Conduct an article research regarding a component, system, or device that has improved aviation safety. Summarize the article, explain and correlate the relevancy of the article to the module and, of course, have the proper citation.
GPS Integrity and Potential Impact on Aviation Safety
Washington Y. Ochieng and Knut Sauer
(Imperial College of Science, Technology and Medicine) David Walsh and Gary Brodin
(University of Leeds) Steve Gri?n and Mark Denney
(The Civil Aviation Authority)
This paper assesses the capability of GPS to provide the level of safety required for di?erent aircraft ?ight navigation operations. It presents an analysis of the protection o?ered against potentialcatastrophicGPSfailuresatsystemanduserlevels.Thisisfollowedbyanassessment of the di?erent approaches to augmenting GPS for civil air navigation. Results show the inadequacy of GPS as a system for real-time safety critical use.
1. Air Navigation. 2. CNS/ATM. 3. GNSS. 4. Augmentation. 5. Safety.
1. INTRODUCTION. Because of the continued growth in air travel world- wide and the inability of traditional air tra?c control systems to cope with the de- mand for airspace capacity, the International Civil Aviation Organisation (ICAO) established the Special Committee on Future Air Navigation Service (FANS) to carry out research into new technologies and to make recommendations for the future development of navigation systems for civil aviation. This led to development of a satellite-based system concept to meet the future civil aviation requirements for communication, navigation, and surveillance/air tra?c management (CNS/ATM). The navigation function of CNS/ATM is to be supported by the use of signals from global satellite navigation systems (GNSS). GNSS must provide the required navi- gation performance (RNP) for civil aviation, speci?ed in terms of the four parameters of accuracy, integrity, continuity of service and availability. Of the RNP parameters, integrity (i.e. the trust that can beplaced in the informationsupplied by the navigation system) is the one that relates most directly to safety and is therefore a crucial element, particularly for safety critical applications such as civil aviation. The main GNSS currently in use for some navigation applications is GPS. CivilaviationauthoritieshavetobesurethattheintegrationofGPSintotraditional and novel safety related applications is done without compromising safety. An im- portantpartofthisistheneedtoensurethatsafetyissuesbothintermsofrequirements and performance limitations associated with the use of GPSfor civil air navigation are clearly understood by service providers and users.
THE JOURNAL OF NAVIGATION (2003), 56, 51?65. f The Royal Institute of Navigation DOI: 10.1017/S0373463302002096 Printed in the United Kingdom
This paper addresses this issue by assessing the level of integrity a?orded by GPS, and the impact that this has on the safety of civil aviation. In particular, the level of integritya?orded by GPS both at system and user level (through receiver autonomous integrity monitoring, RAIM) are investigated. The capability to perform RAIM is analysed and quanti?ed with the aid of a simulation model. Several techniques for augmenting GPS to achieve the integrity requirement for civil aviation are also investigated and quanti?ed.
2. REQUIRED NAVIGATION PERFORMANCE. Required navi- gation performance (RNP) is a concept endorsed by ICAO and is a statement of the navigation performance necessary for operation within a de?ned airspace. RNP is speci?ed for the di?erent phases of ?ight or RNP types in terms of the four par- ameters of accuracy, integrity, continuity and availability. It is important to note that the de?nition of RNP is for the total system including the navigation signal-in- space (SIS), the airborne equipment, and the ability of the aircraft to ?y the desired trajectory. This paper assumes that the airborne receiver is fault free (at the very least meeting the minimum operational performance standards for airborne equipment to be used with GPS), and concentrates on SIS requirements to assess the capability of GPS. A detailed explanation of the concept of RNP and the quanti?cation of the parameters can be found in ICAO (1999; 2000). The performance requirements expected of a global navigation satellite system such as GPS expressed in terms of the RNP par- ametersaregiveninTable1(ICAO,2000;Volpe,2001;RTCA,1998;USDoD,2000). In order to facilitate the understanding of the contents of Table 1, a brief explanation for each of the performance parameters is given below.
Table 1. GNSS Aviation Operational Performance Requirements.
