Volume I, Section 6
{A} For a description of the notations, see Acceleration
This section contains the following topics:
6.1 Introduction
6.2 General Safety
6.3 Mechanical Hazards
6.4 Electrical Hazards
6.5 Touch Temperature
6.6 Fire Protection and Control
6.7 Decompression Hazards
This section is not intended to be a comprehensive guide to manned
spacecraft safety. It deals only with general safety considerations
and requirements and a specialized subset of the total safety problem.
This specialized subset addresses only the following topics: 1) mechanical
hazards; 2) electrical hazards; 3) thermal hazards; and 4) fire hazards.
Other safety topics are covered in the topical sections on human performance
(Section 4.0), natural and induced environments
(Section 5.0), health management (Section
7.0), architecture (Section 8.0), workstations
(Section 9.0), hardware and equipment (Section
11.0), maintainability (Section 12.0),
and EVA (Section 14.0).
An exhaustive treatment of general system safety is given in AFSC Design
Handbook 1-6 (Reference 21).
The appendices of the Space Station Crew Safety Alternatives Study (Reference
42) provide an exhaustive
treatment of crewmember safety requirements.
6.2.1 Introduction
This section briefly describes some of the principles of system design
and human behavior related to safety and provides general safety requirements.
6.2.2 General Safety Design Considerations
Two primary considerations in crew safety are prevention of the following:
a. System failures affecting the health/safety/survival of the crew.
b. Design-induced crew errors causing crew injury or damage to the
system.
Safety Factors
Safety factors shall be given major consideration as a part of system
design. Applying adequate factors of safety in the design of systems
such as unpressurized and pressurized structural subsystems assures that
systems will not fail under expected operating loads.
Crew Induced Accidents
The probability of occurrence of crew-induced accidents is directly
related to some principles of human behavior that result in human errors
that might be committed during operation and maintenance of equipment.
Some of these human behavior principles are listed below as an aid to
equipment designers (see references
15 and 21 for a more
detailed discussion of these principles). These principles provide answers
to why people make errors, misuse equipment, and make unsafe judgments.
a. Equipment design that exceeds the physical and psychological limits
of human capability can create situations where the likelihood of accidents
is high.
b. Any design that makes crewmembers work harder because of the physical
requirements of the work situation is likely to promote fatigue and
increase error.
c. When crewmembers must perform tasks in inadequate facilities or
without proper information, errors are likely to occur.
d. When design results in tasks that are unpleasant or complex, crewmembers
may not devote sufficient time and attention to attain satisfactory
e. Crewmembers are less likely to perform tasks as frequently if they
are aware the task is hazardous.
f. If equipment is insufficient or inadequate, crewmembers will modify
it, or improvise, so they can get the job done.
g. Procedures should be definitive, comprehensive, and as accurate
as possible.
h. Equipment must be designed so that it encourages safe use, allowing
a minimum opportunity for the crewmembers to be exposed to hazards.
i. If the equipment is designed so that it does not operate in accordance
with the crewmember's expectancies, he will eventually make an error.
j. If hazards are designed into the equipment, warning notes in the
technical manual, or warning labels on the equipment, special instructions
and special training will reduce, but may not completely eliminate, the
possibility of human error.
In summary, the designer should remember that most safety problems
are the result of the equipment not being designed properly and/or people
using it improperly. The designer must, therefore, anticipate how equipment
might be misused and design it so that misuse is less likely and error
effects are not catastrophic.
6.2.3 General Safety Design Requirements
The following general minimum safety requirements shall apply:
a. General Safety Design - Design shall reflect applicable system and
personnel safety factors, including minimization of potential human
error in the operation and maintenance of the system.
b. Fail-Safe Design - A failure tolerant design shall be provided in
areas where failure can disable the system or cause a catastrophe by
damaging equipment, injuring crewmembers, or causing critical equipment
to be operated at undesirable times.
c. Elimination or Minimization of Hazards - Design actions to eliminate
or minimize a hazard shall be conducted in the following order of precedence.
This hazard reduction sequence shall apply to all nominal and contingency
(e.g., planned maintenance or repair) equipment operations.
1. Design - Elimination of hazards by removal of hazardous sources and
operations by appropriate design measures.
2. Safety Devices - Prevention of hazards through the use of safety
devices or features.
3. Warning Systems - Control of hazards through the use of warning devices.
4. Special Procedures - Control of hazards through the use of special
6.3.1 Introduction
This section provides the design considerations and design requirements
for designing IVA hardware to avoid safety problems with burrs, edges,
corners and protrusions.
(Refer to Paragraph 14.1.3, EVA
Safety Design Requirements, for related EVA requirements.)
6.3.2 Mechanical Hazards Design Considerations
Sharp surfaces or protrusions include surfaces, edges, crevices, points,
burrs, wire ends, screw heads, corners, brackets, rivets, braided cable,
cable fittings, cable strands, clamps, pins, latches, lap joints, bolt
ends, lock nuts, etc., which, if contacted, could injure crewmembers
or damage equipment by entrapment, cutting, sawing, abrading, snagging,
tearing or puncturing.
These hazards will be avoided if the above equipment is mounted/installed
so that it does not interfere with crewmember movement in habitable
areas, transfer corridors and tunnels, hatchways, or external surfaces
of equipment within the habitable space. Items that must be grasped
by the bare hands, or that could puncture a space suit, must be free
from hazards.
(Comply with Surface Finish Requirements found in ANSI/ASME/B46.1-1985.)
6.3.3 Mechanical Hazards Design Requirements
Design requirements for the elimination of burrs, corners, edges, protrusions,
pinching, snagging, and cutting for IVA are given in this section:
(Refer to Paragraph 14.1.3, EVA
Safety Requirements, for comparable EVA requirements.)
