FAA Approach to Human Space Flight Regulations For Occupant Safety on Orbital Missions Federal Aviation Administration Jim Van Laak Deputy Associate Administrator,

FAA Approach to Human Space Flight Regulations

For Occupant Safety on Orbital Missions

Federal AviationAdministration

Jim Van Laak

Deputy Associate Administrator, FAA Office of Commercial Space Transportation (FAA/AST)

Date: May 26, 2011

FAA Approach for Development of Human Space Flight Regulations

April 8, 2011


2

Agenda

• Introduction– Mission Perspective

– Resulting Approach

• Proposed Approach for Occupant Safety– Process Based Approach

– Human Capabilities

– Human Limitations

– Core System Requirements

• Conclusion


April 8, 2011


Introduction

• NASA’s pursuit of commercial crew transportation is jumpstarting commercial orbital human sector

• Expected growth requires review of applicable FAA regulations

– Historical accident/incident rate is significant

– FAA licensing of NASA launches is likely

– FAA licensing of all non-governmental launches is certain

• Highly desirable that systems be designed both for NASA missions and commercial customers– Industry has requested that NASA and FAA work together to ensure

compatibility between their requirements

• This briefing outlines tentative approach to FAA licensing of commercial orbital human space flight– Content is preliminary but maturing daily

– Extensive coordination with NASA will continue

2


April 8, 2011


• NASA and FAA approaches to human safety are based on their respective missions

• Different missions lead to different approaches– NASA:

• Is a customer with a system level need (support ISS)• This translates to detailed system requirements• NASA has its own requirements for the safety of its crews• Is willing and able to pay for top quality systems

– FAA:• Is the regulator for a new, broad and varied industry• Is charged with allowing the industry to develop• Is focused only on the safety of public and spacecraft occupants

• Mission success is launch customer’s requirement

• Results in regulations that are more general and performance based

Mission Perspective

3


April 8, 2011


Resulting Approach

• FAA approach to regulation must:– Use a phased implementation as industry matures

– Be flexible to enable multiple customers

– Be performance based to support innovation

– Implement critical safety lessons learned from past programs

– Reward success without penalizing benign failure

– Apply enforcement as required for violations

• FAA and NASA together should:– Identify system elements and operations critical to safety

– Agree on characteristics of satisfactory design solutions

– Clearly distinguish safety from mission assurance

4


April 8, 2011


Proposed Regulatory Approachto

Occupant Safety

5


April 8, 2011


7

• This briefing describes the FAA’s planned approach to regulating orbital human space flight– Seeks balance between process and design requirements– Offers minimum core requirements for the safety of occupants

• Note: Current FAA regulations use the terms crew and space flight participant – This document will use occupants to include all humans on board– Those with mission execution roles will be called crew

• Proposed FAA requirements (regulations) intended to be:– Technically sound and attainable– Focused on occupant safety and not mission assurance– Verifiable– Compatible with more prescriptive NASA requirements

• Apply to the human space flight system– Launch vehicle, crewed element and portions of ground segment

General


April 8, 2011


Dual Approach

• Two parts – process and core requirements– Process requirements require applicants to:

• Use a system safety process for hazard analysis and risk assessment

• Use human integration processes to manage capabilities and limitations

• Validate and verify requirements

• Maintain a “spaceworthy” system

– Core safety requirements are minimum credible values for:• Cabin environment for human safety

• Space system reliability

• Human capabilities must match the tasks they are to perform

7


April 8, 2011


Process-Based Requirements: (Note 1)

Implement System Safety Process - Conduct hazard analyses and risk assessment Human Integration Process - Assess human capabilities and limitations and apply that info. (anthropometric, biomechanical, and ergonomics data) in space system design, development, and operations Validate and Verify requirements (e.g., testing, analysis) Ensure “Spaceworthiness” - Maintain/refurbish space system - Implement Quality Management System - Establish Configuration Management System - Establish Sustaining Engineering Process

