§ 417.405 Ground safety analysis.
(a) A launch operator must perform a ground safety analysis for launch vehicle hardware, ground hardware including launch site and ground support equipment, launch processing, and post-launch operations at a launch site in the United States. The requirements of this section apply to the performance of the ground safety analysis and to the ground safety analysis products that a launch operator must file with the FAA as required by § 417.402(d). This analysis must identify each potential hazard, each associated cause, and each hazard control that a launch operator must establish and maintain to keep each identified hazard from affecting the public. A launch operator must incorporate the launch site operator's systems and operations involved in ensuring public safety into the ground safety analysis.
(b) Technical personnel who are knowledgeable of launch vehicle systems, launch processing, ground systems, operations, and their associated hazards must prepare the ground safety analysis. These individuals must be qualified to perform the ground safety analysis through training, education, and experience.
(c) A launch operator must ensure personnel performing a ground safety analysis or preparing a ground safety analysis report will have the cooperation of the entire launch operator's organization. A launch operator must maintain supporting documentation and it must be available upon request.
(d) A launch operator must:
(1) Begin a ground safety analysis by identifying the systems and operations to be analyzed;
(2) Define the extent of each system and operation being assessed to ensure there is no miscommunication as to what the hazards are, and who, in a launch operator's organization or other organization supporting the launch, controls those hazards; and
(3) Ensure that the ground safety analysis accounts for each launch vehicle system and operation involved in launch processing and post-launch operations, even if only to show that no hazard exists.
(e) A ground safety analysis need not account for potential hazards of a component if a launch operator demonstrates that no hazard to the public exists at the system level. A ground safety analysis need not account for an operation's individual task or subtask level if a launch operator demonstrates that no hazard to the public exists at the operation level. A launch operator must provide verifiable controls for hazards that are confined within the boundaries of a launch operator's facility to ensure the public will not have access to the associated hazard area while the hazard exists.
(f) A launch operator must identify each potential hazard, including non-credible hazards. The probability of occurrence is not relevant with respect to identifying a hazard. Where an assertion is made that no hazard exists for a particular system or operation, the ground safety analysis must provide the rationale. A launch operator must identify the following hazards of each launch vehicle system, launch site and ground support equipment, launch processing, and post-launch operations:
(1) System hazards, including explosives and other ordnance, solid and liquid propellants, toxic and radioactive materials, asphyxiants, cryogens, and high pressure. System hazards generally exist even when no operation is occurring; and
(2) Operation hazards derived from an unsafe condition created by a system, operating environment, or an unsafe act.
(g) A launch operator must categorize identified system and operation hazards as follows:
(1) Public hazard. A hazard that extends beyond the launch location under the control of a launch operator. Public hazards include the following:
(i) Blast overpressure and fragmentation resulting from an explosion;
(ii) Fire and deflagration, including hazardous materials such as radioactive material, beryllium, carbon fibers, and propellants. A launch operator must assume that in the event of a fire, hazardous smoke from systems containing hazardous materials will reach the public;
(iii) Sudden release of a hazardous material into the air, water, or ground; and
(iv) Inadvertent ignition of a propulsive launch vehicle payload, stage, or motor.
(2) Launch location hazard. A hazard that stays within the confines of the location under the control of a launch operator but extends beyond individuals doing the work. The confines may be bounded by a wall or a fence line of a facility or launch complex, or by a fenced or unfenced boundary of an entire industrial complex or multi-user launch site. A launch location hazard may affect the public depending on public access controls. Launch location hazards that may affect the public include the hazards listed in paragraphs (g)(1)(i)-(iv) of this section and additional hazards in potentially unsafe locations accessible to the public such as:
(i) Unguarded electrical circuits or machinery;
(ii) Oxygen deficient environments;
(iii) Falling objects;
(iv) Potential falls into unguarded pits or from unguarded elevated work platforms; and
(v) Sources of ionizing and non-ionizing radiation such as x-rays, radio transmitters, and lasers.
(3) Employee hazard. A hazard to individuals performing a launch operator's work, but not to other people in the area. A launch operator must comply with all applicable Federal, state, and local employee safety regulations. A launch operator's ground safety analysis must identify employee hazards and demonstrate that there are no associated public safety issues.
(4) Non-credible hazard. A hazard for which possible adverse effects on people or property would be negligible and where the possibility of adverse effects on people or property is remote. A launch operator's ground safety analysis must identify non-credible hazards and demonstrate that the hazard is non-credible.
(h) A ground safety analysis must identify each hazard cause for each public hazard and launch location hazard. The ground safety analysis must account for conditions, acts, or chain of events that can result in a hazard. The ground safety analysis must account for the possible failure of any control or monitoring circuitry within hardware systems that can cause a hazard.
(i) A ground safety analysis must identify the hazard controls to be established by a launch operator for each hazard cause identified in paragraph (h) of this section. A launch operator's hazard controls include the use of engineering controls for the containment of hazards within defined areas and the control of public access to those areas.
(j) A launch operator must verify all information in a ground safety analysis, including design margins, fault tolerance and successful completion of tests. A launch operator must:
(1) Trace any identified hardware to an engineering drawing or other document that describes hardware configuration;
(2) Trace any test or analysis used in developing the ground safety analysis to a report or memorandum that describes how the test or analysis was performed;
(3) Ensure the accuracy of the test or analysis and the associated results;
(4) Trace any procedural hazard control identified to a written procedure, and approved by the person designated under § 417.103(b)(2) or the person's designee, with the paragraph or step number of the procedure specified;
(5) Identify a verifiable hazard control for each hazard; if a hazard control is not verifiable, a launch operator may include it as an informational note on the hazard analysis form;
(6) For each hazard control, reference a released drawing, report, procedure or other document that verifies the existence of the hazard control; and
(7) Maintain records, as required by § 417.15, of the documentation that verifies the information in the ground safety analysis.
(k) A launch operator must ensure the continuing accuracy of its ground safety analysis. The analysis of systems and operations must not end upon submission of a ground safety analysis report to the FAA during the license application process. A launch operator must analyze each new or modified system or operation for potential hazards that can affect the public. A launch operator must ensure that each existing system and operation is subject to continual scrutiny and that the information in a ground safety analysis report is kept current.