
The SBAS Integrity Concept Standardised by ICAO: Application to EGNOS: Difference between revisions


Revision as of 13:17, 14 November 2010


EGNOS
Title: The SBAS Integrity Concept Standardised by ICAO: Application to EGNOS
Author(s): Benoit Roturier, DGAC/STNA, France; Eric Chatre, GSA, GNSS Supervisory Authority, Brussels, Belgium; and Javier Ventura-Traveset, ESA, European Space Agency.
Level: Medium
Year of Publication: 2006

Abstract

There has been much debate within the International Civil Aviation Organisation (ICAO) GNSS Panel (GNSSP) group of experts[1] on the proper way to ensure SBAS user safety while at the same time respecting the high availability requirement. The group finally validated a method at the GNSSP Seattle meeting in June 2000, which is reproduced in the GNSS Standards And Recommended Practices (SARPs), published in November 2002[2] [1]. Although the technical information an SBAS system designer needs to implement the SBAS integrity concept is fully described in the SARPs, only the strictly necessary information is reported there, and it is quite difficult for a non-specialist to properly understand this important concept. Since the SBAS integrity concept is quite specific and new, some complementary information to the SARPs was felt desirable. This is the main motivation of this paper, which also illustrates how integrity is being managed in the European EGNOS SBAS project.

Introduction

The integrity service of ICAO compliant GNSS systems may currently be provided by the three normalised augmentations known under the terms ABAS (Airborne Based Augmentation System), GBAS (Ground Based Augmentation System) and SBAS (Satellite Based Augmentation System)[2] [1]. The ABAS integrity concept relies solely on the observation, through the airborne user receiver, of redundant pseudo range information, while GBAS (resp. SBAS) integrity elaboration relies on the use of a single ground reference station (resp. a network of ground reference stations).

In addition to the integrity service, GBAS and SBAS also provide the user with differential corrections to improve the precision, in a restricted area around a single reference station for GBAS and over a wide area defined by a network of reference stations for SBAS. Finally, the SBAS geo satellites also transmit a ranging navigation signal similar to that of a GPS satellite.

Therefore, the SBAS integrity service which is addressed here should protect the user from both:

  • failures of GPS/GLONASS/GEO satellites (drifting or biased pseudo ranges) by detecting and excluding faulty satellites through the measurement of GPS signals with the network of reference ground stations;
  • transmission of erroneous or inaccurate differential corrections. These erroneous corrections may in turn be induced from either:
    • undetected failures in the ground segment;
    • processing of reference data corrupted by the noise induced by the measurement and algorithmic process.

This last type of failure, which may occur when the system is in a nominal state (no GPS/GLONASS/GEO satellite failure, no ground segment/user equipment failure), is usually known as the “fault free case”. Protection of the user against noise effects has been quite demanding during the process of definition and validation of the ICAO SBAS integrity concept. In fact, the potential for such non integrity events generated in fault free conditions is inherent to the data measurement and processing needed to provide users with basic and precise correction messages, and is thus a permanent risk which has to be carefully managed. This has involved the definition of statistical error bounds called horizontal or vertical protection levels (HPL or VPL), which will be discussed in depth in section V.

Before going into the details of the elaboration of adequate parameters to protect users from non integrity events which might occur from system failure (section IV) or noise (section V), we will recall integrity requirements (section II) and integrity definitions (section III).

Integrity Requirements

The elaboration of a high level fault tree for all phases of flight leading to a given objective in terms of Target Level of Safety (TLS)[3], and its further decomposition for a number of phases of flight into aircraft, airborne database and signal in space (SIS) contributions to this risk, has been provided by the ICAO All Weather Operational Panel[4] (AWOP) [2][5] [3].

Figure 1: Fault tree allocation for SBAS APV I, II and Cat I operations

The fault tree for approach with vertical guidance (APV I, II and Category 1 approach type), corresponding to the most demanding operations supported by SBAS and derived from AWOP work, is shown in Fig. 1[6]. This paper will focus on the Non Aircraft, signal in space (SIS) integrity risk corresponding to the bottom right part allocations of Fig. 1. AWOP work has been used as input by GNSSP to define the high level integrity requirements summarised in Fig. 2.

Figure 2: ICAO SARPs high level integrity requirements on SIS.
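| Typical operation | Time to Alarm | Integrity | Hor. alert limit | Vert. alert limit |
|---|---|---|---|---|
| En-route | 5 mn | $1-10^{-7}$/h | 4 NM | N/A |
| En-route | 15 s | $1-10^{-7}$/h | 2 NM | N/A |
| En-route, Terminal | 15 s | $1-10^{-7}$/h | 1 NM | N/A |
| NPA | 10 s | $1-10^{-7}$/h | 0.3 NM | N/A |
| APV I | 10 s | $1-2\times10^{-7}$/app | 40.0 m | 50 m |
| APV II | 6 s | $1-2\times10^{-7}$/app | 40.0 m | 20 m |
| CAT I | 6 s | $1-2\times10^{-7}$/app | 40.0 m | 15 - 10 m |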

Integrity Definitions

The provisions for integrity in the SARPs are complex for a non-expert, and so are the definitions of non integrity events. Three levels of definition may be identified, which are discussed in this section.

High level definition of integrity

The high level definition of integrity in the SARPs is ([1] §A.1): A measure of the trust which can be placed in the correctness of the information supplied by the total system. Integrity includes the ability of a system to provide timely and valid warnings to the user (alerts).

It has to be noted that the integrity requirement in Fig. 2 includes both an alert limit in horizontal and vertical dimensions and an allocated time to warn the user. Moreover, the integrity is often specified by its inverse, integrity risk, as in Fig. 1. The integrity risk may be defined as the probability of providing a signal that is out of tolerance without warning the user in a given period of time.

The out of tolerance condition is defined in the SARPs in the user position domain. From the high level definition of integrity given above, it might seem obvious that a non integrity event corresponds to the situation where the user navigation system error (NSE) in the horizontal or vertical dimension is greater than the Horizontal or Vertical Alert Limit (HAL or VAL) and no timely and valid warning is provided to the user. However, the definition which has been retained in the SARPs is a little more conservative (as shown in [4]), and is described in the next section.

The above situation (NSE > HAL or VAL) is often referenced as “Hazardously Misleading Information (HMI)” case.

Non integrity event definition applicable to the ground system designer

This definition (in the most demanding case of APV II or Cat I) may be found in [1] §B.3.5.7.5.1: “Given any valid combination of active data, the probability of an out-of-tolerance condition for longer than 5.2 consecutive seconds shall be less than $2 \times 10^{-7}$ during any approach, assuming a user with zero latency. An out-of-tolerance condition is defined as a horizontal error exceeding the $HPL_{SBAS}$ or a vertical error exceeding the $VPL_{SBAS}$ (as defined in B.3.5.5.6).”

The Horizontal and Vertical Protection Level (HPL and VPL) are elaborated within the user receiver (cf. [1] B.3.5.5.6) at each epoch by combining ground transmitted parameters, aircraft parameters and geometry of the user with respect to satellites used in the position calculation. They will be further discussed in section V. This definition (NSE > HPL or VPL) is often referenced as “Misleading Information (MI)” case. It has to be used by a SBAS system designer to prove by simulation and/or tests that the SBAS design is SARPs compliant with respect to integrity requirements. It is also a high level requirement for the calculation of ground parameters used in XPL elaboration by a SBAS system designer, as further discussed in section V.3. However, since this definition implies the knowledge of the NSE, a standard user may obviously not apply this out of tolerance test to raise a flag in case of non-integrity event.

Non integrity event definition applicable to a SBAS standard user

The test to be done at user level to check the correctness of transmitted data is defined in the SARPs ([1] §B.3.5.8.4.2): “The receiver shall compute and apply horizontal and vertical protection levels defined in B.3.5.5.6.” This definition is not really explicit (!), but more may be found in the guidance material section ([1] §C.6.4.4): “… If the computed HPL exceeds the Horizontal Alert Limit (HAL) for a particular operation, SBAS integrity is not adequate to support that operation. The same is true for precision approach and APV operations, if the VPL exceeds the vertical alert limit (VAL).”

This test (HPL or VPL > HAL or VAL), which is implemented at each epoch, allows the SBAS to be declared “system unavailable” for a given level of operation, since in this case the probability of an MI (and HMI) event is high. Note that xPL and xAL (x stands for either H or V) are now known by the user. If a SBAS is SARPs compliant as defined in section II.2, then a user applying the above test will be protected to the required level.

Example

The three above discussed integrity tests (HMI, MI and system unavailable) appear more explicitly in figure 3:

Figure 3: Example of the different non-integrity definitions and tests.

Another practical representation of these different cases is obtained through a 2D plot of the Vertical Position Error (VPE) against the VPL, where each pixel corresponds to a measurement epoch, as in Fig. 4. This is usually known in Europe as the Stanford diagram. Fig. 4 illustrates the trade-off between integrity and availability (Stanford diagram) as obtained through EGNOS real measurements at the ESA EGNOS P.O. in Toulouse, France in March 2005. The diagonal traces the limit between the safe operation of the system (left side) and the unsafe conditions (right side). The EGNOS System is shown to be safe in the nominal test conditions of Fig. 4, with an availability of both APV-1 and APV-1 of 100% for this specific test period.
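
The three tests discussed above can be applied epoch by epoch to place each measurement in a region of the Stanford diagram. The Python sketch below is an added example, not part of the original paper: the function names, region labels, the availability definition (fraction of epochs with VPL not exceeding VAL) and the sample epochs are assumptions constructed for illustration; only the VAL values come from Fig. 2.

```python
from collections import Counter

# Vertical alert limits in metres, taken from the Fig. 2 table on this page.
VAL_M = {"APV I": 50.0, "APV II": 20.0}

# Constructed sample epochs (not EGNOS data):
# (vertical position error, VPL), both in metres.
SAMPLE_EPOCHS = [(1.2, 12.0), (-3.5, 18.0), (2.0, 25.0), (14.0, 11.0),
                 (22.0, 15.0), (40.0, 30.0), (60.0, 55.0)]


def classify_epoch(vpe, vpl, val):
    """Return the Stanford-diagram region of one epoch (hypothetical labels)."""
    err = abs(vpe)  # the tests compare the magnitude of the error
    if vpl > val:
        # User-level test (VPL > VAL): the receiver declares the system
        # unavailable, so the user is warned even if the error is large.
        return "UNAVAILABLE_MI" if err > vpl else "UNAVAILABLE"
    if err > val:
        # Error beyond the alert limit while the system is declared usable.
        return "HMI"
    if err > vpl:
        # Designer-level test: error exceeds the protection level.
        return "MI"
    return "NOMINAL"


def summarize(epochs, val):
    """Count epochs per region and compute availability for one operation."""
    counts = Counter(classify_epoch(vpe, vpl, val) for vpe, vpl in epochs)
    # Assumption: availability = share of epochs passing the user test.
    usable = sum(1 for _, vpl in epochs if vpl <= val)
    return counts, usable / len(epochs)


if __name__ == "__main__":
    for operation, val in VAL_M.items():
        counts, availability = summarize(SAMPLE_EPOCHS, val)
        print(f"{operation} (VAL={val} m): {dict(counts)} "
              f"availability={availability:.1%}")
```

The same epochs fall into different regions depending on the operation: an error of 22 m against a VPL of 15 m is an HMI for APV II (VAL 20 m) but only an MI for APV I (VAL 50 m).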

References

  1. ^ Currently (2006) known as Navigation System Panel (NSP).
  2. ^ a b ICAO Amendment 77, Annex 10 to the Convention on International Civil Aviation, Aeronautical Telecommunications: International Standards and Recommended Practices, Volume 1, Radio Navigation Aids, November 2002.
  3. ^ The top TLS objective is that the probability of accident leading to hull loss should be less than $1.5 \times 10^{-7}$ per flight.
  4. ^ ICAO AWOP/15 Report, 15th meeting, Montreal 26 September- 12 October 1994.
  5. ^ ICAO AWOP/16 Report, 16th meeting, Montreal 23 June- 4 July 1997.
  6. ^ The AWOP $2 \times 10^{-7}$ figure for SIS integrity risk by approach (150 s) has been further decomposed by GNSSP into a $10^{-7}$/approach allocation for the ground system integrity risk and a $10^{-7}$/approach allocation for the fault free case.

[1] ICAO Amendment 77, Annex 10 to the Convention on International Civil Aviation, Aeronautical Telecommunications: International Standards and Recommended Practices, Volume 1, Radio Navigation Aids, November 2002.

[2] ICAO AWOP/15 Report, 15th meeting, Montreal 26 September- 12 October 1994.

[3] ICAO AWOP/16 Report, 16th meeting, Montreal 23 June- 4 July 1997.

[4] Liu Fan, “Analysis of Integrity Monitoring for The Local Area Augmentation System Using The GNSS”, PhD. Report, Ohio University, August 1998.

[5] RTCA, “Minimum Operational Performance Standards for Global Positioning System/Wide Area Augmentation System Airborne Equipment”, RTCA-DO 229 C, November 2001.

[6] Bruce DeCleene, “Defining Pseudo Range Integrity – Overbounding” ION Conference, September 2000.

[7] M. Tossaint, J. Samson, F. Toran, J. Ventura-Traveset, A Tadjine, I. Delgado, “The Stanford – ESA Integrity Diagram: Focusing on SBAS Integrity,” Part 1 of this book.