
NASA Procedures and Guidelines

This Document is Obsolete and Is No Longer Used.
Check the NODIS Library to access the current version:
http://nodis3.gsfc.nasa.gov


NPR 8715.3B
Eff. Date: April 04, 2007
Cancellation Date:

NASA General Safety Program Requirements


Chapter 1. Institutional and Programmatic Safety Requirements

1.1 Overview of the NASA Safety Program

1.1.1 This document provides the procedural requirements that define the NASA Safety Program. Safety program responsibility starts at the top with senior management's role of developing policies and providing strategies and resources necessary to implement and manage a comprehensive safety program. The NASA Safety Program is executed by the responsible Mission Directorate Associate Administrators, Center Directors, Office of Safety and Mission Assurance (OSMA), component facility managers, safety managers, project managers, systems engineers, supervisors, line organizations, employees, and NASA contractors.

Note: The basic principles for governing, managing, implementing, monitoring, and controlling work at NASA are addressed in NPD 1000.0, Strategic Management and Governance Handbook, which provides direction for Mission Directorates and Centers to execute programs and projects.

The Center Director for NASA Headquarters is the Assistant Administrator for Infrastructure and Administration.

1.1.2 As stated in NPD 8700.1, NASA Policy for Safety and Mission Success, the objectives of the NASA Safety Program are to protect the public from harm, ensure the safety of employees, and positively affect the overall success rate of missions and operations by preventing damage to high-value equipment and property.

1.1.3 In general, the success or failure of an organization's safety efforts can be predicted by a combination of leading indicators (e.g., the number of open vs. closed inspection findings, awareness campaigns, training metrics, progress towards safety goals/objectives, the amount of hazard and safety analyses completed, and close calls) and its achievement measured by lagging indicators (e.g., the number of incidents involving injury or death to personnel, lost productivity [lost or restricted workdays], environmental damage, or loss of, or damage to, property). Like many successful corporations, NASA has learned that aggressively preventing mishaps is good management and a sound business practice.

1.1.4 NASA undertakes many activities involving high risk. Management of this risk is one of NASA's most challenging activities and is an integral part of NASA's safety efforts.

1.1.5 Policy for the NASA Safety Program is provided in NPD 8710.2, NASA Safety and Health Program Policy; specific health program requirements are provided in NPD 1800.2, NASA Occupational Health Program; and environmental requirements are provided in NPD 8500.1, NASA Environmental Management.

1.1.6 Policies, requirements, and procedures for mishap investigations are provided in NPR 8621.1, NASA Procedural Requirements for Mishap and Close Call Reporting, Investigating, and Recordkeeping.

1.1.7 NASA identifies issues of concern through a strong network of oversight councils and internal auditors including the Aerospace Safety Advisory Panel (ASAP), the Operations and Engineering Panel (OEP), and the Aviation Safety Panel.

1.1.8 NASA's goal is to maintain a world-class safety program based on management and employee commitment and involvement; system and worksite safety and risk assessment; hazard and risk prevention, mitigation, and control; and safety and health training.

Note: NASA's goals are provided in NPD 1001.0, 2006 NASA Strategic Plan.

1.2 NASA General Safety Program Roles and Responsibilities

Table 1 lists responsible entities that have roles and responsibilities for NASA safety along with the associated paragraphs in this NPR that explain the responsibilities.

Table 1. Roles and Responsibilities for NASA Safety Requirements

Responsible Entity: NPR 8715.3 Paragraph
NASA: 1.8.3.1, 1.8.4, 1.8.6, 1.8.7, 1.8.8, 1.8.9, 1.9.2, 3.13.5.1
NASA Administrator: 6.2.1
Chief, Safety and Mission Assurance: 1.9.3.1, 1.9.6, 1.10.1, 1.11.1, 1.13.6, 3.13.2, 3.13.4.5.1, 4.2.2, 6.2.3, 7.2.2
Chief Engineer: 1.13.7
Chief Health and Medical Officer: 1.13.8
Chief, Strategic Communications: 1.12.2
Mission Directorate Associate Administrators: 1.2.1, 2.2.1, 4.2.1, 6.1.3, 6.2.2, 6.2.4, 6.2.5, 7.4.1, 7.4.6.3, 7.5.3, 7.6.1, 7.2.1
Office of Security and Program Protection: 6.2.9
Director, Safety and Assurance Requirements Division: 1.4.2, 3.2.4.1, 4.2.3, 5.2.1
Operations and Engineering Panel (OEP): 1.9.3.2
NASA Interagency Nuclear Safety Review Panel (INSRP) Coordinator: 6.2.7, 6.3.7.2
NASA INSRP Member: 6.2.8
Nuclear Flight Safety Assurance Manager: 6.3.3.2, 6.3.4.2, 6.3.5.2, 6.3.6.2, 6.3.8.2, 6.3.9.2, 6.4.2.2
NASA Aviation Safety Manager: 4.2.4
NASA ELV Payload Safety Manager: 3.13.4.5.2
Center Directors: 1.2.1, 1.3.1, 1.4.3, 1.4.4, 1.6.1.1, 1.6.2.1, 1.8.2, 1.8.3, 1.8.4, 1.9.6, 1.12.1, 1.13.4, 2.2.1, 2.2.2, 3.2.1, 3.2.2.2, 3.2.2.3, 3.2.3.1, 3.2.5.1, 3.3.5, 3.4.2, 3.5.1, 3.6.1, 3.7.5.1, 3.7.6.1, 3.8.2, 3.9.2, 3.9.3.1, 3.9.4.1, 3.9.5.2, 3.10.1, 3.11.1, 3.11.2, 3.11.3, 3.12.2, 3.13.4.2, 3.13.4.3, 3.13.4.4, 3.13.4.5.4, 3.14.2, 3.14.3.2, 3.14.5.1, 3.14.6.1, 3.14.7.2, 3.15.3, 3.15.4, 3.17.3, 3.17.4, 4.2.1, 5.2.2, 5.3.1, 5.4.2.1, 5.5.2, 5.7.1, 5.8.1, 5.9.1, 5.10.1, 6.1.3, 6.2.2, 6.2.5, 7.2.1, 7.3.1, 7.4.1, 7.4.6.3, 7.5.3, 7.6.1, 8.2.1, 8.3.1, 8.3.2, 8.3.3, 8.4.1, 8.5.1, 8.6.1, 9.2.1, 9.5.1, 9.5.2, 9.6.1
Center Safety and Mission Assurance (SMA) Directors: 1.3.2, 1.12.3, 1.13.5, 2.2.2, 3.8.3, 7.3.3, 7.4.2, 7.4.5.1, 7.4.5.2, 9.3.4, 9.4.2
Project Managers: 1.3.1, 1.3.2, 1.5.2, 1.6.1.1, 1.6.2.1, 1.7.1.1, 1.7.2.1, 1.7.3.1, 1.7.4, 1.13.4, 2.2.1, 2.5.1.1, 2.5.3.1, 2.5.4.1, 3.5.1, 3.8.2, 3.9.2, 3.9.3.1, 3.9.4.1, 3.10.1, 3.11.1, 3.11.2, 3.12.2, 3.13.4.2, 3.13.4.3, 3.13.4.4, 3.14.2, 3.14.3.2, 3.14.4.1, 3.14.5.1, 3.14.6.1, 3.14.7.2, 3.15.3, 3.15.4, 3.15.7.1, 3.15.8.1, 3.15.9.1, 3.17.4, 4.2.1, 7.2.1, 7.4.1, 7.4.6.3, 7.5.3, 7.6.1, 9.2.1, 9.2.2, 9.3.1, 9.5.1, 9.5.2, 9.6.1, 9.7.1
Program Executives: 6.1.3, 6.2.2, 6.2.4, 6.3.1, 6.3.3.1, 6.3.4.1, 6.3.5.1, 6.3.6.1, 6.3.8.1, 6.3.9.1, 6.4.2.1
System Safety Managers: 1.7.4, 2.5.3.2, 2.5.4.2, 2.5.1.3, 2.5.2.1, 2.6.2, 2.7.1, 2.8.1, 2.8.2, 9.3.2, 9.3.4
NASA Launch and Landing Site Managers: 6.2.6
Pilot-in-Command: 3.15.7.2
Medical Offices and Cognizant Health Officials: 7.4.3
Line Managers: 1.4.4, 1.4.5, 1.6.1.1, 2.2.1, 4.2.1, 6.2.5, 7.2.1, 7.4.1, 7.4.4
Supervisors: 1.3.1, 1.4.5, 1.4.6, 3.3.6, 3.6.2, 3.17.5, 7.4.6.3, 7.5.3, 7.6.1
System Engineers: 2.5.2.2
Center Training and Personnel Development Offices: 7.2.3, 7.4.6.1, 7.4.6.2
Authority Having Jurisdiction: 5.2.3
Explosive Safety Officer: 3.11.4
Laser Radiation Safety Officer: 3.15.5.2
Contracting Officers: 9.2.2, 9.3.2, 9.3.3, 9.4.1, 9.4.3
Operators of Motor Vehicles: 3.2.2.1, 3.2.3.2
Receiving Offices: 3.7.6.2

1.2.1 Per NPD 1000.3, The NASA Organization, Mission Directorate Associate Administrators, through their project managers, and Center Directors, through their line managers, are responsible for the safety of their assigned personnel, facilities, and mission systems. Toward that end, they shall establish a safety program that adheres to the following principles (Requirement 25005):

a. Ensure that their safety planning and direction; the development of safety requirements, safety policies, safety methodology, and safety procedures; and the implementation and evaluation of their safety programs achieve the safety requirements in this NPR (Requirement 25006).

b. Ensure the conduct of assessments of quantitative and/or qualitative safety risks to people, property, or equipment, and include recommendations to either reduce the risks or accept them (Requirement 31816).

c. Ensure that safety assessments of all system changes are conducted, prior to changes to these systems being implemented, so as to preclude an unknown increase in risk to personnel or equipment (Requirement 25010).

d. Ensure that employees are informed of any risk acceptance when the employees are the ones at risk (Requirement).

e. Ensure that safety surveillance and periodic inspections are conducted to assure compliance with NASA safety policies and to assess the effectiveness of NASA safety activities as required by Federal, State, and local regulations, NASA policy, and national consensus standards (Requirement 25012).

f. Ensure that technical reviews of the safety of development efforts and operations are conducted in accordance with sound system safety engineering principles (Requirement 25009).

g. Ensure that trained individual(s) determine the corrective actions needed for mitigating or controlling safety risk for all activities (Requirement 31814).

h. Ensure that NASA employees and safety professionals are trained for their roles and responsibilities associated with specific safety functions (Requirement).

i. Ensure that software safety is included in their safety programs (Requirement).

Note: Software safety policy and requirements are provided in NPD 2820.1, NASA Software Policy; NPR 7150.2, NASA Software Engineering Requirements; NASA-STD-8719.13, Software Safety Standard; and NASA-STD-8739.8, Software Assurance Standard.

j. Ensure that an ad hoc interagency review and approval process is implemented for the use of radioactive materials in spacecraft to avoid unacceptable radiation exposure for normal or abnormal conditions, including launch aborts with uncontrolled return to Earth (See Chapter 5) (Requirement 25021).

k. Ensure that research and development for new or unique safety functions and technologies are conducted to help meet NASA goals (Requirement 25013).

l. Ensure the integrity of information and information systems, where compromise may impact safety, by adherence to NASA information technology security procedures as required by NPR 2810.1, Security of Information Technology (Requirement).

1.3 Public Safety

1.3.1 Center Directors, project managers, supervisors, and NASA employees shall:

a. Eliminate risk or the adverse effect of NASA operations on the public, or provide public protection by exclusion or other protective measures where the risk or the adverse effect of NASA operations on the public cannot be eliminated (Requirement 25026).

Note: The responsibility for public safety includes major events such as air shows, open houses, or other events that may be attended by large crowds.

b. Disallow non-NASA (either by contractors or visitors) research and development operations (under grants or cooperative agreements) that interfere with or damage NASA facilities or operations or threaten the health and safety of NASA personnel (Requirement 25027).

1.3.2 Center SMA Directors shall:

a. Require non-NASA research and development personnel and operations exposed to hazardous operations on NASA property to follow all Federal, NASA, and Center safety precautions and to procure needed protective clothing and equipment at their own expense (Requirement 31868).

b. Assure non-NASA research and development personnel operating or using potentially hazardous NASA equipment have received required training and are certified as qualified operators in accordance with Chapter 7 of this NPR (Requirement 31869).

1.3.3 Center Directors are delegated the authority to approve variances to public safety requirements for onsite non-NASA personnel (e.g., press, visitors) if appropriate safety requirements are in place and the risk is no greater than the risk to uninvolved employees.

Note: Diligence should be practiced when waiving public safety requirements, since there are situations where NASA employees are exposed to unusual risk that they inherently understand by virtue of their unique job function and experience, and they behave accordingly and cautiously based on that knowledge. Members of the public or non-NASA employees may not understand the nuances of a particular situation and may not know when or how to behave accordingly.

1.4 Institutional Roles and Responsibilities in the NASA Safety Program

1.4.1 The Chief Health and Medical Officer shall:

a. Terminate any NASA operation considered an immediate health hazard (Requirement).

b. When termination occurs, immediately notify affected Center offices (Requirement).

1.4.2 The Director, Safety and Assurance Requirements Division, OSMA, shall:

a. Establish and develop the overall NASA safety program policy and priorities (Requirement 8005).

b. Serve as the senior safety official for the Agency and exercise functional management authority over all NASA safety and risk management activities (Requirement 8006).

c. Terminate any operation that presents an immediate and unacceptable risk to personnel, property, or mission operations (Requirement).

d. When termination occurs, immediately notify affected Center and Mission Directorate officials (Requirement).

1.4.3 Center Directors shall:

a. Be responsible for safety at NASA facilities (Requirement 32643).

b. Place their safety organization at a level that ensures the safety review function can be conducted independently (Requirement).

c. Designate a senior manager as the Center safety and health officer and the safety program implementation authority (Requirement 25015 and 8021).

Note: Senior manager is interpreted to mean that the safety and health officer can interface directly with the Center Director when problems arise.

d. Ensure that:

(1) Adequate resources (personnel and budget) are provided to support mishap prevention efforts (Requirement).

(2) Resource control is independent of any influence that would affect the independence of the advice, counsel, and services provided.

e. Ensure that policies, plans, procedures, and standards that define the characteristics of their safety program are established, documented, maintained, communicated, and implemented (Requirement 25017).

Note: The Annual Operating Agreements enacted and signed at each Center reflect the agreed support activity level of the Center safety organization to the program/projects and institutional operations at the Centers. (See NPD 8700.1, NASA Policy for Safety and Mission Success.)

f. Ensure that the development, implementation, and maintenance of an effective safety and health program is in compliance with NASA, Federal, State, and local requirements (Requirement 8022).

g. Ensure the establishment of an effective system safety program based on a continuous risk assessment process to include the development of safety requirements early in the planning phase, the implementation of those requirements during the acquisition, development, and operational phases, and the use of a scenario-based risk assessment and tracking system to maintain the status of risks during the process (Requirement 25019). (See Chapter 2.)

h. Ensure that all NASA operations and operations performed on NASA property are performed in accordance with existing safety standards, consensus national standards (e.g., ANSI, NFPA), or special supplemental or alternative standards when there are no known applicable standards (Requirement 25022).

i. Ensure that for hazardous NASA operations, procedures are developed for the following circumstances: 1) to provide an organized and systematic approach to identify and control risks, 2) when equipment operations, planned or unplanned, are hazardous or constitute a potential launch, test, vehicle, or payload processing constraint, or 3) when an operation is detailed or complicated and there is reasonable doubt that it can be performed correctly without written procedures (Requirement 31859). (See Chapter 3 of this NPR for requirements for hazardous operating procedures.)

j. Ensure that an aviation safety program that meets the specific operational needs of their Center is established and maintained to comply with national standards and NASA directives and requirements (Requirement 25023). (See Chapter 4.)

k. Ensure that safety lessons learned are disseminated and included in Center communication media to improve the understanding of hazards and risks, the prevention of mishaps, and to suggest better ways of implementing system safety programs (Requirement).

Note: Requirements for lessons learned are provided in NPR 7120.6, Lessons Learned Process. The Lessons Learned Information System (LLIS) provides a library of lessons learned data for use by program managers, design engineers, operations personnel, and safety personnel. Procedures for disseminating lessons learned can be found at the following Internet address: http://nen.nasa.gov/portal/site/llis.

l. Inform personnel of the availability of the NASA Safety Reporting System (NSRS) at their Center (Requirement 25048).

Note: The NSRS supplements local hazard reporting channels and provides NASA employees and contractors with an anonymous, voluntary, and responsive reporting channel to notify NASA's upper management of concerns about hazards or unsafe conditions. The NSRS should be used in the following circumstances: 1) if a hazard has been reported locally and it does not appear any action has been taken, 2) if someone is not satisfied with the response to a reported hazard, or 3) if someone fears reprisal if they were to report the hazard locally. NSRS reports are guaranteed to receive prompt attention.

Information about the NSRS and a copy of the NSRS form can be found at the following Internet address: http://www.hq.nasa.gov/office/codeq/nsrs/index.htm.

NASA contracting officers (COs) and contracting officers' technical representatives (COTRs) are encouraged to implement the NSRS program at contractor facilities by citing the NASA FAR Supplement Clause (NFS 1852.223-70). Pre-addressed postage-paid forms can be obtained at any Center Safety Office or from other distribution locations across the Center. Forms should be mailed to:

NASA SAFETY REPORTING SYSTEM
P.O. BOX 5826
BETHESDA, MD 20824-9913

m. Assist with the investigation of NSRS reports (Requirement).

n. Ensure that all facilities are designed, constructed, and operated in accordance with applicable/approved codes, standards, procedures, and requirements (Requirement 25024). (See Chapters 8 and 9.)

o. Ensure that the safety responsibilities of each organizational element are defined and accomplished (Requirement 31818).

p. Ensure that line managers incorporate safety and health requirements into the planning, support, and oversight of hosted programs, projects, and operations as part of their management function (Requirement 31819).

q. Evaluate and document the incorporation of safety and health requirements into the planning and support of hosted programs, projects, and operations in senior managers' performance evaluations (Requirement 31820).

r. Ensure a qualified safety workforce is available to perform the safety function (Requirement 25020).

s. Ensure that properly equipped and trained personnel are provided to perform or support potentially hazardous or critical technical operations (Requirement).

Note: Special circumstances involving access to mission critical space systems and other critical equipment may dictate the need for the Personnel Reliability Program (14 CFR Part 1214, Subpart 1214.5, Space Flight: Mission Critical Space Systems Personnel Reliability Program). (See Chapter 3.)

t. Ensure that safety and mission assurance (SMA) risk-based acquisition management requirements are included in procurement, design, development, fabrication, test, or operations of equipment and facilities (Requirement 25018).

u. Analyze and utilize nonconformance and process control data as feedback in the assessment and management of technical risk (Requirement).

Note: Examples of nonconformance data include process escapes, waivers/deviations, and the results of audits, tests, and inspections.

v. Ensure that qualitative and quantitative risk assessment results, hazard controls, and risk mitigation strategies are not negated when accounting for the analysis of nonconformance and process control data in the assessment and management of technical risk (Requirement).

Note: Quality assurance requirements are provided in NPD 8730.5, NASA Quality Assurance Program Policy.

w. Ensure the results of contractor safety and health provision evaluations are provided to the award fee boards for use in fee determination (Requirement 31856).

x. Ensure that the Governance Model is being implemented in the procurement process for the acquisition of hardware, software, services, materials, and equipment (Requirement 31857). (See Chapter 9.)

Note: The Governance Model includes participation by Engineering, SMA, and the project manager during the entire life-cycle of procurement.

y. Pursue and obtain within two years, certification under the Occupational Safety and Health Administration (OSHA) Voluntary Protection Program (VPP) or through an equivalent recognized occupational safety certification program (Requirement).

Note: The OSHA VPP is established by 5 U.S.C. § 7902; 29 U.S.C. § 651 et seq.; 49 U.S.C. § 1421, the Occupational Safety and Health Act of 1970, as amended, to assure every working man and woman in the Nation safe and healthful working conditions and to preserve our human resources by encouraging employers and employees to reduce the number of occupational safety and health hazards at their work places and to institute new (and to perfect existing) programs for providing safe and healthful working conditions.

z. Ensure their safety organization (or its support contractors) has access to certified safety professionals meeting the requirements of the OSHA VPP (Requirement 31858).

1.4.4 Center Directors and line managers shall ensure that up-to-date configuration control is maintained on all assigned equipment and systems (Requirement 25008).

Note: NPR 7123.1, NASA Systems Engineering Procedural Requirements, requires Center Directors or designees to establish and maintain a process, to include activities, requirements, guidelines, and documentation, for configuration management.

1.4.5 Line managers and supervisors are accountable for the safety and health of their assigned personnel. To that end, they shall:

a. Ensure employee safety and health training is completed by employees pursuant to the requirements of the job to be performed (Requirement).

b. Ensure that safety is included in the employee's performance plan objectives (Requirement).

c. Encourage safe performance through safety and health incentive awards programs or other institutional programs establishing the safety organization (Requirement 31824).

1.4.6 Supervisors shall:

a. Incorporate measurable leading safety and health performance criteria in line managers' performance plans (Requirement).

b. Evaluate and document achievement of the measurable safety and health performance criteria in line managers' performance evaluations (Requirement 31822).

1.5 Program Management Roles and Responsibilities in the NASA Safety Program

1.5.1 Paragraph 2.2.2.a.1.vi of NPR 7120.5, NASA Program and Project Management Processes and Requirements, requires project managers to prepare and implement a comprehensive SMA Plan early in program formulation to ensure program compliance with all regulatory safety and health requirements from OSHA and all NASA SMA requirements. The importance of upfront safety, reliability, maintainability, and quality assurance requirements should be emphasized in all program activities.

1.5.2 Project managers shall ensure that the SMA Plan (Requirement):

a. Addresses life cycle safety-relevant functions and activities (Requirement).

b. Graphically represents project organizational relationships and assurance roles and responsibilities employing a Mission Assurance Process Map as described in NPR 8705.6, Safety and Mission Assurance Audits, Reviews, and Assessments (Requirement).

c. Reflects a life cycle SMA process perspective, addressing areas including: procurement, management, design and engineering, design verification and test, software design, software verification and test, manufacturing, manufacturing verification and test, operations, and preflight verification and test (Requirement).

d. Contains data and information to support each section of the SMA Plan for each major milestone review to include the Safety and Mission Success Review (formerly SMA Readiness Review) (Requirement).

e. Contains trending and metrics utilized to display progress and to predict growth towards SMA goals and requirements (Requirement).

f. As a minimum, addresses the following topics and associated requirements (Requirement):

(1) Safety per this NPR.

(2) Reliability and maintainability per NPD 8720.1, NASA Reliability and Maintainability (R&M) Program Policy.

(3) Risk assessment per NPR 8705.5, Probabilistic Risk Assessment (PRA) Procedures for NASA Programs and Projects.

(4) Quality assurance per NPD 8730.5, NASA Quality Assurance Program Policy.

(5) Software safety and assurance per NASA-STD-8719.13, Software Safety Standard, and NASA-STD-8739.8, Software Assurance Standard.

(6) Occupational safety and health per NPR 8715.1, NASA Occupational Safety and Health Programs.

(7) Range safety per NPR 8715.5, Range Safety Program.

(8) Human-rating per NPR 8705.2, Human-Rating Requirements for Space Systems.

(9) Mishap reporting per NPR 8621.1, NASA Procedural Requirements for Mishap and Close Call Reporting, Investigating, and Recordkeeping.

(10) Compliance verification, audit, SMA reviews, and SMA process maps per NPR 8705.6, Safety and Mission Assurance Audits, Reviews, and Assessments.

1.5.3 Project managers shall ensure that contractor operations and designs are evaluated for consistency and compliance with the safety and health provisions provided in their contractual agreements (Requirement 31855).

1.6 Risk Assessment and Risk Acceptance

1.6.1 Risk Assessment. The primary purpose of risk assessment is to identify and evaluate risks to help guide decision making and risk management regarding actions to ensure safety and mission success. Risk assessment should use the most appropriate methods that adequately characterize the probability, consequence severities, and uncertainty of undesired events and scenarios. Quantitative methods can be used to evaluate probabilities, consequences, and uncertainties whenever possible. Qualitative methods that characterize hazards and failure modes and effects provide valuable input to the risk assessment. When qualitative methods are used to assess risks, the qualitative values assigned should be rationalized. The results of the risk assessment, along with the results of system safety analyses, form the basis for risk-informed decision making. More discussion of system safety and risk assessment is provided in Chapter 2 of this NPR.

1.6.1.1 Project managers for flight systems and line managers for institutional systems shall:

a. Use a process for risk assessment that supports decisions regarding safety and mission success as well as other decisions such as the development of surveillance plans and information security (see Chapter 2) (Requirement).

Note: Requirements for risk management are provided per NPR 8000.4, Risk Management Procedural Requirements; requirements for probabilistic risk assessments are provided per NPR 8705.5, Probabilistic Risk Assessment (PRA) Procedures for NASA Programs and Projects.

1.6.2 Risk Acceptance. Center Directors and project/program managers are delegated the authority to accept residual risk associated with hazards based on risk assessment results and all relevant factors for their assigned activities. Center Directors and program managers should include involvement of the Technical Authority as a part of the risk analysis, evaluation, and decision-making processes. For technical matters related to project/program design, development, and operations, and involving the risk of safe and reliable operations as related to human safety, the Technical Authority has approval authority but the project/program manager must still formally accept the residual risk.

1.6.2.1 Center Directors and project managers shall:

a. Establish and document a formal, closed loop, transparent decision-making process for accepting residual risk for their assigned activities, personnel, and/or property (Requirement 25085).

b. Meet Federal safety and health standards when making risk-informed decisions to accept residual risk (Requirement).

c. Reduce the risk to an acceptable level using the technical safety requirements provided in Paragraph 1.7 of this NPR (Requirement).

Note: The risk that remains after all mitigation and controls have been applied is the residual risk.

d. Only accept residual risk consistent with NASA requirements and, in all cases, ensure the acceptance of risk to NASA employees and/or equipment does not endanger the public or NASA employees (Requirement).

e. Document the basis for any risk-informed decisions (Requirement).

f. Communicate decisions regarding residual risk acceptance: 1) to the cognizant office of primary responsibility (OSMA, Office of the Chief Engineer (OCE), Office of the Chief Health and Medical Officer (OCHMO)) for review and 2) to any employee or person for whom the risk has been accepted (Requirement 31870).

1.7 Technical Safety Requirements for NASA-Unique Designs and Operations

Developing and maintaining technically sound and defensible safety and health requirements is essential to serve as a basis for system design and for system safety analysis efforts. A combination of quantitative (for example, probabilistic) and qualitative (for example, failure tolerance or redundancy) technical safety and mission success requirements complement each other by compensating for weaknesses in one or the other analysis type. This NPR establishes a minimum set of technical SMA requirements to be applied to programs/projects.

To properly support design and operational decisions, it is necessary that alternatives be analyzed not only with respect to their impact on the mission's performance and programmatic objectives, but also with respect to their impact on safety and health. Risk management uses the results of the risk assessment as the basis for decisions to reduce the risk to an acceptable level.

1.7.1 Risk Reduction Protocol

1.7.1.1 Project managers shall ensure that hazards and dominant contributors to risk are controlled according to the following (Requirement):

a. Eliminate accident scenarios (e.g., eliminate hazards or initiating events by design).

b. Reduce the likelihood of accident scenarios through design and operational changes (hazard control).

c. Reduce the severity of accident consequences (hazard mitigation).

d. Improve the state-of-knowledge regarding key uncertainties that drive the risk associated with a hazard (uncertainty reduction to support implementation of the above strategies).

Note: Designs for hazard control and accident prevention and mitigation should include considerations for the possibility of human errors. The level of hazard control should be based on the level of risk associated with that hazard. Examples of risk reduction strategies include: control of system and operational characteristics, incorporation of safety devices, use of caution and warning devices, and the use of operational and management procedures and training. Some hazards may require a combination of several of these approaches for prevention, mitigation, and/or control. Providing protective clothing and equipment is considered an operational procedure.

1.7.2 Reliability and Failure Tolerance

Safety critical operations must have high reliability. High reliability is verified by reliability analysis using accepted modeling techniques and data in which uncertainties are incorporated. Where this cannot be accomplished with a specified confidence level, the design of safety critical operations shall have failure tolerance and safety margins in which critical operability and functionality are ensured. Failure tolerance is the ability of a system to perform its function(s) or maintain control of a hazard in the presence of failures of its subsystems. Failure tolerance may be accomplished through like or unlike redundancy. Safety margins are the difference between as-built factor of safety and the ratio of actual operating conditions to the maximum operating conditions specified during design.

Note: Failure tolerance requirements for human space systems are provided in NPR 8705.2, Human-Rating Requirements for Space Systems.

1.7.2.1 To assure operability and functionality and to achieve failure tolerance, project managers shall use these design considerations.

a. Design safety critical systems such that the critical operation or its necessary functions can be assured. To provide assurance, design the component, subsystem, or system so it is capable of being tested, inspected, and maintained (Requirement).

b. Where high reliability cannot be verified by reliability analysis using accepted data in which uncertainties are incorporated, design safety critical systems so that no combination of two failures and/or operator errors (fail-safe, fail-safe as a minimum) will result in loss of life (Requirement).

Note: Safety-critical operational controls are applied to conditions, events, signals, processes, or items for which proper recognition, control, performance, or tolerance are essential to safe system operation, use, or function.

c. When requesting a variance from the two-failure tolerance requirement, provide evidence and rationale that one or more of the following are met (Requirement).

(1) Two-failure tolerance is not feasible for technical reasons.

(2) The system or subsystem is designed and certified in accordance with approved consensus standards.

Note: Safety variances are processed in accordance with the requirements of paragraph 1.13 of this NPR.

d. Where high reliability cannot be verified by reliability analysis using accepted data in which uncertainties are incorporated, design safety critical operations so that no single failure or operator error (fail-safe) will result in system loss/damage or personal injury (Requirement).

e. Where high reliability cannot be verified by reliability analysis using accepted data in which uncertainties are incorporated, provide functional redundancy where there is insufficient time for recovery or system restoration. Where there is sufficient time between a failure and the manifestation of its effect, designing for restoration of safe operation using spares, procedures, or maintenance provides an alternative means of achieving failure tolerance (Requirement).

f. Design safety critical systems and operations to have a safety margin (Requirement).

g. When using redundancy, verify that common cause failures (e.g., contamination, close proximity) do not invalidate the assumption of failure independence (Requirement).

h. When using redundancy in operations that could cause or lead to severe injury, major damage, or mission failure (safety critical operations), verify operability under conditions that singularly, or separately added together, represent the intended operating condition (Requirement).

i. When using reliability analyses, assess the probability of failure to provide the function and the time to restore the function, where loss of life, serious injury, or catastrophic system loss can occur. Uncertainties shall be incorporated in these assessments. The time to restore the function shall include the active time to repair and the time associated with the logistics or administrative downtime that affects the ease or rapidity of achieving full restoration of the failed function (Requirement).

1.7.2.2 To assure functional protection, project managers shall ensure that:

a. Loss of functional protection for safety-critical operations requires termination of the operation at the first stable configuration (Requirement 25031).

b. At least one level of functional protection is used to protect high-value facilities and flight systems (Requirement 31882).

c. In addition to the requirement in paragraph 1.7.2.1.b, for systems intended to be operated by humans, rescue and/or escape are a valid means of life protection and, if used, shall include validation, training, and certification (Requirement 31881).

1.7.3 Inhibits

1.7.3.1 Where high reliability is not verified by reliability analysis using accepted data with uncertainties incorporated, the project manager shall ensure that:

a. Operations that require the control of a condition, event, signal, process, or item for which proper recognition, performance, or tolerance is essential to safe system operation, use, or function are designed such that an inadvertent or unauthorized event cannot occur (inhibit) (Requirement).

b. Operations have three inhibits where loss of life can occur (Requirement).

c. Operations have two inhibits where personal injury, illness, mission loss, or system loss or damage can occur (Requirement).

d. The capability of inhibits or control procedures, when required in operations by this paragraph, is verified under operational conditions, including verification of independence among multiple inhibits (Requirement).

Note: Inhibits (designs that specifically prevent an inadvertent or unauthorized event from occurring) are not to be confused with the lockout/tagout program, which is a program to isolate or control facility system hazards; e.g., electrical, mechanical, hydraulic, pneumatic, chemical, thermal, or other energy.

1.7.4 System Safety Managers shall assure that the above requirements are placed in program/project requirements and that any variances to those requirements are processed in accordance with the requirements of this NPR (Requirement). (See paragraph 1.13 of this NPR.)
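As an added illustration (not NASA's code and not part of this NPR), the following Python models a hazard's inhibits, discounts inhibits that share a common-cause group (paragraphs 1.7.2.1.g and 1.7.3.1.d), and compares the remaining independent count with the minimums of paragraphs 1.7.3.1.b and 1.7.3.1.c; the firing circuit, inhibit names and common-cause labels are constructed, and the safety margin helper applies the definition in 1.7.2 literally.

```python
"""Check of the NPR 8715.3B inhibit-count and independence rules (added example)."""
from dataclasses import dataclass
from itertools import combinations

LOSS_OF_LIFE = "loss of life"
INJURY_OR_LOSS = "injury, illness, mission loss or system loss/damage"

# Minimum inhibit counts from paragraphs 1.7.3.1.b and 1.7.3.1.c.
MIN_INHIBITS = {LOSS_OF_LIFE: 3, INJURY_OR_LOSS: 2}


@dataclass(frozen=True)
class Inhibit:
    name: str
    # Common-cause groups this inhibit is exposed to (constructed labels such as
    # "contamination" or "arm-bus power"); two inhibits sharing one are not independent.
    common_cause: frozenset


@dataclass
class HazardControl:
    hazard: str
    severity: str
    inhibits: tuple


def pairwise_independent(subset):
    """True when no two inhibits in the subset share a common-cause group."""
    return all(a.common_cause.isdisjoint(b.common_cause)
               for a, b in combinations(subset, 2))


def independent_inhibits(inhibits):
    """Largest set of mutually independent inhibits (brute force; lists are short)."""
    for size in range(len(inhibits), 0, -1):
        for subset in combinations(inhibits, size):
            if pairwise_independent(subset):
                return list(subset)
    return []


def failure_tolerance(control):
    """Modeling assumption: n independent inhibits tolerate n-1 failures."""
    return max(len(independent_inhibits(control.inhibits)) - 1, 0)


def evaluate(control):
    """Compare the design with the NPR minimum for its severity and report the shortfall."""
    required = MIN_INHIBITS[control.severity]
    independent = independent_inhibits(control.inhibits)
    return {
        "hazard": control.hazard,
        "required_inhibits": required,
        "nominal_inhibits": len(control.inhibits),
        "independent_inhibits": len(independent),
        "discounted_for_common_cause": [i.name for i in control.inhibits
                                        if i not in independent],
        "failure_tolerance": failure_tolerance(control),
        "compliant": len(independent) >= required,
    }


def safety_margin(as_built_factor_of_safety, actual_condition, max_design_condition):
    """Safety margin as paragraph 1.7.2 defines it: as-built factor of safety minus
    the ratio of actual to maximum specified operating conditions."""
    return as_built_factor_of_safety - actual_condition / max_design_condition


# Constructed example: an ordnance firing circuit with three nominal inhibits, two of
# which draw from the same arm bus, so one bus fault defeats both (common cause).
FIRING_CIRCUIT = HazardControl(
    hazard="inadvertent ordnance firing",
    severity=LOSS_OF_LIFE,
    inhibits=(
        Inhibit("arm relay", frozenset({"arm-bus power"})),
        Inhibit("fire relay", frozenset({"arm-bus power"})),
        Inhibit("safe/arm plug", frozenset({"physical access"})),
    ),
)

if __name__ == "__main__":
    for key, value in evaluate(FIRING_CIRCUIT).items():
        print(f"{key}: {value}")
    print("safety margin:", safety_margin(1.4, 80.0, 100.0))
```

Three inhibits on paper count as only two once the shared arm bus is considered, which is exactly the gap that the independence verification in 1.7.3.1.d is meant to surface.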

1.8 SMA Program Reviews

1.8.1 The Chief, Safety and Mission Assurance, conducts audits, reviews, and assessments of NASA Centers, programs/projects, supporting facilities, and operations.

Note: Requirements for conducting and supporting independent SMA audits, reviews, and assessments are provided in NPR 8705.6, Safety and Mission Assurance Audits, Reviews, and Assessments.

1.8.2 Center Directors shall ensure that:

a. The Center's safety program is formally assessed annually (Requirement 25032).

b. The Center's annual safety program assessment is conducted by competent and qualified personnel (Requirement).

Note: In addition to normal management surveillance, the Center's annual safety program review can be accomplished through safety staff assistance visits, inspections, and safety audits. The Center's safety staff or an independent outside source may perform the formal assessments.

1.8.3 Center Directors shall ensure that the Center's formal annual assessment has the following elements:

a. A formal assessment report that includes a discussion of the safety posture of the Center and each program reviewed (Requirement).

b. An assessment of the effectiveness of safety program management (Requirement 31885).

c. A safety culture survey that includes at least the management and communications functions of the Performance Evaluation Profile (PEP) survey (Requirement).

d. An assessment of safety program documentation (e.g., plans, procedures, monitoring data) (Requirement).

e. An assessment of the adequacy of safety standards and procedures (Requirement 31889).

f. Interviews of key facility and/or program personnel (Requirement).

g. Observations and inspections of workplace compliance with safety practices (Requirement 31890).

h. Identification of deficiencies in the safety program (Requirement 31887).

i. The development of formal plans of actions and milestones to correct all open deficiencies that shall be tracked to completion including interim controls that will be implemented if the hazard cannot be immediately corrected (Requirement).

j. Assessment and verification of corrective actions from previous assessments (Requirement 31888).

k. Evaluation of the implementation of 5 U.S.C. § 7902; 29 U.S.C. § 651 et seq.; 49 U.S.C. § 1421, the Occupational Safety and Health Act of 1970, as amended; E.O. 12196, Occupational Safety and Health Programs for Federal Employees dated February 26, 1980, as amended; OSHA regulations at 29 CFR Part 1910, Occupational Safety and Health Standards; and other pertinent Federally-mandated requirements (Requirement 31886).

1.8.4 Center Directors shall ensure that periodic training is conducted for Center safety personnel on safety program assessments covering prereview, review, and postreview procedures and requirements (Requirement).

1.9 Advisory Panels, Committees, and Boards

1.9.1 NASA strives to use the Nation's most competent safety resources to provide review and advice on the NASA Safety Program.

Note: In keeping with this philosophy, NASA enlists the advice of consultants, interagency and interdisciplinary panels, and ad hoc committees consisting of representatives from industry (management and union), universities, and government (management and union).

1.9.2 NASA has established an ASAP as an advisory committee in accordance with Section 6 of the NASA Authorization Act, 1968 (PL 90-67, codified as 42 U.S.C. 2477).

Note: The ASAP reviews and evaluates program activities, systems, procedures, and management policies and provides assessment of these areas to NASA management and Congress. It is in this role that the ASAP provides independent advice on NASA safety issues to the Chief, Safety and Mission Assurance, and to the Administrator. The ASAP website is http://www.hq.nasa.gov/office/codeq/asap/.

1.9.3 OEP

1.9.3.1 Chief, Safety and Mission Assurance, shall establish and maintain an OEP (Requirement).

Note: The panel supports the OSMA on special assignments related to facility operations and engineering activities.

1.9.3.2 The OEP shall evaluate processes and systems for assuring the continuing operational integrity of NASA test facilities, operations, and engineering technical support systems, address problems and issues at Centers, and provide recommendations to the Chief, Safety and Mission Assurance (Requirement).

Note: The OEP also studies technical support system problem areas and develops alternate solutions or methods. See Appendix H, Operations and Engineering Panel, for further details.

1.9.4 NASA has established the Software Independent Verification and Validation (IV&V) Board of Directors to advise the OSMA as approval authority for IV&V support to programs and projects. The IV&V Board of Directors acts in an advisory capacity to provide input to the Chief, Safety and Mission Assurance, concerning the annual IV&V budget for support to programs and projects.

1.9.5 NASA has established and maintains a Space Flight Safety Panel to promote flight safety in NASA space flight programs involving flight crews and to advise appropriate Mission Directorate Associate Administrators on all aspects of the crewed space program that affect flight safety.

Note: See NPD 1000.3, The NASA Organization, paragraph 6.21, for further details.

1.9.6 Center Directors and the Chief, Safety and Mission Assurance, shall have the authority to establish ad hoc committees to provide safety oversight review of programs, projects, and other activities (Requirement).

1.10 Coordination with Organizations External to NASA

1.10.1 The Chief, Safety and Mission Assurance, in coordination with the Office of External Relations (for exchanges with the Department of Defense (DoD), intelligence agencies, and foreign entities) and in consultation with the NASA Office of the General Counsel, shall establish guidelines for exchanging safety information with organizations external to NASA (Requirement 25038).

Note: New and different methods and practices that may be beneficial to the NASA Safety Program should be brought to the attention of the responsible Headquarters Office by those that may encounter these practices used outside NASA.

1.10.2 NASA shall encourage participation by NASA safety professionals in outside safety-related professional organizations (Requirement).

Note: Examples are functions and committees of the National Safety Council, National Fire Protection Association, DoD Explosive Safety Board, National Academy of Sciences, System Safety Society, Federal Agency Committee on Safety and Health, American Society of Safety Engineers, Field Federal Safety and Health Councils, and the Joint Army, Navy, NASA, Air Force propulsion committee (and subcommittee).

1.11 Safety Motivation and Awards Program

1.11.1 The Chief, Safety and Mission Assurance, shall establish a Safety Motivation and Awards Program that recognizes the safety achievements of NASA and other Federal Government employees supporting NASA objectives in all occupational categories and grade levels (Requirement 25041).

Note: NASA is committed to continued improvement of safety in all operations. NASA's policy is to stimulate the participation of employees in this effort. The presentation of awards is considered appropriate for recognizing outstanding safety-related performance/contributions and is an effective means of encouraging safety excellence. NASA recognizes responsible individuals and organizations for the following: taking significant safety initiatives, making truly innovative safety suggestions, meeting major safety goals, making significant achievements leading to the safer and more effective use of resources or execution of NASA operations, and encouraging and rewarding safety excellence among employees (applies to supervisors).

NASA safety awards programs may provide for the recognition of non-Government personnel (e.g., JPL employees) supporting NASA objectives.

The Space Flight Awareness Employee Motivation and Recognition Program for NASA, supporting Government agencies, private industry, and international organizations, promotes safety, particularly for human space flight programs. The goal of this program is to instill in employees the need to reduce human errors and mistakes that could lead to space flight mishaps and mission failure.

1.12 Safety Management Information

Efficient communication of safety information is necessary to meet the needs of safety officials and the managers they support. This includes communications between and among operational and safety organizations. NASA safety organizations will pursue every practical means for communicating verbal and written safety management information, lessons learned, and statistics. Examples of NASA information systems are the Incident Reporting Information System and the LLIS. Records and reports of accidents, occupational injuries, incidents, failure analyses, identified hazards, mishaps, appraisals, and like items contain information necessary for developing corrective measures and lessons learned.

Detailed records of occupational injuries are reported to OSHA in accordance with 29 CFR Part 1960, Subpart I, Recordkeeping and Reporting Requirements, and NPR 8621.1, NASA Procedural Requirements for Mishap and Close Call Reporting, Investigating, and Recordkeeping. Safety forms and reports are retained per NPR 1441.1, NASA Records Retention Schedules.

1.12.1 Center Directors shall provide or make accessible to the OSMA (through an internet web site):

a. Center executive safety committee or board documentation (e.g., minutes and reports) (Requirement 31904).

b. Results of external (such as OSHA) safety program management reviews (Requirement 31905).

c. Top-level Center or program safety procedure documents that implement Headquarters requirements (Requirement 31906).

Note: Electronic versions or web addresses are acceptable and should be forwarded in conjunction with the data.

d. Copies of safety variances granted at the Center (see paragraph 1.13) (Requirement 31910).

1.12.2 The Chief, Strategic Communications, shall provide or make accessible (through internet web site) to the OSMA copies of comments sent to outside regulatory agencies (e.g., OSHA, Department of Transportation (DOT), Environmental Protection Agency (EPA)) concerning proposed rule-making that could affect the NASA Safety Program (Requirement 31908).

1.12.3 Center SMA Directors shall maintain a census of Government and contract employees performing safety, reliability, maintainability and quality functions (engineering, operations, and assurance) by organization or contractor company at their sites (Requirement).

1.12.4 COs and COTRs shall ensure that the census of employees performing safety, reliability, maintainability, and quality functions (engineering, operations, and assurance) by organization is a requirement under contracts.

1.13 Safety Variances

1.13.1 This paragraph provides policy and associated requirements for requesting and approving variances to safety requirements specified as overall SMA requirements for which OSMA is the Office of Primary Responsibility (OPR). The primary objective of this variance policy is to assure that NASA Headquarters maintains oversight of the Agency SMA requirements while providing the Centers and project managers with the authority and flexibility to accept reasonable risks necessary to accomplish their tasks. This policy is consistent with the ISO 9001 requirement for maintaining process control of services that an organization provides. This policy applies to all requirements for which OSMA is the OPR unless otherwise specified for a set of SMA requirements in an Agency requirements document.

1.13.2 A variance consists of documented and approved permission for relief from an established SMA requirement. There are three types of variances to NASA SMA requirements that may be requested at different times during the life cycle of a program/project: exceptions, deviations, and waivers. Variances can result from tailoring in the early phases of planning or from the analysis of designs, test results, and failures that occur throughout the project or facility life cycle. Tailoring is the process of determining which specific requirement(s) in a governing document shall be implemented. This process involves establishing minimum success criteria. Tailoring also authorizes relief from a specific requirement because it is not applicable to a specific mission, program/project operation, or facility and may include permanent exceptions (see paragraph 1.13.2.a of this NPR) and temporary deviations and waivers (see paragraphs 1.13.2.b and 1.13.2.c of this NPR).

a. An exception authorizes permanent relief from a specific requirement and may be requested at any time during the life cycle of a program/project. An exception typically addresses a situation where a requirement does not apply to a portion of a system. An exception may involve the approval of alternative means that provide an equivalent or lower level of risk; or formal acceptance of increased risk due to the fact that the requirement is not satisfied.

b. A deviation authorizes temporary relief in advance from a specific requirement and is requested during the formulation/planning/design stages of a program/project operation to address expected situations. A deviation involves the approval of alternative means that provide an equivalent or lower level of risk or formal acceptance of increased risk due to the fact that the requirement is not satisfied.

Note: Exceptions and deviations may be approved as part of tailoring; i.e., a process that occurs early in the planning stages of a project and involves documenting and formally approving project requirements.

c. A waiver authorizes temporary relief after the fact from a specific requirement and is requested during the implementation of a project or operation to address situations that were unforeseen during design or advanced planning. A waiver involves the approval of alternative means that provide an equivalent or lower level of risk; or formal acceptance of increased risk due to the fact that the requirement is not satisfied.

1.13.3 It is NASA policy for final approval of an SMA variance to incorporate the following:

a. All variances to project level safety, reliability, and quality requirements require signature (indicating approval of the technical approach) by the Center Director (or designee) that hosts, or is directly responsible for, the project, operation, or facility. This constitutes final approval for a variance where there is an equivalent or lower level of risk.

b. All variances to program level safety, reliability, and quality requirements require signature by the Headquarters requirement owner (OCE, OSMA, OCHMO, etc. or designee). This constitutes final approval for a variance where there is an equivalent or lower level of risk.

c. If there is a net increase in risk, in addition to the signature(s) specified in paragraphs 1.13.3.a and b, a variance requires co-signature (indicating formal acceptance of the risk associated with the variance) by the responsible project/program manager and by each Center Director (or designee) responsible for people or property exposed to the associated risk.

Note: NASA does not have approval authority for variances to Federal, State, or local regulations (e.g., OSHA, Cal OSHA), nor to consensus standards that are referenced by Federal regulations (e.g., ANSI, American Conference of Governmental Industrial Hygienists) that apply to NASA. Any variance of a Federal, State, or local regulation must be reviewed by OSMA prior to submittal to the appropriate Federal/State/local agency for approval. For example, the NASA Alternate Safety Standard for Suspended Load Crane Operations was approved by OSHA.

1.13.4 Center Directors (or designees) and project managers shall:

a. Establish and implement Center/program/project-level processes and requirements as needed to satisfy the SMA variance policy and associated requirements provided in this NPR to include processes for preparation, review, and approval of variance requests (Requirement).

b. Ensure that all variance requests include (but are not limited to) documentation as to why the requirement cannot be met, alternative means to reduce the hazard or risk, the type of variance, the duration of the variance if temporary, and comments from any affected workers or their representatives if the variance affects personnel safety (Requirement).

c. Ensure all variance requests include a risk assessment that determines whether there is an increase in risk because the requirement is not satisfied or that the intent of the requirement is met through alternate means that provide an equivalent or lower level of risk (Requirement).

d. Ensure all requests for deviations or waivers include a plan for correcting the associated deficiency and identify a date or development milestone for bringing the project into compliance with the associated requirement (Requirement).

e. Ensure variance requests are approved in accordance with the policy in paragraph 1.13.3 of this NPR (Requirement).

f. Provide copies of all approved safety variances to the OSMA (Requirement).

g. Forward any request for variance to Federal, State, or local regulations to the OSMA for review prior to submittal to the appropriate Federal/State/local agency (Requirement).

1.13.5 Center SMA Directors shall:

a. Assist programs/projects in the preparation of variance requests (Requirement).

b. Assure that the risk associated with a variance request is properly characterized (quantitatively or qualitatively) and that any increase in overall risk (as compared to a system or operation designed to meet the requirement in question) is properly identified (Requirement).

c. Assure that the variance process is carried out in accordance with this NPR (Requirement).

d. Concur (or nonconcur) with variance requests based on paragraphs 1.13.5.b and 1.13.5.c above (Requirement).

Note: Center SMA Directors and their personnel do not serve as approving officials unless specifically designated to do so by their Center Directors (for project level requirements) or Headquarters OSMA (for program level requirements).

1.13.6 The Chief, Safety and Mission Assurance, shall:

a. Serve as the approving official for variances to program level safety, reliability, and quality requirements under SMA cognizance (ownership) (Requirement).

b. Oversee Center/project/program implementation of the variance policy and associated requirements provided in this NPR (Requirement).

c. Review all requests for variance to Federal, State, or local regulations before submittal to the Federal/State/local agency for approval (Requirement 31912).

1.13.7 The Chief Engineer shall serve as the approving official for variances to program level technical requirements under OCE cognizance (ownership) (Requirement).

1.13.8 The Chief Health and Medical Officer shall serve as the approving official for variances to program level requirements under Chief Health and Medical Officer cognizance (ownership) (Requirement).

DISTRIBUTION:
NODIS