Integrity (1xRisk) Alert Limit
Continuity (1xRisk) Availability Oceanic 12.4 nm 1x10x7/hr 12.4 nm 2 min 1x10x5/hr 0.99 to 0.99999 En-route 2.0 nm 1x10x7/hr 2.0 nm 1 min 1x10x5/hr 0.99 to 0.99999 Terminal 0.4 nm 1x10x7/hr 1.0 nm 30 sec 1x10x5/hr 0.99 to 0.99999 NPA 220 m 1x10x7/hr 0.3 nm 10 sec 1x10x5/hr 0.99 to 0.99999 APVI 220 m (H) 1x2r10x7/0 .3 nm (H) 10 sec 1x8r10x6/0 .99 to 0.99999 20 m (V) approach 50 m (V) 15 sec APVII 16 m (H) 1x2r10x7/ 40 m (H) 6 sec 1x8r10x6/0 .99 to 0.99999 8 m (V) approach 20 m (V) 15 sec Cat. I 16 m (H) 1x2r10x7/ 40 m (H) 6 sec 1x8r10x6/0 .99 to 0.99999 4.0?6.0 m (V) approach 10?15 m (V) 15 sec Cat. II 6.9 m (H) 1x10x9/15 sec 17.3 m (H) 1 sec 1x4r10x6/0 .99 to 0.99999 2.0 m (V) 5.3 m (V) 15 sec Cat. III 6.2 m (H) 1x10x9/15 sec 15.5 m (H) 1 sec 1x2r10x6/0 .99 to 0.99999 30 sec (H) 2.0 m (V) 5.3 m (V) 1x2r10x6/ 15 sec (V)
(H) denotes the horizontal requirement and (V) denotes the vertical requirement, which is the more stringent.
52 WASHINGTON Y. OCHIENG AND OTHERS VOL. 56
2.1. Accuracy. Accuracy is de?ned as the degree of conformance of an estimated ormeasuredpositionatagiventimetoade?nedreferencevalue.Ideally,thisreference valueshouldbeatruevalue, ifknown,orsomeagreed-upon standard value. Accuracy should not be confused with precision, which denotes a measurement quality that describes how well repeated measurements agree with themselves rather than with a reference value. The accuracy requirement of aGNSS navigation system is speci?ed at the 95th percentile, i.e. for anyestimated position at aspeci?c location, the probability that the position error is within the accuracy requirement should be at least 95%. 2.2. Continuity. Continuity of a navigation system is its capability to perform its functionwithoutnon-scheduledinterruptionsduringtheintendedperiod ofoperation (POP). It relates to the capability of the navigation system to provide a navigation output with the speci?ed level of accuracy and integrity throughout the intended POP, assuming that it was available at the start of the operation. The POP depends on the phase of ?ight, for example, 1hour for en-route. Continuityrisk is the probability that the system will be interrupted and not provide guidance information for the intended POP. The risk is a measure of system unreliability. 2.3. Availability. Availability is de?ned as the percentage of time during which the service is available (i.e. reliable information is presented to the crew, autopilot or other system managing the ?ight of the aircraft) for use taking into account all the outages whatever their origins. The service is available if accuracy, integrity and con- tinuity requirements are satis?ed. Unlike ground navigational aid infrastructures, the availabilityofGNSSiscomplicatedbythemovementofsatellitesrelativetoacoverage area and the potentially long time to restore a satellite in the event of a failure. Accuratelymeasuringtheavailabilityofsuchasystemwouldtakemanyyears,toallow the measurement period to be longer than the mean time before failure and to repair (MTBF and MTTR). Hence the availability of GNSS is determined through design, analysisandmodelling,ratherthanmeasurement.Truesystemavailabilitycanonlybe determined (by measurement) after the end of its life. 2.4. Integrity. Integrity relates to the level of trust that can be placed in the informationprovidedbythenavigationsystem.Itincludestheabilityofthenavigation systemtoprovidetimelyandvalidwarningstouserswhenthesystemmustnotbeused fortheintendedoperationorphaseof?ight.Speci?cally,anavigationsystemisrequired to deliver a warning (an alert) of any malfunction (as a result of a set alert limit being exceeded) to users within a given period of time (time-to-alert). Integrity risk, also referred to as the probability of misleading information, is de?ned as the probability that the navigation positioning error exceeds the alert limit and that the event is not detected. Loss of integrity can happen in one of two ways. Either an unsafe condition is not detectedoritisdetected,butthealertisnotreceivedbytheuserwithinthetime-to-alert. The alert limit de?nes the largest position error, which results in a safe operation. This is speci?ed such that the error can degrade to a level larger than the 95th percentile accuracy requirement but still within a safe limit. Time-to-alert is de?ned as the maxi- mumtimeallowedfromthemomentafaultresultinginanunsafeconditionisdetected to the moment that the user is made aware of it. Traditionally, some component of the navigation system and/or an independent monitoring unit assures integrity by monitoring the transmitted signals and provides a timely warning when they are out of speci?cation. For example, LORAN-C pro- vides system integrity by monitoring timing accuracy. Stations that exceed the system
NO. 1 GPS AND AVIATION SAFETY 53
tolerance, nominally 100 nanoseconds, transmit blinking signals. This starts within 60 seconds of detecting an anomaly. VHF omni-directional range (VOR) aviation beacons use an independent monitor to supply system integrity and remove a signal from use within 10 seconds of an out-of-tolerance condition. Integral monitors in instrumentlandingsystemandmicrowavelandingsystemfacilitiesexcludeanomalous signals from use within one second (US DoD, 2000). This paper assesses how the navigation system GPS deals with the issue of integrity and whether this satis?es the requirements in Table 1.