Corner and Edge Requirements
a. Edges with which the crew can come in contact, 6.4 mm (0.25 in.)
thick or greater shall be rounded to a minimum radius of 3.0 mm (0.12
in.) as shown in Figure
b. Edges with which the crew can come in contact, 3.0 to 6.4 mm (0.12
to 0.25 in.) thick shall be rounded to a minimum radius of 1.5 mm (0.06
in.) as shown in Figure
c. Edges with which the crew can come in contact, 0.6 to 3.0 mm (0.02
to 0.12 in.) thick shall be rounded to a full radius as shown in
d. The edges of thin sheets less than 0.5 mm (0.02 in.) thick shall
be rolled or curled as shown in Figure
Requirements for Rounding Exposed Edges 6.4 mm (0.25 in) Thick or Thicker
Reference: 1, Figure 3.5-1, p. 3.5-10; 155, p. 6-31; NASA-STD-3000 4
Requirements for Rounding Exposed Edges 3.0 to 6.4 mm (0.12 to 0.25 in) Thick
Reference: 1, Figure 3.5-2, p. 3.5-11; 155, p. 6-31; NASA-STD-3000 5
Requirements for Rounding Exposed Edges 0.5 to 3.0mm (0.02 to 0.12 in.)
Reference: 1, Figure 3.5-3, p. 3.5-11; 155, p. 6-31; NASA-STD-3000 6
Requirements for Curling of Sheets Less Than 0.5 mm (0.02 in) Thick
Reference: 1, Figure 3.5-4, p. 3.5-11; 155, p. 6-31; NASA-STD-3000 7
Exposed Corner Requirements
a. Exposed corners of materials which exceed 25 mm (1.0 in.) thickness
shall be rounded to 13 mm (0.5 in.) spherical radius, as shown in
b. Exposed corners of materials less than 25 mm (1.0 in.) thick shall
be rounded to a minimum radius of 13 mm (0.5 in.), as shown in
Requirements for Rounding of Corners Less Than 25 mm (1.0 in) Thick
Reference: 1, Figure 3.5-5, p. 3.5-11; 155, p. 6-32; NASA-STD-3000 8
Requirements for Rounding of Corners Greater Than 25 mm (1.0 in) Thick
Reference: 1, Figure 3.5-6, p. 3.5-11; 155, p. 6-32; NASA-STD-3000 9
Protective Covers on Exposed Protrusions Requirements
Equipment which cannot meet corner and edge requirements of and shall be covered or
shielded when not in use.
Holes Requirements
Holes that are round or slotted in the range of 10.0 to 25.0 mm (0.4
to 1.0 in) shall be covered.
Latches Requirements
Latches which pivot, retract, or flex such that a gap of less than
25 mm (1.4 in.) exists shall be designed to prevent entrapment of crewmember
appendages.
Screws and Bolts Requirements
Screws or bolts with more than two exposed threads shall be capped
to protect against the sharp threads.
Securing Pins Requirements
Securing pins in handrails shall be designed to prevent their inadvertently
backing out above the handhold surface.
Levers, Cranks, Hooks, and Controls Requirements
Levers, cranks, hooks, and controls shall not be located where they
can pinch, snag, or cut the crewmember or clothing.
Burrs Requirements
Exposed surfaces shall be free of burrs.
Mechanically Stored Energy Requirements
Mechanical devices capable of storing energy (such as springs, levers,
and torsion bars) shall be avoided in spacecraft design. Bungee cords
are acceptable.
a. Safety Features - Where stored energy devices are necessary, safety
features such as removal tabs, locks, protective devices, and warning
placards shall be provided.
b. Stored Energy Release - Spring-loaded devices (i.e., bungee restraints)
shall provide means for releasing stored energy forces.
c. Backlash - Stored energy devices shall not generate a backlash.
d. Locking Wires - Refer to paragraphs
h and
Loose Equipment
See Figure for data regarding
loose equipment edge and corner radiusing requirements.
Loose Equipment Edge and Corner Radiusing Requirements
(in mm)
Mass (kg) | Edge radius (mm) | Corner radius (mm)
0.0 to 0.25 | 0.3 | 0.5
0.25 to 0.5 | 0.8 | 1.5
0.5 to 3.0 | 1.5 | 3.5
3.0 to 15.0 | 3.5 | 7.0
15.0 to 50.0 | 3.5 | 13.0
(in inches)
Mass (lb) | Edge radius (in) | Corner radius (in)
0.0 to 0.5 | 0.01 | 0.02
0.5 to 1.1 | 0.03 | 0.06
1.1 to 6.6 | 0.06 | 0.14
6.6 to 33.0 | 0.14 | 0.3
33.0 to 100.0 | 0.14 | 0.5
Reference: 381; NASA-STD-3000
6.3.4 Non-Exposed Edges and Corners
All edges and corners of hardware exposed to crew contact during maintenance
or servicing shall be rounded to a minimum radius of 0.003 inch.
6.4.1 Introduction
This section contains the design considerations and design requirements
for protection of crewmembers from electrical hazards. This section
does not include considerations or requirements that pertain to protection
of hardware from electrical hazards.
6.4.2 Electrical Hazards Design Considerations
Controls must be in place such that no single failure can allow a critical
hazardous event (e.g., nondisabling injury to personnel), and no two
failures can allow a catastrophic hazardous event (e.g., disabling or
permanent injury to personnel). Implied is that two failures can allow
a critical hazardous event to occur.
For electrical hazards, a crew/machine interface critical hazardous
event is an event which can subject the crew to an electric shock.
If, however, the failure can result in a hazardous event causing other
than a nondisabling injury (e.g., inability to let go of the electrically
energized surface, stoppage of breathing, ventricular fibrillation of
the heart, electric burns, or paralysis), the hazard is classified as
catastrophic.
Hazard Controls For Crew/Machine Interface
The design should consider the effects of a worst case, credible, hazardous
scenario including the highest internal voltage applied to or generated
within the equipment under analysis. The scenario should take into account
the potential for a smart short to an accessible conductive surface
(or a surface likely to become electrically energized upon encountering
a fault) such that the fault current supplied to the conductive surface
is internally limited to be below the trip point of the overcurrent
protector. It also should take into account the worst case physiological
effect of frequency and wave form associated with the smart short.
