums provided to reflect modern 
technology.
    The proposed rule provides clarifications for some data elements. 
Specifically, the FAA proposes to change the requirement to identify 
orbital objects to evaluate contained in section A417.31(c)(9). As 
written, section A417.31(c)(9) requires the operator to identify the 
orbiting objects to be included in the analysis. In all cases the 
analysis must include all objects. However, the current practice is to 
identify the characteristics of the orbiting object, i.e., name, 
length, width, depth, diameter, and mass. The FAA proposes to capture 
current practice in proposed paragraph (a)(6). Also, the proposed 
appendix would replace ``vector at injection'' in sections 
A417.31(c)(5) and C417.11(d)(5), with orbital parameters at proposed 
paragraph (a)(5). The proposed change would require an operator to 
identify the orbital parameters for all objects achieving orbit 
including the parameters for each segment after thrust end instead of 
the vector at injection for each segment. This requirement would allow 
accurate COLA calculations that consider changes in trajectory after 
orbital insertion.
    The FAA also proposes to clarify the trajectory file requirements 
in proposed paragraph (d) of appendix A to part 450. Sections 
A417.31(c)(5)(ii) and C417.11(d)(5)(ii) require that current operators 
provide position and velocity for each launched object after burnout or 
deployment. This requirement severely lacks in clarity and 
completeness. Proposed paragraph (d) would provide a clearer 
requirement in line with current practices. Launch and reentry 
operators would be required to provide trajectory files with position 
and velocity for each object through the entire screening process, not 
exclusively after burnout. The current practice at Federal ranges is to 
provide data through the entire screening process, therefore the FAA 
proposal is in line with current practices. Additionally, radar cross 
section and covariance (position and velocity) for probability of 
collision analysis would be required by proposed paragraph (d). These 
products are used in the analysis of potential collisions. Parts 431 
and 437 require the same trajectory files for analysis, however the 
current regulations do not provide guidance on how to provide the 
products necessary to complete the analysis. Proposed Sec.  450.169 and 
appendix A to part 450 would provide

[[Page 15351]]

the necessary guidance for all launch and reentry analysis.
    Proposed (e) of appendix A to part 450 would provide the three 
possible screening methodologies--spherical, ellipsoidal, or 
probability of collision. These requirements were discussed previously 
in this section.
13. Safety at End of Launch
    Proposed Sec.  450.171 would include requirements aimed at 
preventing the creation of orbital debris. Proposed Sec.  450.171(a) is 
the same as Sec.  417.129 and substantively the same as Sec.  
431.43(c)(3), which require certain measures to be taken by a launch 
operator to prevent the creation of orbital debris. The FAA is not 
proposing to update the substantive requirements for orbital debris 
mitigation in this rulemaking because it plans to do so in a future 
rulemaking.
    Proposed Sec.  450.171(b) would require an applicant to demonstrate 
compliance with the requirements in Sec.  450.171(a) in its 
application. This requirement is the same as Sec.  415.133, which 
applies to applications for the launch of an ELV from a non-Federal 
launch site. Proposed Sec.  450.171(b) would broaden the applicability 
of the application requirement to all launches. This is necessary 
because the importance of orbital debris mitigation has no relation to 
whether a launch takes place from a Federal or non-Federal launch site, 
or whether the launch vehicle is expendable or reusable. The expansion 
of the applicability of the application requirement is the only change 
related to orbital debris mitigation. As noted earlier, the substantive 
safety requirements remain the same.
14. Mishaps: Definition, Plan, Reporting, Response, Investigation, 
Test-Induced Damage
    As a part of its streamlining efforts, the FAA proposes four 
mishap-related actions, including a revised definition of anomaly. 
First, the FAA proposes to consolidate the many chapter III mishap-
related definitions into a mishap classification system. Second, this 
proposal would consolidate existing chapter III requirements for 
mishap, accident investigation, and emergency response plans, and 
clarify and streamline reporting requirements. Third, the FAA proposes 
to redefine the term ``anomaly'' and expand its application to include 
licensed, and not just permitted, activities. Fourth, the FAA proposes 
to exempt pre-coordinated test-induced damage to property involved with 
the test from being a mishap.
    The FAA proposes using an overarching mishap classification system 
instead of separate terms for ``mishap,'' ``launch accident,'' 
``reentry accident,'' ``launch incident,'' ``reentry incident,'' 
``human space flight incident,'' and ``launch site accident.'' The 
proposed mishap classification system would streamline and clarify the 
current accident, incident, and mishap definitions to create four 
mishap categories organized by severity, from most severe (Class 1) to 
least severe (Class 4). This proposal would also eliminate the $25,000 
monetary threshold from current ``mishap'' and accident terms. This 
proposal would consolidate parts 417 (Accident investigation plan), 420 
(Launch site accident investigation plan), 431 and 435 (Mishap 
investigation plan and emergency response plan), and 437 (Mishap 
response plan), into a single section applicable to all types of 
licenses, permits, and vehicles.
    Additionally, the FAA proposes to update the definition of the term 
``anomaly'' and relocate it from part 437 to part 401, making it 
applicable to licensed and permitted activities. Finally, the FAA 
proposes to exclude pre-coordinated test activities, resulting in 
damage to property owned by the operator and associated with test 
activities, from mishap consideration. This test-induced damage 
proposal provides permittees and licensees the freedom to conduct test 
activities that may result in damage to associated property, and the 
freedom to test without the need for a mishap investigation for 
foreseeable test failures.
i. Mishap Definitions
    The FAA currently uses a variety of terms to describe the 
occurrence of an unplanned event during commercial launch, reentry, and 
site activities. The term ``mishap'' is a broad term encompassing 
several of these unplanned events. Mishap, as currently defined in 
Sec.  401.5, means a launch or reentry accident, launch or reentry 
incident, launch site accident, failure to complete a launch or reentry 
as planned, or an unplanned event or series of events resulting in a 
fatality or serious injury (as defined in 49 CFR 830.2), or resulting 
in greater than $25,000 worth of damage to a payload, a launch or 
reentry vehicle, a launch or reentry support facility, or government 
property located on the launch or reentry site.\139\ As the definition 
shows, the term ``mishap'' captures 15 specific kinds of unplanned 
events,\140\ including five types of accidents and incidents. These are 
launch accident, reentry accident, launch incident, reentry incident, 
and launch site accident. These terms are defined separately in 
Sec. Sec.  401.5 and 420.5. Mishap also includes unplanned events 
resulting in failure to complete a mission as planned, a fatality or 
serious injury, or damages greater than $25,000 to certain property 
associated with the licensed or permitted activity.
---------------------------------------------------------------------------

    \139\ Section 401.5.
    \140\ (1) Launch accident; (2) reentry accident; (3) launch 
incident; (4) reentry incident; (5) launch site accident; (6) 
failure to complete a launch as planned; (7) failure to complete a 
reentry as planned; (8) an unplanned event resulting in a fatality; 
(9) an unplanned event resulting in a serious injury; (10) an 
unplanned event resulting in greater than $25,000 worth of damage to 
a payload; (11) an unplanned event resulting in greater than $25,000 
worth of damage to a launch vehicle; (12) an unplanned event 
resulting in greater than $25,000 worth of damage to a reentry 
vehicle; (13) an unplanned event resulting in greater than $25,000 
worth of damage to a launch support facility; (14) an unplanned 
event resulting in greater than $25,000 worth of damage to 
government property located on the launch site; or (15) an unplanned 
event resulting in greater than $25,000 worth of damage to a reentry 
site.
---------------------------------------------------------------------------

    The terms ``launch accident,'' ``reentry accident,'' and ``launch 
site accident,'' which are encompassed by the mishap definition, all 
include the occurrence of a fatality or serious injury to persons not 
associated with the activity and damage to property not associated with 
the activity exceeding $25,000. Unlike the term ``launch site 
accident,'' launch and reentry accidents account for the occurrence of 
a fatality or serious injury to a space flight participant or crew 
member during FAA-regulated activities. Other factors may also satisfy 
the various accident definitions. For instance, for launches involving 
an ELV, impacts of a launch vehicle, its payload, or any component 
thereof outside designated impact limit lines constitute an accident. 
If, however, the launch involves an RLV, impacts outside the designated 
landing site constitute an accident. In contrast, the definition for 
reentry accident makes no distinction between expendable and reusable 
vehicles. For reentry accidents, if the vehicle, its payload, or any 
component thereof lands outside a designated reentry site, the FAA 
deems it an accident.
    Similarly, although launch incidents and reentry incidents are both 
incidents, their definitions consist of different requirements. Launch 
and reentry incidents occur due to the malfunction of a FSS or other 
safety-critical system, or a failure of the operator's safety 
organization, design or operations. The FAA proposes to consolidate 
these

[[Page 15352]]

terms into a single mishap classification system eliminating the need 
for multiple terms.
    Current definitions of mishap and accident also include a $25,000 
monetary threshold that is arbitrary and outdated. Experience has shown 
that even minor damage that does not pose a threat to public safety can 
easily exceed the $25,000 monetary threshold, triggering potentially 
costly and burdensome notification, reporting, and investigation 
requirements. For example, a relatively minor unplanned event following 
a successful launch could result in damages to ground support equipment 
or launch facilities exceeding $25,000. The ARC noted the amount is 
outdated and does not necessarily reflect safety implications. 
Additionally, the conditions listed under the current definitions do 
not necessarily reflect the severity of consequences and associated 
public safety risks. A better mishap classification system would 
provide consistency of mishap thresholds and applicability to all types 
of operations, mitigating potential confusion. Rather than adding more 
definitions, the FAA would consolidate and replace the existing 
accident, incident, and mishap definitions with a mishap classification 
system that would be defined in Sec.  401.5 and would apply to all 
licensed and permitted activities.
    Under the proposed changes, ``mishap'' would mean any event, or 
series of events associated with a licensed or permitted activity, that 
meets the criteria of a Class 1, 2, 3 or 4 mishap. The FAA would use 
this overarching definition to describe any mishap type occurring 
during permitted or licensed activities regardless of classification or 
consequence threshold. The FAA's proposal was informed by existing NASA 
and Air Force mishap classification system definitions,\141\ and NTSB 
definitions.\142\
---------------------------------------------------------------------------

    \141\ NPR 8621.1C, NASA Procedural Requirements for Mishap and 
Close Call Reporting, Investigating, and Recordkeeping. Air Force 
Instruction 91-204, Safety Investigation and Hazard Reporting.
    \142\ As defined in 49 CFR 830.2.
---------------------------------------------------------------------------

    A ``Class 1 mishap'' would mean any event resulting in a fatality 
or serious injury to any person who is not associated with the licensed 
or permitted activity (e.g., members of the public) along with any 
space flight participant, crew, or government astronaut. The FAA would 
be adopting the definition of fatality or serious injury from 49 CFR 
830.2. To constitute a Class 1 mishap, the fatality or injury must 
result from licensed or permitted activity, including ground operations 
at a launch or reentry site. A Class 1 mishap would be a mishap that 
has the highest consequences and greatest impact on public safety. The 
proposed Class 1 mishap definition would incorporate existing fatality 
and serious injury criteria from current ``launch accident,'' ``reentry 
accident'' and ``launch site accident'' definitions.
    On November 25, 2015, the U.S Commercial Space Launch 
Competitiveness Act was signed into law (Pub. L. 114-90). This law 
amends 51 U.S.C. 50901(15) by inserting ``government astronauts'' after 
``crew'' each place it appears. In accordance with this amendment, and 
to ensure Class 1 mishap criteria applies equally to all persons on 
board a launch or reentry vehicle, the FAA Class 1 mishap definition 
includes government astronauts. The definition would only cover 
fatalities or serious injuries to crew, Government astronauts, 
spaceflight participants, or uninvolved public. The definition of Class 
1 mishap would not cover other persons associated with the launch or 
reentry, similar to the current accident definitions for which it 
replaces. The proposed Class 1 Mishap also consolidates existing 
accident definitions, which would include potential recovery site 
accidents that were previously not defined. The FAA proposes to define 
a ``Class 2 mishap'' as any unplanned event, other than a Class 1 
mishap, resulting in a malfunction of a safety-critical system, a 
failure of the safety organization or procedures, substantial damage to 
property not associated with the operation, or a high risk of causing a 
serious or fatal injury to any space flight participant, crew, 
government astronaut, or member of the public. The Class 2 mishap 
definition would encompass the current definitions of a ``launch 
incident,'' ``reentry incident,'' and ``human space flight incident.'' 
The definition would use a substantial damage to uninvolved property 
requirement instead of the $25,000 damage threshold.
    Under this proposal, the FAA would make a case-by-case 
determination whether the damage to public property is substantial. 
This evaluation may be based on, but not limited to, direct replacement 
cost, repair cost, and the property's intended use and functionality. 
For example, structural damage to public property exceeding 50 percent 
of its market value may be deemed as substantial damage. This approach 
potentially reduces the burden on the commercial space industry and 
Federal government by providing flexibility on the determination of 
substantial damage and the scope of the resulting investigation. This 
is consistent with the ARC feedback. Other criteria--such as events 
posing a high risk of causing a serious or fatal injury to any space 
flight participant, crew, government astronaut, or member of the 
public--are based on the existing ``human space flight incident'' 
definition and expanded to include government astronauts and members of 
the public. With this criterion, the FAA intends to cover events akin 
to a near miss in the aviation industry and is consistent with the Air 
Force and NASA practices. The addition of ``members of the public'' is 
consistent with the FAA's public safety mission. The FAA's goal is to 
evaluate the event type by impact to public safety.
    The FAA proposes to define ``Class 3 mishap'' as any unplanned 
event, other than a Class 1 or Class 2 mishap, resulting in permanent 
loss of a vehicle during licensed activity or the impact of a vehicle, 
its payload, or any component thereof outside the planned landing site 
or impact area. This change would differentiate between licensed 
launches and reentries and permitted launches and reentries. The FAA 
believes this proposal captures the intent of the current mishap 
definition that includes the failure to complete a launch or reentry as 
planned criterion. At the same time, the separation of licensed and 
permitted operations between Class 3 and 4 mishaps is also consistent 
with ARC feedback.
    The FAA would consider debris impacts outside of defined limits to 
meet the Class 3 mishap definition, provided the event did not satisfy 
the criteria of a Class 1 or 2 mishap. Impacts of launch vehicle debris 
outside designated impact limit lines are currently considered a launch 
accident.
    The FAA proposes to define a ``Class 4 mishap'' as an unplanned 
event, other than a Class 1, Class 2, or Class 3 mishap, resulting in 
permanent loss of a vehicle during permitted activity, a failure to 
achieve mission objectives, or substantial damage associated with 
licensed or permitted activity. The FAA intends proposed ``Class 4 
Mishap'' to capture other events with the potential for future public 
safety implications without directly affecting public safety during 
occurrence. For example, an operator may have complete loss of a 
permitted vehicle in a remote and unpopulated area. Although the loss 
may not have resulted in fatalities, serious injuries, or public 
property damage on this occasion, it is important to find the root 
cause of the mishap. Otherwise, if the operator does not identify and 
address the underlying

[[Page 15353]]

cause, it may endanger public safety during a future launch in 
different conditions.
ii. Anomaly Definition
    The FAA proposes to change the definition of ``anomaly'' and to 
move the definition to Sec.  401.5, where it would apply to all of 
chapter III. Anomaly would mean any condition during a licensed or 
permitted activity that deviates from what is standard, normal, or 
expected, during the verification or operation of a system, subsystem, 
process, facility, or support equipment. The inclusion of anomaly in 
Sec.  401.5 would clearly define the expectation of post-operation 
reporting for all licensed or permitted operations. It would also 
capture off-nominal events that do not fall under the thresholds of 
Class 1-4 mishaps as part of the required post-launch report.
    The FAA currently defines anomaly only in part 437. Part 437 
defines an anomaly as a problem that occurs during verification or 
operation of a system, subsystem, process, facility, or support 
equipment. Section 437.73 requires strict recording, reporting, and 
implementation of corrective actions in the event of a public safety 
related anomaly. Section 417.25(c)(1), applicable to ELVs, requires 
operators to report an anomaly that occurred during launch countdown 
and flight in the post-launch report but does not define anomaly. 
Although part 431 does not have specific anomaly reporting 
requirements, in practice, the FAA requires operators to report 
anomalies. To ensure anomaly reporting, the FAA has begun adding a term 
and condition to launch licenses requiring operators to report 
anomalies prior to the next launch. The FAA uses anomaly reporting to 
track vehicle-related issues and to ensure an operator mitigates those 
issues prior to future flights. Given that not all anomalies are 
identified during flight, the post-launch reporting requirement allows 
the operator to review countdown and flight data for off-nominal 
conditions and report any anomalous condition to the FAA as a part of 
the post-launch report.
    Although an anomaly is defined in Sec.  437.3, as ``a problem that 
occurs during verification or operation of a system, subsystem, 
process, facility, or support equipment,'' it is not defined in part 
415, 417, 431, or 435, and hence, it is applicable only to experimental 
permits. However, Sec.  417.25--Post launch report, requires an 
operator to ``identify any discrepancy or anomaly that occurred during 
the launch countdown or flight.'' The FAA is proposing to update the 
existing definition of an anomaly to ``any condition during a licensed 
or permitted activity that deviates from what is standard, normal, or 
expected, during the verification or operation of a system, subsystem, 
process, facility, or support equipment.'' The proposed definition 
seeks only to clarify what a ``problem'' is by adding ``deviates from 
what is standard, normal, or expected.''
iii. Mishaps--Reporting, Response, and Investigation Requirements
    The FAA proposes to consolidate current chapter III mishap plan, 
reporting, response and investigation requirements into proposed Sec.  
450.173. The FAA seeks comment on its proposed approach, as discussed 
below, to mishap requirements, including reporting.
    Current title 14 CFR chapter III requirements for mishap and 
accident reporting, response, and investigation requirements are 
inconsistent and create confusion. For that reason, the FAA's proposed 
changes would apply to mishap requirements for launch and reentry 
licenses, experimental permits, and launch and reentry site licenses. 
Proposed Sec.  450.173 would replace Sec. Sec.  417.111(h) (Accident 
Investigation Plan), 417.415(c) (Post launch and post flight hazard 
controls), and 431.45 (Mishap investigation plan and emergency response 
plan). The proposed mishap plan changes to Sec. Sec.  420.59(a) 
(Mishap) and 437.41 (Mishap plan) would require an operator to meet the 
requirements of Sec.  450.173.
    The inconsistencies in the FAA's current regulatory scheme, 
including signature requirements for mishap plans, has led to much 
confusion. For example, Sec.  417.111(h) requires an operator to 
implement a plan containing the launch operator's procedures for 
reporting and responding to launch accidents, launch incidents, or 
other mishaps. It also requires two signatures, one from an individual 
authorized to sign and certify the application, and another from the 
designated safety official. Similarly, Sec.  420.59 requires that 
licensed launch site operators develop and implement a launch site 
accident investigation plan that contains the licensee's procedures for 
reporting, responding to, and investigating launch site accidents and 
for cooperating with Federal officials in case of a launch accident. It 
also requires a signature from an individual authorized to sign and 
certify the application, but not from the designated safety official 
like Sec.  417.111(h). Current Sec.  431.45 requires an RLV operator to 
submit a mishap investigation plan (MIP) containing the applicant's 
procedures for reporting and responding to launch and reentry 
accidents, launch and reentry incidents, or other mishaps that occur 
during the conduct of an RLV mission. It also requires that an RLV 
operator submit an emergency response plan (ERP) containing procedures 
for informing the affected public of a planned RLV mission. The FAA 
requires that an individual authorized to sign and certify the license 
application, the person responsible for the conduct of all licensed RLV 
mission activities, and the designated safety official, sign the MIP 
and ERP. In contrast, Sec.  437.41 does not require any signatures. To 
ensure consistency between all title 14 CFR chapter III requirements, 
the FAA proposes to consolidate these requirements.
    The ARC noted that reporting requirements for mishaps not involving 
a fatality or serious injury are unclear and left up to the operator to 
determine. The ARC said the FAA should define a minimum standard for a 
reportable mishap, in addition to a minimum set of investigation and 
reporting requirements, including information that should be provided 
during initial notification.
    Current notification requirements are generally consistent for a 
launch, reentry, launch site accident, launch or reentry incident, or 
mishap involving a fatality or serious injury. In those instances, 
regulations throughout title 14 CFR chapter III require that operators 
provide immediate notification to the FAA's Washington Operations 
Center (WOC).\143\ This is not the case when a mishap does not involve 
a fatality or serious injury.\144\ For example, part 417 requires 
notification within 24 hours to the Associate Administrator for 
Commercial Space Transportation or to the FAA WOC in the event of a 
mishap that does not involve a fatality or serious injury. In contrast, 
parts 431 and 437 only require 24-hour notification to the Associate 
Administrator for Commercial Space Transportation, but not to the FAA 
WOC for a mishap that does not involve a fatality or serious injury. 
Current part 420 does not require a launch site operator to provide a 
24-hour mishap notification. If a mishap occur during non-business 
hours, this raises the possibility that a launch operator may be unable 
to report it to the Associate Administrator for Commercial Space 
Transportation, which would create the potential for a

[[Page 15354]]

non-compliance. To address these issues, the FAA proposes to provide a 
single source for all initial mishap notifications. The single source 
would be the FAA's WOC, a 24-hour, seven-day, operational facility.
---------------------------------------------------------------------------

    \143\ 14 CFR 417.111(h)(1)(i), 420.59(b)(1), 431.45(b)(1), and 
437.75(a)(1).
    \144\ 14 CFR 417.111(h)(1)(ii), 431.45(b)(2), and 437.75(a)(2).
---------------------------------------------------------------------------

    Parts 417, 420, 431, and 437 all require an operator to submit a 
written preliminary report within five days \145\ of either an accident 
or incident to the FAA, Associate Administrator for Commercial Space 
Transportation. The five-day report is a follow-up requirement designed 
to supplement initial mishap notification once more detailed 
information is known. Under the proposed mishap classification system 
and mishap plan requirements, all mishaps would have similar reporting 
requirements. The FAA believes the proposed mishap classification 
system would save the operator time and resources during the initial 
mishap response by eliminating the need to evaluate whether the event 
is an accident, incident, or mishap. This streamlining of reporting 
requirements reduces the burden of unclear reporting requirements noted 
by the ARC.
---------------------------------------------------------------------------

    \145\ 14 CFR 417.111(h)(1)(iii), 420.49(b)(2), 431.45(b)(3), and 
437.75(a)(3).
---------------------------------------------------------------------------

    Based on past examples, the five-day report is usually only one to 
three pages in length, requiring minimal time to compose. The FAA will 
use the information contained within the five-day report to ensure the 
mishap has been properly classified and the proper level of 
investigation and FAA oversight is being conducted. The FAA believes 
the time required to complete the five-day report is minimal and that 
by providing a clear expectation of required report contents in the 
event of all mishap types will eliminate confusion and ultimately 
result in time-savings.
    Response plan requirements for containing and minimizing the 
consequences of a mishap and for ensuring the preservation of data and 
physical evidence are generally consistent throughout license types 
with some exceptions. For instance, the regulations require that a 
launch site operator's plan include procedures for reporting and 
cooperating with FAA and NTSB investigations, and for designating one 
or more points of contact. Additionally, licensees must identify and 
adopt preventive measures for avoiding recurrence of the event.
    Current investigation requirements are also generally consistent 
across license types. The FAA currently requires that operators 
investigate the cause of a launch, reentry, or launch site accident, 
launch or reentry site incident, or mishap across license types.\146\ 
After the investigation, an operator must report investigation results 
to the FAA and delineate responsibilities for personnel assigned to 
conduct the investigation and for anyone retained by the operator to 
participate in an investigation. Section 420.59(e)(1) also requires 
that a launch site operator's investigation plan include procedures for 
participating in an investigation of a launch accident for launches 
launched from the launch site.
---------------------------------------------------------------------------

    \146\ 14 CFR 417.111(h)(3), 420.59(d)(3), 431.45(d), and 
437.75(c).
---------------------------------------------------------------------------

    To ensure vehicle recovery can be conducted safely and effectively 
and with minimal risk to the public, part 431 operators must submit an 
ERP containing the operator's procedures for notifying local officials 
of unplanned and offsite landings. In addition, these operators must 
provide a plan for informing the public potentially affected of the 
estimated date, time, and landing location for the reentry activity. 
This information must be provided in layman's terms. These requirements 
are unique to operations conducted under part 431.
    Section 417.415(c)'s post-launch and post-flight-attempt hazard 
controls require that an operator establish procedural controls for 
hazards associated with an unsuccessful flight where the launch vehicle 
has a land or water impact. These procedures ensure the evacuation and 
rescue of members of the public, the dispersion and movement of toxic 
plumes, identifying areas of risk, and communication with local 
government authorities. Additionally, these procedures require that an 
operator extinguish fires, secure impact areas, evacuate members of the 
public, prevent unauthorized access, and preserve evidence. Lastly, the 
operator must ensure public safety from hazardous debris and have plans 
for the recovery, salvage, and safe disposal of debris and hazardous 
materials.
    For all FAA-licensed operations, proposed Sec.  450.173 would 
require that an operator report, respond, and investigate class 1, 2, 
3, and 4 mishaps, using a plan or other written means.\147\
---------------------------------------------------------------------------

    \147\ For purposes of the preamble discussion regarding proposed 
Sec.  450.173, the term ``mishap plan document'' is used to 
encompass a plan or other written means.
---------------------------------------------------------------------------

    An approved mishap plan document would be eligible for reuse with 
other specific or similar vehicles, sites, and operations. This would 
ease the burden on industry. For example, a permittee applying for a 
license or a current licensee applying for a different type of license, 
would be able to use the same written mishap plan document previously 
developed because the requirements would be the same regardless of 
license type. This mishap plan document would include notification to 
local officials should a mishap cause the vehicle to land offsite, such 
that a coordinated effort can be made to protect the public. Provided 
emergency response requirements such as coordinated emergency response 
agreements remain current, a permittee can submit a mishap response 
plan developed for permitted operations to satisfy the mishap plan 
document application requirements under a license. Additionally, the 
FAA would not have to evaluate the same company differently depending 
on the permit or license type. This would reduce time and cost for the 
industry and the FAA while maintaining the same level of public safety.
iv. Discussion of the Mishap Plan--Reporting, Response, and 
Investigation Proposed Requirements
    Proposed Sec.  450.173 would eliminate all mishap plan signature 
requirements. The requirement that the person certifying the accuracy 
of the application also sign the mishap plan document is not necessary 
because by signing the application, the operator is already certifying 
that the components thereof, including the mishap plan document, are 
accurate. Additional signatures (e.g., from the safety official or 
mission director) are also unnecessary as the roles and 
responsibilities for personnel implementing the mishap plan document 
are contained in the plan itself. Eliminating the signature 
requirements would provide operators with the flexibility to assign 
personnel to implement a mishap plan document without having to 
resubmit a signed document to the FAA.
    Proposed Sec.  450.173(a) would require an operator to report, 
respond, and investigate class 1, 2, 3, and 4 mishaps according to 
paragraphs (b) through (h) of Sec.  450.173, using a plan or other 
written means. Proposed Sec.  450.173(b)(1) would require that an 
operator document the responsibilities for personnel assigned to 
implement the requirements of proposed Sec.  450.173. Proposed Sec.  
450.173(b)(2) would require an operator to document reporting 
responsibilities for personnel assigned to conduct investigations and 
for anyone retained by the licensee to conduct or participate in 
investigations. Proposed Sec.  450.173(b)(3) would require an operator 
to document the allocation of roles and responsibilities between the 
launch operator and any site operator for reporting, responding to, and

[[Page 15355]]

investigating any mishap during ground activities at the site. Further, 
proposed Sec.  450.173(c) would require an operator to report to, and 
cooperate with, FAA and NTSB mishap investigations. Also, it would 
require that the operator identify one or more points of contact for 
the FAA and NTSB. This proposal does not substantively change current 
requirements to report, cooperate, and designate points of contact. Any 
changes from current regulations would be made merely for clarification 
purposes. In the event of an FAA- or NTSB-led investigation, the FAA 
would not require an operator to perform an independent internal 
investigation because it would be a party to the investigation. 
However, the operator would remain responsible for reporting 
investigation results to the FAA, which would include any government-
generated or independent investigation reports as well as party 
submissions. In the event of an operator-led investigation under FAA 
oversight, the operator's investigation would be the primary 
investigation, although the FAA may grant official observer status to 
U.S. Government representatives (e.g., NASA, the Air Force). As 
official observers, these representatives would be integrated into the 
operator's investigation to the extent the FAA finds appropriate. These 
U.S. Government entities may decide to conduct their own investigation 
independent of FAA oversight, although the FAA and NTSB have primary 
jurisdiction.
    Proposed Sec.  450.173(d) would establish mishap reporting 
requirements applicable to all operations, vehicles, or mishap types. 
Proposed Sec.  450.173(d)(1) would require that an operator immediately 
notify the FAA WOC in case of a mishap involving a fatality or serious 
injury. Immediately would continue to mean notification without delay. 
The immediate notification should not hamper emergency response 
activities. Proposed Sec.  450.173(d)(2) would require that operators 
report other mishaps not involving a fatality or serious injury to the 
WOC within 24 hours. This would eliminate the current option to notify 
the Associate Administrator for Commercial Space Transportation instead 
of the WOC because the WOC, unlike the Administrator for Commercial 
Space Transportation, is available 24-hours per day, 7 days per week. 
Proposed Sec.  450.173(d)(3) would require operators to submit a 
written preliminary report to the FAA Office of Commercial Space 
Transportation within five days of any mishap. The report would need to 
include the information listed in proposed Sec.  450.173(d)(3). This 
list of information would include the operator's assessment on how the 
cause of its mishap could potentially affect similar vehicles, systems, 
or operations. Given some systems and components are common across 
operators, this information could prevent mishaps due to similar 
failures of a common system or component, including ground and range 
systems. The reporting requirements in this paragraph are similar to 
existing five-day reporting requirements. Under current regulations, a 
five-day preliminary written report was only required in the event of 
an accident or incident. Based on lessons learned from past mishaps, 
the FAA is streamlining these reporting requirements to ensure 
consistency between mishap classes and that information required to 
properly classify a mishap and the level of investigation required are 
reported. For example, mishaps involving a fatality or serious injury 
are typically investigated at the Federal level, as such, the FAA is 
aware of the information that may affect the safety of the public or 
public property. The operator, in accordance with their mishap plan, 
may investigate mishaps not involving a fatality or serious injury. In 
such cases, it is possible that the FAA may not become aware of 
information potentially affecting the public safety or public property 
in a timely manner, or other facts that may require elevating the class 
of mishap to a higher level.
    Proposed Sec.  450.173(e) sets emergency response requirements. 
Proposed Sec.  450.173(e)(1) would require that an operator activate 
emergency response services following a mishap. This requirement is 
consistent with the post-launch and post-flight attempt hazard controls 
in current Sec.  417.415. Proposed Sec.  450.173(e)(2) would require 
that an operator maintain existing hazard area surveillance and 
clearance as necessary to protect public safety. These notices would 
include NOTAM and NOTMAR. Proposed Sec.  450.173(e)(3) would require 
that an operator contain and minimize the consequences of a mishap. 
Proposed Sec.  450.173(e)(4) would provide for the preservation of data 
and physical evidence, including debris, which the FAA considers to be 
a physical record. In an effort to contain and minimize the 
consequences of the mishap and maintain site integrity for 
investigation, an operator would need to safe and secure the mishap 
site in a timely manner. Proposed Sec.  450.173(e)(4) is consistent 
with current requirements. Proposed Sec.  450.173(e)(5) would require 
an operator to implement agreements with local government authorities 
and emergency response services, as necessary. Emergency response 
procedures should identify who is responsible for securing the mishap 
site, and procedures for access to the mishap site. For example, the 
procedures should identify who is responsible for educating persons on 
the treatment of debris, and the disposal of hazardous materials. The 
FAA recommends that prior to beginning operations, an operator 
coordinate with Federal, state, and local authorities and emergency 
first responders to familiarize them with permitted and licensed 
operations and hazards associated with an operator's activities, such 
as launch vehicle hazards. This pre-coordination is important to ensure 
the safety of emergency personnel responding to the mishap. Vehicle and 
operational hazards may include vehicle composites, propellants, 
oxidizers, pressure vessels, unexploded ordnance, oxygen systems, and 
batteries.
    If implemented, proposed Sec.  450.173(f) would require an operator 
to investigate the root causes of a mishap and report the results to 
the FAA. Proposed Sec.  450.173(g) would require that an operator 
identify and implement preventive measures prior to the next flight, 
unless otherwise approved by the Administrator. The FAA is proposing 
that preventive measures be implemented prior to the next flight in all 
cases in order to codify current practice. The FAA would work with 
operators on a case-by-case basis to determine whether its next 
operation may proceed if it is unable to implement preventive measures 
before the next flight. The requirement to implement corrective action 
prior to next flight is consistent with existing requirements in Sec.  
437.73(d) for anomaly recording, reporting, and implementation of 
corrective actions.
    Proposed Sec.  450.173(h) would require that an operator maintain 
records associated with a mishap in accordance with proposed Sec.  
450.219(d) (Records). The operator would make these records available 
to Federal officials for inspection and copying. This requirement is 
consistent with existing record keeping requirements.\148\ Records 
would include debris, which the FAA considers a physical record. In all 
mishap cases, disposal of any related debris would be required to be 
coordinated with the FAA. Note that this proposal would allow for the 
sharing of proposed Sec.  450.173

[[Page 15356]]

responsibilities between launch and reentry operators pursuant to an 
agreement. For example, the site operator may report the mishap 
occurrence to the FAA as required by proposed Sec.  450.173(d), while 
the emergency response requirements of proposed Sec.  450.173(e) may be 
shared by both the launch or reentry operator and site operator. An 
operator would be required to retain all records until completion of 
any Federal investigation and the FAA advises the operator that the 
records need no longer be retained.
---------------------------------------------------------------------------

    \148\ Sections 417.15(b), 420.61(b), 431.77(b), and 437.87(b).
---------------------------------------------------------------------------

    Finally, proposed Sec.  450.173(i) would set application 
requirements. This section would require the submission of the mishap 
plan document at the time of license or permit application.
v. Test-Induced Damage
    The FAA proposes to introduce a test-induced damage exception to 
the mishap definition in proposed Sec.  450.175 (Test-induced Damage). 
This proposal would allow an operator to coordinate testing activities 
with the FAA before the activities take place to prevent the FAA from 
labeling failures as mishaps. Any test failure covered by this section 
would be considered test-induced damage and not a mishap, so long as 
the failure falls within the pre-coordinated and FAA-approved testing 
profile. The test-induced damage concept is not currently within the 
FAA's commercial space regulations. This proposal is due to the FAA's 
recognition that current mishap regulations may deter the kind of 
robust testing that may yield future safety benefits.
    The FAA currently deems a failure to achieve test objectives as a 
mishap (failure to complete a launch or reentry as planned). Similarly, 
a test failure that results in over $25,000 in damage to associated 
property would also be considered a mishap.\149\ In both cases, the 
resulting mishap designation would require a mishap investigation to 
identify root causes and preventive measures, which the operator would 
need to implement before the next operation.
---------------------------------------------------------------------------

    \149\ ``[R]esulting in greater than $25,000 worth of damage . . 
.'' in accordance with the mishap definition in Sec.  401.5.
---------------------------------------------------------------------------

    In the recent past, the FAA accepted the possibility of a test-
induced damage approach by pre-coordinating with a launch operator 
prior to conducting an in-flight abort test of a crew escape 
system.\150\ The FAA found that this process worked well in pre-
defining the objectives of the test, test limits, expected outcomes, 
and potential failure modes. It also allowed the operator and FAA to 
reach a common understanding of what events would be categorized as a 
test-induced damage or mishap. This approach would also be consistent 
with ARC feedback that the existing mishap definition leads to 
protracted mishap investigations because it does not recognize the 
difference between operational missions and higher risk experimental or 
test missions. The ARC and FAA believe this discourages robust testing 
to push the limits of a vehicle and undercutting test programs 
currently covered under experimental permits.
---------------------------------------------------------------------------

    \150\ Given these events fell within the pre-coordinated 
possible scenarios, the FAA did not consider them unplanned events 
and therefore, did not consider the events mishaps.
---------------------------------------------------------------------------

    As noted earlier, the ARC shared its concern that current mishap 
reporting and investigation requirements discourage robust testing. The 
FAA believes that the proposed test-induced damages paradigm addresses 
this concern by providing an opportunity for license applicants and 
existing license holders to pre-coordinate test activities and pre-
declare damages that the FAA would not consider a mishap. Under this 
paradigm, failure to achieve identified test objectives and certain 
pre-declared damages to property associated with the licensed activity, 
including ground support equipment, ground support systems, and flight 
hardware would not be reportable as an FAA-mishap provided the 
requirements of this section are met. The FAA also proposes to replace 
its existing mishap related definitions in favor of a mishap 
classification system to further clarify the types of events that would 
be considered a mishap.
    Proposed Sec.  450.175(a) would lay out the specific conditions for 
the test-induced damage approach. It would require an operator to 
coordinate test activities with and obtain approval from the FAA before 
the planned activity. The coordination should take place with 
sufficient time for the FAA to evaluate the proposal during the 
application process or as a license modification. A test activity would 
need to be pre-coordinated with the FAA to be eligible for the test-
induced damage mishap exception. The FAA would conduct pre-coordination 
activities during pre-application consultation. The test-induced damage 
exception would be optional and an operator would not be required to 
take this path. However, absent the test-induced damage exception, the 
FAA would categorize an unplanned event as a mishap in accordance with 
the proposed mishap classification system. Proposed Sec.  450.175(a)(2) 
would preclude certain kinds of mishaps from the test-induced damage 
alternative. Specifically, any mishap involving a serious injury or 
fatality, damage to property not associated with the licensed activity, 
or hazardous debris leaving the pre-defined hazard area would be 
treated as a mishap and not test-induced damage. Finally, proposed 
Sec.  450.175(a)(3) would require test-induced damage to fall within 
the scope of activities coordinated with the FAA to be eligible for 
this alternative. In other words, the FAA would consider the occurrence 
of damages resulting from test activities that fall outside the scope 
of approved activities (e.g., before scheduled test activities begin or 
exceeding operation limits) as a mishap in accordance with the proposed 
mishap classification system. The approved scope of the test would be 
outlined in the information submitted by the permittee or licensee to 
meet the application requirements of proposed Sec.  450.175(b).
    Proposed Sec.  450.175(b) would set the test-induced damage 
application requirements. The paragraph would list the information an 
applicant would need to submit under the test-induced damage 
alternative to mishap classification. The FAA does not intend the test-
induced damage exception to apply to the operation of an entire 
vehicle, but rather the testing of specific components and systems. The 
applicant should submit test objectives in a complete, clear, and 
concise manner to help the FAA distinguish between nominal operations 
and specific test objectives. It should also provide test limits such 
as the expected environments, personnel, equipment, or environmental 
limits. Also, the applicant would identify expected outcomes that the 
FAA would later compare to actual outcomes. The FAA would also request 
a list of potential risks, including the applicant's best understanding 
of the uncertainties in environments, test limits, or system 
performance. Applicable procedures or steps taken to execute the tests 
and the expected time and duration of the test would also be required. 
Finally, the FAA may request additional information such as 
clarification information to ensure public safety, safety of property, 
and to safeguard the national security and foreign policy interests of 
the United States.
    This proposal is similar to NASA's test-induced damages process, as 
defined in NPR 8621.1C (NASA Procedural Requirements for Mishap and 
Close Call Reporting, Investigating, and Recordkeeping). NASA developed 
the test-induced damages paradigm in support of the December 2014 
launch of Exploration Flight Test-1 and it has been in use supporting 
NASA test

[[Page 15357]]

programs ever since. The test-induced damages process is a formal 
process documenting the risk of damage and accepting that risk by 
signature before the test. Similar to the commercial space industry, 
NASA conducts tests to better understand and mitigate complex design, 
manufacturing, or operational issues with the objective of providing 
NASA with confidence that the system meets its technical and 
programmatic requirements and can successfully and safely perform its 
mission in the operational environment. As noted in NPR 8261.1C, some 
tests are designed and intended to result in hardware damage (e.g., a 
structural test-to-failure). Other tests are aggressive in nature, and 
test-incurred damage often occurs; the knowledge gained is used to 
improve designs. These statements hold true for the commercial space 
transportation industry as well. The FAA's proposed test-induced 
damages takes a NASA-proven process and tailors it to satisfy the FAA's 
public safety mission.

L. Pre- and Post-Flight Reporting

1. Preflight Reporting
    Under proposed Sec.  450.213, the FAA would continue to require a 
licensee to provide the FAA with specified information prior to each 
launch or reentry, consistent with current requirements. An operator 
would send the information as an email attachment to 
[email protected], or by some other method as agreed to by the 
Administrator in the license. The FAA would require five categories of 
information: mission-specific, flight safety analysis products, flight 
safety system test data, data required by the FAA to conduct a 
collision avoidance analysis, and a launch or reentry schedule.
    The first category would be mission-specific information in 
proposed Sec.  450.213(b). As currently required in Sec. Sec.  
417.17(b)(2) and 431.79(a), an operator would be required to provide 
this information to the FAA not less than 60 days before each mission 
conducted under the license. The FAA may also agree to a different time 
frame in accordance with Sec.  404.15. An operator would not have to 
provide any information under this section if the mission-specific 
information was already provided in the application. This would be the 
case if an operator's license authorizes specific missions, as opposed 
to unlimited launches or reentries within certain parameters.
    Specifically, an operator would continue to have to provide payload 
information in accordance with proposed Sec.  450.43(i), and flight 
information, including the vehicle, launch site, planned flight path, 
staging and impact locations, each payload delivery point, intended 
reentry or landing sites including any contingency abort locations, and 
the location of any disposed launch or reentry vehicle stage or 
component that is deorbited. This section would combine the reporting 
requirements of Sec. Sec.  417.17(b)(2) and 431.79(a), although 
reporting the location of any disposed launch or reentry vehicle stage 
or component that is deorbited would be a new requirement. The FAA 
would add this information requirement because disposals are much more 
common now than when parts 417 and 435 were issued, and notifications 
to airmen and mariners would be necessary to protect the public from 
vehicle stages or components reentering as part of a disposal. In 
practice, licensees have arranged for the issuance of NOTAMs and NTMs 
for vehicle stages purposefully deorbited.
    The second category is flight safety analysis products in proposed 
Sec.  450.213(c). An operator would need to submit to the FAA updated 
flight safety analysis products, using previously-approved 
methodologies, for each mission no less than 30 days before flight. The 
FAA may also agree to a different time frame in accordance with 
proposed Sec.  404.15. The flight safety analysis products are similar 
to what is currently required under Sec.  417.17(c)(3). Part 431 does 
not require similar flight safety analysis products to be submitted, 
although current practice is to require similar information in license 
orders.
    An operator would not be required to submit flight safety analysis 
products if the analysis submitted in the license application already 
satisfies all the requirements of the section. This would be the case 
if a licensee's license authorizes specific missions, as opposed to 
unlimited launches within certain parameters. An operator would also 
not be required to submit flight safety analysis products if the 
operator demonstrated during the application process that the analysis 
does not need to be updated to account for mission-specific factors. 
This would be the case if an operator operates within certain 
operational constraints proven to satisfy public safety criteria.
    Otherwise, an operator would be required to submit flight safety 
analysis products while accounting for vehicle and mission specific 
input data and potential variations in input data that may affect any 
analysis product within the final 30 days before flight. An operator 
would also be required to submit the analysis products using the same 
format and organization used in its license application. Lastly, an 
operator would not be able to change an analysis product within the 
final 30 days before flight, unless the operator has a process, 
approved in the license, for making a change in that period as part of 
the operator's flight safety analysis process.
    The third category is flight safety system test data in proposed 
Sec.  450.213(d). If an operator would be required to use an FSS to 
protect public safety as required by proposed Sec.  450.101(c), it 
would need to submit to the FAA, or provide access to, any test reports 
in accordance with approved flight safety system test plans no less 
than 30 days before flight. The FAA may also agree to a different time 
frame in accordance with proposed Sec.  404.15. This reporting 
requirement is discussed earlier in the section for flight safety 
systems.
    The fourth category would be data required by the FAA to conduct a 
collision avoidance analysis in proposed Sec.  450.213(e). Not less 
than 15 days before the flight of a launch vehicle or the reentry of a 
reentry vehicle, an operator would need to submit the collision 
avoidance information in proposed Appendix A to part 450 to a Federal 
entity identified by the FAA, and the FAA. This reporting requirement 
is discussed in the ``Launch and Reentry Collision Avoidance 
Requirements'' section.
    The fifth category, as proposed in Sec.  450.213(f), a launch or 
reentry schedule that identifies each review, rehearsal, and safety-
critical operation. The schedule would be required to be filed and 
updated in time to allow FAA personnel to participate in the reviews, 
rehearsals, and safety-critical operations. This is similar to current 
Sec.  417.17(b).
    2. Post-Flight Reporting
    Under proposed Sec.  450.215, the FAA would require an operator to 
provide specified information no later than 90 days after a launch or 
reentry. The FAA may also agree to a different time frame in accordance 
with proposed Sec.  404.15. An operator would send the information as 
an email attachment to [email protected], or other method as agreed 
to by the Administrator in the license.
    Specifically, as discussed earlier, an operator would need to 
provide any anomaly that occurred during countdown or flight that is 
material to public health and safety and the safety of property,\151\ 
and any corrective action

[[Page 15358]]

implemented or to be implemented after the flight due to an anomaly or 
mishap. Section 417.25(b) and (c) requires similar information. Part 
431 does not require post-flight information, although current practice 
is to require similar information in license orders.
---------------------------------------------------------------------------

    \151\ What is material to public health and safety and the 
safety of property is discussed later in this preamble in reference 
to proposed Sec.  450.211(a)(2).
---------------------------------------------------------------------------

    In addition, an operator would need to provide the actual 
trajectory flown by the vehicle, and, for an unguided suborbital launch 
vehicle, the actual impact location of all impacting stages and 
impacting components. The actual trajectory flown by the vehicle would 
be a new requirement, while the actual impact locations for an unguided 
suborbital launch vehicle is similar to the requirements in current 
Sec.  417.25(b) and (c). The FAA would use the actual trajectory flown 
by the vehicle to compare it to predicted trajectories. Because the FAA 
may not need this information for all launches, this information would 
only need to be reported if requested by the FAA.
    Lastly, an operator would need to report the number of humans on 
board the vehicle. This would be required because the FAA keeps a human 
space flight database for use by launch and reentry operators for the 
purposes of informed consent. Under Sec.  460.45(c), and pursuant to 
statute, an operator must inform each space flight participant of the 
safety record of all launch or reentry vehicles that have carried one 
or more persons on board, including both U.S. government and private 
sector vehicles, to include the total number of people who have died or 
been seriously injured on these flights, the total number of launches 
and reentries conducted with people on board, and the number of 
catastrophic failures. To facilitate all operators accurately informing 
space flight participants, the FAA maintains the human space flight 
database and populates it using voluntarily provided information from 
industry. As more launches and reentries are expected with humans on 
board, the FAA will require this information to keep the human 
spaceflight database up to date, and expects that this would not 
significantly increase the burden to operators.

Ground Safety

A. Definition and Scope of Launch

    As discussed in more detail in this section, the FAA proposes to 
amend the definitions of ``launch'' and ``reentry'' in part 401 to 
mirror the statutory definitions. The FAA would move the beginning and 
end of launch to proposed Sec.  450.3, which defines the scope of a 
vehicle operator's license. Proposed Sec.  450.3(b) would establish 
that launch begins under a license with the start of hazardous 
activities that pose a threat to the public, and it would amend the end 
of launch language to remove any reference to ELVs and RLVs. Finally, 
the FAA proposes to clarify that, absent the launch vehicle, the 
arrival of a payload at the launch site would not trigger the beginning 
of launch. Also, at a non-U.S. launch site, launch would begin at 
ignition or take-off for a hybrid vehicle.
    Title 51 U.S.C. 50902 defines launch as to place or try to place a 
launch vehicle or reentry vehicle and any payload or human being from 
Earth in a suborbital trajectory; in Earth orbit in outer space; or 
otherwise in outer space, including activities involved in the 
preparation of a launch vehicle or payload for launch, when those 
activities take place at a launch site in the United States. The FAA 
added the current regulatory definition of launch in the 1999 final 
rule.\152\ The language in the regulatory definition differs slightly 
from the current statutory language regarding activities in preparation 
of the vehicle, and the regulatory definition does not include the 
reference to human beings because that reference was added to the 
statute after 1999.\153\ The regulatory definition also includes 
language that is not set forth in the statute pertaining to pre- and 
post-flight ground operations including language identifying the 
beginning of launch and end of launch.
---------------------------------------------------------------------------

    \152\ 64 FR 19586 (April 21, 1999).
    \153\ As currently defined in 14 CFR 401.5, launch means to 
place or try to place a launch vehicle or reentry vehicle and any 
payload from Earth in a suborbital trajectory, in Earth orbit in 
outer space, or otherwise in outer space, and includes preparing a 
launch vehicle for flight at a launch site in the United States. The 
current definition also defines beginning and end of launch, which, 
as discussed later in the preamble, the FAA proposes to amend and 
move to proposed part 450 (Scope of a vehicle operator license).
---------------------------------------------------------------------------

    The FAA and industry have identified a number of issues associated 
with the current definition of launch in Sec.  401.5. The current 
definition of launch is inflexible and has resulted in confusion 
regarding launch from non-U.S. sites and whether the arrival of a 
payload constitutes the beginning of launch.
    The preamble discussion in the 1999 final rule stated that the 
intent of the FAA's definition of ``launch'' is to require a license at 
the start of those hazardous preflight activities that put public 
safety at risk. The final rule stated that, in accordance with this 
responsibility, the FAA will exercise regulatory oversight only if an 
activity is so hazardous as to pose a threat to third parties. 
Specifically, the FAA determined that launch begins when hazardous 
activities related to the assembly and ultimate flight of the launch 
vehicle commence.\154\ The preamble further elaborated that the moment 
at which hazardous activities begin is when the major components of a 
licensee's launch vehicle enter, for purposes of preparing for flight, 
the gate of a U.S. launch site, regardless of whether the site is 
situated on a Federal launch range and regardless of whether flight 
occurs from that site.\155\ At the time, the FAA determined that the 
arrival of the launch vehicle at a U.S. launch site would trigger the 
beginning of launch for the following reasons: ease of administration, 
consistent and broad interpretation, and change in the level of 
risk.\156\ Additionally, the rule stated that shortly after vehicle 
components arrive, hazardous activities related to the assembly and 
ultimate flight of the launch vehicle begin and therefore the arrival 
of the vehicle or its parts is a logical point at which the FAA should 
ensure that a launch operator is exercising safe practices and is 
financially responsible for any damage it may cause.\157\ In accordance 
with the definition of launch, the FAA has required a launch license to 
be in place before the arrival of major components of a launch vehicle 
at a U.S. launch site that are intended for use on a specific FAA-
licensed launch.
---------------------------------------------------------------------------

    \154\ 64 FR 19586 (April 21, 1999), at 19591.
    \155\ 64 FR 19586 (April 21, 1999).
    \156\ 64 FR 19586 (April 21, 1999), at 19589.
    \157\ 64 FR 19586 (April 21, 1999), at 19591.
---------------------------------------------------------------------------

    The lack of flexibility in the definition of beginning of launch 
has led to multiple requests from the industry to waive the requirement 
for a license to bring vehicle hardware on site and begin preflight 
activity.\158\ The FAA has issued numerous waivers because it 
determined that the proposed preflight activities associated with the 
arrival of launch vehicles or their major components were not so 
hazardous to the public as to require FAA oversight. In granting a 
waiver, the FAA determines that the waiver is in the public interest 
and will not jeopardize public health and safety, the safety of 
property, or any national security or foreign policy interest of the 
United States. In addition, by requesting a waiver to conduct preflight 
activities, the operator agrees that it must forgo the opportunity to 
seek indemnification for

[[Page 15359]]

any loss incurred under the waiver during the waived preflight 
activities.
---------------------------------------------------------------------------

    \158\ As stated previously, the FAA is only able to waive 
regulatory requirements, not definitions, and therefore has issued 
waivers to the requirement to obtain a license, rather than to the 
definition of launch.
---------------------------------------------------------------------------

    Further, the current definition does not account for the 
significant technological advances the industry has experienced since 
adoption of the 1999 rule. For example, in the current commercial space 
transportation environment, launch operations often include vehicles or 
vehicle stages that fly back to a U.S. launch site and remain at the 
launch site. In cases where no license was in place to cover the 
presence of flight hardware for possible reuse, consistent with 1999 
rule preamble language, the FAA has deemed this to be storage and does 
not require a license or waiver.\159\ As currently written, however, 
the definition could imply that a license is required for RLV launches 
during the period between end-of-launch and launch vehicle reuse, even 
when the vehicle is in a safe and dormant state, and would not be a 
threat to public safety.
---------------------------------------------------------------------------

    \159\ 64 FR 19586 (April 21, 1999), at 19593. ``On the other 
hand, the FAA does not intend a launch license to encompass 
components stored at a launch site for a considerable period of time 
prior to flight.''
---------------------------------------------------------------------------

    Because the current definition states that launch begins under a 
license with the arrival of a launch vehicle or payload at a U.S. 
launch site, the term ``or payload'' has been interpreted to mean 
arrival of a payload by itself could constitute beginning of launch. 
However, the 1999 preamble explicitly states that the FAA does not 
define launch to commence with the arrival of a payload absent the 
launch vehicle at a launch site.\160\ Also, it states that the FAA does 
not consider payload processing absent launch vehicle integration to 
constitute part of licensed activities.\161\ In addition, the 1999 rule 
preamble refers to launch beginning when the ``major components'' of a 
launch vehicle arrive at the launch site. However, the regulatory 
language remains unclear.
---------------------------------------------------------------------------

    \160\ 64 FR 19586 (April 21, 1999), at 19589.
    \161\ 64 FR 19586 (April 21, 1999), at 19593.
---------------------------------------------------------------------------

    Another point of current uncertainty is when launch begins from a 
non-U.S. site. Title 51 U.S.C. chapter 509 gives the FAA authority to 
issue a launch license to a U.S. citizen conducting a launch anywhere 
in the world. However, the current definition of launch is silent as to 
when launch begins from a non-U.S. site. This has resulted in operators 
lacking clarity as to when launch begins. In recent years, the FAA has 
licensed launches from international waters, Australia, the Marshall 
Islands, New Zealand, and Spain. In licensing these launches, the FAA 
has consistently interpreted that launch from outside of U.S. territory 
to begin at ignition or at the first movement that initiates flight, 
whichever occurs earlier.
    The ARC commented about the definition of launch for licensed 
launches from a U.S. launch site. The ARC report stated that launch 
should be defined on a case-by-case basis for all operators. The ARC 
recommended licensed activities on U.S. launch sites for all vehicles 
include preflight ground operations, flight operations, and launch 
operations phases as tailored by each launch operator. The ARC further 
recommends the initiation and scope of launch activities, including 
preflight ground operations and flight operation phases, be defined by 
the impact of each activity on public safety and property. These 
activities may include both hazardous and safety-critical operations, 
the latter encompassing non-hazardous activities that may impact public 
risk during other pre-launch and flight activities. A list of 
performance-based criteria for licensed activities would be tailored 
for each operator and the FAA based on their specific concept of 
operations. This scope should only include hazardous operations unique 
to activities as defined in the operator's license application 
documents and not activities already regulated by another government 
agency.
    In light of the multiple waiver requests and ARC recommendations, 
the FAA proposes to amend the regulatory definitions of launch and 
reentry (discussed later in this section) to match the statutory 
definitions. The FAA would also move the details in the definitions for 
beginning and end of launch (discussed later in this section) and 
reentry to the scope of a vehicle operator license requirements in 
proposed Sec.  450.3. In addition, the FAA would revise ``beginning of 
launch'' to be more performance-based and ``end of launch'' to remove 
references to ELVs and RLVs. Finally, the FAA proposes to clarify that 
launch from a non-U.S. site would begin at ignition, and that the 
arrival of a payload to a launch site does not constitute beginning of 
launch. The FAA believes the proposed revisions capture the primary 
intent of the ARC's recommendation, which is to limit FAA oversight to 
those launch operations that pose a hazard to public safety and the 
safety of property.
    The FAA would revise the definitions of launch and reentry in Sec.  
401.5 to mirror the statutory definitions. Specifically, the FAA would 
remove the beginning and end of launch language from the definition of 
``launch,'' and add the term ``human being'' to align with the 2015 
update to the Act. Similarly, the FAA would revise the definition of 
``reenter/reentry'' in part 401 to mirror the statutory definition, and 
would add the term ``human being'' to align with the 2015 update to the 
Act.
    The FAA would move the beginning and end of launch and reentry 
language to proposed Sec.  450.3. The FAA proposes this change because 
such detail in a definition makes the definition unwieldy and, unlike 
regulatory requirements, definitions cannot be waived.
    The FAA would amend beginning of launch such that launch begins 
with the first hazardous activities related to the assembly and 
ultimate flight of the launch vehicle at a U.S. launch site. Unless a 
later point is agreed to by the Administrator, hazardous preflight 
ground operations would be presumed to begin when the launch vehicle or 
its major components arrive at the launch site. For operations where an 
applicant identifies a later time when hazardous operations begin, the 
applicant may propose the event that it believes should constitute the 
beginning of launch during the pre-application process.\162\ As a 
result, there would be no need to request a waiver.
---------------------------------------------------------------------------

    \162\ The FAA's proposal regarding how an operator would 
determine what event constitutes the beginning of launch, and how to 
obtain the Administrator's approval, is located in the Ground Safety 
section under the Identifying First Hazardous Activity sub-heading 
of this preamble.
---------------------------------------------------------------------------

    This proposed change would also clarify that for launch vehicle 
stages or when launch begins for an RLV that returns to a launch site 
and remains there in a dormant state, FAA oversight is not necessary 
since no hazardous activity that falls under the FAA's oversight 
responsibilities are being performed.
    This proposal would clarify that, absent vehicle hardware, the 
arrival of payload does not constitute beginning of launch. Instead, 
launch would begin with the arrival of a launch vehicle or its major 
components at a U.S. launch site, or at a later point as agreed to by 
the Administrator.
    This proposal would also specify that launch from a non-U.S. site 
begins at ignition, or at the first movement that initiates flight, of 
the launch vehicle, whichever comes first. For hybrid vehicles, flight 
commences at take-off. The current ``beginning of launch,'' as defined 
in the definition of ``launch'' refers only to launches from a U.S. 
launch site, and is silent with regard to launches from sites outside 
the United States. Although the FAA issues launch licenses for launches 
from non-U.S. launch sites if the operator is a citizen

[[Page 15360]]

of the U.S., the FAA considers it outside its authority to license 
preflight activities that take place at a non-U.S. launch site in light 
of the statutory definition of launch that explicitly refers to 
``activities involved in the preparation of a launch vehicle . . . when 
those activities take place at a launch site in the United States.'' 
The FAA also believes that this interpretation is necessary because of 
issues of sovereignty and liability under international law. For these 
non-U.S. launch sites, the FAA has historically licensed launches 
beginning at ignition, or if there is no ignition, then at the first 
movement that initiates flight. In order to provide clarity for launch 
operators launching from non-U.S. sites, the FAA is proposing to codify 
this approach in part 450.
    In addition to addressing issues in the current definition of 
``launch'' regarding when launch begins, the FAA proposes to clarify 
when launch ends. First, the FAA would move the provisions in the 
current definition of launch regarding end of launch to proposed Sec.  
450.3. Second, the FAA would remove the distinction between ELVs and 
RLVs, which is consistent with one of the overall goals of this 
proposed rule. Overall, the substance of the current provisions related 
to end of launch currently located in Sec.  401.5 would not change. 
Specifically, launch ends:
    1. For an orbital launch of an ELV, after the licensee's last 
exercise of control over its vehicle whether on orbit or a vehicle 
stage impacting on Earth;
    2. For an orbital launch of an RLV, after deployment of all 
payloads or if there is no payload, after the launch vehicle's first 
steady state orbit; and
    3. For a suborbital launch of either an ELV or RLV that includes 
reentry, launch ends after reaching apogee; or for a suborbital launch 
that does not include a reentry, launch ends after the vehicle or 
vehicle component lands or impacts on Earth.
    In all these cases, activities on the ground to return either the 
launch site or the vehicle or vehicle component to a safe condition are 
part of launch and could possibly extend the end of launch. In the 
rare, yet to be seen, situation of a suborbital launch that does not 
require an FAA launch license but does require a reentry license, 
launch ends after the vehicle reaches apogee. In addition, the FAA 
would move the provisions related to reentry readiness and returning 
the vehicle to a safe state on the ground to proposed Sec.  450.3. 
Including these reentry provisions in the scope of a vehicle operator 
license would clarify an operator's responsibilities regarding post-
flight ground operations related to returning the vehicle to a safe 
state on the ground.
    Finally, the FAA proposes to modify the definition for reentry. 
Title 51 U.S.C. 50902 defines reentry as: to return or attempt to 
return, purposefully, a reentry vehicle and its payload or human 
beings, if any, from Earth orbit or from outer space to Earth. In 2000, 
the FAA codified the current regulatory definition of reentry in the 
final rule, Commercial Space Transportation Reusable Launch Vehicle and 
Reentry Licensing Regulations. Section 401.5 defines ``reenter; 
reentry'' as: To return or attempt to return, purposefully, a reentry 
vehicle and its payload, if any, from Earth orbit or from outer space 
to Earth. The term ``reenter; reentry'' includes activities conducted 
in Earth orbit or outer space to determine reentry readiness, and that 
are critical to ensuring public health and safety and the safety of 
property during reentry flight. The term ``reenter; reentry'' also 
includes activities conducted on the ground after vehicle landing on 
Earth to ensure the reentry vehicle does not pose a threat to public 
health and safety or the safety of property. As noted earlier, the FAA 
proposes to revise the definition to mirror the statute and move the 
provisions related to reentry readiness and returning the vehicle to a 
safe state on the ground to proposed Sec.  450.3.

