Fault Modeling for GBAS Airworthiness Assessments

Fault Modeling for GBAS AirworthinessAssessments

Received June 2011; Revised February 2012

ABSTRACT: A new type of service has been proposed for Ground Based Augmentation Systems (GBAS) that isintended to support approach and landing operations down to the lowest minimums (i.e., CAT IIIb). Proposedstandards for this new service type have been drafted and are currently being validated. This so called GBASApproach Service Type D (GAST D) includes new low level requirements for monitoring as well as a requirementfor additional geometry screening in order to protect the user from failures of several types. This paper discusseshow the proposed requirements can be interpreted in order to develop a fault model that describes the magnitudeand dynamics of malfunction induced navigation systems errors for malfunctions that are undetected, or prior totheir detection. Such a fault model can be used to demonstrate acceptable airplane system level responses to malfunc-tions as part of airworthiness approvals. The paper includes a review of the types of malfunctions that are antici-pated and the monitoring requirements that limit the impact of those malfunctions. Then a dynamic error modelis proposed and the parameters of that model are presented for each type of failure. The relationship between thelargest undetected errors and the user defined geometry screening is explored for each type of malfunction. Somediscussion of how this model is anticipated to be used in the context of airworthiness demonstrations is included.This work represents an important step towards development of airworthiness requirements needed in order forGBAS to support CAT III operations in the future. Copyright # 2012 Institute of Navigation.

INTRODUCTION

The International Civil Aviation Organization(ICAO) Navigation System Panel (NSP) has beendeveloping standards for GBAS since 1993. Theinitial Standards and Recommended Practices(SARPs) for GBAS were finished in the year 2000and defined a system that was intended to supportapproach operations to CAT I minimums. Since thattime, significant work has been done to extend theseSARPs to enable GBAS to support operations to thelowest minimums (i.e., CAT IIIb) [1–7]. This effortrecently reached a milestone with the developmentand technical validation of SARPs which introduce

a new type of GBAS service that is intended tosupport all categories of landing operations.Airworthiness approval of airplanes with low

weather minima approach capabilities requires a sig-nificant safety analysis which includes analysis andsimulation of aircraft performance under normal,limit, and faulted conditions [8, 9]. Airplanes withautomatic landing capabilities must be shown tohave adequate performance. This demonstrationmay be achieved through a combination of a statisti-cal approach using Monte-Carlo autoland simula-tions, and a deterministic approach using simulatorsessions with pilot in the loop and flight tests. Suchsimulations require a noise model to simulate repre-sentative errors and test their effects on performanceof the landing system. Work on a suitable GBASNoise Model has been underway since 1996 [10].

NAVIGATION: Journal of The Institute of NavigationVol. 59, No. 2, Summer 2012Printed in the U.S.A.

TIM MURPHY, MATT HARRISBoeing, Seattle, WA 98124-2207

CURTIS SHIVELYThe MITRE Corporation, 7515 Colshire Drive, McLean, VA 22102

LAURENT AZOULAIAirbus Operations S.A.S., 316 Route De Bayonne-M0141/3, Cedex 09, Toulouse, 31060 France

MATS BRENNERHoneywell International, 8840 Evergreen Blvd., Minneapolis, MN 55433

145

A GBAS noise model has been developed includingextensions to the model to cover GAST D nominalnoise expectations, limit case errors and simulationof limit conditions and fault modes [11]. The historyof the development of the noise model is outlined ina previous paper [12]. The development of this modelcan be attributed to the efforts of many individualsover several years and the model continues to evolveas the GBAS standards have evolved to include GASTD [13–24]. Themost up-to-date proposal for the GBASLanding System (GLS) noisemodel is given in Attach-ment A of reference [11]. It is expected that the modelwill continue to be refined by Boeing, Airbus and otherinterested parties, and will ultimately be documentedin updates to state airworthiness approval criteria(e.g., references [8] and [9]). Reference [11] shows thatthe proposed GAST D SARPS and DO-253C MOPSprovide requirements that are complete enough sothat a signal model supporting airworthiness assess-ments can be derived.This paper specifically focuses on the derivation of

the fault model included in the GBAS noise model.The intent of the fault model is to simulate the beha-vior of the GBAS at the output of the airborne GBASequipment given a failure in some element of theGBAS system (i.e., the ground subsystem or the spacesegment). The fault model is based on the assumptionthat the GBAS ground station and airborne equip-ment correctly perform their intended function andthat faults will eventually be detected and mitigatedby the system. The fault model describes the behaviorof the system after the fault has occurred and until thefault is detected and mitigated.