Once the worst case scenario is identified, an electrical shock hazard
classification of critical versus catastrophic is made and appropriate
controls are utilized. If the classification is marginal or unclear,
a conservative position is taken with the hazard classified as catastrophic
until proven otherwise. Avionics equipped with three electrical shock
hazard controls need only be assessed for the independence of these
controls.
Hazard Control Selection
Hazard controls for electric shock at the crew/machine interface must
be independent controls (i.e., no single equipment failure or event
can eliminate a control, and no single control failure, event, or environment
can eliminate more than one control).
Typical methods of implementing these hazard controls include the use of:
1. safety (green) wire,
2. bonding,
3. insulation around electrically energized surfaces and conductive
surfaces likely to become electrically energized upon experiencing a
fault within the equipment,
4. barriers to electrically energized surfaces and conductive surfaces
likely to become electrically energized upon experiencing a fault within
the equipment, and
5. a ground fault interrupter (i.e., a device through which power is
applied to the equipment wherein the device continuously monitors the
difference between the current applied power applied upon detecting
a difference in current beyond a preset threshold, the difference in
current presumed to have been undesirably returned through ground).
As long as controls remain independent, two similar methods of hazard
control may be utilized. For example, double insulation in which an
insulation system comprised of basic insulation and supplementary insulation
with the two insulations physically separated and so arranged that they
are not subjected to the same deteriorating influences (i.e., failure,
event, or environment) could represent two controls.
It should be noted that terrestrially, three (3) controls are frequently
used. For example, hair blowers are typically fabricated with double
insulated enclosures and derive power through fixed ground fault interrupters;
many power tools are double insulated and frequently derive power through
fixed or portable ground fault interrupters; and many power tools are
double insulated, have a safety (green) wire, and frequently derive
power through fixed or portable ground fault interrupters (4 controls).
Hazard Classification - Physiological Considerations
In order to classify a hazard as critical versus catastrophic, the
physiological effects of electric current must be known. Included within
these effects is the body impedance which appears to change non-linearly
with varying voltages. In addition, a physiological effect of current
through the skin is that the hands will not remain dry; skin will perspire
at the point of contact with an electrically energized surface. Test
reports from several independent investigators indicate that minute
cuts or punctures that may be difficult to visually locate can greatly
reduce the resistance of the skin by acting as short circuits through
the skin. Therefore, conservative analysis should assume that the body
contact areas are wet (i.e., skin resistance is negligible).
Most of the internal body resistance is attributed to the joints (wrist:
250 ohms; elbow: 150 ohms; shoulder: 100 ohms; knee: 100 ohms; ankle:
250 ohms; neck: 50 ohms; torso length: 100 ohms). Also reported is that
people with long body parts appear to have higher body impedance than
those with shorter body parts, and people with strong musculature generally
have less body impedance than those who have weak musculature.
Figure shows the approximate value of internal body resistance
with contact through the torso with different parts of the body.
Internal Body Resistance (in Ohms)
1000 | 700 | 600 | 750 | 1100
700 | 400 | 300 | 450 | 800
600 | 300 | 100 | 250 | 600
750 | 450 | 250 | 300 | 650
1100 | 800 | 600 | 650 | 1000
Reference: 403; NASA-STD-3000 507
Catastrophic Hazard Classification
The injurious physiological effects of the passage of electric current
through the human body include the inability to let go of the electrically
energized surface, stoppage of breathing, ventricular fibrillation of
the heart, electric burns, and paralysis. The stoppage of breathing
and paralysis are not the critical physiological effects if the limits
for let-go and ventricular fibrillation, is totally disabling, and,
if allowed to continue, can result in a fatal injury, let-go is the
current threshold used to classify hazards as catastrophic.
The let-go current threshold is the current above which a person will
be unable to release his/her grip on the electrically energized surface
because of involuntary muscle contractions. The threshold current for
let-go is affected by the physical characteristics of the body, and
the frequency and wave shape of the current.
The 99.5 percentile rank recommended limits for direct current are
60 milliamperes (mA) for a man, 40 mA for a woman, and 30 mA for a child.
For sinusoidal current at power line frequencies, the recommended limits
are 9 mA root-mean-square (rms) for a man, 6 mA rms for a woman, and
4.5 mA rms for a child. Complex wave forms significantly decrease these
recommended limits. As the frequency of the current is increased, the
recommended current is increased.
If the exposure is expected to be limited to adults, the recommended
limits for a woman are used. If the exposure might include children,
the recommended limits for a child are used.
For many nonsinusoidal waveforms, the parameter of the current that
is used for establishing limits is the peak value of the waveform instead
of the rms value or the average of the rectified waveform. For waveforms
consisting of both alternating current and direct current components,
the recommended limit becomes more complex, and as either component
approaches zero, the limit of the other component approaches the limit
of the component alone.
In addition to using the let-go current threshold as a means of determining
the number of hazard controls required to control the identified hazard,
it is also used in the design of hazard controls that are current sensitive.
As an illustration, assume that a ground fault interrupter was designed
to trip in 25 milliseconds with a 60 mA direct current trip threshold.
Assume that the current conducted through the crewperson as the result
of the open safety (green) wire was 58 mA direct current. The ground
fault interrupter would not trip since the current was below its threshold.
If the crewperson was a man, he would probably be able to let go, but
if the crewperson was a woman, there is a significant risk (p~75%)
that she would not be able to let go, and barring intervention by another
crewperson, might be in serious jeopardy.
Clearly, this ground fault interrupter should be designed to trip on
a current threshold as low as possible without introducing false tripping
due to leakage currents or transients. In addition, the selection of
let-go current threshold must take into account the power frequency,
frequencies superimposed on the power from the power system itself,
and frequencies that might be superimposed on the power system from
the load attached to the ground fault interrupter both normally and
as the result of a fault.