B. Ground Safety Requirements

    This proposal would revise current ground safety requirements to 
make them more flexible, scalable, and adaptable to varying types of 
launch and reentry operations. The proposal seeks to ensure that the 
FAA's oversight of ground operations at U.S. launch sites would only 
cover activities that are hazardous to the public and critical assets. 
Specifically, as proposed in Sec.  450.179, an operator would be 
required to protect the public from adverse effects of hazardous 
operations and systems associated with preparing a launch vehicle for 
flight, returning a launch or reentry vehicle to a safe condition after 
landing, or after an aborted launch attempt, and returning a site to a 
safe condition. An operator would be required to conduct a ground 
hazard analysis (proposed Sec.  450.185) and comply with certain 
prescribed hazard controls during those preflight activities that 
constitute launch. In addition, an operator would be required to comply 
with other ground safety and related application requirements in 
proposed part 450.
    The FAA proposed the part 417 ground safety regulations in the 2000 
NPRM \163\ and codified it in the 2006 final rule. The 2006 final rule 
adopted ground safety standards governing the preparation of a launch 
vehicle for flight. The final rule specified that in order for a launch 
operator to meet part 417 ground safety requirements, an operator must 
conduct a ground hazard analysis to meet the requirements of subpart E, 
part 417, as well as a toxic release hazard analysis to meet the 
requirements of Sec.  417.227. For launches conducted from a Federal 
launch range, a launch operator could rely on an LSSA as an alternative 
means of demonstrating compliance with the FAA's part 417 ground safety 
rules. Because most licensed ground operations were covered by the LSSA 
approach, the FAA did not begin to exercise the ground safety 
requirements in part 417 until 2016.
---------------------------------------------------------------------------

    \163\ Licensing and Safety requirements for Launch, NPRM. 65 FR 
63922 (October 25, 2000).
---------------------------------------------------------------------------

    Beginning in 2016, the FAA received several applications for launch 
licenses from non-Federal launch sites.\164\ Applicants were required 
to demonstrate compliance with the ground safety regulations in part 
417. During the FAA's evaluation, the agency found that many of its 
ground safety requirements were overly burdensome, highly prescriptive, 
and did not include criteria for determining public safety. 
Furthermore, the FAA discovered the requirements were out-of-date with 
commercial space transportation practices and operations, and in some 
cases duplicated other state and Federal regulations.
---------------------------------------------------------------------------

    \164\ The FAA's first license application involving a launch 
from a non-Federal launch range was from SpaceX for operations at 
pad 39A in Cape Canaveral, Florida. The FAA completed its evaluation 
and issued SpaceX the license on February 2017. Astra Space 
originally applied for a launch license from a non-Federal launch 
range in June 2017, and the FAA issued its license March 2018.
---------------------------------------------------------------------------

    Part 431 does not include explicit ground safety requirements. 
However, the scope of a launch license under part 431 includes 
preparing a launch vehicle for flight at a launch site in the United 
States. In conducting its safety review under Sec.  431.31, the FAA 
must determine whether an applicant is capable of launching an RLV and 
payload, if any, from a designated launch site without jeopardizing 
public health and safety and the safety of property. The FAA evaluates 
on an individual basis all public safety aspects of a proposed RLV 
mission to ensure they are sufficient to support safe conduct of the 
mission, including ground safety. In licenses issued under part 431, 
the FAA has required operators to address reasonably

[[Page 15361]]

foreseeable hazards to ensure the safety of pre- and post-flight ground 
operations. The lack of clarity in part 431 is problematic, and would 
be fixed by the ground safety requirements in this proposal.
    The ARC recommended that the FAA create ground safety regulations 
that are flexible and streamlined, continue to protect the public, and 
are not duplicative of other state or Federal authorities. The ARC 
provided four primary recommendations for ground safety. First, the ARC 
recommended the FAA allow operators to determine what activities and 
operations would be covered under FAA regulations by performing an 
analysis to define hazards. Second, the ARC recommended the FAA scale 
the scope of what is considered licensed activities based on each 
operator's unique operations. Third, the ARC recommended the FAA focus 
its regulatory authority solely on those things that affect public 
safety. Finally, the ARC recommended the FAA only regulate those things 
that are not already overseen by other governmental authorities.
    The FAA agrees with the ARC's recommendations that ground safety 
regulations should be flexible, performance-based, and utilize a ground 
hazard analysis that determines the best methods for protecting the 
public. The proposed ground safety regulations would rely on a system 
safety approach to allow flexibility by stripping away specific design 
requirements, establishing more performance-based requirements, and 
giving the operator flexibility in satisfying these requirements. 
Specifically, an operator would conduct a ground hazard analysis 
(proposed Sec.  450.185), and comply with prescribed hazard controls. 
In addition to any mitigations identified in the ground hazard 
analysis, the proposed regulations would require several prescribed 
hazard controls, including an accounting of how the operator would 
protect members of the public who enter areas under their control, 
provisions on how the operator would mitigate hazards created by a 
countdown abort, an explanation of the operator's plans for controlling 
fires, and generic emergency procedures an operator would implement. As 
will be discussed later, operators using toxic materials would have to 
perform a toxic release hazard analysis (proposed Sec.  450.187), show 
how it would contain the effects of a toxic release, or how the public 
would be protected from those risks from toxic releases. Operators 
would also be required to develop an explosive siting plan (proposed 
Sec.  450.183) and to coordinate with licensed launch and reentry site 
operators (proposed Sec.  450.181).
1. Ground Safety: Identifying First Hazardous Activity
    In proposed Sec.  450.3, an operator would have the flexibility to 
determine for its particular operation when the first preflight 
activity that poses a hazard to the public begins in coordination with 
the FAA. An operator could identify the arrival of the vehicle or its 
major components at the launch site as the beginning of hazardous 
operations, which is consistent with current practice. This option 
would provide a clear demarcation of when launch begins that is easily 
understood by both an operator and the FAA. The license would cover all 
ground operations that may present a hazard to the public from the time 
flight hardware first arrives at the launch or reentry site to the end 
of launch or reentry.
    Alternatively, an operator could identify some other action, after 
the arrival of the vehicle or its major components at the launch site, 
as the beginning of hazardous activities. As discussed earlier in the 
scope of a vehicle operator license discussion, this option would be 
available for those operations where the arrival of the launch vehicle 
does not constitute the beginning of hazardous activities. It would 
also provide flexibility to operators because the start of hazardous 
launch operations is unique to each operator's circumstances. These 
hazardous launch operations would include the pressurizing or loading 
of propellants into the vehicle or launch system,\165\ operations 
involving a fueled launch vehicle,\166\ or the transfer of energy 
necessary to initiate flight.\167\
---------------------------------------------------------------------------

    \165\ This would include the loading of propellants or 
pressurants, where there are potential hazards such as overpressure, 
explosion, debris, deflagration, fire, and toxic material release. 
The operations that are typically performed include wet dress 
rehearsals, cold flow, returning the vehicle to a safe state 
following a scrub, and tests that might be performed while the 
vehicle is being fueled.
    \166\ This would include static fire or tests with a fully-
fueled integrated vehicle.
    \167\ This would include activities that involve placing the 
launch vehicle into a state that would enable it to achieve 
suborbital or orbital flight. Even if traditional propellants are 
not used, the energy needed to escape Earth's gravity is significant 
and the initiation of the action to launch a vehicle could 
potentially have significant impact to public safety.
---------------------------------------------------------------------------

    While this option offers greater flexibility, it would require that 
an applicant talk with the FAA during pre-application consultation to 
identify which activity would be the beginning of hazardous launch 
operations. This is necessary for the FAA to scope its requirements 
accordingly, and so that the applicant knows what to include in its 
application. Early interactions with the FAA would allow a potential 
applicant to work with the FAA to determine which preflight operations 
constitute launch and therefore must occur under a license. An 
applicant that elects to identify an activity after the arrival of a 
launch vehicle or associated major components at a launch site as the 
beginning of launch should be prepared to discuss its operations with 
the FAA so that the FAA can determine that operations occurring prior 
to that point would not pose a threat to public safety. Note that under 
this proposal, indemnification and reciprocal waiver of claims coverage 
would start when launch begins as it does under current regulations. In 
other words, financial responsibility requirements would apply from the 
first hazardous operation until launch ends.
2. Ground Safety: Ground Hazard Analysis
    Proposed Sec.  450.185 (Ground Hazard Analysis) would require an 
operator to complete a ground hazard analysis which would include a 
thorough assessment of the launch vehicle, the launch vehicle 
integrated systems, ground support equipment, and other launch site 
hardware. The analysis would include an identification of hazards, a 
risk assessment, an identification and description of mitigations and 
controls, and provisions for hazard control verification and 
validation. Although the analysis might incorporate employee safety and 
mission assurance, this proposal would only require an applicant to 
identify the hazards that affect the public, and how an operator would 
mitigate those hazards.
    Proposed Sec.  450.185(a) would require an operator to identify 
hazards. A hazard is a real or potential condition that could lead to 
an unplanned event or series of events resulting in death, serious 
injury, or damage to or loss of equipment or property. The FAA proposes 
separating ground hazards into two primary categories: System and 
operational hazards. System hazards would include, but would not be 
limited to, vehicle over-pressurization, sudden energy release 
including ordnance actuation, ionizing and non-ionizing radiation, fire 
or deflagration, radioactive materials, toxic release, cryogens, 
electrical discharge, and structural failure. Operational hazards would 
be hazards introduced to the launch site through procedures and 
processes that occur during vehicle processing. Operational hazards 
would include propellant handling and

[[Page 15362]]

loading, transporting vehicles or components, vehicle system 
activation, and related tests.
    Once an operator has identified hazards, proposed Sec.  450.185(b) 
would require an operator to conduct a risk assessment. In other words, 
an operator would have to evaluate each hazard to determine the 
likelihood and the severity of that hazard. This assessment should 
identify the likelihood of each hazard causing a casualty. This 
assessment should also account for the likelihood of each hazard 
causing major damage to public property or critical assets. Public 
property, in this case, means any property not associated with the 
operation. Critical assets means an asset that is essential to the 
national interests of the United States, and includes property, 
facilities, or infrastructure necessary to maintain national defense, 
or assured access to space for national priority missions.
    Proposed Sec.  450.185(c) would require an operator to identify 
mitigations or controls used to eliminate or mitigate the severity or 
likelihood of identified hazards. An operator would be required to 
demonstrate, as part of its ground hazard analysis, that the 
mitigations or controls reduce the likelihood of each hazard that may 
cause (1) death or serious injury to the public to an extremely remote 
likelihood, and (2) major damage to public property or critical assets 
to a remote likelihood. These qualitative thresholds are the same as 
those in Sec.  437.55(a)(3) and proposed Sec.  450.109(a)(3). A hazard 
control is a preventative or mitigation measure that reduces the 
likelihood of the hazard or ameliorates its severity.
    Proposed Sec.  450.185(d) would require an operator to identify and 
describe the risk elimination and mitigation measures required to 
satisfy the risk criteria in proposed Sec.  450.185(c). Under current 
industry standards, these measures include one or more of the 
following: Design for minimum risk, incorporate safety devices, provide 
warning devices, or implement procedures and training, as previously 
discussed in reference to the analogous flight hazard analysis 
requirement in Sec.  450.109(a)(4).\168\
---------------------------------------------------------------------------

    \168\ MIL-STD-882E, section 4.3.4.
---------------------------------------------------------------------------

    Finally, proposed Sec.  450.185(e) would require an operator to 
demonstrate through verification and validation that the risk 
elimination measures meet the remote and extremely remote standards 
discussed earlier. Verification is an evaluation to determine that 
safety measures derived from the ground hazard analysis are effective 
and have been properly implemented. Verification provides measurable 
evidence that a safety measure reduces risk to acceptable levels. 
Validation is an evaluation to determine that each safety measure 
derived from the ground hazard analysis is correct, complete, 
consistent, unambiguous, verifiable, and technically feasible. 
Validation ensures that the right safety measure is implemented, and 
that the safety measure is well understood.
    While this proposal would require an operator to complete a full 
ground hazard analysis as described previously, an operator would not 
need to submit this analysis in its entirety as part of its vehicle 
operator license application. Rather in proposed Sec.  450.185(f), the 
FAA would require an applicant to provide a description of the ground 
safety hazard analysis methodology, a list of the systems and 
operations involving the vehicle or payload that may cause a hazard to 
the public, and the results of the ground hazard analysis that affect 
the public. Although the results of the ground hazard analysis would be 
unique to each applicant's operations, the ground hazard analysis 
application deliverables should have common elements. Specifically, the 
ground hazard analysis should contain the hazards that have a high 
likelihood or high severity of affecting the public. The analysis 
should include controls for the hazards that mitigate the risk to the 
public and all of the other requirements shown in Sec.  450.185. Common 
hazards that affect public safety, which the FAA would expect to be 
addressed in a ground hazard analysis, include propellant loading, 
ordinance installation or actuation, proximity to pressurized systems 
during operations, certain lifting operations (such as solid rocket 
motors and payload integration), operations which could result in toxic 
release, and RF testing. Fundamentally, if the operator identifies a 
hazard that affects the public, it must be properly documented and 
mitigated to reduce the risk to the public. It should be noted that any 
part of the ground hazard analysis could be reviewed during inspection.
3. Ground Safety: Ground Safety Prescribed Hazard Controls
    In addition to those mitigations an operator would implement as a 
result of its ground hazard analysis, proposed Sec.  450.189 (Ground 
Safety Prescribed Hazard Controls) would require an operator to 
implement certain prescribed hazard controls during the ground 
operations period of launch or reentry. These prescribed hazard 
controls would require that an operator document how it would protect 
members of the public who enter areas under the operator's control, 
mitigate hazards created by a countdown abort. They would also require 
the operator's plans for controlling fires and emergency procedures.
    Specifically, proposed Sec.  450.189(b) would require an operator 
to document a process for protecting members of the public who enter 
any area under the operator's control. Although the public would be 
protected from many hazards because they are excluded from safety clear 
zones and prevented from entering the site during certain hazardous 
operations, an operator should account for the protection of the public 
when they are allowed to be on the site. The proposed rule would 
require an operator to develop procedures to identify and track members 
of the public while on site, and methods to protect the public from 
hazards in accordance with the ground hazard analysis and the toxic 
hazard analysis. For example, the operator could have plans in place to 
control who enters its site, whether or not members of the public on 
site will be escorted, how the public will be made aware of and 
protected from hazards, and if members of the public will be required 
to wear personal protective equipment.
    This rule would also require an operator to establish, maintain, 
and perform procedures for controlling certain hazards in the event of 
a countdown abort or recycle operation. Current Sec.  417.415(b) 
requires an operator to meet specific requirements for safing their 
vehicle, maintaining control of their FSS, and controlling access to 
the site until it is returned to a safe state. This rule would require 
a more performance-based approach to ensuring the safety of the vehicle 
and the site following a countdown abort or recycle operation in order 
to accommodate many different types of flight safety systems and 
operations.
    Proposed Sec.  450.189(c) would require that an operator, following 
a countdown abort or recycle operation, establish, maintain, and 
perform procedures for controlling hazards related to the vehicle and 
returning the vehicle, stages, or other flight hardware and site 
facilities to a safe condition. In all of these instances, this 
proposal would require an operator to have provisions in place to keep 
the public safe while returning the launch vehicle or launch site back 
to a safe condition. If a launch vehicle does not lift-off after a 
command to initiate flight, an operator would be required to ensure 
that the vehicle and any payload are in a safe configuration, prohibit 
the public from entering into any identified hazard areas until the 
site

[[Page 15363]]

is returned to a safe condition, and maintain and verify that any FSS 
remains operation until certain that the launch vehicle does not 
represent a risk of inadvertent flight. These more specific 
requirements would be levied on an operator in the event of a failure 
to lift-off after a command to initiate because a launch vehicle can be 
in a particularly hazardous state.
    This proposed requirement is similar to Sec.  417.415(b), which 
requires a launch operator to establish procedures for controlling 
hazards associated with a failed flight attempt where an engine start 
command was sent, but the launch vehicle did not lift-off. These 
procedures must include maintaining and verifying that each flight 
termination system remains operational, assuring that the vehicle is in 
a safe configuration, and prohibiting launch complex entry until the 
launch pad area safing procedures are complete.
    Proposed Sec.  450.189(d) would require an operator to have in 
place reasonable precautions for reporting and controlling any fire 
that occurs during launch and reentry activities in order to prevent 
the occurrence of secondary hazards such as a brush fire caused by a 
static fire test or some related ground launch activity. These 
secondary hazards, if not controlled, could reach pressure vessels or 
other related equipment causing more damage. An operator may choose to 
meet industry standards or fire codes as a means of satisfying this 
requirement.
    Proposed Sec.  450.189(e) would require an operator to establish 
general emergency procedures that address how emergencies would be 
handled at the site. An emergency has the potential to directly affect 
the public or create secondary hazards that may affect the public; 
therefore, implementation of these procedures are critical for safety 
of the public. An emergency would include any event that would require 
an evacuation, or a response from emergency officials such as the fire 
department or emergency medical technicians. Additionally, the 
establishment of general emergency procedures would allow the operator 
to have roles, responsibilities, and plans in place in advance of an 
emergency to reduce the effects of any emergency on the public. Section 
417.111(c)(15) currently requires an operator to have generic emergency 
procedures in place for any emergency that may create a hazard to the 
public, and this rule would replace those prescriptive requirements 
with performance-based requirements.
    Proposed Sec.  450.189(f) would require an applicant to submit its 
process for protecting members of the public who enter any area under 
the operator's control. This process would be submitted as part of an 
applicant's vehicle operator license application.
4. Ground Safety: Coordination With a Licensed Launch or Reentry Site 
Operator
    Under proposed Sec.  450.181(a), for a launch or reentry conducted 
from or to a Federal launch or reentry site or a site licensed under 
part 420 or 433, an operator must coordinate with the site operator 
because the two entities each have public safety responsibilities 
during ground operations. Specifically, an operator must coordinate 
with the site operator to ensure public access is controlled where and 
when necessary to protect public safety, to ensure launch or reentry 
operations are coordinated with other launch and reentry operators and 
other affected parties to prevent unsafe interference, to ensure that 
any ground hazard area does not unnecessarily interfere \169\ with 
continued operation of the launch or reentry site, and to ensure prompt 
and effective response in the event of a mishap that could impact 
public safety. This is similar to Sec.  417.9(b)(2), which requires a 
launch operator to coordinate with a launch site operator and provide 
any information on its activities and potential hazards necessary for 
the launch site operator to determine how to protect any other launch 
operator, person, or property at the launch site. Part 431 requires an 
agreement between a launch or reentry operator and any site operator in 
Sec.  431.75. In addition, in the mission readiness review requirements 
in Sec.  431.37(a), an operator must involve launch site and reentry 
site personnel and verify their readiness to provide safety-related 
launch property and launch services.
---------------------------------------------------------------------------

    \169\ The FAA has proposed minimum requirements for ground 
hazard areas based on safety thresholds, either toxic hazard areas 
or other hazard areas derived from the ground hazard analysis, but 
has always allowed operators to propose to clear areas larger than 
necessary to ensure greater safety. In consultation with NASA and 
the Department of Defense, the FAA discovered that FAA approved 
ground hazard areas were having adverse impacts on neighboring space 
operations in easily avoidable ways. As such, the FAA has proposed 
ground hazard areas be coordinated with the affected launch or 
reentry site operators prior to licensing.
---------------------------------------------------------------------------

    For a launch or reentry conducted from or to a site licensed under 
part 420 or 433, Sec.  450.181(b) would require an operator to also 
coordinate with the site operator to establish roles and 
responsibilities for reporting, responding to, and investigating any 
mishap during ground activities at the site. The same mishap plan 
requirements in proposed Sec.  450.173 would apply to a site operator 
leaving open the assignment of roles and responsibilities between a 
site and launch or reentry operator for reporting, responding to, and 
investigating mishaps during ground operations. Proposed Sec.  
450.181(b) is designed to ensure those roles and responsibilities are 
established.
    As part of its application, an applicant would be required to 
describe how it is coordinating with a Federal or licensed launch or 
reentry site operator in compliance with this section. As discussed 
earlier, in reference to proposed Sec.  450.147, a vehicle operator 
would be required to submit as part of its vehicle operator license 
application references to any agreements with other entities utilized 
to meet any requirements of this section. In this context, agreements 
may include security, access control services, any lease agreements for 
launch sites, services used for hazard controls or analysis, or any 
agreement with local emergency or government services.
5. Ground Safety: Explosive Site Plan
    Proposed Sec.  450.183 (Explosive Site Plan) would require an 
applicant to include an explosive site plan as part of its vehicle 
operator license application, if it proposes to conduct a launch or 
reentry from or to a site exclusive to its own use. The explosive site 
plan would have to demonstrate compliance with the explosive siting 
requirements of Sec. Sec.  420.63, 420.65, 420.66, 420.67, 420.69, and 
420.70. Currently for exclusive use sites, Sec.  417.9(c) requires a 
launch operator to satisfy the requirements of the public safety 
requirements of part 420. With proposed Sec.  450.183, the FAA is 
clarifying that the only requirements from part 420 that need be 
conducted by an exclusive use operator is the explosive safety 
requirements.
6. Ground Safety: Toxic Hazards During Ground Operations
    Proposed Sec.  450.187 contains requirements for toxic hazard 
mitigation for ground operations. This is discussed later in the 
``Additional Technical Justification and Rationale'' section, in the 
subsection on toxic hazards for flight, due to the commonality of toxic 
requirements for ground operations and flight.

Process Improvements

A. Safety Element Approval

    This proposal would modify part 414 to enable applicants to request 
a safety

[[Page 15364]]

element approval in conjunction with a license application as provided 
in proposed part 450. Proposed Sec.  450.39 (Use of Safety Element 
Approval) would allow an applicant to use any vehicle, safety system, 
process, service, or personnel for which the FAA has issued a safety 
element approval under part 414 without the FAA's reevaluation of that 
safety element during a license application evaluation to the extent 
its use is within its approved envelope. Finally, this proposal would 
change the part 414 term from ``safety approval'' to ``safety element 
approval'' to distinguish it from ``safety approval'' as used in parts 
415, 431, and 435, and proposed part 450, because these terms, as 
discussed later in this section, have entirely different meanings.
i. Part 414 and 415 Safety Approval Clarification
    As defined in current Sec.  414.3, a safety approval is an FAA 
document containing an FAA determination that one or more safety 
elements, when used or employed within a defined envelope, parameter, 
or situation, will not jeopardize public health and safety or safety of 
property. As listed in the Act, safety elements include: (1) Launch 
vehicle, reentry vehicle, safety system, process, service, or any 
identified component thereof; or (2) qualified and trained personnel, 
performing a process or function related to licensed launch activities 
or vehicles. In contrast, parts 415, 431, and 435 reference ``safety 
approval'' to mean an FAA determination that an applicant is capable of 
launching a launch vehicle and its payload without jeopardizing public 
health and safety, and safety of property. Other chapter III parts, 
including parts 431 and 435, reference ``safety approval'' as described 
in part 415.
    The use of identical terms in parts 414, 415, 431, and 435 to 
reference different meanings has caused confusion. Therefore, the FAA 
proposes to distinguish these terms by changing the part 414 term to 
``safety element approval.'' This proposed term more accurately 
reflects the substance of a part 414 safety approval of a particular 
element that may be used to support the application review for one or 
more launch or reentry licenses. Other than the addition of ``element'' 
to the current term, the part 414 definition and related references in 
parts 413 and 437 would remain the same. The FAA would make conforming 
changes throughout parts 413, 414, and 437, where a part 414 safety 
approval is referenced, to change those references to ``safety element 
approval.'' The term ``safety approval'' would maintain the same 
meaning as that in current 415, 431 and 435 where it appears in the 
proposed rule.
ii. Part 414 Safety Element Approval \170\ Application Submitted in 
Conjunction With a License Application
---------------------------------------------------------------------------

    \170\ For readability and ease of understanding, this section 
refers to a current part 414 safety approval as a safety element 
approval, regardless of whether the discussion is referencing the 
current regulations or the proposed regulations. For direct 
quotations, the FAA retains the previous term ``safety approval.''
---------------------------------------------------------------------------

    Part 414 enables a launch and reentry operator to use an approved 
safety element within a specified scope without a re-examination of the 
element's fitness and suitability for a particular launch or reentry 
proposal. A safety element approval may be issued independent of a 
license, and it does not confer any authority to conduct activities for 
which a license is required under chapter III. A safety element 
approval does not relieve its holder of the duty to comply with all 
applicable requirements of law or regulation that may apply to the 
holder's activities.
    The ARC recommended that an applicant for a launch or reentry 
license be able to identify one or more safety elements included in the 
applicant's license application and to request review of those safety 
elements for a safety element approval concurrent with the license 
application review.\171\
---------------------------------------------------------------------------

    \171\ ARC Report, p. 24-25.
---------------------------------------------------------------------------

    The FAA agrees with the ARC's recommendation. The FAA notes that 
its practice has always been to accept references to information 
provided in a previous license application so long as the applicant can 
demonstrate the relevance of that information to the current 
application. The FAA also relies on previous evaluations where it 
analyzed compliance with a particular requirement if the same operator 
submits a more recent application using the same analysis. The proposed 
changes would codify this approach for safety element approval 
applications in proposed Sec.  450.39 \172\ and the relevant sections 
in part 414.
---------------------------------------------------------------------------

    \172\ Proposed Sec.  450.39 is similar to Sec.  437.21(c) for 
experimental permits, which states that if an applicant proposes to 
use any reusable suborbital rocket, safety system, process, service, 
or personnel for which the FAA has issued a safety approval under 
part 414, the FAA will not reevaluate that safety element to the 
extent its use is within its approved envelope. Parts 415 and 431 do 
not have similar sections because they were developed before part 
414 was issued.
---------------------------------------------------------------------------

    This proposal would allow an applicant to request a safety element 
approval as part of its vehicle operator license application. 
Specifically, this rule would provide a process in proposed Sec.  
414.13 to apply for a safety element approval concurrently with a 
license application. These safety element approval applications 
submitted in conjunction with a license would largely use information 
contained in a license application to satisfy part 414 requirements. 
This would alleviate the need to provide separate applications for a 
vehicle operator license and a safety element approval. The FAA 
envisions safety element approvals in conjunction with a license 
application to cover the same safety elements as delineated in Sec.  
414.3.
    Using similar processes as for part 414, the FAA would determine 
whether a safety element is eligible for a safety element approval. The 
FAA would base its determination on criteria in proposed part 450. The 
applicant would be required to specify the sections of the license 
application that support its application for a safety element approval. 
The technical criteria for reviewing a safety approval submitted as 
part of a vehicle operator license application would be limited to the 
requirements of proposed part 450. This limitation would simplify the 
safety element approval process by eliminating the need to provide a 
Statement of Conformance letter, as required under current Sec.  
414.1(c)(3) for a safety element approval separate from a vehicle 
operator license application. To avoid this limitation to proposed part 
450 criteria, an applicant could apply for a safety element approval 
separate from a vehicle operator license. However, there is no 
difference between a safety element approval issued through a separate 
application or a vehicle operator license application.
    Finally, the FAA proposes to remove the requirement stating that, 
for each grant of a safety element approval, the FAA will publish in 
the Federal Register a notice of the criteria that were used to 
evaluate the safety element approval application, and a description of 
the criteria. The FAA provided the rationale for this notification in 
the preamble to a proposed rule.\173\ The FAA explained that the 
purpose of this notification requirement was to make clear the criteria 
and standards the FAA used to assess a safety element. However, the FAA 
has found that this requirement is unnecessary, and has potentially 
discouraged applications for safety element approvals due to concerns 
that proprietary data may be disclosed. Going forward, a safety element 
approval application submitted concurrently with a vehicle operator 
license application would be evaluated

[[Page 15365]]

based only on criteria in proposed part 450. For other safety element 
approvals, experience has shown that there is no need to publish the 
criteria because the FAA's determinations were not based on any 
uniquely-derived standard. In fact, all eight safety element approvals 
granted by the FAA have been evaluated against regulations in 14 CFR 
chapter III. Therefore, the FAA proposes to revise the requirement in 
current Sec.  414.35 (re-designated as Sec.  414.39) such that safety 
element approval evaluation criteria, whether related to an application 
submitted concurrently with a license application or separately, would 
not require publication.
---------------------------------------------------------------------------

    \173\ Safety Approvals, NPRM, 70 FR 32191, 32198 (June 1, 2005).
---------------------------------------------------------------------------

    Given the FAA's proposal to not require publication of evaluation 
criteria, the confidentiality provision under current Sec.  414.13(d) 
\174\ is no longer necessary. That provision notifies applicants that 
if proposed criteria is secret, proprietary, or confidential, it may 
not be used as a basis to issue a safety approval.
---------------------------------------------------------------------------

    \174\ Current Sec.  414.13 would be renumbered in this proposal 
as Sec.  414.17 to maintain sequential section numbering.
---------------------------------------------------------------------------

B. Incremental Review of a License Application

    In response to the ARC recommendations, the FAA proposes to amend 
part 413 and to include language in proposed part 450 to allow an 
applicant the option for an incremental review of the safety approval 
portion of its application.
    Under 51 U.S.C. 50905(a)(1), the FAA is required by statute to 
issue or deny a launch or reentry license not later than 180 days after 
accepting an application. Under the same statute, the FAA must inform 
the applicant of any pending issue and action required to resolve the 
issue not later than 120 days after accepting an application. To ensure 
that the FAA has sufficient time to complete a thorough review to 
evaluate whether the applicant complies with the FAA's commercial space 
transportation regulations in the prescribed time frame, Sec.  413.11 
states the FAA screens the application to determine if it contains 
sufficient information for it to begin its review. It also states that 
if the application is so incomplete or indefinite that the FAA cannot 
start to evaluate it, the FAA will notify the applicant accordingly. In 
accordance with internal policy, the FAA aims to make this complete 
enough determination within two calendar weeks after receiving the 
application. When the FAA accepts an application, the 180-day review 
period begins on the date that the FAA received the application. If the 
FAA accepts an application as complete enough to review, the FAA works 
with applicants to identify additional information and documentation 
needed to demonstrate regulatory compliance, and advises applicants 
when those materials are needed. If the additional materials are not 
provided within an appropriate time frame, the FAA tolls the review 
period, stopping the counting of time towards the 180-day deadline. 
Once the FAA has completed its review, it issues a license, or informs 
the applicant, in writing, that the license application is being denied 
and states the reasons for denial.
    Industry representatives have expressed frustration both with a 
lack of clarity as to what is ``complete enough'' for the FAA to accept 
an application and begin review and with the 180-day review period. The 
FAA seeks comment on how the FAA can improve the clarity of ``complete 
enough'' to address past frustrations. For an applicant that is in the 
early stages of development, there are challenges with compiling all of 
the documentation in parallel with their vehicle development. First-
time applicants regularly underestimate the amount of time needed for 
licensing. For nearly all applicants, much of the vehicle and mission 
information is only refined and finalized within the 180-day review 
period, which may subject the application to tolling and business risk 
to the applicant's timeline for launch operations. The timing of the 
issuance of an FAA authorization has never caused a delay to a launch 
or reentry operation, but the FAA is cognizant that there could be 
impacts on an operator even absent an operation delay.
    In part to address these issues, and bearing in mind that a written 
application is the means by which the FAA determines whether a launch 
or reentry operator can conduct a launch or reentry safely, the FAA 
invited the ARC to describe how the FAA might modify its application 
process to improve efficiency for both the FAA and applicants. The ARC 
suggested in part that the FAA allow for an incremental or modular 
application and review process. Specifically, the ARC recommended that 
the application review process should be modified to allow for 
incremental approvals of subsections to guide a focused review and 
avoid tolling. The recommendation suggested further that, rather than 
180 days for review of an entire application, the FAA should assign a 
brief period for each subsection or module.
    The current application process is already modular to an extent. 
The FAA has issued payload determinations outside of a license, 
primarily for payload developers seeking early assurances that their 
payload would be permitted to be launched. The FAA has even conducted 
preliminary policy reviews to provide similar assurances to future 
applicants on a less formal basis. Despite these allowances, the vast 
majority of FAA commercial space licensing evaluation time is spent on 
evaluating the safety implications of a license application. Because 
this proposed rule seeks to convert the prescriptive safety 
requirements to performance-based criteria, the FAA believes that it 
may be possible to develop a flexible safety review process that can 
afford applicants early determinations, providing an applicant more 
flexibility and control over the timing of the licensing process.
    The ARC also recommended that the FAA reduce its application review 
time. The ARC focused on differentiating between experienced and 
inexperienced operators in order to decrease FAA review time of license 
applications. While the FAA agrees that experienced operators may 
require shorter application review times, it should be noted that this 
would likely be due to familiarity with the application process, more 
streamlined application materials that lend themselves to a more 
efficient review, and established processes that have been through FAA 
review previously (such as ground safety analyses). While the proposed 
incremental review process would empower operators to better define 
when certain portions of an application are reviewed and would allow an 
operator that has satisfied certain requirements early to receive 
credit for those portions of its application in advance, other 
proposals in this rulemaking, such as safety element approvals 
concurrent with a license application, flexible time frames, and 
reduced application burdens, would probably serve to reduce review 
times more effectively than an incremental application process. 
Nevertheless, the modular nature of payload determinations, policy 
approvals, environmental evaluations, and financial responsibility 
requirements, and the more granular incremental review of compliance 
with the safety approval requirements would allow an applicant to seek 
partial approval of an application as soon as a portion is ready to be 
evaluated. These approvals would allow an operator to better manage its 
timeline and any potential timeline risk. The flexible nature of this 
proposal would allow the FAA to further engage with industry and 
establish new best practices and greater efficiencies for

[[Page 15366]]

both government evaluators and our commercial partners. The option of 
using an incremental approach would provide more flexibility to 
operators who are able to provide portions of their application in 
advance.
    In proposed Sec.  450.33 (Incremental Review and Determinations), 
the FAA would revise the launch and reentry regulations to allow for an 
incremental review application submission option for vehicle operator 
license applicants. Because the current regulations already allow an 
operator to submit the payload, policy, environmental, and financial 
responsibility portions of its application independently, the FAA 
proposes that the incremental review process apply specifically to the 
safety approval portion of a license application. Given the large 
variety of applicant experience, proposed operations, and company 
timelines, the FAA recognizes a need for flexibility. Accordingly, the 
FAA is proposing amendments to part 413 and regulatory language in 
proposed part 450 to allow for incremental application submission and 
determinations. This incremental review application process would not 
replace the traditional review of a full, complete application 
submitted at once--the incremental review would be an optional path to 
obtaining an FAA license determination that allows an applicant to 
choose an application submission process that suits their business 
model and program needs.
    The FAA is proposing in Sec.  450.33(a) that, prior to any 
submission, an applicant would be required to identify to the FAA that 
it plans to avail itself of the incremental review and determination 
application process. During pre-application consultation, the FAA would 
work with an applicant towards an incremental review process that is 
aligned to both the development process for an applicant and the 
necessities of the FAA's evaluation framework. The FAA proposes to 
coordinate with applicants during pre-application consultation to 
determine the following: (1) Appropriate portions of an operator's 
application that could be submitted and reviewed independently; (2) the 
application and review schedule with dates of key milestones; (3) the 
applicant's planned approach to demonstrate compliance with each 
applicable regulation, to include any foreseeable requests for waiver; 
and (4) the scope of the proposed action being applied for, the 
identification of any novel safety approaches or other potentially 
complicating factors, and how those will be addressed during the 
licensing process.
    The details of an applicant's incremental application process would 
have to be approved by the FAA in accordance with proposed Sec.  
450.33(b) prior to application submission and the FAA could issue 
determinations towards a safety approval resulting from those reviews, 
in accordance with proposed Sec.  450.33(c). An applicant would be able 
to propose sections of the safety approval portion of its application 
that the FAA could review independently. This process would allow an 
applicant to submit completed sections, for example the System Safety 
Program, to the FAA early, rather than wait until the entire 
application was complete enough. The FAA would also be able, where 
appropriate, to review and make determinations on these increments 
prior to a full licensing determination. It would also allow an 
applicant to identify more challenging or lengthy portions of an 
application that could be submitted earlier to avoid delays and tolling 
closer to a launch date. The FAA believes this process would improve 
predictability for applicants seeking assurances against business 
risks. As the FAA gains more experience with the incremental 
application process, the FAA may issue guidance for the process or an 
example of a process that has been found to satisfy the intent of the 
regulation.
    The FAA considered the ARC's recommendations for predetermined 
modules, but identified several concerns in attempting to model the 
practice of such a process. The ARC provided a flow diagram that 
partitioned the evaluation process into nine conceptual 30-day modules, 
with the proposal that those modules could be reviewed in serial or in 
parallel. As noted earlier, the FAA is statutorily limited to a 180-day 
review process, so any review of modules in serial could not exceed 180 
days. The ARC recommended that if the modules are submitted in parallel 
for concurrent review, extra time should be provided for FAA review up 
to 90 days to allow for dependent analyses. The ARC recommendation 
asserted the importance that the modules are independent in terms of 
content, when possible, but correctly acknowledged that some modules 
will necessarily depend on others.\175\ The FAA seeks to provide as 
much flexibility as practicable in the proposed process to enable 
innovative business practices and schedules that contemplate frequent 
launches and reentries, but many aspects of the safety evaluation are 
interdependent, and the FAA requires certain material from one aspect 
of a safety evaluation to inform and remain consistent with other 
aspects. Furthermore, operators generally develop and define standards, 
methodologies, processes, preliminary designs, and plans for an aspect 
of their evaluation long before they are able to submit advanced 
analysis products or testing results. The FAA seeks comment on how a 
formal incremental review process would account for the statutory 180-
day review period, when application increments or modules are likely to 
be submitted and reviewed at very different time periods.
---------------------------------------------------------------------------

    \175\ ARC Report, p. 61.
---------------------------------------------------------------------------

    To enable incremental application submission and review, the FAA is 
proposing to amend Sec.  413.1 to broaden the term application to 
encompass either a full application submitted for review or an 
application portion submitted under the incremental review process. In 
making this amendment, the FAA would be able to accommodate 
applications submitted under either process. The FAA proposes to retain 
the pre-application consultation requirement of Sec.  413.5, which is 
streamlined by the proposed removal of Sec.  415.105 and its 
duplicative requirement for a more prescriptive pre-application 
consultation process. Under this proposal, an operator would be 
required to identify whether it wants to enter into the incremental 
application process during pre-application consultation. Should an 
operator elect to submit its application incrementally, it would work 
with the FAA to detail what is needed for each application portion to 
begin review. In proposing an approach to incremental review, the FAA 
expects that an applicant would consider the following:
    1. Application increments submitted at different times should be 
not be dependent on other increments to the extent practicable.
    2. Application increments should be submitted in a workable 
chronological order. In other words, an applicant should not submit an 
application increment before a separate application increment on which 
it is dependent. For example, the FAA would not expect to agree to 
review a risk analysis before reviewing a debris analysis or 
probability of failure analysis because the risk analysis is directly 
dependent on the other two analyses.
    3. An applicant should be able to clearly identify all the 
regulations and associated application materials that would be required 
for each application increment, and should be able to demonstrate to 
the FAA that all the applicable regulations are covered by the 
separately submitted portions.

[[Page 15367]]

    4. Examples of application increments that may be suitable for 
incremental review include: System Safety Program, Preliminary Safety 
Assessment for Flight, Flight Safety Analysis Methods, and FSS Design.
    The FAA seeks comment on the incremental approach generally. The 
FAA further seeks comment on any other useful guidelines that an 
applicant should consider when crafting an incremental approach. 
Finally, the FAA also seeks comment on any other safety approval 
sections of a license application that would be appropriate for 
incremental review.
    Finally, the FAA would amend Sec.  413.15 to provide that the time 
frame for any incremental review and determinations would be 
established with an applicant on a case-by-case basis during pre-
application consultation. The FAA would continue to work with 
applicants during the pre-application phase to assist applicants in 
navigating the FAA's regulations and identifying potential challenges.

C. Time Frames

    Chapter III regulations include a number of prescriptive time frame 
requirements that the FAA proposes to make more flexible. In 2016, the 
FAA conducted a review of the time frames in chapter III and found that 
many could be made more flexible without any discernable impact on 
safety. During meetings with the Commercial Spaceflight Federation 
(CSF) \176\ in 2017 and 2018, some members of industry expressed 
concern about the FAA's restrictive time frame requirements. The ARC 
also stated that the current regulatory time frames and requirements 
for submission of changes is onerous and untenable for high flight 
rates.\177\
---------------------------------------------------------------------------

    \176\ The Commercial Spaceflight Federation (CSF) states that 
its mission is ``to promote the development of commercial human 
spaceflight, pursue ever-higher levels of safety, and share best 
practices and expertise throughout the industry.'' Its member 
businesses and organizations include commercial spaceflight 
developers, operators, spaceports, suppliers and service providers.
    \177\ ARC Report, p. 48.
---------------------------------------------------------------------------

    In consideration of the industry's comments and the FAA's review of 
chapter III time frames, the FAA proposes in Sec.  450.15 to increase 
flexibility by allowing an operator the option to propose alternative 
time frames that better suit its operations. The FAA would revise the 
time frame requirements in parts 404, 413, 414, 415, 417, 420, 431, 
437, and 440 that are overly burdensome and may result in waiver 
requests. Further, the FAA would, after reviewing the operator's 
request for an alternative time frame, provide the FAA's expected 
review period to make its determination on the proposed alternative 
time frame. The proposed revisions to parts 415, 417, and 431 would be 
included in new proposed part 450. For ease of reference, the FAA would 
list all revised chapter III time frames in proposed appendix A to part 
404.
    Proposed Sec.  450.15(b) would inform the operator to submit its 
request for an alternative time frame in writing. The ``in writing'' 
provision could be in the form of a formal letter or email sent 
electronically to the email address [email protected], with the 
subject line ``Alternative Time Frame Request.'' If an operator would 
like to send the request in hardcopy, it would mail the request to the 
Federal Aviation Administration, Associate Administrator for Commercial 
Space Transportation, Room 331, 800 Independence Avenue SW, Washington, 
DC 20591; Attention: Alternative Time Frame Request. The FAA 
anticipates that an operator would submit these requests during the 
pre-application consultation or during the application process, and not 
after a license has been issued. At a minimum, the operator would be 
required to submit its request before the time frame specified in the 
regulations. Note, the FAA would need time to process the request. For 
example, if a requirement states that an operator must submit a 
document 30 days before launch, the operator may not submit a request 
for an alternative time frame 30 days before launch or later. Also, 
under the proposal, the requested alternate time frame must be 
specific. For example, an operator could request to submit a document 
15 days before launch, but not ``as soon as possible.'' The FAA would 
provide the operator its decision in writing.
    Proposed Sec.  404.15(c) would provide the conditions under which 
the Administrator would agree to an alternative time frame. That is, 
the FAA would review and agree to an alternative time frame if the 
proposed alternative time frame would allow time for the FAA to conduct 
its review and make the requisite findings. For example, the default 
time frame in proposed Sec.  450.213(b) for a licensee to submit to the 
FAA certain payload information would be not less than 60 days before 
each mission conducted under a license. The FAA uses the information to 
verify that each payload fits within any approved class of payload 
under the license, and to address any issues that may arise. The FAA 
may only need a shorter time frame for this effort if the approved 
payload classes are well defined and unlikely to generate payload-
specific issues. As another example, the default time frame in proposed 
Sec.  450.213(d) for a licensee to submit to the FAA certain flight 
safety system test data would be no later than 30 days before flight. 
The FAA may agree to a shorter time frame for an experienced operator 
that uses a proven flight safety system.

D. Continuing Accuracy of License Application and Modification of 
License

    The FAA proposes to consolidate continuing accuracy requirements 
currently in Sec. Sec.  417.11 and 431.73 in proposed Sec.  450.211. 
The proposed rule would preserve the standards in Sec. Sec.  417.11 and 
431.73. In addition, it would allow an applicant to request approval of 
an alternate method for requesting license modifications during the 
application process. This option currently only exists in Sec.  437.85 
for experimental permits.
    Under the current regulations, an operator must ensure that any 
representation contained in a license application is accurate for the 
entire term of a license. After the FAA issues a launch license, an 
operator must apply to the FAA for a license modification if any 
representation that is material to public health and safety or safety 
of property is no longer accurate (commonly referred to as ``material 
change''). An application to modify a license must be prepared and 
submitted in accordance with part 413. The licensee must indicate what 
parts of its license application or license terms and conditions would 
be affected by a proposed modification.
    Although license applications are often updated during the 
application process, the application, as fixed at the time of license 
issuance, becomes part of the licensing record. After issuing the 
license, the FAA deems any material change to a representation in the 
application to be a modification to the license. However, changes may 
occur after a license is issued, particularly among operators that are 
developing new systems or incorporating innovative technology. The FAA 
does not wish for the material change requirement to deter those 
changes intended to improve operations. Although the FAA and operators 
may not always agree on what constitutes a material change, the FAA 
works with the operator to resolve any issues and reduce uncertainties.
    Regarding compliance with an issued license, the ARC recommended 
that information needed prior to each launch, as long as it is within 
the approved flight envelope, should be minimized and a centralized, 
automated

[[Page 15368]]

system for submitting preflight information should be established. 
Continuing accuracy reviews should be limited to an assessment of the 
risks created by the change. The ARC further recommended that if the 
regulations continued to use the term ``material change,'' then that 
term should be defined in the regulations, guidance, or pre-application 
agreement.
    The FAA agrees with the ARC's recommendations. While there already 
exist avenues by which a licensee can minimize the need for license 
modifications,\178\ this rule would adopt an approach from Sec.  437.85 
where the FAA may identify the types of changes that a permittee may 
make to a reusable suborbital rocket design without invalidating the 
permit. In proposed Sec.  450.211, the FAA may approve an alternate 
method for requesting license modifications if requested during the 
application process. The FAA envisions that this approach would permit 
an applicant during the application process to propose a method that is 
responsive to its anticipated types of changes after a license is 
issued.
---------------------------------------------------------------------------

    \178\ A license applicant may circumvent or lessen the need for 
frequent license modification due to material change by providing in 
its application a range of payloads, flight trajectories, hazard 
areas, and orbital destinations, so as to encompass more flexibility 
in actual licensed operations. A license applicant may also create 
acceptable processes for making changes to safety critical systems 
and their components, mission rules, hazard areas, and safety 
organization, that limit the need for license modifications. Part of 
these processes would include a mechanism for informing FAA of the 
change.
---------------------------------------------------------------------------

    Regarding the recommendation for the development of a centralized 
automated system for submitting preflight information, while the FAA 
has been flexible in accepting application material and license updates 
submitted in electronic format, it recognizes that an improved system 
is desirable. The FAA is exploring mechanisms to facilitate these 
submissions.
    Finally, the FAA agrees with the ARC recommendation that it should 
develop guidance on what constitutes a ``material change'' and has 
identified the following areas that often constitute a material change:
    1. Safety-critical system or component changes (e.g., flight safety 
system) that may affect public safety, including--
    a. Substitution of an existing safety-critical component with a 
component with a new part number or manufacturer (reflecting changed 
dimensions, changed functional or performance specifications, or 
changed manufacturing process).
    b. Modifications to a safety critical component deemed necessary by 
an anomaly investigation, and requiring re-verification by test or 
inspection.
    c. Rework or repair of a safety-critical component after 
inspections or tests revealed fabrication or assembly imperfections.
    d. Reuse, after an earlier launch or reentry, of safety-critical 
systems or components, requiring refurbishment, re-qualification 
testing, and re-acceptance testing.
    2. Hazard analysis changes that may affect public safety such as 
the validity of the hazard analysis, mitigation measure, or 
verification of a safety critical system or component.
    3. Flight safety rule changes that may affect public safety such as 
flight commit criteria associated with public safety.
    4. Hazard area changes that may affect public safety, including the 
dimensions of the area.
    5. Maximum Probable Loss (MPL) related changes that affect the 
validity of the assumptions used to establish the MPL (e.g., change in 
the number of personnel within a hazard area, change in trajectory 
resulting in more overflight of people or property, increase in vehicle 
size with more propellant, hazardous materials, or potential debris).
    6. Environmental Assessment related changes that affect the 
validity of an environmental assessment (e.g., changes to mitigation 
measures outlined in a record of decision or environmental impact 
statement).
    7. Safety organization changes that may affect public safety such 
as changes to the roles and responsibilities of the safety organization 
or personnel, including changes in contractual safety services.\179\
---------------------------------------------------------------------------

    \179\ As discussed earlier in the preamble, the proposed rule 
would eliminate the current requirement to name a specific 
individual as the safety official. Instead, the NPRM would allow for 
one person or several persons to perform the safety official 
functions, and, the operator would be required to designate a 
position, not a specific individual, to accomplish the safety 
official functions. Therefore, under this proposal, if the operator 
changes the specific individual performing the safety official 
functions, that would not constitute a material change.
---------------------------------------------------------------------------

    8. Critical documents or processes that may affect public safety.
    The FAA believes that this list provides guidance to help operators 
better understand what constitutes a material change. As the industry 
continues to develop and the FAA identifies material changes, it will 
consider providing more detailed guidance.

Other Changes

A. Pre-Application Consultation

    As discussed earlier, the ARC recommended that the FAA require the 
pre-application process only for new operators or new vehicle programs. 
For all other operations, the ARC recommended that pre-application 
occur at the operator's discretion.\180\ The FAA does not agree that 
pre-application should be discretionary for anyone. In light of the 
various flexibilities proposed in this rule, pre-application 
consultation would remain critical to assist operators with the 
licensing process, especially those that choose to avail themselves of 
the flexibilities provided in this proposal. These flexibilities 
include incremental review, timelines, and the performance-based nature 
of many of the regulatory requirements. Pre-application consultation 
eases the burden on both the applicant and the FAA during the 
application process by identifying and resolving issues that allow 
applicants to submit application materials the agency can accept as 
complete enough for review. That being said, pre-application 
consultation with an experienced operator conducting an operation 
substantively similar to one previously licensed would likely be an 
abbreviated process.
---------------------------------------------------------------------------

    \180\ ARC Report, p. 23.
---------------------------------------------------------------------------

    In response to the ARCs request for defined review times, the FAA 
considered an approach to pre-application consultation that would 
culminate in a mutually agreeable ``compliance plan.'' Under this 
approach, a compliance plan would be developed collaboratively between 
the applicant and the FAA. Key milestones that could be established by 
the compliance plan would include, but would not be limited to, the 
planned dates of the formal application submittal, the FAA's licensing 
determination, and the submission of any required information that is 
unavailable at the time of formal application submittal. The FAA chose 
not to propose this requirement because it could be overly burdensome, 
possibly delay an application submittal, and the compliance plan could 
require frequent updates. However, the FAA would be open to commenters' 
views on how to best develop a voluntary pre-application product, such 
as a compliance plan.

B. Policy Review and Approval

    The FAA currently reviews a launch and reentry license application 
to determine whether it presents any issues affecting national security

[[Page 15369]]

interests, foreign policy interests, or international obligations of 
the United States. As part of its review and in accordance with section 
50918 of the Act, the FAA consults with the Department of State, 
Department of Defense, and other executive agencies, as appropriate. 
The Department of Defense assesses the effect of the launch on U.S. 
national security, and the Department of State assesses its effect on 
foreign policy interests and international obligations of the United 
States. For good practice, the FAA also consults with NASA, the 
Department of Commerce's National Oceanic and Atmospheric 
Administration (NOAA), and the Federal Communications Commission (FCC), 
for counsel on those U.S. interests related to the primary 
responsibilities of each agency. As such, the FAA coordinates with the 
FCC and NOAA over matters related to frequency licensing and Earth 
imaging, respectively, and with NASA for matters particularly related 
to its assets in space.
    Section 415.25 currently contains application requirements for a 
policy review of the launch of a vehicle other than an RLV, Sec.  
431.25 for the launch and reentry of an RLV, and Sec.  435.23 for the 
launch of a reentry vehicle other than an RLV.\181\ To date, these 
informational requirements have served their purpose well. However, the 
FAA believes that the current informational requirements should be 
modified to relieve the applicant of unnecessary burden and to improve 
the utility of the information requested for a policy review. 
Currently, Sec. Sec.  415.25(b) and 431.25(b) both require an applicant 
to identify structural, pneumatic, propellant, propulsion, electrical 
and avionics systems. Section 431.25(b) also requires an applicant to 
identify thermal and guidance systems used in the launch vehicle, and 
all propellants. Although identifying the aforementioned systems is 
important for a safety review, the FAA believes that this information 
is not critical for a policy review, which addresses whether the launch 
or reentry presents issues affecting national security interests, 
foreign policy interests, or international obligations of the United 
States.
---------------------------------------------------------------------------

    \181\ These sections require an applicant to provide basic 
information about the launch or reentry vehicle, its ownership, 
launch site, flight azimuths, trajectories, associated ground tracks 
and instantaneous impact points, sequence of planned events or 
maneuvers during flight, range of nominal impact areas for all spent 
motors and other discarded mission hardware, and for each orbital 
mission, the range of intermediate and final orbits of each vehicle 
upper stage, and their estimated orbital lifetimes.
---------------------------------------------------------------------------

    The FAA proposes to consolidate the policy review requirements 
contained in Sec. Sec.  415.25 and 431.25 under proposed Sec.  450.41 
(Policy Review and Approval). In doing so, the FAA would retain the 
substance of the current requirements while further tailoring the 
informational requirements toward a policy review. Also, the FAA would 
replace the launch or reentry vehicle description requirements with 
vehicle description requirements that are more appropriate for a policy 
review. Finally, the FAA would require the applicant to provide flight 
azimuths, trajectories, and associated ground tracks and instantaneous 
impact points, and contingency abort \182\ profiles, if any, for the 
duration of the licensed activity.
---------------------------------------------------------------------------

    \182\ The FAA proposes to revise the definition in Sec.  401.5 
of ``contingency abort'' to mean a flight abort with a landing at a 
planned location that has been designated in advance of vehicle 
flight. The proposed definition is discussed later in this preamble.
---------------------------------------------------------------------------

    Specifically, proposed Sec.  450.41(e)(2) would replace the current 
requirement to identify structural, pneumatic, propulsion, electrical, 
thermal, guidance and avionics systems with a requirement to describe 
the launch or reentry vehicle and any stages, including their 
dimensions, type and amounts of all propellants, and maximum thrust. As 
previously mentioned, currently required information is not critical 
for a policy review because policy determinations do not require the 
same level of technical detail as a safety review and do not need to 
delve into vehicle design specifics. Instead, the information required 
by proposed Sec.  450.41(e)(2) would provide the FAA and its 
interagency partners with the scope of the proposed activity that is 
more pertinent to a policy review. Moreover, the FAA anticipates that 
the proposed changes would be significantly less burdensome for an 
applicant, as the information is readily available and requires minimal 
effort to provide. In contrast, the currently required information, 
while also readily available, might be extensive and require more 
effort to compile.
    Additionally, it is unclear that the requirements to supply flight 
azimuths, trajectories, and associated ground tracks and instantaneous 
impact points, currently found in Sec. Sec.  415.25(d)(2) and 
431.25(d)(2), apply for the duration of the licensed activity (i.e., 
from lift-off to the end of licensed activities). For example, 
applicants previously have interpreted the requirement to supply flight 
azimuths and trajectories to end at orbital insertion because that is 
when ground tracks and instantaneous impact points vanish. However, 
during interagency coordination for policy reviews of orbital missions, 
NASA and the Department of Defense have repeatedly, and specifically, 
requested information from the FAA concerning the trajectories of upper 
stages after orbital insertion in order to determine the potential for 
the proposed mission to jeopardize the safety of government property in 
outer space or national security.
    Therefore, in addition to consolidating Sec. Sec.  415.25(d)(2) and 
431.25(d)(2) into proposed Sec.  450.41(e)(4)(ii), the FAA would add 
language to clarify that the requirement to supply flight azimuths, 
trajectories, and associated ground tracks and instantaneous impact 
points applies for the duration of the licensed activity (i.e., lift 
off to the end of launch). This clarification would eliminate the need 
for the FAA to request additional information from an applicant to 
satisfy inquiries from NASA and the Department of Defense during policy 
reviews and prevent any unnecessary delays to the policy review 
process.

C. Payload Review and Determination

    The FAA proposes to consolidate the payload review requirements. 
The agency would also remove the requirement to identify the method of 
securing the payload on an RLV, add application requirements to assist 
the interagency review, such as the identification of approximate 
transit time to final orbit and any encryption, clarify the FAA's 
relationship with other federal agencies for payload reviews, and 
modify the 60-day notification requirement currently found in 
Sec. Sec.  415.55 and 431.53.
    While speaking of payload reviews, it is important to keep in mind 
the definitions of launch vehicle and payload as defined in FAA 
regulations. The FAA is not proposing to amend these definitions. A 
launch vehicle is a vehicle built to operate in, or place a payload in, 
outer space or a suborbital rocket. A payload is an object that a 
person undertakes to place in outer space by means of a launch vehicle, 
including components of the vehicle specifically designed or adapted 
for that object. Thus, a payload can become a reentry vehicle. For 
example, the Dragon is a payload when it is launched on the Falcon 9 
and a reentry vehicle when it reenters from Earth orbit. The FAA 
believes that any component attached to, or part of, a launch or 
reentry vehicle that has an intended use in space other than 
transporting itself or a payload, is in fact a payload. For example, 
the FAA has treated canisters of cremains attached to a stage left in 
orbit as payloads.

[[Page 15370]]

    Pursuant to Sec.  415.51, unless the payload is exempt from review 
under Sec.  415.53, the FAA reviews a payload proposed for launch to 
determine whether an applicant, payload owner, or operator has obtained 
all the required licenses, authorization, and permits. The FAA further 
determines whether a payload's launch would jeopardize public health 
and safety, safety of property, U.S. national security or foreign 
policy interests, or international obligations of the United States. 
Similarly, both Sec.  431.51 for launch and reentry of an RLV and Sec.  
435.41 for reentry of a reentry vehicle other than an RLV, require the 
FAA to review a payload to examine the policy and safety issues related 
to the proposed reentry of a payload.
    Current Sec. Sec.  415.59 and 431.57 also require the applicant to 
submit basic payload information to allow the FAA to conduct a payload 
review. While the information requirements for payload review in 
Sec. Sec.  415.59 and 431.57 are similar, they are not identical. Both 
sections require that an applicant provide the payload's physical 
dimensions and weight; owner and operator; orbital parameters for 
parking, transfer, and final orbits; and hazardous materials, as 
defined in Sec.  401.5, and radioactive materials, and the amounts of 
each. However, Sec.  415.59 requires an applicant to provide the name 
and class of the payload, the intended payload operations during the 
life of the payload, and the delivery point in flight at which the 
payload will no longer be under the licensee's control. Whereas, Sec.  
431.57 requires an applicant to provide either the payload name or 
payload class and function; the physical characteristics of the payload 
in addition to the payload's dimensions and weight; the explosive 
potential of payload materials, alone and in combination with other 
materials found on the payload or RLV during reentry; and the method of 
securing the payload on the reusable launch vehicle. It also replaces 
delivery point with designated reentry site(s); and requires the 
identification of intended payload operations during the life of the 
payload. With respect to hazardous materials, Sec.  431.57 also 
requires the applicant to identify the container of the hazardous 
materials, in addition to the type and amount, because how the 
hazardous materials are contained is important for reentry.
    The FAA believes that the current payload review informational 
requirements necessitate modification to improve the utility and 
efficiency of payload review. During interagency review, other agencies 
have requested information from the FAA for the amount of time a 
payload will take to reach its final orbital destination. This 
information allows the agencies to assess the payload's potential to 
impact their operations. However, current regulations do not contain an 
informational requirement that the applicant provide this information. 
As a result, the FAA often must make additional requests to the 
applicant in order to provide the requesting agencies with the 
information.
    In the past, most non-government payloads were telecommunications 
or remote sensing satellites for which there were well-established 
regulatory regimes. Operators are now proposing payloads with new 
intended uses such as servicing other satellites and mapping frequency 
use. The capabilities of payloads continue to grow; for example, 
cubesats are appearing in great numbers with unique capabilities. As a 
result, it is possible that these new uses may pose threats to national 
security, such as the resolution of on-board cameras that might be used 
to survey national security space assets. Consequently, payload reviews 
increasingly need to address the threat that these new uses and 
capabilities might pose to U.S. national security, either unintentional 
or malicious.
    Additionally, Sec.  415.53 provides that the FAA does not review 
payloads regulated by the FCC or the Department of Commerce. Section 
431.51 provides that the FAA does not review payloads subject to 
regulation by other federal agencies. However, neither of these 
regulations reflect current practice. In practice, the FAA includes 
payload information in its interagency reviews for all payloads, with 
the exception of certain U.S. Government payloads for which information 
is unavailable due to national security concerns, because Sec.  415.51 
provides that the safety requirements apply to all payloads, regardless 
of whether the payload is otherwise exempt. Even though the FAA 
conducts a review of all payloads, the FAA does not impinge on the 
authority of the FCC or the Department of Commerce, nor question the 
decision of the FCC or NOAA to approve communications or remote sensing 
satellites. It does not question the decision of another federal agency 
concerning its payloads. More accurately, while the FAA may conduct a 
review of all payloads, the FAA does not make a payload determination 
on what it considers an ``exempt'' payload.
    Changes in the types of payloads that are being launched or 
proposed have also complicated the scope of FAA payload reviews and 
demonstrated that the language exempting certain payloads from review 
is overly restrictive. The FAA has made payload determinations for 
payloads that will undoubtedly require FCC or NOAA licensing, but the 
proposed payload missions were beyond the scope of communications or 
remote sensing. These payloads were examined in the interagency process 
and neither the FCC nor NOAA took exception to the FAA's approach.
    Section 50918 of Title 51 of the U.S. Code mandates that the 
Secretary of Transportation consult with the Secretary of Defense on 
matters affecting national security, the Secretary of State on matters 
affecting foreign policy, and the heads of other agencies when 
appropriate. Section 50919(b) states that chapter 509 of Title 51 does 
not affect the authority of the FCC or Department of Commerce. The 
language of FAA regulations exempting from review those payloads 
subject to the jurisdiction of the FCC, NOAA, and other agencies, is 
more restrictive regarding the FAA's authority than what is required in 
the statutory mandate of 51 U.S.C. 50918 and 50919. The genesis of this 
more-limited role by the FAA came from the Report of House of 
Representatives, May 31, 1984, that accompanied H.R. 3942. 
Specifically, the report stated: ``[t]he Committee intends that the 
Secretary not review or otherwise evaluate the merits of communications 
satellites licensed and approved by the FCC, other than to assure the 
proper integration of such payload with the launch vehicle and its 
launch into orbit.'' At that time, almost all non-government payloads 
were communications or remote sensing satellites, regulated by the FCC 
and NOAA, respectively.
    When DOT published the initial licensing regulations in 1988, the 
preamble noted that the payloads subject to existing payload regulation 
included only telecommunications satellites licensed by the FCC and 
remote sensing satellites licensed by NOAA. It went on to state that 
payloads that were not subject to review by DOT included all domestic 
payloads not presently regulated by the FCC or NOAA and all foreign 
payloads. Almost any domestic payload, even if it is not a 
telecommunications satellite, however, requires FCC licensing because 
it will invariably have a U.S.-owned or -operated transmitter for 
telemetry purposes. Therefore, it appears that the intention of the 
rule was only to exclude from FAA regulation telecommunications 
satellites licensed by the FCC and likewise, remote sensing satellites 
licensed by

[[Page 15371]]

NOAA, and not any satellite with a transmitter licensed by the FCC or 
with some incidental remote sensing capability.
    In recent years, there have been proposals for commercial payloads 
where the primary purpose might be scientific or exploratory or even 
artistic. Despite their primary purpose, these payloads almost always 
require an FCC license because they have transmitters for telemetry. 
Similarly, some payloads also require approval by NOAA even though 
remote sensing may be ancillary to the main purpose. Without an 
interagency review, the FAA has no direct means of knowing whether a 
payload is exempt from review and, as a result, has initiated 
interagency reviews. These reviews also serve the purpose of alerting 
the other agencies to launches of payloads that might jeopardize U.S. 
national security or foreign policy interests, or international 
obligations of the United States, even if they are exempt from an FAA 
payload review. Although the FAA has not to date been faced with the 
Department of Defense or the Department of State raising concerns 
through the interagency review regarding national security or foreign 
policy for an ``exempt'' payload, the FAA believes that it would be its 
responsibility to convey those concerns to the appropriate agencies for 
resolution.
    The ARC asserts that the payload reviews being conducted are more 
detailed than necessary to assure the protection of ``public health and 
safety.'' The ARC recommended that payloads that stay within the 
vehicle, have non-hazardous materials, or those that have previously 
been approved for flight, should not require reviews. It recommended 
that safety goals can be met by only requiring reviews for hazardous 
payloads that could impact ``public health and safety.'' The ARC also 
stated that it would be more cost effective to regulate only hazardous 
payloads ejected from the launch vehicle in reportable quantities using 
the existing standards in 49 CFR 172.101. It believes such an approach 
would reduce unnecessary paperwork and subsequent FAA review for 
``benign payloads,'' and the reduction of burden on the FAA to review 
``non-safety related payloads'' would support industry's increased 
flight tempo and reduce FAA review times.
    The FAA does not agree with the ARC recommendation that payloads 
that stay within the vehicle, payloads that are non-hazardous 
materials, or those that have previously been approved for flight 
should not require reviews. The fact that a payload remains on or 
within the launch or reentry vehicle does not change the function of 
the payload. The payload's intended use in space or changes in the 
orbit of the vehicle to accommodate the payload operation might present 
issues because it could affect NASA or Department of Defense assets 
either due to its orbit or function. For example, the Department of 
Defense has concerns regarding payloads that may pass close enough to 
its assets to photograph them. The FAA recognizes that some payloads, 
such as canisters of cremains, attached to an upper stage, might have 
little or no safety or policy implications. However, a review is still 
necessary to make that determination. Obviously, the absence of 
hazardous materials also removes some safety concerns; however, as 
previously discussed, hazardous materials are not the only concern 
addressed in the payload review.
    While payloads that stay within a vehicle, do not contain hazardous 
materials, or have previously been approved may require less scrutiny, 
a payload review is still required because the FAA is statutorily 
mandated under 51 U.S.C. 50904(c) to determine whether a license 
applicant or payload owner or operator has obtained all required 
licenses, authorization, and permits. If no license or authorization or 
permit is required by another federal agency, the FAA must determine 
whether a launch would jeopardize public health and safety, safety of 
property, U.S. national security or foreign policy interests, or 
international obligations of the United States. Similarly, while 
potentially it might be more cost effective to regulate only hazardous 
payloads ejected from a launch vehicle in reportable quantities using 
existing standards in 49 CFR 172.101, the FAA must still comply with 
the statutory requirements imposed on it by 51 U.S.C. 50904(c). Both 
the FAA's current and proposed regulations reflect this statutory 
requirement.
    As for payloads that have previously been approved for launch, the 
FAA already authorizes classes of payloads under Sec. Sec.  431.53 and 
415.55, but it still requires identification of the specific payload at 
least 60 days prior to the launch in order to confirm that the payload 
fits within the authorized class and to coordinate with other federal 
agencies. The FAA currently does not make a new payload determination 
if a payload fits within a class of payloads authorized under a 
particular license, but the review is still necessary to confirm there 
are no issues that affect public health and safety, the safety of 
property, or national security. The more defined the payload class, the 
less the likelihood of any issues once the specific payload is 
identified. For series of virtually identical payloads, the FAA has 
authorized the entire series. A payload or launch operator can work 
with the FAA to facilitate and expedite payload approvals by defining 
payload classes to accommodate possible payloads. Also, payload classes 
authorized for one operator will usually be authorized for another 
operator. The FAA acknowledges that the current 60-day notification 
requirement might be unnecessary for certain well-defined payload 
classes and proposes to modify this requirement to permit a shorter 
notification on a case-by-case basis. The FAA anticipates that the 
notification requirement would be specified either in the separate 
payload determination or in a vehicle operator license.
    The ARC recommended that payloads that contain hazardous materials 
in Federally-reportable quantities be reviewed in 15 days. The FAA does 
not agree with the ARC's recommendation because there are other 
considerations regarding intended operations in space that might affect 
national security or the safety of property. For example, a payload may 
have the capability of observing or interfering with U.S. national 
security assets or violate a provision of a treaty.
    The FAA proposes to consolidate the requirements for a payload 
review currently contained in subparts D of parts 415, 431, and 435 in 
proposed Sec.  450.43 (Payload Review and Determination). The proposed 
consolidation would retain most of the current payload review 
requirements. The limited changes the FAA proposes to the payload 
requirements are discussed in this section.
    The FAA proposes to modify the relationship with other agencies by 
removing the misleading statement that the FAA does not review payloads 
that are subject to regulation by the FCC or the Department of 
Commerce. Specifically, the FAA proposes to modify the regulation to 
reflect that while it does not review those aspects of payloads that 
are subject to regulation by the FCC or the Department of Commerce, it 
still reviews the payloads to determine their effect on the safety of 
launch. The FAA also consults with other agencies to determine whether 
their launch would jeopardize public health and safety, safety of 
property, U.S. national security or foreign policy interests, or 
international obligations of the United States. Proposed Sec.  
450.43(b) would provide that the FAA would not make a payload 
determination over those aspects of payloads that are subject to 
regulation by the FCC or the

[[Page 15372]]

Department of Commerce. The FAA does not intend to interfere with any 
requirement that these agencies might impose or with approvals or 
denials. This clarification is merely a recognition of current practice 
regarding payloads that do not easily fit into the existing regulatory 
rubric.
    The FAA also proposes not to retain the specific reference to NOAA 
in Sec.  415.53(a). Although commercial remote sensing is currently 
licensed by NOAA's Office of Commercial Remote Sensing Regulatory 
Affairs (CRSRA), the Secretary of Commerce recently proposed merging 
CRSRA with NOAA's Office of Space Commerce and moving them directly 
under the Office of the Secretary of Commerce. As a result, proposed 
Sec.  450.43(b) would revise the description of which payloads are 
exempt, to clarify that a payload planning to conduct remote sensing 
operations would be exempt if licensed by any office within the 
Department of Commerce.
    In consolidating the informational requirements in parts 415, 431, 
and 435, the FAA proposes to eliminate information requirements 
concerning the method of securing a payload that was a requirement 
under Sec.  431.57(g) for RLVs because that information is not relevant 
to a payload review. The FAA considered replacing that informational 
requirement with a more general one to provide the potential of the 
payload to affect the dynamics of the vehicle. However, the FAA 
determined such information was more pertinent to the vehicle operator 
and should instead be included in systems safety analysis for the 
launch or reentry, if appropriate.
    Proposed Sec.  450.43(i)(1) also would require an applicant to 
provide an expanded description for the payload that would include its 
composition and any hosted payloads in addition to the current 
requirements of physical dimensions and weight. The FAA proposes to ask 
for any foreign ownership of the payload or payload operator. In 
addition, the FAA would add the approximate transit times to final 
orbit for the payload. The FAA proposes to elaborate what it means by 
intended payload operations during the life of the payload by adding 
its anticipated life span and any planned disposal. Further, it 
proposes a requirement to describe any encryption associated with data 
storage on the payload and transmissions to or from the payload. 
Encryption helps ensure against cyber intrusion, loss of spacecraft 
control, and potential debris-causing events. The FAA is proposing 
these additions to the information requirements for launches to assist 
other federal agencies because NASA and the Department of Defense 
frequently have requested this information in response to the FAA's 
interagency review in order to determine whether the proposed payload 
would jeopardize the safety of government property in outer space, or 
U.S. national security.
    The FAA also proposes to add a general requirement that it may 
request any other information necessary to make a determination based 
on public health and safety, safety of property, U.S. national security 
or foreign policy interests, or international obligations of the United 
States. The FAA believes that it would rarely invoke this provision but 
believes that it is crucial to address unique payloads.
    The FAA anticipates that for payload classes--as distinguished from 
specific payloads--the applicant might only be able to provide a range 
of expected transit times and would find this acceptable. Similarly, 
for classes of payloads the FAA would find it appropriate to provide 
ranges for information related to size of the payload and quantities of 
hazardous materials. It also proposes to add the explosive potential of 
payload materials, alone and in combination with other materials on the 
payload for launches, as it already does for reentries because the 
information is equally relevant to the safety of a launch as for a 
reentry.
    The FAA anticipates that these additional data requirements would 
impose minimal burden, if any, on the applicant. For example, the 
payload operator should already have detailed plans for moving its 
payload to its final destination, and the explosive equivalent for most 
materials is easily calculated using readily-available information. As 
another example, in requesting information about what encryption, if 
any, is used, the FAA is not asking for a detailed account of 
encryption methodology. Many operators are already using 256-bit 
Advanced Encryption Standard encryption (AES-256) to protect commercial 
telemetry, tracking, and control data links and mission data 
transmission or storage. In this case, an operator would only need to 
state that it uses AES-256. These additional data requirements help 
inform the overall evaluation of a payload.
    By specifying in its regulations what is required to expedite the 
FAA's payload review process without the need to make supplemental 
requests to an applicant to address interagency concerns, and the 
applicant would avoid having to respond to such requests. The FAA seeks 
comment on this proposed approach.

D. Safety Review and Approval

    As part of its current licensing process under parts 415 and 431, 
the FAA conducts a safety review to determine whether a proposed launch 
or reentry will jeopardize public health and safety and safety of 
property. The FAA would not change the philosophy or purpose of a 
safety review in this rulemaking. As with the current regulations, an 
applicant would have to satisfy the safety requirements in order to 
obtain a license to conduct a launch or reentry. Only a vehicle 
operator license applicant would be eligible to apply for a safety 
approval, and may apply for a safety approval separately and 
incrementally. As with current regulations, the FAA would advise an 
applicant, in writing, of any issues raised during a safety review that 
would impede issuance of a license, and the applicant may respond in 
writing, or amend its license application in accordance with Sec.  
413.17. This proposal would also not change the process by which the 
FAA denies a license, and the recourse afforded an applicant if a 
license is denied.
    For launches and reentries from, or to, a Federal launch range or 
any launch or reentry site where a Federal launch range provides 
safety-related launch or reentry services or property by contract, the 
FAA would accept the service or property as meeting the relevant 
requirements of proposed part 450, as long as the FAA determines that 
the Federal launch range's safety requirements for the launch or 
reentry services or property provided satisfy those requirements. Note 
that a Federal launch range could, at the direction of the operator, 
provide FSA products such a debris risk analyses or flight safety 
limits analyses, directly to the FAA on behalf of an operator.
    While the FAA is not proposing to change the philosophy and purpose 
of a safety review and approval, the FAA is proposing changes to the 
requirements to obtain a safety approval. The FAA proposes to locate 
the application requirements for a safety approval in proposed Sec.  
450.45 (Safety Review and Approval), in paragraph (e), and throughout 
proposed subpart C.
    The application requirements in proposed Sec.  450.45(e) are 
general and not specific to any safety requirement, and would include 
information not covered explicitly in proposed subpart C. Proposed 
Sec.  450.45(e)(1) would address basic requirements for an application, 
such as the inclusion of a glossary of terms and a listing of 
referenced material. This proposed requirement is similar to current 
Sec.  415.107, although

[[Page 15373]]

the proposed regulation would not include the requirement for an 
application to be logically organized, with a clear and consistent page 
numbering system, and topics cross-referenced. The FAA expects an 
applicant to ensure its application meets these basic organizational 
standards without explicitly requiring them.
    In proposed Sec.  450.45(e)(2), the FAA would require an applicant 
to submit information about its launch or reentry site. This proposed 
requirement is similar to current Sec.  415.109(a), with the addition 
of references to a reentry site.
    In proposed Sec.  450.45(e)(3), the FAA would require an applicant 
to submit information about its launch or reentry vehicle, including 
safety critical systems. This proposed requirement is similar to 
current Sec.  415.109(b), but would include reentry vehicles in 
addition to launch vehicles.
    In proposed Sec.  450.45(e)(4), the FAA would require an applicant 
to submit a generic launch or reentry processing schedule that 
identifies any readiness activities, such as reviews and rehearsals, 
each safety-critical preflight operation, and day of flight activities. 
Although the proposed regulations do not necessarily require reviews or 
rehearsals, should the applicant propose them to meet readiness 
requirements, they should be included in the schedule. This proposed 
requirement is similar to current Sec.  415.119, but with the addition 
of reentry vehicles.
    Proposed Sec.  450.45(e)(5) would apply to any proposed launch or 
reentry with a human being on board the vehicle, and would require an 
applicant to demonstrate compliance with certain safety requirements in 
part 460. This proposed requirement is similar to current Sec.  415.8, 
except that it would include reentry vehicles.
    Proposed Sec.  450.45(e)(6) would address the potential launch or 
reentry of radionuclides, similar to current Sec.  415.115(b) but with 
the addition of reentries. Because such proposals are rare, it is the 
current practice of the FAA to address the public safety issues on a 
case-by-case basis. This proposed rule would not change this approach.
    Lastly, in proposed Sec.  450.45(e)(7), the FAA would reserve the 
right to request additional information if necessary. This request 
would include information incorporated by reference in the license 
application, such as a previous application submittal. The FAA could 
also request additional products that would allow the FAA to conduct an 
independent safety analysis. The FAA periodically conducts independent 
system safety and flight safety analyses in order to gain a deeper 
understanding of the safety issues associated with a launch or reentry 
proposal. This independent analysis is particularly important for novel 
systems or operations. The FAA proposes to continue this practice with 
this rulemaking.
    Proposed subpart C would contain the remainder of the application 
requirements for a safety approval. With some exceptions, discussed 
later, each safety requirement in proposed subpart C has application 
requirements articulated at the end of each section. Under current 
regulations for ELVs, application requirements are contained in part 
415, while safety requirements are contained in part 417. Under current 
regulations for RLVs contained in part 431, application requirements 
and safety requirements are not distinguished so clearly. The proposed 
approach is designed to clearly separate safety requirements from 
application requirements.
    However, the following proposed sections do not include application 
requirements, either because they introduce other sections or because 
the FAA would not require a demonstration of compliance to obtain a 
license:
    1. Sec.  450.101: This section would address the core public safety 
criteria for launching a launch vehicle or reentering a reentry 
vehicle. An applicant would demonstrate that it can meet these criteria 
in other parts of proposed subpart C.
    2. Sec.  450.113 (Flight Safety Analysis Requirements--Scope and 
Applicability): This section would address the scope and applicability 
of the FSA requirements contained in Sec. Sec.  450.113 through 
450.141.
    3. Sec.  450.157: This section would include requirements for 
communication procedures, but an applicant would not have to 
demonstrate compliance with this section in order to obtain a license.
    4. Sec.  450.159: This section would include requirements for 
preflight procedures. Similar to proposed Sec.  450.157, an applicant 
would not have to demonstrate compliance with this section in order to 
obtain a license.
    5. Sec.  450.169: This section would include requirements for 
launch and reentry collision avoidance analysis. An applicant would not 
have to demonstrate compliance with this section in order to obtain a 
license, but it would have to provide certain information to the FAA 
prior to a launch or reentry.
    6. Sec.  450.179 (Ground Safety--General): This section would 
address the scope and applicability of the ground safety requirements 
contained in Sec. Sec.  450.181 (Coordination with a Site Operator) 
through 450.189.