ANTICIPATED AIRWORTHINESS ASSESSMENTREQUIREMENTS FOR GLS TO SUPPORT CAT IIIOPERATIONS

The current airworthiness criteria are found inFAA Advisory Circular AC 120-28D [8] and EASACS AWO Subpart 1 [9]. Requirements within thesedocuments can be used as a model to define successcriteria for total system landing performance. Theserequirements and the associated success criteria arediscussed below.There are three key conditions for which airwor-

thiness requirements exist regarding performance.These three conditions are: system performanceunder nominal conditions, performance in a limitcase condition, and performance in the presence ofmalfunction. For each of these conditions defined in[8] and [9], acceptable performance is based on suc-cessfully landing inside a certain region of the runway(or more precisely, not landing outside the limits ofthat region). The landing box is illustrated in Figure 1.Table 1 summarizes the three conditions andassociated existing airworthiness requirements. The

table also briefly outlines or paraphrases the successcriteria for the existing requirements which may beused to establish that equivalent safety performancehas been achieved at the system level.

The three general conditions determine the kind ofmodel that will need to be used for performancedemonstrations. In general a suitable signal modelmust have the following capabilities:

• Produce representative errors (magnitude andspectral content) under nominal (fault-free)conditions. This includes nominal noise andother routine events like step errors due togeometry changes, etc.

• Produce representative errors (magnitude andspectral content) under nominal (fault-free)conditions with an error representative of anNSE limit condition applied additively.

• Produce errors (magnitude and dynamics)representative of anticipated system malfunc-tion modes.

In order to be representative, the performancedemonstration encompasses various expected opera-tional conditions in terms of aircraft configurationsincluding aircraft weight and center of gravitylocation, flaps configuration, and airfield elevation.The performance demonstration also includesenvironmental parameters like wind or runwayconfiguration.

As described in [25], in addition to the successfuldemonstration of aircraft landing in the box safely,several other parameters including impact on thecrew workload must be assessed. We can note theability of the pilot in command to identify the failurecondition effect and to react appropriately, in compli-ance with the regulation. In addition, aircraftreaction in terms of control and guidance and cockpiteffects must be adequate and timely.

The other objective of the airworthiness assessmentis to provide a safety classification for the failureaccording to [26] and [27] and to verify that the failureprobability is in accordance with the classification ofthe failure (Minor, Major, Hazardous, Catastrophic).

More particularly, some parameters are quantita-tively evaluated. These are longitudinal and lateralposition at touchdown and during rollout, aircraftvertical speed at touchdown, aircraft attitude,speed and yaw rate during landing and rollout,

2700 ft

5 ft

200 ft 2700 ft

5 ft

200 ft

Runway Threshold

Fig. 1–Landing Box Used to Define Acceptable Landing SystemPerformance

146 Navigation Summer 2012

aerodynamic surface deflection and margin withregard to the obstacle clearance surface. If one ofthese criteria is not met, either an airborne systemdesign like a mitigation or a monitor will be requiredto mitigate the effect of the failure, or a change ifpossible in the probability of failure occurrence willbe required. The overall evaluation process is illu-strated below in Figure 2

One example among these criteria evaluatedduring ILS Category III airworthiness demonstra-tion is the non penetration of a 1:29 slope boundaryupon system failures, as defined in [28] and [29]and illustrated below in Figure 3. This slope pro-vides a margin against the obstacles, to enable thepilot or the aircraft to recover from a failure erro-neously guiding the aircraft downward, all otherconditions being nominal. But, because GBAS is a rec-tilinear system, compared to the ILS system beingangular, and due to the specificities of GBAS failurecharacteristics in terms of magnitude and dynamics,

new or adapted criteria should be developed, ensuringsafe landing in the most limiting case.One new criterion currently under consideration

(can be found in [30]) would include the combina-tion of system and signal-in-space failure effectshaving a probability> 10-9 to demonstrate anabsolute margin against obstacles below theflight path, known as the 1:50 slope. By the mostlimiting case, we mean the case where approachparameters are set at values which will have themost impacting effect on the flight guidancesystem, for instance smallest flight path angle ormost critical aircraft configuration.More particularly, types of failures that would be

combined include ranging source failures, referencereceiver failures and airborne system failures butnot ionospheric anomalies. Indeed, since the priorprobability of ionospheric anomalies cannot bewell quantified, their effect on the aircraft landingperformance will be evaluated separately.

Req Change Proposal

Impact Analysis

Wor

st

Cas

es

Malfunction

Limit

Nom

inal

SARPS and MOPSRequirements

GBAS Signal Model

TT

A, M

onito

r P

md,

etc

.

GBAS Failure Identification and Characterization

Computer Simulations

(Monte-Carlo etc.)

Perf Req Met? Yes

No

Integration Simulator Assessment with Pilot in

the Loop

Done

HazardClassification

Classifi-cation > Major?

No

Autoland PerformanceSatisfactory

Yes

Modify Autopilot Feasible?