System response time, including the period from detection through power
removal, must be evaluated so as to ensure rapid power removal (perhaps,
within 25 milliseconds) upon encountering the fault current which might
be exceeding the let-go threshold. Even at a level slightly above the
let-go threshold, the crewperson is at risk for prolonged exposure.
Figure is a compiled chart of let-go current thresholds and includes
the results of composite waveform test. Figure graphically describes
the composite waveforms.
Let-Go Current Thresholds
AC (rms) | DC | AC crest (lm) | AC (rms) | DC | AC crest (lm)
DC | 60.0 | 40.0
Sinusoid: 5 Hz | 14.5 | 9.6
10 Hz | 9.8 | 6.5
15 - 70 Hz | 9.0 | 6.0
180 Hz | 10.4 | 6.9
500 Hz | 11.0 | 7.3
1 kHz | 13.7 | 9.1
2.5 kHz | 20.0 | 13.3
5 kHz | 29.3 | 19.5
10 kHz | 55.3 | 36.9
60 Hz sine with DC):
Sine | 0 | 12.7 | 0 | 8.4
25% offset | 15.5 | 3.9 | 10.2 | 2.6
50% offset | 10.9 | 5.4 | 7.2 | 3.6
141% offset | 5.8 | 8.2 | 3.8 | 5.4
Half wave | 3.9 | 9.2 | 2.5 | 5.5
Full wave | 9.8 | 5.6 | 6.5 | 3.7
1. For adults, let-go current limits are those shown for women.
2. If children might be exposed to the hazard, let-go current
limits are 1/2 those shown for men.
3. Refer to Figure for graphical descriptions.
Reference: 403; NASA-STD-3000
Complex Waveforms With DC Components
Reference: 403; NASA-STD-3000 505
Bioinstrumentation
Bioinstrumentation should be designed to consider the interactions
among several bioinstruments when multiple equipment are simultaneously
connected to the same crewperson.
For invasive bioinstrumentation, the design should consider the effects
of fluids contacting energized electrical surfaces (e.g., blood or saline
leakage to an intravenous pressure transducer). It has been demonstrated
that a current gradient, precipitated particles, and gas bubbles can
be rapidly generated within the fluid when the fluid is exposed to voltages
(i.e., test used just 5 volts direct current). The concern with the
particles and gas bubbles is the possibility of migration to the crewmember's
circulatory system, and the concern with the current gradient is the
possibility of inducing ventricular fibrillation.
Leakage Current Verification
Hazard analysis for avionics which exhibit leakage currents below the
threshold of perception may consider leakage current design control
as an electrical hazard control for critical hazards.
The physiological response to the perception of current is frequency
sensitive. A relatively precise method of verifying that leakage currents
are below the threshold of perception entails the use of spectrum analysis
to determine the root-mean-square (rms) current for each frequency component
of the leakage current. An analysis is then performed to assure that
these components are below the threshold of perception individually
and in combination.
An alternate technique utilizes a simple, GO/NO-GO method to verify
the leakage current levels. Utilizing a true rms voltmeter in conjunction
with a resistor/capacitor network which synthesizes the human threshold
of perception characteristics, the analysis reduces to determining if
the total avionics leakage current as evidenced by the true rms voltmeter
indication exceeds the maximum permissible level.
6.4.3 Electrical Hazards Design Requirements
Equipment design shall protect the crewmembers from electrical hazards.
In designing to minimize electrical shock hazards, controls shall be
incorporated such that if the worst case credible failure can result
in a crewmember exposure that:
a. is below the threshold for shock (i.e., below maximum leakage current
and voltage requirements as defined within this Section), no control
shall be required;
b. exceeds the threshold for shock and is below the threshold of let-go
(critical hazard) as defined in Figure 6.4.3-1,
two independent controls (e.g., a safety (green) wire, bonding, insulation,
leakage current levels below maximum requirements) shall be required
such that no single failure, event, or environment can eliminate more
than one control; or,
c. exceeds the threshold of let-go (catastrophic
hazardous event), three independent controls shall be required.
If two independent controls are provided, the physiological electrical
shock effect of the combination of the highest internal voltage applied
to or generated within the equipment and the frequency and wave form
associated with a worst case credible failure that can be applied to
the crewmember shall be below that threshold of let-go.
Non-patient equipment with internal voltages not exceeding 30 volts
rms (root-mean-squared) shall be considered as containing potentials
below the threshold for electrical shock.
If the classification of the hazard is marginal or unclear, three independent
hazard controls shall be required.
Figure 6.4.3-1 Let-Go Current Profile, Threshold Versus Frequency
Based on 99.5 Percentile Rank of Adults
Frequency (Hertz) | Max Total Peak Current (ac + dc components combined) (milliamperes)
DC | 40.0
15 | 8.5
2000 | 8.5
3000 | 13.5
4000 | 15.0
5000 | 16.5
6000 | 17.9
7000 | 19.4
8000 | 10.9
9000 | 22.5
>10,000 | 24.3
Reference: 404; NASA-STD-3000 506
Grounding
All electrical powered equipment external, non-isolated metal parts
subject to user contact shall be at ground potential. A permanent bonding
means shall be provided to facilitate the connection of metal parts
to ground prior to the connection of any electrical signals or power.
A permanent bonding means shall be provided to facilitate the removal
of all electrical signals and power prior to the removal of metal parts
from ground.
Grounding conductors internal to an ORU shall be secured internally
to the ORU's metal enclosure by means of a fastening technique unlikely
to be removed during any servicing operation. Solder alone shall not
be used for securing the grounding conductor.
Each grounding or bonding means shall be capable of conducting the
maximum ground fault current amplitude and duration which might occur
as the result of discharges (static, plasma, etc.), induced RF voltages,
internal power-faulted equipment and accidental short circuits.