Human Capability Requirements (Occupants must be capable of performing safety critical functions)

Human Limitation Requirements (Occupants must be able to survive natural and man-made environments)

Space System Requirements (Launch or reentry vehicle must provide a safe, habitable environment for occupants)

Occupant (flight crew and non-crew member) trainingManual vs automated control? (Note 3) Ground command and control support (Note 3) Operating procedures

Environmental control (pressure, thermal) Acceleration, shock, vibration Acoustic Radiation Sustenance (food and water) Hygiene & waste Occupant health and rest

Failure tolerance Anomaly detection and response Contingency capabilities and/or escape Emergency equipment - Pressure suit? (Note 3) Structures (including crashworthiness) Standards (e.g., M&P, design, manufacturing) Infrastructure (pads, control centers, networks) Operations planning, training, and execution

Note 2 Note 2

FAA PROPOSED REGULATORY APPROACH FOR OCCUPANT SAFETY

9


April 8, 2011


10

FIGURE 1: FAA PROPOSED REGULATORY APPROACH FOR OCCUPANT SAFETY (CONT.)

Notes:1. These processes should drive design and operation of the system without FAA

prescriptive requirements. In a few cases FAA will specify minimum acceptable requirements such as failure tolerance.

2. Most of these core safety requirements arise from combining well established standards with system design. Human capabilities and limitations (such as those defined in NASA Std 3000 and other documents) combine with system design to produce a safe operation.

3. Applicant’s human factors and system safety analyses will determine requirements for some design features: manual or automated control; ground command and control; need for a pressure suit. FAA will be evaluating applicant’s processes as well as the results of analyses and tests.


April 8, 2011


Detailed Examples

Note: The following charts capture the current FAA approach to significant

requirements. These requirements are in addition to requirements to protect public safety. The language does not reflect final regulatory text.

11


April 8, 2011


Process Based Requirements

11


April 8, 2011


13

System Safety Process

Applicant must document and implement a System Safety Process which includes conducting hazard

analyses and risk assessments for occupant safety.


April 8, 2011


System Safety – Hazard Analysis

• Applicant must identify and characterize each hazard and assess risk to occupant health and safetya. Identify and describe hazards

b. Characterize risk for each hazard before risk elimination or mitigation

c. Define measures of risk acceptability

d. Identify risk mitigation measures required to satisfy paragraph (c)

e. Verify design performance through test, inspection or analysis

• Applicant must ensure the continued accuracy and validity of its hazard analyses throughout the system’s operational life

13


April 8, 2011


System Safety – Risk Assessment

• Applicants must perform and document an integrated risk assessment describing the total risk of the mission

• The results of this assessment will be used to:– Identify dominant sources of risk to target mitigation

– Guide test and verification efforts

– Inform occupants of the risks they are accepting

• Quantitative and/or qualitative methods may be used• Input data and assumptions must be documented

14


April 8, 2011


16

System Safety – Sustaining Engineering

• Maintain surveillance of system performance relative to design requirements and ensure continuing compliance

• Perform an updated risk assessment when there are safety critical changes to the vehicle design, operation, or maintenance.

• Record each significant system anomaly and report those that affect a safety-critical element.– Identify root causes of each significant anomaly and inform the FAA of

any corrective actions.


April 8, 2011


17

Document and implement a process for assessing human capabilities and limitations and apply that information to the

space system design, development, and operations to ensure occupant safety.

Human Integration Process


April 8, 2011


18

Human Integration Process

• Environmental Analysis Process– Ensure anticipated environment permits planned activity– Ergonomic considerations must be accommodated– Evaluate expected vibration/load environment and assess human

performance capability– Identify when an unsurvivable environment can occur in the vehicle

and implement controls to minimize the probability of occurrence.

• Task Allocation Process– Tasks allocated to humans must be suitable for humans functioning in

the anticipated environment.