E. Environmental Review

    The FAA proposes to consolidate environmental review requirements 
for launch and reentry operators in a single section, as proposed Sec.  
450.47 (Environmental Review). Currently, these requirements are set 
forth in Sec. Sec.  415.201, 415.203, 431.91, 431.93, and 435.61. In 
addition, the FAA proposes to revise current Sec. Sec.  420.15, 433.7, 
433.9, and 437.21 to conform to the changes in proposed Sec.  450.47. 
Apart from consolidation, these proposed revisions would not alter the 
current environmental review process.
    The FAA is responsible for complying with the National 
Environmental Policy Act (NEPA) and other applicable environmental 
laws, regulations, and Executive Orders prior to issuing a launch or 
reentry license. To comply with NEPA, the FAA must first determine 
whether the licensing action requires a Categorical Exclusion (CATEX), 
an Environmental Assessment (EA), or an Environmental Impact Statement 
(EIS). A CATEX is appropriate when actions, individually or 
cumulatively, do not have a significant effect on the human 
environment. An EA broadly documents evidence and analysis necessary to 
determine whether a proposed action may significantly affect the human 
environment requiring the preparation of an EIS or results in a finding 
of no significant impact (FONSI). If the action may significantly 
affect the human environment, NEPA requires preparation of an EIS. An 
EIS is a thorough analysis of a proposed action's impacts on the 
environment, including a public involvement process.
    Under current FAA practice, the issuance of a new launch or reentry 
license does not fall within the scope of a CATEX. However, an 
applicant may provide data and analysis to assist the FAA in 
determining whether a CATEX could apply (including whether an 
extraordinary circumstance exists) to a license modification. Examples 
include modifications that are administrative in nature or involve 
minor facility siting, construction, or maintenance actions. If a CATEX 
does not apply to the proposed action, but it is not anticipated to 
have significant environmental effects, then NEPA requires the 
preparation of an EA instead. The FAA may prepare an EA using 
applicant-provided information. In the alternative, an applicant may 
prepare an EA with FAA oversight. When NEPA requires an EIS for 
commercial space actions, the FAA uses third-party contracting to

[[Page 15374]]

prepare the document. That is, the FAA selects a contractor to prepare 
the EIS, and the license applicant pays the contractor. Finally, if an 
EA or EIS was previously developed, the FAA may require a written re-
evaluation of the environmental document to ensure the document's 
continued adequacy, accuracy and validity.\183\
---------------------------------------------------------------------------

    \183\ FAA Order 1050.1F, Environmental Impacts: Policies and 
Procedures, provides a more detailed description of the FAA's 
policies and procedures for NEPA and CEQ compliance.
---------------------------------------------------------------------------

    This proposed rule would not alter the current environmental review 
requirements. However, the consolidation of the launch and reentry 
regulations would require a consolidation of the environmental review 
requirements.

F. Additional License Terms and Conditions, Transfer of a Vehicle 
Operator License, Rights Not Conferred by a Vehicle Operator License

    As discussed earlier in this preamble, the FAA proposes to 
consolidate, under proposed part 450, the differing types of launch and 
reentry licenses, currently in parts 415, 431, and 435, into a single 
vehicle operator license. As part of this consolidation, the FAA would 
combine specified sections of parts 415, 431, and 435 into proposed 
sections of part 450, such that the consolidated requirements would 
apply to a single vehicle operator license. Except for these changes, 
the current requirements would remain the same. The specific proposed 
changes are identified below.
1. Additional Terms and Conditions
    The FAA proposes to consolidate the current additional terms and 
conditions requirements in Sec. Sec.  415.11, 431.11, and 435.11 into 
proposed Sec.  450.9 (Additional License Terms and Conditions) without 
substantive change. Therefore, the proposed requirement would state 
that the FAA may amend a vehicle operator license at any time by 
modifying or adding terms and conditions to the license to ensure 
compliance with the Act and regulations.
2. Transfer of a Vehicle Operator License
    The FAA proposes to consolidate the requirements to transfer a 
license in current Sec. Sec.  415.13, 431.13, and 435.13 into proposed 
Sec.  450.11 (Transfer of a Vehicle Operator License). Although the 
location of the requirements would change, the requirements themselves 
would not substantively change.
    The proposed requirements would continue to provide that only the 
FAA may transfer a vehicle operator license; and, that an applicant 
must submit a license application to transfer a license according to 
the provisions of part 413 and the requirements of proposed part 450. 
Also, like the current requirements, the proposal would require an 
applicant to satisfy all of the approvals and determinations required 
under part 450 before the FAA would transfer a license to an applicant, 
and the FAA would retain the ability to incorporate by reference any 
findings made part of the record to support the initial licensing 
determination and to modify a license to reflect any changes necessary 
because of a license transfer.
3. Rights Not Conferred by a Vehicle Operator License
    The FAA proposes to consolidate in proposed Sec.  450.13 (Rights 
Not Conferred by a Vehicle Operator License) the requirements in 
current Sec. Sec.  415.15, 431.15, and 435.15 regarding the rights that 
are not conferred by issuance of a license. Although the location of 
the requirements would change, the requirements themselves would not 
substantively change.
    The proposed requirements would continue to state that issuance of 
a vehicle operator license does not relieve a licensee of its 
obligation to comply with all applicable requirements of law or 
regulation that may apply to its activities. In addition, the proposal 
would state the issuance of a license does not confer any proprietary, 
property or exclusive right in the use of any Federal launch range or 
related facilities, airspace, or outer space.

G. Unique Safety Policies, Requirements, and Practices

    Proposed Sec.  450.177 (Unique Policies, Requirements and 
Practices) would require an operator to review operations, system 
designs, analysis, and testing, and to identify any unique launch or 
reentry hazards not otherwise addressed by proposed part 450, 
consistent with current regulations and practice. An operator would be 
required to implement any unique safety policy, requirement, or 
practice needed to protect the public from the unique hazard. In its 
application, an operator would have to identify any unique safety 
policy, requirement, or practice, and demonstrate that each it protects 
public health and safety and the safety of property.
    Proposed Sec.  450.177 would also provide that the FAA may identify 
and impose a unique policy, requirement, or practice, as needed, to 
protect the public health and safety, safety of property, and the 
national security and foreign policy interests of the United States. In 
its application, an operator would need to demonstrate that each unique 
safety policy, requirement, or practice imposed by the FAA protects 
public health and safety, safety of property, and the national security 
and foreign policy interests of the United States.
    Proposed Sec.  450.177 is largely the same as Sec.  417.127 with 
two differences. Section 417.127 requires an applicant to file a 
request for license modification for any change to a unique safety 
policy, requirement, or practice. The FAA would not incorporate this 
requirement in proposed part 450 because it is duplicative given the 
general license modification requirement in proposed Sec.  450.177. 
Also, Sec.  417.127 applies only when necessary to protect the public, 
whereas proposed Sec.  450.177(b) would also apply to national security 
and foreign policy interests of the United States. This is necessary to 
cover the full scope of FAA's licensing authority.
    The purpose for this proposed section is the same as for current 
Sec.  417.127. As the space transportation industry continues to grow, 
advances in technology and implementation of innovations by launch and 
reentry operators will likely introduce new and unforeseen safety 
challenges. These unique challenges will require FAA officials and 
operators to collaborate on a case-by-case basis to identify and 
mitigate those unique hazards to public health and safety, safety of 
property, and the national security and foreign policy interests of the 
United States not specifically addressed by proposed part 450.

H. Compliance Monitoring

    The FAA proposes to combine the compliance monitoring requirements 
of parts 417 and 431 into Sec.  450.209 (Compliance Monitoring). In 
combining the requirements, the FAA would adopt Sec.  417.23. The FAA 
currently conducts safety inspections to ensure a licensee complies 
with applicable regulations, the terms and conditions of its license, 
and representations the licensee made in its application.
    Compliance monitoring requirements are codified in Sec. Sec.  
417.23, 431.83, and 435.51. Section 417.23 requires that a launch 
operator cooperate with and allow Federal officers or employees access 
to observe any of its activities associated with the conduct of a 
licensed launch, and provide the FAA with a console for monitoring the 
countdown's progress, and the communication on all channels of the 
countdown communication network. The requirements of Sec. Sec.  
417.23(a) and 431.83 are nearly identical in that both require a 
licensee to cooperate with and

[[Page 15375]]

to allow Federal officers or employees access to observe any of its 
activities associated with the conduct of a licensed RLV mission. 
However, unlike Sec.  417.23, Sec.  431.83 does not require a licensee 
to provide a console to the FAA for monitoring all the channels on the 
countdown communication network.
    Monitoring the communications channels--including countdown, 
anomaly, range coordination, surveillance, and weather--is a vital part 
of compliance monitoring and safety inspection operations, regardless 
of operation type. Under part 417, a licensee cooperates with the FAA 
and provides its inspectors with access and consoles to observe the 
activities associated with the licensed launch. As a result, the FAA is 
able to monitor all communication channels, and has access to the 
safety official and the mission director through the communications 
panel and through a phone line. FAA inspectors regularly monitor an 
operator's communications channels. In doing so, an inspector can 
become aware of issues that arise during a countdown. These issues may 
include vehicle health, ground operations, FSS health, range readiness, 
clearance of surveillance and hazard areas, weather, and countdown 
procedures. Additionally, listening to the communications channels also 
gives an inspector a sense of an operator's safety culture, rigor, and 
readiness. In addition, inspectors can communicate face-to-face with 
the safety official and the mission director, if necessary, because 
they are typically collocated.
    Although there is a requirement in part 431, and incorporated by 
reference in part 435, that an operator cooperate with safety 
inspectors, there is no specific requirement for the licensee to 
provide access to all communication channels. The FAA has had to 
discuss with the operator what channels will be available for 
monitoring during these operations. Some operators have contended that 
their employees will not be as forthcoming with information if they 
know FAA inspectors are listening. However, being able to hear how the 
operator communicates during critical operations is necessary for 
inspectors to determine compliance and to address problems before they 
occur. Since inspectors cannot physically listen to all channels 
concurrently, an inspector will listen to one or more channels that can 
provide situational awareness and information used to determine 
compliance. The necessary discussions require additional time and may 
cause a delay, consume man-hours, and is a cost to both the government 
and the operator during the license application phase, or potentially 
during a launch countdown.
    Regarding the contention that personnel are less likely to discuss 
problems if inspectors are monitoring their conversation, the FAA 
strives to be as unobtrusive as possible so as not to affect 
operations. Additionally, the purpose of compliance monitoring is not 
to punish operators. Rather, channel monitoring and on-site inspection 
allows inspectors to identify potential licensing issues and alert the 
operator, so it can take action to maintain or return to compliance. 
This approach ensures safety while minimizing impacts to the operator. 
There have been many instances where inspectors noticed incorrect test 
setups for FSS checks, for example, or other issues during compliance 
monitoring that would affect public safety, and informed the operator 
so they could be corrected before safety was impacted.
    Compliance monitoring is important for ensuring public safety and 
requires that FAA safety inspectors be exposed to actual operations in 
order to be trained, qualified, and capable of performing their safety-
critical role. Because safety inspectors are trained to detect non-
compliances, they need to have access to, and the discretion to see and 
hear, as much of the operation as they deem necessary. Observing 
activities for training and familiarization purposes benefits both the 
inspectors and the operator because the more familiar an inspector is 
with an operation, the better he or she can perform the inspection. 
Knowledgeable inspectors cause less operational impacts because they 
ask fewer questions and are less likely to incorrectly identify a non-
compliance.
    The FAA proposes to combine the compliance monitoring requirements 
of Sec. Sec.  417.23 and 431.83 in proposed Sec.  450.209. The proposed 
regulation would primarily adopt those requirements in Sec.  417.23, 
but ``launch operator'' would be replaced by ``licensee'', and 
``licensed launch'' would be replaced by ``licensed launch or 
reentry.'' Additionally, the FAA proposes to allow an operator the 
option to provide the FAA with means other than a console for 
monitoring the communication and countdown channels. For example, a 
smaller company may operate without consoles, in which case the 
operator may provide the FAA with radio monitoring and a location in 
close proximity to the necessary data to monitor launch. As a result, 
the compliance monitoring requirements of proposed Sec.  450.209 would 
apply to all launch and reentry operations, thereby capturing licensed 
launch operations under current part 417 and licensed RLV operations 
under current part 431. Proposed Sec.  450.209 also codifies current 
FAA practice for conducting compliance monitoring of part 435 
operations.
    Proposed Sec.  450.209(b) would require the licensee to provide the 
FAA with a console or other means for monitoring the countdown and 
communication network. This proposed requirement would alleviate the 
issues that result from extended negotiations. The option for ``other 
means'' would provide the operator with some flexibility, as the FAA 
recognizes that operations may occur with temporary infrastructure and 
a console may be an unrealistic request. In this case, the operator 
would be expected to provide the FAA with an alternative method to 
monitor communications that is approved by the FAA prior to operations.

I. Registration of Space Objects

    The FAA proposes to consolidate the requirements for the 
registration of space objects in proposed Sec.  450.217 (Registration 
of Space Objects). These requirements currently reside in Sec. Sec.  
417.19 and 431.85 and are largely identical. This proposal would not 
change the substantive requirements of either section, except to add a 
registration requirement for objects owned by a foreign entity.
    The 1975 Convention on Registration of Objects Launched into Outer 
Space (Registration Convention), to which the United States is a 
signatory, requires details about the orbit of each space object. To 
that end, current regulations require an applicant to provide 
information on space objects that the FAA forwards to the Department of 
State. The Department of State then registers the objects with the 
United Nations as required by the Registration Convention. Since 
enacting these current regulations, the Department of State has 
requested that the FAA also provide this information for objects 
possibly owned by foreign entities.
    Current registration of space objects requirements is codified in 
Sec.  417.19, applicable to ELVs, and Sec.  431.85, applicable to RLVs. 
The two provisions are substantively identical in all respects but one. 
That is, they both require the registration of any object placed in 
space by a licensed mission, unless the object is owned and registered 
by the U.S. Government or owned by a foreign entity. Similarly, both 
sections require the licensee to submit information about the space 
object's international designator, the date and location of the 
mission, the general function of the space object, and

[[Page 15376]]

the final orbital parameters. The sole substantive distinction is that 
Sec.  431.85 also requires an operator to notify the FAA when it 
removes a space object.
    Proposed Sec.  450.217 would deviate from current Sec. Sec.  417.19 
and 431.85 by requiring the registration of foreign-owned space 
objects. The FAA would not require the licensee to determine the 
owner's nationality. The Department of State would use this information 
to ensure that other nations meet their obligations by registering 
their foreign objects. Proper registration of all objects owned by 
foreign entities would allow for the protection of the United States 
from liability associated with these objects.
    Otherwise, the FAA would retain the same informational 
requirements. It would continue to require a licensee to submit 
information about the space object's international designator, the date 
and location of the mission, the general function of the space object, 
and the final orbital parameters. Additionally, proposed Sec.  450.217 
would retain current Sec.  431.85's requirement that an operator notify 
the FAA when it removes a space object.

J. Public Safety Responsibility, Compliance With License, Records, 
Financial Responsibility, and Human Spaceflight Requirements

    The FAA is not proposing any substantive changes to the 
requirements specified below. However, the agency is proposing to 
consolidate these requirements into the new, proposed part 450; clarify 
that the consolidated requirements apply to any licensed launch or 
reentry; and make other minor, clarifying edits. The following is a 
summary of the proposed changes:
1. Public Safety Responsibility and Compliance With License
    The FAA would consolidate the public safety responsibility 
requirements in current Sec. Sec.  417.7 and 431.71(a) into proposed 
Sec.  450.201 (Public Safety Responsibility). Also, the FAA would move 
the compliance requirement in current Sec.  431.71(b) to its own 
section, proposed Sec.  450.203, Compliance with License. Although the 
location of these requirements would change, the requirements 
themselves would not change.
    Therefore, proposed Sec.  450.201 would provide that a licensee is 
responsible for ensuring public safety and safety of property during 
the conduct of a licensed launch or reentry. Proposed Sec.  450.203 
(Compliance with License) would require that a licensee conduct a 
licensed launch or reentry in accordance with representations made in 
its license application, the requirements of proposed part 450, 
subparts C and D, and the terms and conditions contained in the 
license.
    The proposed requirement for a licensee to conduct a licensed 
launch or reentry in accordance with representations made in its 
license application is the same, in substance, to Sec. Sec.  417.11(a) 
and 431.71(b). Section 417.11(a) states that a launch operator must 
conduct a licensed launch and carry out launch safety procedures in 
accordance with its application. Section 431.71(b) states that a 
licensee must conduct a licensed RLV mission and perform RLV safety 
procedures in accordance with representations made in its license 
application. The fact that representations made in a license 
application become binding on a licensee is discussed earlier in this 
preamble.
    The proposed requirement for a licensee to conduct a licensed 
launch or reentry in accordance with the requirements of proposed part 
450, subparts C and D, is the same, in substance, to Sec.  
417.1(b)(2)'s treatment of part 417 requirements. Section 417.1(b)(2) 
states that the safety requirements of part 417, subparts B through E, 
apply to all licensed launches of expendable launch vehicles. Part 431 
does not have a similar requirement because application requirements 
and safety requirements are interlinked, leaving uncertain the actual 
safety requirements under a license. Note that in subpart C, the 
application requirement paragraphs do not apply once a license is 
issued, unless a licensee applies for a modification.
    The proposed requirement for a licensee to conduct a licensed 
launch or reentry in accordance with the terms and conditions contained 
in the license is the same, in substance, to Sec. Sec.  415.9(b) and 
431.71(b). Section 415.9(b) states that a launch license authorizes a 
licensee to conduct a launch or launches subject to the licensee's 
compliance with terms and conditions contained in license orders 
accompanying the license. Section 431.71(b) states that a licensee's 
failure to comply with any license condition is sufficient basis for 
the revocation of a license or other appropriate enforcement action. 
The FAA includes terms and conditions in a license to address license-
specific requirements. Under the proposal, a licensee's failure to act 
in accordance with these items would be sufficient basis to revoke a 
license, or some other appropriate enforcement action.
2. Financial Responsibility
    The FAA would consolidate the current financial responsibility 
requirements in Sec. Sec.  417.21 and 431.81 into proposed Sec.  
450.205 (Financial Responsibility Requirements). Although the location 
of the requirements would change, the requirements themselves would not 
change.
    As such, the proposed regulation would require a licensee to comply 
with financial responsible requirements as required by part 440, and as 
specified in a license or license order.
3. Human Spaceflight
    The FAA would consolidate the human spaceflight requirements in 
current Sec. Sec.  415.8, 431.8, and 435.8 into proposed Sec.  450.207 
(Human Spaceflight Requirements). The proposal would require a licensee 
conducting a launch or reentry with a human being on board the vehicle 
to comply with human spaceflight requirements as required by part 460 
of this chapter and as specified in a license or license order. 
Although the location of the requirements would change, the 
requirements themselves would not change.
4. Records
    The FAA would consolidate the current record requirements in 
Sec. Sec.  417.15(a) and (b) and 431.77(a) and (b) into proposed Sec.  
450.219(a) and (b). However, the FAA would replace the terms ``launch 
accident'' and ``launch incident'' in Sec.  417.15(b) and the terms 
``launch accident,'' ``reentry accident,'' ``launch incident,'' and 
``reentry incident'' in Sec.  431.77(b) with ``class 1 or class 2 
mishap.'' As discussed in more detail earlier in this preamble, the FAA 
proposes to replace current part 401 definitions involving 
``accident,'' ``incident,'' and ``mishap'' with specified mishap 
classes.
    The proposed regulation would require an operator to maintain, for 
3 years, all records, data, and other material necessary to verify that 
a launch or reentry is conducted in accordance with representations 
contained in the operator's application, the requirements of subparts C 
and D, and the terms and conditions contained in the license. To 
satisfy this requirement, the FAA expects an operator to keep a record 
of the actual conditions at the time of flight and any deviations 
outside of the flight commit criteria as specified in the current Sec.  
417.113(c). Similar to current requirements, in the event of a class 1 
or class 2 mishap, an operator would be required to preserve all 
records related to the event until the completion of any

[[Page 15377]]

Federal investigation (which could be greater than 3 years) and the FAA 
has notified the operator that the records need no longer be retained. 
The operator would need to make all records required to be maintained 
under the regulations available to Federal officials for inspection and 
copying.

K. Applicability

1. General
    Proposed Sec.  450.1 (Applicability) would state that part 450 
prescribes requirements for obtaining and maintaining a license to 
launch, reenter, or both launch and reenter, a launch or reentry 
vehicle. As discussed previously, proposed part 450 would consolidate 
licensing requirements currently covered in parts 415, 417, 431, and 
435.
2. Grandfathering
    Under proposed Sec.  450.1(b), proposed part 450 would not apply to 
any launch or reentry that an operator elects to conduct pursuant to a 
license issued by the FAA or an application accepted by the FAA prior 
to the effective date of proposed part 450, with two exceptions. The 
proposed requirements for collision avoidance analysis (COLA) and asset 
protection would apply to all operators subject to the FAA's authority 
under 51 U.S.C. chapter 509 who are conducting launches after the 
effective date of the new regulations. The FAA would determine the 
applicability of proposed part 450 to an application for a license 
modification submitted after the effective date of the part on a case-
by-case basis.
    The proposed regulations are more performance based, and many of 
the current requirements would serve as a means of compliance to meet 
the proposed regulations. As a result, activities authorized under the 
existing regulations would be authorized under the proposed 
regulations. The FAA proposes to allow an operator to operate under the 
current regulations (specifically, parts 401, 415, 417, 431, and 435) 
when conducting a launch after the effective date of new part 450 
provided it holds a license or has had a license application accepted 
prior to the effective date of this regulation. Pursuant to Space 
Policy Directive-3 \184\ (SPD-3), proposed Sec.  450.169 and proposed 
appendix A to part 450 would align the COLA criteria with current 
common practice and provide better protection for inhabitable and 
active orbiting objects. Additionally, Sec.  450.101 would require that 
the probability of loss of functionality for each critical asset must 
not exceed 1 x 10^-\3\ to protect national assets. For that 
reason, the FAA is proposing that all operators would be required to 
comply with these two provisions on this rule's effective date.
---------------------------------------------------------------------------

    \184\ Space Policy Directive-3, National Space Traffic 
Management Policy, 83 FR 28969 (June 21, 2018).
---------------------------------------------------------------------------

    Because many of the current regulations would serve as a means of 
compliance for the proposed regulations, the FAA would review license 
modifications that applied the current regulations as means of 
demonstrating compliance with the proposed regulations. Additionally, 
an operator could use a means of compliance other than the current 
regulations to demonstrate compliance in a license modification 
request. The FAA would determine the applicability of proposed part 450 
to an application for a license modification submitted after the 
effective date of the part on a case-by-case basis. The FAA does not 
anticipate that a vehicle operator would have any greater difficulty 
meeting the requirements under the proposed regulations than under the 
existing regulations. In fact, the FAA believes that the proposed 
regulations are more flexible because most allow for many different 
means of compliance.
    An applicant for a renewal would be required to meet all the 
requirements of proposed part 450. The FAA anticipates that this would 
not be burdensome for operators seeking license renewals because there 
would be few, if any, additional application requirements that could 
not be fulfilled by reference to previously submitted information.

L. Equivalent Level of Safety

    In addition to developing performance-based requirements, this 
proposal would preserve the equivalent-level-of-safety flexibility by 
relocating the provision to proposed Sec.  450.37. Unlike using a means 
of compliance, which requires demonstration of compliance with a 
performance-based regulation, the ELOS provision would continue to 
allow an applicant to propose an alternative method to meet the safety 
intent of a current regulatory requirement. For example, Sec.  
450.117(d)(3) would require representative normal flight trajectory 
analysis outputs for each one second of flight. An applicant may wish 
to request an ELOS determination to the one-second interval, and the 
FAA would likely accept it if an alternative interval provides smooth 
and continuous individual PC contours.
    To demonstrate equivalent level of safety, an operator would 
provide a clear and convincing demonstration, through technical 
rationale, that the proposed alternative approach provided a level of 
safety equivalent to the requirement it would replace. An ELOS 
determination means an approximately equal level of safety as 
determined by qualitative or quantitative means. Under Sec.  450.37(b), 
an operator would not be able to use an ELOS determination to replace 
the public risk criteria set forth in Sec.  450.101.
    In 2018, the FAA issued a final rule that expanded the option to 
satisfy commercial space transportation requirements by demonstrating 
an equivalent level of safety in order to provide more choice to 
operators and reduce the number of waivers that must be prepared by 
industry and processed by the government.\185\ To utilize the option, 
operators are required to demonstrate that they are achieving a level 
of safety equivalent to any safety parameters specified in the 
regulations. The FAA evaluates every request for an alternative means 
of regulatory compliance under the ELOS provisions to ensure that the 
safety of the public, property, or any national security or foreign 
policy interest of the United States is maintained to be consistent 
with the requirements in 14 CFR chapter III. The FAA would preserve the 
process established in the 2018 rulemaking, and would include its ELOS 
determination as part of any license issued applying this provision.
---------------------------------------------------------------------------

    \185\ Updates to Rulemaking and Waiver Procedures and Expansion 
of the Equivalent Level of Safety Option, Final Rule, 83 FR 28528 
(June 20, 2018).
---------------------------------------------------------------------------

    The FAA requests comment on the potential use of ``safety cases'' 
when demonstrating an equivalent level of safety under proposed Sec.  
450.37. A safety case is a structured argument, supported by a body of 
evidence that provides a compelling, comprehensive, and valid case that 
a system is safe, for a given application in a given environment.\186\ 
The ARC report (at p. 25) suggested that FAA review time could be 
minimize if applicant submittals were ``structured as a reasonable 
safety case that the proposed actions are safe under all plausible 
scenarios.'' In fact, the ARC suggested ``safety cases'' could be 
useful options several times. With respect to the proposed regulation, 
a safety case would potentially show that certain requirements 
identified by the applicant, excluding the requirements of Sec.  
450.101, need not be complied with per se in order to demonstrate that 
an alternative approach provides an equivalent level of safety to the

[[Page 15378]]

requirements identified by the applicant.
---------------------------------------------------------------------------

    \186\ This Safety Case definition is from the U.K. Ministry of 
Defence (MOD) Standard 00-56, ``Safety Management Requirements for 
Defence Systems.''
---------------------------------------------------------------------------

    A-P-T Research, Inc., under contract to the FAA, recommended the 
use of a safety case approach as an alternate path to securing a 
license.\187\ The FAA considered proposing a safety case approach to 
demonstrating an equivalent level of safety under proposed Sec.  450.37 
that would include a formal proposal process that must use a means of 
compliance accepted by the Administrator, unless the Administrator 
determines otherwise based on predicted public risks and consequences, 
or demonstrated reliability. The formal proposal process would: (1) 
Facilitate an FAA audit of all risk management methods proposed for 
use, including a demonstration of how the proposed methods can 
demonstrate compliance with Sec.  450.101; (2) implement all the 
recommended improvements from the audit or justify all deviations from 
the recommended improvements; (3) document the risk management methods 
used and the verification evidence to demonstrate compliance with Sec.  
450.101; (4) facilitate an audit by an FAA-approved third party of the 
risk management methods used and the verification evidence to 
demonstrate compliance with Sec.  450.101; and (5) submit the results 
of the third party audit for FAA review and approval. An applicant that 
sought to use this safety case approach would need to submit: (1) A 
description of their plan to facilitate an FAA audit of all risk 
management methods proposed for use, including a demonstration of how 
the proposed methods can demonstrate compliance with Sec.  450.101; (2) 
a description of the improvements implemented based on the FAA audit 
and detailed justifications for any deviations from the FAA recommended 
improvements; (3) a description of the risk management methods used and 
the verification evidence to demonstrate compliance with Sec.  450.101; 
(4) an agreement to facilitate an audit by an FAA-approved third party 
of the risk management methods used and the verification evidence to 
demonstrate compliance with Sec.  450.101; and (5) a description of the 
results of the third party audit. The safety case approach recommended 
by APT included the use of a third party to review. The FAA sees 
potential complications, including liability considerations, when 
involving a third party in the licensing process. The FAA seeks 
comments on the potential usefulness and challenges associated with a 
safety case approach, whether or not a third party would be involved.
---------------------------------------------------------------------------

    \187\ A-P-T Research, Inc. ``A New Path to Launch Licenses,'' 
Doc. No. CDSP-FL004-18-00402 (October 16, 2018).
---------------------------------------------------------------------------

Additional Technical Justification and Rationale

    The sections below provide detailed discussions of flight safety 
analyses and software safety. Additionally, this section discusses the 
numerous conforming changes the FAA proposes to the existing 
regulations in order to implement the proposed regulations.

A. Flight Safety Analyses

    As discussed earlier, for purposes of this proposed rule, an FSA 
consists of a set of quantitative analyses used to determine flight 
commit criteria, flight abort rules, flight hazard areas, and other 
mitigation measures, and to verify compliance with the public safety 
criteria in proposed Sec.  450.101. The FAA proposes 15 sections for 
flight safety analysis, as discussed below.
1. Scope and Applicability
    Proposed Sec.  450.113 establishes the portions of flight for which 
an operator would be required to perform and document an FSA, and would 
describe the analyses required for each type of operation. The portion 
of flight governed by the public safety criteria is central to the 
scope of the FSA.
    The current scope of FSA regulations is laid out in Sec. Sec.  
417.201 and 417.107(b) for ELVs. Specifically, Sec.  417.107(b)(1) 
currently requires that FSAs quantify the collective risks from lift-
off through orbital insertion for orbital launches and from lift-off to 
final impact for suborbital launches. Unfortunately, Sec.  
417.107(b)(2) does not clearly specify the portion of flight for which 
an FSA must quantify the individual risks. In practice, the FAA has 
reconciled this vagueness by requiring the same scope for both 
collective and individual risks: From lift-off through orbital 
insertion for orbital launches and from lift-off to final impact for 
suborbital launches.
    It is also unclear in current regulations what portions of flight 
the FSA needs to cover for RLVs. Section 431.35(b)(1) simply states 
that the collective public risk limit applies to each proposed reentry, 
but does not speak specifically to beginning and end of the period of 
flight that an FSA must analyze. Reentry means to return or attempt to 
return, purposefully, a reentry vehicle from earth orbit or from outer 
space to Earth.\188\ Reentry includes activities conducted in Earth 
orbit or outer space to determine reentry readiness and that are 
critical to ensuring public health and safety and the safety of 
property during reentry flight. The definition also includes activities 
conducted on the ground after vehicle landing on Earth to ensure the 
vehicle does not pose a threat to public health and safety or the 
safety of property. In practice, the FAA has required public risk 
assessments to begin at the final health check prior to initiation of 
de-orbit burn and ending when flight stops, such as splashdown for a 
capsule.
---------------------------------------------------------------------------

    \188\ 14 CFR 401.5.
---------------------------------------------------------------------------

    Further, for both ELVs and RLVs, the current regulations do not 
expressly address the potential public safety hazards caused by the 
disposal of a launch vehicle stage or component from orbit. That is, 
Sec. Sec.  417.107(b) and 431.35(b)(1), in addressing the public risk 
criteria, do not specifically address the disposal of launch vehicle 
stages or components. As discussed earlier, such vehicle disposals have 
become more common in recent years, reflecting the elevated priority 
put on orbital debris mitigation. The FAA explained in the 2016 final 
rule \189\ that when the FAA requires that the quantitative risk 
analysis account for the planned impact of a first stage (or any stage) 
jettisoned prior to orbital insertion, it includes accounting for stage 
impacts regardless of whether the actual impact occurs before or after 
orbital insertion.
---------------------------------------------------------------------------

    \189\ Changing the Collective Risk Limits for Launches and 
Reentries and Clarifying the Risk Limit Used to Establish Hazard 
Areas for Ships and Aircraft, Final Rule. 81 FR 47017 (July 20, 
2016).
---------------------------------------------------------------------------

    For reentry, proposed Sec. Sec.  450.101(b) and 450.113(a)(4) would 
clarify and reduce the period FSAs must analyze when quantifying the 
public risks posed by reentry operations. The proposal would clarify 
that post-flight operations are not included in the safety analyses 
necessary to quantify the public risks posed by reentry operations. In 
Sec.  401.5, the FAA proposes to include a definition for deorbit that 
clarifies that deorbit begins with the final command to commit the 
vehicle to a perigee below 70 nautical miles, approximately 130 km, and 
ends when all vehicle components come to rest on the Earth.
    Proposed Sec.  450.113 replaces Sec.  417.201 to clarify the scope 
and applicability of FSAs. In proposed Sec.  450.113(a)(1), an operator 
would be required to perform and document an FSA for orbital launch, 
from lift-off through orbital insertion,\190\ including any component 
or stage landings. In proposed Sec.  450.113(a)(2), an operator would 
be

[[Page 15379]]

required to perform and document an FSA for suborbital launch, from 
lift-off through final impact. In proposed Sec.  450.113(a)(3), the FAA 
clarifies the scope of disposal FSA that would be necessary to 
demonstrate compliance with the disposal safety criteria in proposed 
Sec.  450.101(d). Specifically, for disposal, an FSA would span from 
the beginning of the deorbit burn through final impact.
---------------------------------------------------------------------------

    \190\ The FAA proposes orbital insertion to mean the point at 
which a vehicle achieves a minimum 70-nautical mile perigee based on 
a computation that accounts for drag. This adopts the definition of 
orbital insertion in RCC 321-17 Standard.
---------------------------------------------------------------------------

    Proposed Sec.  450.113(a)(4) would require an operator to perform 
and document an FSA for reentry, from the beginning of the deorbit burn 
through landing. The proposal is consistent with current practice, but 
would clarify that post-landing activities are not included in the FSA.
    Proposed Sec.  450.113(a)(5) would explicitly address hybrid 
vehicles, which include air-launch rockets released from carrier 
aircraft such as the Pegasus rocket carried by a modified L-1011 
airliner. The proposal would clarify that FSAs generally apply to 
hybrid vehicles, for all phases of flight unless the Administrator 
determines otherwise based on demonstrated reliability. Thus, the 
proposal would enable an operator of a hybrid vehicle with a high level 
of demonstrated reliability for the entire flight or for a phase of 
flight, to be exempt from performing some FSAs without seeking a waiver 
for the flight or phase of flight. Demonstrated reliability refers to 
statistically valid probability of failure estimates based on the 
outcomes of all previous flights of the vehicle or stage. For example, 
if an applicant seeks to operate a hybrid vehicle that features an air-
launch rocket released from a carrier aircraft with minimal 
modification from the original design certified as a commercial 
transport aircraft, the FAA would find certain FSAs not applicable if 
empirical data sufficiently showed that the demonstrated reliability 
and estimated public risks of the system are equivalent to general 
aviation aircraft during a given phase of flight. Specifically, the FAA 
foresees that such an applicant could be exempt from some of the normal 
flight trajectory analysis requirements during the captive carry phases 
of flight if the applicant could demonstrate compliance with the public 
safety criteria in proposed Sec.  450.101 without the benefit of some 
of the normal flight trajectory analysis outputs.
    Proposed Sec.  450.113(b) would identify the specific FSA actions 
applicable to all launch and reentry vehicles (in paragraph (b)(1)), a 
launch or reentry vehicle that relies on an FSS to comply with proposed 
Sec.  450.101 (in paragraph (b)(2)), and launch of an unguided 
suborbital launch vehicle (in paragraph (b)(3)).
2. Flight Safety Analysis Methods
    Proposed Sec.  450.115 (Flight Safety Analysis Methods) would set 
the methodology requirements for FSAs. This section would replace the 
prescriptive requirements currently in Sec.  417.203 and appendices A, 
B, C and I to part 417. Currently, Sec.  417.203(a) requires that FSAs 
meet the requirements for methods of analysis contained in appendices A 
(section A417) and B (section B417) to part 417 for a launch vehicle 
flown with an FSS, and appendices B and C (section C417) for an 
unguided suborbital launch vehicle that uses a wind-weighting safety 
system. Specifically, section A417 provides prescriptive requirements 
on the FSA methodologies and products for a launch vehicle flown with 
an FSS. Section B417 provides prescriptive requirements on the FSA for 
hazard area analyses for ship and aircraft protection. Section C417 
provides prescriptive requirements on the FSA methodologies and 
products for a launch vehicle flown with a wind weighting safety 
system.
    Section 417.203(b) specifically lists the broad categories of 
approved methods of analysis while Sec.  417.203(c) addresses 
requirements for alternate analysis methods. Section 417.203(c) 
currently requires that an alternate FSA method be based on accurate 
data and scientific principles, and is statistically valid. In 
practice, the FAA has evaluated the validity of an applicant's proposed 
methods by comparing the results to valid benchmarks such as data from 
mishaps, test, or validated high-fidelity methods. Section 417.203(e) 
requires that a launch operator demonstrate to the FAA compliance with 
the requirements of part 417, subpart C. In its application, a launch 
operator must include the analysis products required by parts 415, 
subpart F, 417, subpart A, and appendices A, B, C, and I, depending on 
whether the launch vehicle uses an FSS or a wind-weighting safety 
system.
    Pursuant to Sec.  431.35(c), the FSA for an RLV is required to 
account for any reasonably foreseeable hazardous event and safety-
critical system failures during launch flight or reentry that could 
result in a casualty to the public. However, part 431 does not include 
requirements for the methods used to provide an FSA, thus providing no 
standards for evaluating an FSA's validity or level of fidelity. The 
part 431 license applications approved by the FAA included FSA 
methodologies and products comparable to those in 417 license 
applications.
    Proposed Sec.  450.115(a) sets the scope for FSA methods. This 
section would not materially change the scope of the FSA methods under 
current parts 417 and 431, which account for the risk to the public 
from hazards associated with normal and malfunctioning vehicle flight 
in accordance to Sec.  417.205(a). However, proposed Sec.  450.115(a) 
would add language currently not expressly provided in Sec.  417.205(a) 
that would require an operator's FSA method to account for all 
reasonably foreseeable events and failure of safety-critical systems. 
This language is consistent with the current requirement in Sec.  
431.35(c) to account for any reasonably foreseeable hazardous event, 
and safety-critical system failures during launch flight or reentry 
that could result in a casualty to the public.
    Proposed Sec.  450.115(b) would establish the level of fidelity for 
FSAs. Specifically, it would require a level of fidelity sufficient to 
demonstrate that any risk to the public would satisfy the public risk 
criteria of proposed Sec.  450.101, including the use of mitigations, 
accounting for all known sources of uncertainty, using a means of 
compliance accepted by the Administrator. It would also require that 
the analysis identify the dominant source of each type of public risk 
with a criterion in proposed Sec.  450.101(a) or (b) in terms of phase 
of flight, source of hazard (such as toxic exposure, inert, or 
explosive debris), and vehicle response mode. Thus, this proposed rule 
would provide performance targets instead of the current part 417 
approach that mandates a single level of fidelity equivalent to methods 
that comply with the extensive requirements given in the appendices of 
part 417.
    The requirements in proposed Sec.  450.115(b) would account for all 
known sources of uncertainty and identify the dominant sources of risk. 
The proposal would be consistent with the best practices of other 
regulatory agencies that use quantitative risk analyses as part of a 
risk management approach to ensure public safety. The Nuclear 
Regulatory Commission (NRC), which has a long history of performance-
based regulations with quantitative risk analyses to ensure public 
safety, has a long-standing policy to ensure that the quantitative 
techniques used for regulatory decision-making take into account the 
potential uncertainties that exist so that an estimate can be made on 
the confidence level to be ascribed to the quantitative

[[Page 15380]]

results.\191\ The NRC has also found that, through use of quantitative 
techniques, important uncertainties have been, and continue to be, 
brought into better focus and may even be reduced as compared to those 
that would remain with sole reliance on deterministic decision-making. 
The NRC found that direct lack of severe accident experience makes it 
necessary that proper attention be given not only to the range of 
uncertainty surrounding probabilistic estimates, but also to the 
phenomenology that most influences the uncertainties. In other words, 
the NRC found the need to identify the dominant sources of public risks 
and their uncertainties when using quantitative risk analyses to ensure 
public safety.\192\
---------------------------------------------------------------------------

    \191\ Nuclear Regulatory Commission, Nuclear Regulatory Safety 
Policy Goals. 51 FR 28044 (August 21, 1986).
    \192\ The Department of the Interior (DOI), Bureau of 
Reclamation, uses risk criteria for achieving public protection in 
dam safety decision-making in a manner consistent with this proposed 
rule. Specifically, the DOI uses mean values calculated from Monte 
Carlo or similar analyses that include explicit treatment of input 
uncertainty.
---------------------------------------------------------------------------

    The FAA would require that operators use a means of compliance 
accepted by the Administrator for FSA methods. The FAA plans to publish 
a draft version of that AC concurrently with this NPRM. An important 
aspect of that AC is the use of approaches generally consistent with 
the consensus U.S. Government standards on launch and reentry risk 
assessments (e.g., RCC 321). The RCC 321 Standard (paragraph 2.4) 
recognizes that there is significant uncertainty in the computed risks 
of rocket launches and notes that confidence bounds of 90 percent 
describing the uncertainty in the computed risk can span multiple 
orders of magnitude. Thus, the consensus U.S. Government standards on 
launch and reentry risk assessments contains a policy statement that 
uncertainty cannot be ignored. The RCC 321 Supplement further concurred 
with several statements originally made by the NRC, including the 
following three: (1) The use of mean estimates does not, however, 
resolve the need to quantify (to the extent reasonable) and understand 
those important uncertainties involved in risk predictions; (2) 
sensitivity studies should be performed to determine those 
uncertainties most important to the probabilistic estimates; and (3) 
the results of sensitivity studies should be displayed showing, for 
example, the range of variation together with the underlying science or 
engineering assumptions that dominate this variation. Even so, the RCC 
went on to conclude that a formal uncertainty analysis may not be 
necessary under conditions where the best mean estimate of the public 
risk is low relative to the collective risk criterion.
    For this rulemaking, the FAA considered adopting an approach to the 
treatment of uncertainty following RCC 321 Standard and Supplement. The 
FAA requests comment on whether this treatment of uncertainty is 
reasonable. Specifically, the FAA solicits input on the process whereby 
the uncertainty does not have to be considered if the computed risk is 
less than one-third of the primary aggregated collective risk 
criterion.\193\ Current Air Force practice is to include implementation 
of measures to improve risk analyses to reduce the level of uncertainty 
when the predicted risks exceed 3 x 10^-5 EC. 
Examples of that could include refined input data or a higher-fidelity 
method for the risk computations.
---------------------------------------------------------------------------

    \193\ The choice of one-third was consistent with the 
recommendation in AFSPCMAN 91-710 Vol.1, 1 July 2004. Attachment 5 
states that if risk to all individuals from a single hazard exceeds 
an EC of 30 x 10^-6, a range user may have to 
take additional measures to protect personnel and resources. 
Examples include to fix, correct, or improve existing non-
compliances, improve risk analyses to reduce the level of 
uncertainty, require a day-of-launch risk analysis, or establish 
disaster aversion criteria.
---------------------------------------------------------------------------

    Similarly, if the estimated risk level exceeds 3 x 10^-5 
EC, the RCC 321 Standard states that the range should 
compute the uncertainty to ensure that a launch is not allowed that 
would violate the criterion based on best estimates that account for 
uncertainty. There are published examples of uncertainty analyses for 
launch risks that explicitly account for uncertainties associated with 
the input data (e.g., the probability of failure associated with a 
given break-up state vector), and biases and uncertainties in key sub-
models (e.g., the sub-model used to compute the PC given an 
impact with a given piece of debris on a specific structure type). 
However, the end effect of the RCC 321 Standard approach to uncertainty 
treatment is that a range or range user could continue operating under 
current practice, using their current tools without formal uncertainty 
quantification for missions with a collective risk no greater than 3 x 
10^-5 EC. Under the RCC approach, only missions 
that pose collective risks above 3 x 10^-5 EC 
based on point estimates would be required to perform formal 
uncertainty quantification. The FAA requests comment on whether the 
current approaches to uncertainty treatment employed by the RCC or the 
Air Force are viable in the FAA's regulatory framework. The FAA further 
requests comments on any currently available approaches to address 
uncertainties in public risk assessments, including the approach 
identified in the draft means of compliance on uncertainty and level of 
fidelity in FSA methods.
    Proposed Sec.  450.115(b) would require that an operator account 
for all known sources of uncertainty in various FSAs. The FAA intends 
to ensure that FSA methods account for known sources of aleatory 
(random) uncertainties that are the result of inherently random 
processes. An example of aleatory uncertainty is the influence of 
prevailing weather conditions on the results of collective and 
individual risk analyses for launch or reentry. The true EC 
is often highly influenced by the prevailing weather conditions during 
the proposed operation. The uncertainty in the true EC due 
to weather conditions is substantial for a typical baseline risk 
analysis that accounts for the foreseeable weather conditions in a 
given month based upon historical data and assumes that an operation is 
equally feasible under any of those likely weather conditions given all 
the safety and mission assurance constraints. For example, most 
vehicles would not attempt to fly through certain wind conditions due 
to the potential for the vehicle to break up or veer off-course, 
leading to a violation of safety or mission assurance constraints. The 
uncertainty in the true EC for a day-of-launch risk analysis 
is much smaller, but the uncertainty in any forecast or measured 
weather input data will still produce some uncertainty in the 
EC due to measurement errors and variability in the weather 
measurements and forecasts. There are several other potentially 
important sources of aleatory uncertainty in an EC analysis, 
and there are various valid approaches to account for these aleatory 
uncertainties. This proposed rule would require that aleatory 
uncertainties are accounted for, including known sources of randomness 
in critical input data. These would include normal and malfunction 
trajectories, weather conditions, population and sheltering 
characteristics (e.g., between day and night), velocities induced 
during break-up, aerodynamic properties of the vehicle and debris, any 
yield from an explosive impact, and the amount of debris that burns up 
due to aero-thermal heating during re-entry.
    Proposed Sec.  450.115(c) would establish application requirements 
for methods of analysis. Specifically, the proposed rule would require 
that an applicant submit a description of the FSA methodology for each 
launch or reentry approved by the FAA, including identification of the

[[Page 15381]]

scientific principles and statistical methods used, and all assumptions 
and their justifications. However, if the FAA determines that the 
range's FSA methods meets FAA safety requirements, then the operator 
would not be required to provide the FAA with a description of the FSA 
methodology. Also, an applicant would be required to include the 
rationale for the level of fidelity, the evidence for validation and 
verification required by proposed Sec.  450.101(g), the extent that the 
benchmark conditions are comparable to the foreseeable conditions of 
the intended operations, and the extent the analyses accounted for risk 
mitigations. The FAA intends for assumptions to be justified using 
logic, historical flight experience data, relevant test data, and the 
results from physics-based simulations.
3. Trajectory Analysis for Normal Flight
    The FAA proposes a single regulation governing an FSA for normal 
trajectories, applicable to all launch and reentry vehicles, in 
proposed Sec.  450.117 (Trajectory Analysis for Normal Flight). The 
provision would distinguish between variability in the intended 
trajectory and uncertainties due to random sources of dispersion such 
as winds and vehicle performance. It would also clarify application 
requirements.
    All the FSAs depend on some form of analysis of the trajectory 
under normal conditions, otherwise known as a normal trajectory. That 
is, one must first understand a vehicle's trajectory when it performs 
as intended and under normal conditions before one can determine the 
effects of malfunctions along its flight path.
    Current regulations for normal trajectory analyses are found in 
Sec. Sec.  417.207 and 431.35(d) and appendix A to part 417. Section 
417.207 sets the current trajectory analysis requirements for ELVs. 
Section 417.207(a)(1) requires an analysis that establishes the limits 
of a launch vehicle's normal flight, as defined by the normal 
trajectory and potential three-sigma trajectory dispersions about the 
normal trajectory for any time after lift-off. Although this 
requirement is generally clear, the uncertainties the analysis must 
consider could be clearer. For example, the current requirement does 
not distinguish between inherently random uncertainties that could 
cause the actual trajectory to differ from the nominal trajectory, and 
variability in the known conditions immediately prior to the initiation 
of the operation (e.g., weather conditions at the time of the launch or 
the time into a launch window that the launch occurs for a rendezvous 
mission).
    In terms of current RLV regulations in part 431, they describe 
flight trajectory analyses requirements in a single paragraph in Sec.  
431.35(d)(8). Specifically, the FAA requires that applicants provide 
flight trajectory analyses covering launch or ascent of the vehicle 
through orbital insertion and reentry or descent of the vehicle through 
landing, including its three-sigma dispersion. This regulation is 
silent as to the specific uncertainties for which the analysis must 
account. In practice, part 431 license applicants have provided normal 
trajectory data consistent with the part 417 regulations.
    Proposed Sec.  450.117 would retain the substantive normal 
trajectory analysis requirements currently in Sec.  417.207 and the 
definitions of key terms such as ``normal flight'' and ``normal 
trajectory.'' Proposed Sec.  450.117(a)(1) would require a trajectory 
analysis that establishes the limits of a vehicles normal flight. The 
proposal would retain the requirement in Sec.  417.207(a)(1) to 
establish a nominal trajectory where the vehicle performs as designed 
without any deviation due to winds, propulsion performance, or mass 
properties but would add clarity about the sources of uncertainty that 
a trajectory analysis must account for by distinguishing between 
variability and random uncertainty.
    Specifically, the proposal would expressly require a trajectory 
analysis to establish two separate sets of trajectories to characterize 
distinct sources of uncertainty, including variability and random 
uncertainty. One set of normal trajectories in Sec.  450.117(a)(1)(ii) 
would characterize the uncertainty during normal flight due to random 
deviations from ideal conditions, such as wind conditions, vehicle 
mass, and performance characteristics. Another set of normal 
trajectories in Sec.  450.117(a)(1)(i) would characterize how the 
intended trajectory could vary due to conditions known prior to 
initiation of flight. An example of variability is how the intended 
trajectory would change due to different times for lift-off within a 
launch window that lasts several minutes for a mission with an orbital 
rendezvous as the primary objective. Another example of variability is 
how the intended trajectory would change due to wind conditions. In 
such cases, the nominal trajectory represents the most likely lift-off 
time. An FSA must distinguish between variability and random 
uncertainty in the normal trajectory in order to demonstrate that the 
criteria in proposed Sec.  450.101 would be satisfied at any time the 
operator intends to initiate launch or re-entry flight.
    Section 450.117(a)(2) would require a fuel exhaustion trajectory 
that produces instantaneous impact points with the greatest range for 
any given time after liftoff for any stage that has the potential to 
impact the Earth and does not burn to propellant depletion before a 
programmed thrust termination. This is the same as current Sec.  
417.207(a)(2). The FAA is unaware of any challenges with the current 
regulation regarding a fuel exhaustion trajectory.
    For vehicles with an FSS, proposed Sec.  450.117(a)(3) would 
establish a new requirement for trajectory data or parameters that 
describe the limits of a useful mission. The FAA proposes in Sec.  
401.5 to define the ``limits of a useful mission'' as the trajectory 
data or other parameters that describes the limits of a mission that 
can attain the primary objective, including but not limited to flight 
azimuth limits. Thus, the proposal would require an operator to 
establish the limits of a useful mission based on the values of 
trajectory parameters necessary to attain the primary mission 
objective, including flight azimuth limits. Note that the azimuth limit 
data is currently required by the Air Force in Air Force Space Command 
Manual (AFSPCMAN) 91-710 Vol. 2. The limits of a useful mission are 
essential input data for the flight safety limits analysis, and for an 
evaluation of whether a vehicle should be allowed to pass through a 
gate, as discussed later in this preamble.
    Proposed Sec.  450.117(b) would require a final trajectory analysis 
to use a six-degree of freedom trajectory model, and proposed Sec.  
450.117(c) would require a trajectory analysis to account for all wind 
effects, including profiles of winds that are no less severe than the 
worst wind conditions under which flight might be attempted, and for 
uncertainty in the wind conditions. These are similar to Sec.  
417.207(b) and (c), respectively.
    Proposed Sec.  450.117(d) would provide application requirements 
for trajectory analyses that address the proposed methodology, input 
data, and output data. In paragraph (d)(1), an applicant would be 
required to describe the methodology used to characterize normal flight 
and the limits of a useful mission, including the scientific principles 
and statistical methods used, all assumptions and their justifications, 
the rationale for the level of fidelity of the methods, and the 
evidence for validation and verification that would be required by 
proposed Sec.  450.101(g). In paragraph (d)(2), the FAA proposes to 
require that the applicant describe the

[[Page 15382]]

input data used in normal trajectory analyses and provides a list of 
the minimum input data an applicant must describe. In paragraph (d)(3), 
the FAA proposes to require that an applicant describe a representative 
normal trajectory analysis outputs (e.g., position, velocity, and 
vacuum instantaneous impact point) for each second of flight for (1) 
the nominal trajectory, (2) a fuel exhaustion trajectory under 
otherwise nominal conditions, (3) a set of trajectories that 
characterize variability in the intended trajectory based on conditions 
known prior to initiation of flight, (4) a set of trajectories that 
characterize how the actual trajectory could differ from the intended 
trajectory due to random uncertainties, and (5) a set of trajectories 
that characterize the limits of a useful mission as described in 
proposed Sec.  450.117(a). The proposed application requirements 
provide regulatory clarity regarding the normal trajectory 
characterization necessary to ensure compliance with proposed Sec.  
450.101.
    Note that in this proposed section, and other proposed flight 
safety analysis application requirements, the FAA requires 
representative data. This allows the FAA to evaluate an applicant's 
methodologies. Representative data should be the best, meaning the most 
realistic, data available given the intended flight parameters.
    The applicant would also be required to submit additional products 
that allow the FAA to conduct an independent analysis, if requested by 
the Administrator. This same application requirement would also be in 
proposed Sec. Sec.  450.119 through 450.141. At times, the FAA conducts 
independent flight safety analyses which usually require additional 
information than is normally required of an applicant. Instead of 
attempting to list out what is needed for every independent analysis, 
which is usually case-specific, the FAA proposes to simply state that 
more information may be necessary. The FAA's conduct of an independent 
analysis is usually reserved for new vehicle concepts, new analysis 
methods, or proposals that involve unique public safety issues.
4. Trajectory Analysis for Malfunction Flight
    Proposed Sec.  450.119 (Trajectory Analysis for Malfunction Flight) 
would consolidate trajectory analysis requirements for all launch and 
reentry vehicles. In consolidating, the FAA would also update its 
requirements to reflect advancements in trajectory analysis 
capabilities and clarify application requirements. A malfunction 
trajectory analysis is necessary to determine how far a vehicle can 
deviate from its normal flight path in case of a malfunction. This 
analysis helps determine impact points in case of a malfunction and is 
therefore a vital input for the analyses needed to demonstrate 
compliance with risk criteria. The FAA's current regulations covering 
trajectory analyses in case of malfunction are in Sec.  417.209 
(Malfunction turn analysis), appendix A to part 417, and Sec.  
431.35(d)(8).
    Current Sec.  417.209 sets forth the trajectory analysis 
requirements in case of a malfunction applicable to ELVs. Section 
417.209(a)(1) requires a trajectory analysis to establish the launch 
vehicle's turning capability in the event of a malfunction during 
flight using a set of turn curves. Appendix A to part 417 (section 
A417.9) also provides more detailed and prescriptive requirements for 
analyzing ``turn curves.'' Turn curve data offered a reasonable way to 
simulate failures that produce trajectory departures, particularly in 
response to thrust offsets when computational limitations made it 
impractical to perform six degrees of freedom (6-DOF) simulations of 
malfunction trajectories.
    In the past, turn curves produced a reasonable way to model the 
classic cornus spiral behavior associated with a constant thrust offset 
or nozzle burn-through. Thus, Sec.  417.209(b) requires a set of turn 
curves to establish the launch vehicle velocity vector turn angle from 
the nominal launch vehicle velocity vector, and to establish the 
vehicle velocity turn magnitude from the nominal velocity magnitude. 
There are two fundamental types of malfunction turn curves: (1) One 
that shows how the magnitude velocity changes during the turn; and (2) 
the other for the direction of the velocity. Given advancements in 
computational capabilities, the use of turn curves as mandated by the 
current regulations constitutes an outdated and unnecessarily 
simplified analysis technique. For instance, through current 
computational capabilities, particularly the prevalence of 6-DOF 
trajectory models, it is generally more efficient and more accurate for 
an applicant to provide sets of Monte Carlo trajectories that 
characterize a given type of malfunction, even for the thrust vector 
offsets and nozzle burn-through, than to provide turn curve data.
    The current RLV regulations in part 431 do not explicitly address 
malfunction trajectory analyses. Section 431.35(d)(8) describes flight 
trajectory analysis requirements in a single paragraph. It requires 
that applicants provide flight trajectory analyses covering launch or 
ascent of the vehicle through orbital insertion and reentry or descent 
of the vehicle through landing, including its three-sigma dispersion. 
In practice, part 431 license applicants have provided malfunction 
trajectory analyses consistent with the part 417 regulations. However, 
the lack of clarity regarding the malfunction trajectory analysis 
requirements and ensuing discussions between the FAA and operators has 
resulted in inefficiencies and delays in the licensing process.
    Proposed Sec.  450.119 would consolidate all trajectory analysis 
requirements for a malfunctioning flight which would be applicable to 
any launch or reentry vehicle. Based on the noted advancements in 
computational capabilities that have rendered the current use of turn 
curves outdated and over simplistic, the FAA proposes to remove the 
Sec.  417.209(b) requirements related to turn curves in favor of more 
modern Monte Carlo methods. Proposed Sec.  450.119(b) would provide 
performance-based requirements regarding what a malfunction trajectory 
analysis must account for, including applicable times in flight and 
valid trajectory time intervals. Specifically, the proposal would 
require the analysis to account for (1) all trajectory times during the 
thrusting phases or when the lift vector is controlled during flight, 
(2) the duration starting when a malfunction begins to cause each 
flight deviation throughout the thrusting phases of flight, and (3) 
trajectory time intervals between malfunction turn start times that are 
sufficient to establish flight safety limits, if any, and individual 
risk contours that are smooth and continuous. The proposal would retain 
in Sec.  450.119(b)(4) the performance-based requirement currently in 
Sec.  417.209(a)(3) to establish the relative probability of occurrence 
of each malfunction turn of which the vehicle is capable. In proposed 
Sec.  450.119(b)(5), the analysis would also have to account for the 
probability distribution of position and velocity of the vehicle when 
each malfunction will terminate due to vehicle breakup, along with the 
cause of termination and the state of the vehicle.\194\ Finally, in 
proposed Sec.  450.119(b)(6), the analysis would establish the 
vehicle's flight behavior from the time when a malfunction begins to 
cause a flight deviation until ground impact or predicted structural 
failure, with trajectory time intervals that are

[[Page 15383]]

sufficient to establish individual risk contours that are smooth and 
continuous.
---------------------------------------------------------------------------

    \194\ The proposed Sec.  450.119(b)(5) requirement would be 
equivalent to the Sec.  417.209(a)(4) through (9) requirements. 
Under Sec.  417.209, the FAA prescribed the use of ``turn curves'' 
that were a particular way to compute the position and velocity at 
the end of a malfunction trajectory.
---------------------------------------------------------------------------

    Finally, proposed Sec.  450.119(c) would provide application 
requirements for malfunction trajectory analyses that address the 
proposed methodology, input data, and output data. An applicant would 
be required to describe the methodology used to characterize 
malfunction flight including the same elements required for the normal 
trajectory analyses. The FAA proposes to require that an applicant 
describe the input data used in malfunction trajectory analyses and 
provides a list of the minimum data an applicant must describe. The FAA 
also proposes to require that an applicant describe representative 
malfunction trajectory analysis outputs (e.g., position, velocity, and 
vacuum instantaneous impact point) for each second of flight and for 
the probability of each trajectory that characterizes a type of 
malfunction flight. Finally, the FAA may also request additional 
products to conduct an independent analysis. These proposed application 
requirements are consistent or less burdensome than current 
requirements.
5. Debris Analysis
    Proposed Sec.  450.121 (Debris Analysis) would set the requirements 
for debris analysis by revising current requirements in Sec.  417.211 
(Debris analysis), accounting for part 431 practices not fully 
expressed in the regulatory language, consolidating requirements from 
Sec.  417.107 (Flight Safety), and removing overly prescriptive and 
burdensome requirements from Appendix A to part 417.
    Under Sec.  417.211(a), a debris analysis must identify the inert, 
explosive, and other hazardous vehicle debris that results from normal 
and malfunctioning flight. Section 417.211(b) specifies that a debris 
analysis must account for various causes of a launch vehicle breakup. 
This analysis includes debris from any flight termination system 
activation, launch vehicle explosion, aerodynamic loads, inertial 
loads, atmospheric reentry heating, and impact of an intact vehicle. 
Section 417.211(c) asks for a list of debris fragments for each cause 
of breakup and any planned jettison of debris, launch vehicle 
components, or payload. Also, Sec.  417.107(c) contains debris 
threshold requirements for debris analysis and appendix A to part 417 
(section A417.11) provides detailed direction on the debris analysis 
constraints, debris models, and other debris analysis products.
    Although part 431 does not expressly ask for a debris analysis, the 
FAA has deemed Sec.  431.35(b) to require one, applying the same 
standards as those in part 417. However, this lack of regulatory 
specificity in part 431 has led to longer pre-application consultation 
periods as the FAA and operators worked to ascertain the applicable 
requirements.
    Proposed Sec.  450.121 would provide performance-based regulations 
regarding the level of fidelity required for key elements of a valid 
debris analysis. Proposed Sec.  450.121(a) would include a debris 
analysis that characterizes the debris generated for each foreseeable 
vehicle response mode as a function of vehicle flight time, accounting 
for the effects of fuel burn and any configuration changes.
    The FAA proposes to add the references to fuel burn and 
configuration changes that are absent from current part 417 because an 
operator's debris list will change over time with variations to the 
amount of available propellant and with the jettisoning of hardware.
    Proposed Sec.  450.121(b) would require that the debris analysis 
account for each foreseeable cause of vehicle breakup, including any 
breakup caused by an FSS activation or by impact of an intact vehicle. 
This proposal would include debris from a vehicle's jettisoned 
components and payloads because such debris could cause a casualty due 
to impact with an aircraft or waterborne vessel or could pose a toxic 
or fire hazard. This proposal is consistent with the ARC recommendation 
to develop a process for a debris catalogue. Foreseeable causes of 
vehicle breakup would include engine or motor explosion, or exceeding 
structural limits due to aerodynamic loads, inertial loads, or 
aerothermal heating.
    Proposed Sec.  450.121(c) is substantively the same as Sec.  
417.107(c). The section contains the debris thresholds requirements. It 
would adopt the references to inert, explosive, and other hazardous 
vehicle debris currently in Sec.  417.211(a). The inert debris 
requirement would include all debris that could impact a human being 
with a mean expected kinetic energy at impact greater than or equal to 
11 ft-lbs, or mean impact kinetic energy per unit area of 34 ft-lb/
in\2\. The required thresholds are well-established standards used by 
Federal launch ranges. In general, the 11 ft-lb requirement is the 
primary threshold for debris, whereas the 34 ft-lb/in\2\ is for 
penetrating injuries. This paragraph also would clarify the need to 
consider the effects of all inert debris on aircraft or waterborne 
vessels, or those that pose a toxic or fire hazard. The debris analysis 
would also be required to identify any explosive debris.
    Proposed Sec.  450.121(d) would provide the debris analysis 
application requirements. This paragraph would inherit, in a less 
detailed and prescriptive manner, the requirements in appendix A to 
part 417, section A417.11. It would expressly identify the information 
and data needed by the FAA to evaluate compliance with the regulatory 
requirements. Proposed Sec.  450.121(d) would describe the level of 
fidelity required for the products of a debris analysis including (1) a 
description of the debris analysis methodology, including input data, 
assumptions, and justifications for the assumptions; (2) a description 
of all vehicle breakup modes and the development of debris lists; and 
(3) all debris fragment lists necessary to quantitatively describe the 
physical, aerodynamic, and harmful characteristics of each debris 
fragment or fragment class. Finally, as discussed earlier, the 
applicant would be required to provide additional products as requested 
by the FAA to conduct an independent analysis to ensure that public 
safety criteria are satisfied.
6. Flight Safety Limits Analysis
    Proposed Sec.  450.123 would set the requirements to identify 
uncontrolled areas and establish flight safety limits that define when 
an operator must initiate flight abort to (1) ensure compliance with 
the public safety criteria of proposed Sec.  450.101 and (2) prevent 
debris capable of causing a casualty from impacting in uncontrolled 
areas if the vehicle is outside the limits of a useful mission.
    Current Sec.  417.213(a) requires that a flight safety limits 
analysis identify the location of populated or other protected areas 
and establish flight safety limits to define when an FSS must terminate 
a launch vehicle's flight to prevent hazardous impacts from reaching 
any protected area and ensure that the public risk criteria of Sec.  
417.107(b) are satisfied. Section 417.3 currently defines a flight 
safety limit as criteria to ensure a set of impact limit lines 
established for the flight of a launch vehicle flown with an FSS bound 
the area where debris with a ballistic coefficient of 3 psf or more is 
allowed to impact when an FSS functions. Thus, Sec.  417.213(a) and the 
definition of flight safety limit require that any populated area be 
protected by flight safety limits from where the FSS must be activated. 
This requirement is not consistent with operations on Federal launch 
ranges

[[Page 15384]]

that allow potential debris impact in populated areas inside the impact 
limit lines, as long as the individual and collective public risks 
remain within acceptable limits.
    The requirements in Sec.  417.213(b) are specific about potential 
contributors to the vehicle and debris dispersions for which the flight 
safety limits analysis must account including time delays, all wind 
effects, velocity imparted to vehicle fragments by breakup, all lift 
and drag forces on the malfunctioning vehicle and falling debris, all 
launch vehicle guidance and performance errors, all launch vehicle 
malfunction turn capabilities, and any uncertainty due to map errors 
and launch vehicle tracking errors.
    Section 417.213(d) requires that the analysis establish designated 
impact limit lines to bound the area where debris with a ballistic 
coefficient of 3 psf is allowed to impact, assuming the FSS functions 
properly. In contrast, part 431 does not contain any express 
requirements for a flight safety limits analysis to set flight safety 
limits. That being said, part 431 license applicants have performed a 
flight safety limits analysis mirroring part 417 requirements in cases 
where an FSS was employed to satisfy the public risk criteria in Sec.  
431.35(b).
    The FAA proposes to move the definition of ``flight safety limit'' 
from current Sec.  417.3 to Sec.  401.5 and update the definition to 
mean criteria to ensure that public safety is protected from the flight 
of a vehicle when an FSS functions properly. Thus, the proposal would 
remove any ballistic coefficient threshold from the definition of a 
flight safety limit. As previously discussed, the Air Force has 
permanently waived its previous requirement that embedded a specific 
ballistic coefficient threshold into the flight safety limits, and the 
FAA has also waived the corresponding requirement in Sec.  
417.213(d).\195\ When the FAA adopted the 3 psf ballistics coefficient 
standard (in 2006), the FAA recognized that ballistic coefficient is 
not well correlated with the probability of a casualty producing 
impact.\196\ Simply put, ballistic coefficient is an imperfect 
surrogate that was adopted based on past practice when computers were 
less capable than today.
---------------------------------------------------------------------------

    \195\ 81 FR 1470 (January 12, 2016).
    \196\ Licensing and Safety Requirements for Launch, NPRM. 67 FR 
49464 (October 28, 2002).
---------------------------------------------------------------------------

    In Sec.  401.5, the proposal would also replace the term 
``protected area'' with ``uncontrolled area,'' defined as an area of 
land not controlled by a launch or reentry operator, a launch or 
reentry site operator, an adjacent site operator, or other entity by 
agreement. This change reflects the fact that all members of the 
public, even those in areas of land controlled by a launch operator, 
are protected to the extent that collective and individual public risk 
limits apply everywhere. Specifically, proposed Sec.  450.123(a) would 
require protection of uncontrolled areas by flight safety limits and 
ensure compliance with the public safety criteria of proposed Sec.  
450.101, while controlled areas would be required to meet only the 
collective and individual risk requirements (also in accordance with 
proposed Sec.  450.101).
    The FAA intends to assess the need for flight safety limits to 
protect environmentally-sensitive areas in the environmental review 
process of proposed Sec.  450.47. The FAA anticipates that not all 
environmentally-sensitive areas will need this protection. For example, 
current practice for launches from the Western Range protects a 
National Marine Sanctuary in the Pacific Ocean against planned impacts 
of jettisoned items, but not against debris from a flight abort.
    Proposed Sec.  450.123(a) would require an FSA to identify the 
location of uncontrolled areas and establish flight safety limits that 
would define when an operator must initiate flight abort to prevent 
debris capable of causing a casualty from impacting in uncontrolled 
areas if the vehicle is outside the limits of a useful mission, and to 
ensure compliance with the public safety criteria of proposed Sec.  
450.101. Given flight safety limits are only required to protect people 
in uncontrolled areas and not people in controlled areas, the proposal 
would reconcile the current inconsistency between the part 417 
requirements versus the current practice at some Federal launch ranges 
that allows the public's exposure to debris hazards as long as the 
collective and individual risk criteria are met.
    Proposed Sec.  450.123(b) would require a flight safety limits 
analysis to identify flight safety limits for use in establishing 
flight abort rules. The flight safety limits would be required to 
account for temporal and geometric extents on the Earth's surface of 
any vehicle hazards resulting from any planned or unplanned event for 
all times during flight, and account for potential contributions to the 
debris impact dispersions. This is the same as Sec.  417.213(b). 
Proposed Sec.  450.123(b)(3) would add a requirement to design flight 
safety limits to avoid flight abort under conditions that result in 
increased collective risk to people in uncontrolled areas, compared to 
continued flight. The proposed requirement is equivalent to the U.S. 
Government consensus standard that a conditional risk management 
process should be implemented to ensure that mission rules do not 
induce unacceptable consequences when they are implemented.\197\ In the 
flight safety context, a flight abort is a good example of a safety 
intervention intended to mitigate public risks, but that typically 
induces a conditional risk (e.g., a consequence associated with the 
debris event triggered by the flight abort). A flight safety limits 
analysis would ideally minimize all foreseeable consequences, not just 
those to people on the ground or to the extent necessary to meet the 
public safety criteria. For example, placing flight safety limits in 
areas where flight abort might place debris on a busy shipping lane or 
air corridor is not an ideal solution when other locations for the 
limits could meet the public safety criteria and consequence criteria, 
and still provide space for the vehicle to fly a useful mission. Also, 
as a malfunctioning vehicle's debris footprint migrates towards a 
populated area, the consequence to people on the ground from a flight 
abort will increase from a low number and possibly reach the proposed 
consequence limit. The ideal location for a flight safety limit on such 
trajectory is not at the last location where an abort would still 
result in meeting the consequence criteria, which would presumably 
result in a consequence close to the limit, but at a location that 
minimizes the consequence. This proposed approach could result in 
flight safety limits that provide debris containment, or nearly so, 
while also allowing normal flight and flight within the limits of a 
useful mission without triggering an abort. In summary, the design of 
the flight safety limits and the associated flight safety rules would 
be required to avoid an increase in risk induced by a flight abort, 
compared to inaction or action at a different time. This is relevant to 
areas where debris containment is not possible, as discussed in greater 
length in the next section on proposed Sec.  450.125.
---------------------------------------------------------------------------