3. GPS FAILURE MODES. GPS is a complex system based on data mess- ages transmitted from a constellation of satellites. There is a potential for failure at any one of a number of stages, from the production of the data messages and their upload to the GPS satellites, to their transmission, reception and processing within the user receiving equipment. The following sub-sections present a number of things that could go wrong (and result in loss of integrity) at system, operational environ- ment and user receiver levels. The lists have been compiled from a number of sources (Barker and Huser, 1998; Cobb et al., 1995; Walsh and Daly, 2000; Pullen et al., 2001) and contribute to the justi?cation for the need for integrity monitoring. 3.1. System level. System level failures are those that occur within the space segment, the control segment, and the interface between the two (i.e. data trans- mission). Such failures, for example, due to weaknesses in satellite design and al- gorithms within the Master Control Station (MCS) environment, mainly result in excessive range errors. The failure modes are listed in six categories; those related to erroneous clock behaviour, incorrect modelling and malfunction of the MCS, satellite payload performance, space vehicle performance and RF performance as shown in Tables 2a, 2b, 2c, 2d, 2e and 2f. In each case, a high level analysis of the impact has been carried out and in some cases the impact has been quanti?ed. 3.2. Operational environment. These failures are mainly due to interference (in- tended and unintended) and the e?ects of the media along the signal path. The failure modesarelistedinthreecategories;intendedinterference,unintendedinterferenceand signal propagation as shown in Tables 3a, 3b, 3c. In each case a high level analysis of the impact has been carried out. The primary signal characteristic that makes GPS vulnerable to interference is the low power of the signal. A receiver can loose lock on a satellite due to an interfering signal that is only a few orders of magnitude stronger than the minimal received GPS signalstrength(10?16watt, equivalenttox160 dBw).Areceivertryingtolockontoa GPS signal requires 6 to 10 dB more carrier-to-noise ratio than required for tracking (Niesner and Johannsen, 2000; Volpe, 2001). The intervening media between the satellite and the antenna also a?ect signal propagation. This includes the e?ects of the ionosphere, troposphere and multipath. 3.3. User receiver. These failures relate to the end user and the end-user equip- ment, i.e. receiver and receiver software. Failures related to humans include the lack of adequate training, over-reliance on a single navigation system etc. It is import- ant to state that receivers for use with GPS for safety critical applications such as aviation must be certi?ed to meet the minimum standards as speci?ed by the rel- evant authorities. This certi?cation process must also be as vigorous as possible to ensure that failures such as those observed on some certi?ed receivers do not occur
54 WASHINGTON Y. OCHIENG AND OTHERS VOL. 56
Table 2a. Performance failures related to erroneous clock behaviour.
Performance failures Comments
Satellite speci?c clock misbehaviour (based on type of atomic time standards used) often not detected. No no- ti?cation is given either within the navigation message or through NANU. Satellite clock jumps leading to excessive pseudo-range deviation. Malfunctions in the atomic frequency standards. Actual failure: In July 2001, a GPS satellite had a clock failurethatcausedrangeerrorsofthousandsof metres.The errorlastedforapprox90minutes(Clockfailuresareoneof the most common GPS failures).
This can result in excessive code and carrier noise up to range errors of several thousand metres. Drifting L1/L2 frequencies leading to wrong range and Doppler measurements and loss of lock.
Table 2b. Performance failures related to incorrect modelling and malfunction in the MCS.
Performance failures Comments
Incorrect modelling of orbital parameters during and after a period of eclipse because of excessive temperature gradients leading to the need of more frequent navigation uploads. The Kalman clock state does not show a clear convergence. Incorrect modelling in the MCS Kalman ?lter due to shortcoming in the weighting mechanism. Actualfailure:Afailureoccurredon12?22March1993due to erroneous modelling of the satellite orbitsresulting in the broadcast of incorrect satellite co-ordinates. The failure causedrangingerrorsto increase steadilyover thecourseof nearly two weeks. This did not show up in the performance monitoring system at the time. The range errors were up to 40 m. Actual failure: A failure occurred which was caused by incorrect modelling of the orbital parameters during and after a period of eclipse. The e?ect was seen as a steadily increasing range error.
This can result in wrong satellite altitudes leading to wrong range measurements due to wrong ephemeris data.
Table 2c. Satellite payload related performance failures.
Performance failures Comments
Non-standard code due to open time keeping system (TKS) loops (Block IIR). If this happens at the same time the telemetry is output by the navigation data unit (NDU), a reset of the main processor may occur. Erroneous or corrupt navigation data due to several reasons (e.g. the ionisation of silicon material used in memory devices by heavy ion cosmic rays and energy particles from the sun) leading to degraded navigation performance.