• Human/Machine Interface Requirements– Design all human/machine interfaces to control risk of inadvertent,

inaccurate, or mistaken command inputs– Assess how vehicle and its systems allow consistent and effective

control throughout the flight environment


April 8, 2011


19

Implement a process for validating and verifying safety critical requirements.

Validation and Verification


April 8, 2011


20

Validation and Verification (V&V)

• Use systems engineering processes for requirement definition and control

• Show traceability from each safety critical requirement to its verification, from the component to the system level.

• Submit a master test plan including: scope, methods, environments, groundrules and assumptions, predicted results, and data requirements.

• Provide a final test report that summarizes the test results for safety critical system elements.

• Document verification that safety critical requirements have been met.

• Demonstrate that software has been verified prior to beginning hazardous operations.


April 8, 2011


21

Verification and Validation (V&V)

Successfully verify the system’s integrated performance in an operational flight environment before flying a space flight participant. Verification must include flight testing. [§ 460.17]

– *Operator must specify the objectives, procedures, type and number of tests, and success criteria for the flight test program. Flight test objectives must:

• Verify the integrated performance of the launch/reentry vehicle system hardware, software, and the human, in the operational flight environment;

• Define and validate the boundaries for acceptable operation; and• Verify the analytical models used to predict the system performance

across the operating envelopes.

– *Operator must demonstrate the safety-critical nominal functions in an operational flight environment before flying non-crewmembers. Safety-related flight parameters must be recorded to enable correlation between predictions and actual flight test data.

* This adds more specificity to § 460.17


April 8, 2011


22

Document and implement processes to ensure system “spaceworthiness” to include:• Maintaining/refurbishing elements of the flight system• Implementing a quality management system• Implementing a configuration management system

Ensure “Spaceworthiness”


April 8, 2011


Maintenance/Refurbishment/Quality

• Prior to each flight the operator must:– Ensure the system is safe for the planned flight

– Ensure that the system meets the performance characteristics defined in its license application

– Repair defects in accordance with applicable regulations and the license holder’s spaceworthiness program

• Third parties may be employed for refurbishment, maintenance, preventative maintenance and alteration– The operator remains responsible to ensure work complies with the

spaceworthiness program

22


April 8, 2011


24

Configuration Management

• Operator must have Quality and Configuration Management Systems commensurate with the complexity of the mission and system to ensure that system remains in a known, tested configuration. – Must cover the system and its operations from design through

operation and refurbishment (if applicable).

– Hardware and software requirements, designs, “as built” configurations, and associated operations must remain controlled and traceable.


April 8, 2011


25

Occupants must be capable of performing safety critical functions.

Note: Operator must take into consideration the capabilities of occupants to safely perform critical functions under nominal and non-nominal conditions.

Human Capability Requirements


April 8, 2011


Human Factors [§ 460.15]

• The operator must account for human factors in safety critical activities including:– Design and layout of displays and controls

– Thermal, acoustic, acceleration and vibratory environment

– Type and degree of automation;

– Restraint of all individuals and objects in the vehicle

25


April 8, 2011


27

Task Analysis and Allocation

• The applicant must analyze the system characteristics and detailed system hazard and performance assessment to determine appropriate levels of: – Automated vs human-in-the-loop operations

– Manual override capability

– Ground support (capability to remotely monitor, operate, and control space system).


April 8, 2011


Operations Planning and Products

• Operators must implement an effective operations program to:– Develop plans, procedures, training and oversight

– Control hazards

– Respond to contingencies

– Comply with system limitations through mission design

• Products include:– Training requirements and products

– Mission planning products including procedures and checklists

– Mission rules

– Contingency plans

27


April 8, 2011


29

Crew Qualifications and Training [§ 460.5]

• Each crew must successfully complete training on ground and flight responsibilities

• Training must include nominal and off-nominal conditions including:– Abort scenarios

– Emergency egress

– In flight emergency operations. • Flight crew must demonstrate an ability to function under the

stresses of space flight:– Acceleration or deceleration, microgravity, and vibration

– Function while wearing appropriate safety equipment (oxygen mask, pressure suit, etc.)