    \197\ RCC 321-10 at p. 2-7.
---------------------------------------------------------------------------

    Proposed Sec.  450.123(c) would require the flight safety analysis 
to include a gate analysis for an orbital launch, or any launch or 
reentry where one or more trajectories that represents a useful mission 
intersects a flight safety limit that provides containment of debris 
capable of causing a casualty. This is also discussed in more detail in 
the next section on gate analysis.
    Proposed Sec.  450.123(d) would provide flexibility to allow the 
computation of

[[Page 15385]]

flight safety limits in real-time in lieu of computing flight safety 
limits preflight. This alternative would reduce the number of 
assumptions used in the flight safety limits analysis and allow for a 
computation that uses the best available data on the vehicle state. The 
proposal would allow the computation of flight safety limits in real-
time to be performed on the ground or onboard the vehicle.
    The FAA proposes to remove the requirement for a straight-up time 
analysis currently in Sec.  417.215. A straight-up time analysis 
establishes when to terminate the flight of a vehicle that fails to 
pitch over, and thus flies straight up, to achieve debris containment. 
The straight-up time is not the only method of limiting the risks and 
consequences to the launch area in the case of a vehicle that flies a 
straight-up trajectory. Although the express provision is being removed 
in the proposed rule, the new performance-based analysis permitted 
under Sec.  450.213 would allow the straight-up time approach to 
control the hazards from a straight-up flight, but its use would not be 
required.
    Proposed Sec.  450.123(e) lays out the application requirements for 
flight safety limits analyses. The FAA would require an applicant to 
submit: (1) A description of how each flight safety limit will be 
computed; (2) representative flight safety limits and associated 
parameters; (3) an indication of which flight abort rule from proposed 
Sec.  450.165(c) is used in conjunction with each example flight safety 
limit; (4) a graphic depiction or series of depictions of 
representative flight safety limits, the launch or landing point, all 
uncontrolled area boundaries, and vacuum instantaneous impact point 
traces for the nominal trajectory, extents of normal flight, and limits 
of a useful mission trajectories; (5) if the requirement for flight 
abort is computed in real-time in lieu of precomputing flight safety 
limits, a description of how the real-time flight abort requirement is 
computed including references to public safety criteria of Sec.  
450.101; and (6) additional products requested by the FAA for an 
independent analysis when necessary to demonstrate compliance with risk 
criteria. The proposed application requirements are consistent with 
current practice under parts 417 and 431.
7. Gate Analysis
    The FAA proposes Sec.  450.125 to make regulations governing gate 
analyses more performance-based, flexible, and clear. This change would 
include revising the definition of ``gate'' and, as discussed earlier, 
adding a definition of the ``limits of a useful mission.'' The proposal 
would also add an option to relax flight safety criteria without using 
a gate.
    Current Sec.  417.3 defines a ``gate'' as the portion of a flight 
safety limit boundary through which the tracking icon of a launch 
vehicle flown with an FSS may pass without flight termination. As 
discussed earlier, a gate is an opening in a flight safety limit 
through which a vehicle may fly, provided the vehicle meets certain 
pre-defined conditions such that the vehicle performance indicates an 
ability to continue safe flight. If the vehicle fails to meet the 
required conditions to pass a gate, then flight abort would occur at 
the flight safety limit. In other words, the gate would be closed.
    The FAA has requirements for an overflight gate analysis in Sec.  
417.217 and appendix A, section A417.17, and for a hold-and-resume gate 
analysis in Sec.  417.218. An overflight gate analysis determines 
whether a vehicle can overfly populated areas. This analysis requires a 
launch operator determine why it is safe to allow flight through a 
flight safety limit--the limit that protects populated or protected 
areas--without terminating a flight. This analysis accounts for the 
fact that it is potentially more dangerous to populated or protected 
areas to destroy a malfunctioning vehicle during certain portions of a 
launch than not to destroy it. In some circumstances, a destroyed 
vehicle may disperse debris over a wider area affecting more people 
than if the vehicle were to impact intact.
    The primary purpose of flight safety limits and gates is to 
establish safe locations and conditions to abort the flight prior to 
the vehicle entering a region or condition where it may endanger 
populated or other protected areas if flight were to continue. From an 
operator's perspective, a gate should allow the vehicle to fly through 
a flight safety limit when the trajectory corresponds to a useful 
mission.\198\ Otherwise, a flight abort would be required for every 
flight that intersects with a flight safety limit even if the mission 
can still have a successful outcome. The optimal use of flight safety 
limits and gates would be to prevent vehicles that cannot achieve a 
useful mission from continuing flight, even when the flight is along a 
trajectory that crosses a gate.
---------------------------------------------------------------------------

    \198\ As discussed earlier in this preamble, the FAA proposes in 
Sec.  401.5 to define the ``limits of a useful mission'' as the 
trajectory data or other parameters that describes the limits of a 
mission that can attain the primary objective, including but not 
limited to flight azimuth limits.
---------------------------------------------------------------------------

    The current gate regulations imply that gates are the only option 
when debris containment is not possible along a trajectory that 
represents a useful mission, whether it is normal or outside of the 
normal trajectory envelope. This requirement does not reflect current 
practice at the Federal launch ranges. Federal launch ranges sometimes 
relax flight safety limits to allow continued flight for these 
trajectories without the use of a gate, as long as the operations 
satisfies the collective risk criterion. Also, some Federal launch 
ranges do not currently require explicit identification of the 
conditional risk posed by a vehicle that flies on a trajectory within 
the normal trajectory envelope or the limits of a useful mission. The 
preflight risk due to such a trajectory is often small because the 
vehicle is not likely to deviate far from nominal. However, a gate or 
relaxed flight safety limit to allow flight on such a trajectory 
implies that the risk must be acceptable given that the vehicle does 
fly on such a trajectory. Such a failure to identify the conditional 
risk associated with such a trajectory as part of the gate analysis is 
inconsistent with the U.S. Government consensus standard (RCC 321-17 
paragraph 2.3.6) that a conditional risk management process should be 
implemented to ensure that mission rules do not induce unacceptable 
levels of risk when they are implemented.
    Although part 431 has no requirements related to gate analysis, the 
one orbital RLV operation licensed to date employed an FSS and 
performed a gate analysis.
    The FAA's proposed Sec.  450.125 would establish a single set of 
performance-based gate analysis requirements applicable to all launch 
and reentry vehicles. The gate analysis requirements in Sec. Sec.  
417.217 and 417.218 would be combined. Proposed Sec.  450.125 would 
remove prescriptive requirements on the types of gates, standardize the 
requirements for establishing a gate, and open the possibility of 
relaxing flight safety limits. The FAA believes an operator should have 
the freedom to select risk mitigation methods that will present the 
best safety posture rather than prescribing certain strategies that may 
not be the best for all scenarios and vehicles. The FAA also proposes 
to revise the existing definition of ``gate'' in Sec.  401.5 to replace 
the term ``flight termination'' with ``flight abort'' and to add 
language to reflect that the flight must remain within specified 
parameters to avoid flight abort.
    Proposed Sec.  450.125(a) would require a gate analysis for an 
orbital launch, or

[[Page 15386]]

any launch or reentry where one or more trajectories that represents a 
useful mission intersects a flight safety limit that provides 
containment of debris capable of causing a casualty.
    Proposed Sec.  450.125(b) would set the gate analysis requirements. 
The FAA would require an analysis to establish a relaxation of flight 
safety limits to allow continued flight or a gate where a decision will 
be made to abort the launch or reentry, or allow continued flight. If a 
gate is established, the analysis should establish a measure of 
performance at the gate that would enable the flight abort crew or 
autonomous FSS to determine whether the vehicle is able to complete a 
useful mission, and abort the flight if it is not. Further, the 
analysis should establish accompanying flight abort rules. Finally, for 
an orbital launch, the analysis should establish a gate at the last 
opportunity to determine whether the vehicle's flight is in compliance 
with the flight abort rules and can make a useful mission, and abort 
the flight if not. This last requirement would achieve the goal of 
assuring that only missions that can be useful are allowed to proceed 
to orbit, thereby limiting the potential for space debris. In addition, 
when the vehicle performance does not demonstrate an ability to reach a 
minimum safe orbit (without an imminent random reentry), meaning it 
cannot pass the useful mission requirement, the regulation would 
require that flight abort occur.
    In proposed Sec.  450.125(c), the FAA would require the extents of 
any gate or relaxation of the flight safety limits to be based on 
normal trajectories, trajectories that may achieve a useful mission, 
collective risk, and consequence criteria. In proposed Sec.  
450.125(c)(1), the FAA proposes to require a gate or relaxation of 
flight safety limits anywhere a flight safety limit intersects with a 
normal trajectory if that trajectory would meet the individual and 
collective risk criteria of proposed Sec.  450.101(a)(1) and (2) or 
(b)(1) and (2) when treated like a nominal trajectory with normal 
trajectory dispersions.\199\ Requiring all normal trajectories to be 
treated like a nominal trajectory with dispersions as input to a 
conditional risk analysis (given a sample normal trajectory) for the 
gate analysis would resolve the issue of an incomplete characterization 
of the conditional risk of a vehicle that flies through what was a 
flight safety limit while within the normal trajectory envelope.
---------------------------------------------------------------------------

    \199\ The FAA would retain the definitions of ``normal flight'' 
and ``normal trajectory'' currently found in Sec.  417.3.
---------------------------------------------------------------------------

    Another requirement of the proposed gate analysis would be that the 
predicted average consequence from flight abort resulting from any 
reasonably foreseeable vehicle response mode, in any one-second period 
of flight, using any modified flight safety limits must not exceed 1 x 
10^-2 CEC. The goal of this requirement is to 
ensure that flight safety limits do not create an unacceptable 
consequence when used, since debris containment is no longer provided. 
A gate that does not have flight safety limits after the gate would not 
need to meet this consequence criterion since it would be placed at the 
same location as flight safety limits that do provide debris 
containment. Under the proposal, any intersections of flight safety 
limits with normal trajectories would result in flight safety limits 
that are relaxed enough to allow passage, or an open gate in the flight 
safety limit as long as there is enough data available to confirm that 
the vehicle is healthy (i.e., appears capable of reaching a minimum 
safe perigee). Flight on normal trajectories must still meet the public 
safety criteria in proposed Sec.  450.101, so this practice would 
ensure acceptable risks and use the best available data to confirm that 
a vehicle is unlikely to fail before being allowed to fly through a 
gate, if one is present. Whether flight safety limits would be relaxed 
enough to let a vehicle fly through that area, or be gated, is 
optional. A gate is preferred if it would reduce risk, given that there 
is sufficient information available to make a decision on whether the 
vehicle is sufficiently healthy to pass. This practice would align with 
the Federal launch range's current practice and meet the intent of the 
current requirement in Sec.  417.107(a)(2).
    In proposed Sec.  450.125(c)(2), trajectories that are outside of 
normal flight but within the limits of a useful mission would be 
evaluated as potential normal trajectories. Proposed Sec.  
450.125(c)(2) would allow flight safety limits to be gated or relaxed 
where they intersect with any trajectory within the limits of a useful 
mission, if the trajectory would meet the individual and collective 
risk criteria of proposed Sec.  450.101(a)(1) and (2) or (b)(1) and 
(2), assuming that the trajectory flown would be treated like a nominal 
trajectory with normal trajectory dispersions. The predicted average 
consequence from flight abort resulting from a failure in any one-
second period of flight, using any modified flight safety limits, would 
be required to not exceed 1 x 10^-2 CEC. The 
philosophy behind proposed Sec.  450.125(c)(2) is to allow a non-normal 
flight to continue as long as the mission does not pose an unacceptable 
conditional risk given the present trajectory. A good example of 
missions that fall into this category are missions that lift-off on an 
incorrect flight azimuth, usually due to a software input error, such 
as the Ariane 5 failure on January 25, 2018, during its 97th mission 
(VA241). Apart from the programming error, these vehicles may be 
healthy and are not expected to fail more frequently than a flight 
without the programming error, so these flights should be allowed to 
continue if they meet the individual and collective risk criteria on 
the present azimuth (unless the risk from planned debris impacts was 
unacceptable on the present flight azimuth). If they do not, such 
flights would be required to implement an abort. This proposal is 
consistent with the ARC's recommendation to expand part 431 to include 
flight abort rules that apply when the vehicle is performing outside of 
its profile and is unable to reach a useful orbit or survive, and needs 
to be terminated prior to overflight of a populated area.
    Proposed Sec.  450.125(d) would establish the application 
requirements for gate analyses. Specifically, the proposal would 
require an applicant to submit a description of the methodology used to 
establish each gate or relaxation of a flight safety limit; a 
description of the measure of performance used to determine whether a 
vehicle will be allowed to cross a gate without flight abort, the 
acceptable ranges of the measure of performance, and how these ranges 
were determined; a graphic depiction showing representative flight 
safety limits, any protected uncontrolled area overflight regions, and 
instantaneous impact point traces for the nominal trajectory, extents 
of normal flight, and limits of a useful mission trajectories; and any 
additional products requested by the FAA to conduct an independent 
analysis when necessary to ensure that public risk criteria are not 
exceeded. The proposed application requirements are consistent with 
current practice under parts 417 and 431.
8. Data Loss Flight Time and Planned Safe Flight State Analyses
    The FAA proposes to consolidate and update data loss flight times 
and planned safe flight states requirements in proposed Sec.  450.127 
(Data Loss Flight Time and Planned Safe Flight State Analyses).
    Data loss flight time analyses are used to establish when an 
operator must abort a flight following the loss of vehicle tracking 
information. In Sec.  417.3,

[[Page 15387]]

the FAA currently defines ``data loss flight time'' as the shortest 
elapsed thrusting time during which a launch vehicle flown with an FSS 
can move from its normal trajectory to a condition where it is possible 
for the launch vehicle to endanger the public. This definition is 
unclear as to what constitutes a condition where it is possible for the 
launch vehicle to endanger the public. Given the overall approach to 
impact limit lines in Sec.  417.213(d) and the treatment of data loss 
flight times in appendix A to part 417, section A417.19, the FAA has 
interpreted the definition to mean any impact on a protected area with 
debris greater than 3 psf ballistic coefficient.
    With this proposal, the FAA would move the definition of ``data 
loss flight time'' from current Sec.  417.3 to Sec.  401.5 and update 
the definition to mean the shortest elapsed thrusting or gliding time 
during which a vehicle flown with an FSS can move from its trajectory 
to a condition where it is possible for the vehicle to violate a flight 
safety limit. An important change in the definition would be the 
replacement of ``move from its normal trajectory'' with ``move from its 
trajectory.'' Computing data loss flight times initialized using normal 
trajectories or nominal trajectories would both be acceptable means of 
compliance with the proposed regulation, since using the former should 
be more conservative. This resolves the issue of varying practices at 
different ranges and provides additional flexibility.
    In Sec.  417.219(a), the FAA requires a launch operator to 
establish data loss flight times and a planned safe flight state. In 
Sec.  417.219(b), the FAA requires that thrust be considered as a means 
of moving a vehicle towards a protected area, but some vehicles can 
also glide a significant distance using lift. Further, Sec.  417.219(b) 
requires the data loss flight time to be relative to reaching protected 
areas, not flight safety limits. The requirements in Sec.  417.219(c) 
also include a method of establishing the planned safe flight state 
that includes the subjective phrase ``the absence of a flight safety 
system would not significantly increase the accumulated risk from 
debris impacts.'' Data loss times are currently computed in different 
ways at Federal launch ranges, with some initializing the computation 
from the nominal trajectory and some from trajectories within the 
normal trajectory envelope, sometimes referred to as ``dispersed'' 
trajectories.
    Part 431 has no requirements related to analysis to establish data 
loss flight times or planned safe flight state. However, the one 
orbital RLV operation licensed to date employed an FSS and established 
data loss flight times.
    The FAA's proposed Sec.  450.127(a) would require an FSA to 
establish data loss flight times and a planned safe flight state for 
each flight to establish each flight abort rule that applies when 
vehicle tracking data is not available for use by the flight abort crew 
or autonomous FSS. Substantively, this proposal is consistent with the 
current rule in Sec.  417.219(a). However, the FAA's proposal would 
update language to account for autonomous FSS and the use of the term 
flight abort in place of flight termination.
    Proposed Sec.  450.127(b)(1) would retain the data loss flight time 
analysis requirements consistent with Sec.  417.219, but with the 
addition of gliding flight as a means of moving a vehicle towards 
flight safety limits (in lieu of protected areas in accordance with 
Sec.  417.219). The proposal would replace the subjective method of 
establishing the safe flight state with a more straightforward method 
of analyzing when the vehicle's state vector reaches a state where the 
vehicle is no longer required to have a flight safety system. This is 
to avoid aborting a flight due to loss of track data during a phase of 
flight in which track data is not required to ensure safe flight. Thus, 
the proposal would encourage operators to avoid a flight abort, which 
often correlates with creating debris, due to loss of track data when 
in an area where flight abort is not required to meet the regulations.
    Proposed Sec.  450.127(b)(2) would require data loss flight times 
to account for forces that may stop the vehicle before reaching a 
flight safety limit, such as aerodynamic forces that exceed the 
structural limits of the vehicle. When more conservative methods are 
used, such as assuming an instantaneous turn towards the nearest flight 
safety limit, data loss flight times can be underestimated in that a 
vehicle could not physically perform the turn without breaking up. Data 
loss flight times that are unrealistically low create the risk of an 
unnecessary abort (and thus, an unnecessary debris event) if track is 
lost, since track may return and allow flight to continue if the data 
loss flight times are greater.
    Proposed Sec.  450.127(b)(3) would allow the computation of data 
loss flight times in real-time in lieu of only computations made 
preflight. This proposal would allow for a computation using the last-
known state vector of the vehicle before track was lost. Proposed Sec.  
450.127(b)(3) would allow the computation of data loss flight times to 
be performed on the ground or onboard the vehicle, depending on whether 
a traditional command destruct or autonomous flight safety system is 
used.
    In proposed Sec.  450.127(c), the requirements regarding the 
planned safe flight state would be consistent with those currently in 
Sec.  417.219(c), only generalized to apply to reentry as well as 
launch. Proposed Sec.  450.127(c)(1) would update the Sec.  
417.219(c)(1) requirement using new terminology without any change to 
the meaning.
    Proposed Sec.  450.127(d) lays out the application requirements for 
data loss flight time and planned safe flight state analyses. 
Specifically, the proposal would require an applicant to submit a 
description of the methodology used to determine data loss flight 
times; tabular data describing the data loss flight times from a 
representative mission; the safe flight state and methodology used to 
determine it; and any additional products requested by the FAA to 
conduct an independent analysis.
9. Time Delay Analysis
    For ELVs, Sec.  417.221(a) requires a time delay analysis that 
establishes the mean elapsed time between the violation of a flight 
termination rule and the time when the flight safety system is capable 
of terminating flight for use in establishing flight safety limits. 
Section 417.221(b) requires the analysis to determine a time delay 
distribution that accounts for the variance of all time delays for each 
potential failure scenario, a flight safety official's decision and 
reaction time, and flight termination hardware and software delays 
which includes all delays inherent in tracking systems, data processing 
systems, display systems, command control systems, and flight 
termination systems.
    The FAA has also required time delay analyses for RLVs under the 
current regulatory scheme. Specifically, Sec.  431.39(a) requires an 
RLV license applicant to submit contingency abort plans, if any, that 
ensure safe conduct of mission operations during nominal and non-
nominal vehicle flight. In practice, a time delay analysis has been 
necessary to ensure safe conduct of an RLV that uses flight abort.
    The FAA proposes to streamline the regulations governing the 
analysis of time delay in proposed Sec.  450.129 (Time Delay Analysis). 
Proposed Sec.  450.129(a) would use language identical to Sec.  
417.221(a), except that the term ``terminating'' would be replaced with 
the term ``aborting.'' The proposal would replace the list of time 
delay contributions prescribed in Sec.  417.221(b) with a performance-
based requirement in proposed Sec.  450.129(a), that the time delay 
analysis would be required to

[[Page 15388]]

determine a time delay distribution that accounts for all foreseeable 
sources of delay.
    Proposed Sec.  450.129(b) would list application requirements. 
Specifically, the proposal would require an applicant to submit a 
description of the methodology used in the time delay analysis, a 
tabular listing of each time delay source and the total delay, with 
uncertainty, and any additional products the FAA would request to 
conduct an independent analysis.
10. Probability of Failure
    Proposed Sec.  450.131 (Probability of Failure Analysis) would 
cover probability of failure (POF) analysis requirements for all launch 
and reentry vehicles. The proposal would also make application 
requirements clearer and implement performance-based requirements to 
address allocation to flight times and vehicle response modes. The 
proposed POF performance requirements would allow an operator to employ 
alternative, potentially innovative methodologies so long as the 
results satisfy proposed requirements such as valid input data.
    Current regulations covering POF analysis requirements for ELVs are 
found in Sec.  417.224. Part 431 does not have requirements for a POF 
analysis. Even so, a POF analysis is necessary to demonstrate 
compliance with the public risk criteria set for RLV operations in 
Sec.  431.35(b).
    Section 417.224(a) requires that POF analyses use accurate data, 
scientific principles, and a method that is statistically or 
probabilistically valid. For vehicles with fewer than two flights, the 
POF must account for the outcome of all previous launches of vehicles 
developed and launched in similar circumstances. If a vehicle has more 
than two flights, the POF analysis must account for the outcomes of all 
previous flights of the vehicle in a statistically valid manner. 
Section 417.224(a) does not address the use of data on partial failures 
and anomalies, which is a shortcoming the FAA seeks to correct. Section 
417.224(b) defines failure to mean when a launch vehicle does not 
complete any phase of normal flight, or when any anomalous condition 
exhibits the potential for a stage or its debris to impact the Earth or 
reenter the atmosphere during the mission, or any future mission, of 
similar launch vehicle capability. The paragraph makes clear a launch 
incident or accident also constitutes a failure. Finally, Section 
417.224(c) explains that previous flights begin when the launch vehicle 
normally or inadvertently lifts off from a launch platform and that 
liftoff occurs with any motion of the launch vehicle with respect to 
the launch platform.
    Although the Sec.  417.224 definitions have generally served the 
FAA and the industry well, Sec.  417.224 lacks requirements to address 
allocation to flight times and vehicle response modes (VRMs), even 
though these allocations are necessary to determine the public risks 
posed by various VRMs at various times in flight. Given POF is a 
primary factor in any risk computation, it is impossible for an 
applicant to demonstrate compliance with the quantitative public risk 
criteria without an analysis to determine the probability of any 
reasonably foreseeable outcome, such as an on-trajectory loss of thrust 
or a malfunction turn ending in aerodynamic break-up.
    The FAA would retain the substantive Sec.  417.224 POF analysis 
requirements in proposed Sec.  450.131, including the definitions of 
key terms such as ``failure'' and ``previous flight''. However, the 
proposal would apply to all launch and reentry vehicles. In addition, 
it would clarify the data a POF analysis must use to establish a valid 
allocation to flight times and vehicle response modes.
    Proposed Sec.  450.131(a) would retain the same substantive 
requirements regarding the an operator's estimation of the POF for 
vehicles with fewer than two flights. However, for vehicles with two or 
more previous flights, the proposal would change the Sec.  417.224(a) 
provision by requiring that the outcomes of all previous flights of the 
vehicle or vehicle stage account for data on partial failures and 
anomalies including Class 3 and Class 4 mishaps. Thus, the proposal 
would require an analysis to account for partial failures and 
anomalies. These changes should improve the credibility of POF analyses 
by giving due credit to stages that succeed even though a subsequent 
stage fails. For example, consider a vehicle launched two times, with a 
failure during the second stage on the first launch and no failures 
during the second launch. For the third launch, the proposal would 
allow a probability of failure analysis to account for the fact that 
the first stage flew twice without a failure, while the second stage 
flew twice with one failure.
    Proposed Sec.  450.131(b) would retain essentially the same 
definition of ``failure'' used in Sec.  417.224(b), with changes using 
the proposed mishap terminology (Class 1 or Class 2) and to cover other 
vehicles beyond ELVs.
    Proposed Sec.  450.131(c) would retain essentially the same 
definition of ``previous flight'' for FSA purposes, with changes 
intended to encompass all launch and reentry vehicles, including cases 
where an operator uses a carrier aircraft. Thus, ``previous flight'' 
for the purposes of an FSA would cover the flight of a launch vehicle 
beginning when the vehicle normally or inadvertently lifts off from a 
launch platform. Liftoff would still occur with any motion of the 
launch vehicle with respect to the launch platform. The FAA would 
clarify that this would include a carrier aircraft as a launch 
platform, and would include any intentional or unintentional separation 
from the launch platform. In terms of a reentry vehicle, the flight of 
a reentry vehicle or deorbiting upper stage would begin when a vehicle 
attempts to initiate a deorbit.
    Proposed Sec.  450.131(d), titled ``Allocation,'' would establish 
performance requirements to address POF allocation to flight times and 
VRMs. The proposal would require that a vehicle POF be distributed 
across flight times and vehicle response modes consistent with the data 
available from all previous flights of vehicles developed and launched 
or reentered in similar circumstances; and data from previous flights 
of vehicles, stages, or components developed and launched or reentered 
by the subject vehicle developer or operator. Such data may include 
previous experience involving similar vehicle, stage, or component 
design characteristics; development and integration processes, 
including the extent of integrated system testing; and level of 
experience of the vehicle operation and development team members. These 
requirements were not in Sec.  417.224 or part 431. In this context, 
phases of flight would be defined by planned events affecting the 
vehicle configuration and its failure rate, such as ignition, first 
stage flight, stage separation, second stage ignition, second stage 
flight, payload fairing separation, etc. This proposal would require 
what is already necessary and thus done in current practice.
    In proposed Sec.  450.131(e), the FAA would require that a POF 
allocation account for significant differences in the observed failure 
rate and the conditional failure rate. The conditional failure rate 
represents the failure rate conditional on the vehicle or subsystem 
having survived, without a failure as defined earlier, to a given time 
in flight. The observed failure rate is the product of the conditional 
failure rate and the reliability function, which is commonly defined as 
the probability that the vehicle or subsystem has not failed prior to a 
given time in flight. For high reliability systems where the 
reliability function is close to one (by definition),

[[Page 15389]]

the observed failure rate can be approximated as the conditional 
failure rate. If the overall vehicle or stage POF is below 10 percent 
(over the entire period of time corresponding to a phase of flight), 
then this simplified approach produces a relative error less than 
approximately 0.5 percent, which is generally not considered a 
significant difference. For lower reliability systems, this 
approximation does produce a significant difference between the 
observed failure rate and the conditional failure rate. Here again, the 
proposal would clarify what is already necessary and thus done in 
current practice.
    Proposed Sec.  450.131(e) would also require that a POF analysis 
use a constant conditional failure rate for each phase of flight, 
unless there is clear and convincing evidence of a different 
conditional failure rate for a particular vehicle, stage, or phase of 
flight. Thus, the proposal would require a POF analysis to assume that 
the conditional failure rate can be represented as a piece-wise 
constant function of time for each phase of flight, absent clear and 
convincing evidence to the contrary. The points that define transitions 
to a potentially different conditional failure rate must include 
staging events or other vehicle configuration changes, such as ignition 
of other engines or rocket motors. In some cases, the FAA anticipates 
that there will be sufficient evidence to justify a different failure 
rate, for example during a start-up or shut-down/burnout transient for 
a rocket motor compared to steady state operation of a stage, engine, 
or motor.
    Proposed Sec.  450.131(f) would lay out the FAA's application 
requirements for POF analyses that address the proposed methodology, 
assumptions and justification, input data, and output data. An 
applicant would also be required to provide a complete set of tabular 
data and graphs of the predicted failure rate and cumulative failure 
probability for each foreseeable VRM. The proposed requirements are 
consistent with current practice to the extent that any valid FSA must 
include the probability of failure assigned to each VRM as a function 
of time into flight.
11. Flight Hazard Areas
    The FAA proposes to streamline its regulations on flight hazard 
area in proposed Sec.  450.133, applicable to all launch and reentry 
vehicles. The FAA would codify its working definition of ``flight 
hazard area'' to mean any region of land, sea, or air that must be 
surveyed, publicized, controlled, or evacuated in order to protect the 
public health and safety and safety of property. An FSA would include a 
flight hazard area analysis to identify regions of land, sea, or air 
where an operation poses a potential hazard to the public. The proposal 
would reduce the size of the regions of land, sea, and air requiring 
hazard warnings from normal flight events and would reduce the size of 
regions requiring surveillance prior to initiating a commercial space 
transportation operation. These changes would be consistent with 
practices at Federal launch ranges.
    The current FAA regulations most pertinent to flight hazard area 
analysis are found in Sec. Sec.  417.107(b) (Flight safety) and 417.223 
(Flight hazard analysis) for ELVs, and Sec. Sec.  431.35(b) (Acceptable 
reusable launch vehicle mission risk) and 431.43(b) (Reusable launch 
vehicle mission operational requirements and restrictions) for RLVs. 
Both the ELV and RLV regulations require flight hazard areas to protect 
against hazards posed by vehicle malfunctions (e.g., an in-flight 
break-up) and normal flight events that create hazards (e.g., any 
planned jettison of debris, launch vehicle components, or vehicle 
stages).
    The FAA currently sets requirements to warn of, or limit the 
operations of, ELVs and RLVs in regions where planned debris impacts 
are likely, for example, due to jettisoned stages. In Sec.  417.223(b), 
the FAA currently requires flight hazard area analyses to establish 
ship and aircraft hazard area warnings to mariners and airman in 
regions that encompass the three-sigma impact dispersion area for each 
planned debris impact. Similar language appears in Sec.  431.43(b), 
which states that a nominal landing location is suitable if the area of 
the predicted three-sigma dispersion of the vehicle impacts can be 
wholly contained within the designated location. In the 2000 final 
rule, the FAA explained that it intended the three-sigma to refer a 
location where the vehicle or stage landing would be contained 997 
times out of 1000 attempts, or 99.7 percent probability of 
containment.\200\ Hence, these regulations used the term ``three-
sigma'' to refer to a univariate Gaussian distribution,\201\ despite 
the fact that impact dispersions are bivariate, and not necessarily 
Gaussian. Notably, neither Sec.  417.223 nor Sec.  431.43 stipulate 
whether these warning areas must account for all debris or only debris 
capable of causing a casualty. There is evidence that the separation of 
large stages can liberate small fragments with a negligible probability 
of creating a casualty, depending on the nature of the exposed 
population. For example, people in aircraft are often more vulnerable 
than people on the ground because a fragment that impacts an aircraft 
has a much higher kinetic energy due to the velocity of the aircraft.
---------------------------------------------------------------------------

    \200\ 65 FR 56618 (September 9, 2000), at 56629.
    \201\ Gaussian distribution (also known as normal distribution) 
is a bell-shaped curve, and it is assumed that during any 
measurement values will follow a normal distribution with an equal 
number of measurements above and below the mean value.
---------------------------------------------------------------------------

    Both the ELV and RLV regulations require public risk controls, such 
as evacuation or surveillance, to ensure that no individual member of 
the public is exposed to greater one-in-a-million (1 x 10^-6) 
PC, irrespective of their location on land, sea, or air, to 
satisfy risk criterion in Sec. Sec.  417.107(b) and 431.35(b). The part 
417 regulations address the identification and surveillance of flight 
hazard areas explicitly in several sections, including Sec. Sec.  
417.111(b)(5), 417.121(f), and 417.223 as discussed below. Part 431 
regulations do not expressly address flight hazard areas. However, the 
preamble to the 2000 final rule stated that the individual risk limit 
of 1 x 10^-6 PC would dictate whether or not an 
area must be evacuated for launch or reentry activity along that 
trajectory to occur safely, and clarified that limit applied for any 
person not involved in the licensed activity. Hence, the current RLV 
regulations clearly intended the evacuation, and surveillance by 
inference, of any area where a person not involved in the licensed 
activity would otherwise experience more than 1 x 10^-6 
PC.
    Only Sec.  417.223 and associated appendices provide specific 
direction on conducting flight hazard area analyses. In Sec.  
417.223(a), the FAA requires launch operators to perform a flight 
hazard area analysis that identifies any regions of land, sea, or air 
that must be surveyed, publicized, controlled, or evacuated in order to 
control the risk to the public from debris impact hazards. In addition, 
the current regulation notes that the risk management requirements of 
Sec.  417.205(a) apply to the flight hazard area analyses. Lastly, 
Sec.  417. 223(a) paragraph lists factors that the analysis must 
account for.
    Regarding aircraft hazard areas, the preamble to part 431 stated 
that the FAA also reserves discretion to impose measures deemed 
necessary by that office to protect public safety.\202\ This deference 
to regional offices for aircraft protection resulted in a lack of 
clarity and potential unevenness to the aircraft protection 
requirements potentially imposed on RLV operators.
---------------------------------------------------------------------------

    \202\ 65 FR 56618 (September 19, 2000), at 56646.
---------------------------------------------------------------------------

    Proposed Sec.  450.133 would establish general requirements for the 
flight hazard area analysis as well as

[[Page 15390]]

requirements specific to waterborne vessel hazard areas, land hazard 
areas, airspace hazard volumes, and the license application. The 
proposal would make uniform to launch and reentry the requirement in 
current Sec.  417.223(a) that operators must identify any regions of 
land, sea, or air that must be surveyed, publicized, controlled, or 
evacuated to the extent necessary to ensure acceptable individual and 
collective risks. However, as discussed later in this section, the 
proposed regulations would allow operators to reduce, or otherwise 
optimize, the size of the warning regions for hazards resulting from 
normal flight events.
    The proposal would add a definition of ``flight hazard area'' to 
Sec.  405.1 to mean any region of land, sea, or air that must be 
surveyed, publicized, controlled, or evacuated in order to protect the 
public health and safety, and safety of property. This definition is 
consistent with the current requirement in Sec.  417.223(a). Note that 
the proposed definition would allow for the fact that it may be 
appropriate to issue a public warning for a flight hazard area, but 
unnecessary to survey or evacuate the area to ensure the public risks 
are within the criteria given in proposed Sec.  450.101, as explained 
in the discussion of hazard area surveillance and publication.
    Proposed Sec.  450.133(a) would also revise the technical factors 
for which the hazard area analysis must account to remove language 
limiting those factors to launch activity alone, thus making consistent 
the regulations for all types of commercial space transportation 
operations. The proposal would merge current Sec.  417.223(a)(2), (3), 
and (4) with slight changes into Sec.  450.133(a)(1) to require an 
operator to account for the ``regions of land, sea, and air potentially 
exposed to debris impact resulting from normal flight events and from 
debris hazards resulting from any potential malfunction.'' Proposed 
Sec.  450.133(a)(5) would also clarify that the analysis must account 
for all foreseeable sources of debris dispersion during freefall, 
including wind effects, guidance and control, velocity imparted by 
break-up or jettison, lift, and drag forces with winds that are no less 
severe than the worst wind conditions under which flight might be 
attempted, and uncertainty in the wind conditions. In Sec.  
417.223(a)(4), the current regulation implies that the analysis only 
needed to account for some exposed populations in the vicinity of the 
launch site. The proposed Sec.  450.133(a) would further clarify that 
all sources of debris dispersion must be accounted for by removing any 
ambiguity associated with what constitutes ``in the vicinity of the 
launch site;'' by eliminating that phrase, and thus ensuring equal 
protection for all public exposures. Finally, the proposal would 
clarify that valid flight hazard area analyses would be required to 
treat all planned debris hazards, planned impacts, and planned landings 
as a virtual certainty, consistent with current practice and the 
regulations in sections A417.23 and B417.13. Again, part 431 does not 
address flight hazard areas, but current practice for RLVs is generally 
consistent with the ELV regulations.
    Proposed Sec.  450.133(b)(1), (c)(1), and (d)(1) would align FAA 
regulations with practices at the Federal launch ranges by allowing 
operators to reduce or otherwise optimize the size of the regions for 
warnings of potential hazardous debris resulting from normal flight 
events. Specifically, in Sec.  417.223(b), the FAA currently requires 
hazard area analyses to establish ship and aircraft hazard area 
warnings in regions that encompass the three-sigma impact dispersion 
area for each planned debris impact. Similar language appears in Sec.  
431.43(b), and the FAA previously took the position that ``three-
sigma'' in this context referred to 99.7 percent probability of 
containment (as explained earlier). However, the current regulations do 
not specify if the confidence of containment applies to all planned 
debris or only debris capable of causing a casualty. In any case, 
current practice includes the establishment of flight hazard areas 
sufficient for 97 percent probability of containment of debris capable 
of causing a casualty. Thus, the proposed requirements in Sec.  450.133 
(b)(1), (c)(1), and (d)(1) would be revised to include language 
reflecting that the provision applies to debris capable of causing a 
casualty to any person located on land, sea, or air.
    Finally, proposed Sec.  450.133(e) would list flight hazard area 
application requirements. An applicant would need to submit a 
description of the methodology to be used in the flight hazard area 
analysis, including all assumptions and justifications for the 
assumptions, vulnerability models, analysis methods, and input data. 
This information would include the worst wind conditions under which 
flight might be attempted accounting for uncertainty in the wind 
conditions, the classes of waterborne vessels and vulnerability 
criteria employed, and the classes of aircraft and vulnerability 
criteria employed. Section 450.133(e)(2) would require an applicant to 
submit representative hazard area analysis outputs to include tabular 
data and graphs of the results of the flight hazard area analysis. Note 
that the proposal would require hazard area results to identify the 
regions of land, sea, and air considered hazardous, regardless of 
location or ownership.\203\ The proposed requirement to show contours 
of probability of impact (PI) and PC that are an 
order of magnitude lower than those used to define the flight hazard 
areas is necessary to demonstrate sufficient computational resolution 
and analysis fidelity for the results that are critical to public 
safety. Furthermore, the FAA Air Traffic Organization currently 
requires identification of regions of air where the PI 
exceeds 1 x 10^-7 for all debris capable of causing a 
casualty to persons on an aircraft, in order to facilitate safe and 
efficient integration of launch and reentry operations into the NAS. 
Proposed Sec.  450.133(e)(3) would specifically provide that applicants 
must provide additional products if requested by the FAA to conduct an 
independent analysis.
---------------------------------------------------------------------------

    \203\ However, as provided in proposed Sec.  450.161(c), an 
operator would only be required to publicize warnings for flight 
hazard areas that exclude any regions of land, sea, or air under the 
control of the vehicle or site operator or other entity by 
agreement.
---------------------------------------------------------------------------

12. Debris Risk Analysis
    The FAA proposes to streamline, clarify, and make consistent its 
regulations on debris risk analysis used to evaluate compliance with 
the public safety criteria in proposed Sec.  450.101. The proposal 
would require launch and reentry operators to conduct a debris risk 
analysis that demonstrates compliance with proposed Sec.  450.101 
either prior to the day of the operation, accounting for all 
foreseeable conditions within the flight commit criteria, or during the 
countdown using the best available input data.
    A debris risk analysis determines the expected average number of 
casualties to the public, individually and collectively, due to inert 
and explosive debris hazards. This analysis includes an evaluation of 
risk to populations on land, including areas following passage through 
any gate in a flight safety limit boundary. The current FAA regulations 
require a debris risk analysis, but only part 417 provides any 
specificity about what constitutes a valid analysis including 
prescriptive requirements in section A417.25 of appendix A. Part 431 
provides no requirements to clarify what constitutes a valid debris 
risk analysis. In practice though, RLV license applicants often abided 
by debris risk performance requirements set in part 417, such as the 
need to use trajectory time intervals sufficient to

[[Page 15391]]

produce smooth and continuous individual risk contours.
    Section A417.1 states that the appendix applies to the methods for 
performing analysis required by Sec. Sec.  417.107 and 417.225, and 
provides (1) an acceptable means of compliance, and (2) a standard and 
a measure of fidelity against which the FAA will measure any proposed 
alternative analysis approach. However, in some cases the 417 
appendices are overly prescriptive and unduly burdensome. For example, 
section A417.25(c) requires an operator to file with the FAA a debris 
risk analysis report that includes all populated areas included in the 
debris risk analysis, which typically translates into many thousands of 
population centers for an orbital launch, as well as the values of 
probability of impact and expected casualty for each populated area. In 
other cases, the part 417 appendices mistakenly neglected to direct an 
applicant to account for important phenomena, such as the influence of 
uncertainties in atmospheric conditions on the propagation of debris 
from each predicted breakup location to impact.
    The FAA proposes to streamline, clarify, and make consistent its 
regulations regarding debris risk analyses to determine if public risks 
posed by a proposed launch or reentry can comply with the public safety 
criteria in proposed Sec.  450.101. The proposal would provide 
performance-based regulations regarding the level of fidelity required 
for key elements of a valid debris risk analysis, including analyses 
for the propagation of debris, public exposure and critical assets 
model, and casualty areas. The proposed debris risk analysis 
requirements in Sec.  450.135 would supplement the more generic 
requirements for flight safety methods proposed in Sec.  450.115. The 
proposal would also align FAA regulations with practices at the Federal 
launch ranges.
    Proposed Sec.  450.135(a) provides applicants an option to perform 
a debris risk analysis that demonstrates compliance with public safety 
criteria in Sec.  450.101, either prior to the day of the operation, by 
accounting for all foreseeable conditions within the flight commit 
criteria, or during the countdown using the best available input data. 
Thus, the proposal provides flexibility that was lacking in both parts 
417 and 431.
    Proposed Sec.  450.135(b) would include performance-based 
requirements to clarify the phenomena the propagation-of-debris portion 
of the analysis must consider. The propagation of debris is a physics-
based analysis that predicts where debris impacts are likely to occur 
in the case of a debris event while the vehicle is in flight, such as 
jettison of a vehicle stage or an explosion. As mentioned previously, 
section A417 provides some requirements regarding the sources of debris 
impact dispersions that must be accounted for, but in some cases that 
was either overly prescriptive or incomplete. A debris risk analysis 
must compute statistically-valid debris impact probability 
distributions using the input data produced by FSAs required in 
proposed Sec. Sec.  450.117 through 450.133. The propagation of debris 
from each predicted breakup location to impact would be required to 
account for all foreseeable forces that can influence any debris impact 
location, and all foreseeable sources of impact dispersion. At a 
minimum, the foreseeable sources of impact dispersion must include the 
uncertainties in atmospheric conditions, debris aerodynamic parameters, 
pre-breakup position and velocity, and breakup-imparted 
velocities.\204\
---------------------------------------------------------------------------

    \204\ The level of fidelity of the analysis would be subject to 
the requirements in proposed Sec.  450.101(g) which, as proposed, 
requires an operator's flight safety analysis method to use accurate 
data and scientific principles and be statistically valid. The 
method must produce results consistent with or more conservative 
than the results available from previous mishaps, tests, or other 
valid benchmarks, such as higher-fidelity methods.
---------------------------------------------------------------------------

    Proposed Sec.  450.135(c) would provide performance-based 
regulations that specify features of a valid exposure model. An 
exposure model provides critical input data on the geographical 
location of people and critical assets at various times when the launch 
or reentry operation could occur. A debris risk analysis must use an 
exposure model that accounts for the distribution of people and 
critical assets. The exposure input data would be required to include 
the entire region where there is a significant probability of impact of 
hazardous debris, to characterize the distribution and vulnerability of 
people and critical assets both geographically and temporally, and to 
account for the distribution of people in various structure and vehicle 
types with a resolution consistent with the characteristic size of the 
impact probability distributions for relevant fragment groups. It would 
be required to have sufficient temporal and spatial resolution that a 
uniform distribution of people within each defined region can be 
treated as a single average set of characteristics without degrading 
the accuracy of any debris analysis output, and to use accurate source 
data from demographic sources, physical surveys, or other methods. As 
well, the exposure input data would be required to be regularly updated 
to account for recent land-use changes, population growth, migration, 
and construction. Finally, it would be required to account for 
uncertainty in the source data and modeling approach.
    In Sec.  450.135(d), the proposal would provide performance-based 
regulations that set forth the features of a valid casualty area and 
consequence analysis. The proposal would include a definition of 
casualty area in Sec.  401.5. ``Casualty area'' would mean the area 
surrounding each potential debris or vehicle impact point where serious 
injuries, or worse, can occur. A debris risk analysis would be required 
to model the casualty area and compute the predicted consequences of 
each reasonably foreseeable vehicle response mode in terms of 
conditional expected casualties. The casualty area and consequence 
analysis would be required to account for all relevant debris fragment 
characteristics and the characteristics of a representative person 
exposed to any potential debris hazard; any direct impacts of debris 
fragments, intact impact, or indirect impact effects; and vulnerability 
of people and critical assets to debris impacts. The vulnerability of 
people and critical assets to debris impacts would be required to 
account for the effects of buildings, ground vehicles, waterborne 
vessel, and aircraft upon the vulnerability of any occupants; for all 
hazard sources, such as the potential for any toxic or explosive energy 
releases; and for indirect or secondary effects such as bounce, 
splatter, skip, slide or ricochet, including accounting for terrain. It 
would also be required to account for the effect of wind on debris 
impact vector and toxic releases, and for impact speed and angle (also 
accounting for motion of vehicles). Finally, it would be required to 
account for uncertainty in fragment impact parameters, and uncertainty 
in modeling methodology. These broad performance-based items would 
replace the unduly narrow and prescriptive requirements in appendix A 
which would give operators more flexibility in demonstrating that 
public risk criteria have been met.
    In order to provide adequate protection from public safety risks 
such as the risk of casualties, it is important that analyses used to 
protect public safety account for all known influences on the 
vulnerability of people and critical assets. At the same time, the 
proposal recognizes in Sec.  450.101(g) that a valid method must 
produce results consistent with or more conservative than the results 
available from previous mishaps, tests, or other valid

[[Page 15392]]

benchmarks. Hence, the proposal would not require a vulnerability model 
to account explicitly for each known influence on the empirical results 
per se, but the proposal would require that a valid vulnerability model 
produce results that are either consistent with the standard in 
proposed Sec.  450.101(g).
    Proposed Sec.  450.135(e) would list application requirements, 
which are designed to be more balanced and less prescriptive and 
ambiguous than current requirements in appendix A to part 417, section 
A417. The proposal would require an application to describe the methods 
used to compute debris impact distributions, population exposure data, 
atmospheric data, as well as how the operator proposes to account for 
the conditions immediately prior to enabling the launch or reentry 
flight, per Sec.  450.135(e)(1) through (5).
    Proposed Sec.  450.135(e)(6) and (7) would require an applicant to 
submit sample debris risk analysis outputs, including the effective 
unsheltered casualty area for all fragment classes, assuming a 
representative impact vector; and the effective casualty area for all 
fragments classes for a representative type of building, ground 
vehicle, waterborne vessel, and aircraft, assuming a representative 
impact vector. This is not a new requirement because the effective 
casualty area was always necessary for computing the EC. The 
proposal would define effective casualty area in Sec.  401.5 as the 
aggregate casualty area of each piece of debris created by a vehicle 
failure at a particular point on its trajectory. The effective casualty 
area for each piece of debris is a modeling construct in which the area 
within which 100 percent of the population are assumed to be a 
casualty, and outside of which 100 percent of the population are 
assumed not to be a casualty.
    In proposed Sec.  450.135(e)(8), an applicant would be required to 
submit sample collective and individual outputs under representative 
conditions and the worst foreseeable conditions, including the total 
collective casualty expectation for the proposed operation; a list of 
the collective risk contribution for at least the top ten population 
centers and all centers with collective risk exceeding 1 percent of the 
collective risk criterion in proposed Sec.  450.101; a list of the 
maximum individual PC for the top ten population centers and 
all centers that exceed 10 percent of the individual risk criterion in 
proposed Sec.  450.101. The applicant would also be required to submit 
a list of the probability of loss of functionality of any critical 
asset that exceeds 1 percent of the critical asset criterion in 
proposed Sec.  450.101. Proposed Sec.  450.135(e)(9) would require an 
operator to submit a list of the conditional collective casualty 
expectation for each vehicle response mode for each one-second interval 
of flight under representative conditions and the worst foreseeable 
conditions. Finally, in all FSAs, the applicant must also submit 
additional products that allow an independent analysis, if requested by 
the FAA, in order to assure that the public risk criteria are 
satisfied.
13. Far-field Overpressure Blast Effects
    The FAA proposes to consolidate its regulations on far-field 
overpressure blast effects analyses in proposed Sec.  450.137 (Far-
Field Overpressure Blast Effect Analysis), used to demonstrate 
compliance with the public safety criteria in proposed Sec.  450.101. 
This analysis looks at the potential public hazard from broken windows 
as a result of impacting explosive debris, including impact of an 
intact launch vehicle.
    The near-field effects of explosions are covered under debris risk 
analysis, where meteorological conditions do not significantly 
influence the attenuation of overpressure. However, the FAA would 
require a far-field blast effect analysis for peak incident 
overpressures below 1 pound per square inch (psi,) the point where 
meteorological conditions can significantly influence the attenuation 
of explosive overpressures. A launch and reentry operator would be 
required to conduct a far-field overpressure blast effects analysis 
(also known as distance focusing overpressure, or DFO) that 
demonstrates compliance with public safety criteria in proposed Sec.  
450.101. An operator would need to complete the analysis either prior 
to the day of the operation accounting for all foreseeable conditions 
within the flight commit criteria or during the countdown using the 
best available input data. An applicant would be required to describe 
the critical input data, such as the meteorological measurements, and 
develop flight commit criteria to include any hazard controls derived 
from this FSA in accordance with proposed Sec.  450.165(b)(6).
    Impacting explosive materials, both liquid and solid, have the 
potential to explode. Given the appropriate combination of atmospheric 
pressure and temperature gradients, the impact explosion can produce 
distant focus overpressure at significant distance from the original 
blast point. Overpressures from as low as 0.1 psi may cause windows to 
break. However, other forms of overpressure, such as multiple pulses, 
may also prove hazardous depending on the size and thickness of windows 
and the number of windowpanes. Moreover, levels of overpressure will 
change depending on distance, atmospherics, and a vehicle's explosive 
yield.
    Multiple historical events involving large explosions, including 
rocket failures, have shown that under unfavorable atmospheric 
conditions, a shock wave may focus to produce significant peak 
overpressures at communities beyond the boundaries of the launch site, 
potentially causing window breakage and injuries. In light of the 
historical evidence of blast damage due to overpressure focusing, and 
building on the legacy of U.S. agency efforts to protect against the 
potential public risks associated with rocket explosions, the FAA 
adopted regulations to protect the public from the DFO phenomena in 
Sec.  417.229 (Far-field overpressure blast effect analysis) and 
appendix A to part 417 (section A417.29.) In Sec.  417.229, the FAA 
requires an FSA to establish flight commit criteria that protect the 
public from any hazard associated with DFO effects and demonstrate 
compliance with the public risk criterion. Section 417.229(b) currently 
lists appropriate constraints on the analysis and section A417.29 
provides an acceptable means of compliance. Section A417.29 includes 
hazard controls based on ANSI S2.20-183 Standard,\205\ as well as a 
standard and a measure of fidelity used to assess any proposed 
alternative analytic approach. Section A417.29 also lists the products 
of a valid DFO analysis.
---------------------------------------------------------------------------

    \205\ ANSI S2.20-1983, Estimating Air Blast Characteristics for 
Single Point Explosions in Air, with a Guide to Evaluation of 
Atmospheric Propagation and Effects, Acoustical Society of America, 
New York (1983).
---------------------------------------------------------------------------

    However, current regulations lack clarity on when a day-of-launch 
DFO analysis is necessary. Specifically, section A417.29(c) requires 
that an operator conduct a risk analysis that accounts for ``current 
meteorological conditions,'' unless the operator complies with the 
prescriptive requirements in Sec.  417.229(b) that include the 
extremely conservative method prescribed by the ANSI S2.20-183 
Standard. These requirements have led to situations where an operator 
was technically required to perform a day-of-launch risk analysis to 
protect against the DFO hazard, when in fact the public risks due to 
the DFO phenomena were insignificant based on every weather condition 
measured over a period of many years.
    Part 431 does not explicitly address the potential public hazard 
posed by

[[Page 15393]]

DFO. However, since 2016, Sec.  431.35(b)(1)(i) has required an 
applicant to demonstrate that the total collective risk does not exceed 
1 x 10^-\4\ EC, where the total risk consists of 
risk posed by impacting inert and explosive debris, toxic release, and 
far-field blast overpressure. Because the RLVs licensed to date under 
part 431 have relatively low potential explosive yields (compared to 
large ELVs), some part 431 license applicants were able to perform 
hazard analyses based on the extremely conservative method prescribed 
by the ANSI S2.20-183 Standard to demonstrate that the public risks due 
to the DFO phenomena were insignificant.
    The FAA proposes to streamline and clarify its regulations on DFO 
analyses. Whereas part 417 regulations and relevant appendices contain 
prescriptive methodology requirements in Appendix A, the proposal would 
distill these sections into performance requirements applicable to both 
launch and reentry flight operations.
    Proposed Sec.  450.137(a) would provide applicants an option to 
perform a DFO risk analysis that demonstrates compliance with public 
safety criteria in proposed Sec.  450.101, either prior to the day of 
the operation, by accounting for all foreseeable conditions within the 
flight commit criteria, or during the countdown using the best 
available input data. If an operator could satisfy Sec.  450.137(a)(1), 
then it would not be required to satisfy Sec.  450.137(a)(2). There are 
at least two different screening analyses that would demonstrate 
compliance with Sec.  450.137(a)(1). Method one would be a very simple 
deterministic window breakage screening analysis. Method two would be a 
simplified risk-based screening analysis. If either screening analysis 
indicates no potential hazards or insignificant risks, with or without 
mitigations, then an operator would not be required to comply with 
Sec.  450.137(a)(2). Conversely, an operator would be required to 
satisfy proposed Sec.  450.137(a)(2) if it could not demonstrate 
compliance with Sec.  450.137(a)(1). Thus, the proposal would provide 
clarity regarding how to determine if a day-of-operations risk analysis 
is necessary, and flexibility to establish flight commit criteria to 
limit the contribution of DFO public risks based on analysis done prior 
to the day of the operation. This clarity and flexibility were lacking 
in both parts 417 and 431.
    Proposed Sec.  450.137(b) would set required performance outcomes 
and the specific factors that a DFO FSA must consider. Substantively, 
Sec.  450.137(b) would contain the same requirements as those currently 
in Sec.  417.229(b). Note that the level of fidelity of the DFO 
analysis would be subject to the requirements in proposed Sec.  
450.101(g), so that the analysis methods used must produce results 
consistent with, or more conservative than, the results available from 
valid benchmarks.
    Proposed Sec.  450.137(c) would clarify the materials an operator 
must submit with its license application, which are generally 
consistent with those currently required to comply with part 417. This 
paragraph would clarify the level of fidelity required for the products 
of a DFO analysis by specifying the key input data and critical model 
elements that an application would be required to describe. The 
proposal would require an application to include: (1) A description of 
the population centers, terrain, building types, and window 
characteristics used as input to the far-field overpressure analysis; 
(2) a description of the methods used to compute the foreseeable 
explosive yield probability pairs, and the complete set of yield-
probability pairs, used as input to the far-field overpressure 
analysis; (3) a description of the methods used to compute peak 
incident overpressures as a function of distance from the explosion and 
prevailing meteorological conditions, including sample calculations for 
a representative range of the foreseeable meteorological conditions, 
yields, and population center locations; (4) a description of the 
methods used to compute the probability of window breakage, including 
tabular data and graphs for the probability of breakage as a function 
of the peak incident overpressure for a representative range of window 
types, building types, and yields accounted for; (5) a description of 
the methods used to compute the PC for a representative 
individual, including tabular data and graphs for the PC, as 
a function of location relative to the window and the peak incident 
overpressure for a representative range of window types, building 
types, and yields accounted for; (6) tabular data and graphs showing 
the hypothetical location of any member of the public that could be 
exposed to a PC of 1 x 10^-\5\ or greater for 
neighboring operations personnel, and 1 x 10^-\6\ or greater 
for other members of the public, given foreseeable meteorological 
conditions, yields, and population exposures; (7) the maximum expected 
casualties that could result from far-field overpressure hazards 
greater given foreseeable meteorological conditions, yields, and 
population exposures; and (8) a description of the meteorological 
measurements used as input to any real-time far-field overpressure 
analysis. It would also require the submission of any additional 
products that allow an independent analysis, as requested by the 
Administrator.
14. Toxic Hazards for Flight
    The FAA proposes to replace current Sec.  417.227 and appendix I to 
part 417 with the following two performance-based regulations: Sec.  
450.139 for toxic hazard analyses for flight operations and Sec.  
450.187 for toxic hazards mitigation for ground operations.
    Currently, the requirements for a toxic release hazard analysis are 
specified in Sec.  417.227. Section 417.277 requires that an FSA 
establish flight commit criteria that protect the public from any 
hazard associated with toxic release and demonstrate compliance with 
the public risk criteria of Sec.  417.107(b). This analysis must 
account for any toxic release that will occur during the proposed 
flight of a launch vehicle or that would occur in the event of a flight 
mishap, and for all members of the public that may be exposed to toxic 
release. Additionally, Sec.  417.405 sets forth the requirements for a 
ground safety analysis, and, although toxic release is not explicitly 
enumerated, a launch operator must identify each potential hazard 
including the sudden release of a hazardous material. Appendix I to 
part 417 provides methodologies for performing toxic release hazard 
analysis for the flight of a launch vehicle and for launch processing 
at a launch site in the U.S. as required by Sec.  417.407(f).
    Similarly, Sec.  431.35 requires that for a reusable launch vehicle 
mission, an applicant must demonstrate that the proposed mission does 
not exceed the acceptable risk defined in Sec.  417.107(b)(1) that 
includes the risk associated with toxic release. Further, Sec.  
431.35(c) requires that an applicant employ a system safety process to 
identify the hazards and assess the risks to public health and safety 
of property associated with the mission. Although parts 431 and 435 
have the same risk criteria for toxic release as are contained in part 
417, unlike part 417, they have no explicit requirements for 
establishing toxic thresholds. Instead, toxic hazards are addressed as 
part of the systems safety process. The lack of definitive requirements 
in parts 431 and 435 has created a lack of clarity as to the 
requirements for toxic release hazard analysis during the system safety 
process.
    The current toxic hazard requirements have a number of 
shortcomings. The

[[Page 15394]]

requirements of Sec.  417.227 are not sufficiently definitive for an 
operator to establish the toxic concentration and exposure duration 
threshold for a toxic propellant, to evaluate toxic hazards for flight 
or for ground operations, to determine a toxic hazard area in the event 
of a release during flight or from a ground operations mishap, or to 
require toxic containment or evacuation of the public from a toxic 
hazard area.
    Conversely, the existing appendix I to part 417 is overly 
prescriptive in defining permissible values for assumptions and data 
inputs to analyses but, as discussed later, lacks important items. In 
many instances, appendix I requires specific methods, formulas, 
acceptable sources, specific conditions, and assumptions. However, 
often these are not the only ways in which the requirements or required 
demonstrations can be made.
    There are numerous examples of the prescriptive nature of appendix 
I to part 417. For example, section I417.3(c)(1) identifies only three 
agencies of the U.S. Government, namely, the Environmental Protection 
Agency, the Federal Emergency Management Agency, and the Department of 
Transportation, that the launch operator is permitted to use as sources 
of toxicant levels of concern (LOC). There are no common standards in 
toxicological dose-response data. The data bases of concentration 
thresholds are different from agency to agency. Specific toxic 
chemicals that are released may not be included in some or many lists, 
and some databases account for exposure durations where others do not. 
Additionally, some databases account for differences in the age and 
vulnerability of populations exposed, while others do not. Furthermore, 
some databases account for differences in the severity of physiological 
responses to exposure, when others do not. Therefore, excluding 
available dose-response databases limits the capability of the operator 
to select the most appropriate LOC. Other U.S Government agencies that 
have established airborne toxic concentration thresholds of exposure, 
including the National Research Council (NRC), the U.S. Occupational 
Safety and Health Administration (OSHA), the National Institute for 
Occupational Safety and Health (NIOSH), the National Oceanic and 
Atmospheric Administration (NOAA), the American Conference of 
Government Industrial Hygienists (ACGIH), the U.S. Department of 
Defense, the National Institutes of Health (NIH), the U.S. National 
Institute of Medicine, and the U.S. National Library of Medicine.
    Other prescriptive examples in Appendix I include section 
I417.3(c)(3) which requires the launch operator to use only one 
formulation to determine the toxic concentration threshold for mixtures 
of two or more toxicants, and section I417.5(c)(2), which prescribes a 
set of single-valued worst-case conditions that a launch operator must 
apply in an analysis of toxic hazard conditions for uncommon or unique 
propellants. Other sections of the appendix mandate specific 
assumptions.\206\
---------------------------------------------------------------------------

    \206\ For example, section I417.7(e)(2), the worst-case release 
scenario for toxic liquids, requires an assumption that liquid 
spreads to one centimeter deep, and that the volatilization rate 
must account for the highest daily maximum temperature occurring the 
past 3 years precluding more severe or more realistic worst-case 
conditions, such as assuming the liquid spreads to a lesser depth, 
exposing a greater surface area for evaporation. This may not be 
conservative enough to provide acceptable public safety in some 
cases.
---------------------------------------------------------------------------

    In addition to being overly prescriptive, Appendix I also contains 
inaccuracies and out of date information. For example, section 
I417.7(b) (Process hazards analysis) provides that an analysis that 
complies with 29 CFR 1910.119(e) satisfies section I417.7(b)(1) and 
(2). However, the specific requirements of 29 CFR 1910.119(e) are not 
completely congruent with the specific requirements of section 
I417.7(b)(1) and (2). In particular, the following requirements of 
section I417.7(b)(2) do not have counterparts in Sec.  1910.119(e): 
location of the source of the release; each opportunity for equipment 
malfunction or human error that can cause an accidental release; and 
each safeguard used or needed to control each hazard or prevent 
equipment malfunctions or human error. Thus, if an operator chooses to 
satisfy Sec.  1910.119(e), important parts of section I417.7(b)(2) may 
not be addressed, such as the location of the source of the release 
which is needed to determine the toxic hazard area necessary to achieve 
toxic containment.
    The tables in appendix I are also problematic and in many cases 
omit important information. For example, Table I417-1, Commonly Used 
Non-Toxic Propellants, contains only three propellants, designated as 
commonly used non-toxic propellants. However, this list leaves other 
non-toxic liquid propellants such as liquid methane or liquefied 
natural gas without an explicit exemption from performing a toxic 
release hazard analysis.
    The FAA proposes to consolidate the requirements for toxic release 
analysis for the launch of an ELV currently contained in parts 415 and 
417, the launch and reentry of an RLV in part 431, and the launch of a 
reentry vehicle other than a reusable launch vehicle in part 435. 
Specifically, the FAA proposes to replace current Sec.  417.227 and 
appendix I to part 417, with two performance-based regulations--
proposed Sec. Sec.  450.139 and 450.187. The proposed requirements 
would apply to all launches and reentries, and would provide more 
definitive application requirements for the toxic release hazard 
analysis.
    Both proposed Sec. Sec.  450.139 and 450.187 would apply to launch 
and reentry vehicles, including all components and payloads that have 
toxic propellants or other toxic chemicals, making it explicitly clear 
that reentry operations require a toxic hazard release analysis where 
the requirement was not previously explicit in parts 431 and 435. The 
FAA decided to split the toxic release analysis regulations into two 
sections, one for flight and the other for ground operations, because 
ground operations and flight operations have different criteria 
available to establish an acceptable level of public safety. 
Specifically, the FAA proposes to apply a quantitative public risk 
acceptability criteria for flight consistent with the risk criteria in 
Sec.  450.101 and to apply a qualitative hazard acceptability criterion 
for ground hazards that is consistent with the standard in Sec.  
450.109(a)(3).\207\
---------------------------------------------------------------------------

    \207\ Section 450.109(a)(3) would require that the risk 
associated with each hazard meets the following criteria: (i) The 
likelihood of any hazardous condition that may cause death or 
serious injury to the public must be extremely remote and (ii) the 
likelihood of any hazardous condition that may cause major damage to 
public property or critical assets must be remote.
---------------------------------------------------------------------------

    Proposed Sec.  450.139(b)(1) would require an operator to conduct a 
toxic release hazard analysis. Additionally, under paragraph (b)(2) an 
operator would be required to manage the risk of casualties that could 
arise from exposure to toxic release either through containing hazards 
in accordance with proposed Sec.  450.139(d) or performing a toxic risk 
assessment under proposed paragraph (e) that protects the public in 
compliance with proposed Sec.  450.101, including toxic release. 
Furthermore, under proposed Sec.  450.139(b)(3) an operator would be 
required to establish flight commit criteria based on the results of 
its toxic release hazard analysis, containment analysis, or toxic risk 
assessment for any necessary evacuation of the public from any toxic 
hazard area.
    Section 450.139(c) would contain the requirements for a toxic 
release hazard analysis, which are currently lacking in

[[Page 15395]]

Sec.  417.227. Specifically, under proposed Sec.  450.139(c) the toxic 
release hazard analysis would require an operator to account for any 
toxic releases that could occur during nominal or non-nominal launch or 
reentry for flight operation. Furthermore, an operator's toxic release 
hazard analysis would be required to include a worst-case release 
scenario analysis or a maximum-credible release scenario analysis for 
each process that involves a toxic propellant or other chemical; 
determine if toxic release can occur based on an evaluation of the 
chemical compositions and quantities of propellants, other chemicals, 
vehicle materials, and projected combustion products, and the possible 
toxic release scenarios; account for both normal combustion products 
and any unreacted propellants and phase change or molecular derivatives 
of released chemicals; and account for any operational constraints and 
emergency procedures that provide protection from toxic release. While 
the proposed Sec.  450.139(c) would contain more definitive 
requirements than current regulations, it would also provide the 
operator more flexibility in the analysis because unlike the current 
regulations it would not require an operator to make specific 
assumptions when performing a worst-case release scenario analysis to 
determine worst-case released quantities of toxic propellants, toxic 
liquids, or toxic gases from ground operations.
    Proposed Sec.  450.139(b)(2) would require an operator to manage 
the risk of casualties arising from toxic release either by containing 
the hazards in accordance with paragraph (d) or by performing a toxic 
risk assessment in accordance with paragraph (e) that protects the 
public in compliance with the risk criteria of Sec.  450.101. If an 
operator chose toxic containment to comply with proposed Sec.  
450.139(b)(2), the operator would be required to manage the risk of 
casualties by either (1) evacuating, or being prepared to evacuate, the 
public from a toxic hazard area, where an average member of the public 
would be exposed to greater than one percent conditional individual 
PC in the case of worst-case release or maximum credible 
release scenario, or (2) by employing meteorological constraints to 
limit a launch operation to times when the prevailing winds would 
transport a toxic release away from populated areas otherwise at risk. 
The conditional individual PC would be computed assuming 
that (1) a maximum credible release event occurs, and (2) average 
members of the public are present along the boundary of the toxic 
hazard area.
    If an operator chose to comply with proposed Sec.  450.139(b)(2) by 
conducting a toxic risk assessment that protects the public in 
compliance with proposed Sec.  450.101, in accordance with Sec.  
450.139(e), the toxic risk assessment would require the operator to 
account for airborne concentration and duration thresholds of toxic 
propellants or other chemicals. For any toxic propellant, other 
chemicals, or combustion product, an operator would be required to use 
airborne toxic concentration and duration thresholds identified in a 
means of compliance accepted by the Administrator. Currently, the 
thresholds set by the Acute Exposure Guideline Level 2 (AEGL-2), the 
Emergency Response Planning Guidelines Level 2 (ERPG-2), or the Short-
term Public Emergency Guidance Level (SPEGL) \208\ would be accepted 
means of compliance for proposed Sec.  450.139(e)(1) (and Sec.  
450.187(d)(1)). These are thresholds designed to anticipate casualty-
causing health effects from exposure to certain airborne chemical 
concentrations. The FAA anticipates, as discussed earlier, that 
additional agencies' threshold values could satisfy the requirements 
and would identify any additional accepted thresholds. By requiring an 
operator to use airborne toxic concentration thresholds identified in a 
means of compliance accepted by the Administrator under proposed Sec.  
450.35, the FAA anticipates that operators would be provided with some 
flexibility to utilize toxic concentration thresholds identified by 
agencies other than the three currently identified in appendix I to 
part 417 thereby enhancing the capability of the operator to select the 
most appropriate LOC for its operation.
---------------------------------------------------------------------------

    \208\ AEGLs are used by EPA, the American Industrial Hygiene 
Association's ERPGs are used by NOAA, and the National Research 
Council's SPEGL is used by the DOD.
---------------------------------------------------------------------------