All grounding shall conform to the vehicle's grounding requirements.
Hinged or Slide Mounted Panels and Doors Grounding
Hinges or slides shall not be used for grounding paths. A ground shall
be considered satisfactory if the electrical connection between the
conductive door or panel, in both the open and closed position, and
the equipment tie point exhibits a resistance of less than 0.1 ohms
and has sufficient ampacity to insure the reliable and immediate tripping
of associated equipment over-current protection devices.
Electrical Bonding
On-orbit electrical bonding shall meet the vehicle's requirements for
electrical bonding to prevent damage to the vehicle or injury to crewmembers
due to discharges (static, plasma, etc.), induced RF voltages, internal
power-faulted equipment, and accidental short circuits. Each independent
bonding path is considered a hazard control for electrical shock.
Protective Covers
Equipment shall provide grounded or nonconductive protective covering
for all electrical hardware. These coverings shall protect against inadvertent
contact from foreign object entering electrical junctions, and moisture
accumulation.
Interlocks
Equipment access doors or covers shall incorporate interlocks to remove
all potentials in excess of 150 V when open.
Warning Labels
Warning labels shall be provided where inadvertent contact with electrical
potentials is hazardous to crewmembers. Warning labels shall comply
with the requirements in Paragraph 9.5.3,
Labeling and Coding Design Requirements.
Warning Labels Plus Recessed
Provide warning labels and recessed connectors or other protective
measures where potentials exceed 150 V.
Plugs and Receptacles
Plugs and receptacles shall meet the requirements of Paragraph
11.10 Connectors. In addition:
a. Plugs and receptacles (connectors) shall be selected and applied
such that they cannot be mismated or cross-connected in the intended
system as well as adjacent systems. Although required, the use of identification
alone is not sufficient.
b. Connectors shall be selected and applied such that they have sufficient
mechanical protection to mitigate inadvertent crewmember contact with
exposed electrical contacts.
c. Connectors shall be specifically designed and approved for mating
and demating in the existing environment under the loads being carried,
or connectors shall not be mated or demated until voltages have been
removed (dead-faced) from the powered side(s) of the connectors.
Insulation
All materials shall meet the vehicle's requirements for materials and
processes. In addition:
a. All exposed electrical conductors and terminations shall be insulated.
b. The crew shall be protected from electrical hazards when utilizing
tools within 24 inches of exposed electrical potentials.
Portable Equipment/Power
A ground fault circuit interrupter (GFCI) used in conjunction with
portable equipment shall be considered as one hazard control. Non-battery
powered portable equipment shall incorporate a three-wire power cord
with one wire at ground potential. A system of double insulation or
its equivalent, when approved by the procuring agency, may be used without
a ground wire.
Moisture Protection
Equipment shall be designed so that moisture collection will not present
a safety hazard to the crew.
Static Discharge Protection
Equipment shall be designed so that the crewmembers are protected from
static charge buildup.
Overload Protection
a. The functioning of an overload protective device shall not result
in a fire, electric shock, or crewmember injury.
b. An overload protective device shall not be accessible without opening
a door or cover. Exception: The operating handle or operating button
of a circuit breaker, the cap of an extractor-type fuseholder, and similar
parts may project outside the enclosure.
c. The arrangement of extractor-type fuseholders shall be such that
no energized parts are exposed at any time during fuse replacement.
d. Overload protection (fuses and circuit breakers) intended to be
manually replaced or physically reset on-orbit shall be located where
they can be seen and replaced or reset.
e. Each overload protector (fuses and circuit breakers) intended to
be manually replaced or physically reset on-orbit shall be readily identified
or keyed for its proper value.
f. Overload protection shall be designed and rated for on-orbit use
including the maximum environmental range expected as the result of
contingencies.
Batteries
Unless intentionally designed for the purpose, batteries shall not
be connected to or disconnected from a current drawing load. Batteries
and their utilization will conform to the requirements of JSC 20793,
Manned Space Vehicle Battery Safety Handbook, and JPL 86-14, The NASA
Aerospace Battery Safety Handbook.
Batteries/battery packs with potentials above 30 volts dc (direct current)
shall provide hazard controls as specified in Paragraph
6.4.3.
Non-ORU Batteries
Non-ORU batteries shall be disconnectable and removable without special
equipment. Mounting provisions shall ensure retention for all service
conditions. Polarity of the battery terminals shall be prominently marked
or battery terminal connections shall be polarized to mitigate erroneous
installation.
Mechanical Assembly
A switch, fuseholder, lampholder, attachment plug receptacle, or other
energized component that is handled by a crewmember shall be mechanically
held (not relying on friction alone) to prevent turning in its mounting
The mounting of components to a printed wiring board and the mounting
of the printed wiring board itself shall be such that any forces that
might be exerted on the components or board will not displace the components
or deflect the board so as to produce an electric shock or fire. Switches/Controls
Switches/controls shall be designed such as to prevent unplanned hazardous
manual or automatic operation. Switches/controls which provide automatic
starting after an overload initiated shutdown shall not be employed.
Power Switches/Controls
Switches/controls performing ON/OFF power functions shall open or dead-face
all supply circuit conductors except the power return and the equipment
grounding conductor while in the power OFF position.
Power OFF markings and/or indications shall only be used if all parts,
with the exception of overcurrent devices and associated EMI filters,
are disconnected from the supply circuit. STANDBY, CHARGING, or other
appropriate nomenclature shall be used to indicate that the supply circuit
is not completely disconnected for this power condition.
Power Driven Equipment Control Requirements
If a risk of injury to a crewmember or damage to equipment can result
from the motion of power driven equipment:
a. the controls for that mechanism shall be of a reversible type and
shall not continue operation of the moving part in the same direction
when a switch readily accessible to that crewmember is activated to
initiate operation in the other direction, or
b. the power driven equipment shall be mechanically constructed such
that the injurious forces are immediately removed by activation of a
switch readily accessible to that crewmember.
