
Source: spacecraft.ssl.umd.edu/design_lib/STS1700_7b.safety.rqmts.pdf


NSTS 1700.7B

Safety Policy and Requirements

For Payloads Using the Space Transportation System

January 1989

National Aeronautics and Space Administration

Lyndon B. Johnson Space Center, Houston, Texas

NSTS 1700.7B

DESCRIPTION OF CHANGES TO SAFETY POLICY AND REQUIREMENTS FOR PAYLOADS USING THE SPACE TRANSPORTATION SYSTEM

CHANGE NO. | DESCRIPTION/AUTHORITY | DATE | PAGES AFFECTED
-- | Basic issue/R21700-1 | 1/13/89 | All
   (This document replaces NHB 1700.7A as stipulated in preface. The R21700 CR number is being used to facilitate the MICB Automated Payload Tracking System (AMPTS) and still retain NSTS 1700.7B as the document number.)
1 | Update section 213.1/S052808 | 02/24/93 | 30
2 | Delete paragraph 220.2a/S086792B | 01/20/94 | 36
3 | Update preface/A096058 | 12/08/95 | 1
4 | Update table of contents, sections 202.2a(2)(b), 202.4b, 202.5, 202.5b, 202.5c, 210, 210.1, 212.2, 212.4 and appendix B; delete sections 210.1a, 210.1b, and 210.1c/S060891; -S060892; -S060893; -S060894; -S060895; -S060896 | 03/21/97 | 3,4,17,17A,19,20,28,29,30,30A,51,52
5 | Update sections 103.1, 103.2, 200, 200.2, 208.1, 208.4a, 209.2, 210.2b, 212.1, 213.2, 214.2, 301, 304, appendixes A and B/S061121A | 10/12/98 | 8,9,10,22,23,27,29,30,31,32,41,42,48,51,52
6 | Update section 217/S061211 | 07/28/99 | 5,33,33A
7 | Update table of contents and add new section 202.6/S061319A | 07/29/00 | 3,20,20A
8 | Update sections 202.2c, 209.1, 209.1a, 209.2, 209.2a, 209.2b, 209.3, 220.1a(1) and appendix B/R21700-0004A | 08/22/00 | 18,26,27,34,51,52
9 | Update section 101/R21700-0006 | 01/29/01 | 7
10 | Update section 306 and appendix B/R21700-0007 | 03/12/01 | 44,52,53
11 | Update appendix C, figure 3/R21700-0008 | 05/11/01 | 57

Note: Dates reflect latest approval date of CR's received by PILS.

1700b Basic CHANGE NO. 11, 05/11/01

NSTS 1700.7B (FORMERLY NHB 1700.7A)

PREFACE

DATE: May 22, 1996

The International Space Station and Space Shuttle Program safety policy is to maintain the assurance of a safe operation while minimizing Program involvement in the design process of the experiment payload and its ground support equipment. Requirements for assuring experiment payload mission success are the responsibility of the experiment payload organization and are beyond the scope of this document. The intent is to provide the overall safety policies and requirements while allowing the experiment payload organization the latitude to determine the best design to meet mission objectives and still comply with basic safety policies and requirements.

NSTS 1700.7B is an extensive revision of NHB 1700.7A that reflects the increased safety awareness that has resulted from the STS-51L Challenger mishap. The requirements of NSTS 1700.7B will be levied on new and existing payloads, if NSTS 1700.7B is specifically referenced in the approved Payload Integration Plan (PIP). Payload organizations which already have an approved PIP may elect to change the PIP and implement NSTS 1700.7B. Subject to the provisions above, NSTS 1700.7B supersedes NHB 1700.7A, dated December 9, 1980.

International Space Station (ISS) experiment payloads will use this document to the extent it is defined to be applicable in the ISS Addendum to NSTS 1700.7B dated December, 1995. The ISS Addendum addresses each paragraph of this document and identifies the applicability to ISS experiment payloads. In addition, the ISS Addendum identifies experiment payload safety policy and requirements that are unique to the ISS.

Note: Preface revised May, 1996 to reflect PRCB Directive A096058.


TABLE OF CONTENTS

Paragraph                                                  Page

CHAPTER 1: GENERAL

100 PURPOSE ........................................... 7
101 SCOPE ............................................. 7
101.1 GSE Design and Ground Operations ................ 7
101.2 Flight Rules .................................... 7
102 RESPONSIBILITY .................................... 7
102.1 Payload Organization ............................ 7
102.2 NSTS ............................................ 8
103 IMPLEMENTATION .................................... 8
103.1 Implementation Procedure ........................ 8
103.2 Interpretations of Requirements ................. 8
104 GLOSSARY OF TERMS ................................. 9
105 APPLICABLE DOCUMENTS .............................. 9
106 FIGURES ........................................... 9

CHAPTER 2: TECHNICAL REQUIREMENTS

200 GENERAL ........................................... 10
200.1 Design to Tolerate Failures ..................... 10
200.1a Critical Hazards ............................... 10
200.1b Catastrophic Hazards ........................... 10
200.2 Design for Minimum Risk ......................... 10
200.3 Environmental Compatibility ..................... 10
200.4 STS Services .................................... 11
200.4a Safe Without Services .......................... 11
200.4b Critical Orbiter Services ...................... 11
201 CONTROL OF HAZARDOUS FUNCTIONS .................... 11
201.1 General ......................................... 11
201.1a Inhibits ....................................... 11
201.1b Controls ....................................... 12
201.1c Monitors ....................................... 12
201.1c(1) Near Real-Time Monitoring ................... 12
201.1c(2) Real-Time Monitoring ........................ 12
201.1c(3) Unpowered Bus Exception ..................... 13
201.1d Use of Timers .................................. 13
201.1e Computer-Based Control Systems ................. 13
201.1e(1) Active Processing to Prevent a Catastrophic Hazard ... 13
201.1e(2) Control of Inhibits ......................... 13
201.2 Functions Resulting in Critical Hazards ......... 14
201.3 Functions Resulting in Catastrophic Hazards ..... 14
202 SPECIFIC CATASTROPHIC HAZARDOUS FUNCTIONS ......... 14
202.1 Solid Propellant Rocket Motors .................. 14
202.1a Safe Distance .................................. 14
202.1b Safe and Arm (S&A) Device ...................... 15
202.1c Electrical Inhibits ............................ 15
202.1d Monitoring ..................................... 15
202.1d(1) No Rotation of the S&A Prior to a Safe Distance ... 15
202.1d(2) S&A Will be Rotated to Arm Prior to a Safe Distance ... 16
202.2 Liquid Propellant Propulsion Systems ............ 16
202.2a Premature Firing ............................... 16
202.2a(1) Safe Distance Criteria ...................... 16
202.2a(2) Isolation Valve ............................. 17
202.2a(2)(a) Opening the Isolation Valve .............. 17
202.2a(2)(b) Pyrotechnic Isolation Valves ............. 17
202.2a(3) Electrical Inhibits ......................... 17
202.2a(4) Monitoring .................................. 17A
202.2b Adiabatic/Rapid Compression Detonation ......... 18
202.2c Propellant Overheating ......................... 18
202.2d Propellant Leakage ............................. 19
202.3 Inadvertent Deployment, Separation, and Jettison Functions ... 19
202.4 Planned Deployment/Extension Functions .......... 19
202.4a Preventing Payload Bay Door Closure ............ 19
202.4b Cannot Withstand Subsequent Loads .............. 19
202.5 RF Energy Radiation ............................. 19
202.5a Payload Bay Doors Open ......................... 20
202.5b Payload Bay Doors Closed ....................... 20
202.5c Monitoring ..................................... 20
202.6 Fluid Release from a Pressurized System Inside of a Closed Volume ... 20
203 RETRIEVAL OF PAYLOADS ............................. 20
203.1 Safing .......................................... 20
203.2 Substantiating Failure Tolerance ................ 20A
203.3 Monitoring ...................................... 20A
203.4 Certification ................................... 21
204 HAZARD DETECTION AND SAFING ....................... 21
205 CONTINGENCY RETURN AND RAPID SAFING ............... 21
206 FAILURE PROPAGATION ............................... 21
207 REDUNDANCY SEPARATION ............................. 21
208 STRUCTURES ........................................ 22
208.1 Structural Design ............................... 22
208.2 Emergency Landing Loads ......................... 22
208.3 Stress Corrosion ................................ 22
208.4 Pressure Systems ................................ 23
208.4a Pressure Vessels ............................... 23
208.4b Dewars ......................................... 23
208.4c Pressurized Lines, Fittings, and Components .... 25
208.4d Flow Induced Vibration ......................... 25
208.5 Sealed Compartments ............................. 25
209 MATERIALS ......................................... 25
209.1 Hazardous Materials ............................. 26
209.1a Fluid Systems .................................. 26
209.1b Chemical Releases .............................. 26
209.2 Flammable Materials ............................. 27
209.2a Orbiter Cabin .................................. 27
209.2b Other Habitable Areas .......................... 27
209.2c Outside Habitable Areas ........................ 27
209.3 Material Offgassing in Habitable Areas .......... 27
210 PYROTECHNICS ...................................... 28
210.1 Initiators ...................................... 28
210.2 Pyrotechnic Operated Devices .................... 29
210.2a Debris Protection .............................. 29
210.2b Must Function Safety Critical Devices .......... 29
210.2c Electrical Connection .......................... 29
210.3 Traceability .................................... 29
211 DESTRUCT SYSTEMS .................................. 30
212 RADIATION ......................................... 30
212.1 Ionizing Radiation .............................. 30
212.2 Emissions and Susceptibility .................... 30
212.3 Lasers .......................................... 30
212.4 Optical Requirements ............................ 30
213 ELECTRICAL SYSTEMS ................................ 30
213.1 General ......................................... 30
213.2 Batteries ....................................... 31
213.3 Lightning ....................................... 31
214 VERIFICATION ...................................... 31
214.1 Mandatory Inspection Points (MIP's) ............. 31
214.2 Verification Tracking Log ....................... 32
215 HAZARDOUS OPERATIONS .............................. 32
215.1 Hazard Identification ........................... 32
215.2 Exposure to Risk ................................ 32
215.3 Access .......................................... 32
216 SERIES PAYLOADS AND REFLOWN HARDWARE .............. 32
216.1 Recertification of Safety ....................... 32
216.2 Previous Mission Safety Deficiencies ............ 33
216.3 Limited Life Items .............................. 33
216.4 Refurbishment ................................... 33
216.5 Safety Waivers and Deviations ................... 33
217 EXTRAVEHICULAR ACTIVITY (EVA) ..................... 33
218 PAYLOAD COMMANDING ................................ 33A
219 FLAMMABLE ATMOSPHERES ............................. 34
220 CREW HABITABLE PAYLOADS ........................... 34
220.1 Atmosphere ...................................... 34
220.1a Verification of Habitability ................... 34
220.1a(1) Offgassing .................................. 34
220.1a(2) Verification for Revisit Missions ........... 34
220.1a(3) Experiment Leakage .......................... 35
220.1b Internal Environment ........................... 35
220.1c Cross Contamination ............................ 35
220.1d Evacuation ..................................... 35
220.2 Habitability .................................... 36
220.2a Acoustic Noise ................................. 36
220.2b Ionizing Radiation ............................. 36
220.2c Mechanical Hazards ............................. 37
220.2d Thermal Hazards ................................ 37
220.2e Electrical Hazards ............................. 37
220.2f Lighting ....................................... 37
220.3 Fire Protection ................................. 37
220.4 Emergency Safing ................................ 38
220.4a Crew Egress .................................... 38
220.4b Electrical System .............................. 38
220.5 Hatches ......................................... 38
220.6 Caution and Warning ............................. 39
220.7 Windows ......................................... 39
220.7a Structural Design .............................. 39
220.7b Transmissivity ................................. 39
220.8 Communications .................................. 39
220.9 Pressure Hull ................................... 40

CHAPTER 3: SYSTEM PROGRAM REQUIREMENTS

300 GENERAL ........................................... 41
301 SAFETY ANALYSIS ................................... 41
302 HAZARD LEVELS ..................................... 41
302.1 Critical Hazard ................................. 41
302.2 Catastrophic Hazard ............................. 41
303 HAZARD REDUCTION .................................. 41
303.1 Design for Minimum Hazard ....................... 41
303.2 Safety Devices .................................. 42
303.3 Warning Devices ................................. 42
303.4 Special Procedures .............................. 42
304 SAFETY ASSESSMENT REVIEWS AND SAFETY CERTIFICATION ... 42
305 SAFETY COMPLIANCE DATA ............................ 43
305.1 For GSE and Ground Operations ................... 43
305.2 For Payload Design and Flight Operations ........ 43
305.3 Post-Phase III Compliance ....................... 44
306 MISHAP/INCIDENT/MISSION FAILURES INVESTIGATION AND REPORTING ... 44

Appendix A Glossary of Terms .......................... 45
Appendix B Applicable Documents ....................... 51
Appendix C Figures .................................... 54

Figure 1 Safe Distance for Firing Liquid Propulsion Thrusters ... 55
Figure 2 Payload Safety Noncompliance Report .......... 56
Figure 3 Certificate of STS Payload Safety Compliance ... 57


CHAPTER 1: GENERAL

100 PURPOSE

This document establishes the safety policy and requirements applicable to Space Transportation System (STS) payloads and their ground support equipment (GSE).

101 SCOPE

These requirements are intended to protect the general public, flight and ground personnel, the STS, other payloads, GSE, public-private property, and the environment from payload-related hazards. This document contains technical and system safety requirements applicable to STS payloads (including payload-provided ground and flight support systems) during ground and flight operations.

101.1 GSE Design and Ground Operations. For additional safety requirements which are unique to ground operations and GSE design, one shall refer to the joint Space and Missile Test Organization (SAMTO)/Kennedy Space Center (KSC) Handbook, SAMTO HB S-100/KHB 1700.7.

101.2 Flight Rules. Flight rules will be prepared for each STS mission that outline preplanned decisions designed to minimize the amount of real-time rationalization required when anomalous situations occur. These flight rules are not additional safety requirements, but do define actions for completion of the STS flight consistent with crew safety. Compliance with minimum safety requirements of this document will not insure the mission success of a payload. For example, if an STS user only monitors two of three inhibits to a catastrophic hazardous function (this is the minimum requirement specified in paragraph 201.3), a flight rule related to the loss of a monitored inhibit may be imposed which is not favorable to the mission success of the payload.

102 RESPONSIBILITY

102.1 Payload Organization. It is the responsibility of each payload organization to assure the safety of its payload and to implement the requirements of this document. Where a payload integration or mission management organization is identified, that organization interfaces with the NSTS on behalf of the group of individual payload elements or experiments under its control. That organization has the responsibility to assure that the individual payload elements are safe and meet the requirements of this document. That organization also has the responsibility to assure that interaction among its payload elements does not create a hazard.

102.2 NSTS. It is the responsibility of the NSTS to interface with the responsible payload organization to review the payload for adequate safety implementation. It is also the responsibility of the NSTS to assure that interaction among mixed payloads, and between payloads and the STS, does not create a hazard.

103 IMPLEMENTATION

This document identifies the safety policy and requirements which are to be implemented by the payload organization. The implementation of safety requirements by the payload organization will be assessed by the NSTS during the safety review process and must be consistent with hazard potential. The NSTS assessment of safety compliance will include a complete review of the safety assessment reports (paragraph 301) and may include audits and safety inspections of flight hardware. The detailed interpretations of these safety requirements will be by the NSTS, and will be determined on a case-by-case basis consistent with the payload's hazard potential. The following supplementary documents have been issued to assist payload organizations in complying with the requirements of this document.

103.1 Implementation Procedure. NSTS/ISS 13830, a jointly issued Johnson Space Center (JSC) and Kennedy Space Center (KSC) document, has been published to assist the payload organization in implementing the system safety requirements and to define further the safety analyses, data submittals, and safety assessment review meetings. NSTS/ISS 13830 identifies the respective roles of the NSTS flight operator and the NSTS launch/landing site operator. It reflects a basic policy of commonality, compatibility, and coordination between the NSTS flight and ground elements in the implementation effort.

103.2 Interpretations of Requirements. NSTS/ISS 18798 is a collection of interpretations of requirements relative to specific payload designs. These interpretations shall be applied to payloads that utilize similar design solutions. Addenda to NSTS/ISS 18798 are distributed to payload organizations as additional interpretations are generated.

104 GLOSSARY OF TERMS

For definitions applicable to this document, see Appendix A.

105 APPLICABLE DOCUMENTS

A list of documents which are referenced in this document is in Appendix B.

106 FIGURES

Figures referred to in the text are contained in Appendix C.


CHAPTER 2: TECHNICAL REQUIREMENTS

200 GENERAL

The following requirements are applicable to all payloads. When a requirement cannot be met, a noncompliance report must be submitted in accordance with NSTS/ISS 13830 for resolution.

200.1 Design to Tolerate Failures. Failure tolerance is the basic safety requirement that shall be used to control most payload hazards. The payload must tolerate a minimum number of credible failures and/or operator errors determined by the hazard level. This criterion applies when the loss of a function or the inadvertent occurrence of a function results in a hazardous event.

200.1a Critical Hazards. Critical hazards shall be controlled such that no single failure or operator error can result in damage to STS equipment, a nondisabling personnel injury, or the use of unscheduled safing procedures that affect operations of the Orbiter or another payload.

200.1b Catastrophic Hazards. Catastrophic hazards shall be controlled such that no combination of two failures or operator errors can result in the potential for a disabling or fatal personnel injury or loss of the Orbiter, ground facilities or STS equipment.

200.2 Design for Minimum Risk. Payload hazards which are controlled by compliance with specific requirements of this document other than failure tolerance are called "Design for Minimum Risk" areas of design. Examples are structures, pressure vessels, pressurized lines and fittings, functional pyrotechnic devices, mechanisms in critical applications, material compatibility, flammability, etc. Hazard controls related to these areas are extremely critical and warrant careful attention to the details of verification of compliance on the part of the payload organization and the NSTS. Minimum supporting data requirements for these areas of design have been identified in NSTS/ISS 13830.

200.3 Environmental Compatibility. A payload shall be certified safe in the applicable worst case natural and induced environments defined in the payload integration plan (PIP) and/or interface control document (ICD).


200.4 STS Services

200.4a Safe Without Services. Payloads shall be designed to maintain fault tolerance or safety margins consistent with the hazard potential without ground or flight NSTS services. During Orbiter emergency conditions, power will be provided temporarily to payloads for payload safing and verification if necessary. Subsequent to payload safing, power may not be available to payloads. Monitoring is not mandatory under these conditions.

200.4b Critical Orbiter Services. When NSTS services are to be utilized to control payload hazards, the integrated system must meet the failure tolerance requirements of paragraph 200.1 and adequate redundancy of the NSTS services must be negotiated. JSC 16979 specifies the fault tolerance of Orbiter-provided payload services which must be used when conducting payload hazard analyses. The payload organization must provide a summary of the hazards being controlled by STS services in the safety assessment report (see paragraph 301) and document in the individual hazard reports those Orbiter interfaces used to control and/or monitor the hazards. Those payload hazards being controlled by Orbiter-provided services will require post-mate interface test verification for both controls and monitors. In addition, the payload organization shall identify in the payload/Orbiter ICD those Orbiter interfaces used to control and/or monitor the hazards.

201 CONTROL OF HAZARDOUS FUNCTIONS

201.1 General. Hazardous functions are operational events (e.g., motor firings, appendage deployments, stage separations, and active thermal control) whose inadvertent operations or loss may result in a hazard.

201.1a Inhibits. An inhibit is a design feature that provides a physical interruption between an energy source and a function (a relay or transistor between a battery and a pyrotechnic initiator, a latch valve in the plumbing line between a propellant tank and a thruster, etc.). Two or more inhibits are independent if no single credible failure, event, or environment can eliminate more than one inhibit.


201.1b Controls. A device or function that operates an inhibit is referred to as a control for an inhibit. Controls do not satisfy the inhibit or failure tolerance requirements for hazardous functions. The "electrical inhibits" in a liquid propellant propulsion system (paragraph 202.2a(3)) are exceptions in that these devices operate the flow control devices (i.e., mechanical inhibits to propellant flow), but are referred to as inhibits and not as controls.

201.1c Monitors. Monitors are used to ascertain the safe status of payload functions, devices, inhibits and parameters. Monitoring circuits should be designed such that the information obtained is as directly related to the status of the monitored device as possible. Monitor circuits shall be current limited or otherwise designed to prevent operation of the hazardous functions with credible failures. In addition, loss of input or failure of the monitor should cause a change in state of the indicator. Monitoring shall be available to the launch site when necessary to assure safe ground operations. Notification of changes in the status of safety monitoring shall be given to the flightcrew in either near-real-time or real-time.

201.1c(1) Near-Real-Time Monitoring. Near-real-time monitoring (NRTM) is defined as notification of changes in inhibit or safety status on a periodic basis (nominally once per orbit). NRTM may be accomplished via ground crew monitored telemetry data. Switch talk backs shall not be used as the only source of safety monitoring when the hazard exists during crew sleep periods.

201.1c(2) Real-Time Monitoring. Real-time monitoring (RTM) is defined as immediate notification to the crew. RTM shall be accomplished via the use of the Orbiter failure detection and annunciation system or by ground crew monitored telemetry data. An exception to this would be where RTM is necessary only during payload operations. Under these conditions, switch panel talk back monitoring is acceptable. Real-time monitoring of inhibits to a catastrophic hazardous function is required when changing the configuration of the applicable payload system or when the provisions of paragraph 204 are implemented for flightcrew control of the hazard. If ground monitoring is used to meet real-time monitoring, a continuous real-time data link (containing the applicable safety parameters) must be assured by the payload and continuous communications between the flight and ground crews must be established and maintained during the required period.

201.1c(3) Unpowered Bus Exception. Monitoring and safing of inhibits for a catastrophic hazardous function will not be required if the function power is deenergized (i.e., an additional fourth inhibit is in place between the power source and the three required inhibits) and the control circuits for the three required inhibits are disabled (i.e., no single failure in the control circuitry will result in the removal of an inhibit) until the hazard potential no longer exists.

201.1d Use of Timers. When timers are used on deployable payloads to control inhibits to hazardous functions, complete separation of the payload from the Orbiter must be achieved prior to the initiation of the timer. If credible failure modes exist that could allow the timer to start prior to a complete separation, a safing capability must be provided. If this safing is via a radio frequency (RF) command, then the command capability must be provided to the flightcrew.

201.1e Computer-Based Control Systems.

201.1e(1) Active Processing to Prevent a Catastrophic Hazard. While a computer system is being used to actively process data to operate a payload system with catastrophic potential, the catastrophic hazard must be prevented in a two-failure tolerant manner. One of the methods to control the hazard must be independent of the computer system. A computer system shall be considered zero fault tolerant in controlling a hazardous system (i.e., a single failure will cause loss of control), unless the system utilizes independent computers, each executing uniquely developed instruction sequences to provide the remaining two hazard controls.

201.1e(2) Control of Inhibits. The inhibits to a hazardous function may be controlled by a computer-based system used as a timer, provided the system meets all the requirements for independent inhibits.


201.2 Functions Resulting in Critical Hazards. A function whose inadvertent operation could result in a critical hazard must be controlled by two independent inhibits, whenever the hazard potential exists. Requirements for monitoring (paragraph 201.1c) of these inhibits and for the capability to restore inhibits to a safe condition are normally not imposed, but may be imposed on a case-by-case basis. Where loss of a function could result in a critical hazard, no single credible failure shall cause loss of that function.

201.3 Functions Resulting in Catastrophic Hazards. A function whose inadvertent operation could result in a catastrophic hazard must be controlled by a minimum of three independent inhibits, whenever the hazard potential exists. One of these inhibits must preclude operation by an RF command or the RF link must be encrypted. In addition, the ground return for the function circuit must be interrupted by one of the independent inhibits. At least two of the three required inhibits shall be monitored (paragraph 201.1c). If loss of a function could cause a catastrophic hazard, no two credible failures shall cause loss of that function.
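As an added illustration of the failure-tolerance arithmetic in paragraphs 201.1e(1) and 201.3 (example code added here, not part of NSTS 1700.7B or of any NASA tool): the script below models the inhibits on a hazardous function together with the shared elements each inhibit depends on, enumerates every combination of element failures, reports the largest number of failures the design survives, and then checks the remaining 201.3 conditions (RF preclusion or encryption, ground-return interrupt, monitoring of two inhibits). The two designs, the relay names and the flight computer dependency are constructed assumptions. The point they show is that three inhibits are only two-failure tolerant when no single element, such as a computer-based controller that 201.1e(1) treats as zero fault tolerant, can remove more than one of them.

```python
"""Failure-tolerance check for an inhibit set (constructed example, not part of NSTS 1700.7B)."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Inhibit:
    """One inhibit on a hazardous function.

    depends_on lists shared elements (a flight computer, a connector, a power bus)
    whose failure is taken to remove this inhibit even though the inhibit itself is intact.
    """
    name: str
    depends_on: tuple = ()
    precludes_rf: bool = False              # inhibit blocks operation by RF command (201.3)
    interrupts_ground_return: bool = False  # inhibit opens the circuit's ground return (201.3)
    monitored: bool = False                 # status is monitored per 201.1c


@dataclass(frozen=True)
class HazardousFunction:
    name: str
    inhibits: tuple
    rf_link_encrypted: bool = False


def failable_elements(func):
    """Every element whose failure can remove an inhibit: the inhibits plus their shared dependencies."""
    elements = set()
    for inh in func.inhibits:
        elements.add(inh.name)
        elements.update(inh.depends_on)
    return sorted(elements)


def inhibits_remaining(func, failed):
    """Inhibits still in place after the elements in `failed` have failed."""
    return [inh for inh in func.inhibits
            if inh.name not in failed and not failed.intersection(inh.depends_on)]


def failure_tolerance(func):
    """Largest n such that no combination of n element failures removes every inhibit.

    Exhaustive enumeration; cheap for the handful of elements a single function has.
    """
    elements = failable_elements(func)
    for n in range(1, len(elements) + 1):
        for failed in combinations(elements, n):
            if not inhibits_remaining(func, set(failed)):
                return n - 1
    return len(elements)


def check_catastrophic(func):
    """Findings against the paragraph 201.3 rules for a catastrophic hazardous function.

    Returns an empty list when every rule is met.
    """
    findings = []
    if len(func.inhibits) < 3:
        findings.append("fewer than three inhibits")
    tol = failure_tolerance(func)
    if tol < 2:
        findings.append(f"only {tol}-failure tolerant; two-failure tolerance required")
    if not func.rf_link_encrypted and not any(i.precludes_rf for i in func.inhibits):
        findings.append("no inhibit precludes RF command and the RF link is not encrypted")
    if not any(i.interrupts_ground_return for i in func.inhibits):
        findings.append("ground return is not interrupted by an inhibit")
    if sum(i.monitored for i in func.inhibits) < 2:
        findings.append("fewer than two inhibits are monitored")
    return findings


# Constructed designs for a hypothetical deployment pyrotechnic fire circuit.
INDEPENDENT = HazardousFunction(
    name="pyro fire circuit, three independent relays (constructed)",
    inhibits=(
        Inhibit("arm_relay", precludes_rf=True, monitored=True),
        Inhibit("fire_relay", monitored=True),
        Inhibit("return_relay", interrupts_ground_return=True),
    ),
)

# Same three relays, but two of them are driven by one flight computer. Per 201.1e(1)
# the computer is a zero-fault-tolerant element, so one computer failure removes both.
SHARED_COMPUTER = HazardousFunction(
    name="pyro fire circuit, two relays driven by one flight computer (constructed)",
    inhibits=(
        Inhibit("arm_relay", depends_on=("flight_computer",), precludes_rf=True, monitored=True),
        Inhibit("fire_relay", depends_on=("flight_computer",), monitored=True),
        Inhibit("return_relay", interrupts_ground_return=True),
    ),
)

if __name__ == "__main__":
    for design in (INDEPENDENT, SHARED_COMPUTER):
        print(design.name)
        print("  failure tolerance:", failure_tolerance(design))
        for finding in check_catastrophic(design) or ["meets the 201.3 checks"]:
            print("  -", finding)
```

The same dependency modelling covers a connector shared by redundant circuits (paragraph 207) and the arrangement rule of paragraph 202.2a(3) that one electrical inhibit failure must not open more than one flow control device: list the shared element in `depends_on` and the enumeration finds the common-cause failure.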

202 SPECIFIC CATASTROPHIC HAZARDOUS FUNCTIONS

In the following subparagraphs, specific requirements related to inhibits, monitoring, and operations are defined for several identified potentially catastrophic hazardous functions.

202.1 Solid Propellant Rocket Motors. Premature firing of a solid propellant rocket motor, while the payload is closer to the Orbiter than the minimum safe distance, is a catastrophic hazard.

202.1a Safe Distance. The safe distance for firing a solid rocket motor is defined as the separation distance achieved 45 minutes after deployment with the payload coasting with a minimum separation velocity of 1 foot per second. Payloads with a positive separation velocity less than 1 foot per second either:

(1) Shall provide an RF command capability as a flightcrew function to inhibit automatic sequencing until a safe distance is assured; or

(2) Shall initiate payload sequencing (such as, starting a timer that will remove inhibits to cause engine firing) by a real-time RF command with prior NSTS coordination and approval and the RF command to start sequencing shall not be sent until a safe separation distance is assured. For payloads deployed with the Remote Manipulator System (RMS), sequencing shall be initiated by a real time RF command.

202.1b Safe and Arm (S&A) Device. All solid propellant rocket motors shall be equipped with an S&A device that provides a mechanical interrupt in the pyrotechnic train immediately downstream of the initiator. The S&A device shall be designed and tested in accordance with provisions of MIL-STD-1576. If the S&A device is to be rotated to the arm position prior to the payload achieving a safe distance from the Orbiter: rotation must be a flightcrew function and must be done as part of the final deployment activities of the payload; and the initiator must meet the requirements of paragraph 210. The S&A must be in the safe position during Orbiter boost and entry. There must be a capability to resafe the S&A device: if the S&A device is to be rotated to the arm position while the payload is attached to the Orbiter; or if the solid rocket motor propulsion subsystem does not qualify for the unpowered bus exception of paragraph 201.1c(3). In determining compliance with paragraph 201.1c(3), the S&A device in the "safe" position shall be counted as one of the required inhibits.

202.1c Electrical Inhibits. In addition to the S&A, there shall be at least two independent electrical inhibits, to prevent firing of the motor if the S&A device will be in the "safe" position until the payload reaches a safe distance from the Orbiter. There shall be at least three independent electrical inhibits, in addition to the S&A, if the S&A device will be rotated to the arm position prior to the payload reaching a safe distance from the Orbiter.

202.1d Monitoring. Monitoring requirements are a function of the design and operations as follows:

202.1d(1) No Rotation of the S&A Prior to a Safe Distance. The capability to monitor the status of the S&A device and one electrical inhibit in near real-time is required until final separation of the payload from the Orbiter. No monitoring is required if the payload qualifies for the unpowered bus exception of paragraph 201.1c(3).

202.1d(2) S&A Will be Rotated to Arm Prior to a Safe Distance. Prior to rotation of the S&A and separation of the payload from the Orbiter, the flight or ground crew must have continuous real-time monitoring to determine the status of the S&A and to assure that two of the three electrical inhibits are in place (paragraph 201.1c(2)).

202.2 Liquid Propellant Propulsion Systems.

202.2a Premature Firing. The premature firing of a liquid propellant propulsion system before the payload reaches a safe distance from the Orbiter is a catastrophic hazard. Each propellant delivery system must contain a minimum of three mechanically independent flow control devices in series to prevent engine firing. A bipropellant system shall contain a minimum of three mechanically independent flow control devices in series both in the oxidizer and fuel sides of the delivery system. These devices must prevent contact between the fuel and oxidizer as well as prevent expulsion through the thrust chamber(s). Except during ground servicing and as defined in paragraph 202.2a(2)(a), these devices will remain closed during all ground and flight phases until the payload reaches a safe distance from the Orbiter. A minimum of one of the three devices will be fail-safe, i.e., return to the closed condition in the absence of an opening signal.

202.2a(1) Safe Distance Criteria. The hazard of engine firing close enough to inflict damage to the Orbiter due to heat flux, contamination, and/or perturbation of the Orbiter, is in proportion to the total thrust imparted by the payload in any axis and shall be controlled by establishing a safe distance for the event. The safe distance shall be determined using Figure 1 (see Appendix C). For large thruster systems with greater than 10 pounds total thrust, the collision hazard with the Orbiter must be controlled by considering the safe distance criteria in Figure 1, together with the correct attitude at time of firing. For small reaction control system (RCS) thrusters with less than 10 pounds total thrust, the collision hazard must be controlled by the safe distance criteria in Figure 1 with consideration of many variables such as deployment method, appendage orientation, and control authority.

202.2a(2) Isolation Valve. One of the flow control devices shall isolate the propellant tank(s) from the remainder of the distribution system.

202.2a(2)(a) Opening the Isolation Valve. If a payload with a large liquid propellant thruster system also uses a small reaction control thruster system for attitude control, the isolation valve in a common distribution system may be opened after the payload has reached a safe distance for firing the reaction control thrusters provided the applicable requirements of paragraphs 202.2a(3) and 202.2a(4) have been met and two mechanical flow control devices remain to prevent thrusting of the larger system.

202.2a(2)(b) Pyrotechnic Isolation Valves. If a normally closed, pyrotechnically initiated, parent metal valve is used, fluid flow or leakage past the barrier will be considered mechanically noncredible if:

a. The valve has an internal flow barrier fabricated from a continuous unit of nonwelded parent metal.

b. The valve integrity is established by rigorous qualification and acceptance testing.

When the valve is used as a flow control device, the number of inhibits to valve activation determines the failure tolerance against fluid flow.

202.2a(3) Electrical Inhibits. While the payload is closer to the Orbiter than the minimum safe distance for engine firing, there shall be at least three independent electrical inhibits that control the opening of the flow control devices. The electrical inhibits shall be arranged such that the failure of one of the electrical inhibits will not open more than one flow control device. If the isolation valve will be opened under the conditions of paragraph 202.2a(2)(a) prior to the payload achieving a safe distance for firing a large thruster, three independent electrical inhibits must control the opening of the remaining flow control devices for the large thruster system.

202.2a(4) Monitoring. At least two of the three required independent electrical inhibits shall be monitored by the flight or ground crew until final separation of the payload from the Orbiter. The position of a mechanical flow control device may be monitored in lieu of its electrical inhibit, provided the two monitors used to meet the above requirement are independent. Either near real-time or real-time monitoring will be required as defined in paragraphs 201.1c(1) and 201.1c(2). One of the monitors must be the electrical inhibit or mechanical position of the isolation valve. Monitoring will not be required if the payload qualifies for the unpowered bus exception of paragraph 201.1c(3). If the isolation valve will be opened prior to the payload achieving a safe distance from the Orbiter, all three of the electrical inhibits that will remain after the opening of the isolation valve must be verified safe during final predeployment activities by the flight or ground crew.

202.2b Adiabatic/Rapid Compression Detonation. While the payload is inside the Orbiter cargo bay, the inadvertent opening of isolation valves in a hydrazine (N2H4) propellant system shall be controlled as a catastrophic hazard unless the outlet lines are completely filled with hydrazine or the system is shown to be insensitive to adiabatic or rapid compression detonation. Hydrazine systems will be considered sensitive to compression detonation unless insensitivity is verified by testing on flight hardware or on a high fidelity flight type system that is constructed and cleaned to flight specifications. Test plans must be submitted to the NSTS as part of the appropriate hazard report. If the design solution is to fly wet downstream of the isolation valve, the hazard analysis must consider other issues such as hydrazine freezing or overheating, leakage, single barrier failures, and back pressure relief.

202.2c Propellant Overheating. Raising the temperature of a propellant above the fluid compatibility limit for the materials of the system is a catastrophic hazard. Components in propellant systems that are capable of heating the system (e.g., heaters, valve coils, etc.) shall be two-failure tolerant to heating the propellant above the material/fluid compatibility limits of the system. These limits shall be based on test data derived from NASA-STD-6001 test methods or on data furnished by the payload supplier and approved by the NSTS. Propellant temperatures less than the material/fluid compatibility limit, but greater than 200 degrees Fahrenheit must be approved by the NSTS.

The use of inhibits, cutoff devices, and/or crew safing actions may be used to make the system two failure tolerant to overheating. Monitoring of inhibits (paragraphs 201.1c and 201.3) or of propellant temperature will be required.

202.2d Propellant Leakage. A payload shall be two failure tolerant to prevent leakage of propellant into the Orbiter cargo bay past seals, seats, etc., if the leak has a flow path to the storage vessel. If the leak is in an isolated segment of the distribution system, failure tolerance to prevent the leak will depend on the type and quantity of propellant that could be released. As a minimum such a leak will be one failure tolerant.

202.3 Inadvertent Deployment, Separation, and Jettison Functions. Inadvertent deployment, separation or jettison of a payload, payload element or appendage is a catastrophic hazard unless it is shown otherwise. The general inhibit and monitoring requirements of paragraph 201 shall apply.

202.4 Planned Deployment/Extension Functions.

202.4a Preventing Payload Bay Door Closure. If during planned payload operations an element of the payload or any payload airborne support equipment (ASE) violates the payload bay door envelope, the hazard of preventing door closure must be controlled by independent primary and backup methods. The combination of these methods must be two-fault tolerant. Two methods are considered independent if no single event or environment can eliminate both methods (i.e., the methods have no common cause failure mode).

202.4b Cannot Withstand Subsequent Loads. If during planned operations an element of a payload or its ASE is deployed, extended, or otherwise unstowed to a condition where it cannot withstand subsequent STS induced loads, there shall be design provisions to safe the payload with redundancy appropriate to the hazard level. Safing may include deployment, jettison or provisions to change the configuration of the payload to eliminate the hazard.

202.5 RF Energy Radiation. Allowable levels of radiation from payload transmitting antenna systems are defined in the ICD, NSTS 07700, Volume XIV, Attachment 1 (ICD-2-19001). These levels define payload-to-RMS, payload-to-Orbiter, payload-to-EMU, and payload-to-payload limits.

202.5a Payload Bay Doors Open. With the payload bay doors opened, there shall be three independent inhibits whenever the impinging radiation would exceed the ICD limits.

202.5b Payload Bay Doors Closed. Radiation is permitted when the payload bay doors are closed only when the RF levels are 12 decibels (dB) below the levels identified for the payload-to-Orbiter and payload-to-payload limits and the specific radiation conditions are identified in the payload unique ICD. Two inhibits are required for transmitting equipment when the radiation levels are below the ICD limit but within 12 dB of the limit.

202.5c Monitoring. RF inhibits do not require monitoring unless the radiation levels would exceed the ICD allowable levels by more than 6 dB in which case two of three inhibits must be monitored.

202.6 Fluid Release from a Pressurized System Inside of a Closed Volume. Release of any fluid from pressurized systems shall not compromise the structural integrity of any closed volume in which hardware is contained, such as the Shuttle cargo bay or crew habitable volumes. In accordance with NSTS 07700 (Volume XIV, Attachment 1, ICD-2-19001, Section 10.6.2.3), pressurized systems that are two fault tolerant to release of fluid through controlled release devices do not require analysis. Also, pressurized systems that are two fault tolerant or designed for minimum risk, as applicable, to prevent leakage, do not require analysis. Systems which do not meet the above shall be reviewed and assessed for safety on a case-by-case basis, and approval must be given by the SSP.

203 RETRIEVAL OF PAYLOADS

203.1 Safing. Deployable and/or free flying payloads that are designed to be retrieved or revisited shall have the capability to return systems which are hazardous to a safe condition (i.e., meet all the applicable requirements of this document).

203.2 Substantiating Failure Tolerance. Payloads must be designed so as to allow substantiation of safing by the Orbiter flightcrew or ground crew prior to retrieval and while the payload is still a safe distance from the Orbiter. By direct or indirect means, it must be substantiated that catastrophic hazardous functions are at least two-failure tolerant. Specific plans to be used to determine the safe status of a retrievable payload must be approved by the NSTS.

203.3 Monitoring. After retrieval, the monitoring requirements of paragraphs 201.1c and 201.3 will apply.

203.4 Certification. Prior to the NSTS retrieval or revisit mission, the payload organization must certify the safety of the payload. This certification must be based upon a hazard analysis that considers the effect of the current condition of the payload (including the impact of all anomalies) during all subsequent flight and ground operations with the STS.

204 HAZARD DETECTION AND SAFING

The need for hazard detection and safing by the flightcrew to control time-critical hazards will be minimized and implemented only when an alternate means of reduction or control of hazardous conditions is not available. When implemented, these functions will be capable of being tested for proper operations during both ground and flight phases and shall use existing Orbiter systems for fault detection and annunciation. Likewise, payload designs should be such that real-time monitoring is not required to maintain control of hazardous functions. With NSTS approval, real-time monitoring and hazard detection and safing may be utilized to support control of hazardous functions provided that adequate crew response time is available and acceptable safing procedures are developed.

205 CONTINGENCY RETURN AND RAPID SAFING

All payloads must be safe for aborts and contingency return and shall include design provisions for rapid safing. Hazard controls may include deployment, jettison or design provisions to change the configuration of the payload.

206 FAILURE PROPAGATION

The design shall preclude propagation of failures from the payload to the environment outside the payload.

207 REDUNDANCY SEPARATION

Safety-critical redundant subsystems shall be separated by the maximum practical distance, or otherwise protected, to ensure that an unexpected event that damages one is not likely to prevent the others from performing the function. All redundant functions that are required to prevent a catastrophic hazard must not be routed through a single connector.

208 STRUCTURES

208.1 Structural Design. The structural design shall provide ultimate factors of safety equal to or greater than 1.4 for all STS mission phases except emergency landing. This includes loads incurred during payload and Orbiter operations for all payload configurations or while changing configuration as specified in the PIP. Verification of design compliance shall be in accordance with NSTS 14046. When failure of structure can result in a catastrophic event, the design shall be based on fracture control procedures to prevent structural failure because of the initiation or propagation of flaws or crack-like defects during fabrication, testing, and service life. Requirements for fracture control are specified in NASA-STD-5003.

208.2 Emergency Landing Loads. The structural design shall comply with the ultimate design load factors for emergency landing loads that are specified in the ICD's between the Orbiter and the payload. Structural verification for these loads may be certified by analysis only.

208.3 Stress Corrosion. Materials used in the design of payload structures, support bracketry, and mounting hardware shall be rated for resistance to stress corrosion cracking (SCC) in accordance with the tables in MSFC-HDBK-527/JSC 09604 and MSFC-SPEC-522. Alloys with high resistance to SCC shall be used whenever possible and do not require NSTS approval. When failure of a part made from a moderate or low resistance alloy could result in a critical or catastrophic hazard, a Material Usage Agreement that includes a Stress Corrosion Evaluation Form from MSFC-HDBK-527/JSC 09604 must be attached to the applicable stress corrosion hazard report contained in the safety assessment report (see paragraph 301). When failure of a part made from a moderate or low resistance alloy would not result in a hazard, rationale to support the nonhazard assessment must be included in the stress corrosion hazard report. Approval of the hazard report shall constitute NSTS approval for the use of the alloy in the documented applications. Controls that are required to prevent SCC of components after manufacturing shall be identified in the hazard report and closure shall be documented in the verification log (see paragraph 214.2) prior to flight.

208.4 Pressure Systems. The maximum design pressure (MDP) for a pressurized system shall be the highest pressure defined by maximum relief pressure, maximum regulator pressure or maximum temperature. Transient pressures shall be considered. Design factors of safety shall apply to MDP. Where pressure regulators, relief devices, and/or a thermal control system (e.g., heaters) are used to control pressure, collectively they must be two-fault tolerant from causing the pressure to exceed the MDP of the system. Pressure integrity shall be verified at the system level.

208.4a Pressure Vessels. Pressure vessels shall comply with the pressure vessel requirements of MIL-STD-1522A (including revisions as of December 1984) as modified by the paragraphs (1), (2), (3), (4) and (5) below. Particular attention shall be given to insure compatibility of vessel materials with fluids used in cleaning, test, and operation. Data requirements for pressure vessels are listed in NSTS/ISS 13830.

(1) Approach "B" of figure 2 is not acceptable.

(2) In addition to other required analyses, composite pressure vessels shall be assessed for adequate stress rupture life.

(3) Nondestructive evaluation (NDE) of pressure vessels shall include inspection of welds after proof testing.

(4) MDP as defined above (see paragraph 208.4) shall be substituted for all references to maximum expected operating pressure (MEOP).

(5) A proof test of each flight pressure vessel to a minimum of 1.5 x MDP and a fatigue analysis showing a minimum of 10 design lifetimes may be used in lieu of testing a certification vessel to qualify a vessel design that in all other respects meets the requirements of this document and MIL-STD-1522A, Approach A.

208.4b Dewars. Dewar/cryostat systems are a special category of pressurized vessels because of unique structural design and performance requirements. Pressure containers in such systems shall be subject to the requirements for pressure vessels specified in paragraphs 208.4 and 208.4a as supplemented by the requirements of this section.

(1) Pressure containers shall be leak-before-burst (LBB) designs where possible as determined by a fracture mechanics analysis. Containers of hazardous fluids and all non-LBB designs must employ a fracture mechanics safe-life approach to assure safety of operation.

(2) MDP of the pressure container shall be as determined in paragraph 208.4 or the pressure achieved under maximum venting conditions whichever is higher. Relief devices must be sized for full flow at MDP.

(3) Outer shells (i.e., vacuum jackets) shall have pressure relief capability to preclude rupture in the event of pressure container leakage. If pressure containers do not vent external to the dewar but instead vent into the volume contained by the outer shell, the outer shell relief devices must be capable of venting at a rate to release full flow without outer shell rupture. Relief devices must be redundant and individually capable of full flow.

(4) Pressure relief devices which limit maximum design pressure must be certified to operate at the required conditions of use. Certification shall include testing of the same part number from the flight lot under the expected use conditions.

(5) Nonhazardous fluids may be vented into the cargo bay if analysis shows that a worst case credible volume release will not affect the structural integrity or thermal capability of the Orbiter.

(6) The proof test factor for each flight pressure container shall be a minimum of 1.1 times MDP. Qualification burst and pressure cycle testing is not required if all the requirements of paragraphs 208.4, 208.4a and 208.4b are met. The structural integrity for external load environments must be demonstrated in accordance with NSTS 14046.

208.4c Pressurized Lines, Fittings, and Components.

(1) Pressurized lines and fittings with less than a 1.5-inch outside diameter and all flex-hoses shall have an ultimate factor of safety equal to or greater than 4.0. Lines and fittings with a 1.5-inch or greater outside diameter shall have an ultimate factor of safety equal to or greater than 1.5.

(2) All line-installed bellows and all heat pipes shall have an ultimate safety factor equal to or greater than 2.5.

(3) Other components (e.g., valves, filters, regulators, sensors, etc.) and their internal parts (e.g., bellows, diaphragms, etc.) which are exposed to system pressure shall have an ultimate factor of safety equal to or greater than 2.5.

(4) Secondary compartments or volumes that are integral or attached by design to the above parts and which can become pressurized as a result of a credible single barrier failure must be designed for safety consistent with structural requirements. These compartments shall have a minimum safety factor of 1.5 based on MDP. If external leakage would not present a catastrophic hazard to the Orbiter, the secondary volume must either be vented or equipped with a relief provision in lieu of designing for system pressure.

208.4d Flow Induced Vibration. Flexible hoses and bellows shall be designed to exclude flow induced vibrations which could result in a catastrophic hazard to the STS.

208.5 Sealed Compartments. Payload sealed compartments within a habitable volume, including containers which present a safety hazard if rupture occurs, shall be capable of withstanding the maximum pressure differential associated with emergency depressurization of the habitable volume. Payloads located in any other region of the Orbiter shall be designed to withstand the decompression and repressurization environments associated with ascent or descent.

209 MATERIALS

MSFC-HDBK-527/JSC 09604 contains a listing of materials (both metals and nonmetals) with a "rating" indicating acceptability for each material's characteristic. For materials which create potential hazardous situations as described in the paragraphs below and for which no prior NASA test data or rating exists, the payload organization shall present other test results for NSTS review or request assistance from the NSTS in conducting applicable tests. The payload material requirements for hazardous materials, flammability, and offgassing are as follows:

209.1 Hazardous Materials. Hazardous materials shall not be released or ejected in or near the Orbiter. During exposure to all STS environments, hazardous fluid systems must contain the fluids unless the use of the Orbiter vent/dump provisions has been negotiated with the NSTS. Payload organizations shall submit material data for toxicological assessments per JSC 27472.

209.1a Fluid Systems. Particular attention shall be given to materials used in systems containing hazardous fluids. These hazardous fluids include gaseous oxygen, liquid oxygen, fuels, oxidizers, and other fluids that could chemically or physically degrade the system or cause an exothermic reaction. Those materials within the system exposed to oxygen (liquid and gaseous), both directly and by a credible single barrier failure, must meet the requirements of NASA-STD-6001 at MDP and temperature. Materials within the system exposed to other hazardous fluids, both directly and by a credible single barrier failure, must pass the fluid compatibility requirements of NASA-STD-6001 at MDP and temperature. The payload supplier's compatibility data on hazardous fluids may be used to accept materials in this category if approved by the NSTS.

209.1b Chemical Releases. The use of chemicals which would create a toxicity problem (including irritation to skin or eyes) or cause a hazard to STS hardware if released should be avoided. If use of such chemicals cannot be avoided, adequate containment shall be provided by the use of an approved pressure vessel as defined in paragraph 208.4 or the use of two or three redundantly sealed containers, depending on the toxicological hazard for a chemical with a vapor pressure below 15 psia. The payload organization must assure that each level of containment will not leak under the maximum use conditions (i.e., vibration, temperature, pressure, etc.). Mercury is an example of such a chemical, since it produces toxic vapors and can amalgamate with metals or metal alloys used in spacecraft hardware. Documentation of chemical usage, along with the containment methods, will be supplied for review and approval.

209.2 Flammable Materials. A payload must not constitute an uncontrolled fire hazard to the STS or other payloads. The minimum use of flammable materials shall be the preferred means of hazard reduction. The determination of flammability shall be in accordance with NASA-STD-6001. Guidelines for the conduct of flammability assessments are provided in NSTS 22648. A flammability assessment shall be documented in accordance with NSTS/ISS 13830.

209.2a Orbiter Cabin. Materials used in the Orbiter cabin must be tested in accordance with NASA-STD-6001 at the use condition of 10.2 psi total pressure and 30 percent oxygen concentration (worst case Orbiter cabin condition). When flammable materials are used in quantities where the weight or surface area is greater than 0.1 pounds or 10 square inches respectively, the methods of control of flame propagation must be described in the flammability assessment report.

209.2b Other Habitable Areas. Materials used in habitable areas other than the Orbiter cabin shall be tested in accordance with NASA-STD-6001 in the worst case atmosphere (i.e., oxygen concentration). Propagation path considerations of paragraph 209.2a apply.

209.2c Outside Habitable Areas. Materials used outside the Orbiter cabin shall be evaluated for flammability in an air environment at 14.7 psi. Propagation path considerations of NSTS 22648 apply for material usages of greater than 1 pound and/or dimensions exceeding 12 inches.

209.3 Material Offgassing in Habitable Areas. Usage of materials which produce toxic levels of offgassing products shall be avoided in habitable areas. Payload elements going into such areas are required to be subjected to offgassing tests (black-box levels) for safety validation prior to integration with STS elements. Rigorous material control to insure that all selected materials have acceptable offgassing characteristics is a negotiable alternative to black-box level testing. The offgassing test specified in NASA-STD-6001 or an NSTS approved equivalent shall be used for the black-box level offgassing test. The document MSFC-HDBK-527/JSC 09604 contains a listing of materials and black boxes that have been subjected to offgassing tests.

210 PYROTECHNICS

If premature firing or failure to fire will cause a hazard, the pyrotechnic subsystem and devices shall meet the design and test requirements of MIL-STD-1576.

210.1 Initiators. NASA Standard Initiators (NSI's) are the preferred initiators for all safety critical pyrotechnic functions. MIL-STD-1576 qualification and acceptance test requirements, or equivalent, apply if other initiators are used.

210.2 Pyrotechnic Operated Devices.

210.2a Debris Protection. Pyrotechnic devices that are to be operated in the Orbiter or that do not meet the criteria of this document to prevent inadvertent operation, shall be designed to preclude hazards due to effects of shock, debris, and hot gasses resulting from operation. Such devices shall be subjected to a "locked-shut" safety demonstration test (i.e., a test to demonstrate the capability of the devices to safely withstand internal pressures generated in operation with the moveable part restrained in its initial position).

210.2b Must Function Safety Critical Devices. Where failure to operate will cause a catastrophic hazard, pyrotechnic operated devices shall be designed, controlled, inspected, and certified to criteria equivalent to those specified in NSTS 08060. The data required for NSTS review are identified in NSTS/ISS 13830. If the device is used in a redundant application where the hazard is being controlled by the use of multiple independent methods, then in lieu of demonstrating compliance with criteria equivalent to NSTS 08060, sufficient margin to assure operation must be demonstrated. When required, pyrotechnic operated devices shall demonstrate performance margin using a single charge or cartridge loaded with 85 percent (by weight) of the minimum allowable charge or other equivalent margin demonstrations.

210.2c Electrical Connection. Payloads with pyrotechnic devices which if prematurely fired may cause injury to people or damage to property shall be designed such that these devices can be electrically connected in the Orbiter after all payload/Orbiter electrical interface verification tests have been completed. Ordnance circuitry must be verified safe prior to connection of pyrotechnic devices. Exceptions to this require specific approval of the Launch Site Safety Office.

210.3 Traceability. The payload organization shall furnish the NSTS a list of all safety critical pyrotechnic initiators installed or to be installed on the payload, giving the function to be performed, the part number, the lot number, and the serial number.

211 DESTRUCT SYSTEMS

Destruct systems will be used only when approved by the NSTS and must comply with the requirements of paragraphs 200, 201, 202, 204, and 210.

212 RADIATION

212.1 Ionizing Radiation. Payloads containing or using radioactive materials or that generate ionizing radiation shall be identified and approval obtained for their use. Descriptive data shall be provided in accordance with NSTS/ISS 13830. Major radioactive sources require approval by the Interagency Nuclear Safety Review Panel through the NASA coordinator for the panel. DOD payloads involving radioactive materials will be processed through their own established procedures. Radioactive materials shall comply with appropriate license requirements at the planned launch and landing sites.

212.2 Emissions and Susceptibility. Payload emissions shall be limited to those levels identified in paragraph 10.7.3 of ICD 2-19001. The payload must demonstrate that safety critical equipment is not susceptible to the electromagnetic environment defined in paragraph 10.7.2 of ICD 2-19001.

212.3 Lasers. Lasers used on STS payloads shall be designed and operated in accordance with American National Standard for Safe Use of Lasers, ANSI-Z-136.1.

212.4 Optical Requirements. Optical instruments shall prevent harmful light intensities and wavelengths from being viewed by operating personnel. Quartz windows, apertures or beam stops and enclosures shall be used for hazardous wavelengths and intensities. Light intensities and spectral wavelengths at the eyepiece of direct viewing optical systems shall be below the Threshold Limit Values for physical agents defined in the American Conference of Governmental Industrial Hygienists.

213 ELECTRICAL SYSTEMS

213.1 General. Electrical power distribution circuitry shall be designed to include circuit protection devices to protect against circuit damage normally associated with an electrical fault when such a fault could result in damage to the Orbiter or present a hazard to the crew by direct or propagated effects. Bent pins or conductive contamination in an electrical connector will not be considered a credible failure mode if a postmate functional verification is performed to assure that shorts between adjacent connector pins or from pins to connector shell do not exist. If this test cannot be performed, then the electrical design must insure that any pin if bent prior to or during connector mating cannot invalidate more than one inhibit and that conductive contamination is precluded by proper inspection procedures.
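The "cannot invalidate more than one inhibit" condition is normally shown with a bent-pin analysis of the connector pinout. The following is an added Python example, not part of NSTS 1700.7B or of any NASA tool; the pin layouts, the DEPLOY function and its INH-1/INH-2/INH-3 names, and the one-pitch reach assumption are all constructed for illustration.

```python
"""Bent-pin check for inhibit independence (added example, not NSTS 1700.7B text)."""
import math
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple

# Assumption: a bent contact can touch any neighbour within about one pin
# pitch. Tighten or loosen this for the connector family actually used.
PITCH_REACH = 1.05


@dataclass(frozen=True)
class Pin:
    name: str
    x: float                       # contact centre in pin-pitch units (constructed)
    y: float
    hazard: Optional[str] = None   # hazardous function the inhibit belongs to
    inhibit: Optional[str] = None  # inhibit identifier; None for spares, returns, data


# (pin, pin, hazard, the two inhibits defeated by one pin-to-pin short)
Finding = Tuple[str, str, str, Tuple[str, str]]


def can_short(p: Pin, q: Pin, reach: float = PITCH_REACH) -> bool:
    """Single pin-to-pin short model: p bent into q, or q bent into p.

    Pin-to-shell contact is deliberately not modelled: it can only defeat
    the one inhibit carried on that pin, so it never removes more than one.
    """
    return math.dist((p.x, p.y), (q.x, q.y)) <= reach


def bent_pin_findings(pins: List[Pin], reach: float = PITCH_REACH) -> List[Finding]:
    """List every pin pair whose short would remove two different inhibits
    of the same hazardous function, i.e. the condition 213.1 says a design
    must preclude when the postmate short test cannot be run."""
    findings: List[Finding] = []
    for p, q in combinations(pins, 2):
        if not (p.inhibit and q.inhibit):
            continue                 # at most one inhibit on this pair
        if p.hazard != q.hazard or p.inhibit == q.inhibit:
            continue                 # different hazards, or one inhibit twice
        if can_short(p, q, reach):
            lo, hi = sorted((p.inhibit, q.inhibit))
            findings.append((p.name, q.name, p.hazard, (lo, hi)))
    return findings


def layout_is_acceptable(pins: List[Pin], reach: float = PITCH_REACH) -> bool:
    return not bent_pin_findings(pins, reach)


# Constructed single-row layouts for a deploy function guarded by three inhibits.
BAD_LAYOUT = [
    Pin("A1", 0, 0, "DEPLOY", "INH-1"),
    Pin("A2", 1, 0, "DEPLOY", "INH-2"),   # one pitch from INH-1: one bent pin defeats both
    Pin("A3", 2, 0),                      # spare
    Pin("A4", 3, 0, "DEPLOY", "INH-3"),
]

GOOD_LAYOUT = [
    Pin("A1", 0, 0, "DEPLOY", "INH-1"),
    Pin("A2", 1, 0),                      # spare keeps neighbouring inhibits two pitches apart
    Pin("A3", 2, 0, "DEPLOY", "INH-2"),
    Pin("A4", 3, 0),
    Pin("A5", 4, 0, "DEPLOY", "INH-3"),
]

# Separate rows look safe on a pin list, but staggered (hex-packed) contacts
# sit exactly one pitch apart diagonally, so the geometry has to be checked.
STAGGERED_LAYOUT = [
    Pin("A1", 0.0, 0.0, "DEPLOY", "INH-1"),
    Pin("B1", 0.5, math.sqrt(3) / 2, "DEPLOY", "INH-2"),
]


if __name__ == "__main__":
    for label, layout in (("bad", BAD_LAYOUT), ("good", GOOD_LAYOUT),
                          ("staggered", STAGGERED_LAYOUT)):
        for p, q, hazard, inhibits in bent_pin_findings(layout):
            print(f"{label}: bent pin {p}/{q} removes {inhibits} of {hazard}")
        print(f"{label}: acceptable={layout_is_acceptable(layout)}")
```

Adjacent inhibits belonging to different hazardous functions are not flagged, since one bent pin then removes only one inhibit of each function.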

213.2 Batteries. Batteries used on STS payloads shall be designed to control applicable hazards caused by buildup or venting of flammable, corrosive or toxic gasses and reaction products; the expulsion of electrolyte; and by failure modes of overtemperature, shorts, reverse current, cell reversal, leakage, cell grounds, and overpressure. Safety guidelines for STS payload batteries are contained in JSC 20793. Since lithium batteries have uniquely hazardous failure modes, their use is discouraged where the use of other types of cells is feasible. When lithium batteries are used, the NSTS will require extensive testing and analyses to demonstrate their safety under all applicable failure modes.

213.3 Lightning. Payload electrical circuits may be subjected to the electromagnetic fields described in NSTS 07700, Volume XIV, Attachment 1 (ICD-2-19001) due to a lightning strike to the launch pad. If circuit upset could result in a catastrophic hazard to the STS, the circuit design shall be hardened against the environment or insensitive devices (relays) shall be added to control the hazard.

214 VERIFICATION

Test, analysis, and inspection are common techniques for verification of design features used to control potential hazards. The successful completion of the safety process will require positive feedback of completion results for all verification items associated with a given hazard. Reporting of results by procedure/report number and date is required.

214.1 Mandatory Inspection Points (MIP's). When procedures and/or processes are critical steps in controlling a hazard and the procedure and/or process results will not be independently verified by subsequent test or inspection, it will be necessary to insure the procedure/process is independently verified in real-time. Critical procedure/process steps must be identified in the appropriate hazard report as MIP's requiring independent observation.

214.2 Verification Tracking Log. A payload safety verification tracking log (see NSTS/ISS 13830) is required to properly status the completion steps associated with hazard report verification items.

215 HAZARDOUS OPERATIONS

215.1 Hazard Identification. The payload organization shall assess all payload flight and ground operations and determine their hazard potential to the STS. The hazardous operations identified shall be assessed in the applicable flight or ground safety assessment report.

215.2 Exposure to Risk. STS exposure to increased risk as a result of ground or flight operations shall be minimized. Those ground operations (e.g., arm plug installation in a payload pyrotechnic system, final ordnance connection, radioisotope thermoelectric generator (RTG) installation, etc.) which place the payload in a configuration of increased hazard potential shall be accomplished as late as practicable during the payload processing flow at the launch site.

215.3 Access. Payloads shall be designed such that any required access to hardware during flight or ground operations can be accomplished with minimum risk to personnel.

216 SERIES PAYLOADS AND REFLOWN HARDWARE

"Reflown hardware" are payloads or elements of payloads which are made up of hardware items that have already physically flown on the STS and are being manifested for reflight. "Series payloads" are payloads or elements of payloads which are of the same or similar design to previously flown STS payloads.

216.1 Recertification of Safety. Series payloads and reflown hardware must be recertified safe and must meet all the safety requirements of this document. Caution should be exercised in the use of previous safety verification data for the new usage.

216.2 Previous Mission Safety Deficiencies. All anomalies during the previous payload missions must be assessed for safety impact. Those anomalies affecting safety critical systems must be reported and corrected. Rationale supporting continued use of the affected design, operations or hardware must be provided for NSTS approval.

216.3 Limited Life Items. All safety critical age sensitive equipment must be refurbished or replaced to meet the requirements of the new STS mission.

216.4 Refurbishment. Safety impact of any changes, maintenance or refurbishment made to the hardware or operating procedures must be assessed and reported in the safety assessment reviews (paragraph 304). Hardware changes include changes in the design of the payload, changes of the materials of construction, changes in sample materials that may be processed by the payload, etc.

216.5 Safety Waivers and Deviations. The acceptance rationale for all deviations from the previous flight must be revalidated by the payload organization. Waivered conditions from the previous STS flight must be corrected.

217 EXTRAVEHICULAR ACTIVITY (EVA)

All payload requirements for EVA must be defined and documented in the PIP. Any agreed to EVA task used to satisfy the failure tolerance criteria of this document can be used only as a third level of protection to safe a payload. Payload organizations which plan to use crew EVA for mission enhancement, mission success, or safety critical payload operations will comply with the requirements of NSTS 07700, Volume XIV, Appendix 7. Any payload outside the crew habitable area within 24 inches of the SSP Orbiter sills or airlock hatch, and/or within any 48-inch worksite envelopes must meet EVA crewmember contact hazard requirements in NSTS 07700, Volume XIV, Appendix 7, for inadvertent contact, and the payload organization must document the associated hazards. Furthermore, all other payloads outside the crew habitable area must be assessed for compliance with EVA crewmember contact hazard requirements in NSTS 07700, Volume XIV, Appendix 7, for inadvertent contact, and the payload organization must document the associated hazards.

218 PAYLOAD COMMANDING

All hazardous commands that can be sent to the payload shall be identified. Hazardous commands are those that can remove an inhibit to a hazardous function or activate an unpowered hazardous payload system. Failure modes associated with payload flight and ground operations including hardware, software, and procedures used in commanding from payload operations control centers (POCC's) and other ground equipment must be considered in the safety assessment to determine compliance with the requirements of paragraphs 200.1, 201, and 202. NSTS 19943 treats the subject of hazardous commanding and presents the guidelines by which it will be assessed.

219 FLAMMABLE ATMOSPHERES

During Orbiter entry, landing, and postlanding operations (whether planned or contingency), the normal payload functions shall not cause ignition of a flammable payload bay atmosphere that may result from leakage or ingestion of fluids into the payload bay.

220 CREW HABITABLE PAYLOADS

This paragraph establishes additional safety requirements applicable to NSTS crew habitable payloads. A crew habitable payload is defined as a space capsule (spacecraft or module) which when docked or mated with the Orbiter and provided with atmospheric support from Orbiter systems, is capable of supporting intravehicular activity (IVA) in a shirt sleeve environment for a limited period of time. The crew habitable payload may either be an orbiting capsule visited by the Orbiter or a capsule launched and returned within the Orbiter cargo bay.

220.1 Atmosphere.

220.1a Verification of Habitability.

220.1a(1) Offgassing. The payload design shall assure the offgassing load to the internal manned compartment will not exceed the spacecraft maximum allowable concentrations (SMAC's) of atmospheric contaminants specified in JSC 20584 at the time of ingress. All crew habitable payload hardware will be tested for offgassing characteristics according to NASA-STD-6001 as required by paragraph 209.3 of this document and will include measurement of the internal atmosphere of a full scale, flight configured payload as a final verification of acceptability. Time periods prior to crew ingress during which the payload does not have active atmospheric contamination control must be considered.

220.1a(2) Verification for Revisit Missions. Payloads that remain in orbit for extended periods must ensure that the manned compartment is environmentally safe prior to crew ingress during any revisit. Additionally, provisions for sampling of the representative payload internal atmosphere prior to crew ingress shall be provided. Post flight ground analysis of this sample by the NSTS is required prior to the next revisit to determine any unusual gas buildup and the need to define toxic gas detection requirements prior to the subsequent revisit missions.

220.1a(3) Experiment Leakage. Experiments conducted during manned operations must meet the containment requirements of paragraph 209.1b. Experiment configurations during unmanned operations are not restricted; however, the manned compartment must be environmentally safe for crew ingress during any revisit. Safe conditions for entry may be established by review of the containment design features, proof of adequate atmospheric scrubbing for the chemical involved, vacuum evacuation, use of payload provided equipment capable of detecting toxic chemicals prior to crew exposure, or other techniques suitable for the particular experiment involved.

220.1b Internal Environment. A safe and habitable internal environment shall be provided within the payload throughout all manned operational phases. The payload system shall provide proper mixing and circulation of the atmosphere to assure adequate atmosphere revitalization by the Orbiter Environmental Control and Life Support Subsystem (ECLSS) and distribution throughout the payload.

220.1c Cross Contamination. The payload shall be designed so as not to create a contamination hazard in the atmosphere being shared with the Orbiter. The payload shall provide a scrubber and filter system with sufficient capacity to cleanse the payload internal atmosphere of the expected vapor and particulate contamination load. SMAC's of atmospheric contaminants are specified in JSC 20584. The scrubber and filter system shall be capable of being activated prior to crew ingress into the payload.

220.1d Evacuation. The capability to isolate the payload from the Orbiter and non-propulsively vent the payload internal atmosphere shall be provided. The activation of the vent system shall be available to the crew in the Orbiter whenever the payload is attached to the Orbiter.

220.2 Habitability. The habitability of the payload directly affects the crewmember's ability to perform efficiently and safely. Payload design features related to habitability shall be compatible with and equivalent to those provided by the Orbiter. NASA-STD-3000 defines guidelines for the design of crew-related systems. NASA-STD-3000 does not represent requirements imposed by NASA on manned payloads, but rather, is provided to assist payload organizations in identifying desirable habitability subsystem design goals. Specific agreements on habitability design will be developed in the payload integration process. However, if payload environment is jeopardizing crew safety (e.g., affecting crew health, inducing fatigue to the point that safety critical tasks could be affected, interfering with voice communication, etc.), the crew will egress and isolate the payload atmosphere from the Orbiter.

220.2a Acoustic Noise. Paragraph deleted

220.2b Ionizing Radiation. The payload shall include the radiation protection features/mass shielding required to insure that the crewmember dose rates from naturally occurring space radiation are kept as low as reasonably achievable (ALARA). Exposure levels shall not exceed the limits defined in Figure 5.7.2.2.1-2 of NASA-STD-3000.

220.2c Mechanical Hazards. Payload and equipment design shall protect crewmembers from sharp edges, protrusions, etc. during all crew operations. Translation paths and adjacent equipment shall be designed to minimize the possibility of entanglement or injury to crewmembers.

220.2d Thermal Hazards. During normal operations, crewmembers shall not be exposed to high or low surface temperature extremes. Protection shall be provided against continuous skin contact with surfaces above 45 degrees Centigrade (113 degrees Fahrenheit) or below 4 degrees Centigrade (39 degrees Fahrenheit). Safeguards such as warning labels, protective devices or special design features to protect the crew from surface temperatures outside these safe limits, shall be provided for both nominal and contingency operations.

220.2e Electrical Hazards. Grounding, bonding, and insulation shall be provided for all electrical equipment to protect the crew from electric shock during nominal and contingency operational phases while the crew is in the payload.

220.2f Lighting. The lighting illumination level provided throughout the payload shall permit planned crew activities without injury. A backup/secondary lighting system shall be provided consistent with emergency egress requirements or in case of failure of the primary lighting system.

220.3 Fire Protection. A fire protection system comprised of fire detection, warning, and Halon 1301 or equivalent suppression devices shall be provided in the payload. The fire protection system shall encompass both hardware and crew procedures for adequate control of the fire hazard within the cabin volume as well as within equipment racks within the pressurized hull. The fire protection system shall incorporate test and checkout capabilities such that the operational readiness of the entire system can be verified by the crewmembers. The fire protection system shall have redundant electrical power sources and shall incorporate redundant detection and warning capability and redundant activation of suppressant devices. Fire detection annunciation and control of the payload fire protection system shall be provided to the crew in both the Orbiter and payload during all Orbiter/payload attached mission phases.

220.4 Emergency Safing.

220.4a Crew Egress. The payload design shall be compatible with emergency safing and rapid crew escape. Crewmembers shall be provided with clearly defined escape routes for emergency egress in the event of a hazardous condition. Where practical, dual escape routes from all activity areas shall be provided. Payload equipment location shall provide for protection of compartment entry/exit paths in the event of an accident. Routing of hardlines, cables, or hoses through a tunnel or hatch which could hinder crew escape or interfere with hatch operation for emergency egress is not permitted. Payload hatches which could impede crew escape must remain open during all crew operations.

220.4b Electrical System. The payload electrical power distribution system shall have the capability to remove all electrical power from the payload including termination of power from both the payload and Orbiter sources. This capability shall be available to the crew in both the payload and the Orbiter. Separate safing systems, however, shall be used for nominal payload functions and for essential/emergency functions (e.g., the fire protection, caution and warning, and emergency lighting, etc.). Essential/emergency functions shall be powered from a dedicated electrical power bus with redundant power sources.

220.5 Hatches. A hatch shall be provided to isolate the payload from the Orbiter cabin. Payload hatch design shall be compatible with emergency crew egress. Payloads shall provide a capability to allow a visual inspection of the interior of the payload prior to hatch opening and crew ingress. All operable hatches that could close and latch inadvertently, thereby blocking an escape route, shall have a redundant (backup) opening mechanism and shall be capable of being operated from both sides. External pressure hatches shall be self-sealing. Hatches shall have a pressure difference indicator clearly visible to the crewmember operating the hatch and a pressure equalization device. All hatches shall nominally be operable without detachable tools or operating devices and shall be designed to prevent inadvertent opening prior to complete pressure equalization. The payload/Orbiter interface shall provide for Orbiter crew EVA access to the payload bay while the payload is attached to the Orbiter.

220.6 Caution and Warning. The payload shall incorporate a caution and warning system. All crew safety caution and warning parameters shall be redundantly monitored and shall cause annunciation in both the Orbiter and payload. As a minimum, payload total pressure, cabin fan differential pressure, fire detection, oxygen partial pressure and carbon dioxide partial pressure shall be monitored. The status of all monitored parameters shall be available to the crew in the Orbiter prior to entry into the payload. The caution and warning system shall include test provisions to allow the payload crewmembers to verify proper operation of the system. The payload provided alert system shall be consistent with Orbiter annunciation practices.

220.7 Windows.

220.7a Structural Design. Windows shall be provided in the payload only when necessary for essential mission operation, and all assemblies shall provide a redundant pressure pane. The pressure panes shall be protected from damage by external impact. The structural design of window panes in the pressure hull shall provide a minimum initial ultimate factor of safety of 3.0 and an end-of-life minimum factor of safety of 1.4. Window design shall be based on fracture mechanics considering flaw growth over the design life of the payload.

220.7b Transmissivity. The transmissivity of payload windows shall be based on protection of the crew from exposure to excess levels of naturally occurring nonionizing radiation. Exposure of the skin and eyes of crewmembers to nonionizing radiation shall not exceed the threshold limit values (TLV's) set and proposed by the American Conference of Governmental Industrial Hygienists (ACGIH) as specified in "Threshold Limit Values and Biological Exposure Indices for 1987-1988" or its subsequent revisions. Window design shall be coordinated with other shielding protection design to comply with the ionizing radiation limits specified in paragraph 220.2b.

220.8 Communications. Voice communications, compatible with the Orbiter communications system, shall be provided between the Orbiter crew and payload crewmembers during all manned operations.

220.9 Pressure Hull. The design of the manned pressure compartment shall comply with the structural design requirements of paragraphs 208.1 and 208.2. The hull maximum design pressure (MDP) shall be determined as defined in paragraph 208.4. The ultimate factor of safety of hull design shall be equal to or greater than 2.0 for both the MDP and the maximum negative pressure differential the hull may be subjected to during normal and contingency operations or as the result of two credible failures. The pressure hull shall be designed to leak-before-burst criteria. Structural verification shall be in accordance with NSTS 14046.

CHAPTER 3: SYSTEM PROGRAM REQUIREMENTS

300 GENERAL

The following requirements are applicable to all payloads.

301 SAFETY ANALYSIS

A safety analysis shall be performed in a systematic manner on each payload, its GSE, related software, and ground and flight operations to identify hazardous subsystems and functions. The safety analysis shall be initiated early in the design phase and shall be kept current throughout the development phase. A safety assessment report which documents the results of this analysis, including hazard identification, classification, and resolution, and a record of all safety-related failures, shall be prepared, maintained, and submitted in support of the safety assessment reviews conducted by the NSTS in accordance with paragraph 304. Detailed instructions for the safety analysis and safety assessment reports are provided in NSTS/ISS 13830.

302 HAZARD LEVELS

Hazards are classified according to potential as follows:

302.1 Critical Hazard. Can result in damage to STS equipment, a nondisabling personnel injury or the use of unscheduled safing procedures that affect operations of the Orbiter or another payload.

302.2 Catastrophic Hazard. Can result in the potential for a disabling or fatal personnel injury, loss of the Orbiter, ground facilities or STS equipment.

303 HAZARD REDUCTION

Action for reducing hazards shall be conducted in the following order of precedence:

303.1 Design for Minimum Hazard. The major goal throughout the design phase shall be to insure inherent safety through the selection of appropriate design features. Damage control, containment, and isolation of potential hazards shall be included in design considerations.

303.2 Safety Devices. Hazards which cannot be eliminated through design selection shall be reduced and made controllable through the use of automatic safety devices as part of the system, subsystem, or equipment.

303.3 Warning Devices. When it is not practical to preclude the existence or occurrence of known hazards or to use automatic safety devices, devices shall be employed for the timely detection of the condition and the generation of an adequate warning signal, coupled with emergency controls of corrective action for operating personnel to safe or shut down the affected subsystem. Warning signals and their application shall be designed to minimize the probability of wrong signals or of improper reaction to the signal.

303.4 Special Procedures. Where it is not possible to reduce the magnitude of an existing or potential hazard through design or the use of safety and warning devices, special procedures shall be developed to counter hazardous conditions for enhancement of personnel safety.

304 SAFETY ASSESSMENT REVIEWS AND SAFETY CERTIFICATION

Safety assessment reviews will be conducted by the NSTS flight operator and the NSTS launch/landing site operator to determine compliance with the requirements of this document. An initial contact meeting will be held at the earliest appropriate time and will be followed by formal review meetings spaced throughout the development of the payload and its GSE. The depth, number, and scheduling of reviews will be negotiated with the payload organization and will be dependent on complexity, technical maturity, and hazard potential. The KSC and JSC phase III safety reviews and ground safety certification must be completed 30 days prior to delivery of the payload, ASE, and GSE to the launch site except as noted in NSTS/ISS 13830. The ground safety certification shall include statements that the payload GSE and ground operations are safe and in compliance with NSTS ground safety requirements and that open safety verification from the JSC safety reviews for payload design and flight operations will not affect safe ground operations. Rationale for acceptance of open flight verification (see paragraph 214.2) during ground operations must be submitted by the payload organization with the ground safety certification statement and approved by the NSTS launch/landing site operator prior to the start of ground processing. The flight safety certification shall be submitted at least 10 days prior to the Flight Readiness Review (FRR). The flight safety certification shall include statements that the payload design and flight operations are safe and are in compliance with the NSTS safety requirements of this document.

305 SAFETY COMPLIANCE DATA

Safety compliance data packages shall be prepared by the payload organization to support ground operations of the payload at the launch and landing sites and inflight operations of the payload with the STS.

305.1 For GSE and Ground Operations. The data listed below shall be submitted to the NSTS launch/landing site operator as part of the data package for the phase III ground safety review.

a. A payload safety verification tracking log.

b. A safety assessment report for GSE design and ground operations. See paragraph 301.

c. Approved waivers and deviations.

d. A log book maintained on each pressure vessel/system showing pressurization history, fluid exposure, and other pertinent data.

e. A summary and safety assessment of all safety-related failures or accidents applicable to payload processing, test, and checkout.

305.2 For Payload Design and Flight Operations. The data listed below shall be submitted to the NSTS flight operator as part of the data package for the phase III flight safety review.

a. A safety assessment report for payload design and flight operations. See paragraph 301.

b. A payload safety verification tracking log.

c. Approved waivers and deviations.

d. A summary and safety assessment of all safety-related failures and accidents applicable to payload processing, test, and checkout.

e. A list of all pyrotechnic initiators installed or to be installed on the payload, giving the function to be performed, the part number, the lot number, and the serial number. Submittal of this list may be delayed to be concurrent with the submittal of the flight safety certification statement.

305.3 Post-Phase III Compliance. When the flight certification statement of paragraph 304 is submitted, it shall be included with an updated payload safety verification tracking log that documents the closeout of all required safety verification. The verification tracking log and the certification statements must reflect the final configuration of the payload that includes all post phase III safety activity.

306 MISHAP/INCIDENT/MISSION FAILURES INVESTIGATION AND REPORTING

Mishap/incident/mission failures investigation and reporting for NASA equipment will be handled under the provisions of NASA Headquarters policy documents NPD 8621.1 and NPG 8621.1. NSTS 07700, Volume VIII, Appendix R contains additional provisions for payload mishaps/incidents that involve the Space Shuttle. For mishap/incident/mission failures involving non-DOD payloads occurring after delivery to NASA facilities, investigation and reporting will be in compliance with the above NASA documents. The payload organization and the individual payload element or experiment contractors will cooperate fully with the investigation and provide any records, data, and other administrative or technical support and services that may be deemed by the NSTS to be pertinent. For DOD payloads, the "Agreement Between the Department of Defense and the National Aeronautics and Space Administration for Joint Investigation of Aircraft or Space System Mishaps" will be the controlling document.

APPENDIX A: GLOSSARY OF TERMS

ADIABATIC COMPRESSION DETONATION. An observed phenomenon whereby the heat obtained by compressing the vapors from fluids (e.g., hydrazine) is sufficient to initiate a self-sustaining explosive decomposition. This compression may arise from advancing liquid columns in sealed spacecraft systems.

ASE. Airborne support equipment. The flight equipment and systems needed to support the payload such as data recording, control functions, instrumentation, and payload cradles.

CATASTROPHIC HAZARD. A hazard which can result in the potential for: a disabling or fatal personnel injury; or loss of the Orbiter, ground facilities or STS equipment.

CERTIFICATE OF SAFETY COMPLIANCE. (Appendix C, Figure 3). A formal written statement by the payload organization attesting that the payload is safe and that all safety requirements for this document have been met and, if not, what waivers and deviations are applicable.

CONTROL. A device or function that operates an inhibit is referred to as a control for an inhibit and does not satisfy inhibit requirements. The electrical devices that operate the flow control devices in a liquid propellant propulsion system are exceptions in that they are referred to as electrical inhibits.

CORRECTIVE ACTION. Action taken to preclude occurrence of an identified hazard or to prevent recurrence of a problem.

CREDIBLE. A condition that can occur and is reasonably likely to occur. For the purposes of this document, failures of structure, pressure vessels, and pressurized lines and fittings are not considered credible failure modes if those elements comply with the applicable requirements of this document.

CREDIBLE SINGLE BARRIER FAILURE. (Material/Fluid Compatibility). Potential leaks within a component that permit fluid to directly contact the materials behind the barrier or expose secondary compartments to system pressure conditions shall be considered in single barrier failure analysis (e.g., leaks from a fluid enclosure to an adjacent enclosure such as through mechanical joints, O-rings, gaskets, bladders, bellows, and diaphragms). Redundant seals in series which have been acceptance pressure tested individually prior to flight shall not be considered credible single barrier failures. Failures of structural parts such as pressure lines and tanks, and properly designed and tested welded or brazed joints are not considered single barrier failures. Metallic bellows and diaphragms designed for and tested to demonstrate sufficiently high margins can be considered for exclusion from the category of credible single barrier failure. In order to be classified as a noncredible failure, the item must be designed for a safety factor of 2.5 on the maximum design pressure, pass appropriate manufacturing inspections (such as dye penetrant, radiographic, and visual inspections) and leak checks, and be certified for all the operating environments including fatigue conditions.

CRITICAL HAZARD. A hazard which can result in damage to STS equipment, a nondisabling personnel injury, or the use of unscheduled safing procedures that affect operations of the Orbiter or another payload.

DEPLOYABLE PAYLOAD. A payload which is planned for release from the Orbiter.

DEVIATION. Granted use or acceptance for more than one mission of a payload aspect which does not meet the specified requirements. The intent of the requirement should be satisfied and a comparable or higher degree of safety should be achieved.

EMERGENCY. (Flight Personnel). Any condition which can result in flight personnel injury or threat to life and requires immediate corrective action, including predetermined flight personnel response.

EVA. Extravehicular activity by the flightcrew.

FACTOR OF SAFETY. The factor by which the limit load is multiplied to obtain the ultimate load. The limit load is the maximum anticipated load or combination of loads, which a structure may be expected to experience. Ultimate load is the load that a payload must be able to withstand without failure.

FAILURE. The inability of a system, subsystem, component or part to perform its required function under specified conditions for a specified duration.

FAILURE TOLERANCE. The number of failures which can occur in a system or subsystem without the occurrence of a hazard. Single failure tolerance would require a minimum of two failures for the hazard to occur. Two-failure tolerance would require a minimum of three failures for a hazard to occur.

FINAL SEPARATION. Final separation from the Orbiter is achieved when the last physical connection between the payload and the Orbiter and/or payload ASE is severed and the payload becomes a free-flying payload.

FLIGHTCREW. Any personnel onboard the Space Shuttle engaged in flying the Space Shuttle and/or managing resources onboard, e.g., commander, pilot, and mission specialist.

GPC. Orbiter's General Purpose Computer.

GSE. Ground support equipment.

GROUND CREW. With respect to inflight monitoring, the term includes any personnel supporting the payload officer from a console in the Mission Control Center (MCC), remote POCC, or other support area.

HAZARD. The presence of a potential risk situation caused by an unsafe act or condition. A condition or changing set of circumstances that presents a potential for adverse or harmful consequences; or the inherent characteristics of an activity, condition, or circumstance which can produce adverse or harmful consequences.

HAZARD DETECTION. An alarm system used to alert the crew to an actual or impending hazardous situation for which the crew is required to take corrective or protective action.

INDEPENDENT INHIBIT. Two or more inhibits are independent if no single credible failure, event or environment can eliminate more than one inhibit.

INHIBIT. A design feature that provides a physical interruption between an energy source and a function (e.g., a relay or transistor between a battery and a pyrotechnic initiator, a latch valve between a propellant tank and a thruster, etc.).
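The definitions of CONTROL, FAILURE TOLERANCE, INDEPENDENT INHIBIT and INHIBIT above combine into a check that a reviewer can run mechanically: list every credible failure, event or environment together with the inhibits it would eliminate, flag any single entry that removes more than one inhibit (the independence test), and count the smallest set of entries that removes every inhibit (one more than the failure tolerance). The following Python is an added example written for this page, not NASA tooling or anything from NSTS 1700.7B; the pyrotechnic firing circuit, its inhibit names and its failure causes are constructed for illustration.

```python
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Optional

# Constructed model (not NASA tooling). An inhibit is a physical interruption
# between an energy source and a hazardous function. Each credible failure,
# event or environment is recorded with the set of inhibits it eliminates.
# A device that merely operates an inhibit is a control, not an inhibit, so it
# never appears in the inhibit set; a failed or mis-commanded control shows up
# only as a failure cause that removes the inhibit it drives.
Design = Dict[str, FrozenSet[str]]  # failure cause -> inhibits eliminated


def independence_violations(design: Design) -> List[str]:
    """Single credible failures that eliminate more than one inhibit.
    An empty list means the inhibits are independent per the glossary."""
    return sorted(cause for cause, lost in design.items() if len(lost) > 1)


def min_failures_to_hazard(inhibits: Iterable[str], design: Design) -> Optional[int]:
    """Smallest number of listed failures whose combined effect removes every
    inhibit (a minimum hitting set found by exhaustive search, adequate for the
    handful of inhibits in one hazard control chain). Returns None when no
    combination of the listed failures reaches the hazard."""
    required = frozenset(inhibits)
    causes = list(design)
    for k in range(1, len(causes) + 1):
        for combo in combinations(causes, k):
            eliminated = frozenset().union(*(design[c] for c in combo))
            if required <= eliminated:
                return k
    return None


def failure_tolerance(inhibits: Iterable[str], design: Design) -> Optional[int]:
    """Failures that can occur without a hazard: one fewer than the minimum
    needed to reach it (single failure tolerance needs two failures,
    two-failure tolerance needs three)."""
    n = min_failures_to_hazard(inhibits, design)
    return None if n is None else n - 1


# Constructed example: a pyrotechnic firing circuit with three inhibits in
# series between the battery and the initiator, an ARM relay, a FIRE relay and
# a FIRE transistor switch.
PYRO_INHIBITS = frozenset({"K1 arm relay", "K2 fire relay", "Q1 fire switch"})

# Each relay and the switch is driven by its own circuit.
INDEPENDENT_DESIGN: Design = {
    "K1 contacts weld closed": frozenset({"K1 arm relay"}),
    "K2 contacts weld closed": frozenset({"K2 fire relay"}),
    "Q1 fails shorted": frozenset({"Q1 fire switch"}),
    # Control error: an erroneous ARM command removes one inhibit only.
    "erroneous ARM command": frozenset({"K1 arm relay"}),
}

# Same hardware, but one controller drives both relay coils, so a single
# controller fault can assert both outputs and eliminate two inhibits at once.
SHARED_CONTROLLER_DESIGN: Design = dict(INDEPENDENT_DESIGN)
SHARED_CONTROLLER_DESIGN["controller fault asserts all outputs"] = frozenset(
    {"K1 arm relay", "K2 fire relay"}
)


if __name__ == "__main__":
    for label, design in (("independent", INDEPENDENT_DESIGN),
                          ("shared controller", SHARED_CONTROLLER_DESIGN)):
        print(label, "| independence violations:", independence_violations(design),
              "| failure tolerance:", failure_tolerance(PYRO_INHIBITS, design))
```

Running it shows why the independence definition matters: the two designs have identical inhibit hardware, but the shared controller drops the failure tolerance from two to one, because the controller fault plus a shorted Q1 is already enough to fire the initiator.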

JSC. Johnson Space Center, NASA, Houston, Texas.

KSC. Kennedy Space Center, NASA, Florida.

MANNED PRESSURIZED VOLUME. Any module in which a person can enter and perform activities in a shirt-sleeve environment.

MISHAP/INCIDENT. An unplanned event which results in personnel fatality or injury; damage to or loss of the STS, environment, public property or private property; or could result in an unsafe situation or operational mode. A mishap refers to a major event, whereas an incident is a minor event or episode that could lead to a mishap.

MCC. Mission Control Center.

MONITOR. Ascertain the safety status of payload functions, devices, inhibits, or parameters.

NONCOMPLIANCE REPORT. A report documenting a condition in which a requirement cannot be met. It is the report used to request a waiver or deviation. See NSTS/ISS 13830 and Appendix C, Figure 2.

NORMAL STS MISSION PHASES. All portions of the mission to be performed by the STS, excluding STS abort and emergency landing.

NSI. NASA standard initiator (pyrotechnic). The NSI is provided to the payload customer by NASA.

OFFGASSING. The emanation of volatile matter of any kind from materials into habitable areas.

OPERATOR ERROR. Any inadvertent payload operation by either flight personnel or the ground crew that affects either the Orbiter or a payload.

PAYLOAD. Any equipment or material carried by the STS that is not considered part of the basic STS itself. It, therefore, includes items such as free-flying automated spacecraft, individual experiments or instruments, and ASE. As used in this document, the term payload also includes payload-provided GSE and systems and flight and ground systems software.

PAYLOAD ELEMENTS. Experiments, instruments or other individual payload items which are subsets of an integrated, multipayload cargo complement on missions such as Spacelab, Long Duration Exposure Facility, etc.

PAYLOAD ORGANIZATION. The funding or sponsoring organization for the experiment, payload or mission. This does not mean the principal investigator, payload contractor, designer or developer except to the extent delegated by the sponsoring organization. For NASA payloads, a NASA Headquarters payload program office is the sponsoring organization and usually delegates to a NASA field installation the authority for formal interface with the NSTS in implementation of this document. Other payload organizations include, but are not limited to, the following: DOD, other U.S. Government agencies, non-U.S. Government public organizations, private persons or private organizations, international organizations, European Space Agency, and foreign governments.

PERSONNEL INJURY. With respect to catastrophic hazard levels for STS payloads, personnel injury will be limited to loss of life or major injury which can lead to either temporary or permanent incapacitation of the crew (e.g., bone fractures, second or third degree burns, severe lacerations, internal injury, severe (greater than 1 Gy) radiation exposure, and unconsciousness). Other personnel injuries are related to a critical hazard level provided the injury does not impact the flightcrew's capability to accomplish safety critical tasks.

POCC. Payload Operations Control Center.

PRESSURE VESSEL. A container designed primarily for pressurized storage of gases or liquids and: (1) contains stored energy of 14,240 foot-pounds (0.01 pounds trinitrotoluene (TNT) equivalent) or greater based on adiabatic expansion of a perfect gas; or (2) will experience a design limit pressure greater than 100 pounds per square inch absolute (psia); or (3) contains a fluid in excess of 15 psia which will create a hazard if released.

RF. Radio frequency.

SAFE. A general term denoting an acceptable level of risk, relative freedom from, and low probability of: personal injury; fatality; damage to property; or loss of the function of critical equipment.

SAFETY ANALYSIS. The technique used to systematically identify, evaluate, and resolve hazards.

SAFETY CRITICAL. Containing an element of risk. Necessary to prevent a hazard.

SAFING. Actions which eliminate or control hazards.

SEALED CONTAINER. A housing or enclosure designed to retain its internal atmosphere and which does not meet the pressure vessel definition (e.g., an electronics housing).
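The PRESSURE VESSEL and SEALED CONTAINER definitions above are a three-criterion test, and which criterion trips decides whether a container is reviewed under the pressure vessel requirements or as a sealed container. The Python below is an added example for this page, not NASA's method or any tool from NSTS 1700.7B. The thresholds are the document's own; the stored-energy formula is an assumption the page does not state (the isentropic expansion work of a perfect gas from the design limit pressure to sea-level ambient), and the three containers are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict

# Thresholds taken from the glossary definition of PRESSURE VESSEL.
ENERGY_THRESHOLD_FT_LBF = 14_240            # 0.01 lb TNT equivalent
DESIGN_LIMIT_PRESSURE_THRESHOLD_PSIA = 100.0
HAZARDOUS_FLUID_PRESSURE_THRESHOLD_PSIA = 15.0

# Assumption (not stated on the page): stored energy is the isentropic
# expansion work of a perfect gas from the design limit pressure P1 to ambient
# Pa,  E = P1*V/(gamma-1) * (1 - (Pa/P1)**((gamma-1)/gamma)),
# with pressures in lbf/ft^2 and volume in ft^3 so that E is in ft-lbf.
AMBIENT_PSIA = 14.7
PSI_TO_LBF_PER_FT2 = 144.0


def adiabatic_stored_energy_ft_lbf(pressure_psia: float, volume_ft3: float,
                                   gamma: float, ambient_psia: float = AMBIENT_PSIA) -> float:
    """Expansion energy of the gas volume; zero if the container is at or below ambient."""
    if pressure_psia <= ambient_psia:
        return 0.0
    p1 = pressure_psia * PSI_TO_LBF_PER_FT2
    exponent = (gamma - 1.0) / gamma
    return p1 * volume_ft3 / (gamma - 1.0) * (1.0 - (ambient_psia / pressure_psia) ** exponent)


@dataclass(frozen=True)
class Container:
    name: str
    design_limit_pressure_psia: float
    gas_volume_ft3: float                 # gas volume (ullage for a liquid tank)
    gamma: float                          # ratio of specific heats of the gas
    fluid_hazardous_if_released: bool
    retains_internal_atmosphere: bool = True


def classify(c: Container) -> Dict[str, object]:
    """Apply the three PRESSURE VESSEL criteria; fall back to SEALED CONTAINER
    when none applies and the housing is designed to retain its atmosphere."""
    energy = adiabatic_stored_energy_ft_lbf(c.design_limit_pressure_psia, c.gas_volume_ft3, c.gamma)
    criteria = {
        "stored_energy": energy >= ENERGY_THRESHOLD_FT_LBF,
        "design_limit_pressure": c.design_limit_pressure_psia > DESIGN_LIMIT_PRESSURE_THRESHOLD_PSIA,
        "hazardous_fluid": (c.fluid_hazardous_if_released
                            and c.design_limit_pressure_psia > HAZARDOUS_FLUID_PRESSURE_THRESHOLD_PSIA),
    }
    if any(criteria.values()):
        category = "pressure vessel"
    elif c.retains_internal_atmosphere:
        category = "sealed container"
    else:
        category = "neither"
    return {"name": c.name, "stored_energy_ft_lbf": energy,
            "criteria": criteria, "category": category}


# Constructed containers (illustrative values, not any real payload).
GN2_TANK = Container("GN2 pressurant tank", 3000.0, 1.0, 1.40, False)
AVIONICS_BOX = Container("sealed avionics box", 16.0, 0.5, 1.40, False)
# Hydrazine tank at low pressure with a small ullage: below the energy and
# pressure thresholds, but the fluid is hazardous and above 15 psia.
HYDRAZINE_TANK = Container("hydrazine tank", 20.0, 0.1, 1.40, True)


if __name__ == "__main__":
    for c in (GN2_TANK, AVIONICS_BOX, HYDRAZINE_TANK):
        r = classify(c)
        print(f"{r['name']}: {r['stored_energy_ft_lbf']:.0f} ft-lbf, {r['criteria']}, -> {r['category']}")
```

The third container is the case worth noticing: its stored energy and pressure are both far below the numeric thresholds, yet it is a pressure vessel under criterion (3) alone, so a classifier that looks only at pressure would route it to the wrong review.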

SPACE SHUTTLE. The Orbiter, solid rocket boosters and external tank.

STRUCTURE. Any assemblage of materials which is intended to sustain mechanical loads.

STS ABORT. An abort of the STS mission wherein flight personnel, payload, and vehicle are returned to a landing site.

WAIVER. Granted use or acceptance of a payload aspect which does not meet the specified requirements; a waiver is given or authorized for one mission only. Safety waivers could include acceptance of increased risk.

APPENDIX B: APPLICABLE DOCUMENTS

Except as noted below, the latest revision of the following documents forms a part of this document to the extent specified herein. In the event of conflict between the reference documents and the contents of this document, the contents of this document will be considered superseding requirements. These documents can be accessed through the Johnson Space Center Payload Safety website: http://jsc-web-pub.jsc.nasa.gov/psrp/.

DOCUMENT NUMBERS AND TITLES, WITH THE PARAGRAPHS OF THIS DOCUMENT IN WHICH THEY ARE REFERENCED

SAMTO HB S-100/KHB 1700.7, Space Transportation System Payload Ground Safety Handbook. Referenced in paragraph 101.1.

NSTS/ISS 13830, Payload Safety Review and Data Submittal Requirements. Referenced in paragraphs 103.1, 200, 200.2, 208.4, 210.2, 212.1, 214.2, 301, 304.

NSTS 18798, Interpretations of NSTS/ISS Payload Safety Requirements. Referenced in paragraph 103.2.

NSTS 16979, Part 1, Shuttle Orbiter Failure Modes and Fault Tolerances for Interface Services; Part 2, Failure Modes and Fault Tolerances for STS Payload Optional Service Kit Hardware. Referenced in paragraph 200.4.

MIL-STD-1576, July 31, 1984, Electroexplosive Subsystem Safety Requirements and Test Methods for Space Systems. Referenced in paragraphs 202.1, 210, 210.1.

Item deleted.

NASA-STD-6001, Flammability, Odor, Offgassing, and Compatibility Requirements and Test Procedures for Materials in Environments that Support Combustion (formerly NHB 8060.1C). Referenced in paragraphs 202.2c, 209.1a, 209.2, 209.2a, 209.2b, 209.3, 220.1a(1).

NSTS 07700, Volume XIV, Attachment 1 (ICD 2-19001), Shuttle Orbiter/Cargo Standard Interfaces. Referenced in paragraphs 202.5, 213.3, 220.1b, 220.2a.

NSTS 14046, Payload Verification Requirements. Referenced in paragraphs 208.1, 208.4, 220.9.

NASA-STD-5003, Fracture Control Requirements for Payloads Using the Space Shuttle. Referenced in paragraph 208.1.

MSFC-SPEC-522, Revision B, Design Criteria for Controlling Stress Corrosion Cracking. Referenced in paragraph 208.3.

MSFC-HDBK-527/JSC 09604, Materials Selection List for Space Hardware Systems. Referenced in paragraphs 208.3, 209, 209.3.

MIL-STD-1522, Revision A, including changes as of December 1984, Standard General Requirement for Safe Design and Operation of Pressurized Missile and Space Systems. Referenced in paragraph 208.4.

JSC 27472, Requirements for Submission of Data Needed for Toxicological Assessment of Chemicals and Biologicals to be Flown on Manned Spacecraft. Referenced in paragraph 209.1.

NSTS 22648, Flammability Configuration Analysis for Spacecraft Systems. Referenced in paragraph 209.2.

NSTS 08060, Space Shuttle System Pyrotechnic Specification. Referenced in paragraph 210.2.

JSC 20793, Manned Space Vehicle, Battery Safety Handbook. Referenced in paragraph 212.2.

ANSI-Z-136.1, American National Standard for Safe Use of Lasers. Referenced in paragraph 212.3.

NSTS 07700, Volume XIV, Appendix 7, System Description and Design Data - Extravehicular Activities. Referenced in paragraph 217.

NSTS 19943, Command Guidelines for STS Customers. Referenced in paragraph 218.

JSC 20584, Listing of Spacecraft Maximum Allowable Trace Gas Concentrations. Referenced in paragraphs 220.1a, 220.1c.

NASA-STD-3000, Volume 1, Man-Systems Integration Standards. Referenced in paragraphs 220.2, 220.2b.

American Conference of Governmental Industrial Hygienists (ACGIH), "Threshold Limit Values and Biological Exposure Indices for 1987-1988." Referenced in paragraphs 220.7b, 212.4.

NPD 8621.1, NASA Mishap Reporting and Investigating Policy. Referenced in paragraph 306.

NPG 8621.1, NASA Procedures and Guidelines for Mishap Reporting, Investigating, and Record Keeping. Referenced in paragraph 306.

NSTS 07700, Volume VIII, Appendix R, Space Shuttle Program Contingency Action Plan. Referenced in paragraph 306.

Agreement Between the Department of Defense and the National Aeronautics and Space Administration for Joint Investigation of Aircraft or Space System Mishaps. Referenced in paragraph 306.

APPENDIX C: FIGURES

Figure 1.- Safe distance for firing liquid propulsion thrusters.

Figure 2.- Payload Safety Noncompliance Report.

Figure 3.- Certificate of NSTS Payload Safety Compliance.