This can lead to incorrect navigation data or range errors. Satellites reset their processors every 24 se- conds(BlockII/IIA)tomonitorqualityofnavi- gation data (e.g. stored in memory). Block IIR satellites use a watchdog monitor (WDM) to decide when a reset must occur.
NO. 1 GPS AND AVIATION SAFETY 55
Table 2c (cont.)
Performance failures Comments
Actual failure: A failure which caused a range rate error, a range jump and a loss-of-lock was detected by the CAA Institute of Satellite Navigation (ISN) as part of the GPS monitoring project performed for the Safety Regulation Group (SRG). The likeliest cause for this error was an upload from a control station causing a temporary internal hardware failure.
Actual failure: A 6 second loss-of-lock event regarding PRN 17 was reported in 1995. Similar outages were ob- served on most of the Block II satellites. The satellite op- erators stated that this was a generic spacecraft problem caused by command uplinks to Block II satellites, which caused a con?ict in the spacecraft computer.
Table 2d. Failures related to satellite orbits.
Performance failures Comments
Trajectory changes when a satellite has come out of the eclipse.
Range errors up to 30 m could occur.
The Doppler or Doppler rate may be out of speci?cation due to SV manoeuvres.
Instabilities in the satellite attitude.
Miscalculated satellite orbits.
Table 2e. Space vehicle system related performance failures.
Performance failures Comments
Degradedattitudecontrolsystemsleadingto rangeerrors due to malfunctioning hardware devices and excessive solar interference in the vicinity of the eclipse.
Dramatictransmissionpower?uctuation(i.e.+/x20 dB per 1 sec).
Erroneous PRN code, i.e. code does not correspond to any SV in the constellation or to a di?erent one.
Actual failure: A reaction wheel failure for a satellite was reported which caused instability in the satellite attitude causing range errors of about 24 m initially and then maximum range errors of almost 90 m before stabilisation.
Actual failure: Ionospheric scintillations during a solar storm caused a space vehicle to go into nuclear detection mode in which it moved o? its normal orbit.
Leads to malfunction in the channel tracking.
Increasedsignal-to-noise(SNR)causingincor- rect range measurements.
Receiver fails to acquire SV signal or loss- of-lock.
Wrong signal polarisation and data parities.
56 WASHINGTON Y. OCHIENG AND OTHERS VOL. 56
Table 2f. RF related performance failures.
Performance failures Comments
Onboard RF ?lter failure leading to corrupted side lobes. UnstableL1,L2orL1-L2RFdelaysintheSV(i.e.sudden jumps or slow ?uctuation over time). Onboard multipath and onboard signal re?ection. De-synchronisation between data modulation and code. Onboard interferences and inter-channel bias.
Leads to corruption of the transmitted spec- trum. Could result in range errors up to several metres.
Table 3a. Intended Interference.
Jamming: Intentional interference or jamming, i.e. emis- sion of su?ciently powerful enough radio frequency energy. This is either realised as emission of a signal close to the GPS spectrum or if more sophisticated as emission of a GPS-like signal. Civil receivers are vulnerable. Spoo?ng: Is the intended injection of false GPS like sig- nal. The receiver will lock onto a legitimate appearing signal.
This could prevent GPS receivers from track- ing the signal or cause frequent loss-of-lock (positioning error up to 600 m). Sophisticated jamming technology could pre- vent a receiver from acquiring the signal. Spoo?ng, if not detected, could inject hazard- ous misleading information (HMI) and cause signi?cant navigation errors.
Table 3b. Unintended RF Interference.
Interference from RF transmitters emitting unwanted signal power in the L1/L2 band (e.g. Ultra wideband radar and communications broadcast television, VHF, personal electronic devices, mobile satellite services etc.).
This might lead to receivers having di?culty tracking the GPS signal or losing lock.
The new proposed L5 signal partially overlaps with, for example, the military Joint Tactical Information Distri- bution Service (JTIDS) and other commercially used similar services.
Table 3c. Performance failures related to sudden changes in the signal propagation properties.
The ionosphere surrounding the Earth refracts radio signalsintheL1,L2andtheproposedL5band.Therefore small-scale (spatial and temporal) electron density ?uc- tuations especially in periods of high solar activity may a?ect the GPS signals signi?cantly causing non-integrity or non-availability situations.
The troposphere has the e?ect of bending and refracting (delaying)thenavigationsignal.Thebendinge?ectisvery small and can be neglected.
Multipath errors result from re?ection of the navigation signal o? surfaces, which disturb the code and carrier- tracking loop.
