
NASA Procedures and Guidelines

This Document is Obsolete and Is No Longer Used.
Check the NODIS Library to access the current version:
http://nodis3.gsfc.nasa.gov


NPR 8715.3B
Effective Date: April 04, 2007
Cancellation Date:
Responsible Office: GA

NASA General Safety Program Requirements


NASA Requirement Waiver for NPR 8715.3 General Safety Program Requirements, Paragraph 3.11, NRW 8715-1

Table of Contents

Preface

P.1 Purpose
P.2 Applicability
P.3 Authority
P.4 References
P.5 Cancellation

Chapter 1. Institutional and Programmatic Safety Requirements

1.1 Overview of the NASA Safety Program
1.2 NASA General Safety Program Roles and Responsibilities
1.3 Public Safety
1.4 Institutional Roles and Responsibilities in the NASA Safety Program
1.5 Program Management Roles and Responsibilities in the NASA Safety Program
1.6 Risk Assessment and Risk Acceptance
1.7 Technical Safety Requirements for NASA-Unique Designs and Operations
1.8 SMA Program Reviews
1.9 Advisory Panels, Committees, and Boards
1.10 Coordination with Organizations External to NASA
1.11 Safety Motivation and Awards Program
1.12 Safety Management Information
1.13 Safety Variances

Chapter 2. System Safety

2.1 Introduction
2.2 Institutional Roles and Responsibilities
2.3 System Safety Framework
2.4 Scope of the System Safety Modeling
2.5 Core Requirements for System Safety Process
2.6 System Safety Reviews
2.7 Change Review
2.8 Documentation

Chapter 3. Operational Safety

3.1 Purpose and Objectives
3.2 Motor Vehicle Safety
3.3 Personal Protective Equipment
3.4 Control of Hazardous Energy (Lockout/Tagout Program)
3.5 Pressure System Safety
3.6 Electrical Safety
3.7 Hazardous Material Transportation, Storage, and Use
3.8 Hazardous Operations
3.9 Laboratory Hazards
3.10 Lifting Safety
3.11 Explosive, Propellant, and Pyrotechnic Safety
3.12 Underwater Operations Safety
3.13 Launch, Entry, and Experimental Aeronautical Vehicle Operations Safety
3.14 Test Operations Safety
3.15 Non-Ionizing Radiation
3.16 Ionizing Radiation
3.17 Confined Spaces

Chapter 4. Aviation Safety

4.1 Purpose and Scope
4.2 Aviation Safety Program Responsibilities
4.3 Interfaces with Other Agencies

Chapter 5. Fire Safety

5.1 Purpose, Goals, and Objectives
5.2 Responsibilities
5.3 Fire Safety Program
5.4 Fire Protection Systems
5.5 Firefighting
5.6 Emergency (Pre-Fire) Planning and Procedures
5.7 Fire Safety Training
5.8 Reporting
5.9 Current Regulations, Codes, and Standards and Variances

Chapter 6. Nuclear Safety for Launching of Radioactive Materials

6.1 Purpose
6.2 Responsibilities
6.3 Nuclear Launch Safety Approval Process
6.4 Report Requirements

Chapter 7. Safety Training and Personnel Certification

7.1 Purpose
7.2 Responsibilities
7.3 Planning and Implementation of the Safety Training Program
7.4 Personnel Safety Certification Programs for Potentially Hazardous Operations and Materials
7.5 Mission Critical Personnel Reliability Program (PRP)
7.6 Hazardous Materials and Chemicals Risk Information
7.7 Exclusions

Chapter 8. Safety for Facility Acquisition, Construction, Activation, and Disposal

8.1 Purpose
8.2 Roles and Responsibilities
8.3 Facility Acquisition, Construction, and Activation Objectives
8.4 Basic Requirements for Facility Acquisition, Construction, and Activation
8.5 Facility Managers
8.6 Facility Safety Management Plan

Chapter 9. Safety and Risk Management for NASA Contracts

9.1 Purpose
9.2 Applicability and Scope
9.3 Authority and Responsibility
9.4 Requirements
9.5 Access to NASA Facilities by State and Federal Compliance Safety and Health Officers
9.6 Contractor Citations
9.7 Grants

Chapter 10. Process/Requirements for the SMA Portion of Requests for Liability Insurance or Indemnification of EAV Developers

10.1 Introduction
10.2 Responsibility
10.3 EAV SMA Assessment Reviews
10.4 SMA Review Process Products

Appendices

A. Acronym and Abbreviation List
B. Glossary of Safety and Risk Management Terms
C. Safety Motivation and Awards Program
D. Activity and Radioactive Material Limits: Basic A1/A2 Values
E. Sample Safety and Health Plan for Service or Operations Contracts
F. Sample System Safety Technical Plan for Systems Acquisition, Research, and Development Programs
G. Aviation Safety Panel
H. NASA Operations and Engineering Panel for Facilities


Change History

NPR 8715.3, NASA General Safety Program Requirements

Change No. Date Description

Preface

P.1 Purpose

a. This NASA Procedural Requirements (NPR) provides the basis for the NASA Safety Program and serves as a general framework to structure more specific and detailed requirements for NASA Headquarters, Programs, and Centers. This document does not stand alone and is to be used in conjunction with the references listed in paragraph P.4.

b. This NPR is directed toward safety requirements and is not meant to provide requirements for occupational health or environmental health personnel or to provide requirements for occupational health and environmental activities. Some health and environmental safety references are included to assist Center safety personnel in interactions with occupational health and environmental personnel. Occupational safety and health requirements that implement 29 CFR Part 1960, Basic Program Elements for Federal Employees, Occupational Safety and Health Programs and Related Matters, are specified in NPR 8715.1, NASA Occupational Safety and Health Programs. Environmental requirements are specified in NPD 8500.1, NASA Environmental Management.

c. This NPR does not provide requirements for emergency planning. Emergency planning requirements are specified in NPD 8710.1, Emergency Preparedness Program.

d. To address special processes and/or discipline-unique processes, the Office of Safety and Mission Assurance publishes standards that provide specific instructions that are beyond the scope and detail of this document. A listing of applicable Federal requirements, NPRs, and standards can be found in paragraphs P.3 and P.4 of this NPR.

P.2 Applicability

a. This NPR is applicable to NASA Headquarters and NASA Centers including Component Facilities, and Technical and Service Support Centers. This NPR applies to the Jet Propulsion Laboratory (JPL) or to other contractors or grant recipients only to the extent specified or referenced in applicable contracts, grants, or agreements.

b. The procedural requirements in this document apply: (1) to all NASA organizations, elements, entities, or individuals; (2) to visitors on NASA property; (3) to all NASA equipment, property, systems, and facilities; (4) during all phases of the life cycle of systems or facilities; and (5) as specified in contract requirements.

c. The provisions of this document apply to non-NASA, non-contractor personnel when on NASA property.

d. The requirements in this NPR do not supersede more stringent requirements imposed by other Federal, State, or local government agencies.

e. In this NPR, a requirement is identified by a "shall" statement and followed by the phrase "(Requirement xxxxx)." The number (xxxxx) is assigned to each requirement statement for the Safety and Mission Assurance Requirements Tracking System.

Note: The word "shall" indicates that the rule is mandatory. Noncompliance with a "shall" statement requires approval of a variance. Any text that does not contain a "shall" statement is for information and contextual purposes only.

f. In this NPR, the word "project" refers to a unit of work performed in programs, projects, and activities. Management of a work unit is referred to as "project management," which includes managing programs, projects, and activities.

g. In this NPR, a system is: (a) the combination of elements that function together to produce the capability to meet a need and (b) the end product (performs operational functions) and enabling products (provide life-cycle support services to the operational end products) that make up a system. The elements include all hardware, software, equipment, facilities, personnel, processes, and procedures needed for this purpose.

h. The Center Director for NASA Headquarters is the Assistant Administrator for Infrastructure and Administration. In this NPR, requirements for Center Directors applicable to NASA Headquarters also pertain to the Assistant Administrator for Infrastructure and Administration.

P.3 Authority

a. 42 U.S.C. § 2458c, National Aeronautics and Space Act of 1958, as amended.

b. 42 U.S.C. § 2473(c)(1), Section 203(c)(1) of the National Aeronautics and Space Act of 1958, as amended.

c. 5 U.S.C., Government Organization And Employees, Paragraph 7902; Safety Programs.

d. 5 U.S.C. § 7903, Protective Clothing and Equipment.

e. 29 U.S.C., Labor, Paragraph 651 et seq.

f. 40 U.S.C. § 3312, Compliance with Nationally Recognized Codes.

g. 49 U.S.C., Transportation § 1421, the Occupational Safety and Health Act of 1970, as amended.

h. 49 U.S.C. § 5102, Transportation of Hazardous Materials; Definitions.

i. 5 CFR Part 532, Prevailing Rate Systems.

j. 5 CFR Part 550, Pay Administration (General).

k. 14 CFR Chapter III, Commercial Space Transportation, Federal Aviation Administration, Department of Transportation.

l. 14 CFR Part 1214, Subpart 1214.5, Space Flight: Mission Critical Space Systems Personnel Reliability Program.

m. 14 CFR Part 1216, Subpart 1216.3, Procedures for Implementing the National Environmental Policy Act (NEPA).

n. 21 CFR Part 1040, Performance Standards for Light Emitting Products.

o. 21 CFR Part 1040.10, Laser Products.

p. 21 CFR Part 1040.11, Specific Purpose Laser Products.

q. 29 CFR Part 1904.32, Annual Summary.

r. 29 CFR Part 1910, Occupational Safety and Health Standards.

s. 29 CFR 1926, Safety And Health Regulations For Construction.

t. 29 CFR Part 1960, Basic Program Elements for Federal Employees, Occupational Safety and Health Programs and Related Matters.

u. 45 CFR Part 46, Protection of Human Subjects.

v. 48 CFR Part 1807, NASA FAR Supplement; Acquisition Planning.

w. 48 CFR Part 1823, NASA FAR Supplement; Environment, Energy and Water Efficiency, Renewable Energy Technologies, Occupational Safety, and Drug-Free Workplace.

x. 48 CFR Part 1842, NASA FAR Supplement; Contract Administration and Audit Services.

y. 48 CFR Part 1846, NASA FAR Supplement; Quality Assurance.

z. 49 CFR Part 171.8, Hazardous Material Regulations; Definitions and abbreviations.

aa. 49 CFR Part 172.101, Purpose and Use of Hazardous Materials Table.

ab. 49 CFR Part 177, Carriage by Public Highway.

ac. 49 CFR Part 571, Federal Motor Vehicle Safety Standards.

ad. EO 12114, Environmental Effects Abroad Of Major Federal Actions.

ac. EO 12196, Occupational Safety and Health Programs for Federal Employees, dated February 26, 1980, as amended.

ad. EO 13043, Increasing Seat Belt Use in the United States, dated April 16, 1997, as amended.

ae. Presidential Directive/National Security Council Memorandum Number 25 (PD/NSC-25), Scientific or Technological Experiments with Possible Large-Scale Adverse Environmental Effects and Aerospace Use of Major Radioactive Sources.

af. NPD 8710.2, NASA Safety and Health Program Policy.

P.4 References

a. NPD 1000.0, Strategic Management and Governance Handbook.

b. NPD 1000.3, The NASA Organization.

c. NPD 1001.0, 2006 NASA Strategic Plan.

d. NPD 1800.2, NASA Occupational Health Program.

e. NPD 2820.1, NASA Software Policy.

f. NPD 6000.1, Transportation Management.

g. NPD 7100.8, Protection of Human Research Subjects.

h. NPD 7120.4, Program/Project Management.

i. NPD 8500.1, NASA Environmental Management.

j. NPD 8700.1, NASA Policy for Safety and Mission Success.

k. NPD 8700.3, Safety and Mission Assurance (SMA) Policy for Spacecraft, Instruments, and Launch Services.

l. NPD 8710.1, Emergency Preparedness Program.

m. NPD 8710.3, NASA Policy for Limiting Orbital Debris Generation.

n. NPD 8710.5, NASA Safety Policy for Pressure Vessels and Pressurized Systems.

o. NPD 8720.1, NASA Reliability and Maintainability (R&M) Program Policy.

p. NPD 8730.5, NASA Quality Assurance Program Policy.

q. NPD 8820.2, Design and Construction of Facilities.

r. NPR 1441.1, NASA Records Retention Schedules.

s. NPR 1800.1, NASA Occupational Health Program Procedures.

t. NPR 2810.1A, Security of Information Technology.

u. NPR 3451.1, NASA Awards and Recognition Program.

v. NPR 4100.1, NASA Materials Inventory Management Manual.

w. NPR 4200.1, NASA Equipment Management Manual.

x. NPR 5100.4, Federal Acquisition Regulation Supplement (NASA/FAR Supplement).

y. NPR 5800.1, Grant and Cooperative Agreement Handbook.

z. NPR 7120.5, NASA Program and Project Management Processes and Requirements.

aa. NPR 7120.6, Lessons Learned Process.

ab. NPR 7123.1, Systems Engineering Procedural Requirements.

ac. NPR 7150.2, NASA Software Engineering Requirements.

ad. NPR 7900.3, Aircraft Operations Management.

ae. NPR 8000.4, Risk Management Procedural Requirements.

af. NPR 8580.1, Implementing the National Environmental Policy Act and Executive Order 12114.

ag. NPR 8621.1, NASA Procedural Requirements for Mishap and Close Call Reporting, Investigating, and Recordkeeping.

ah. NPR 8705.2, Human-Rating Requirements for Space Systems.

ai. NPR 8705.4, Risk Classification for NASA Payloads.

aj. NPR 8705.5, Probabilistic Risk Assessment (PRA) Procedures for NASA Programs and Projects.

ak. NPR 8705.6, Safety and Mission Assurance Audits, Reviews, and Assessments.

al. NPR 8715.1, NASA Occupational Safety and Health Programs.

am. NPR 8715.2, NASA Emergency Preparedness Plan Procedural Requirements.

an. NPR 8715.5, Range Safety Program.

ao. NPR 8820.2, Facility Project Implementation Guide.

ap. NASA-STD-8709.2, NASA Safety and Mission Assurance Roles and Responsibilities for Expendable Launch Vehicle Services.

aq. NASA-STD-8719.7, Facilities System Safety Guidebook.

ar. NASA-STD-8719.8, Expendable Launch Vehicle Payload Safety Review Process Standard.

as. NASA-STD-8719.9, Standard for Lifting Devices and Equipment.

at. NASA-STD-8719.11, Safety Standard for Fire Protection.

au. NASA-STD-8719.13, Software Safety Standard.

av. NASA-STD-8739.8, Software Assurance Standard.

aw. NSS/WS 1740.10, NASA Safety Standard for Underwater Facility and Non-Open Water Operations.

ax. NSS 1740.12, Safety Standard for Explosives, Propellants, and Pyrotechnics.

ay. NSS 1740.14, Guidelines and Assessment Procedures for Limiting Orbital Debris.

az. MIL-STD-882, Standard Practice for Safety Systems.

ba. National Incident Management System, Department of Homeland Security, March 1, 2004.

bb. SSP 50021, Safety Requirements Document.

bc. Safety and Mission Assurance Requirements Tree: http://www.hq.nasa.gov/office/codeq/doctree/qdoc.htm.

bd. Lessons Learned Information System (LLIS): http://nen.nasa.gov/portal/site/llis.

be. NASA MSDS Inventory: http://msds.ksc.nasa.gov.

bf. NASA Safety Reporting System (NSRS): http://www.hq.nasa.gov/office/codeq/nsrs/index.htm.

bg. Wallops Flight Facility Range Safety Manual: see http://www.wff.nasa.gov/~code803/pages/RSM20022.pdf.

bh. AFSPCMAN 91710, Licensing and Safety Requirements for Launch: see http://thefederalregister.com/d.p/2005-03-01-05-3916.

bi. Air Force AFOSH Standard 48-12, Health Hazard Control for Laser Operations.

bj. EM 385-1-1, U.S. Army Corps of Engineers, Safety and Health Requirements: see http://www.usace.army.mil/usace-docs/eng-manuals/em385-1-1/toc.htm.

bk. Federal Standard 313, Material Safety Data, Transportation Data and Disposal Data for Hazardous Materials Furnished to Government Activities, as revised: see http://assist.daps.dla.mil/quicksearch/basic_profile.cfm?ident_number=53769.

bl. International Atomic Energy Agency (IAEA), Safety Series Number 6, Regulations for the Safe Transport of Radioactive Material, 1985 Edition as amended in 1990, Section III, paragraphs 301 through 306.

bm. MIL-STD-454, Standard General Requirements for Electronic Equipment.

bn. Range Commanders Council (RCC) Document 316-91, Laser Range Safety: see http://www.fas.org/nuke/control/ccw/316-98/index.html.

bo. NFPA 1, Uniform Fire Code.

bp. NFPA 45, Standard on Fire Protection for Laboratories Using Chemicals.

bq. NFPA 70, National Electrical Code.

br. NFPA 70E: Standard for Electrical Safety in the Workplace.

bs. NFPA 101, Life Safety Code.

bt. NFPA 921, Guide for Fire and Explosion Investigations.

bu. NFPA 1561, Standard on Emergency Services Incident Management System.

bv. NFPA Life Safety Code Handbook.

bw. ANSI 358.1, Emergency Eyewash and Shower Equipment, latest edition.

bx. ANSI D6.1, Manual on Uniform Traffic Control Devices for Streets and Highways.

by. ANSI Z117.1, Safety Requirements for Confined Space.

bz. ANSI Z136.1, American National Standard for Safe Use of Lasers.

ca. ANSI Z136.2, Safe Use of Optical Fiber Communication Systems Utilizing Laser Diode and LED Sources.

cb. ANSI Z136.4, Recommended Practice for Laser Safety Measurements for Hazard Evaluation.

cc. ANSI Z136.6, Safe Use of Lasers Outdoors.

cd. Reserved.

ce. Guide for Safety in the Chemical Laboratory, Manufacturing Chemists' Association, Inc.

cf. NIOSH Publication No. 87-113, A Guide to Safety in Confined Spaces: see http://www.cdc.gov/niosh/pdfs/87-113.pdf.

cg. Scientific or Technological Experiments with Possible Large-Scale Adverse Environmental Effects and Launch of Nuclear Systems into Space, dated December 14, 1977, as revised on May 8, 1996.

ch. S. Kaplan and B.J. Garrick, "On the Quantitative Definition of Risk," Risk Analysis, 1, 11-27, 1981.

ci. National Research Council's report "Understanding Risk: Informing Decisions in a Democratic Society," National Academy Press, Washington, DC, 1996.

cj. Eastern and Western Range (EWR) 127-1, Range Safety Requirements.

P.5 Cancellation

NPR 8715.3, dated January 24, 2000.

/S/
Bryan O'Connor
Chief, Safety and Mission Assurance


Chapter 1. Institutional and Programmatic Safety Requirements

1.1 Overview of the NASA Safety Program

1.1.1 This document provides the procedural requirements that define the NASA Safety Program. Safety program responsibility starts at the top with senior management's role of developing policies and providing strategies and resources necessary to implement and manage a comprehensive safety program. The NASA Safety Program is executed by the responsible Mission Directorate Associate Administrators, Center Directors, Office of Safety and Mission Assurance (OSMA), component facility managers, safety managers, project managers, systems engineers, supervisors, line organizations, employees, and NASA contractors.

Note: The basic principles for governing, managing, implementing, monitoring, and controlling work at NASA are addressed in NPD 1000.0, Strategic Management and Governance Handbook, which provides direction for Mission Directorates and Centers to execute programs and projects.

The Center Director for NASA Headquarters is the Assistant Administrator for Infrastructure and Administration.

1.1.2 As stated in NPD 8700.1, NASA Policy for Safety and Mission Success, the objectives of the NASA Safety Program are to protect the public from harm, ensure the safety of employees, and affect positively the overall success rate of missions and operations through preventing damage to high-value equipment and property.

1.1.3 In general, the success or failure of an organization's safety efforts can be predicted by a combination of leading indicators (e.g., the number of open vs. closed inspection findings, awareness campaigns, training metrics, progress towards safety goals/objectives, the amount of hazard and safety analyses completed, and close calls) and its achievement measured by lagging indicators (e.g., the number of incidents involving injury or death to personnel, lost productivity [lost or restricted workdays], environmental damage, or loss of, or damage to, property). Like many successful corporations, NASA has learned that aggressively preventing mishaps is good management and a sound business practice.

1.1.4 NASA undertakes many activities involving high risk. Management of this risk is one of NASA's most challenging activities and is an integral part of NASA's safety efforts.

1.1.5 The policy for the NASA Safety Program is provided in NPD 8710.2, NASA Safety and Health Program Policy; specific health program requirements are provided in NPD 1800.2, NASA Occupational Health Program; and environmental requirements are provided in NPD 8500.1, NASA Environmental Management.

1.1.6 Policies, requirements, and procedures for mishap investigations are provided in NPR 8621.1, NASA Procedural Requirements for Mishap and Close Call Reporting, Investigating, and Recordkeeping.

1.1.7 NASA identifies issues of concern through a strong network of oversight councils and internal auditors including the Aerospace Safety Advisory Panel (ASAP), the Operations and Engineering Panel (OEP), and the Aviation Safety Panel.

1.1.8 NASA's goal is to maintain a world-class safety program based on management and employee commitment and involvement; system and worksite safety and risk assessment; hazard and risk prevention, mitigation, and control; and safety and health training.

Note: NASA's goals are provided in NPD 1001.0, 2006 NASA Strategic Plan.

1.2 NASA General Safety Program Roles and Responsibilities

Table 1 lists responsible entities that have roles and responsibilities for NASA safety along with the associated paragraphs in this NPR that explain the responsibilities.

Table 1. Roles and Responsibilities for NASA Safety Requirements

Responsible Entity | NPR 8715.3 Paragraph
NASA | 1.8.3.1, 1.8.4, 1.8.6, 1.8.7, 1.8.8, 1.8.9, 1.9.2, 3.13.5.1
NASA Administrator | 6.2.1
Chief, Safety and Mission Assurance | 1.9.3.1, 1.9.6, 1.10.1, 1.11.1, 1.13.6, 3.13.2, 3.13.4.5.1, 4.2.2, 6.2.3, 7.2.2
Chief Engineer | 1.13.7
Chief Health and Medical Officer | 1.13.8
Chief, Strategic Communications | 1.12.2
Mission Directorate Associate Administrators | 1.2.1, 2.2.1, 4.2.1, 6.1.3, 6.2.2, 6.2.4, 6.2.5, 7.4.1, 7.4.6.3, 7.5.3, 7.6.1, 7.2.1
Office of Security and Program Protection | 6.2.9
Director, Safety and Assurance Requirements Division | 1.4.2, 3.2.4.1, 4.2.3, 5.2.1
Operations and Engineering Panel (OEP) | 1.9.3.2
NASA Interagency Nuclear Safety Review Panel (INSRP) Coordinator | 6.2.7, 6.3.7.2
NASA INSRP Member | 6.2.8
Nuclear Flight Safety Assurance Manager | 6.3.3.2, 6.3.4.2, 6.3.5.2, 6.3.6.2, 6.3.8.2, 6.3.9.2, 6.4.2.2
NASA Aviation Safety Manager | 4.2.4
NASA ELV Payload Safety Manager | 3.13.4.5.2
Center Directors | 1.2.1, 1.3.1, 1.4.3, 1.4.4, 1.6.1.1, 1.6.2.1, 1.8.2, 1.8.3, 1.8.4, 1.9.6, 1.12.1, 1.13.4, 2.2.1, 2.2.2, 3.2.1, 3.2.2.2, 3.2.2.3, 3.2.3.1, 3.2.5.1, 3.3.5, 3.4.2, 3.5.1, 3.6.1, 3.7.5.1, 3.7.6.1, 3.8.2, 3.9.2, 3.9.3.1, 3.9.4.1, 3.9.5.2, 3.10.1, 3.11.1, 3.11.2, 3.11.3, 3.12.2, 3.13.4.2, 3.13.4.3, 3.13.4.4, 3.13.4.5.4, 3.14.2, 3.14.3.2, 3.14.5.1, 3.14.6.1, 3.14.7.2, 3.15.3, 3.15.4, 3.17.3, 3.17.4, 4.2.1, 5.2.2, 5.3.1, 5.4.2.1, 5.5.2, 5.7.1, 5.8.1, 5.9.1, 5.10.1, 6.1.3, 6.2.2, 6.2.5, 7.2.1, 7.3.1, 7.4.1, 7.4.6.3, 7.5.3, 7.6.1, 8.2.1, 8.3.1, 8.3.2, 8.3.3, 8.4.1, 8.5.1, 8.6.1, 9.2.1, 9.5.1, 9.5.2, 9.6.1
Center Safety and Mission Assurance (SMA) Directors | 1.3.2, 1.12.3, 1.13.5, 2.2.2, 3.8.3, 7.3.3, 7.4.2, 7.4.5.1, 7.4.5.2, 9.3.4, 9.4.2
Project Managers | 1.3.1, 1.3.2, 1.5.2, 1.6.1.1, 1.6.2.1, 1.7.1.1, 1.7.2.1, 1.7.3.1, 1.7.4, 1.13.4, 2.2.1, 2.5.1.1, 2.5.3.1, 2.5.4.1, 3.5.1, 3.8.2, 3.9.2, 3.9.3.1, 3.9.4.1, 3.10.1, 3.11.1, 3.11.2, 3.12.2, 3.13.4.2, 3.13.4.3, 3.13.4.4, 3.14.2, 3.14.3.2, 3.14.4.1, 3.14.5.1, 3.14.6.1, 3.14.7.2, 3.15.3, 3.15.4, 3.15.7.1, 3.15.8.1, 3.15.9.1, 3.17.4, 4.2.1, 7.2.1, 7.4.1, 7.4.6.3, 7.5.3, 7.6.1, 9.2.1, 9.2.2, 9.3.1, 9.5.1, 9.5.2, 9.6.1, 9.7.1
Program Executives | 6.1.3, 6.2.2, 6.2.4, 6.3.1, 6.3.3.1, 6.3.4.1, 6.3.5.1, 6.3.6.1, 6.3.8.1, 6.3.9.1, 6.4.2.1
System Safety Managers | 1.7.4, 2.5.3.2, 2.5.4.2, 2.5.1.3, 2.5.2.1, 2.6.2, 2.7.1, 2.8.1, 2.8.2, 9.3.2, 9.3.4
NASA Launch and Landing Site Managers | 6.2.6
Pilot-in-Command | 3.15.7.2
Medical Offices and Cognizant Health Officials | 7.4.3
Line Managers | 1.4.4, 1.4.5, 1.6.1.1, 2.2.1, 4.2.1, 6.2.5, 7.2.1, 7.4.1, 7.4.4
Supervisors | 1.3.1, 1.4.5, 1.4.6, 3.3.6, 3.6.2, 3.17.5, 7.4.6.3, 7.5.3, 7.6.1
System Engineers | 2.5.2.2
Center Training and Personnel Development Offices | 7.2.3, 7.4.6.1, 7.4.6.2
Authority Having Jurisdiction | 5.2.3
Explosive Safety Officer | 3.11.4
Laser Radiation Safety Officer | 3.15.5.2
Contracting Officers | 9.2.2, 9.3.2, 9.3.3, 9.4.1, 9.4.3
Operators of Motor Vehicles | 3.2.2.1, 3.2.3.2
Receiving Offices | 3.7.6.2

1.2.1 Per NPD 1000.3, The NASA Organization, Mission Directorate Associate Administrators, through their project managers, and Center Directors, through their line managers, are responsible for the safety of their assigned personnel, facilities, and mission systems. Toward that end, they shall establish a safety program that adheres to the following principles (Requirement 25005):

a. Ensure that their safety planning and direction; the development of safety requirements, safety policies, safety methodology, and safety procedures; and the implementation and evaluation of their safety programs achieve the safety requirements in this NPR (Requirement 25006).

b. Ensure the conduct of assessments of quantitative and/or qualitative safety risks to people, property, or equipment, and include recommendations to either reduce the risks or accept them (Requirement 31816).

c. Ensure that safety assessments of all system changes are conducted, prior to changes to these systems being implemented, so as to preclude an unknown increase in risk to personnel or equipment (Requirement 25010).

d. Ensure that employees are informed of any risk acceptance when the employees are the ones at risk (Requirement).

e. Ensure that safety surveillance and periodic inspections are conducted to assure compliance with NASA safety policies and to assess the effectiveness of NASA safety activities as required by Federal, State, and local regulations, NASA policy, and national consensus standards (Requirement 25012).

f. Ensure that technical reviews of the safety of development efforts and operations are conducted in accordance with sound system safety engineering principles (Requirement 25009).

g. Ensure that trained individual(s) determine the corrective actions needed for mitigating or controlling safety risk for all activities (Requirement 31814).

h. Ensure that NASA employees and safety professionals are trained for their roles and responsibilities associated with specific safety functions (Requirement).

i. Ensure that software safety is included in their safety programs (Requirement).

Note: Software safety policy and requirements are provided in NPD 2820.1, NASA Software Policy; NPR 7150.2, NASA Software Engineering Requirements; NASA-STD-8719.13, Software Safety Standard; and NASA-STD-8739.8, Software Assurance Standard.

j. Ensure that an ad hoc interagency review and approval process is implemented for the use of radioactive materials in spacecraft to avoid unacceptable radiation exposure for normal or abnormal conditions, including launch aborts with uncontrolled return to Earth (See Chapter 5) (Requirement 25021).

k. Ensure that research and development for new or unique safety functions and technologies are conducted to help meet NASA goals (Requirement 25013).

l. Ensure the integrity of information and information systems, where compromise may impact safety, by adherence to NASA information technology security procedures as required by NPR 2810.1, Security of Information Technology (Requirement).

1.3 Public Safety

1.3.1 Center Directors, project managers, supervisors, and NASA employees shall:

a. Eliminate risk or the adverse effect of NASA operations on the public, or provide public protection by exclusion or other protective measures where the risk or the adverse effect of NASA operations on the public cannot be eliminated (Requirement 25026).

Note: The responsibility for public safety includes major events such as air shows, open houses, or other events that may be attended by large crowds.

b. Disallow non-NASA (either by contractors or visitors) research and development operations (under grants or cooperative agreements) that interfere with or damage NASA facilities or operations or threaten the health and safety of NASA personnel (Requirement 25027).

1.3.2 Center SMA Directors shall:

a. Require non-NASA research and development personnel and operations exposed to hazardous operations on NASA property to follow all Federal, NASA, and Center safety precautions and to procure needed protective clothing and equipment at their own expense (Requirement 31868).

b. Assure non-NASA research and development personnel operating or using potentially hazardous NASA equipment have received required training and are certified as qualified operators in accordance with Chapter 7 of this NPR (Requirement 31869).

1.3.3 Center Directors are delegated the authority to approve variances to public safety requirements for onsite non-NASA personnel (e.g., press, visitors) if appropriate safety requirements are in place and the risk is no greater than the risk to uninvolved employees.

Note: Diligence should be practiced when waiving public safety requirements. In some situations NASA employees are exposed to unusual risk that they inherently understand by virtue of their unique job function and experience, and they behave cautiously based on that knowledge. Members of the public or non-NASA employees may not understand the nuances of a particular situation and may not know when or how to behave accordingly.

1.4 Institutional Roles and Responsibilities in the NASA Safety Program

1.4.1 The Chief Health and Medical Officer shall:

a. Terminate any NASA operation considered an immediate health hazard (Requirement).

b. When termination occurs, immediately notify affected Center offices (Requirement).

1.4.2 The Director, Safety and Assurance Requirements Division, OSMA, shall:

a. Establish and develop the overall NASA safety program policy and priorities (Requirement 8005).

b. Serve as the senior safety official for the Agency and exercise functional management authority over all NASA safety and risk management activities (Requirement 8006).

c. Terminate any operation that presents an immediate and unacceptable risk to personnel, property, or mission operations (Requirement).

d. When termination occurs, immediately notify affected Center and Mission Directorate officials (Requirement).

1.4.3 Center Directors shall:

a. Be responsible for safety at NASA facilities (Requirement 32643).

b. Place their safety organization at a level that ensures the safety review function can be conducted independently (Requirement).

c. Designate a senior manager as the Center safety and health officer and the safety program implementation authority (Requirement 25015 and 8021).

Note: Senior manager is interpreted to mean that the safety and health officer can interface directly with the Center Director when problems arise.

d. Ensure that:

(1) Adequate resources (personnel and budget) are provided to support mishap prevention efforts (Requirement).

(2) Resource control is independent from any influence that would affect the independence of the advice, counsel, and services provided.

e. Ensure that policies, plans, procedures, and standards that define the characteristics of their safety program are established, documented, maintained, communicated, and implemented (Requirement 25017).

Note: The Annual Operating Agreements enacted and signed at each Center reflect the agreed support activity level of the Center safety organization to the program/projects and institutional operations at the Centers. (See NPD 8700.1, NASA Policy for Safety and Mission Success.)

f. Ensure that the development, implementation, and maintenance of an effective safety and health program is in compliance with NASA, Federal, State, and local requirements (Requirement 8022).

g. Ensure the establishment of an effective system safety program based on a continuous risk assessment process to include the development of safety requirements early in the planning phase, the implementation of those requirements during the acquisition, development, and operational phases, and the use of a scenario-based risk assessment and tracking system to maintain the status of risks during the process (Requirement 25019). (See Chapter 2.)

h. Ensure that all NASA operations and operations performed on NASA property are performed in accordance with existing safety standards, consensus national standards (e.g., ANSI, NFPA), or special supplemental or alternative standards when there are no known applicable standards (Requirement 25022).

i. Ensure that for hazardous NASA operations, procedures are developed for the following circumstances: 1) to provide an organized and systematic approach to identify and control risks, 2) when equipment operations, planned or unplanned, are hazardous or constitute a potential launch, test, vehicle, or payload processing constraint, or 3) when an operation is detailed or complicated and there is reasonable doubt that it can be performed correctly without written procedures (Requirement 31859). (See Chapter 3 of this NPR for requirements for hazardous operating procedures.)

j. Ensure that an aviation safety program that meets the specific operational needs of their Center is established and maintained to comply with national standards and NASA directives and requirements (Requirement 25023). (See Chapter 4.)

k. Ensure that safety lessons learned are disseminated and included in Center communication media to improve the understanding of hazards and risks, the prevention of mishaps, and to suggest better ways of implementing system safety programs (Requirement).

Note: Requirements for lessons learned are provided in NPR 7120.6, Lessons Learned Process. The Lessons Learned Information System (LLIS) provides a library of lessons learned data for use by program managers, design engineers, operations personnel, and safety personnel. Procedures for disseminating lessons learned can be found at the following Internet address: http://nen.nasa.gov/portal/site/llis.

l. Inform personnel of the availability of the NASA Safety Reporting System (NSRS) at their Center (Requirement 25048).

Note: The NSRS supplements local hazard reporting channels and provides NASA employees and contractors with an anonymous, voluntary, and responsive reporting channel to notify NASA's upper management of concerns about hazards or unsafe conditions. The NSRS should be used in the following circumstances: 1) if a hazard has been reported locally and it does not appear any action has been taken, 2) if someone is not satisfied with the response to a reported hazard, or 3) if someone fears reprisal if they were to report the hazard locally. NSRS reports are guaranteed to receive prompt attention.

Information about the NSRS and a copy of the NSRS form can be found at the following Internet address: http://www.hq.nasa.gov/office/codeq/nsrs/index.htm.

NASA contracting officers (COs) and contracting officer's technical representatives (COTRs) are encouraged to implement the NSRS program at contractor facilities by citing the NASA FAR Supplement Clause (NFS 1852.223-70). Pre-addressed postage-paid forms can be obtained at any Center Safety Office or from other distribution locations across the Center. Forms should be mailed to:

NASA SAFETY REPORTING SYSTEM
P.O. BOX 5826
BETHESDA, MD 20824-9913

m. Assist with the investigation of NSRS reports (Requirement).

n. Ensure that all facilities are designed, constructed, and operated in accordance with applicable/approved codes, standards, procedures, and requirements (Requirement 25024). (See Chapters 8 and 9.)

o. Ensure that the safety responsibilities of each organizational element are defined and accomplished (Requirement 31818).

p. Ensure that line managers incorporate safety and health requirements into the planning, support, and oversight of hosted programs, projects, and operations as part of their management function (Requirement 31819).

q. Evaluate and document the incorporation of safety and health requirements into the planning and support of hosted programs, projects, and operations in senior managers' performance evaluations (Requirement 31820).

r. Ensure a qualified safety workforce is available to perform the safety function (Requirement 25020).

s. Ensure that properly equipped and trained personnel are provided to perform or support potentially hazardous or critical technical operations (Requirement).

Note: Special circumstances involving access to mission critical space systems and other critical equipment may dictate the need for the Personnel Reliability Program (14 CFR Part 1214, Subpart 1214.5, Space Flight: Mission Critical Space Systems Personnel Reliability Program). (See Chapter 3.)

t. Ensure that safety and mission assurance (SMA) risk-based acquisition management requirements are included in procurement, design, development, fabrication, test, or operations of equipment and facilities (Requirement 25018).

u. Analyze and utilize nonconformance and process control data as feedback in the assessment and management of technical risk (Requirement).

Note: Examples of nonconformance data include process escapes, waivers/deviations, and the results of audits, tests, and inspections.

v. Ensure that qualitative and quantitative risk assessment results, hazard controls, and risk mitigation strategies are not negated when accounting for the analysis of nonconformance and process control data in the assessment and management of technical risk (Requirement).

Note: Quality assurance requirements are provided in NPD 8730.5, NASA Quality Assurance Program Policy.

w. Ensure the results of contractor safety and health provision evaluations are provided to the award fee boards for use in fee determination (Requirement 31856).

x. Ensure that the Governance Model is being implemented in the procurement process for the acquisition of hardware, software, services, materials, and equipment (Requirement 31857). (See Chapter 9.)

Note: The Governance Model includes participation by Engineering, SMA, and the project manager during the entire life-cycle of procurement.

y. Pursue and obtain within two years, certification under the Occupational Safety and Health Administration (OSHA) Voluntary Protection Program (VPP) or through an equivalent recognized occupational safety certification program (Requirement).

Note: The OSHA VPP is established by 5 U.S.C. § 7902; 29 U.S.C. § 651 et seq.; 49 U.S.C. § 1421, the Occupational Safety and Health Act of 1970, as amended, to assure every working man and woman in the Nation safe and healthful working conditions and to preserve our human resources by encouraging employers and employees to reduce the number of occupational safety and health hazards at their work places and to institute new (and to perfect existing) programs for providing safe and healthful working conditions.

z. Ensure their safety organization (or its support contractors) has access to certified safety professionals meeting the requirements of the OSHA VPP (Requirement 31858).

1.4.4 Center Directors and line managers shall ensure that up-to-date configuration control is maintained on all assigned equipment and systems (Requirement 25008).

Note: NPR 7123.1, NASA Systems Engineering Procedural Requirements, requires Center Directors or designees to establish and maintain a process, to include activities, requirements, guidelines, and documentation, for configuration management.

1.4.5 Line managers and supervisors are accountable for the safety and health of their assigned personnel. To that end, they shall:

a. Ensure employee safety and health training is completed by employees pursuant to the requirements of the job to be performed (Requirement).

b. Ensure that safety is included in the employee's performance plan objectives (Requirement).

c. Encourage safe performance through safety and health incentive awards programs or other institutional programs establishing the safety organization (Requirement 31824).

1.4.6 Supervisors shall:

a. Incorporate measurable leading safety and health performance criteria in line managers' performance plans (Requirement).

b. Evaluate and document achievement of the measurable safety and health performance criteria in the line manager's performance evaluations (Requirement 31822).

1.5 Program Management Roles and Responsibilities in the NASA Safety Program

1.5.1 Paragraph 2.2.2.a.1.vi of NPR 7120.5, NASA Program and Project Management Processes and Requirements, requires project managers to prepare and implement a comprehensive SMA Plan early in program formulation to ensure program compliance with all regulatory safety and health requirements from OSHA and all NASA SMA requirements. The importance of upfront safety, reliability, maintainability, and quality assurance requirements should be emphasized in all program activities.

1.5.2 Project managers shall ensure that the SMA Plan (Requirement):

a. Addresses life cycle safety-relevant functions and activities (Requirement).

b. Graphically represents project organizational relationships and assurance roles and responsibilities employing a Mission Assurance Process Map as described in NPR 8705.6, Safety and Mission Assurance Audits, Reviews, and Assessments (Requirement).

c. Reflects a life cycle SMA process perspective, addressing areas including: procurement, management, design and engineering, design verification and test, software design, software verification and test, manufacturing, manufacturing verification and test, operations, and preflight verification and test (Requirement).

d. Contains data and information to support each section of the SMA Plan for each major milestone review to include the Safety and Mission Success Review (formerly SMA Readiness Review) (Requirement).

e. Contains trending and metrics utilized to display progress and to predict growth towards SMA goals and requirements (Requirement).

f. As a minimum, addresses the following topics and associated requirements (Requirement):

(1) Safety per this NPR.

(2) Reliability and maintainability per NPD 8720.1, NASA Reliability and Maintainability (R&M) Program Policy.

(3) Risk assessment per NPR 8705.5, Probabilistic Risk Assessment (PRA) Procedures for NASA Programs and Projects.

(4) Quality assurance per NPD 8730.5, NASA Quality Assurance Program Policy.

(5) Software safety and assurance per NASA-STD-8719.13, Software Safety Standard, and NASA-STD-8739.8, Software Assurance Standard.

(6) Occupational safety and health per NPR 8715.1, NASA Occupational Safety and Health Programs.

(7) Range safety per NPR 8715.5, Range Safety Program.

(8) Human-rating per NPR 8705.2, Human-Rating Requirements for Space Systems.

(9) Mishap reporting per NPR 8621.1, NASA Procedural Requirements for Mishap and Close Call Reporting, Investigating, and Recordkeeping.

(10) Compliance verification, audit, SMA reviews, and SMA process maps per NPR 8705.6, Safety and Mission Assurance Audits, Reviews, and Assessments.

1.5.3 Project managers shall ensure that contractor operations and designs are evaluated for consistency and compliance with the safety and health provisions provided in their contractual agreements (Requirement 31855).

1.6 Risk Assessment and Risk Acceptance

1.6.1 Risk Assessment. The primary purpose of risk assessment is to identify and evaluate risks to help guide decision making and risk management regarding actions to ensure safety and mission success. Risk assessment should use the most appropriate methods that adequately characterize the probability, consequence severities, and uncertainty of undesired events and scenarios. Quantitative methods can be used to evaluate probabilities, consequences, and uncertainties, whenever possible. Qualitative methods characterize hazards, and failure modes and effects provide valuable input to the risk assessment. When qualitative methods are used to assess risks, the qualitative values assigned should be rationalized. The results of the risk assessment along with the results of system safety analyses form the basis for risk-informed decision making. More discussion of system safety and risk assessment is provided in Chapter 2 of this NPR.

1.6.1.1 Project managers for flight systems and line managers for institutional systems shall:

a. Use a process for risk assessment that supports decisions regarding safety and mission success as well as other decisions such as the development of surveillance plans and information security (see Chapter 2) (Requirement).

Note: Requirements for risk management are provided per NPR 8000.4, Risk Management Procedural Requirements; requirements for probabilistic risk assessments are provided per NPR 8705.5, Probabilistic Risk Assessment (PRA) Procedures for NASA Programs and Projects.

1.6.2 Risk Acceptance. Center Directors and project/program managers are delegated the authority to accept residual risk associated with hazards based on risk assessment results and all relevant factors for their assigned activities. Center Directors and program managers should include involvement of the Technical Authority as a part of the risk analysis, evaluation, and decision-making processes. For technical matters related to project/program design, development, and operations, and involving the risk of safe and reliable operations as related to human safety, the Technical Authority has approval authority but the project/program manager must still formally accept the residual risk.

1.6.2.1 Center Directors and project managers shall:

a. Establish and document a formal, closed loop, transparent decision-making process for accepting residual risk for their assigned activities, personnel, and/or property (Requirement 25085).

b. Meet Federal safety and health standards when making risk-informed decisions to accept residual risk (Requirement).

c. Reduce the risk to an acceptable level using the technical safety requirements provided in Paragraph 1.7 of this NPR (Requirement).

Note: The risk that remains after all mitigation and controls have been applied is the residual risk.

d. Only accept residual risk consistent with NASA requirements and, in all cases, ensure the acceptance of risk to NASA employees and/or equipment does not endanger the public or NASA employees (Requirement).

e. Document the basis for any risk-informed decisions (Requirement).

f. Communicate to: 1) the cognizant office of primary responsibility (OSMA, Office of the Chief Engineer (OCE), Office of the Chief Health and Medical Officer (OCHMO)) for review, decisions regarding residual risk acceptance and 2) to any employee or person for whom the risk has been accepted (Requirement 31870).

1.7 Technical Safety Requirements for NASA-Unique Designs and Operations

Developing and maintaining technically sound and defensible safety and health requirements is essential to serve as a basis for system design and for system safety analysis efforts. A combination of quantitative (for example, probabilistic) and qualitative (for example, failure tolerance or redundancy) technical safety and mission success requirements complement each other by compensating for weaknesses in one or the other analysis type. This NPR establishes a minimum set of technical SMA requirements to be applied to programs/projects.

To properly support design and operational decisions, it is necessary that alternatives be analyzed not only with respect to their impact on the mission's performance and programmatic objectives, but also with respect to their impact on safety and health. Risk management uses the results of the risk assessment as the basis for decisions to reduce the risk to an acceptable level.

1.7.1 Risk Reduction Protocol

1.7.1.1 Project managers shall ensure that hazards and dominant contributors to risk are controlled according to the following (Requirement):

a. Eliminate accident scenarios (e.g., eliminate hazards or initiating events by design).

b. Reduce the likelihood of accident scenarios through design and operational changes (hazard control).

c. Reduce the severity of accident consequences (hazard mitigation).

d. Improve the state-of-knowledge regarding key uncertainties that drive the risk associated with a hazard (uncertainty reduction to support implementation of the above strategies).

Note: Designs for hazard control and accident prevention and mitigation should include considerations for the possibility of human errors. The level of hazard control should be based on the level of risk associated with that hazard. Examples of risk reduction strategies include: control of system and operational characteristics, incorporation of safety devices, use of caution and warning devices, and the use of operational and management procedures and training. Some hazards may require a combination of several of these approaches for prevention, mitigation, and/or control. Providing protective clothing and equipment is considered an operational procedure.

1.7.2 Reliability and Failure Tolerance

Safety critical operations must have high reliability. High reliability is verified by reliability analysis using accepted modeling techniques and data in which uncertainties are incorporated. Where this cannot be accomplished with a specified confidence level, the design of safety critical operations shall have failure tolerance and safety margins in which critical operability and functionality are ensured. Failure tolerance is the ability of a system to perform its function(s) or maintain control of a hazard in the presence of failures of its subsystems. Failure tolerance may be accomplished through like or unlike redundancy. Safety margins are the difference between as-built factor of safety and the ratio of actual operating conditions to the maximum operating conditions specified during design.

Note: Failure tolerance requirements for human space systems are provided in NPR 8705.2, Human-Rating Requirements for Space Systems.

1.7.2.1 To assure operability and functionality and to achieve failure tolerance, project managers shall use these design considerations.

a. Design safety critical systems such that the critical operation or its necessary functions can be assured. To provide assurance, design the component, subsystem, or system so it is capable of being tested, inspected, and maintained (Requirement).

b. Where high reliability cannot be verified by reliability analysis using accepted data in which uncertainties are incorporated, design safety critical systems so that no combination of two failures and/or operator errors (fail-safe, fail-safe as a minimum) will result in loss of life (Requirement).

Note: Safety-critical operational controls are applied to conditions, events, signals, processes, or items for which proper recognition, control, performance, or tolerance are essential to safe system operation, use, or function.

c. When requesting a variance from the two-failure tolerance requirement, provide evidence and rationale that one or more of the following are met (Requirement).

(1) Two-failure tolerance is not feasible for technical reasons.

(2) The system or subsystem is designed and certified in accordance with approved consensus standards.

Note: Safety variances are processed in accordance with the requirements of paragraph 1.13 of this NPR.

d. Where high reliability cannot be verified by reliability analysis using accepted data in which uncertainties are incorporated, design safety critical operations so that no single failure or operator error (fail-safe) will result in system loss/damage or personal injury (Requirement).

e. Where high reliability cannot be verified by reliability analysis using accepted data in which uncertainties are incorporated, provide functional redundancy where there is insufficient time for recovery or system restoration. Where there is sufficient time between a failure and the manifestation of its effect, design for restoration of safe operation using spares, procedures, or maintenance provides an alternative means of achieving failure tolerance (Requirement).

f. Design safety critical systems and operations to have a safety margin (Requirement).

g. When using redundancy, verify that common cause failures (e.g., contamination, close proximity) do not invalidate the assumption of failure independence (Requirement).

h. When using redundancy in operations that could cause or lead to severe injury, major damage, or mission failure (safety critical operations), verify operability under conditions that singularly or separately added together represent the operating intended condition (Requirement).

i. When using reliability analyses, assess the probability of failure to provide the function and the time to restore the function, where loss of life, serious injury, or catastrophic system loss can occur. Uncertainties shall be incorporated in these assessments. The time to restore the function shall include the active time to repair and the time associated with the logistics or administrative downtime that affects the ease or rapidity of achieving full restoration of the failed function (Requirement).

1.7.2.2 To assure functional protection, project managers shall ensure that:

a. Loss of functional protection for safety-critical operations requires termination of the operation at the first stable configuration (Requirement 25031).

b. At least one single level of functional protection is used to protect high-value facilities and flight systems (Requirement 31882).

c. In addition to the requirement in paragraph 1.7.2.1.b, for systems intended to be operated by humans, rescue and/or escape are a valid means of life protection and, if used, shall include validation, training, and certification (Requirement 31881).

1.7.3 Inhibits

1.7.3.1 Where high reliability is not verified by reliability analysis using accepted data with uncertainties incorporated, the project manager shall ensure that:

a. Operations that require the control of a condition, event, signal, process, or item for which proper recognition, performance, or tolerance is essential to safe system operation, use, or function are designed such that an inadvertent or unauthorized event cannot occur (inhibit) (Requirement).

b. Operations have three inhibits where loss of life can occur (Requirement).

c. Operations have two inhibits where personal injury, illness, mission loss, or system loss or damage can occur (Requirement).

d. The capability of inhibits or control procedures, when required in operations by this paragraph, is verified under operational conditions, including the verification of independence among multiple inhibits (Requirement).

Note: Inhibits (designs that specifically prevent an inadvertent or unauthorized event from occurring) are not to be confused with the lockout/tagout program, which is a program to isolate or control facility system hazards; e.g., electrical, mechanical, hydraulic, pneumatic, chemical, thermal, or other energy.

1.7.4 System Safety Managers shall assure that the above requirements are placed in program/project requirements and that any variances to those requirements are processed in accordance with the requirements of this NPR (Requirement). (See paragraph 1.13 of this NPR.)

1.8 SMA Program Reviews

1.8.1 The Chief, Safety and Mission Assurance, conducts audits, reviews, and assessments of NASA Centers, programs/projects, supporting facilities, and operations.

Note: Requirements for conducting and supporting independent SMA audits, reviews, and assessments are provided in NPR 8705.6, Safety and Mission Assurance Audits, Reviews, and Assessments.

1.8.2 Center Directors shall ensure that:

a. The Center's safety program is formally assessed annually (Requirement 25032).

b. The Center's annual safety program assessment is conducted by competent and qualified personnel (Requirement).

Note: In addition to normal management surveillance, the Center's annual safety program review can be accomplished through safety staff assistance visits, inspections, and safety audits. The Center's safety staff or an independent outside source may perform the formal assessments.

1.8.3 Center Directors shall ensure that the Center's formal annual assessment has the following elements:

a. A formal assessment report that includes a discussion of the safety posture of the Center and each program reviewed (Requirement).

b. An assessment of the effectiveness of safety program management (Requirement 31885).

c. A safety culture survey that includes at least the management and communications functions of the Performance Evaluation Profile (PEP) survey (Requirement).

d. An assessment of safety program documentation (e.g., plans, procedures, monitoring data) (Requirement).

e. An assessment of the adequacy of safety standards and procedures (Requirement 31889).

f. Interviews of key facility and/or program personnel (Requirement).

g. Observations and inspections of workplace compliance with safety practices (Requirement 31890).

h. Identification of deficiencies in the safety program (Requirement 31887).

i. The development of formal plans of actions and milestones to correct all open deficiencies that shall be tracked to completion including interim controls that will be implemented if the hazard cannot be immediately corrected (Requirement).

j. Assessment and verification of corrective actions from previous assessments (Requirement 31888).

k. Evaluation of the implementation of 5 U.S.C. § 7902; 29 U.S.C. § 651 et seq.; 49 U.S.C. § 1421, the Occupational Safety and Health Act of 1970, as amended; E.O. 12196, Occupational Safety and Health Programs for Federal Employees dated February 26, 1980, as amended; OSHA regulations at 29 CFR Part 1910, Occupational Safety and Health Standards; and other pertinent Federally-mandated requirements (Requirement 31886).

1.8.4 Center Directors shall ensure that periodic training is conducted for Center safety personnel on safety program assessments covering prereview, review, and postreview procedures and requirements (Requirement).

1.9 Advisory Panels, Committees, and Boards

1.9.1 NASA strives to use the Nation's most competent safety resources to provide review and advice on the NASA Safety Program.

Note: In keeping with this philosophy, NASA enlists the advice of consultants, interagency and interdisciplinary panels, and ad hoc committees consisting of representatives from industry (management and union), universities, and government (management and union).

1.9.2 NASA has established an ASAP as an advisory committee in accordance with Section 6 of the NASA Authorization Act, 1968 (PL 90-67, codified as 42 U.S.C. 2477).

Note: The ASAP reviews and evaluates program activities, systems, procedures, and management policies and provides assessment of these areas to NASA management and Congress. It is in this role that the ASAP provides independent advice on NASA safety issues to the Chief, Safety and Mission Assurance, and to the Administrator. The ASAP website is http://www.hq.nasa.gov/office/codeq/asap/.

1.9.3 OEP

1.9.3.1 Chief, Safety and Mission Assurance, shall establish and maintain an OEP (Requirement).

Note: The panel supports the OSMA on special assignments related to facility operations and engineering activities.

1.9.3.2 The OEP shall evaluate processes and systems for assuring the continuing operational integrity of NASA test facilities, operations, and engineering technical support systems, address problems and issues at Centers, and provide recommendations to the Chief, Safety and Mission Assurance (Requirement).

Note: The OEP also studies technical support system problem areas and develops alternate solutions or methods. See Appendix H, Operations and Engineering Panel, for further details.

1.9.4 NASA has established the Software Independent Verification and Validation (IV&V) Board of Directors to advise the OSMA as approval authority for IV&V support to programs and projects. The IV&V Board of Directors acts in an advisory capacity to provide input to the Chief, Safety and Mission Assurance, concerning the annual IV&V budget for support to programs and projects.

1.9.5 NASA has established and maintains a Space Flight Safety Panel to promote flight safety in NASA space flight programs involving flight crews and to advise appropriate Mission Directorate Associate Administrators on all aspects of the crewed space program that affect flight safety.

Note: See NPD 1000.3, The NASA Organization, paragraph 6.21, for further details.

1.9.6 Center Directors and the Chief, Safety and Mission Assurance, shall have the authority to establish ad hoc committees to provide safety oversight review of programs, projects, and other activities (Requirement).

1.10 Coordination with Organizations External to NASA

1.10.1 The Chief, Safety and Mission Assurance, in coordination with the Office of External Relations (for exchanges with the Department of Defense (DoD), intelligence agencies, and foreign entities) and in consultation with the NASA Office of the General Counsel, shall establish guidelines for exchanging safety information with organizations external to NASA (Requirement 25038).

Note: New and different methods and practices that may be beneficial to the NASA Safety Program should be brought to the attention of the responsible Headquarters Office by those that may encounter these practices used outside NASA.

1.10.2 NASA shall encourage participation by NASA safety professionals in outside safety-related professional organizations (Requirement).

Note: Examples are functions and committees of the National Safety Council, National Fire Protection Association, DoD Explosive Safety Board, National Academy of Sciences, System Safety Society, Federal Agency Committee on Safety and Health, American Society of Safety Engineers, Field Federal Safety and Health Councils, and the Joint Army, Navy, NASA, Air Force propulsion committee (and subcommittee).

1.11 Safety Motivation and Awards Program

1.11.1 The Chief, Safety and Mission Assurance, shall establish a Safety Motivation and Awards Program that recognizes the safety achievements of NASA and other Federal Government employees supporting NASA objectives in all occupational categories and grade levels (Requirement 25041).

Note: NASA is committed to continued improvement of safety in all operations. NASA's policy is to stimulate the participation of employees in this effort. The presentation of awards is considered appropriate for recognizing outstanding safety-related performance/contributions and is an effective means of encouraging safety excellence. NASA recognizes responsible individuals and organizations for the following: taking significant safety initiatives, making truly innovative safety suggestions, meeting major safety goals, making significant achievements leading to the safer and more effective use of resources or execution of NASA operations, and encouraging and rewarding safety excellence among employees (applies to supervisors).

NASA safety awards programs may provide for the recognition of non-Government personnel (e.g., JPL employees) supporting NASA objectives.

The Space Flight Awareness Employee Motivation and Recognition Program for NASA, supporting Government agencies, private industry, and international organizations, promotes safety, particularly for human space flight programs. The goal of this program is to instill in employees the need to reduce human errors and mistakes that could lead to space flight mishaps and mission failure.

1.12 Safety Management Information

Efficient communication of safety information is necessary to meet the needs of safety officials and the managers they support. This includes communications between and among operational and safety organizations. NASA safety organizations will pursue every practical means for communicating verbal and written safety management information, lessons learned, and statistics. Examples of NASA information systems are the Incident Reporting Information System and the LLIS. Records and reports of accidents, occupational injuries, incidents, failure analyses, identified hazards, mishaps, appraisals, and like items contain information necessary for developing corrective measures and lessons learned.

Detailed records of occupational injuries are reported to OSHA in accordance with 29 CFR Part 1960, Subpart I, Recordkeeping and Reporting Requirements, and NPR 8621.1, NASA Procedural Requirements for Mishap and Close Call Reporting, Investigating, and Recordkeeping. Safety forms and reports are retained per NPR 1441.1, NASA Records Retention Schedules.

1.12.1 Center Directors shall provide or make accessible to the OSMA (through an internet web site):

a. Center executive safety committee or board documentation (e.g., minutes and reports) (Requirement 31904).

b. Results of external (such as OSHA) safety program management reviews (Requirement 31905).

c. Top-level Center or program safety procedure documents that implement Headquarters requirements (Requirement 31906).

Note: Electronic versions or web addresses are acceptable and should be forwarded in conjunction with the data.

d. Copies of safety variances granted at the Center (see paragraph 1.13) (Requirement 31910).

1.12.2 The Chief, Strategic Communications, shall provide or make accessible (through internet web site) to the OSMA copies of comments sent to outside regulatory agencies (e.g., OSHA, Department of Transportation (DOT), Environmental Protection Agency (EPA)) concerning proposed rule-making that could affect the NASA Safety Program (Requirement 31908).

1.12.3 Center SMA Directors shall maintain a census of Government and contract employees performing safety, reliability, maintainability and quality functions (engineering, operations, and assurance) by organization or contractor company at their sites (Requirement).

1.12.4 COs and COTRs shall ensure that the census of employees performing safety, reliability, maintainability, and quality functions (engineering, operations, and assurance) by organization is a requirement under contracts.

1.13 Safety Variances

1.13.1 This paragraph provides policy and associated requirements for requesting and approving variances to safety requirements specified as overall SMA requirements for which OSMA is the Office of Primary Responsibility (OPR). The primary objective of this variance policy is to assure that NASA Headquarters maintains oversight of the Agency SMA requirements while providing the Centers and project managers with the authority and flexibility to accept reasonable risks necessary to accomplish their tasks. This policy is consistent with the ISO 9001 requirement for maintaining process control of services that an organization provides. This policy applies to all requirements for which OSMA is the OPR unless otherwise specified for a set of SMA requirements in an Agency requirements document.

1.13.2 A variance consists of documented and approved permission for relief from an established SMA requirement. There are three types of variances to NASA SMA requirements that may be requested at different times during the life cycle of a program/project: exceptions, deviations, and waivers. Variances can result from tailoring in the early phases of planning or from the analysis of designs, test results, and failures that occur throughout the project or facility life cycle. Tailoring is the process of determining which specific requirement(s) in a governing document shall be implemented. This process involves establishing minimum success criteria. Tailoring also authorizes relief from a specific requirement because it is not applicable to a specific mission, program/project operation, or facility and may include permanent exceptions (see paragraph 1.13.2.a of this NPR) and temporary deviations and waivers (see paragraphs 1.13.2.b and 1.13.2.c of this NPR).

a. An exception authorizes permanent relief from a specific requirement and may be requested at any time during the life cycle of a program/project. An exception typically addresses a situation where a requirement does not apply to a portion of a system. An exception may involve the approval of alternative means that provide an equivalent or lower level of risk; or formal acceptance of increased risk due to the fact that the requirement is not satisfied.

b. A deviation authorizes temporary relief in advance from a specific requirement and is requested during the formulation/planning/design stages of a program/project operation to address expected situations. A deviation involves the approval of alternative means that provide an equivalent or lower level of risk or formal acceptance of increased risk due to the fact that the requirement is not satisfied.

Note: Exceptions and deviations may be approved as part of tailoring; i.e., a process that occurs early in the planning stages of a project and involves documenting and formally approving project requirements.

c. A waiver authorizes temporary relief after the fact from a specific requirement and is requested during the implementation of a project or operation to address situations that were unforeseen during design or advanced planning. A waiver involves the approval of alternative means that provide an equivalent or lower level of risk; or formal acceptance of increased risk due to the fact that the requirement is not satisfied.

1.13.3 It is NASA policy for final approval of an SMA variance to incorporate the following:

a. All variances to project level safety, reliability, and quality requirements require signature (indicating approval of the technical approach) by the Center Director (or designee) that hosts, or is directly responsible for, the project, operation, or facility. This constitutes final approval for a variance where there is an equivalent or lower level of risk.

b. All variances to program level safety, reliability, and quality requirements require signature by the Headquarters requirement owner (OCE, OSMA, OCHMO, etc. or designee). This constitutes final approval for a variance where there is an equivalent or lower level of risk.

c. If there is a net increase in risk, in addition to the signature(s) specified in paragraphs 1.13.3.a and b, a variance requires co-signature (indicating formal acceptance of the risk associated with the variance) by the responsible project/program manager and by each Center Director (or designee) responsible for people or property exposed to the associated risk.

Note: NASA does not have approval authority for variances to Federal, State, or local regulations (e.g., OSHA, Cal OSHA), nor to consensus standards that are referenced by Federal regulations (e.g., ANSI, American Conference of Governmental Industrial Hygienists) that apply to NASA. Any variance of a Federal, State, or local regulation must be reviewed by OSMA prior to submittal to the appropriate Federal/State/local agency for approval. For example, the NASA Alternate Safety Standard for Suspended Load Crane Operations was approved by OSHA.

1.13.4 Center Directors (or designees) and project managers shall:

a. Establish and implement Center/program/project-level processes and requirements as needed to satisfy the SMA variance policy and associated requirements provided in this NPR to include processes for preparation, review, and approval of variance requests (Requirement).

b. Ensure that all variance requests include (but are not limited to) documentation as to why the requirement cannot be met, alternative means to reduce the hazard or risk, the type of variance, the duration of the variance if temporary, and comments from any affected workers or their representatives if the variance affects personnel safety (Requirement).

c. Ensure all variance requests include a risk assessment that determines whether there is an increase in risk because the requirement is not satisfied or that the intent of the requirement is met through alternate means that provide an equivalent or lower level of risk (Requirement).

d. Ensure all requests for deviations or waivers include a plan for correcting the associated deficiency and identify a date or development milestone for bringing the project into compliance with the associated requirement (Requirement).

e. Ensure variance requests are approved in accordance with the policy in paragraph 1.13.3 of this NPR (Requirement).

f. Provide copies of all approved safety variances to the OSMA (Requirement).

g. Forward any request for variance to Federal, State, or local regulations to the OSMA for review prior to submittal to the appropriate Federal/State/local agency (Requirement).

1.13.5 Center SMA Directors shall:

a. Assist programs/projects in the preparation of variance requests (Requirement).

b. Assure that the risk associated with a variance request is properly characterized (quantitatively or qualitatively) and that any increase in overall risk (as compared to a system or operation designed to meet the requirement in question) is properly identified (Requirement).

c. Assure that the variance process is carried out in accordance with this NPR (Requirement).

d. Concur (or nonconcur) with variance requests based on paragraphs 1.13.5.b. and 1.13.5.c. above (Requirement).

Note: Center SMA Directors and their personnel do not serve as approving officials unless specifically designated to do so by their Center Directors (for project level requirements) or Headquarters OSMA (for program level requirements).

1.13.6 The Chief, Safety and Mission Assurance, shall:

a. Serve as the approving official for variances to program level safety, reliability, and quality requirements under SMA cognizance (ownership) (Requirement).

b. Oversee Center/project/program implementation of the variance policy and associated requirements provided in this NPR (Requirement).

c. Review all requests for variance to Federal, State, or local regulations before submittal to the Federal/State/local agency for approval (Requirement 31912).

1.13.7 The Chief Engineer shall serve as the approving official for variances to program level technical requirements under OCE cognizance (ownership) (Requirement).

1.13.8 The Chief Health and Medical Officer shall serve as the approving official for variances to program level requirements under Chief Health and Medical Officer cognizance (ownership) (Requirement).


Chapter 2. System Safety

2.1 Introduction

This chapter establishes requirements for the implementation of system safety processes to support decision making aimed at ensuring human safety, asset integrity, and mission success in programs/projects.

System safety assessment is a disciplined, systematic approach to the analysis of risks resulting from hazards that can affect humans, the environment, and mission assets. It is a critical first step in the development of risk management strategies. System safety covers the total spectrum of technical risk and management activities including safety and risk assessments and safety performance monitoring.

The format of this chapter is different than that of the rest of this NPR because of the need to discuss advanced concepts in system safety by the references.

2.2 Institutional Roles and Responsibilities

2.2.1 Mission Directorate Associate Administrators, Center Directors, program and project managers, and line managers shall ensure that system safety activities are conducted for all programs and projects including system acquisitions, in-house developments (research and technology), design, construction, fabrication and manufacture, experimentation and test, packaging and transportation, storage, checkout, launch, flight, reentry, retrieval and disassembly, maintenance and refurbishment, modification, and disposal (Requirement 25243).

2.2.2 Center Directors, through their Center SMA Directors, shall ensure that knowledgeable system safety and technical risk analysts are made available to program/project managers and Center engineering directors to define and conduct system safety activities, including assurance of prime contractor system safety activities (Requirement 25087).

2.3 System Safety Framework

2.3.1 The term "system," as used here, refers to one integrated entity that performs a specified function and includes hardware, software, human elements, and the environment within which the system operates. A "hazard," as used here, is a state or a set of conditions, internal or external to a system, that has the potential to cause harm. Generally, one or more additional conditions need to exist or additional events need to occur in conjunction with the existence of the hazard in order for an accident or mishap 1 with consequences adverse to safety 2 to result. These additional events enable the hazard to proceed to the adverse consequence. The term "mishap" is NASA's preferred generalization of an accident and it will be used in this document to refer to events leading to safety-adverse consequences. The term "accident" will be retained in the context of risk assessment methodology because of its wide acceptance in the practice of this methodology. The term "state" or "condition" is used in a broad sense to include any intrinsic property and characteristic of the material, system, or operation that could, in certain circumstances, lead to an adverse consequence. 3

2.3.2 Hazards analysis involves the application of systematic and replicable methods to identify and understand hazards, and to characterize the risk of mishaps that involve hazards. MIL-STD-882 describes the systems engineering approach to hazard analysis. This standard is used in conjunction with the following paragraphs to develop a comprehensive scenario-based system safety analysis program.

2.3.3 Risks originate from hazards - the absence of a hazard implies a freedom from the associated risk. In the context of making decisions to manage risk, it is useful to consider "risk" as a set of triplets 4: accident scenarios involving hazards; associated frequencies 5; and associated adverse consequences. Each triplet is a statement about the likelihood of realizing a postulated accident scenario with the type and magnitude of potential adverse consequences. The expression for risk as a set of triplets is:


1 NASA defines mishap as "An unplanned event that results in at least one of the following: Injury to NASA personnel, caused by NASA operations; Injury to non-NASA personnel, caused by NASA operations; Damage to public or private property (including foreign property), caused by NASA operations or NASA funded development or research projects; Occupational injury or occupational illness to NASA personnel; Destruction of, or damage to, NASA property except for a malfunction or failure of component parts that are normally subject to fair wear and tear."

2 For example, the presence of fuel vapor in the crew module of a spacecraft is a hazard. Another example is the inoperability of the fire detection system.

3 For example, just having a toxic chemical in a tank constitutes a hazard because of the intrinsic toxicity property of the chemical.

4 S. Kaplan and B.J. Garrick, "On the Quantitative Definition of Risk," Risk Analysis, 1, 11-27, 1981.

5 The frequency estimate for each postulated accident scenario must account for the length of time during which the accident can possibly occur. This duration is often referred to as "exposure time" or "time at risk."


The "triplet" concept of risk is operationally useful because it makes clear that in order to define, assess, and understand risk it is necessary to produce:

It is also important to identify the uncertainties in the probabilities and consequences and to quantify them to the extent feasible.

2.3.4 NASA uses the term "safety" broadly to include human safety (public and workforce), environmental safety, and asset safety. 6 Therefore, safety-adverse consequences of interest to NASA may include:

a. General public death, injury, or illness.

b. Local public 7 death, injury, or illness.

c. Astronaut death, injury, or illness.

d. Ground crew and other workforce (occupational) death, injury, or illness.

e. Earth contamination.

f. Planetary contamination.

g. Loss of, or damage to, flight systems.

h. Loss of, or damage to, ground assets (program facilities and public properties).


6 The broad definition is "freedom from those conditions that can cause death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment." In the context of risk-informed decision making, safety can be considered as an overall mission and program condition that provides sufficient assurance that accidents will not result from the mission execution or program implementation, or, if they occur, their consequences will be mitigated. This assurance is established by means of the satisfaction of a combination of deterministic requirements and risk criteria.

7 The term "local public" refers to the population in the vicinity of a site for a NASA operation but not directly associated with the operation.


2.3.5 Risk management involves making decisions that eliminate hazards or reduce the frequency and/or consequences of accidents involving hazards to an acceptable level by introducing hazard control measures and modifying system design (e.g., hardware, software) and/or procedures. Risk management may also importantly involve activities to identify and reduce uncertainties. Monitoring the effectiveness of risk reduction and uncertainty reduction strategies is an important element of risk management activities. NASA's continuous risk management process shown below (Figure 2.1) provides an approach to track the effectiveness of implemented risk reduction strategies.

Figure 2.1: The Continuous Risk Management Process

2.3.6 Scenario-based Modeling for Hazards Analysis

2.3.6.1 Scenario-based modeling of hazards as illustrated in Figure 2.2 provides a general framework for the analysis of how hazards lead to adverse consequences. The identified scenarios then provide a basis for the assessment of risk. In the scenario modeling approach, for each hazard, an initiating event is identified, and necessary enabling conditions that result in undesired consequences are also identified. The enabling conditions often involve the failure to recognize a hazard or the failure to implement appropriate controls such as protective barriers or safety subsystems (controls). The resulting accident scenario is the sequence of events that is comprised of the initiating event and the enabling conditions and/or events that lead to the adverse consequences. Scenarios can be classified according to the type and severity of the consequences (i.e., according to their end states). In the scenario-based modeling framework, a linkage between hazards and adverse consequences of interest is established. Modeling of the characteristics of this linkage (i.e., how the presence of a hazard is linked with the occurrence of other events, e.g., hardware failures, software errors, human errors, or phenomenological events leading to formation of a mishap) should be the fabric of hazard analysis. As part of this modeling, the following items are addressed:

a. How a hazard enables or contributes to the causation of initiating events; i.e., the mechanism by which the hazard is translated to the initiating event.

b. How a hazard enables or contributes to the loss of the system's ability to compensate for (or respond to) initiating events.

c. How a hazard enables or contributes to the loss of the system's ability to limit the severity of the consequences.

d. Who or what the consequences affect; i.e., the target of the consequences.

Figure 2.2: Scenario-based Modeling of Hazards

In carrying out a hazard analysis, it is important to describe the context for the hazard, which involves identifying the hazard, identifying the enabling conditions and events, and identifying the target of the consequences; i.e., does the hazard represent potential adverse consequences to humans, to the environment, or to the equipment. Analyzing hazards, in the context of the above factors, supports risk management activities that involve prevention of (reduction of frequency of) adverse accident scenarios (ones with undesired consequences) and promotion of favorable scenarios. Understanding the elements of the adverse scenarios (i.e., the structure of accident scenarios and contributing hazards), the risk significance of the adverse scenarios, and elements of successful scenarios are essential to an effective system safety and risk management program. This scenario-based risk information provides required input to risk management that is used to allocate resources optimally for risk reduction.

2.3.6.2 Evaluating uncertainties 8 is an important part of evaluating risks, in particular the uncertainties associated with the accident scenario probabilities and the accident scenario consequences. Randomness (or variability) of physical processes modeled in risk assessments requires use of probabilistic models to represent uncertainty in possible scenario outcomes. The probabilistic models for the accident scenarios reflect these process-inherent uncertainties (referred to as "aleatory uncertainties"). These process-uncertainties are realized for initiating events and system behavior and must be treated explicitly in the hazards modeling. The development of accident scenarios and their risks involves using model assumptions and model parameters that are based on what is currently known about the physics of the relevant processes and the behavior of systems under given conditions. Because there is uncertainty associated with these potentially complex conditions, probabilistic models are also used to represent the state-of-knowledge regarding the numerical parameter values and the validity of the model assumptions. These state-of-knowledge uncertainties (referred to as "epistemic uncertainties") must be properly accounted for as part of risk characterization. The expanded representation of the risk triplets that accounts for epistemic uncertainties is shown below. It is also shown notionally in Figure 2.3.


8 "Uncertainty" is a broad and general term used to describe an imperfect state of knowledge or a variability resulting from a variety of factors including, but not limited to, lack of knowledge, applicability of information, physical variation, randomness or stochastic behavior, indeterminacy, judgment, and approximation. Uncertainty is generally classified into two broad categories or types: epistemic uncertainty and aleatory uncertainty. Epistemic uncertainty is that uncertainty associated with incompleteness in the analyst's (or analysts') state of knowledge. Aleatory uncertainty is that uncertainty associated with variation or stochastic behavior in physical properties or physical characteristics of the system being addressed.


Figure 2.3: Expressing Risk as a Set of Triplets 9


9 In the above, "RISK" denotes risk with uncertainty, which is an inherent part of risk.


2.3.7 Strategies to Manage Safety Risks

Risk management decisions can involve the elimination of hazards or the reduction in the probability or consequences associated with accident scenarios by modifying designs and/or introducing additional design features (e.g., hardware, software, ergonomic), and/or operational or management procedures that prevent the occurrence of an accident scenario or its propagation (individual events within the scenario) or by mitigating the consequences. Improvements in the state-of-knowledge regarding key uncertainties (i.e., uncertainty reduction) that drive the risk associated with a hazard can also be used to manage risk. (See paragraph 1.7.1 of this NPR.)

2.3.8 Program success is achieved by ensuring that technical objectives of the program are accomplished safely within the constraints of cost and schedule and consistent with stakeholder expectations. Safety is one of NASA's core values. Ensuring safety involves the following high-level safety objectives:

a. Protect public health.

b. Protect workforce health.

c. Protect the environment.

d. Protect program (systems and infrastructures needed to execute a mission) and public assets.

In order to properly support key design and operational decisions, it is necessary that design and operational alternatives 10 are analyzed not only with respect to their impact on the mission's technical and programmatic objectives, but also with respect to their impact on these high-level safety objectives. Probabilistic risk assessments 11 developed as part of system safety modeling activities and supported by qualitative safety analyses (e.g., Preliminary Hazard Analysis (PHA), Fault Tree Analysis) are used to assess the impact of a decision alternative on the overall objectives. It should be noted that a typical probabilistic risk assessment model combines many engineering models including qualitative safety and reliability models (e.g., PHA, Failure Modes and Effects Analysis (FMEA)) and quantitative hardware and human reliability models for the purpose of quantifying risk. Qualitative system safety analyses are mostly "deterministic," and uncertainties which remain unquantified are managed using redundancy, design for minimum risk, physical margins, and safety factors. The roles of both probabilistic risk assessment and qualitative system safety analyses in decision making are depicted in Figure 2.4. In this NPR, the term "System Safety Models" is used to include both qualitative safety analysis and probabilistic risk assessment models. It is important to emphasize that qualitative safety analysis, to be most effective, needs to be scenario-based, even if the risks of scenarios are not explicitly quantified.


10 Decision making is the process of selecting "the most preferential (according to predetermined rules) choice" from a number of available choices. Each choice represents a decision alternative.

11 Probabilistic risk assessments are used to systematically develop the set of risk triplets discussed earlier. Probabilities, magnitude of consequences, and associated uncertainties are evaluated using various analytical models (including reliability and availability models) and all available evidence, which includes physics, past experience, and expert judgment.


Figure 2.4: The Role of System Safety Models in Decision Making

Figure 2.4 shows importantly that probabilistic risk assessment complements and supports qualitative safety analyses and does not replace it. The deliberation that takes place before a decision is made utilizes the insights and results of both the qualitative "deterministic" analyses and the probabilistic risk assessment. Possible conflicts between these results may be resolved during the deliberation. This process of decision making is therefore risk-informed, not risk-based. It is important to note that the decision is the result of a combination of analysis and deliberation.

The deliberation at the end of the process imposes a responsibility on the decision makers who must consider subjectively the impact of each decision option on various metrics 13 that represent technical and programmatic objectives as well as on metrics that represent safety considerations. Consequently, it would be desirable to move as much of this burden as possible from the deliberation to the analysis and to begin such analysis early in Formulation. 12

2.3.9 To facilitate the deliberation, we develop the hierarchical tree of Figure 2.5, which shows how system safety models along with other models are utilized to assess the impact of a decision alternative on safety and other objectives.

The top tier of this tree is "Program Success." The idea is to evaluate the impact on this ultimate objective of each decision alternative listed in the diamond at the bottom of the figure. Since "Program Success" is very general, a hierarchical approach is employed to develop quantitative metrics that will measure the achievement of this top-level objective. The next tier in the tree lists the general objective categories that constitute program success; i.e., "Affordability," "Program technical objectives," "Safety," and "Stakeholder support." 14 At the next tier, these categories are elaborated upon further by listing a number of objectives. Thus, the category "Safety" becomes the four objectives: "Protect public health," "Protect workforce health," "Protect environment," and "Protect program and public assets." The next tier of the tree, labeled "potential adverse consequences," shows quantitative metrics for each objective. For example, two metrics for the objective "protecting environment" are: "earth contamination" and "planetary contamination." These metrics, also called Performance Measures (PMs), allow quantitative assessment of the impact of each decision alternative on the objectives. This hierarchical, tree-like structure shows the objectives that the decision maker values in making the decision. It provides a convenient structure for:

a. Identification of safety PMs (measures of safety adverse consequences) and other technical and programmatic PMs in the context of the program's high-level objectives.

b. Formulating risk tradeoff studies.

c. Capturing of decision maker's preferences. 15

d. Ranking of decision alternatives according to their desirability (based on consideration of PMs and preferences).

e. Deliberation that is required as part of the decision-making process.


12 Details on the analytic-deliberative decision-making process are given in the National Research Council's report "Understanding Risk: Informing Decisions in a Democratic Society," National Academy Press, Washington, DC, 1996.

13 The Institute of Electrical and Electronics Engineers (IEEE) defines metric as a quantitative measure of the degree to which a system, component, or process possesses a given attribute.

14 These objectives must be fundamental objectives; i.e., objectives that the decision maker fundamentally cares about.

15 The PMs (adverse consequences), in general, are not valued equally by the decision maker.


2.3.10 A PM is a metric that is related to risk and/or the constituents of risk (e.g., probability, consequence). It provides risk insight into a process, a project, or a product to enable assessment and improvement. Safety PMs are metrics that provide measures of the safety performance of a system. Because adverse space mission mishaps are rare and an absence of mishaps does not assure that no mishaps will occur in the future, safety PMs provide a means of assessing and monitoring safety performance to enable design and operational decisions aimed at preventing mishaps and optimizing safety. High level safety PMs (see the hierarchy shown in Figure 2.5) can be defined in terms of the probability of a consequence type of a specific magnitude (e.g., probability of any general public deaths or injuries) or the expected magnitude of a consequence type (e.g., the number of public deaths or injuries). Metrics such as "Probability of failure to meet a mission critical function" can be used as non-safety PMs. Safety and non-safety PMs, along with other performance measures such as reliability, provide decision makers with the ability (1) to set performance goals (e.g., safety goals), (2) to trade performances, and (3) to monitor performances at different stages of the system life cycle.

Figure 2.5: The Role of System Safety Models and Other Models in Risk-informed Decision Making

2.3.11 Relationship of System Safety Technical Processes with Other Technical Processes

The system safety technical processes provided in this chapter cannot be effective unless they are performed by well-trained and experienced safety analysts and are supported by engineering and safety-related activities that include:

a. Ensuring that safety, software, and quality standards are applied and utilized throughout the project life cycle (e.g., NASA-STD-8719.13, Software Safety Standard, and NASA-STD-8739.8, Software Assurance Standard). These are included in the box "Qualitative System Safety Analysis" of Figure 2.4 and in the deliberation.

b. Monitoring processes to ensure that lessons learned are used as feedback to inform safety-related models and activities.

c. Ensuring that best practices in system engineering are followed in the design of the system.

Note: Requirements for system engineering are provided in NPR 7123.1, Systems Engineering Procedural Requirements.

2.4 Scope of System Safety Modeling

Decision makers throughout the entire life cycle of the project, beginning with concept design and concluding with decommissioning, must consider safety. However, the level of formality and rigor that is involved in implementing the system safety processes should match project potential consequences, life cycle phase, life cycle cost, and strategic importance. To assist in determining the scope of activities for safety evaluations as a function of project characteristics, two tables are provided. The categorization scheme identified in Table 2.1 is used to determine a project priority. This table is similar to Table 1 from NPR 8705.5, Probabilistic Risk Assessment (PRA) Procedures for NASA Programs and Projects.

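Table 2.1. Criteria for Determining the Project Priority

Consequence Category | Criteria / Specifics | Project Priority Ranking
Human Safety and Health | Public Safety and Health: Planetary Protection Program Requirement | I
Human Safety and Health | Public Safety and Health: White House Approval (PD/NSC-25) | I
Human Safety and Health | Public Safety and Health: Space Missions with Flight Termination Systems | I
Human Safety and Health | Human Space Flight | I
Mission Success (for non-human rated missions) | High Strategic Importance Projects | I
Mission Success (for non-human rated missions) | Limited Window | I
Mission Success (for non-human rated missions) | High Cost (See NPR 7120.5) | I
Mission Success (for non-human rated missions) | Medium Cost (See NPR 7120.5) | II
Mission Success (for non-human rated missions) | Low Cost (See NPR 7120.5) | III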

Once the project priority is determined, the scope of system safety modeling is determined using Table 2.2.

2.4.2 Projects identified as "Priority I" ranking from Table 2.1 are generally the most visible and complex of NASA's product lines. Because of this, the system safety technical processes for Priority I projects must include probabilistic risk assessment as specified in NPR 8705.5, Probabilistic Risk Assessment (PRA) Procedures for NASA Programs and Projects. For Priority II or III projects, Table 2.2 provides latitude to adjust the scope of system safety modeling. This graded approach to the application of system safety modeling also operates on another dimension. That is, the level of rigor and detail associated with system safety modeling activities must be commensurate with the availability of design and operational information 16. The two-dimensional nature of the graded approach is intended to ensure that allocation of resources to system safety technical activities considers the visibility and complexity of the project and to ensure that the level of rigor associated with system safety models follows the level of maturity of the system design.


16 For example, during the formulation phase, an order-of-magnitude or bounding assessment may be performed. In this type of assessment, the probability and/or the magnitude of consequence is approximated or bounded instead of deriving a best-estimate. These assessments are useful for screening purposes and initial risk tradeoff studies.


Table 2.2: Graded Approach to System Safety Modeling

Priority Ranking | Scope (The level of rigor and details are commensurate with the level of design maturity)
I | Probabilistic risk assessment (per NPR 8705.5) supported by qualitative system safety analysis
II | Qualitative system safety analysis supplemented by probabilistic risk assessment where appropriate
III | Qualitative system safety analysis

2.5 Core Requirements for System Safety Processes

The system safety modeling approaches previously described should be implemented as part of technical processes that represent system safety activities. Conceptually, system safety activities consist of three major technical processes as shown in the circular flow diagram in Figure 2.6. These processes are designed to systematically and objectively analyze hazards and identify the mechanism for their elimination or control. These processes begin in the conceptual phase and extend throughout the life cycle of a system including disposal. In general, requirements for safety system technical processes must provide a risk-informed perspective to decision makers participating in the project life cycle. The three critical technical processes to a successful system safety program are (1) system safety modeling, (2) life cycle applications of models for risk-informed decisions, and (3) monitoring safety performance. The circular flow indicates that these technical processes are linked and are performed throughout the project life cycle. A System Safety Technical Plan is used to guide the technical processes and establish roles and responsibilities. This plan is established early in the formulation phase of each project and updated throughout the project life cycle.

Figure 2.6: The System Safety Technical Processes

2.5.1 System Safety Technical Plan (SSTP)

The SSTP is designed to be a technical planning guide for the technical performance and management of the system safety activities. The SSTP can be a stand-alone document, or part of the SMA plan or the Systems Engineering Management Plan (SEMP). It provides the specifics of the system safety modeling activities and describes what and how safety adverse consequences will be modeled, how system safety models (qualitative and probabilistic risk assessments) will be integrated and applied for risk-informed decision making and safety monitoring, how the technical team(s) responsible for generating and maintaining system safety models will interact with the system engineering organizations, the reporting protocol, and the cost and schedule associated with accomplishing system safety modeling activities in relation to the critical or key events during all phases of the life cycle.

2.5.1.1 Project managers shall:

a. Ensure, for Category I project/programs, that the SSTP is approved by the governing Program Management Council (PMC) and has concurrence by the cognizant SMA managers and the project's senior engineer (Requirement).

b. Ensure that the System Safety Manager and the prime contractor (for out-of-house projects) have the resources to implement the SSTP (Requirement 25082).

c. Ensure, for Category I project/programs, that changes to the SSTP are approved by the governing PMC and have concurrence by the Chief, Safety and Mission Assurance (Requirement).

d. When the SSTP is not an integral part of the SEMP, ensure the SSTP is coordinated with the SEMP for the integration of system safety activities with other system engineering technical processes (Requirement).

2.5.1.2 The Center SMA Director shall:

a. In coordination with the program/project manager, assign a System Safety Manager to have specific responsibility for the development and implementation of the SSTP (Requirement 25081).

b. Ensure that the assigned System Safety Manager has demonstrated expertise in safety analysis including, in the case of Category I and II projects, the application of probabilistic risk assessment techniques (Requirement).

c. Ensure that all personnel with project safety oversight responsibilities are funded by other than direct project funding sources (Requirement).

2.5.1.3 The assigned System Safety Manager shall:

a. Develop an SSTP during the project formulation phase and update the plan throughout the system life cycle (Requirement).

b. Ensure that the scope of system safety technical processes in the SSTP follows the graded approach specified in Tables 2.1 and 2.2 (Requirement 32105).

c. Ensure that the SSTP provides the specifics of the system safety modeling activities and their application to risk-informed decision making and safety monitoring throughout the project life cycle (Requirement).

d. In consultation with the project managers, establish and document in the SSTP the objectives and scope of the system safety tasks and define applicable safety deliverables and performance measures (Requirement).

e. Provide technical direction and manage implementation of system safety activities as specified in the SSTP (Requirement).

f. Ensure that system safety engineering activities are integrated into system engineering technical processes (Requirement).

g. Determine the acceptability of residual risk stemming from safety assessments (Requirement).

h. Ensure that specific safety requirements are integrated into overall programmatic requirements and are reflected in applicable program and planning documents including the statement of work for contractor designs (Requirement 32120).

i. Maintain appropriate safety participation in the program design, tests, operations, failures and mishaps, and contractor system safety activities at a level consistent with mishap potential for the life of the program (Requirement 25094).

j. Establish an independent safety reporting channel to keep the Center SMA Director apprised of the system safety status (including tests and operations), particularly regarding problem areas that may require assistance from the Center, the NASA Engineering and Safety Center, or Headquarters (Requirement 25095).

k. Support OSMA requirements for audits, assessments, and reviews (Requirement).

2.5.2 System Safety Modeling

Developing and maintaining technically sound and tractable safety models are essential activities for ensuring safety. In these activities, analysts use all the relevant and available information including design documents, operational procedures, test results, operational history, and human and software performance to develop comprehensive system safety models. Developing these models is multidisciplinary and may involve diverse and geographically dispersed groups. Thus, it is important for the safety modeling activities to be coordinated in order to ensure consistency and technical quality.

Safety models need to be synchronized with the system design and operational state-of-knowledge to ensure the models match the collected engineering information during operation with model predictions.

2.5.2.1 System Safety Managers shall ensure that the system safety modeling activities are fully integrated into system engineering and are supported by domain, systems, and specialty engineers (Requirement).

2.5.2.2 System engineers shall:

a. Ensure that system safety models use systematic, replicable, and scenario-based techniques to identify hazards, to characterize the risk of accidents, to identify risk control measures, and to identify key uncertainties (Requirement 32122).

b. Initially conduct system safety analyses during project formulation and design concept phases (prior to the Preliminary Design Review) and maintain and update these analyses continuously throughout the project life cycle (Requirement 32126).

c. Ensure, for Category I and II program/projects, probabilistic risk assessment techniques are used for system safety analysis (Requirement).

d. Ensure that the system safety models are developed in an iterative process to allow model expansion, model updating, and model integration as the design evolves and operational experience is acquired (Requirement).

Note: Relevant leading-indicator (or precursor 17) events should be documented and evaluated for their impact on the system safety analyses assumptions. Trending of these precursor events should be conducted and contrasted to applicable PMs.

e. Use system specific and all relevant data including failure histories, mishap investigation findings, and the NASA LLIS in system safety analysis (Requirement).

f. Maintain an up-to-date database of identified hazards, accident scenarios, probabilities and consequences, and key uncertainties throughout the life of the program (Requirement 25093).

g. Document the bases for the system safety analyses including key assumptions, accident scenarios, probabilities, consequence severities, and uncertainties such that they are traceable (Requirement).

2.5.3 Application of System Safety Models for Risk-informed Decisions

Safety and technical risk considerations are critical in the decision-making process. When faced with a decision, several conflicting alternatives may be available to the decision maker. In a risk-informed decision-making framework, the decision maker considers safety and other technical attributes as well as programmatic attributes, such as cost and schedule, to select the best decision alternative.

2.5.3.1 Program/project managers shall:

a. Ensure that a framework is constructed for systematically incorporating system safety analysis results into the evaluation of decision alternatives (Requirement).

b. Establish and document a formal and transparent decision-making process for hazard closure 18 and formally accepting residual risk that has been determined to be acceptable by the cognizant technical authority (Requirement 25085).

c. Ensure acceptable residual risks 19 are accepted in writing (Requirement 32114). (See paragraph 1.6 of this NPR.)

d. Ensure that decisions to accept risk are coordinated with the governing SMA organization and communicated to the next higher level of management for review (Requirement 32115). (See paragraph 1.6.2 of this NPR.)

e. Where residual risks have been determined by either the cognizant technical authority or the cognizant SMA authority as "unacceptable," initiate risk mitigation/control activities, as appropriate, to reduce the risk to an acceptable level (Requirement).

f. Ensure that the requirements of this Chapter are specified in related contracts, memoranda of understanding, and other agreement documents (Requirement). (See Chapter 9 of this NPR.)


17 A precursor is an occurrence of one or more events that have significant failure or risk implications.

18 Closure of a hazard condition or other safety issue is the demonstration that all safety requirements expressly formulated to address the condition or issue have been satisfied.

19 Residual risk is the level of risk that remains present after applicable safety-related requirements have been satisfied. In a risk-informed context, such requirements may include measures and provisions intended to reduce risk from above to below a defined acceptable level.


2.5.3.2 The System Safety Manager shall:

a. Ensure that system safety models are constructed to support the implementation of the risk-informed decision framework (Requirement).

b. Ensure that the system safety models incorporate all the safety attributes important to risk-informed decision making by working with the project manager and other decision makers as deemed appropriate (Requirement).

c. Establish the methods and tools that are used in the risk-informed framework (Requirement).

d. Check and validate the methods and tools before implementation and obtain concurrence from the project manager (Requirement).

e. Document the bases for the methods and tools used and analytical results (Requirement).

2.5.4 Performance Monitoring

Safety, like other performance attributes, is monitored during the entire life cycle to ensure that an acceptable level of safety is maintained.

2.5.4.1 Project managers shall ensure that the performance attributes and precursors that are identified as being important indicators of system safety are monitored (Requirement).

2.5.4.2 The System Safety Manager shall:

a. Establish the methods and tools that are used in the performance monitoring and precursor assessments (Requirement).

b. Check and validate the methods and tools used for performance monitoring and precursor assessments before implementation (Requirement).

c. Maintain an up-to-date database of the performance monitoring results and precursor results (Requirement).

d. Ensure that the performance monitoring and precursor data are fed back into system safety analyses and the results updated (Requirement).

e. Document the bases for the methods and tools that are used in the performance monitoring and precursor assessments (Requirement).

2.6 System Safety Reviews

System Safety and Mission Success Program Reviews are conducted in conjunction with other program milestones. The purpose of these reviews is to evaluate the status of system safety and risk analyses, risk management, verification techniques, technical safety requirements, and program implementation throughout all the phases of the system life cycle.

2.6.1 The program/project manager shall:

a. Conduct periodic system safety and mission success reviews of their program/project depending on the complexity of the system (Requirement 25099).

Note: The greater the risks, complexity of the system, or visibility of the programs, the greater the independence and formality of the reviews.

b. Document the periodicity of the System Safety and Mission Success Program Reviews in the SSTP (Requirement).

c. Ensure that the System Safety and Mission Success Program Reviews focus on the evaluation of management and technical documentation, hazard closure, and the safety residual risks remaining in the program at that stage of development (Requirement 32129).

d. Establish and maintain dedicated independent assessment activities for Priority I programs and projects, such as the Constellation Program (Requirement 32113).

2.6.2 The System Safety Manager shall:

a. Conduct periodic independent reviews of the system safety tasks keyed to project milestones (Requirement 25091).

b. Assist and support independent review groups established to provide independent assessments of the program (Requirement 25092).

c. Support the OSMA independent safety assessment process to determine readiness to conduct tests and operations having significant levels of safety risks (Requirement).

2.7 Change Review

Systems are changed during their life cycle to enhance capabilities, improve safety, provide more efficient operation, and incorporate new technology. With each change, the original safety aspects of the system can be impacted, either increasing or reducing the risk. Any aspect of controlling hazards can be weakened, risks can be increased, or conversely, risks can be decreased. Even a change that appears inconsequential could have significant impact on the baseline risk of the system. Accordingly, proposed system changes should be subjected to a safety review or analysis, as appropriate, to assess the safety and risk impacts, including implications on controls and mitigations for significant hazards and FMEA/CILS.

2.7.1 The project manager and the System Safety Manager shall:

a. Update the system safety analyses to identify any change in risk (Requirement 25102).

b. Ensure that safety personnel assess the potential safety impact of the proposed change and any changes to the baseline risk and previously closed hazards (Requirement 32137).

c. Ensure that proposed changes to correct a safety problem are analyzed to determine the amount of safety improvement (or detriment) that would result from incorporation of the change (Requirement 32138).

d. Ensure that the safety impact for every change that is proposed to a program baseline (even if the statement is "No Impact") is documented (Requirement 32139).

2.8 Documentation

The maintenance of the SSTP is required to provide ready traceability from the baseline safety requirements, criteria, and efforts planned in the conceptual phases through the life cycle of the program.

2.8.1 The project manager (or designated agent) and the System Safety Manager shall:

a. Ensure that all pertinent details of the system safety analysis and review are traceable from the initial identification of the risks through their resolution and any updates in the SSTP (Requirement 25100).

b. Ensure that records are maintained per NPR 1441.1, NASA Records Retention Schedules (Requirement 32130).

2.8.2 The System Safety Manager shall:

a. Submit a system safety analysis report to the program/project manager at each milestone (formulation, evaluation, implementation, or other equivalent milestones [e.g., Safety Requirements Review 20, Preliminary Design Review, Critical Design Review, and Flight Readiness Review]) detailing the results of the system safety analyses completed to date to document the status of system safety tasks (Requirement 25101).

b. Ensure that each submitted revision to the system safety analysis report lists the risks that have been addressed, the risks that have yet to be addressed, and expected residual risks that will remain following the implementation of risk reduction strategies (Requirement 32132).

c. Ensure that the system safety analysis report documents management and technical changes that affect the established safety baseline (by changes in the planned approach, design, requirements, and implementation) and is revised when required (Requirement 32133).

d. Ensure that a final approved system safety analysis report is produced that contains a verification of the resolution of the risks and a written acceptance of the residual risks from the program/project manager to complete the audit trail (Requirement 32134).


20 Safety requirements include both deterministic and risk-informed requirements. A deterministic safety requirement is the qualitative or quantitative definition of a threshold of action or performance that must be met by a mission-related design item, system, or activity in order for that item, system, or activity to be acceptably safe. A risk-informed requirement is a safety requirement that has been established, at least in part, on the basis of the consideration of a safety-related risk metric and its associated uncertainty.



CHAPTER 3. Operational Safety

3.1 Purpose and Objectives

This chapter establishes safety procedural requirements for NASA operational safety. The objective of this chapter is to protect the public; flight, ground, laboratory, and underwater personnel; the environment; aircraft; spacecraft; payloads; facilities; property; and equipment from operations-related safety hazards. This NPR is not inclusive of all regulations and requirements governing operations. Citations are indicated throughout the text for applicable standards, specifications, and other references.

3.1 NASA has established an Engineering and Construction Innovations Committee to nurture and foster the identification and appropriate use of new innovations and practices to improve the process of delivering high quality facilities projects. Each Center or off-site facility with responsibility for construction projects has one member/vote on the Engineering and Construction Innovations Committee.

3.1.1 Center Directors shall conduct safety inspections of all facilities, occupied or unoccupied, at least annually to ensure compliance with safety, fire protection, and building codes and standards (Requirement).

3.2 Motor Vehicle Safety

3.2.1 Center Directors shall ensure that motor vehicle operating procedures comply with Federal, State, and local motor vehicle safety regulations (Requirement 25139).

3.2.2 Motor Vehicle Operation

Note: Motor vehicles include electric utility cars.

3.2.2.1 Operators of motor vehicles on NASA property or operating a NASA vehicle both on and off NASA property shall:

a. Not drive a motor vehicle for a continuous period of more than 10 hours, including a combination of personal driving and driving for official NASA business (Requirement).

b. Not drive a motor vehicle for a combined duty period that exceeds 12 hours in any 24-hour period, without at least 8 consecutive hours of rest (Requirement 32269).

c. Not use hand-held communication devices while the vehicle is in motion except for emergency, security, and fire vehicles during official operations (Requirement).

Note: This includes cell phones, UHF radios, or other hand-held wireless communication devices. When there are two individuals traveling in an emergency, security, or fire vehicle during official operations, the passenger should be the person to use the hand-held communication device.

d. Ensure that children unable to use seat belts while in Federal vehicles are secured in DOT-approved child safety seats that are properly installed (Requirement 32276).

e. Have formal training, as required in paragraph 7.3.1 of this NPR, if operation of the vehicle involves skills beyond those associated with normal, everyday operation of private motor vehicles (Requirement).

3.2.2.2 Center Directors shall ensure that any variation from the above policy has safety office approval (Requirement 32270).

3.2.2.3 Center Directors shall ensure that all NASA motor vehicles used off NASA Centers are inspected to the standards of the State or other jurisdiction's vehicle safety inspection requirements (Requirement 32273).

3.2.3 Seat Belts

Executive Order 13043, Increasing Seat Belt Use in the United States, dated April 16, 1997, as amended, requires all Federal employees to use seat belts while on official business. The EO states seat belt use is required by Federal employees operating or in any vehicle with seat belts while on Federal business.

3.2.3.1 Center Directors shall ensure that:

a. Center policy requires passengers not be carried in the cargo area of pickup trucks, flatbeds, or special purpose equipment such as fire trucks or escape trucks unless designated occupant positions with seat belts are provided (see 49 CFR Part 571, Federal Motor Vehicle Safety Standards) (Requirement 32277).

b. Center policy requires the use of seat belts for all occupants of motor vehicles operated on NASA property, including delivery vans and trucks of all sizes, at all times the vehicle is in motion (Requirement 32278).

3.2.4 Annual Seat Belt Report

3.2.4.1 Director, Safety and Assurance Requirements Division, shall:

a. Prepare and submit an annual status report to the Secretary of Transportation on NASA-wide seat belt use (Requirement 32280).

Note: Required by EO 13043, Increasing Seat Belt Use in the United States, dated April 18, 1997, as amended. The annual report includes seat belt usage rates and statistics of crashes, injuries, and related costs involving Federal employees on official business. DOT consolidates this data into an annual status report to the President for all Federal Agencies.

b. Coordinate data for the annual report with the Office of Institutions and Management and the OCHMO (Requirement).

Note: The format and submittal date for the report will be as directed each year by the Secretary of Transportation.

3.2.5 Traffic Control Devices and Markings

3.2.5.1 Center Directors shall use the ANSI D6.1, Manual on Uniform Traffic Control Devices for Streets and Highways, for guidance when setting traffic control devices or marking roads for motor vehicle operations on NASA property (Requirement 25142).

3.3 Personal Protective Equipment (PPE)

3.3.1 Requirements for the stocking and issuance of PPE are provided in NPR 4100.1, NASA Materials Inventory Management Manual.

3.3.2 Requirements for the accountability of PPE are provided in NPR 4200.1, NASA Equipment Management Manual.

3.3.3 Requirements for the use, including the training for, storage, and maintenance, of PPE are provided in 29 CFR Part 1910, Subpart I, Personal Protective Equipment.

3.3.4 Examples of PPE. Items which may be purchased and issued by NASA include, but are not limited to, the following:

a. Safety goggles and safety spectacles (plain and prescription).

b. Welding helmets and shields.

c. Safety shoes.

d. Steel sole and/or toe safety boots.

e. Aprons, suits, and gloves (e.g., fire resistant materials, leather, rubber, cotton, and synthetics).

f. Protective head gear (e.g., hard hats and caps, liners, helmets, and hoods).

g. Face shields.

h. Specialty items of protective nature (e.g., cryogenic handlers suits, Self-Contained Atmospheric Protective Ensemble suits, fire fighter suits, foul weather gear, harnesses, life belts, lifelines, life nets, insulated clothing for "cold test" exposure, supplied air suits, and electrical protective devices).

j. Hearing protective devices.

3.3.5 Center Directors shall:

a. Issue PPE to NASA employees at Government expense in those situations where engineering controls, management controls, or other corrective actions have not reduced the hazard to an acceptable level or where use of engineering controls, management controls, or other techniques is not feasible (Requirement 32282).

b. Authorize (or deny) the purchase of PPE after the purchase request has been reviewed by safety and health professionals to determine proper specifications and adequacy of abatement.

Note: The authority for the purchase of PPE with appropriated funds is provided in 5 U.S.C. 7903, Protective Clothing and Equipment. It is recommended that local safety and health committees be involved in the decision to purchase PPE.

c. Ensure that only clothing and equipment meeting Federal regulations, industrial standards, or NASA special testing requirements are used for PPE (Requirement 32286).

Note: Transients or visitors may be furnished PPE on a temporary basis if they are on site for NASA-related business purposes or at NASA's invitation.

d. Ensure that non-NASA, contractor, and non-contractor personnel at their Center procure their own PPE to provide an equivalent level of safety (Requirement 32290).

e. Ensure that non-NASA, contractor, and non-contractor personnel at their Center provide the appropriate training, fit testing, and compliance with other Federal, State, local, and NASA PPE requirements (Requirement).

f. Have a formal Respiratory Protection Program if respirators are used at their Center (Requirement 32294).

Note: The OCHMO at NASA Headquarters provides guidance for purchasing, training, selection, and qualification for use of respiratory protective devices and other health-related PPE.

3.3.6 COs and COTRs shall ensure that contracts require non-NASA, contractor, and non-contractor personnel to procure their own PPE.

3.3.7 NASA hosts, guides, or area supervisors shall be responsible for obtaining, issuing, and recovering PPE issued to transients or visitors on site for NASA-related business purposes or at NASA's invitation (Requirement 32289).

3.4 Control of Hazardous Energy (Lockout/Tagout Program)

3.4.1 Requirements for all NASA Centers, facilities, and operations that have the responsibility for controlling hazardous energy involving electrical, pressure, hydraulic, pneumatic, and mechanical systems are given in 29 CFR 1910.147, The Control of Hazardous Energy (lockout/tagout).

3.4.2 Center Directors shall establish a program for controlling hazardous energy during service and maintenance operations where the unexpected energizing or startup of equipment could cause injury to employees or equipment damage (Requirement 32295).

3.5 Pressure System Safety

Requirements for NASA pressure vessel and vacuum system safety are provided in NPD 8710.5, NASA Safety Policy for Pressure Vessels and Pressurized Systems.

3.5.1 Center Directors and Project Managers shall use NPD 8710.5, NASA Safety Policy for Pressure Vessels and Pressurized Systems, to protect personnel and property from hazards posed by pressure vessels and pressurized systems.

Note: This document assigns responsibilities for the various aspects of a NASA pressure vessel and pressurized systems safety program, references the codes, standards, guides, and Federal regulations that must be followed, and establishes unique NASA requirements.

3.6 Electrical Safety

This paragraph provides requirements for protecting personnel and property from electrical hazards. It applies to all NASA uses of electrical power.

3.6.1 Center Directors shall ensure that:

a. Electrical systems are designed in accordance with NFPA 70, National Electric Code, MIL-454, Standard General Requirements for Electronic Equipment, or Center-specific requirements if more specific (Requirement 32297) .

b. Electrical systems are operated and maintained to adequately control hazards likely to cause death or serious physical harm or severe system damage (Requirement 32298) .

c. All electrical systems are reviewed by the Center's safety office for appropriate location and for proximity to ignitable or combustible material such as gas, vapor, dust, or fiber (Requirement 32322) .

d. All electrical work deemed hazardous by job safety analysis is performed by personnel familiar with electrical code requirements in accordance with NFPA 70E, Standard for Electrical Safety in the Workplace, and qualified/certified for the class of work to be performed (Requirement 32300) .

e. Transformer banks or high-voltage equipment (600+ volts) are protected by an enclosure to prevent unauthorized access with metallic enclosures being grounded (Requirement 32305) .

f. Entrances to enclosed transformer banks or high-voltage equipment (600+ volts) not under constant observation are kept locked (Requirement 32306) .

g. Signs warning of high voltage and prohibiting unauthorized entrance are posted at entrances and on the perimeter of enclosed transformer banks or high-voltage equipment (600+ volts) (Requirement 32307) .

h. An authorized access list of qualified personnel is maintained for enclosed transformer banks or high-voltage equipment (600+ volts) (Requirement 32308) .

i. Inductive floors or other methods are used where electrostatic discharge is a significant hazard to personnel or hardware (Requirement 32309) .

3.6.2 Supervisors shall ensure that:

a. No person works alone with high voltage electricity (Requirement 32303) .

b. One person, trained to recognize electrical hazards, is delegated to watch the movements of other personnel working with electrical equipment to warn them if they get dangerously close to live conductors or perform unsafe acts and to assist in the event of a mishap (Requirement 32304) .

3.7 Hazardous Material Transportation, Storage, and Use

3.7.1 This paragraph provides requirements for protecting persons and property during the transportation, storage, and use of hazardous materials. NASA policy for transporting hazardous material or hazardous or radiological waste is contained in NPD 6000.1, Transportation Management.

Note: The OCHMO maintains a Web-based hazardous materials information database (ChemWatch) that is available for use by all NASA and NASA contractor personnel. Contact the Senior Environmental Health Officer at (321) 867-2961 for Web access to the database.

3.7.2 Requirements for the transport of hazardous materials on both Federal property and public roadways are provided in applicable Federal regulations (e.g., DOT, EPA, and OSHA) and State and local laws and regulations.

3.7.3 Hazardous material is defined by law as a substance or material in a quantity and form which may pose an unreasonable risk to health and safety or property when transported in commerce (49 CFR Part 171.8, Regulations, Definitions, and Abbreviations). The Secretary of Transportation has developed a list of hazardous materials given in 49 CFR Part 172.101, Purpose and Use of Hazardous Materials Tables.

3.7.4 Typical hazardous materials are those that may be highly reactive, poisonous, explosive, flammable, combustible, corrosive, and radioactive; produce contamination or pollution of the environment; or cause adverse health effects or unsafe conditions.

3.7.5 Transporting Hazardous Material

3.7.5.1 Center Directors shall ensure:

a. That the mode of transportation is inspected to the standards of the Federal Highway Administration, U.S. Coast Guard, Department of Transportation, and Federal Railroad Administration (Requirement 32314) .

b. That all contractor motor vehicles, rail cars, boats, and ships covered by NASA Bill of Lading and used for the transportation of hazardous material have passed an inspection prior to loading to assure that the vehicle or vessel is in safe mechanical condition (Requirement 32313) .

c. That all vehicles transporting hazardous materials on NASA and public roadways display all DOT-required placards, lettering, or numbering (Requirement 32315) .

d. That hazardous material defined in 49 CFR Part 171.8, Hazardous Material Regulations, Definitions, and Abbreviations, is not transported in NASA administrative aircraft (Requirement 32316) .

Note: To ensure hazardous material is not inadvertently loaded on administrative aircraft, all cargo for shipment should be routed through the Center's transportation office or, if en route, cargo should be accepted only from a certified shipper or freight forwarding agency.

3.7.6 Hazardous Material Storage, Use, and Disposal Inventories

3.7.6.1 Center Directors shall ensure:

a. That hazardous material storage, use, and disposal inventories are conducted at least annually (Requirement).

b. That the conditions of materials in storage are assessed at least quarterly, and those determined to be unsuitable for use are removed from active inventory (Requirement 32317) .

c. That local procedures address the requirements for release prevention, control, countermeasures, contingency planning, and include a listing of restricted/prohibited materials for purchasing and use at Centers.

Note: Requirements for the storage, use, and disposal of hazardous materials are provided in Federal and State regulations.

d. That NASA procurement activities reference 29 CFR Part 1910.1200, Hazard Communication, and Federal Standard 313, Material Safety Data, Transportation Data and Disposal Data for Hazardous Materials Furnished to Government Activities, as revised, in commodity specifications, purchase descriptions, purchase orders, contracts, and other purchase documents (Requirement 32318) .

e. That electronic, magnetic, optical, or paper copies of all Material Safety Data Sheets (MSDS) are maintained in the work area where the material is being used or stored (Requirement 32320) .

f. The employees in work areas where hazardous materials are being used or stored are permitted to view any MSDS sheet maintained on file (Requirement).

Note: The NASA MSDS Inventory is accessible at: http://msds.ksc.nasa.gov.

3.7.6.2 Receiving offices at each Center shall provide copies of the MSDS for receipt of such commodities to the central office responsible for maintaining the MSDS records (Requirement 32319) .

Note: Safety forms and reports are retained per NPR 1441.1, NASA Records Retention Schedules.

3.8 Hazardous Operations

3.8.1 NASA hazardous operations involve materials or equipment that, if misused or mishandled, have a high potential to result in loss of life, serious injury or illness to personnel, or damage to systems, equipment, or facilities. Adequate preparation and strict adherence to operating procedures can prevent most of these mishaps. This paragraph applies to operations that occur on a routine or continuous basis. Requirements for protecting personnel and property during hazardous test operations are provided in paragraph 3.14 of this NPR.

3.8.2 Center Directors and project managers shall:

a. Identify, assess, analyze, and develop adequate safety controls for all hazardous operations (Requirement 32323) .

b. Ensure that all hazardous operations have a Hazardous Operating Procedure or a Hazardous Operating Permit (HOP) (Requirement 32324) .

Note: HOPs consist of a detailed plan listing step-by-step functions or tasks to be performed on a system or equipment to ensure safe and efficient operations. HOPs list special precautions, start and stop time of the operation, and the approving supervisor(s). Certain operations (e.g., rigging, high voltage) depend on adherence to overall standards and general guidelines and specific training as opposed to HOPs for each specific operation.

c. Ensure that all HOPs developed at NASA sites or for NASA operations have concurrence from the responsible fire protection or safety office (Requirement).

d. Ensure that all HOPs are approved by the NASA Center safety office or the contractor safety office to assure that a review has been performed (Requirement 32329) .

e. Ensure that deviations or changes to HOPs are also approved by the cognizant NASA Center safety office or contractor safety office to assure that a review has been performed (Requirement 32330) .

Note: If deviations or changes to HOPs are approved by the contractor's safety office, a copy should be forwarded to the local NASA safety office for informational purposes.

f. Ensure facility operating instructions and changes are developed based on the facility mission and operational requirements (Requirement 32504) .

g. Ensure that all procedures include sufficient detail to identify residual hazards and cautions to NASA personnel (Requirement 32505) .

h. Ensure that hazardous procedures are marked conspicuously on the title page; e.g., "THIS DOCUMENT CONTAINS HAZARDOUS OPERATIONS PROCEDURES," to alert operators that strict adherence to the procedural steps and safety and health precautions contained therein is required to ensure the safety and health of personnel and equipment (Requirement 32328) .

i. Ensure that specific personnel certification requirements are established, as listed in Chapter 7, in cases where hazardous operations (e.g., rigging, high voltage) depend on adherence to specific standards, guidelines, and training (Requirement 32325) .

j. Ensure that personnel other than certified operators are excluded from exposure to hazardous operations that depend on adherence to specific standards, guidelines, and training (Requirement 32326) .

k. Ensure that personnel use the buddy system whereby an adjacent or nearby person not directly exposed to the hazard serves as an observer to render assistance where the risk of injury is high (Requirement 32327) .

3.8.3 Center SMA Directors or their designee shall review and approve HOPs (Requirement).

3.9 Laboratory Hazards

3.9.1 This paragraph provides guidance for protecting personnel and property in a laboratory environment. For the purposes of this document, a laboratory is a facility in which experimentation, testing, and analyses are performed on human or animal subjects, organisms, biological and other physical materials, substances, and equipment (including bioinstrumentation). Included also are certain equipment, repair, and calibration operations and processing of materials.

3.9.2 Center Directors and project managers shall ensure that:

a. The design of laboratories incorporates the requirements of State and Federal codes required for the individual Center (e.g., building, electrical, and fire protection for laboratory facilities) (Requirement).

b. Escape routes are provided, designed, and marked in accordance with the NFPA 101, Life Safety Code (Requirement 32333) .

c. Occupational safety and health considerations such as ventilation, shower stalls, and eye wash stations are included in the design of laboratories (Requirement 32334) .

Note: For facility acquisition and construction safety requirements, see Chapter 8.

d. The design, fabrication, or modification of laboratories used for experimentation, testing, or analyses performed on human or animal subjects are coordinated in advance with OCHMO at (202) 358-2390 (Requirement).

e. Laboratory facilities and areas with significant quantities of flammable, combustible, corrosive, and toxic liquids, solids, or gases are protected in accordance with provisions of NFPA 45, Standard on Fire Protection for Laboratories Using Chemicals, as modified below (Requirement 32335) .

f. Laboratories not using or fitting the above chemical classification, yet housing unique, mission-critical, or high-value research equipment, conform to the provisions of NASA-STD 8719.11, Safety Standard for Fire Protection (Requirement 32336) .

Note: In the design of laboratories, special facilities should be considered to ensure the integrity of the terrestrial environment as well as the integrity of biological and physical samples returned from space.

g. Laboratory designs include additional considerations for biohazards resulting from use or handling of biological materials such as infectious microorganisms, viruses, medical waste, or genetically engineered organisms (Requirement 32338) .

Note: See 29 CFR Part 1910.1030, Blood Borne Pathogens, and NPR 1800.1, NASA Occupational Health Program Procedures, for additional details.

h. Laboratory designs include additional considerations to protect physical samples returned from space against terrestrial contamination and to protect the terrestrial environment against potential biological or toxic hazards due to these samples (Requirement).

3.9.3 Chemical and Hazardous Materials

In addition to pertinent safety requirements found elsewhere in this document, the following requirements are specifically applicable to laboratories.

3.9.3.1 Center Directors and project managers shall ensure that:

a. Laboratories meeting the definition as described in 29 CFR Part 1910.1450, Occupational Exposure to Hazardous Chemicals in Laboratories, are operated in accordance with chemical hygiene plans (Requirement 32340) .

b. Suitable facilities for quick drenching or flushing of the eyes and body of any person exposed to injurious corrosive materials are provided within the work area for immediate emergency use (Requirement 32341) .

c. Installation, maintenance, and access to facilities for quick drenching and flushing of the eyes and safety showers are in accordance with ANSI 358.1, Emergency Eyewash and Shower Equipment, latest edition (Requirement 32342) .

d. Eyewashes and/or safety showers are located no more than 10 seconds or 50 feet distance away from the hazard source (Requirement 32343) .

3.9.4 Solar Simulators

3.9.4.1 Center Directors and project managers shall ensure that all personnel wear skin and eye protection while in direct view of a bare pressurized arc lamp, whether energized or not, unless the system is locked out or tagged out for maintenance or repair (Requirement 32344) .

3.9.5 Ventilation

3.9.5.1 Policy and requirements for ventilation systems are provided in NPR 1800.1, NASA Occupational Health Program Procedures.

3.9.5.2 Center Directors shall ensure that their occupational health programs assure proper ventilation (Requirement).

3.9.6 Glassware

Because some laboratory operations use a considerable amount of glassware and ceramics, necessary safeguards shall be employed to minimize personnel injury. Refer to the Guide for Safety in the Chemical Laboratory, Manufacturing Chemists' Association, Inc., and Handling Glassware.

3.10 Lifting Safety

3.10.1 Center Directors and project managers shall comply with NASA-STD-8719.9, Standard for Lifting Devices and Equipment, for protecting persons and property during lifting operations (Requirement 25150) .

Note: This standard establishes minimum safety requirements for the design, testing, inspection, personnel certification, maintenance, and use of overhead and gantry cranes, mobile cranes, derricks, hoists, special hoist-supported personnel lifting devices, hydrasets, hooks, mobile aerial platforms, power industrial trucks, jacks, and slings for NASA-owned and NASA contractor-supplied equipment used in support of NASA operations at NASA Centers.

3.11 Explosive, Propellant, and Pyrotechnic Safety

3.11.1 Center Directors and project managers shall use NSS 1740.12, Safety Standard for Explosives, Propellants, and Pyrotechnics, for protecting personnel and property from hazards of explosives and explosive materials, including all types of explosives, propellants (liquid and solid), oxidizers, and pyrotechnics (Requirement 25151) .

3.11.2 Center Directors and project managers shall ensure that explosive, propellant, and pyrotechnic operations are conducted in a manner that exposes the minimum number of people to the smallest quantity of explosives for the shortest period consistent with the operation being conducted (Requirement 32349) .

3.11.3 Center Directors shall designate in writing an Explosive Safety Officer (ESO) for explosives, propellant, and pyrotechnic operations at their Center (Requirement 32350) .

Note: The Center SMA Director may recommend a candidate for Center ESO, if requested by the Center Director. For specific responsibilities of the ESO, refer to NSS 1740.12, Safety Standard for Explosives, Propellants, and Pyrotechnics.

3.11.4 The ESO shall:

a. Manage the Center Explosives, Propellants, and Pyrotechnic Safety Program to assure a robust mishap prevention program is in place (Requirement).

b. Ensure that the Explosives, Propellants, and Pyrotechnic Safety Program meets all Federal, NASA, State, and local requirements (Requirement).

c. Represent the Center Director in this program to help assure that the minimum number of required personnel and critical resources are exposed to the minimum amount of explosives for the minimal amount of time for all explosive operations (Requirement).

d. Advise the Center Director on the programmatic health of the Explosives, Propellants, and Pyrotechnic Safety Program (Requirement).

e. Represent the Center Director for all explosives, propellants, and pyrotechnic safety matters (Requirement).

f. Assure oversight of all processes required by NSS 1740.12, Safety Standard for Explosives, Propellants, and Pyrotechnics (Requirement).

g. Review all operating procedures for handling explosives, propellants, and pyrotechnics (Requirement).

h. Review and participate in the development of construction and/or modification plans for facilities or structures containing explosives, propellants, and pyrotechnics (Requirement).

i. Review all locations and routes that provide for the transportation, storage, and handling of explosives, propellants, and pyrotechnic materials (Requirement).

j. Provide oversight for staff training and records and participate in the evaluation of selected training programs for explosive, propellant, and pyrotechnic safety (Requirement).

Note: Safety forms and reports are retained per NPR 1441.1, NASA Records Retention Schedules.

k. Process and provide inputs for the approval of all explosive-related site plans and review current explosive site plans on an annual basis (Requirement).

l. Manage deviations and waivers in accordance with Chapter 1 of this NPR (Requirement).

m. Validate, approve, and sign all explosive licenses (Requirement).

Note: As defined in NSS 1740.12, Safety Standard for Explosives, Propellants, and Pyrotechnics: Licensed Explosive Locations - Ammunition and explosive storage locations (not for explosive operations and excluding Hazard Division 1.1 & 1.2), which are normally outside the Center's explosive storage area but within NASA's area of control.

n. Review all Memorandums of Agreement associated with explosive, propellant, and pyrotechnic operations (Requirement).

Note: If the ESO represents NASA as a tenant organization, the ESO assures compliance with the host requirements through formal negotiations and documentation of those agreements. If the ESO represents NASA as the Host, the ESO assures compliance with all appropriate elements of this NPR. In all cases, the ESO assures that agreements are formalized to maximize the health and safety of NASA employees and facilities.

o. Perform an independent hazard assessment of all laboratories and test facilities having activities that involve the mixing, blending, extruding, synthesizing, assembling, disassembling and other activities involved in the making of a chemical compound, mixture, or device which is intended to explode (Requirement).

3.12 Underwater Operations Safety

3.12.1 Requirements for open-water operations are given in NPR 1800.1, NASA Occupational Health Program Procedures.

3.12.2 Center Directors and project managers shall use NSS/WS 1740.10, NASA Safety Standard for Underwater Facility and Non-Open Water Operations, as the minimum standard to establish the safety requirements for all NASA neutral buoyancy facilities, equipment, personnel, and operations involving underwater activities including the simulation of a weightless environment (Requirement 25152) .

Note: This standard also applies to NASA personnel participating in underwater operations at non-NASA facilities.

3.13 Launch, Entry, and Experimental Aeronautical Vehicle Operations Safety

3.13.1 This paragraph provides policy and requirements for protecting the safety of the public, the workforce, and assets during operations involving space launch or entry vehicles or experimental aeronautical vehicles (EAV) and their associated payloads. These vehicles include, but are not limited to, reusable launch vehicles, Expendable Launch Vehicles (ELVs), experimental aerospace vehicles, entry vehicles, sample return capsules, uninhabited aerial vehicles, balloons, sounding rockets, and drones.

Note: This paragraph does not apply to conventional piloted aircraft. See Chapter 4, Aviation Safety, of this NPR.

3.13.2 The Chief, Safety and Mission Assurance, shall:

a. Establish and oversee the Agency Safety Operations Program elements needed to assure successful implementation of operations safety requirements and assure related concerns are evaluated and resolved (Requirement).

b. Approve and promulgate Agency-level operations safety policy and requirements, including the provisions of this NPR and associated implementation documents (Requirement).

c. Designate Agency safety representatives needed to:

(1) Monitor preparations for operations to determine compliance with Agency safety policies, processes, and requirements (Requirement).

(2) Support programs/projects to provide advice and technical support, and act as a link to independent engineering, safety, and assessment capabilities (Requirement).

(3) Maintain cognizance over safety issues that have the potential to be elevated to NASA Headquarters for resolution (Requirement).

(4) Provide a concurrence or nonconcurrence on the safety readiness to begin operations when the decision is elevated to NASA Headquarters (Requirement 32347) .

(5) Participate prior to and during operations to communicate the Agency safety position to appropriate program/project officials (Requirement 32348) .

3.13.3 Range Safety

3.13.3.1 NPR 8715.5, Range Safety Program, contains NASA's range safety policy, roles and responsibilities, requirements, and procedures for protecting the safety of the public, the workforce, and property during range flight operations. These operations include the launch or entry of an orbital, suborbital, or deep space vehicle or operation of an experimental aeronautical vehicle. NPR 8715.5, Range Safety Program, defines the range safety-related roles and responsibilities for all levels of NASA management, including the Agency Range Safety Manager. NPR 8715.5, Range Safety Program, also incorporates NASA's public risk acceptability policy for range flight operations.

3.13.4 Payload Safety

3.13.4.1 Payload Safety Policy. It is NASA policy to safeguard people and resources (including flight hardware and facilities) from hazards associated with payloads controlled by NASA and hazards associated with payload-related Ground Support Equipment (GSE) by eliminating the hazards or reducing the risk associated with the hazard to an acceptable level. To accomplish this policy NASA shall:

a. Establish and maintain technical and procedural safety requirements applicable to the design, production, flight-area processing and testing, vehicle integration, flight, and planned recovery of NASA payloads.

b. Coordinate with U.S. or foreign entities that participate in NASA payload projects as needed to ensure compliance with all safety requirements that apply to each payload.

c. Incorporate all applicable safety requirements into the overall requirements for each NASA payload, the contracts for any related procurements, and any related cooperative or grant agreements.

d. Maintain an independent payload safety review and approval process designed to ensure that each NASA payload project properly implements all applicable safety requirements and to facilitate safety risk management appropriate to each payload.

3.13.4.2 Manned Space Flight Payloads. For payloads that will fly on, or interface with, a manned space launch vehicle, spacecraft, or entry vehicle controlled by NASA, Center Directors and program/project managers shall establish the processes and requirements needed to satisfy Paragraph 3.13.4.1 of this NPR (Requirement).

For example: Space Shuttle payloads are subject to NSTS 1700.7, Safety Policy and Requirements for Payloads Using the Space Transportation System; NSTS/ISS 13830, Payload Safety Review and Data Submittal Requirements for Payloads Using the Space Shuttle and International Space Station; and KHB 1700.7, Space Shuttle Payload Ground Safety Handbook.

3.13.4.3 Unmanned Suborbital Payloads. For a payload that will fly on an unmanned suborbital vehicle controlled by NASA (such as a sounding rocket, balloon, or experimental aeronautical vehicle), Center Directors and program/project managers shall establish the processes and requirements needed to satisfy Paragraph 3.13.4.1 of this NPR (Requirement).

For example: The Wallops Flight Facility Range Safety Manual applies to Wallops-controlled suborbital payloads.

3.13.4.4 Return-to-Earth Payloads. For a payload that will be launched into space and will return to Earth for recovery or purposes other than disposal, Center Directors and program/project managers shall establish the processes and requirements needed to satisfy Paragraph 3.13.4.1 of this NPR for the recovery aspects of the mission (Requirement).

Note: Disposal of space flight hardware is covered by the NASA Orbital Debris Program. See paragraph 3.13.6 of this NPR.

3.13.4.5 ELV Payloads. To ensure that Paragraph 3.13.4.1 of this NPR is satisfied for payload missions that will fly on ELVs, the OSMA has established the NASA ELV Payload Safety Program. The responsibilities and requirements of the ELV Safety Program (see NPD 8700.3, Safety and Mission Assurance (SMA) Policy for Spacecraft, Instruments, and Launch Services) apply to unmanned orbital and unmanned deep space payloads managed or launched by NASA, whether developed by NASA or any contractor or independent agency in a joint venture with NASA. The ELV Safety Program applies to spacecraft procurement, integration and testing, launch processing and launch of ELV payloads, including payload provided upper stages, payload/launch vehicle interface hardware, and GSE used to support payload-related operations.

3.13.4.5.1 The Chief, Safety and Mission Assurance, (or designee) shall:

a. Oversee the NASA ELV Payload Safety Program (Requirement).

b. Approve and promulgate Agency-level ELV payload safety policy and requirements, including the provisions of this NPR and associated implementation documents (Requirement).

c. Designate in writing, fund, and provide input to the performance evaluation of the NASA ELV Payload Safety Manager (see paragraph 3.13.4.5.2 of this NPR) (Requirement).

d. Designate in writing the members of the NASA ELV Payload Safety Executive Team (see paragraph 3.13.4.5.3 of this NPR) (Requirement).

3.13.4.5.2 The NASA ELV Payload Safety Manager shall:

a. Lead the NASA ELV Payload Safety Program and serve as the Agency focal point for all matters involving ELV payload safety, to include managing ELV Payload Safety Program funds and participating in panels, joint working groups, and safety policy initiation or change activities affecting NASA ELV payloads (Requirement).

b. Develop and maintain Agency-level ELV payload safety policy, processes, and requirements in accordance with the applicable Agency directives development processes (Requirement).

c. Develop and administer the safety review and approval process for NASA ELV payloads in coordination with the NASA ELV Payload Safety Executive Team (Requirement).

d. Provide NASA ELV payload projects with guidance on the implementation of the safety policy, processes, and requirements (Requirement).

e. Provide input and guidance to NASA officials responsible for development of ELV payload-related contracts, grants, and cooperative agreements with entities internal and external to NASA, including foreign entities (Requirement).

f. Report on ELV payload safety concerns to the NASA Headquarters OSMA (Requirement).

g. Perform an audit as an element of the NASA Headquarters SMA Audits, Reviews, and Assessments program defined by NPR 8705.6, Safety and Mission Assurance Audits, Reviews, and Assessments, for the area of ELV payload safety (Requirement).

h. Participate in independent assessments of payload safety processes at NASA Centers, component and range facilities, payload processing facilities (including commercial or contractor facilities used to process NASA ELV payloads), and launch sites (Requirement).

i. Coordinate independent assessments of payload safety processes with the audits, reviews, and assessments performed by the OSMA to ensure an effective and efficient overall safety assessment process (Requirement).

j. Open or further enhance communication with U.S. and foreign entities that support NASA ELV payload projects and document partnerships, joint activities, and special arrangements through formal agreements (Requirement).

k. Coordinate safety review activities and actions with the NASA ELV Payload Safety Executive Team, NASA Centers, ELV payload projects, launch vehicle contractors, appropriate Technical Authority official, range safety and other launch site safety organizations, and other U.S. and foreign entities as needed to resolve payload safety concerns and support approval for flight (Requirement).

l. Establish and maintain an ELV payload safety training program to ensure project and other personnel as appropriate are knowledgeable of the NASA ELV payload safety requirements and safety review and approval processes and related activities (Requirement).

m. Provide a forum for technical interchange and lessons learned to include educational conferences and workshops for the benefit of the ELV payload community (Requirement).

n. Track and implement lessons learned for continuous improvement and update policy, processes, and requirements as needed (Requirement).

3.13.4.5.3 The NASA ELV Payload Safety Executive Team shall:

a. Participate in the ELV payload safety review process and approve the safety readiness of NASA ELV payloads, facilities, and related GSE for launch-area processing and launch in coordination with all authorities for each mission (Requirement).

b. Support the NASA Safety and Mission Success Review (or equivalent) for each NASA ELV payload mission (Requirement).

c. Interpret safety requirements, if requested, and support each payload project as needed to ensure proper implementation (Requirement).

d. Approve alternative approaches to satisfying a safety requirement in coordination with the appropriate technical authority (or equivalent) responsible for the requirement (Requirement).

e. Assess proposed variances to safety requirements and assure that any residual risk associated with a variance is properly characterized (Requirement).

f. Coordinate with all variance approval authorities, including the technical authority (or equivalent) responsible for the requirement and the Center Director(s) or other NASA official(s) responsible for people or property exposed to any risk associated with the variance (see the safety variance policy in paragraph 1.13 of this NPR) (Requirement).

g. Coordinate with each range safety and launch site safety organization that shares responsibility for a NASA ELV payload mission to ensure that any mission-specific decision made by the Executive Team is consistent with NASA's safety requirements and the safety requirements of the other organizations (Requirement).

3.13.4.5.4 Each Center Director Responsible for a Payload, Payload Processing Facility, or Launch Site (or designee) shall:

a. Establish the Center-level processes and associated requirements needed to ensure Paragraph 3.13.4.1 of this NPR is satisfied for each ELV payload project that uses the Center's resources (Requirement).

b. Support independent safety assessments of ELV payload activities and respond to all findings and recommendations for which the Center is responsible (Requirement).

c. Ensure that training defined in 3.13.4.5.2.l is completed (Requirement).

3.13.4.5.5 Each ELV Payload Project Manager (or designee) shall:

a. Ensure that funding and other resources are allocated for payload projects to satisfy all aspects of the NASA ELV Payload Safety Program, including proper implementation of the applicable safety requirements and successful completion of the payload safety review and approval process (Requirement).

b. Ensure that the payload project's timeline provides for compliance with the established payload safety review and approval process (Requirement).

c. Establish and implement any project-level processes and requirements needed to satisfy safety requirements and successfully complete the payload safety review and approval process (Requirement).

3.13.4.5.6 Each NASA Contract, Grant, Cooperative Agreement, or Other Agreement Officer shall coordinate with the NASA ELV Payload Safety Manager to ensure that all applicable safety requirements are incorporated into the agreement(s) governing each payload, including compliance with Federal, State, and local requirements relating to safety as specified in NPR 5800.1, Grant and Cooperative Agreement Handbook, and safety requirements pertaining to the use of NASA facilities and equipment (Requirement).

3.13.5 Commercial Launch and Entry Operations

Chapter 2 of NPR 8715.5, Range Safety Program, contains policy and requirements applicable to NASA missions that involve the use of commercially-available space launch or entry services. Also see NASA-STD-8709.2, NASA Safety and Mission Assurance Roles and Responsibilities for Expendable Launch Vehicle Services.

3.13.6 Orbital Debris Safety

Safety policies, processes, and requirements that apply to the disposal of space flight hardware at the end of a mission are contained in NPD 8710.3, NASA Policy for Limiting Orbital Debris Generation, and NSS 1740.14, Guidelines and Assessment Procedures for Limiting Orbital Debris.

3.14 Test Operations Safety

3.14.1 This paragraph provides requirements for protecting personnel and property during test operations, for both human-controlled and unoccupied or robotic tests. Testing includes hazardous training activities and demonstrations of test hardware or procedures. The requirements stated herein apply to test facilities; test equipment located within, or attached to, test facilities; equipment being tested; test personnel; test conduct; and test documents.

3.14.2 Center Directors and project managers shall ensure that test plans are developed and evaluated to assure test performance within safe operating limits (Requirement 25163).

Note: Evaluations will address the test article, test facility, testing procedures, test conditions, operator involvement, and potential risk to adjoining facilities and personnel.

3.14.3 Safety Documentation

3.14.3.1 Safety documentation establishes the basis for safe test conduct by means of engineering analyses (including hazard analyses).

3.14.3.2 Center Directors and project managers shall ensure that established test controls are clearly identified in test drawings, facility drawings, and test procedures (Requirement).

3.14.4 Test System Requirements

3.14.4.1 Project managers responsible for developing test systems shall:

a. Design test systems such that test personnel or critical test hardware are not subjected to a test environment wherein a credible single-point failure (e.g., power loss) could result in injury, illness, or loss to the critical test hardware (Requirement 32372).

b. Construct all systems (electrical, mechanical, pneumatic, and/or hydraulic) so that no single failure could cause a critical condition (Requirement 32373).

c. Ensure that software that may interface with test systems meets the requirements stated in Chapter 1 of this NPR (Requirement 32374).

Note: Software by itself is not hazardous; however, when interfaced with test hardware, software could command a hazardous condition in the hardware. See NASA-STD-8719.13, Software Safety Standard, for further information.

d. Calibrate and certify safety-critical instrumentation before test operations and as required by test documentation or the test organization's internal procedures (Requirement 32375).

e. Ensure all personnel involved in tests are informed of potential hazards, safety procedures, and protective measures (Requirement 32376).

f. Ensure the availability of appropriate emergency medical treatment facilities (Requirement 32376).

g. Conduct formal reviews of engineering designs that are complicated or potentially hazardous to facilities (Requirement 32378).

h. Ensure test result reports include anomalies, safety implications, and lessons learned (Requirement 32379).

3.14.5 Test Readiness Review

3.14.5.1 Center Directors and project managers shall ensure that Test Readiness Reviews:

a. Are conducted for tests involving new or modified hardware and/or procedures (Requirement).

b. Determine and document the safety, technical, and operational readiness of the test (Requirement 32381).

3.14.6 Pre-test Meeting

3.14.6.1 Center Directors and project managers shall ensure that a pre-test meeting is conducted with all involved personnel to discuss the facility, design, instrumentation, safety, and operator training and certification (Requirement 32382).

Note: The meeting should also establish the test plan, identify test constraints to ensure facility safety, and determine test article readiness, ground support equipment readiness, and procedural readiness.

3.14.7 Human Research Subjects

3.14.7.1 The requirements for the protection of human research subjects are contained in NPD 7100.8, Protection of Human Research Subjects, and 45 CFR Part 46, Protection of Human Subjects.

3.14.7.2 Center Directors and project managers shall ensure that:

a. Tests involving hazardous substances, where human test subjects or test team personnel may be exposed, are reviewed for adequacy of test team safeguards, including direct communication between the test subjects and test conductors (Requirement 32383).

b. A facility environmental control system failure or failure in the distribution system affecting one pressure-suited occupant shall not affect any other pressure-suited occupant for tests requiring crew participation in a pressure suit (Requirement 32384).

c. A means exists for immediately detecting an incipient fire or other hazardous condition in each crew compartment of any test area (Requirement 32385).

d. Automatic fire detection is provided for critical areas not suitable for visual monitoring (Requirement 32386).

e. Crewed test systems are designed for timely and unencumbered rescue of incapacitated crew members (Requirement 32387).

f. Software controlling crewed test systems is thoroughly analyzed to ensure that no command results in death or injury to the test subjects (Requirement 32388).

Note: Policies and requirements for software are given in NPD 2820.1, NASA Software Policy, and NPR 7150.2, NASA Software Engineering Requirements.

g. Crewed test systems are designed to provide for manual overrides of critical software commands to ensure the safety of test subjects during any system event or test scenario (normal operation, malfunction, emergency) (Requirement 32389).

h. Manual overrides of critical software commands support safe test termination and egress of test subjects (Requirement 32390).

i. Medical resources and facilities needed for response are alerted, on-call, and immediately available as needed (Requirement 32391).

3.15 Non-Ionizing Radiation

3.15.1 Requirements for non-ionizing radiation are provided in NPR 1800.1, NASA Occupational Health Program Procedures. Microwave and radar protection standards are covered in various State regulations, national consensus standards, and Federal standards including 29 CFR Part 1910.97, Non-ionizing Radiation. This paragraph provides requirements for protecting personnel and property during laser use in NASA operations. The primary laser hazard to humans is eye and/or skin damage from direct exposure to the beam or specular reflection, and in some cases, from viewing a diffuse reflection.

3.15.2 Exposure requirements for laser radiation are provided in 21 CFR Part 1040, Performance Standards For Light-Emitting Products. Requirements for the procurement and manufacture of laser products are provided in 21 CFR Part 1040.10, Laser Products, and 21 CFR Part 1040.11, Specific Purpose Laser Products.

3.15.3 Center Directors and project managers shall comply with these regulations unless a specific exemption is obtained from the U.S. Department of Health and Human Services, Food and Drug Administration (Requirement 32398).

3.15.4 Center Directors and project managers shall ensure that:

a. Only trained and certified employees are assigned to install, adjust, and operate laser equipment (Requirement 25168).

b. Personnel operating lasers are trained and certified in accordance with Chapter 7 of this NPR (Requirement 32423).

c. Laser operations during any open-air laser scenario conducted on DoD-controlled ranges or test facilities or by DoD personnel use the Range Commanders Council Document 316-91, Laser Range Safety (Requirement 25165).

d. Laser operation conforms to the principles and requirements set forth in ANSI Z136.1, American National Standard for Safe Use of Lasers, and ANSI Z136.2, Safe Use of Optical Fiber Communication Systems Utilizing Laser Diode and LED Sources (Requirement 32399).

e. Exposure of personnel to laser radiation does not exceed the permissible exposure levels provided in ANSI Z136.1, American National Standard for Safe Use of Lasers (Requirement 32395).

f. To the maximum extent practicable, laser hazards to personnel are eliminated by engineering design before they become operational, or procedures are developed and equipment provided to reduce the risk for those hazards that cannot be eliminated (Requirement 32396).

g. Any laser that can cause injury or damage has a Center-approved safety documentation, test plan, and test procedure review (Requirement 32400).

3.15.5 Laser Radiation Safety Officer

3.15.5.1 The Center SMA Director shall designate a qualified Laser Radiation Safety Officer for their site (Requirement).

3.15.5.2 The Laser Radiation Safety Officer shall:

a. Contact the laser safety clearing house to obtain a "Site Window" clearance where a planned laser operation has the potential for the beam to strike an orbiting craft (Requirement 32401).

Note: Clearance is obtained from the Orbital Safety Officer, U.S. Space Command / J3SOO, 1 NORAD Road, Suite 9-101, Cheyenne Mountain AFB, CO 80914-6020, Stop 4, Phone: (719) 474-3056/4404/4444.

b. Review procedures for all tests that use lasers (Requirement 32402).

c. Be on site to monitor all laser tests (Requirement 32403).

3.15.6 Ground Operations Using Class III-B and IV Lasers

3.15.6.1 Class III-B and IV laser users shall:

a. Operate Class III-B and IV lasers only in controlled environments or designated areas that have no unintended reflective or transmitting surfaces (Requirement 32404).

b. Post laser operations areas with standard warning placards as set forth in ANSI Z136.1, American National Standard for Safe Use of Lasers (Requirement).

c. Ensure that the posted area is isolated to prevent inadvertent entry (Requirement 32405).

d. Wear laser goggles or other approved methods of eye protection in accordance with requirements of ANSI Z136.1, American National Standard for Safe Use of Lasers (Requirement 32406).

e. Keep all flammable materials/vapors away from any laser during operation unless specifically authorized by the operation/test plan (Requirement 32407).

3.15.7 Airborne Operations Using Class III-B and IV Lasers

3.15.7.1 Project managers shall:

a. Identify the airborne use of Class III-B and IV lasers early in the system acquisition process and track their use throughout the program life cycle (Requirement 32409).

Note: A realistic and timely application of safety engineering to laser systems can avoid or reduce the costs involved in redesign, time lost in modification, and loss of mission capability.

b. Ensure the design of laser systems for NASA aircraft and spacecraft includes a system of interlocks to prevent inadvertent laser beam output (Requirement 32411).

c. When a test circuit switch is provided to override the ground interlock to aid ground test operations, maintenance, or service, ensure the design precludes inadvertent operation (Requirement 32412).

d. Ensure that the crew will not operate the laser except in accordance with the prescribed mission profile (Requirement 32413).

e. For long-range laser shots, designate as large an exclusion area as practical to minimize the risk to the people outside the area (Requirement 32415).

Note: A buffer area should be added around the exclusion area. Air Force AFOSH Standard 48-12, Health Hazard Control for Laser Operations, includes a guide for operation of lasers from aircraft. It can be used to develop the buffer zone for space-based laser shots directed at the ground. (See Range Commanders Council (RCC) Document 316-91, Laser Range Safety.)

f. Ensure a hazard evaluation and written safety precautions are completed prior to airborne laser operations (Requirement 32416).

g. Ensure that the hazard analysis considers catastrophic events and the need for very reliable, high-speed laser shutdown should such events occur (Requirement 32417).

Note: See ANSI Z136.1, American National Standard for Safe Use of Lasers, for hazard evaluation and control information.

h. Ensure that qualified personnel perform laser hazard evaluations to determine specific hazards associated with specific uses, establish appropriate hazard control measures, and identify crew and public-at-large protection requirements (Requirement 32418).

i. When completing the hazard evaluation, consider and document the atmospheric effects of laser beam propagation, the transmission of laser radiation through intervening materials, the use of optical viewing aids, and resultant hazards; e.g., electrical, cryogenic, toxic vapors (Requirement 32419).

3.15.7.2 The Pilot-in-Command shall ensure that the laser system is used in accordance with the test plan (Requirement 32414).

3.15.7.3 Program managers and safety evaluators shall assess the safety aspects, compliance with safety requirements, and resolution of laser safety-related problems (Requirement 32410).

3.15.8 Laser Software

3.15.8.1 Project managers shall ensure that:

a. Laser software provides safety precautions for fast-moving lasers and prevents misdirected laser operation (Requirement 32420).

b. Laser software development is subjected to a software safety analysis per Chapter 1 of this NPR (Requirement 32421).

c. Existing laser software systems are reviewed to assure that safety precautions are provided (Requirement 32422).

Note: See NASA-STD-8719.13, Software Safety Standard, for further information.

3.16 Ionizing Radiation

Policies and requirements for the handling, use, and storage of radioactive material and radiation generating equipment are contained in directives under the purview of the occupational health organizations. See NPD 1800.2, NASA Occupational Health Program.

3.17 Confined Spaces

3.17.1 Requirements for operations in confined spaces are provided in OSHA 29 CFR Part 1910.146, Permit-Required Confined Spaces.

3.17.2 A confined space is any space that exhibits all three of the following characteristics: large enough to bodily enter and perform work, not designed for continuous human occupancy, and limited means of entry or exit. A permit-required confined space is a confined space that contains any recognized serious safety or health hazard. No entry into permit-required confined spaces will be made until an assessment of that space has been made and a permit or operating procedures are posted.

3.17.3 Center Directors shall develop and document a confined space operations plan that, at a minimum, establishes a confined space working group, outlines the confined space permit process, and identifies all confined spaces on their Center (Requirement).

3.17.4 Center Directors and project managers shall ensure that:

a. Entry into Permit-Required Confined Spaces is performed with written procedures and authorizations (Requirement 32424).

b. No entry into confined spaces is made until an assessment of that space has been made and a permit or operating procedures posted (Requirement 32425).

c. All contractors or persons performing work on the Center are notified of all confined spaces (Requirement).

3.17.5 Supervisors shall have the overall responsibility for entry and work in confined spaces and ensure compliance with ANSI Z117.1, Safety Requirements for Confined Space, and the NIOSH Publication No. 87-113, A Guide to Safety in Confined Spaces (Requirement 32426).

Note: Permit requirements for confined spaces are given in 29 CFR 1910.146, Permit-required confined spaces.


Chapter 4. Aviation Safety

4.1 Purpose and Scope

4.1.1 This chapter provides the procedural requirements for the NASA Aviation Safety Program not covered by NPR 7900.3, Aircraft Operations Management. These requirements provide for managers and aviation safety personnel to establish and implement their aviation mishap prevention programs. NASA philosophy is that mishaps are preventable and that mishap prevention is an inherent function of leadership and management. NASA's major involvement in aeronautics dictates a commitment to aviation safety, not only through the Aviation Safety Program but also in all technology programs.

Note: Requirements for an aviation safety program for each respective flight activity are set forth in NPR 7900.3, Aircraft Operations Management.

4.2 Aviation Safety Program Responsibilities

4.2.1 Mission Directorate Associate Administrators, Center Directors, project managers, and line managers shall ensure that adequate resources are applied to aviation operations to meet aviation safety objectives (Requirement).

4.2.2 The Chief, Safety and Mission Assurance, shall:

a. Establish NASA Aviation Safety Program requirements and provide support and functional oversight of NASA aviation safety (Requirement 25174).

b. When required, provide the NASA Administrator with an independent assessment of NASA's aviation safety status and provide immediate information on critical safety issues (Requirement 32433).

Note: The Aviation Safety Panel (refer to Appendix G) is chartered by the Chief, Safety and Mission Assurance, to assist in the independent oversight of NASA's aviation safety.

c. Conduct reviews (staff assistance visits, safety inspections, and process verifications) to provide insight and to monitor management's effectiveness in aviation safety (Requirement 32428).

d. Provide technical and operational assistance to improve the overall aviation safety program (Requirement 32429).

e. Assure that the highly diversified aviation activities within NASA have an Aviation Safety Program at Headquarters that covers each flight activity (Requirement).

f. Assure Aviation Safety Program requirements are comprehensive and proactive in covering all aspects of flight (Requirement).

g. Assure that NASA Aviation Safety Program requirements cover each level of aviation management (Requirement).

4.2.3 The Director, Safety and Assurance Requirements Division, shall designate the NASA Aviation Safety Manager (Requirement).

4.2.4 The NASA Aviation Safety Manager shall:

a. Coordinate all OSMA requirements affecting aviation safety or reporting (Requirement 32436).

b. Identify aviation safety issues through mishap investigation and analysis (Requirement 32438).

c. Participate in the annual NASA Aviation Safety Officer meeting (Requirement 32440).

d. Monitor the implementation of the Agency's Aviation Safety Program requirements (Requirement 32441).

e. Attend selected program flight readiness and safety reviews (Requirement 32442).

f. Serve as an advisor to the Inter-Center Aircraft Operations Panel (IAOP) and participate in IAOP activities, including meetings, reviews, and subpanel activities (Requirement 32443).

g. Develop the NASA Aviation Safety Reference Manual and ensure that it is current and meets the needs of NASA (Requirement 32444).

h. Conduct aviation safety staff assistance visits and reviews (Requirement 32448).

i. Coordinate recommendations from mishap investigations that require corrective action from sources or agencies outside of NASA (Requirement 32449).

j. Participate in selected aircraft flight operations (Requirement 32450).

k. Serve as ex-officio board member to major aircraft mishap investigations and provide independent oversight and expert guidance in investigation procedures and techniques (Requirement 32439).

l. Provide aviation safety oversight to ensure Headquarters and Center aircraft operations comply with NASA safety policy (Requirement 32435).

m. Interface with other safety organizations involving aviation safety (Requirement 32446).

4.3 Interfaces with Other Agencies

NASA aviation activities interface with the aircraft industry, DOT/Federal Aviation Administration (FAA), DoD, and foreign governments.

4.3.1 Center Chiefs of Flight Operations shall have a process in place for communicating with outside organizations to exchange flight information that affects their assigned aircraft (Requirement 32475).

4.3.2 DoD

4.3.2.1 Because NASA uses many military airfields and aircraft common to the military services, Center Chiefs of Flight Operations shall:

a. Ensure coordination with the United States Air Force, Army, Navy, and Marine Corps where applicable (Requirement 32478).

b. Ensure the use of the various military safety publications, cross-exchange of accident prevention data, and participation in joint safety efforts (Requirement 32479).


Chapter 5. Fire Safety

5.1 Purpose, Goals, and Objectives

5.1.1 This chapter establishes the overall requirements for the NASA Fire Safety Program. The goals of this program are zero loss of life from fires, a reduction in number of fires to zero, protection for facilities and equipment to preclude major losses, and a reduction in the magnitude of loss for those fires that occur. The objective of NASA fire safety policy is to protect human life, property, and the environment from the risk of fire-related hazards.

5.1.2 Each NASA Center should develop and aggressively pursue a Fire Safety Program with the primary goal to reduce or eliminate the potential for fires through the application of effective fire prevention techniques and by heightening the fire safety awareness of all NASA and contractor personnel.

5.1.3 Requirements for fire safety are provided in 40 U.S.C. § 3312, Compliance with Nationally Recognized Codes, 29 CFR Part 1910 Subpart L, Fire Protection, 29 CFR Part 1910.38, Employee Emergency Plans, and 29 CFR Part 1910.39, Fire Prevention Plans.

5.2 Responsibilities

5.2.1 Director, Safety and Assurance Requirements Division, shall:

a. Provide advocacy for fire protection for Construction of Facilities (CoF) projects (Requirement).

b. Support NASA Center budget submittals for fire protection, fire suppression, and fire research (Requirement).

c. Review NASA Center fire safety programs (Requirement).

5.2.2 Center Directors shall:

a. Be responsible for identifying and reducing fire risks, ensuring fire safety of Center operations, and implementing the requirements of this chapter (Requirement 32520).

b. Implement a comprehensive fire safety program at their Center and facilities in accordance with specific program requirements and procedures given in NASA-STD-8719.11, Safety Standard for Fire Protection (Requirement 25197).

c. Ensure that the fire safety program complies with National Fire Protection Association standards including their appendices, unless the requirements of local codes are more stringent; nationally recognized building and fire safety codes and requirements; and local building and fire codes and requirements (Requirement 32541).

d. Ensure implementation of NASA operational fire safety procedures (Requirement 32521).

e. Ensure each Center adopts, implements, and trains in the use of the Incident Management System in accordance with NFPA 1561, Standard on Emergency Services Incident Management System and the National Incident Management System, when responding to and managing any emergency or disaster (Requirement).

f. Ensure that the Center Security Office is notified of all fires that are suspicious in nature (Requirement).

g. Ensure that employees, other than trained professional firefighters, trained volunteers, or emergency response personnel, do not fight fires except in cases where the fire is incipient in nature (Requirement).

h. Ensure that compliance with NASA-STD-8719.11, Safety Standard for Fire Protection, is made part of contractual requirements at NASA Centers with contractors performing work as deemed necessary by the CO and the responsible NASA Center fire safety program office (Requirement).

i. Appoint, in writing, an Authority Having Jurisdiction (AHJ) for NASA fire protection (Requirement 32522).

Note: The Center SMA Director should interface directly with the Center Director concerning Fire Safety Officer activities.

5.2.3 The AHJ shall:

a. Be a safety or fire protection professional with requisite skills and knowledge (Requirement 32523).

Note: For specific responsibilities of the AHJ, refer to NASA-STD-8719.11, Safety Standard for Fire Protection.

b. Designate personnel responsible for the investigation of all fires at their Center and facilities (Requirement).

c. Perform a risk assessment and determine on a case-by-case basis the need to incorporate newer requirements and standards into existing facility and equipment operating procedures when standards are updated and superseded by newer, more stringent requirements (Requirement 32533).

5.3 Fire Safety Program

5.3.1 Center Directors shall ensure that the implementation of an effective fire safety program at their Center complies with the following minimum requirements:

a. Requirements are established for a reasonable level of fire safety and property protection from the hazards created by fire and explosions in accordance with NFPA 1, Uniform Fire Code (Requirement).

b. An appropriate level of fire service operations is provided to protect lives and property based on the size and mission of the Center (Requirement).

c. Risk management processes are applied in order to assess individual programs and adopt additional fire safety requirements (Requirement).

d. Fire hazards are identified through documented annual engineering surveys, fire inspections, and comprehensive fire risk evaluations (Requirement 32526).

e. Fire safety discrepancies are documented and abatement plans prepared for corrective action(s) and tracking (Requirement 25199).

f. Fire safety discrepancies that cannot be corrected or funded locally are forwarded to Headquarters for resolution (Requirement 32525).

g. Fire safety violations are reviewed and corrected (e.g., work orders for repair, construction, follow-up, and acceptance).

h. All project design criteria, conceptual plans, and design documents with life safety and/or fire protection/prevention implications are reviewed and approved (Requirement 32524).

i. CoF projects are reviewed for fire safety and protection (Requirement).

j. Procedures are in place for control of flammable materials and hazardous operations (Requirement).

k. Automatic fire detection and suppression systems for all facilities containing significant hazards, mission essential equipment, or permanently housed personnel are in place (Requirement).

l. Requirements are established for life cycle review and replacement for fire suppression and protection equipment (Requirement).

m. Requirements are established for proper functioning of the Center Fire Department and/or coordination with the responsible local fire department (Requirement).

n. Procedures are in place and reviewed for reporting and investigating fires (Requirement).

o. Emergency action plans and a Center fire safety program plan are developed and reviewed (Requirement).

p. Assistance is available for assuring the adequacy of fire design and code compliance from a contractual and cost benefit standpoint for major construction projects (Requirement).

q. Facility design drawings are reviewed for inclusion of adequate fire protection features and systems and for compliance with applicable codes and criteria (Requirement).

r. All contract documents are reviewed for fire protection specifications (Requirement).

5.4 Fire Protection Systems

5.4.1 Fire Protection Doctrine

The nature of NASA's mission is such that a significant number of specialized facilities and operations exist along with more conventional structures and work routines. As a result, difficulties arise in the determination of the required level of fire safety. In most instances, conventional fire protection doctrine and existing codes and standards are appropriate. However, specialized facilities may have fire risks not specifically addressed by conventional means. In those instances, safeguards can be assured by following the requirements contained in this document and in NASA-STD-8719.11, Safety Standard for Fire Protection.

5.4.2 Extinguishing Systems

5.4.2.1 Center Directors shall ensure that:

a. Extinguishing systems and fire extinguishers comply, as a minimum, with the NFPA codes and standards (Requirement 32528).

b. All fire protection equipment is Underwriters Laboratories (UL) listed, Factory Mutual (FM) or Canadian Safety approved (Requirement 32529).

5.5 Firefighting

5.5.1 Firefighting organizations may be established or provided from outside sources to ensure adequate protection to life and property.

5.5.2 Center Directors shall ensure that:

a. NFPA recommendations and OSHA regulations are used for determining type, size, and training of firefighting organizations (Requirement 25201).

b. Firefighting organizations are equipped with a sufficient number of firefighting vehicles and equipment to combat anticipated fires (Requirement).

c. Agreed-upon arrangements with external agencies to provide NASA with fire protection services are documented and retained on file (Requirement 32530).

5.6 Emergency (Pre-Fire) Planning and Procedures

Specialized facilities and critical areas that constitute a major portion of NASA operations demand a unique, pre-planned response from the entire Agency. See NPD 8710.1, Emergency Preparedness Program, NASA-STD-8719.11, Safety Standard for Fire Protection, and respective emergency preparedness plans for further information on specific critical areas and emergency plan procedures.

5.7 Fire Safety Training

5.7.1 Center Directors shall ensure that fire safety training for NASA employees is conducted in accordance with the requirements contained in Chapter 7 of this NPR (Requirement 25203).

5.8 Reporting

5.8.1 Center Directors shall ensure that:

a. Reporting is an integral part of the fire safety program (Requirement 25204).

Note: Effective reporting procedures disseminate the knowledge and experience gained by one Center to the rest of NASA and the Federal Government.

b. Investigation of fire-related mishaps is in accordance with NFPA 921, Guide for Fire and Explosion Investigations, in addition to NPR 8621.1, NASA Procedural Requirements for Mishap and Close Call Reporting, Investigating, and Recordkeeping (Requirement 32531).

Note: Requirements for mishap investigation, reporting, and recordkeeping are provided in NPR 8621.1, NASA Procedural Requirements for Mishap and Close Call Reporting, Investigating, and Recordkeeping.

5.9 Current Regulations, Codes, and Standards and Variances

5.9.1 With the goal of protecting life and property, Center Directors shall comply with the most current fire requirements in the design, construction, and operation of all NASA buildings and structures (Requirement 25205).

Note: Existing buildings and facilities do not automatically need to implement all code upgrades.


Chapter 6. Nuclear Safety for Launching of Radioactive Materials

6.1 Purpose

6.1.1 This chapter provides internal NASA procedural requirements for characterizing and reporting potential risks associated with a planned launch of radioactive materials into space, on launch vehicles and spacecraft, during normal or abnormal flight conditions. Procedures and levels of review and analysis required for nuclear launch safety approval vary with the quantity of radioactive material planned for use and potential risk to the general public and the environment.

6.1.2 An analysis or evaluation may be required in accordance with paragraph 9 of Presidential Directive/National Security Council Memorandum Number 25 (PD/NSC-25), Scientific or Technological Experiments with Possible Large-Scale Adverse Environmental Effects and Launch of Nuclear Systems into Space, dated December 14, 1977, as amended, in obtaining nuclear launch safety approval. Guidance on procedures, requirements, or licensing details for using, storing, shipping, or handling radioactive materials in ground processing facilities or activities or in preparation for space uses is not included in this chapter (see paragraph 3.16). The tracking of radiation exposures to workers is also not included in this chapter.

6.1.3 Mission Directorate Associate Administrators, Center Directors, and program executives shall ensure that NASA missions involving the launch of radioactive materials comply with the provisions of the National Environmental Policy Act of 1969 (42 U.S.C. 4321 et seq.), and follow the policy and procedures contained in 14 CFR Part 1216, Subpart 1216.3, Procedures for Implementing the National Environmental Policy Act (NEPA), NPR 8580.1, Implementing the National Environmental Policy Act and Executive Order 12114 (Requirement 25118).

6.2 Responsibilities

6.2.1 The NASA Administrator or designee shall:

a. Determine, for NASA, the acceptability of the potential risk of launching and using nuclear materials in space as described in Table 6.1 (Requirement 32190).

b. Request empanelment of an Interagency Nuclear Safety Review Panel (INSRP) with membership and responsibilities in accordance with PD/NSC-25 after receiving a request from the Program Executive (in coordination with SMA) (Requirement 32257).

c. Appoint a NASA member to the empanelled INSRP with consideration of the recommendation(s) by the Chief, Safety and Mission Assurance (Requirement).

6.2.2 Mission Directorate Associate Administrators, Center Directors, and program executives involved with the control and processing of radioactive materials for launch into space shall ensure:

a. Compliance with space nuclear launch safety requirements and processes provided in this NPR (Requirement 25119).

b. Basic designs of vehicles, spacecraft, and systems utilizing radioactive materials provide protection to the public, the environment, and users such that radiation risk resulting from exposures to radioactive sources is as low as reasonably achievable (Requirement).

c. Nuclear safety considerations are incorporated from the initial design stages throughout all project stages to ensure that overall mission radiological risk is acceptable (Requirement 25120).

d. All space flight equipment (including medical and other experimental devices) that contain or use radioactive materials are identified and analyzed (per paragraph 6.3 of this NPR) for radiological risk (Requirement 25121).

e. Development of site-specific ground operations and radiological contingency plans commensurate with the risk represented by the planned launch of nuclear materials (Requirement 25122).

f. Contingency planning, as required by the National Response Plan, includes provisions for emergency response and support for source recovery efforts (Requirement 32191).

Note: NPD 8710.1, Emergency Preparedness Program, and NPR 8715.2, NASA Emergency Preparedness Plan Procedural Requirements, address the NASA emergency preparedness policy and program requirements.

g. Involve the OCHMO in the Federal Radiological Emergency Response planning process (Requirement).

6.2.3 The Chief, Safety and Mission Assurance, shall:

a. Assure that NASA missions involving the launch of radioactive materials comply with paragraph 9 of PD/NSC-25, as appropriate (Requirement 32192).

b. Assist in the review and evaluation of nuclear safety risk (Requirement 32193).

c. Per Table 6.1, prepare, coordinate, and provide the required notification of planned launches of radioactive materials to the Executive Office of the President, Office of Science and Technology Policy (OSTP) (Requirement 32196).

d. Designate a Nuclear Flight Safety Assurance Manager (NFSAM) (Requirement).

e. Designate a NASA INSRP Coordinator (Requirement).

f. Nominate a NASA member for each empanelled ad hoc INSRP following a request by the program or mission office to the NASA Administrator (Requirement).

Note: The NFSAM and NASA INSRP Coordinator may be separate individuals.

g. Provide assistance to the cognizant NASA Mission Directorate and project office(s) in meeting nuclear launch safety analysis/evaluation requirements (Requirement 32197).

h. Review all radiological contingency and emergency planning as part of the SMA audits, reviews, and assessments process (Requirement).

Note: The requirements for conducting and supporting these reviews are provided in NPR 8705.6, Safety and Mission Assurance Audits, Reviews, and Assessments.

i. Ensure that the OCHMO is notified of the intent to launch radioactive materials (Requirement).

j. Coordinate health physics aspects with the OCHMO periodically and in the event of any related radiological emergencies during the mission (Requirement).

6.2.4 Mission Directorate Associate Administrators and program executives shall:

a. Designate an individual responsible for ensuring the implementation of the requirements for nuclear launch safety approval in accordance with paragraph 9 of PD/NSC-25 (Requirement 32200).

b. Notify the NASA Headquarters NFSAM in writing as soon as radioactive sources are identified for potential use on NASA spacecraft to schedule nuclear launch safety approval activities (Requirement 32201).

c. Identify the amount of radioactive material and the process for documenting the risk represented by the use of radioactive materials to the NFSAM in accordance with paragraph 6.4 of this NPR (Requirement).

d. Provide required reports to the NFSAM in accordance with paragraphs 6.3 and 6.4 of this NPR (Requirement 32202).

e. Prepare or have prepared the nuclear safety analyses (Requirement).

f. Obtain nuclear launch safety approval or launch concurrence in accordance with paragraph 6.3 of this NPR (Requirement 32203).

6.2.5 Mission Directorate Associate Administrators, Center Directors, and line managers shall:

a. Ensure, to the extent of responsibility applicable under defined licensing/permitting documentation or agreements, compliance with all pertinent directives, licenses, agreements, and requirements promulgated by regulatory agencies relative to the use of radioactive materials planned for a space launch (Requirement 32204).

b. Coordinate with appropriate project office(s) to ensure radioactive material source reports that are submitted per paragraph 6.4 of this NPR accurately reflect all known radioactive material sources intended for flight (Requirement 32205).

6.2.6 NASA launch and landing site managers shall:

a. Apply range safety requirements, with regard to the safe launch of radioactive materials, specified in range safety standards (Requirement 25123).

Note: Requirements for range safety concerning the launch of radioactive material are given in the Air Force Space Command Manual 91-710, Volume 2, Safety, Range Safety User Requirements Manual Volume 2 - Flight Safety Requirements (1 July 2004).

b. Develop and implement site-specific ground operations and radiological contingency plans to address potential ground handling accidents and potential launch/landing accident scenarios and to support source recovery operations commensurate with the radioactive materials present (Requirement 32207).

Note: Requirements for contingency plans are provided in NPR 8715.2, NASA Emergency Preparedness Plan Procedural Requirements.

c. Coordinate radiological contingency plans and exercises with the OCHMO (Requirement).

d. Exercise contingency response capabilities as deemed necessary to ensure adequate readiness of participants and adequacy of planning to protect the public, site personnel, and facilities (Requirement 32208).

e. Ensure appropriate and timely coordination with regional Federal, State, territorial, and local emergency management authorities to provide for support to, and coordination with, offsite emergency response elements (Requirement 32209).

f. Make provisions for special offsite monitoring and assistance in recovery of radioactive materials that could spread into areas outside the geographical boundaries of the launch site (Requirement 32210).

g. Establish a radiological control center (RADCC) for launches and landings with radioactive sources possessing a significant health or environmental risk, or having an activity of A2 mission multiple greater than 1,000 as determined per paragraph 6.3 of this NPR, or as specified in applicable interagency agreements (Requirement 32211).

h. Ensure, when required, that the RADCC provides technical support and coordination with other Federal, State, territorial, and local agencies in the case of a launch or landing accident that may result in the release of radioactive materials (Requirement).

i. Ensure, when required, that the RADCC is operational during launch and landing phases anytime there is a potential for an accident that could release radioactive material (Requirement 32213).

j. Ensure, when required, that the RADCC is staffed commensurate with the risk associated with the radioactive materials present (Requirement 32212).

6.2.7 The NASA INSRP Coordinator shall:

a. Coordinate NASA's participation in activities supporting empanelled INSRP(s) to ensure adequate information is available to the INSRP(s) (Requirement 32214).

b. Make arrangements for NASA personnel to provide technical assistance to empanelled INSRP(s) (Requirement 32215).

c. Coordinate the support needs of those selected to provide assistance to empanelled INSRP(s) as may be appropriate (i.e., travel, funding, technical) (Requirement 32216).

d. Coordinate health physics aspects with the OCHMO (Requirement).

6.2.8 The NASA member of an empanelled INSRP shall:

a. Represent NASA in accordance with PD/NSC-25 (Requirement).

b. Provide technical liaison between the empanelled INSRP and NASA management (Requirement).

6.2.9 The Office of Security and Program Protection shall:

a. Ensure appropriate coordination with the Department of Homeland Security (Federal Emergency Management Agency) to provide adequate emergency and recovery planning for all NASA missions above a threshold of 1,000 for A2 mission multiple as defined in paragraph 6.3 of this NPR (Requirement 32194).

b. Ensure that radiological emergency and recovery plans are developed and implemented where NASA is the Lead Federal Agency as defined by the National Response Plan - Nuclear/Radiological Incident Annex (Requirement 32195).

c. Upon request, provide the program executive and OSMA with mission-specific information recommended for consideration during launch or potential accident site emergency response and clean-up planning as part of the nuclear launch approval process (Requirement).

6.3 Nuclear Launch Safety Approval Process

The level of analysis, evaluation, review, and the concurrence or approval required for a radiological risk assessment varies with the total amount of radioactive materials planned for launch as follows:

6.3.1 For all planned launches of radioactive materials, program executives shall:

a. Use the A2 mission multiple value to determine the level of assessment required (Requirement 32217).

b. Use total mission radioactive material inventory contained on the launch to calculate the total A2 mission multiple per Appendix D, Activity and Radioactivity Limits - Basic A1/A2 Values (Requirement 32222).

c. Use the highest of the algebraic sum of the isotopes' A2 multiples at launch, anytime the spacecraft will be in Earth orbit, or during near Earth interplanetary flight (e.g., Earth Gravity Assists) to determine the level of assessment required (Requirement 32223).

d. Consult with the NFSAM and the NASA Office of the General Counsel to determine what provisions, if any, of this chapter apply when NASA participates in the launch of a vehicle or spacecraft from other countries or territories, and these vehicles or spacecraft contain a radioactive source (Requirement 32221).

6.3.2 Internal NASA Nuclear Launch Safety Process.

A summary of the nuclear launch safety review, reporting, and approval requirements is provided in Table 6.1, Nuclear Launch Safety Approval Summary.

Table 6.1 Nuclear Launch Safety Approval Summary

6.3.3 For launches with A2 mission multiples less than 0.001:

6.3.3.1 Program executives (in addition to requirements in paragraph 6.2 of this NPR) shall:

a. Request nuclear launch safety concurrence in writing from the NFSAM (Requirement 25132).

b. Submit the request to the NFSAM a minimum of 4 months prior to launch (Requirement).

Note: The request should be accompanied by the Radioactive Materials On-Board Report defined in paragraph 6.4.1 of this NPR.

6.3.3.2 The NFSAM shall review the report and inform the program executive in writing of concurrence (or nonconcurrence) and any safety concerns not less than 2 months prior to launch (Requirement 32227).

6.3.4 For launches with A2 mission multiples between 0.001 and 10:

6.3.4.1 Program executives (in addition to requirements in paragraph 6.2 of this NPR) shall:

a. Request nuclear launch safety concurrence in writing from the NFSAM (Requirement 25133).

b. Submit the request to the NFSAM a minimum of 4 months prior to launch (Requirement).

Note: The request should be accompanied by the Radioactive On-Board Materials Report defined in paragraph 6.4 with a brief technical description of the radioactive material.

6.3.4.2 The NFSAM shall:

a. Review the request and inform the program executive in writing of nuclear launch safety concurrence (or nonconcurrence) and any safety concerns not less than 2 months prior to launch (Requirement).

b. Report launches with these quantities of radioactive material to the OSTP prior to launch (Requirement 32228).

6.3.5 For launches with A2 mission multiples equal to or greater than 10 but less than 500:

6.3.5.1 Program executives (in addition to requirements in paragraph 6.2 of this NPR) shall:

a. Develop and document, in consultation with the NFSAM, a mutually agreed upon schedule for developing a nuclear safety review (Requirement).

b. Prepare or have prepared a nuclear safety review of the radiological risk for the proposed mission (Requirement 32232).

c. Ensure that the nuclear safety review contains the report described in paragraph 6.4 of this NPR (Requirement 32233).

d. Ensure that the nuclear safety review contains program excerpts describing the mission (Requirement 32234).

e. Ensure that the nuclear safety review contains an analysis of the probabilities of launch and in-flight accidents which could result in the terrestrial release of radioactive materials (surface and air) (Requirement 32235).

f. Ensure that the nuclear safety review contains an estimate of the upper bound of health and environmental effects due to a radioactive material release (Requirement 32236).

g. Ensure that the nuclear safety review contains mission-specific information recommended for consideration in the launch or potential accident site emergency response and clean-up planning (Requirement 32237).

h. Provide the Chief, Safety and Mission Assurance, and the NFSAM the nuclear safety review along with a request for nuclear launch concurrence at least 5 months prior to launch (Requirement 32238).

6.3.5.2 The NFSAM shall:

a. Make a preliminary scoping evaluation of the radiological risk to identify the extent of analyses needed as part of a prelaunch nuclear safety review (Requirement 32230).

b. Develop and document, in consultation with the program executive, a mutually agreed upon schedule for developing a nuclear safety review (Requirement 32231).

c. Notify OSTP of the planned launch with these quantities of radioactive material as a part of the quarterly report (Requirement 32239).

6.3.6 For launches with A2 mission multiples equal to or greater than 500 but less than 1,000:

6.3.6.1 Program executives (in addition to requirements in paragraph 6.2 of this NPR) shall:

a. Develop and document, in consultation with the NFSAM, a mutually agreed upon schedule for developing a nuclear safety review (Requirement).

b. Prepare or have prepared a Safety Analysis Summary (SAS) that, in coordination with the NFSAM, addresses the radiological risk of the proposed mission (Requirement 32244).

Note: The level of detail in the SAS will be commensurate with the radiological risk. The program is encouraged to use other program documentation to provide mission and potential accident information in the SAS.

c. Ensure that the SAS contains a brief description of the planned mission, schedule, launch vehicle, and spacecraft to include operations while in-orbit and during near-Earth flight (Requirement 32245).

d. Ensure that the SAS contains a description of all radioactive materials, their physical state/chemical form, and quantities (Requirement 32246).

e. Ensure that the SAS contains probabilities and resulting consequences of launch and in-flight accidents that could result in the terrestrial release of radiological materials (Requirement 32247).

f. Ensure that the SAS contains an estimate of any health and environmental effects due to a radioactive material release (Requirement 32248).

g. Ensure that the SAS contains mission-specific information recommended for consideration in the launch or potential accident site emergency response and clean-up planning (Requirement 32249).

h. Provide the Chief, Safety and Mission Assurance, the SAS along with a request for nuclear launch concurrence at least 6 months prior to launch (Requirement).

i. Provide the OCHMO the SAS at least 6 months prior to launch (Requirement).

j. Forward the SAS to the NASA Administrator, along with the concurrence of the Chief, Safety and Mission Assurance, no later than 4 months before launch and request nuclear launch safety approval from the NASA Administrator (Requirement 32251).

6.3.6.2 The NFSAM shall:

a. Make a preliminary assessment of the radiological risk and provide a written assessment to the program executive (Requirement 32242).

b. Develop and document, in consultation with the program executive, a mutually agreed upon schedule for nuclear launch safety analyses and review activities to be conducted to support a nuclear launch safety concurrence request (Requirement 32243).

c. Review the SAS and provide timely comments to the program in accordance with the mutually agreed upon schedule (Requirement 32250).

d. Notify OSTP of the planned launch as a part of the quarterly report (Requirement 32252).

6.3.7 For launches with A2 mission multiples equal to or greater than 1000:

6.3.7.1 Program executives (in addition to requirements in paragraph 6.2 of this NPR) shall:

a. Request, in coordination with the Chief, Safety and Mission Assurance, the NASA Administrator to empanel an ad hoc INSRP for the mission (Requirement 32255).

b. Factor the time required for an INSRP into the program master schedule (Requirement 32256).

c. Develop and document, in consultation with the NFSAM, the empanelled INSRP, the program, and the appropriate Department of Energy (DOE) offices (in accordance with interagency agreements for specific missions), a schedule for the delivery of a Safety Analysis Report (SAR), using a phased approach, with the complete final SAR being delivered no later than 10 months prior to launch (Requirement 32260).

Note: The mutually agreed upon schedule should address the planned analysis schedule, base assumptions, analysis limitations/bounds, and model descriptions associated with the SAR development. Interim reviews should be held for all individual analyses before completion and to provide a status of analyses as of a given date.

d. Prepare or have prepared a SAR (Requirement 32258).

Note: The level of detail and content of the SAR will be commensurate with the mission radiological risk. In cases where the DOE provides the radioactive material, the DOE programmatic SAR may be adopted to satisfy this requirement, in accordance with the interagency agreement(s) for specific missions. In cases where launch vehicles, configuration, and radioactive materials are similar, the program executive, in consultation with the NFSAM and the INSRP, is encouraged to use a comparative analysis based upon previous mission(s) safety analyses that bound the anticipated risk for the new mission. Where radioactive materials are being provided from multiple sources, the program executive may provide a single or multiple SAR document(s) to best meet this requirement.

The program executive is encouraged to begin coordination with the empanelled ad hoc INSRP in the early stages of mission development. The program executive should invite the INSRP to review the development of launch and mission accident scenarios, probabilities of occurrence, dispersion, specification of associated environments, and health effects via documentation and program safety reviews. The INSRP normally reviews and evaluates all program documentation associated with radioactive material safety for completeness and defensibility. The INSRP evaluation is documented in a Safety Evaluation Report (SER). The INSRP is normally assisted in its evaluation effort by expert consultants in various specialized areas from a number of Government agencies, national laboratories, industry, and academia.

e. Deliver the agreed iterations of the SAR to the INSRP according to the documented schedule (Requirement).

6.3.7.2 Following the approval by the NASA Administrator to empanel an INSRP, the NASA INSRP Coordinator shall, in accordance with paragraph 6.2.7, facilitate the preparation of an INSRP-developed SER of the radiological risk for the proposed nuclear mission as required by PD/NSC-25 (Requirement 32261).

Note: The SER should typically be completed no later than 6 months prior to launch. The SER, along with the final SAR and other related documents, are considered by the NASA Administrator before requesting nuclear launch safety approval in accordance with PD/NSC-25.

6.3.8 For orbiting spacecraft being resupplied or modified in which the U.S. Government is the lead (e.g., International Space Station) and the A2 mission multiple is equal to 10 but less than 1000:

6.3.8.1 Program executives shall:

a. Request a nuclear launch safety approval from the NFSAM (Requirement 25137).

b. Perform a safety analysis to the level of detail defined in paragraph 6.3.6 of this NPR (Requirement 32262).

c. Meet the launch concurrence/approval requirements defined in paragraph 6.3.6 of this NPR (Requirement).

6.3.8.2 The NFSAM shall conduct reviews as defined in paragraph 6.3.6 of this NPR (Requirement).

6.3.9 For orbiting spacecraft being resupplied or modified in which the U.S. Government is the lead (e.g., International Space Station) and the A2 mission multiple exceeds 1000:

6.3.9.1 Program executives shall:

a. Request a nuclear launch safety approval from the NFSAM (Requirement).

b. Perform a safety analysis to the level of detail defined in paragraph 6.3.7 of this NPR (Requirement).

c. Meet the launch concurrence/approval requirements defined in paragraph 6.3.7 of this NPR (Requirement).

6.3.9.2 The NFSAM shall:

a. Advise the program executive concerning a request to the NASA Administrator to empanel an INSRP as per paragraph 6.2.2 of this NPR.

b. Coordinate a safety evaluation as defined in paragraph 6.3.7.1 of this NPR (Requirement).

6.4 Report Requirements

6.4.1 Nuclear launch safety analyses (e.g., SAS, SAR) and evaluation (e.g., SER) are described in previous paragraphs.

6.4.2 Radioactive Materials Report

6.4.2.1 NASA program executives, Center Directors, facility managers, laboratory managers, and launch and landing site managers shall:

a. Use the Radioactive Materials On-Board Report shown in Figure 6.2 to report planned launches of radioactive materials and request for nuclear launch concurrence/approval (Requirement 32265).

b. Ensure that entries are made for each isotopic source for planned launch and resupplying missions (Requirement 32267).

Note: Isotopes of similar size, chemical form, and activity level may be combined on a single line entry.

6.4.2.2 The NFSAM shall use the format of the Radioactive Materials On-Board Report shown in Figure 6.2 for the quarterly report to notify OSTP of planned launches (Requirement 32266).

Note: Figure 6.2 shows the format for the reports for planned launch and for resupplying radioactive materials to on-orbit spacecraft.

Isotope | Date Arrived On-Board | Number of Sources | Total Activity at Arrival (Ci) | Isotope Half-life | Activity as of Mission Start (Ci) | A2 Limit for Isotope (Ci) | Current A2 Multiple for Each Isotope Source | Remarks
(Use one line for each isotope type, size, form, and arrival date)
(Use one line to sum the A2 mission multiples for the spacecraft)

Figure 6.2 Radioactive Materials On-Board Report

Note: The Activity and Radioactive Material Limits table is located in Appendix D.


Chapter 7. Safety Training and Personnel Certification

7.1 Purpose

This chapter describes the requirements for establishing safety training programs and the minimum training certification levels necessary for personnel involved in potentially hazardous NASA operations. Much of this training is available on the Internet. Instructor-based courses are available through the NASA Safety Training Center (NSTC). The NSTC can be reached by telephone at (281) 244-1284. This chapter also references Personnel Reliability Program (PRP) requirements that may be imposed for certain mission-critical job functions.

7.2 Responsibilities

7.2.1 Mission Directorate Associate Administrators, Center Directors, project managers, and line managers shall provide training to assist managers/supervisors and employees with their specific roles and responsibilities in safety programs (Requirement 25103).

Note: EO 12196, Occupational Safety and Health Programs for Federal Employees, dated February 26, 1980, as amended, and 29 CFR 1960, Subpart H, Training, require that NASA establish comprehensive safety training programs. See NPR 8715.1, NASA Occupational Safety and Health Programs.

7.2.2 The Chief, Safety and Mission Assurance, shall:

a. Assist Center counterparts in ensuring that 29 CFR Part 1960, Basic Program Elements for Federal Employees, Occupational Safety and Health Programs, and Related Matters, requirements are followed (Requirement).

b. Ensure Agency-wide consistency and uniformity in the NASA safety training program (Requirement 25109).

c. Act as a clearinghouse for information regarding available safety training courses and materials (Requirement).

d. Develop, in conjunction with the Training and Development Division at NASA Headquarters, training courses suited to specific Agency safety needs (Requirement 32145).

e. Co-develop, in conjunction with the OCHMO at NASA Headquarters, training courses and materials in areas of overlapping regulatory or programmatic responsibility (Requirement 32146).

Note: Safety forms and reports are retained per NPR 1441.1, NASA Records Retention Schedules.

7.2.3 Center training and personnel development offices and safety offices shall be jointly responsible for:

a. Determining safety and certification training needs (Requirement 25105).

b. Overseeing training efforts (Requirement).

c. Identifying budget requirements for training (Requirement 32141).

d. Developing training courses and materials (Requirement 32142).

e. Assuring that training records reflect employee safety training (Requirement 32143).

7.3 Planning and Implementation of the Safety Training Program

7.3.1 Center Directors shall:

a. Formulate and document a comprehensive safety training program (see Figure 7.1 below) at their Center (Requirement 32147).

b. Develop and maintain a Center Safety Training Plan (Requirement).

c. Ensure that all persons engaged in physical work are instructed in accident prevention and fully informed of the hazards involved (Requirement 32301).

d. Ensure that training for all persons engaged in electrical work includes first-aid procedures and cardiopulmonary resuscitation (Requirement 32302).

e. Ensure that personnel at risk of exposure to cryogenic liquids receive training in correct first aid measures for these liquids (Requirement).

f. Provide system safety training to meet the needs of programmatic activities (Requirement 32116).

g. Ensure that software safety personnel and project/program lead software safety analysts are trained to NASA-STD-8719.13, Software Safety Standard, and NASA-STD-8739.8, Software Assurance Standard (Requirement).

Figure 7.1. Considerations for Developing a Safety Training Program for all Employees

  • Identification of OSHA, National Fire Protection Association (NFPA), FAA, EPA, emergency actions and contingency responses, and other appropriate training requirements and guidelines.
  • Identification of employee training groups within the Center population and determination of present training levels.
  • Identification of specific tasks, hazardous conditions, or specialized processes and equipment encountered by employees that would require safety training; e.g., certification training, cryogenic liquid carrier driver, hazardous waste operations.
  • Documentation for safety training program, including written training syllabi, course objectives, and lesson plans (lesson objectives, measurable desired learning outcomes, and formal evaluation instruments).
  • Identification and documentation of the planned training to be given to each employee category and the intended approach (e.g., course, literature).
  • Determination of the availability of safety training resources. A lack of a specific training resource may require the development of specialized training course materials.
  • Published training schedules.
  • Review and evaluation of training needs and schedules, and revision when necessary.
  • Hazard recognition training.
  • Training for safety committee members.

h. Ensure that operators of motorized equipment (including motor vehicles) have formal initial training, consisting of both classroom and operational testing, if operating the motorized equipment involves skills beyond those associated with normal, everyday operation of private motor vehicles, to assure operator proficiency (Requirement 32271).

i. Ensure that operators of motorized equipment have periodic refresher training and testing, as determined by the safety office, if operating the motor vehicle requires skills beyond those associated with normal, everyday operation of private motor vehicles (Requirement 32272).

j. Annually review operations being performed at their Center to ensure that the implemented safety training program is working effectively and to identify and include training for jobs that are potentially hazardous in addition to the mandatory listing in paragraph 7.4.5 (Requirement).

Note: Employee safety committees, employee representatives, and other interested groups should be provided an opportunity to assist in the hazardous job identification process.

7.3.2 Center subject matter experts shall review NASA training materials at least annually and update materials as needed when regulatory agencies or changes in NASA policy documents generate technical changes (Requirement 32148).

7.3.3 Center SMA Directors shall maintain a current copy of the Center Safety Training Plan (Requirement 25111).

7.4 Personnel Safety Certification Programs for Potentially Hazardous Operations and Materials

7.4.1 Mission Directorate Associate Administrators, Center Directors, project managers, and line managers shall ensure that:

a. Personnel who perform or control hazardous operations or use or transport hazardous material have been trained and certified with the necessary knowledge, skill, judgment, and physical ability (if specified in the job classification) to do the job safely (Requirement 25113).

Note: Many NASA operations involve hazardous materials or chemicals, technology, or systems with potential hazards to life, the environment, or property.

b. Personnel obtain hazardous operation safety certification for those tasks that potentially have an immediate danger to the individual (death/injury to self) if not done correctly, or could create a danger to other individuals in the immediate area (death or injury), or are a danger to the environment (Requirement 32150).

Note: Detailed training and certification requirements may be found in specific NASA Standards; e.g., NASA-STD-8719.9, Standard for Lifting Devices and Equipment, or NSS 1740.12, Safety Standard for Explosives, Propellants and Pyrotechnics.

c. All contractor personnel engaged in potentially hazardous operations or hazardous material handling are certified via a process similar to that for NASA personnel (Requirement 32173).

7.4.2 Center SMA Directors shall develop required safety certification programs for their Center (Requirement 25106).

7.4.3 Medical offices and cognizant health officials shall:

a. Determine the need for physical and medical examinations including their depth, scope, and frequency to support certification requirements (Requirement).

b. Be responsible for medical certification in health hazard and related activities (Requirement 32144).

c. Oversee or conduct required personnel medical examinations in support of the safety certification effort (Requirement).

d. Ensure that physical and medical examinations to support certification requirements are in compliance with OSHA and other Federal, State, and local agency applicable codes, regulations, and standards covering the occupation or environment including medical monitoring and recordkeeping requirements (Requirement 32187).

Note: The need for fitness-for-duty examinations should be based on the hazardous consequences of the employee's inability to perform the job correctly due to physical or mental deficiencies.

7.4.4 Line managers shall manage the certification program for their employees and contractors in accordance with procedures in this NPR (Requirement 25107).

7.4.5 Hazardous Operations Requiring Safety Certification.

Note: This list is not all inclusive; other safety certification requirements are found in other NASA requirement documents.

7.4.5.1 Center SMA Directors or their designees shall ensure:

a. Flight crew member certification (FAA licensing may not be sufficient) (Requirement 32151).

b. Firefighter certification (Requirement 32152).

c. Propellant and explosives user certification per NSS 1740.12 (Requirement 32153).

d. Propellant and explosives handler certification per NSS 1740.12 (Requirement 32154).

e. Rescue personnel certification (Requirement 32155).

f. Self-contained breathing apparatus user certification (Requirement 32156).

g. Self-contained underwater breathing apparatus user certification (Requirement 32157).

h. High-voltage electrician certification that adheres to NASA and State/local requirements (Requirement 32158).

i. Altitude chamber operator certification (Requirement 32159).

j. High-pressure liquid/vapor/gas system operator certification (Requirement 32160).

k. Hyperbaric chamber operator certification (Requirement 32161).

l. Tank farm worker certification (Requirement 32162).

m. Wind tunnel operator certification (Requirement 32163).

n. Welder certification (Requirement 32164).

o. Laser operator/maintenance personnel certification (Requirement 32165).

p. Centrifuge operator certification (Requirement 32166).

q. Range safety officer certification (Requirement 32167).

r. Crane operator certification (Requirement 32168).

s. Certification for riggers for hoisting operations (Requirement 32169).

t. Heavy equipment operator certification (Requirement 32170).

u. Confined space entry personnel certification (Requirement 32171).

v. Certification for lockout/tagout personnel (Requirement 32172).

w. Certification for individuals involved strictly with the handling, transport, or packaging of hazardous materials that will not otherwise disturb the integrity of the basic properly-packaged shipping container that holds the hazardous material (Requirement 25115).

Note: Operations that involve the reduction of palletized or otherwise combined items of packaged hazardous materials qualify as handling.

Center safety officials or their designees may require additional hazardous operations safety certifications.

7.4.5.2 Center SMA Directors who certify individuals to perform or control hazardous operations, or to use or transport hazardous material, shall ensure the individuals possess the necessary knowledge, skill, judgment, and physical ability to do the job in a safe and healthful manner (Requirement 32331).

7.4.6 Certification Requirements.

7.4.6.1 Center training and personnel development offices and safety offices shall ensure that hazardous operations certification and hazardous material handler certification include as a minimum:

a. A physical examination (see paragraph 7.4.3) (Requirement 32175).

b. Initial training (classroom, online, and/or on-the-job) (Requirement 32176).

Note: The level and structure of training is established according to the hazards of the job being performed.

c. A written examination to determine adequacy and retention of training (Requirement 32177).

d. Periodic refresher training as determined by the Center safety official, including review of emergency response procedures (Requirement 32178).

e. A recertification period as determined by the Center safety official in the absence of any local, State, or Federal requirements (but not to exceed a 4-year interval) (Requirement 32179).

f. Applicable requirements of 29 CFR Part 1910, Occupational Safety and Health Standards (Requirement).

g. Specific training in the Federal, NASA, and local rules for preparing, packaging, marking, and transporting hazardous material and/or equipment operation associated with the job (Requirement 32181).

7.4.6.2 Center training and personnel development offices and Center safety offices shall ensure that drivers or operators of vehicles transporting hazardous materials are instructed in the specific hazards of the cargo or material in their vehicle and the standard emergency and first-aid procedures that should be followed in the event of a spill or exposure to the hazardous material (Requirement 32182).

Note: Training requirements can be found in 29 CFR Part 1910, Occupational Safety and Health Standards, and 49 CFR Part 177, Carriage by Public Highway.

7.4.6.3 Mission Directorate Associate Administrators, Center Directors, project managers, and supervisors shall ensure that:

a. Personnel who are hazardous-operations-safety-certified or hazardous-material-handler-certified are identified through the issuance of a card, license, or badge (to be immediately available) or a listing on a personnel certification roster or database (Requirement 32188).

b. Personnel certification rosters indicate the name, date, materials or operations for which certification is valid, name of certifying official, and date of expiration (Requirement 32189).

7.5 Mission Critical Personnel Reliability Program (PRP)

7.5.1 The Director of each NASA installation shall designate mission critical areas for the Space Shuttle and other critical systems including the International Space Station, designated ELVs, designated payloads, Shuttle Carrier Aircraft, and other designated resources that provide access to space (Requirement).

7.5.2 Personnel having unescorted access to these areas shall meet the suitability, qualification, and screening provisions detailed in 14 CFR Part 1214.5, Space Flight: Mission Critical Systems Personnel Reliability Program: Screening Requirements (Requirement).

7.5.3 Mission Directorate Associate Administrators, Center Directors, project managers, supervisors, COs, and COTRs shall ensure that contracts cover mission critical operations or areas referenced by 48 CFR Part 1852.246-70, NASA FAR Supplement, Mission Critical Space System Personnel Reliability Program (Requirement).

7.6 Hazardous Materials and Chemicals Risk Information

7.6.1 Mission Directorate Associate Administrators, Center Directors, project managers, and supervisors shall ensure that:

a. The risk of all hazardous chemicals produced or imported is evaluated and included in their safety training and certification program (Requirement 32183).

b. Information involving the risk of all hazardous chemicals is made available to all employees in accordance with 29 CFR Part 1910.1200 (Requirement 32184).

7.7 Exclusions

7.7.1 This chapter does not apply to personnel engaged in operations that already require skill certification by quality assurance organizations, such as soldering, brazing, welding, crimping, potting, or to personnel performing inspections using dye penetrant, magnetic particle, ultrasonic, radiograph, and magnaflux.

7.7.2 Certification of equipment and facilities is not within the scope of this chapter but may be as important as personnel certification in relation to safety. Information concerning equipment and facilities certification for operational readiness is found in Chapters 6, 8, and 9.

7.7.3 This chapter shall not be used as a justification for allowing hazardous duty payments, environmental differential pay, or premium pay, nor will the fact that a job qualifies for hazardous duty pay imply that it is covered by this chapter. It has always been NASA safety policy to make all operations as safe as possible. Hazard duty pay differentials are covered in 5 CFR Part 532, Prevailing Rate Systems, and 5 CFR Part 550, Pay Administration (General).


Chapter 8. Safety for Facility Acquisition, Construction, Activation, and Disposal

8.1 Purpose

8.1.1 This chapter establishes procedural requirements for the safety and mission success of the NASA facility acquisition, construction, activation and disposal process. Facility operational safety requirements are covered in Chapter 3. Except in case of imminent danger, it is not the intent of this chapter to require upgrades to existing facilities to meet new codes.

8.1.2 NPR 8820.2, Facility Project Implementation Guide, provides requirements for incorporating safety criteria and requirements into project design criteria before the start of facility project design. Specific safety tasks to be accomplished during construction, operation, maintenance, and final disposition of a facility are documented in a Facility Safety Management Plan (FSMP) in accordance with NPR 8820.2, Facility Project Implementation Guide. The FSMP for each facility acquisition should include those tasks appropriate to the size and complexity of the project and the associated risks.

8.1.3 This chapter does not provide direct instructions to NASA contractors responsible for planning, architect-engineering design, or construction services. It provides requirements for the responsible NASA Center project management, contracting office, and safety assurance and fire protection organization personnel who implement safety programs essential to meeting each facility acquisition and construction work package in accordance with NPD 8820.2, Design and Construction of Facilities, and NPR 8820.2, Facility Project Implementation Guide.

8.2 Roles and Responsibilities

8.2.1 Center Directors shall:

a. Ensure this NPR is applied to the CoF projects and facility maintenance projects (Requirement 25273).

b. Ensure this NPR is applied to Center-approved facility projects according to the degree of safety policy impact and regulatory considerations on those projects (Requirement 32486).

c. Ensure that the requirements in this NPR do not supersede more stringent requirements imposed by individual NASA organizations and other Government agencies (Requirement 32487).

d. Use NASA-STD-8719.7, Facilities System Safety Guidebook, which provides for a review of the facility life cycle and the safety tasks that shall be accomplished during acquisition, modification, and test activities, and facility operations, maintenance, and disposal (Requirement 32485).

e. Ensure that existing facilities undergoing major renovations meet national consensus codes in effect at the time of the renovations (Requirement 25272).

Note: Major renovations are any facility modifications controlled by a design review process as provided in NASA-STD-8719.7, Facility System Safety Guidebook.

8.3 Facility Acquisition, Construction, and Activation Objectives

8.3.1 Center Directors shall ensure that NASA facility acquisition, construction, and activation safety activities:

a. Identify, track, and resolve hazards at the earliest possible life cycle phase to eliminate risk to personnel and mission success and to minimize the cost and need for a retrofit program (Requirement 32488).

b. Perform safety oversight functions to ensure compliance with NASA safety policies (Requirement 32489).

c. Monitor facility construction, modification, repair, and rehabilitation for compliance with safety, fire protection, and building codes and standards (Requirement 32492).

d. Provide for the programmatic and technical review of all proposed facility acquisition, design, and construction projects to assure that all safety requirements are specified and funded (Requirement 32491).

e. Maintain current building configurations during all phases of the facility acquisition, maintenance, operation, and disposal process (Requirement 32496).

f. Process any change to facility hardware, software, or procedures through the configuration management program (Requirement 32497).

g. Include the safety inspection of all facilities, occupied or unoccupied, at least annually to ensure compliance with safety, fire protection, and building codes and standards (Requirement 32498).

8.3.2 For projects with safety or fire protection implications, Center Directors shall ensure that:

a. NASA fire protection and safety personnel formally monitor fire protection and safety compliance efforts during the various phases of the projects (Requirement 32493).

b. NASA fire protection and safety monitoring efforts are documented (Requirement).

c. Fire protection or safety monitoring document(s) have formal concurrence from the safety office or fire protection office (Requirement 32494).

8.3.3 Center Directors shall ensure that:

a. Any final inspection effort (operational readiness inspection, operational readiness review, test readiness review, pre-final inspection, final inspection) includes a safety and/or health representative (Requirement).

b. All facility safety and health issues are documented, resolved, or adequately controlled prior to acceptance, activation, and operation (Requirement 32495).

8.4 Basic Requirements for Facility Acquisition, Construction, and Activation

8.4.1 Center Directors shall:

a. Designate and assign facility safety program management responsibilities to a NASA Center SMA organization that is independent from the specific facility (user) management (Requirement 32499).

b. Assure that the NASA fire protection and safety organizations review all proposed NASA-owned, controlled, or operated facility configuration changes and construction work change orders that have a potential fire protection or safety impact (Requirement 32500).

Note: This does not preclude the use of checklists and other guidelines to assist the project in determining the potential fire or safety impact and necessary protection requirements.

c. Ensure compliance with EM 385-1-1, U.S. Army Corps of Engineers, Safety and Health Requirements or local Center requirements, whichever are most stringent, for construction undertaken at NASA sites and facilities by the U.S. Army Corps of Engineers (Requirement 32503).

Note: For related NASA-managed projects, EM 385-1-1 is considered an advisory document.

8.5 Facility Managers

8.5.1 The Center Directors or designees shall:

a. Appoint a facility operations manager or facility coordinator to oversee proper operation of the facility (Requirement 25195).

Note: A safety coordinator may be appointed to assist the manager.

b. Ensure that the extent of each facility operations manager's authority is detailed in writing for the complete safety coverage of all facility operations (Requirement 32509).

Note: The Center safety office will interface with the facility operations managers or safety coordinators, as appropriate, to ensure proper safety program implementation.

8.6 FSMP

8.6.1 Center Directors shall:

a. Develop and maintain a written FSMP that includes facility acquisition, modification, test activities, operations, maintenance, and disposal to monitor timely completion of all required life cycle safety program tasks (Requirement 32510).

b. Ensure that the FSMP includes a facility hazard analysis, hazard analysis tracking index, and hazard resolution verification in accordance with NASA-STD-8719.7, Facilities System Safety Guidebook (Requirement).

c. Ensure that the FSMP is used to implement safety requirements including organizational responsibilities, resources, milestones, methods of accomplishment, depth of efforts, and integration with other program engineering and management activities (Requirement 32511).

d. Ensure that the FSMP includes applicable local directives, instructions, and guidelines for minor or normal acquisitions and facility modification projects, as a minimum (Requirement 32512).

e. Ensure that the FSMP contains a realistic milestone schedule commencing with the development of functional requirements during the facility conceptual development phase to monitor timely completion of all required safety program tasks for facility design (Requirement 32513).

f. Ensure that all FSMP milestones support the scheduled facility need date or occupancy date, as appropriate (Requirement 32515).


Chapter 9. Safety and Risk Management for NASA Contracts

9.1 Purpose

This chapter provides the procedural requirements for assuring that NASA contractors have effective safety and risk management programs. This chapter provides requirements for NASA officials with responsibility for assuring safety under NASA contracts.

9.2 Applicability and Scope

9.2.1 When NASA activities include contractor involvement, Center Directors and project managers shall include contractors in the NASA Safety Program (Requirement 25054).

9.2.2 Center SMA Directors, project managers, COs, and COTRs shall ensure that NASA contracts are written to hold contractors accountable for the safety of their employees, their services, their products, and for complying with NASA and Center safety requirements (Requirement 31915).

9.3 Authority and Responsibility

9.3.1 Project managers shall:

a. Work with cognizant safety officials to develop and approve safety requirements and objectives for efforts to be contracted, and advise COs and COTRs of specific safety concerns or issues related to contract performance (Requirement 31917).

b. Ensure that the application of the requirements in Chapter 2 of this NPR is specified in related contracts, memoranda of understanding, and other documents for joint ventures between NASA and other parties including commercial services, interagency efforts, and international partnerships (Requirement 32103).

c. Ensure that NASA responsibilities are specified in contracts, memoranda of understanding, and other documents for joint ventures between NASA and other parties including commercial services, interagency efforts, and international partnerships (Requirement).

d. Ensure that contracts contain safety, mission success, and risk management requirements for design, development, fabrication, test, and the operations of systems, equipment, and facilities in consultation with Center SMA Directors (Requirement 25060).

e. Use the software safety requirements in NASA-STD-8719.13, Software Safety Standard, and NASA-STD-8739.8, Software Assurance Standard, as the basis for contracts, memoranda of understanding, and other documents related to software (Requirement).

f. Provide specific safety tasks to the CO for incorporation into contracts (Requirement 31919).

g. Define the surveillance of contractor safety matters with respect to the nature of the procurement (Requirement 31920).

h. Ensure that performance-based contracts have a surveillance plan (Requirement 31921).

9.3.2 System Safety Managers, COs, and COTRs shall:

a. Develop safety requirements and objectives that are clearly delineated in contract specifications in conjunction with project officials (Requirement 31918).

b. Establish safety performance as an element to be evaluated in contracts with fee plans (Requirement 31924).

c. Require copies of MSDS for new hazardous materials as requested by the local NASA safety office (Requirement 31925).

d. Participate in onsite visits and pre-bid conferences to ensure potential bidders understand safety provisions (Requirement 31927).

e. Review, comment, and approve (or disapprove) the contractors' safety risk assessment, submitted in response to paragraph 9.3.3, before the start of any hazardous deliverable work or support operations (Requirement).

f. Coordinate any matter regarding proposed deviations to safety requirements of 48 CFR Part 1823.70, Safety and Health, with the OSMA, or designated representative (Requirement 31923).

g. Implement NPR 5100.4, Federal Acquisition Regulation Supplement (NASA FAR Supplement) (Requirement 25058).

h. Implement 48 CFR Parts 1807, Acquisition Planning; 1823, Environment, Energy and Water Efficiency, Renewable Energy Technologies, Occupational Safety, and Drug-Free Workplace; 1842, Contract Administration and Audit Services; and 1846, Quality Assurance (Requirement).

9.3.3 COs or the COTR shall ensure the contractors' safety risk assessments are developed and provided to NASA for approval before the start of any hazardous deliverable work or support operations (Requirement).

9.3.4 System Safety Managers shall:

a. Assist the CO and COTR in evaluating the prospective contractor's safety record and safety program (Requirement 32095).

b. Assist the CO and COTR in applying any special safety provisions to grants or cooperative agreements (see paragraph 2.7) (Requirement 32096).

c. During the pre-award phase of acquisition, develop, document and provide to the CO criteria for the safety performance elements to be evaluated in contracts with fee plans in a timely manner to ensure inclusion in the solicitation (Requirement).

9.4 Requirements

9.4.1 COs and COTRs shall:

a. Ensure contract solicitations require the submission of safety and risk management documentation (e.g., corporate safety policies, implementation procedures, safety performance experience, and mishap rates by North American Industrial Classification System (NAICS) codes, and draft program planning documents, such as safety and health plans and risk management plans) as provided by the Center's SMA Organization (Requirement 25061). (See Appendix E and Appendix F for more information to ensure that solicitation instructions include the requirements outlined in both Appendices.)

b. Ensure contract solicitations include the evaluation of safety and risk management documentation (e.g., corporate safety policies, implementation procedures, safety performance experience, and mishap rates by NAICS codes) and draft program planning documents, such as safety and health plans and risk management plans as a factor for evaluating bids (Requirement). (See Appendix E and Appendix F for more information.)

c. Ensure that safety and risk management evaluation criteria and solicitation instructions are developed in conjunction with responsible project personnel and Center SMA organization representatives (Requirement). (See Appendix E and Appendix F for more information.)

9.4.2 Center SMA Directors shall:

a. Brief all onsite contractors on local safety requirements to include incident and accident reporting, emergency evacuation procedures, fire reporting, medical emergency notification and response actions, hazardous material spill reporting and response, site entry/exit procedures, and hot work permit requirements before contract performance begins and at least annually, thereafter (Requirement 25062).

b. Document the onsite contractor briefings (Requirement 32097).

c. Inform the onsite contractor of any adjacent NASA and any other contractor operations that could pose a hazard to their operation and employees (Requirement).

d. Assist the program or project manager or other responsible official in implementing contractor safety surveillance and evaluation programs (Requirement 25066).

e. During the pre-award phase of acquisition, develop, document and provide to the CO safety, mission success and risk management requirements for design, development, fabrication, test, and the operations of systems, equipment, and facilities in a timely manner to ensure inclusion in the solicitation (Requirement).

f. During the pre-award phase of acquisition, develop, document and provide to the CO a statement of work elements, evaluation criteria, and solicitation instructions requiring the submittal of safety and risk management documentation (e.g., corporate safety policies, implementation procedures, safety performance experience, and mishap rates by North American Industrial Classification System (NAICS) codes, and draft program planning documents, such as safety and health plans and risk management plans) in a timely manner to ensure inclusion in the solicitation (Requirement).

g. Participate in the contractor selection and evaluation process providing support to the CO to ensure the proper evaluation of contractor proposal information (e.g., corporate safety policies, implementation procedures, safety performance experience, and mishap rates by NAICS codes) and draft program planning documents, such as safety and health plans and risk management plans, as a factor for evaluating bids (Requirement).

9.4.3 Center SMA Directors, COs, and COTRs shall ensure that contracts include a provision to require the contractor to provide a written plan for mitigating risks from hazardous operations to adjacent and other contractors (Requirement 32098). (See Appendix E and Appendix F for more information.)

9.5 Access to NASA Facilities by State and Federal Compliance Safety and Health Officers

9.5.1 Unless exclusive Federal jurisdiction is claimed by Federal OSHA, Center Directors and project managers shall allow both Federal and State OSHA compliance safety and health officers and investigators to review and survey contractor operations and investigate contractor mishaps at NASA Centers.

Note: If the State does not have a Department of Labor-approved safety plan or the Center is under exclusive Federal jurisdiction, only Federal compliance officers shall have the right of access to NASA or contractor operations. Further access requirements for OSHA and National Institute of Occupational Safety and Health are provided in NPR 8715.1, NASA Occupational Safety and Health Programs.

9.5.2 Center Directors and project managers shall:

a. Notify the OSMA, the OCHMO, Occupational Health Division, and the Designated Agency Safety and Health Official (DASHO) of any OSHA (Federal or State) impending investigations (Requirement).

b. Provide the results of Federal and State OSHA investigations to the OSMA, Safety Assurance and Requirements Division, the OCHMO, and the DASHO (Requirement 32100).

9.6 Contractor Citations

9.6.1 Center Directors and project managers shall ensure contractor organizations are accountable for providing their employees with safe working conditions regardless of where the employees are working (Requirement 25072).

Note: This provision is required by 5 U.S.C. § 7902; 29 U.S.C. § 651 et seq.; 49 U.S.C. § 1421, the Occupational Safety and Health Act of 1970, as amended, and therefore, it is the contractor's responsibility to submit a timely reply to any OSHA citation it receives. The contractor is responsible for settling citations issued against its operation unless specifically addressed in the contract.

9.7 Grants

9.7.1 Project managers that select research projects that could contain possible safety issues shall:

a. Identify the need for special safety conditions to be included in grants or cooperative agreement award documents (Requirement 25073).

Note: A "special safety condition" addressing safety should be included in grants and cooperative agreements when contract performance involves NASA facilities, Government-Furnished Equipment, or hazardous or energetic materials or chemicals that may pose a significant safety or health risk to the public, NASA employees, and contractor employees when used.

b. Identify special safety conditions that include provisions for applicable OSHA requirements and host institution and general industry-accepted practices to be followed during research to eliminate or control risks associated with implementing the grant or cooperative agreement (Requirement 32101).


Chapter 10. Process/Requirements for the SMA Portions of Requests for Liability Insurance or Indemnification of EAV Developers

10.1 Introduction

10.1.1 This chapter is applicable to the safety review process when the developer of an EAV, involved in an agreement with NASA, has requested liability insurance or indemnification.

10.1.2 An EAV is defined by 42 U.S.C. § 2458c, Section 309 of the National Aeronautics and Space Act of 1958, as amended. Section 309(d)(3) defines an EAV as: "an object intended to be flown in, or launched into, orbital or suborbital flight for the purpose of demonstrating technologies necessary for a reusable launch vehicle, developed under an agreement between the Administration and a developer."

10.1.3 Section 309 specifies that the NASA Administrator may provide liability insurance or indemnification for a NASA EAV developer [defined in Section 309(d)(2)] for liability to third parties arising from the operation of an EAV [defined in Sections 308 and 309(b)(2)].

10.1.4 Among other prerequisites for the NASA Administrator to grant liability insurance or indemnification per 42 U.S.C. § 2458c, the developer "establishes to the satisfaction of the Administrator that appropriate safety procedures and practices are being followed in the development of the EAV" [Section 309(b)(2)(D)].

10.1.5 This chapter defines the NASA safety review required to implement Section 309(b)(2)(D) as a prerequisite to the NASA Administrator's approval of requests for providing liability insurance or indemnification in accordance with 42 U.S.C. § 2458c.

Note: The process and documentation described in this chapter represent the widest range of reviews needed by NASA to understand the risk and decide to indemnify the flight of an EAV. Based on the scope of the request received from the developer of an EAV and the maturity and complexity of the systems involved, the Chief, Safety and Mission Assurance, may tailor the scope of the reviews needed to assure the Administrator that adequate safety assessments have been performed, and the risks to a third party for death, bodily injury, property damage, or loss resulting from an activity carried out in connection with the development or use of an EAV and to the United States Government for damage or loss to Government property resulting from such an activity are mitigated to an acceptable level.

10.2 Responsibility

10.2.1 The Chief, Safety and Mission Assurance, shall:

a. Oversee the process for evaluating the safety review portion of any requests made for liability insurance or indemnification (Requirement).

b. Provide the NASA Administrator or delegee with an evaluation of the safety procedures and practices associated with a request for liability insurance or indemnification (Requirement).

c. Provide the cognizant Mission Directorate Associate Administrator with a listing of the documentation needed to perform a safety review of the request for liability insurance or indemnification (see paragraph 10.3.2) (Requirement).

10.2.1.1 The Chief, Safety and Mission Assurance, may designate, in writing, a NASA management official to represent NASA SMA at EAV reviews. The designee shall keep the Chief, Safety and Mission Assurance, apprised of all SMA issues and actions (Requirement 21020).

10.2.2 The cognizant Mission Directorate Associate Administrator shall:

10.2.2.1 Coordinate the processing of requests for liability insurance or indemnification made to the NASA Administrator or delegee.

10.2.2.2 Obtain the concurrence of the Chief, Safety and Mission Assurance, the NASA General Counsel, the NASA Chief Engineer, and the NASA Chief Financial Officer prior to submission of the request for liability insurance or indemnification to the NASA Administrator or delegee for approval (Requirement 2007).

10.2.2.3 Ensure that the Chief, Safety and Mission Assurance, is provided full access to all safety documentation related to the request for liability insurance or indemnification (Requirement) (see paragraph 10.3.2).

10.2.3 The NASA General Counsel shall interpret and certify that requests for liability insurance or indemnification for EAV developers are processed in accordance with applicable laws, regulations, and policies (Requirement 2008).

10.2.4 The overall lead EAV program/project Center's SMA Director shall assure that the required safety procedures and practices are being followed in the development of the EAV and ensure that adequate records are maintained to support the safety reviews associated with any decision on liability insurance or indemnification (Requirement).

10.2.5 The EAV program/project manager shall collect and certify as accurate the safety review material provided to the Chief, Safety and Mission Assurance, as part of a request for liability insurance or indemnification (Requirement 2024).

10.2.6 The contracting officer, grants officer, or other designated NASA official shall ensure that EAV funding instruments include procedures and requirements for safety reviews needed with requests for liability insurance or indemnification (Requirement).

10.2.7 The NASA Chief Engineer shall review requests for liability insurance or indemnification for compliance to NASA engineering practices and provide comments to the Chief, Safety and Mission Assurance, and the Mission Directorate Associate Administrator (Requirement).

10.3 EAV SMA Assessment Reviews

10.3.1 Safety and Mission Success Reviews, as defined in NPR 8705.6, Safety and Mission Assurance Audits, Reviews, and Assessments, shall be performed at the following times, at a minimum, during a request for liability insurance or indemnification of an EAV (Requirement):

a. Within one month of the request being officially submitted.

b. A minimum of one month prior to any decision meeting with the NASA Administrator on granting liability insurance or indemnification.

c. A minimum of three weeks prior to each EAV flight where liability insurance or indemnification has been granted.

10.3.2 The overall lead EAV program/project manager, with the Center SMA Director, shall present the following safety materials nominally required as a part of a program compliant with NPD 7120.4, Program/Project Management, and NPD 8700.1, NASA Policy for Safety and Mission Success, and the subordinate documents, at the Safety and Mission Success Review as a minimum (Requirement):

a. Program/project safety or SMA plan(s) implementation (e.g., system safety plan, quality assurance plan, test/mission plan, risk assessment/management plan, hardware/software assurance plan, independent verification and validation plan, emergency/contingency plan(s), and environmental management plans).

b. Results of as-built reviews.

c. The adequacy of the SMA processes to cover all facets of the program.

d. Risk identification, risk management, and risk tradeoffs.

e. Safety and hazard risk identification/analyses (including NEPA documentation) and how the risks are closed/mitigated/tracked.

f. Prioritization of the above risk items as to their criticality.

g. The method for reviewing SMA provisions of external interfaces (e.g., system safety working group, Space Shuttle/International Space Station program, Ground Safety Review Panel, range, international partners/participants).

h. Review of demonstrated and documented compliance with applicable range safety requirements.

i. Any required probabilistic risk assessment(s) for the EAV.

10.3.3 For EAV program-wide or EAV preflight reviews being held after the Safety and Mission Success Review discussed in paragraph 10.3.1.c, the Mission Directorate Associate Administrator shall ensure that the Chief, Safety and Mission Assurance (or designee), is invited to participate in the reviews (Requirement 21039).

10.3.4 For EAV flights which are performed outside of established U.S. ranges, the EAV program/project manager shall invite any ranges involved in the EAV flight to participate in the safety review process defined in this chapter (Requirement 21069).

10.4 SMA Review Process Products

10.4.1 Upon completion of each Safety and Mission Success Review, the Chief, Safety and Mission Assurance (and/or designee), shall issue an initial assessment of the EAV program/project's SMA process(es) to the applicable Mission Directorate Associate Administrator. The assessment shall include (Requirement):

a. A preliminary assessment of whether the developer is following appropriate safety procedures and practices in the development of the EAV.

b. Recommendations for corrections or additions to the program/project SMA planning.

c. Requests for further actions or information along with a written response to the assessment.

10.4.2 The Mission Directorate Associate Administrator shall ensure that the results of the safety review are included in the package submitted to the Administrator or delegee for review and decision regarding the request for liability insurance or indemnification (Requirement).

10.4.3 The Chief, Safety and Mission Assurance, shall maintain a record of the safety reviews associated with any request for liability insurance or indemnification per NPD 1441.1, NASA Records Retention Schedules, for a minimum of ten years beyond the life of the EAV program/project (Requirement).

10.5 Range Safety Requirements

(Note: The following two basic program/project requirements are summarized from 14 CFR Chapter III (FAA) and the range safety requirement documents (i.e., EWR 127-1). These requirements are not to be considered as all-inclusive but are provided to assist the program/project manager in understanding which fundamental requirements must be met. These requirements form the basis for developing an acceptable safety risk mitigation plan for EAV projects.)

10.5.1 Operations

The EAV operator should use a structured analytical approach in preplanning for orbital, suborbital, and entry flight by developing detailed flight rules, procedures, and checklists prior to the Flight Readiness Review, for both nominal and contingency operations. The EAV operator shall document scenarios that allow for continued safe flight and landing or flight termination in a manner that minimizes risk in off-nominal situations (Requirement 21109).

10.5.2 Notification

The EAV operator shall coordinate, develop procedures, and demonstrate (in conjunction with the host range and/or FAA), prior to launch and reentry, the capability to notify maritime and aviation authorities with sufficient time to clear the trajectory, ground-track, and emergency abort areas (if applicable) of traffic (Requirement 21111).


APPENDIX A: Acronym and Abbreviation List

AFB Air Force Base
AFOSH Air Force Occupational Safety and Health
AHJ Authority Having Jurisdiction
ANSI American National Standards Institute
ASAP Aerospace Safety Advisory Panel
CFR Code of Federal Regulations
CO Contracting Officer
CoF Construction of Facilities
COTR Contracting Officers Technical Representative
DASHO Designated Agency Safety and Health Official
DoD Department of Defense
DOE Department of Energy
DOT Department of Transportation
EAV Experimental Aeronautical Vehicle
ELV Expendable Launch Vehicle
EM Engineering Memorandum
EO Executive Order
EPA Environmental Protection Agency
ESO Explosive Safety Officer
FAA Federal Aviation Administration
FAR Federal Acquisition Regulation
FED-STD Federal Standard
FHA Facility Hazard Analysis
FMEA Failure Modes and Effects Analysis
FOM Facility Operations Manager
FSAR Final Safety Analysis Report
FSMP Facility Safety Management Plan
GAO General Accountability Office
GSE Government Supplied Equipment
GSE Ground Servicing/Support Equipment
HOP Hazardous Operating Procedure or Hazardous Operating Permit
IAEA International Atomic Energy Agency
IAOP Inter-Center Aircraft Operations Panel
INSRP Interagency Nuclear Safety Review Panel
IV&V Independent Verification and Validation
JPL Jet Propulsion Laboratory
KHB Kennedy Handbook
LED Light Emitting Diode
LLIS Lessons Learned Information System
MSDS Material Safety Data Sheet
NAICS North American Industrial Classification System
NASA National Aeronautics and Space Administration
NASA-STD NASA Standard
NEPA National Environmental Policy Act
NFPA National Fire Protection Association
NFS NASA FAR Supplement
NFSAM Nuclear Flight Safety Assurance Manager
NIOSH National Institute of Occupational Safety and Health
NPD NASA Policy Directive
NPR NASA Procedural Requirements
NSRS NASA Safety Reporting System
NSS NASA Safety Standard
NSTC NASA Safety Training Center
NSTS National Space Transportation System
OCE Office of the Chief Engineer
OCHMO Office of the Chief Health and Medical Officer
OEP Operations and Engineering Panel
OPR Office of Primary Responsibility
OSHA Occupational Safety and Health Administration
OSMA Office of Safety and Mission Assurance
OSTP Office of Science and Technology Policy
PD/NSC Presidential Directive/National Security Council
PEP Performance Evaluation Profile
PHA Preliminary Hazard Analysis
PL Public Law
PM Performance Measure
PMC Program Management Council
PPE Personal Protective Equipment
PRA Probabilistic Risk Assessment
PRP Personnel Reliability Program
PSAR Preliminary Safety Analysis Report
QASAR Quality and Safety Achievement Recognition
RAC Risk Assessment Code
RADCC Radiological Control Center
RCC Range Commanders Council
SAR Safety Assessment Report, Safety Analysis Report
SAS Safety Analysis Summary
SER Safety Evaluation Report
SEMP Systems Engineering Management Plan
SMA Safety and Mission Assurance
SSP Space Shuttle Program
SSTP System Safety Technical Plan
UL Underwriter Laboratories
USAR Updated Safety Analysis Report
VPP Voluntary Protection Program

APPENDIX B. Glossary of Safety and Risk Management Terms

Acceptable Risk. A level of risk, referred to a specific item, system or activity, that, when evaluated with consideration of its associated uncertainty, satisfies pre-established risk criteria.
Accident. A severe perturbation to a mission or program, usually occurring in the form of a sequence of events, that can cause safety adverse consequences, in the form of death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment.
Accident Prevention. Methods and procedures used to eliminate the causes that could lead to an accident.
Assessment. Review or audit process, using predetermined methods, that evaluates hardware, software, procedures, technical and programmatic documents, and the adequacy of their implementation.
Assurance. Providing a measure of increased confidence that applicable requirements, processes, and standards are being fulfilled.
Audit. Formal review to assess compliance with hardware or software requirements, specifications, baselines, safety standards, procedures, instructions, codes, and contractual and licensing requirements.
Availability. Measure of the percentage of time that an item could be used as intended.
Buddy System. An arrangement used when risk of injury is high, where personnel work in pairs, with one person in the pair stationed nearby, not directly exposed to the hazard, to serve as an observer to render assistance if needed.
Catastrophic. (1) A hazard that could result in a mishap causing fatal injury to personnel, and/or loss of one or more major elements of the flight vehicle or ground facility. (2) A condition that may cause death or permanently disabling injury, major system or facility destruction on the ground, or loss of crew, major systems, or vehicle during the mission.
Critical. A condition that may cause severe injury or occupational illness, or major property damage to facilities, systems, or flight hardware.
Critical Single Failure Point. A single item or element, essential to the safe functioning of a system or subsystem, whose failure in a life or mission essential application would cause serious program or mission delays or be hazardous to personnel.
Critical Software Command. A command that either removes a safety inhibit or creates a hazardous condition.
Deviation. An authorization for temporary relief in advance from a specific requirement, requested during the formulation/planning/design stages of a program/project operation to address expected situations. OSHA refers to this as an alternate or supplemental standard.
Dominant Root Cause. Along a chain of events leading to a mishap, the first causal action or failure to act that could have been controlled systemically either by policy/practice/procedure or individual adherence to policy/practice/procedure.
Emergency. Unintended circumstance bearing clear and present danger to personnel or property which requires an immediate response.
Exception. An authorization for permanent relief from a specific requirement, which may be requested at any time during the life cycle of a program/project.
Exposure. (1) Vulnerability of a population, property, or other value system to a given activity or hazard; or (2) other measure of the opportunity for failure or mishap events to occur.
Facility Hazard Analysis (FHA). The FHA is a preliminary hazard analysis performed during the planning and decision phases of a facility design and acquisition program. It may later be updated to become the OHA.
Factor of Safety (Safety Factor). Ratio of the design condition to the maximum operating conditions specified during design (see also Safety Margin and Margin of Safety).
Fail-Safe. Ability to sustain a failure and retain the capability to safely terminate or control the operation.
Failure. Inability of a system, subsystem, component, or part to perform its required function within specified limits.
Failure Mode. Particular way in which a failure can occur, independent of the reason for failure.
Failure Modes and Effects Analysis (FMEA). A bottom-up, systematic, inductive, methodical analysis performed to identify and document all identifiable failure modes at a prescribed level and to specify the resultant effect of the modes of failure. It is usually performed to identify critical single failure points in hardware. In relation to formal hazard analyses, FMEA is a subsidiary analysis.
Failure Tolerance. Built-in capability of a system to perform as intended in the presence of specified hardware or software failures.
Fault Tree. A schematic representation resembling an inverted tree that depicts possible sequential events (failures) that may proceed from discrete credible failures to a single undesired final event (failure). A fault tree is created retrogressively from the final event by deductive logic.
Fault Tree Analysis. An analysis that begins with the definition or identification of an undesired event (failure). The fault tree is a symbolic logic diagram showing the cause-effect relationship between a top undesired event (failure) and one or more contributing causes. It is a type of logic tree that is developed by deductive logic from a top undesired event to all sub-events that must occur to cause it.
Flight Hardware. Hardware designed and fabricated for ultimate use in a vehicle intended to fly.
Functional Redundancy. A situation where a dissimilar device provides safety backup rather than relying on multiple identical devices.
Ground Support Equipment. Ground-based equipment used to store, transport, handle, test, check out, service, and control aircraft, launch vehicles, spacecraft, or payloads.
Hazard. A state or a set of conditions, internal or external to a system that has the potential to cause harm.
Hazard Analysis. Identification and evaluation of existing and potential hazards and the recommended mitigation for the hazard sources found.
Hazard Control. Means of reducing the risk of exposure to a hazard.
Hazardous Material. Defined by law as "a substance or materials in a quantity and form which may pose an unreasonable risk to health and safety or property when transported in commerce" (49 U.S.C. § 5102, Transportation of Hazardous Materials; Definitions). The Secretary of Transportation has developed a list of materials that are hazardous which may be found in 49 CFR Part 172.101. Typical hazardous materials are those that may be highly reactive, poisonous, explosive, flammable, combustible, corrosive, radioactive, produce contamination or pollution of the environment, or cause adverse health effects or unsafe conditions.
Hazardous Operation. Any operation involving material or equipment that has a high potential to result in loss of life, serious injury to personnel, or damage to systems, equipment, or facilities.
Hazardous Operation Safety Certification. Certification required for personnel who perform those tasks that potentially have an immediate danger to the individual (death/injury) if not done correctly, could create a danger to other individuals in the immediate area (death or injury), and present a danger to the environment.
Imminent Danger. Condition or practice that could be reasonably expected to cause death or serious physical harm immediately or in the near term. These are classified as Risk Assessment Code (RAC) 1 using the typical NASA risk assessment matrix.
Independent Verification and Validation. Test and evaluation process by an independent third party.
Inhibit. Design feature that prevents operation of a function.
Interlock. Hardware or software function that prevents succeeding operations when specific conditions are satisfied.
Margin of Safety. Deviation of the actual (operating) factor of safety from the specified factor of safety. Can be expressed as a magnitude or percentage relative to the specified factor of safety.
Mission Assurance. Providing increased confidence that applicable requirements, processes, and standards for the mission are being fulfilled.
Mission Critical. Item or function that must retain its operational capability to assure no mission failure (i.e., for mission success).
Mission Success. Meeting all mission objectives and requirements for performance and safety.
NASA Safety Standard (NSS). A NASA safety document that requires conditions, or the adoption or use of one or more practices, means, methods, operations, or processes reasonably necessary or appropriate to provide for safe employment and places of operation. The document is promulgated by the NASA Office of Safety and Mission Assurance and implemented and enforced by the Center Safety and Mission Assurance organizations.
Nuclear Flight Safety Assurance Manager (NFSAM). The person in the Office of Safety and Mission Assurance responsible for assisting the project offices in meeting the required nuclear launch safety analysis/evaluation.
Occupational Safety and Health Administration (OSHA). The Federal agency which promulgates and enforces workplace safety regulations and guidance.
Operability. As applied to a system, subsystem, component, or device, the capability of performing its specified function(s), including the capability of performing its related support function(s).
Operational Safety. That portion of the total NASA safety program dealing with safety of personnel and equipment during launch vehicle ground processing, normal industrial and laboratory operations, use of facilities, special high hazard tests and operations, aviation operations, use and handling of hazardous materials and chemicals from a safety viewpoint.
Oversight/Insight. The transition in NASA from a strict compliance-oriented style of management to one which empowers line managers, supervisors, and employees to develop better solutions and processes.
Precursor. An occurrence of one or more events that have significant failure or risk implications.
Pressure Vessel. Any vessel used for the storage or handling of a fluid under positive pressure. A pressure system is an assembly of components under pressure; e.g., vessels, piping, valves, relief devices, pumps, expansion joints, gages.
Probabilistic Risk Assessment (PRA). A PRA is a comprehensive, structured, and logical analysis method aimed at identifying and assessing risks in complex technological systems for the purpose of cost-effectively improving their safety and performance in the face of uncertainties. PRA assesses risk metrics and associated uncertainties relating to likelihood and severity of events adverse to safety or mission.
Programs. For the purposes of this NPR the term "programs" shall be interpreted to include programs, projects, and acquisitions.
Quality. The composite of material attributes including performance features and characteristics of a product or service to satisfy a given need.
Radiological Control Center (RADCC). A temporary information clearinghouse established on an as-needed basis to coordinate actions that could be required for mitigation, response, and recovery of an incident involving the launching of nuclear material.
Range Safety. Application of safety policies, principles, and techniques to ensure the control and containment of flight vehicles to preclude an impact of the vehicle or its pieces outside of predetermined boundaries from an abort which could endanger life or cause property damage. Where the launch range has jurisdiction, prelaunch preparation is included as a safety responsibility.
Redundancy. Use of more than one independent means to accomplish a given function.
Reliability. The probability that a system of hardware, software, and human elements will function as intended over a specified period of time under specified environmental conditions.
Reliability Analysis. An evaluation of reliability of a system or portion thereof. Such analysis usually employs mathematical modeling, directly applicable results of tests on system hardware, estimated reliability figures, and non-statistical engineering estimates to ensure that all known potential sources of unreliability have been evaluated.
Residual Risk. The level of risk that remains after applicable safety-related requirements have been satisfied. In a risk-informed context, such requirements may include measures and provisions intended to reduce risk from above to below an acceptable level.
Risk. The combination of (1) the probability (qualitative or quantitative) of experiencing an undesired event, (2) the consequences, impact, or severity that would occur if the undesired event were to occur and (3) the uncertainties associated with the probability and consequences.
Risk Management. An organized, systematic decision-making process that efficiently identifies, analyzes, plans, tracks, controls, communicates, and documents risk to increase the likelihood of achieving project goals.
Risk (Safety) Assessment. Process of qualitative risk categorization or quantitative risk (safety) estimation, followed by the evaluation of risk significance.
Safety. Freedom from those conditions that can cause death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment. In a risk-informed context, safety is an overall mission and program condition that provides sufficient assurance that accidents will not result from the mission execution or program implementation, or, if they occur, their consequences will be mitigated. This assurance is established by means of the satisfaction of a combination of deterministic criteria and risk criteria.
Safety Analysis. Generic term for a family of analyses, which includes but is not limited to, preliminary hazard analysis, system (subsystem) hazard analysis, operating hazard analysis, software hazard analysis, sneak circuit, and others.
Safety Analysis Report (SAR). A safety report of considerable detail prepared by or for the program detailing the safety features of a particular system or source.
Safety Analysis Summary (SAS). A brief summary of safety considerations for minor sources; a safety report of less detail than the SAR.
Safety Assurance. Providing confidence that acceptable risk for the safety of personnel, equipment, facilities, and the public during and from the performance of operations is being achieved.
Safety Critical. Term describing any condition, event, operation, process, equipment, or system that could cause or lead to severe injury, major damage, or mission failure if performed or built improperly, or allowed to remain uncorrected.
Safety Critical Function. A system, equipment, or facility function or process that, by not performing as intended, causes a safety critical condition or event.
Safety Critical Item. Single failure point or other element or item in a life or mission-essential application that, as determined by the results of failure modes and effects analysis or other safety analysis, is essential to the safe functioning of a system or subsystem.
Safety Device. A device that is part of a system, subsystem, or equipment that will reduce or make controllable hazards which cannot be otherwise eliminated through design selection.
Safety Evaluation Report (SER). A safety report prepared by the INSRP detailing the INSRP's assessment of the nuclear safety of a particular source or system based upon INSRP's evaluation of the program-supplied SAR and other pertinent data.
Safety Margin. Difference between as-built factor of safety and the ratio of actual operating conditions to the maximum operating conditions specified during design.
Safety Oversight. Maintaining functional awareness of program activities on a real-time basis to ensure risk acceptability.
Safety Program. The implementation of a formal comprehensive set of safety procedures, tasks, and activities to meet safety requirements, goals, and objectives.
Serious. When used with "hazard," "violation," or "condition," denotes there is a substantial probability that death or serious physical harm could result.
Single Failure Point. An independent element of a system (hardware, software, or human) the failure of which would result in loss of objectives, hardware, or crew.
Software Hazard Analysis. Identification and verification of adequate software controls and inhibits; and the identification, analysis, and elimination of discrepancies relating to safety critical command and control functions.
System Safety. Application of engineering and management principles, criteria, and techniques to optimize safety and reduce risks within the constraints of operational effectiveness, time, and cost throughout all phases of the system life cycle.
System Safety Manager. A designated management person who, qualified by training and/or experience, is responsible to ensure accomplishment of system safety tasks.
Vacuum System. An assembly of components under vacuum, including vessels, piping, valves, relief devices, pumps, expansion joints, gages, and others.
Validation. (1) An evaluation technique to support or corroborate safety requirements to ensure necessary functions are complete and traceable; or (2) the process of evaluating software at the end of the software development process to ensure compliance with software requirements.
Variance. An authorization for temporary relief in advance from a specific requirement, requested during the formulation/planning/design stages of a program/project operation to address expected situations.
Verification (Software). (1) The process of determining whether the products of a given phase of the software development cycle fulfill the requirements established during the previous phase (see also validation); or (2) formal proof of program correctness; or (3) the act of reviewing, inspecting, testing, checking, auditing, or otherwise establishing and documenting whether items, processes, services, or documents conform to specified requirements.
Waiver. A variance that authorizes departure from a specific safety requirement where a certain level of risk has been documented and accepted.

APPENDIX C. Safety Motivation and Awards Program

1. The following awards represent NASA's primary means for recognizing outstanding safety performance:

a. NASA Honor Awards. These awards are approved by the Administrator and represent the highest honorary recognition bestowed by NASA. Government and non-Government personnel making significant safety contributions may be nominated for these awards following the guidelines provided in NPR 3451.1, NASA Awards and Recognition Program.

b. NASA Space Flight Awareness, Flight Safety Award. This award is managed by the Space Flight Safety Panel in accordance with NPD 1000.3, The NASA Organization, paragraph 6.21. It is bestowed in recognition of contributions to space flight safety made through design, device, or practice. The purpose of the award is to acknowledge the individuals whose personal efforts, above and beyond their job commitment, result in significant, direct contributions to space flight safety. The award is given to both individuals and groups. Every Government and industry employee supporting NASA's human space flight programs is eligible for this award.

c. NASA QASAR Award. QASAR stands for Quality and Safety Achievement Recognition. The QASAR Award recognizes NASA, other Government, and prime/subcontractor individuals for significant quality improvements to products or services for NASA, as well as safety initiatives within products, programs, processes, and management activities. NASA Headquarters and each of the Centers have local QASAR Award programs; annually, the "Best of the Best" in each award category is chosen for Agency recognition by the Administrator.

d. Center Safety Awards. The majority of NASA safety awards are issued at the local level as part of each Center's overall safety effort. Safety programs at NASA Centers include an awards program, designed in accordance with this document, to recognize and encourage safety in all operations.

2. NASA safety awards should be properly designed to motivate and maintain safe behavior. The following principles should be considered when developing safety awards:

a. Any award based on competition must be carefully designed to avoid possible negative aspects. (For example, employees involved in a competition to reduce on-the-job injuries have been known to avoid seeking medical attention for an injury so that it would not be reported.)

b. The safety awards program should be part of the participating safety program and include all personnel.

c. The responsible NASA safety organization should clearly define the purpose of each award, those who are eligible, and the criteria for selection.

d. Award presentations and the safety contributions made by award recipients should be sufficiently publicized to heighten employee safety awareness and to encourage active employee participation in all efforts designed to improve safety performance.

e. Awards should be granted on the basis of merit without regard to age, color, handicap, marital status, national origin, politics, participation or non-participation in a labor organization, race, religion, or sex.

f. NASA awards for safety excellence should be granted based on specific published criteria. Nominations should be evaluated against the individual awards criteria and not against any unwritten standards or interpretations.

3. In conjunction with safety awards, NASA safety programs may distribute items of minimal value to individuals as a means of promoting safe work practices and heightening safety awareness. The following apply to the purchase and distribution of safety promotional items:

a. Procurements made with Federally-appropriated funds are subject to the rulings of the General Accounting Office (GAO). Safety promotional items usually are interpreted by GAO as personal gifts, and therefore have not been allowed. It is recommended that non-appropriated funds be used for the procurement of safety promotional items whenever possible.

b. Safety promotional items should be distributed for valid reasons and shall not be given with such frequency that they lose meaning.

c. All items shall be clearly identified as NASA safety program items via printed markings and/or safety logos.


Appendix D. Activity and Radioactive Material Limits - Basic A1/A2 Values

1. Determination of A2 Mission Multiple.

The A2 multiplier for each radioactive source is based upon the International Atomic Energy Agency (IAEA), Safety Series Number 6, Regulations for the Safe Transport of Radioactive Material, 1985 Edition as amended in 1990, Section III, paragraphs 301 through 306, and summed to determine the A2 mission multiple.

Table I of this Appendix contains the referenced IAEA document section which tabulates the A2 values for specific isotopes and forms of radioactive material. Except as noted, for radioisotopes whose A2 limit in Table I is "Unlimited" or is unlisted, the value of 3.7 x 10^-2 teraBecquerels (TBq) (1.0 Curies (Ci)) shall be used as the A2 value.

Exceptions are Sm-147, use 9 x 10^-4 TBq (0.024 Ci) and Th-232, use 9 x 10^-5 TBq (0.0024 Ci) as their respective A2 values.

The A2 mission multiple shall be determined as follows:

where n represents each source or line on the report in paragraph 5.4.1.2 for each radioactive material on the launch vehicle and spacecraft.

2. Values of A1 and A2 for individual radionuclides, which are the basis for many activity limits elsewhere in this NPR, are given in Table I.

This section has been reproduced with permission of the IAEA.

DETERMINATION OF A1 AND A2

3. For individual radionuclides whose identities are known, but which are not listed in Table I, the determination of the values of A1 and A2 shall require competent authority approval or, for international transport, multilateral approval. Alternatively, the values of A1 and A2 in Table II may be used without obtaining competent authority approval.

4. In the calculations of A1 and A2 for a radionuclide not in Table I, a single radioactive decay chain in which the radionuclides are present in their naturally occurring proportions and in which no daughter nuclide has a half-life either longer than 10 days or longer than that of the parent nuclide shall be considered as a single radionuclide, and the activity to be taken into account and the A1 or A2 value to be applied shall be those corresponding to the parent nuclide of that chain. In the case of radioactive decay chains in which any daughter nuclide has a half-life either longer than 10 days or greater than that of the parent nuclide, the parent and such daughter nuclides shall be considered as mixtures of different nuclides.

5. For mixtures of radionuclides whose identities and respective activities are known, the following conditions shall apply:

(a) For special form radioactive material:

(b) For other forms of radioactive material:

where B(i) is the activity of radionuclide i and A1(i) and A2(i) are the A1 and A2 values for radionuclide i, respectively.

Table I. A1 And A2 Values for Radionuclides

Alternatively, an A2 value for mixtures may be determined as follows:

where f(i) is the fraction of activity of nuclide i in the mixture and A2(i) is the appropriate A2 value for nuclide i.

6. When the identity of each radionuclide is known but the individual activities of some of the radionuclides are not known, the radionuclides may be grouped and the lowest A1 or A2 value, as appropriate, for the radionuclides in each group may be used in applying the formulas in paragraphs 3 - 5. Groups may be based on the total alpha activity and the total beta/gamma activity when these are known, using the lowest A1 or A2 values for the alpha emitters or beta/gamma emitters, respectively.

7. For individual radionuclides or for mixtures of radionuclides for which relevant data are not available, the values shown in Table II shall be used.

TABLE II. GENERAL VALUES FOR A1 AND A2

| Contents | A1, TBq (Ci)a | A2, TBq (Ci)a |
|---|---|---|
| Only beta or gamma emitting nuclides are known to be present | 0.2 (5) | 0.02 (0.5) |
| Alpha emitting nuclides are known to be present or no relevant data are available | 0.1 (2) | 2 x 10^-5 (5 x 10^-4) |

a The curie values quoted in parentheses are approximate values and are not higher than the TBq values





Appendix E. Sample Safety and Health Plan for Service or Operations Contracts

A detailed Safety and Health Plan is submitted as part of a Service or Operations contract proposal, showing how the contractor intends to protect the life, health, and well-being of the public, and NASA and contractor employees as well as property and equipment. The plan should include detailed discussions of the policies, procedures, and techniques for all anticipated working conditions that will be encountered throughout the performance of the contract. The safety and health of subcontractor employees should be included in the plan for any proposed subcontract whose value is expected to exceed $1,000,000 including commercial services and services provided in support of a commercial item. An approved Safety and Health Plan will be included as a part of any resulting contract.

If the contractor will conduct work or be located on a NASA site or in a NASA facility, the Safety and Health Plan should discuss measures to be taken to ensure the protection of property, equipment, and the environment in the production of contractor deliverables and/or in the pursuit of any of its activities. An approved onsite contractor will develop and subsequently implement a Safety and Health Program based on the approved plan that will include policies and procedures for compliance with pertinent NASA policies and requirements, and Federal, State and local regulations for safety, health, environmental protection, and fire protection. The contractor's Safety and Health Program will be used to assure integration of the onsite contractor as a full participant in the Center's Safety and Health Program.

The proposed Safety and Health Plan should contain the following information.

CONTENTS OF THE PROPOSED SAFETY AND HEALTH PLAN

1.0 MANAGEMENT LEADERSHIP AND EMPLOYEE PARTICIPATION.

1.1 Policy. Provide the contractor's corporate safety policy statement. Compare this policy statement with those of NASA and OSHA and discuss any differences.

1.2 Goals and Objectives. Describe specific goals and objectives of the Safety and Health Plan. Discuss these goals and objectives using the Performance Evaluation Profile (PEP) as safety performance criteria. Describe the approach (including milestone schedule) to achieve and maintain level 5 of the PEP in all areas (see contents of PEP).

1.3 Management Leadership. Describe the process and procedures for implementing management commitments to safety and health through visible activities and initiatives including the exercise of controls to ensure workplace safety and health. Include a statement from the project manager or designated safety official indicating that the plan will be implemented as approved and that the project manager will take personal responsibility for its implementation.

1.4 Employee Involvement. Describe procedures to implement and promote employee (e.g., non-supervisory) involvement in safety and health program development, implementation, and decision making. Describe the scope and breadth of employee participation so that all safety and health risk areas are addressed.

1.5 Assignment of Responsibility. Describe the line and staff responsibilities for safety and health program implementation. Identify any other personnel or organizations that provide safety services or exercise any form of control or assurance in these areas. State the means of communication and interfaces concerning related issues used by line, staff, and others (such as documentation, concurrence requirements, committee structure, sharing of the work site with NASA and other contractors, or other special responsibilities and support). As a minimum, the contractor will identify the following:

a. Safety Representative. Identify, by title, the individual who will be responsible for the contractor's adherence to Center-wide safety, health, environmental, and fire protection concerns and goals, and will participate in meetings and other activities related to the Center's Safety and Health Program.

b. Company Physician. Provide the identification of a company physician to facilitate communication of medical data to the head of the NASA clinic. The contractor shall identify the point of contact by name, address, and telephone number to the NASA Center Clinic. Any changes that occur in the identity of the point of contact will be promptly conveyed to the NASA Center Clinic.

c. Building Fire Wardens. Each building occupied by the contractor will have an assigned individual to facilitate the Center's fire safety program. Duties will include coordination of fire-related issues with the NASA facility manager, and emergency planning and response officials and their representatives. Identify the assigned contractor Building Fire Warden.

d. Designated Safety Official. Identify, by title, the official(s) responsible for implementing the proposed Safety and Health Plan. Identify all formal contacts with regulatory agencies and with NASA.

1.6 Provision of Authority. Compare the provisions and procedures in the proposed Safety and Health Plan with applicable NASA requirements and contractual directions, and applicable Federal, State, and local regulations. Identify the lines of authority and responsibility for each requirement and regulation. Discuss how the subsequent contractor's Safety and Health Program will be controlled to maintain the identified lines of authority and responsibility for the life of the contract.

1.7 Accountability. Describe the procedures for ensuring that management and employees will be held accountable for implementing their tasks in a safe and healthful manner. The use of traditional and/or innovative personnel management methods (including discipline, motivational techniques, or any other technique that ensures accountability) should be referenced, as a minimum, and described, as appropriate.

1.8 Program Evaluation. Describe the method to be used for internal program reviews and evaluations. The program review and evaluation may consist of either (1) participation in PEP surveys at the request of the Government or (2) a written report that documents the methods and procedures for determining the existence and criticality of the contractor's hazardous operations.

If the proposed plan provides for internal reviews and evaluations other than participation in PEP surveys, the submitted report should include, but not be limited to, methods and procedures for the following: identification of the contractor's hazardous operations and products; approach to be used for conducting risk evaluations; the approach to be used for risk ranking with respect to consequence severity, risk management techniques to be applied to unacceptable safety risks, and the documentation of the results. The report should also include an identification of the personnel who will conduct the reviews and evaluations, to whom the reports will be made, and the frequency (at least annually) at which the reviews and evaluations will be performed. The reviews and evaluations should include subcontracted tasks. The submitted report should clearly describe the correlation between the proposed program review and evaluation approach and applicable criteria of the PEP.

When a written program review and evaluation is requested, it should be delivered to the Government no later than 30 days after the end of each contract year or at the end of the contract, whichever is applicable. Distribution of these program reviews and evaluations will be the same as that for the Safety and Health Plan. The PEP surveys will be scheduled and administered at the discretion of the Government.

1.9 The prospective contractor will describe the approach to be taken to document its safety and health program performance to provide necessary visibility and insight. This description should include: the identification, acquisition, and processing of safety and health data; development of procedures; recordkeeping; statistical analyses including metrics; and the furnishing of data and reports to the Government. Electronic access by the Government to this data is preferred as long as Privacy Act requirements are met and the Government safety and health professionals and their representatives have full and unimpeded access for review and audit purposes.

For contractor activities conducted on NASA property, the contractor will identify what records it will make available to the Government in accordance with the Voluntary Protection Program (VPP) criteria of OSHA as implemented in [the local Center's] Requirements Handbook for Safety, Health, and Environmental Protection, as revised. For the purpose of this plan, safety and health documentation includes, but is not limited to, logs, records, minutes, procedures, checklists, statistics, reports, analyses, notes, or other written or electronic documents which contain in whole or in part any subject matter pertinent to safety, health, environmental protection, or emergency preparedness. The contractor will acknowledge the following as a standing request of the Government to be handled as described below.

a. Roster of Terminated Employees. NASA expects the contractor to identify and report terminated employees to the Center occupational health program office. This report should be sent to the Occupational Health Officer no later than 30 days after the end of each contract year or at the end of the contract, whichever is applicable. At the contractor's discretion, the report may be submitted for personnel changes during the previous year or cumulated for all years.

Information required:

(1) Date of report, contractor identity, and contract number.

(2) For each person listed: provide name, social security number, assigned Center badge number, and date of termination.

(3) Name, address, and telephone number of contractor representative to be contacted for questions or other information.

b. Material Safety Data. Describe the procedure to be used by the contractor to prepare and/or deliver to NASA, Material Safety Data for hazardous materials brought onto Government property or included in products delivered to the Government. These data are required by the Occupational Safety and Health Administration (OSHA) regulation, 29 CFR Part 1910.1200, Hazard Communication, and Federal Standard 313 (or FED-STD-313), Material Safety Data, Transportation Data and Disposal Data for Hazardous Materials Furnished to Government Activities, as revised. A single copy of each Material Safety Data Sheet (MSDS) will be sent upon receipt of the material for use on NASA property to the Center's Central Repository, Mail Code ____. Information on new or changed locations and/or quantities of hazardous materials normally stored or used onsite should also be sent to the Center's Central Repository. If the MSDS arrives with the material and is needed for immediate use, the MSDS should be delivered to the Central Repository by close of business of the next working day after it enters the site.

c. Hazardous Materials Inventory. The contractor will be responsible for compiling and reporting the inventory of all hazardous materials that are within the scope of 29 CFR Part 1910.1200, Hazard Communication, and Federal Standard 313 (or FED-STD-313), Material Safety Data, Transportation Data and Disposal Data for Hazardous Materials Furnished to Government Activities, as revised, and that are located on Government property. The call for this annual inventory will be issued by the [responsible NASA official], Mail Code ____. The inventory should contain the following information:

(1) The identity of the material.

(2) The location of the material onsite by building and room.

(3) The quantity of each material normally kept at each location.

1.10 Government Access to Safety and Health Program Documentation. The contractor shall recognize in its plan that it will be expected to make all safety and health documentation (including relevant personnel records) available for inspection or audit at the Government's request.

1.11 The contractor may be requested to participate in the review and modification of safety requirements that are to be implemented by the Government including any referenced documents therein. This review activity will be implemented at the direction of the NASA Contracting Officer's Technical Representative in accordance with established NASA directives and procedures.

1.13 Procurement. Identify procedures used to assure that the contractor's procurements are reviewed for safety considerations and that specifications contain appropriate safety criteria and instructions. Set forth authority and responsibility to assure that safety tasks are clearly stated in subcontracts.

2.0 WORKPLACE ANALYSIS. Describe the method and techniques the contractor will use to systematically identify the hazards within the workplace for the duration of the contract. The discussion should describe the information collection process including a combination of surveys, analyses, inspections of the workplace, investigations of mishaps and close calls, and the collection and trend analysis of safety and health data such as records of occupational injuries and illnesses; findings and observations from preventive maintenance activities; reports of spills and inadvertent releases to the environment; facilities-related incidents related to partial or full loss of systems functions; and employee reports of hazards.

Every hazard identified by any of the techniques given below shall be ranked and processed in accordance with Center procedure. All hazards identified on NASA property that are immediately dangerous to life or health should be reported immediately to the NASA safety office. All safety engineering products, which address operations, equipment, and other aspects of safety engineering, on NASA property will be subject to the review and concurrence of the NASA Safety Office unless otherwise specified in the approved safety and health plan. The contractor is expected to have processes to address similar instances in contractor facilities utilizing contractor resources to manage such instances.

2.1 Hazard Identification. Describe the procedures and techniques to be used to compile an inventory of hazards associated with the work to be performed on this contract. This inventory of hazards shall address the work specified in the contract as well as the hazards associated with operations and work environments in close proximity to contract operations. The hazard inventory results will be reported to the Government in a manner suitable for inclusion in facilities baseline documentation as a permanent record. Specific techniques to be considered include:

a. Comprehensive Survey. A "wall-to-wall" engineering assessment of the work site including facilities, equipment, processes, and materials (including waste).

b. Change Analysis. Address modifications in facilities, equipment, processes, and materials (including waste); and related procedures for operations and maintenance. Periodic change analyses will be driven by new or modified regulatory and NASA requirements.

c. Hazard Analysis. Address facilities, systems/subsystems, operations, processes, materials (including waste), and specific tasks or jobs.

2.2 Inspections. This paragraph should include the procedures and frequency for regular inspections and evaluations of work area hazards and who will be accountable for implementing corrective measures. The contractor will describe administrative requirements and procedures for the control of regularly scheduled inspections for fire and explosive hazards. The contractor has the option, in lieu of the above detail, to identify policies and procedures with the stipulation that the results (including findings) of inspections conducted on NASA property or involving Government furnished equipment will be documented in safety program evaluations or monthly Accident/Incident Summary reports. Inspections will identify the following:

a. Discrepancies between observed conditions and current requirements.

b. New (not previously identified) or modified hazards.

2.3 Employee Reports of Hazards. The contractor will identify the methods to be used to encourage employees to report hazardous conditions (e.g., close calls) and analyze/abate hazards. The contractor will describe steps to be taken to create reprisal-free employee reporting with emphasis on management support for employees and describe methods to be used to incorporate employee insights into hazard abatement activities.

3.0 MISHAP INVESTIGATION AND RECORD ANALYSIS.

3.1 Mishap Investigation and Reporting. The contractor will identify the methods to assure the investigation and reporting of mishaps, including corrective actions to be implemented to prevent recurrence. The contractor will describe the methods to be used to investigate and report mishaps on NASA property and on contractor or third-party property. The contractor will describe procedures for implementing the NASA mishap investigation and reporting forms or use alternate contractor forms with emphasis on the timely notification of NASA. The contractor discussion should include: investigation procedures; exercise of jurisdiction over a mishap investigation involving NASA and other contractor personnel; follow up of corrective actions; communication of lessons learned to NASA; and solutions to minimize duplications in reporting and documentation including use of alternate forms or other solutions. The contractor will discuss its procedures for the immediate notification of fires, hazardous materials releases, and other emergencies. The contractor will include appropriate details to address the use of Incident Reporting Information System, including 24-hour and ten-day mishap reports to the Occupational Safety Office, mail code ___.

3.2 Trend Analysis. The contractor will describe the approach to be used to perform trend analysis of data (occupational injuries and illnesses; facilities, systems, and equipment performance; maintenance findings; etc.). The discussion should include methods to identify and abate common cause failures or occurrences indicated by the trend analysis. The contractor should discuss the following methods of providing data in support of site-wide trend analysis to be performed by the Government:

a. Accident/Incident Summary Report. The contractor will describe how monthly Accident/Incident Summary Reports are prepared and delivered, as specified on [specify locally used format]. All new and open mishaps, including vehicle accidents, incidents, injuries, fires, and any close calls will be described in summary form along with their current status. Negative reports are also required monthly; date due is the 10th day of the month following each month reported. Reports will be delivered to the Center Safety Office, mail code _____.

b. Log of Occupational Injuries and Illnesses. For each location on or off NASA property that performs work on this contract, the contractor will deliver to the Government (under separate contractor's cover letter), a copy of an annual summary of occupational injuries and illnesses (or equivalent) as described in 29 CFR Part 1904.32, Annual Summary. If the contractor is exempt by regulation from maintaining and publishing such logs, equivalent data in the contractor's format is acceptable (such as loss runs from insurance carrier). This data will be compiled and reported each calendar year and provided to the Government within 45 days after the end of the year to be reported (e.g., not later than February 15 of the year following).

4.0 HAZARD PREVENTION AND CONTROL. Identified hazards must be eliminated or controlled. In the multiple employer environment of the Center, it is required that hazards including discrepancies and corrective actions be recorded in the Center's information data system (provide name of system here) for risk management purposes. Describe the approach to implementing this requirement.

4.1 Appropriate Controls. Discuss the approach to be used for considering and selecting controls. Discuss the use of the hazard reduction precedence sequence. Discuss the approach to be used to identify and accept any residual risk. Discuss the implementation of controls including verifying their effectiveness. Discuss the scope of coverage (hazardous chemicals, equipment, discharges, waste, energies, or other). Discuss the need for coordination with safety, health, environmental service, and emergency authorities at NASA.

4.1.1 Hazardous Operations. Establish methods for notifying personnel when hazardous operations are to be performed and when hazardous conditions are found to exist during the course of this contract. NASA policy will serve as a guide for defining, classifying, and prioritizing hazardous operations. Develop and maintain a list of hazardous operations to be performed during the life of this contract. The list of hazardous operations will be provided to the contracting officer as part of the safety and health plan for review and approval. The contracting officer and the contractor will decide jointly which operations are to be considered hazardous, with the contracting officer having final authority. Before hazardous operations commence, the contractor will provide a schedule for the development of written hazardous operations procedures with particular emphasis on identifying the safety steps required. The contractor may implement this requirement as follows:

a. Identify contractor policies and procedures for the management and implementation of hazardous operations procedures together with a statement that NASA will have access, on request, to any contractor data necessary to verify implementation; or

b. In lieu of contractor management and development of such procedures, identify the method whereby the contractor will identify and submit hazardous operations procedures to the NASA Occupational Safety Office for review and approval.

4.1.2 Written Procedures. Provide methods to assure that relevant hazardous situations and proper controls are identified in documentation such as inspection procedures, test procedures, and other related information. Describe methods to assure that written procedures are developed for all hazardous operations, including testing, maintenance, repairs, and handling of hazardous materials and hazardous waste. Procedures will be developed in a format suitable for use as safety documentation (such as a safety manual) and be readily available to personnel as required to correctly perform their duties.

4.1.3 Protective Equipment. Describe procedures for obtaining, inspecting, and maintaining protective equipment, as required, or reference written procedures pertaining to this subject. Describe methods for keeping records of such inspections and maintenance programs.

4.1.4 Hazardous Operations Permits. Identify facilities, operations, and/or tasks where hazardous operations permits will be required as specified in the Center's local requirement. Describe the process to be used to ensure adherence to established NASA Center procedures. Clearly state the role of the safety group or function to control such permits.

a. Operations Involving Potential Asbestos Exposures. Describe methods for assuring compliance with the Center's Asbestos Control Program as established in local policy.

b. Operations Involving Exposures to Toxic or Unhealthful Materials. Such operations must be evaluated by the NASA Occupational Health Office and must be properly controlled as advised by same. Describe the process to be used to notify the NASA Occupational Health Office prior to initiation of any new or modified operation potentially hazardous to health and safety.

c. Operations Involving Hazardous Waste. Identify procedures to be used to manage hazardous waste from the point of generation through disposal. Clearly identify divisions of responsibility between contractor and NASA for hazardous waste generated throughout the life of the contract. Operations which occur on site must also be evaluated by the Center environmental services office and must be properly controlled as advised by same. Describe the process to be used to notify the Center environmental services office prior to initiation of any new or modified hazardous waste operation on site.

d. Operations Involving New or Modified Emissions/Discharges to the Environment. Describe methods for identifying new or modified emissions/discharges and coordinating the results with the Center environmental services office. Discuss procedures to minimize or eliminate environmental pollution. Address the management of hazardous materials; substitution of non-hazardous or less hazardous materials for hazardous materials; proper segregation of hazardous wastes from non-hazardous wastes; and other methods described by NASA. Emphasis shall be placed on providing sufficient lead-time for processing permits through the appropriate State agency and/or the Environmental Protection Agency.

4.2 Discuss responsibilities for maintaining facility baseline documentation in accordance with Center requirements. The contractor will implement any facility baseline documentation tasks (including safety engineering) as provided in the contractor's safety and health plan approved by NASA or as required by Government direction.

4.3 Preventive Maintenance. Discuss the approach to be used for preventive maintenance. Describe scope, frequency, and supporting rationale for the preventive maintenance program including facilities and/or equipment to be emphasized or de-emphasized. Discuss methods to promote awareness in the NASA community (such as alerts, safety flashes, or others) when preventive maintenance reveals design or operational concerns in facilities and equipment (and related processes where applicable).

4.4 Medical Program. Discuss the medical surveillance program used to evaluate personnel and workplace conditions, identify specific health issues, and prevent degradation of personnel health as a result of occupational exposures. Discuss the approach for using cardiopulmonary resuscitation, first aid, and emergency response.

5.0 EMERGENCY RESPONSE. Discuss the approach to be used for emergency preparedness and contingency planning that addresses fire, explosion, inclement weather, environmental releases, etc. Discuss compliance with 29 CFR Part 1910.120, Hazardous Waste Operations and Emergency Response, and the role the contractor will play in the local Incident Command System. Discuss methods to be used for notification of Center emergency forces including emergency dispatcher, safety hotline, director's safety hotline, or other. Discuss the establishment of pre-planning strategies through procedures, training, drills, or other. Discuss methods to verify emergency readiness.

6.0 SAFETY AND HEALTH TRAINING. Describe the contractor's training program including the identification of responsibility for training employees in safe work practices, hazard recognition, and appropriate responses (including protective and/or emergency countermeasures). Address the management techniques used to identify and utilize any Center training resources (such as asbestos worker training/certification, hazard communication, confined space entry, lockout/tagout, or other), as appropriate, with particular emphasis on programs designed for the multiple employer work environment on NASA property. Describe the approach to be used for training personnel in the proper use and care of protective equipment. Discuss tailoring of training towards specific audiences (management, supervisors, and employees) and topics (safety orientation for new hires, specific training for certain tasks or operations). Discuss the approach to ensure that training is retained and practiced. Discuss personnel certification programs. Certifications should include documentation that training requirements have been satisfied and learning validated by one or more of the following: physical examination, testing, on-the-job performance, or other. All training materials and training records will be provided for NASA review upon request.


Appendix F. Sample System Safety Technical Plan for Systems Acquisition, Research, and Development Programs

The NASA program manager (or designee) will publish and maintain an approved System Safety Technical Plan (SSTP) that includes a risk management plan, appropriate to and for the life of the program. This plan may be incorporated in the more comprehensive safety and mission assurance plan, mission assurance plan, or other plan, provided that the required data are identifiable and complete.

1. The SSTP defines the objectives, responsibilities, and methods to be used for overall safety program conduct and risk management control. Integration of system/facility safety provisions into the SSTP is vital to the early implementation and ultimate success of the safety effort. Inclusion of these provisions in the plan will send an unmistakable message to all program participants that safety and risk management are an integral part of the management process and all tasks. The authority to conduct the safety program must originate in the respective SSTP governing each NASA program.

2. The program SSTP will be the vehicle for safety and risk management task planning. The plan should include detailed task requirements for each system safety task, as appropriate for the program. The NASA program organization and system safety relationships and responsibilities will be described along with reporting channels for this task. In particular, the plan will show how NASA will manage its independent safety oversight role. The plan will stipulate the specifics of the system safety modeling activities and describe what and how safety adverse consequences will be modeled, how system safety models (qualitative and probabilistic risk assessments) will be integrated and applied for risk-informed decision making and safety monitoring, how the technical team(s) responsible for generating and maintaining system safety models will interact with the system engineering organizations, the reporting and approval protocol, and the cost and schedule associated with accomplishing system safety modeling activities in relation to the critical or key events during all phases of the life cycle. It will also address requirements for NASA and contractor participation in design, safety, and readiness reviews. The program SSTP should be a compliance document in the request for proposal. Data requirements for the program SSTP are in the data requirements document. For a multi-Field Installation program, each Center should provide a supplement to the plan to ensure compatibility among Field Installation organizations and the ability to comply with task requirements.

3. The level of safety directly correlates with management's emphasis on the safety of the system/facility being developed. Proper identification of the system/facility safety program elements is the first step towards developing a successful program. Each functional safety program will have the following basic elements:

a. Requirement management.

b. System safety modeling activities (system safety, risk assessment, uncertainty assessment).

c. Data collection and analysis activities.

d. Decision-making process to manage and monitor risk.

e. Implementation (planning, organization, interface/coordination, and reporting).

4. Each of these elements is aligned with an overall approach to risk evaluation by:

a. Identifying system/facility safety hazards.

b. Determining the risk scenarios associated with the hazard.

c. Assessing the probabilities and consequences associated with the risk scenarios.

d. Assessing the uncertainties associated with the probabilities and consequences.

e. Determining risk control strategies to either eliminate or control the safety hazard.

f. Recommending corrective action or alternatives to the appropriate management level for a decision to either eliminate the hazard or accept the risk. Risk acceptance is the responsibility of the program manager. In all cases, notification of risk acceptance will be communicated to the next higher authority (see Chapter 2).

g. Documenting those areas in which a decision has been made to accept the risk, including the rationale for the risk acceptance.

5. During the concept development phase, appropriate safety tasks should be planned that will become the foundation for safety efforts and risk management efforts during system definition, design, manufacture, test, and operations.

a. Identify special safety studies and risk assessments that may be required during system definition or design.

b. Estimate gross personnel requirements for the safety program for the complete system life cycle.

c. Perform trade studies by using the results of hazard analyses and risk assessments that identify high hazardous areas or identify high risk sensitivities, with recommended alternatives.

d. Establish safety and risk goals and objectives that will be used to determine the type of safety and risk inputs for the overall program.

(1) The goals should be measurable and state what would be accomplished by performing the various safety tasks and risk management tasks.

(2) The goals should be structured so that safety tasks and risk management tasks can be selected to accomplish them.

(3) Task results should clearly demonstrate that the goals have been met.

e. Complete hazard analyses and risk assessments to identify potentially hazardous systems and to develop initial safety requirements and risk management criteria.

f. Continuously review hardware procedural requirements and concepts to maintain an understanding of the evolving system.

g. Use pertinent historical data from similar systems as input to the risk assessment and to refine initial evaluations.


Appendix G. Aviation Safety Panel

1. PURPOSE

1.1 This charter establishes the Aviation Safety Panel and sets forth its functions, membership, meetings, and duration.

1.2 The Aviation Safety Panel (hereafter referred to as the "Panel") is established to aid the Chief, Safety and Mission Assurance, in fulfilling oversight responsibilities for aviation safety.

2. APPLICABILITY/SCOPE

This charter applies to NASA Headquarters and all NASA Centers, including Component Facilities.

3. AUTHORITY

42 U.S.C. 247(c)(1), Section 203(c)(1) of The National Aeronautics and Space Act of 1958, as amended.

4. FUNCTIONS

4.1 The Panel will promote NASA aviation safety and advise and assist the Chief, Safety and Mission Assurance, in the oversight of operational aviation safety programs. It will deal with Agency-wide concerns affecting safety of aviation operations or those that cannot be resolved at a Center level.

4.2 The Panel will assist the Chief, Safety and Mission Assurance, in the development of guidelines and criteria to use in the evaluation of aviation safety.

5. MEMBERSHIP

5.1 The membership of the Panel includes the following:

a. Chief, Safety and Mission Assurance, Chair, Office of Safety and Mission Assurance.

b. NASA Headquarters Aviation Safety Assurance Manager, Office of Safety and Mission Assurance.

c. Aviation Safety Officer from each NASA Center (Aviation Safety Officer subpanel of the Intercenter Aircraft Operations Panel).

d. An Executive Secretary, appointed by the Chair, who will publish meeting minutes and retain all Panel records, files, and reports.

6. MEETINGS

The Panel will meet via telecon bimonthly or at the call of the Chair.

7. DURATION

The Panel will remain in existence until abolished by the Chief, Safety and Mission Assurance.

8. RECORDS

The Executive Secretary is responsible for the maintenance of this charter and all other records associated with the Panel.


Appendix H. NASA Operations and Engineering Panel for Facilities

1. PURPOSE

1.1 This charter establishes the NASA Operations and Engineering Panel (OEP).

1.2 The OEP evaluates and recommends a consistent and cost effective program ensuring the continuing operational integrity and safety of NASA launch facilities, programmatic operations, and test facilities, such as wind tunnels and pressure systems.

2. APPLICABILITY/SCOPE

This charter is applicable to NASA Headquarters and NASA Centers, including Component Facilities, and to the Jet Propulsion Laboratory (JPL) to the extent specified in its contract.

3. AUTHORITY

42 U.S.C. 2473(c)(1), Section 203(c)(1) of the National Aeronautics and Space Act of 1958, as amended.

4. FUNCTIONS

4.1 The OEP will provide an independent technical engineering and operational review of specifically selected NASA facilities and facility operations in support of the Office of Safety and Mission Assurance, the NASA Mission Directorates, and the NASA Centers, including Component Facilities. The OEP will produce written evaluations and recommendations to improve NASA engineering and operations.

4.2 The NASA OEP reviews and assesses the effect of changes in the NASA facilities engineering and operations infrastructure on the safety and mission success of NASA programs. In performance of its duties, the OEP shall do the following:

a. Support the mission and goals of the NASA Mission Directorates and functional performance improvement initiatives of the Director, Facilities and Real Property Division, Office of Infrastructure and Administration, through technical engineering and safety, reliability, maintainability, and quality reviews of NASA facilities and operations.

b. Evaluate and recommend a consistent and reasonable program for ensuring the operational safety, reliability, and integrity of NASA facilities within the current environment of declining personnel and budget resources.

c. Identify, analyze, communicate, and initiate the resolution of issues that impact facilities and operations belonging to NASA.

d. Support incorporation of safety, reliability, maintainability, and quality assurance disciplines in NASA facilities projects, from inception through completion.

e. Evaluate operations and engineering technical support systems problems and issues, develop innovative solutions and/or methods for arriving at solutions, and provide recommendations to management in these areas.

f. Review for effectiveness the facility configuration management activities (especially those related to safety).

g. Assist the Director, Facilities and Real Property Division, in encouraging the adoption and use of Reliability Centered Maintenance methodologies to help streamline facilities maintenance programs while maintaining an acceptable level of safety.

h. Support the Chief, Safety and Mission Assurance, and the Director, Facilities and Real Property Division, on any special assignments related to facilities, operations, and engineering activities.

i. Exchange technical expertise and operational experience among key operating officials throughout the Agency so that lessons learned and innovative technologies, processes, and techniques are transferred and applied to promote mission success and to achieve cost effectiveness.

j. Support incorporation of cost-effective pollution prevention and sustainable development principles in facilities projects and assure that operations comply with environmental requirements.

4.3 The OEP will provide a written evaluation, along with any recommendations for engineering or operational improvements, to the Associate Administrator, who has Agency-wide institutional responsibilities, and to the Center Director responsible for the reviewed facility.

4.4 The OEP Executive Secretary within Office of Safety and Mission Assurance will retain all OEP records, files, reports, and meeting minutes.

4.5 The OEP Chairperson will provide a report on OEP activities to the Chief, Safety and Mission Assurance, at the end of each fiscal year.

4.6 NASA OEP members will communicate and coordinate OEP recommendations with their respective NASA Centers and the Manager of the NASA Management Office-Jet Propulsion Laboratory and monitor OEP activities relating to their facilities.

5. MEMBERSHIP

5.1 The OEP will be composed exclusively of full-time NASA employees; however, non-NASA employees may be invited to participate as advisers or observers. The OEP will consist of a Chairperson, an Executive Secretary, and members.

5.2 The members of the OEP will be appointed as follows:

a. The Chief, Safety and Mission Assurance, will serve as an ex officio member of the OEP and will appoint the Chairperson, Executive Secretary, and one representative from the Office of Safety and Mission Assurance, Review and Assessment Division.

b. The Assistant Administrator for Infrastructure and Administration will appoint one representative for Facilities Engineering and one representative for Environmental Management.

c. The Mission Directorates will each appoint one representative.

d. The Center Directors will each appoint one representative.

e. Manager of the NASA Management Office-Jet Propulsion Laboratory will appoint one representative.

f. Manager of the Wallops Flight Facility will appoint one representative.

g. Manager of the White Sands Test Facility will appoint one representative.

5.3 The OEP may establish such subpanels and subgroups as the Chairperson considers necessary.

5.4 The NASA General Counsel and Chief Engineer, or their designees, will act as permanent advisors to the OEP. The Chairperson may appoint additional advisors and invite observers on a permanent or temporary basis.

6. MEETINGS

The OEP will meet at the call of the Chairperson in support of the Associate Administrator. The OEP may also meet at the request of the Center Director of the facility to be reviewed or at the request of the Director, Facilities and Real Property Division.

7. DURATION

The Panel will remain in existence until abolished by the Chief, Safety and Mission Assurance.

8. RECORDS

The Office of Safety and Mission Assurance is responsible for the maintenance of this charter and all other records associated with the OEP.



DISTRIBUTION:
NODIS