April 8, 2011


30

Crew Qualifications and Training [§ 460.5] (cont)

• Pilots must— – Hold an FAA pilot certificate with instrument rating. – Receive vehicle and mission-specific training for each phase of flight

using one or more of the following• A simulator;• An aircraft whose characteristics are similar to the vehicle or that has

similar phases of flight to the vehicle ; • Flight testing; or• An equivalent method of training approved by the FAA

– Train in procedures that direct the vehicle away from the public in the event the occupants abandon the vehicle during flight; and

– Train for each mode of control or propulsion, including any transition between modes, such that the pilot is able to control the vehicle.


April 8, 2011


31

Security [§ 460.53]

• Security– An operator must implement security requirements to prevent any

space flight participant from jeopardizing the safety of other occupants (flight crew and non-crew members) or the public.


April 8, 2011


32

The spacecraft environment must be verified as suitable for human occupancy, including low risk of

injury and compatibility with required functions.

Human Limitation Requirements


April 8, 2011


33

ECLSS [§ 460.11]

• Operator must provide atmospheric conditions adequate to sustain life and consciousness for all inhabited areas within a vehicle.

• Operator must provide means to monitor and control the following environmental conditions in the inhabited areas or demonstrate an equivalent level of safety: – Composition of the atmosphere – Pressure, temperature and humidity– Contaminants that include particulates and any harmful or hazardous

concentrations of gases, or vapors; and – Ventilation and circulation.


April 8, 2011


34

Occupant Health

• For occupant health and safety, the space system must– Provide sufficient consumables and sustenance (food and potable

water) for the mission with consideration of contingency scenarios (e.g., delays associated with deorbit, emergency recovery associated with non-nominal landings)

– Provide for personal hygiene activities/supplies and waste management if applicable.


April 8, 2011


35

Medical Standard for Crew [§ 460.5(b) and (e)]

• Each crew member on an orbital mission with a safety-critical role must possess and carry an FAA first-class airman medical certificate

• Additional requirement:

– Demonstrate an ability to withstand the stresses of space flight, which may include high acceleration or deceleration, microgravity, and vibration, in sufficient condition to safely carry out his or her duties so that the vehicle will not harm the public or those on board.


April 8, 2011


36

Health–Medical

• Operators must develop a Medical Screening Program for non-crew occupants.

• Operator must implement a radiation occupational exposure program to ensure that its orbital flight crew do not individually exceed accumulated radiation doses per OSHA standards.– Orbital flight crew must wear personal radiation dosimeters.


April 8, 2011


37

The launch or reentry vehicle must provide a safe, habitable environment for occupants, and provide, to the

extent practical, the capability to safely recover from hazardous situations.

Space System Core Requirements


April 8, 2011


38

Failure Tolerance

• Minimum Level of Failure Tolerance– The space system must control hazards that can lead to serious injury

or loss of life with no less than single failure tolerance, except for areas approved to use Design for Minimum Risk (DFMR) criteria.

– Design for Minimum Risk controls risk through approved standards, margins, test and verification to enhance reliability to the maximum extent practicable.

– The minimum failure tolerance may not depend on the use of in-flight maintenance, including EVA, emergency equipment, abort systems including launch escape systems, or other emergency operations.


April 8, 2011


39

Failure Tolerance (cont)

• Potential Additional Levels of Failure Tolerance– Integrated analysis of the design and operations must ensure the

validity of the claimed failure tolerance

– In some cases additional levels of failure tolerance may be required based on limited system reliability or other hazard characteristics.

• Operator Error– The space system must be designed to tolerate a minimum of one

inadvertent operator action, as identified by a human error analysis, without causing a casualty.