    An operator also would be required under Sec.  450.139(e)(2) to 
account for physical phenomena (such as meteorological conditions and 
characterization of the terrain) expected to influence any toxic 
concentration and duration in the area surrounding the potential 
release site instead of prescribing a set of single-valued wind speed 
and atmospheric stability classes and dictating how an operator must 
derive the variance of the mean wind directions. Hence, under proposed 
Sec.  450.139(e)(2) the toxic assessment would likely be more 
appropriate for the actual situation. Proposed Sec.  450.139(e)(3) 
would require an operator to determine a toxic hazard area for the 
launch or reentry, surrounding the potential release site for each 
toxic propellant or other chemical based on the amount and toxicity of 
the propellant or other chemical, the exposure duration, and the 
meteorological conditions involved. Finally, under proposed Sec.  
450.139(e)(4) and (5) the toxic assessment would be required to account 
for all members of the public that may be exposed to the toxic release, 
including all members of the public on land and on any waterborne 
vessels, populated offshore structures, and aircraft that are not 
operated in direct support of the launch or reentry, and for any risk 
mitigation measures applied in the risk assessment.
    In many respects, proposed Sec. Sec.  450.139 and 450.187 are 
nearly identical, and the rationale behind the revisions proposed in 
Sec.  450.139 would be the same for proposed Sec.  450.187. As 
discussed previously, proposed Sec.  450.187 would apply to any launch 
or reentry vehicle, including all vehicle components and payloads, that 
uses toxic propellants or other toxic chemicals. Like Sec.  450.139, 
Sec.  450.187(b) would require a toxic hazard analysis.
    Under the proposed rule an operator would be required to manage 
risk from a toxic release hazard or demonstrate compliance with 
proposed Sec.  450.109(a)(3) \209\ with a toxic risk assessment. The 
requirements for a toxic risk assessment under proposed Sec.  
450.187(e) are substantially similar to those of proposed Sec.  
450.139, except that ground operations use a qualitative acceptability 
criteria and flight operations can use quantitative risk criteria. FAA 
has not proposed quantitative criteria for ground operations because 
there are no commonly accepted criteria.
---------------------------------------------------------------------------

    \209\ As discussed earlier, Sec.  450.109(a)(3) would require 
that the risk associated with each hazard meets the following 
criteria: (i) The likelihood of any hazardous condition that may 
cause death or serious injury to the public must be extremely remote 
and (ii) the likelihood of any hazardous condition that may cause 
major damage to public property or critical assets must be remote.
---------------------------------------------------------------------------

    The proposed application requirements under Sec.  450.139(f) toxic 
hazards for flight and under Sec.  450.187(e) for ground operations 
would be similar. The FAA believes that the proposed approach will 
provide applicants with a clear understanding of what the FAA requires 
in order to avoid repeated requests for clarifications and additional 
information. Both would require the applicant to submit: (1) The 
identity of the toxic propellant, chemical, or toxic combustion 
products or derivatives in the possible toxic release; (2) its selected 
airborne toxic concentration and duration thresholds; (3) 
meteorological conditions for the atmospheric

[[Page 15396]]

transport, and buoyant cloud rise of any toxic release from its source 
to downwind receptor locations; (4) characterization of the terrain; 
(5) the identity of the toxic dispersion model used, and any other 
input data; (6) representative results of toxic dispersion modeling to 
predict concentrations and durations at selected downwind receptor 
locations; (7) a description of the failure modes and associated 
relative probabilities for potential toxic release scenarios used in 
the risk evaluation; (8) the methodology and representative results of 
the worst-case or maximum-credible quantity of any toxic release; (9) a 
demonstration that the public will not be exposed to airborne 
concentrations above the toxic concentration and duration thresholds; 
(10) the population density in receptor locations that are identified 
by toxic dispersion modeling as toxic hazard areas; and (11) a 
description of any risk mitigations applied in the toxic risk 
assessment; and (12) the identity of the population database used. Like 
other risk analyses, the FAA may request additional products that allow 
the FAA to conduct an independent analysis.
15. Wind Weighting for the Flight of an Unguided Suborbital Launch 
Vehicle
    The FAA proposes to consolidate three current part 417 provisions 
expressly regulating unguided suborbital launch vehicle operations into 
Sec.  450.141. The proposed rule would retain the performance 
requirements and remove the prescriptive provisions in Sec. Sec.  
417.125 and 417.233. The FAA also proposes to incorporate the 
overarching safety performance requirements in appendix C to part 417 
related to wind weighting analysis products. This proposal applies 
specifically to the flight of unguided suborbital launch vehicles using 
wind weighting to meet the public safety criteria of proposed Sec.  
450.101.
    An unguided suborbital launch vehicle is a suborbital rocket that 
does not contain active guidance or a directional control system. 
Unlike the launch of a guided launch vehicle, an unguided suborbital 
launch vehicle may safely fly by adjusting the launcher azimuth and 
elevation (aiming the rocket) shortly before launch to correct for the 
effects of wind conditions at the time of flight. This process limits 
impact locations to those that minimize public exposure. The FAA refers 
to this safety process as ``wind weighting,'' which involves unique 
organizational and operational safety requirements.
    Section 417.125 provides the broad requirements for launching an 
unguided suborbital launch vehicle. Specifically, it lays out 
provisions for a flight safety system, a wind weighting safety system, 
public risk criteria, stability, tracking, and post launch review. 
Section 417.125(b) requires an applicant to use an FSS if the vehicle 
can reach a populated area and the applicant does not use an effective 
wind weighting system. Section 417.125(c) sets requirements for a wind 
weighting system if that system is used in place of an FSS. It provides 
that the vehicle must not contain a guidance or directional control 
system. It also requires the launcher azimuth and elevation setting to 
be wind weighted to correct for the effects of wind conditions at the 
time of flight in compliance with Sec.  417.233's FSA requirements, and 
requires specific nominal launcher elevation angle for proven (85[deg], 
and 86[deg] with wind correction) and unproven (80[deg], and 84[deg] 
with wind correction) unguided suborbital launch vehicles. These 
prescriptive launch elevation angles are used so that the vehicle does 
not fly uprange. In other words, the rocket should not be angled so 
vertically that winds could force the rocket uprange instead of the 
intended downrange direction. Section 417.125(d) expressly requires 
unguided suborbital launch vehicles to fly in accordance with the 
public risk criteria required for all launch vehicles under part 417.
    In addition, the current rule has stability, tracking, and post-
launch review requirements that are specific to unguided suborbital 
launch vehicles. Section Sec.  417.125(e) requires specific stability 
requirements measured in calibers to ensure that the unguided 
suborbital launch vehicle is stable throughout flight. The tracking 
requirements in Sec.  417.125(f) require that a launch operator track 
impact locations after launch to verify that the preflight wind 
weighting analysis was accurate. Section 417.125(g) is related to post-
launch review and states that the launch operator must provide these 
impact locations, a comparison of actual to predicted nominal 
performance, and investigation results of any launch anomaly.
    Current Sec.  417.233 describes the FSA requirements particular to 
unguided suborbital launch vehicles with wind weighting systems. The 
analyses must establish flight commit criteria, wind constraints under 
which launch may occur, and launcher azimuth and elevation settings 
that correct for wind effects on the launch vehicle. This last 
requirement is known as the wind weighting analysis.
    Appendix C to part 417 contains flight safety methodologies and 
products for an unguided suborbital launch vehicle flown with a wind 
weighting safety system. These includes methodologies and products for 
a trajectory analysis, a wind weighting analysis, a debris analysis, a 
risk analysis, and a collision avoidance analysis. Section C417.3 
requires the launch operator perform a six-degrees-of-freedom 
trajectory simulation in order to determine a nominal trajectory, 
impact point, and potential three-sigma dispersions about the nominal 
impact point. Section C417.5 is related to wind weighting and describes 
the methodology an applicant must use to measure winds and incorporate 
them into the trajectory simulation in order to determine launch 
elevation angle and azimuth settings. The debris (section C417.7) and 
risk (section C417.9) analyses describe methodologies and analysis 
products applicable to all launch vehicles for calculating 
EC. The parts of appendix C that are covered elsewhere in 
the proposed rule because they are applicable to all vehicles have not 
been transferred to proposed Sec.  450.141. This includes the debris, 
risk, and collision avoidance analyses.
    Proposed Sec.  450.141 would consolidate the requirements of 
Sec. Sec.  417.125 and 417.233 and appendix C, but would not carry over 
the detailed methodological and prescriptive requirements. Proposed 
Sec.  450.141(a) would explain that the section applies to the flight 
of an unguided suborbital launch vehicle using a wind weighting safety 
system to meet the public safety criteria of proposed Sec.  450.101. 
The FAA proposes to define a wind weighting safety system as equipment, 
procedures, analysis, and personnel functions used to determine the 
launcher elevation and azimuth setting that correct for wind effects 
that an unguided suborbital launch vehicle will experience during 
flight. The FAA proposes the wind weighting safety system be a means to 
satisfy the safety requirements in proposed Sec.  450.101.
    Proposed Sec.  450.141(b) would set the requirements for the wind 
weighting safety system. It would require that the launcher azimuth and 
elevation angle settings (1) be wind weighted to correct for the 
effects of wind conditions at the time of flight to provide a safe 
impact location, and (2) ensure the rocket will not fly in an 
unintended direction given wind uncertainties. This section would 
replace current Sec.  417.125(b), which requires a flight safety system 
unless the vehicle uses wind weighting or does not have sufficient 
energy to reach a populated area. Rather than the blanket FSS 
requirement in current Sec.  417.125(b), the consequence analysis in 
proposed Sec.  450.135(d) would determine the need

[[Page 15397]]

for an FSS. This section also eliminates the requirement in Sec.  
417.125(c)(3) regarding specific nominal launcher elevation angle for 
proven (85[deg] and 86[deg] with wind correction) and unproven (80[deg] 
and 84[deg] with wind correction) vehicles to prevent the vehicle from 
flying uprange. Rather than requiring specific launcher elevation 
angles to prevent a vehicle from flying uprange, the FAA would require 
an operator to determine what angles would ensure the rocket not fly in 
unintended direction given wind uncertainties. This flexibility would 
allow a licensee to determine the best angle to both maximize mission 
objectives given the particularities of their operation while 
simultaneously ensuring safety.
    Proposed Sec.  450.141(c) would contain FSA performance 
requirements that apply only to the launch of an unguided suborbital 
launch vehicle flown with a wind weighting safety system. It is 
necessary to establish the flight commit criteria and other flight 
safety rules to control risk to the public and satisfies the public 
safety criteria in proposed Sec.  450.101. Proposed Sec.  450.141(c) 
would require an operator to establish any wind constraints under which 
launch could occur, and conduct a wind weighting analysis that 
establishes the launcher azimuth and elevation settings. Proposed Sec.  
450.141(c) is, in essence, the same as Sec.  417.233.
    Proposed Sec.  450.141(d) would require an unguided suborbital 
launch vehicle to remain stable in all configurations throughout each 
stage of powered flight. This performance outcome would eliminate the 
need for the specific prescriptive stability requirements of current 
Sec.  417.125(e), which requires a suborbital launch vehicle be stable 
in flexible body to 1.5 calibers and rigid body to 2.0 calibers 
throughout each stage of powered flight.
    Finally, proposed Sec.  450.141(e) would establish the agency's 
application requirements specific to unguided suborbital launch 
vehicles. The FAA would require a description of wind weighting 
analysis methods, description of wind weighting system and equipment, 
and a sample wind weighting analysis, all derived from part 417, 
appendix C, section C417.5(d). The remainder of appendix C was not 
included in the proposal because these are all prescriptive 
methodologies, or are requirements applying to all launch vehicles 
covered in other sections of the proposal. For instance, the Trajectory 
Analysis of section C417.3 would be covered by proposed Sec. Sec.  
450.117 and 450.119. Except for section C417.5(d) as described earlier, 
section C417.5 was not included in the proposal since this is a 
prescriptive methodology. The methodologies for debris analysis from 
section C417.7 are not in the proposal and the debris analysis proposal 
would now be in proposed Sec.  450.121. Similarly, section C417.9 would 
be covered by proposed Sec.  450.135 without the prescribed 
methodologies. Lastly, the collision avoidance section of the appendix, 
section C417.11 would be covered by proposed Sec.  450.169.

B. Software

    As discussed earlier, the FAA proposes software safety requirements 
in Sec.  450.111. The risk mitigation measures that result from this 
rule are meant to be minimums, and software development processes tend 
to benefit from consistency across projects, so an applicant may apply 
the requirements from its most critical software to all of its 
software, but the FAA does not require that an applicant do so.
    Software can contribute to accidents or losses in several ways. 
Software may contain errors that, in certain system conditions, cause 
unintended behaviors or prevent intended behaviors. Software may also 
perform actions that while correct and intended in isolation, cause 
hazards when interacting with other components or the system as a 
whole. Software may provide accurate information to an operator in a 
manner that confuses the operator, leading to a software-human 
interaction error. Software safety therefore typically requires 
separate analyses of the software, software and computing system 
interaction, and the integration of software, hardware, and humans into 
the entire system.
    Software becomes safety-critical when the applicant uses its 
outputs in safety decisions. The development, validation, and 
evaluation of safety-critical software requires a level of rigor 
commensurate with the severity of the potential hazards and the 
software's degree of control over those hazards. Reliance on software 
differs among operators. For example, some launch systems employ 
Autonomous Flight Safety Systems (AFSS) that rely on rigorously-
developed and thoroughly-tested software to make safety decisions to 
protect the public without human intervention. Other systems require 
human intervention to make safety decisions, such as when a pilot or 
ground transmitter operator must make decisions for launch systems.
    Current FAA licensing regulations segregate software safety 
requirements by type of vehicle (ELV, RLV, or reentry vehicle) in three 
separate sections.\210\ Current software safety regulations in parts 
415, 417, and 431 are flexible. With this flexibility comes 
uncertainty. For example, Sec.  415.123(b) requires that a launch 
operator provide all plans for software development, the results of 
software hazard analyses, and plans and results of software validation 
and verification, but does not give guidance on the minimum-acceptable 
levels of rigor for those products or guidance on their contents. The 
FAA and the operator must determine the appropriate level of rigor, 
scope, and content of each plan and result for each operation. This 
process can be labor-intensive, requiring multiple meetings over a 
period of weeks or months.
---------------------------------------------------------------------------

    \210\ Part 415 covers launch license application procedures for 
ELVs; part 417 addresses launch safety requirements for ELVs, and 
part 431 sets launch license and safety requirements for RLVs.
---------------------------------------------------------------------------

    Also, Sec.  417.123(c), applicable to ELVs, requires that a launch 
operator conduct computing system and software hazard analyses for the 
integrated system. This requirement does not specify the requisite 
forms of the analyses, the scope and contents of the analyses, or the 
application data required to demonstrate compliance with the 
requirement. The FAA and the applicant must negotiate the specifics for 
each of those items for every application. Similarly, Sec.  417.123(d) 
requires that a launch operator develop and implement computing system 
and software validation and verification plans, but is silent regarding 
the contents of the plans. This again requires that the FAA and the 
applicant discuss, often at length, the software test plans for every 
operation.
    Unlike Sec. Sec.  415.123 and 417.123, Sec.  431.35 does not 
contain any explicit references to software safety. However, in 
practice, the FAA has set software safety requirements under the 
current system safety process requirements in Sec.  431.35(c). Pursuant 
to Sec.  431.35(c), the FAA has required applicants satisfy Sec.  
417.123 or demonstrate an equivalent level of safety, in order to meet 
Sec.  431.35 for software safety. This lack of detail forces the FAA 
and applicant to work collaboratively to develop the system safety 
process criteria on a case-by-case basis.
    Operators have offered consistent feedback on the FAA's software 
safety requirements. Applicants frequently asked whether Sec. Sec.  
417.123(b) and 431.35(c)'s verification and validation plan requirement 
included a requirement for independent verification and validation. 
Independent verification and validation is a common

[[Page 15398]]

and effective method of mitigating software hazards for high-
criticality software, one for which there is no known substitute. Thus, 
although not explicitly stated in the regulations, the FAA has required 
independent verification and validation as part of the verification and 
validation requirements in Sec. Sec.  417.123(b) and 431.35(c). The FAA 
considers software testers independent when the test organization is 
independent of the development organization up to the senior-executive 
level. Generally, an in-house software testing team can be sufficiently 
independent to perform a credible independent verification and 
validation function when rigorously insulated from software development 
authorities and incentives. Still more independence may be required for 
highly safety-critical autonomous software, such as an independent 
contractor, depending on the risks and the other mitigation measures 
implemented by the applicant. The FAA has required at least 
independence up to the senior-management level and expected an 
applicant to show evidence of this independence in its application.
    Applicants have also often asked whether the FAA requires 
submissions of software code. The FAA has not historically required 
executable code submissions and does not plan to do so in this 
proposal. Instead, the FAA's requirements focus on the software 
development and testing processes, combined with analysis of the 
software's use in the context of the system as a whole. Firstly, the 
FAA seeks to understand the software development processes used for the 
design, production, verification, and qualification of software to 
determine the code quality. Proposed Sec.  450.111(a), (b), and (c) 
would provide these general software process requirements that are 
independent of the degree of control exercised by a given software 
component. Secondly, the FAA must understand the impacts of the 
software on the system as a whole. It is important to understand design 
risks, which are those risks inherent to the software design and 
architecture; and also process risks, which arise from the software 
development processes and standards of the applicant. The FAA uses 
these two components, process and implementation, to evaluate software 
components and processes for the appropriate level of rigor.
    The FAA must also understand the relationship between software 
actions and system risks to set the appropriate level of rigor. 
Establishing the required level of rigor and understanding its 
implementation form the basis of software safety determinations. 
Configuration management, including version control, then ensures the 
operator uses the intended processes and functionality for the correct 
software in the system's operation.
    Applicants have often sought help in determining whether software 
is safety-critical in accordance with Sec. Sec.  417.123(b) and 
415.123(a). For instance, operators sometimes use software to generate 
information used in safety-critical decisions, such as initiating a 
deorbit burn. The FAA has consistently found software that generates 
information used in safety-critical decisions to be safety-critical 
software, albeit with a low degree of control over the system.
    Applicants have also asked whether the FAA requires redundant 
processing such as running a second instance of a software component on 
a second independent computer, and if so, the required level of risk. 
The FAA has made such determinations based on the hazards involved and 
on the software's degree of control over those hazards. The FAA has 
chosen not to prescribe a requirement for redundant processing because 
such a requirement is best derived from the applicant's individual 
approach to hazard mitigation at the system level. Redundant copies of 
identical software contain identical software faults, so redundant 
processing is best described as a mitigation for hardware failures. The 
proposal would allow for software without redundant processing whenever 
processing redundancy is not necessary to achieve acceptable risk. For 
example, the FAA may not require redundant processing in fail-safe 
systems, low-criticality systems, or where hardware ensures software 
processing integrity by using hardware features such as watchdog timers 
or error-correcting memory.
    In light of the range of design strategies between commercial space 
operators, the FAA realized that a one-size-fits-all approach to 
software safety would not be practical. Instead, in proposed Sec.  
450.111(d) through (g) the FAA would establish requirements for each 
safety category of software. The safety categories, commonly known in 
the software safety industry as ``levels of rigor'' or ``software 
criticality indexes,'' would range from autonomous software with 
catastrophic hazards to software with no safety impact.
    Applicants may rely upon Federal launch range standards to show 
compliance with the proposed rule, provided the standards meet the 
regulations. The FAA maintains awareness of the Federal launch range 
safety standards through the CSWG. The FAA currently incorporates the 
known and coordinated standards maintained by the Federal launch ranges 
into FAA licensing in order to avoid duplication of effort. The Federal 
launch ranges have an extensive launch safety history, and their 
standards meet or exceed the level of safety required by the FAA. The 
FAA intends to retain the ability to apply Federal launch range safety 
standards toward license evaluation and issuance.
    In developing this proposed rule, the FAA has tried to remain 
consistent with prevalent industry standards related to the ``level of 
rigor'' approach to software safety. Specifically, the FAA has used the 
level of rigor approaches applied by the Department of Defense and NASA 
to inform the FAA's proposed level of rigor approach to software safety 
regulation.
    The FAA proposes to use the Department of Defense's MIL-STD-882E 
concept of ``level of rigor'' to categorize software according to the 
amount of risk it presents to the operation and use its ``level of 
rigor tasks'' to derive appropriate regulatory requirements for each 
level of rigor. MIL-STD-882E uses a software hazard severity category 
with a software control category to assign level of rigor tasks to 
software. This method has proven successful in achieving an acceptable 
level of safety for space operations.
    The FAA also used RCC 319, Flight Termination Systems Commonality 
Standard, to develop the requirements for autonomous software in 
proposed Sec.  450.111(d). RCC 319-14 provides detailed software 
requirements for autonomous flight safety systems, which have been 
extensively reviewed by the space community. RCC 319-14 creates 
software categories that combine hazard severity and degree of control 
in a single step, and provides deep detail on the appropriate risk 
reduction tasks for each category. AFSPCMAN 91-712 (draft) is the 
source of RCC 319-14's software categories and risk reduction tasks.
    The FAA also reviewed NASA's Software Safety Standard (NASA-STD-
8719.13C), which provides standards applicable to defining the 
requirements for implementing a systematic approach to software safety. 
Like RCC 319-14, NASA-STD-8719.13C combines software hazard's severity 
with the software's degree of control to assign analysis and testing 
tasks. However, NASA expands its software control category definitions 
to include software autonomy, software complexity, time-criticality, 
and degree of hazard control. The FAA also considered NASA's Software 
Assurance Standard (NASA-STD-8739.8), which provides criticality, risk, 
resource investment, and financial impact categorizations and 
correlates

[[Page 15399]]

these to levels of software assurance effort. These two NASA documents 
provided the FAA with a wealth of potential software safety 
requirements and methods to determine the requirements that would be 
most appropriate for a variety of space systems. These documents also 
provided a checklist of key aspects of software projects that enable 
software safety. The FAA has drawn from these documents the minimum set 
of requirements that would enable space operators to protect the 
public, and the minimum set of data that would enable the FAA to verify 
that space operators will protect the public in the course of their 
innovations.
    Finally, the FAA reviewed the Air Force Space Command's draft 91-
712, Launch Safety Software and Computing System Requirements. The Air 
Force has successfully used 91-712 for military space projects and it 
is the source of many RCC 319-14 requirements. 91-712, and the 
standards discussed earlier, all prescribe increasing the effort 
devoted to software safety in proportion to the severity of the hazards 
that software can create and in proportion to the degree of control 
that software exercises over those hazards.
    The proposed software safety regulations would categorize software 
and computing functions into the following degrees of control as 
defined in proposed Sec.  450.111(d) through (g): Autonomous software, 
semi-autonomous software, redundant fault-tolerant software, 
influential software, and no safety impact.
    This proposal for software safety would address the causes of 
software faults and software failures. Software faults are design flaws 
in software that cause unintended behaviors or prevent intended 
behaviors. Software faults include errors in syntax, definitions, 
steps, or processes that can cause a program to produce an unintended 
or unanticipated result. The presence of software faults might not 
always result in an observable software failure that is evident to the 
user because it may appear to be behaving properly. A software failure, 
in contrast, is an unintended or undesirable event caused by, or 
unintentionally allowed by, one or more software faults. A software 
fault is a defect or vulnerability in software while a software failure 
results from the execution of faulty software.\211\
---------------------------------------------------------------------------

    \211\ An example of a software failure is the ``blue screen of 
death,'' which causes a computer to end all processing. An example 
of software fault is a fault in requirements for measurement units 
and a fault in test procedures. The Mars Climate Orbiter was lost as 
a result of these two faults when one function was written in 
English units while the rest were written in metric.
---------------------------------------------------------------------------

    This proposal would address faults in software requirements by 
analytical means in proposed Sec.  450.111. Specifically, the proposal 
would require an applicant to describe the functions and features, 
including interfaces, of the software. The FAA has interpreted the need 
to describe software to include providing the software requirements for 
each safety-critical software component even though not explicitly 
required by Sec.  431.35 or Sec.  417.123. The proposal therefore 
codifies current practice.
    Software requirements are an excellent, even indispensable, means 
of understanding any software component's safety implications. Software 
requirements, both documented and implied, are the basis of the 
software design and constitute a key part of Sec.  417.123(a) through 
(e) requirement for software designs. The FAA proposes to clarify the 
necessity and scope of software requirements that would be required to 
be included in an application in proposed Sec.  450.111(h). Software 
requirements would need to be documented and analyzed whenever safety-
critical software is present.\212\ Software requirements are frequently 
inherited from system requirements, and both must be internally and 
mutually consistent and valid for the resulting software to work 
safely. A system-level hazard analysis finds out what hazards software 
presents to the system. The software analyses can use the system-level 
analyses as initial assessments of software's criticality when starting 
software safety analyses. If software requirements are flawed, the 
software written to those software requirements will be flawed as well. 
This causal path, where software faults originate in software 
requirements, is the reason for the proposal's focus on identification, 
documentation, validation, and verification of software requirements.
---------------------------------------------------------------------------

    \212\ Implied or undocumented software requirements are common 
sources of software faults.
---------------------------------------------------------------------------

    This proposal addresses faults in implementation by requiring 
specific types of software verification and validation testing in 
proposed Sec.  450.111(d)(4), (e)(4), (f)(3), and (g)(2). This proposal 
would clarify the required types of software verification and 
validation testing that are required under current Sec. Sec.  
417.123(d) and 415.123(b)(8).\213\ Verification and validation are 
standard aspects of a software development cycle and are used together 
to determine that software meets its intended purpose. In this context, 
verification refers to ensuring software meets the software 
requirements and design specifications. Validation ensures that the 
software achieves its intended purpose.\214\ While testing does not 
ensure the absence of software faults, it helps detect and therefore 
reduce their presence.
---------------------------------------------------------------------------

    \213\ Examples of testing include unit testing to verify some of 
the smallest units of code, such as functions, and acceptance 
testing to validate high-level software requirements.
    \214\ Verification takes place while the software is under 
development while validation is performed after completing software 
development and implementation.
---------------------------------------------------------------------------

    The proposal would address faults in configuration with explicit 
requirements to establish and verify software configuration management 
processes. Configuration management is the set of processes that ensure 
that the flight components, including software components, are the 
correct components with the appropriate development and test heritage. 
Faults in configuration management can lead to unsuitable or 
incompatible components in a system, resulting in an increased 
potential for unintended and unsafe system actions.
    Proposed Sec.  450.111(a) would require operators to document a 
process that identifies the risks to the public health and safety and 
the safety of property arising from computing systems and software. 
This is consistent with the Sec.  417.123(a) requirement for a 
description of the computing system and software system safety process. 
It adds no more requirements than part 415 because Sec.  415.123(b)(6) 
requires an applicant to describe the computing system and software 
system safety process as required by Sec.  417.123(a). Unlike Sec.  
431.35(c), proposed Sec.  450.111(a) specifically mentions computing 
systems and software as items to be included in the system safety 
process.
    Proposed Sec.  450.111(b) would require an operator to identify all 
safety-critical functions associated with its computing systems and 
software. The 10 listed functions are a minimum set of items to include 
whenever they are present in a system, because they represent the most 
common safety-critical roles in which software can be employed. For 
example, software used to control or monitor safety-critical systems is 
capable of hazardous actions by definition. Similarly, software that 
accesses safety-critical data is safety-critical because it may alter 
safety-critical data or prevent other components from accessing safety-
critical data at required times. The software safety process must then 
demonstrate that the software that accesses safety-critical data cannot

[[Page 15400]]

cause a hazard by doing so. These requirements are the same as in the 
current Sec.  417.123(b), with the addition of one new criterion for 
software that displays safety-critical information. Proposed Sec.  
450.111 would retain the requirement of Sec.  417.123(b) for the 
identification of safety-critical functions. The proposal would add 
detail and clarity to this requirement, specifying that the identified 
functions must be accompanied by assessments of the criticality of each 
software function. This is normally done by assessing the consequences 
of a functional failure or error and assessing the degree of control 
that the software can exercise to implement the function. The proposal 
would retain the examples of software that may have safety-critical 
functions, with the expectation that the full list of safety-critical 
functions is not limited to the examples. It differs from Sec.  
415.123(b), which describes the documents and materials that the 
applicant must provide, whereas proposed Sec.  450.111(b) would list 
the safety-critical computing system and software functions that must 
be identified and would not list the application requirements in the 
same section. The proposal would depart from Sec.  431.35(d)(3) by 
specifically requiring the applicant to identify all safety-critical 
functions associated with its computing systems and software instead of 
implicitly requiring the identification of safety-critical software as 
part of the process of identifying safety-critical systems.
    Proposed Sec.  450.111(c) would require the identification of 
safety-critical software functions by consequence and degree of 
control. It would elaborate on the requirements of Sec. Sec.  
415.123(a) and 417.123(a), which require the identification and 
assessment of the software risks to public safety by specifying that 
the assessments must include the public safety consequences of each 
safety-critical software function and the degree of control that 
software exercises over the performance of that function. Proposed 
Sec.  450.111(c) would provide the classification for the applicants to 
use while the application requirements are contained in proposed Sec.  
450.111(h). Requiring software degree of control would allow the FAA to 
request less information for software components with reduced or no 
influence on public safety. The proposal would differ from Sec.  431.35 
by explicitly requiring identification of software hazards by function 
and specifying the documentation requirements related to computing 
systems and software in proposed Sec.  450.111(h). Even though this 
language is different from Sec.  431.35, this is not a new requirement.
    The requirements in the proposal vary based on the software degree 
of control and degree of hazard presented. The first and highest degree 
of control is autonomous software. Autonomous software would mean 
software that exercises autonomous control over safety-critical 
systems, subsystems, or components such that a control entity cannot 
detect or intervene to prevent a hazard that may impact public health 
and safety or the safety of property. It is any software that can act 
without an opportunity for meaningful human intervention. The FAA would 
impose the most stringent requirements for autonomous software with 
potential catastrophic public safety consequences. Proposed Sec.  
450.111(d) would set forth five criteria specific to autonomous 
software.
    Under proposed Sec.  450.111(d)(1), the software component would be 
required to undergo full path coverage testing and any inaccessible 
code must be documented and addressed. Full path coverage testing is a 
systematic technique for ensuring that all routes through the code have 
been tested. Path coverage testing includes decision, statement, and 
entry and exit coverage. Proposed Sec.  450.111(d)(1) would retain and 
clarify the current requirements in Sec.  431.35(d). Full path coverage 
testing and documentation of inaccessible code would be required for 
autonomous components because the presence of inaccessible code 
segments presents a potential for the execution of untested 
instructions, which is obviously deleterious for an autonomous system 
that, by definition, depends on the correctness of its instructions for 
safe operation.
    Under proposed Sec.  450.111(d)(2), the software component's 
functions would be required to be tested on flight-like hardware. 
Testing would be required also to include nominal operation and fault 
responses for all functions. The proposal would retain and clarify the 
current requirements in Sec. Sec.  431.35(d) and 415.123(b)(8). Testing 
software components on flight-like hardware, including nominal 
operation and fault responses, is an industry standard for ensuring 
that the software interfaces with the hardware as designed. All 
autonomous safety-critical components require this testing.
    Under proposed Sec.  450.111(d)(3), an operator would be required 
to conduct hazard analyses of computing systems and software for the 
integrated system and for each autonomous, safety-critical software 
component. A software hazard analysis identifies those hazards 
associated with safety-critical computer system functions, assesses 
their risk, identifies methods for mitigating them, and specifies 
evidence of the implementation of those mitigation measures. This 
requirement is currently in Sec. Sec.  415.123(b)(7), 417.123(c), and 
431.35(d)(4). All software components, regardless of degree of control, 
require this analysis for the integrated system. This analysis is also 
required for each autonomous, safety-critical software component. 
Hazard analyses provide the essential foundation for risk assessment 
and management of any system. This analysis is necessary throughout the 
lifecycle of the system, from development to disposal. As a system is 
modified during design, operation, and maintenance, changes to any part 
of the system can lead to unexpected consequences that may incur new 
hazards to public safety. It is important to consider risks that result 
from software and computing errors as a class or subsystem, as well as 
those resulting from the operation and interaction of software with all 
other components of the system.
    Proposed Sec.  450.111(d)(4) would require an operator to validate 
and verify any computing systems and software. Current Sec. Sec.  
415.123(b)(8) and 417.123(d) already require verification and 
validation although this proposed rule would add the requirement that 
testing be conducted by testers who are independent from the software 
developers. Independence is essential because it enables testing of 
cases and conditions that the software developers may not have 
considered or may have inadvertently omitted.
    Under proposed Sec.  450.111(d)(5), an operator would be required 
to develop and implement software development plans as currently 
required in Sec. Sec.  415.123(b)(9) and 417.123(e)(1) through (5). A 
software development plan is a means to consolidate and standardize the 
management of a software development process. These plans would include 
descriptions of coding standards used, configuration control, 
programmable logic controllers, and policies on use of commercial-off-
the-shelf software and software reuse. It would be updated as necessary 
throughout the lifecycle of the project, and may be comprised of one or 
several documents.
    The configuration control of a software development project is 
particularly important to ensure and facilitate an efficient and 
accurate development process. Therefore, the proposal would retain the 
existing, if implicit, requirements of Sec.  417.123(e)(2) to limit 
faults in configuration by

[[Page 15401]]

requiring robust configuration management. Proper configuration 
management ensures consistency and accuracy throughout a system's 
design, development, operation, and maintenance. In software 
engineering terms, it is a fundamental aspect of a disciplined approach 
to the software lifecycle that provides a continuously current baseline 
for the system. The FAA would set configuration management requirements 
for all safety-critical documentation and code, including but not 
limited to software requirements, hazard analysis, test plans, test 
results, change requests, and development plans. Tools, processes, and 
procedures for configuration management are employed throughout the 
software industry.
    Proposed Sec.  450.111(e) would apply to semi-autonomous software, 
with a definition nearly identical to that stated in MIL-STD-882E. The 
FAA regards semi-autonomous software as software that exercises control 
over safety-critical hardware systems, subsystems, or components, 
allowing time for safe detection and intervention by a control entity. 
The software safety requirements for semi-autonomous software are a 
subset of those required for autonomous software as described in 
proposed Sec.  450.111(d).
    Under proposed Sec.  450.111(e)(1), the software component's 
safety-critical functions, as categorized by the process in proposed 
Sec.  450.111(a), (b), and (c), would be required to be subjected to 
full path coverage testing and any inaccessible code must be documented 
and addressed. Proposed Sec.  450.111(e)(1) would retain and clarify 
current Sec.  431.35(d) as described in proposed Sec.  450.111(d)(1). 
The rationale for proposed Sec.  450.111(e)(1) and (d)(1) are 
identical.
    Under proposed Sec.  450.111(e)(2), the semi-autonomous software 
component's safety-critical functions would be required to be tested on 
flight-like hardware, including testing of nominal operation and fault 
responses for all safety-critical functions. Proposed Sec.  
450.111(e)(2) would also retain and clarify the current requirements in 
Sec.  431.35(d) as described in proposed Sec.  450.111(d)(2).
    Under proposed Sec.  450.111(e)(3), an operator would be required 
to conduct computing system and software hazard analyses for the 
integrated system. The proposal would retain the requirement of 
conducting computing system and software hazard analyses that exists in 
current Sec. Sec.  415.123(b)(7), 417.123(c), and 431.35(d)(4). All 
software components, regardless of level of control, would require this 
analysis for the integrated system. The rationale for proposed Sec.  
450.111(e)(3) and (d)(3) are identical.
    Under proposed Sec.  450.111(e)(4), an operator would need to 
verify and validate any computing systems and software related to semi-
autonomous software as described earlier, with the associated 
rationale, for autonomous software relative to proposed Sec.  
450.111(d)(4). This verification and validation would be required to 
include testing by a test team independent of the software development 
division or organization. This would retain the requirement for 
verification and validation of computing systems and software, 
including testing by an independent test team, as currently required in 
Sec. Sec.  415.123(b)(8) and 417.123(d).
    Under proposed Sec.  450.111(e)(5), an operator would be required 
to develop and implement software development plans as currently 
required in Sec. Sec.  415.123(b)(9) and 417.123(e)(1) through (5). The 
rationale for proposed Sec.  450.111(e)(5) and (d)(5) are identical.
    Proposed Sec.  450.111(f) would apply to redundant fault-tolerant 
software, which is defined as software that exercises control over 
safety-critical hardware systems, subsystems, or components, for which 
a non-software component must also fail in order to impact public 
health and safety or the safety of property.\215\ There are redundant 
sources of safety-significant information, and mitigating functionality 
can respond within any time-critical period. The proposal would include 
four criteria for redundant fault-tolerant software.
---------------------------------------------------------------------------

    \215\ MIL-STD-882E elaborates that the definition of redundant 
fault-tolerant assumes that there is adequate fault detection, 
annunciation, tolerance, and system recovery to prevent the hazard 
occurrence if software fails, malfunctions, or degrades.
---------------------------------------------------------------------------

    Proposed Sec.  450.111(f)(1) is consistent with the second criteria 
for autonomous and semi-autonomous software in proposed Sec.  
450.111(d)(2) and (e)(2), in that the software component's safety-
critical functions would be required to be tested on flight-like 
hardware, including testing of nominal operation and fault responses 
for all safety-critical functions. The proposal would retain and 
clarify the current requirements in Sec.  431.35(d).
    Proposed Sec.  450.111(f)(2) would repeat the third criteria for 
autonomous and semi-autonomous software as described in proposed Sec.  
450.111(d)(3) and (e)(3). It would require that an operator conduct 
computing system and software hazard analyses for the integrated 
system. The proposal would retain the requirement of conducting 
computing system and software hazard analyses that exists in the 
current Sec. Sec.  415.123(b)(7), 417.123(c), and 431.35(d)(4). All 
software components, regardless of level of control, would require this 
analysis for the integrated system. The rationale for this part is the 
same as that for proposed Sec.  450.111(d)(3).
    Under proposed Sec.  450.111(f)(3), an operator would be required 
to verify and validate any computing systems and software related to 
redundant fault-tolerant software as described earlier, with associated 
rationale, for autonomous software related to proposed Sec.  
450.111(d)(4) and semi-autonomous software in proposed Sec.  
450.111(e)(4). This verification and validation would be required to 
include testing by a test team independent of the software development 
division or organization. This would retain the requirement for 
verification and validation of computing systems and software, 
including testing by an independent test team, as currently required 
under Sec. Sec.  415.123(b)(8) and 417.123(d).
    Under proposed Sec.  450.111(f)(4), an operator would be required 
to develop and implement software development plans as currently 
required under Sec. Sec.  415.123(b)(9) and 417.123(e)(1) through (5). 
The same rationale applies here as for proposed Sec.  450.111(d)(5) and 
(e)(5).
    Proposed Sec.  450.111(g) would apply to software that provides 
information to a person who uses the information to take actions or 
make decisions that can impact public health and safety or the safety 
of property, but does not require operator action to avoid a mishap. 
Influential software provides information that is used in safety-
critical decisions, but cannot cause a hazard on its own. The proposal 
would include three criteria for influential software.
    Proposed Sec.  450.111(g)(1) would require an operator to conduct 
computing system and software hazard analyses for the integrated 
system. The proposed rule would retain the requirement of conducting 
computing system and software hazard analyses that exists in the 
current Sec. Sec.  415.123(b)(7), 417.123(c), and 431.35(d)(4). All 
software components, regardless of level of control, would require this 
analysis for the integrated system. The rationale for this proposed 
section is the same as that for proposed Sec.  450.111(d)(3).
    Proposed Sec.  450.111(g)(2) would require an operator to verify 
and validate any computing systems and software related to influential 
software. This verification and validation would be required to include 
testing by a test

[[Page 15402]]

team independent of the software development division or organization. 
This would retain the requirement for verification and validation of 
computing systems and software, including testing by an independent 
test team, as currently required under Sec. Sec.  415.123(b)(8) and 
417.123(d). The rationale for this proposed section is the same as that 
for proposed Sec.  450.111(d)(4).
    Proposed Sec.  450.111(g)(3) would require an operator to develop 
and implement software development plans as required in existing 
Sec. Sec.  415.123(b)(9) and 417.123(e)(1) through (5). The same 
rationale applies here as for proposed Sec.  450.111(d)(5), (e)(5), and 
(f)(4).
    Proposed Sec.  450.111(h) would retain the application requirements 
of Sec. Sec.  415.123 and 417.123, but would vary in the required 
amount of detail according to the level of control of the software. The 
amount of application materials would depend on the software 
component's risk to safety. The proposal would differ from Sec.  431.35 
by expressly requiring documentation related to computing systems and 
software. This requirement was implicit in Sec.  431.35 and the FAA has 
requested these documents in practice. The FAA would require 
descriptions of software components with no safety impact but would not 
impose process requirements. This information would be required to 
supplement the vehicle description requirements contained elsewhere in 
this proposal. It would also lead to a shared understanding of the 
systems and components that do not have known safety significance 
allowing the FAA only cursorily to review those systems during the 
license application evaluation without undue concern over undocumented 
systems, functions, or features.

C. Changes to Parts 401, 413, 414, 420, 437, 440

1. Part 401--Definitions
    The FAA proposes to modify definitions in parts 401, 414, 417, 420, 
437, and 440. This would include adding new definitions to or modifying 
current definitions in Sec.  401.5 (Definitions) to align with the new 
proposed regulations. The FAA also proposes to clarify and move some of 
the definitions that are currently in part 417 to proposed part 450. 
Also, the proposal would not retain some of the definitions currently 
in part 417. Finally, the FAA proposes to remove various current 
definitions from Sec. Sec.  401.5 and 420.5.
    The FAA proposes to add new definitions to Sec.  401.5. These 
definitions would be necessary additions to accompany the proposed part 
450 requirements, especially in the area of flight safety analysis. 
Proposed Sec. Sec.  450.113 through 450.139 would require the addition 
of ``Casualty Area,'' ``Critical Asset,'' ``Deorbit,'' ``Dose-Response 
Relationship,'' ``Disposal,'' ``Effective Casualty Area,'' ``Expected 
Casualty,'' ``Flight Abort,'' ``Flight Abort Rules,'' ``Flight Hazard 
Area,'' ``Liftoff,'' ``Limits of a Useful Mission,'' ``Orbital 
Insertion,'' and ``Probability of Casualty.'' Most important within 
that group are ``Critical Asset,'' which is driven by proposed 
protection criteria for assets that are essential to the national 
interests of the United States, and ``Disposal,'' which is driven by 
proposed upper stage disposal risk criteria. The other terms and 
associated definitions that would be added to support proposed 
Sec. Sec.  450.113 through 450.139 are referenced in the proposed FSA 
requirements.
    The proposed system safety regulations would require the addition 
of the following terms and associated definitions: ``Hazard Control'' 
and ``Launch or Reentry System.'' Proposed Sec.  450.101(a)(1) and 
(b)(1) would require a definition for ``Neighboring Operations 
Personnel''; proposed Sec.  450.107(b) would require a clear definition 
of ``Physical Containment''; proposed Sec.  450.111 would require a 
definition for ``Control Entity'' and ``Software Function''; proposed 
Sec. Sec.  450.139 and 450.187 would require a definition for ``Toxic 
Hazard Area.'' Proposed Sec.  450.101(c) would require the addition of 
``Vehicle Response Mode.'' The collision avoidance requirements in 
proposed Sec.  450.169 would require the addition of ``Reentry Window'' 
and ``Window Closure'' to Sec.  401.5, while the unguided suborbital 
requirements in proposed Sec.  450.141 would require the addition of 
``Unguided Suborbital Launch Vehicle'' and ``Wind Weighting Safety 
System.''
    These new definitions are discussed in detail in corresponding 
sections of this preamble, including the proposed meaning and usage.
    Current Sec.  401.5 definitions that would be modified by this rule 
are as follows: ``Contingency Abort,'' which would be simplified; 
``Flight Safety System,'' which would be simplified to incorporate the 
new term ``Flight Abort;'' and ``Instantaneous Impact Point,'' which 
would remove drag effects and clarify that this term means a predicted 
impact point. ``Mishap'' would be defined as having four classes or 
categories, from most to least severe, based on lessons learned as 
discussed earlier in this preamble. The current definition of ``Public 
Safety'' would be removed from Sec.  401.5 and the definition of 
``Public'' would be removed from Sec.  420.5, and a new definition for 
``Public'' would be added to Sec.  401.5. ``Launch'' and ``Reenter; 
Reentry'' would be modified to remove language that further scopes what 
aspects of space transportation are licensed, as discussed earlier. 
Scoping language would be transferred to proposed Sec.  450.3. ``Safety 
Critical'' would be modified to remove the last sentence because it is 
unnecessary. The definition for ``State and United States'' would fix a 
minor printing error.
    Section 417.3 contains the definitions for part 417, only some of 
which would be preserved and added to Sec.  401.5 by this proposed 
rulemaking. These are ``Command Control System,'' ``Countdown,'' 
``Crossrange,'' ``Data Loss Flight Time,'' ``Downrange,'' ``Explosive 
Debris,'' ``Flight Abort Crew,'' ``Flight Safety Limit,'' ``Gate,'' 
``Launch Window,'' ``Normal Flight,'' ``Normal Trajectory,'' 
``Operating Environment,'' ``Operation Hazard,'' ``Service Life,'' 
``System Hazard,'' ``Sub-Vehicle Point,'' ``Tracking Icon,'' and 
``Uprange.'' A number of changes have been made as follows:
     ``Command Control System'' would be modified to take out 
unnecessary detail.
     ``Countdown,'' ``Downrange,'' ``Explosive Debris,'' and 
``Normal Flight'' would be modified to add reentry.
     ``Crossrange,'' ``Launch Window,'' ``Normal Trajectory,'' 
``Service Life,'' and ``System Hazard'' would be unchanged.
     The term ``Flight Abort Crew'' would be changed from 
``Flight Safety Crew,'' and would be simplified.
     ``Operating Environment'' would be changed to add reentry, 
and would use the term ``lifecycle'' within the definition instead of 
the limiting reference to acceptance testing, launch countdown, and 
flight.
     ``Operation Hazard'' would be modified to clarify that a 
system hazard is not an operation hazard.
     The term ``Protected Area'' would be removed, and the term 
``Uncontrolled Area'' would be added to Sec.  401.5 but with the 
inclusion of a launch or reentry site operator, an adjacent site 
operator, or other entity by agreement who can control an area of land.
     The term ``Service life'' would be changed to replace 
reference to a flight termination system component with any safety-
critical system component.
     The last sentence in ``Sub-Vehicle Point'' and ``Uprange'' 
would be

[[Page 15403]]

removed because these sentences are unnecessary.
     ``Tracking Icon'' would be modified to include autonomous 
flight safety systems.
     ``Data Loss Flight Time,'' ``Flight Safety Limit,'' and 
``Gate'' would be changed as discussed earlier in this preamble.
    In part 414, ``Safety Approval'' would be changed to ``Safety 
Element Approval,'' so that a part 414 approval is not confused with a 
proposed part 450 safety approval. Its meaning, however, would remain 
the same as discussed earlier in this preamble.
    The definition of ``Maximum Probable Loss (MPL)'' in Sec.  440.3 
would be modified to include Neighboring Operations Personnel.
    The definition of ``Anomaly'' would be removed from part 437 and 
added to Sec.  401.5 with a revised meaning.
    Definitions that would not be retained from part 417 are ``Command 
Destruct Systems,'' ``Conjunction on Launch,'' ``Destruct,'' ``Drag 
Impact Point,'' ``Dwell Time,'' ``Fail-Over,'' ``Family Performance 
Data,'' ``Flight Safety System,'' ``Flight Termination System,'' 
``Inadvertent Separation Destruct System,'' ``In-Family,'' ``Launch 
Azimuth,'' ``Launch Crew,'' ``Launch Wait,'' ``Meets Intent 
Certification,'' ``Non-Operating Environment,'' ``Operating Life,'' 
``Out-of-Family,'' ``Passive Component,'' ``Performance 
Specifications,'' ``Safe-Critical Computer System Function,'' ``Storage 
Life,'' and ``Waiver.'' These would no longer be a part of commercial 
space regulations because they have been replaced with different terms 
(i.e., ``Conjunction on Launch'' and ``Launch Wait''), are already 
defined in Sec.  401.5 (i.e., ``Flight Safety System''), or are simply 
not used (all others).
    This proposed rule would also remove from Sec.  401.5, ``Human 
Space Flight Incident,'' ``Launch Accident,'' ``Launch Incident,'' 
``Reentry Accident,'' and ``Reentry Incident.'' In addition, it would 
remove ``Launch Site Accident'' from Sec.  420.5. These definitions 
would be removed because of the proposed changes in definitions related 
to mishaps. The proposed rule would also remove from Sec.  401.5 
``Emergency Abort,'' because it is no longer in use, and ``Vehicle 
Safety Operations Personnel,'' because those personnel are referred to 
as ``Safety Critical Personnel'' in proposed part 450.
    The FAA also proposes to remove the definition of ``Instantaneous 
Impact Point'' from Sec.  420.5. This definition would be removed 
because a new definition with a modified meaning would be added to 
Sec.  401.5.
2. Part 413--Application Procedures
i. Sec.  413.1 Clarification of the Term ``Application''
    The FAA proposes to modify Sec.  413.1 to clarify the term 
``application.'' Specifically, the FAA would add to Sec.  413.1 that 
the term application means either an application in its entirety, or a 
portion of an application for incremental review and determination in 
accordance with Sec.  450.33. This change is necessary to enable 
incremental review as discussed earlier.
ii. Sec.  413.21 Denial of a License or Permit Application
    The FAA proposes to correct the section heading of Sec.  413.21 to 
reflect the content of the section, and also correct paragraph (c) of 
this section to reference both license and permit applications.
    Section 413.21 applies to a license or permit application. However, 
the section heading and paragraph (c) of this section only reference 
``license.'' To correct this oversight, the FAA proposes to revise the 
section heading to read, ``Denial of a license or permit application.'' 
In addition, the FAA proposes to remove the reference to ``license'' 
from paragraph (c) so that it would apply to both license and permit 
applications.
iii. ``Complete Enough'' and ``Sufficiently Complete''
    The FAA proposes to change the term ``sufficiently complete'' in 
part 414 to ``complete enough,'' as used in Sec.  413.11, because the 
two terms mean the same thing. That is, they both describe the point at 
which the FAA has determined it has sufficient information to accept an 
application and begin its evaluation to make findings regarding issuing 
a license or permit.
    Section 413.11 uses ``complete enough'' to describe when the FAA 
will accept an application and begin its review for a launch license or 
permit. The original intent was to use the same term in other chapter 
III sections. However, the term ``sufficiently complete'' in Sec. Sec.  
414.15(a), 415.107(a), and 417.203(c) was never changed to ``complete 
enough.''
    Therefore, the agency proposes to change the term ``sufficiently 
complete'' to ``complete enough'' for consistency and clarity. The 
proposed change would be made in part 414 and in proposed part 450, 
since parts 415 and 417 would be consolidated under this new part.
iv. Electronic Submission
    This rule proposes to amend Sec.  413.7(a)(3) to allow an applicant 
the option to submit its application by email as a link to a secure 
server, and remove the requirement that an application be in a format 
that cannot be altered.
    In 2015, the FAA published the ``Electronic Applications for 
Licenses, Permits, and Safety Approvals'' rule.\216\ In that rule, the 
FAA made the application process more flexible and efficient by 
providing an applicant with the option to submit applications to the 
FAA electronically, either via email or on an electronic storage 
device, rather than submitting a paper application. Specifically, Sec.  
413.7(a)(3) requires that an application made via email be submitted as 
an email attachment to [email protected] in a format that cannot 
be altered. The FAA's intent was to allow applicants to transact with 
the agency electronically, in accordance with the Government Paperwork 
Elimination Act. However, since the rule published, the FAA has found 
that many of the files containing the necessary application materials 
are too large to be transmitted successfully by email. When this 
occurs, applicants have transmitted an email message with a File 
Transfer Program (FTP) link or a link to a digital repository where the 
materials can be downloaded by the FAA. The FAA has found this to be an 
acceptable means of submitting an application. Because the FAA proposes 
to amend application procedures in this rulemaking, the FAA also 
proposes to align the regulations with the current acceptable practice 
of allowing this form of electronic application submission. 
Accordingly, the FAA proposes to amend Sec.  413.7(a)(3) to allow an 
applicant the option to submit its application by email as a link to a 
secure server.
---------------------------------------------------------------------------

    \216\ Electronic Applications for Licenses, Permits, and Safety 
Approvals, Direct Final Rule. 80 FR 30147 (May 27, 2015).
---------------------------------------------------------------------------

    Additionally, the 2015 rulemaking identified that in requiring a 
file format that could not be altered, the FAA would accept a PDF 
document or a read-only Word file. Because both of these file types can 
actually be modified, the FAA has found it is impossible to comply with 
the requirement in Sec.  413.7(a)(3)(ii). However, the need for 
document and version control of applications still exists for accurate 
record keeping and to ensure that the application materials the FAA 
evaluates and enforces represent the final and accurate submission from 
the applicant and have not been altered in any way. As nearly every 
form of electronic file submitted could be altered in some way or 
another, the FAA proposes to replace the current Sec.  413.7(a)(3)(ii) 
with a new

[[Page 15404]]

requirement that an applicant's email submission would be required to 
identify each document appended to the email, including any that are 
included as an attachment or that are stored on a secure server. The 
FAA further proposes to include a new Sec.  413.7(a)(3)(iii) which 
would require all electronic files be date stamped and include version 
control documentation. The replacement of Sec.  413.7(a)(3)(ii) and the 
addition of Sec.  413.7(a)(3)(iii) would further the FAA's intent to 
prevent any unrecognized alteration.
    The proposed amendments to Sec.  414.13(a)(3) would mirror the 
proposed text of Sec.  413.7(a)(3). The FAA also proposes to remove 
Sec.  414.11(a)(3) because those requirements would be addressed in the 
proposed text of Sec.  414.13(a)(3). These changes would remove 
unactionable application requirements and replace them with regulations 
that align with current practice and practicable compliance.
    The FAA also proposes to change the heading of part 413 from 
``License Application Procedures'' to ``Application Procedures.'' The 
proposed heading change reflects the multiple application procedures 
under part 413, which includes launch and reentry licenses, launch and 
reentry site licenses, and experimental permits. The FAA proposes this 
title change to improve the regulatory clarity for future experimental 
permit applicants.
3. Part 414--Safety Element Approvals
    As discussed earlier, the FAA proposes to change the part 414 term 
from ``safety approval'' to ``safety element approval'' to distinguish 
it from ``safety approval'' as used in parts 415, 431, and 435, and 
proposed part 450. Also, the FAA proposes to modify part 414 to enable 
applicants to request a safety element approval in conjunction with a 
license application as provided in proposed part 450.\217\
---------------------------------------------------------------------------

    \217\ Discussion on safety element approval changes to part 414 
can be found in the Process Improvements section A portion of this 
preamble.
---------------------------------------------------------------------------

4. Part 420--License To Operate a Launch Site
    As discussed earlier, the proposal would modify the environmental 
requirements in Sec.  420.15 to match the environmental requirements in 
proposed Sec.  450.47. Also, the proposal would remove the definitions 
of ``instantaneous impact point,'' ``launch site accident,'' and 
``public'' from Sec.  420.5, and allow alternate time frames in Sec.  
420.57. In addition, it would change the heading of Sec.  420.59 from 
``Launch Site Accident Investigation Plan'' to ``Mishap Plan,'' and 
modify the section as discussed earlier. Further, it would make a minor 
edit in Sec.  420.51.
5. Part 433--License To Operate a Reentry Site
    As discussed earlier, the proposal would modify the environmental 
requirements in Sec. Sec.  433.7 and 433.9 to align them with the 
environmental requirements in proposed Sec.  450.47.
6. Part 437--Experimental Permits
    As discussed earlier, the FAA proposes to modify part 437 
(Experimental Permits) in six ways. First, the proposal would remove 
the definition of ``anomaly'' from Sec.  437.3 and include a modified 
version in Sec.  401.5. Second, the proposal would modify the 
environmental requirements in Sec.  437.21(b)(1) to match the 
environmental requirements proposed in Sec.  450.47. Third, it would 
change the name of ``safety approval'' to ``safety element approval'' 
in Sec.  437.21. Fourth, it would modify the mishap plan requirements 
in Sec. Sec.  437.41 and 437.75. Fifth, it would change the 
requirements for collision avoidance to match proposed Sec.  450.169. 
Sixth, it would allow for alternate time frames in Sec.  437.89.
7. Part 440--Financial Responsibility
    As discussed earlier, the FAA proposes to modify Sec.  440.15 to 
allow for alternate time frames, and modify the definition of ``maximum 
probable loss'' in Sec.  440.3 to align it with the new, proposed 
definition of ``neighboring operations personnel.''

IV. Regulatory Notices and Analyses

A. Regulatory Evaluation

    Changes to Federal regulations must undergo several economic 
analyses. First, Executive Order 12866 and Executive Order 13563 direct 
that each federal agency shall propose or adopt a regulation only upon 
a reasoned determination that the benefits of the intended regulation 
justify its costs. Second, the Regulatory Flexibility Act of 1980 (Pub. 
L. 96-354) requires agencies to analyze the economic impact of 
regulatory changes on small entities. Third, the Trade Agreements Act 
(Pub. L. 96-39 as amended) prohibits agencies from setting standards 
that create unnecessary obstacles to the foreign commerce of the United 
States. In developing U.S. standards, the Trade Agreements Act requires 
agencies to consider international standards and, where appropriate, 
that they be the basis of U.S. standards. Fourth, the Unfunded Mandates 
Reform Act of 1995 (Pub. L. 104-4) requires agencies to prepare a 
written assessment of the costs, benefits, and other effects of 
proposed or final rules that include a Federal mandate likely to result 
in the expenditure by State, local, or tribal governments, in the 
aggregate, or by the private sector, of $100 million or more annually 
(adjusted for inflation with base year of 1995). The FAA has provided a 
more detailed Preliminary Regulatory Impact Analysis of the benefits 
and costs of this proposed rule in the docket of this rulemaking. This 
portion of the preamble summarizes this analysis.
    In conducting these analyses, the FAA has determined that this 
proposed rule: (1) Has benefits that justify its costs, (2) is not an 
economically ``significant regulatory action'' as defined in section 
3(f) of Executive Order 12866, (3) is ``significant'' as defined in 
DOT's Regulatory Policies and Procedures, (4) will have a significant 
economic impact on a substantial number of small entities, (5) will not 
create unnecessary obstacles to the foreign commerce of the United 
States, and (6) will not impose an unfunded mandate on state, local, or 
tribal governments, or on the private sector by exceeding the threshold 
identified earlier. These analyses are summarized below.
Baseline Problem and Statement of Need
    The FAA is proposing this deregulatory action to comply with 
President Donald J. Trump's Space Policy Directive-2 (SPD-2) 
``Streamlining Regulations on Commercial Use of Space.'' The directive 
instructed the Secretary of Transportation to publish for notice and 
comment, proposed rules rescinding or revising the launch and reentry 
licensing regulations. Section 2 of SPD-2 charged the Department of 
Transportation with revising regulations to require a single license 
for all types of commercial space flight operations and replace 
prescriptive requirements with performance-based criteria. The subject 
proposed rule would implement this section of SPD-2.
    The FAA's existing regulations have been criticized as overly-
prescriptive, lacking sufficient clarity, outdated, and inconsistent 
with the requirements of other Government agencies. The regulations for 
ELV launches in parts 415 and 417 have proven to be too prescriptive 
and one-size-fits-all. The requirements of these parts were written in 
a very detailed fashion, which has caused some sections to become 
outdated or obsolete. In contrast, the regulations for RLV launches 
have proven to be too general, lacking

[[Page 15405]]

regulatory clarity. For example, part 431 does not contain specificity 
regarding the qualification of flight safety systems, acceptable 
methods for flight safety analysis, and ground safety requirements.
    The purpose of the proposed rule is to streamline and simplify the 
licensing of launch and reentry operations by relying on performance-
based regulations rather than prescriptive regulations. This action 
would consolidate and revise multiple commercial space launch and 
reentry regulations addressing licensing into a single regulatory part 
that states safety objectives to be achieved for the launch of 
suborbital and orbital expendable and reusable launch vehicles, and the 
reentry of reentry vehicles. This action would also enable flexible 
timeframes, remove unnecessarily burdensome ground safety regulations, 
redefine when launch begins to allow specified pre-flight operations 
prior to license approval, and allow applicants to seek a license to 
launch from multiple sites. This proposal is necessary to reduce the 
need to file and process waivers, improve clarity of the regulations, 
and relieve administrative and cost burdens on industry and the FAA. 
The intended effect of this action is to make commercial space 
transportation regulations more efficient and effective, while 
maintaining public safety.
    Since the last comprehensive update to the regulations in 2006, the 
differences between ELVs and RLVs have blurred. Vehicles that utilize 
traditional flight safety systems now are partially reusable. For 
example, the Falcon 9 first stage, launched by Space Exploration 
Technologies Corp. (SpaceX), routinely returns to the launch site or 
lands on a barge and other operators are developing launch vehicles 
with similar capabilities. Although the reuse of safety critical 
systems or components can have public safety implications, labeling a 
launch vehicle as expendable or reusable has not shown to impact the 
primary approach necessary to protect public safety, certainly not to 
the extent suggested in the differences between part 431 and parts 415 
and 417.
    This deregulatory action would consolidate and revise multiple 
commercial space regulatory parts to apply a single set of licensing 
and safety regulations across several types of operations and vehicles. 
It would also replace many prescriptive regulations with performance-
based regulations, giving industry greater flexibility to develop a 
means of compliance that maximizes their business objectives. This 
proposed rule would result in net cost savings for industry and enable 
future innovation in U.S. commercial space transportation.
Affected Operators and Launches
    At the time of writing based on FAA license data, the FAA estimates 
this proposed rule would affect 12 operators that have an active 
license or permit to conduct launch or reentry operations. In addition, 
the FAA estimates this proposed rule would affect approximately 276 
launches over the next 5 years based on actual launch and reentry 
numbers and forecasted numbers.\218\ The FAA anticipates that the 
proposed rule would reduce the costs of current and future launch 
operations by removing current prescriptive requirements that are often 
burdensome to meet or require a waiver. The FAA expects these changes 
would lead to more efficient launch operations and have a positive 
effect on expanding the number of future launch and reentry operations.
---------------------------------------------------------------------------

    \218\ See the Preliminary Regulatory Impact Analysis of this 
proposed rule in the docket for more information. The FAA Office of 
Commercial Space Transportation derived the launches affected by 
this proposed rule for a 5-year period of analysis due to the 
rapidly changing environment of commercial space transportation.
---------------------------------------------------------------------------

Summary of Impacts
    Over a 5-year period of analysis, this proposed rule would result 
in net present value cost savings to industry of about $19 million 
using a 7% discount rate or about $21 million using a 3% discount rate, 
with annualized net cost savings to industry of about $4.6 million 
using either discount rate. This proposed rule would also result in net 
present value savings for FAA of about $0.8 million using a 7% discount 
rate or about $1 million using a 3% discount rate, with annualized net 
cost savings to FAA of about $0.2 million using either discount rate.
    The largest quantified cost savings for industry would result from 
eliminating or relaxing requirements for a flight safety system on some 
launches (about $11 million in present value savings over 5 years at a 
discount rate of 7% or about $12 million at a discount rate of 3%) and 
from reducing the number of personnel that would have to be evacuated 
from neighboring launch sites (about $8 million in present value 
savings over 5 years at a discount rate of 7% or about $9 million at a 
discount rate of 3%). These cost savings are described in more detail 
below.
    The FAA proposes to move from prescriptive flight safety system 
requirements to performance-based requirements. As a result, the 
proposed rule would not require all launch vehicles to have a full 
flight safety system. Launch vehicles that have a very low probability 
of multiple casualties even if vehicle control fails would not be 
required to have a flight safety system. In addition, vehicles that 
have moderately low probability of casualty even if vehicle control 
fails would not be required to have robust flight safety systems.\219\ 
These performance-based requirements would reduce costs for some 
vehicle operators, especially for small vehicles or those operating in 
remote locations.
---------------------------------------------------------------------------

    \219\ See discussion in the preamble regarding being compliant 
with the flight safety systems of part 417.
---------------------------------------------------------------------------

    The proposed rule would provide a new definition of neighboring 
operations personnel and establish new criteria for neighboring launch 
site personnel for the purposes of risk and financial responsibility. 
The change would allow affected operators to potentially reduce the 
number of personnel that have to evacuate and enable more concurrent 
operations by accepting a small safety risk tradeoff. The FAA has 
monetized the value of this small increased safety risk as summarized 
in the following tables. The FAA estimates the present value of these 
small increased safety risks to be about $1.4 million discounted at 7% 
or about $1.5 discounted at 3% over the five years.
    The FAA estimates some small costs to industry that would assist 
both industry and the FAA in the implementation of this proposed rule, 
such as providing information to the FAA that other agencies frequently 
request or performing one-time updates of flight safety limit analyses 
and ground hazard analyses that would be used to determine performance-
based means of compliance that provide future savings. In addition, 
there may be additional costs for the modification of existing licenses 
to benefit from the cost saving provisions of this proposed rule. The 
FAA would also incur small costs for payload review, ground hazard 
analysis, and the review of modifications to existing licenses.
    The following table summarizes total quantified savings, costs, and 
net impacts.

[[Page 15406]]



                        Summary of Total 5-Year Quantified Savings, Costs and Net Impacts
                                       [Presented in thousands of dollars]
----------------------------------------------------------------------------------------------------------------
                                                     Industry        Industry
                     Impact                        present value   present value    FAA present     FAA present
                                                       (7%)            (3%)         value (7%)      value (3%)
----------------------------------------------------------------------------------------------------------------
Cost Savings....................................       $19,386.1       $21,844.5        $1,045.7        $1,208.9
Costs...........................................          -542.6          -569.5          -222.3          -237.0
                                                 ---------------------------------------------------------------
    Net Cost Savings............................        18,843.5        21,275.0           823.4           971.8
                                                 ---------------------------------------------------------------
        Annualized Net Cost Savings.............         4,595.7         4,645.5           200.8           212.2
----------------------------------------------------------------------------------------------------------------
Increased Safety Risks..........................        -1,370.2        -1,540.6  ..............  ..............
                                                 ---------------------------------------------------------------
    Net Cost Savings less Increased Safety Risks        17,473.3        19,734.4           823.4           971.8
                                                 ---------------------------------------------------------------
        Annualized Net Cost Savings less                 4,261.6         4,309.1           200.8           212.2
         Increased Safety Risks.................
----------------------------------------------------------------------------------------------------------------
Table notes: The sum of individual items may not equal totals due to rounding. Negative signs are used to
  indicate costs and increased safety risks in this table. Present value estimates provided at 7% and 3% per OMB
  guidance.

    The following table summarizes quantified impacts by provision 
category.

                    Summary of 5-Year Quantified Savings, Costs and Net Impacts by Provisions
                                       [Presented in thousands of dollars]
----------------------------------------------------------------------------------------------------------------
                                                     Industry        Industry
            Provision category/impact              present value   present value    FAA present     FAA present
                                                       (7%)            (3%)         value (7%)      value (3%)
----------------------------------------------------------------------------------------------------------------
Waiver Avoidance:
    --Definition of Launch......................           $32.8           $36.7           $10.3           $11.5
    --Waterborne Vessel Hazard Areas............            65.6            73.3            20.5            22.9
    --Waiver for 48 Hour Readiness..............            41.0            45.8            12,8            14.3
System Safety Program--Safety Official..........            39.1            43.7            45.7            51.0
Duration of a Vehicle License...................            50.6            56.5           104.3           116.5
Readiness--Elimination of pre-launch meeting 15            709.9           799.0           127.7           143.6
 days prior.....................................
Flight Safety System--Not required for all              10,612.6        11,981.3           572.5           679.2
 launches.......................................
Flight Safety Analysis no longer required for               22.1            25.0             2.8             3.2
 hybrids........................................
Neighboring Operations *........................         7,698.9         8,656.7  ..............  ..............
Ground Hazard Analysis..........................           113.3           126.6           149.2           166.6
                                                 ---------------------------------------------------------------
    Total Cost Savings..........................        19,386.1        21,844.5         1,045.7         1,208.9
----------------------------------------------------------------------------------------------------------------
Payload Review and Determination................           -45.6           -51.2           -46.4           -52.2
Flight Safety Limit Analysis....................          -157.7          -163.8  ..............  ..............
Ground Hazard Analysis..........................           -24.0           -26.8           -27.2           -30.4
Modification Costs for Existing Licenses........          -315.4          -327.6          -148.7          -154.5
                                                 ---------------------------------------------------------------
    Total Costs.................................          -542.6          -569.5          -222.3          -237.0
                                                 ---------------------------------------------------------------
        Net Cost Savings........................        18,843.5        21,275.0           823.4           971.8
                                                 ---------------------------------------------------------------
            Annualized Net cost Savings.........         4,595.7         4,645.5           200.8           212.2
----------------------------------------------------------------------------------------------------------------
Increased Safety Risks: Neighboring Operations *        -1,370.2        -1,540.6  ..............  ..............
                                                 ---------------------------------------------------------------
    Net Cost Savings less Increased Safety Risks        17,473.3        19,734.4           823.4           971.8
                                                 ---------------------------------------------------------------
        Annualized Net Cost savings Less                 4,261.6         4,309.1           200.8           212.2
         Increased Safety Risks.................
----------------------------------------------------------------------------------------------------------------
* Changes to Neighboring Operations requirements result in net savings less increased safety risks.
Table notes: The sum of individual items may not equal totals due to rounding. Negative signs are used to
  indicate costs and increased safety risks in this table. Present value estimates provided at 3% and 7% per OMB
  guidance.

    The FAA also expects industry will gain additional unquantified 
savings and benefits from the proposed rule, since it provides 
flexibility and scalability through performance-based requirements that 
would reduce the future cost of innovation and improve the efficiency 
and productivity of U.S. commercial space transportation.
    The following table summarizes some of the proposed changes that 
would result unquantified savings.

