NASA Procedures and Guidelines

This Document is Obsolete and Is No Longer Used.
Check the NODIS Library to access the current version:
http://nodis3.gsfc.nasa.gov


NPR 8715.3C
Effective Date: March 12, 2008
Cancellation Date: August 11, 2017
Responsible Office: GA

NASA General Safety Program Requirements (w/Change 9 dated 2/08/13)


NASA Requirement Waiver for NPR 8715.3 General Safety Program Requirements, Paragraph 3.11, NRW 8715-1

Table of Contents

Change Log

Preface

P.1 Purpose
P.2 Applicability
P.3 Authority
P.4 Applicable Document and Forms
P.5 Measurement/Verification
P.6 Cancellation

Chapter 1. Institutional and Programmatic Safety Requirements

1.1 Overview of the NASA Safety Program
1.2 NASA General Safety Program Roles and Responsibilities
1.3 Public Safety
1.4 Institutional Roles and Responsibilities in the NASA Safety Program
1.5 Program Management Roles and Responsibilities in the NASA Safety Program
1.6 Risk Assessment and Risk Acceptance
1.7 Technical Safety Requirements for NASA-Unique Designs and Operations
1.8 SMA Program Reviews
1.9 Advisory Panels, Committees, and Boards
1.10 Coordination with Organizations External to NASA
1.11 Safety Motivation and Awards Program
1.12 Safety Management Information
1.13 Request for relief to Agency-level SMA Requirements
1.14 Hazardous Work Activities That Are Outside NASA Operational Control

Chapter 2. System Safety

2.1 Introduction
2.2 Institutional Roles and Responsibilities
2.3 System Safety Framework
2.4 Scope of the System Safety Modeling
2.5 Core Requirements for System Safety Process
2.6 System Safety Reviews
2.7 Change Review
2.8 Documentation

Chapter 3. Operational Safety

3.1 Purpose and Objectives
3.2 Motor Vehicle Safety
3.3 Personal Protective Equipment
3.4 Control of Hazardous Energy (Lockout/Tagout Program)
3.5 Pressure System Safety
3.6 Electrical Safety
3.7 Hazardous Material Transportation, Storage, and Use
3.8 Hazardous Operations
3.9 Laboratory Hazards
3.10 Lifting Safety
3.11 Explosive, Propellant, and Pyrotechnic Safety
3.12 Underwater Operations Safety
3.13 Launch, Entry, and Experimental Aeronautical Vehicle Operations Safety
3.14 Test Operations Safety
3.15 Non-Ionizing Radiation
3.16 Ionizing Radiation
3.17 Confined Spaces
3.18 Fall Protection on Elevated Structures

Chapter 4. Aviation Safety

4.1 Purpose and Scope
4.2 Aviation Safety Program Responsibilities
4.3 Interfaces with Other Agencies

Chapter 5. Fire Protection and Life Safety

5.1 Purpose, Goals, and Objectives
5.2 Responsibilities
5.3 Fire Safety Program
5.4 Fire Protection Systems
5.5 Firefighting
5.6 Emergency (Pre-Fire) Planning and Procedures
5.7 Fire Safety Training
5.8 Reporting
5.9 Current Regulations, Codes, and Standards and Variances

Chapter 6. Nuclear Safety for Launching of Radioactive Materials

6.1 Purpose
6.2 Responsibilities
6.3 Nuclear Launch Safety Approval Process
6.4 Report Requirements

Chapter 7. Safety Training and Personnel Certification

7.1 Purpose
7.2 Responsibilities
7.3 Planning and Implementation of the Safety Training Program
7.4 Personnel Safety Certification Programs for Potentially Hazardous Operations and Materials
7.5 Mission Critical Personnel Reliability Program (PRP)
7.6 Hazardous Materials and Chemicals Risk Information
7.7 Exclusions

Chapter 8. Facility Safety Management

8.1 Purpose
8.2 Roles and Responsibilities
8.3 Facility Acquisition, Construction, and Activation Objectives
8.4 Basic Requirements for Facility Acquisition, Construction, and Activation
8.5 Facility Managers
8.6 Facility Safety Management Plan

Chapter 9. Safety and Risk Management for NASA Contracts

9.1 Purpose
9.2 Applicability and Scope
9.3 Authority and Responsibility
9.4 Requirements
9.5 Access to NASA Facilities by State and Federal Compliance Safety and Health Officers
9.6 Contractor Citations
9.7 Grants

Chapter 10. Reserved

Chapter 11. Reserved

APPENDIX A. Glossary of Safety and Risk Management Terms
APPENDIX B. Acronym and Abbreviation List
APPENDIX C. Safety Motivation and Awards Program
APPENDIX D. Activity and Radioactive Material Limits: Basic A1/A2 Values
APPENDIX E. Sample Safety and Health Plan for Service or Operations Contracts
APPENDIX F. Sample System Safety Technical Plan for Systems Acquisition, Research, and Development Programs
APPENDIX G. Reserved
APPENDIX H. Reserved
APPENDIX I. Supplemental Meteoroid Information
APPENDIX J. References


Ch# Office Date Description
1 Chief, Safety and Mission Assurance 05/30/2008 Paragraphs 3.13.4.5 through 3.13.4.5.6 of NPR 8715.3C, NASA General Safety Program Requirements were cancelled by NPR 8715.7.
2 Chief, Safety and Mission Assurance 11/21/2008

Modified paragraph 1.4.3k replaces and cancels NASA Interim Directive (NID) NM 8715-58/NPR 8715.1, Policy for Mission Focused "Safety Day" Activities.

Added paragraph 1.11.2 formally documents an existing Space Operations Mission Directorate requirement.

Added paragraph 1.14 adds policy and requirements for review and approval of high-risk work activities that are outside NASA operational control.

Note: This change captures version D of this directive that was previously coordinated.

3 Chief, Safety and Mission Assurance 4/17/2009

Applicable Documents - add additional documents

Paragraph 3.18, add title to table of contents

Section 1.2, Table 1, add new responsibilities listed in paragraph 3.1.8.2 and add a row that reads Center Fall Protection and Administrator

Add new paragraph to 3.18 - Fall Protection on Elevated Structures

Note: This change captures version E of this directive that was previously coordinated.

4 Chief, Safety and Mission Assurance 7/20/2009

This change removes the "Performance Evaluation Profile (PEP)" and replaces it with the more generic requirements from the "Occupational Safety and Health Administration (OSHA) Voluntary Protection Program (VPP)" which are already required in NPR 8715.3C, paragraph 1.4. This change also provides examples of what types of information contractors should include in their safety and risk management documentation.

5 Chief, Safety and Mission Assurance 8/11/2009

NASA Interim Directive (NM 8715-79) established for Chapter 1, paragraph 1.13, Safety Variances.

6 Chief, Safety and Mission Assurance 2/3/2011

Corrects references in paragraph P.4 for NASA-STD 8719.12 and NASA-STD 8719.14.

Adds paragraph P.5, Measurement/Verification.

Updates paragraphs 1.7.2.c, 1.13, 3.8.2.e, 3.11.4.L, and 9.3.2.f. to reflect processes established in NASA-STD-8719.20.

Rescinds NM 8715-79.

Updates paragraphs 6.3.5.2.c, 6.3.6.2.d, and 6.4.2.2 to change the periodicity of the report to the OSTP.

Adds paragraph 3.11.5 to add requirements for preventing inadvertent initiation of explosive-like devices due to electromagnetic radiation.

Updates references for NSS 1740.12 and NSS 1740.14 to the current documents NASA-STD 8719.12 and NASA-STD 8719.14.

Removes references to the Aviation Safety Panel.

Note: This change captures version F of this directive that was previously coordinated.

7 Chief, Safety and Mission Assurance 2/25/2011 Removes references to the Operating and Engineering Panel
8 Chief, Safety and Mission Assurance 6/20/2012

The National Aeronautics and Space Act of 1958 (42 U.S.C. § 2458c), as amended in Section 309, authorized a developer of a reusable launch vehicle to request indemnification from NASA during testing/operations. Section 309(b)(2)(D) required a NASA safety review prior to the NASA Administrator granting any indemnification.

In 2010, Public Law 111-314, Section 3, relocated Section 309 to 51 U.S.C. § 20139 and amended (f)(1) which set a termination date of December 31, 2010 on the authority for NASA to grant new indemnification under this provision. As a result, Chapter 10 of this document has been withdrawn. Should a developer of a space flight system for NASA be granted the authority to request indemnification or insurance from NASA under federal law or federal regulation requiring the NASA Administrator's approval, then the program/project manager must contact the NASA Headquarters Office of Safety and Mission Assurance for the process needed to perform a safety review of such a request.

9 Chief, Safety and Mission Assurance 2/8/2013

After discussions with various Centers, and JSC in particular, OSMA has decided to cancel NASA-STD 8719.10, Standard for Underwater Facility and non-Open Water Operations, as a mandatory standard. JSC is the only Center using this standard, and JSC will be responsible for maintaining a safety standard for its underwater activities. This is consistent with Agency policy. Cancelling NASA-STD 8719.10 necessitates administrative changes to NPR 8715.3C, NASA General Safety Program Requirements, paragraph 3.12, Underwater Operations Safety. In addition to eliminating the reference to NASA-STD 8719.10 in NPR 8715.3, references to regulatory, other Agency, and consensus standards are added to the NPR, and the requirements for a diving safety manual and diving control board that were contained in NASA-STD 8719.10 are moved from NASA-STD 8719.10 to NPR 8715.3.

10 Chief, Safety and Mission Assurance 8/1/2017 Update with 1400 Compliance, which includes the applicability section, applicable documents and forms, deleted requirement tags, updated section numbers throughout document, added a section to 3.5, deleted definitions and acronyms not cited within the text, added a reference section, and removed requirements from Chapter 11 which are now published in NPR 8715.6.

Preface

P.1 Purpose

a. This NASA Procedural Requirements (NPR) provides the basis for the NASA Safety Program and serves as a general framework to structure more specific and detailed requirements for NASA Headquarters, Programs, and Centers. This document does not stand alone and is to be used in conjunction with the references listed in paragraph P.4.

b. This NPR is directed toward safety requirements and to augment requirements for occupational health and environmental health of personnel and activities. Some health and environmental safety references are included to assist Center safety personnel in interactions with occupational health and environmental personnel. Occupational safety and health requirements that implement 29 CFR Part 1960 are specified in NPR 8715.1. Environmental requirements are specified in NPD 8500.1.

c. This NPR does not provide requirements for emergency planning. Emergency planning requirements are specified in NPD 8710.1, Emergency Preparedness Program.

d. To address special processes and/or discipline-unique processes, the Office of Safety and Mission Assurance publishes standards that provide specific instructions that are beyond the scope and detail of this document. A listing of applicable Federal requirements, NPRs, and standards can be found in paragraphs P.3 and P.4 of this NPR.

P.2 Applicability

a. This NPR is applicable to NASA Headquarters and NASA Centers including Component Facilities, and Technical and Service Support Centers. This NPR applies to the Jet Propulsion Laboratory (JPL), a Federally Funded Research and Development Center (FFRDC), or to other contractors or grant recipients of grants, cooperative agreements, or other agreements only to the extent specified or referenced in applicable contracts, grants, or agreements.

b. The procedural requirements in this document apply: (1) to all NASA organizations, elements, entities, or individuals; (2) to visitors on NASA property; (3) to all NASA equipment, property, systems, and facilities; (4) during all phases of the life cycle of systems or facilities; and (5) as specified in contract requirements.

c. The provisions of this document apply to non-NASA, non-contractor personnel when on NASA property.

d. The requirements in this NPR do not supersede more stringent requirements imposed by other Federal, State, or local government agencies.

e. In this directive, all mandatory actions (i.e., requirements) are denoted by statements containing the term "shall." The terms "may" or "can" denote discretionary privilege or permission, "should" denotes a good practice and is recommended, but not required, "will" denotes expected outcome, and "are/is" denotes descriptive material.

f. This directive is applicable to NASA directives developed or revised after the effective date of this NPR.

Note: The word "shall" indicates that the rule is mandatory. Noncompliance with a "shall" statement requires approval of a request for relief per paragraph 1.13. Any text that does not contain a "shall" statement is for information and contextual purposes only.

g. In this NPR, the word "project" refers to a unit of work performed in programs, projects, and activities. Management of a work unit is referred to as "project management," which includes managing programs, projects, and activities.

h. In this NPR, a system is: (a) the combination of elements that function together to produce the capability to meet a need and (b) the end product (performs operational functions) and enabling products (provide life-cycle support services to the operational end products) that make up a system. The elements include all hardware, software, equipment, facilities, personnel, processes, and procedures needed for this purpose.

i. The Center Director for NASA Headquarters is the Assistant Administrator for Infrastructure and Administration. In this NPR, requirements for Center Directors applicable to NASA Headquarters also pertain to the Assistant Administrator for Infrastructure and Administration.

P.3 Authority

a. Government Organization and Employees, 5 U.S.C. para. 7902, Safety Programs.

b. Protective Clothing and Equipment, 5 U.S.C. § 7903.

c. Paragraph 651 et seq, 29 U.S.C., Labor.

d. Compliance with Nationally Recognized Codes, 40 U.S.C. § 3312.

e. National Aeronautics and Space Act of 1958, as amended, 51 U.S.C. § 2473(c)(1), Section 203(c)(1).

f. Transportation § 1421, the Occupational Safety and Health Act of 1970, as amended, 49 U.S.C.

h. 49 U.S.C. § 5102, Transportation of Hazardous Materials; Definitions.

i. 5 CFR Part 532, Prevailing Rate Systems.

j. 5 CFR Part 550, Pay Administration (General).

k. 14 CFR Chapter III, Commercial Space Transportation, Federal Aviation Administration, Department of Transportation.

l. 14 CFR Part 1214, Subpart 1214.5, Space Flight: Mission Critical Space Systems Personnel Reliability Program.

m. 14 CFR Part 1216, Subpart 1216.3, Procedures for Implementing the National Environmental Policy Act (NEPA).

n. 21 CFR Part 1040, Performance Standards for Light Emitting Products.

o. 21 CFR Part 1040.10, Laser Products.

p. 21 CFR Part 1040.11, Specific Purpose Laser Products.

q. 29 CFR Part 1904.32, Annual Summary.

r. 29 CFR Part 1910, Occupational Safety and Health Standards.

s. 29 CFR 1926, Safety And Health Regulations For Construction.

t. 29 CFR Part 1960, Basic Program Elements for Federal Employees, Occupational Safety and Health Programs and Related Matters.

u. 45 CFR Part 46, Protection of Human Subjects.

v. 48 CFR Part 1807, NASA FAR Supplement; Acquisition Planning.

w. 48 CFR Part 1823, NASA FAR Supplement; Environment, Energy and Water Efficiency, Renewable Energy Technologies, Occupational Safety, and Drug-Free Workplace.

x. 48 CFR Part 1842, NASA FAR Supplement; Contract Administration and Audit Services.

y. 48 CFR Part 1846, NASA FAR Supplement; Quality Assurance.

z. 49 CFR Part 171.8, Hazardous Material Regulations; Definitions and abbreviations.

aa. 49 CFR Part 172.101, Purpose and Use of Hazardous Materials Table.

ab. 49 CFR Part 177, Carriage by Public Highway.

ac. 49 CFR Part 571, Federal Motor Vehicle Safety Standards.

ad. EO 12114, Environmental Effects Abroad Of Major Federal Actions.

ae. EO 12196, Occupational Safety and Health Programs for Federal Employees, dated February 26, 1980, as amended.

af. EO 13043, Increasing Seat Belt Use in the United States, dated April 16, 1997, as amended.

ag. Presidential Directive/National Security Council Memorandum Number 25 (PD/NSC-25), Scientific or Technological Experiments with Possible Large-Scale Adverse Environmental Effects and Aerospace Use of Major Radioactive Sources.

P.4 Applicable Documents

a. NPD 1000.0, Strategic Management and Governance Handbook.

b. NPD 1000.3, The NASA Organization.

c. NPD 1001.0, 2006 NASA Strategic Plan.

d. NPD 1800.2, NASA Occupational Health Program.

e. NPD 2820.1, NASA Software Policy.

f. NPD 6000.1, Transportation Management.

g. NPD 7100.8, Protection of Human Research Subjects.

h. NPD 7120.4, Program/Project Management.

i. NPD 8500.1, NASA Environmental Management.

j. NPD 8700.1, NASA Policy for Safety and Mission Success.

k. NPD 8700.3, Safety and Mission Assurance (SMA) Policy for Spacecraft, Instruments, and Launch Services.

l. NPD 8710.1, Emergency Preparedness Program.

m. NPD 8710.5, NASA Safety Policy for Pressure Vessels and Pressurized Systems.

n. NPR 8715.7, Expendable Launch Vehicle Payload Safety Program.

o. NPD 8720.1, NASA Reliability and Maintainability (R&M) Program Policy.

p. NPD 8730.5, NASA Quality Assurance Program Policy.

q. NPD 8820.2, Design and Construction of Facilities.

r. NPR 1441.1, NASA Records Retention Schedules.

s. NPR 1800.1, NASA Occupational Health Program Procedures.

t. NPR 2810.1A, Security of Information Technology.

u. NPR 3451.1, NASA Awards and Recognition Program.

v. NPR 4100.1, NASA Materials Inventory Management Manual.

w. NPR 4200.1, NASA Equipment Management Manual.

x. NPR 5100.4, Federal Acquisition Regulation Supplement (NASA/FAR Supplement).

y. NPR 5800.1, Grant and Cooperative Agreement Handbook.

z. NPR 7120.5, NASA Program and Project Management Processes and Requirements.

aa. NPR 7120.6, Lessons Learned Process.

ab. NPR 7123.1, Systems Engineering Procedural Requirements.

ac. NPR 7150.2, NASA Software Engineering Requirements.

ad. NPR 7900.3, Aircraft Operations Management.

ae. NPR 8000.4, Risk Management Procedural Requirements.

af. NPR 8580.1, Implementing the National Environmental Policy Act and Executive Order 12114.

ag. NPR 8621.1, NASA Procedural Requirements for Mishap and Close Call Reporting, Investigating, and Recordkeeping.

ah. NPR 8705.2, Human-Rating Requirements for Space Systems.

ai. NPR 8705.4, Risk Classification for NASA Payloads.

aj. NPR 8705.5, Probabilistic Risk Assessment (PRA) Procedures for NASA Programs and Projects.

ak. NPR 8705.6, Safety and Mission Assurance Audits, Reviews, and Assessments.

al. NPR 8715.1, NASA Occupational Safety and Health Programs.

am. NPR 8715.2, NASA Emergency Preparedness Plan Procedural Requirements.

an. NPR 8715.5, Range Safety Program.

ao. NPR 8715.6, NASA Procedural Requirements for Limiting Orbital Debris.

ap. NPR 8820.2, Facility Project Implementation Guide.

aq. NASA-STD-8709.2, NASA Safety and Mission Assurance Roles and Responsibilities for Expendable Launch Vehicle Services.

ar. NASA-STD 8709.20, Management of Safety and Mission Assurance Technical Authority (SMA TA) Requirements.

as. NASA-STD-8719.7, Facilities System Safety Guidebook.

at. NASA-STD-8719.8, Expendable Launch Vehicle Payload Safety Review Process Standard.

au. NASA-STD-8719.9, Standard for Lifting Devices and Equipment.

av. NASA-STD 8719.11, Safety Standard for Fire Protection.

aw. NASA-STD 8719.12, Safety Standard for Explosives, Propellants, and Pyrotechnics.

ax. NASA-STD-8719.13, Software Safety Standard.

ay. NASA-STD 8719.14, Process for Limiting Orbital Debris.

az. NASA-STD-8739.8, Software Assurance Standard.

ba. NSS/WS 1740.10, NASA Safety Standard for Underwater Facility and Non-Open Water Operations.

bb. MIL-STD-882, Standard Practice for Safety Systems.

bc. National Incident Management System, Department of Homeland Security, March 1, 2004.

bd. SSP 50021, Safety Requirements Document.

be. Safety and Mission Assurance Requirements Tree: http://www.hq.nasa.gov/office/codeq/doctree/qdoc.htm.

bf. Lessons Learned Information System (LLIS): http://nen.nasa.gov/portal/site/llis.

bg. NASA MSDS Inventory: http://msds.ksc.nasa.gov.

bh. NASA-Handbook 8719.14, Handbook for Limiting Orbital Debris.

bi. NASA Safety Reporting System (NSRS): http://www.hq.nasa.gov/office/codeq/nsrs/index.htm.

bj. Wallops Flight Facility Range Safety Manual: see http://www.wff.nasa.gov/~code803/pages/RSM20022.pdf.

bk. AFSPCMAN 91710, Licensing and Safety Requirements for Launch: see http://thefederalregister.com/d.p/2005-03-01-05-3916.

bl. Air Force AFOSH Standard 48-12, Health Hazard Control for Laser Operations.

bm. EM 385-1-1, U.S. Army Corps of Engineers, Safety and Health Requirements: see http://www.usace.army.mil/usace-docs/eng-manuals/em385-1-1/toc.htm.

bn. Federal Standard 313, Material Safety Data, Transportation Data and Disposal Data for Hazardous Materials Furnished to Government Activities, as revised: see http://assist.daps.dla.mil/quicksearch/basic_profile.cfm?ident_number=53769.

bo. International Atomic Energy Agency (IAEA), Safety Series Number 6, Regulations for the Safe Transport of Radioactive Material, 1985 Edition as amended in 1990, Section III, paragraphs 301 through 306.

bp. MIL-STD 454, Standard General Requirements for Electronic Equipment.

bq. Range Commanders Council (RCC) Document 316-91, Laser Range Safety: see http://www.fas.org/nuke/control/ccw/316-98/index.html.

br. NFPA 1, Uniform Fire Code.

bs. NFPA 45, Standard on Fire Protection for Laboratories Using Chemicals.

bt. NFPA 70, National Electrical Code.

bu. NFPA 70E: Standard for Electrical Safety in the Workplace.

bv. NFPA 101, Life Safety Code.

bw. NFPA 921, Guide for Fire and Explosion Investigations.

bx. NFPA 1561, Standard on Emergency Services Incident Management System.

by. NFPA Life Safety Code Handbook.

bz. ANSI 358.1, Emergency Eyewash and Shower Equipment, latest edition.

ca. ANSI D6.1, Manual on Uniform Traffic Control Devices for Streets and Highways.

cb. ANSI Z117.1, Safety Requirements for Confined Space.

cc. ANSI Z136.1, American National Standard for Safe Use of Laser.

cd. ANSI Z136.2, Safe Use of Optical Fiber Communication Systems Utilizing Laser Diode and LED Sources.

ce. ANSI Z136.4, Recommended Practice for Laser Safety Measurements for Hazard Evaluation.

cf. ANSI Z136.6, Safe Use of Lasers Outdoors.

cg. ANSI/ASSE Z359.0-2007, Definitions and Nomenclature Used for Fall Protection and Fall Arrest.

ch. ANSI/ASSE Z359.1-2007, Safety Requirements for Personal Fall Arrest Systems, Subsystems and Components.

ci. ANSI/ASSE Z359.2-2007, Minimum Requirements for a Comprehensive Managed Fall Protection Program.

cj. ANSI/ASSE Z359.3-2007, Safety Requirements for Positioning and Travel Restraint Systems.

ck. ANSI/ASSE Z359.4-2007, Safety Requirements for Assisted-Rescue and Self-Rescue Systems, Subsystems and Components.

cl. Guide for Safety in the Chemical Laboratory, Manufacturing Chemists' Association, Inc.

cm. NIOSH Publication No. 87-113, A Guide to Safety in Confined Spaces: see http://www.cdc.gov/niosh/pdfs/87-113.pdf.

cn. Scientific or Technological Experiments with Possible Large-Scale Adverse Environmental Effects and Launch of Nuclear Systems into Space, dated December 14, 1977, as revised on May 8, 1996.

co. S. Kaplan and B.J. Garrick, "On the Quantitative Definition of Risk," Risk Analysis, 1, 11-27, 1981.

cp. National Research Council's report "Understanding Risk: Informing Decisions in a Democratic Society," National Academy Press, Washington, DC, 1996.

cq. Eastern and Western Range (EWR) 127-1, Range Safety Requirements.

cr. NASA SP 8013, NASA Micrometeoroid Environment Model [Near Earth to Lunar Surface].

cs. NASA SP 8038, Micrometeoroid Environment Model [Interplanetary and Planetary].

ct. SSP 30425, Space Station Program Natural Environment Definition for Design.

cu. NASA TM 4527, Natural Orbital Environment Guidelines for Use in Aerospace Vehicle Development.

cv. "Meteoroid Engineering Model (MEM): A Meteoroid Model for the Inner Solar System," H. McNamara, R. Suggs, B. Kauffman, J. Jones, W. Cooke, and S. Smith: 2004, Earth Moon and Planets, 95, 123-139.

P.5 Measurement/Verification

Compliance with the requirements contained in this NPR will be verified through processes contained in NPR 8705.6, Safety and Mission Assurance Audits, Reviews, and Assessments.

P.6 Cancellation

NPR 8715.3, dated January 24, 2000. Change 6 as of February 3, 2011 rescinds NM 8719-79 dated August 11, 2009.

/S/
Bryan O'Connor
Chief, Safety and Mission Assurance


Chapter 1. Institutional and Programmatic Safety Requirements

1.1 Overview of the NASA Safety Program

1.1.1 This document provides the procedural requirements that define the NASA Safety Program. Safety program responsibility starts at the top with senior management's role of developing policies and providing strategies and resources necessary to implement and manage a comprehensive safety program. The NASA Safety Program is executed by the responsible Mission Directorate Associate Administrators, Center Directors, Office of Safety and Mission Assurance (OSMA), component facility managers, safety managers, project managers, systems engineers, supervisors, line organizations, employees, and NASA contractors.

Note: The basic principles for governing, managing, implementing, monitoring, and controlling work at NASA are addressed in NPD 1000.0, which provides direction for Mission Directorates and Centers to execute programs and projects.

The Center Director for NASA Headquarters is the Assistant Administrator for Infrastructure and Administration.

1.1.2 As stated in NPD 8700.1, the objectives of the NASA Safety Program are to protect the public from harm, ensure the safety of employees, and affect positively the overall success rate of missions and operations through preventing damage to high-value equipment and property.

1.1.3 In general, the success or failure of an organization's safety efforts can be predicted by a combination of leading indicators (e.g., the number of open vs. closed inspection findings, awareness campaigns, training metrics, progress towards safety goals/objectives, the amount of hazard and safety analyses completed, and close calls) and its achievement measured by lagging indicators (e.g., the number of incidents involving injury or death to personnel, lost productivity [lost or restricted workdays], environmental damage, or loss of, or damage to, property). Like many successful corporations, NASA has learned that aggressively preventing mishaps is good management and a sound business practice.

1.1.4 NASA undertakes many activities involving high risk. Management of this risk is one of NASA's most challenging activities and is an integral part of NASA's safety efforts.

1.1.5 The policy for the NASA Safety Program is provided in NPD 8710.2, specific health program requirements are provided in NPD 1800.2, and environmental requirements are provided in NPD 8500.1.

1.1.6 Policies, requirements, and procedures for mishap investigations are provided in NPR 8621.1.

1.1.7 NASA identifies issues of concern through a strong network of oversight councils and internal auditors including the Aerospace Safety Advisory Panel (ASAP).

1.1.8 NASA's goal is to maintain a world-class safety program based on management and employee commitment and involvement; system and worksite safety and risk assessment; hazard and risk prevention, mitigation, and control; and safety and health training.

Note: NASA's goals are provided in NPD 1001.0.

1.2 NASA General Safety Program Roles and Responsibilities

1.2.1 Reserved

1.2.2 Per NPD 1000.3, Mission Directorate Associate Administrators, through their project managers, and Center Directors, through their line managers, are responsible for the safety of their assigned personnel, facilities, and mission systems. Toward that end, they shall establish a safety program that adheres to the following principles:

a. Ensure that their safety planning and direction; the development of safety requirements, safety policies, safety methodology, and safety procedures; and the implementation and evaluation of their safety programs achieve the safety requirements in this NPR.

b. Ensure the conduct of assessments of quantitative and/or qualitative safety risks to people, property, or equipment, and include recommendations to either reduce the risks or accept them.

c. Ensure that safety assessments of all system changes are conducted, prior to changes to these systems being implemented, so as to preclude an unknown increase in risk to personnel or equipment.

d. Ensure that employees are informed of any risk acceptance when the employees are the ones at risk.

e. Ensure that safety surveillance and periodic inspections are conducted to assure compliance with NASA safety policies and to assess the effectiveness of NASA safety activities as required by Federal, State, and local regulations, NASA policy, and national consensus standards.

f. Ensure that technical reviews of the safety of development efforts and operations are conducted in accordance with sound system safety engineering principles.

g. Ensure that trained individual(s) determine the corrective actions needed for mitigating or controlling safety risk for all activities.

h. Ensure that NASA employees and safety professionals are trained for their roles and responsibilities associated with specific safety functions.

i. Ensure that software safety is included in their safety programs.

Note: Software safety policy and requirements are provided in NPD 2820.1; NPR 7150.2; NASA-STD-8719.13; and NASA-STD-8739.8.

j. Ensure that an ad hoc interagency review and approval process is implemented for the use of radioactive materials in spacecraft to avoid unacceptable radiation exposure for normal or abnormal conditions, including launch aborts with uncontrolled return to Earth (See Chapter 5).

k. Ensure that research and development for new or unique safety functions and technologies are conducted to help meet NASA goals.

l. Ensure the integrity of information and information systems, where compromise may impact safety, by adherence to NASA information technology security procedures as required by NPR 2810.1.

1.3 Public Safety

1.3.1 Center Directors, project managers, supervisors, and NASA employees shall:

a. Eliminate risk or the adverse effect of NASA operations on the public, or provide public protection by exclusion or other protective measures where the risk or the adverse effect of NASA operations on the public cannot be eliminated.

Note: The responsibility for public safety includes major events such as air shows, open houses, or other events that may be attended by large crowds.

b. Disallow non-NASA (either by contractors or visitors) research and development operations (under grants or cooperative agreements) that interfere with or damage NASA facilities or operations or threaten the health and safety of NASA personnel.

1.3.2 Center SMA Directors shall:

a. Require non-NASA research and development personnel and operations exposed to hazardous operations on NASA property to follow all Federal, NASA, and Center safety precautions and to procure needed protective clothing and equipment at their own expense.

b. Assure non-NASA research and development personnel operating or using potentially hazardous NASA equipment have received required training and are certified as qualified operators in accordance with Chapter 7 of this NPR.

1.3.3 Center Directors are delegated the authority to approve variances to public safety requirements for onsite non-NASA personnel (e.g., press, visitors) if appropriate safety requirements are in place and the risk is no greater than the risk to uninvolved employees.

Note: Diligence should be practiced when waiving public safety requirements since there are situations where NASA employees are exposed to unusual risk which they inherently understand by virtue of their unique job function and experience and they behave accordingly and cautiously based on their knowledge. Members of the public or non-NASA employees may not understand the nuance of particular situations and not know when or how to behave accordingly.

1.4 Institutional Roles and Responsibilities in the NASA Safety Program

1.4.1 The Chief Health and Medical Officer shall:

a. Terminate any NASA operation considered an immediate health hazard.

b. When termination occurs, immediately notify affected Center offices.

1.4.2 The Director, Safety and Assurance Requirements Division, OSMA, shall:

a. Establish and develop the overall NASA safety program policy and priorities.

b. Serve as the senior safety official for the Agency and exercise functional management authority over all NASA safety and risk management activities.

Note: This includes the preparation and distribution of NASA safety program information.

c. Terminate any operation that presents an immediate and unacceptable risk to personnel, property, or mission operations.

d. When termination occurs, immediately notify affected Center and Mission Directorate officials.

1.4.3 Center Directors shall:

a. Be responsible for safety at NASA facilities.

b. Place their safety organization at a level that ensures the safety review function can be conducted independently.

c. Designate a senior manager as the Center safety and health officer and the safety program implementation authority.

Note: Senior manager is interpreted to mean that the safety and health officer can interface directly with the Center Director when problems arise.

d. Ensure that:

(1) Adequate resources (personnel and budget) are provided to support mishap prevention efforts.

(2) Resource control is independent from any influence that would affect the independence of the advice, counsel, and services provided.

e. Ensure that policies, plans, procedures, and standards that define the characteristics of their safety program are established, documented, maintained, communicated, and implemented.

Note: The Annual Operating Agreements enacted and signed at each Center reflect the agreed support activity level of the Center safety organization to the program/projects and institutional operations at the Centers. (See NPD 8700.1.)

f. Ensure that the development, implementation, and maintenance of an effective safety and health program is in compliance with NASA, Federal, State, and local requirements.

g. Ensure the establishment of an effective system safety program based on a continuous risk assessment process to include the development of safety requirements early in the planning phase, the implementation of those requirements during the acquisition, development, and operational phases, and the use of a scenario-based risk assessment and tracking system to maintain the status of risks during the process. (See Chapter 2.)

h. Ensure that all NASA operations and operations performed on NASA property are performed in accordance with existing safety standards, consensus national standards (e.g., ANSI, NFPA), or special supplemental or alternative standards when there are no known applicable standards.

i. Ensure that for hazardous NASA operations, procedures are developed for the following circumstances: 1) to provide an organized and systematic approach to identify and control risks, 2) when equipment operations, planned or unplanned, are hazardous or constitute a potential launch, test, vehicle, or payload processing constraint, or 3) when an operation is detailed or complicated and there is reasonable doubt that it can be performed correctly without written procedures. (See Chapter 3 of this NPR for requirements for hazardous operating procedures.)

j. Ensure that an aviation safety program that meets the specific operational needs of their Center is established and maintained to comply with national standards and NASA directives and requirements. (See Chapter 4.)

k. Ensure that safety lessons learned are disseminated and included in Center communication media to improve the understanding of hazards and risks and the prevention of mishaps and to suggest better ways of implementing system safety programs.

Note: Requirements for lessons learned are provided in NPR 7120.6, Lessons Learned Process. The Lessons Learned Information System (LLIS) provides a library of lessons-learned data for use by program managers, design engineers, operations personnel, and safety personnel. Procedures for disseminating lessons learned can be found at the following Internet address: http://nen.nasa.gov/portal/site/llis.

(1) Center Directors shall determine if and when a safety stand-down or safety awareness activity is needed.

Note: Among the tools Center managers have used to elevate employee awareness and understanding of safety principles, practices, and lessons learned have been safety and health awareness activities, such as safety stand-downs and "safety days." Traditionally, these awareness activities are considered either reactive or proactive. Reactive targeted safety stand-downs occur in response to a technical problem or after a mishap or close call. Proactive general safety awareness events are part of the Center's forward-looking mishap prevention effort and are held in preparation for significant operations or after a prolonged down-period.

(2) The Center Director shall lead the planning and execution of all safety stand-downs and safety and health awareness activities using the following process and criteria:

(a) Establish the scope, duration, and completion criteria for the event.

(b) Maximize leadership participation in the awareness activity and ensure effective and interactive communications with employees on the strategic value of safety focus.

(c) Seek a close linkage between the content of safety and health awareness events and with the on- and off-duty activities of the employees.

(d) Include discussion about NASA mishaps, mishaps outside of NASA, and lessons learned.

(e) Conduct mandatory safety and health training while maximizing the learning value for all other time spent in awareness activities.

l. Inform personnel of the availability of the NASA Safety Reporting System (NSRS) at their Center.

Note: The NSRS supplements local hazard reporting channels and provides NASA employees and contractors with an anonymous, voluntary, and responsive reporting channel to notify NASA's upper management of concerns about hazards or unsafe conditions. The NSRS should be used in the following circumstances: 1) if a hazard has been reported locally and it does not appear any action has been taken, 2) if someone is not satisfied with the response to a reported hazard, or 3) if someone fears reprisal if they were to report the hazard locally. NSRS reports are guaranteed to receive prompt attention.

Information about the NSRS and a copy of the NSRS form can be found at the following Internet address: http://www.hq.nasa.gov/office/codeq/nsrs/index.htm.

NASA contracting officers (COs) and contracting officers technical representatives (COTRs) are encouraged to implement the NSRS program at contractor facilities by citing the NASA FAR Supplement Clause (NFS 1852.223-70). Pre-addressed postage-paid forms can be obtained at any Center Safety Office or from other distribution locations across the Center. Forms should be mailed to:

NASA SAFETY REPORTING SYSTEM
P.O. BOX 5826
BETHESDA, MD 20824-9913

m. Assist with the investigation of NSRS reports (Requirement).

n. Ensure that all facilities are designed, constructed, and operated in accordance with applicable/approved codes, standards, procedures, and requirements. (See Chapters 8 and 9.)

o. Ensure that the safety responsibilities of each organizational element are defined and accomplished.

p. Ensure that line managers incorporate safety and health requirements into the planning, support, and oversight of hosted programs, projects, and operations as part of their management function.

q. Evaluate and document the incorporation of safety and health requirements into the planning and support of hosted programs, projects, and operations in senior managers' performance evaluations.

r. Ensure a qualified safety workforce is available to perform the safety function.

s. Ensure that properly equipped and trained personnel are provided to perform or support potentially hazardous or critical technical operations.

Note: Special circumstances involving access to mission critical space systems and other critical equipment may dictate the need for the Personnel Reliability Program (14 CFR Part 1214, Subpart 1214.5, Space Flight: Mission Critical Space Systems Personnel Reliability Program). (See Chapter 3.)

t. Ensure that safety and mission assurance (SMA) risk-based acquisition management requirements are included in procurement, design, development, fabrication, test, or operations of equipment and facilities.

u. Analyze and utilize nonconformance and process control data as feedback in the assessment and management of technical risk.

Note: Examples of nonconformance data include process escapes, waivers/deviations, and the results of audits, tests, and inspections.

v. Ensure that qualitative and quantitative risk assessment results, hazard controls, and risk mitigation strategies are not negated when accounting for the analysis of nonconformance and process control data in the assessment and management of technical risk (Requirement).

Note: Quality assurance requirements are provided in NPD 8730.5, NASA Quality Assurance Program Policy.

w. Ensure the results of contractor safety and health provision evaluations are provided to the award fee boards for use in fee determination.

x. Ensure that the Governance Model is being implemented in the procurement process for the acquisition of hardware, software, services, materials, and equipment. (See Chapter 9.)

Note: The Governance Model includes participation by Engineering, SMA, and the project manager during the entire life-cycle of procurement.

y. Pursue and obtain within two years, certification under the Occupational Safety and Health Administration (OSHA) Voluntary Protection Program (VPP) or through an equivalent recognized occupational safety certification program.

Note: The OSHA VPP is established by 5 U.S.C. § 7902; 29 U.S.C. § 651 et seq.; 49 U.S.C. § 1421, the Occupational Safety and Health Act of 1970, as amended, to assure every working man and woman in the Nation safe and healthful working conditions and to preserve our human resources by encouraging employers and employees to reduce the number of occupational safety and health hazards at their work places and to institute new (and to perfect existing) programs for providing safe and healthful working conditions.

z. Ensure their safety organization (or its support contractors) has access to certified safety professionals meeting the requirements of the OSHA VPP.

1.4.4 Center Directors and line managers shall ensure that up-to-date configuration control is maintained on all assigned equipment and systems (Requirement 25008).

Note: NPR 7123.1, NASA Systems Engineering Procedural Requirements, requires Center Directors or designees to establish and maintain a process, to include activities, requirements, guidelines, and documentation, for configuration management.

1.4.5 Line managers and supervisors are accountable for the safety and health of their assigned personnel. To that end, they shall:

a. Ensure employee safety and health training is completed by employees pursuant to the requirements of the job to be performed (Requirement).

b. Ensure that safety is included in the employee's performance plan objectives (Requirement).

c. Encourage safe performance through safety and health incentive awards programs or other institutional programs establishing the safety organization.

1.4.6 Supervisors shall:

a. Incorporate measurable leading safety and health performance criteria in line managers' performance plans.

b. Evaluate and document achievement of the measurable safety and health performance criteria in the line manager's performance evaluations.

1.5 Program Management Roles and Responsibilities in the NASA Safety Program

1.5.1 Paragraph 2.2.2.a.1.vi of NPR 7120.5 requires project managers to prepare and implement a comprehensive SMA Plan early in program formulation to ensure program compliance with all regulatory safety and health requirements from OSHA and all NASA SMA requirements. The importance of upfront safety, reliability, maintainability, and quality assurance requirements should be emphasized in all program activities.

1.5.2 Project managers shall ensure that the SMA Plan:

a. Addresses life cycle safety-relevant functions and activities.

b. Graphically represents project organizational relationships and assurance roles and responsibilities employing a Mission Assurance Process Map as described in NPR 8705.6.

c. Reflects a life cycle SMA process perspective, addressing areas including: procurement, management, design and engineering, design verification and test, software design, software verification and test, manufacturing, manufacturing verification and test, operations, and preflight verification and test.

d. Contains data and information to support each section of the SMA Plan for each major milestone review to include the Safety and Mission Success Review (formerly SMA Readiness Review).

e. Contains trending and metrics utilized to display progress and to predict growth towards SMA goals and requirements.

f. As a minimum, addresses the following topics and associated requirements:

(1) Safety per this NPR.

(2) Reliability and maintainability per NPD 8720.1, NASA Reliability and Maintainability (R&M) Program Policy.

(3) Risk assessment per NPR 8705.5.

(4) Quality assurance per NPD 8730.5.

(5) Software safety and assurance per NASA-STD-8719.13 and NASA-STD-8739.8.

(6) Occupational safety and health per NPR 8715.1.

(7) Range safety per NPR 8715.5.

(8) Human-rating per NPR 8705.2.

(9) Mishap reporting per NPR 8621.1.

(10) Compliance verification, audit, SMA reviews, and SMA process maps per NPR 8705.6.

1.5.3 Project managers shall ensure that contractor operations and designs are evaluated for consistency and compliance with the safety and health provisions provided in their contractual agreements.

1.6 Risk Assessment and Risk Acceptance

1.6.1 Risk Assessment. The primary purpose of risk assessment is to identify and evaluate risks to help guide decision making and risk management regarding actions to ensure safety and mission success. Risk assessment should use the most appropriate methods that adequately characterize the probability, consequence severities, and uncertainty of undesired events and scenarios. Quantitative methods can be used to evaluate probabilities, consequences, and uncertainties, whenever possible. Qualitative methods characterize hazards, and failure modes and effects provide valuable input to the risk assessment. When qualitative methods are used to assess risks, the qualitative values assigned should be rationalized. The results of the risk assessment along with the results of system safety analyses form the basis for risk-informed decision making. More discussion of system safety and risk assessment is provided in Chapter 2 of this NPR.

1.6.1.1 Project managers for flight systems and line managers for institutional systems shall:

a. Use a process for risk assessment that supports decisions regarding safety and mission success as well as other decisions such as the development of surveillance plans and information security (see Chapter 2).

Note: Requirements for risk management are provided per NPR 8000.4; requirements for probabilistic risk assessments are provided per NPR 8705.5.

1.6.2 Risk Acceptance. Center Directors and project/program managers are delegated the authority to accept residual risk associated with hazards based on risk assessment results and all relevant factors for their assigned activities. Center Directors and program managers should include involvement of the Technical Authority as a part of the risk analysis, evaluation, and decision-making processes. For technical matters related to project/program design, development, and operations, and involving the risk of safe and reliable operations as related to human safety, the Technical Authority has approval authority but the project/program manager must still formally accept the residual risk.

1.6.2.1 Center Directors and project managers shall:

a. Establish and document a formal, closed loop, transparent decision-making process for accepting residual risk for their assigned activities, personnel, and/or property.

b. Meet Federal safety and health standards when making risk-informed decisions to accept residual risk.

c. Reduce the risk to an acceptable level using the technical safety requirements provided in Paragraph 1.7 of this NPR.

Note: The risk that remains after all mitigation and controls have been applied is the residual risk.

d. Only accept residual risk consistent with NASA requirements and, in all cases, ensure the acceptance of risk to NASA employees and/or equipment does not endanger the public or NASA employees.

e. Document the basis for any risk-informed decisions.

f. Communicate to: 1) the cognizant office of primary responsibility (OSMA, Office of the Chief Engineer (OCE), Office of the Chief Health and Medical Officer (OCHMO)) for review, decisions regarding residual risk acceptance and 2) to any employee or person for whom the risk has been accepted.

1.7 Technical Safety Requirements for NASA-Unique Designs and Operations

1.7.1 Developing and maintaining technically sound and defensible safety and health requirements is essential to serve as a basis for system design and for system safety analysis efforts. A combination of quantitative (for example, probabilistic) and qualitative (for example, failure tolerance or redundancy) technical safety and mission success requirements complement each other by compensating for weaknesses in one or the other analysis type. This NPR establishes a minimum set of technical SMA requirements to be applied to programs/projects.

1.7.2 To properly support design and operational decisions, it is necessary that alternatives be analyzed not only with respect to their impact on the mission's performance and programmatic objectives, but also with respect to their impact on safety and health. Risk management uses the results of the risk assessment as the basis for decisions to reduce the risk to an acceptable level.

1.7.3 Risk Reduction Protocol

1.7.3.1 Project managers shall ensure that hazards and dominant contributors to risk are controlled according to the following:

a. Eliminate accident scenarios (e.g., eliminate hazards or initiating events by design).

b. Reduce the likelihood of accident scenarios through design and operational changes (hazard control).

c. Reduce the severity of accident consequences (hazard mitigation).

d. Improve the state-of-knowledge regarding key uncertainties that drive the risk associated with a hazard (uncertainty reduction to support implementation of the above strategies).

Note: Designs for hazard control and accident prevention and mitigation should include considerations for the possibility of human errors. The level of hazard control should be based on the level of risk associated with that hazard. Examples of risk reduction strategies include: control of system and operational characteristics, incorporation of safety devices, use of caution and warning devices, and the use of operational and management procedures and training. Some hazards may require a combination of several of these approaches for prevention, mitigation, and/or control. Providing protective clothing and equipment is considered an operational procedure.

1.7.4 Reliability and Failure Tolerance

1.7.4.1 Safety critical operations must have high reliability. High reliability is verified by reliability analysis using accepted modeling techniques and data in which uncertainties are incorporated. Where this cannot be accomplished with a specified confidence level, the design of safety critical operations shall have failure tolerance and safety margins in which critical operability and functionality are ensured. Failure tolerance is the ability of a system to perform its function(s) or maintain control of a hazard in the presence of failures of its subsystems. Failure tolerance may be accomplished through like or unlike redundancy. Safety margins are the difference between as-built factor of safety and the ratio of actual operating conditions to the maximum operating conditions specified during design.

Note: For human space systems, failure tolerance requirements are provided in NPR 8705.2. Applicable failure tolerance requirements in this NPR pertain to all other systems.

1.7.4.2 To assure operability and functionality and to achieve failure tolerance, project managers shall use these design considerations.

a. Design safety critical systems such that the critical operation or its necessary functions can be assured. To provide assurance, design the component, subsystem, or system so it is capable of being tested, inspected, and maintained.

b. Where high reliability cannot be verified by reliability analysis using accepted data in which uncertainties are incorporated, design safety critical systems so that no combination of two failures and/or operator errors (fail-safe, fail-safe as a minimum) will result in loss of life.

Note: Safety-critical operational controls are applied to conditions, events, signals, processes, or items for which proper recognition, control, performance, or tolerance are essential to safe system operation, use, or function.

c. When requesting relief from the two-failure tolerance requirement, provide evidence and rationale that one or more of the following are met.

(1) Two-failure tolerance is not feasible for technical reasons.

(2) The system or subsystem is designed and certified in accordance with approved consensus standards.

Note: Requests for relief to this document are processed in accordance with the requirements of NASA-STD 8709.20, Management of Safety and Mission Assurance Technical Authority (SMA TA) Requirements.

d. Where high reliability cannot be verified by reliability analysis using accepted data in which uncertainties are incorporated, design safety critical operations so that no single failure or operator error (fail-safe) will result in system loss/damage or personal injury.

e. Where high reliability cannot be verified by reliability analysis using accepted data in which uncertainties are incorporated, provide functional redundancy where there is insufficient time for recovery or system restoration. Where there is sufficient time between a failure and the manifestation of its effect, design for restoration of safe operation using spares, procedures, or maintenance provides an alternative means of achieving failure tolerance.

f. Design safety critical systems and operations to have a safety margin.

g. When using redundancy, verify that common cause failures (e.g., contamination, close proximity) do not invalidate the assumption of failure independence.

h. When using redundancy in operations that could cause or lead to severe injury, major damage, or mission failure (safety critical operations), verify operability under conditions that singularly or separately added together represent the operating intended condition.

i. When using reliability analyses, assess the probability of failure to provide the function and the time to restore the function, where loss of life, serious injury, or catastrophic system loss can occur. Uncertainties shall be incorporated in these assessments. The time to restore the function shall include the active time to repair and the time associated with the logistics or administrative downtime that affects the ease or rapidity of achieving full restoration of the failed function.

1.7.4.3 To assure functional protection, project managers shall ensure that:

a. Loss of functional protection for safety-critical operations requires termination of the operation at the first stable configuration.

b. At least one single level of functional protection is used to protect high-value facilities and flight systems.

c. In addition to the requirement in paragraph 1.7.2.1.b, for systems intended to be operated by humans, crew survival capabilities such as abort, escape, emergency egress, emergency medical, emergency systems, safe haven, and rescue are valid means of preventing loss of life and, when used, shall include validation, training, and certification.

Note: Definitions for the crew survival and associated capabilities can be found in NPR 8705.2 and other NPRs.

1.7.5 Inhibits

1.7.5.1 Where high reliability is not verified by reliability analysis using accepted data with uncertainties incorporated, the project manager shall ensure that:

a. Operations that require the control of a condition, event, signal, process, or item for which proper recognition, performance, or tolerance is essential to safe system operation, use, or function are designed such that an inadvertent or unauthorized event cannot occur (inhibit).

b. Operations have three inhibits where loss of life can occur.

c. Operations have two inhibits where personal injury, illness, mission loss, or system loss or damage can occur.

d. The capability of inhibits or control procedures, when required in operations by this paragraph, is verified under operational conditions, including the verification of independence among multiple inhibits.

Note: Inhibits (designs that specifically prevent an inadvertent or unauthorized event from occurring) are not to be confused with the lockout/tagout program, which is a program to isolate or control facility system hazards; e.g., electrical, mechanical, hydraulic, pneumatic, chemical, thermal, or other energy.

1.7.6 System Safety Managers shall assure that the above requirements are placed in program/project requirements and that any variances to those requirements are processed in accordance with the requirements of this NPR. (See paragraph 1.13 of this NPR.)

1.8 SMA Program Reviews

1.8.1 The Chief, Safety and Mission Assurance, conducts audits, reviews, and assessments of NASA Centers, programs/projects, supporting facilities, and operations.

Note: Requirements for conducting and supporting independent SMA audits, reviews, and assessments are provided in NPR 8705.6.

1.8.2 Center Directors shall ensure that:

a. The Center's safety program is formally assessed annually.

b. The Center's annual safety program assessment is conducted by competent and qualified personnel.

Note: In addition to normal management surveillance, the Center's annual safety program review can be accomplished through safety staff assistance visits, inspections, and safety audits. The Center's safety staff or an independent outside source may perform the formal assessments.

1.8.3 Center Directors shall ensure that the Center's formal annual assessment has the following elements:

a. A formal assessment report that includes a discussion of the safety posture of the Center and each program reviewed.

b. An assessment of the effectiveness of the safety program using an industry standard template for implementing a comprehensive safety and health program such as that prescribed by OSHA’s Voluntary Protection Program (VPP).

Note: The OSHA VPP includes the critical elements of a comprehensive safety and health program management effort (management leadership and employee involvement, worksite analysis, hazard prevention and control, and safety and health training). A self-assessment checklist such as the one located at http://www.osha.gov/Publications/VPP/vpp_kit.html can be of invaluable assistance in assessing the capability and maturation of these features in a NASA safety and health program.

c. Reserved.

d. An assessment of safety program documentation (e.g., plans, procedures, monitoring data).

e. An assessment of the adequacy of safety standards and procedures.

f. Interviews of key facility and/or program personnel.

g. Observations and inspections of workplace compliance with safety practices.

h. Identification of deficiencies in the safety program.

i. The development of formal plans of actions and milestones to correct all open deficiencies that shall be tracked to completion including interim controls that will be implemented if the hazard cannot be immediately corrected.

j. Assessment and verification of corrective actions from previous assessments.

k. Evaluation of the implementation of 5 U.S.C. § 7902; 29 U.S.C. § 651 et seq.; 49 U.S.C. § 1421, as amended; E.O. 12196, dated February 26, 1980, as amended; OSHA regulations at 29 CFR Part 1910; and other pertinent Federally-mandated requirements.

1.8.4 Center Directors shall ensure that periodic training is conducted for Center safety personnel on safety program assessments covering prereview, review, and postreview procedures and requirements.

1.9 Advisory Panels, Committees, and Boards

1.9.1 NASA strives to use the Nation's most competent safety resources to provide review and advice on the NASA Safety Program.

Note: In keeping with this philosophy, NASA enlists the advice of consultants, interagency and interdisciplinary panels, and ad hoc committees consisting of representatives from industry (management and union), universities, and government (management and union).

1.9.2 NASA has established an ASAP as an advisory committee in accordance with Section 6 of the NASA Authorization Act, 1968 (PL 90-67, codified as 42 U.S.C. 2477).

Note: The ASAP reviews and evaluates program activities, systems, procedures, and management policies and provides assessment of these areas to NASA management and Congress. It is in this role that the ASAP provides independent advice on NASA safety issues to the Chief, Safety and Mission Assurance, and to the Administrator. The ASAP website is http://www.hq.nasa.gov/office/codeq/asap/.

1.9.3 Reserved

1.9.4 NASA has established the Software Independent Verification and Validation (IV&V) Board of Directors to advise the OSMA as approval authority for IV&V support to programs and projects. The IV&V Board of Directors acts in an advisory capacity to provide input to the Chief, Safety and Mission Assurance, concerning the annual IV&V budget for support to programs and projects.

1.9.5 NASA has established and maintains a Space Flight Safety Panel to promote flight safety in NASA space flight programs involving flight crews and to advise appropriate Mission Directorate Associate Administrators on all aspects of the crewed space program that affect flight safety.

Note: See NPD 1000.3, paragraph 6.21, for further details.

1.9.6 Center Directors and the Chief, Safety and Mission Assurance, shall have the authority to establish ad hoc committees to provide safety oversight review of programs, projects, and other activities.

1.10 Coordination with Organizations External to NASA

1.10.1 The Chief, Safety and Mission Assurance, in coordination with the Office of External Relations (for exchanges with the Department of Defense (DoD), intelligence agencies, and foreign entities) and in consultation with the NASA Office of the General Counsel, shall establish guidelines for exchanging safety information with organizations external to NASA.

Note: New and different methods and practices that may be beneficial to the NASA Safety Program should be brought to the attention of the responsible Headquarters Office by those that may encounter these practices used outside NASA.

1.10.2 NASA shall encourage participation by NASA safety professionals in outside safety-related professional organizations.

Note: Examples are functions and committees of the National Safety Council, National Fire Protection Association, DoD Explosive Safety Board, National Academy of Sciences, System Safety Society, Federal Agency Committee on Safety and Health, American Society of Safety Engineers, Field Federal Safety and Health Councils, and the Joint Army, Navy, NASA, Air Force propulsion committee (and subcommittee).

1.11 Safety Motivation and Awards Program

1.11.1 The Chief, Safety and Mission Assurance, shall establish a Safety Motivation and Awards Program that recognizes the safety achievements of NASA and other Federal Government employees supporting NASA objectives in all occupational categories and grade levels.

1.11.2 The Associate Administrator for Space Operations Mission Directorate shall manage a spaceflight awareness motivation and recognition program to promote safety, quality, and mission success within NASA and the supporting NASA contractor/partner workforce.

Note: NASA is committed to continued improvement of safety in all operations. NASA's policy is to stimulate the participation of employees in this effort. The presentation of awards is considered appropriate for recognizing outstanding safety-related performance/contributions and is an effective means of encouraging safety excellence. NASA recognizes responsible individuals and organizations for the following: taking significant safety initiatives, making truly innovative safety suggestions, meeting major safety goals, making significant achievements leading to the safer and more effective use of resources or execution of NASA operations, and encouraging and rewarding safety excellence among employees (applies to supervisors).

NASA safety awards programs may provide for the recognition of non-Government personnel (e.g., JPL employees) supporting NASA objectives.

The Space Flight Awareness Employee Motivation and Recognition Program for NASA, supporting Government agencies, private industry, and international organizations, promotes safety, particularly for human space flight programs. The goal of this program is to instill in employees the need to reduce human errors and mistakes that could lead to space flight mishaps and mission failure.

1.12 Safety Management Information

1.12.1 Efficient communication of safety information is necessary to meet the needs of safety officials and the managers they support. This includes communications between and among operational and safety organizations. NASA safety organizations will pursue every practical means for communicating verbal and written safety management information, lessons learned, and statistics. Examples of NASA information systems are the Incident Reporting Information System and the LLIS. Records and reports of accidents, occupational injuries, incidents, failure analyses, identified hazards, mishaps, appraisals, and like items contain information necessary for developing corrective measures and lessons learned.

1.12.2 Detailed records of occupational injuries are reported to OSHA in accordance with 29 CFR Part 1960, Subpart I, and NPR 8621.1 and are retained per NPR 1441.1.

1.12.3 Center Directors shall provide or make accessible to the OSMA (through an internet web site):

a. Center executive safety committee or board documentation (e.g., minutes and reports).

b. Results of external (such as OSHA) safety program management reviews.

c. Top-level Center or program safety procedure documents that implement Headquarters requirements.

Note: Electronic versions or web addresses are acceptable and should be forwarded in conjunction with the data.

d. Copies of safety variances granted at the Center (see paragraph 1.13).

1.12.4 The Chief, Strategic Communications, shall provide or make accessible (through internet web site) to the OSMA copies of comments sent to outside regulatory agencies (e.g., OSHA, Department of Transportation (DOT), Environmental Protection Agency (EPA)) concerning proposed rule-making that could affect the NASA Safety Program.

1.12.5 Center SMA Directors shall maintain a census of Government and contract employees performing safety, reliability, maintainability and quality functions (engineering, operations, and assurance) by organization or contractor company at their sites.

1.12.6 COs and COTRs shall ensure that the census of employees performing safety, reliability, maintainability, and quality functions (engineering, operations, and assurance) by organization is a requirement under contracts.

1.13 Requests for Relief to Agency-level SMA Requirements

1.13.1 Paragraph 1.13 and its subparagraphs (1.13.1-1.13.4) provide policy and associated requirements for requesting and approving determination of nonapplicability, waivers, and deviations (aka: requests for relief) to Agency SMA requirements specified as overall SMA requirements for which OSMA is the Office of Primary Responsibility (OPR) or Point of Contact (POC). The primary objective of this policy is to assure that NASA Headquarters maintains oversight of the Agency SMA requirements while providing the Center Directors and program/project managers with the authority and flexibility to accept reasonable risks (in accordance with NPR 8000.4) necessary to accomplish their tasks. This policy is consistent with the ISO 9001 requirement for maintaining process control of services that an organization provides. This policy applies to all requirements for which OSMA is the OPR or POC with the exception of requests for requirements relief to NPR 8715.5 and NPR 8715.7.

1.13.2 Relief from a requirement consists of documented and approved permission to vary from an established SMA requirement. There are four types of relief which can be granted to NASA SMA requirements that may be requested at different times during the life cycle of a program/project/facility: nonapplicable determination, tailoring, deviations, and waivers.

a. Determination of nonapplicability of a requirement eliminates a requirement from the list of applicable senior-level requirements during the requirement development process (NPR 7120.5 program/project phase A, or as defined in NPR 7120.7 or NPR 7120.8).

b. Tailoring may be done to allow a program/project/facility manager to restate, separate, or combine requirement(s) to meet their program/project/facility's need through Phase A as defined in NPR 7120.5 or the early design phase as defined in NPR 7120.7, NPR 7120.8, and NPR 8831.1, and cannot result in an increase in risk. The overall scope and goal of the requirement is maintained in tailoring.

c. Deviations may be done to allow a program/project/facility to decrease the scope of a senior-level requirement or increase the risk associated with a requirement during phases A and B as defined in NPR 7120.5, or the design phases as defined in NPR 7120.7, NPR 7120.8, and NPR 8831.1.

d. Waivers are similar to deviations except they are granted after Phase B as defined in NPR 7120.5, or design complete as defined in NPR 7120.7, NPR 7120.8, and NPR 8831.1.

1.13.3 Requests for relief to this document are processed in accordance with the requirements of NASA-STD 8709.20, Management of Safety and Mission Assurance Technical Authority (TA) Requirements.

Note: NASA-STD 8709.20 fully implements the requirements contained in NPR 1400.1, NASA Directives Procedural Requirements, and NPR 7120.4, NASA Engineering and Program/Project Management Policy.

1.13.4 The Chief, Safety and Mission Assurance, shall:

a. Serve as the adjudicating official for all requests for relief to Agency SMA requirements where OSMA is the OPR or POC.

b. Review all requests for relief to Federal, State, local, or Tribal laws, codes, standards, regulations, directives, and orders, where OSMA is the OPR or POC, before submittal to the Federal/State agency for approval.

c. Forward requests for relief to the NASA Associate Administrator for requirements which are directed from Federal, State, local, or Tribal laws, codes, standards, regulations, directives, and orders and requests that have been denied and are being appealed per NPR 1400.1, NASA Directives Procedural Requirements, and NPR 7120.5, NASA Space Flight Program and Project Management Requirements.

d. Forward appeals to the NASA Associate Administrator where relief requests were originally adjudicated by the Chief, Safety and Mission Assurance.

e. Oversee Center/project/program implementation of the relief request procedures in accordance with NPR 8705.6, Safety and Mission Assurance Audits, Reviews, and Assessments.

1.14 Hazardous Work Activities That Are Outside NASA Operational Control

1.14.1 It is NASA policy to formally review and approve NASA participation in hazardous work activities that are outside NASA operational control as needed to ensure that NASA safety and health responsibilities are satisfied. This policy applies unconditionally to NASA participation in commercial human spaceflight where current federal regulations do not necessarily provide for the safety of spaceflight vehicle occupants. This policy is non-retroactive and applies to hazardous ground or flight activities that involve research, development, test and evaluation, operations, or training, where all five of the following conditions exist:

a. NASA civil service personnel, Government detailees, specified contractors, or specified grantees are performing work for NASA.

Notes:

(1) Paragraph 1.14 of this NPR applies to contractors and grantees only as specified by the responsible NASA manager in consultation with the cognizant NASA Center SMA organization based on an assessment of NASA safety responsibilities and/or obligations with regard to the activity.

(2) This policy only applies to personnel participating in activities within their official NASA duties.

b. The activity is outside NASA's direct operational control/oversight.

c. An assessment by the responsible NASA manager indicates there are insufficient safeguards and/or oversight in place.

Note: This policy does not apply to activities where safety oversight and/or safety regulations of other entities provide for safety of the participants (e.g., FAA, DoD, OSHA, ESA, JAXA) and foreign government-associated safety regulatory regimes.

d. The activity is not covered by a basic contract, grant, or agreement where Federal, State, and/or local requirements address personnel safety.

e. The nature of the activity is such that, if NASA were controlling it, a formal safety and/or health review would be required as part of the NASA approval process.

Note: Paragraph 1.14 of this NPR applies to activities conducted in unusual or unforgiving environments (such as underwater or extreme temperature/altitude), as well as activities conducted in remote areas where there is little or no access to medical care or other assistance in an emergency.

1.14.2 For NASA work activities that satisfy the conditions listed in paragraph 1.14.1 of this NPR, it is NASA policy to document and verify that risks are adequately controlled and any residual risk is acceptable following the steps below or through implementation of the System Safety process in Chapter 2 of this NPR:

a. As early as practical, conduct a comprehensive, documented review of the planned activity (the review may address a series of related activities). (See paragraph 1.14.3.h of this NPR for requirements that apply to the review.)

b. Document Agency approval by cognizant NASA officials, including formal acceptance of all associated risks.

c. Ensure activity participants are fully briefed on the safety and health aspects of the activity and the associated risks and that they formally consent to take the risk.

d. Ensure activity participants have all necessary training, equipment, and support.

1.14.3 Roles and Responsibilities. The following roles and responsibilities apply with regard to implementing the policy stated in paragraph 1.14.2 of this NPR.

a. The Chief, Safety and Mission Assurance shall oversee and resolve any questions regarding the implementation and applicability of this policy and related requirements to a proposed work activity.

b. Each Center Safety and Mission Assurance Director shall:

(1) Establish and implement processes and requirements needed to ensure compliance with this policy for applicable work activities within the scope of their authority.

(2) Provide safety expertise as needed to assist programs and projects to successfully complete the required NASA review and approval of applicable work activities.

(3) Formally concur in the scope of hazard assessments executed per paragraph 1.14.3.h.(2) for activities under their cognizance.

(4) Maintain records of all approvals granted under this policy and track the status of each activity.

c. The NASA official, at the appropriate level of authority in the supervisory chain over the participating personnel and any applicable non-NASA supervisor (identified by the Review Team per paragraph 1.14.3.h.(5) of this NPR), shall sign the approval documentation indicating consent for their assigned personnel to take the risk and participate in the activity.

d. Where deemed applicable by the review, the following NASA officials shall sign the approval documentation indicating that the risks are properly characterized for their area of responsibility and that they concur with acceptance of the risks to personnel under NASA safety responsibility, risk to NASA property, and any public risk due to NASA's part in the activity:

(1) The Center SMA official with cognizance over the activity (mandatory for any activity that involves safety risk to participants, the public, or to NASA property).

(2) The Center Health and Medical official with cognizance over the activity (mandatory for any activity that involves health risk to participants or the public or involves medical equipment or operations as part of the safety risk mitigation strategy).

(3) The NASA General Counsel or Center Chief Counsel (mandatory for any activity that involves U.S. or international law).

(4) The designated Technical Authority(ies) with cognizance over the associated project/program (mandatory for any activity that involves system design changes or invocation of NASA technical requirements as part of the risk mitigation strategy).

e. The personnel participating in the hazardous activity shall sign the approval documentation indicating that they are fully briefed on all safety and health risks inherent in the activity and are willing and able to participate.

f. After signature by the officials/personnel identified in paragraphs 1.14.3.c, 1.14.3.d, and 1.14.3.e of this NPR, the NASA official, at the appropriate level, as identified by the review per paragraph 1.14.3.h.(6) of this NPR, shall sign the approval documentation indicating formal acceptance of the associated risks to personnel under NASA safety responsibility, risk to NASA property, and any public risk due to NASA's part in the activity.

g. NASA managers (program/project/grant/institutional/other) shall ensure that all aspects of the policy in paragraph 1.14.2 of this NPR are satisfied for applicable work activities under their authority (Requirement). In accomplishing this, NASA managers shall:

(1) Identify work activities that fall under the applicability of this policy in consultation with the cognizant Center SMA organization (Requirement).

Note: Per paragraph 1.14.3.a of this NPR, the Chief, Safety and Mission Assurance is responsible for resolving any questions regarding the applicability of this policy to a work activity.

(2) Satisfy local SMA processes and requirements designed to implement this policy.

(3) Establish a Review Team (see paragraph 1.14.3.h of this NPR for Review Team responsibilities) in consultation with the cognizant SMA, Health and Medical, Engineering, and Legal organizations; and ensure that the Review Team incorporates all necessary expertise as required.

(4) Ensure that funding and other resources needed to satisfy this policy are budgeted and allocated.

Note: This includes any funding needed to staff the Review Team, obtain data, and develop the various review products required by the Review Team, such as the hazards analyses and risk assessments.

(5) Ensure all conditions for NASA approval are met, including implementation of all actions identified by the Review Team.

(6) Ensure the preparation and finalization of the approval documentation.

h. The Review Team established per paragraph 1.14.3.g.(3) of this NPR and program/project/grant/institutional/other personnel as needed shall coordinate to:

(1) Identify and evaluate the safety, health and medical, and any safety-legal aspects of the activity.

(2) Identify and evaluate all associated hazards (design and/or operational), including evaluation of existing hazard/risk mitigations and safety requirements being implemented.

Note: The extent of this hazard evaluation is determined by the Review Team with the concurrence of the cognizant Center SMA Director and may vary depending on the specific safety concerns associated with the work activity.

(3) Assess and characterize any residual safety risks to personnel, public, and property.

Note: Characterization of the safety risks may be quantitative or qualitative as determined by the Review Team and as needed to ensure that NASA officials understand any risks they are asked to accept. The basis for the risk assessment includes the current NASA policies, requirements, and standards that would apply if NASA were controlling the activity.

(4) If the initial risks are unacceptable, identify actions that must be implemented to mitigate the risks as conditions for NASA approval to participate.

Note: This may include implementation of NASA technical standards and/or processes (or portions thereof).

(5) Identify the NASA official(s), at the appropriate level of authority in the supervisory chain over the participating personnel and any non-NASA supervisor(s) (in the event that non-NASA personnel are involved), who must consent for the personnel to take the risk and participate in the activity.

Note: In accomplishing this, the Review Team identifies the appropriate level of NASA management in the supervisory chain with authority to represent the participating personnel based on the risk level and the applicable NASA risk management policy.

(6) Identify the NASA official who must formally accept the risks associated with and grant final approval of the activity.

Note: In accomplishing this, the Review Team identifies the appropriate level of NASA program/project management with authority for final approval based on the risk level and the applicable NASA risk management policy.

(7) For a series of related activities (that may involve the same or different participants over a period of time), identify a NASA readiness process to be implemented for each activity.

i. If the Review Team determines that a series of activities is a repetition of, or essentially the same as, a previously reviewed and approved activity, the Review Team may recommend that the NASA approving official (identified per paragraph 1.14.3.h.(6) of this NPR) grant a standing approval that will remain in effect until there are substantive changes in the activity, personnel, or a specified period of time has elapsed, not to exceed 5 years.

j. The Assistant Administrator for Procurement, NASA Grant and Contracting Officers, and Cooperative Agreement, and other agreement officers shall ensure that grants, contracts, and agreements governing activities performed in support of NASA allow for implementation of this policy where specified by the cognizant NASA manager in consultation with the cognizant NASA Center SMA organization (per paragraph 1.14.3.g(1) of this NPR).


Chapter 2. System Safety

2.1 Introduction

2.1.1 This chapter establishes requirements for the implementation of system safety processes to support decision making aimed at ensuring human safety, asset integrity, and mission success in programs/projects.

2.1.2 System safety assessment is a disciplined, systematic approach to the analysis of risks resulting from hazards that can affect humans, the environment, and mission assets. It is a critical first step in the development of risk management strategies. System safety covers the total spectrum of technical risk and management activities including safety and risk assessments and safety performance monitoring.

2.1.3 The format of this chapter is different than that of the rest of this NPR because of the need to discuss advanced concepts in system safety by the references.

2.2 Institutional Roles and Responsibilities

2.2.1 Mission Directorate Associate Administrators, Center Directors, program and project managers, and line managers shall ensure that system safety activities are conducted for all programs and projects including system acquisitions, in-house developments (research and technology), design, construction, fabrication and manufacture, experimentation and test, packaging and transportation, storage, checkout, launch, flight, reentry, retrieval and disassembly, maintenance and refurbishment, modification, and disposal (Requirement 25243).

2.2.2 Center Directors, through their Center SMA Directors, shall ensure that knowledgeable system safety and technical risk analysts are made available to program/project managers and Center engineering directors to define and conduct system safety activities, including assurance of prime contractor system safety activities (Requirement 25087).

2.3 System Safety Framework

2.3.1 The term "system," as used here, refers to one integrated entity that performs a specified function and includes hardware, software, human elements, and the environment within which the system operates. A "hazard," as used here, is a state or a set of conditions, internal or external to a system, that has the potential to cause harm. Generally, one or more additional conditions need to exist or additional events need to occur in conjunction with the existence of the hazard in order for an accident or mishap 1 with consequences adverse to safety 2 to result. These additional events enable the hazard to proceed to the adverse consequence. The term "mishap" is NASA's preferred generalization of an accident and it will be used in this document to refer to events leading to safety-adverse consequences. The term "accident" will be retained in the context of risk assessment methodology because of its wide acceptance in the practice of this methodology. The term "state" or "condition" is used in a broad sense to include any intrinsic property and characteristic of the material, system, or operation that could, in certain circumstances, lead to an adverse consequence. 3

2.3.2 Hazards analysis involves the application of systematic and replicable methods to identify and understand hazards, and to characterize the risk of mishaps that involve hazards. MIL-STD-882 describes the systems engineering approach to hazard analysis. This standard is used in conjunction with the following paragraphs to develop a comprehensive scenario-based system safety analysis program.

2.3.3 Risks originate from hazards - the absence of a hazard implies a freedom from the associated risk. In the context of making decisions to manage risk, it is useful to consider "risk" as a set of triplets 4: accident scenarios involving hazards; associated frequencies 5; and associated adverse consequences. Each triplet is a statement about the likelihood of realizing a postulated accident scenario with the type and magnitude of potential adverse consequences. The expression for risk as a set of triplets is:


1 NASA defines mishap as "An unplanned event that results in at least one of the following: Injury to NASA personnel, caused by NASA operations; Injury to non-NASA personnel, caused by NASA operations; Damage to public or private property (including foreign property), caused by NASA operations or NASA funded development or research projects; Occupational injury or occupational illness to NASA personnel; Destruction of, or damage to, NASA property except for a malfunction or failure of component parts that are normally subject to fair wear and tear."

2 For example, the presence of fuel vapor in the crew module of a spacecraft is a hazard. Another example is the inoperability of the fire detection system.

3 For example, just having a toxic chemical in a tank constitutes a hazard because of the intrinsic toxicity property of the chemical.

4 S. Kaplan and B.J. Garrick, "On the Quantitative Definition of Risk," Risk Analysis, 1, 11-27, 1981.

5 The frequency estimate for each postulated accident scenario must account for the length of time during which the accident can possibly occur. This duration is often referred to as "exposure time" or "time at risk."


2.3.4 The "triplet" concept of risk is operationally useful because it makes clear that in order to define, assess, and understand risk it is necessary to produce:

a. A definition of the scenarios that may happen. This definition is especially useful when organized in logical fashion to identify the cause-consequence relationship of events that constitute accident scenarios.

b. A characterization of the probabilities of the accident scenarios that have been identified. This characterization is expressed quantitatively in the form of a probability over some reference period of time or set of activities, or as a "frequency;" i.e., a probability per unit of time.

c. A characterization of the severity of the consequences associated with the accident scenarios that have been identified. This characterization is expressed quantitatively in the form of a numeric parameter or set of parameters that best represent the magnitude and type of the adverse consequences.

2.3.5 It is also important to identify the uncertainties in the probabilities and consequences and to quantify them to the extent feasible.

2.3.6 NASA uses the term "safety" broadly to include human safety (public and workforce), environmental safety, and asset safety. 6 Therefore, safety-adverse consequences of interest to NASA may include:

a. General public death, injury, or illness.

b. Local public 7 death, injury, or illness.

c. Astronaut death, injury, or illness.

d. Ground crew and other workforce (occupational) death, injury, or illness.

e. Earth contamination.

f. Planetary contamination.

g. Loss of, or damage to, flight systems.

h. Loss of, or damage to, ground assets (program facilities and public properties).


6 The broad definition is "freedom from those conditions that can cause death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment." In the context of risk-informed decision making, safety can be considered as an overall mission and program condition that provides sufficient assurance that accidents will not result from the mission execution or program implementation, or, if they occur, their consequences will be mitigated. This assurance is established by means of the satisfaction of a combination of deterministic requirements and risk criteria.

7 The term "local public" refers to the population in the vicinity of a site for a NASA operation but not directly associated with the operation.


2.3.7 Risk management involves making decisions that eliminate hazards or reduce the frequency and/or consequences of accidents involving hazards to an acceptable level by introducing hazard control measures and modifying system design (e.g., hardware, software) and/or procedures. Risk management may also importantly involve activities to identify and reduce uncertainties. Monitoring the effectiveness of risk reduction and uncertainty reduction strategies is an important element of risk management activities. NASA's continuous risk management process shown below (Figure 2.1) provides an approach to track the effectiveness of implemented risk reduction strategies.

Figure 2.1: The Continuous Risk Management Process

2.3.8 Scenario-based Modeling for Hazards Analysis

2.3.8.1 Scenario-based modeling of hazards as illustrated in Figure 2.2 provides a general framework for the analysis of how hazards lead to adverse consequences. The identified scenarios then provide a basis for the assessment of risk. In the scenario modeling approach, for each hazard, an initiating event is identified, and necessary enabling conditions that result in undesired consequences are also identified. The enabling conditions often involve the failure to recognize a hazard or the failure to implement appropriate controls such as protective barriers or safety subsystems (controls). The resulting accident scenario is the sequence of events that is comprised of the initiating event and the enabling conditions and/or events that lead to the adverse consequences. Scenarios can be classified according to the type and severity of the consequences (i.e., according to their end states). In the scenario-based modeling framework, a linkage between hazards and adverse consequences of interest is established. Modeling of the characteristics of this linkage (i.e., how the presence of a hazard is linked with the occurrence of other events (e.g., hardware failures, software errors, human errors, or phenomenological events) leading to formation of a mishap) should be the fabric of hazard analysis. As part of this modeling, the following items are addressed:

a. How a hazard enables or contributes to the causation of initiating events; i.e., the mechanism by which the hazard is translated to the initiating event.

b. How a hazard enables or contributes to the loss of the system's ability to compensate for (or respond to) initiating events.

c. How a hazard enables or contributes to the loss of the system's ability to limit the severity of the consequences.

d. Who or what the consequences affect; i.e., the target of the consequences.

Figure 2.2: Scenario-based Modeling of Hazards

2.3.8.2 In carrying out a hazard analysis, it is important to describe the context for the hazard, which involves identifying the hazard, identifying the enabling conditions and events, and identifying the target of the consequences; i.e., does the hazard represent potential adverse consequences to humans, to the environment, or to the equipment. Analyzing hazards, in the context of the above factors, supports risk management activities that involve prevention of (reduction of frequency of) adverse accident scenarios (ones with undesired consequences) and promotion of favorable scenarios. Understanding the elements of the adverse scenarios (i.e., the structure of accident scenarios and contributing hazards), the risk significance of the adverse scenarios, and elements of successful scenarios are essential to an effective system safety and risk management program. This scenario-based risk information provides required input to risk management that is used to allocate resources optimally for risk reduction.

2.3.8.3 Evaluating uncertainties 8 is an important part of evaluating risks, in particular the uncertainties associated with the accident scenario probabilities and the accident scenario consequences. Randomness (or variability) of physical processes modeled in risk assessments requires use of probabilistic models to represent uncertainty in possible scenario outcomes. The probabilistic models for the accident scenarios reflect these process-inherent uncertainties (referred to as "aleatory uncertainties"). These process-uncertainties are realized for initiating events and system behavior and must be treated explicitly in the hazards modeling. The development of accident scenarios and their risks involves using model assumptions and model parameters that are based on what is currently known about the physics of the relevant processes and the behavior of systems under given conditions. Because there is uncertainty associated with these potentially complex conditions, probabilistic models are also used to represent the state-of-knowledge regarding the numerical parameter values and the validity of the model assumptions. These state-of-knowledge uncertainties (referred to as "epistemic uncertainties") must be properly accounted for as part of risk characterization. The expanded representation of the risk triplets that accounts for epistemic uncertainties is shown below. It is also shown notionally in Figure 2.3.


8 "Uncertainty" is a broad and general term used to describe an imperfect state of knowledge or a variability resulting from a variety of factors including, but not limited to, lack of knowledge, applicability of information, physical variation, randomness or stochastic behavior, indeterminacy, judgment, and approximation. Uncertainty is generally classified into two broad categories or types: epistemic uncertainty and aleatory uncertainty. Epistemic uncertainty is that uncertainty associated with incompleteness in the analyst's (or analysts') state of knowledge. Aleatory uncertainty is that uncertainty associated with variation or stochastic behavior in physical properties or physical characteristics of the system being addressed.


Figure 2.3: Expressing Risk as a Set of Triplets 9


9 In the above, "RISK" denotes risk with uncertainty, which is an inherent part of risk.


2.3.9 Strategies to Manage Safety Risks

2.3.9.1 Risk management decisions can involve the elimination of hazards or the reduction in the probability or consequences associated with accident scenarios by modifying designs and/or introducing additional design features (e.g., hardware, software, ergonomic), and/or operational or management procedures that prevent the occurrence of an accident scenario or its propagation (individual events within the scenario) or by mitigating the consequences. Improvements in the state-of-knowledge regarding key uncertainties (i.e., uncertainty reduction) that drive the risk associated with a hazard can also be used to manage risk. (See paragraph 1.7.1 of this NPR.)

2.3.10 Program success is achieved by ensuring that technical objectives of the program are accomplished safely within the constraints of cost and schedule and consistent with stakeholder expectations. Safety is one of NASA's core values. Ensuring safety involves the following high-level safety objectives:

a. Protect public health.

b. Protect workforce health.

c. Protect the environment.

d. Protect program (systems and infrastructures needed to execute a mission) and public assets.

2.3.11 In order to properly support key design and operational decisions, it is necessary that design and operational alternatives 10 are analyzed not only with respect to their impact on the mission's technical and programmatic objectives, but also with respect to their impact on these high-level safety objectives. Probabilistic risk assessments 11 developed as part of system safety modeling activities and supported by qualitative safety analyses (e.g., Preliminary Hazard Analysis (PHA), Fault Tree Analysis) are used to assess the impact of a decision alternative on the overall objectives. It should be noted that a typical probabilistic risk assessment model combines many engineering models including qualitative safety and reliability models (e.g., PHA, Failure Modes and Effects Analysis (FMEA)) and quantitative hardware and human reliability models for the purpose of quantifying risk. Qualitative system safety analyses are mostly "deterministic," and uncertainties which remain unquantified are managed using redundancy, design for minimum risk, physical margins, and safety factors. The roles of both probabilistic risk assessment and qualitative system safety analyses in decision making are depicted in Figure 2.4. In this NPR, the term "System Safety Models" is used to include both qualitative safety analysis and probabilistic risk assessment models. It is important to emphasize that qualitative safety analysis, to be most effective, needs to be scenario-based, even if the risks of scenarios are not explicitly quantified.


10 Decision making is the process of selecting "the most preferential (according to predetermined rules) choice" from a number of available choices. Each choice represents a decision alternative.

11 Probabilistic risk assessments are used to systematically develop the set of risk triplets discussed earlier. Probabilities, magnitude of consequences, and associated uncertainties are evaluated using various analytical models (including reliability and availability models) and all available evidence, which includes physics, past experience, and expert judgment.


Figure 2.4: The Role of System Safety Models in Decision Making

2.3.12 Figure 2.4 shows, importantly, that probabilistic risk assessment complements and supports qualitative safety analyses and does not replace them. The deliberation that takes place before a decision is made utilizes the insights and results of both the qualitative "deterministic" analyses and the probabilistic risk assessment. Possible conflicts between these results may be resolved during the deliberation. This process of decision making is therefore risk-informed, not risk-based. It is important to note that the decision is the result of a combination of analysis and deliberation.

2.3.13 The deliberation at the end of the process imposes a responsibility on the decision makers who must consider subjectively the impact of each decision option on various metrics 13 that represent technical and programmatic objectives as well as on metrics that represent safety considerations. Consequently, it would be desirable to move as much of this burden as possible from the deliberation to the analysis and to begin such analysis early in Formulation. 12

2.3.14 To facilitate the deliberation, we develop the hierarchical tree of Figure 2.5, which shows how system safety models along with other models are utilized to assess the impact of a decision alternative on safety and other objectives.

2.13.15 The top tier of this tree is "Program Success." The idea is to evaluate the impact on this ultimate objective of each decision alternative listed in the diamond at the bottom of the figure. Since "Program Success" is very general, a hierarchical approach is employed to develop quantitative metrics that will measure the achievement of this top-level objective. The next tier in the tree lists the general objective categories that constitute program success; i.e., "Affordability," "Program technical objectives," "Safety," and "Stakeholder support." 14 At the next tier, these categories are elaborated upon further by listing a number of objectives. Thus, the category "Safety" becomes the four objectives: "Protect public health," "Protect workforce health," "Protect environment," and "Protect program and public assets." The next tier of the tree, labeled "potential adverse consequences," shows quantitative metrics for each objective. For example, two metrics for the objective "protecting environment" are: "earth contamination" and "planetary contamination." These metrics, also called Performance Measures (PMs), allow quantitative assessment of the impact of each decision alternative on the objectives. This hierarchical, tree-like structure shows the objectives that the decision maker values in making the decision. It provides a convenient structure for:

a. Identification of safety PMs (measures of safety adverse consequences) and other technical and programmatic PMs in the context of the program's high-level objectives.

b. Formulating risk tradeoff studies.

c. Capturing of decision maker's preferences. 15

d. Ranking of decision alternatives according to their desirability (based on consideration of PMs and preferences).

e. Deliberation that is required as part of the decision-making process.


12 Details on the analytic-deliberative decision-making process are given in the National Research Council's report "Understanding Risk: Informing Decisions in a Democratic Society," National Academy Press, Washington, DC, 1996.

13 The Institute of Electrical and Electronics Engineers (IEEE) defines metric as a quantitative measure of the degree to which a system, component, or process possesses a given attribute.

14 These objectives must be fundamental objectives; i.e., objectives that the decision maker fundamentally cares about.

15 The PMs (adverse consequences), in general, are not valued equally by the decision maker.


2.3.16 A PM is a metric that is related to risk and/or the constituents of risk (e.g., probability, consequence). It provides risk insight into a process, a project, or a product to enable assessment and improvement. Safety PMs are metrics that provide measures of the safety performance of a system. Because adverse space mission mishaps are rare and an absence of mishaps does not assure that no mishaps will occur in the future, safety PMs provide a means of assessing and monitoring safety performance to enable design and operational decisions aimed at preventing mishaps and optimizing safety. High level safety PMs (see the hierarchy shown in Figure 2.5) can be defined in terms of the probability of a consequence type of a specific magnitude (e.g., probability of any general public deaths or injuries) or the expected magnitude of a consequence type (e.g., the number of public deaths or injuries). Metrics such as "Probability of failure to meet a mission critical function" can be used as non-safety PMs. Safety and non-safety PMs, along with other performance measures such as reliability, provide decision makers with the ability (1) to set performance goals (e.g., safety goals), (2) to trade performances, and (3) to monitor performances at different stages of the system life cycle.

Figure 2.5: The Role of System Safety Models and Other Models in Risk-informed Decision Making

2.3.17 Relationship of System Safety Technical Processes with Other Technical Processes

2.3.18 The system safety technical processes provided in this chapter cannot be effective unless they are performed by well-trained and experienced safety analysts and are supported by engineering and safety-related activities that include:

a. Ensuring that safety, software, and quality standards are applied and utilized throughout the project life cycle (e.g., NASA-STD-8719.13, Software Safety Standard, and NASA-STD-8739.8, Software Assurance Standard). These are included in the box "Qualitative System Safety Analysis" of Figure 2.4 and in the deliberation.

b. Monitoring processes to ensure that lessons learned are used as feedback to inform safety-related models and activities.

c. Ensuring that best practices in system engineering are followed in the design of the system.

Note: Requirements for system engineering are provided in NPR 7123.1, Systems Engineering Procedural Requirements.

2.4 Scope of System Safety Modeling

2.4.1 Decision makers throughout the entire life cycle of the project, beginning with concept design and concluding with decommissioning, must consider safety. However, the level of formality and rigor that is involved in implementing the system safety processes should match project potential consequences, life cycle phase, life cycle cost, and strategic importance. To assist in determining the scope of activities for safety evaluations as a function of project characteristics, two tables are provided. The categorization scheme identified in Table 2.1 is used to determine a project priority. This table is similar to Table 1 from NPR 8705.5, Probabilistic Risk Assessment (PRA) Procedures for NASA Programs and Projects.

Table 2.1. Criteria for Determining the Project Priority

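CONSEQUENCE CATEGORY | CRITERIA / SPECIFICS | Project Priority Ranking
Human Safety and Health | Public Safety and Health: Planetary Protection Program Requirement | I
Human Safety and Health | Public Safety and Health: White House Approval (PD/NSC-25) | I
Human Safety and Health | Public Safety and Health: Space Missions with Flight Termination Systems | I
Human Safety and Health | Human Space Flight | I
Mission Success (for non-human rated missions) | High Strategic Importance Projects | I
Mission Success (for non-human rated missions) | Limited Window | I
Mission Success (for non-human rated missions) | High Cost (See NPR 7120.5) | I
Mission Success (for non-human rated missions) | Medium Cost (See NPR 7120.5) | II
Mission Success (for non-human rated missions) | Low Cost (See NPR 7120.5) | III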

2.4.2 Once the project priority is determined, the scope of system safety modeling is determined using Table 2.2.

2.4.3 Projects identified as "Priority I" ranking from Table 2.1 are generally the most visible and complex of NASA's product lines. Because of this, the system safety technical processes for Priority I projects must include probabilistic risk assessment as specified in NPR 8705.5, Probabilistic Risk Assessment (PRA) Procedures for NASA Programs and Projects. For Priority II or III projects, Table 2.2 provides latitude to adjust the scope of system safety modeling. This graded approach to the application of system safety modeling also operates on another dimension. That is, the level of rigor and detail associated with system safety modeling activities must be commensurate with the availability of design and operational information. 16 The two-dimensional nature of the graded approach is intended to ensure that allocation of resources to system safety technical activities considers the visibility and complexity of the project and to ensure that the level of rigor associated with system safety models follows the level of maturity of the system design.


16 For example, during the formulation phase, an order-of-magnitude or bounding assessment may be performed. In this type of assessment, the probability and/or the magnitude of consequence is approximated or bounded instead of deriving a best-estimate. These assessments are useful for screening purposes and initial risk tradeoff studies.


Table 2.2: Graded Approach to System Safety Modeling

Priority Ranking | Scope (The level of rigor and details are commensurate with the level of design maturity)
I | Probabilistic risk assessment (per NPR 8705.5) supported by qualitative system safety analysis
II | Qualitative system safety analysis supplemented by probabilistic risk assessment where appropriate
III | Qualitative system safety analysis

2.5 Core Requirements for System Safety Processes

2.5.1 The system safety modeling approaches previously described should be implemented as part of technical processes that represent system safety activities. Conceptually, system safety activities consist of three major technical processes as shown in the circular flow diagram in Figure 2.6. These processes are designed to systematically and objectively analyze hazards and identify the mechanism for their elimination or control. These processes begin in the conceptual phase and extend throughout the life cycle of a system including disposal. In general, requirements for safety system technical processes must provide a risk-informed perspective to decision makers participating in the project life cycle. The three critical technical processes to a successful system safety program are (1) system safety modeling, (2) life cycle applications of models for risk-informed decisions, and (3) monitoring safety performance. The circular flow indicates that these technical processes are linked and are performed throughout the project life cycle. A System Safety Technical Plan is used to guide the technical processes and establish roles and responsibilities. This plan is established early in the formulation phase of each project and updated throughout the project life cycle.

Figure 2.6: The System Safety Technical Processes

2.5.2 System Safety Technical Plan (SSTP)

2.5.2.1 The SSTP is designed to be a technical planning guide for the technical performance and management of the system safety activities. The SSTP can be a stand-alone document, or part of the SMA plan or the Systems Engineering Management Plan (SEMP). It provides the specifics of the system safety modeling activities and describes what and how safety adverse consequences will be modeled, how system safety models (qualitative and probabilistic risk assessments) will be integrated and applied for risk-informed decision making and safety monitoring, how the technical team(s) responsible for generating and maintaining system safety models will interact with the system engineering organizations, the reporting protocol, and the cost and schedule associated with accomplishing system safety modeling activities in relation to the critical or key events during all phases of the life cycle.

2.5.1.2 Project managers shall:

a. Ensure, for Category I project/programs, that the SSTP is approved by the governing Program Management Council (PMC) and has concurrence by the cognizant SMA managers and the project's senior engineer (Requirement).

b. Ensure that the System Safety Manager and the prime contractor (for out-of-house projects) have the resources to implement the SSTP (Requirement 25082).

c. Ensure, for Category I project/programs, that changes to the SSTP are approved by the governing PMC and have concurrence by the Chief, Safety and Mission Assurance (Requirement).

d. When the SSTP is not an integral part of the SEMP, ensure the SSTP is coordinated with the SEMP for the integration of system safety activities with other system engineering technical processes (Requirement).

2.5.1.3 The Center SMA Director shall:

a. In coordination with the program/project manager, assign a System Safety Manager to have specific responsibility for the development and implementation of the SSTP (Requirement 25081).

b. Ensure that the assigned System Safety Manager has demonstrated expertise in safety analysis including, in the case of Category I and II projects, the application of probabilistic risk assessment techniques (Requirement).

c. Ensure that all personnel with project safety oversight responsibilities are funded by other than direct project funding sources (Requirement).

2.5.1.3 The assigned System Safety Manager shall:

a. Develop a SSTP during the project formulation phase and update the plan throughout the system life cycle (Requirement).

b. Ensure that the scope of system safety technical processes in the SSTP follows the graded approach specified in Tables 2.1 and 2.2 (Requirement 32105).

c. Ensure that the SSTP provides the specifics of the system safety modeling activities and their application to risk-informed decision making and safety monitoring throughout the project life cycle (Requirement).

d. In consultation with the project managers, establish and document in the SSTP the objectives and scope of the system safety tasks and define applicable safety deliverables and performance measures (Requirement).

e. Provide technical direction and manage implementation of system safety activities as specified in the SSTP (Requirement).

f. Ensure that system safety engineering activities are integrated into system engineering technical processes (Requirement).

g. Determine the acceptability of residual risk stemming from safety assessments (Requirement).

h. Ensure that specific safety requirements are integrated into overall programmatic requirements and are reflected in applicable program and planning documents including the statement of work for contractor designs (Requirement 32120).

i. Maintain appropriate safety participation in the program design, tests, operations, failures and mishaps, and contractor system safety activities at a level consistent with mishap potential for the life of the program (Requirement 25094).

j. Establish an independent safety reporting channel to keep the Center SMA Director apprised of the system safety status (including tests and operations), particularly regarding problem areas that may require assistance from the Center, the NASA Engineering and Safety Center, or Headquarters (Requirement 25095).

k. Support OSMA requirements for audits, assessments, and reviews (Requirement).

2.5.3 System Safety Modeling

2.5.3.1 Developing and maintaining technically sound and tractable safety models are essential activities for ensuring safety. In these activities, analysts use all the relevant and available information including design documents, operational procedures, test results, operational history, and human and software performance to develop comprehensive system safety models. Developing these models is multidisciplinary and may involve diverse and geographically dispersed groups. Thus, it is important for the safety modeling activities to be coordinated in order to ensure consistency and technical quality.

2.5.3.2 Safety models need to be synchronized with the system design and operational state-of-knowledge to ensure the models match the collected engineering information during operation with model predictions.

2.5.2.3 System Safety Managers shall ensure that the system safety modeling activities are fully integrated into system engineering and are supported by domain, systems, and specialty engineers (Requirement).

2.5.2.4 System engineers shall:

a. Ensure that system safety models use systematic, replicable, and scenario-based techniques to identify hazards, to characterize the risk of accidents, to identify risk control measures, and to identify key uncertainties (Requirement 32122).

b. Initially conduct system safety analyses during project formulation and design concept phases (prior to the Preliminary Design Review) and maintain and update these analyses continuously throughout the project life cycle (Requirement 32126).

c. Ensure, for Category I and II program/projects, probabilistic risk assessment techniques are used for system safety analysis (Requirement).

d. Ensure that the system safety models are developed in an iterative process to allow model expansion, model updating, and model integration as the design evolves and operational experience is acquired (Requirement).

Note: Relevant leading-indicator (or precursor 17) events should be documented and evaluated for their impact on the system safety analyses assumptions. Trending of these precursor events should be conducted and contrasted to applicable PMs.

e. Use system specific and all relevant data including failure histories, mishap investigation findings, and the NASA LLIS in system safety analysis (Requirement).

f. Maintain an up-to-date database of identified hazards, accident scenarios, probabilities and consequences, and key uncertainties throughout the life of the program (Requirement 25093).

g. Document the bases for the system safety analyses including key assumptions, accident scenarios, probabilities, consequence severities, and uncertainties such that they are traceable (Requirement).

2.5.4 Application of System Safety Models for Risk-informed Decisions

2.5.4.1 Safety and technical risk considerations are critical in the decision-making process. When faced with a decision, several conflicting alternatives may be available to the decision maker. In a risk-informed decision-making framework, the decision maker considers safety and other technical attributes as well as programmatic attributes, such as cost and schedule, to select the best decision alternative.

2.5.4.2 Program/project managers shall:

a. Ensure that a framework is constructed for systematically incorporating system safety analysis results into the evaluation of decision alternatives (Requirement).

b. Establish and document a formal and transparent decision-making process for hazard closure 18 and formally accepting residual risk that has been determined to be acceptable by the cognizant technical authority (Requirement 25085).

c. Ensure acceptable residual risks 19 are accepted in writing (Requirement 32114). (See paragraph 1.6 of this NPR.)

d. Ensure that decisions to accept risk are coordinated with the governing SMA organization and communicated to the next higher level of management for review (Requirement 32115). (See paragraph 1.6.2 of this NPR.)

e. Where residual risks have been determined by either the cognizant technical authority or the cognizant SMA authority as "unacceptable," initiate risk mitigation/control activities, as appropriate, to reduce the risk to an acceptable level (Requirement).

f. Ensure that the requirements of this Chapter are specified in related contracts, memoranda of understanding, and other agreement documents (Requirement). (See Chapter 9 of this NPR.)


17 A precursor is an occurrence of one or more events that have significant failure or risk implications.

18 Closure of a hazard condition or other safety issue is the demonstration that all safety requirements expressly formulated to address the condition or issue have been satisfied.

19 Residual risk is the level of risk that remains present after applicable safety-related requirements have been satisfied. In a risk-informed context, such requirements may include measures and provisions intended to reduce risk from above to below a defined acceptable level.


2.5.4.3 The System Safety Manager shall:

a. Ensure that system safety models are constructed to support the implementation of the risk-informed decision framework (Requirement).

b. Ensure that the system safety models incorporate all the safety attributes important to risk-informed decision making by working with the project manager and other decision makers as deemed appropriate (Requirement).

c. Establish the methods and tools that are used in the risk-informed framework (Requirement).

d. Check and validate the methods and tools before implementation and obtain concurrence from the project manager (Requirement).

e. Document the bases for the methods and tools used and analytical results (Requirement).

2.5.5 Performance Monitoring

2.5.5.1 Safety, like other performance attributes, is monitored during the entire life cycle to ensure that an acceptable level of safety is maintained.

2.5.5.2 Project managers shall ensure that the performance attributes and precursors that are identified as being important indicators of system safety are monitored (Requirement).

2.5.5.3 The System Safety Manager shall:

a. Establish the methods and tools that are used in the performance monitoring and precursor assessments (Requirement).

b. Check and validate the methods and tools used for performance monitoring and precursor assessments before implementation (Requirement).

c. Maintain an up-to-date database of the performance monitoring results and precursor results (Requirement).

d. Ensure that the performance monitoring and precursor data are fed back into system safety analyses and the results updated (Requirement).

e. Document the bases for the methods and tools that are used in the performance monitoring and precursor assessments (Requirement).

2.6 System Safety Reviews

2.6.1 System Safety and Mission Success Program Reviews are conducted in conjunction with other program milestones. The purpose of these reviews is to evaluate the status of system safety and risk analyses, risk management, verification techniques, technical safety requirements, and program implementation throughout all the phases of the system life cycle.

2.6.2 The program/project manager shall:

a. Conduct periodic system safety and mission success reviews of their program/project depending on the complexity of the system (Requirement 25099).

Note: The greater the risks, complexity of the system, or visibility of the programs, the greater the independence and formality of the reviews.

b. Document the periodicity of the System Safety and Mission Success Program Reviews in the SSTP (Requirement).

c. Ensure that the System Safety and Mission Success Program Reviews focus on the evaluation of management and technical documentation, hazard closure, and the safety residual risks remaining in the program at that stage of development (Requirement 32129).

d. Establish and maintain dedicated independent assessment activities for Priority I programs and projects, such as the Constellation Program (Requirement 32113).

2.6.3 The System Safety Manager shall:

a. Conduct periodic independent reviews of the system safety tasks keyed to project milestones (Requirement 25091).

b. Assist and support independent review groups established to provide independent assessments of the program (Requirement 25092).

c. Support the OSMA independent safety assessment process to determine readiness to conduct tests and operations having significant levels of safety risks (Requirement).

2.7 Change Review

2.7.1 Systems are changed during their life cycle to enhance capabilities, improve safety, provide more efficient operation, and incorporate new technology. With each change, the original safety aspects of the system can be impacted, either increasing or reducing the risk. Any aspect of controlling hazards can be weakened, risks can be increased, or conversely, risks can be decreased. Even a change that appears inconsequential could have significant impact on the baseline risk of the system. Accordingly, proposed system changes should be subjected to a safety review or analysis, as appropriate, to assess the safety and risk impacts, including implications on controls and mitigations for significant hazards and FMEA/CILS.

2.7.2 The project manager and the System Safety Manager shall:

a. Update the system safety analyses to identify any change in risk (Requirement 25102).

b. Ensure that safety personnel assess the potential safety impact of the proposed change and any changes to the baseline risk and previously closed hazards (Requirement 32137).

c. Ensure that proposed changes to correct a safety problem are analyzed to determine the amount of safety improvement (or detriment) that would result from incorporation of the change (Requirement 32138).

d. Ensure that the safety impact for every change that is proposed to a program baseline (even if the statement is "No Impact") is documented (Requirement 32139).

2.8 Documentation

2.8.1 The maintenance of the SSTP is required to provide ready traceability from the baseline safety requirements, criteria, and efforts planned in the conceptual phases through the life cycle of the program.

2.8.2 The project manager (or designated agent) and the System Safety Manager shall:

a. Ensure that all pertinent details of the system safety analysis and review are traceable from the initial identification of the risks through their resolution and any updates in the SSTP (Requirement 25100).

b. Ensure that records are maintained per NPR 1441.1, NASA Records Retention Schedules (Requirement 32130).

2.8.3 The System Safety Manager shall:

a. Submit a system safety analysis report to the program/project manager at each milestone (formulation, evaluation, implementation, or other equivalent milestones [e.g., Safety Requirements Review 20, Preliminary Design Review, Critical Design Review, and Flight Readiness Review]) detailing the results of the system safety analyses completed to date to document the status of system safety tasks (Requirement 25101).

b. Ensure that each submitted revision to the system safety analysis report lists the risks that have been addressed, the risks that have yet to be addressed, and expected residual risks that will remain following the implementation of risk reduction strategies (Requirement 32132).

c. Ensure that the system safety analysis report documents management and technical changes that affect the established safety baseline (by changes in the planned approach, design, requirements, and implementation) and is revised when required (Requirement 32133).

d. Ensure that a final approved system safety analysis report is produced that contains a verification of the resolution of the risks and a written acceptance of the residual risks from the program/project manager to complete the audit trail (Requirement 32134).


20 Safety requirements include both deterministic and risk-informed requirements. A deterministic safety requirement is the qualitative or quantitative definition of a threshold of action or performance that must be met by a mission-related design item, system, or activity in order for that item, system, or activity to be acceptably safe. A risk-informed requirement is a safety requirement that has been established, at least in part, on the basis of the consideration of a safety-related risk metric and its associated uncertainty.


CHAPTER 3. Operational Safety

3.1 Purpose and Objectives

3.1.1 This chapter establishes safety procedural requirements for NASA operational safety. The objective of this chapter is to protect the public; flight, ground, laboratory, and underwater personnel; the environment; aircraft; spacecraft; payloads; facilities; property; and equipment from operations-related safety hazards. This NPR is not inclusive of all regulations and requirements governing operations. Citations are indicated throughout the text for applicable standards, specifications, and other references.

3.1.2 NASA has established an Engineering and Construction Innovations Committee to nurture and foster the identification and appropriate use of new innovations and practices to improve the process of delivering high quality facilities projects. Each Center or off-site facility with responsibility for construction projects has one member/vote on the Engineering and Construction Innovations Committee.

3.1.3 Center Directors shall conduct safety inspections of all facilities, occupied or unoccupied, at least annually to ensure compliance with safety, fire protection, and building codes and standards.

3.2 Motor Vehicle Safety

3.2.1 Center Directors shall ensure that motor vehicle operating procedures comply with Federal, State, and local motor vehicle safety regulations.

3.2.2 Motor Vehicle Operation

Note: Motor vehicles include electric utility cars.

3.2.2.1 Operators of motor vehicles on NASA property or operating a NASA vehicle both on and off NASA property shall:

a. Not drive a motor vehicle for a continuous period of more than 10 hours, including a combination of personal driving and driving for official NASA business.

b. Not drive a motor vehicle for a combined duty period that exceeds 12 hours in any 24-hour period, without at least 8 consecutive hours of rest.

c. Not use hand-held communication devices while the vehicle is in motion except for emergency, security, and fire vehicles during official operations.

Note: This includes cell phones, UHF radios, or other hand-held wireless communication devices. When there are two individuals traveling in an emergency, security, or fire vehicle during official operations, the passenger should be the person to use the hand-held communication device.

d. Ensure that children unable to use seat belts while in Federal vehicles are secured in DOT-approved child safety seats that are properly installed.

e. Have formal training, as required in paragraph 7.3.1 of this NPR, if operation of the vehicle involves skills beyond those associated with normal, everyday operation of private motor vehicles.

3.2.2.2 Center Directors shall ensure that any variation from the above policy has safety office approval.

3.2.2.3 Center Directors shall ensure that all NASA motor vehicles used off NASA Centers are inspected to the standards of the State or other jurisdiction's vehicle safety inspection requirements.

3.2.3 Seat Belts

Executive Order 13043, Increasing Seat Belt Use in the United States, dated April 16, 1997, as amended, requires all Federal employees to use seat belts while on official business. The EO states seat belt use is required by Federal employees operating or in any vehicle with seat belts while on Federal business.

3.2.3.1 Center Directors shall ensure that:

a. Center policy requires passengers not be carried in the cargo area of pickup trucks, flatbeds, or special purpose equipment such as fire trucks or escape trucks unless designated occupant positions with seat belts are provided (see 49 CFR Part 571, Federal Motor Vehicle Safety Standards).

b. Center policy requires the use of seat belts for all occupants of motor vehicles operated on NASA property, including delivery vans and trucks of all sizes, at all times the vehicle is in motion.

3.2.4 Annual Seat Belt Report

3.2.4.1 Director, Safety and Assurance Requirements Division, shall:

a. Prepare and submit an annual status report to the Secretary of Transportation on NASA-wide seat belt use.

Note: Required by EO 13043, Increasing Seat Belt Use in the United States, dated April 18, 1997, as amended. The annual report includes seat belt usage rates and statistics of crashes, injuries, and related costs involving Federal employees on official business. DOT consolidates this data into an annual status report to the President for all Federal Agencies.

b. Coordinate data for the annual report with the Office of Institutions and Management and the OCHMO.

Note: The format and submittal date for the report will be as directed each year by the Secretary of Transportation.

3.2.5 Traffic Control Devices and Markings

3.2.5.1 Center Directors shall use the ANSI D6.1, Manual on Uniform Traffic Control Devices for Streets and Highways, for guidance when setting traffic control devices or marking roads for motor vehicle operations on NASA property.

3.3 Personal Protective Equipment (PPE)

3.3.1 Requirements for the stocking and issuance of PPE are provided in NPR 4100.1, NASA Materials Inventory Management Manual.

3.3.2 Requirements for the accountability of PPE are provided in NPR 4200.1, NASA Equipment Management Manual.

3.3.3 Requirements for the use, including the training for, storage, and maintenance, of PPE are provided in 29 CFR Part 1910, Subpart I, Personnel Protective Equipment.

3.3.4 Examples of PPE. Items which may be purchased and issued by NASA include, but are not limited to, the following:

a. Safety goggles and safety spectacles (plain and prescription).

b. Welding helmets and shields.

c. Safety shoes.

d. Steel sole and/or toe safety boots.

e. Aprons, suits, and gloves (e.g., fire resistant materials, leather, rubber, cotton, and synthetics).

f. Protective head gear (e.g., hard hats and caps, liners, helmets, and hoods).

g. Face shields.

h. Specialty items of protective nature (e.g., cryogenic handlers suits, Self-Contained Atmospheric Protective Ensemble suits, fire fighter suits, foul weather gear, harnesses, life belts, lifelines, life nets, insulated clothing for "cold test" exposure, supplied air suits, and electrical protective devices).

j. Hearing protective devices.

3.3.5 Center Directors shall:

a. Issue PPE to NASA employees at Government expense in those situations where engineering controls, management controls, or other corrective actions have not reduced the hazard to an acceptable level or where use of engineering controls, management controls, or other techniques is not feasible.

b. Authorize (or deny) the purchase of PPE after the purchase request has been reviewed by safety and health professionals to determine proper specifications and adequacy of abatement.

Note: The authority for the purchase of PPE with appropriated funds is provided in 5 U.S.C. 7903, Protective Clothing and Equipment. It is recommended that local safety and health committees be involved in the decision to purchase PPE.

c. Ensure that only clothing and equipment meeting Federal regulations, industrial standards, or NASA special testing requirements are used for PPE.

Note: Transients or visitors may be furnished PPE on a temporary basis if they are on site for NASA-related business purposes or at NASA's invitation.

d. Ensure that non-NASA, contractor, and non-contractor personnel at their Center procure their own PPE to provide an equivalent level of safety.

e. Ensure that non-NASA, contractor, and non-contractor personnel at their Center provide the appropriate training, fit testing, and compliance with other Federal, State, local, and NASA PPE requirements.

f. Have a formal Respiratory Protection Program if respirators are used at their Center (Requirement 32294).

Note: The OCHMO at NASA Headquarters provides guidance for purchasing, training, selection, and qualification for use of respiratory protective devices and other health-related PPE.

3.3.6 COs and COTRs shall ensure that contracts require non-NASA, contractor, and non-contractor personnel to procure their own PPE.

3.3.7 NASA hosts, guides, or area supervisors shall be responsible for obtaining, issuing, and recovering PPE issued to transients or visitors on site for NASA-related business purposes or at NASA's invitation.

3.4 Control of Hazardous Energy (Lockout/Tagout Program)

3.4.1 Requirements for all NASA Centers, facilities, and operations that have the responsibility for controlling hazardous energy involving electrical, pressure, hydraulic, pneumatic, and mechanical systems are given in 29 CFR 1910.147, The Control of Hazardous Energy (lockout/tagout).

3.4.2 Center Directors shall establish a program for controlling hazardous energy during service and maintenance operations where the unexpected energizing or startup of equipment could cause injury to employees or equipment damage.

3.5 Pressure System Safety

Requirements for NASA pressure vessel and vacuum system safety are provided in NPD 8710.5, NASA Safety Policy for Pressure Vessels and Pressurized Systems.

3.5.1 Center Directors and Project Managers shall use NPD 8710.5, NASA Safety Policy for Pressure Vessels and Pressurized Systems, to protect personnel and property from hazards posed by pressure vessels and pressurized systems.

Note: This document assigns responsibilities for the various aspects of a NASA pressure vessel and pressurized systems safety program, references the codes, standards, guides, and Federal regulations that must be followed, and establishes unique NASA requirements.

3.6 Electrical Safety

3.6.1 This paragraph provides requirements for protecting personnel and property from electrical hazards. It applies to all NASA uses of electrical power.

3.6.2 Center Directors shall ensure that:

a. Electrical systems are designed in accordance with NFPA 70, National Electric Code, MIL-454, Standard General Requirements for Electronic Equipment, or Center-specific requirements if more specific.

b. Electrical systems are operated and maintained to adequately control hazards likely to cause death or serious physical harm or severe system damage.

c. All electrical systems are reviewed by the Center's safety office for appropriate location and for proximity to ignitable or combustible material such as gas, vapor, dust, or fiber.

d. All electrical work deemed hazardous by job safety analysis is performed by personnel familiar with electrical code requirements in accordance with NFPA 70E, Standard for Electrical Safety in the Workplace, and qualified/certified for the class of work to be performed.

e. Transformer banks or high-voltage equipment (600+ volts) are protected by an enclosure to prevent unauthorized access with metallic enclosures being grounded (Requirement 32305).

f. Entrances to enclosed transformer banks or high-voltage equipment (600+ volts) not under constant observation are kept locked.

g. Signs warning of high voltage and prohibiting unauthorized entrance are posted at entrances and on the perimeter of enclosed transformer banks or high-voltage equipment (600+ volts).

h. An authorized access list of qualified personnel is maintained for enclosed transformer banks or high-voltage equipment (600+ volts) (Requirement 32308).

i. Inductive floors or other methods are used where electrostatic discharge is a significant hazard to personnel or hardware (Requirement 32309).

3.6.2 Supervisors shall ensure that:

a. No person works alone with high voltage electricity (Requirement 32303).

b. One person, trained to recognize electrical hazards, is delegated to watch the movements of other personnel working with electrical equipment to warn them if they get dangerously close to live conductors or perform unsafe acts and to assist in the event of a mishap.

3.7 Hazardous Material Transportation, Storage, and Use

3.7.1 This paragraph provides requirements for protecting persons and property during the transportation, storage, and use of hazardous materials. NASA policy for transporting hazardous material or hazardous or radiological waste is contained in NPD 6000.1, Transportation Management.

Note: The OCHMO maintains a Web-based hazardous materials information database (ChemWatch) that is available for use by all NASA and NASA contractor personnel. Contact the Senior Environmental Health Officer for Web access to the database on (321) 867-2961.

3.7.2 Requirements for the transport of hazardous materials on both Federal property and public roadways are provided in applicable Federal regulations (e.g., DOT, EPA, and OSHA) and State and local laws and regulations.

3.7.3 Hazardous material is defined by law as a substance or materials in a quantity and form which may pose an unreasonable risk to health and safety or property when transported in commerce (49 CFR Part 171.8, Regulations, Definitions, and Abbreviations). The Secretary of Transportation has developed a list of hazardous materials given in 49 CFR Part 172.101, Purpose and Use of Hazardous Materials Tables.

3.7.4 Typical hazardous materials are those that may be highly reactive, poisonous, explosive, flammable, combustible, corrosive, and radioactive; produce contamination or pollution of the environment; or cause adverse health effects or unsafe conditions.

3.7.5 Transporting Hazardous Material

3.7.5.1 Center Directors shall ensure:

a. That the mode of transportation is inspected to the standards of the Federal Highway Administration, U.S. Coast Guard, Department of Transportation, and Federal Railroad Administration.

b. That all contractor motor vehicles, rail cars, boats, and ships covered by NASA Bill of Lading and used for the transportation of hazardous material have passed an inspection prior to loading to assure that the vehicle or vessel is in safe mechanical condition.

c. That all vehicles transporting hazardous materials on NASA and public roadways display all DOT-required placards, lettering, or numbering.

d. That hazardous material defined in 49 CFR Part 171.8, Hazardous Material Regulations, Definitions, and Abbreviations, is not transported in NASA administrative aircraft.

Note: To ensure hazardous material is not inadvertently loaded on administrative aircraft, all cargo for shipment should be routed through the Center's transportation office or, if en route, cargo should be accepted only from a certified shipper or freight forwarding agency.

3.7.6 Hazardous Material Storage, Use, and Disposal Inventories

3.7.6.1 Center Directors shall ensure:

a. That hazardous material storage, use, and disposal inventories are conducted at least annually (Requirement).

b. That the conditions of materials in storage are assessed at least quarterly, and those determined to be unsuitable for use are removed from active inventory.

c. That local procedures address the requirements for release prevention, control, countermeasures, contingency planning, and include a listing of restricted/prohibited materials for purchasing and use at Centers.

Note: Requirements for the storage, use, and disposal of hazardous materials are provided in Federal and State regulations.

d. That NASA procurement activities reference 29 CFR Part 1910.1200, Hazard Communication, and Federal Standard 313, Material Safety Data, Transportation Data and Disposal Data for Hazardous Materials Furnished to Government Activities, as revised, in commodity specifications, purchase descriptions, purchase orders, contracts, and other purchase documents.

e. That electronic, magnetic, optical, or paper copies of all Material Safety Data Sheets (MSDS) are maintained in the work area where the material is being used or stored.

f. The employees in work areas where hazardous materials are being used or stored are permitted to view any MSDS sheet maintained on file.

Note: The NASA MSDS Inventory is accessible at: http://msds.ksc.nasa.gov.

3.7.6.2 Receiving offices at each Center shall provide copies of the MSDS for receipt of such commodities to the central office responsible for maintaining the MSDS records.

Note: Safety forms and reports are retained per NPR 1441.1, NASA Records Retention Schedules.

3.8 Hazardous Operations

3.8.1 NASA hazardous operations involve materials or equipment that, if misused or mishandled, have a high potential to result in loss of life, serious injury or illness to personnel, or damage to systems, equipment, or facilities. Adequate preparation and strict adherence to operating procedures can prevent most of these mishaps. This paragraph applies to operations that occur on a routine or continuous basis. Requirements for protecting personnel and property during hazardous test operations are provided in paragraph 3.14 of this NPR.

3.8.2 Center Directors and project managers shall:

a. Identify, assess, analyze, and develop adequate safety controls for all hazardous operations (Requirement 32323).

b. Ensure that all hazardous operations have a Hazardous Operating Procedure or a Hazardous Operating Permit (HOP) (Requirement 32324).

Note: HOPs consist of a detailed plan listing step-by-step functions or tasks to be performed on a system or equipment to ensure safe and efficient operations. HOPs list special precautions, start and stop time of the operation, and the approving supervisor(s). Certain operations (e.g., rigging, high voltage) depend on adherence to overall standards and general guidelines and specific training as opposed to HOPs for each specific operation.

c. Ensure that all HOPs developed at NASA sites or for NASA operations have concurrence from the responsible fire protection or safety office (Requirement).

d. Ensure that all HOPs are approved by the NASA Center safety office or the contractor safety office to assure that a review has been performed (Requirement 32329).

e. Ensure that requests for relief or changes to HOPs are also approved by the cognizant NASA Center safety office or contractor safety office to assure that a review has been performed.

Note: If requests for relief or changes to HOPs are approved by the contractor's safety office, a copy should be forwarded to the local NASA safety office for informational purposes.

f. Ensure facility operating instructions and changes are developed based on the facility mission and operational requirements.

g. Ensure that all procedures include sufficient detail to identify residual hazards and cautions to NASA personnel.

h. Ensure that hazardous procedures are marked conspicuously on the title page; e.g., "THIS DOCUMENT CONTAINS HAZARDOUS OPERATIONS PROCEDURES," to alert operators that strict adherence to the procedural steps and safety and health precautions contained therein is required to ensure the safety and health of personnel and equipment (Requirement 32328).

i. Ensure that specific personnel certification requirements are established, as listed in Chapter 7, in cases where hazardous operations (e.g., rigging, high voltage) depend on adherence to specific standards, guidelines, and training.

j. Ensure that personnel other than certified operators are excluded from exposure to hazardous operations that depend on adherence to specific standards, guidelines, and training.

k. Ensure that personnel use the buddy system whereby an adjacent or nearby person not directly exposed to the hazard serves as an observer to render assistance where the risk of injury is high.

3.8.3 Center SMA Directors or their designee shall review and approve HOPs (Requirement).

3.9 Laboratory Hazards

3.9.1 This paragraph provides guidance for protecting personnel and property in a laboratory environment. For the purposes of this document, a laboratory is a facility in which experimentation, testing, and analyses are performed on human or animal subjects, organisms, biological and other physical materials, substances, and equipment (including bioinstrumentation). Included also are certain equipment, repair, and calibration operations and processing of materials.

3.9.2 Center Directors and project managers shall ensure that:

a. The design of laboratories incorporates the requirements of State and Federal codes required for the individual Center (e.g., building, electrical, and fire protection for laboratory facilities).

b. Escape routes are provided, designed, and marked in accordance with the NFPA 101, Life Safety Code (Requirement 32333).

c. Occupational safety and health considerations such as ventilation, shower stalls, and eye wash stations are included in the design of laboratories.

Note: For facility acquisition and construction safety requirements, see Chapter 8.

d. The design, fabrication, or modification of laboratories used for experimentation, testing, or analyses performed on human or animal subjects are coordinated in advance with OCHMO at (202) 358-2390.

e. Laboratory facilities and areas with significant quantities of flammable, combustible, corrosive, and toxic liquids, solids, or gases are protected in accordance with provisions of NFPA 45, Standard on Fire Protection for Laboratories Using Chemicals, as modified below (Requirement 32335).

f. Laboratories not using or fitting the above chemical classification, yet housing unique, mission-critical, or high-value research equipment, conform to the provisions of NASA-STD 8719.11, Safety Standard for Fire Protection.

Note: In the design of laboratories, special facilities should be considered to ensure the integrity of the terrestrial environment as well as the integrity of biological and physical samples returned from space.

g. Laboratory designs include additional considerations for biohazards resulting from use or handling of biological materials such as infectious microorganisms, viruses, medical waste, or genetically engineered organisms.

Note: See 29 CFR Part 1910.1030, Blood Borne Pathogens, and NPR 1800.1, NASA Occupational Health Program Procedures, for additional details.

h. Laboratory designs include additional considerations to protect physical samples returned from space against terrestrial contamination and to protect the terrestrial environment against potential biological or toxic hazards due to these samples.

3.9.3 Chemical and Hazardous Materials

In addition to pertinent safety requirements found elsewhere in this document, the following requirements are specifically applicable to laboratories.

3.9.3.1 Center Directors and project managers shall ensure that:

a. Laboratories meeting the definition as described in 29 CFR Part 1910.1450, Occupational Exposure to Hazardous Chemicals in Laboratories, are operated in accordance with chemical hygiene plans.

b. Suitable facilities for quick drenching or flushing of the eyes and body of any person exposed to injurious corrosive materials are provided within the work area for immediate emergency use.

c. Installation, maintenance, and access to facilities for quick drenching and flushing of the eyes and safety showers are in accordance with ANSI 358.1, Emergency Eyewash and Shower Equipment, latest edition.

d. Eyewashes and/or safety showers are located no more than 10 seconds or 50 feet distance away from the hazard source.

3.9.4 Solar Simulators

3.9.4.1 Center Directors and project managers shall ensure that all personnel wear skin and eye protection while in direct view of a bare pressurized arc lamp, whether energized or not, unless the system is locked out or tagged out for maintenance or repair (Requirement 32344).

3.9.5 Ventilation

3.9.5.1 Policy and requirements for ventilation systems are provided in NPR 1800.1, NASA Occupational Health Program Procedures.

3.9.5.2 Center Directors shall ensure that their occupational health programs assure proper ventilation.

3.9.6 Glassware

Because some laboratory operations use a considerable amount of glassware and ceramics, necessary safeguards shall be employed to minimize personnel injury. Refer to the Guide for Safety in the Chemical Laboratory, Manufacturing Chemists' Association, Inc., and Handling Glassware.

3.10 Lifting Safety

3.10.1 Center Directors and project managers shall comply with NASA-STD-8719.9, Standard for Lifting Devices and Equipment, for protecting persons and property during lifting operations.

Note: This standard establishes minimum safety requirements for the design, testing, inspection, personnel certification, maintenance, and use of overhead and gantry cranes, mobile cranes, derricks, hoists, special hoist-supported personnel lifting devices, hydrasets, hooks, mobile aerial platforms, power industrial trucks, jacks, and slings for NASA-owned and NASA contractor-supplied equipment used in support of NASA operations at NASA Centers.

3.11 Explosive, Propellant, and Pyrotechnic Safety

3.11.1 Center Directors and project managers shall use NASA-STD-8719.12, Safety Standard for Explosives, Propellants, and Pyrotechnics, for protecting personnel and property from hazards of explosives and explosive materials, including all types of explosives, propellants (liquid and solid), oxidizers, and pyrotechnics.

3.11.2 Center Directors and project managers shall ensure that explosive, propellant, and pyrotechnic operations are conducted in a manner that exposes the minimum number of people to the smallest quantity of explosives for the shortest period consistent with the operation being conducted.

3.11.3 Center Directors shall designate in writing an Explosive Safety Officer (ESO) for explosives, propellant, and pyrotechnic operations at their Center (Requirement 32350).

Note: The Center SMA Director may recommend a candidate for Center ESO, if requested by the Center Director. For specific responsibilities of the ESO, refer to NASA-STD-8719.12, Safety Standard for Explosives, Propellants, and Pyrotechnics.

3.11.4 The ESO shall:

a. Manage the Center Explosives, Propellants, and Pyrotechnic Safety Program to assure a robust mishap prevention program is in place.

b. Ensure that the Explosives, Propellants, and Pyrotechnic Safety Program meets all Federal, NASA, State, and local requirements.

c. Represent the Center Director in this program to help assure that the minimum number of required personnel and critical resources are exposed to the minimum amount of explosives for the minimal amount of time for all explosive operations (Requirement).

d. Advise the Center Director on the programmatic health of the Explosives, Propellants, and Pyrotechnic Safety Program.

e. Represent the Center Director for all explosives, propellants, and pyrotechnic safety matters (Requirement).

f. Assure oversight of all processes required by NASA-STD-8719.12, Safety Standard for Explosives, Propellants, and Pyrotechnics.

g. Review all operating procedures for handling explosives, propellants, and pyrotechnics (Requirement).

h. Review and participate in the development of construction and/or modification plans for facilities or structures containing explosives, propellants, and pyrotechnics.

i. Review all locations and routes that provide for the transportation, storage, and handling of explosives, propellants, and pyrotechnic materials (Requirement).

j. Provide oversight for staff training and records and participate in the evaluation of selected training programs for explosive, propellant, and pyrotechnic safety.

Note: Safety forms and reports are retained per NPR 1441.1, NASA Records Retention Schedules.

k. Process and provide inputs for the approval of all explosive-related site plans and review current explosive site plans on an annual basis.

l. Assist in processing requests for relief in accordance with NASA-STD 8709.20 (Requirement).

m. Validate, approve, and sign all explosive licenses (Requirement).

Note: As defined in NASA-STD-8719.12, Safety Standard for Explosives, Propellants, and Pyrotechnics: Licensed Explosive Locations - Ammunition and explosive storage locations (not for explosive operations and excluding Hazard Division 1.1 & 1.2), which are normally outside the Center's explosive storage area but within NASA's area of control.

n. Review all Memorandums of Agreement associated with explosive, propellant, and pyrotechnic operations.

Note: If the ESO represents NASA as a tenant organization, the ESO assures compliance with the host requirements through formal negotiations and documentation of those agreements. If the ESO represents NASA as the Host, the ESO assures compliance with all appropriate elements of this NPR. In all cases, the ESO assures that agreements are formalized to maximize the health and safety of NASA employees and facilities.

o. Perform an independent hazard assessment of all laboratories and test facilities having activities that involve the mixing, blending, extruding, synthesizing, assembling, disassembling and other activities involved in the making of a chemical compound, mixture, or device which is intended to explode.

3.11.5 Explosives, electro-explosive devices (EEDs), electrically initiated devices (EIDs), NASA Standard Initiators (NSIs), and other devices are susceptible to unintentional ignition by many forms of direct or induced electrical energy including electromagnetic radiation (EMR) from ground and airborne emitters (radio frequency communication devices).

3.11.5.1 Center Directors shall ensure that the local radio frequency (RF) environments are characterized as a first step before situating pyrotechnic devices at any location to ensure RF levels are within the limits specified for the device as defined in NASA-STD-8719.12, Paragraph 5.13.5.

3.11.5.2 Center Directors shall ensure that the requirements of NASA-STD-8719.12, Safety Standard for Explosives, Propellants, and Pyrotechnics, Paragraph 5.13.5, are applied to all classes of equipment that may contain RF emitting devices (intentional and unintentional), including: Ground Support Equipment (GSE); Ground Support Systems (GSS); Facility Support Systems (FSS); other institutional equipment and devices; and personal devices.

Note: Types of RF emitting devices include, but are not limited to: cellular phones; answer-back pagers; portable computers and personal data assistants with wireless capability; wireless network access points; fixed, mobile, and portable radio transceivers; remote key fobs; RF laboratory and test equipment; RF surveillance and ranging devices; X-ray machines; IR ovens; wireless audio, video, and other information transmission systems; RFID readers and tags; and pulsed transmitters and radar systems.

3.11.5.3 Center Directors shall ensure that when there is a need (including emergency operations) to use an intentional or unintentional RF emitting device at an explosive operating location, explosive location, or explosive facility, only those RF emitting devices that meet and are tagged as meeting the requirements of NASA-STD-8719.12, Safety Standard for Explosives, Propellants, and Pyrotechnics, Section 5.13.5, are used.

Note that similar or identical appearing devices may have differing transmitting capabilities (either frequency or power).

3.12 Underwater Operations Safety

3.12.1 The requirements in this subparagraph apply to all NASA underwater operations, including support operations, where members of the NASA workforce are required to work or train in water, using an underwater apparatus (including snorkels) that supplies breathing air or gas. It applies to all diving, snorkeling, and training operations.

3.12.2 Center Directors and project managers are responsible for the safety of their workforce. To this end, Center Directors and project managers shall implement documented safety standards for personnel training, equipment inspection and maintenance, standard and specific task operations, and a diving safety program for all their diving and snorkeling activities (Requirement). The following references should be considered when developing underwater safety standards and safety program:

a. 29 CFR 1910 Subpart T, Commercial Diving Operations, contains regulatory requirements for diving and related support operations conducted in connection with all types of work and employments, including general industry, construction, ship repairing, shipbuilding, shipbreaking, and longshoring. While it is not applicable to scientific diving, it does define two required elements of a scientific diving program: (A) a diving safety manual, and (B) a diving control safety board. Appendix B to Subpart T to Part 1910 contains guidelines for scientific diving.

b. 45 CFR 46 Subpart A, Basic HHS Policy for Protection of Human Research Subjects, contains regulatory requirements which may be applicable to divers participating in research.

c. 46 CFR 197 Subpart B, Commercial Diving Operations, contains regulatory requirements for the design, construction, and use of equipment, and inspection, operation, and safety and health standards for commercial diving operations taking place from vessels and facilities under Coast Guard jurisdiction.

d. NPR 1800.1, NASA Occupational Health Program Procedures, Appendix C, provides requirements for diver physical examinations.

e. NASA-STD 8719.10, NASA Safety Standard for Underwater Facility and Non-Open Water Operations, is no longer maintained as an Agency standard; however, it contains good practices for non-open water operations that provide simulation of a weightless environment, and remains a good starting point for the development of non-open water requirements.

f. SS521-AG-PRO-010 U.S. Navy Diving Manual, has served as the internationally recognized standard, since the late 1950's, for allowable exposure while breathing compressed air at varying depths, and prescribes decompression schedules for dive profiles that exceed allowable exposure limits. It includes volumes on: Diving Principles and Policies, Air Diving Operations, Mixed-Gas Surface-Supplied Diving Operations, Closed-Circuit and Semiclosed-Circuit Diving Operations, Diving Medicine and Recompression Chamber Operations.

g. EM 385-1-1, Safety and Health Requirements Manual for the U.S. Army Corps of Engineers, provides in section 30, Diving Operations, requirements for USACE diving operations. Section 30.G, Scientific Snorkeling, provides requirements for scientific snorkeling activities.

h. FSH 4209.11, "Wildlife, Fish, Water, and Air Research Handbook," Chapter 10, "Diving and Snorkeling Safe Practices," by the US Forest Service, establishes direction for "Diving and Snorkeling Safe Practices."

i. The Standards for Scientific Diving, developed by the American Academy of Underwater Sciences, is a consensus standard for scientific diving and presents minimum safety standards for scientific diving.

3.12.3 Project managers shall notify the Center SMA organization and the Center diving control (safety) board before performing diving and snorkeling activities.

3.12.4 Centers that conduct diving and snorkeling operations shall implement a diving safety program that contains the following elements:

a. A diving safety manual (safe practices manual) which includes:

(1) Procedures covering all diving and snorkeling operations specific to the program.

(2) Procedures for emergency care, including recompression and evacuation.

(3) Criteria for diver training and certification.

(4) Criteria for facility and equipment certifications, use and maintenance procedures, and inspection.

b. A diving control (safety) board that:

(1) Approves and monitors diving and snorkeling activities.

(2) Revises the diving safety manual.

(3) Assures compliance with the diving safety manual.

(4) Certifies divers for specific underwater activities.

Note: If a NASA Center without a diving safety program conducts diving or snorkeling operations through another NASA Center or government Agency, such as the Navy, the other NASA Center's or government Agency's diving safety program requirements apply.

3.13 Launch, Entry, and Experimental Aeronautical Vehicle Operations Safety

3.13.1 This paragraph provides policy and requirements for protecting the safety of the public, the workforce, and assets during operations involving space launch or entry vehicles or experimental aeronautical vehicles (EAV) and their associated payloads. These vehicles include, but are not limited to, reusable launch vehicles, Expendable Launch Vehicles (ELVs), experimental aerospace vehicles, entry vehicles, sample return capsules, uninhabited aerial vehicles, balloons, sounding rockets, and drones.

Note: This paragraph does not apply to conventional piloted aircraft. See Chapter 4, Aviation Safety, of this NPR.

3.13.2 The Chief, Safety and Mission Assurance, shall:

a. Establish and oversee the Agency Safety Operations Program elements needed to assure successful implementation of operations safety requirements and assure related concerns are evaluated and resolved.

b. Approve and promulgate Agency-level operations safety policy and requirements, including the provisions of this NPR and associated implementation documents.

c. Designate Agency safety representatives needed to:

(1) Monitor preparations for operations to determine compliance with Agency safety policies, processes, and requirements.

(2) Support programs/projects to provide advice and technical support, and act as a link to independent engineering, safety, and assessment capabilities.

(3) Maintain cognizance over safety issues that have the potential to be elevated to NASA Headquarters for resolution.

(4) Provide a concurrence or nonconcurrence on the safety readiness to begin operations when the decision is elevated to NASA Headquarters.

(5) Participate prior to and during operations to communicate the Agency safety position to appropriate program/project officials.

3.13.3 Range Safety

3.13.3.1 NPR 8715.5, Range Safety Program, contains NASA's range safety policy, roles and responsibilities, requirements, and procedures for protecting the safety of the public, the workforce, and property during range flight operations. These operations include the launch or entry of an orbital, suborbital, or deep space vehicle or operation of an experimental aeronautical vehicle. NPR 8715.5, Range Safety Program, defines the range safety-related roles and responsibilities for all levels of NASA management, including the Agency Range Safety Manager. NPR 8715.5, Range Safety Program, also incorporates NASA's public risk acceptability policy for range flight operations.

3.13.4 Payload Safety

3.13.4.1 Payload Safety Policy. It is NASA policy to safeguard people and resources (including flight hardware and facilities) from hazards associated with payloads controlled by NASA and hazards associated with payload-related Ground Support Equipment (GSE) by eliminating the hazards or reducing the risk associated with the hazard to an acceptable level. To accomplish this policy NASA shall:

a. Establish and maintain technical and procedural safety requirements applicable to the design, production, flight-area processing and testing, vehicle integration, flight, and planned recovery of NASA payloads.

b. Coordinate with U.S. or foreign entities that participate in NASA payload projects as needed to ensure compliance with all safety requirements that apply to each payload.

c. Incorporate all applicable safety requirements into the overall requirements for each NASA payload, the contracts for any related procurements, and any related cooperative or grant agreements.

d. Maintain an independent payload safety review and approval process designed to ensure that each NASA payload project properly implements all applicable safety requirements and to facilitate safety risk management appropriate to each payload.

3.13.4.2 Manned Space Flight Payloads. For payloads that will fly on, or interface with, a manned space launch vehicle, spacecraft, or entry vehicle controlled by NASA, Center Directors and program/project managers shall establish the processes and requirements needed to satisfy Paragraph 3.13.4.1 of this NPR.

For example: Space Shuttle payloads are subject to NSTS 1700.7, Safety Policy and Requirements for Payloads Using the Space Transportation System; NSTS/ISS 13830, Payload Safety Review and Data Submittal Requirements for Payloads Using the Space Shuttle and International Space Station; and KHB 1700.7, Space Shuttle Payload Ground Safety Handbook.

3.13.4.3 Unmanned Suborbital Payloads. For a payload that will fly on an unmanned suborbital vehicle controlled by NASA (such as a sounding rocket, balloon, or experimental aeronautical vehicle), Center Directors and program/project managers shall establish the processes and requirements needed to satisfy Paragraph 3.13.4.1 of this NPR.

For example: The Wallops Flight Facility Range Safety Manual applies to Wallops-controlled suborbital payloads.

3.13.4.4 Return-to-Earth Payloads. For a payload that will be launched into space and will return to Earth for recovery or purposes other than disposal, Center Directors and program/project managers shall establish the processes and requirements needed to satisfy Paragraph 3.13.4.1 of this NPR for the recovery aspects of the mission.

Note: Disposal of space flight hardware is covered by the NASA Orbital Debris Program. See paragraph 3.13.6 of this NPR.

3.13.4.5 ELV Payloads. OSMA has established a safety program designed to ensure that Paragraph 3.13.4.1 of this NPR is satisfied for payload missions that will fly on ELVs. The associated responsibilities and requirements are provided in NPR 8715.7, Expendable Launch Vehicle Payload Safety Program.

3.13.4.5.1 Reserved.

a. Reserved.

b. Reserved.

c. Reserved.

d. Reserved.

3.13.4.5.2 Reserved.

a. Reserved.

b. Reserved.

c. Reserved.

d. Reserved.

e. Reserved.

f. Reserved.

g. Reserved.

h. Reserved.

i. Reserved.

j. Reserved.

k. Reserved.

l. Reserved.

m. Reserved.

n. Reserved.

3.13.4.5.3 Reserved.

a. Reserved.

b. Reserved.

c. Reserved.

d. Reserved.

e. Reserved.

f. Reserved.

g. Reserved.

3.13.4.5.4

a. Reserved.

b. Reserved.

c. Reserved.

3.13.4.5.5 Reserved.

a. Reserved.

b. Reserved.

c. Reserved.

3.13.4.5.6 Reserved.

3.13.5 Commercial Launch and Entry Operations

Chapter 2 of NPR 8715.5, Range Safety Program, contains policy and requirements applicable to NASA missions that involve the use of commercially-available space launch or entry services. Also see NASA-STD-8709.2, NASA Safety and Mission Assurance Roles and Responsibilities for Expendable Launch Vehicle Services.

3.13.6 Orbital Debris Safety

Safety policies, regulations, processes, and requirements that apply to the disposal of spaceflight hardware at the end of a mission are contained in NPR 8715.6, NASA Procedural Requirements for Limiting Orbital Debris, and NASA-STD 8719.14, Process for Limiting Orbital Debris. Additional information about limiting orbital debris can be found in NASA-Handbook 8719.14, Handbook for Limiting Orbital Debris.

3.14 Test Operations Safety

3.14.1 This paragraph provides requirements for protecting personnel and property during test operations, for both human-controlled and unoccupied or robotic tests. Testing includes hazardous training activities and demonstrations of test hardware or procedures. The requirements stated herein apply to test facilities; test equipment located within, or attached to, test facilities; equipment being tested; test personnel; test conduct; and test documents.

3.14.2 Center Directors and project managers shall ensure that test plans are developed and evaluated to assure test performance within safe operating limits.

Note: Evaluations will address the test article, test facility, testing procedures, test conditions, operator involvement, and potential risk to adjoining facilities and personnel.

3.14.3 Safety Documentation

3.14.3.1 Safety documentation establishes the basis for safe test conduct by means of engineering analyses (including hazard analyses).

3.14.3.2 Center Directors and project managers shall ensure that established test controls are clearly identified in test drawings, facility drawings, and test procedures.

3.14.4 Test System Requirements

3.14.4.1 Project managers responsible for developing test systems shall:

a. Design test systems such that test personnel or critical test hardware are not subjected to a test environment wherein a credible single-point failure (e.g., power loss) could result in injury, illness, or loss to the critical test hardware.

b. Construct all systems (electrical, mechanical, pneumatic, and/or hydraulic) so that no single failure could cause a critical condition.

c. Ensure that software that may interface with test systems meets the requirements stated in Chapter 1 of this NPR.

Note: Software by itself is not hazardous; however, when interfaced with test hardware, software could command a hazardous condition in the hardware. See NASA-STD-8719.13, Software Safety Standard, for further information.

d. Calibrate and certify safety-critical instrumentation before test operations and as required by test documentation or the test organization's internal procedures.

e. Ensure all personnel involved in tests are informed of potential hazards, safety procedures, and protective measures.

f. Ensure the availability of appropriate emergency medical treatment facilities.

g. Conduct formal reviews of engineering designs that are complicated or potentially hazardous to facilities.

h. Ensure test result reports include anomalies, safety implications, and lessons learned.

3.14.5 Test Readiness Review

3.14.5.1 Center Directors and project managers shall ensure that Test Readiness Reviews:

a. Are conducted for tests involving new or modified hardware and/or procedures.

b. Determine and document the safety, technical, and operational readiness of the test.

3.14.6 Pre-test Meeting

3.14.6.1 Center Directors and project managers shall ensure that a pre-test meeting is conducted with all involved personnel to discuss the facility, design, instrumentation, safety, and operator training and certification.

Note: The meeting should also establish the test plan, identify test constraints to ensure facility safety, and determine test article readiness, ground support equipment readiness, and procedural readiness.

3.14.7 Human Research Subjects

3.14.7.1 The requirements for the protection of human research subjects are contained in NPD 7100.8, Protection of Human Research Subjects, and 45 CFR Part 46, Protection of Human Subjects.

3.14.7.2 Center Directors and project managers shall ensure that:

a. Tests involving hazardous substances, where human test subjects or test team personnel may be exposed, are reviewed for adequacy of test team safeguards, including direct communication between the test subjects and test conductors.

b. A facility environmental control system failure or failure in the distribution system affecting one pressure-suited occupant shall not affect any other pressure-suited occupant for tests requiring crew participation in a pressure suit.

c. A means exists for immediately detecting an incipient fire or other hazardous condition in each crew compartment of any test area.

d. Automatic fire detection is provided for critical areas not suitable for visual monitoring.

e. Crewed test systems are designed for timely and unencumbered rescue of incapacitated crew members.

f. Software controlling crewed test systems is thoroughly analyzed to ensure that no command results in death or injury to the test subjects.

Note: Policies and requirements for software are given in NPD 2820.1, NASA Software Policy, and NPR 7150.2, NASA Software Engineering Requirements.

g. Crewed test systems are designed to provide for manual overrides of critical software commands to ensure the safety of test subjects during any system event or test scenario (normal operation, malfunction, emergency).

h. Manual overrides of critical software commands support safe test termination and egress of test subjects.

i. Medical resources and facilities needed for response are alerted, on-call, and immediately available as needed.

3.15 Non-Ionizing Radiation

3.15.1 Requirements for non-ionizing radiation are provided in NPR 1800.1, NASA Occupational Health Program Procedures. Microwave and radar protection standards are covered in various State regulations, national consensus standards, and Federal standards including 29 CFR Part 1910.97, Non-ionizing Radiation. This paragraph provides requirements for protecting personnel and property during laser use in NASA operations. The primary laser hazard to humans is eye and/or skin damage from direct exposure to the beam or specular reflection, and in some cases, from viewing a diffuse reflection.

3.15.2 Exposure requirements for laser radiation are provided in 21 CFR Part 1040, Performance Standards For Light-Emitting Products. Requirements for the procurement and manufacture of laser products are provided in 21 CFR Part 1040.10, Laser Products, and 21 CFR Part 1040.11, Specific Purpose Laser Products.

3.15.3 Center Directors and project managers shall comply with these regulations unless a specific exemption is obtained from the U.S. Department of Health and Human Services, Food and Drug Administration.

3.15.4 Center Directors and project managers shall ensure that:

a. Only trained and certified employees are assigned to install, adjust, and operate laser equipment.

b. Personnel operating lasers are trained and certified in accordance with Chapter 7 of this NPR.

c. Laser operations during any open-air laser scenario conducted on DoD-controlled ranges or test facilities or by DoD personnel use the Range Commanders Council Document 316-91, Laser Range Safety.

d. Laser operation conforms to the principles and requirements set forth in ANSI Z136.1, American National Standard for Safe Use of Lasers, and ANSI Z136.2, Safe Use of Optical Fiber Communication Systems Utilizing Laser Diode and LED Sources.

e. Exposure of personnel to laser radiation does not exceed the permissible exposure levels provided in ANSI Z136.1, American National Standard for Safe Use of Lasers.

f. To the maximum extent practicable, laser hazards to personnel are eliminated by engineering design before they become operational, or procedures are developed and equipment provided to reduce the risk for those hazards that cannot be eliminated.

g. Any laser that can cause injury or damage has a Center-approved safety documentation, test plan, and test procedure review.

3.15.5 Laser Radiation Safety Officer

3.15.5.1 The Center SMA Director shall designate a qualified Laser Radiation Safety Officer for their site.

3.15.5.2 The Laser Radiation Safety Officer shall:

a. Contact the laser safety clearing house to obtain a "Site Window" clearance where a planned laser operation has the potential for the beam to strike an orbiting craft.

Note: Clearance is obtained from the Orbital Safety Officer, U.S. Space Command / J3SOO, 1 NORAD Road, Suite 9-101, Cheyenne Mountain AFB, CO 80914-6020, Stop 4, Phone: (719) 474-3056/4404/4444.

b. Review procedures for all tests that use lasers.

c. Be on site to monitor all laser tests.

3.15.6 Ground Operations Using Class III-B and IV Lasers

3.15.6.1 Class III-B and IV laser users shall:

a. Operate Class III-B and IV lasers only in controlled environments or designated areas that have no unintended reflective or transmitting surfaces.

b. Post laser operations areas with standard warning placards as set forth in ANSI Z136.1, American National Standard for Safe Use of Lasers.

c. Ensure that the posted area is isolated to prevent inadvertent entry.

d. Wear laser goggles or other approved methods of eye protection in accordance with requirements of ANSI Z136.1, American National Standard for Safe Use of Lasers.

e. Keep all flammable materials/vapors away from any laser during operation unless specifically authorized by the operation/test plan.

3.15.7 Airborne Operations Using Class III-B and IV Lasers

3.15.7.1 Project managers shall:

a. Identify the airborne use of Class III-B and IV lasers early in the system acquisition process and track their use throughout the program life cycle.

Note: A realistic and timely application of safety engineering to laser systems can avoid or reduce the costs involved in redesign, time lost in modification, and loss of mission capability.

b. Ensure the design of laser systems for NASA aircraft and spacecraft includes a system of interlocks to prevent inadvertent laser beam output.

c. When a test circuit switch is provided to override the ground interlock to aid ground test operations, maintenance, or service, ensure the design precludes inadvertent operation.

d. Ensure that the crew will not operate the laser except in accordance with the prescribed mission profile.

e. For long-range laser shots, designate as large an exclusion area as practical to minimize the risk to the people outside the area.

Note: A buffer area should be added around the exclusion area. Air Force AFOSH Standard 48-12, Health Hazard Control for Laser Operations, includes a guide for operation of lasers from aircraft. It can be used to develop the buffer zone for space-based laser shots directed at the ground. (See Range Commanders Council (RCC) Document 316-91, Laser Range Safety.)

f. Ensure a hazard evaluation and written safety precautions are completed prior to airborne laser operations.

g. Ensure that the hazard analysis considers catastrophic events and the need for very reliable, high-speed laser shutdown should such events occur.

Note: See ANSI Z136.1, American National Standard for Safe Use of Lasers, for hazard evaluation and control information.

h. Ensure that qualified personnel perform laser hazard evaluations to determine specific hazards associated with specific uses, establish appropriate hazard control measures, and identify crew and public-at-large protection requirements.

i. When completing the hazard evaluation, consider and document the atmospheric effects of laser beam propagation, the transmission of laser radiation through intervening materials, the use of optical viewing aids, and resultant hazards; e.g., electrical, cryogenic, toxic vapors.

3.15.7.2 The Pilot-in-Command shall ensure that the laser system is used in accordance with the test plan.

3.15.7.3 Program managers and safety evaluators shall assess the safety aspects, compliance with safety requirements, and resolution of laser safety-related problems.

3.15.8 Laser Software

3.15.8.1 Project managers shall ensure that:

a. Laser software provides safety precautions for fast-moving lasers and prevents misdirected laser operation.

b. Laser software development is subjected to a software safety analysis per Chapter 1 of this NPR.

c. Existing laser software systems are reviewed to assure that safety precautions are provided.

Note: See NASA-STD-8719.13, Software Safety Standard, for further information.

3.16 Ionizing Radiation

Policies and requirements for the handling, use, and storage of radioactive material and radiation generating equipment are contained in directives under the purview of the occupational health organizations. See NPD 1800.2, NASA Occupational Health Program.

3.17 Confined Spaces

3.17.1 Requirements for operations in confined spaces are provided in OSHA 29 CFR Part 1910.146, Permit-Required Confined Spaces.

3.17.2 A confined space is any space that exhibits all three of the following characteristics: large enough to bodily enter and perform work, not designed for continuous human occupancy, and limited means of entry or exit. A permit-required confined space is a confined space that contains any recognized serious safety or health hazard. No entry into permit-required confined spaces will be made until an assessment of that space has been made and a permit or operating procedures are posted.

3.17.3 Center Directors shall develop and document a confined space operations plan that, at a minimum, establishes a confined space working group, outlines the confined space permit process, and identifies all confined spaces on their Center.

3.17.4 Center Directors and project managers shall ensure that:

a. Entry into Permit-Required Confined Spaces is performed with written procedures and authorizations (Requirement 32424).

b. No entry into confined spaces is made until an assessment of that space has been made and a permit or operating procedures posted (Requirement 32425).

c. All contractors or persons performing work on the Center are notified of all confined spaces (Requirement).

3.17.5 Supervisors shall have the overall responsibility for entry and work in confined spaces and ensure compliance with ANSI Z117.1, Safety Requirements for Confined Space, and the NIOSH Publication No. 87-113, A Guide to Safety in Confined Spaces.

Note: Permit requirements for confined spaces are given in 29 CFR 1910.146, Permit-required confined spaces.

3.18 Fall Protection on Elevated Structures

3.18.1 It is NASA’s policy to provide fall protection for any walking working surface where a person is exposed to a fall to a lower level. Fall protection programs shall focus on eliminating, mitigating, and/or controlling the fall hazard before an individual is exposed to the hazard.

a. Fall protection programs shall protect workers who may be exposed to a fall of four feet or greater to a lower level for general industry activities in accordance with 29 CFR 1910 and six feet or greater to a lower level for construction activities in accordance with 29 CFR 1926.

b. "Fall hazards" from any height to lower level shall require protection if the work is over a collateral hazard (e.g., moving machinery, chemicals, electrical hazards, impalement hazards).

Note: OSHA requirements for fall protection can be found in 29 CFR 1910, General Industry, and 29 CFR 1926, Construction Industry. The fall protection requirements in this NPR do not repeat, replace, or limit OSHA requirements or NASA or contractor safety programs requirements, except where these requirements are more stringent.

3.18.2 All waivers to requirements listed in paragraph 3.18 shall be documented in the Center’s fall protection implementation plan after submission of requests to waive/deviate per paragraph 1.13 of this document.

3.18.3 Each Center Director shall implement a Center fall protection program to protect all Government employees, contractors, subcontractors, international partners, and persons who are exposed to falls at onsite facilities through the course of their work.

a. NASA Center Directors should evaluate the feasibility of establishing a standard fall protection height of four feet for all work at heights, to lessen the harmful impact to workers resulting from a fall to a lower level.

b. The Center Director shall ensure that the Center's fall protection program complies with the requirements of 29 CFR 1910, General Industry, and 29 CFR 1926, Construction Industry; utilizes as guidelines (these versions), ANSI/ASSE Z359, Fall Protection Code series (Z359.0-2007, Z359.1-2007, Z359.2-2007, Z359.3-2007, and Z359.4-2007); and complies with any more stringent requirements necessary for the Center's specific fall hazards.

c. The Center Director shall designate, in writing, a Center Fall Protection Program Administrator who is responsible for the development, implementation, and management of the Center's fall protection program.

Note: The Center Director may designate a committee to assist the Center Fall Protection Program Administrator in complying with this NPR.

d. The Center Director shall ensure that the designated Center Fall Protection Program Administrator and/or team has a working knowledge of current fall protection regulations, standards, and fall protection equipment and systems and the skills, experience, and abilities to effectively manage the Center's fall protection program.

3.18.4 The Center Fall Protection Program Administrator shall:

a. Implement and coordinate the Center's fall protection program (Requirement).

b. Evaluate the Center-wide hazards, determine where protection from falls from elevation is required, and establish any additional, more stringent requirements necessary to protect against Center-specific fall hazards.

c. Provide guidance and oversight to ensure that NASA fall protection requirements are included in contracts where contractor employees of the acquisition will be working in situations that require fall protection (see paragraph 3.18.1).

d. Provide oversight to ensure that NASA fall protection requirements are included in work instructions where individuals will be working in situations that require fall protection (see paragraph 3.18.1).

e. Provide oversight to ensure that anyone who is identified as a qualified person (per ANSI/ASSE Z359.0-2007, paragraph 2.109) to serve as a subject matter expert in support of the Center's fall protection program has an engineering degree or access to a person with an engineering degree to identify and to evaluate unique situations and “non-standard equipment” and has been trained by an industry-recognized trainer, NASA-recognized trainer/training center, or NASA-developed training program equivalent to ANSI and OSHA compliant training.

f. Provide oversight to ensure that, for each situation that requires fall protection at the Center (see paragraph 3.18.1) (NASA or contractor led), there is a competent person (per ANSI/ASSE Z359.0-2007, paragraph 2.27) assigned responsibility for the immediate application of fall protection work where fall protection is required whose education and training has been administered by an industry-recognized trainer, NASA-recognized trainer/training center, or NASA-developed training program equivalent to ANSI and OSHA compliant training.

g. Remain current with changing OSHA and ANSI fall protection requirements, this NPR, local laws, and new fall protection systems (Requirement).

h. Conduct an annual review and audit of the Center's fall protection program to ensure compliance (Requirement). Use of new technology, regulations, and industry practices should be considered during the annual review and audit.

3.18.5 Supervisors shall:

a. Ensure that NASA fall protection requirements are included in work instructions where NASA employees and/or contractors will be working in situations that require fall protection (see paragraph 3.18.1).


Chapter 4. Aviation Safety

4.1 Purpose and Scope

4.1.1 NASA maintains an Aviation Safety Program to ensure the safety of its highly diversified aviation activities. The NASA Aviation Safety Program has the following primary objectives:

a. Preserving human and material resources by preventing damage and injury through the identification and elimination of aviation safety hazards throughout NASA.

b. Enhancing awareness of aviation safety objectives and related considerations by relevant NASA employees and contractor personnel.

4.1.2 This chapter assigns key responsibilities related to the Aviation Safety Program. Additional responsibilities and related requirements are contained in NPR 7900.3.

4.2 Aviation Safety Program Responsibilities

4.2.1 The Chief, SMA delegates responsibilities for the implementation of NASA's Aviation Safety Program to the Director, Aircraft Management Division (AMD). Accordingly, the Director, AMD:

a. Defines aviation safety responsibilities and requirements for Centers, programs, and projects covering NASA's aircraft operations.

b. Performs functional oversight and assessments to assure the implementation of the responsibilities and requirements by Centers, programs, and projects.

c. Informs the Chief, SMA of aviation safety concerns and may halt aviation operations.

d. Adjudicates requests for waivers to the Agency-level aviation safety requirements in NPR 7900.3 or otherwise established by AMD.

Note: Waiver decisions may be subject to requirements for the acceptance of risks to safety and mission success in NPR 8000.4, Agency Risk Management Procedural Requirements.

e. Periodically informs the Chief, SMA of the state of the Aviation Safety Program.

f. Will remain independent from aircraft operations and maintain the necessary technical expertise.

4.2.2 The Chief, SMA will assign a delegate within OSMA to provide oversight to the Aviation Safety Program by participating in or reviewing program activities, such as:

a. The Inter-Center Aircraft Operations Panel (IAOP) Reviews managed by the AMD.

b. The HQ bi-yearly IAOP Chief's Meetings led by AMD.

c. The Aircraft Advisory Committee led by the AMD.

4.2.3 Center Directors are responsible for the safety of all aircraft, including UASs, and crews assigned to or operating from their Centers. As part of this responsibility, Center Directors implement Center-level aviation safety programs in accordance with NPR 7900.3.

4.2.4 Consistent with NPD 1000.0, Program and Project Managers are responsible and accountable for the safe conduct of aviation activities under their cognizance in conformance with governing requirements.

Chapter 5. Fire Protection and Life Safety

5.1 Purpose, Goals, and Objectives

This chapter establishes the overall purpose, goals, and objectives for the NASA Fire Protection and Life Safety Program. The goals of this program are zero loss of life from fires, a reduction in number of fires to zero, protection for facilities and equipment to preclude major losses, and a reduction in the magnitude of loss for those fires that occur. The objective of NASA's Fire Protection and Life Safety Program is to protect human life, property, and the environment from the risk of fire-related hazards, through the application of codes, standards, and best practices, engineering analysis, fire prevention techniques, and public education and awareness of fire safety for NASA and contractor personnel.

5.2 General Requirements

5.2.1 Chief, Safety and Mission Assurance (Chief, SMA). The Chief, SMA, is the senior safety official for the Agency and exercises functional oversight authority over all NASA fire protection and life safety activities. The Chief, SMA is responsible for the overall NASA fire protection and life safety policy and priorities and for evaluating Center implementation and performance. The Chief, SMA appoints an Agency Fire Protection and Life Safety Program manager to manage these Agency-level activities and evaluate Center implementation and performance.

5.2.2 Center Director

5.2.2.1 Center Directors shall implement a Fire Protection and Life Safety Program at their Center and associated facilities to:

a. Verify Center and associated facility compliance with the requirements in NASA-STD-8719.11 (Safety Standard for Fire Protection), 15 U.S.C. §2227 (Fire safety systems in federally assisted buildings), 40 U.S.C. §3312 (Compliance with Nationally Recognized Codes), 29 CFR pt. 1910 (General Industry), and 41 CFR §102-80 (Safety and Environmental Management).

b. Provide fire service operations to protect lives and property.

c. Apply risk management processes to assess individual programs and adopt additional fire protection requirements as appropriate.

d. Identify fire hazards and provide adequate controls through regular, documented comprehensive fire risk assessments.

e. Document fire protection discrepancies and manage abatement plans for corrective action(s) and tracking.

f. Notify the Chief, SMA of fire protection discrepancies that cannot be corrected or funded locally.

g. Provide documented procedures for controlling flammable materials and hazardous operations.

h. Review and approve facility design drawings for adequate fire protection, life safety, and related features and systems and for compliance with applicable codes and criteria.

i. Ensure construction of new buildings and alterations and additions to existing buildings, facilities, and associated building systems comply with approved fire protection, life safety, and related building safety requirements in place at the time of the design phase of the project.

5.2.2.2 The Center Director shall appoint a qualified individual to serve as the Authority Having Jurisdiction (AHJ) for fire protection and life safety with the authority and resources to manage the Center's Fire Protection and Life Safety Program.

5.2.2.3 The Center Director shall maintain the AHJ functionality independent from the facilities, systems, and operations they oversee such that they do not oversee their own work, have a mechanism established to avoid undue influence from those they oversee, and have an alternate reporting path to upper management.

5.2.2.4 The Center Director shall maintain fire protection and life safety systems and procedures at the Center and associated facilities in accordance with NASA-STD-8719.11, Safety Standard for Fire Protection.

5.2.3 Authority Having Jurisdiction for Fire Protection and Life Safety

5.2.3.1 The AHJ is the delegated Safety Technical Authority for fire protection and life safety at the Center and is responsible for authorizing use of associated equipment, materials, installations, and procedures.

5.2.3.2 The AHJ shall:

a. Review and authorize fire protection and life safety systems and operations prior to operation.

b. Verify the inspection, testing, and maintenance of fire protection and life safety systems and operations to ensure their ongoing fitness for service.

c. Document and maintain the compliance status of fire protection and life safety systems and procedures, including all exceptions, deviations, waivers, non-conformances, special constraints, and instructions required for safe operation.

5.2.3.3 The AHJ shall interpret voluntary consensus standard application(s) to the Center.

5.2.3.4 The AHJ shall review requests for relief from requirements of this NPR, NASA-STD 8719.11, and applicable voluntary consensus standards based on the technical merits of the request. The AHJ may authorize an equivalency for a requirement in NASA-STD 8719.11 or in an applicable voluntary consensus standard if the AHJ determines it would not result in an increase in risk.

5.2.3.5 The AHJ shall verify that trained personnel investigate the fire origin and cause of all fires at their Center and facilities in accordance with NASA-STD 8719.11.

5.2.3.6 The AHJ shall provide annual reports to the Center Director or their designee on the status and health of the Fire Protection and Life Safety Program as outlined in this Chapter.

5.2.3.7 The AHJ shall review and concur on construction of facilities and locally funded project design criteria, conceptual plans, and design documents with fire protection and life safety implications.

5.2.3.8 The AHJ shall notify the Center Security Office of all suspicious fires.

5.3 Qualifications for the Authority Having Jurisdiction

5.3.1 The AHJ shall have the following qualifications:

a. Leadership and managerial experience at a proven level commensurate with the expectations of the AHJ position and one of the following designations/certifications:

(1) Registered professional engineer (PE) who has passed the fire protection engineering written examination administered by the National Council of Examiners for Engineering and Surveying (NCEES) and has a minimum of eight years of work experience directly related to fire safety, building safety, life safety, and related code compliance.

(2) Registered professional engineer (PE) in a related field with a minimum of ten years documented work experience directly related to fire safety, building safety, life safety, and related code compliance.

(3) Certified Safety Professional (CSP) along with certification as either an ICC Certified Building Official or NFPA Certified Fire Protection Specialist with ten years documented work experience directly related to fire safety, building safety, life safety, and related code compliance.

(4) Fire Service Professional meeting all requirements of NFPA 1037, Standard for Professional Qualifications for Fire Marshal, with a minimum of ten years documented work experience directly related to fire safety, building safety, life safety, and related code compliance.

b. Work experience directly related to fire safety, building safety, life safety, and related code compliance shall include multi-faceted experience with significant work in each of the following three major areas:

(1) Risk management, decision analysis, and communication of complex technical issues.

(2) Building construction, code enforcement, life safety and means of egress systems, fire control and suppression systems, fire detection and alarm systems, building tenability systems, building fire resistance, electrical systems, lightning protection systems, conveyance systems, and other building systems and facility infrastructure relating to fire hazards in the workplace.

(3) Hazardous materials control, manual fire response and suppression, facility loss prevention control practices, ignition source controls, inspection, testing, and maintenance of protective systems, fire investigation procedures, and related fire prevention best practices.

5.3.2 Individuals appointed as AHJ at a NASA Center prior to the issuance of this document do not have to meet the requirements of 5.3.1 for the duration of their tenure as AHJ. However, these individuals should, as a matter of professionalism and growth, attempt to gain the requisite skill set during their tenure.

Chapter 6. Nuclear Safety for Launching of Radioactive Materials

6.1 Purpose

6.1.1 This chapter provides internal NASA procedural requirements for characterizing and reporting potential risks associated with a planned launch of radioactive materials into space, on launch vehicles and spacecraft, during normal or abnormal flight conditions. Procedures and levels of review and analysis required for nuclear launch safety approval vary with the quantity of radioactive material planned for use and potential risk to the general public and the environment.

6.1.2 An analysis or evaluation may be required in accordance with paragraph 9 of Presidential Directive/National Security Council Memorandum Number 25 (PD/NSC-25), Scientific or Technological Experiments with Possible Large-Scale Adverse Environmental Effects and Launch of Nuclear Systems into Space, dated December 14, 1977, as amended, in obtaining nuclear launch safety approval. Guidance on procedures, requirements, or licensing details for using, storing, shipping, or handling radioactive materials in ground processing facilities or activities or in preparation for space uses is not included in this chapter (see paragraph 3.16). The tracking of radiation exposures to workers is also not included in this chapter.

6.1.3 Mission Directorate Associate Administrators, Center Directors, and program executives shall ensure that NASA missions involving the launch of radioactive materials comply with the provisions of the National Environmental Policy Act of 1969 (42 U.S.C. 4321 et seq.), and follow the policy and procedures contained in 14 CFR Part 1216, Subpart 1216.3, Procedures for Implementing the National Environmental Policy Act (NEPA), and NPR 8580.1, Implementing the National Environmental Policy Act and Executive Order 12114.

6.2 Responsibilities

6.2.1 The NASA Administrator or designee shall:

a. Determine, for NASA, the acceptability of the potential risk of launching and using nuclear materials in space as described in Table 6.1.

b. Request empanelment of an Interagency Nuclear Safety Review Panel (INSRP) with membership and responsibilities in accordance with PD/NSC-25 after receiving a request from the Program Executive (in coordination with SMA).

c. Appoint a NASA member to the empanelled INSRP with consideration of the recommendation(s) by the Chief, Safety and Mission Assurance.

6.2.2 Mission Directorate Associate Administrators, Center Directors, and program executives involved with the control and processing of radioactive materials for launch into space shall ensure:

a. Compliance with space nuclear launch safety requirements and processes provided in this NPR.

b. Basic designs of vehicles, spacecraft, and systems utilizing radioactive materials provide protection to the public, the environment, and users such that radiation risk resulting from exposures to radioactive sources is as low as reasonably achievable.

c. Nuclear safety considerations are incorporated from the initial design stages throughout all project stages to ensure that overall mission radiological risk is acceptable.

d. All space flight equipment (including medical and other experimental devices) that contain or use radioactive materials are identified and analyzed (per paragraph 6.3 of this NPR) for radiological risk.

e. Development of site-specific ground operations and radiological contingency plans commensurate with the risk represented by the planned launch of nuclear materials.

f. Contingency planning, as required by the National Response Plan, includes provisions for emergency response and support for source recovery efforts.

Note: NPD 8710.1, Emergency Preparedness Program, and NPR 8715.2, NASA Emergency Preparedness Plan Procedural Requirements, address the NASA emergency preparedness policy and program requirements.

g. Involve the OCHMO in the Federal Radiological Emergency Response planning process.

6.2.3 The Chief, Safety and Mission Assurance, shall:

a. Assure that NASA missions involving the launch of radioactive materials comply with paragraph 9 of PD/NSC-25, as appropriate.

b. Assist in the review and evaluation of nuclear safety risk.

c. Per Table 6.1, prepare, coordinate, and provide the required notification of planned launches of radioactive materials to the Executive Office of the President, Office of Science and Technology Policy (OSTP).

d. Designate a Nuclear Flight Safety Assurance Manager (NFSAM).

e. Designate a NASA INSRP Coordinator.

f. Nominate a NASA member for each empanelled ad hoc INSRP following a request by the program or mission office to the NASA Administrator.

Note: The NFSAM and NASA INSRP Coordinator may be separate individuals.

g. Provide assistance to the cognizant NASA Mission Directorate and project office(s) in meeting nuclear launch safety analysis/evaluation requirements.

h. Review all radiological contingency and emergency planning as part of the SMA audits, reviews, and assessments process.

Note: The requirements for conducting and supporting these reviews are provided in NPR 8705.6, Safety and Mission Assurance Audits, Reviews, and Assessments.

i. Ensure that the OCHMO is notified of the intent to launch radioactive materials.

j. Coordinate health physics aspects with the OCHMO periodically and in the event of any related radiological emergencies during the mission.

6.2.4 Mission Directorate Associate Administrators and program executives shall:

a. Designate an individual responsible for ensuring the implementation of the requirements for nuclear launch safety approval in accordance with paragraph 9 of PD/NSC-25.

b. Notify the NASA Headquarters NFSAM in writing as soon as radioactive sources are identified for potential use on NASA spacecraft to schedule nuclear launch safety approval activities.

c. Identify the amount of radioactive material and the process for documenting the risk represented by the use of radioactive materials to the NFSAM in accordance with paragraph 6.4 of this NPR.

d. Provide required reports to the NFSAM in accordance with paragraphs 6.3 and 6.4 of this NPR.

e. Prepare or have prepared the nuclear safety analyses.

f. Obtain nuclear launch safety approval or launch concurrence in accordance with paragraph 6.3 of this NPR.

6.2.5 Mission Directorate Associate Administrators, Center Directors, and line managers shall:

a. Ensure, to the extent of responsibility applicable under defined licensing/permitting documentation or agreements, compliance with all pertinent directives, licenses, agreements, and requirements promulgated by regulatory agencies relative to the use of radioactive materials planned for a space launch.

b. Coordinate with appropriate project office(s) to ensure radioactive material source reports that are submitted per paragraph 6.4 of this NPR accurately reflect all known radioactive material sources intended for flight.

6.2.6 NASA launch and landing site managers shall:

a. Apply range safety requirements, with regard to the safe launch of radioactive materials, specified in range safety standards.

Note: Requirements for range safety concerning the launch of radioactive material are given in the Air Force Space Command Manual 91-710, Volume 2, Safety, Range Safety User Requirements Manual Volume 2 - Flight Safety Requirements (1 July 2004).

b. Develop and implement site-specific ground operations and radiological contingency plans to address potential ground handling accidents and potential launch/landing accident scenarios and to support source recovery operations commensurate with the radioactive materials present.

Note: Requirements for contingency plans are provided in NPR 8715.2, NASA Emergency Preparedness Plan Procedural Requirements.

c. Coordinate radiological contingency plans and exercises with the OCHMO.

d. Exercise contingency response capabilities as deemed necessary to ensure adequate readiness of participants and adequacy of planning to protect the public, site personnel, and facilities.

e. Ensure appropriate and timely coordination with regional Federal, State, territorial, and local emergency management authorities to provide for support to, and coordination with, offsite emergency response elements.

f. Make provisions for special offsite monitoring and assistance in recovery of radioactive materials that could spread into areas outside the geographical boundaries of the launch site.

g. Establish a radiological control center (RADCC) for launches and landings with radioactive sources possessing a significant health or environmental risk, or having an activity of A2 mission multiple greater than 1,000 as determined per paragraph 6.3 of this NPR, or as specified in applicable interagency agreements.

h. Ensure, when required, that the RADCC provides technical support and coordination with other Federal, State, territorial, and local agencies in the case of a launch or landing accident that may result in the release of radioactive materials (Requirement).

i. Ensure, when required, that the RADCC is operational during launch and landing phases anytime there is a potential for an accident that could release radioactive material.

j. Ensure, when required, that the RADCC is staffed commensurate with the risk associated with the radioactive materials present.

6.2.7 The NASA INSRP Coordinator shall:

a. Coordinate NASA's participation in activities supporting empanelled INSRP(s) to ensure adequate information is available to the INSRP(s).

b. Make arrangements for NASA personnel to provide technical assistance to empanelled INSRP(s).

c. Coordinate the support needs of those selected to provide assistance to empanelled INSRP(s) as may be appropriate (i.e., travel, funding, technical).

d. Coordinate health physics aspects with the OCHMO.

6.2.8 The NASA member of an empanelled INSRP shall:

a. Represent NASA in accordance with PD/NSC-25.

b. Provide technical liaison between the empanelled INSRP and NASA management.

6.2.9 The Office of Security and Program Protection shall:

a. Ensure appropriate coordination with the Department of Homeland Security (Federal Emergency Management Agency) to provide adequate emergency and recovery planning for all NASA missions above a threshold of 1,000 for A2 mission multiple as defined in paragraph 6.3 of this NPR.

b. Ensure that radiological emergency and recovery plans are developed and implemented where NASA is the Lead Federal Agency as defined by the National Response Plan - Nuclear/Radiological Incident Annex.

c. Upon request, provide the program executive and OSMA with mission-specific information recommended for consideration during launch or potential accident site emergency response and clean-up planning as part of the nuclear launch approval process.

6.3 Nuclear Launch Safety Approval Process

The level of analysis, evaluation, review, and the concurrence or approval required for a radiological risk assessment varies with the total amount of radioactive materials planned for launch as follows:

6.3.1 For all planned launches of radioactive materials, program executives shall:

a. Use the A2 mission multiple value to determine the level of assessment required.

b. Use total mission radioactive material inventory contained on the launch to calculate the total A2 mission multiple per Appendix D, Activity and Radioactivity Limits - Basic A1/A2 Values.

c. Use the highest of the algebraic sum of the isotopes' A2 multiples at launch, anytime the spacecraft will be in Earth orbit, or during near Earth interplanetary flight (e.g., Earth Gravity Assists) to determine the level of assessment required.

d. Consult with the NFSAM and the NASA Office of the General Counsel to determine what provisions, if any, of this chapter apply when NASA participates in the launch of a vehicle or spacecraft from other countries or territories, and these vehicles or spacecraft contain a radioactive source.

6.3.2 Internal NASA Nuclear Launch Safety Process.

A summary of the nuclear launch safety review, reporting, and approval requirements is provided in Table 6.1, Nuclear Launch Safety Approval Summary.

Table 6.1 Nuclear Launch Safety Approval Summary

6.3.3 For launches with A2 mission multiples less than 0.001:

6.3.3.1 Program executives (in addition to requirements in paragraph 6.2 of this NPR) shall:

a. Request nuclear launch safety concurrence in writing from the NFSAM.

b. Submit the request to the NFSAM a minimum of 4 months prior to launch (Requirement).

Note: The request should be accompanied by the Radioactive Materials On-Board Report defined in paragraph 6.4.1 of this NPR.

6.3.3.2 The NFSAM shall review the report and inform the program executive in writing of concurrence (or nonconcurrence) and any safety concerns not less than 2 months prior to launch.

6.3.4 For launches with A2 mission multiples between 0.001 and 10:

6.3.4.1 Program executives (in addition to requirements in paragraph 6.2 of this NPR) shall:

a. Request nuclear launch safety concurrence in writing from the NFSAM.

b. Submit the request to the NFSAM a minimum of 4 months prior to launch.

Note: The request should be accompanied by the Radioactive On-Board Materials Report defined in paragraph 6.4 with a brief technical description of the radioactive material.

6.3.4.2 The NFSAM shall:

a. Review the request and inform the program executive in writing of nuclear launch safety concurrence (or nonconcurrence) and any safety concerns not less than 2 months prior to launch.

b. Report launches with these quantities of radioactive material to the OSTP prior to launch.

6.3.5 For launches with A2 mission multiples equal to or greater than 10 but less than 500:

6.3.5.1 Program executives (in addition to requirements in paragraph 6.2 of this NPR) shall:

a. Develop and document, in consultation with the NFSAM, a mutually agreed upon schedule for developing a nuclear safety review.

b. Prepare or have prepared a nuclear safety review of the radiological risk for the proposed mission.

c. Ensure that the nuclear safety review contains the report described in paragraph 6.4 of this NPR.

d. Ensure that the nuclear safety review contains program excerpts describing the mission.

e. Ensure that the nuclear safety review contains an analysis of the probabilities of launch and in-flight accidents which could result in the terrestrial release of radioactive materials (surface and air).

f. Ensure that the nuclear safety review contains an estimate of the upper bound of health and environmental effects due to a radioactive material release.

g. Ensure that the nuclear safety review contains mission-specific information recommended for consideration in the launch or potential accident site emergency response and clean-up planning.

h. Provide the Chief, Safety and Mission Assurance, and the NFSAM the nuclear safety review along with a request for nuclear launch concurrence at least 5 months prior to launch.

6.3.5.2 The NFSAM shall:

a. Make a preliminary scoping evaluation of the radiological risk to identify the extent of analyses needed as part of a prelaunch nuclear safety review.

b. Develop and document, in consultation with the program executive, a mutually agreed upon schedule for developing a nuclear safety review.

c. Notify OSTP of the planned launch with these quantities of radioactive material as a part of the periodic report.

6.3.6 For launches with A2 mission multiples equal to or greater than 500 but less than 1,000:

6.3.6.1 Program executives (in addition to requirements in paragraph 6.2 of this NPR) shall:

a. Develop and document, in consultation with the NFSAM, a mutually agreed upon schedule for developing a nuclear safety review.

b. Prepare or have prepared a Safety Analysis Summary (SAS) that, in coordination with the NFSAM, addresses the radiological risk of the proposed mission.

Note: The level of detail in the SAS will be commensurate with the radiological risk. The program is encouraged to use other program documentation to provide mission and potential accident information in the SAS.

c. Ensure that the SAS contains a brief description of the planned mission, schedule, launch vehicle, and spacecraft to include operations while in-orbit and during near-Earth flight.

d. Ensure that the SAS contains a description of all radioactive materials, their physical state/chemical form, and quantities.

e. Ensure that the SAS contains probabilities and resulting consequences of launch and in-flight accidents that could result in the terrestrial release of radiological materials.

f. Ensure that the SAS contains an estimate of any health and environmental effects due to a radioactive material release.

g. Ensure that the SAS contains mission-specific information recommended for consideration in the launch or potential accident site emergency response and clean-up planning.

h. Provide the Chief, Safety and Mission Assurance, the SAS along with a request for nuclear launch concurrence at least 6 months prior to launch.

i. Provide the OCHMO the SAS at least 6 months prior to launch (Requirement).

j. Forward the SAS to the NASA Administrator, along with the concurrence of the Chief, Safety and Mission Assurance, no later than 4 months before launch and request nuclear launch safety approval from the NASA Administrator.

6.3.6.2 The NFSAM shall:

a. Make a preliminary assessment of the radiological risk and provide a written assessment to the program executive.

b. Develop and document, in consultation with the program executive, a mutually agreed upon schedule for nuclear launch safety analyses and review activities to be conducted to support a nuclear launch safety concurrence request.

c. Review the SAS and provide timely comments to the program in accordance with the mutually agreed upon schedule.

d. Notify OSTP of the planned launch as a part of the periodic report.

6.3.7 For launches with A2 mission multiples equal to or greater than 1000:

6.3.7.1 Program executives (in addition to requirements in paragraph 6.2 of this NPR) shall:

a. Request, in coordination with the Chief, Safety and Mission Assurance, the NASA Administrator to empanel an ad hoc INSRP for the mission.

b. Factor the time required for an INSRP into the program master schedule.

c. Develop and document, in consultation with the NFSAM, the empanelled INSRP, the program, and the appropriate Department of Energy (DOE) offices (in accordance with interagency agreements for specific missions), a schedule for the delivery of a Safety Analysis Report (SAR), using a phased approach, with the complete final SAR being delivered no later than 10 months prior to launch.

Note: The mutually agreed upon schedule should address the planned analysis schedule, base assumptions, analysis limitations/bounds, and model descriptions associated with the SAR development. Interim reviews should be held for all individual analyses before completion and to provide a status of analyses as of a given date.

d. Prepare or have prepared a SAR.

Note: The level of detail and content of the SAR will be commensurate with the mission radiological risk. In cases where the DOE provides the radioactive material, the DOE programmatic SAR may be adopted to satisfy this requirement, in accordance with the interagency agreement(s) for specific missions. In cases where launch vehicles, configuration, and radioactive materials are similar, the program executive, in consultation with the NFSAM and the INSRP, is encouraged to use a comparative analysis based upon previous mission(s) safety analyses that bound the anticipated risk for the new mission. Where radioactive materials are being provided from multiple sources, the program executive may provide a single or multiple SAR document(s) to best meet this requirement.

The program executive is encouraged to begin coordination with the empanelled ad hoc INSRP in the early stages of mission development. The program executive should invite the INSRP to review the development of launch and mission accident scenarios, probabilities of occurrence, dispersion, specification of associated environments, and health effects via documentation and program safety reviews. The INSRP normally reviews and evaluates all program documentation associated with radioactive material safety for completeness and defensibility. The INSRP evaluation is documented in a Safety Evaluation Report (SER). The INSRP is normally assisted in its evaluation effort by expert consultants in various specialized areas from a number of Government agencies, national laboratories, industry, and academia.

e. Deliver the agreed iterations of the SAR to the INSRP according to the documented schedule (Requirement).

6.3.7.2 Following the approval by the NASA Administrator to empanel an INSRP, the NASA INSRP Coordinator shall, in accordance with paragraph 6.2.7, facilitate the preparation of an INSRP-developed SER of the radiological risk for the proposed nuclear mission as required by PD/NSC-25.

Note: The SER should typically be completed no later than 6 months prior to launch. The SER, along with the final SAR and other related documents, are considered by the NASA Administrator before requesting nuclear launch safety approval in accordance with PD/NSC-25.

6.3.8 For orbiting spacecraft being resupplied or modified in which the U.S. Government is the lead (e.g., International Space Station) and the A2 mission multiple is equal to 10 but less than 1000:

6.3.8.1 Program executives shall:

a. Request a nuclear launch safety approval from the NFSAM.

b. Perform a safety analysis to the level of detail defined in paragraph 6.3.6 of this NPR.

c. Meet the launch concurrence/approval requirements defined in paragraph 6.3.6 of this NPR.

6.3.8.2 The NFSAM shall conduct reviews as defined in paragraph 6.3.6 of this NPR.

6.3.9 For orbiting spacecraft being resupplied or modified in which the U.S. Government is the lead (e.g., International Space Station) and the A2 mission multiple exceeds 1000:

6.3.9.1 Program executives shall:

a. Request a nuclear launch safety approval from the NFSAM.

b. Perform a safety analysis to the level of detail defined in paragraph 6.3.7 of this NPR.

c. Meet the launch concurrence/approval requirements defined in paragraph 6.3.7 of this NPR.

6.3.9.2 The NFSAM shall:

a. Advise the program executive concerning a request to the NASA Administrator to empanel an INSRP as per paragraph 6.2.2 of this NPR.

b. Coordinate a safety evaluation as defined in paragraph 6.3.7.1 of this NPR.

6.4 Report Requirements

6.4.1 Nuclear launch safety analyses (e.g., SAS, SAR) and evaluation (e.g., SER) are described in previous paragraphs.

6.4.2 Radioactive Materials Report

6.4.2.1 NASA program executives, Center Directors, facility managers, laboratory managers, and launch and landing site managers shall:

a. Use the Radioactive Materials On-Board Report shown in Figure 6.2 to report planned launches of radioactive materials and request for nuclear launch concurrence/approval.

b. Ensure that entries are made for each isotopic source for planned launch and resupplying missions.

Note: Isotopes of similar size, chemical form, and activity level may be combined on a single line entry.

6.4.2.2 The NFSAM shall use the format of the Radioactive Materials On-Board Report shown in Figure 6.2 for the periodic report to notify OSTP of planned launches.

Note: Figure 6.2 shows the format for the reports for planned launch and for resupplying radioactive materials to on-orbit spacecraft.

Isotope | Date Arrived On-Board | Number of Sources | Total Activity at Arrival (Ci) | Isotope Half-life | Activity as of Mission Start (Ci) | A2 Limit for Isotope (Ci) | Current A2 Multiple for Each Isotope Source | Remarks
(Use one line for each isotope type, size, form, and arrival date)
(Use one line to sum the A2 mission multiples for the spacecraft)

Figure 6.2 Radioactive Materials On-Board Report

Note: The Activity and Radioactive Material Limits table is located in Appendix D.


CHAPTER 7. Safety Training and Personnel Certification

7.1 Purpose

This chapter describes the requirements for establishing safety training programs and the minimum training certification levels necessary for personnel involved in potentially hazardous NASA operations. Much of this training is available on the Internet. Instructor-based courses are available through the NASA Safety Training Center (NSTC). The NSTC can be reached by telephone at (281) 244-1284. This chapter also references Personnel Reliability Program (PRP) requirements that may be imposed for certain mission-critical job functions.

7.2 Responsibilities

7.2.1 Mission Directorate Associate Administrators, Center Directors, project managers, and line managers shall provide training to assist managers/supervisors and employees with their specific roles and responsibilities in safety programs.

Note: EO 12196, Occupational Safety and Health Programs for Federal Employees, dated February 26, 1980, as amended, and 29 CFR 1960, Subpart H, Training, require that NASA establish comprehensive safety training programs. See NPR 8715.1, NASA Occupational Safety and Health Programs.

7.2.2 The Chief, Safety and Mission Assurance, shall:

a. Assist Center counterparts in ensuring that 29 CFR Part 1960, Basic Program Elements for Federal Employees, Occupational Safety and Health Programs, and Related Matters, requirements are followed.

b. Ensure Agency-wide consistency and uniformity in the NASA safety training program.

c. Act as a clearinghouse for information regarding available safety training courses and materials.

d. Develop, in conjunction with the Training and Development Division at NASA Headquarters, training courses suited to specific Agency safety needs.

e. Co-develop, in conjunction with the OCHMO at NASA Headquarters, training courses and materials in areas of overlapping regulatory or programmatic responsibility.

Note: Safety forms and reports are retained per NPR 1441.1, NASA Records Retention Schedules.

7.2.3 Center training and personnel development offices and safety offices shall be jointly responsible for:

a. Determining safety and certification training needs.

b. Overseeing training efforts.

c. Identifying budget requirements for training.

d. Developing training courses and materials.

e. Assuring that training records reflect employee safety training.

7.3 Planning and Implementation of the Safety Training Program

7.3.1 Center Directors shall:

a. Formulate and document a comprehensive safety training program (see Figure 7.1 below) at their Center.

b. Develop and maintain a Center Safety Training Plan.

c. Ensure that all persons engaged in physical work are instructed in accident prevention and fully informed of the hazards involved.

d. Ensure that training for all persons engaged in electrical work includes first-aid procedures and cardiopulmonary resuscitation.

e. Ensure that personnel at risk of exposure to cryogenic liquids receive training in correct first aid measures for these liquids.

f. Provide system safety training to meet the needs of programmatic activities.

g. Ensure that software safety personnel and project/program lead software safety analysts are trained to NASA-STD-8719.13, Software Safety Standard, and NASA-STD-8739.8, Software Assurance Standard.

Figure 7.1. Considerations for Developing a Safety Training Program for all Employees

  • Identification of OSHA, National Fire Protection Association (NFPA), FAA, EPA, emergency actions and contingency responses, and other appropriate training requirements and guidelines.
  • Identification of employee training groups within the Center population and determination of present training levels.
  • Identification of specific tasks, hazardous conditions, or specialized processes and equipment encountered by employees that would require safety training; e.g., certification training, cryogenic liquid carrier driver, hazardous waste operations.
  • Documentation for safety training program, including written training syllabi, course objectives, and lesson plans (lesson objectives, measurable desired learning outcomes, and formal evaluation instruments).
  • Identification and documentation of the planned training to be given to each employee category and the intended approach (e.g., course, literature).
  • Determination of the availability of safety training resources. A lack of a specific training resource may require the development of specialized training course materials.
  • Published training schedules.
  • Review and evaluation of training needs and schedules, and revision when necessary.
  • Hazard recognition training.
  • Training for safety committee members.

h. Ensure that operators of motorized equipment (including motor vehicles) have formal initial training, consisting of both classroom and operational testing, if operating the motorized equipment involves skills beyond those associated with normal, everyday operation of private motor vehicles, to assure operator proficiency.

i. Ensure that operators of motorized equipment have periodic refresher training and testing, as determined by the safety office, if operating the motor vehicle requires skills beyond those associated with normal, everyday operation of private motor vehicles.

j. Annually review operations being performed at their Center to ensure that the implemented safety training program is working effectively and to identify and include training for jobs that are potentially hazardous in addition to the mandatory listing in paragraph 7.4.5.

Note: Employee safety committees, employee representatives, and other interested groups should be provided an opportunity to assist in the hazardous job identification process.

7.3.2 Center subject matter experts shall review NASA training materials at least annually and update materials as needed when regulatory agencies or changes in NASA policy documents generate technical changes.

7.3.3 Center SMA Directors shall maintain a current copy of the Center Safety Training Plan.

7.4 Personnel Safety Certification Programs for Potentially Hazardous Operations and Materials

7.4.1 Mission Directorate Associate Administrators, Center Directors, project managers, and line managers shall ensure that:

a. Personnel who perform or control hazardous operations or use or transport hazardous material have been trained and certified with the necessary knowledge, skill, judgment, and physical ability (if specified in the job classification) to do the job safely.

Note: Many NASA operations involve hazardous materials or chemicals, technology, or systems with potential hazards to life, the environment, or property.

b. Personnel obtain hazardous operation safety certification for those tasks that potentially have an immediate danger to the individual (death/injury to self) if not done correctly, or could create a danger to other individuals in the immediate area (death or injury), or are a danger to the environment.

Note: Detailed training and certification requirements may be found in specific NASA Standards; e.g., NASA-STD-8719.9, Standard for Lifting Devices and Equipment, or NASA-STD-8719.12, Safety Standard for Explosives, Propellants and Pyrotechnics.

c. All contractor personnel engaged in potentially hazardous operations or hazardous material handling are certified via a process similar to that for NASA personnel.

7.4.2 Center SMA Directors shall develop required safety certification programs for their Center.

7.4.3 Medical offices and cognizant health officials shall:

a. Determine the need for physical and medical examinations including their depth, scope, and frequency to support certification requirements.

b. Be responsible for medical certification in health hazard and related activities.

c. Oversee or conduct required personnel medical examinations in support of the safety certification effort.

d. Ensure that physical and medical examinations to support certification requirements are in compliance with OSHA and other Federal, State, and local agency applicable codes, regulations, and standards covering the occupation or environment including medical monitoring and recordkeeping requirements.

Note: The need for fitness-for-duty examinations should be based on the hazardous consequences of the employee's inability to perform the job correctly due to physical or mental deficiencies.

7.4.4 Line managers shall manage the certification program for their employees and contractors in accordance with procedures in this NPR.

7.4.5 Hazardous Operations Requiring Safety Certification.

Note: This list is not all-inclusive; other safety certification requirements are found in other NASA requirement documents.

7.4.5.1 Center SMA Directors or their designees shall ensure:

a. Flight crew member certification (FAA licensing may not be sufficient).

b. Firefighter certification.

c. Propellant and explosives user certification per NSS 1740.12.

d. Propellant and explosives handler certification per NSS 1740.12.

e. Rescue personnel certification.

f. Self-contained breathing apparatus user certification.

g. Self-contained underwater breathing apparatus user certification.

h. High-voltage electrician certification that adheres to NASA and State/local requirements.

i. Altitude chamber operator certification.

j. High-pressure liquid/vapor/gas system operator certification.

k. Hyperbaric chamber operator certification.

l. Tank farm worker certification.

m. Wind tunnel operator certification.

n. Welder certification.

o. Laser operator/maintenance personnel certification.

p. Centrifuge operator certification.

q. Range safety officer certification.

r. Crane operator certification.

s. Certification for riggers for hoisting operations.

t. Heavy equipment operator certification.

u. Confined space entry personnel certification.

v. Certification for lockout/tagout personnel.

w. Certification for individuals involved strictly with the handling, transport, or packaging of hazardous materials that will not otherwise disturb the integrity of the basic properly-packaged shipping container that holds the hazardous material.

Note: Operations that involve the reduction of palletized or otherwise combined items of packaged hazardous materials qualify as handling.

Center safety officials or their designees may require additional hazardous operations safety certifications.

7.4.5.2 Center SMA Directors who certify individuals to perform or control hazardous operations, or to use or transport hazardous material, shall ensure the individuals possess the necessary knowledge, skill, judgment, and physical ability to do the job in a safe and healthful manner.

7.4.6 Certification Requirements.

7.4.6.1 Center training and personnel development offices and safety offices shall ensure that hazardous operations certification and hazardous material handler certification include as a minimum:

a. A physical examination (see paragraph 7.4.3).

b. Initial training (classroom, online, and/or on-the-job).

Note: The level and structure of training is established according to the hazards of the job being performed.

c. A written examination to determine adequacy and retention of training.

d. Periodic refresher training as determined by the Center safety official, including review of emergency response procedures.

e. A recertification period as determined by the Center safety official in the absence of any local, State, or Federal requirements (but not to exceed a 4-year interval).

f. Applicable requirements of 29 CFR Part 1910, Occupational Safety and Health Standards (Requirement).

g. Specific training in the Federal, NASA, and local rules for preparing, packaging, marking, and transporting hazardous material and/or equipment operation associated with the job.

7.4.6.2 Center training and personnel development offices and Center safety offices shall ensure that drivers or operators of vehicles transporting hazardous materials are instructed in the specific hazards of the cargo or material in their vehicle and the standard emergency and first-aid procedures that should be followed in the event of a spill or exposure to the hazardous material.

Note: Training requirements can be found in 29 CFR Part 1910, Occupational Safety and Health Standards, and 49 CFR Part 177, Carriage by Public Highway.

7.4.6.3 Mission Directorate Associate Administrators, Center Directors, project managers, and supervisors shall ensure that:

a. Personnel who are hazardous-operations-safety-certified or hazardous-material-handler-certified are identified through the issuance of a card, license, or badge (to be immediately available) or a listing on a personnel certification roster or database.

b. Personnel certification rosters indicate the name, date, materials or operations for which certification is valid, name of certifying official, and date of expiration.

7.5 Mission Critical Personnel Reliability Program (PRP)

7.5.1 The Director of each NASA installation shall designate mission critical areas for the Space Shuttle and other critical systems including the International Space Station, designated ELVs, designated payloads, Shuttle Carrier Aircraft, and other designated resources that provide access to space.

7.5.2 Personnel having unescorted access to these areas shall meet the suitability, qualification, and screening provisions detailed in 14 CFR Part 1214.5, Space Flight: Mission Critical Systems Personnel Reliability Program: Screening Requirements (Requirement).

7.5.3 Mission Directorate Associate Administrators, Center Directors, project managers, supervisors, COs, and COTRs shall ensure that contracts cover mission critical operations or areas referenced by 48 CFR Part 1852.246-70, NASA FAR Supplement, Mission Critical Space System Personnel Reliability Program.

7.6 Hazardous Materials and Chemicals Risk Information

7.6.1 Mission Directorate Associate Administrators, Center Directors, project managers, and supervisors shall ensure that:

a. The risks of all hazardous chemicals produced or imported are evaluated and included in their safety training and certification program.

b. Information involving the risk of all hazardous chemicals is made available to all employees in accordance with 29 CFR Part 1910.1200.

7.7 Exclusions

7.7.1 This chapter does not apply to personnel engaged in operations that already require skill certification by quality assurance organizations, such as soldering, brazing, welding, crimping, potting, or to personnel performing inspections using dye penetrant, magnetic particle, ultrasonic, radiograph, and magnaflux.

7.7.2 Certification of equipment and facilities is not within the scope of this chapter but may be as important as personnel certification in relation to safety. Information concerning equipment and facilities certification for operational readiness is found in Chapters 6, 8, and 9.

7.7.3 This chapter shall not be used as a justification for allowing hazardous duty payments, environmental differential pay, or premium pay, nor will the fact that a job qualifies for hazardous duty pay imply that it is covered by this chapter. It has always been NASA safety policy to make all operations as safe as possible. Hazard duty pay differentials are covered in 5 CFR Part 532, Prevailing Rate Systems, and 5 CFR Part 550, Pay Administration (General).


CHAPTER 8. Facility Safety Management

8.1 Purpose

8.1.1 The purpose of this chapter is to ensure that specific requirements relating to operational and facility hazards during the construction, activation, operations, and disposal stages are considered during the earlier life-cycle phases of project development and planning. The goal is to reduce the occurrence and impact of these hazards. These requirements should be considered with equal weight as functional project objectives to ensure that appropriate resources are allocated for safe facility management over the facility's entire life cycle.

8.1.2 This chapter establishes procedural requirements for the safety and mission success of NASA facilities throughout their life cycle, consistent with the requirements of the NASA Facilities and Real Estate Division (including NPD 8820.2, NPR 8820.2, and NPR 8831.2). NASA's unique facility needs call for a wide spectrum of compliance methods for facilities-related safety over the life cycle. This life cycle includes: Project Development and Planning, Design, Construction, Activation, Operations, and Disposal. Field Centers may tailor the overall Facility Safety Management Process to meet their unique needs. This chapter outlines programmatic requirements and identifies where more specific life-cycle-dependent requirements may be found.

8.1.3 NPR 8820.2, Facility Project Requirements, provides requirements for incorporating safety into project design criteria during the Project Development and Planning Phase. Safety tasks for each facility during each life-cycle phase include those appropriate to the size and complexity of the project, the nature of operations active in the facility, and the associated risks. These tasks will vary from project to project based upon risk management. Minimum required safety tasks to be accomplished during construction, operation, maintenance, and final disposition of a facility are documented in accordance with NPR 8820.2, Facility Project Requirements.

8.1.4 It is not the intent of this chapter to require upgrades to existing facilities merely because new editions of codes and standards are published. All Federal facilities will comply with nationally recognized consensus codes in accordance with 40 U.S.C. §3312. The edition of the model code and its referenced standards, which is formally adopted at the start of the design life-cycle phase, governs through the activation life-cycle phase and, ultimately, to beneficial occupancy. Operation of the facility beyond that point will meet the requirements established within the Facility Safety Management Process and the facility's certificate of occupancy.

8.2 Facility Safety Requirements

8.2.1 When planning facility safety, Center Directors shall:

a. Establish project- or program-specific requirements that ensure safety to Center personnel, the public, and mission assurance using risk-informed decision tools.

Note: Consult NASA-STD-8719.7, Facility System Safety Guidebook, for tools and techniques applicable to facility safety management.

b. Ensure new facilities or portions of facilities undergoing renovations meet applicable national consensus codes in effect at the time of the renovations.

Note: Renovations are any facility modifications controlled by a design review process similar to what is modeled in NASA-STD-8719.7, Facility System Safety Guidebook.

8.2.2 Throughout the facility life cycle, Center Directors shall:

a. Comply with facility safety requirements.

b. Designate an organization responsible for facility safety management independent from the specific facility management.

c. Identify, track, and resolve hazardous conditions at the earliest possible life-cycle phase to appropriately mitigate risk to personnel and mission success.

Note: Early hazard identification and resolution also provide the greatest opportunity to minimize the cost and need for a retrofit program.

d. Provide qualified fire protection and safety personnel to review all proposed NASA-owned, controlled, or operated facility configuration changes and construction work change orders that have a potential to impact fire protection, safety, or health including building codes and standards.

Note: This does not preclude the use of checklists and other guidelines to assist the project in determining the potential impact to fire protection, safety, or health and necessary risk management requirements.

e. Include a safety representative and a health representative in inspection and review efforts (operational readiness inspection, operational readiness review, test readiness review, pre-final inspection, and final inspection).

f. Document, resolve, and control all facility safety and health issues prior to acceptance, activation, and operation.

g. Comply with EM 385-1-1, U.S. Army Corps of Engineers, Safety and Health Requirements or local Center requirements, whichever are most stringent, for construction undertaken at NASA sites and facilities.

8.3 Facility Manager

8.3.1 To facilitate line management implementation of facility safety, Center Directors shall:

a. Appoint an individual for each facility to oversee proper operation of the facility.

Note: This role may be a full-time or collateral duty as determined by Center management. In addition, a safety coordinator may be appointed to assist the manager as deemed necessary.

b. Document the authority delegated to each of these individuals and provide for safety support, as needed, based on risk to facilities, personnel, and the NASA Mission.

Note: The Center safety office will interface with these individuals to ensure proper safety program implementation.

Chapter 9. Safety and Risk Management for NASA Contracts

9.1 Purpose

This chapter provides the procedural requirements for assuring that NASA contractors have effective safety and risk management programs. This chapter provides requirements for NASA officials with responsibility for assuring safety under NASA contracts.

9.2 Applicability and Scope

9.2.1 When NASA activities include contractor involvement, Center Directors and project managers shall include contractors in the NASA Safety Program.

9.2.2 Center SMA Directors, project managers, COs, and COTRs shall ensure that NASA contracts are written to hold contractors accountable for the safety of their employees, their services, their products, and for complying with NASA and Center safety requirements.

9.3 Authority and Responsibility

9.3.1 Project managers shall:

a. Work with cognizant safety officials to develop and approve safety requirements and objectives for efforts to be contracted, and advise COs and COTRs of specific safety concerns or issues related to contract performance.

b. Ensure that the application of the requirements in Chapter 2 of this NPR is specified in related contracts, memoranda of understanding, and other documents for joint ventures between NASA and other parties including commercial services, interagency efforts, and international partnerships.

c. Ensure that NASA responsibilities are specified in contracts, memoranda of understanding, and other documents for joint ventures between NASA and other parties including commercial services, interagency efforts, and international partnerships.

d. Ensure that contracts contain safety, mission success, and risk management requirements for design, development, fabrication, test, and the operations of systems, equipment, and facilities in consultation with Center SMA Directors.

e. Use the software safety requirements in NASA-STD-8719.13, Software Safety Standard, and NASA-STD-8739.8, Software Assurance Standard, as the basis for contracts, memoranda of understanding, and other documents related to software.

f. Provide specific safety tasks to the CO for incorporation into contracts.

g. Define the surveillance of contractor safety matters with respect to the nature of the procurement.

h. Ensure that performance-based contracts have a surveillance plan.

9.3.2 System Safety Managers, COs, and COTRs shall:

a. Develop safety requirements and objectives that are clearly delineated in contract specifications in conjunction with project officials.

b. Establish safety performance as an element to be evaluated in contracts with fee plans.

c. Require copies of MSDS for new hazardous materials as requested by the local NASA safety office.

d. Participate in onsite visits and pre-bid conferences to ensure potential bidders understand safety provisions.

e. Review, comment, and approve (or disapprove) the contractors' safety risk assessment, submitted in response to paragraph 9.3.3, before the start of any hazardous deliverable work or support operations.

f. Coordinate any matter regarding proposed requests for relief to safety requirements of 48 CFR Part 1823.70, Safety and Health, with the OSMA or designated representative.

g. Implement NPR 5100.4, Federal Acquisition Regulation Supplement (NASA FAR Supplement).

h. Implement 48 CFR Parts 1807, Acquisition Planning; 1823, Environment, Energy and Water Efficiency, Renewable Energy Technologies, Occupational Safety, and Drug-Free Workplace; 1842, Contract Administration and Audit Services; and 1846, Quality Assurance.

9.3.3 COs or the COTR shall ensure the contractors' safety risk assessments are developed and provided to NASA for approval before the start of any hazardous deliverable work or support operations.

9.3.4 System Safety Managers shall:

a. Assist the CO and COTR in evaluating the prospective contractor's safety record and safety program.

b. Assist the CO and COTR in applying any special safety provisions to grants or cooperative agreements (see paragraph 2.7).

c. During the pre-award phase of acquisition, develop, document and provide to the CO criteria for the safety performance elements to be evaluated in contracts with fee plans in a timely manner to ensure inclusion in the solicitation.

9.4 Requirements

9.4.1 COs and COTRs shall:

a. Ensure contract solicitations require the submission of safety and risk management documentation (e.g., corporate safety policies, implementation procedures, safety performance experience, Experience Modification Rates, Worker Compensation Claims, and mishap rates by North American Industrial Classification System (NAICS) codes, and draft program planning documents, such as safety and health plans and risk management plans) as provided by the Center's SMA Organization. (See Appendix E and Appendix F for more information to ensure that solicitation instructions include the requirements outlined in both Appendices.)

b. Ensure contract solicitations include the evaluation of safety and risk management documentation (e.g., corporate safety policies, implementation procedures, safety performance experience, Experience Modification Rates, Worker Compensation Claims, and mishap rates by NAICS codes) and draft program planning documents, such as safety and health plans and risk management plans as a factor for evaluating bids (Requirement). (See Appendix E and Appendix F for more information.)

c. Ensure that safety and risk management evaluation criteria and solicitation instructions are developed in conjunction with responsible project personnel and Center SMA organization representatives (Requirement). (See Appendix E and Appendix F for more information.)

9.4.2 Center SMA Directors shall:

a. Brief all onsite contractors on local safety requirements to include incident and accident reporting, emergency evacuation procedures, fire reporting, medical emergency notification and response actions, hazardous material spill reporting and response, site entry/exit procedures, and hot work permit requirements before contract performance begins and at least annually thereafter.

b. Document the onsite contractor briefings.

c. Inform the onsite contractor of any adjacent NASA and any other contractor operations that could pose a hazard to their operation and employees.

d. Assist the program or project manager or other responsible official in implementing contractor safety surveillance and evaluation programs.

e. During the pre-award phase of acquisition, develop, document, and provide to the CO safety, mission success, and risk management requirements for design, development, fabrication, test, and the operations of systems, equipment, and facilities in a timely manner to ensure inclusion in the solicitation.

f. During the pre-award phase of acquisition, develop, document, and provide to the CO a statement of work elements, evaluation criteria, and solicitation instructions requiring the submittal of safety and risk management documentation (e.g., corporate safety policies, implementation procedures, safety performance experience, and mishap rates by North American Industrial Classification System (NAICS) codes, and draft program planning documents, such as safety and health plans and risk management plans) in a timely manner to ensure inclusion in the solicitation.

g. Participate in the contractor selection and evaluation process providing support to the CO to ensure the proper evaluation of contractor proposal information (e.g., corporate safety policies, implementation procedures, safety performance experience, and mishap rates by NAICS codes) and draft program planning documents, such as safety and health plans and risk management plans, as a factor for evaluating bids.

9.4.3 Center SMA Directors, COs, and COTRs shall ensure that contracts include a provision to require the contractor to provide a written plan for mitigating risks from hazardous operations to adjacent and other contractors (Requirement 32098). (See Appendix E and Appendix F for more information.)

9.5 Access to NASA Facilities by State and Federal Compliance Safety and Health Officers

9.5.1 Unless exclusive Federal jurisdiction is claimed by Federal OSHA, Center Directors and project managers shall allow both Federal and State OSHA compliance safety and health officers and investigators to review and survey contractor operations and investigate contractor mishaps at NASA Centers.

Note: If the State does not have a Department of Labor-approved safety plan or the Center is under exclusive Federal jurisdiction, only Federal compliance officers shall have the right of access to NASA or contractor operations. Further access requirements for OSHA and National Institute of Occupational Safety and Health are provided in NPR 8715.1, NASA Occupational Safety and Health Programs.

9.5.2 Center Directors and project managers shall:

a. Notify the OSMA, the OCHMO, Occupational Health Division, and the Designated Agency Safety and Health Official (DASHO) of any OSHA (Federal or State) impending investigations.

b. Provide the results of Federal and State OSHA investigations to the OSMA, Safety Assurance and Requirements Division, the OCHMO, and the DASHO.

9.6 Contractor Citations

9.6.1 Center Directors and project managers shall ensure contractor organizations are accountable for providing their employees with safe working conditions regardless of where the employees are working.

Note: This provision is required by 5 U.S.C. § 7902; 29 U.S.C. § 651 et seq.; 49 U.S.C. § 1421, the Occupational Safety and Health Act of 1970, as amended, and therefore, it is the contractor's responsibility to submit a timely reply to any OSHA citation it receives. The contractor is responsible for settling citations issued against its operation unless specifically addressed in the contract.

9.7 Grants

9.7.1 Project managers that select research projects that could contain possible safety issues shall:

a. Identify the need for special safety conditions to be included in grants or cooperative agreement award documents.

Note: A "special safety condition" addressing safety should be included in grants and cooperative agreements when contract performance involves NASA facilities, Government-Furnished Equipment, or hazardous or energetic materials or chemicals that may pose a significant safety or health risk to the public, NASA employees, and contractor employees when used.

b. Identify special safety conditions that include provisions for applicable OSHA requirements and host institution and general industry-accepted practices to be followed during research to eliminate or control risks associated with implementing the grant or cooperative agreement.


Chapter 10. Reserved

The National Aeronautics and Space Act of 1958 (42 U.S.C. pt. 2458c), as amended in Section 309, authorized a developer of a reusable launch vehicle to request indemnification from NASA during testing/operations. Section 309(b)(2)(D) required a NASA safety review prior to the NASA Administrator granting any indemnification.

In 2010, Public Law 111-314 Section 3 relocated Section 309 to 51 U.S.C. pt. 20139 and added section f.1 which set a termination date of December 31, 2010 on the authority for NASA to grant new indemnification under this provision. As a result, Chapter 10 of this document has been withdrawn. Should a developer of a space flight system for NASA be granted the authority to request indemnification or insurance from NASA under federal law or federal regulation requiring the NASA Administrator's approval, then the program/project manager must contact the NASA Headquarters Office of Safety and Mission Assurance for the process needed to perform a safety review of such a request.

Chapter 11. Reserved

The content in this chapter on meteoroids has been moved to NPR 8715.6, NASA Procedural Requirements for Limiting Orbital Debris.

Definitions

Acceptable Risk: A level of risk, referred to a specific item, system or activity, that, when evaluated with consideration of its associated uncertainty, satisfies pre-established risk criteria.

Accident: A severe perturbation to a mission or program, usually occurring in the form of a sequence of events, that can cause safety adverse consequences, in the form of death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment.

Accident Prevention: Methods and procedures used to eliminate the causes that could lead to an accident.

Assessment: Review or audit process, using predetermined methods, that evaluates hardware, software, procedures, technical and programmatic documents, and the adequacy of their implementation.

Assurance: Providing a measure of increased confidence that applicable requirements, processes, and standards are being fulfilled.

Audit: Formal review to assess compliance with hardware or software requirements, specifications, baselines, safety standards, procedures, instructions, codes, and contractual and licensing requirements.

Availability: Measure of the percentage of time that an item could be used as intended.

Buddy System: An arrangement used when risk of injury is high, where personnel work in pairs, with one person in the pair stationed nearby, not directly exposed to the hazard, to serve as an observer to render assistance if needed.

Catastrophic: (1) A hazard that could result in a mishap causing fatal injury to personnel, and/or loss of one or more major elements of the flight vehicle or ground facility. (2) A condition that may cause death or permanently disabling injury, major system or facility destruction on the ground, or loss of crew, major systems, or vehicle during the mission.

Critical: A condition that may cause severe injury or occupational illness, or major property damage to facilities, systems, or flight hardware.

Critical Single Failure Point: A single item or element, essential to the safe functioning of a system or subsystem, whose failure in a life or mission essential application would cause serious program or mission delays or be hazardous to personnel.

Critical Software Command: A command that either removes a safety inhibit or creates a hazardous condition.

Deviation: An authorization for temporary relief in advance from a specific requirement, requested during the formulation/planning/design stages of a program/project operation to address expected situations. OSHA refers to this as an alternate or supplemental standard.

Emergency: Unintended circumstance bearing clear and present danger to personnel or property which requires an immediate response.

Emergency Egress: The capability for an unassisted crew to exit a vehicle and leave a hazardous situation within a specified amount of time.

Emergency Medical: The capability to respond to illness or injury in order to prevent fatality or permanent disability. This capability includes either an inherent local capability or the timely transfer to a place or vehicle that can provide a similar or higher level of medical care, or both.

Emergency Systems: A set of components (hardware and/or software) used to mitigate or control hazards which present an immediate threat to the crew or crewed spacecraft. Examples include fire suppression systems and extinguishers, emergency breathing devices, and crew escape systems.

Exception: An authorization for permanent relief from a specific requirement; it may be requested at any time during the life cycle of a program/project.

Exposure: (1) Vulnerability of a population, property, or other value system to a given activity or hazard; or (2) other measure of the opportunity for failure or mishap events to occur.

Factor of Safety (Safety Factor): Ratio of the design condition to the maximum operating conditions specified during design (see also Safety Margin and Margin of Safety).

Fail-Safe: Ability to sustain a failure and retain the capability to safely terminate or control the operation.

Failure: Inability of a system, subsystem, component, or part to perform its required function within specified limits.

Failure Mode: Particular way in which a failure can occur, independent of the reason for failure.

Failure Modes and Effects Analysis (FMEA): A bottom-up, systematic, inductive, methodical analysis performed to identify and document all identifiable failure modes at a prescribed level and to specify the resultant effect of the modes of failure. It is usually performed to identify critical single failure points in hardware. In relation to formal hazard analyses, FMEA is a subsidiary analysis.

Failure Tolerance: Built-in capability of a system to perform as intended in the presence of specified hardware or software failures.

Fault Tree: A schematic representation resembling an inverted tree that depicts possible sequential events (failures) that may proceed from discrete credible failures to a single undesired final event (failure). A fault tree is created retrogressively from the final event by deductive logic.

Fault Tree Analysis: An analysis that begins with the definition or identification of an undesired event (failure). The fault tree is a symbolic logic diagram showing the cause-effect relationship between a top undesired event (failure) and one or more contributing causes. It is a type of logic tree that is developed by deductive logic from a top undesired event to all sub-events that must occur to cause it.

Flight Hardware: Hardware designed and fabricated for ultimate use in a vehicle intended to fly.

Functional Redundancy: A situation where a dissimilar device provides safety backup rather than relying on multiple identical devices.

Ground Support Equipment: Ground-based equipment used to store, transport, handle, test, check out, service, and control aircraft, launch vehicles, spacecraft, or payloads.

Hazard: A state or a set of conditions, internal or external to a system, that has the potential to cause harm.

Hazard Analysis: Identification and evaluation of existing and potential hazards and the recommended mitigation for the hazard sources found.

Hazard Control: Means of reducing the risk of exposure to a hazard.

Hazardous Material: Defined by law as "a substance or materials in a quantity and form which may pose an unreasonable risk to health and safety or property when transported in commerce" (49 U.S.C. § 5102, Transportation of Hazardous Materials; Definitions). The Secretary of Transportation has developed a list of materials that are hazardous which may be found in 49 CFR Part 172.101. Typical hazardous materials are those that may be highly reactive, poisonous, explosive, flammable, combustible, corrosive, radioactive, produce contamination or pollution of the environment, or cause adverse health effects or unsafe conditions.

Hazardous Operation/Work Activity: Any operation or other work activity that, without implementation of proper mitigations, has a high potential to result in loss of life, serious injury to personnel or public, or damage to property due to the material or equipment involved or the nature of the operation/activity itself.

Hazardous Operation Safety Certification: Certification required for personnel who perform those tasks that potentially have an immediate danger to the individual (death/injury) if not done correctly, could create a danger to other individuals in the immediate area (death or injury), and present a danger to the environment.

Independent Verification and Validation: Test and evaluation process by an independent third party.

Inhibit: Design feature that prevents operation of a function.

Interlock: Hardware or software function that prevents succeeding operations when specific conditions are satisfied.

Margin of Safety: Deviation of the actual (operating) factor of safety from the specified factor of safety. Can be expressed as a magnitude or percentage relative to the specified factor of safety.

Mission Assurance: Providing increased confidence that applicable requirements, processes, and standards for the mission are being fulfilled.

Mission Critical: Item or function that must retain its operational capability to assure no mission failure (i.e., for mission success).

Mission Success: Meeting all mission objectives and requirements for performance and safety.

NASA Safety Standard (NSS): A NASA safety document that requires conditions, or the adoption or use of one or more practices, means, methods, operations, or processes reasonably necessary or appropriate to provide for safe employment and places of operation. The document is promulgated by the NASA Office of Safety and Mission Assurance and implemented and enforced by the Center Safety and Mission Assurance organizations.

Nuclear Flight Safety Assurance Manager (NFSAM): The person in the Office of Safety and Mission Assurance responsible for assisting the project offices in meeting the required nuclear launch safety analysis/evaluation.

Occupational Safety and Health Administration (OSHA): The Federal agency which promulgates and enforces workplace safety regulations and guidance.

Operability: As applied to a system, subsystem, component, or device, the capability of performing its specified function(s), including the capability of performing its related support function(s).

Operational Safety: That portion of the total NASA safety program dealing with safety of personnel and equipment during launch vehicle ground processing, normal industrial and laboratory operations, use of facilities, special high hazard tests and operations, aviation operations, use and handling of hazardous materials and chemicals from a safety viewpoint.

Oversight/Insight: The transition in NASA from a strict compliance-oriented style of management to one which empowers line managers, supervisors, and employees to develop better solutions and processes.

Precursor: An occurrence of one or more events that have significant failure or risk implications.

Pressure Vessel: Any vessel used for the storage or handling of a fluid under positive pressure. A pressure system is an assembly of components under pressure; e.g., vessels, piping, valves, relief devices, pumps, expansion joints, gages.

Probabilistic Risk Assessment (PRA): A PRA is a comprehensive, structured, and logical analysis method aimed at identifying and assessing risks in complex technological systems for the purpose of cost-effectively improving their safety and performance in the face of uncertainties. PRA assesses risk metrics and associated uncertainties relating to likelihood and severity of events adverse to safety or mission.

Programs: For the purposes of this NPR the term "programs" shall be interpreted to include programs, projects, and acquisitions.

Quality: The composite of material attributes including performance features and characteristics of a product or service to satisfy a given need.

Radiological Control Center (RADCC): A temporary information clearinghouse established on an as-needed basis to coordinate actions that could be required for mitigation, response, and recovery of an incident involving the launching of nuclear material.

Range Safety: Application of safety policies, principles, and techniques to ensure the control and containment of flight vehicles to preclude an impact of the vehicle or its pieces outside of predetermined boundaries from an abort which could endanger life or cause property damage. Where the launch range has jurisdiction, prelaunch preparation is included as a safety responsibility.

Redundancy: Use of more than one independent means to accomplish a given function.

Reliability: The probability that a system of hardware, software, and human elements will function as intended over a specified period of time under specified environmental conditions.

Reliability Analysis: An evaluation of reliability of a system or portion thereof. Such analysis usually employs mathematical modeling, directly applicable results of tests on system hardware, estimated reliability figures, and non-statistical engineering estimates to ensure that all known potential sources of unreliability have been evaluated.

Residual Risk: The level of risk that remains after applicable safety-related requirements have been satisfied. In a risk-informed context, such requirements may include measures and provisions intended to reduce risk from above to below an acceptable level.

Risk: The combination of (1) the probability (qualitative or quantitative) of experiencing an undesired event, (2) the consequences, impact, or severity that would occur if the undesired event were to occur and (3) the uncertainties associated with the probability and consequences.

Risk Management: An organized, systematic decision-making process that efficiently identifies, analyzes, plans, tracks, controls, communicates, and documents risk to increase the likelihood of achieving project goals.

Risk (Safety) Assessment: Process of qualitative risk categorization or quantitative risk (safety) estimation, followed by the evaluation of risk significance.

Safety: Freedom from those conditions that can cause death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment. In a risk-informed context, safety is an overall mission and program condition that provides sufficient assurance that accidents will not result from the mission execution or program implementation, or, if they occur, their consequences will be mitigated. This assurance is established by means of the satisfaction of a combination of deterministic criteria and risk criteria.

Safety Analysis: Generic term for a family of analyses, which includes but is not limited to, preliminary hazard analysis, system (subsystem) hazard analysis, operating hazard analysis, software hazard analysis, sneak circuit, and others.

Safety Analysis Report (SAR): A safety report of considerable detail prepared by or for the program detailing the safety features of a particular system or source.

Safety Analysis Summary (SAS): A brief summary of safety considerations for minor sources; a safety report of less detail than the SAR.

Safety Assurance: Providing confidence that acceptable risk for the safety of personnel, equipment, facilities, and the public during and from the performance of operations is being achieved.

Safety Critical: Term describing any condition, event, operation, process, equipment, or system that could cause or lead to severe injury, major damage, or mission failure if performed or built improperly, or allowed to remain uncorrected.

Safety Device: A device that is part of a system, subsystem, or equipment that will reduce or make controllable hazards which cannot be otherwise eliminated through design selection.

Safety Evaluation Report (SER): A safety report prepared by the INSRP detailing the INSRP's assessment of the nuclear safety of a particular source or system based upon INSRP's evaluation of the program-supplied SAR and other pertinent data.

Safety Margin: Difference between as-built factor of safety and the ratio of actual operating conditions to the maximum operating conditions specified during design.

Safety Oversight: Maintaining functional awareness of program activities on a real-time basis to ensure risk acceptability.

Safety Program: The implementation of a formal comprehensive set of safety procedures, tasks, and activities to meet safety requirements, goals, and objectives.

Serious: When used with "hazard," "violation," or "condition," denotes there is a substantial probability that death or serious physical harm could result.

Single Failure Point: An independent element of a system (hardware, software, or human) the failure of which would result in loss of objectives, hardware, or crew.

Software Hazard Analysis: Identification and verification of adequate software controls and inhibits; and the identification, analysis, and elimination of discrepancies relating to safety critical command and control functions.

System Safety: Application of engineering and management principles, criteria, and techniques to optimize safety and reduce risks within the constraints of operational effectiveness, time, and cost throughout all phases of the system life cycle.

System Safety Manager: A designated management person who, qualified by training and/or experience, is responsible to ensure accomplishment of system safety tasks.

Vacuum System: An assembly of components under vacuum, including vessels, piping, valves, relief devices, pumps, expansion joints, gages, and others.

Validation: (1) An evaluation technique to support or corroborate safety requirements to ensure necessary functions are complete and traceable; or (2) the process of evaluating software at the end of the software development process to ensure compliance with software requirements.

Variance: An authorization for temporary relief in advance from a specific requirement, requested during the formulation/planning/design stages of a program/project operation to address expected situations.

Verification (Software): (1) The process of determining whether the products of a given phase of the software development cycle fulfill the requirements established during the previous phase (see also validation); or (2) formal proof of program correctness; or (3) the act of reviewing, inspecting, testing, checking, auditing, or otherwise establishing and documenting whether items, processes, services, or documents conform to specified requirements.

Waiver: A variance that authorizes departure from a specific safety requirement where a certain level of risk has been documented and accepted.


APPENDIX B: Acronyms

AFB Air Force Base
AFOSH Air Force Occupational Safety and Health
AHJ Authority Having Jurisdiction
ANSI American National Standards Institute
ASAP Aerospace Safety Advisory Panel
CFR Code of Federal Regulations
CMOR Canadian Meteor Orbit Radar
CO Contracting Officer
CoF Construction of Facilities
COTR Contracting Officers Technical Representative
DASHO Designated Agency Safety and Health Official
DoD Department of Defense
DOE Department of Energy
DOT Department of Transportation
EAV Experimental Aeronautical Vehicle
ELV Expendable Launch Vehicle
EPA Environmental Protection Agency
ESO Explosive Safety Officer
FAA Federal Aviation Administration
FAR Federal Acquisition Regulation
FED-STD Federal Standard
FMEA Failure Modes and Effects Analysis
GAO General Accountability Office
GSE Government Supplied Equipment
HOP Hazardous Operating Procedure or Hazardous Operating Permit
IAEA International Atomic Energy Agency
IAOP Inter-Center Aircraft Operations Panel
INSRP Interagency Nuclear Safety Review Panel
IV&V Independent Verification and Validation
JPL Jet Propulsion Laboratory, a Federally Funded Research Development Center
KHB Kennedy Handbook
LED Light Emitting Diode
LLIS Lessons Learned Information System
MSDS Material Safety Data Sheet
NAICS North American Industrial Classification System
NASA National Aeronautics and Space Administration
NASA SP NASA Special Publication
NASA-STD NASA Standard
NASA TM NASA Technical Memorandum
NEPA National Environmental Policy Act
NFPA National Fire Protection Association
NFS NASA FAR Supplement
NFSAM Nuclear Flight Safety Assurance Manager
NIOSH National Institute of Occupational Safety and Health
NPD NASA Policy Directive
NPR NASA Procedural Requirements
NSRS NASA Safety Reporting System
NSS NASA Safety Standard
NSTC NASA Safety Training Center
NSTS National Space Transportation System
OCE Office of the Chief Engineer
OCHMO Office of the Chief Health and Medical Officer
OD Orbital Debris
OPR Office of Primary Responsibility
OSHA Occupational Safety and Health Administration
OSMA Office of Safety and Mission Assurance
OSTP Office of Science and Technology Policy
PD/NSC Presidential Directive/National Security Council
PHA Preliminary Hazard Analysis
PL Public Law
PM Performance Measure
PMC Program Management Council
PPE Personal Protective Equipment
PRA Probabilistic Risk Assessment
PRP Personnel Reliability Program
PSAR Preliminary Safety Analysis Report
QASAR Quality and Safety Achievement Recognition
RAC Risk Assessment Code
RADCC Radiological Control Center
RCC Range Commanders Council
SAR Safety Assessment Report, Safety Analysis Report
SAS Safety Analysis Summary
SER Safety Evaluation Report
SEMP Systems Engineering Management Plan
SMA Safety and Mission Assurance
SSP Space Shuttle Program
SSTP System Safety Technical Plan
USAR Updated Safety Analysis Report
VPP Voluntary Protection Program

APPENDIX C. Safety Motivation and Awards Program

1. The following awards represent NASA's primary means for recognizing outstanding safety performance:

a. NASA Honor Awards. These awards are approved by the Administrator and represent the highest honorary recognition bestowed by NASA. Government and non-Government personnel making significant safety contributions may be nominated for these awards following the guidelines provided in NPR 3451.1, NASA Awards and Recognition Program.

b. NASA Space Flight Awareness, Flight Safety Award. This award is managed by the Space Flight Safety Panel in accordance with NPD 1000.3, The NASA Organization, paragraph 6.21. It is bestowed in recognition of contributions to space flight safety made through design, device, or practice. The purpose of the award is to acknowledge the individuals whose personal efforts, above and beyond their job commitment, result in significant, direct contributions to space flight safety. The award is given to both individuals and groups. Every Government and industry employee supporting NASA's human space flight programs is eligible for this award.

c. NASA QASAR Award. QASAR stands for Quality and Safety Achievement Recognition. The QASAR Award recognizes NASA, other Government, and prime/subcontractor individuals for significant quality improvements to products or services for NASA, as well as safety initiatives within products, programs, processes, and management activities. NASA Headquarters and each of the Centers have local QASAR Award programs; annually, the "Best of the Best" in each award category is chosen for Agency recognition by the Administrator.

d. Center Safety Awards. The majority of NASA safety awards are issued at the local level as part of each Center's overall safety effort. Safety programs at NASA Centers include an awards program, designed in accordance with this document, to recognize and encourage safety in all operations.

2. NASA safety awards should be properly designed to motivate and maintain safe behavior. The following principles should be considered when developing safety awards:

a. Any award based on competition must be carefully designed to avoid possible negative aspects. (For example, employees involved in a competition to reduce on-the-job injuries have been known to avoid seeking medical attention for an injury so that it would not be reported.)

b. The safety awards program should be part of the participating safety program and include all personnel.

c. The responsible NASA safety organization should clearly define the purpose of each award, those who are eligible, and the criteria for selection.

d. Award presentations and the safety contributions made by award recipients should be sufficiently publicized to heighten employee safety awareness and to encourage active employee participation in all efforts designed to improve safety performance.

e. Awards should be granted on the basis of merit without regard to age, color, handicap, marital status, national origin, politics, participation or non-participation in a labor organization, race, religion, or sex.

f. NASA awards for safety excellence should be granted based on specific published criteria. Nominations should be evaluated against the individual awards criteria and not against any unwritten standards or interpretations.

3. In conjunction with safety awards, NASA safety programs may distribute items of minimal value to individuals as a means of promoting safe work practices and heightening safety awareness. The following apply to the purchase and distribution of safety promotional items:

a. Procurements made with Federally-appropriated funds are subject to the rulings of the General Accounting Office (GAO). Safety promotional items usually are interpreted by GAO as personal gifts, and therefore have not been allowed. It is recommended that non-appropriated funds be used for the procurement of safety promotional items whenever possible.

b. Safety promotional items should be distributed for valid reasons and shall not be given with such frequency that they lose meaning.

c. All items shall be clearly identified as NASA safety program items via printed markings and/or safety logos.


Appendix D. Activity and Radioactive Material Limits - Basic A1/A2 Values

1. Determination of A2 Mission Multiple.

The A2 multiplier for each radioactive source is based upon the International Atomic Energy Agency (IAEA), Safety Series Number 6, Regulations for the Safe Transport of Radioactive Material, 1985 Edition as amended in 1990, Section III, paragraphs 301 through 306, and summed to determine the A2 mission multiple.

Table I of this Appendix contains the referenced IAEA document section which tabulates the A2 values for specific isotopes and forms of radioactive material. Except as noted, for radioisotopes whose A2 limit in Table I is "Unlimited" or is unlisted, the value of 3.7 x 10^-2 teraBecquerels (TBq) (1.0 Curies (Ci)) shall be used as the A2 value.

Exceptions are Sm-147, use 9 x 10^-4 TBq (0.024 Ci) and Th-232, use 9 x 10^-5 TBq (0.0024 Ci) as their respective A2 values.

The A2 mission multiple shall be determined as follows:

where n represents each source or line on the report in paragraph 5.4.1.2 for each radioactive material on the launch vehicle and spacecraft.

2. Values of A1 and A2 for individual radionuclides, which are the basis for many activity limits elsewhere in this NPR, are given in Table I.

This section has been reproduced with permission of the IAEA.

DETERMINATION OF A1 AND A2

3. For individual radionuclides whose identities are known, but which are not listed in Table I, the determination of the values of A1 and A2 shall require competent authority approval or, for international transport, multilateral approval. Alternatively, the values of A1 and A2 in Table II may be used without obtaining competent authority approval.

4. In the calculations of A1 and A2 for a radionuclide not in Table I, a single radioactive decay chain in which the radionuclides are present in their naturally occurring proportions and in which no daughter nuclide has a half-life either longer than 10 days or longer than that of the parent nuclide shall be considered as a single radionuclide, and the activity to be taken into account and the A1 or A2 value to be applied shall be those corresponding to the parent nuclide of that chain. In the case of radioactive decay chains in which any daughter nuclide has a half-life either longer than 10 days or greater than that of the parent nuclide, the parent and such daughter nuclides shall be considered as mixtures of different nuclides.

5. For mixtures of radionuclides whose identities and respective activities are known, the following conditions shall apply:

(a) For special form radioactive material:

(b) For other forms of radioactive material:

where B(i) is the activity of radionuclide i and A1(i) and A2(i) are the A1 and A2 values for radionuclide i, respectively.

Table I. A1 And A2 Values for Radionuclides

Alternatively, an A2 value for mixtures may be determined as follows:

where f(i) is the fraction of activity of nuclide i in the mixture and A2(i) is the appropriate A2 value for nuclide i.

6. When the identity of each radionuclide is known but the individual activities of some of the radionuclides are not known, the radionuclides may be grouped and the lowest A1 or A2 value, as appropriate, for the radionuclides in each group may be used in applying the formulas in paragraphs 3 - 5. Groups may be based on the total alpha activity and the total beta/gamma activity when these are known, using the lowest A1 or A2 values for the alpha emitters or beta/gamma emitters, respectively.

7. For individual radionuclides or for mixtures of radionuclides for which relevant data are not available, the values shown in Table II shall be used.

TABLE II. GENERAL VALUES FOR A1 AND A2

Contents                                                                             A1, TBq (Ci) [a]    A2, TBq (Ci) [a]
Only beta or gamma emitting nuclides are known to be present                         0.2 (5)             0.02 (0.5)
Alpha emitting nuclides are known to be present or no relevant data are available    0.1 (2)             2 x 10^-5 (5 x 10^-4)

[a] The curie values quoted in parentheses are approximate values and are not higher than the TBq values.

Appendix E. Sample Safety and Health Plan for Service or Operations Contracts

A detailed Safety and Health Plan is submitted as part of a Service or Operations contract proposal, showing how the contractor intends to protect the life, health, and well-being of the public, and NASA and contractor employees as well as property and equipment. The plan should include detailed discussions of the policies, procedures, and techniques for all anticipated working conditions that will be encountered throughout the performance of the contract. The safety and health of subcontractor employees should be included in the plan for any proposed subcontract whose value is expected to exceed $1,000,000 including commercial services and services provided in support of a commercial item. An approved Safety and Health Plan will be included as a part of any resulting contract.

If the contractor will conduct work or be located on a NASA site or in a NASA facility, the Safety and Health Plan should discuss measures to be taken to ensure the protection of property, equipment, and the environment in the production of contractor deliverables and/or in the pursuit of any of its activities. An approved onsite contractor will develop and subsequently implement a Safety and Health Program based on the approved plan that will includes policies and procedures for compliance with pertinent NASA policies and requirements, and Federal, State and local regulations for safety, health, environmental protection, and fire protection. The contractor's Safety and Health Program will be used to assure integration of the onsite contractor as a full participant in the Center's Safety and Health Program.

The proposed Safety and Health Plan should contain the following information.

CONTENTS OF THE PROPOSED SAFETY AND HEALTH PLAN

1.0 MANAGEMENT LEADERSHIP AND EMPLOYEE PARTICIPATION.

1.1 Policy. Provide the contractor's corporate safety policy statement. Compare this policy statement with those of NASA and OSHA and discuss any differences.

1.2 Goals and Objectives. Describe specific goals and objectives of the Safety and Health Plan. Discuss these goals and objectives using the framework of the elements of a safety and health management system described by the OSHA VPP (management leadership and employee involvement; worksite analysis; hazard prevention and control; and safety and health training). Describe the approach (including milestone schedule) to achieve and maintain safety and health management practices according to the criteria outlined in the four elements of the OSHA VPP safety and health management in all areas.

1.3 Management Leadership. Describe the process and procedures for implementing management commitments to safety and health through visible activities and initiatives including the exercise of controls to ensure workplace safety and health. Include a statement from the project manager or designated safety official indicating that the plan will be implemented as approved and that the project manager will take personal responsibility for its implementation.

1.4 Employee Involvement. Describe procedures to implement and promote employee (e.g., non-supervisory) involvement in safety and health program development, implementation, and decision making. Describe the scope and breadth of employee participation so that all safety and health risk areas are addressed.

1.5 Assignment of Responsibility. Describe the line and staff responsibilities for safety and health program implementation. Identify any other personnel or organizations that provide safety services or exercise any form of control or assurance in these areas. State the means of communication and interfaces concerning related issues used by line, staff, and others (such as documentation, concurrence requirements, committee structure, sharing of the work site with NASA and other contractors, or other special responsibilities and support). As a minimum, the contractor will identify the following:

a. Safety Representative. Identify, by title, the individual who will be responsible for the contractor's adherence to Center-wide safety, health, environmental, and fire protection concerns and goals, and will participate in meetings and other activities related to the Center's Safety and Health Program.

b. Company Physician. Provide the identification of a company physician to facilitate communication of medical data to the head of the NASA clinic. The contractor shall identify the point of contact by name, address, and telephone number to the NASA Center Clinic. Any changes that occur in the identity of the point of contact will be promptly conveyed to the NASA Center Clinic.

c. Building Fire Wardens. Each building occupied by the contractor will have an assigned individual to facilitate the Center's fire safety program. Duties will include coordination of fire-related issues with the NASA facility manager, and emergency planning and response officials and their representatives. Identify the assigned contractor Building Fire Warden.

d. Designated Safety Official. Identify, by title, the official(s) responsible for implementing the proposed Safety and Health Plan. Identify all formal contacts with regulatory agencies and with NASA.

1.6 Provision of Authority. Compare the provisions and procedures in the proposed Safety and Health Plan with applicable NASA requirements and contractual directions, and applicable Federal, State, and local regulations. Identify the lines of authority and responsibility for each requirement and regulation. Discuss how the subsequent contractor's Safety and Health Program will be controlled to maintain the identified lines of authority and responsibility for the life of the contract.

1.7 Accountability. Describe the procedures for ensuring that management and employees will be held accountable for implementing their tasks in a safe and healthful manner. The use of traditional and/or innovative personnel management methods (including discipline, motivational techniques, or any other technique that ensures accountability) should be referenced, as a minimum, and described, as appropriate.

1.8 Program Evaluation. Describe the method to be used for internal program reviews and evaluations. The program review and evaluation may consist of either (1) participation in OSHA VPP surveys at the request of the Government or (2) a written report that documents the methods and procedures for determining the existence and criticality of the contractor's hazardous operations.

If the proposed plan provides for internal reviews and evaluations other than participation in OSHA VPP surveys, the submitted report should include, but not be limited to, methods and procedures for the following: identification of the contractor's hazardous operations and products; approach to be used for conducting risk evaluations; the approach to be used for risk ranking with respect to consequence severity, risk management techniques to be applied to unacceptable safety risks, and the documentation of the results. The report should also include an identification of the personnel who will conduct the reviews and evaluations, to whom the reports will be made, and the frequency (at least annually) at which the reviews and evaluations will be performed. The reviews and evaluations should include subcontracted tasks. The submitted report should clearly describe the correlation between the proposed program review and evaluation approach and applicable criteria of the OSHA VPP.

When a written program review and evaluation is requested, it should be delivered to the Government no later than 30 days after the end of each contract year or at the end of the contract, whichever is applicable. Distribution of these program reviews and evaluations will be the same as that for the Safety and Health Plan. The OSHA VPP surveys will be scheduled and administered at the discretion of the Government.

1.9 The prospective contractor will describe the approach to be taken to document its safety and health program performance to provide necessary visibility and insight. This description should include: the identification, acquisition, and processing of safety and health data; development of procedures; recordkeeping; statistical analyses including metrics; and the furnishing of data and reports to the Government. Electronic access by the Government to this data is preferred as long as Privacy Act requirements are met and the Government safety and health professionals and their representatives have full and unimpeded access for review and audit purposes.

For contractor activities conducted on NASA property, the contractor will identify what records it will make available to the Government in accordance with the Voluntary Protection Program (VPP) criteria of OSHA as implemented in [the local Center's] Requirements Handbook for Safety, Health, and Environmental Protection, as revised. For the purpose of this plan, safety and health documentation includes, but is not limited to, logs, records, minutes, procedures, checklists, statistics, reports, analyses, notes, or other written or electronic documents which contain in whole or in part any subject matter pertinent to safety, health, environmental protection, or emergency preparedness. The contractor will acknowledge the following as a standing request of the Government to be handled as described below.

a. Roster of Terminated Employees. NASA expects the contractor to identify and report terminated employees to the Center occupational health program office. This report should be sent to the Occupational Health Officer no later than 30 days after the end of each contract year or at the end of the contract, whichever is applicable. At the contractor's discretion, the report may be submitted for personnel changes during the previous year or cumulated for all years.

Information required:

(1) Date of report, contractor identity, and contract number.

(2) For each person listed: provide name, social security number, assigned Center badge number, and date of termination.

(3) Name, address, and telephone number of contractor representative to be contacted for questions or other information.

b. Material Safety Data. Describe the procedure to be used by the contractor to prepare and/or deliver to NASA, Material Safety Data for hazardous materials brought onto Government property or included in products delivered to the Government. These data are required by the Occupational Safety and Health Administration (OSHA) regulation, 29 CFR Part 1910.1200, Hazard Communication, and Federal Standard 313 (or FED-STD-313), Material Safety Data, Transportation Data and Disposal Data for Hazardous Materials Furnished to Government Activities, as revised. A single copy of each Material Safety Data Sheet (MSDS) will be sent upon receipt of the material for use on NASA property to the Center's Central Repository, Mail Code ____. Information on new or changed locations and/or quantities of hazardous materials normally stored or used onsite should also be sent to the Center's Central Repository. If the MSDS arrives with the material and is needed for immediate use, the MSDS should be delivered to the Central Repository by close of business of the next working day after it enters the site.

c. Hazardous Materials Inventory. The contractor will be responsible for compiling and reporting the inventory of all hazardous materials within the scope of 29 CFR Part 1910.1200, Hazard Communication, and Federal Standard 313 (or FED-STD-313), Material Safety Data, Transportation Data and Disposal Data for Hazardous Materials Furnished to Government Activities, as revised, that are located on Government property. The call for this annual inventory will be issued by the [responsible NASA official], Mail Code ____. The inventory should contain the following information:

(1) The identity of the material.

(2) The location of the material onsite by building and room.

(3) The quantity of each material normally kept at each location.

1.10 Government Access to Safety and Health Program Documentation. The contractor shall recognize in its plan that it will be expected to make all safety and health documentation (including relevant personnel records) available for inspection or audit at the Government's request.

1.11 The contractor may be requested to participate in the review and modification of safety requirements that are to be implemented by the Government including any referenced documents therein. This review activity will be implemented at the direction of the NASA Contracting Officer's Technical Representative in accordance with established NASA directives and procedures.

1.13 Procurement. Identify procedures used to assure that the contractor's procurements are reviewed for safety considerations and that specifications contain appropriate safety criteria and instructions. Set forth authority and responsibility to assure that safety tasks are clearly stated in subcontracts.

2.0 WORKPLACE ANALYSIS. Describe the method and techniques the contractor will use to systematically identify the hazards within the workplace for the duration of the contract. The discussion should describe the information collection process including a combination of surveys, analyses, inspections of the workplace, investigations of mishaps and close calls, and the collection and trend analysis of safety and health data such as records of occupational injuries and illnesses; findings and observations from preventive maintenance activities; reports of spills and inadvertent releases to the environment; facilities-related incidents related to partial or full loss of systems functions; and employee reports of hazards. Every hazard identified by any of the techniques given below shall be ranked and processed in accordance with Center procedure. All hazards identified on NASA property that are immediately dangerous to life or health should be reported immediately to the NASA safety office and to the Contractor's President/Program Manager in order to ensure that proper attention and correction are given to these hazards. All safety engineering products, which address operations, equipment, and other aspects of safety engineering, on NASA property will be subject to the review and concurrence of the NASA Safety Office unless otherwise specified in the approved safety and health plan. The contractor is expected to have processes to address similar instances in contractor facilities utilizing contractor resources to manage such instances.

2.1 Hazard Identification. Describe the procedures and techniques to be used to compile an inventory of hazards associated with the work to be performed on this contract. This inventory of hazards shall address the work specified in the contract as well as the hazards associated with operations and work environments in close proximity to contract operations. The hazard inventory results will be reported to the Government in a manner suitable for inclusion in facilities baseline documentation as a permanent record. Specific techniques to be considered include:

a. Comprehensive Survey. A "wall-to-wall" engineering assessment of the work site including facilities, equipment, processes, and materials (including waste).

b. Change Analysis. Address modifications in facilities, equipment, processes, and materials (including waste); and related procedures for operations and maintenance. Periodic change analyses will be driven by new or modified regulatory and NASA requirements.

c. Hazard Analysis. Address facilities, systems/subsystems, operations, processes, materials (including waste), and specific tasks or jobs.

2.2 Inspections. This paragraph should include the procedures and frequency for regular inspections and evaluations of work area hazards and who will be accountable for implementing corrective measures. The contractor will describe administrative requirements and procedures for the control of regularly scheduled inspections for fire and explosive hazards. The contractor has the option, in lieu of the above detail, to identify policies and procedures with the stipulation that the results (including findings) of inspections conducted on NASA property or involving Government furnished equipment will be documented in safety program evaluations or monthly Accident/Incident Summary reports. Inspections will identify the following:

a. Discrepancies between observed conditions and current requirements.

b. New (not previously identified) or modified hazards.

2.3 Employee Reports of Hazards. The contractor will identify the methods to be used to encourage employees to report hazardous conditions (e.g., close calls) and analyze/abate hazards. The contractor will describe steps to be taken to create reprisal-free employee reporting with emphasis on management support for employees and describe methods to be used to incorporate employee insights into hazard abatement activities.

3.0 MISHAP INVESTIGATION AND RECORD ANALYSIS.

3.1 Mishap Investigation and Reporting. The contractor will identify the methods to assure the investigation and reporting of mishaps, including corrective actions to be implemented to prevent recurrence. The contractor will describe the methods to be used to investigate and report on NASA property and on contractor or third party property. The contractor will describe procedures for implementing the NASA mishap investigation and reporting forms or use alternate contractor forms with emphasis on the timely notification of NASA. The contractor discussion should include: investigation procedures; exercise of jurisdiction over a mishap investigation involving NASA and other contractor personnel; follow up of corrective actions; communication of lessons learned to NASA; and solutions to minimize duplications in reporting and documentation including use of alternate forms or other solutions. The contractor will discuss its procedures for the immediate notification of fires, hazardous materials releases, and other emergencies. The contractor will include appropriate details to address the use of Incident Reporting Information System, including 24-hour and ten-day mishap reports to the Occupational Safety Office, mail code ___.

3.2 Trend Analysis. The contractor will describe the approach to be used to perform trend analysis of data (occupational injuries and illnesses; facilities, systems, and equipment performance; maintenance findings; etc.). The discussion should include methods to identify and abate common cause failures or occurrences indicated by the trend analysis. The contractor should discuss the following methods of providing data, in support of site-wide trend analysis to be performed by the Government. Further, the contractor should describe how the results of these trend analyses will be shared with employees so that they are aware of potential safety problems or hazards.

a. Accident/Incident Summary Report. The contractor will describe how monthly Accident/Incident Summary Reports are prepared and delivered, as specified on [specify locally used format]. All new and open mishaps, including vehicle accidents, incidents, injuries, fires, and any close calls will be described in summary form along with their current status. Negative reports are also required monthly; date due is the 10th day of the month following each month reported. Reports will be delivered to the Center Safety Office, mail code _____.

b. Log of Occupational Injuries and Illnesses. For each location on or off NASA property that performs work on this contract, the contractor will deliver to the Government (under separate contractor's cover letter), a copy of an annual summary of occupational injuries and illnesses (or equivalent) as described in 29 CFR Part 1904.32, Annual Summary. If the contractor is exempt by regulation from maintaining and publishing such logs, equivalent data in the contractor's format is acceptable (such as loss runs from insurance carrier). This data will be compiled and reported each calendar year and provided to the Government within 45 days after the end of the year to be reported (e.g., not later than February 15 of the year following).

4.0 HAZARD PREVENTION AND CONTROL. Identified hazards must be eliminated or controlled. In the multiple employer environment of the Center, it is required that hazards including discrepancies and corrective actions be recorded in the Center's information data system (provide name of system here) for risk management purposes. Describe the approach to implementing this requirement.

4.1 Appropriate Controls. Discuss the approach to be used for considering and selecting controls. Discuss the use of the hazard reduction precedence sequence. Discuss the approach to be used to identify and accept any residual risk. Discuss the implementation of controls including verifying their effectiveness. Discuss the scope of coverage (hazardous chemicals, equipment, discharges, waste, energies, or other). Discuss the need for coordination with safety, health, environmental service, and emergency authorities at NASA.

4.1.1 Hazardous Operations. Establish methods for notifying personnel when hazardous operations are to be performed and when hazardous conditions are found to exist during the course of this contract. NASA policy will serve as a guide for defining, classifying, and prioritizing hazardous operations. Develop and maintain a list of hazardous operations to be performed during the life of this contract. The list of hazardous operations will be provided to the contracting officer as part of the safety and health plan for review and approval. The contracting officer and the contractor will decide jointly which operations are to be considered hazardous, with the contracting officer having final authority. Before hazardous operations commence, the contractor will provide a schedule for the development of written hazardous operations procedures with particular emphasis on identifying the safety steps required. The contractor may implement this requirement as follows:

a. Identify contractor policies and procedures for the management and implementation of hazardous operations procedures together with a statement that NASA will have access, on request, to any contractor data necessary to verify implementation; or

b. In lieu of contractor management and development of such procedures, identify the method whereby the contractor will identify and submit hazardous operations procedures to the NASA Occupational Safety Office for review and approval.

4.1.2 Written Procedures. Provide methods to assure that relevant hazardous situations and proper controls are identified in documentation such as inspection procedures, test procedures, or other, and other related information. Describe methods to assure that written procedures are developed for all hazardous operations, including testing, maintenance, repairs, and handling of hazardous materials and hazardous waste. Procedures will be developed in a format suitable for use as safety documentation (such as a safety manual) and be readily available to personnel as required to correctly perform their duties.

4.1.3 Protective Equipment. Describe procedures for obtaining, inspecting, and maintaining protective equipment, as required, or reference written procedure pertaining to this subject. Describe methods for keeping records of such inspections and maintenance programs.

4.1.4 Hazardous Operations Permits. Identify facilities, operations, and/or tasks where hazardous operations permits will be required as specified in the Center's local requirement. Describe the process to be used to ensure guidance adherence to established NASA Center procedures. Clearly state the role of the safety group or function to control such permits.

a. Operations Involving Potential Asbestos Exposures. Describe methods for assuring compliance with the Center's Asbestos Control Program as established in local policy.

b. Operations Involving Exposures to Toxic or Unhealthful Materials. Such operations must be evaluated by the NASA Occupational Health Office and must be properly controlled as advised by same. Describe the process to be used to notify the NASA Occupational Health Office prior to initiation of any new or modified operation potentially hazardous to health and safety.

c. Operations Involving Hazardous Waste. Identify procedures to be used to manage hazardous waste from the point of generation through disposal. Clearly identify divisions of responsibility between contractor and NASA for hazardous waste generated throughout the life of the contract. Operations which occur on site must also be evaluated by the Center environmental services office and must be properly controlled as advised by same. Describe the process to be used to notify the Center environmental services office prior to initiation of any new or modified hazardous waste operation on site.

d. Operations Involving New or Modified Emissions/Discharges to the Environment. Describe methods for identifying new or modified emissions/discharges and coordinating the results with the Center environmental services office. Discuss procedures to minimize or eliminate environmental pollution. Address the management of hazardous materials; substitution of non-hazardous or less hazardous materials for hazardous materials; proper segregation of hazardous wastes from non-hazardous wastes; and other methods described by NASA. Emphasis shall be placed on providing sufficient lead-time for processing permits through the appropriate State agency and/or the Environmental Protection Agency.

4.2 Discuss responsibilities for maintaining facility baseline documentation in accordance with Center requirements. The contractor will implement any facility baseline documentation tasks (including safety engineering) as provided in the contractor's safety and health plan approved by NASA or as required by Government direction.

4.3 Preventive Maintenance. Discuss the approach to be used for preventive maintenance. Describe scope, frequency, and supporting rationale for the preventive maintenance program including facilities and/or equipment to be emphasized or de-emphasized. Discuss methods to promote awareness in the NASA community (such as alerts, safety flashes, or others) when preventive maintenance reveals design or operational concerns in facilities and equipment (and related processes where applicable).

4.4 Medical Program. Discuss the medical surveillance program used to evaluate personnel and workplace conditions, identify specific health issues, and prevent degradation of personnel health as a result of occupational exposures. Discuss the approach for using cardiopulmonary resuscitation, first aid, and emergency response.

5.0 EMERGENCY RESPONSE. Discuss the approach to be used for emergency preparedness and contingency planning that addresses fire, explosion, inclement weather, environmental releases, etc. Discuss compliance with 29 CFR Part 1910.120, Hazardous Waste Operations and Emergency Response, and the role the contractor will play in the local Incident Command System. Discuss methods to be used for notification of Center emergency forces including emergency dispatcher, safety hotline, director's safety hotline, or other. Discuss the establishment of pre-planning strategies through procedures, training, drills, or other. Discuss methods to verify emergency readiness.

6.0 SAFETY AND HEALTH TRAINING. Describe the contractor's training program including the identification of responsibility for training employees in safe work practices, hazard recognition, and appropriate responses (including protective and/or emergency countermeasures). Address the management techniques used to identify and utilize any Center training resources (such as asbestos worker training/certification, hazard communication, confined space entry, lockout/tagout, or other), as appropriate, with particular emphasis on programs designed for the multiple employer work environment on NASA property. Describe the approach to be used for training personnel in the proper use and care of protective equipment. Discuss tailoring of training towards specific audiences (management, supervisors, and employees) and topics (safety orientation for new hires, specific training for certain tasks or operations). Discuss the approach to ensure that training is retained and practiced. Discuss personnel certification programs. Certifications should include documentation that training requirements have been satisfied and learning validated by one or more of the following: physical examination, testing, on-the-job performance, or other. All training materials and training records will be provided for NASA review upon request.


Appendix F. Sample System Safety Technical Plan for Systems Acquisition, Research, and Development Programs

The NASA program manager (or designee) will publish and maintain an approved System Safety Technical Plan (SSTP) that includes a risk management plan, appropriate to and for the life of the program. This plan may be incorporated in the more comprehensive safety and mission assurance plan, mission assurance plan, or other plan, provided that the required data are identifiable and complete.

1. The SSTP defines the objectives, responsibilities, and methods to be used for overall safety program conduct and risk management control. Integration of system/facility safety provisions into the SSTP is vital to the early implementation and ultimate success of the safety effort. Inclusion of these provisions in the plan will send an unmistakable message to all program participants that safety and risk management are an integral part of the management process and all tasks. The authority to conduct the safety program must originate in the respective SSTP governing each NASA program.

2. The program SSTP will be the vehicle for safety and risk management task planning. The plan should include detailed task requirements for each system safety task, as appropriate for the program. The NASA program organization and system safety relationships and responsibilities will be described along with reporting channels for this task. In particular, the plan will show how NASA will manage its independent safety oversight role. The plan will stipulate the specifics of the system safety modeling activities and describe what and how safety adverse consequences will be modeled, how system safety models (qualitative and probabilistic risk assessments) will be integrated and applied for risk-informed decision making and safety monitoring, how the technical team(s) responsible for generating and maintaining system safety models will interact with the system engineering organizations, the reporting and approval protocol, and the cost and schedule associated with accomplishing system safety modeling activities in relation to the critical or key events during all phases of the life cycle. It will also address requirements for NASA and contractor participation in design, safety, and readiness reviews. The program SSTP should be a compliance document in the request for proposal. Data requirements for the program SSTP are in the data requirements document. For a multi-Field Installation program, each Center should provide a supplement to the plan to ensure compatibility among Field Installation organizations and the ability to comply with task requirements.

3. The level of safety directly correlates with management's emphasis on the safety of the system/facility being developed. Proper identification of the system/facility safety program elements is the first step towards developing a successful program. Each functional safety program will have the following basic elements:

a. Requirement management.

b. System safety modeling activities (system safety, risk assessment, uncertainty assessment).

c. Data collection and analysis activities.

d. Decision-making process to manage and monitor risk.

e. Implementation (planning, organization, interface/coordination, and reporting).

4. Each of these elements is aligned with an overall approach to risk evaluation by:

a. Identifying system/facility safety hazards.

b. Determining the risk scenarios associated with the hazard.

c. Assessing the probabilities and consequences associated with the risk scenarios.

d. Assessing the uncertainties associated with the probabilities and consequences.

e. Determining risk control strategies to either eliminate or control the safety hazard.

f. Recommending corrective action or alternatives to the appropriate management level for a decision to either eliminate the hazard or accept the risk. Risk acceptance is the responsibility of the program manager. In all cases, notification of risk acceptance will be communicated to the next higher authority (see Chapter 2).

g. Documenting those areas in which a decision has been made to accept the risk, including the rationale for the risk acceptance.

5. During the concept development phase, appropriate safety tasks should be planned that will become the foundation for safety efforts and risk management efforts during system definition, design, manufacture, test, and operations.

a. Identify special safety studies and risk assessments that may be required during system definition or design.

b. Estimate gross personnel requirements for the safety program for the complete system life cycle.

c. Perform trade studies by using the results of hazard analyses and risk assessments that identify high hazardous areas or identify high risk sensitivities, with recommended alternatives.

d. Establish safety and risk goals and objectives that will be used to determine the type of safety and risk inputs for the overall program.

(1) The goals should be measurable and state what would be accomplished by performing the various safety tasks and risk management tasks.

(2) The goals should be structured so that safety tasks and risk management tasks can be selected to accomplish them.

(3) Task results should clearly demonstrate that the goals have been met.

e. Complete hazard analyses and risk assessments to identify potentially hazardous systems and to develop initial safety requirements and risk management criteria.

f. Continuously review hardware procedural requirements and concepts to maintain an understanding of the evolving system.

g. Use pertinent historical data from similar systems as input to the risk assessment and to refine initial evaluations.


Appendix G. RESERVED


Appendix H. Reserved



Appendix I: Supplemental Meteoroid Information

The sporadic meteoroid complex as observed from Earth is known to have four major sources in six radiants distributed symmetrically about the celestial sphere. In this Appendix, describing the locations of these different sources is done using a Sun-centered coordinate system. Referring to the Jones and Brown orbital survey paper of 1993, the primary sporadic meteoroid sources are the Helion/Anti-Helion, the North/South Apex, and the North/South Toroidal; these three sources are associated with cometary material. Sporadics from the Helion source at ~342° solar longitude appear to originate from near the Sun; Anti-Helion sporadics, at ~198° solar longitude, appear to originate opposite the Sun and are thought to consist of material from short-period comets, such as Comet D'Arrest. The Apex source, broken up into North Apex and South Apex branches, straddles the ecliptic plane in the direction of Earth's motion at ~270° and is comprised of material from long-period comets, like Comet Hyakutake. The Toroidal source, divided into North Toroidal and South Toroidal branches, has high ecliptic latitudes above and below the Earth resembling a toroid around the Earth's orbit. The source of these particles is less well understood, but current work points to the Halley family of short period comets. The fourth and least understood source is the Asteroidal source. Observed asteroidal meteoroids are predicted to come from directions close to the ecliptic poles, at about ±90°.

 

Figure I-1. Sporadic meteoroid radiants

Each of the four sources has a relative strength and a speed distribution (see Figure I-2 for individual source distributions). MEM accounts for these varying source strengths and speed distributions and has initially been validated against radar observations from the Canadian Meteor Orbit Radar (CMOR) and corrected for known biases to the best ability of the developers. The total average cross-sectional flux as a function of mass as given by the interplanetary model at 1 AU follows the same mass index as the popular Grün/Zook mass index reported in NASA TM 4527 and SSP 30425. These values for average cross-sectional flux are within 2 percent of the daily flux values as reported by CMOR. This average cross-sectional flux does contain meteor shower fluxes but in an average sense only. Meteor storms and outbursts should be modeled separately and the risks mitigated operationally; a listing of major annual showers is given in Table I-1.

Figure I-2. Speed distributions associated with sporadic sources; computed for 1 AU distance from Sun.

Table I-1. Major annual meteor showers

| Shower Name | Approx Date | Hourly Rate +/- | # of Days |
|---|---|---|---|
| Quadrantids | Jan 03 | 40 | 1 |
| Lyrids | Apr 21 | 15 | 2 |
| Eta Aquarids | May 04 | 20 | 3 |
| Delta Aquarids | July 28 | 20 | 7 |
| Perseids | Aug 13 | 70 | 5 |
| Orionids | Oct 21 | 25 | 2 |
| South Taurids | Nov 03 | 15 | Weeks |
| Leonids | Nov 17 | 15 | Broad range |
| Geminids | Dec 13 | 100 | 3 |
| Ursids | Dec 22 | 15 | 2 |

 


ATTACHMENT J. References

J.1 21 CFR Part 1040, Performance Standards for Light Emitting Products.

J.2 21 CFR Part 1040.10, Laser Products.

J.3 21 CFR Part 1040.11, Specific Purpose Laser Products.

J.4 29 CFR 1910 Subpart T, Commercial Diving Operations.

J.5 45 CFR 46 Subpart A, Basic HHS Policy for Protection of Human Research Subjects.

J.6 46 CFR 197 Subpart B, Commercial Diving Operations.

J.7 NPD 1000.0, Strategic Management and Governance Handbook.

J.8 NPD 1001.0, 2006 NASA Strategic Plan.

J.9 NPD 1800.2, NASA Occupational Health Program.

J.10 NPD 6000.1, Transportation Management.

J.11 NPD 7120.4, Program/Project Management.

J.12 NPD 8500.1, NASA Environmental Management.

J.13 NPD 8700.3, Safety and Mission Assurance (SMA) Policy for Spacecraft, Instruments, and Launch Services.

J.14 NPR 3451.1, NASA Awards and Recognition Program.

J.15 NPR 5800.1, Grant and Cooperative Agreement Handbook.

J.16 NPR 8705.4, Risk Classification for NASA Payloads.

J.17 NASA-STD 8719.10, NASA Safety Standard for Underwater Facility and Non-Open Water Operations.

J.18 NASA-STD-8719.14, Process for Limiting Orbital Debris.

J.19 NASA-HDBK-8719.14, Handbook for Limiting Orbital Debris.

J.20 AFSPCMAN 91710, Licensing and Safety Requirements for Launch: see http://thefederalregister.com/d.p/2005-03-01-05-3916.

J.21 FSH 4209.11, "Wildlife, Fish, Water, and Air Research Handbook," Chapter 10, "Diving and Snorkeling Safe Practices," by the US Forest Service.

J.22 Eastern and Western Range (EWR) 127-1, Range Safety Requirements.

J.23 Guide for Safety in the Chemical Laboratory, Manufacturing Chemists' Association, Inc.

J.24 International Atomic Energy Agency (IAEA), Safety Series Number 6, Regulations for the Safe Transport of Radioactive Material, 1985 Edition as amended in 1990, Section III, paragraphs 301 through 306.

J.25 Lessons Learned Information System (LLIS): http://nen.nasa.gov/portal/site/llis.

J.26 NASA MSDS Inventory: http://msds.ksc.nasa.gov.

J.27 NASA TM 4527, Natural Orbital Environment Guidelines for Use in Aerospace Vehicle Development.

J.28 National Incident Management System, Department of Homeland Security, March 1, 2004.

J.29 National Research Council's report "Understanding Risk: Informing Decisions in a Democratic Society," National Academy Press, Washington, DC, 1996.

J.30 NFPA 921, Guide for Fire and Explosion Investigations.

J.31 NFPA 1561, Standard on Emergency Services Incident Management System.

J.32 NFPA Life Safety Code Handbook.

J.33 NSS/WS 1740.10, NASA Safety Standard for Underwater Facility and Non-Open Water Operations.

J.34 Scientific or Technological Experiments with Possible Large-Scale Adverse Environmental Effects and Launch of Nuclear Systems into Space, dated December 14, 1977, as revised on May 8, 1996.

J.35 Space Shuttle Program (SSP) 30425, Space Station Program Natural Environment Definition for Design.

J.36 SSP 50021, Safety Requirements Document.

J.37 S. Kaplan and B.J. Garrick, "On the Quantitative Definition of Risk," Risk Analysis, 1, 11-27, 1981.

J.38 SS521-AG-PRO-010 U.S. Navy Diving Manual.

J.39 Standards for Scientific Diving, developed by the American Academy of Underwater Sciences.

J.40 ANSI Z136.4, Recommended Practice for Laser Safety Measurements for Hazard Evaluation.

J.41 ANSI Z136.6, Safe Use of Lasers Outdoors.

J.42 ANSI/ASSE 2359.3-2007, Safety Requirements for Positioning and Travel Restraint Systems.

J.43 ANSI/ASSE 2359.4-2007, Safety Requirements for Assisted-Rescue and Self-Rescue Systems, Subsystems and Components.



DISTRIBUTION:
NODIS

