Institutional Review Board

Preparing for Research  |  Safety Review Process (Safety & Mission Assurance Office)


As a portion of the assurance aspect required in 45 CFR 46 and 14 CFR 1230, the NASA Institutional Review Board (IRB) performs a safety assessment of the proposed research and research related hardware with the assistance of the JSC Safety and Mission Assurance Directorate.

A protocol may be subject to three separate but unique safety assessments. These are:

A. IRB Safety Review

Assesses hazard analysis

Reviews research subject hardware safety

B. Payload Safety Review (for protocols conducted during orbital flight)

Assesses hazard analysis related to the flight environment

Reviews hardware safety to be operated in flight environment

C. Test Readiness Review

Verifies that all actions required prior to testing are complete

A. IRB Safety Review

Assesses the hazard analysis and safety of the hardware used in the protocol.

Does not assess efficacy or accuracy of the hardware, only that it is safe for use in the intended environment.

1.Hazard Analysis

A hazard analysis (HA) is an organized method for identifying hazards and hazard controls in a system and is needed prior to completing the risks in Section 5.6(a) of the e-IRB. You will attach your HA to the protocol in Section 5.6(c). An HA has, as a minimum:

a list of hazards that may be encountered as a result of conducting the protocol

what happens as a result of the hazard being realized

controls that are in place to prevent or mitigate the results of the hazard

2.Hardware Safety Assessment

The e-IRB protocol template asks questions about the hardware and devices that you will use during your research.

Do not list devices that meet all the following criteria:

FDA certified or European Union CE marked as being Medical Device Directive (MDD) 93/42/EEC compliant

unmodified from the FDA or CE marked versions

used in accordance with the manufacturers published guidelines

during operation does not radiate or store electrical, thermal, or mechanical energy as a primary function

FDA or CE marked radiographic and ultrasonic imaging devices are excluded from this requirement unless they have been modified or are being used outside the manufacturer's recommendations.

Computers used to collect and store data are excluded from this requirement, however computers and the software used to control hazardous operations are not excluded.

Any device that will be in electrical contact with the research subject must show compliance with ANSI/AAMI ES1-1993, "Safe Current Limits for Electromedical Apparatus."

Information required on all hardware that is not FDA certified or CE marked:

For electronic equipment include a:

block diagram

detailed schematic

description of circuit operations

description and test data for software that controls critical functions

For mechanical devices include:

detailed design data

structural or loads analysis showing factors of safety

Information required on all hardware that has been modified:

description of any hardware modifications that have been made,

explain how these changes have not modified the safety of the hardware,

attach design data as required to support these statements.

For hardware that is not being used in accordance with the manufacturers guidelines provide justification that addresses how the research subject’s safety will be maintained.

Provide a list of all hardware whose primary function is to radiate or store electrical, thermal, or mechanical energy that could come into contact with the research subject during their operation. Include devices even if they are FDA certified or MDD 93/42/EEC complaint and CE marked? Do not include radiographic imaging or ultrasound hardware.

You will be contacted should additional information be required. Delays in submittal of this data will delay approval of your protocol.

B. Payload Safety Review

Assesses hazard analysis related to the flight environment

Reviews hardware safety to be operated in flight environment

Payload Safety Review and Data Submittal Requirements

provides a complete discussion of this topic.

C. Test Readiness Review (TRR)


A Test Readiness Review (TRR) is required before all man-in-the-loop testing or series of tests. The review outlines the test plan and identifies all procedures that have the potential to be hazardous. Facility systems and equipment, diagnostic medical tests, and medical treatment procedures are excluded from the TRR. JPR 1700.1, JSC Safety & Health Handbook contains a section on the TRR process.

JSC Safety & Health Handbook

A TRR must:

Determine the readiness of the test facility and the test protocol;

Verify the adequate completion of the safety assessments;

Determine the status and closure of key issues;

Review the test constraints;

Review the open items;

Verify the qualification or certification of the test team;

Review emergency procedures.

A TRR must be completed, and all assigned actions must be closed, before any manned evaluation of equipment or test setup is conducted.

TRR approvals are for a 12 month period for tests operating within the constraints of the original protocol Modified procedures and updated safety analysis may require additional review.

TRRs will be conducted for 'Real Time' or 'Quick-Turnaround Testing' to support a timely start or safe continuation of a space mission. An S&MA representative shall be present for any procedure reviews and the TRR.

2.TRR Personnel

The Medical Officer (MO) or Medical Representative (MR) must be present during each test. The detailed test procedures must specify when each member is to be present, if not required throughout the entire test.

Must certify the fitness of test team personnel to perform hazardous operations and of test subjects to participate before any hazardous testing begins;

Attends the TRR and be informed of the procedures, reasonable risks, and known hazards;

Reviews the protocol to ensure that there are well defined upper limits for maximum physical exertion that will minimize the likelihood of injury;

Monitors tests under the following conditions:

Level 1 and Level 2 "Reasonable Risk" Protocols;

Personnel in hypobaric, hyperbaric, and oxygen-enriched environments;

Suited underwater neutral buoyancy operations;

Ambient pressure suit operations using other than ambient air or where the suit pressure is greater than 8.8 psid

The following individuals have the authority to terminate the test and initiate a review of the test protocol by the IRB before testing is allowed to resume:

Principal investigator;

Medical monitor, PCO, or crew surgeon;

Test subject;

NASA test director;

Mission manager or equivalent; or

IRB Chairperson.

3.Safety and Mission Assurance (S&MA)

S&MA must be informed of upcoming TRR test activities by test request, schedule, or by other means.