For single frequency receivers the ionospheric e?ect might result in range errors up to 100 m. Certain ionospheric e?ects may lead to rapid changes in the phase of the signal causing loss- of-lock. Thedelayduetothetropospherecanvaryfrom 2 to 25 m. Most of this e?ect can be modelled. However sudden changes can cause potential non-integrity scenarios. Multipath error is location speci?c and can be di?cult to model. Could result in range errors of hundreds of metres.
NO. 1 GPS AND AVIATION SAFETY 57
(NiesnerandJohannsen,2000).Tables4aand4bgiveahighleveloverviewofpotential receiver level failure modes. Human related failures have been added to give a more complete picture.
4. INTEGRITY MONITORING. 4.1. Background on methods. Various methods for monitoring the integrity of GNSS have been proposed in an attempt to satisfy integrity requirements. Each method aims either to check whether an individual measurement error exceeds a speci?ed threshold, or whether the resulting position error exceeds a speci?ed threshold. The latter approach is more relevant to air navigation, since it is the output of the positioning system, i.e. the aircraft coordinates, which must be checked against the navigation accuracy requirements during the various phases of ?ight. The main
Table 4a. Receiver/user related performance failures.
There have been cases of some receivers, particularly low-cost in-car and handheld units not having been designed to meet the basic receiver hardware and software requirements. In one case, the developer had assumed the values for IODE/IODC would never reach F016. Operational testing later showed this not to be the case. Furthermore, there have been cases where unhealthy satellites have also been included in the navigation solution. There is statistical evidence that even GPS receivers certi?ed for civil aviation (RTCA/DO-208) fail to provide the required navigation information (Niesner and Johannsen, 2000). Receivers shutdown, pause suddenly, or even provide seriously incorrect positions. These failures can be attributed to: ? power system failure or power ?uctuations, ? software incompatibilities (year/week rollovers), ? receiver unit overheating, ? instabilities in the quartz frequency standards, ? receiver interface outages, ? receiver outages related to excessive electromagnetic activities (lightning etc.), ? hardware incompatibilities if the GPS unit is coupled with other means of navigation (i.e. INS, com- passes, external clocks, air data, navigation data bases etc.), ? processing algorithm errors, ? GPS receivers comprise complex hardware and software which are vulnerable to failure, ? Hard-wired and incorrect RAIM parameters have been used in certi?ed receivers. Actual failure: Many certi?ed receivers failed to cope with the Y2K event and the GPS rollover. Actual failure: As part of the CAA ISNs monitoring programme certi?ed receivers have been seen to output position errors of thousands of metres. The main cause is simply badly formatted output through the certi?ed output port. Actual failure: An error in the GPS derived position of 8 nm was reported on 16/2/99 in the North Sea area.
Table 4b. Human related failures.
According to the GPS vulnerability study, most of the accidents to date involving the use of GPS have been the result of human factor issues (Volpe, 2001). The following examples show the signi?cance of this statement. ? cases where pilots were trained inadequately in the use of GPS for navigation, ? pilots were found to be more likely to take greater risks during the ?ight regarding the weather if the plane is equipped with GPS instead of only with traditional navigation aids, ? cases where pilots travel into restricted airspace while using GPS because they felt greater ?exibility to leave the traditional route structure.
58 WASHINGTON Y. OCHIENG AND OTHERS VOL. 56
approaches to the monitoring of integrity of satellite-based navigation systems are external monitoring and Receiver Autonomous Integrity Monitoring (RAIM). Com- plexsystemssuchasGNSSalsoemployintegral/built-inmechanismsforself-checksto o?er adegree of integrityassurance.An exampleof this is aconcept known as Satellite Autonomous Integrity Monitoring (SAIM), which is based on the monitoring of the performance of the frequency generation mechanism on board the satellite. Various checks are also built in, for example, at functional and algorithmic levels within the control and space segments. External monitoring relies on a number of ground stations, positioned at known locations (Fernow and Loh, 1994). Individual satellites are then monitored by com- paring the measured pseudo-ranges with those computed from the coordinates of the satellite and monitor station. If a measurement error exceeds a certain threshold, indicating that a satellite is faulty, then a warning is sent to the users within the time- to-alert. This is a powerful approach to integrity monitoring, since it directly isolates the faulty satellite, enabling navigation to continue if su?cient satellites are still avail- able. It is ideal for monitoring system errors (control and space segments). However, the approach is not able to identify problems local to the user (e.g. multipath). This problem is addressed by a method that relies on actual measurements used in the positioning solution. The RAIM method is applied within the user receiver to enable it to independently or autonomously establish system integrity. RAIM attempts to address two main concerns, the existence of a bad measurement and the identi?cation of the a?ected satellite. If a GNSS is used for supplemental navigation, then addressing the ?rst concern is su?cient because an alternative navigation system is available and can be used instead. However, if the GNSS is used for primary-means navigation, then both concerns above must be fully addressed to identify and remove the a?ected measure- ment (satellite) from the solution allowing the aircraft to proceed safely. Addressing either concern requires redundant measurements, i.e. more than the minimum four measurementsrequiredforapositionsolution.Hence,measurementsfromatleast?ve satellites are required to detect a satellite anomaly, and a minimum of six satellites to remove the a?ected satellite from the navigation solution. A RAIM technique must determine a position error and make a decision as to whether the level of error is ac- ceptable by comparing it to the alert limit for a particular phase of ?ight. If this limit is