Ground Fault Circuit Interrupters (GFCI)
A non-portable utility outlet intended to supply power to portable
equipment shall include a GFCI, as an electrical hazard control, in
the power path to the portable equipment. GFCI trip current detection
shall be independent of the portable equipment's safety (green) wire.
GFCI will be designed to trip below the threshold of let-go based upon
the 99.5 percentile rank of adults. Non-portable utility outlets supplying
power to portable equipment shall include a GFCI with trip point characteristics
such that tripping will not exceed the currents specified in the profile
shown in Figure 6.4.3-1.
Ground fault circuit interrupters that depend upon the analysis of
current shall remove power within 25 milliseconds upon encountering
the fault current.
GFCI shall provide an on-orbit method for testing trip current detection
threshold at a frequency within the maximum human sensitivity range
of 15 to 70 Hertz.
Leakage Current Design
Non-patient equipment with internal voltages not exceeding 30 volts
rms (root-mean-squared) and non-patient equipment incorporating three
independent hazard controls (excluding non-patient equipment incorporating
leakage current as a control) shall not be required to verify leakage
current design requirements.
For designs using leakage current as a control, verification of leakage
current design requirements shall be accomplished using the network
shown in Figure The leakage
current (milliamperes) shall be computed as the voltage (volts) measured
across the network in series with the grounding conductor (for chassis
leakage current), or in series with the crewmember connection lead (for
ordinary patient connection leakage current), divided by 1000. For isolated
patient connection lead leakage current, a non-inductive, 1000 ohm resistor
shall replace the network shown in Figure for this measurement.
Leakage Current Verification Network
1. Resistors are non-inductive.
2. Voltmeter is a true RMS (root-mean-squared) type with frequency
bandwidth appropriate for the frequencies of the voltages being
measured. Voltmeter frequency bandwidth may be limited to 20 megahertz
(MHz) for equipment-under-test frequencies above 20 MHz.
Reference: 394; NASA-STD-3000 503
Chassis Leakage Current
Crewmembers shall not be exposed to excessive levels of leakage current
from direct or indirect contact with electrically powered equipment.
Equipment qualification shall include verification of acceptable chassis
leakage currents as defined within paragraph
Leakage current test procedures for DC powered equipment shall not include
reversed polarity input power tests.
Chassis Leakage Current - Nonpatient Equipment
The chassis leakage currents for nonpatient equipment shall not exceed
the values shown in Figure
Leakage current shall not exceed 0.700 milliamperes (ma) DC for grounded
nonpatient Equipment, and leakage current shall not exceed 0.350 ma
DC for double insulated nonpatient Equipment.
Figure Non-Patient Equipment Maximum Chassis Leakage Current
DC ma | AC ma RMS | DC ma | AC ma RMS |
0.700 | 0.500 | 0.350 | 0.250 |
Reference: 394; 399; NASA-STD-3000 502
Chassis Leakage Current - Patient Care Equipment
The chassis leakage currents for patient care equipment shall not exceed
the values shown in Figure
Leakage current shall not exceed 0.140 ma DC for grounded patient care
Equipment, and leakage current shall not exceed 0.070 ma DC for double-insulated
patient care Equipment.
Figure Patient Care Equipment Maximum Leakage Current
Patient Interface | DC ma | AC ma RMS | DC ma | AC ma RMS |
Invasive | 0.014 | 0.010 | Not Permitted |
Non-Invasive | 0.070 (1) | 0.050 (1) | 0.070 | 0.050 |
Patient Interface | DC ma | AC ma RMS | DC ma | AC ma RMS |
Invasive | 0.140 | 0.100 | 0.070 | 0.050 |
Non-Invasive | 0.140 | 0.100 | 0.070 | 0.050 |
1. If equipment labeling indicates isolated, the maximum current
is 0.014 ma dc/0.010 ma RMS.
Reference: 394; 399; NASA-STD-3000 501
Crewmember Applied Current
Crewmembers shall not be exposed to excessive levels of leakage current
from direct or indirect contact with electrically powered equipment.
Equipment qualification shall include verification of acceptable patient
connection leakage currents as defined within paragraph Leakage current test procedures for DC powered equipment
shall not include reversed polarity input power test.
The leakage currents for patient care equipment as seen from the patient
end of cables or terminals shall not exceed the values shown in
Leakage currents shall be tested:
a. lead to ground
1. between each patient lead and ground, and
2. between combined patient leads and ground; and,
b. between leads
1. between any pair of patient leads, and
2. between any single patient lead and all other patient leads.
Leakage Current - Patient Care Equipment - Patient Connection - Isolated
a. Invasive Patient Interface - Isolated, patient connected, patient
care equipment leakage current shall not exceed 0.014 ma DC for isolated,
patient connected, patient care, Equipment such as intra-aortic pressure
b. Non-Invasive Patient Interface - Isolated, patient connected, patient
care equipment leakage current shall not exceed 0.070 ma DC for isolated,
patient connected, patient care, Equipment such as muscle stimulators
utilizing attached body surface electrodes provided that equipment labeling
does not indicate the equipment is isolated.
Leakage Current - Patient Care Equipment - Patient Connection - Ordinary
Ordinary, patient connected, patient care equipment leakage current
shall not exceed 0.070 ma DC for ordinary, patient connected, patient
care, Equipment such as blood pressure cuffs, thermometers, and limb
muscle stimulators.
Health Maintenance System Instrumentation Grounding
Any two exposed conductive surfaces in the instrumented crewmember's
vicinity shall not exceed a 40.0 millivolt potential difference at frequencies
of 1000 Hertz or less measured across a 1000 ohm resistor. Conductive
surfaces which can be contacted by an attending crewmember while the
attending crewmember is in contact with the instrumented crewmember
shall be considered as within the crewmember's vicinity.