4.Test System Requirements

Test System Requirements for all hazardous and non-hazardous test systems:

Test systems must be designed and constructed so that a single-point failure, loss of utilities, fluctuation of utilities, or software command cannot cause injury or property damage. Follow fault tolerance requirements in Paragraph 109 of NHB 1700.1 (V1-B) NHB 1700.1 (V1-B), "NASA Safety Policy and Requirements Document."

Test systems used in oxygen-enriched, high-vacuum, or enclosed environments must undergo materials scrutiny as defined by the testing organization's material control process. If the facility does not have a material control process, the test system's materials must follow the material control requirements of NHB 1700.1H, Part 10 "Safety and Health Requirements for Test, Vacuum, and Oxygen-enriched Facilities."

Safety instrumentation must be calibrated and certified before the test and as required by the test documentation or the testing organization's operating procedures.

For non-hazardous test, follow Paragraphs 4, 8, 9, and 10 (operating procedures, test systems, and test team members) of this appendix and any other requirements that you or SMA decide to include. Test documentation should be made available to S&MA on request.

Software that controls test systems must meet NASA-STD-8719.13, "NASA Software Safety Standard."

Make sure that no test team member can be exposed to hazardous materials used in the system.

5.Human Test Systems

Human test systems must meet the additional following requirements:

Have a means of immediately detecting an incipient fire or other hazardous condition in each occupied compartment of any test area. Automatic detection must be provided for critical areas not suitable for visual monitoring.

Be designed for rescue of an incapacitated test subject.

Be designed for safe test termination and removal of test subjects if a power failure, fire, or other emergency occurs.

Have software controlling test systems analyzed to make sure no command can cause death or injury to test subjects.

Provide manual overrides for software commands to ensure the safety of test subjects. The commands must support safe test termination and egress of the test subject;

Plan for maintaining voice and visual contact with test subjects, providing backup voice communications if feasible. Deliberate loss of voice or visual (but not both simultaneously) communications as part of a test is allowed if it is documented in the approved test procedures;

Ensure appropriate emergency medical equipment and treatment is available.

Keep a hyperbaric treatment chamber on standby during the following test operations with human subjects:

Pressure-suited operations in a vacuum or underwater environment;

Ambient pressure suit operations where the suit pressure is greater than 8.8 psi above ambient;

Pre-breathe studies, vacuum chamber runs or other studies utilizing a hypobaric environment;

Have an MO certify test subjects for participating in hazardous operations;

Stop the test when a test subject requests that the test be discontinued;

Monitor critical physical parameters on test subjects using MO designated instrumentation.

6.Overall Test Plan

The following documentation must be completed as part of the overall test plan. Everything but the test report and the mishap report must be completed before the test. A test plan must be written for each new study and include the following as a minimum:

Test objectives;

Safety and medical planning provisions and known medical issues;

Test requirements;

Special safety considerations;

Other items, if required by the testing organization.

7.Detailed Test Procedures (DTP)

The DTP describes the steps that will be used to run the test. Test procedures should be made available for critical review at least 1 to 5 days before the TRR. Each DTP containing safety-critical steps must state that on the cover page. DTPs must include the following:

Operating procedures, including the method of documenting the results of safety assessment;

Measures to prevent mishaps;

Emergency procedures to be taken in the event of systems failure or malfunction such as fire, smoke, power outages, and system failure. Emergency procedures must be immediately available to personnel at their duty stations unless it isn't practical (such as divers).

Test rules which define equipment and instrument limits, operating limits, off-nominal conditions, and operational situations which would require abort, hold, or proceed decisions for each test or checkout operation;

Safety requirements, individual tasks, and personnel involved in hazardous operations;

Special considerations and procedural steps that address and update specific hazards identified during the hazard analysis process. These and steps containing actions critical to the protection of life or property must be flagged as safety critical steps for easy identification by test team personnel;

A safety assessment that identifies specific subjects and identifies the hazards associated with the test, the hazard controls, and verifications in the operating procedures. The process should begin in the early phases of test planning and operations and should involve S&MA at every step as there must be S&MA concurrence on DTPs.

Elimination, control/closure or the risk acceptance of all hazards before testing begins;


NHB 1700.1H "Hazard and job safety analysis," on system safety requirements and concepts;

JSC 17773, "Instructions for the Preparation of Hazard Analysis for JSC Ground Operations," for format or thought processes for conducting safety assessments;

MIL-STD-882, "System Safety Program Requirements;"

NHB 1700.1(V3), "System Safety."

8.Test Readiness Review Board (TRRB)

A management official or designee from the testing organization who is not personally involved with the test will chair the TRRB. The TRRB will include representatives from:

S&MA Test Safety Officer;

S&MA Quality Assurance (for tests supported by the Quality Assurance Group);

The Medical Operations Branch or IRB Compliance Officer;

Other members who are selected for their special knowledge;

The members will sign a TRRB summary sheet/readiness statement to indicate approval for the test to proceed.

A TRRB summary sheet generally will include:

Test objective;

Statement covering test article's readiness;

Test schedule;

Approval of the staffing, operation, procedures, and safety assessments.

9.Post Test Review

A post-test debriefing discusses the test results and any test or facility anomalies with all significant test team members.

Test Report includes any anomalies, safety implications, and safety lessons learned. Forward a copy of the report to S&MA. You may send lessons learned by means other than the report.

Notify the S&MA Office of the post-test debriefing if safety issues or significant anomalies arose during the test activities.

Mishap Report: Submit a mishap report for any incident causing damage or injury or for any incident that could cause damage or injury (close call).