Abstract
The transportation capabilities for human-rating space exploration missions are emerging. Safety is a major argument on which the agencies commit to ensure the crew a safe journey and return to Earth. Securing mission success requires a regulated safety assessment process. Space safety regulations and standards already exist in agencies and institutions, but they do not represent a common vision, committed to and shared internationally. That is why the elaboration of a safety standard for human-rating space exploration needs to benefit from existing safety standards approved worldwide. The standardized process for civil airborne systems is the world's most severe civil aviation standard, enriched by decades of maturation and improvement. It can be extended to space exploration in terms of the set of methods for conducting a safety assessment process. In this frame, it represents the common safety orientations to be targeted by the space agencies toward the incredible evolution of the concept of safety for mission success.
Introduction
The architecture of the Mars exploration mission pursues 2 objectives: one is minimizing the mass to send beyond low Earth orbit, the other is ensuring safety during each step of the mission (launch, journey, approach on Mars orbit, entry, descent and landing, and return, including takeoff, ascent, extraction from orbit, journey, re-entry, and landing). The challenge of this 2-year mission is to bring the failure probability down to an acceptable level, in particular for the critical functions that have catastrophic failure conditions leading to loss of crew/loss of mission (LOM). At the same time, this should be done without adding complexity to the overall design in a way that compromises the design (e.g., the systems have to be repairable by the crew).
Finding an international consensus on how to define the adequate safety requirements and methods of assessment and then reach the mission objectives is crucial because the space exploration endeavor is based on an international interest and collaboration. For this reason, space safety rules defined through a common long-term safety assessment process need to be globally shared and standardized.[1]
Space exploration could benefit from the civil airborne process—the most severe, mature standard accepted worldwide—in order for the space agencies to reach an international consensus on a space exploration safety standard.[1] This article intends to compare the safety implementation of these 2 aerospace processes and evaluate the synergies that can easily be extended from aviation to space exploration to reach an international consensus as a first step for the elaboration of a dedicated global safety standard applied to space transportation capabilities.
The sections present the following:
• The evolutions of the space safety standards, to analyze the relevant procedures and requirements useful to mitigate the hazards inherent to human-rating space exploration missions.
• The assessment of the synergies between the international civil airborne standards and the existing space safety procedures.
• The evaluation of the credibility of the civil airborne standards to be expanded and adapted to space exploration in terms of methods and criteria (quantitative and qualitative).
• The analysis of the other parameters to be considered for reaching an international consensus for regulating space exploration.
Applicable Space Safety Procedures for Space Exploration
The current International Space Safety Standards are based on several International Organization for Standardization (ISO) standards. They represent the basic space policy standards founded on ISO 14300:
• ISO 14600, Space Systems Safety Requirements, Parts 1–3: System Safety, Launch Site Operations, and Flight Safety Systems.
• ISO 17666: Space Systems Risk Management.
• ISO 14624, Parts 1–7: Space Systems Safety and Compatibility of Materials.
Also the United Nations Orbital Debris Coordination Working Group has developed and adopted the following:
• ISO 24113: Space Debris Mitigation Principles and Management Procedures.
• ISO 27875: Re-entry Safety Control for Unmanned Spacecraft and Launch Vehicle Upper Stages.
Although the ISO standards are useful in establishing international coordination, the problem is that they are voluntary. National laws and regulations may supersede them. In order for international space regulations and standards to have enforcement power, governments as well as voluntary standards bodies must support them. In summary, the ultimate objective must be standards and regulations backed by international treaties that are fully agreed by all the nations involved in space activities and implemented through national regulatory mechanisms.
There are indeed existing space safety regulations and standards by agencies and institutions. They have a lot of similarities in terms of approach (e.g., they are based on lessons learnt and state-of-the-art best practices in terms of knowledge, expertise, and quality) and process for elaborating a hazard analysis (HA). But do they represent a common vision, committed and shared globally by all of them? That is the point. The need has been identified, for the institutional stakeholders of space-faring countries, to jointly establish safety consensus standards to become recommended references for national regulations. In this frame, it seems interesting here to:
• list the safety regulations and requirements applied by the main agencies and institutions in preparation of missions beyond Earth orbit, and
• assess the evolutions of these space safety regulations to better understand:
○ What are the constraints inherent to living, traveling, and working in deep space?
○ Is it possible to partially mitigate these constraints by using safety processes and procedures coming from other standards (e.g., aviation) that have already matured and improved?
Space transportation capabilities, such as the crew transportation and operation capabilities defined in the Global Exploration Roadmap,[2] are driven by mission and safety requirements. NASA, as one of the leaders in the space exploration endeavor, has elaborated NASA Procedural Requirements (NPRs) that are key to producing human-rated space systems that accommodate human needs, effectively utilize human capabilities, control hazards, manage safety risk associated with human spaceflight, and provide, to the maximum practical extent, the capability to safely recover the crew from hazardous situations[3]:
• Human-Rating Requirements for Space Systems, NPR 8705-2B[4]: it defines the set of technical requirements to be applied to its crewed space systems to reach the human-rating certification at the end of development. The key certification elements to be compliant with are:
○ the definition of reference missions for certification,
○ the incorporation of system capabilities to implement crew survival strategies for each phase of the reference missions,
○ the implementation of capabilities coming from the applicable technical requirements,
○ the utilization of safety and reliability analyses to influence system development and design, and to decide on risk-reduction measures such as failure tolerance,
○ the integration of humans into the system and human error management,
○ the verification, validation, and testing of critical systems performance,
○ the flight test program and test objectives, and
○ the system configuration management and related maintenance of the human-rating certification.
• Technical Probabilistic Risk Assessment (PRA) Procedures for Safety and Mission Success for NASA Programs and Projects, NPR 8705-5A[5]: PRA is a systematic and comprehensive methodology to evaluate risks associated with every life-cycle aspect of a complex engineered technological entity (e.g., facility, spacecraft, or power plant) from concept definition, through design, construction, and operation, and up to removal from service. In a quantitative risk assessment or a PRA, consequences are expressed numerically (e.g., the number of people potentially hurt or killed) and their likelihoods of occurrence are expressed as probabilities or frequencies (i.e., the number of occurrences or the probability of occurrence per unit time). The final result of a PRA is given in the form of a risk curve and the associated uncertainties.
• Probabilistic Risk Assessment Procedures Guide for NASA Managers and Practitioners[6]: it is a companion document of NPR 8705-5A and provides further details on PRA methodology for aerospace applications.
These NPRs are useful to defend/challenge design options in the frame of the decision-making process,[4] as they provide relevant data based on examined design alternatives, identified key uncertainties related to the design options (e.g., uncertainty in system performance, in human performance, or in understanding phenomena), established confidence in the analyses and the resulting design, and identified focus areas for testing. A good example of their application is the enhancement of crew safety design techniques for the Orion vehicle, in particular for establishing the survivability requirements.[7]
There is no need to start from scratch to establish a standardized safety regulation for space exploration, as a safety assessment process already exists. Nevertheless, the need is to evaluate its potential to be the most credible and adapted procedure for global human-rating missions. To do so, it is possible to benefit from an existing global standardized process that has demonstrated its efficiency through decades of improvement and lessons learnt: this is the case for the civil airborne standard in place.
Bridge Between Aircraft and Spacecraft Safety Assessment Processes Internationally
We are now going to focus on the global aviation standards, and in particular analyze U.S. and European standards to assess the similarities between each other, then assess their similarities with the NASA space safety procedures (presented in the previous section “Applicable Space Safety Procedures for Space Exploration”), and finally, start assessing their potential to be expanded to human-rating space exploration (as a first step in the elaboration of a standardized space safety regulation).
Standardized Safety Assessment Process in Aviation
The standardized safety process, applicable for the civil airborne systems, is composed of the following set of standards (as shown in Fig. 1) called Aerospace Recommended Practices (ARPs):
Fig. 1. SAE ARP 4761 and 4754A. ARP, aerospace recommended practices.
This set of standards is the set of methods for conducting safety assessment process used worldwide. It is the world's most severe civil aviation standard, and is enriched by millions of flight hours each year.
These ARP standards are recognized by both U.S. and European regulations, that is:
• U.S. FAA Federal Aviation Regulations (FARs), and
• European Joint Aviation Requirements, which have been replaced by European Aviation Safety Agency (EASA) certification standards.
They are also recognized worldwide by other agencies such as in China, Brazil, and South Korea.
FAA and EASA have elaborated consistent and harmonized airworthiness standards that provide equivalent criteria for:
• the certification specifications of equipment, systems, and installations, and
• the associated equivalent means of compliance: FAA Advisory Circulars (AC)/EASA Acceptable Means of Compliance (AMC). In particular, AC 25.1309-1[16]/AMC 25.1309[17] describes acceptable means for showing compliance with the airworthiness requirements of §25.1309. This AC/AMC is fundamental, as it establishes the principle that the more severe the hazard resulting from a system or equipment failure, the less likely that failure must be. Failures that are catastrophic must be extremely improbable. First released in 1982, AC 25.1309-1 (then AMC 25.1309 in 2003) has been revised to embody the increasing experience gained through the development of airplanes, and to address the increasing integration and computerization of aircraft functions.
In conclusion, the standardized safety assessment process for aviation has been matured over the years, with a continuous harmonization between U.S. regulations and European standards, and has in turn been approved worldwide. AC 25.1309-1 describes the acceptable means for showing compliance with the airworthiness requirements of FAR 25.1309. It recognizes ARP4754A and ARP4761 as the global standardized process of the aviation industry. This standardized aviation safety process represents a relevant guideline for comparison with the space safety process.
Comparison Between Aviation Standards and Space Procedures/Guidelines Regarding Safety Assessment Process
Functional mission failure conditions
The critical functions to be ensured within the range of missions are similar between aviation and space transportation capabilities[1]:
• Transportation of the crew/cargo, including collision avoidance.
• Environmental control and life support, ensuring crew survival.
• Propulsion, which is vital to safe operation at any mission phase.
• Communication, which is essential to be able to send orders that may have safety implications, such as alarm and rescue.
• Power supply, which is a common mode of failure conditions.
• Navigation, for the determination, at any time, of the vehicle's position, velocity, and attitude.
These critical functions are addressed through safety objectives that will be determined and fine-tuned through continuous trade-offs taking into account many factors inherent to the mission scenario (as shown in Fig. 2). In this frame, the different specificities of civil airborne systems and space transportation systems, which are intrinsic to their respective mission architectures, will be considered, for example, in terms of servicing (maintainability) and failure rates (reliability).[1]
Fig. 2. Role of critical functions in the safety process (e.g., SAE ARP 4761).
Based on the identification of these critical functions, we compare the implementation of safety process in both aviation and space exploration fields, and assess the similarities in terms of methodology, requirements, and criteria for evaluation of failure conditions. This comparison is performed based on the following standards, requirements, and guidelines:
Common objectives for aviation and space safety assessment
Both aviation standards and space procedures/guidelines share major targets in terms of safety assessment. They:
• define the set of mission requirements that ensure the requested level of mission safety;
• provide guidance in implementing fail-safe design, with an emphasis on redundancy and monitoring, including eliminating common mode failures and hazards (seen as the causes of unsafe control);
• implement the system safety assessment (SSA) process on the critical functions that may have catastrophic failure conditions; and
• are based on safety rules coming from lessons learnt and recommendations from the past, for example:
○ aviation: millions of flight hours per year, and
○ space: Apollo, ISS, space shuttle, exploration missions (to come),
regarding different aspects such as design, manufacturing, testing, instrumentation, review, and control. Most of them are used commonly within the global safety community as best practices. They are particularly valuable for large and complex programs that require a certain codification of the lessons learnt.
The implementation of the safety assessment process implies tools (e.g., analysis and methodology) and criteria (to achieve certification) to cover all mission phases from liftoff to re-entry, including the launch preparation phases. Moreover, quantitative (e.g., probabilistic) and qualitative (e.g., failure tolerance or redundancy) technical safety and mission requirements complement each other by compensating for the weaknesses of one or the other analysis type.[18]
Comparison of safety tools (e.g., analysis and methodology)
While comparing aviation standards and space exploration procedures, we can obtain the list of safety analyses and methodologies that combine existing techniques.
In NASA NPR 8705-2B,[4] aviation/space common approaches or tools for the performance of this activity include, but are not limited to:
• Traditional safety and reliability analysis techniques:
○ HA.
○ Fault tree analysis (FTA).
○ Failure modes and effects analysis (FMEA).
○ Damage modes and effects analysis (DMEA).
○ Critical items lists (CILs).
• PRA.
• Simulation modeling techniques (e.g., physics-based simulations of the failure environments).
• Accident precursor analysis (APA).
The integration of design and safety analyses consists in the active and iterative application of these techniques, and in the use of the collective results from these analyses to inform design decisions. The integrated analysis is done in a consistent manner throughout the program and at the overall system level. This implies that techniques such as HA, FMEA, and probabilistic risk analyses cannot be performed in isolation and that such analyses should be internally consistent. The resulting assessments and rankings, along with probabilistic safety requirements, serve to inform decisions regarding safety-enhancing measures such as necessary failure tolerance levels, margins, abort triggers, and crew survival capabilities.
The list of corresponding analyses and methods in the aviation standard ARP 4761[8] is the following:
For the HAs (as shown in Fig. 3):
• The scenarios leading to the “loss of vehicle” are assessed with estimates of their frequencies, and are specified in terms of functional-level events: this list of dysfunctional scenarios with the assessment of their criticality is equivalent to the functional hazard assessment (FHA) in ARP4761.
• These scenarios, which involve several distinct system failures, may contain a very large number of such combinations of failure conditions: the list of failure conditions at system level associated with subsystem-level safety requirements is equivalent to the preliminary system safety assessment (PSSA) in ARP4761, and the subsystem safety requirements include Design Assurance Levels (DALs).
• For each system failure occurring in a particular scenario, there may be many distinct combinations of component-level failures that yield that system failure. These combinations are called “minimal cut sets” (MCSs). The MCSs are one of the major outputs of a PRA. They are a basis for quantification of top event likelihood and also provide qualitative insight: this assessment down to component level and back to the system level is equivalent to the SSA in ARP4761. It aims to update the failure conditions list or FHA, which includes rationales showing compliance with safety requirements (qualitative and quantitative).
Fig. 3. Functional hazard assessment (FHA), preliminary system safety assessment (PSSA), and system safety assessment (SSA).
• FTA and FMEA: they are common methods in both aviation and space.
• DMEA: it reveals damage modes and their domino effects to guide the design and operations; it is equivalent to the zonal safety analysis in ARP4761. This analysis is usually supported by a common cause analysis, which is used to find and eliminate or mitigate common causes for multiple failures.
• CILs: the FMEA is performed to identify failure modes. As part of this process, critical failure modes that could lead to loss of life or LOM are also identified. These critical failure modes are then placed into a CIL, which is carefully examined for programmatic control by implementing inspection requirements, test requirements, and/or special design features or changes that would minimize the occurrence of the failure modes[19]; the control of these critical failure modes is monitored through a particular risk analysis in ARP4761.
• PRA: this is a scenario-based probabilistic risk analysis. Quite generally, a scenario is prevented through prevention of all of its MCSs, and each MCS is prevented through prevention of any of its elements. The role of the PRA in this context is to quantify each risk/MCS, by taking into account the individual risks/MCSs that surface during the program/project[6]; this risk assessment makes it possible to define particular probabilistic safety requirements when quantitative risk assessment is deemed necessary (e.g., without sufficient experience-based engineering data) and is equivalent to a particular risk analysis in ARP4761.
• Simulation modeling techniques: they are common methods in both aviation and space (e.g., failure propagation is a complex process that usually augments generic statistical data with computer simulations).
• APA: it provides a systematic means of analyzing candidate accident precursors by evaluating anomaly occurrences for their system safety implications and, through both analytical and deliberative methods used to project to other circumstances, identifying those that portend more serious consequences to come if effective corrective action is not taken.[6] This aims to update the HA when an anomaly occurs; this APA is well integrated into the FHA, PSSA, and SSA, as the implementation of corrective mitigation actions after anomaly investigation is equivalent, and particularly well controlled in the aviation safety process.
The assessment of the safety analyses between aviation (ARP 4761[8]) and NASA space safety procedures (NPR 8705-2B[4]) shows that the safety assessment methodology is similar, as it is based on the same tools in both areas. So, from the methodology point of view, the space transportation approach could easily be inspired by the existing methods and analyses already standardized for aviation and applicable to space transportation capabilities.
Comparison of safety criteria
The assessment of dedicated criteria for failure conditions—for any mission scenario, system, and mission phase—is considerably more difficult to establish by comparison of aviation standards and space procedures. As recalled in the subsection “Functional mission failure conditions,” the mission constraints are very different between a civil aircraft and a space transportation vehicle because of their specific environment and mission architecture; this will indeed lead to different quantitative and qualitative criteria that will be used in the definition of the overall set of safety requirements to be applied to the respective missions.
Considerations for defining these criteria for space exploration missions are in continuous evolution, demonstrating the complexity of the safety assessment activity to reach a dedicated international consensus and regulations. As an example, it is worth mentioning that NPR 8705-2 has been updated:
NPR 8705-2 (no revision)[20] was initially released in 2003, at the time of the application of the human-rating requirements for International Space Station missions. It was based on two-failure tolerance (2 FT) to prevent hazards that could result in loss of life. This means that 3 independent failures would have to occur to lead to a catastrophic consequence. This deterministic approach has provided an excellent assurance of system safety and has been for years the single reference for human-rating requirements. Besides, the International Association for the Advancement of Space Safety (IAASS) proposal for a space safety standard considers this 2 FT requirement regarding catastrophic hazards.[21]
Nevertheless, over the life of programs, process errors or other unforeseen events could still cause controls to fail. So, the concept of spacecraft vulnerability reduction[7] has been envisioned as an opportunity to optimize design choices within the design parameters. Additional separation of redundant items or layouts of equipment that establish natural barriers were examples seen as improving the safety of the design without adding another layer of safety to further reduce the likelihood of occurrence. Additional considerations—minimizing weight (using smaller launch vehicles and raising performance) versus mission cost and schedule—have also increased the need for a safety approach in favor of a more risk-based decision-making process, including a more engineering-oriented approach to establishing proper levels of safety. NASA released NPR 8705-2B[4], wherein the acceptable level of safety is now reached by single failure tolerance and a probabilistic requirement specified in the PRA procedure.[5]
So, the definition of quantitative/qualitative criteria for safety assessment depends on various parameters that are not only based on technical considerations but also take into account programmatic (cost/schedule) and management aspects for mission success (a more risk-based decision-making process). Moreover, several risk-mitigation strategies are available to reach the requested level of mission safety. That is why the set of safety requirements defining space exploration safety regulations is not mature yet.
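As an added illustration (not taken from the article or from any NASA/SAE document) of how the minimal cut sets described in the subsection on safety tools yield both the deterministic criterion (failure tolerance) and the probabilistic criterion discussed here, the following Python snippet expands a small fault tree into its MCSs and checks a two-failure-tolerant layout against a single-failure-tolerant one that shares a power bus. The tree structure, the per-mission event probabilities, and the requirement pair (1 FT, top-event probability at most 1e-5) are constructed assumptions chosen for the example.

```python
from itertools import product
from math import prod

# A fault tree node is either a basic-event name (str) or a gate tuple:
# ("AND", [children]) or ("OR", [children]). The top event is "loss of vehicle".
def cut_sets(node):
    """All cut sets of a node as frozensets of basic events (not yet minimal)."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":                      # any child failing fails the gate
        return set().union(*child_sets)
    if gate == "AND":                     # every child must fail: cross-product
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate type: {gate!r}")

def minimal_cut_sets(node):
    """Keep only cut sets that contain no other cut set as a proper subset."""
    sets = cut_sets(node)
    return {s for s in sets if not any(other < s for other in sets)}

def failure_tolerance(mcs):
    """Independent failures tolerated before the top event: smallest MCS size - 1.
    A one-element MCS (e.g. a common-cause event) gives zero tolerance."""
    return min(len(s) for s in mcs) - 1

def top_event_probability(mcs, p):
    """Rare-event approximation: sum over MCSs of the product of event probabilities."""
    return sum(prod(p[e] for e in s) for s in mcs)

def assess(tree, p, ft_required, p_max):
    """Evaluate the deterministic (failure tolerance) and probabilistic criteria."""
    mcs = minimal_cut_sets(tree)
    ft = failure_tolerance(mcs)
    prob = top_event_probability(mcs, p)
    return {
        "mcs": mcs,
        "failure_tolerance": ft,
        "probability": prob,
        "meets_ft": ft >= ft_required,
        "meets_prob": prob <= p_max,
    }

# Constructed per-mission failure probabilities (assumed values, not agency data).
P = {"PWR_A": 1e-3, "PWR_B": 1e-3, "PWR_C": 1e-3,
     "ECLSS_A": 2e-3, "ECLSS_B": 2e-3, "ECLSS_C": 2e-3,
     "BUS": 1e-6}

# Two-failure-tolerant design: three independent strings per critical function.
DESIGN_2FT = ("OR", [
    ("AND", ["PWR_A", "PWR_B", "PWR_C"]),
    ("AND", ["ECLSS_A", "ECLSS_B", "ECLSS_C"]),
])

# Single-failure-tolerant design whose strings share one power bus: the bus is a
# common-cause event and surfaces as a one-element MCS, defeating the tolerance.
DESIGN_1FT_SHARED_BUS = ("OR", [
    ("AND", ["PWR_A", "PWR_B"]),
    ("AND", ["ECLSS_A", "ECLSS_B"]),
    "BUS",
])

if __name__ == "__main__":
    for name, tree in [("2FT", DESIGN_2FT), ("1FT + shared bus", DESIGN_1FT_SHARED_BUS)]:
        r = assess(tree, P, ft_required=1, p_max=1e-5)   # assumed requirement pair
        print(name, sorted(sorted(s) for s in r["mcs"]),
              "FT =", r["failure_tolerance"], "P(top) =", f'{r["probability"]:.2e}',
              "FT ok:", r["meets_ft"], "prob ok:", r["meets_prob"])
```

The shared-bus variant passes the probabilistic requirement yet fails the failure-tolerance requirement, which is exactly why the text notes that the quantitative and qualitative criteria compensate for each other's weaknesses.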
Other parameters to be considered for safety assessment
Other parameters have to be considered to reach an international consensus regulating space exploration. An independent study[22]—mandated by the Commercial Space Launch Amendments Act of 2004—has addressed, in particular, the standards of safety and concepts of operation that should guide the regulation of human spaceflight. In this frame, it has evaluated whether the standard of safety should vary by class or type of vehicle, by purpose of flight, or by other considerations. The main principles considered in the development of this analysis were as follows:
• Leverage relevant experience (both internal and external) to characterize the considerations that go into developing standards.
• Provide an acceptable level of spaceflight participant, crew, and third-party safety/casualty mitigation while minimizing overly complex, cumbersome, and undefined processes and standards.
• Allow for the broadest possible range of designs, concepts of operations, and flight purposes/uses.
• Develop the standards in a manner that minimizes the need for detailed case-by-case analyses.
The feedback from industry[22] on these topics reveals the following key recommendations:
• Need to prevent the establishment of highly invasive or cumbersome regulations that would discourage private risk taking and investment.
• No need to attempt to regulate by class or type of vehicle, or by purpose of flight, because of the unavailability of sufficient relevant experience and data; it would only serve to artificially restrict innovation and unique design approaches.
• Need to provide a path toward evolutionary improvements in regulation. Using aircraft industry examples, more rigorous rules and regulations could be implemented and enforced as the experience base matures. As the human spaceflight industrial base matures, opportunities exist to refine this proposed methodology, the related data requests and documentation, and the regulations. This is analogous to the pre-FAR era of commercial aircraft. Another option is to begin to enforce increasing levels of crew/mission survival and/or to apply FAR-type regulations derived from past data. Mission assurance activities could further augment these options.
These options are submitted to discussion within agencies, safety associations, and industry. For instance, this last option is supported by the IAASS, which has proposed not to wait for industry to mature before starting the elaboration of global safety standards. Instead, the IAASS has for years promoted the idea of creating an international space safety institute that can develop space standards globally.[23]
So, these other parameters have still to be discussed between the different partners (in particular agencies and industry) to converge on a common approach based on the series of proposals that have emerged.
Conclusion
The aviation safety standard ARP4761 is a valuable guideline for the elaboration of a safety assessment process for human-rating space exploration, as it offers a safety approach that makes it possible to reach the requested level of safety for such a challenging mission. The aviation safety standard can then be used as a convincing bridge for space to agree on an international consensus.
Although the aviation standards are valid and beneficial to the space domain while developing an analysis of the policy implications on the way to the global consensus, there is one difference between aviation and space, which resides in the safety criteria.
Therefore, regarding the implementation of safety requirements related to failure conditions applied to crew transportation and operation capabilities, the safety criteria defined for aviation are not applicable to space because of the specificities of the space exploration missions. The list of the safety criteria in space can be narrowed down to a limited set of criteria (quantitative and qualitative) that need to be defined in terms of failure tolerance philosophy and redundancy policy.
In this frame, we observe a clear need for more maturation of the concepts at this step: several risk-mitigation strategies may exist (mixing technical, managerial, and programmatic considerations).
Agencies and industry have started iterating on these aspects in a collaborative manner, and need to find their way on how to advance innovative mission concepts while remaining compliant with stringent certification criteria.
Footnotes
Disclaimer
This article was prepared or accomplished by Aline Decadi in her personal capacity. The opinions expressed in this article are the author's own and do not reflect the view of the European Space Agency.
Author Disclosure Statement
No competing financial interests exist.