Countermeasure
Any two exposed conductive surfaces in the instrumented crewmember's
vicinity shall not exceed a 40.0 millivolt potential difference at frequencies
of 1000 Hertz or less measured across a 1000 ohm resistor. Conductive
surfaces which can be contacted by an attending crewmember while the
attending crewmember is in contact with the instrumented crewmember
shall be considered as within the crewmember's vicinity.
Portable Medical Instrumentation
While attached to a crewmember, electrically powered medical instrumentation
shall be:
a. battery powered,
b. double insulated,
c. electrically isolated from ground, and
d. not connected to vehicle power (e.g., charging).
Bioinstrumentation System Microshock Protection
All bioinstrumentation systems shall be designed with sufficient series
resistance/isolation to limit to safe levels electrical shock currents
that could flow through an instrumented crewmember including as the
result of:
a. contact with available electric sources, including those sources
applied by an attending crewmember's simultaneous contact with the instrumented
crewmember and other equipment or ground, and
b. transients that may occur when the bioinstrumentation is either
energized (turned ON) or deenergized (turned OFF).
Bioinstrumentation shall be designed with fault tolerant protection
to prevent exceeding the current limit requirements defined within
Maximum Permissible Bioinstrumentation Fault Current
(milliamperes dc/rms) |
(para. |
0 | 0.014 / 0.010 |
1 | 0.014 / 0.010 |
2 | 0.020 / 0.020 |
(para. |
0 | 0.070 / 0.050 |
1 | 0.140 / 0.100 |
2 | 0.500 / 0.500 |
Reference: 405; NASA-STD-3000
6.5.1 Introduction
This section provides the design considerations and design requirements
for surface touch temperature limits, both the upper and lower temperature
limits, for IVA applications.
(Refer to Paragraph,
EVA Touch Temperature and Pressure Design Requirements, for EVA-unique
touch temperature limitations.)
6.5.2 Touch Temperature Design Considerations
Definition of surface touch temperature limits depends on several factors:
a. Temperature of the surface to be touched
b. Duration of touch
c. Degree of thermal control
1. Finish on surface
2. Force of contact
3. Size of contact area
d. Diffusivity of the surface touched. Diffusivity is determined by
the thermal conductivity divided by the product of the density of the
material times its specific heat.
Tissue burns can occur when skin temperature reaches 45°C (113°F).
Objects at temperatures in excess of this can be touched safely, depending
on the variables listed above, as long as skin temperature is not raised
to this level during the period of contact.
The lower temperature limits for surfaces continuously touched by the
bare skin are controlled by the dew point and the variables listed above.
6.5.3 Touch Temperature Design Requirements
Surface touch temperature design requirements for minimizing crewmember
discomfort and injury are as follows:
a. The design goal for the maximum surface temperatures which can come
into contact with bare skin shall be 40°C (104°F).
b. The maximum allowable surface
temperature for continuous contact with bare skin shall be 45°C
c. Incidental or momentary bare skin contact with surface temperatures
from 46° - 49°C (114° - 120°F) is permissible. Warning
labels shall be provided to alert crewmembers to these excessive temperature
levels. Guards or insulation shall be provided to prevent crewmember
contact with surface temperatures in excess of 49°C (120°F).
Where contact with surfaces above this limit is required, adequate warning
labels and protective equipment are required.
d. For surfaces that must be touched with bare skin, the minimum temperature
shall not be below 4°C (39°F). Where contact with surfaces below
this limit is required, adequate warning labels and protective equipment
are required.
(Refer to Paragraph,
EVA Touch Temperature and Pressure Design Requirements, for EVA-unique
touch temperature requirements.)
6.6 FIRE
6.6.1 Introduction
This section provides fire hazard design considerations and requirements
that pertain to the man/system interface. This includes fire detection
and warning, crew interfaces with fire extinguishing systems, and crew
emergency procedures. Materials selection, sensors, extinguishing systems
are outside the scope of this document. Users interested in these topics
should refer to Reference 1,
Section 3.5.2, and Reference 21,
6.6.2 Fire Protection and Control Design
Fire is one of the most difficult hazards with which to cope in the
aerospace environment. From the first statement of mission concept,
the interactions between fire hazards and vehicle configuration must
be analyzed and corrective action initiated during the initial design
phases when cost is at a minimum.
a. Fire Hazard - Any cabin atmosphere where oxygen concentration is
greater than 30% by volume is considered hazardous and special considerations
must be made. Although the fire hazard is reduced significantly by the
use of a two-gas system, it cannot be completely eliminated. The ignition
temperature of most materials is decreased as much as 50% when exposed
to this type of atmosphere. Spacecraft atmospheres of 100% oxygen amplify
the dangers of fire once ignition occurs. This increased potential fire
hazard places special emphasis on material selection and system design.
Only materials with high ignition temperatures, slow combustion rates,
and low explosion potentials should be used inside the pressurized cabin.
Atmosphere movement by ventilation, cabin venting, or even crew movement
can resupply the fire with oxygen, allowing flame propagation in the
absence of convection.
First response during a fire emergency in a shirtsleeve environment
should be to don an oxygen mask and turn off cabin ventilation. The
oxygen mask is necessary because rapid oxygen consumption and toxic
products of combustion allow little time for corrective action once
the fire starts.
Careful design and proper choice of atmosphere and materials, in conjunction
with a design hazard study to reduce flame propagation, can ensure that
the three conditions of combustion (fuel, oxygen, and ignition source)
are not encountered.
b. Toxic Hazards - Within the confines of a space module, toxic products
of combustion may pose a serious threat to the crew since the oxygen
supply is limited and large amounts of carbon monoxide can be generated.
c. Fire Extinguishing - The fire potential within a spacecraft cabin
cannot be totally eliminated. Spacecraft atmospheres make the cabin
a fire zone and so require fire detection and extinguishing systems.
Materials should be selected which minimize the likelihood of ignition,
limit the spread of fire, and are self-extinguishing. Housekeeping also
affects this potential because pure, nonflammable waste does not exist.