Total System PerformanceSatisfactory

YesNo

(Validation Phase Only)

Fig. 2–Precision approach failure assessment process

Table 1—Summary of Airworthiness Requirements and Associated Equivalent Safety Criteria

General Condition FAA Criteria EASA Criteria Related Success Criteria

NominalPerformance

AC 120-28DNominal Performance –Section 6.3.1

CS–AWO 131 Performancedemonstration

AMC AWO 131Performance Demonstration

Demonstrate equivalent or better perfor-mance under nominal conditions. (Allvariables varying across entire range).Meet 10-6 box requirements

MalfunctionCondition

AC 120-28DPerformance withMalfunction – Section 6.4.1

CS AWO 161 –General (appears toapply but is less specific thanFAA criteria as to whatconstitutes ’safe’)

For all failures with probability>10-9

demonstrate safe landing -> Land in box(with probability 1) – given environmentand other variables ‘nominal’.

Limit Condition No analogous requirement EASA CS AWO 131 (c) –Performance Demonstration

Limit case conditions

Demonstrate performance when one of thevariables is at its "most critical value"whilethe others vary in their expected manner –Land in defined box with probability<10-5

: Conditional probability approach

147Murphy et al.: Fault Modeling for GBASA AssessmentsVol. 59, No. 2

GBAS Fault Modes

For a GBAS system, three general classes of faultshave been identified:

1. A satellite ranging sources failure,2. Failure of a single reference receiver, and3. An ionospheric anomaly.

The peak magnitude and effective threshold forerror that persists post monitoring differs betweenthese three fault types. The model proposal nowgives information related to computing the maxi-mum error and effective threshold for each fault typein terms of geometry screening factors applied by theairborne equipment [31]. In this way, the airframeintegrator can set the fault model to produce theappropriate sized errors given the specifics of theintegration (i.e., the geometry screening factors).The maximum error that can be expected with a

probability of greater than 10-9 is relevant for testinga landing system in the presence of a malfunction asdefined in [8] and [9].The effective threshold is relevant because the

’limit case’ conditions as discussed in the GBASGAST D concept paper [2] are based on the point ofpeak error probability which is at or just belowthe effective threshold for the monitor. Hence, theeffective threshold relates to the size of an error thatmay need to be used in a limit case demonstrationfor this fault type as defined in [9].

GBAS FAULT MODEL

The effect of GBAS faults is modeled as a ramperror with characteristics as illustrated in Figure 4.The effect of a malfunction is modeled as a ramp,with a start time, a ramp rate, and a total exposure

time, Tmax. The maximum value of the rampdepends on the ramp rate and Time to Detect(TTD). The ramp is assumed to increase to the levelof the Effective Alert Limit and then to exceed thatvalue for a period equal to the Time-to-detect andmitigate the failure. The erroneous satellite isisolated and the error returns to the nominal value(i.e., the fault error is set to zero). The effect at theoutput of the receiver is either that the fault errorreturns to zero and the noise model produces onlynominal errors or that the guidance signal is lost(e.g., the output of the receiver is flagged as unusable).

The model may alternatively produce step errorswhere the maximum change in error due to the stepis specified rather than the ramp rate.

It must be noted that fault errors are modeledseparately from nominal noise errors and added tonominal noise errors where appropriate.

A previous study [16] considered the historicalrecord of documented satellite failures andconcluded that even without considering the groundstation specific failures, a GBAS system could beexposed to transient ramps in pseudorange ofvirtually any slope. The augmentation data fromthe ground station may compensate for pseudorange

time

PositionError on AxisOf Choice

EffectiveAlert Limit

TTD

Slope Characterized by Ramp Rate [ft/s]

Total Exposure Time - Tmax

EMAX

Fig. 4–Malfunction Transient

Fig. 3–1:29 slope penetration boundary


ramp errors, but due to sampling rates and time todetect and mitigate the errors, the airborne equip-ment could output some transient errors driven bythe pseudorange ramps. In the worst case, thesetransients would have a duration defined by themaximum time to detect and mitigate the error.The malfunction model proposed is based on a modelof a failure in progress that is assumed to be aramp with an arbitrary slope from near zero(i.e., essentially a bias over an approach) to nearinfinite (i.e., a step change). The magnitude of theerror at the end of the slope will depend on themonitoring performed by the ground station and inparticular on the minimal detectable error (thethreshold) and the steepness of the slope combinedwith the time to detect (the overshoot).

As mentioned above, it is assumed that the GBASsystem meets its requirements and either indicatesthe failure exists or removes the effect after nolonger than the Time to Alert (TTA) allocated to theground segment. The possibility of data link missedmessages is also considered to determine the maxi-mum exposure interval for the airplane (referencedto the output of the GBAS receiver).