[[Page 15407]]



                          Unquantified Savings
------------------------------------------------------------------------
            Change                               Savings
------------------------------------------------------------------------
Time Frames...................  The proposal would revise time frames in
                                 parts 404, 413, 414, 415, 417, 420,
                                 431, 437, and 440 that may be
                                 burdensome for some operators. This
                                 would increase flexibility by allowing
                                 an operator the option to propose
                                 alternative time frames that better
                                 suit their operations. Eligible time
                                 frames include preflight and post-
                                 flight reporting among others listed in
                                 proposed Appendix A to Part 404--
                                 Alternative Time Frames.
Safety Element Approval.......  The proposal would remove the
                                 requirement in part 414 to publish in
                                 the Federal Register the criteria upon
                                 which safety element approvals were
                                 based. The purpose of this notification
                                 requirement was to make clear the
                                 criteria and standards the FAA used to
                                 assess a safety element, particularly
                                 when no clear regulatory requirement
                                 existed and there could be other
                                 potential users of the safety approval.
                                 However, the FAA has found that this
                                 requirement is unnecessary, and has
                                 potentially discouraged applications
                                 for safety element approvals due to
                                 concerns that propriety data may be
                                 disclosed. FAA anticipates that
                                 removing this requirement will lead to
                                 increased use of safety element
                                 approvals, reducing industry burden and
                                 potentially improving safety.
Mishaps.......................  The proposal would provide the following
                                 mishap-related enhancements, which FAA
                                 expects to better tailor mishap
                                 responses.
                                 Replace current part 400 mishap
                                 related definitions with a consolidated
                                 mishap classification system
                                 (streamlines and reduces confusion).
                                 Consolidate existing part 400
                                 mishap/accident investigation and
                                 emergency response plan requirements
                                 into a single part (streamlines and
                                 reduces confusion).
                                 Exempt pre-coordinated test-
                                 induced property damage from being a
                                 mishap (removes need to consider test-
                                 induced property damages from mishap
                                 requirements and likely results in
                                 fewer investigations of minor mishaps).
                                 This proposal also eliminates
                                 the small $25,000 monetary threshold
                                 from the current mishap and accident
                                 investigation requirements potentially
                                 reducing the number of mishaps being
                                 investigated that do not pose a threat
                                 to public safety. A minor damage that
                                 does not pose a threat to public safety
                                 can easily exceed the $25,000 monetary
                                 threshold, triggering potentially
                                 costly and burdensome notification,
                                 reporting, and investigation
                                 requirements.
Toxics........................  The proposal would replace part 417
                                 toxic release hazard analysis
                                 requirements with performance-based
                                 regulations that would provide
                                 flexibility for operators to comply
                                 with the required risk criteria in
                                 varied and innovative ways relative to
                                 their operations.
Lightning protection            The proposal would remove appendix G to
 requirement.                    part 417, Natural and Triggered
                                 Lightning Flight Commit Criteria, and
                                 replace it with the performance-based
                                 requirements. The current requirements
                                 are outdated, inflexible, overly
                                 conservative, and not explicitly
                                 applicable to RLVs and RVs. The
                                 proposed revision would provide an
                                 operator with more flexibility, and
                                 allow it to take into account the
                                 vehicle's mission profile when
                                 determining how to mitigate the direct
                                 and indirect effects of a lightning
                                 discharge.
------------------------------------------------------------------------

    The FAA intends to update its analysis with additional information 
and data identified during the comment period to better assess the 
impacts of this deregulatory action. Estimates may change for the final 
rule as a result.
    The FAA invites comments on the benefits, savings, or costs of this 
proposed rule. Send comments by any of the methods identified under 
Addresses in this proposed rule. Specifically, the FAA requests 
information and data that can be used to quantify the additional 
savings of this proposed rule. Please provide references and sources 
for information and data.

B. Regulatory Flexibility Determination

    The Regulatory Flexibility Act of 1980 (Pub. L. 96-354) (RFA) 
establishes ``as a principle of regulatory issuance that agencies shall 
endeavor, consistent with the objectives of the rule and of applicable 
statutes, to fit regulatory and informational requirements to the scale 
of the businesses, organizations, and governmental jurisdictions 
subject to regulation. To achieve this principle, agencies are required 
to solicit and consider flexible regulatory proposals and to explain 
the rationale for their actions to assure that such proposals are given 
serious consideration.'' The RFA covers a wide-range of small entities, 
including small businesses, not-for-profit organizations, and small 
governmental jurisdictions.
    Agencies must perform a review to determine whether a rule will 
have a significant economic impact on a substantial number of small 
entities. If the agency determines that it will, the agency must 
prepare a regulatory flexibility analysis as described in the RFA.
    Under Section 603(b) of the RFA, the initial regulatory flexibility 
analysis for a proposed rule must:
     Describe reasons the agency is considering the action;
     State the legal basis and objectives;
     Describe the recordkeeping and other compliance 
requirements;
     State all federal rules that may duplicate, overlap, or 
conflict;
     Describe an estimated number of small entities impacted; 
and
     Describe alternatives considered.
1. Description of Reasons the Agency Is Considering the Action
    The Chair of the National Space Council, the Vice President, 
directed the Secretaries of Transportation and Commerce, and the 
Director of the Office of Management and Budget, to conduct a review of 
the U.S. regulatory framework for commercial space activities and 
report back within 45 days with a plan to remove barriers to commercial 
space enterprises.
    The Council approved four recommendations, including the Department 
of Transportation's recommendation that the launch and reentry 
regulations should be reformed into a consolidated, performance-based 
licensing regime.
    Codifying the recommendations of the Council, SPD-2 was issued on 
May 24, 2018. SPD-2 instructed the Secretary of Transportation to 
publish for notice and comment proposed rules rescinding or revising 
the launch and reentry licensing regulations, no later than February 1, 
2019. SPD-2 charged the Department with revising the regulations such 
that they would require a single license for all types of commercial 
space flight operations and replace prescriptive requirements with 
performance-based criteria. The current action is complying with this 
recommendation.
    Current regulations setting forth procedures and requirements for 
commercial space transportation licensing were based largely on the 
distinction between expendable or reusable launch vehicles. 
Specifically, 14 CFR parts 415 and 417 address the launch of expendable 
launch vehicles, part 431 addresses the launch and

[[Page 15408]]

reentry of reusable launch vehicles, and part 435 addresses the reentry 
of reentry vehicles.
    The regulations in parts 415 and 417 are based on the Federal 
launch range standards developed in the 1990s. Parts 431 and 435 are 
primarily process-based, relying on a license applicant to derive 
safety requirements through a ``system safety'' process. While these 
regulations satisfied the need of the commercial launch industry at the 
time they were issued, the industry has changed and continues to 
evolve, thus rendering the current regulatory structure cumbersome and 
outdated.
2. Statement of the Legal Basis and Objectives
    The Commercial Space Launch Act of 1984, as amended and re-codified 
at 51 U.S.C. 50901-50923 (the Act), authorizes the Department of 
Transportation, and the FAA through delegation, to oversee, license, 
and regulate commercial launch and reentry activities, and the 
operation of launch and reentry sites as carried out by U.S. citizens 
or within the United States. Section 50905 directs the FAA to exercise 
this responsibility consistent with public health and safety, safety of 
property, and the national security and foreign policy interests of the 
United States. The FAA is authorized to regulate only to the extent 
necessary to protect the public health and safety, safety of property, 
and national security and foreign policy interests of the United 
States. In addition, section 50903 requires that the FAA encourage, 
facilitate, and promote commercial space launches and reentries by the 
private sector.
    If adopted as proposed, this rulemaking would streamline and 
increase flexibility in the FAA's commercial space regulations. This 
action would consolidate and revise multiple regulatory parts to apply 
a single set of licensing and safety regulations across several types 
of operations and vehicles. It would also replace many prescriptive 
regulations with performance-based rules, giving industry greater 
flexibility to develop means of compliance that maximize their business 
objectives while maintaining an equivalent level of safety to the 
agency's current regulations. Because this rulemaking would amend the 
FAA's launch and reentry requirements, it falls under the authority 
delegated by the Act.
3. Description of the Recordkeeping and Other Compliance Requirements
    The FAA is not proposing any substantive changes to the 
requirements specified below. However, the agency is proposing to 
consolidate these requirements into a new, proposed part 450 (Launch 
and Reentry License Requirements); clarify that the consolidated 
requirements apply to any licensed launch or reentry; and make other 
minor, clarifying edits. The following is a summary of the proposed 
changes:
i. Public Safety Responsibility and Compliance With License
    The FAA would consolidate the public safety responsibility 
requirements in current Sec. Sec.  417.7 and 431.71(a) into proposed 
Sec.  450.201, Public Safety Responsibility. Also, the FAA would move 
the compliance requirement in current Sec.  431.71(b) to its own 
section, proposed Sec.  450.203 (Compliance with License). Although the 
location of these requirements would change, the requirements 
themselves would not change.
    Therefore, proposed Sec.  450.201 would provide that a licensee is 
responsible for ensuring public safety and safety of property during 
the conduct of a licensed launch or reentry. And proposed Sec.  450.203 
would require that a licensee conduct a licensed launch or reentry in 
accordance with representations made in its license application, the 
requirements of part 450, subparts C and D, and the terms and 
conditions contained in the license. A licensee's failure to act in 
accordance with these items would be sufficient basis to revoke a 
license, or some other appropriate enforcement action.
ii. Records.
    The FAA would consolidate the current record requirements in 
Sec. Sec.  417.15(a) and (b) and 431.77(a) and (b) into proposed Sec.  
450.219(a) and (b). However, the FAA would replace the term ``launch 
accident'' in paragraph (b) with ``class 1 or class 2 mishap.'' As 
discussed in more detail in the Part 401--Definitions section of this 
preamble, the FAA is proposing to replace current part 401 definitions 
involving ``accident,'' ``incident,'' and ``mishap'' with specified 
mishap classes.
    As such, the proposed regulation would require a licensee to 
maintain, for 3 years, all records, data, and other material necessary 
to verify that a launch or reentry is conducted in accordance with 
representations contained in the licensee's application. The exception 
would be for a class 1 or class 2 mishap, where a licensee would be 
required to preserve all records related to the event. These records 
would be required to be retained until the completion of any Federal 
investigation and the FAA has notified the licensee that the records 
need not be retained. The licensee would be required to make all 
records required to be maintained under the regulations available to 
Federal officials for inspection and copying.
4. All Federal Rules That May Duplicate, Overlap, or Conflict
    No other federal rules duplicate, overlap, or conflict with FAA's 
launch and reentry licensing requirements.
5. Description and an Estimated Number of Small Entities Impacted
    The FAA has identified two potential small entities that this 
proposed rule would impact, Vector Launch, Inc. and Generation Orbit. 
Both operators employ fewer than 1,500 people and both were in pre-
application consultation to launch under parts 415 and 417 at the time 
of this writing.\220\ These two companies are the only small entities 
identified in this analysis that may be directly affected by this 
proposed rule.
---------------------------------------------------------------------------

    \220\ The FAA uses the current Small Business Administration 
size standard of 1,500 employees for passenger and freight air 
transportation. This information is found in https://www.sba.gov/sites/default/files/files/Size_Standards_Table_2017.pdf.
---------------------------------------------------------------------------

6. Alternatives Considered
    The FAA considered three alternatives to the proposed rule.
i. No Change to Current Regulations
    This alternative was not chosen because the current regulations are 
outdated, prescriptive, and do not adequately reflect industry current 
practices or technology development. The inefficiency of the licensing 
process due to current regulations risks stifling innovation and growth 
of the industry, especially for small operators.
ii. Propose a More Process-Based Regulatory Approach
    With this alternative, the FAA would propose less detailed 
regulations that would rely primarily on the outcome of an operator's 
system safety process to protect public safety. This alternative was 
not chosen because it would lack regulatory clarity without adding any 
additional flexibility for a launch or reentry operator which may be 
more burdensome to small operators compared to large operators.
iii. Propose a Defined Modular Application Process
    With this alternative, the FAA would propose similar safety 
requirements but would add a more defined incremental

[[Page 15409]]

or modular application process. The current proposal enables an 
incremental application process, but does not define one with explicit 
modules and time frames. This alternative was not chosen because the 
FAA has no experience with an incremental or modular application 
process with which to base a proposal. In addition, a more defined 
incremental or modular application process may be less flexible and 
scalable and therefore more burdensome to small operators.
    The FAA expects this proposed rule would provide regulatory relief 
to small entities from current prescriptive requirements and result in 
net savings.
    As discussed previously in this section, the FAA identified two 
possible small entities that would be affected by this proposed rule 
but they are in the pre-application stage for potential ELV and RLV 
launches and we have little information on how they may comply with 
existing or proposed requirements. As these entities have not begun 
operations, we do not have estimates of the costs savings or costs that 
would reliably apply. However, the following are some estimates of per 
entity cost savings and costs based on data representing existing ELV 
and RLV operators. We note that some of the estimated savings and costs 
of this proposed rule may not apply to these entities.
Cost Savings
i. Readiness--Elimination of Pre-Launch Meeting 15 Days Prior (Sec.  
450.155)
    ELV operators might save $4,600 per avoided launch readiness 
meeting, however this assumes the average number of people at each 
meeting would be 25 and this might not apply to a small business.
ii. Flight Safety System--Not Required for All Launches (Sec.  450.145)
    For launches where an FSS would not be required under the proposal, 
RLV operators might save $195,000 per launch vehicle for a vehicle 
using an existing design. An ELV operator might save $680,000 per 
launch. Both ELV and RLV operators might save an estimated $1.3 million 
for new vehicle designs by not having to incur all the research, 
design, testing, materials and installation costs for an FSS.
iii. Ground Hazard Analysis (Sec.  450.185)
    An ELV operator might save $28,000 per application by not having to 
do a ground hazard analysis under this proposal.
Costs
i. Payload Review and Determination (Sec.  450.43)
    The proposed rule could cause small operators to incur about $204 
more per launch than due to additional payload review and determination 
costs.
ii. Ground Hazard Analysis (Sec.  450.185)
    RLV applicants might incur about $3,000 more per application due to 
having to perform ground hazard analyses under the proposal.
    The FAA invites comments on this initial regulatory flexibility 
analysis for the proposed rule. Send comments by any of the methods 
identified under Addresses in this proposed rule. Specifically, the FAA 
requests information and data that can be used to quantify savings and 
costs to small operators directly affected by this proposed rule. 
Please provide references and sources for information and data.

C. International Trade Impact Assessment

    The Trade Agreements Act of 1979 (Pub. L. 96-39), as amended by the 
Uruguay Round Agreements Act (Pub. L. 103-465), prohibits federal 
agencies from establishing standards or engaging in related activities 
that create unnecessary obstacles to the foreign commerce of the United 
States. Pursuant to these Acts, the establishment of standards is not 
considered an unnecessary obstacle to the foreign commerce of the 
United States, so long as the standard has a legitimate domestic 
objective, such as the protection of safety, and does not operate in a 
manner that excludes imports that meet this objective. The statute also 
requires consideration of international standards and, where 
appropriate, that they be the basis for U.S. standards. The FAA has 
assessed the potential effect of this proposed rule and determined that 
it will not create unnecessary obstacles to the foreign commerce of the 
United States.

D. Unfunded Mandates Assessment

    Title II of the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-
4) requires each federal agency to prepare a written statement 
assessing the effects of any Federal mandate in a proposed or final 
agency rule that may result in an expenditure of $100 million or more 
(in 1995 dollars) in any one year by State, local, and tribal 
governments, in the aggregate, or by the private sector; such a mandate 
is deemed to be a ``significant regulatory action.'' The threshold 
after adjustment for inflation is $150 million using the most current 
annual (2017) Implicit Price Deflator for Gross Domestic Product from 
the U.S. Bureau of Economic Analysis. This proposed rule does not 
contain such a mandate; therefore, the requirements of Title II of the 
Act do not apply.

E. Paperwork Reduction Act

    The Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)) requires 
that the FAA consider the impact of paperwork and other information 
collection burdens imposed on the public. According to the 1995 
amendments to the Paperwork Reduction Act (5 CFR 1320.8(b)(2)(vi)), an 
agency may not collect or sponsor the collection of information, nor 
may it impose an information collection requirement unless it displays 
a currently valid Office of Management and Budget (OMB) control number.
    This action contains the following proposed consolidation of two 
existing information collection requirements, previously approved under 
OMB Control Numbers 2120-0608 and 2120-0643, under a new OMB control 
number. As required by the Paperwork Reduction Act of 1995 (44 U.S.C. 
3507(d)), the FAA will submit the proposed information collection 
requirements to OMB for its review. In addition, the FAA has published 
a separate notice of the proposed requirements for public comment, and 
has included the notice in the docket for this rulemaking. The notice 
includes instructions on how to submit comments specifically to the 
proposed information collection requirements. Additional details on 
assumptions and calculations used in this section are presented in the 
Preliminary Regulatory Impact Analysis available in the docket of this 
rulemaking. The following estimates are included in the total savings 
and costs summarized in the Regulatory Evaluation section and 
considered in the Regulatory Flexibility Determination section of this 
proposed rule.
    Summary: The FAA proposes to consolidate under a new part 450, the 
requirements currently contained in parts 415 and 417 for the launch of 
an ELV, in part 431 for the launch and reentry of an RLV, and in part 
435 for the reentry of a reentry vehicle other than an RLV. The result 
of this effort would be streamlined regulations designed to be more 
flexible and scalable, with reduced timelines and minimal duplicative 
jurisdiction. The net result would be reduced paperwork for operators, 
although for some provisions paperwork would increase.
    Use: The information would be used by FAA to evaluate the launch 
and

[[Page 15410]]

reentry operators' applications and to ensure safety.
Paperwork Impact to Industry
    Respondents (including number of): The information collection would 
potentially affect 12 operators based on available data at the time of 
writing.
    Annual Burden Estimate: Most changes in part 450 would result in a 
reduction in the paperwork burden. The paperwork associated with 
industry requesting waivers to certain provisions would be alleviated. 
Paperwork associated with industry requesting license modifications 
would also be reduced because an operator would not have to modify a 
license if the specific safety official were to change. In addition, 
with the extension of RLV licenses to up to five years, it is likely 
that fewer licenses would be issued, resulting in less paperwork. Due 
to the change in launch scope, the documentation accompanying a ground 
hazard analysis for ELV operators would be reduced.
Industry Cost Savings
    The following table indicates the frequency of responses, the 
estimated time per response, the burdened wage rate, annual hours, and 
the cost for each cost saving provision. Response frequency is provided 
for the estimated number of waivers avoided (Sec.  450.3), estimated 
reduction in annual number of licenses modified (Sec.  450.103), 
estimated reduction in annual license renewals, and the estimated 
annual number of launches for which there would be a reduction in 
ground hazard analysis paperwork (Sec.  450.185). An estimated time for 
each response is also indicated below, as are burdened hourly wage 
rates for the specific personnel associated with each provision and 
annual hours and total cost savings.

                                         Industry Paperwork Cost Savings
----------------------------------------------------------------------------------------------------------------
                                                  Estimated time
           Description               Response      per response    Industry wage   Annual hours    Cost savings
                                     frequency        (hours)          rate
----------------------------------------------------------------------------------------------------------------
Waiver Avoidance (Sec.   450.3).              17              20         $100.03             340         $34,010
System Safety Program--Safety                5.6              24           71.01           134.4           9,544
 Official (Sec.   450.103)......
Duration of a Vehicle License                1.2           126.5           81.28           151.8          12,338
 (Sec.   450.7).................
Ground Safety (Sec.   450.185)..               1             340           81.28             340          27,634
                                 -------------------------------------------------------------------------------
    Total Annual Savings........  ..............  ..............  ..............             966          83,526
----------------------------------------------------------------------------------------------------------------

    Cost savings includes paperwork related to waivers avoided due to 
the definition of launch, waterborne vessel protection, and removal of 
48-hour readiness requirement.
Industry Paperwork Burden
    Other changes would result in an increase in paperwork burden. The 
Payload Review and Determination section (Sec.  450.43) would add 
requirements for applicants to provide explosive potential of payload 
materials, alone and in combination with other materials on the payload 
for launches, as well as the appropriate transit time to final orbit 
for payloads with significant transit time after release from vehicle. 
The FAA is adding requirements for ground hazard analysis (Sec.  
450.185) for RLV launches. The proposed rule would require RLVs to 
submit information to the FAA.
    The table below indicates the frequency of responses, estimated 
time per response, burdened hourly wage rate, annual hours, and the 
cost for each provision that would add burden. Response frequency is 
provided for the estimated number of explosive potential and transit 
time calculations, and the estimated number of annual RLV applications 
which would require ground hazard analysis. An estimated time per 
response is also indicated below, as are burdened hourly wage rates for 
the specific personnel associated with each provision and annual hours 
and total cost savings.

                                            Industry Paperwork Burden
----------------------------------------------------------------------------------------------------------------
                                                  Estimated time
           Description               Response      per response    Industry wage   Annual hours        Cost
                                     frequency        (hours)          rate
----------------------------------------------------------------------------------------------------------------
Explosive Potential (Sec.                     50               2          $81.28             100          $8,128
 450.43)........................
Transit time (Sec.   450.43)....              50             0.5           81.28              25           2,032
Ground Safety (Sec.   450.185)..               2              36           81.28              72           5,852
                                 -------------------------------------------------------------------------------
    Total Cost Burden...........  ..............  ..............  ..............             197          16,012
----------------------------------------------------------------------------------------------------------------

    The following table summarizes the industry total annual paperwork 
savings, total annual burden and the net annual savings.

                     Industry Net Paperwork Savings
------------------------------------------------------------------------
               Description                 Annual hours    Cost savings
------------------------------------------------------------------------
Total Annual Savings....................             966         $83,526
Total Annual Burden.....................             197          16,012
                                         -------------------------------

[[Page 15411]]

 
    Net Annual Savings..................             769          67,514
------------------------------------------------------------------------

Paperwork Burden to the Federal Government
    The following tables summarizes FAA paperwork savings and burden. 
Similar to industry burden savings, the FAA would receive burden relief 
from waivers avoided due to the definition of launch, waterborne vessel 
protection, and removal of the 48-hour readiness requirement. See the 
Regulatory Impact Analysis available in the docket for more details on 
these estimates and calculations.

                                           FAA Paperwork Cost Savings
----------------------------------------------------------------------------------------------------------------
                                                  Estimated time
                   Description                     per response    FAA wage rate   Annual hours    Cost savings
                                                      (hours)
----------------------------------------------------------------------------------------------------------------
Waiver Avoidance (Sec.   450.3).................             7.5          $83.26           127.5         $10,616
System Safety Program--Safety Official (Sec.                  24           82.88           134.4          11,139
 450.103).......................................
Duration of a Vehicle License (Sec.   450.7)....           253.5           83.61           304.2          25,434
Ground Safety (Sec.   450.185)..................             439           82.88             439          36,384
                                                 ---------------------------------------------------------------
    Total Annual Savings........................  ..............  ..............           1,005          83,573
----------------------------------------------------------------------------------------------------------------


                                              FAA Paperwork Burden
----------------------------------------------------------------------------------------------------------------
                                                  Estimated time
                   Description                     per response    FAA wage rate   Annual hours    Cost savings
                                                      (hours)
----------------------------------------------------------------------------------------------------------------
Explosive Potential (Sec.   450.43).............             2.0          $82.88             100          $8,288
Transit time (Sec.   450.43)....................             0.5           82.88              25           2,072
Ground Safety (Sec.   450.185)..................              40           82.88              80           6,630
                                                 ---------------------------------------------------------------
    Total Annual Burden.........................  ..............  ..............             205          16,990
----------------------------------------------------------------------------------------------------------------


                        FAA Net Paperwork Savings
------------------------------------------------------------------------
               Description                 Annual hours    Cost savings
------------------------------------------------------------------------
Total Annual Savings....................           1,005         $83,573
Total Annual Burden.....................             205          16,990
                                         -------------------------------
    Net Annual Savings..................             800          66,583
------------------------------------------------------------------------

Voluntary One-Time Modification of Existing Licenses
    There are currently 24 active licenses held by 12 operators. Once 
the rule is in effect, existing licenses would be grandfathered under 
the current provisions, unless the licenses are modified. Operators may 
choose to modify their licenses to benefit from the cost saving 
provisions of the proposed rule--some operators may choose also to wait 
until they apply for a new license. The FAA assumes modifications of 
licenses would occur within the first year after the rule is effective. 
The FAA assumes it would take about one month for an industry aerospace 
engineer to develop documentation and analysis to apply for a 
modification of an existing license and about two weeks for an FAA 
employee to review an application for a modification of an existing 
license.
    The following estimates assume all licenses would be modified. This 
overestimates paperwork costs, since some operators may not find it 
advantageous to modify their existing licenses. The FAA requests 
comment on these assumptions and the following estimates to apply for 
applications to modify existing licenses. Specifically, the FAA 
requests information if licenses holders would modify existing licenses 
for changes from this proposed rule or wait to apply for new licenses. 
The FAA may revise these assumptions and estimates for the final rule.

[[Page 15412]]



                                           Industry Burden Costs for Applications To Modify Existing Licenses
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                     Time (one month
                       Year                            Wage rate      of work hours)      Cost per        Number of       Total burden     Total costs
                                                                            *             license          licenses          hours
--------------------------------------------------------------------------------------------------------------------------------------------------------
1.................................................          $81.28              173          $14,061               24            4,152         $337,457
--------------------------------------------------------------------------------------------------------------------------------------------------------
* One month of work hours based on the following calculations: 52 work weeks/year x 40 work hours/week = 2,080 work hours/year; and, 2,080 work hours/
  year / 12 months = 173 work hours/month (rounded).


                                           FAA Burden Costs To Review Applications To Modify Existing Licenses
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                        Hours (two
                       Year                            Wage rate      weeks of work       Cost per        Number of       Total burden     Total costs
                                                                          hours)          license          licenses          hours
--------------------------------------------------------------------------------------------------------------------------------------------------------
1.................................................          $82.88               80           $6,630               24            1,920         $159,130
--------------------------------------------------------------------------------------------------------------------------------------------------------

    The agency is soliciting comments to--
    (1) Evaluate whether the proposed information requirement is 
necessary for the proper performance of the functions of the agency, 
including whether the information will have practical utility;
    (2) Evaluate the accuracy of the agency's estimate of the burden;
    (3) Enhance the quality, utility, and clarity of the information to 
be collected; and
    (4) Minimize the burden of collecting information on those who are 
to respond, including by using appropriate automated, electronic, 
mechanical, or other technological collection techniques or other forms 
of information technology.
    Individuals and organizations may send comments on the information 
collection requirement to the address listed in the ADDRESSES section 
at the beginning of this preamble by June 14, 2019. Comments also 
should be submitted to the Office of Management and Budget, Office of 
Information and Regulatory Affairs, Attention: Desk Officer for FAA, 
New Executive Building, Room 10202, 725 17th Street NW, Washington, DC 
20053.

F. International Compatibility

    In keeping with U.S. obligations under the Convention on 
International Civil Aviation, it is FAA policy to conform to 
International Civil Aviation Organization (ICAO) Standards and 
Recommended Practices to the maximum extent practicable. The FAA has 
determined that there are no ICAO Standards and Recommended Practices 
that correspond to these proposed regulations.

G. Environmental Analysis

    FAA Order 1050.1F identifies FAA actions that are categorically 
excluded from preparation of an environmental assessment or 
environmental impact statement under the National Environmental Policy 
Act in the absence of extraordinary circumstances. The FAA has 
determined this rulemaking action qualifies for the categorical 
exclusion identified in paragraph 5-6.6 and involves no extraordinary 
circumstances.

V. Executive Order Determinations

A. Executive Order 13132, Federalism

    The FAA has analyzed this proposed rule under the principles and 
criteria of Executive Order 13132, Federalism. The agency has 
determined that this action would not have a substantial direct effect 
on the States, or the relationship between the Federal Government and 
the States, or on the distribution of power and responsibilities among 
the various levels of government, and, therefore, would not have 
Federalism implications.

B. Executive Order 13211, Regulations That Significantly Affect Energy 
Supply, Distribution, or Use

    The FAA analyzed this proposed rule under Executive Order 13211, 
Actions Concerning Regulations that Significantly Affect Energy Supply, 
Distribution, or Use (May 18, 2001). The agency has determined that it 
would not be a ``significant energy action'' under the executive order 
and would not be likely to have a significant adverse effect on the 
supply, distribution, or use of energy.

C. Executive Order 13609, International Cooperation

    Executive Order 13609, Promoting International Regulatory 
Cooperation, promotes international regulatory cooperation to meet 
shared challenges involving health, safety, labor, security, 
environmental, and other issues and to reduce, eliminate, or prevent 
unnecessary differences in regulatory requirements. The FAA has 
analyzed this action under the policies and agency responsibilities of 
Executive Order 13609, and has determined that this action would have 
no effect on international regulatory cooperation.

D. Executive Order 13771, Reducing Regulation and Controlling 
Regulatory Costs

    This proposed rule is expected to be a deregulatory action under 
Executive Order 13771 and would result in net cost savings for industry 
that would likely reduce the future cost of innovation in U.S. 
commercial space transportation. The Preliminary Regulatory Impact 
Analysis for the proposed rule provides additional information.

VI. Additional Information

A. Comments Invited

    The FAA invites interested persons to participate in this 
rulemaking by submitting written comments, data, or views. Also, the 
agency invites comments regarding potential overlap with the regulatory 
requirements of other agencies not addressed in this proposed rule. In 
addition, the FAA invites comments relating to the economic, 
environmental, energy, or federalism impacts that might result from 
adopting the proposals in this document. The most helpful comments 
reference a specific portion of the proposal, explain the reason for 
any recommended change, and include supporting data. To ensure the 
docket does not contain duplicate comments, commenters should send only 
one copy of written comments, or if comments are filed electronically, 
commenters should submit only one time.
    The FAA will file in the docket all comments it receives, as well 
as a report summarizing each substantive public contact with FAA 
personnel concerning this proposed rulemaking. Before acting on this 
proposal, the FAA will consider all comments it receives on or before 
the

[[Page 15413]]

closing date for comments. The FAA will consider comments filed after 
the comment period has closed if it is possible to do so without 
incurring expense or delay. The agency may change this proposal in 
light of the comments it receives.
    Proprietary or Confidential Business Information: Commenters should 
not file proprietary or confidential business information in the 
docket. Such information must be sent or delivered directly to the 
person identified in the FOR FURTHER INFORMATION CONTACT section of 
this document, and marked as proprietary or confidential. If submitting 
information on a disk or CD ROM, mark the outside of the disk or CD 
ROM, and identify electronically within the disk or CD ROM the specific 
information that is proprietary or confidential.
    Under 14 CFR 11.35(b), if the FAA is aware of proprietary 
information filed with a comment, the agency does not place it in the 
docket. It is held in a separate file to which the public does not have 
access, and the FAA places a note in the docket that it has received 
it. If the FAA receives a request to examine or copy this information, 
it treats it as any other request under the Freedom of Information Act 
(5 U.S.C. 552). The FAA processes such a request under Department of 
Transportation procedures found in 49 CFR part 7.

B. Availability of Rulemaking Documents

    An electronic copy of rulemaking documents may be obtained from the 
internet by--Searching the Federal eRulemaking Portal (https://www.regulations.gov);
    Visiting the FAA's Regulations and Policies web page at https://www.faa.gov/regulations_policies or
    Accessing the Government Printing Office's web page at https://www.gpo.gov/fdsys/.
    Copies may also be obtained by sending a request to the Federal 
Aviation Administration, Office of Rulemaking, ARM-1, 800 Independence 
Avenue SW, Washington, DC 20591, or by calling (202) 267-9680. 
Commenters must identify the docket or notice number of this 
rulemaking.
    All documents the FAA considered in developing this proposed rule, 
including economic analyses and technical reports, may be accessed from 
the internet through the Federal eRulemaking Portal referenced in item 
(1) above.

List of Subjects

14 CFR Part 401

    Organization and functions (Government agencies), Space 
transportation and exploration.

14 CFR Part 404

    Administrative practice and procedure, Space transportation and 
exploration.

14 CFR Part 413

    Confidential business information, Space transportation and 
exploration.

14 CFR Part 414

    Airspace, Aviation safety, Space transportation and exploration.

14 CFR Part 420

    Environmental protection, Reporting and recordkeeping requirements, 
Space transportation and exploration.

14 CFR Part 437

    Aircraft, Aviation safety, Reporting and recordkeeping 
requirements, Space transportation and exploration.

14 CFR Part 440

    Indemnity payments, Insurance, Reporting and recordkeeping 
requirements, Space transportation and exploration.

14 CFR Part 450

    Aircraft, Aviation safety, Environmental protection, 
Investigations, Reporting and recordkeeping requirements, Space 
transportation and exploration.

The Proposed Amendment

    In consideration of the foregoing, the Federal Aviation 
Administration proposes to amend chapter III of title 14, Code of 
Federal Regulations as follows:

PART 401--ORGANIZATION AND DEFINITIONS

0
1. The authority citation for part 401 continues to read as follows:

    Authority:  51 U.S.C. 50101-50923.

0
2. In Sec.  401.5:
0
a. Add, in alphabetical order, the definitions of ``Anomaly,'' 
``Casualty area,'' and ``Command control system'';
0
b. Revise the definition of ``Contingency abort'';
0
c. Add, in alphabetical order, the definitions of ``Control entity,'' 
``Countdown,'' ``Critical asset,'' ``Crossrange,'' ``Data loss flight 
time,'' ``Deorbit,'' ``Disposal,'' ``Dose-response relationship,'' 
``Downrange,'' and ``Effective casualty area'';
0
d. Remove the definition of ``Emergency abort'';
0
e. Add, in alphabetical order, the definition of ``Expected casualty,'' 
``Explosive debris,'' ``Flight abort,'' ``Flight abort crew,'' ``Flight 
abort rules,'' ``Flight hazard area,'' and ``Flight safety limit'';
0
f. Revise the definition of ``Flight safety system'';
0
g. Add, in alphabetical order, the definitions of ``Gate'' and ``Hazard 
control'';
0
h. Remove the definition of ``Human space flight incident'';
0
i. Revise the definitions of ``Instantaneous impact point'' and 
``Launch'';
0
j. Remove the definitions of ``Launch accident'' and ``Launch 
incident'';
0
k. Add, in alphabetical order, the definitions of ``Launch or reentry 
system,'' ``Launch window,'' ``Liftoff,'' and ``Limits of a useful 
mission'';
0
l. Revise the definition of ``Mishap'';
0
m. Add, in alphabetical order, the definitions of ``Mishap, Class 1,'' 
``Mishap, Class 2,'' ``Mishap, Class 3'', ``Mishap, Class 4,'' 
``Neighboring operations personnel,'' ``Normal flight,'' ``Normal 
trajectory,'' ``Operating environment,'' and ``Operation hazard'';
0
n. Revise the definition of ``Operator'';
0
o. Add, in alphabetical order, the definitions of ``Orbital 
insertion,'' ``Physical containment,'' ``Probability of casualty,'' and 
``Public'';
0
p. Remove the definition of ``Public safety'';
0
q. Revise the definition of ``Reenter; reentry'';
0
r. Remove the definitions of ``Reentry accident'' and ``Reentry 
incident'';
0
s. Add, in alphabetical order, the definition of ``Reentry window'';
0
t. Revise the definition of ``Safety critical'';
0
u. Add, in alphabetical order, the definitions of ``Service life'' and 
``Software function'';
0
v. Revise the definition of ``State and United States'';
0
w. Add, in alphabetical order, the definitions of ``Sub-vehicle 
point,'' ``System hazard,'' ``Toxic hazard area,'' ``Tracking icon,'' 
``Uncontrolled area,'' ``Unguided suborbital launch vehicle,'' 
``Uprange,'' and ``Vehicle response modes'';
0
x. Remove the definition of ``Vehicle safety operations personnel''; 
and
0
y. Add, in alphabetical order, the definitions of ``Wind weighting 
safety system'' and ``Window closure''.
    The additions and revisions read as follows:


Sec.  401.5  Definitions.

* * * * *
    Anomaly means any condition during licensed or permitted activity 
that

[[Page 15414]]

deviates from what is standard, normal, or expected, during the 
verification or operation of a system, subsystem, process, facility, or 
support equipment.
* * * * *
    Casualty area means the area surrounding each potential debris or 
vehicle impact point where serious injuries, or worse, can occur.
    Command control system means the portion of a flight safety system 
that includes all components needed to send a flight abort control 
signal to the on-board portion of a flight safety system.
    Contingency abort means a flight abort with a landing at a planned 
location that has been designated in advance of vehicle flight.
    Control entity means a person or device that can control another 
device or process.
    Countdown means the timed sequence of events that must take place 
to initiate flight of a launch vehicle or reentry of a reentry vehicle.
* * * * *
    Critical asset means an asset that is essential to the national 
interests of the United States. Critical assets include property, 
facilities, or infrastructure necessary to maintain national defense, 
or assured access to space for national priority missions.
    Crossrange means the distance measured along a line whose direction 
is either 90 degrees clockwise (right crossrange) or counter-clockwise 
(left crossrange) to the projection of a vehicle's planned nominal 
velocity vector azimuth onto a horizontal plane tangent to the 
ellipsoidal Earth model at the vehicle's sub-vehicle point. The terms 
right crossrange and left crossrange may also be used to indicate 
direction.
    Data loss flight time means the shortest elapsed thrusting or 
gliding time during which a vehicle flown with a flight safety system 
can move from its trajectory to a condition where it is possible for 
the vehicle to violate a flight safety limit.
    Deorbit means the flight of a vehicle that begins with the final 
command to commit to a perigee below 70 nautical miles (approximately 
130 kilometers), and ends when all vehicle components come to rest on 
the Earth.
    Disposal means the return or attempt to return, purposefully, a 
launch vehicle stage or component, not including a reentry vehicle, 
from Earth orbit to Earth, in a controlled manner.
    Dose-response relationship means a quantitative methodology used to 
assign a probability of casualty within a population group given 
exposure to a toxic chemical of known or predicted concentration and 
duration.
    Downrange means the distance measured along a line whose direction 
is parallel to the projection of a vehicle's planned nominal velocity 
vector azimuth into a horizontal plane tangent to the ellipsoidal Earth 
model at the vehicle sub-vehicle point. The term downrange may also be 
used to indicate direction.
    Effective casualty area means the aggregate casualty area of each 
piece of debris created by a vehicle failure at a particular point on 
its trajectory. The effective casualty area for each piece of debris is 
a modeling construct in which the area within which 100 percent of the 
population are assumed to be a casualty, and outside of which 100 
percent of the population are assumed not to be a casualty.
* * * * *
    Expected casualty means the mean number of casualties predicted to 
occur per flight operation if the operation were repeated many times.
* * * * *
    Explosive debris means solid propellant fragments or other pieces 
of a vehicle or payload that result from breakup of the vehicle during 
flight and that explode upon impact with the Earth's surface and cause 
overpressure.
* * * * *
    Flight abort means the process to limit or restrict the hazards to 
public health and safety, and the safety of property, presented by a 
launch vehicle or reentry vehicle, including any payload, while in 
flight by initiating and accomplishing a controlled ending to vehicle 
flight.
    Flight abort crew means the personnel who make a flight abort 
decision.
    Flight abort rules means the conditions under which a flight safety 
system must abort the flight to ensure compliance with public safety 
criteria.
* * * * *
    Flight hazard area means any region of land, sea, or air that must 
be surveyed, publicized, controlled, or evacuated in order to protect 
public health and safety and the safety of property.
    Flight safety limit means criteria to ensure that public safety is 
protected from the flight of a vehicle when a flight safety system 
functions properly.
    Flight safety system means a system used to implement flight abort. 
A human can be a part of a flight safety system.
    Gate means the portion of a flight safety limit boundary through 
which the tracking icon of a vehicle flown with a flight safety system 
may pass without flight abort, provided the flight remains within 
specified parameters.
    Hazard control means a preventative measure or mitigation put in 
place for systems or operations to reduce the severity of a hazard or 
the likelihood of the hazard occurring.
* * * * *
    Instantaneous impact point means a predicted impact point, 
following thrust termination of a vehicle.
    Launch means to place or try to place a launch vehicle or reentry 
vehicle and any payload or human being from Earth in a suborbital 
trajectory, in Earth orbit in outer space, or otherwise in outer space, 
including activities involved in the preparation of a launch vehicle or 
payload for launch, when those activities take place at a launch site 
in the United States.
* * * * *
    Launch or reentry system means the integrated set of subsystems, 
personnel, products, and processes that, when combined together, safely 
carries out a launch or reentry.
* * * * *
    Launch window means a period of time during which the flight of a 
launch vehicle may be initiated.
    Liftoff means any motion of the launch vehicle with intention to 
initiate flight.
    Limits of a useful mission means the trajectory data or other 
parameters that describe the limits of a mission that can attain the 
primary objective, including flight azimuth limits.
    Mishap means any event, or series of events associated with a 
licensed or permitted activity, that meets the criteria of a Class 1, 
2, 3 or 4 mishap.
    Mishap, Class 1 means any event resulting in one or more of the 
following:
    (1) A fatality or serious injury (as defined in 49 CFR 830.2) as a 
result of licensed or permitted activity to any person who is not 
associated with the licensed or permitted activity, including ground 
activities at a launch or reentry site; or
    (2) A fatality or serious injury to any space flight participant, 
crew, or government astronaut.
    Mishap, Class 2 means any event, other than a Class 1 mishap, 
resulting in one or more of the following:
    (1) A malfunction of a flight safety system or safety-critical 
system; or
    (2) A failure of the licensee's or permittee's safety organization, 
safety operations, safety procedures; or
    (3) High risk, as determined by the FAA, of causing a serious or 
fatal injury to any space flight participant, crew, government 
astronaut, or member of the public; or

[[Page 15415]]

    (4) Substantial damage, as determined by the FAA, to property not 
associated with licensed or permitted activity.
    Mishap, Class 3 means any unplanned event, other than a Class 1 or 
Class 2 mishap, resulting in one or more of the following:
    (1) Permanent loss of a launch or reentry vehicle during licensed 
activity; or
    (2) The impact of a licensed or permitted launch or reentry 
vehicle, its payload, or any component thereof outside the planned 
landing site or designated hazard area.
    Mishap, Class 4 means an unplanned event, other than a Class 1, 
Class 2, or Class 3 mishap, resulting in one or more of the following:
    (1) Permanent loss of a vehicle during permitted activity;
    (2) Failure to achieve mission objectives; or
    (3) Substantial damage, as determined by the FAA, to property 
associated with licensed or permitted activity.
    Neighboring operations personnel means, as determined by the 
Federal or licensed launch or reentry site operator, those members of 
the public located within a launch or reentry site, or an adjacent 
launch or reentry site, who are not associated with a specific 
hazardous licensed or permitted operation currently being conducted but 
are required to perform safety, security, or critical tasks at the site 
and are notified of the operation.
* * * * *
    Normal flight means the flight of a properly performing vehicle 
whose real-time vacuum instantaneous impact point does not deviate from 
the nominal vacuum instantaneous impact point by more than the sum of 
the wind effects and the three-sigma guidance and performance 
deviations in the uprange, downrange, left-crossrange, or right-
crossrange directions.
    Normal trajectory means a trajectory that describes normal flight.
    Operating environment means an environment that a launch or reentry 
vehicle component will experience during its lifecycle. Operating 
environments include shock, vibration, thermal cycle, acceleration, 
humidity, and thermal vacuum.
    Operation hazard means a hazard created by an operating environment 
or by an unsafe act.
* * * * *
    Operator means a holder of a license or permit under 51 U.S.C. 
Subtitle V, chapter 509.
    Orbital insertion means the point at which a vehicle achieves a 
minimum 70-nautical mile perigee based on a computation that accounts 
for drag.
* * * * *
    Physical containment means a launch vehicle does not have 
sufficient energy for any hazards associated with its flight to reach 
the public or critical assets.
* * * * *
    Probability of casualty means the likelihood that a person will 
suffer a serious injury or worse, including a fatal injury, due to all 
hazards from an operation at a specific location.
    Public means, for a particular licensed or permitted launch or 
reentry, people and property that are not involved in supporting the 
launch or reentry and includes those people and property that may be 
located within the launch or reentry site, such as visitors, 
individuals providing goods or services not related to launch or 
reentry processing or flight, and any other operator and its personnel.
    Reenter; reentry means to return or attempt to return, 
purposefully, a reentry vehicle and its payload or human being, if any, 
from Earth orbit or from outer space to Earth.
* * * * *
    Reentry window means a period of time during which the reentry of a 
reentry vehicle may be initiated.
* * * * *
    Safety critical means essential to safe performance or operation. A 
safety-critical system, subsystem, component, condition, event, 
operation, process, or item, is one whose proper recognition, control, 
performance, or tolerance, is essential to ensuring public safety.
    Service life means, for a safety-critical system component, the sum 
total of the component's storage life and operating life.
* * * * *
    Software function means a collection of computer code that 
implements a requirement or performs an action. This includes firmware 
and operating systems.
* * * * *
    State and United States means, when used in a geographical sense, 
the several States, the District of Columbia, the Commonwealth of 
Puerto Rico, American Samoa, the United States Virgin Islands, Guam, 
and any other commonwealth, territory, or possession of the United 
States.
    Sub-vehicle point means the location on an ellipsoidal Earth model 
where the normal to the ellipsoid passes through the vehicle's center 
of gravity.
    System hazard means a hazard associated with a system and generally 
exists even when no operation is occurring.
* * * * *
    Toxic hazard area means a region on the Earth's surface where toxic 
concentrations and durations may be greater than approved toxic 
thresholds for acute casualty, in the event of a release during launch 
or reentry.
    Tracking icon means the representation of a vehicle's instantaneous 
impact point, debris footprint, or other vehicle performance metric 
used during real-time tracking of the vehicle's flight.
    Uncontrolled area is an area of land not controlled by a launch or 
reentry operator, a launch or reentry site operator, an adjacent site 
operator, or other entity by agreement.
    Unguided suborbital launch vehicle means a suborbital rocket that 
does not contain active guidance or a directional control system.
* * * * *
    Uprange means the distance measured along a line that is 180 
degrees to the downrange direction.
* * * * *
    Vehicle response modes means mutually exclusive scenarios that 
characterize foreseeable combinations of vehicle trajectory and debris 
generation.
* * * * *
    Wind weighting safety system means equipment, procedures, analysis 
and personnel functions used to determine the launcher elevation and 
azimuth settings that correct for wind effects that an unguided 
suborbital launch vehicle will experience during flight.
    Window closure means a period of time when launch or reentry is not 
permitted in order to avoid a collision with an object in orbit. A 
window closure may occur within a launch or reentry window, may delay 
the start of a window, or terminate a window early.

PART 404--REGULATIONS AND LICENSING REQUIREMENTS

0
 3. The authority citation for part 404 continues to read as follows:

    Authority:  51 U.S.C. 50901-50923.

0
4. Revise Sec.  404.5 to read as follows:


Sec.  404.5  Filing a petition for waiver.

    (a) A petition for waiver must be submitted at least 60 days before 
the proposed effective date of the waiver, unless the Administrator 
agrees to a different time frame in accordance with Sec.  404.15.
    (b) The petition for waiver must include:
    (1) The specific section or sections of this chapter from which the 
petitioner seeks relief;

[[Page 15416]]

    (2) The extent of the relief sought and the reason the relief is 
being sought;
    (3) The reason why granting the request for relief is in the public 
interest and will not jeopardize the public health and safety, safety 
of property, and national security and foreign policy interests of the 
United States; and
    (4) Any additional facts, views, and data available to the 
petitioner to support the waiver request.
0
5. Add Sec.  404.15 to read as follows:


Sec.  404.15  Alternative time frames.

    (a) General. Unless otherwise approved by the Administrator, an 
applicant, a licensee, a permittee, or a safety element approval holder 
must meet the time frames set forth in this chapter.
    (b) Request to change a time frame. A person may file a written 
request to the FAA to propose an alternative time frame to any of the 
time frames included in the sections listed in appendix A to this part. 
The request must be--
    (1) Submitted no later than the specific time frame included in the 
regulation; and
    (2) Emailed to [email protected]; or
    (3) Mailed to the Federal Aviation Administration, Associate 
Administrator for Commercial Space Transportation, Room 331, 800 
Independence Avenue SW, Washington, DC 20591. Attention: Alternative 
Time Frame Request.
    (c) Administrator review. The Administrator will review and make a 
decision or grant a request for an alternative time-frame as follows:
    (1) The FAA will conduct its review on a case-by-case basis, taking 
into account the complexity of the request and whether it allows 
sufficient time for the FAA to conduct its review and make the 
requisite public health and safety, safety of property, and national 
security and foreign policy findings; and
    (2) The FAA will provide its decision in writing.
0
6. Add appendix A to part 404 the read as follows:

Appendix A to Part 404--Alternative Time Frames

A404.1 GENERAL

    Alternative time frames. This appendix lists the sections and 
corresponding paragraphs in this chapter that provide the eligible 
time frames for an applicant, licensee, permittee or a safety 
element approval holder, as applicable, to request an alternative 
time frame.

                   Table A404.1--Eligible Time Frames
------------------------------------------------------------------------
                     49 CFR                             Paragraphs
------------------------------------------------------------------------
Sec.   404.5--Filing a petition for waiver......  (a)
Sec.   413.23--License or permit renewal........  (a)
Sec.   414.31--Safety element approval renewal..  (a)
Sec.   420.57--Notifications....................  (d)
Sec.   437.89--Preflight reporting..............  (a), (b)
Sec.   440.15--Demonstration of compliance......  (a)(1), (a)(2),
                                                   (a)(3), (a)(4)
Sec.   450.169-- Launch and Reentry Collision     (f)(1)
 Avoidance Analysis Requirements.
Sec.   450.213--Preflight reporting.............  (b), (c), (d), (e)
Sec.   450.215--Post-flight reporting...........  (a)
------------------------------------------------------------------------

PART 413--APPLICATION PROCEDURES

0
7. The authority citation for part 413 continues to read as follows:

    Authority:  51 U.S.C. 50901-50923.

0
 8. Revise the heading for part 413 to read as set forth above.
0
9. Revise Sec.  413.1 to read as follows:


Sec.  413.1  Scope of this part.

    (a) This part explains how to apply for a license or experimental 
permit. These procedures apply to all applications for obtaining a 
license or permit, transferring a license, and renewing a license or 
permit. In this part, the term application means either an application 
in its entirety, or a portion of an application for incremental review 
and determination in accordance with Sec.  450.33 of this chapter.
    (b) Use the following table to locate specific requirements:

                        Table 1 to Paragraph (b)
------------------------------------------------------------------------
                         Subject                               Part
------------------------------------------------------------------------
License to Operate a Launch Site........................             420
License to Operate a Reentry Site.......................             433
Experimental Permits....................................             437
Launch And Reentry License Requirements.................             450
------------------------------------------------------------------------

0
10. Amend Sec.  413.7 by revising the section heading and paragraph 
(a)(3) to read as follows:


Sec.  413.7  Application submission.

    (a) * * *
    (3) For an application submitted by email, an applicant must send 
the application as an email attachment, or as a link to a secure 
server, to [email protected]. The application and the email to 
which the application is attached or linked must also satisfy the 
following criteria:
    (i) The email to which the application is attached or linked must 
be sent from an email address controlled by the person who signed the 
application or by an authorized representative of the applicant;
    (ii) The email must identify each document that is included as an 
attachment or that is stored on a secure server; and
    (iii) The electronic files must be date-stamped and have version 
control documentation.
* * * * *
0
 11. Amend Sec.  413.11 by revising paragraph (a) to read as follows:


Sec.  413.11  Acceptance of an application.

* * * * *
    (a) The FAA accepts the application and will initiate review; or
* * * * *

[[Page 15417]]

0
12. Revise Sec.  413.15 to read as follows:


Sec.  413.15  Review period.

    (a) Review period duration. Unless otherwise specified in this 
chapter, the FAA reviews and makes a license or permit determination on 
an application within 180 days of receiving an accepted license 
application or within 120 days of receiving an accepted permit 
application. The FAA will establish the time frame for any incremental 
review and determination with an applicant on a case-by-case basis 
during pre-application consultation.
    (b) Review period tolled. If an accepted application does not 
provide sufficient information to continue or complete the reviews or 
evaluations required by this chapter for a license, permit, or 
incremental determination, or an issue exists that would affect a 
determination, the FAA notifies the applicant, in writing, and informs 
the applicant of any information required to complete the application. 
If the FAA cannot review an accepted application because of lack of 
information or for any other reason, the FAA will toll the review 
period until the FAA receives the information it needs or the applicant 
resolves the issue.
    (c) Notice. Unless applying under incremental review and 
determination in accordance with Sec.  450.33 of this chapter, if the 
FAA does not make a decision within 120 days of receiving an accepted 
license application or within 90 days of receiving an accepted permit 
application, the FAA informs the applicant, in writing, of any 
outstanding information needed to complete the review, or of any issues 
that would affect the decision.
0
13. Amend Sec.  413.21 by revising the section heading and paragraphs 
(b) and (c) to read as follows:


Sec.  413.21  Denial of a license or permit application.

* * * * *
    (b) If the FAA has denied an application in its entirety, the 
applicant may either--
    (1) Attempt to correct any deficiencies identified and ask the FAA 
to reconsider the revised application. The FAA has 60 days or the 
number of days remaining in the review period, whichever is greater, 
within which to reconsider the decision; or
    (2) Request a hearing in accordance with part 406 of this chapter, 
for the purpose of showing why the application should not be denied.
    (c) An applicant whose application is denied after reconsideration 
under paragraph (b)(1) of this section may request a hearing in 
accordance with paragraph (b)(2) of this section.
0
14. Revise part 414 to read as follows:

PART 414--SAFETY ELEMENT APPROVALS

Sec.
Subpart A--General
414.1 Scope.
414.3 Definitions.
414.5 Applicability.
414.7 Eligibility.
Subpart B--Application Procedures
414.9 Pre-application consultation.
414.11 Application.
414.13 Application separate from a vehicle operator license 
application.
414.15 Application concurrent with vehicle operator license 
application.
414.17 Confidentiality.
414.19 Processing the initial application.


414.21  Maintaining the continued accuracy of the initial application.

Subpart C--Safety Element Approval Review and Issuance
414.23 Technical criteria for reviewing a safety element approval 
application.
414.25 Terms and conditions for issuing a safety element approval; 
duration of a safety element approval.
414.27 Maintaining the continued accuracy of the safety element 
approval application.
414.29 Safety element approval records.
414.31 Safety element approval renewal.
414.33 Safety element approval transfer.
414.35 Monitoring compliance with the terms and conditions of a 
safety element approval.
414.37 Modification, suspension, or revocation of a safety element 
approval.
414.39 [Reserved]
Subpart D--Appeal Procedures
414.41 Hearings in safety element approval actions.
414.43 Submissions; oral presentations in safety element approval 
actions.
414.45 Administrative law judge's recommended decision in safety 
element approval actions.

    Authority:  51 U.S.C. 50901-50923.

Subpart A--General


Sec.  414.1  Scope.

    This part establishes procedures for obtaining a safety element 
approval and renewing and transferring an existing safety element 
approval. Safety element approvals issued under this part may be used 
to support the application review for one or more vehicle operator 
license requests under other parts of this chapter.


Sec.  414.3  Definitions.

    For purposes of this part the following definitions apply:
    Safety element approval. A safety element approval is an FAA 
document containing the FAA determination that one or more of the 
safety elements listed in paragraphs (1) and (2) of this definition, 
when used or employed within a defined envelope, parameter, or 
situation, will not jeopardize public health and safety or safety of 
property. A safety element approval may be issued independent of a 
license, and it does not confer any authority to conduct activities for 
which a license is required under this chapter. A safety element 
approval does not relieve its holder of the duty to comply with all 
applicable requirements of law or regulation that may apply to the 
holder's activities.
    (1) Launch vehicle, reentry vehicle, safety system, process, 
service, or any identified component thereof; or
    (2) Qualified and trained personnel, performing a process or 
function related to licensed activities or vehicles.
    Safety element. A safety element is any one of the items or persons 
(personnel) listed in paragraphs (1) and (2) of the definition of 
``safety approval'' in this section.


Sec.  414.5  Applicability.

    This part applies to an applicant that wants to obtain a safety 
element approval for any of the safety elements defined under this part 
and to persons granted a safety element approval under this part. Any 
person eligible under this part may apply to become the holder of a 
safety element approval.


Sec.  414.7  Eligibility.

    (a) There is no citizenship requirement to obtain a safety element 
approval.
    (b) You may be eligible for a safety element approval if you are--
    (1) A designer, manufacturer, or operator of a launch or reentry 
vehicle or component thereof;
    (2) The designer or developer of a safety system or process; or
    (3) Personnel who perform safety critical functions in conducting a 
licensed launch or reentry.
    (c) A safety element approval applicant must have sufficient 
knowledge and expertise to show that the design and operation of the 
safety element for which safety element approval is sought qualify for 
a safety element approval.
    (d) Only the safety elements defined under this part are eligible 
for a safety element approval. The applicant must consult with the FAA 
before submitting an application. Unless the applicant or the FAA 
requests another form of consultation, consultation is oral discussion 
with the FAA about the

[[Page 15418]]

application process and the potential issues relevant to the FAA's 
safety element approval decision.

Subpart B--Application Procedures


Sec.  414.9  Pre-application consultation.

    The applicant must consult with the FAA before submitting an 
application. Unless the applicant or the FAA requests another form of 
consultation, consultation is oral discussion with the FAA about the 
application process and the potential issues relevant to the FAA's 
safety approval decision.


Sec.  414.11  Application.

    An applicant may submit an application for a safety element 
approval in one of two ways:
    (a) Separate from a vehicle operator license application in 
accordance with Sec.  414.13; or
    (b) Concurrent with a vehicle operator license application in 
accordance with Sec.  414.15.


Sec.  414.13  Application separate from a vehicle operator license 
application.

    (a) An applicant must make an application in writing and in 
English. The applicant must file the application with the Federal 
Aviation Administration either by paper, by use of physical electronic 
storage, or by email in the following manner:
    (1) For an application submitted on paper, an applicant must send 
two copies of the application to the Federal Aviation Administration, 
Associate Administrator for Commercial Space Transportation, Room 331, 
800 Independence Avenue SW, Washington, DC 20591. Attention: 
Application Review.
    (2) For an application submitted by use of physical electronic 
storage, the applicant must either mail the application to the address 
specified in paragraph (a)(1) of this section or hand-deliver the 
application to an authorized FAA representative. The application and 
the physical electronic storage containing the application must also 
satisfy all of the following criteria:
    (i) The application must include a cover letter that is printed on 
paper and signed by the person who signed the application or by an 
authorized representative of the applicant;
    (ii) The cover letter must identify each document that is included 
on the physical electronic storage; and
    (iii) The physical electronic storage must be in a format such that 
its contents cannot be altered.
    (3) For an application submitted by email, an applicant must send 
the application as an email attachment, or as a link to a secure 
server, to [email protected]. The application and the email to 
which the application is attached must also satisfy the following 
criteria:
    (i) The email to which the application is attached must be sent 
from an email address controlled by the person who signed the 
application or by an authorized representative of the applicant; and
    (ii) The email must identify each document that is included as an 
attachment or that is stored on a secure server; and
    (iii) The electronic files must be date-stamped and have version 
control documentation.
    (b) The application must identify the following basic information:
    (1) Name and address of the applicant.
    (2) Name, address, and telephone number of any person to whom 
inquiries and correspondence should be directed.
    (3) Safety element as defined under this part for which the 
applicant seeks a safety element approval.
    (c) The application must contain the following technical 
information:
    (1) A Statement of Conformance letter, describing the specific 
criteria the applicant used to show the adequacy of the safety element 
for which a safety element approval is sought, and showing how the 
safety element complies with the specific criteria.
    (2) The specific operating limits for which the safety element 
approval is sought.
    (3) The following as applicable:
    (i) Information and analyses required under this chapter that may 
be applicable to demonstrating safe performance of the safety element 
for which the safety element approval is sought.
    (ii) Engineering design and analyses that show the adequacy of the 
proposed safety element for its intended use, such that the use in a 
licensed launch or reentry will not jeopardize public health or safety 
or the safety of property.
    (iii) Relevant manufacturing processes.
    (iv) Test and evaluation procedures.
    (v) Test results.
    (vi) Maintenance procedures.
    (vii) Personnel qualifications and training procedures.
    (d) The application must be legibly signed, dated, and certified as 
true, complete, and accurate by one of the following:
    (1) For a corporation, an officer or other individual authorized to 
act for the corporation in licensing or safety element approval 
matters.
    (2) For a partnership or a sole proprietorship, a general partner 
or proprietor, respectively.
    (3) For a joint venture, association, or other entity, an officer 
or other individual duly authorized to act for the joint venture, 
association, or other entity in licensing matters.
    (e) Failure to comply with any of the requirements set forth in 
this section is sufficient basis for denial of a safety element 
approval application.


Sec.  414.15  Application concurrent with vehicle operator license 
application.

    (a) An applicant for a vehicle operator license may also identify 
one or more sections of its application for which it seeks to obtain a 
safety element approval concurrently with a license. An applicant 
applying for a safety element approval concurrently with a license 
must--
    (1) Meet the applicable requirements of part 450 of this chapter;
    (2) Provide the information required in Sec.  414.13(b)(3) and 
(c)(2) and (3); and
    (3) Specify the sections of the license application that support 
its application for a safety element approval.
    (b) The scope of the safety element approval will be limited to 
what the application supports. The technical criteria for reviewing a 
safety element submitted as part of a vehicle operator license 
application are limited to the applicable requirements of part 450 of 
this chapter.


Sec.  414.17  Confidentiality.

    (a) To ensure confidentiality of data or information in the 
application, the applicant must--
    (1) Send a written request with the application that trade secrets 
or proprietary commercial or financial data be treated as confidential, 
and include in the request the specific time frame confidential 
treatment is required.
    (2) Mark data or information that require confidentiality with an 
identifying legend, such as ``Proprietary Information,'' ``Proprietary 
Commercial Information,'' ``Trade Secret,'' or ``Confidential Treatment 
Requested.'' Where this marking proves impracticable, attach a cover 
sheet that contains the identifying legend to the data or information 
for which confidential treatment is sought.
    (b) If the applicant requests confidential treatment for previously 
submitted data or information, the FAA will honor that request to the 
extent practicable in case of any prior distribution of the data or 
information.
    (c) Data or information for which confidential treatment is 
requested or data or information that qualifies for

[[Page 15419]]

exemption under 5 U.S.C. 552(b)(4) will not be disclosed to the public 
unless the Associate Administrator determines that withholding the data 
or information is contrary to the public or national interest.


Sec.  414.19  Processing the initial application.

    (a) The FAA will initially screen an application to determine if 
the application is complete enough for the FAA to start its review.
    (b) After completing the initial screening, the FAA will inform the 
applicant in writing of one of the following:
    (1) The FAA accepts the application and will begin the reviews or 
evaluations required for a safety element approval determination under 
this part.
    (2) The FAA rejects the application because it is incomplete or 
indefinite making initiation of the reviews or evaluations required for 
a safety element approval determination under this part inappropriate.
    (c) The written notice will state the reason(s) for rejection and 
corrective actions necessary for the application to be accepted. The 
FAA may return a rejected application to the applicant or may hold it 
until the applicant provides more information.
    (d) The applicant may withdraw, amend, or supplement an application 
any time before the FAA makes a final determination on the safety 
element approval application by making a written request to the 
Associate Administrator. If the applicant amends or supplements the 
initial application, the revised application must meet all the 
applicable requirements under this part.


Sec.  414.21  Maintaining the continued accuracy of the initial 
application.

    The applicant is responsible for the continuing accuracy and 
completeness of information provided to the FAA as part of the safety 
element approval application. If at any time after submitting the 
application, circumstances occur that cause the information to no 
longer be accurate and complete in any material respect, the applicant 
must submit a written statement to the Associate Administrator 
explaining the circumstances and providing the new or corrected 
information. The revised application must meet all requirements under 
Sec.  414.13 or Sec.  414.15.

Subpart C--Safety Element Approval Review and Issuance


Sec.  414.23  Technical criteria for reviewing a safety element 
approval application.

    The FAA will determine whether a safety element is eligible for and 
may be issued a safety approval. We will base our determination on 
performance-based criteria, against which we may assess the effect on 
public health and safety and on safety of property, in the following 
hierarchy:
    (a) FAA or other appropriate Federal regulations.
    (b) Government-developed or adopted standards.
    (c) Industry consensus performance-based criteria or standard.
    (d) Applicant-developed criteria. Applicant-developed criteria are 
performance standards customized by the manufacturer that intends to 
produce the system, system component, or part. The applicant-developed 
criteria must define--
    (1) Design and minimum performance;
    (2) Quality assurance system requirements;
    (3) Production acceptance test specifications; and
    (4) Continued operational safety monitoring system characteristics.


Sec.  414.25  Terms and conditions for issuing a safety element 
approval; duration of a safety approval.

    (a) The FAA will issue a safety element approval to an applicant 
that meets all the requirements under this part.
    (b) The scope of the safety element approval will be limited by the 
scope of the safety demonstration contained in the application on which 
the FAA based the decision to grant the safety element approval.
    (c) The FAA will determine specific terms and conditions of a 
safety element approval individually, limiting the safety element 
approval to the scope for which it was approved. The terms and 
conditions will include reporting requirements tailored to the 
individual safety element approval.
    (d) A safety element approval is valid for five years and may be 
renewed.


Sec.  414.27  Maintaining the continued accuracy of the safety element 
approval application.

    (a) The holder of a safety element approval must ensure the 
continued accuracy and completeness of representations contained in the 
safety element approval application, on which the approval was issued, 
for the entire term of the safety element approval.
    (b) If any representation contained in the application that is 
material to public health and safety or safety of property ceases to be 
accurate and complete, the safety element approval holder must prepare 
and submit a revised application according to Sec.  414.13 or Sec.  
414.15. The safety element approval holder must point out any part of 
the safety element approval or the associated application that would be 
changed or affected by a proposed modification. The FAA will review and 
make a determination on the revised application under the terms of this 
part.


Sec.  414.29  Safety element approval records.

    The holder of a safety element approval must maintain all records 
necessary to verify that the holder's activities are consistent with 
the representations contained in the application for which the approval 
was issued for the duration of the safety element approval plus one 
year.


Sec.  414.31  Safety element approval renewal.

    (a) Eligibility. A holder of a safety element approval may apply to 
renew it by sending the FAA a written application at least 90 days 
before the expiration date of the approval, unless the Administrator 
agrees to a different time frame in accordance with Sec.  404.15 of 
this chapter.
    (b) Application. (1) A safety element approval renewal application 
must meet all the requirements under Sec.  414.13 or Sec.  414.15.
    (2) The application may incorporate by reference information 
provided as part of the application for the expiring safety element 
approval or any modification to that approval.
    (3) Any proposed changes in the conduct of a safety element for 
which the FAA has issued a safety element approval must be described 
and must include any added information necessary to support the fitness 
of the proposed changes to meet the criteria upon which the FAA 
evaluated the safety element approval application.
    (c) Review of application. The FAA conducts the reviews required 
under this part to determine whether the safety element approval may be 
renewed. We may incorporate by reference any findings that are part of 
the record for the expiring safety element approval.
    (d) Grant of safety element approval renewal. If the FAA makes a 
favorable safety element approval determination, the FAA issues an 
order that amends the expiration date of the safety element approval or 
issues a new safety element approval. The FAA may impose added or 
revised terms and conditions

[[Page 15420]]

necessary to protect public health and safety and the safety of 
property.
    (e) Written notice. The FAA will provide written notice to the 
applicant of our determination on the safety element approval renewal 
request.
    (f) Denial of a safety element approval renewal. If the FAA denies 
the renewal application, the applicant may correct any deficiency the 
FAA identified and request a reconsideration of the revised 
application. The applicant also has the right to appeal a denial as set 
forth in subpart D of this part.


Sec.  414.33  Safety element approval transfer.

    (a) Only the FAA may approve a transfer of a safety element 
approval.
    (b) Either the holder of a safety element approval or the 
prospective transferee may request a safety element approval transfer.
    (c) Both the holder and prospective transferee must agree to the 
transfer.
    (d) The person requesting the transfer must submit a safety element 
approval application according to Sec.  414.13 or Sec.  414.15, must 
meet the applicable requirements of this part, and may incorporate by 
reference relevant portions of the initial application.
    (e) The FAA will approve a transfer of a safety element approval 
only after all the approvals and determinations required under this 
chapter for a safety element approval have been met. In conducting 
reviews and issuing approvals and determinations, the FAA may 
incorporate by reference any findings made part of the record to 
support the initial safety element approval determination. The FAA may 
modify the terms and conditions of a safety element approval to reflect 
any changes necessary because of a safety element approval transfer.
    (f) The FAA will provide written notice to the person requesting 
the safety element approval transfer of our determination.


Sec.  414.35  Monitoring compliance with the terms and conditions of a 
safety element approval.

    Each holder of a safety element approval must allow access by, and 
cooperate with, Federal officers or employees or other individuals 
authorized by the Associate Administrator to inspect manufacturing, 
production, testing, or assembly performed by a holder of a safety 
element approval or its contractor. The FAA may also inspect a safety 
element approval process or service, including training programs and 
personnel qualifications.


Sec.  414.37  Modification, suspension, or revocation of a safety 
element approval.

    (a) The safety element approval holder. The safety element approval 
holder may submit an application to the FAA to modify the terms and 
conditions of the holder's safety element approval. The application 
must meet all the applicable requirements under this part. The FAA will 
review and make a determination on the application using the same 
procedures under this part applicable to an initial safety element 
approval application. If the FAA denies the request to modify a safety 
element approval, the holder may correct any deficiency the FAA 
identified and request reconsideration. The holder also has the right 
to appeal a denial as set forth in subpart D of this part.
    (b) The FAA. If the FAA finds it is in the interest of public 
health and safety, safety of property, or if the safety element 
approval holder fails to comply with any applicable requirements of 
this part, any terms and conditions of the safety approval, or any 
other applicable requirement, the FAA may--
    (1) Modify the terms and conditions of the safety element approval; 
or
    (2) Suspend or revoke the safety element approval.
    (c) Effective date. Unless otherwise stated by the FAA, any 
modification, suspension, or revocation of a safety element approval 
under paragraph (b) of this section--
    (1) Takes effect immediately; and
    (2) Continues in effect during any reconsideration or appeal of 
such action under this part.
    (d) Notification and Right to Appeal. If the FAA determines it is 
necessary to modify, suspend, or revoke a safety element approval, we 
will notify the safety element approval holder in writing. If the 
holder disagrees with the FAA's determination, the holder may correct 
any deficiency the FAA identified and request a reconsideration of the 
determination. The applicant also has the right to appeal the 
determination as set forth in subpart D of this part.


Sec.  414.39  [Reserved]

Subpart D--Appeal Procedures


Sec.  414.41  Hearings in safety element approval actions.

    (a) The FAA will give the safety element approval applicant or 
holder, as appropriate, written notice stating the reason for issuing a 
denial or for modifying, suspending, or revoking a safety element 
approval under this part.
    (b) A safety element approval applicant or holder is entitled to a 
determination on the record after an opportunity for a hearing.