Toxic and flammable gases from waste can evolve and the interaction
of various items can cause spontaneous combustion. Therefore it is necessary
to consider an integrated spacecraft fire extinguishing system. Selection
of a fire extinguishing system for a spacecraft presents a unique problem.
It must be usable in a microgravity environment and be completely compatible
with an enriched oxygen atmosphere. In addition, the extinguishing agent
must not support combustion in an oxygen enriched environment, emit
toxic or anesthetic products when applied to a fire, interfere with
visual observation, or result in liquid or solid residue that will contaminate
the spacecraft. Information available indicates three agents which best
satisfy these basic requirements: carbon dioxide, Halon 1301, and water
or water based agents.
d. Venting - Venting or cabin depressurization may be useful in dealing
with accidental fires or cleanups. Venting action may initially accelerate
flame propagation, depending on vent location and other considerations.
Venting may be impractical as an operational technique for the following
reasons: crewmembers are normally not in space suits; the time needed to
don space suits; the ability to don a suit without assistance; the ability
to don a suit in poor lighting (electrical equipment damage); and other
stress factors. The quantity
of oxygen onboard is a governing factor in determining the use of venting.
Therefore, if the loss of oxygen in an unmanned area or compartment
can be tolerated, then the possible use of venting for fire control
or cleanup should be considered.
e. Detection Systems - The ability to detect an in-flight fire is difficult
to predict. Open fire may be seen, although the heat load may not be
sensed. Convection is provided in manned areas and this could make smoke
visible or cause its odor to be detected. The enclosed out-of-sight
regions around electrical equipment may not produce convection. Incipient
overheated conditions may exist for extended periods before a fire occurs.
These are not easy to detect unless sensors are provided. Also, the
effect of microgravity, without convection or reduced convection, may
cause no initial flame flicker.
(Refer to Reference 21,
DN3N2, for more detailed discussion of manned spacecraft fire protection
and control.)
6.6.3 Fire Protection and Control Design
{A}
Fire protection and control design requirements are given below.
General Requirements
{A}
Fire Protection System
A fire protection system comprising detection, warning, and extinguishing
devices shall be provided during all mission phases.
Material Selection
Only approved fire-retardant materials shall be used.
Detection Requirements
{A}
Detection System Signals
The fire detection system shall provide signals to the vehicle warning
system.
Reset and Self-test
The fire detection system shall have reset and self-test capabilities.
Sensor Replacement
All sensors shall be replaceable and accessible.
Warning System Requirements
Warning - General requirements for the fire warning system are as follows:
(Refer to Paragraph 9.4,
Caution and Warnings, for complete description of design considerations
and requirements.)
a. The caution and warning system shall include a fire warning system
to alert the crew in case of a fire.
b. The fire warning system shall be capable of operating independently.
c. Warnings shall be both visual and auditory to provide maximum information
to the crew for timely action.
d. The visual fire warning display shall be aviation red in accordance
with MIL-STD-25050.
Extinguishing Requirements
a. Automatic extinguishing equipment shall be provided to aid the crewmember
in containing and extinguishing fires.
b. Design of the vehicle and its components shall provide for rapid
access with fire fighting equipment.
c. Chemical agents used for fire extinguishing shall be compatible
with the toxicity requirements of the spacecraft.
d. Portable fire extinguishers shall be provided for open areas and
a fixed fire extinguishing system shall be provided for enclosed inaccessible
e. Capability for removal of expended fire extinguishing material during
post-fire cleanup shall be provided.
f. Automatic extinguishing systems shall incorporate a disabling feature
to prevent inadvertent activation during servicing.
The major effects of failure of a pressurized cabin or a space suit
arise from:
a. hypoxia due to the reduction in the partial pressure of oxygen in
the lungs,
b. decompression sickness due to the evolution of nitrogen bubbles
in the blood and tissues,
c. expansion of gas within various body cavities,
d. cold injury and hypothermia due to exposure to low ambient temperatures
and convective cooling of the individual,
e. and vaporization of tissue fluids.
The physiological constraints imposed by these potential hazards require
judicious tradeoffs in order to meet engineering limitations and operational
objectives so that performance, comfort, and protection of crewmembers
are not compromised.
6.7.1 Hypoxia
Hypoxia is the most serious hazard following decompression. Although
the degree of hypoxia is primarily related to the pressure to which
the crewmember is exposed, the pressure differential and rate as well
as the time elapsing before an adequate pulmonary partial pressure of
oxygen is restored also influence the degree of hypoxia in the
period immediately following the decompression.
6.7.2 Decompression Sickness
The incidence of symptoms of decompression sickness depends on the
absolute pressure and the duration of exposure. There are wide differences
between individuals in their susceptibility to decompression sickness.
Several factors seem to predispose individuals to decompression sickness,
such as age, obesity and physical activity.
6.7.3 Gas Expansion
Gas expansion is generally not a significant problem during rapid decompression.
Gas-containing body cavities include the lungs, middle ear, sinuses,
and gastrointestinal tract. Although the lung contains the largest volume
of gas, rarely does pulmonary barotrauma occur; an overpressure of approximately
80 mm Hg is required. If pulmonary barotrauma occurs, a secondary hazard,
arterial gas embolism, can occur.
6.7.4 Short Duration Exposure
A short duration exposure to low temperatures will not cause serious
impairment of performance or serious injury to individuals wearing lightweight
clothing which encompasses the whole body. However, if exposure to low
temperature lasts for more than a few minutes, uncovered skin will be
damaged and general hypothermia may occur.
6.7.5 Vaporization of Tissue Fluids
Vaporization of tissue fluids will occur on exposure to pressures less
than 47 mm Hg if portions of the body remain unpressurized. The need
to maintain adequate oxygen pressure in the respiratory tract, and hence
throughout the cardiovascular system to prevent hypoxia, also prevents
vaporization of tissue fluids, except in the skin and subcutaneous tissues
of unpressurized regions of the body.