April 8, 2011


40

Failure Tolerance (cont)

• Verification of Failure Tolerance– Failure tolerance for safety critical hazards must be verified by an

integrated analysis, using a system-level Hazard Analysis and a Failure Modes and Effects Analysis to show compliance with the approved level of failure tolerance.

• Failure tolerance requirement does not apply to primary structure, pressure vessel walls, and pressurized lines– Catastrophic failures must be controlled through approved standards

and margins.


April 8, 2011


41

ECLSS [§ 460.11]

• Operator must provide an adequate redundant or secondary oxygen supply for the flight crew.

• Operator must – Provide a redundant means of preventing cabin depressurization*; or – Prevent incapacitation of any of the flight crew in the event of loss of

cabin pressure.

*A full pressure suit is an acceptable means for meeting this; however, requirement for a pressure suit depends on the specific vehicle design based on system safety and human factors analyses.


April 8, 2011


42

Structures – Factors of Safety

• Structures must withstand all design loads and thermal environments without yield or detrimental deformation.

• Primary structure must be designed with an adequate factor of safety to:– Survive a limit-load scenario, at design temperature, after being

subjected to design fatigue life. – Survive design life without failure. Maintain a positive margin of safety

under combined loads, pressures, and accompanying environments

• Specifications for materials, fabrication processes, and material testing techniques must ensure compliance with the engineering requirements. – Processes must assure that production parts conform to the design– Materials inspection processes must verify materials meet

performance requirements

• Potential Specification of minimum factors of safety is TBD


April 8, 2011


43

Anomaly Detection and Response

• The space system must provide the following capability to detect and annunciate significant anomalies that affect critical systems, subsystems, and/or occupant health.– Identify and annunciate catastrophic events

– Provide real-time monitoring of safety-critical measurements

– Detect a pre-determined set of failure or degraded conditions.

– Control hazards and risks for which system response is used to mitigate the hazard.

– If the design life includes multiple missions, appropriate means must be provided to ensure compliance with minimum performance requirements.


April 8, 2011


44

Isolation and Recovery

• The space system must maximize the capability to isolate and/or recover from faults capable of causing a catastrophic event.

• The Anomaly Detection System must identify incipient failures within the time constraints for system response, including human response if applicable


April 8, 2011


45

Contingency Response or Escape System

• Operator must have contingency responses including abort and/or an escape system across the mission profile:– Vehicle abort systems must automatically detect incipient failures and

determine the need for a time critical abort, such as during ascent.

– If a Range Safety System is installed, system must initiate abort sequence prior to destruction of launch vehicle to ensure occupant survival

– The space system should allow contingency reentry with minimum lead time


April 8, 2011


46

Emergency Equipment

• Operator or crew must have the ability to detect smoke and suppress a cabin fire.

• Space System must provide capability for occupants to respond to emergency situations. This includes the following:– Contingency breathing apparatus for protection from fire/smoke, toxic

atmosphere, or reduced cabin pressure – First aid kit– Pressure suit or personal protective equipment (if applicable)– Emergency lighting– Fire suppression system– Search and rescue/recovery aids– Occupant survival kit to support occupants following an off-nominal

landing.


April 8, 2011


Support Systems

• Operator must provide support systems necessary for occupant safety. These support systems may include:– Communications facilities

– Weather reporting facilities

– Mission control centers

– Landing and alternate landing facilities, including appropriate rescue, emergency medical, and firefighting services

46


April 8, 2011


48

Conclusion

• The proposed regulatory approach relies upon– Process-based requirements that provide flexibility to design, develop,

and operate efficiently

– Minimal set of core safety requirements pertaining to Human Capabilities, Human Limitations, and Space System.

– Utilizes robust abort and crew escape provisions to enable relaxed system reliability

• FAA/AST looks forward to inputs from industry– Lessons learned

– Innovative techniques

– Experience based recommendations

Documents

FAA Approach to Human Space Flight Regulations For Occupant Safety on Orbital Missions Federal Aviation Administration Jim Van Laak Deputy Associate Administrator,