Sec.  414.43  Submissions; oral presentations in safety element 
approval actions.

    (a) Determinations in safety element approval actions under this 
part will be made on the basis of written submissions unless the 
administrative law judge, on petition or on his or her own initiative, 
determines that an oral presentation is required.
    (b) Submissions must include a detailed exposition of the evidence 
or arguments supporting the petition.
    (c) Petitions must be filed as soon as practicable, but in no event 
more than 30 days after issuance of decision or finding under Sec.  
414.37.


Sec.  414.45  Administrative law judge's recommended decision in safety 
element approval actions.

    (a) The Associate Administrator, who will make the final decision 
on the matter at issue, will review the recommended decision of the 
administrative law judge. The Associate Administrator will make such 
final decision within 30 days of issuance of the recommended decision.
    (b) The authority and responsibility to review and decide rests 
solely with the Associate Administrator and may not be delegated.

PART 415 [REMOVE AND RESERVE]

0
15. Remove and reserve part 415.

PART 417 [REMOVE AND RESERVE]

0
16. Remove and reserve part 417.

PART 420--LICENSE TO OPERATE A LAUNCH SITE

0
17. The authority citation for part 420 continues to read as follows:

    Authority: 51 U.S.C. 50901-50923.


Sec.  420.5  [Amended]

0
18. Amend Sec.  420.5 by removing the definitions for ``Instantaneous 
impact point,'' ``Launch site accident,'' and ``Public.''
0
 19. Amend Sec.  420.15 by revising paragraph (b) to read as follows:


Sec.  420.15  Information requirements.

* * * * *
    (b) Environmental. The FAA is responsible for complying with the 
procedures and policies of the National Environmental Policy Act (NEPA) 
and other applicable environmental laws, regulations, and Executive 
Orders prior to issuing a launch site license. An applicant must 
provide the FAA with information needed to comply with such 
requirements. The FAA will

[[Page 15421]]

consider and document the potential environmental effects associated 
with issuing a launch site license.
    (1) Environmental Impact Statement or Environmental Assessment. An 
applicant must--
    (i) Prepare an Environmental Assessment with FAA oversight;
    (ii) Assume financial responsibility for preparation of an 
Environmental Impact Statement by an FAA-selected and -managed 
consultant contractor; or
    (iii) Submit a written re-evaluation of a previously submitted 
Environmental Assessment or Environmental Impact Statement when 
requested by the FAA.
    (2) Categorical exclusion. An applicant may request a categorical 
exclusion determination from the FAA by submitting the request and 
supporting rationale.
    (3) Environmental information. An application must include an 
approved FAA Environmental Assessment, Environmental Impact Statement, 
categorical exclusion determination, or written re-evaluation covering 
all planned licensed activities in compliance with NEPA and the Council 
on Environmental Quality Regulations for Implementing the Procedural 
Provisions of NEPA.
* * * * *
0
20. Revise Sec.  420.51 to read as follows:


Sec.  420.51  Responsibilities--general.

    A licensee must operate its launch site in accordance with the 
representations in its application.
0
21. Amend Sec.  420.57 by revising paragraph (d) to read as follows:


Sec.  420.57  Notifications.

* * * * *
    (d) At least 2 days prior to flight of a launch vehicle, unless the 
Administrator agrees to a different time frame in accordance with Sec.  
404.15 of this chapter, the licensee must notify local officials and 
all owners of land adjacent to the launch site of the flight schedule.
0
22. Revise Sec.  420.59 to read as follows:


Sec.  420.59  Mishap plan.

    (a) A licensee must submit a mishap response plan that meets the 
requirements of Sec.  450.173 of this chapter.
    (b) A launch site operator's mishap plan must also contain--
    (1) Procedures for participating in an investigation of a launch 
mishap for launches launched from the launch site; and
    (2) Require the licensee to cooperate with FAA or National 
Transportation Safety Board (NTSB) investigations of a mishap for 
launches launched from the launch site.
    (c) Emergency response and investigation procedures developed in 
accordance with 29 CFR 1910.119 and 40 CFR part 68 will satisfy the 
requirements of Sec.  450.173(d) and (e) to the extent that they 
include the elements required by Sec.  450.173(d) and (e).

PART 431 [REMOVE AND RESERVE]

0
23. Remove and reserve part 431.

PART 433--LICENSE TO OPERATE A REENTRY SITE

0
24. The authority citation for part 433 continues to read as follows:

    Authority:  51 U.S.C. 50901-50923.

0
25. Revise Sec.  433.7 to read as follows:


Sec.  433.7  Environmental.

    (a) General. The FAA is responsible for complying with the 
procedures and policies of the National Environmental Policy Act (NEPA) 
and other applicable environmental laws, regulations, and Executive 
Orders prior to issuing a reentry site license. An applicant must 
provide the FAA with information needed to comply with such 
requirements. The FAA will consider and document the potential 
environmental effects associated with issuing a license for a reentry 
site.
    (b) Environmental Impact Statement or Environmental Assessment. An 
applicant must--
    (1) Prepare an Environmental Assessment with FAA oversight;
    (2) Assume financial responsibility for preparation of an 
Environmental Impact Statement by an FAA-selected and -managed 
consultant contractor; or
    (3) Submit a written re-evaluation of a previously submitted 
Environmental Assessment or Environmental Impact Statement when 
requested by the FAA.
    (c) Categorical exclusion. An applicant may request a categorical 
exclusion determination from the FAA by submitting the request and 
supporting rationale.
    (d) Environmental information. An application must include an 
approved FAA Environmental Assessment, Environmental Impact Statement, 
categorical exclusion determination, or written re-evaluation covering 
all planned licensed activities in compliance with NEPA and the Council 
on Environmental Quality Regulations for Implementing the Procedural 
Provisions of NEPA.


Sec.  433.9  [Removed and Reserved]

0
26. Remove and reserve Sec.  433.9.

PART 435 [REMOVED AND RESERVED]

0
27. Remove and reserve part 435.

PART 437--EXPERIMENTAL PERMITS

0
28. The authority citation for part 437 continues to read as follows:

    Authority:  51 U.S.C. 50901-50923.


Sec.  437.3  [Amended]

0
29. Amend Sec.  437.3 by removing the definition for ``Anomaly.''
0
30. Amend Sec.  437.21 by revising paragraphs (b) and (c) to read as 
follows:


Sec.  437.21  General.

* * * * *
    (b) Other regulations--(1) Environmental--(i) General. The FAA is 
responsible for complying with the procedures and policies of the 
National Environmental Policy Act (NEPA) and other applicable 
environmental laws, regulations, and Executive Orders to consider and 
document the potential environmental effects associated with proposed 
reusable suborbital rocket launches or reentries. An applicant must 
provide the FAA with information needed to comply with such 
requirements. The FAA will consider and document the potential 
environmental effects associated with proposed reusable suborbital 
rocket launches or reentries.
    (ii) Environmental Impact Statement or Environmental Assessment. An 
applicant must--
    (A) Prepare an Environmental Assessment with FAA oversight;
    (B) Assume financial responsibility for preparation of an 
Environmental Impact Statement by an FAA-selected and -managed 
consultant contractor; or
    (C) Submit a written re-evaluation of a previously submitted 
Environmental Assessment or Environmental Impact Statement when 
requested by the FAA.
    (iii) Categorical exclusion. An applicant may request a categorical 
exclusion determination from the FAA by submitting the request and 
supporting rationale.
    (iv) Information requirements. An application must include an 
approved FAA Environmental Assessment, Environmental Impact Statement, 
categorical exclusion determination, or written re-evaluation covering 
all planned licensed activities in compliance with NEPA and the Council 
on Environmental Quality Regulations for Implementing the Procedural 
Provisions of NEPA.
    (2) Financial responsibility. An applicant must provide the 
information required by part 3 of appendix A of part 440 of this 
chapter for the FAA to

[[Page 15422]]

conduct a maximum probable loss analysis.
    (3) Human space flight. An applicant proposing launch or reentry 
with flight crew or a space flight participant on board a reusable 
suborbital rocket must demonstrate compliance with Sec. Sec.  460.5, 
460.7, 460.11, 460.13, 460.15, 460.17, 460.51 and 460.53 of this 
subchapter.
    (c) Use of a safety element approval. If an applicant proposes to 
use any reusable suborbital rocket, safety system, process, service, or 
personnel for which the FAA has issued a safety element approval under 
part 414 of this chapter, the FAA will not reevaluate that safety 
element to the extent its use is within its approved envelope. As part 
of the application process, the FAA will evaluate the integration of 
that safety element into vehicle systems or operations.
* * * * *
0
31. Revise Sec.  437.41 to read as follows:


Sec.  437.41  Mishap plan.

    An applicant must submit a mishap plan that meets the requirements 
of Sec.  450.173 of this chapter.
0
32. Revise Sec.  437.65 to read as follows:


Sec.  437.65  Collision avoidance analysis.

    For a permitted flight with a planned maximum altitude greater than 
150 kilometers, a permittee must obtain a collision avoidance analysis 
in accordance with Sec.  450.169 of this chapter.


Sec.  437.75  [Removed and Reserved]

0
33. Remove and reserve Sec.  437.75.
0
34. Amend Sec.  437.89 by:
0
a. Revising paragraph (a) introductory text;
0
b. In paragraphs (a)(1) through (3), removing the comma at the end of 
the paragraphs and adding a semicolon in its place; and
0
c. Revise paragraph (b).
    The revisions read as follows:


Sec.  437.89  Pre-flight reporting.

    (a) Not later than 30 days before each flight or series of flights 
conducted under an experimental permit, unless the Administrator agrees 
to a different time frame in accordance with Sec.  404.15 of this 
chapter, a permittee must provide the FAA with the following 
information:
* * * * *
    (b) Not later than 15 days before each permitted flight planned to 
reach greater than 150 km altitude, unless the Administrator agrees to 
a different time frame in accordance with Sec.  404.15, a of this 
chapter permittee must provide the FAA its planned trajectory for a 
collision avoidance analysis.

PART 440--FINANCIAL RESPONSIBILITY

0
35. The authority citation for part 440 continues to read as follows:

    Authority:  51 U.S.C. 50901-50923.

0
36. Amend Sec.  440.3 by revising the definition for ``Maximum probable 
loss'' to read as follows:


Sec.  440.3  Definitions.

* * * * *
    Maximum probable loss (MPL) means the greatest dollar amount of 
loss for bodily injury or property damage that is reasonably expected 
to result from a licensed or permitted activity:
    (1) Losses to third parties, excluding Government personnel and 
other launch or reentry participants' employees involved in licensed or 
permitted activities and neighboring operations personnel, that are 
reasonably expected to result from a licensed or permitted activity are 
those that have a probability of occurrence of no less than one in ten 
million.
    (2) Losses to Government property and Government personnel involved 
in licensed or permitted activities and neighboring operations 
personnel that are reasonably expected to result from licensed or 
permitted activities are those that have a probability of occurrence of 
no less than one in one hundred thousand.
* * * * *
0
37. Amend Sec.  440.15 by revising paragraphs (a)(1) through (4) to 
read as follows:


Sec.  440.15  Demonstration of compliance.

    (a) * * *
    (1) All reciprocal waiver of claims agreements required under Sec.  
440.17(c) must be submitted at least 30 days before the start of any 
licensed or permitted activity involving a customer, crew member, or 
space flight participant; unless the Administrator agrees to a 
different time frame in accordance with Sec.  404.15 of this chapter;
    (2) Evidence of insurance must be submitted at least 30 days before 
commencement of any licensed launch or permitted activity, and for 
licensed reentry no less than 30 days, before commencement of launch 
activities involving the reentry licensee, unless the Administrator 
agrees to a different time frame in accordance with Sec.  404.15 of 
this chapter;
    (3) Evidence of financial responsibility in a form other than 
insurance, as provided under Sec.  440.9(f) must be submitted at least 
60 days before commencement of a licensed or permitted activity, unless 
the Administrator agrees to a different time frame in accordance with 
Sec.  404.15 of this chapter; and
    (4) Evidence of renewal of insurance or other form of financial 
responsibility must be submitted at least 30 days in advance of its 
expiration date, unless the Administrator agrees to a different time 
frame in accordance with Sec.  404.15 of this chapter.
* * * * *
0
38. Add part 450 to read as follows:

PART 450--LAUNCH AND REENTRY LICENSE REQUIREMENTS

Sec.
Subpart A--General Information
450.1 Applicability.
450.3 Scope of a vehicle operator license.
450.5 Issuance of a vehicle operator license.
450.7 Duration of a vehicle operator license.
450.9 Additional license terms and conditions.
450.11 Transfer of a vehicle operator license.
450.13 Rights not conferred by a vehicle operator license.
Subpart B--Requirements to Obtain a Vehicle Operator License
450.31 General.
450.33 Incremental review and determinations.
450.35 Accepted means of compliance.
450.37 Equivalent level of safety.
450.39 Use of safety element approval.
450.41 Policy review and approval.
450.43 Payload review and determination.
450.45 Safety review and approval.
450.47 Environmental review.
Subpart C--Safety Requirements

Public Safety Criteria

450.101 Public safety criteria.

System Safety Program

450.103 System safety program.

Preliminary Safety Assessment for Flight and Hazard Control Strategies

450.105 Preliminary safety assessment for flight.
450.107 Hazard control strategies.

Flight Hazard Analyses for Hardware and Software

450.109 Flight hazard analysis.
450.111 Computing systems and software.

Flight Safety Analyses

450.113 Flight safety analysis requirements--scope and 
applicability.
450.115 Flight safety analysis methods.
450.117 Trajectory analysis for normal flight.
450.119 Trajectory analysis for malfunction flight.
450.121 Debris analysis.
450.123 Flight safety limits analysis.
450.125 Gate analysis.
450.127 Data loss Flight time and planned safe flight state 
analyses.

[[Page 15423]]

450.129 Time delay analysis.
450.131 Probability of failure analysis.
450.133 Flight hazard area analysis.
450.135 Debris risk analysis.
450.137 Far-field overpressure blast effects analysis.
450.139 Toxic hazards for flight.
450.141 Wind weighting for the flight of an unguided suborbital 
launch vehicle.

Prescribed Hazard Controls

450.143 Safety-critical system design, test, and documentation.
450.145 Flight safety system.
450.147 Agreements.
450.149 Safety-critical personnel qualifications.
450.151 Work shift and rest requirements.
450.153 Radio frequency management.
450.155 Readiness.
450.157 Communications.
450.159 Preflight procedures.
450.161 Surveillance and publication of hazard areas.
450.163 Lightning hazard mitigation.
450.165 Flight safety rules.
450.167 Tracking.
450.169 Launch and reentry collision avoidance analysis 
requirements.
450.171 Safety at end of launch.
450.173 Mishap plan--reporting, response, and investigation 
requirements.
450.175 Test-induced damage.
450.177 Unique Policies, requirements, and practices.

Ground Safety

450.179 Ground safety--general.
450.181 Coordination with a site operator.
450.183 Explosive site plan.
450.185 Ground hazard analysis.
450.187 Toxic hazards mitigation for ground operations.
450.189 Ground safety prescribed hazard controls.
Subpart D--Terms and Conditions of a Vehicle Operator License.
450.201 Public safety responsibility.
450.203 Compliance with license.
450.205 Financial responsibility requirements.
450.207 Human Spaceflight Requirements.
450.209 Compliance monitoring.
450.211 Continuing accuracy of license application; application for 
modification of license.
450.213 Preflight reporting.
450.215 Post-flight reporting.
450.217 Registration of space objects.
450.219 Records.
Appendix A to Part 450--Collision Analysis Worksheet

    Authority:  51 U.S.C. 50901-50923.

Subpart A--General Information


Sec.  450.1  Applicability.

    (a) General. This part prescribes requirements for obtaining and 
maintaining a license to launch, reenter, or both launch and reenter, a 
launch or reentry vehicle.
    (b) Grandfathering. Except for Sec. Sec.  450.169 and 450.101(a)(4) 
and (b)(4), this part does not apply to any launch or reentry that an 
operator elects to conduct pursuant to a license issued by the FAA or 
an application accepted by the FAA no later than [EFFECTIVE DATE OF 
FINAL RULE]. The Administrator will determine the applicability of this 
part to an application for a license modification submitted after 
[EFFECTIVE DATE OF FINAL RULE] on a case-by-case basis.


Sec.  450.3  Scope of a vehicle operator license.

    (a) A vehicle operator license authorizes a licensee to conduct one 
or more launches or reentries using the same vehicle or family of 
vehicles. A vehicle operator license identifies the scope of 
authorization as defined in paragraphs (b) and (c) of this section or 
as agreed to by the Administrator.
    (b) A vehicle operator license authorizes launch, which includes 
the flight of a launch vehicle and pre- and post-flight ground 
operations as follows:
    (1) Launch begins when hazardous preflight ground operations 
commence at a U.S. launch site that pose a threat to the public. Unless 
a later point is agreed to by the Administrator, hazardous preflight 
ground operations commence when a launch vehicle or its major 
components arrive at a U.S. launch site.
    (2) At a non-U.S. launch site, launch begins at ignition or at the 
first movement that initiates flight, whichever occurs earlier.
    (3) Launch ends when any of the following events occur:
    (i) For an orbital launch of a vehicle without a reentry of the 
vehicle, launch ends after the licensee's last exercise of control over 
its vehicle on orbit, after vehicle stage impact on Earth, after 
activities necessary to return the vehicle or stage to a safe condition 
on the ground after landing, or after activities necessary to return 
the site to a safe condition, whichever occurs later;
    (ii) For an orbital launch of a vehicle with a reentry of the 
vehicle, launch ends after deployment of all payloads, upon completion 
of the vehicle's first steady-state orbit if there is no payload, or 
after activities necessary to return the site to a safe condition, 
whichever occurs later;
    (iii) For a suborbital launch that includes a reentry, launch ends 
after reaching apogee; or
    (iv) For a suborbital launch that does not include a reentry, 
launch ends after the vehicle or vehicle component impact on Earth, 
after activities necessary to return the vehicle or vehicle component 
to a safe condition on the ground after landing, or after activities 
necessary to return the site to a safe condition, whichever occurs 
later.
    (c) A vehicle operator's license authorizes reentry, which includes 
activities conducted in Earth orbit or outer space to determine reentry 
readiness and that are critical to ensuring public health and safety 
and the safety of property during reentry flight. Reentry also includes 
activities necessary to return the reentry vehicle to a safe condition 
on the ground after landing.


Sec.  450.5  Issuance of a vehicle operator license.

    (a) The FAA issues a vehicle operator license to an applicant who 
has obtained all approvals and determinations required under this part 
for a license.
    (b) A vehicle operator license authorizes a licensee to conduct 
launches or reentries, in accordance with the representations contained 
in the licensee's application, with subparts C and D of this part, and 
subject to the licensee's compliance with terms and conditions 
contained in license orders accompanying the license, including 
financial responsibility requirements.


Sec.  450.7  Duration of a vehicle operator license.

    A vehicle operator license is valid for the period of time 
determined by the Administrator as necessary to conduct the licensed 
activity but may not exceed 5 years from the issuance date.


Sec.  450.9  Additional license terms and conditions.

    The FAA may modify a vehicle operator license at any time by 
modifying or adding license terms and conditions to ensure compliance 
with the Act (as defined in Sec.  401.5 of this chapter) and its 
implementing regulations in this chapter.


Sec.  450.11  Transfer of a vehicle operator license.

    (a) Only the FAA may transfer a vehicle operator license.
    (b) An applicant for transfer of a vehicle operator license must 
submit a license application in accordance with part 413 of this 
chapter and must meet the requirements of part 450 of this chapter. The 
FAA will transfer a license to an applicant that has obtained all of 
the approvals and determinations required under this part for a 
license. In conducting its reviews and issuing approvals and 
determinations, the FAA may incorporate by reference any findings made 
part of the record to support the initial licensing determination. The 
FAA may modify a

[[Page 15424]]

license to reflect any changes necessary as a result of a license 
transfer.


Sec.  450.13  Rights not conferred by a vehicle operator license.

    Issuance of a vehicle operator license does not relieve a licensee 
of its obligation to comply with all applicable requirements of law or 
regulation that may apply to its activities, nor does issuance confer 
any proprietary, property or exclusive right in the use of any Federal 
launch range or related facilities, airspace, or outer space.

Subpart B--Requirements to Obtain a Vehicle Operator License


Sec.  450.31  General.

    (a) To obtain a vehicle operator license, an applicant must--
    (1) Submit a license application in accordance with the procedures 
in part 413 of this chapter;
    (2) Obtain a policy approval from the Administrator in accordance 
with Sec.  450.41;
    (3) Obtain a favorable payload determination from the Administrator 
in accordance with Sec.  450.43;
    (4) Obtain a safety approval from the Administrator in accordance 
with Sec.  450.45;
    (5) Satisfy the environmental review requirements of Sec.  450.47; 
and
    (6) Provide the information required by appendix A of part 440 of 
this chapter for the Administrator to conduct a maximum probable loss 
analysis for the applicable licensed operation.
    (b) An applicant may apply for the approvals and determinations in 
paragraphs (a)(2) through (6) of this section separately or all 
together in one complete application, using the application procedures 
contained in part 413 of this chapter.
    (c) An applicant may also apply for a safety approval in an 
incremental manner, in accordance with Sec.  450.33.
    (d) An applicant may reference materials previously provided as 
part of a license application in order to meet the application 
requirements of this part.


Sec.  450.33  Incremental review and determinations.

    An applicant may submit its application for a safety review 
incrementally using an approach approved by the Administrator.
    (a) An applicant must identify to the Administrator, prior to 
submitting an application, whether it will submit an incremental 
application for any approval or determination.
    (b) An applicant using an incremental approach must have the 
approach approved by the Administrator prior to submitting an 
application.
    (c) The Administrator may make incremental determinations as part 
of this review process.


Sec.  450.35  Accepted means of compliance.

    (a) An applicant must demonstrate compliance with applicable 
sections of this part using a means of compliance accepted by the 
Administrator. These applicable sections specify that only an accepted 
means of compliance can be used to demonstrate compliance.
    (b) The FAA will provide public notice of each means of compliance 
that the Administrator has accepted.
    (c) An applicant requesting acceptance of an alternative means of 
compliance must submit the alternative means of compliance to the FAA 
in a form and manner acceptable to the Administrator.


Sec.  450.37  Equivalent level of safety.

    (a) An applicant must demonstrate compliance with each requirement 
of this part, unless the applicant clearly and convincingly 
demonstrates that an alternative approach provides an equivalent level 
of safety to the requirement of this part.
    (b) Paragraph (a) of this section does not apply to the 
requirements of Sec.  450.101.


 Sec.  450.39   Use of safety element approval.

    If an applicant proposes to use any vehicle, safety system, 
process, service, or personnel for which the FAA has issued a safety 
element approval under part 414 of this chapter, the FAA will not 
reevaluate that safety element during a license application evaluation 
to the extent its use is within its approved envelope.


Sec.  450.41  Policy review and approval.

    (a) General. The FAA issues a policy approval to an applicant 
unless the FAA determines that a proposed launch or reentry would 
jeopardize U.S. national security or foreign policy interests, or 
international obligations of the United States.
    (b) Interagency consultation. (1) The FAA consults with the 
Department of Defense to determine whether a license application 
presents any issues affecting U.S. national security.
    (2) The FAA consults with the Department of State to determine 
whether a license application presents any issues affecting U.S. 
foreign policy interests or international obligations.
    (3) The FAA consults with other Federal agencies, including the 
National Aeronautics and Space Administration, authorized to address 
issues identified under paragraph (a) of this section, associated with 
an applicant's proposal.
    (c) Issues during policy review. The FAA will advise an applicant, 
in writing, of any issue raised during a policy review that would 
impede issuance of a policy approval. The applicant may respond, in 
writing, or amend its license application as required by Sec.  413.17 
of this chapter.
    (d) Denial of policy approval. The FAA notifies an applicant, in 
writing, if it has denied policy approval for a license application. 
The notice states the reasons for the FAA's determination. The 
applicant may respond in writing to the reasons for the determination 
and request reconsideration in accordance with Sec.  413.21 of this 
chapter.
    (e) Application requirements for policy review. In its license 
application, an applicant must--
    (1) Identify the model, type, and configuration of any vehicle 
proposed for launch or reentry by the applicant;
    (2) Describe the vehicle by characteristics that include individual 
stages, their dimensions, type and amounts of all propellants, and 
maximum thrust;
    (3) Identify foreign ownership of the applicant as follows:
    (i) For a sole proprietorship or partnership, identify all foreign 
ownership;
    (ii) For a corporation, identify any foreign ownership interests of 
10 percent or more; and
    (iii) For a joint venture, association, or other entity, identify 
any participating foreign entities; and
    (4) Identify proposed vehicle flight profile, including:
    (i) Launch or reentry site, including any contingency abort 
locations;
    (ii) Flight azimuths, trajectories, and associated ground tracks 
and instantaneous impact points for the duration of the licensed 
activity, including any contingency abort profiles;
    (iii) Sequence of planned events or maneuvers during flight;
    (iv) Normal impact or landing areas for all mission hardware; and
    (v) For each orbital mission, the range of intermediate and final 
orbits of each vehicle upper stage and their estimated orbital 
lifetimes.


Sec.  450.43  Payload review and determination.

    (a) General. The FAA issues a favorable payload determination for a 
launch or reentry to a license applicant or payload owner or operator 
if--
    (1) The applicant, payload owner, or payload operator has obtained 
all required licenses, authorizations, and permits; and

[[Page 15425]]

    (2) Its launch or reentry would not jeopardize public health and 
safety, safety of property, U.S. national security or foreign policy 
interests, or international obligations of the United States.
    (b) Relationship to other executive agencies. The FAA does not make 
a determination under paragraph (a)(2) of this section for--
    (1) Those aspects of payloads that are subject to regulation by the 
Federal Communications Commission or the Department of Commerce; or
    (2) Payloads owned or operated by the U.S. Government.
    (c) Classes of payloads. The FAA may review and issue findings 
regarding a proposed class of payload, including communications, remote 
sensing, or navigation. However, prior to a launch or reentry, each 
payload is subject to verification by the FAA that its launch or 
reentry would not jeopardize public health and safety, safety of 
property, U.S. national security or foreign policy interests, or 
international obligations of the United States.
    (d) Payload owner or payload operator may apply. In addition to a 
launch or reentry operator, a payload owner or payload operator may 
request a payload review and determination.
    (e) Interagency consultation. The FAA consults with other agencies 
as follows:
    (1) The Department of Defense to determine whether launch or 
reentry of a proposed payload or payload class would present any issues 
affecting U.S. national security;
    (2) The Department of State to determine whether launch or reentry 
of a proposed payload or payload class would present any issues 
affecting U.S. foreign policy interests or international obligations; 
or
    (3) Other Federal agencies, including the National Aeronautics and 
Space Administration, authorized to address issues of public health and 
safety, safety of property, U.S. national security or foreign policy 
interests, or international obligations of the United States, 
associated with the launch or reentry of a proposed payload or payload 
class.
    (f) Issues during payload review. The FAA will advise a person 
requesting a payload determination, in writing, of any issue raised 
during a payload review that would impede issuance of a license to 
launch or reenter that payload or payload class. The person requesting 
payload review may respond, in writing, or amend its application as 
required by Sec.  413.17 of this chapter.
    (g) Denial of a payload determination. The FAA notifies an 
applicant, in writing, if it has denied a favorable payload 
determination. The notice states the reasons for the FAA's 
determination. The applicant may respond in writing to the reasons for 
the determination and request reconsideration in accordance with Sec.  
413.21 of this chapter.
    (h) Incorporation of payload determination in license application. 
A favorable payload determination issued for a payload or class of 
payload may be included by a license applicant as part of its 
application. However, any change in information provided under 
paragraph (i) of this section must be reported in accordance with Sec.  
413.17 of this chapter. The FAA determines whether a favorable payload 
determination remains valid in light of reported changes and may 
conduct an additional payload review.
    (i) Application requirements. A person requesting review of a 
particular payload or payload class must identify the following:
    (1) For launch of a payload:
    (i) Payload name or class, and function;
    (ii) Description, including physical dimensions, weight, 
composition, and any hosted payloads;
    (iii) Payload owner and payload operator, if different from the 
person requesting payload review and determination,
    (iv) Any foreign ownership of the payload or payload operator, as 
specified in Sec.  450.41(e)(3);
    (v) Hazardous materials as defined in Sec.  401.5 of this chapter, 
radioactive materials, and the amounts of each;
    (vi) Explosive potential of payload materials, alone and in 
combination with other materials found on the payload;
    (vii) For orbital launches, parameters for parking, transfer and 
final orbits, and approximate transit times to final orbit;
    (viii) Delivery point in flight at which the payload will no longer 
be under the licensee's control;
    (ix) Intended operations during the lifetime of the payload, 
including anticipated life span and any planned disposal;
    (x) Any encryption associated with data storage on the payload and 
transmissions to or from the payload; and
    (xi) Any other information necessary to make a determination based 
on public health and safety, safety of property, U.S. national security 
or foreign policy interests, or international obligations of the United 
States; or
    (2) For reentry of a payload:
    (i) Payload name or class and function;
    (ii) Physical characteristics, dimensions, and weight of the 
payload;
    (iii) Payload owner and payload operator, if different from the 
person requesting the payload review and determination;
    (iv) Type, amount, and container of hazardous materials and 
radioactive materials in the payload;
    (v) Explosive potential of payload materials, alone and in 
combination with other materials found on the payload or reentry 
vehicle during reentry; and
    (vi) Designated reentry site.


Sec.  450.45  Safety review and approval.

    (a) General. The FAA issues a safety approval to an applicant if it 
determines that an applicant can conduct launch or reentry without 
jeopardizing public health and safety and safety of property. A license 
applicant must satisfy the application requirements in this section and 
subpart C of this part.
    (b) Services or property provided by a Federal launch range. The 
FAA will accept any safety-related launch or reentry service or 
property provided by a Federal launch range or other Federal entity by 
contract, as long as the FAA determines that the launch or reentry 
services or property provided satisfy this part.
    (c) Issues during safety review. The FAA will advise an applicant, 
in writing, of any issues raised during a safety review that would 
impede issuance of a safety approval. The applicant may respond, in 
writing, or amend its license application as required by Sec.  413.17 
of this chapter.
    (d) Denial of a safety approval. The FAA notifies an applicant, in 
writing, if it has denied a safety approval for a license application. 
The notice states the reasons for the FAA's determination. The 
applicant may respond in writing to the reasons for the determination 
and request reconsideration in accordance with Sec.  413.21 of this 
chapter.
    (e) Application requirements. An applicant must submit the 
application requirements information in subpart C of this part, as well 
as the following:
    (1) General. An application must--
    (i) Contain a glossary of unique terms and acronyms used in 
alphabetical order;
    (ii) Contain a listing of all referenced material;
    (iii) Use equations and mathematical relationships derived from or 
referenced to a recognized standard or text, and define all algebraic 
parameters;
    (iv) Include the units of all numerical values provided; and
    (v) Include a legend or key that identifies all symbols used for 
any schematic diagrams.
    (2) Site description. An applicant must identify the proposed 
launch or

[[Page 15426]]

reentry site, including contingency abort locations, and submit the 
following:
    (i) Boundaries of the site;
    (ii) Launch or landing point locations, including latitude and 
longitude;
    (iii) Identity of any site operator; and
    (iv) Identity of any facilities at the site that will be used for 
pre- or post-flight ground operations.
    (3) Vehicle description. An applicant must submit the following:
    (i) A written description of the vehicle or family of vehicles, 
including structural, thermal, pneumatic, propulsion, electrical, and 
avionics and guidance systems used in each vehicle, and all 
propellants. The description must include a table specifying the type 
and quantities of all hazardous materials on each vehicle and must 
include propellants, explosives, and toxic materials; and
    (ii) A drawing of each vehicle that identifies:
    (A) Each stage, including strap-on motors;
    (B) Physical dimensions and weight;
    (C) Location of all safety-critical systems;
    (D) Location of all major vehicle control systems, propulsion 
systems, pressure vessels, and any other hardware that contains 
potential hazardous energy or hazardous material; and
    (E) For an unguided suborbital launch vehicle, the location of the 
rocket's center of pressure in relation to its center of gravity for 
the entire flight profile.
    (4) Mission schedule. An applicant must submit a generic launch or 
reentry processing schedule that identifies any readiness activities, 
such as reviews and rehearsals, and each safety-critical preflight 
operation to be conducted. The mission schedule must also identify day 
of flight activities.
    (5) Human space flight. For a proposed launch or reentry with a 
human being on board a vehicle, an applicant must demonstrate 
compliance with Sec. Sec.  460.5, 460.7, 460.11, 460.13, 460.15, 
460.17, 460.51, and 460.53 of this chapter.
    (6) Radionuclides. The FAA will evaluate the launch or reentry of 
any radionuclide on a case-by-case basis, and issue an approval if the 
FAA finds that the launch or reentry is consistent with public health 
and safety, safety of property, and national security and foreign 
policy interests of the United States. For any radionuclide on a launch 
or reentry vehicle, an applicant must--
    (i) Identify the type and quantity;
    (ii) Include a reference list of all documentation addressing the 
safety of its intended use; and
    (iii) Describe all approvals by the Nuclear Regulatory Commission 
for preflight ground operations.
    (7) Additional material. The FAA may also request--
    (i) Any information incorporated by reference in the license 
application; and
    (ii) Additional products that allow the FAA to conduct an 
independent safety analysis.


Sec.  450.47  Environmental review.

    (a) General. The FAA is responsible for complying with the 
procedures and policies of the National Environmental Policy Act (NEPA) 
and other applicable environmental laws, regulations, and Executive 
Orders prior to issuing a launch or reentry license. An applicant must 
provide the FAA with information needed to comply with such 
requirements. The FAA will consider and document the potential 
environmental effects associated with issuing a launch or reentry 
license consistent with paragraph (b) of this section.
    (b) Environmental Impact Statement or Environmental Assessment. An 
applicant must--
    (1) Prepare an Environmental Assessment with FAA oversight;
    (2) Assume financial responsibility for preparation of an 
Environmental Impact Statement by an FAA-selected and -managed 
consultant contractor; or
    (3) Submit a written re-evaluation of a previously submitted 
Environmental Assessment or Environmental Impact Statement when 
requested by the FAA.
    (c) Categorical exclusion. An applicant may request a categorical 
exclusion determination from the FAA by submitting the request and 
supporting rationale.
    (d) Application requirements. An application must include an 
approved FAA Environmental Assessment, Environmental Impact Statement, 
categorical exclusion determination, or written re-evaluation, which 
should address compliance with any other applicable environmental laws, 
regulations, and Executive Orders covering all planned licensed 
activities in compliance with NEPA and the Council on Environmental 
Quality Regulations for Implementing the Procedural Provisions of NEPA.

Subpart C--Safety Requirements

Public Safety Criteria


Sec.  450.101  Public safety criteria.

    (a) Launch risk criteria. An operator may initiate the flight of a 
launch vehicle only if all risks to the public satisfy the criteria in 
paragraphs (a)(1) through (4) of this section. The following criteria 
apply to each launch from liftoff through orbital insertion for an 
orbital launch, and through final impact or landing for a suborbital 
launch:
    (1) Collective risk. The collective risk, measured as expected 
number of casualties (EC), consists of risk posed by 
impacting inert and explosive debris, toxic release, and far field 
blast overpressure. The FAA will determine whether to approve public 
risk due to any other hazard associated with the proposed flight of a 
launch vehicle on a case-by-case basis.
    (i) The risk to all members of the public, excluding persons in 
aircraft and neighboring operations personnel, must not exceed an 
expected number of 1 x 10^-4 casualties.
    (ii) The risk to all neighboring operations personnel must not 
exceed an expected number of 2 x 10^-4 casualties.
    (2) Individual risk. The individual risk, measured as probability 
of casualty (PC), consists of risk posed by impacting inert 
and explosive debris, toxic release, and far field blast overpressure. 
The FAA will determine whether to approve public risk due to any other 
hazard associated with the proposed flight of a launch vehicle on a 
case-by-case basis.
    (i) The risk to any individual member of the public, excluding 
neighboring operations personnel, must not exceed a probability of 
casualty of 1 x 10^-6 per launch.
    (ii) The risk to any individual neighboring operations personnel 
must not exceed a probability of casualty of 1 x 10^-5 per 
launch.
    (3) Aircraft risk. A launch operator must establish any aircraft 
hazard areas necessary to ensure the probability of impact with debris 
capable of causing a casualty for aircraft does not exceed 1 x 
10^-\6\.
    (4) Risk to critical assets. The probability of loss of 
functionality for each critical asset must not exceed 1 x 
10^-\3\, or a more stringent probability if the FAA 
determines, in consultation with relevant Federal agencies, it is 
necessary to protect the national security interests of the United 
States.
    (b) Reentry risk criteria. An operator may initiate the deorbit of 
a vehicle only if all risks to the public satisfy the criteria in 
paragraphs (b)(1) through (4) of this section. The following criteria 
apply to each reentry, from the final health check prior to the deorbit 
burn through final impact or landing:
    (1) Collective risk. The collective risk, measured as expected 
number of casualties (EC), consists of risk posed by 
impacting inert and explosive debris, toxic release, and far field 
blast

[[Page 15427]]

overpressure. The FAA will determine whether to approve public risk due 
to any other hazard associated with the proposed deorbit of a reentry 
vehicle on a case-by-case basis.
    (i) The risk to all members of the public, excluding persons in 
aircraft and neighboring operations personnel, must not exceed an 
expected number of 1 x 10^-\4\ casualties.
    (ii) The risk to all neighboring operations personnel must not 
exceed an expected number of 2 x 10^-\4\ casualties.
    (2) Individual risk. The individual risk, measured as probability 
of casualty (PC), consists of risk posed by impacting inert 
and explosive debris, toxic release, and far field blast overpressure. 
The FAA will determine whether to approve public risk due to any other 
hazard associated with the proposed flight of a launch vehicle on a 
case-by-case basis.
    (i) The risk to any individual member of the public, excluding 
neighboring operations personnel, must not exceed a probability of 
casualty of 1 x 10^-\6\ per reentry.
    (ii) The risk to any individual neighboring operations personnel 
must not exceed a probability of casualty of 1 x 10^-\5\ per 
reentry.
    (3) Aircraft risk. A reentry operator must establish any aircraft 
hazard areas necessary to ensure the probability of impact with debris 
capable of causing a casualty for aircraft does not exceed 1 x 
10^-\6\.
    (4) Risk to critical assets. The probability of loss of 
functionality for each critical asset must not exceed 1 x 
10^-\3\, or a more stringent probability if the FAA 
determines, in consultation with relevant Federal agencies, it is 
necessary to protect the national security interests of the United 
States.
    (c) Flight abort. An operator must use flight abort with a flight 
safety system that meets the requirements of Sec.  450.145 as a hazard 
control strategy if the consequence of any reasonably foreseeable 
vehicle response mode, in any one-second period of flight, is greater 
than 1 x 10^-3 conditional expected casualties for 
uncontrolled areas. This requirement applies to all phases of flight, 
unless otherwise agreed to by the Administrator based on the 
demonstrated reliability of the launch or reentry vehicle during that 
phase of flight.
    (d) Disposal safety criteria. A launch operator must ensure that 
any disposal meets the criteria of paragraphs (b)(1), (2), and (3) of 
this section, or targets a broad ocean area.
    (e) Protection of people and property on-orbit. (1) A launch or 
reentry operator must prevent the collision between a launch or reentry 
vehicle stage or component and people or property on-orbit, in 
accordance with the requirements in Sec.  450.169(a).
    (2) For any launch vehicle stage or component that reaches Earth 
orbit, a launch operator must prevent the creation of debris through 
the conversion of energy sources into energy that fragments the stage 
or component, in accordance with the requirements in Sec.  450.171.
    (f) Notification of planned impacts. For any launch, reentry, or 
disposal, an operator must notify the public of any region of land, 
sea, or air that contain, with 97 percent probability of containment, 
all debris resulting from normal flight events capable of causing a 
casualty.
    (g) Validity of the analysis. For any analysis used to demonstrate 
compliance with this section, an operator must use accurate data and 
scientific principles and be statistically valid. The method must 
produce results consistent with or more conservative than the results 
available from previous mishaps, tests, or other valid benchmarks, such 
as higher-fidelity methods.

System Safety Program


Sec.  450.103  System safety program.

    An operator must implement and document a system safety program 
throughout the operational lifecycle of a launch or reentry system that 
includes the following:
    (a) Safety organization. An operator must maintain and document a 
safety organization that has clearly defined lines of communication and 
approval authority for all public safety decisions. At a minimum, the 
safety organization must have the following positions:
    (1) Mission director. For each launch or reentry, an operator must 
designate a position responsible for the safe conduct of all licensed 
activities and authorized to provide final approval to proceed with 
licensed activities. This position is referred to as the mission 
director in this part.
    (2) Safety official. For each launch or reentry, an operator must 
designate a position with direct access to the mission director that 
is--
    (i) Responsible for communicating potential safety and 
noncompliance issues to the mission director; and
    (ii) Authorized to examine all aspects of the operator's ground and 
flight safety operations, and to independently monitor compliance with 
the operator's safety policies, safety procedures, and licensing 
requirements.
    (3) Addressing safety concerns. The mission director must ensure 
that all of the safety official's concerns are addressed.
    (b) Procedures. An operator must establish procedures to evaluate 
the operational lifecycle of the launch or reentry system:
    (1) An operator must conduct a preliminary safety assessment as 
required by Sec.  450.105, and the system safety program must include:
    (i) Methods to review and assess the validity of the preliminary 
safety assessment throughout the operational lifecycle of the launch or 
reentry system;
    (ii) Methods for updating the preliminary safety assessment; and
    (iii) Methods for communicating and implementing the updates 
throughout the organization.
    (2) For operators that must conduct a flight hazard analysis as 
required by Sec.  450.109, the system safety program must include:
    (i) Methods to review and assess the validity of the flight hazard 
analysis throughout the operational lifecycle of the launch or reentry 
system;
    (ii) Methods for updating the flight hazard analysis;
    (iii) Methods for communicating and implementing the updates 
throughout the organization; and
    (iv) A process for tracking hazards, risks, mitigation and hazard 
control measures, and verification activities.
    (c) Configuration management and control. An operator must--
    (1) Employ a process that tracks configurations of all safety-
critical systems and documentation related to the operation;
    (2) Ensure the use of correct and appropriate versions of systems 
and documentation tracked in paragraph (c)(1) of this section; and
    (3) Maintain records of launch or reentry system configurations and 
document versions used for each licensed activity, as required by Sec.  
450.219.
    (d) Post-flight data review. An operator must employ a process for 
evaluating post-flight data to--
    (1) Ensure consistency between the assumptions used for the 
preliminary safety assessment, any hazard or flight safety analysis, 
and associated mitigation and hazard control measures;
    (2) Resolve any identified inconsistencies prior to the next flight 
of the vehicle;
    (3) Identify any anomaly that may impact any flight hazard 
analysis, flight safety analysis, or safety critical system, or is 
otherwise material to public health and safety and the safety of 
property; and
    (4) Address any anomaly identified in paragraph (d)(3) of this 
section prior to

[[Page 15428]]

the next flight, including updates to any flight hazard analysis, 
flight safety analysis, or safety critical system.
    (e) Application requirements. An applicant must submit in its 
application the following:
    (1) A description of the applicant's safety organization as 
required by paragraph (a) of this section, identifying the applicant's 
lines of communication and approval authority, both internally and 
externally, for all public safety decisions and the provision of public 
safety services; and
    (2) A summary of the processes and products identified in the 
system safety program requirements in paragraphs (b), (c), and (d) of 
this section.

Preliminary Safety Assessment for Flight and Hazard Control Strategies


Sec.  450.105  Preliminary safety assessment for flight.

    (a) Preliminary safety assessment. An operator must conduct and 
document a preliminary safety assessment for the flight of a launch or 
reentry vehicle that identifies--
    (1) Vehicle response modes;
    (2) Public safety hazards associated with vehicle response modes, 
including impacting inert and explosive debris, toxic release, and far 
field blast overpressure;
    (3) Geographical areas where vehicle response modes could 
jeopardize public safety;
    (4) Any population exposed to public safety hazards in or near the 
identified geographical areas;
    (5) The CEC, unless otherwise agreed to by the 
Administrator based on the demonstrated reliability of the launch or 
reentry vehicle during any phase of flight;
    (6) A preliminary hazard list which documents all hardware, 
operational, and design causes of vehicle response modes that, 
excluding mitigation, have the capability to create a hazard to the 
public;
    (7) Safety-critical systems; and
    (8) A timeline of all safety-critical events.
    (b) Application requirements. An applicant must submit the result 
of the preliminary safety assessment, including all of the items 
identified in paragraph (a) of this section.


Sec.  450.107  Hazard control strategies.

    (a) General. For each phase of a launch or reentry vehicle's 
flight--
    (1) If the public safety hazards identified in the preliminary 
safety assessment can be mitigated adequately to meet the requirements 
of Sec.  450.101 using physical containment, wind weighting, or flight 
abort, in accordance with paragraphs (b), (c), and (d) of this section, 
an operator does not need to conduct a flight hazard analysis for that 
phase of flight.
    (2) If the public safety hazards identified in the preliminary 
safety assessment cannot be mitigated adequately to meet the public 
risk criteria of Sec.  450.101 using physical containment, wind 
weighting, or flight abort, in accordance with paragraphs (b), (c), and 
(d) of this section, an operator must conduct a flight hazard analysis 
in accordance with Sec.  450.109 to derive hazard controls for that 
phase of flight.
    (b) Physical containment. To use physical containment as a hazard 
control strategy, an operator must--
    (1) Ensure that the launch vehicle does not have sufficient energy 
for any hazards associated with its flight to reach outside the flight 
hazard area developed in accordance with Sec.  450.133; and
    (2) Apply other mitigation measures to ensure no public exposure to 
hazards as agreed to by the Administrator on a case-by-case basis.
    (c) Wind weighting. To use wind weighting as a hazard control 
strategy--
    (1) The launch vehicle must be a suborbital rocket that does not 
contain any guidance or directional control system; and
    (2) An operator must conduct the launch using a wind weighting 
safety system in accordance with Sec.  450.141.
    (d) Flight abort. To use flight abort as a hazard control strategy 
an operator must employ a flight safety system, or other safeguards 
agreed to by the Administrator, that meets the requirements of Sec.  
450.145.
    (e) Application requirement. An applicant must--
    (1) Describe its hazard control strategy for each phase of flight; 
and
    (2) If using physical containment as a hazard control strategy--
    (i) Demonstrate that the launch vehicle does not have sufficient 
energy for any hazards associated with its flight to reach outside the 
flight hazard area developed in accordance with Sec.  450.133; and
    (ii) Describe the methods used to ensure that flight hazard areas 
are cleared of the public and critical assets.

Flight Hazard Analyses for Hardware and Software


Sec.  450.109  Flight hazard analysis.

    Unless an operator uses physical containment, wind weighting, or 
flight abort as a hazard control strategy, an operator must perform and 
document a flight hazard analysis, and continue to maintain it 
throughout the lifecycle of the launch or reentry system. Hazards 
associated with computing systems and software are further addressed in 
Sec.  450.111.
    (a) Flight hazard analysis. A flight hazard analysis must identify, 
describe, and analyze all reasonably foreseeable hazards to public 
safety and safety of property resulting from the flight of a launch or 
reentry vehicle. Each flight hazard analysis must--
    (1) Identify all reasonably foreseeable hazards, and the 
corresponding vehicle response mode for each hazard, associated with 
the launch or reentry system relevant to public safety and safety of 
property, including those resulting from:
    (i) Vehicle operation, including staging and release;
    (ii) System, subsystem, and component failures or faults;
    (iii) Software operations;
    (iv) Environmental conditions;
    (v) Human factors;
    (vi) Design inadequacies;
    (vii) Procedure deficiencies;
    (viii) Functional and physical interfaces between subsystems, 
including any vehicle payload;
    (ix) Reuse of components or systems; and
    (x) Interactions of any of the items in paragraphs (a)(1)(i) 
through (ix) of this section.
    (2) Assess each hazard's likelihood and severity.
    (3) Ensure that the risk associated with each hazard meets the 
following criteria:
    (i) The likelihood of any hazardous condition that may cause death 
or serious injury to the public must be extremely remote; and
    (ii) The likelihood of any hazardous condition that may cause major 
damage to public property or critical assets must be remote.
    (4) Identify and describe the risk elimination and mitigation 
measures required to satisfy paragraph (a)(3) of this section.
    (5) Demonstrate that the risk elimination and mitigation measures 
achieve the risk levels of paragraph (a)(3) of this section through 
validation and verification. Verification includes:
    (i) Analysis;
    (ii) Test;
    (iii) Demonstration; or
    (iv) Inspection.
    (b) Identification of new hazards. An operator must establish and 
document the criteria and techniques for identifying new hazards 
throughout the lifecycle of the launch or reentry system.
    (c) Completeness for each flight. For every launch or reentry, the 
flight

[[Page 15429]]

hazard analysis must be complete and all hazards must be mitigated to 
an acceptable level in accordance with paragraph (a)(3) of this 
section.
    (d) Updates throughout the lifecycle. An operator must continually 
update the flight hazard analysis throughout the operational lifecycle 
of the launch or reentry system.
    (e) Application requirements. An applicant must submit in its 
application the following:
    (1) Flight hazard analysis products of paragraphs (a)(1) through 
(5) of this section, including data that verifies the risk elimination 
and mitigation measures resulting from the applicant's flight hazard 
analyses required by paragraph (a)(5) of this section; and
    (2) The criteria and techniques for identifying new hazards 
throughout the lifecycle of the launch or reentry system as required by 
paragraph (b) of this section.


Sec.  450.111  Computing systems and software.

    (a) General. An operator must implement and document a process that 
identifies the hazards and assesses the risks to public health and 
safety and the safety of property arising from computing systems and 
software.
    (b) Safety-critical functions. An operator must identify all 
safety-critical functions associated with its computing systems and 
software. Safety-critical computing system and software functions 
include the following:
    (1) Software used to control or monitor safety-critical systems;
    (2) Software that transmits safety-critical data, including time-
critical data and data about hazardous conditions;
    (3) Software that computes safety-critical data;
    (4) Software that accesses or manages safety-critical data;
    (5) Software that displays safety-critical data;
    (6) Software used for fault detection in safety-critical computer 
hardware or software;
    (7) Software that responds to the detection of a safety-critical 
fault;
    (8) Software used in a flight safety system;
    (9) Processor-interrupt software associated with safety-critical 
computer system functions; and
    (10) Software used for wind weighting.
    (c) Consequence and the degree of control. Safety-critical 
functions must be identified by consequence and the degree of control 
exercised by the software component as defined by paragraphs (d) 
through (h) of this section.
    (d) Autonomous software. This section applies to software that 
exercises autonomous control over safety-critical hardware systems, 
subsystems, or components, such that a control entity cannot detect and 
intervene to prevent a hazard that may impact public health and safety 
or the safety of property. Autonomous software must meet the following 
criteria:
    (1) The software component must be subjected to full path coverage 
testing. Any inaccessible code must be documented and addressed;
    (2) The software component's functions must be tested on flight-
like hardware. Testing must include nominal operation and fault 
responses for all functions;
    (3) An operator must conduct computing system and software hazard 
analyses for the integrated system and for each autonomous, safety-
critical software component;
    (4) An operator must verify and validate any computing systems and 
software. Verification and validation must include testing by a test 
team independent of the software development division or organization; 
and
    (5) An operator must develop and implement software development 
plans, including descriptions of the following:
    (i) Coding standards used;
    (ii) Configuration control;
    (iii) Programmable logic controllers;
    (iv) Policy on use of any commercial-off-the-shelf software; and
    (v) Policy on software reuse.
    (e) Semi-autonomous software. This section applies to software that 
exercises control over safety-critical hardware systems, subsystems, or 
components, allowing time for predetermined safe detection and 
intervention by a control entity to detect and intervene to prevent a 
hazard that may impact public health and safety or the safety of 
property. Semi-autonomous software must meet the following criteria:
    (1) The software component's safety-critical functions must be 
subjected to full path coverage testing. Any inaccessible code in a 
safety-critical function must be documented and addressed;
    (2) The software component's safety-critical functions must be 
tested on flight-like hardware. Testing must include nominal operation 
and fault responses for all safety-critical functions;
    (3) An operator must conduct computing system and software hazard 
analyses for the integrated system;
    (4) An operator must verify and validate any computing systems and 
software. Verification and validation must include testing by a test 
team independent of the software development division or organization; 
and
    (5) An operator must develop and implement software development 
plans, including descriptions of the following:
    (i) Coding standards used;
    (ii) Configuration control;
    (iii) Programmable logic controllers;
    (iv) Policy on use of any commercial-off-the-shelf software; and
    (v) Policy on software reuse.
    (f) Redundant fault-tolerant software. This section applies to 
software that exercises control over safety-critical hardware systems, 
subsystems, or components, for which a non-software component must also 
fail in order to impact public health and safety or the safety of 
property. Redundant fault-tolerant software must meet the following 
criteria:
    (1) The software component's safety-critical functions must be 
tested on flight-like hardware. Testing must include nominal operation 
and fault responses for all safety-critical functions;
    (2) An operator must conduct computing system and software hazard 
analyses for the integrated system;
    (3) An operator must verify and validate any computing systems and 
software. Verification and validation must include testing by a test 
team independent of the software development division or organization; 
and
    (4) An operator must develop and implement software development 
plans, including descriptions of the following:
    (i) Coding standards used;
    (ii) Configuration control;
    (iii) Programmable logic controllers;
    (iv) Policy on use of any commercial-off-the-shelf software; and
    (v) Policy on software reuse.
    (g) Influential software. This section applies to software that 
provides information to a person who uses the information to take 
actions or make decisions that can impact public health and safety or 
the safety of property, but does not require operator action to avoid a 
mishap. Influential software must meet the following criteria:
    (1) An operator must conduct computing system and software hazard 
analyses for the integrated system;
    (2) An operator must verify and validate any computing systems and 
software. Verification and validation must include testing by a test 
team independent of the software development division or organization; 
and

[[Page 15430]]

    (3) An operator must develop and implement software development 
plans, including descriptions of the following:
    (i) Coding standards used;
    (ii) Configuration control;
    (iii) Programmable logic controllers;
    (iv) Policy on use of any commercial-off-the-shelf software; and
    (v) Policy on software reuse.
    (h) Application requirements. An applicant must document and 
include in its application the following:
    (1) For autonomous software:
    (i) Test plans and results as required by paragraphs (d)(1) and (2) 
of this section;
    (ii) All software requirements, and design and architecture 
documentation;
    (iii) The outputs of the hazard analyses as required by paragraph 
(d)(3) of this section; and
    (iv) Computing system and software validation and verification 
plans as required by paragraph (d)(4) of this section.
    (2) For semi-autonomous software:
    (i) Test plans and results as required by paragraphs (e)(1) and (2) 
of this section;
    (ii) All software requirements, and design and architecture 
documentation;
    (iii) The outputs of the hazard analyses as required by paragraph 
(e)(3) of this section; and
    (iv) Computing system and software validation and verification 
plans as required by paragraph (e)(4) of this section.
    (3) For redundant fault-tolerant software:
    (i) Test plans and results as required by paragraph (f)(1) of this 
section; and
    (ii) All software requirements and design documents.
    (4) For influential software:
    (i) The software component's development and testing; and
    (ii) The software component's functionality.
    (5) For software that the applicant has determined to have no 
safety impact, the software component's functionality must be described 
in detail.

Flight Safety Analyses


Sec.  450.113  Flight safety analysis requirements--scope and 
applicability.

    (a) Scope. An operator must perform and document a flight safety 
analysis--
    (1) For orbital launch, from liftoff through orbital insertion, and 
any component or stage landings;
    (2) For suborbital launch, from liftoff through final impact;
    (3) For disposal, from the beginning of the deorbit burn through 
final impact;
    (4) For reentry, from the beginning of the deorbit burn through 
landing; and
    (5) For hybrid vehicles, for all phases of flight, unless the 
Administrator determines otherwise based on demonstrated reliability.
    (b) Applicability. (1) Sections 450.115 through 450.121 and 450.131 
through 450.139 apply to all launch and reentry vehicles;
    (2) Sections 450.123 through 450.129 apply to a launch or reentry 
vehicle that relies on flight abort to comply with Sec.  450.101; and
    (3) Section 450.141 applies to the launch of an unguided suborbital 
launch vehicle.


Sec.  450.115  Flight safety analysis methods.

    (a) Scope of the analysis. An operator's flight safety analysis 
method must account for all reasonably foreseeable events and failures 
of safety-critical systems during nominal and non-nominal launch or 
reentry that could jeopardize public health and safety, and the safety 
of property.
    (b) Level of fidelity of the analysis. An operator's flight safety 
analysis method must have a level of fidelity sufficient to--
    (1) Demonstrate that any risk to the public satisfies the public 
safety criteria of Sec.  450.101, including the use of mitigations, 
accounting for all known sources of uncertainty, using a means of 
compliance accepted by the Administrator; and
    (2) Identify the dominant source of each type of public risk with a 
criterion in Sec.  450.101(a) or (b) in terms of phase of flight, 
source of hazard (such as toxic exposure, inert, or explosive debris), 
and vehicle response mode.
    (c) Application requirements. An applicant must submit a 
description of the flight safety analysis methodology, including 
identification of:
    (1) The scientific principles and statistical methods used;
    (2) All assumptions and their justifications;
    (3) The rationale for the level of fidelity;
    (4) The evidence for validation and verification required by Sec.  
450.101(g);
    (5) The extent that the benchmark conditions are comparable to the 
foreseeable conditions of the intended operations; and
    (6) The extent that risk mitigations were accounted for in the 
analyses.


Sec.  450.117  Trajectory analysis for normal flight.

    (a) General. A flight safety analysis must include a trajectory 
analysis that establishes--
    (1) For any phase of flight within the scope as provided by Sec.  
450.113(a), the limits of a launch or reentry vehicle's normal flight 
as defined by the nominal trajectory, and the following sets of 
trajectories sufficient to characterize variability and uncertainty 
during normal flight:
    (i) A set of trajectories to characterize variability. This set 
must describe how the intended trajectory could vary due to conditions 
known prior to initiation of flight; and
    (ii) A set of trajectories to characterize uncertainty. This set 
must describe how the actual trajectory could differ from the intended 
trajectory due to random uncertainties.
    (2) A fuel exhaustion trajectory that produces instantaneous impact 
points with the greatest range for any given time after liftoff for any 
stage that has the potential to impact the Earth and does not burn to 
propellant depletion before a programmed thrust termination.
    (3) For vehicles with a flight safety system, trajectory data or 
parameters that describe the limits of a useful mission.
    (b) Trajectory model. A final trajectory analysis must use a six-
degree of freedom trajectory model to satisfy the requirements of 
paragraph (a) of this section.
    (c) Wind effects. A trajectory analysis must account for all wind 
effects, including profiles of winds that are no less severe than the 
worst wind conditions under which flight might be attempted, and for 
uncertainty in the wind conditions.
    (d) Application requirements. An applicant must submit the 
following:
    (1) A description of the methodology used to characterize the 
vehicle's flight behavior throughout normal flight and limits of a 
useful mission, including:
    (i) The scientific principles and statistical methods used;
    (ii) All assumptions and their justifications;
    (iii) The rationale for the level of fidelity, and
    (iv) The evidence for validation and verification required by Sec.  
450.101(g).
    (2) A description of the input data used to characterize the 
vehicle's flight behavior throughout normal flight and limits of a 
useful mission, including:
    (i) The worst wind conditions under which flight might be 
attempted, and a description of how the operator will evaluate the wind 
conditions and uncertainty in the wind conditions prior to initiating 
the operation;
    (ii) A description of the wind input data, including uncertainties;
    (iii) A description of the parameters with a significant influence 
on the vehicle's behavior throughout normal flight, including a 
quantitative description of the nominal value for

[[Page 15431]]

each significant parameter throughout normal flight;
    (iv) A description of the random uncertainties with a significant 
influence on the vehicle's behavior throughout normal flight, including 
a quantitative description of the statistical distribution for each 
significant parameter; and
    (v) The primary mission objectives and the conditions that describe 
the limits of a useful mission.
    (3) Representative normal flight trajectory analysis outputs, 
including the position, velocity, and vacuum instantaneous impact 
point, for each second of flight for--
    (i) The nominal trajectory;
    (ii) A fuel exhaustion trajectory under otherwise nominal 
conditions;
    (iii) A set of trajectories that characterize variability in the 
intended trajectory based on conditions known prior to initiation of 
flight;
    (iv) A set of trajectories that characterize how the actual 
trajectory could differ from the intended trajectory due to random 
uncertainties, and
    (v) A set of trajectories that characterize the limits of a useful 
mission as described in paragraph (a)(3) of this section.
    (4) Additional products that allow an independent analysis, as 
requested by the Administrator.


Sec.  450.119  Trajectory analysis for malfunction flight.

    (a) General. A flight safety analysis must include a trajectory 
analysis that establishes--
    (1) The vehicle's capability to depart from normal flight; and
    (2) The vehicle's deviation capability in the event of a 
malfunction during flight.
    (b) Characterizing foreseeable trajectories. A malfunction 
trajectory analysis must account for each cause of a malfunction 
flight, including software and hardware failures. For each cause of a 
malfunction trajectory, the analysis must characterize the foreseeable 
trajectories resulting from a malfunction. The analysis must account 
for--
    (1) All trajectory times during the thrusting phases, or when the 
lift vector is controlled, during flight;
    (2) The duration, starting when a malfunction begins to cause each 
flight deviation throughout the thrusting phases of flight;
    (3) Trajectory time intervals between malfunction turn start times 
that are sufficient to establish flight safety limits, if any, and 
individual risk contours that are smooth and continuous;
    (4) The relative probability of occurrence of each malfunction turn 
of which the vehicle is capable;
    (5) The probability distribution of position and velocity of the 
vehicle when each malfunction will terminate due to vehicle breakup, 
along with the cause of termination and the state of the vehicle; and
    (6) The vehicle's flight behavior from the time when a malfunction 
begins to cause a flight deviation until ground impact or predicted 
structural failure, with trajectory time intervals that are sufficient 
to establish individual risk contours that are smooth and continuous.
    (c) Application requirements. An applicant must submit--
    (1) A description of the methodology used to characterize the 
vehicle's flight behavior throughout malfunction flight, including:
    (i) The scientific principles and statistical methods used;
    (ii) All assumptions and their justifications;
    (iii) The rationale for the level of fidelity; and
    (iv) The evidence for validation and verification required by Sec.  
450.101(g).
    (2) A description of the input data used to characterize the 
vehicle's malfunction flight behavior, including:
    (i) A list of each cause of malfunction flight considered;
    (ii) A list of each type of malfunction flight for which 
malfunction flight behavior was characterized;
    (iii) A description of the parameters with a significant influence 
on the vehicle's behavior throughout malfunction flight for each type 
of malfunction flight characterized, including a quantitative 
description of the nominal value for each significant parameter 
throughout normal flight; and
    (iv) A description of the random uncertainties with a significant 
influence on the vehicle's behavior throughout malfunction flight for 
each type of malfunction flight characterized, including a quantitative 
description of the statistical distribution for each significant 
parameter.
    (3) Representative malfunction flight trajectory analysis outputs, 
including the position, velocity, and vacuum instantaneous impact point 
for each second of flight for--
    (i) Each set of trajectories that characterizes a type of 
malfunction flight; and
    (ii) The probability of each trajectory that characterizes a type 
of malfunction flight.
    (4) Additional products that allow an independent analysis, as 
requested by the Administrator.


Sec.  450.121  Debris analysis.

    (a) General. A flight safety analysis must include a debris 
analysis that characterizes the debris generated for each foreseeable 
vehicle response mode as a function of vehicle flight time, accounting 
for the effects of fuel burn and any configuration changes.
    (b) Vehicle impact or breakup. A debris analysis must account for 
each foreseeable cause of vehicle breakup, including any breakup caused 
by flight safety system activation, and for impact of an intact 
vehicle.
    (c) Debris thresholds. A debris analysis must account for all 
inert, explosive, and other hazardous vehicle, vehicle component, and 
payload debris foreseeable from normal and malfunctioning vehicle 
flight. At a minimum, the debris analysis must identify--
    (1) All inert debris that can cause a casualty or loss of 
functionality of a critical asset, including all debris that could--
    (i) Impact a human being with a mean expected kinetic energy at 
impact greater than or equal to 11 ft-lbs;
    (ii) Impact a human being with a mean impact kinetic energy per 
unit area at impact greater than or equal to 34 ft-lb/in\2\;
    (iii) Cause a casualty due to impact with an aircraft;
    (iv) Cause a casualty due to impact with a waterborne vessel; or
    (v) Pose a toxic or fire hazard.
    (2) Any explosive debris that could cause a casualty or loss of 
functionality of a critical asset.
    (d) Application requirements. An applicant must submit:
    (1) A description of the debris analysis methodology, including 
input data, assumptions, and justifications for the assumptions;
    (2) A description of all vehicle breakup modes and the development 
of debris lists;
    (3) All debris fragment lists necessary to quantitatively describe 
the physical, aerodynamic, and harmful characteristics of each debris 
fragment or fragment class; and
    (4) Additional products that allow an independent analysis, as 
requested by the Administrator.


Sec.  450.123  Flight safety limits analysis.

    (a) General. A flight safety analysis must identify the location of 
uncontrolled areas and establish flight safety limits that define when 
an operator must initiate flight abort to--
    (1) Ensure compliance with the public safety criteria of Sec.  
450.101; and
    (2) Prevent debris capable of causing a casualty from impacting in

[[Page 15432]]

uncontrolled areas if the vehicle is outside the limits of a useful 
mission.
    (b) Flight safety limits. The analysis must identify flight safety 
limits for use in establishing flight abort rules. The flight safety 
limits must--
    (1) Account for temporal and geometric extents on the Earth's 
surface of any vehicle hazards resulting from any planned or unplanned 
event for all times during flight;
    (2) Account for potential contributions to the debris impact 
dispersions; and
    (3) Be designed to avoid flight abort that results in increased 
collective risk to people in uncontrolled areas, compared to continued 
flight.
    (c) Gates. For an orbital launch, or any launch or reentry where 
one or more trajectories that represents a useful mission intersects a 
flight safety limit that provides containment of debris capable of 
causing a casualty, the flight safety analysis must include a gate 
analysis as required by Sec.  450.125.
    (d) Real-time flight safety limits. As an alternative to flight 
safety limits analysis, flight abort time can be computed and applied 
in real-time during vehicle flight as necessary to meet the criteria in 
Sec.  450.101.
    (e) Application requirements. An applicant must submit:
    (1) A description of how each flight safety limit will be computed 
including references to public safety criteria of Sec.  450.101;
    (2) Representative flight safety limits and associated parameters;
    (3) An indication of which flight abort rule from Sec.  450.165(c) 
is used in conjunction with each example flight safety limit;
    (4) A graphic depiction or series of depictions of representative 
flight safety limits, the launch or landing point, all uncontrolled 
area boundaries, and vacuum instantaneous impact point traces for the 
nominal trajectory, extents of normal flight, and limits of a useful 
mission trajectories;
    (5) If the requirement for flight abort is computed in real-time in 
lieu of precomputing flight safety limits, a description of how the 
real-time flight abort requirement is computed including references to 
public safety criteria of Sec.  450.101; and
    (6) Additional products that allow an independent analysis, as 
requested by the Administrator.


Sec.  450.125  Gate analysis.

    (a) Applicability. The flight safety analysis must include a gate 
analysis for an orbital launch or any launch or reentry where one or 
more trajectories that represent a useful mission intersect a flight 
safety limit that provides containment of debris capable of causing a 
casualty.
    (b) Analysis requirements. The analysis must establish--
    (1) A relaxation of the flight safety limits that allows continued 
flight or a gate where a decision will be made to abort the launch or 
reentry, or allow continued flight;
    (2) If a gate is established, a measure of performance at the gate 
that enables the flight abort crew or autonomous flight safety system 
to determine whether the vehicle is able to complete a useful mission, 
and abort the flight if it is not;
    (3) Accompanying flight abort rules; and
    (4) For an orbital launch, a gate at the last opportunity to 
determine whether the vehicle's flight is in compliance with the flight 
abort rules and can make a useful mission, and abort the flight if it 
is not.
    (c) Gate extents. The extents of any gate or relaxation of the 
flight safety limits must be based on normal trajectories, trajectories 
that may achieve a useful mission, collective risk, and consequence 
criteria as follows:
    (1) Flight safety limits must be gated or relaxed where they 
intersect with a normal trajectory if that trajectory would meet the 
individual and collective risk criteria of Sec.  450.101(a)(1) and (2) 
or (b)(1) and (2) when treated like a nominal trajectory with normal 
trajectory dispersions. The predicted average consequence from flight 
abort resulting from any reasonable vehicle response mode, in any one-
second period of flight, using the modified flight safety limits, must 
not exceed 1 x 10^-2 conditional expected casualties;
    (2) Flight safety limits may be gated or relaxed where they 
intersect with a trajectory within the limits of a useful mission if 
that trajectory would meet the individual and collective risk criteria 
of Sec.  450.101(a)(1) and (2) or (b)(1) and (2) when treated like a 
nominal trajectory with normal trajectory dispersions. The predicted 
average consequence from flight abort resulting from any reasonable 
vehicle response mode, in any one-second period of flight, using the 
modified flight safety limits, must not exceed 1 x 10^-2 
conditional expected casualties; and
    (3) For an orbital launch, in areas where no useful mission 
trajectories intersect with flight safety limits, the final gate may 
extend no further than necessary to allow vehicles on a useful mission 
to continue flight.
    (d) Application requirements. An applicant must submit:
    (1) A description of the methodology used to establish each gate or 
relaxation of a flight safety limit;
    (2) A description of the measure of performance used to determine 
whether a vehicle will be allowed to cross a gate without flight abort, 
the acceptable ranges of the measure of performance, and how these 
ranges were determined;
    (3) A graphic depiction or depictions showing representative flight 
safety limits, any uncontrolled area overflight regions, and 
instantaneous impact point traces for the nominal trajectory, extents 
of normal flight, and limits of a useful mission trajectories; and
    (4) Additional products that allow an independent analysis, as 
requested by the Administrator.


Sec.  450.127  Data loss flight time and planned safe flight state 
analyses.