exceeded,thenaRAIMequippedreceivermustissueawarningwithinthetime-to-alert. A number of algorithms for RAIM have been developed including position com- parison,rangecomparison,residualanalysisandparitychecking(Brown,1996).Itcan be shown that these methods are basically the same, provided that care is taken in the selection of the required thresholds. Preference for one over the other is usually for reducing computationalcomplexity.RAIMhastheadvantagesthatitprotectsagainst interference with the SIS, exists regardless of an external monitoring capability, and protects against anomalies associated with signal propagation. However, the reliance on redundant measurements to detect and isolate bad measurements is a major drawback because it lowers availability. It is not always possible to carry out a RAIM computation if, for instance, the user receiver is at a poor location in the coverage area of the GNSS constellation, or if satellites are masked or lost during aircraft ma- noeuvres.ThepowerofRAIMcouldbeincreasedbyaddingmeasurementsfromother instrumentsonboardtheaircraft.Thetechniqueisthennolongerreceiverautonomous but aircraft autonomous, AAIM. AAIM can be applied by adopting the loosely
NO. 1 GPS AND AVIATION SAFETY 59
couplingconceptbycomparingthepositionsolutionfromGNSSwiththatobtainedby other navigation sensors, such as a barometer, or an inertial navigation system (INS). Alternative, the tightly coupling approach could be used involving integrating the raw measurements from each system into a single solution (with appropriate weighting of the various measurements). 4.2. System level integrity monitoring. Protection against anomalies and failures such as those listed in previous sections is assured at two levels. The ?rst is by relying on satellite self-checks and monitoring by the US DoD Operational Control Segment (OCS) Master Control Station (MCS), and the second through signal assessment by users. Thus GPS has both integral and independent mechanisms for integrity monitoring. The control segment maintains the system clock, calculates the satellite orbit and clock error, and monitors and controls the system behaviour. Operations are carried out on the measured pseudo-ranges in order to detect outliers (anomalies), and to reduce measurement noise. The received signal strength is also checked and the navi- gation data carefully checked before upload. The data is transmitted with an error protection code (i.e. parity and sum check). Some self-check functions are also used in the space segment including parity checks, navigation data, frequency synthesiser, anti-spoo?ng generation and memory checks. Although the GPS control segment and the satellites themselves provide a reason- able level of integrity, anomalies could go undetected for too long a period for some applications (see Table 1 for time-to-alert requirements for civil aviation). It typically takes the MCS ?ve to ?fteen minutes to remove a satellite with a detected anomaly from service. Furthermore, if a satellite is not in the view of one of the ground stations (the ground stations provide only 92 percent tracking coverage), an anomaly could go undetectedforalongerperiodoftimebeforetheMCScanrealisethesituationandtake remedial action. Hence, this approach is not adequate for aviation. This is further explainedbythefactthatitisnotpossibletocarryoutacompleteone-to-onemapping between the ICAO RNP parameters and those used to specify GPS performance (US DoD,2001).Inparticular,thereisnospeci?cationplacedonintegrity.Infact,theGPS SPS performance standard document states that GPS SPS performance is not cur- rently monitored in real time. 4.3. User level integrity monitoring. RAIM is a method employed within the user receiver to detect and preferably isolate any measurements, which cause signi?cant errors in the computed position. The basic input to a RAIM algorithm is the same raw measurements used tocomputetheuser?sposition.RAIM availability isaconceptthat is applied to assess whether the right conditions exist to be able to perform a RAIM calculation, i.e. whether RAIM is ?available? to the user, as an integrity monitoring technique. The capability of a receiver to perform a RAIM calculation depends on the number of satellites, their geometry, predicted measurement quality and integrity requirements. Since actual measurements are not required, this is a vital tool that can beused to predictwhether ornot it would bepossibleto carry out aRAIM calculation at some future point in time. A high level assessment of the RAIM availability of the current GPS constellation has been carriedout over the entire globe atspatialandtemporalsampling intervalsof ?ve degrees and ?ve minutes respectively. The assessments have been carried out for the non-precision approach (NPA) and precision approach (APVI and APVII) phases of?ight,takingintoaccounttheintegrityrequirementsgiveninTable1.Astatistichas
60 WASHINGTON Y. OCHIENG AND OTHERS VOL. 56
been produced for each grid node (spatial sampling point) in terms of percentage availability over a period of 24 hours. Figure 1 shows the RAIM availability for NPA using a horizontal alert limit (HAL) of 556 m. It can be seen that the availability of RAIM as an integrity monitoring technique for horizontal positioning for NPA is less than 98% in the mid latitude regions, with other regions experiencing near 100% availability. Figures 2 and 3 show the corresponding horizontal RAIM availability for APVI and APVII. The APVI results are similar to NPA since the requirements are largely the same. The APVII results are comparatively worse as a result of more stringent requirements (e.g. HAL of 40 m compared to 556 m for APVI). Equatorial regions experience better than 97% availability, with the rest below. RAIMavailabilityplotsfortheverticalcomponentsareshowninFigures4and5for APVI and APVII respectively. Because the vertical accuracy and the corresponding alarm limit requirements for precision approach are more stringent than horizontal, RAIM availability is considerably worse. For APVI (e.g. VAL of 50 m), the near equatorial regions experience better than 95% availability of RAIM for integrity monitoring. The mid latitude areas experience between 95 and 65% availability, with the rest generally below 65%. For APVII, with even more stringent requirements than APVI (e.g. VAL of 20 m) most of the earth experiences availability of less than 35%,withonlythemidlatitudeareasfairingbetterwithavailability?guresbetween35 and 45%.