    (a) General. For each flight, a flight safety analysis must 
establish data loss flight times and a planned safe flight state to 
establish each flight abort rule that applies when vehicle tracking 
data is not available for use by the flight abort crew or autonomous 
flight safety system.
    (b) Data loss flight times. (1) A flight safety analysis must 
establish a data loss flight time for each trajectory time interval 
along the nominal trajectory from initiation of the flight of a launch 
or reentry vehicle through that point during nominal flight when the 
minimum elapsed thrusting or gliding time is no greater than the time 
it would take for a normal vehicle to reach the final gate crossing, or 
the planned safe flight state established under paragraph (c) of this 
section, whichever occurs earlier.
    (2) Data loss flight times must account for forces that may stop 
the vehicle before reaching a flight safety limit.
    (3) Data loss flight times may be computed and applied in real-time 
during vehicle flight in which case the state vector just prior to loss 
of data should be used as the nominal state vector.
    (c) Planned safe flight state. For a vehicle that performs normally 
during all portions of flight, the planned safe flight state is the 
point during the nominal flight of a vehicle where--
    (1) The vehicle cannot reach a flight safety limit for the 
remainder of the flight;
    (2) The vehicle achieves orbital insertion; or
    (3) The vehicle's state vector reaches a state where the vehicle is 
no longer required to have a flight safety system.
    (d) Application requirements. An applicant must submit:
    (1) A description of the methodology used to determine data loss 
flight times;

[[Page 15433]]

    (2) Tabular data describing the data loss flight times from a 
representative mission;
    (3) The safe flight state for a representative mission and 
methodology used to determine it; and
    (4) Additional products that allow an independent analysis, as 
requested by the Administrator.


Sec.  450.129  Time delay analysis.

    (a) General. A flight safety analysis must include a time delay 
analysis that establishes the mean elapsed time between the violation 
of a flight abort rule and the time when the flight safety system is 
capable of aborting flight for use in establishing flight safety 
limits. The time delay analysis must determine a time delay 
distribution that accounts for all foreseeable sources of delay.
    (b) Application requirements. An applicant must submit:
    (1) A description of the methodology used in the time delay 
analysis;
    (2) A tabular listing of each time delay source and the total 
delay, with uncertainty; and
    (3) Additional products that allow an independent analysis, as 
requested by the Administrator.


Sec.  450.131  Probability of failure analysis.

    (a) General. For each hazard and phase of flight, a flight safety 
analysis for a launch or reentry must account for vehicle failure 
probability. The probability of failure must be consistent for all 
hazards and phases of flight.
    (1) For a vehicle or vehicle stage with fewer than two flights, the 
failure probability estimate must account for the outcome of all 
previous flights of vehicles developed and launched or reentered in 
similar circumstances.
    (2) For a vehicle or vehicle stage with two or more flights, 
vehicle failure probability estimates must account for the outcomes of 
all previous flights of the vehicle or vehicle stage in a statistically 
valid manner. The outcomes of all previous flights of the vehicle or 
vehicle stage must account for data on partial failures and anomalies, 
including Class 3 and Class 4 mishaps, as defined in Sec.  401.5 of 
this chapter.
    (b) Failure. For flight safety analysis purposes, a failure occurs 
when a vehicle does not complete any phase of normal flight or when any 
anomalous condition exhibits the potential for a stage or its debris to 
impact the Earth or reenter the atmosphere outside the normal 
trajectory envelope during the mission or any future mission of similar 
vehicle capability. Also, a Class 1 or Class 2 mishap, as defined in 
Sec.  401.5 of this chapter, constitutes a failure.
    (c) Previous flight. For flight safety analysis purposes--
    (1) The flight of a launch vehicle begins at a time in which a 
launch vehicle normally or inadvertently lifts off from a launch 
platform; and
    (2) The flight of a reentry vehicle or deorbiting upper stage 
begins at a time in which a vehicle attempts to initiate a deorbit.
    (d) Allocation. The vehicle failure probability estimate must be 
distributed across flight time and vehicle response mode. The 
distribution must be consistent with--
    (1) The data available from all previous flights of vehicles 
developed and launched or reentered in similar circumstances; and
    (2) Data from previous flights of vehicles, stages, or components 
developed and launched or reentered by the subject vehicle developer or 
operator. Such data may include previous experience involving similar--
    (i) Vehicle, stage, or component design characteristics;
    (ii) Development and integration processes, including the extent of 
integrated system testing; and
    (iii) Level of experience of the vehicle operation and development 
team members.
    (e) Observed vs. conditional failure rate. Probability of failure 
allocation must account for significant differences in the observed 
failure rate and the conditional failure rate. A probability of failure 
analysis must use a constant conditional failure rate for each phase of 
flight, unless there is clear and convincing evidence of a different 
conditional failure rate for a particular vehicle, stage, or phase of 
flight.
    (f) Application requirements. An applicant must submit:
    (1) A description of the probability of failure analysis, including 
all assumptions and justifications for the assumptions, analysis 
methods, input data, and results;
    (2) A representative set of tabular data and graphs of the 
predicted failure rate and cumulative failure probability for each 
foreseeable vehicle response mode; and
    (3) Additional products that allow an independent analysis, as 
requested by the Administrator.


Sec.  450.133  Flight hazard area analysis.

    (a) General. A flight safety analysis must include a flight hazard 
area analysis that identifies any region of land, sea, or air that must 
be surveyed, publicized, controlled, or evacuated in order to control 
the risk to the public. A flight hazard area analysis must account for 
all reasonably foreseeable vehicle response modes during nominal and 
non-nominal flight that could result in a casualty. The analysis must 
account for, at a minimum--
    (1) The regions of land, sea, and air potentially exposed to debris 
impact resulting from normal flight events and from debris hazards 
resulting from any potential malfunction;
    (2) Any hazard controls implemented to control risk to any hazard;
    (3) The limits of a launch or reentry vehicle's normal flight, 
including winds that are no less severe than the worst wind conditions 
under which flight might be attempted and uncertainty in the wind 
conditions;
    (4) The debris identified for each foreseeable cause of breakup, 
and any planned jettison of debris, launch or reentry vehicle 
components, or payload;
    (5) All foreseeable sources of debris dispersion during freefall, 
including wind effects, guidance and control, velocity imparted by 
break-up or jettison, lift, and drag forces; and
    (6) A probability of one for any planned debris hazards or planned 
impacts.
    (b) Waterborne vessel hazard areas. The flight hazard area analysis 
for waterborne vessels must determine the areas and durations for 
regions of water--
    (1) That are necessary to contain, with 97 percent probability of 
containment, all debris resulting from normal flight events capable of 
causing a casualty to persons on waterborne vessels;
    (2) That are necessary to contain either where the probability of 
debris capable of causing a casualty impacting on or near a vessel 
would exceed 1 x 10^-5, accounting for all relevant hazards, 
or where the individual probability of casualty for any person on board 
a vessel would exceed the criterion in Sec.  450.101(a)(2) or (b)(2); 
and
    (3) Where reduced vessel traffic is necessary to meet collective 
risk criterion in Sec.  450.101(a)(1) or (b)(1).
    (c) Land hazard areas. The flight hazard area analysis for land 
must determine the durations and areas regions of land--
    (1) That are necessary to contain, with 97 percent probability of 
containment, all debris resulting from normal flight events capable of 
causing a casualty to any person on land;
    (2) Where the individual probability of casualty for any person on 
land would exceed the criterion in Sec.  450.101(a)(2) or (b)(2); and
    (3) Where reduced population is necessary to meet the collective 
risk criterion in Sec.  450.101(a)(1) or (b)(1).
    (d) Airspace hazard volumes. The flight hazard area analysis for 
airspace must determine the durations and

[[Page 15434]]

volumes for regions of air to be submitted to the FAA for approval--
    (1) That are necessary to contain, with 97 percent probability of 
containment, all debris resulting from normal flight events capable of 
causing a casualty to persons on an aircraft; and
    (2) Where the probability of impact on an aircraft would exceed the 
criterion in Sec.  450.101(a)(3) or (b)(3).
    (e) Application requirements. An applicant must submit:
    (1) A description of the methodology to be used in the flight 
hazard area analysis including all assumptions and justifications for 
the assumptions, vulnerability models, analysis methods, input data, 
including:
    (i) Input wind data and justification that those represent the 
worst wind conditions under which flight might be attempted accounting 
for uncertainty in the wind conditions;
    (ii) Classes of waterborne vessel and vulnerability criteria 
employed; and
    (iii) Classes of aircraft and vulnerability criteria employed.
    (2) Tabular data and graphs of the results of the flight hazard 
area analysis, including:
    (i) Geographical coordinates of all hazard areas that are 
representative of those to be published prior to any proposed 
operation;
    (ii) Representative 97 percent probability of containment contours 
for all debris resulting from normal flight events capable of causing a 
casualty, regardless of location, including regions of land, sea, or 
air;
    (iii) Representative individual probability of casualty contours 
regardless of location;
    (iv) If applicable, representative 1 x 10^-5 and 1 x 
10^-6 probability of impact contours for all debris capable 
of causing a casualty to persons on an waterborne vessel regardless of 
location; and
    (v) Representative 1 x 10^-6 and 1 x 10^-7 
probability of impact contours for all debris capable of causing a 
casualty to persons on an aircraft regardless of location.
    (3) Additional products that allow an independent analysis, as 
requested by the Administrator.


Sec.  450.135   Debris risk analysis.

    (a) General. A debris risk analysis must demonstrate compliance 
with public safety criteria in Sec.  450.101, either--
    (1) Prior to the day of the operation, accounting for all 
foreseeable conditions within the flight commit criteria; or
    (2) During the countdown using the best available input data.
    (b) Propagation of debris. A debris risk analysis must compute 
statistically valid debris impact probability distributions using the 
input data produced by flight safety analyses required in Sec. Sec.  
450.117 through 450.133. The propagation of debris from each predicted 
breakup location to impact must account for--
    (1) All foreseeable forces that can influence any debris impact 
location; and
    (2) All foreseeable sources of impact dispersion, including, at a 
minimum:
    (i) The uncertainties in atmospheric conditions;
    (ii) Debris aerodynamic parameters;
    (iii) Pre-breakup position and velocity; and
    (iv) Breakup-imparted velocities.
    (c) Exposure model. A debris risk analysis must account for the 
distribution of people and critical assets. The exposure input data 
must--
    (1) Include the entire region where there is a significant 
probability of impact of hazardous debris;
    (2) Characterize the distribution and vulnerability of people and 
critical assets both geographically and temporally;
    (3) Account for the distribution of people in various structures 
and vehicle types with a resolution consistent with the characteristic 
size of the impact probability distributions for relevant fragment 
groups;
    (4) Have sufficient temporal and spatial resolution that a uniform 
distribution of people within each defined region can be treated as a 
single average set of characteristics without degrading the accuracy of 
any debris analysis output;
    (5) Use accurate source data from demographic sources, physical 
surveys, or other methods;
    (6) Be regularly updated to account for recent land-use changes, 
population growth, migration, and construction; and
    (7) Account for uncertainty in the source data and modeling 
approach.
    (d) Casualty area and consequence analysis. A debris risk analysis 
must model the casualty area, and compute the predicted consequences of 
each reasonably foreseeable vehicle response mode in any one-second 
period of flight in terms of conditional expected casualties. The 
casualty area and consequence analysis must account for--
    (1) All relevant debris fragment characteristics and the 
characteristics of a representative person exposed to any potential 
debris hazard.
    (2) Any direct impacts of debris fragments, intact impact, or 
indirect impact effects.
    (3) The vulnerability of people and critical assets to debris 
impacts, including:
    (i) Effects of buildings, ground vehicles, waterborne vessel, and 
aircraft upon the vulnerability of any occupants;
    (ii) All hazard sources, such as the potential for any toxic or 
explosive energy releases;
    (iii) Indirect or secondary effects such as bounce, splatter, skip, 
slide or ricochet, including accounting for terrain;
    (iv) Effect of wind on debris impact vector and toxic releases;
    (v) Impact speed and angle, accounting for motion of impacted 
vehicles;
    (vi) Uncertainty in fragment impact parameters; and
    (vii) Uncertainty in modeling methodology.
    (e) Application requirements. An applicant must submit:
    (1) A description of the methods used to compute the parameters 
required to demonstrate compliance with the public safety criteria in 
Sec.  450.101, including a description of how the operator will account 
for the conditions immediately prior to enabling the flight of a launch 
vehicle or the reentry of a reentry vehicle, such as the final 
trajectory, atmospheric conditions, and the exposure of people and 
critical assets;
    (2) A description of the methods used to compute debris impact 
distributions;
    (3) A description of the methods used to develop the population 
exposure input data;
    (4) A description of the exposure input data, including, for each 
population center, a geographic definition and the distribution of 
population among shelter types as a function of time of day, week, 
month, or year;
    (5) A description of the atmospheric data used as input to the 
debris risk analysis;
    (6) The effective unsheltered casualty area for all fragment 
classes assuming a representative impact vector;
    (7) The effective casualty area for all fragment classes for a 
representative type of building, ground vehicle, waterborne vessel, and 
aircraft, assuming a representative impact vector;
    (8) Collective and individual debris risk analysis outputs under 
representative conditions and the worst foreseeable conditions, 
including:
    (i) Total collective casualty expectation for the proposed 
operation;
    (ii) A list of the collective risk contribution for at least the 
top ten population centers and all centers with collective risk 
exceeding 1 percent of the collective risk criterion in Sec.  450.101;

[[Page 15435]]

    (iii) A list of the maximum individual probability of casualty for 
the top ten population centers and all centers that exceed 10 percent 
of the individual risk criterion in Sec.  450.101; and
    (iv) A list of the probability of loss of functionality of any 
critical asset that exceeds 1 percent of the critical asset criterion 
in Sec.  450.101;
    (9) A list of the conditional collective casualty expectation for 
each vehicle response mode for each one-second interval of flight under 
representative conditions and the worst foreseeable conditions; and
    (10) Additional products that allow an independent analysis, as 
requested by the Administrator.


Sec.  450.137  Far-field overpressure blast effects analysis.

    (a) General. The far-field overpressure blast effect analysis must 
demonstrate compliance with public safety criteria in Sec.  450.101, 
either--
    (1) Prior to the day of the operation, accounting for all 
foreseeable conditions within the flight commit criteria; or
    (2) During the countdown using the best available input data.
    (b) Analysis constraints. The analysis must account for--
    (1) The potential for distant focus overpressure or overpressure 
enhancement given current meteorological conditions and terrain 
characteristics;
    (2) The potential for broken windows due to peak incident 
overpressures below 1.0 psi and related casualties;
    (3) The explosive capability of the vehicle at impact and at 
altitude and potential explosions resulting from debris impacts, 
including the potential for mixing of liquid propellants;
    (4) Characteristics of the vehicle flight and the surroundings that 
would affect the population's susceptibility to injury, including 
shelter types and time of day of the proposed operation;
    (5) Characteristics of the potentially affected windows, including 
their size, location, orientation, glazing material, and condition; and
    (6) The hazard characteristics of the potential glass shards, 
including falling from upper building stories or being propelled into 
or out of a shelter toward potentially occupied spaces.
    (c) Application requirements. An applicant must submit a 
description of the far-field overpressure analysis, including all 
assumptions and justifications for the assumptions, analysis methods, 
input data, and results. At a minimum, the application must include:
    (1) A description of the population centers, terrain, building 
types, and window characteristics used as input to the far-field 
overpressure analysis;
    (2) A description of the methods used to compute the foreseeable 
explosive yield probability pairs, and the complete set of yield-
probability pairs, used as input to the far-field overpressure 
analysis;
    (3) A description of the methods used to compute peak incident 
overpressures as a function of distance from the explosion and 
prevailing meteorological conditions, including sample calculations for 
a representative range of the foreseeable meteorological conditions, 
yields, and population center locations;
    (4) A description of the methods used to compute the probability of 
window breakage, including tabular data and graphs for the probability 
of breakage as a function of the peak incident overpressure for a 
representative range of window types, building types, and yields 
accounted for;
    (5) A description of the methods used to compute the probability of 
casualty for a representative individual, including tabular data and 
graphs for the probability of casualty, as a function of location 
relative to the window and the peak incident overpressure for a 
representative range of window types, building types, and yields 
accounted for;
    (6) Tabular data and graphs showing the hypothetical location of 
any member of the public that could be exposed to a probability of 
casualty of 1 x 10^-5 or greater for neighboring operations 
personnel, and 1 x 10^-6 or greater for other members of the 
public, given foreseeable meteorological conditions, yields, and 
population exposures;
    (7) The maximum expected casualties that could result from far-
field overpressure hazards greater given foreseeable meteorological 
conditions, yields, and population exposures;
    (8) A description of the meteorological measurements used as input 
to any real-time far-field overpressure analysis; and
    (9) Additional products that allow an independent analysis, as 
requested by the Administrator.


Sec.  450.139  Toxic hazards for flight.

    (a) Applicability. This section applies to any launch or reentry 
vehicle, including all vehicle components and payloads, that use toxic 
propellants or other toxic chemicals.
    (b) General. An operator must--
    (1) Conduct a toxic release hazard analysis in accordance with 
paragraph (c) of this section;
    (2) Manage the risk of casualties that could arise from the 
exposure to toxic release through one of the following means:
    (i) Contain hazards caused by toxic release in accordance with 
paragraph (d) of this section; or
    (ii) Perform a toxic risk assessment, in accordance with paragraph 
(e) of this section, that protects the public in compliance with the 
risk criteria of Sec.  450.101, including toxic release hazards.
    (3) Establish flight commit criteria based on the results of its 
toxic release hazard analysis, containment analysis, or toxic risk 
assessment for any necessary evacuation of the public from any toxic 
hazard area.
    (c) Toxic release hazard analysis. A toxic release hazard analysis 
must--
    (1) Account for any toxic release that could occur during nominal 
or non-nominal flight;
    (2) Include a worst-case release scenario analysis or a maximum-
credible release scenario analysis;
    (3) Determine if toxic release can occur based on an evaluation of 
the chemical compositions and quantities of propellants, other 
chemicals, vehicle materials, and projected combustion products, and 
the possible toxic release scenarios;
    (4) Account for both normal combustion products and any unreacted 
propellants and phase change or chemical derivatives of released 
substances; and
    (5) Account for any operational constraints and emergency 
procedures that provide protection from toxic release.
    (d) Toxic containment. An operator using toxic containment must 
manage the risk of any casualty from the exposure to toxic release 
either by--
    (1) Evacuating, or being prepared to evacuate, the public from a 
toxic hazard area, where an average member of the public would be 
exposed to greater than one percent conditional individual probability 
of casualty in the event of a worst-case release or maximum credible 
release scenario; or
    (2) Employing meteorological constraints to limit a launch 
operation to times during which prevailing winds and other conditions 
ensure that an average member of the public would not be exposed to 
greater than one percent conditional individual probability of casualty 
in the event of a worst-case release or maximum credible release 
scenario.
    (e) Toxic risk assessment. An operator using toxic risk assessment 
must establish flight commit criteria that demonstrate compliance with 
the public risk criterion of Sec.  450.101. A toxic risk assessment 
must--

[[Page 15436]]

    (1) Account for airborne concentration and duration thresholds of 
toxic propellants or other chemicals. For any toxic propellant, other 
chemicals, or combustion product, an operator must use airborne toxic 
concentration and duration thresholds identified in a means of 
compliance accepted by the Administrator;
    (2) Account for physical phenomena expected to influence any toxic 
concentration and duration in the area surrounding the potential 
release site;
    (3) Determine a toxic hazard area for the launch or reentry, 
surrounding the potential release site for each toxic propellant or 
other chemical based on the amount and toxicity of the propellant or 
other chemical, the exposure duration, and the meteorological 
conditions involved;
    (4) Account for all members of the public that may be exposed to 
the toxic release, including all members of the public on land and on 
any waterborne vessels, populated offshore structures, and aircraft 
that are not operated in direct support of the launch or reentry; and
    (5) Account for any risk mitigation measures applied in the risk 
assessment.
    (f) Application requirements. An applicant must submit:
    (1) The identity of toxic propellant, chemical, or combustion 
products or derivatives in the possible toxic release;
    (2) The applicant's selected airborne toxic concentration and 
duration thresholds;
    (3) The meteorological conditions for the atmospheric transport and 
buoyant cloud rise of any toxic release from its source to downwind 
receptor locations;
    (4) Characterization of the terrain, as input for modeling the 
atmospheric transport of a toxic release from its source to downwind 
receptor locations;
    (5) The identity of the toxic dispersion model used, and any other 
input data;
    (6) Representative results of an applicant's toxic dispersion 
modeling to predict concentrations and durations at selected downwind 
receptor locations, to determine the toxic hazard area for a released 
quantity of the toxic substance;
    (7) For toxic release hazard analysis in accordance with paragraph 
(c) of this section:
    (i) A description of the failure modes and associated relative 
probabilities for potential toxic release scenarios used in the risk 
evaluation; and
    (ii) The methodology and representative results of an applicant's 
determination of the worst-case or maximum-credible quantity of any 
toxic release that might occur during the flight of a vehicle;
    (8) For toxic risk assessment in accordance with paragraph (e) of 
this section:
    (i) A demonstration that the public will not be exposed to airborne 
concentrations above the toxic concentration and duration thresholds, 
based upon representative results of the toxic release hazard analysis;
    (ii) The population density in receptor locations that are 
identified by toxic dispersion modeling as toxic hazard areas;
    (iii) A description of any risk mitigations applied in the toxic 
risk assessment; and
    (iv) The identity of the population database used; and
    (9) Additional products that allow an independent analysis, as 
requested by the Administrator.


Sec.  450.141  Wind weighting for the flight of an unguided suborbital 
launch vehicle.

    (a) Applicability. This section applies to the flight of an 
unguided suborbital launch vehicle using wind weighting to meet the 
public safety criteria of Sec.  450.101.
    (b) Wind weighting safety system. The flight of an unguided 
suborbital launch vehicle that uses a wind weighting safety system must 
meet the following:
    (1) The launcher azimuth and elevation settings must be wind 
weighted to correct for the effects of wind conditions at the time of 
flight to provide a safe impact location; and
    (2) An operator must use launcher azimuth and elevation angle 
settings that ensures the rocket will not fly in an unintended 
direction given wind uncertainties.
    (c) Analysis. An operator must--
    (1) Establish flight commit criteria and other flight safety rules 
that control the risk to the public from potential adverse effects 
resulting from normal and malfunctioning flight;
    (2) Establish any wind constraints under which flight may occur; 
and
    (3) Conduct a wind weighting analysis that establishes the launcher 
azimuth and elevation settings that correct for the windcocking and 
wind-drift effects on the unguided suborbital launch vehicle.
    (d) Stability. An unguided suborbital launch vehicle, in all 
configurations, must be stable throughout each stage of powered flight.
    (e) Application requirements. An applicant must submit:
    (1) A description of its wind weighting analysis methods, including 
its method and schedule of determining wind speed and wind direction 
for each altitude layer;
    (2) A description of its wind weighting safety system and identify 
all equipment used to perform the wind weighting analysis;
    (3) A representative wind weighting analysis using actual or 
statistical winds for the launch area and provide samples of the 
output; and
    (4) Additional products that allow an independent analysis, as 
requested by the Administrator.

Prescribed Hazard Controls


Sec.  450.143  Safety-critical system design, test, and documentation.

    (a) Applicability. This section applies to all safety-critical 
systems. Flight safety systems that are required to meet the 
requirements of Sec.  450.101(c) must meet additional requirements in 
Sec.  450.145.
    (b) Fault-tolerant design. An operator must design safety-critical 
systems to be fault-tolerant such that there is no single credible 
fault that can lead to increased risk to public safety beyond nominal 
safety-critical system operation.
    (c) Qualification testing of design. An operator must functionally 
demonstrate the design of the vehicle's safety-critical systems at 
conditions beyond its predicted operating environment. The operator 
must select environmental test levels that ensure the design is 
sufficiently stressed to demonstrate that system performance is not 
degraded due to design tolerances, manufacturing variances, or 
uncertainties in the environment.
    (d) Acceptance of hardware. An operator must--
    (1) Functionally demonstrate any safety-critical system while 
exposed to its predicted operating environment with margin to 
demonstrate that it is free of defects, free of integration and 
workmanship errors, and ready for operational use; or
    (2) Combine in-process controls and a quality assurance process to 
ensure functional capability of any safety-critical system during its 
service life.
    (e) Lifecycle of safety-critical systems. (1) The predicted 
operating environment must be based on conditions predicted to be 
encountered in all phases of flight, recovery, and transportation.
    (2) An operator must monitor the flight environments experienced by 
safety-critical system components to the extent necessary to--
    (i) Validate the predicted operating environment; and
    (ii) Assess the actual component life remaining or adjust any 
inspection period.
    (f) Application requirements. An applicant must submit to the FAA 
the following as part of its application:

[[Page 15437]]

    (1) A list and description of each safety-critical system;
    (2) Drawings and schematics for each safety-critical system;
    (3) A summary of the analysis to determine the predicted operating 
environment and duration to be applied to qualification and acceptance 
testing covering the service life of any safety-critical system;
    (4) A description of any instrumentation or inspection processes to 
monitor aging of any safety-critical system; and
    (5) The criteria and procedures for disposal or refurbishment for 
service life extension of safety-critical system components.


Sec.  450.145  Flight safety system.

    (a) General. For each phase of flight for which an operator must 
implement flight abort to meet the requirement of Sec.  450.101(c), the 
operator must use a flight safety system, or other safeguards agreed to 
by the Administrator, on the launch or reentry vehicle, vehicle 
component, or payload with the following reliability:
    (1) If the consequence any vehicle response mode is 1 x 
10^-2 conditional expected casualties or greater for 
uncontrolled areas, an operator must employ a flight safety system with 
design reliability of 0.999 at 95 percent confidence and commensurate 
design, analysis, and testing; or
    (2) If the consequence of any vehicle response mode is between 1 x 
10^-2 and 1 x 10^-3 conditional expected casualties 
for uncontrolled areas, an operator must employ a flight safety system 
with a design reliability of 0.975 at 95 percent confidence and 
commensurate design, analysis, and testing.
    (b) Accepted means of compliance. To comply with paragraph (a) of 
this section, an applicant must use a means of compliance accepted by 
the Administrator.
    (c) Monitoring. An operator must monitor the flight environments 
experienced by any flight safety system component.
    (d) Application requirements. An applicant must submit the 
information identified in paragraphs (d)(1) through (5) of this 
section, for any flight safety system including any flight safety 
system located on board a launch or reentry vehicle; any ground based 
command control system; any support system, including telemetry 
subsystems and tracking subsystems, necessary to support a flight abort 
decision; and the functions of any personnel who operate the flight 
safety system hardware or software:
    (1) Flight safety system description. An applicant must describe 
the flight safety system and its operation in detail, including all 
components, component functions, and possible operational scenarios.
    (2) Flight safety system diagram. An applicant must submit a 
diagram that identifies all flight safety system subsystems and shows 
the interconnection of all the elements of the flight safety system. 
The diagram must include any subsystems used to implement flight abort 
both on and off the vehicle, including any subsystems used to make the 
decision to abort flight.
    (3) Flight safety system analyses. An applicant must submit any 
analyses and detailed analysis reports of all flight safety system 
subsystems necessary to demonstrate the reliability and confidence 
levels required by paragraph (a) of this section.
    (4) Tracking validation procedures. An applicant must document and 
submit the procedures for validating the accuracy of any vehicle 
tracking data utilized by the flight safety system to make the decision 
to abort flight.
    (5) Flight safety system test plans. An applicant must submit 
acceptance, qualification, and preflight test plans of any flight 
safety system, subsystems, and components. The test plans must include 
test procedures and test environments.


Sec.  450.147  Agreements.

    (a) General. An operator must establish a written agreement with 
any entity that provides a service or property that meets a requirement 
in this part, including:
    (1) Launch and reentry site use agreements. A Federal launch range 
operator, a licensed launch or reentry site operator, or any other 
person that provides services or access to or use of property required 
to support the safe launch or reentry under this part;
    (2) Agreements for notices to mariners. Unless otherwise addressed 
in agreements with the site operator, for overflight of navigable 
water, the U.S. Coast Guard or other applicable maritime authority to 
establish procedures for the issuance of a Notice to Mariners prior to 
a launch or reentry and other measures necessary to protect public 
health and safety;
    (3) Agreements for notices to airmen. Unless otherwise addressed in 
agreements with the site operator, the FAA Air Traffic Organization or 
other applicable air navigation authority to establish procedures for 
the issuance of a Notice to Airmen prior to a launch or reentry, for 
closing of air routes during the respective launch and reentry windows, 
and for other measures necessary to protect public health and safety; 
and
    (4) Mishap response. Emergency response providers, including local 
government authorities, to satisfy the requirements of Sec.  450.173.
    (b) Roles and responsibilities. The agreements required in this 
section must clearly delineate the roles and responsibilities of each 
party to support the safe launch or reentry under this part.
    (c) Effective date. The agreements required in this section must be 
in effect before a license can be issued, unless otherwise agreed to by 
the Administrator.
    (d) Application requirement. The applicant must describe each 
agreement in this section. The applicant must provide a copy of any 
agreement, or portion thereof, to the FAA upon request.


Sec.  450.149  Safety-critical personnel qualifications.

    (a) Qualification requirements. An operator must ensure safety-
critical personnel are trained, qualified, and capable of performing 
their safety-critical tasks, and that their training is current.
    (b) Application requirements. An applicant must--
    (1) Identify safety-critical tasks that require qualified 
personnel;
    (2) Provide internal training and currency requirements, completion 
standards, or any other means of demonstrating compliance with the 
requirements of this section; and
    (3) Describe the process for tracking training currency.


Sec.  450.151  Work shift and rest requirements.

    (a) General. For any launch or reentry, an operator must document 
and implement rest requirements that ensure safety-critical personnel 
are physically and mentally capable of performing all assigned tasks.
    (b) Specific items to address. An operator's rest requirements must 
address the following:
    (1) Duration of each work shift and the process for extending this 
shift, including the maximum allowable length of any extension;
    (2) Number of consecutive work shift days allowed before rest is 
required;
    (3) Minimum rest period required--
    (i) Between each work shift, including the period of rest required 
immediately before the flight countdown work shift; and
    (ii) After the maximum number of work shift days allowed; and

[[Page 15438]]

    (4) Approval process for any deviation from the rest requirements.
    (c) Application requirements. An applicant must submit rest rules 
that demonstrate compliance with the requirements of this section.


Sec.  450.153  Radio frequency management.

    (a) Frequency management. For any radio frequency used, an operator 
must--
    (1) Identify each frequency, all allowable frequency tolerances, 
and each frequency's intended use, operating power, and source;
    (2) Provide for the monitoring of frequency usage and enforcement 
of frequency allocations; and
    (3) Coordinate use of radio frequencies with any site operator and 
any local and Federal authorities.
    (b) Application requirements. An applicant must submit procedures 
or other means to demonstrate compliance with the radio frequency 
requirements of this section.


Sec.  450.155  Readiness.

    (a) Flight readiness. An operator must document and implement 
procedures to assess readiness to proceed with the flight of a launch 
or reentry vehicle. These procedures must address, at minimum, the 
following:
    (1) Readiness of vehicle and launch, reentry, or landing site, 
including any contingency abort location;
    (2) Readiness of safety-critical personnel, systems, software, 
procedures, equipment, property, and services; and
    (3) Readiness to implement the mishap plan required by Sec.  
450.173.
    (b) Application requirements. An applicant must--
    (1) Demonstrate compliance with the requirements of paragraph (a) 
of this section through procedures that may include a readiness meeting 
close in time to flight; and
    (2) Describe the criteria for establishing readiness to proceed 
with the flight of a launch or reentry vehicle.


Sec.  450.157  Communications.

    (a) Communication procedures. An operator must implement 
communication procedures during the countdown and flight of a launch or 
reentry vehicle that--
    (1) Define the authority of personnel, by individual or position 
title, to issue ``hold/resume,'' ``go/no go,'' and abort commands;
    (2) Assign communication networks so that personnel identified in 
paragraph (a)(1) of this section have direct access to real-time 
safety-critical information required to issue ``hold/resume,'' ``go/no 
go,'' and any abort commands;
    (3) Ensure personnel, identified in paragraph (a)(1) of this 
section, monitor each common intercom channel during countdown and 
flight; and
    (4) Implement a protocol for using defined radio telephone 
communications terminology.
    (b) Currency. An operator must ensure the currency of the 
communication procedures, and that all personnel are working with the 
approved version of the communication procedures.
    (c) Communication records. An operator must record all safety-
critical communications network channels that are used for voice, 
video, or data transmissions that support safety critical systems 
during each countdown.


Sec.  450.159  Preflight procedures.

    (a) Preflight procedures. An operator must implement preflight 
procedures that--
    (1) Verify that each flight commit criterion is satisfied before 
flight is initiated; and
    (2) Ensure the operator can return the vehicle to a safe state 
after a countdown abort or delay.
    (b) Currency. An operator must ensure the currency of the preflight 
procedures, and that all personnel are working with the approved 
version of the preflight procedures.


Sec.  450.161  Surveillance and publication of hazard areas.

    (a) General. The operator must publicize, survey, and evacuate each 
flight hazard area prior to initiating flight of a launch vehicle or 
the reentry of a reentry vehicle to the extent necessary to ensure 
compliance with Sec.  450.101.
    (b) Verification. The launch or reentry operator must perform 
surveillance sufficient to verify or update the assumptions, input 
data, and results of the flight safety analyses.
    (c) Publication. An operator must publicize warnings for each 
flight hazard area, except for regions of land, sea, or air under the 
control of the vehicle operator, site operator, or other entity by 
agreement. If the operator relies on another entity to publicize these 
warnings, it must verify that the warnings have been issued.
    (d) Application requirements. An applicant must submit:
    (1) A description of how it will provide for day-of-flight 
surveillance of flight hazard areas, if necessary, to ensure that the 
presence of any member of the public in or near a flight hazard area is 
consistent with flight commit criteria developed for each launch or 
reentry as required by Sec.  450.165(b); and
    (2) A description of how it will establish flight commit criteria 
based on the results of its toxic release hazard analysis, containment 
analysis, or toxic risk assessment for any necessary evacuation of the 
public from any toxic hazard area.


Sec.  450.163  Lightning hazard mitigation.

    (a) Lighting hazard mitigation. An operator must--
    (1) Establish flight commit criteria that mitigate the potential 
for a launch or reentry vehicle intercepting or initiating a lightning 
strike, or encountering a nearby discharge, using a means of compliance 
accepted by the Administrator;
    (2) Use a vehicle designed to continue safe flight in the event of 
a direct lightning strike or nearby discharge; or
    (3) Ensure compliance with Sec.  450.101, given any direct 
lightning strike or an encounter with a nearby discharge.
    (b) Application requirements. (1) An applicant electing to comply 
with paragraph (a)(1) of this section must submit flight commit 
criteria that mitigate the potential for a launch or reentry vehicle 
intercepting or initiating a direct lightning strike, or encountering a 
nearby lightning discharge.
    (2) An applicant electing to comply with paragraph (a)(2) of this 
section must submit documentation providing evidence that the vehicle 
is designed to protect safety-critical systems against the effects of a 
direct lightning strike or nearby discharge.
    (3) An applicant electing to comply with paragraph (a)(3) of this 
section must submit documentation providing evidence that the safety 
criteria in Sec.  450.101 will be met given any direct lightning strike 
or an encounter with a nearby discharge.


Sec.  450.165  Flight safety rules.

    (a) General. For each launch or reentry, an operator must establish 
and observe flight safety rules that govern the conduct of the launch 
or reentry.
    (b) Flight commit criteria. The flight safety rules must include 
flight commit criteria that identify each condition necessary prior to 
flight of a launch vehicle or the reentry of a reentry vehicle to 
satisfy the requirements of Sec.  450.101, and must include:
    (1) Surveillance of any region of land, sea, or air in accordance 
with Sec.  450.161;
    (2) Monitoring of any meteorological condition necessary to--
    (i) Be consistent with any safety analysis required by this part; 
and
    (ii) If necessary in accordance with Sec.  450.163, mitigate the 
potential for a launch or reentry vehicle intercepting a lightning 
strike, or encountering a nearby discharge;

[[Page 15439]]

    (3) Implementation of any launch or reentry window closure in the 
launch or reentry window for the purpose of collision avoidance in 
accordance with Sec.  450.169;
    (4) Confirmation that any safety-critical system is ready for 
flight;
    (5) For any reentry vehicle, except a suborbital vehicle, 
monitoring by the operator or an on board system that the status of 
safety-critical systems are healthy before enabling reentry flight, to 
assure the vehicle can reenter safely to Earth; and
    (6) Any other hazard controls derived from any safety analysis 
required by this part.
    (c) Flight abort rules. (1) For a vehicle that uses a flight safety 
system, the flight safety rules must identify the conditions under 
which the flight safety system, including the functions of any flight 
abort crew, must abort the flight to:
    (i) Ensure compliance with Sec.  450.101; and
    (ii) Prevent debris capable of causing a casualty from impacting in 
uncontrolled areas if the vehicle is outside the limits of a useful 
mission.
    (2) Vehicle data required to evaluate flight abort rules must be 
available to the flight safety system across the range of normal and 
malfunctioning flight.
    (3) The flight abort rules must include the following:
    (i) The flight safety system must abort flight when valid, real-
time data indicate the vehicle has violated any flight safety limit;
    (ii) The flight safety system must abort flight when the vehicle 
state approaches conditions that are anticipated to compromise the 
capability of the flight safety system and further flight has the 
potential to violate a flight safety limit;
    (iii) The flight safety system must incorporate data loss flight 
times to abort flight at the first possible violation of a flight 
safety limit, or earlier, if valid tracking data is insufficient for 
evaluating a minimum set of flight abort rules required to maintain 
compliance with Sec.  450.101; and
    (iv) Flight may continue past any gate established under Sec.  
450.125 only if the parameters used to establish the ability of the 
vehicle to complete a useful mission are within limits.
    (d) Application requirements. An applicant must submit:
    (1) For flight commit criteria, a list of all flight commit 
criteria; and
    (2) For flight abort rules:
    (i) A description of each rule, and the parameters that will be 
used to evaluate each rule;
    (ii) A list that identifies the rules necessary for compliance with 
each requirement in Sec.  450.101; and
    (iii) A description of the vehicle data that will be available to 
evaluate flight abort rules across the range of normal and 
malfunctioning flight.


Sec.  450.167  Tracking.

    (a) Vehicle tracking. During the flight of a launch or reentry 
vehicle, an operator must measure and record in real time the position 
and velocity of the vehicle. The system used to track the vehicle must 
provide data to determine the actual impact locations of all stages and 
components, and to obtain vehicle performance data for comparison with 
the preflight performance predictions.
    (b) Application requirements. An applicant must identify and 
describe each method or system used to meet the tracking requirements 
of paragraph (a) of this section.


Sec.  450.169  Launch and reentry collision avoidance analysis 
requirements.

    (a) Criteria. For an orbital or suborbital launch or reentry, an 
operator must establish window closures needed to ensure that the 
launch or reentry vehicle, any jettisoned components, or payloads meet 
the following requirements with respect to orbiting objects, not 
including any object being launched or reentered.
    (1) For inhabitable objects, one of three criteria in paragraphs 
(a)(1)(i) through (iii) of this section must be met:
    (i) The probability of collision between the launching or 
reentering objects and any inhabitable object must not exceed 1 x 
10^-6;
    (ii) The launching or reentering objects must maintain an 
ellipsoidal separation distance of 200 km in-track and 50 km cross-
track and radially from the inhabitable object; or
    (iii) The launching or reentering objects must maintain a spherical 
separation distance of 200 km from the inhabitable object.
    (2) For objects that are neither orbital debris nor inhabitable, 
one of the two criteria in paragraphs (a)(2)(i) and (ii) of this 
section must be met:
    (i) The probability of collision between the launching or 
reentering objects and any object must not exceed 1 x 10^-5; 
or
    (ii) The launching or reentering objects must maintain a spherical 
separation distance of 25 km from the object.
    (3) For all other known orbital debris identified by the FAA or 
other Federal Government entity as 10 cm squared or larger, the 
launching or reentering objects must maintain a spherical separation 
distance of 2.5 km from the object.
    (b) Screening time. A launch or reentry operator must ensure the 
requirements of paragraph (a) of this section are follows:
    (1) Through the entire flight of a suborbital launch vehicle;
    (2) For an orbital launch, during ascent from a minimum of 150 km 
to initial orbital insertion and for a minimum of 3 hours from liftoff;
    (3) For reentry, during descent from initial reentry burn to 150 km 
altitude; and
    (4) For disposal, during descent from initial disposal burn to 150 
km altitude.
    (c) Rendezvous. Planned rendezvous operations that occur within the 
screening time frame are not considered a violation of collision 
avoidance if the involved operators have pre-coordinated the rendezvous 
or close approach.
    (d) Analysis not required. A launch collision avoidance analysis is 
not required if the maximum altitude attainable by a launch operator's 
suborbital launch vehicle and any released debris is less than 150 km. 
The maximum altitude attainable means an optimized trajectory, assuming 
maximum performance within 99.7% confidence bounds, extended through 
fuel exhaustion of each stage, to achieve a maximum altitude.
    (e) Analysis. Collision avoidance analysis must be obtained for 
each launch or reentry from a Federal entity identified by the FAA.
    (1) An operator must use the results of the collision avoidance 
analysis to establish flight commit criteria for collision avoidance; 
and
    (2) Account for uncertainties associated with launch or reentry 
vehicle performance and timing, and ensure that each window closure 
incorporates all additional time periods associated with such 
uncertainties.
    (f) Timing and information required. An operator must prepare a 
collision avoidance analysis worksheet for each launch or reentry using 
a standardized format that contains the input data required by appendix 
A to this part, as follows:
    (1) An operator must file the input data with a Federal entity 
identified by the FAA and the FAA at least 15 days before the first 
attempt at the flight of a launch vehicle or the reentry of a reentry 
vehicle, unless the Administrator agrees to a different time frame in 
accordance with Sec.  404.15 of this chapter;
    (2) An operator must obtain a collision avoidance analysis 
performed by a Federal entity identified by the FAA 6 hours before the 
beginning of a launch or reentry window; and
    (3) If an operator needs an updated collision avoidance analysis 
due to a launch or reentry delay, the operator

[[Page 15440]]

must file the request with the Federal entity and the FAA at least 12 
hours prior to the beginning of the new launch or reentry window.


Sec.  450.171  Safety at end of launch.

    (a) Debris mitigation. An operator must ensure for any proposed 
launch that for all vehicle stages or components that reach Earth 
orbit--
    (1) There is no unplanned physical contact between the vehicle or 
any of its components and the payload after payload separation;
    (2) Debris generation does not result from the conversion of energy 
sources into energy that fragments the vehicle or its components. 
Energy sources include chemical, pressure, and kinetic energy; and
    (3) For all vehicle stages or components that are left in orbit, 
stored energy is removed by depleting residual fuel and leaving all 
fuel line valves open, venting any pressurized system, leaving all 
batteries in a permanent discharge state, and removing any remaining 
source of stored energy.
    (b) Application requirements. An applicant must demonstrate 
compliance with the requirements in paragraph (a) of this section.


Sec.  450.173  Mishap plan--reporting, response, and investigation 
requirements.

    (a) General. An operator must report, respond, and investigate 
class 1, 2, 3, and 4 mishaps, as defined in Sec.  401.5 of this 
chapter, in accordance with paragraphs (b) through (h) of this section 
using a plan or other written means.
    (b) Responsibilities. An operator must document--
    (1) Responsibilities for personnel assigned to implement the 
requirements of this section;
    (2) Reporting responsibilities for personnel assigned to conduct 
investigations and for anyone retained by the licensee to conduct or 
participate in investigations; and
    (3) Allocation of roles and responsibilities between the launch 
operator and any site operator for reporting, responding to, and 
investigating any mishap during ground activities at the site.
    (c) Cooperation with FAA and NTSB. An operator must report to, and 
cooperate with, the FAA and NTSB investigations and designate one or 
more points of contact for the FAA and NTSB.
    (d) Mishap reporting requirements. An operator must--
    (1) Immediately notify the FAA Washington Operations Center in case 
of a mishap that involves a fatality or serious injury (as defined in 
49 CFR 830.2);
    (2) Notify within 24 hours the FAA Washington Operations Center in 
the case of a mishap that does not involve a fatality or serious injury 
(as defined in 49 CFR 830.2); and
    (3) Submit a written preliminary report to the FAA Office of 
Commercial Space Transportation within five days of any mishap. The 
preliminary report must include the following information, as 
applicable:
    (i) Date and time of the mishap;
    (ii) Description of the mishap and sequence of events leading to 
the mishap, to the extent known;
    (iii) Intended and actual location of the launch or reentry or 
other landing on Earth;
    (iv) Vehicle or debris impact points, including those outside a 
planned landing or impact area;
    (v) Identification of the vehicle;
    (vi) Identification of any payload;
    (vii) Number and general description of any fatalities or injuries;
    (viii) Description and estimated costs of any property damage;
    (ix) Identification of hazardous materials, as defined in Sec.  
401.5 of this chapter, involved in the event, whether on the vehicle, 
any payload, or on the ground;
    (x) Action taken by any person to contain the consequences of the 
event;
    (xi) Weather conditions at the time of the event; and
    (xii) Potential consequences for other similar vehicles, systems, 
or operations.
    (e) Emergency response requirements. An operator must--
    (1) Activate emergency response services to protect the public 
following a mishap as necessary including, but not limited to:
    (i) Evacuating and rescuing members of the public, taking into 
account debris dispersion and toxic plumes; and
    (ii) Extinguishing fires;
    (2) Maintain existing hazard area surveillance and clearance as 
necessary to protect public safety;
    (3) Contain and minimize the consequences of a mishap, including:
    (i) Securing impact areas to ensure that no members of the public 
enter;
    (ii) Safely disposing of hazardous materials; and
    (iii) Controlling hazards at the site or impact areas;
    (4) Preserve data and physical evidence; and
    (5) Implement agreements with government authorities and emergency 
response services, as necessary, to satisfy the requirements of this 
section.
    (f) Mishap investigation requirements. In the event of a mishap, an 
operator must--
    (1) Investigate the root causes of the mishap; and
    (2) Report investigation results to the FAA.
    (g) Preventative measures. An operator must identify and implement 
preventive measures for avoiding recurrence of the mishap prior to the 
next flight, unless otherwise approved by the Administrator.
    (h) Mishap records. An operator must maintain records associated 
with the mishap in accordance with Sec.  450.219(b).
    (i) Application requirements. An applicant must submit the plan or 
other written means required by this section.


Sec.  450.175  Test-induced damage.

    (a) Coordination of anticipated test-induced damage. Test-induced 
damage is not a mishap if all of the following are true:
    (1) An operator coordinates potential test-induced damage with the 
FAA before the planned activity, and with sufficient time for the FAA 
to evaluate the operator's proposal during the application process or 
as a license modification; and
    (2) The test-induced damage did not result in any of the following:
    (i) Serious injury or fatality (as defined in 49 CFR 830.2);
    (ii) Damage to property not associated with the licensed activity; 
and
    (iii) Hazardous debris leaving the pre-defined hazard area; or
    (3) The test-induced damage falls within the scope of activities 
coordinated with the FAA in paragraph (a)(1) of this section.
    (b) Application requirements. An applicant must submit the 
following information:
    (1) Test objectives;
    (2) Test limits;
    (3) Expected outcomes;
    (4) Potential risks, including the applicant's best understanding 
of the uncertainties in environments, test limits, or system 
performance;
    (5) Applicable procedures;
    (6) Expected time and duration of the test; and
    (7) Additional information as required by the FAA to ensure 
protection of public health and safety, safety of property, and the 
national security and foreign policy interests of the United States.


Sec.  450.177  Unique policies, requirements, and practices.

    (a) Operator identified unique hazards. An operator must review 
operations, system designs, analysis, and testing, and identify any 
unique hazards not otherwise addressed by this part. An operator must 
implement any

[[Page 15441]]

unique safety policy, requirement, or practice needed to protect the 
public from the unique hazard.
    (b) FAA unique policy, requirement, or practice. The FAA may 
identify and impose a unique policy, requirement, or practice as needed 
to protect the public health and safety, safety of property, and the 
national security and foreign policy interests of the United States.
    (c) Application requirements. (1) An operator must identify any 
unique safety policy, requirement, or practice necessary in accordance 
with paragraph (a) of this section, and demonstrate that each unique 
safety policy, requirement, or practice protects public health and 
safety and the safety of property.
    (2) An operator must demonstrate that each unique safety policy, 
requirement, or practice imposed by the FAA in accordance with 
paragraph (b) of this section, protects public health and safety, 
safety of property, and the national security and foreign policy 
interests of the United States.

Ground Safety


Sec.  450.179  Ground safety--general.

    At a U.S. launch or reentry site, an operator must protect the 
public from adverse effects of hazardous operations and systems 
associated with--
    (a) Preparing a launch vehicle for flight;
    (b) Returning a launch or reentry vehicle to a safe condition after 
landing, or after an aborted launch attempt; and
    (c) Returning a site to a safe condition.


Sec.  450.181  Coordination with a site operator.

    (a) General. For a launch or reentry conducted from or to a Federal 
launch or reentry site or a site licensed under part 420 or 433 of this 
chapter, an operator must coordinate with the site operator to ensure--
    (1) Public access is controlled where and when necessary to protect 
public safety;
    (2) Launch or reentry operations are coordinated with other launch 
and reentry operators and other affected parties to prevent unsafe 
interference;
    (3) Any ground hazard area that affects the operations of a launch 
or reentry site is coordinated with the Federal or licensed launch or 
reentry site operator; and
    (4) Prompt and effective response in the event of a mishap that 
could impact public safety.
    (b) Licensed site operator. For a launch or reentry conducted from 
or to a site licensed under part 420 or 433 of this chapter, an 
operator must also coordinate with the site operator to establish roles 
and responsibilities for reporting, responding to, and investigating 
any mishap during ground activities at the site.
    (c) Application requirements. An applicant must describe how it is 
coordinating with a Federal or licensed launch or reentry site operator 
in compliance with this section.


Sec.  450.183  Explosive site plan.

    (a) Exclusive use sites. For a launch or reentry conducted from or 
to a site exclusive to its own use, an operator must comply with the 
explosive siting requirements of Sec. Sec.  420.63, 420.65, 420.66, 
420.67, 420.69, and 420.70 of this chapter.
    (b) Application requirements. An applicant must submit an explosive 
site plan in accordance with paragraph (a) of this section.


Sec.  450.185  Ground hazard analysis.

    An operator must perform and document a ground hazard analysis, and 
continue to maintain it throughout the lifecycle of the launch or 
reentry system. The analysis must--
    (a) Hazard identification. Identify system and operation hazards 
posed by the vehicle and ground hardware, including site and ground 
support equipment. Hazards identified must include the following:
    (1) System hazards, including:
    (i) Vehicle over-pressurization;
    (ii) Sudden energy release, including ordnance actuation;
    (iii) Ionizing and non-ionizing radiation;
    (iv) Fire or deflagration;
    (v) Radioactive materials;
    (vi) Toxic release;
    (vii) Cryogens;
    (viii) Electrical discharge; and
    (ix) Structural failure; and
    (2) Operation hazards, including:
    (i) Propellant handling and loading;
    (ii) Transporting of vehicle or vehicle components;
    (iii) Vehicle testing; and
    (iv) Vehicle or system activation.
    (b) Hazard assessment. Assess each hazard's likelihood and 
severity.
    (c) Risk criteria. Ensure that the risk associated with each hazard 
meets the following criteria:
    (1) The likelihood of any hazardous condition that may cause death 
or serious injury to the public must be extremely remote; and
    (2) The likelihood of any hazardous condition that may cause major 
damage to public property or critical assets must be remote.
    (d) Risk elimination and mitigation. Identify and describe the risk 
elimination and mitigation measures required to satisfy paragraph (c) 
of this section.
    (e) Validation and verification. Demonstrate that the risk 
elimination and mitigation measures achieve the risk levels of 
paragraph (c) of this section through validation and verification. 
Verification includes:
    (1) Analysis;
    (2) Test;
    (3) Demonstration; or
    (4) Inspection.
    (f) Application requirements. An applicant must submit--
    (1) A description of the methodology used to perform the ground 
hazard analysis;
    (2) A list of all systems and operations that may cause a hazard 
involving the vehicle or any payload; and
    (3) The ground hazard analysis products of paragraphs (a) through 
(e) of this section, including data that verifies the risk elimination 
and mitigation measures.


Sec.  450.187  Toxic hazards mitigation for ground operations.

    (a) Applicability. This section applies to any launch or reentry 
vehicle, including all vehicle components and payloads, that use toxic 
propellants or other toxic chemicals.
    (b) Toxic release hazard analysis. An operator must conduct a toxic 
release hazard analysis that--
    (1) Accounts for any toxic release that could occur during nominal 
or non-nominal launch or reentry ground operations;
    (2) Includes a worst-case release scenario analysis or a maximum-
credible release scenario analysis for each process that involves a 
toxic propellant or other chemical;
    (3) Determines if toxic release can occur based on an evaluation of 
the chemical compositions and quantities of propellants, other 
chemicals, vehicle materials, and projected combustion products, and 
the possible toxic release scenarios;
    (4) Accounts for both normal combustion products and any unreacted 
propellants and phase change or chemical derivatives of released 
substances; and
    (5) Accounts for any operational constraints and emergency 
procedures that provide protection from toxic release.
    (c) Toxic containment. An operator using toxic containment must 
manage the risk of casualty from the exposure to toxic release either 
by--
    (1) Evacuating, or being prepared to evacuate, the public from a 
toxic hazard area, where an average member of the public would be 
exposed to greater than one percent conditional individual probability 
of casualty in the event of a

[[Page 15442]]

worst-case release or maximum credible release scenario; or
    (2) Employing meteorological constraints to limit a ground 
operation to times during which prevailing winds and other conditions 
ensure that an average member of the public would not be exposed to 
greater than one percent conditional individual probability of casualty 
in the event of a worst-case release or maximum credible release 
scenario.
    (d) Toxic risk assessment. An operator using toxic risk assessment 
must manage the risk from any toxic release hazard and demonstrate 
compliance with the criteria in Sec.  450.109(a)(3). A toxic risk 
assessment must--
    (1) Account for airborne concentration and duration thresholds of 
toxic propellants or other chemicals. For any toxic propellant, other 
chemicals, or combustion product, an operator must use airborne toxic 
concentration and duration thresholds identified in a means of 
compliance accepted by the Administrator;
    (2) Account for physical phenomena expected to influence any toxic 
concentration and duration in the area surrounding the potential 
release site;
    (3) Determine a toxic hazard area for each process, surrounding the 
potential release site for each toxic propellant or other chemical 
based on the amount and toxicity of the propellant or other chemical, 
the exposure duration, and the meteorological conditions involved;
    (4) Account for all members of the public that may be exposed to 
the toxic release; and
    (5) Account for any risk mitigation measures applied in the risk 
assessment.
    (e) Application requirements. An applicant must submit:
    (1) The identity of the toxic propellant, chemical, or toxic 
combustion products in the possible toxic release;
    (2) The applicant's selected airborne toxic concentration and 
duration thresholds;
    (3) The meteorological conditions for the atmospheric transport and 
buoyant cloud rise of any toxic release from its source to downwind 
receptor locations;
    (4) Characterization of the terrain, as input for modeling the 
atmospheric transport of a toxic release from its source to downwind 
receptor locations;
    (5) The identity of the toxic dispersion model used, and any other 
input data;
    (6) Representative results of an applicant's toxic dispersion 
modeling to predict concentrations and durations at selected downwind 
receptor locations, to determine the toxic hazard area for a released 
quantity of the toxic substance;
    (7) For toxic release hazard analysis in accordance with paragraph 
(b) of this section:
    (i) A description of the failure modes and associated relative 
probabilities for potential toxic release scenarios used in the risk 
evaluation; and
    (ii) The methodology and results of an applicant's determination of 
the worst-case or maximum-credible quantity of any toxic release that 
might occur during ground operations;
    (8) For toxic risk assessment in accordance with paragraph (d) of 
this section:
    (i) A demonstration that the public will not be exposed to airborne 
concentrations above the toxic concentration and duration thresholds, 
based upon the representative results of the toxic release hazard 
analysis;
    (ii) The population density in receptor locations that are 
identified by toxic dispersion modeling as toxic hazard areas;
    (iii) A description of any risk mitigation measures applied in the 
toxic risk assessment; and
    (iv) The identity of the population database used; and
    (9) Additional products that allow an independent analysis, as 
requested by the Administrator.


Sec.  450.189  Ground safety prescribed hazard controls.

    (a) General. In addition to the hazard controls derived form an 
operator's ground hazard analysis and toxic hazard analysis, an 
operator must comply with paragraphs (b) through (e) of this section.
    (b) Protection of public on the site. An operator must document a 
process for protecting members of the public who enter any area under 
the control of a launch or reentry operator, including:
    (1) Procedures for identifying and tracking the public while on the 
site; and
    (2) Methods the operator uses to protect the public from hazards in 
accordance with the ground hazard analysis and toxic hazard analysis.
    (c) Countdown abort. Following a countdown abort or recycle 
operation, an operator must establish, maintain, and perform procedures 
for controlling hazards related to the vehicle and returning the 
vehicle, stages, or other flight hardware and site facilities to a safe 
condition. When a launch vehicle does not liftoff after a command to 
initiate flight was sent, an operator must--
    (1) Ensure that the vehicle and any payload are in a safe 
configuration;
    (2) Prohibit entry of the public into any identified hazard areas 
until the site is returned to a safe condition; and
    (3) Maintain and verify that any flight safety system remains 
operational until verification that the launch vehicle does not 
represent a risk of inadvertent flight.
    (d) Fire suppression. An operator must have reasonable precautions 
in place to report and control any fire caused by licensed activities.
    (e) Emergency procedures. An operator must have general emergency 
procedures that apply to any emergencies not covered by the mishap plan 
of Sec.  450.173 that may create a hazard to the public.
    (f) Application requirements. An applicant must submit the process 
for protecting members of the public who enter any area under the 
control of a launch or reentry operator in accordance with paragraph 
(b) of this section.

Subpart D--Terms and Conditions of a Vehicle Operator License


Sec.  450.201  Public safety responsibility.

    A licensee is responsible for ensuring public safety and safety of 
property during the conduct of a licensed launch or reentry.


Sec.  450.203  Compliance with license.

    A licensee must conduct a licensed launch or reentry in accordance 
with representations made in its license application, the requirements 
of subpart C of this part and this subpart, and the terms and 
conditions contained in the license. A licensee's failure to act in 
accordance with the representations made in the license application, 
the requirements of subpart C of this part and this subpart, and the 
terms and conditions contained in the license, is sufficient basis for 
the revocation of a license or other appropriate enforcement action.


Sec.  450.205  Financial responsibility requirements.

    A licensee must comply with financial responsibility requirements 
as required by part 440 of this chapter and as specified in a license 
or license order.


Sec.  450.207  Human spaceflight requirements.

    A licensee conducting a launch or reentry with a human being on 
board the vehicle must comply with human spaceflight requirements as 
required by part 460 of this chapter and as specified in a license or 
license order.


Sec.  450.209  Compliance monitoring.

    (a) A licensee must allow access by, and cooperate with, Federal 
officers or employees or other individuals authorized by the FAA to 
observe any of its activities, or of its contractors or

[[Page 15443]]

subcontractors, associated with the conduct of a licensed launch or 
reentry.
    (b) For each licensed launch or reentry, a licensee must provide 
the FAA with a console or other means for monitoring the progress of 
the countdown and communication on all channels of the countdown 
communications network. A licensee must also provide the FAA with the 
capability to communicate with the mission director designated by Sec.  
450.103(a)(1).
    (c) If the FAA finds a licensee has not complied with any of the 
requirements in subpart C of this part or this subpart, the FAA may 
require the licensee to revise its procedures to achieve compliance.


Sec.  450.211  Continuing accuracy of license application; application 
for modification of license.

    (a) A licensee is responsible for the continuing accuracy of 
representations contained in its application for the entire term of the 
license. After a license has been issued, a licensee must apply to the 
FAA for modification of the license if--
    (1) The licensee proposes to conduct a launch or reentry in a 
manner not authorized by the license; or
    (2) Any representation contained in the license application that is 
material to public health and safety or the safety of property is no 
longer accurate and complete or does not reflect the licensee's 
procedures governing the actual conduct of a launch or reentry. A 
change is material to public health and safety or the safety of 
property if it alters or affects the--
    (i) Class of payload;
    (ii) Type of launch or reentry vehicle;
    (iii) Type or quantity of hazardous material;
    (iv) Flight trajectory;
    (v) Launch site or reentry site or other landing site; or
    (vi) Any system, policy, procedure, requirement, criteria, or 
standard that is safety critical.
    (b) An application to modify a license must be prepared and 
submitted in accordance with part 413 of this chapter. If requested 
during the application process, the FAA may approve an alternate method 
for requesting license modifications. The licensee must indicate any 
part of its license or license application that would be changed or 
affected by a proposed modification.
    (c) Upon approval of a modification, the FAA issues either a 
written approval to the licensee or a license order amending the 
license if a stated term or condition of the license is changed, added, 
or deleted. An approval has the full force and effect of a license 
order and is part of the licensing record.


Sec.  450.213  Preflight reporting.

    (a) Preflight reporting methods. An operator must send the 
information in this section as an email attachment to 
[email protected], or other method as agreed to by the 
Administrator in the license.
    (b) Mission information. A licensee must submit to the FAA the 
following mission-specific information not less than 60 days before 
each mission conducted under the license, unless the Administrator 
agrees to a different time frame in accordance with Sec.  404.15 of 
this chapter in the license, except when the information was provided 
in the license application:
    (1) Payload information in accordance with Sec.  450.43(i); and
    (2) Flight information, including the vehicle, launch site, planned 
flight path, staging and impact locations, each payload delivery point, 
intended reentry or landing sites including any contingency abort 
location, and the location of any disposed launch or reentry vehicle 
stage or component that is deorbited.
    (c) Flight safety analysis products. An operator must submit to the 
FAA updated flight safety analysis products, using previously-approved 
methodologies, for each mission no less than 30 days before flight, 
unless the Administrator agrees to a different time frame in accordance 
with Sec.  404.15 of this chapter in the license.
    (1) An operator is not required to submit the flight safety 
analysis products if--
    (i) The analysis submitted in the license application satisfies all 
the requirements of this section; or
    (ii) The operator demonstrated during the application process that 
the analysis does not need to be updated to account for mission-
specific factors.
    (2) If the operator is required to submit the flight safety 
analysis products, the operator--
    (i) Must account for vehicle and mission specific input data;
    (ii) Must account for potential variations in input data that may 
affect any analysis product within the final 30 days before flight;
    (iii) Must submit the analysis products using the same format and 
organization used in its license application; and
    (iv) May not change an analysis product within the final 30 days 
before flight unless the operator has a process, approved in the 
license, for making a change in that period as part of the operator's 
flight safety analysis process.
    (d) Flight safety system test data. Any licensee that is required 
to use a flight safety system to protect public safety as required by 
Sec.  450.101(c) must submit to the FAA, or provide the FAA access to, 
any test reports, in accordance with approved flight safety system test 
plans, no less than 30 days before flight, unless the Administrator 
agrees to a different time frame in accordance with Sec.  404.15 of 
this chapter in the license. These reports must include:
    (1) A summary of the system, subsystem, and component-level test 
results, including all test failures and corrective actions 
implemented;
    (2) A summary of test results demonstrating sufficient margin to 
predicted operating environments;
    (3) A comparison matrix of the actual qualification and acceptance 
test levels used for each component in each test compared against the 
predicted flight levels for each environment, including any test 
tolerances allowed for each test; and
    (4) A clear identification of any components qualified by 
similarity analysis or a combination of analysis and test.
    (e) Collision avoidance analysis. In accordance with Sec.  
450.169(f), at least 15 days before the first attempt at the flight of 
a launch vehicle or the reentry of a reentry vehicle, or at least 12 
hours prior to the beginning of a new launch or reentry window due to a 
launch or reentry delay, unless the Administrator agrees to a different 
time frame in accordance with Sec.  404.15 of this chapter, a licensee 
must submit to a Federal entity identified by the FAA and the FAA the 
collision avoidance information in appendix A to this part.
    (f) Launch or reentry schedule. A licensee must file a launch or 
reentry schedule that identifies each review, rehearsal, and safety-
critical operation. The schedule must be filed and updated in time to 
allow FAA personnel to participate in the reviews, rehearsals, and 
safety-critical operations.


Sec.  450.215  Post-flight reporting.

    (a) An operator must submit to the FAA the information in paragraph 
(b) of this section no later than 90 days after a launch or reentry, 
unless the Administrator agrees to a different time frame in accordance 
with Sec.  404.15 of this chapter.
    (b) An operator must send the following information as an email 
attachment to [email protected], or other method as agreed to by 
the Administrator in the license:
    (1) Any anomaly that occurred during countdown or flight that is 
material to

[[Page 15444]]

public health and safety and the safety of property;
    (2) Any corrective action implemented or to be implemented after 
the flight due to an anomaly or mishap;
    (3) The number of humans on board the vehicle;
    (4) The actual trajectory flown by the vehicle, if requested by the 
FAA; and
    (5) For an unguided suborbital launch vehicle, the actual impact 
location of all impacting stages and impacting components, if requested 
by the FAA.


Sec.  450.217  Registration of space objects.

    (a) To assist the U.S. Government in implementing Article IV of the 
1975 Convention on Registration of Objects Launched into Outer Space, 
each licensee must submit to the FAA the information required by 
paragraph (b) of this section for all objects placed in space by a 
licensed launch, including a launch vehicle and any components, except 
any object owned and registered by the U.S. Government.
    (b) For each object that must be registered in accordance with this 
section, not later than 30 days following the conduct of a licensed 
launch, an operator must file the following information:
    (1) The international designator of the space object;
    (2) Date and location of launch;
    (3) General function of the space object;
    (4) Final orbital parameters, including:
    (i) Nodal period;
    (ii) Inclination;
    (iii) Apogee; and
    (iv) Perigee; and
    (5) Ownership, and country of ownership, of the space object.
    (c) A licensee must notify the FAA when it removes an object that 
it has previously placed in space.


Sec.  450.219  Records.

    (a) Except as specified in paragraph (b) of this section, a 
licensee must maintain for 3 years all records, data, and other 
material necessary to verify that a launch or reentry is conducted in 
accordance with representations contained in the licensee's 
application, the requirements of subpart C of this part and this 
subpart, and the terms and conditions contained in the license.
    (b) In the event of a class 1 or class 2 mishap, as defined in 
Sec.  401.5 of this chapter, a licensee must preserve all records 
related to the event. Records must be retained until completion of any 
Federal investigation and the FAA advises the licensee that the records 
need not be retained. The licensee must make all records required to be 
maintained under the regulations available to Federal officials for 
inspection and copying.

Appendix A to Part 450--Collision Analysis Worksheet

    (a) Launch or reentry information. An operator must file the 
following information:
    (1) Mission name and launch location. A mnemonic given to the 
launch vehicle/payload combination identifying the launch mission 
from all others. Launch site location in latitude and longitude;
    (2) Launch or reentry window. The launch or reentry window 
opening and closing times in Greenwich Mean Time (referred to as 
ZULU time) and the Julian dates for each scheduled launch or reentry 
attempts including primary and secondary launch or reentry dates;
    (3) Epoch. The epoch time, in Greenwich Mean Time (GMT), of the 
expected launch vehicle liftoff time;
    (4) Segment number. A segment is defined as a launch vehicle 
stage or payload after the thrusting portion of its flight has 
ended. This includes the jettison or deployment of any stage or 
payload. For each segment, an operator must determine the orbital 
parameters;
    (5) Orbital parameters. An operator must identify the orbital 
parameters for all objects achieving orbit including the parameters 
for each segment after thrust end (such as SECO-1 and SECO-2);
    (6) Orbiting objects to evaluate. An operator must identify all 
orbiting object descriptions including object name, length, width, 
depth, diameter, and mass;
    (7) Time of powered flight and sequence of events. The elapsed 
time in hours, minutes, and seconds, from liftoff to passivation or 
disposal. The input data must include the time of powered flight for 
each stage or jettisoned component measured from liftoff; and
    (8) Point of contact. The person or office within an operator's 
organization that collects, analyzes, and distributes collision 
avoidance analysis results.
    (b) Collision avoidance analysis results transmission medium. An 
operator must identify the transmission medium, such as voice or 
email, for receiving results.
    (c) Deliverable schedule/need dates. An operator must identify 
the times before flight, referred to as ``L-times,'' for which the 
operator requests a collision avoidance analysis. The final 
collision avoidance analysis must be used to establish flight commit 
criteria for a launch.
    (d) Trajectory files. Individual position and velocity 
trajectory files, including:
    (1) The position coordinates in the Earth-Fixed Greenwich (EFG) 
coordinates coordinate system measured in kilometers and the EFG 
velocity components measured in kilometers per second, of each 
launch vehicle stage or payload starting below 150 km through 
screening time frame;
    (2) Radar cross section values for each individual file;
    (3) Covariance, if probability of impact analysis option is 
desired; and
    (4) Separate trajectory files identified by valid window time 
frames, if launch or reentry trajectory changes during launch or 
reentry window.
    (e) Screening. An operator must select spherical, ellipsoidal, 
or collision probability screening as defined in this paragraph (e) 
for determining any conjunction:
    (1) Spherical screening. Spherical screening centers a sphere on 
each orbiting object's center-of-mass to determine any conjunction;
    (2) Ellipsoidal screening. Ellipsoidal screening utilizes an 
impact exclusion ellipsoid of revolution centered on the orbiting 
object's center-of-mass to determine any conjunction. An operator 
must provide input in the UVW coordinate system in kilometers. The 
operator must provide delta-U measured in the radial-track 
direction, delta-V measured in the in-track direction, and delta-W 
measured in the cross-track direction; or
    (3) Probability of Collision. Collision probability is 
calculated using position and velocity information with covariance 
in both position and velocity.

    Issued under authority provided by 49 U.S.C. 106(f) and 51 
U.S.C. chapter 509 in Washington, DC, on March 22, 2019.
Wayne R. Monteith,
Associate Administrator, Office of Commercial Space Transportation.
[FR Doc. 2019-05972 Filed 4-12-19; 8:45 am]
 BILLING CODE 4910-13-P

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.