Figure 1. NPA H-RAIM Availability.
Figure 2. APVI H-RAIM Availability.
NO. 1 GPS AND AVIATION SAFETY 61
BasedontheRAIMavailabilityresultsgivenabove,itisclearthatuserlevelintegrity monitoring using RAIM is not su?cient to meet the requirements for NPA and PA phases of ?ight. Given that the requirements for CAT I, II and III are even more stringent than PA, the RAIM availability for these phases will be much lower.
Figure 3. APVII H-RAIM Availability.
Figure 4. APVI V-RAIM Availability.
Figure 5. APVII V-RAIM Availability.
62 WASHINGTON Y. OCHIENG AND OTHERS VOL. 56
5. GPS MODERNISATION AND INTEGRITY MONITORING. GPS achieved full operational capability (FOC) on 17 July 1995 with 24 operational satellites (US DoD, 2000). For many applications GPS delivers a widely accepted service with performance levels that often meet the requirements for the particular application. However, as has been shown in previous sections, for other require- ments including high integrity safety-of-life critical applications such as aviation, the current system does not provide the required navigation performance (RNP). Be- cause of the huge potential market for satellite navigation services, the end of the cold war, developments in satellite navigation systems in other parts of the world, and technological developments in security related areas, the US government has put in place initiatives aimed at enhancing the performance of the system whilst still main- taining its crucial military role. Since 1996, several o?cial announcements have been made in support of this including the Accuracy Improvement Initiative (AII) and the GPS III programme. The objective of the GPS III initiative is to deliver a GPS architecture that will satisfy current and evolving civilian needs, in particular the RNP for air navigation. It will preserve and build on the successes of GPS by creating a new architecture based on de?ned operational requirements (Lee et al., 2001). The system will deliver enhanced position, velocity, and timing (PVT) signals, and re- lated services to meet the requirements of the next generation of military and civil GPS users. The ?rst GPS III satellite is to be launched in 2009, with an eventual 30-satellite constellation to serve users until around 2030 (Lee et al., 2001). FOC is expected around 2020. The program is currently in the requirements de?nition and preliminary design phases. Intheshortterm,thesystemlevelintegrityprovisionwillbene?tfrombetterinternal (built-in) self checks mainly through more robust algorithms and the use of more tracking data from an enhanced tracking network of ground stations. No external (independent) monitoring is proposed. User level monitoring and quanti?ed RAIM availabilityanalysishaveshownthat,eventhoughacertainamountofimprovementis to be expected, it will not be signi?cant compared to the current performance. In the long term, a key element of the proposed GPS III programme is to address the RNP for aviation and how this is to be achieved, particularly the integrity requirements. The expectation is that the system will incorporate an independent external net- work to monitor the signal-in-space (SIS) and notify users of any signi?cant anomaly withtherequiredtime-to-alertsandwithinthespeci?edprobabilitiesofrisk.Forsafety reasons, it would still be necessary to have a RAIM capability within the receiver to protect against some of the anomalies, which may not be captured by the external network.
6. GPS AUGMENTATION AND INTEGRITY MONITORING. There are various augmentation mechanisms that could be used to support the in- tegrity requirements for civil aviation. GNSS1 based approaches include satellite- based augmentation system (SBAS), ground-based augmentation system (GBAS) and aircraft based augmentation system (ABAS). SBAS and GBAS systems should enable precision approach and landing to be achieved. With respect to ABAS, the integration of GPS with barometric aiding has the potential to achieve the integrity requirements for oceanic and en-route phases of ?ight. GPS and INS integration appears to have the potential to satisfy the required navigation performance for up to non-precision approach phase of ?ight. However, so far research on this has
NO. 1 GPS AND AVIATION SAFETY 63
not been entirely conclusive and further research is required (Lee and O?Laughlin, 1999). The potential of the combined use of data from GPS and GNSS2 represented by the Galileo system has been assessed through a RAIM availability analysis. It has been shown that the availability of RAIM for APVI (horizontal and vertical) and APVII (horizontal)nears100%.TheverticalRAIMavailabilityforAPVIIiscloseto100%in most places with the exception of the higher and lower latitude areas experiencing availability at the 96% level.
7. CONCLUSION. This paper has presented the main results of research con- ducted to investigate the level of safety as measured by integrity (i.e. trustworthiness) a?orded by GPS as a source of navigation data for civil aircraft. The main objec- tive was to investigate potential cases of non-integrity (i.e. failures) that could result in safety risks, their causes and mitigation techniques. It has been shown that GPS is susceptible to di?erent types of failures with potential impacts on safety if not identi?ed and reported within speci?ed time periods. The current system level and user level monitoring mechanisms have been shown to be inadequate for providing the necessary integrity monitoring capability. Di?erent augmentation approaches have been presented based on the concepts of GNSS1 (ground-based, aircraft-based and space-based augmentation systems) and GNSS2 (stand-alone navigation sys- tems such as Galileo). These have been shown to have the potential to satisfy the RNP for all phases of ?ight. The systems are currently under development and further re- search is required before they can be used for civil air navigation. It should be noted that there are plans to modernise GPS (the so-called GPS III programme) to support the navigation requirements for many more applications including civil aviation. The system is expected to be operational in 2020.
REFERENCES AND BIBLIOGRAPHY
Barker, B. and Huser S. (1998). Protect yourself! Navigation payload anomalies and the importance of adhering to ICD-GPS-200. Proceedings of ION GPS-98, Nashville, Tennessee. Brown, R. G. (1996). Receiver Autonomous Integrity Monitoring. Global Positioning System: Theory and Applications, Vol. 2. Eds. Parkinson, B. W. and Spilker, J. J., Jr., American Institute of Aeronautics and Astronautics. Cobb, H. S., Lawrence, D., Christie, J., Walter, T., Chao, Y. C., Powell, J. D. and Parkinson, B. (1995). Observed GPS signal continuity interruptions. Proceedings of ION GPS-95, Palm Springs, California. Fernow,J. P.andLoh,R.(1994).IntegrityMonitoringinaGPSWideAreaAugmentationSystem(WAAS). Proceedings of the Third International Conference on Di?erential Satellite Navigation Systems, April, London. ICAO (1999). Manual on Required Navigation Performance. International Civil Aviation Organisation, 2nd Edition. ICAO (2000). Validated ICAO GNSS Standards and Recommended Practices (SARPS), November. Lee, R., Slattery, R., Kovach, K., Thompson, R. and Kuhlmann, K. (2001). Improving GPS for Aviation: GPS Operational Requirements Document (ORD) Aviation Annex. ION National Technical Meeting, 22?24 January, Long Beach California. Lee, Y. C. (1992). Analysis of RAIM function availability of GPS augmented with barometric altimeter aiding and clock coasting. ION GPS-92. Lee, Y. C. and O?Laughlin, G. (1999). A performance analysis of a tightly coupled GPS/inertial system for two integrity monitoring methods. ION GPS-99, September, Nashville.
64 WASHINGTON Y. OCHIENG AND OTHERS VOL. 56
Niesner,P. D.andJohannsen,R. (2000).TenmilliondatapointsfromTSO-approvedGPSreceivers: results and analysis and applications to design and use in aviation. Navigation, Journal of the Institute of Navigation, Vol. 47, No. 1, pp 43?50. RTCA (1998). Minimum Aviation Performance Standards for Local Area Augmentation Systems (LAAS). Radio Technical Commission for Aviation DO-245, September. US DoD (2000). Federal Radionavigation Plan. US Department for Defense, February. US DoD (2001). Global Positioning System Standard Positioning Service Performance Standard; October 2001. Pullen, S., Xie, G. and Enge, P. (2001). Soft failure diagnosis and exclusion for GBAS ground facilities. Proceedings of RIN NAV 2001, London, UK. Volpe Report (2001). Vulnerability Assessment of the Transportation Infrastructure Relying on the Global Positioning System. John A. Volpe National Transportation Policy, August 29. Walsh,D.andDaly,P.(2000).De?nitionandCharacterisationofKnownandExpectedGPSAnomalyEvents. Final Report to the UK CAA (Safety Regulation Group).
NO. 1 GPS AND AVIATION SAFETY 65