Ramps and steps are believed to be sufficient asmodels for failures based on the observed satellitefailure characteristics. A more recent study per-formed by Honeywell [32] reviewed the expectedfault modes of a GBAS and concluded that virtuallyevery fault mode can be modeled conservatively as aramp. The exception to this rule is an excessivepseudorange acceleration which is expected to besecond order (or quadratic) for the duration of the fail-ure before it is detected and mitigated by the groundsegment. Because the proposed failure model includesthe entire family of ramp rates (from 0 to infinite),then for any postulated constant acceleration error, asimilar ramp error can be found that causes the errorto cross the threshold (i.e., minimum detectable error)at the same time and which results in an error of thesame magnitude at the end of the time to detect. Thissituation is illustrated in Figure 5.

The response of an airplane to a steep rampresulting in an error as large as or larger thanthe error that would be reached with the constantacceleration function in the same exposure inter-val should be as bad as the response to constantacceleration error. (The constant acceleration errorsimply looks like a steeper ramp with a shorterduration). To illustrate this further, consider thespectral content of ramp errors and constant accel-eration errors. Figure 6 shows the ramp error andsimilar constant acceleration error from Figure 5along with the Power Spectral Density (PSD) ofeach waveform. Note the similarity of the PSDs.Similarly, Figure 7 compares the PSDs for a wholefamily of ramp errors and their associated PSDs.The ramp family can produce errors with spectral

content essentially identical to the constant accel-eration family.Figure 8 further illustrates the relative effect of

ramp and constant acceleration errors when the air-plane response is considered. The errors in Figure 8are filtered using the vertical Path Following Error(PFE) filter as defined in ICAO Annex 10 [33]. ThePFE filter was introduced for MLS as a means toisolate MLS errors that would be expected to resultin displacement of the airplane (i.e., errors that theairplane may actually follow). This is essentiallyequivalent to modeling the airplane response as asecond order Butterworth low pass filter with acutoff of 0.3 rad/s. This is a very conservative andsimplemodel of airplane performance as moremodernautopilot systems have a closed loop bandwidth thatis much smaller. From Figure 8 it can be seen thatthe ramp error family can produce responses assevere as or more severe than the similar constantacceleration family.Airplane designs may also include anomaly detec-

tion features based on integration with inertialinformation. This would furthermitigate the responseof the airplane system to the transient errors. A fullinvestigation of the impact of various error character-istics on anomaly detection designs is beyond thescope of this paper. However, a simple example is illu-strated in Figure 9. In this simulation, the airplaneresponse is modeled as a low pass filter in the samemanner as before. However, prior to filtering, a simplealgorithm is applied where the instantaneous errorrate is compared to a 1m/s. threshold. Rates thatexceed 1m/s cause a detection and removal of theerror (or loss of service). The errors with and withoutanomaly detection are shown in Figure 9. Note thatalthough there are some differences as to whendetections occur, etc., the two families result in essen-tially identical envelopes of errors responses. In factthe peak errors are slightly larger for the ramp error

Fig. 5–Comparison of Ramp Error and Similar Constant Accelera-tion Error


family. Given all the considerations above, the ramperror model for GBAS faults is considered sufficientfor testing airborne designs.As mentioned above, the peak magnitude of the

error (Emax) and the effective threshold are differentbetween the different fault types. For each faultmode Emax and the effective threshold can be relatedby geometry screening parameters that are defined

by the aircraft integrator. Reference [34] gives adetailed derivation of the error characteristics forthe single reference receiver failure. References [35]and [36] discuss the analysis done to validate theionospheric anomaly monitoring. The maximumerror that can occur in the pseudorange domain dueto a satellite ranging source failure is specified directlyin the proposed SARPS requirements (Reference [1],

Fig. 7–Comparison of the PSD for a Whole Family of Ramp Errors and the AssociatedSimilar Constant Acceleration Errors

Fig. 6–Comparison of PSD for Ramp Error and Similar Constant Acceleration Errror


Section 3.6.7.3.3.2). Briefly, the requirement statesthat the probability that an error, |Er|, on the 30 ssmoothed corrected pseudorange caused by a rangingsource fault, is not detected and reflected in the

broadcast Type 11 message within 1.5 s shall fallwithin the region specified in Table 2.In addition in Section 3.6.7.3.3.3, the probability of

a error, |Er|, greater than 1.6m on the 30 s smoothed

Fig. 8–Comparison of Airplane Response to Family of RampErrors and SimilarConstantAcceleration Errors

Fig. 9–Comparison of Ramp Error Family and Constant Acceleration Error Familywith Simple Anomaly Detection


corrected pseudorange (Section 3.6.5.2), caused by aranging source failure, is not detected and reflectedin the broadcast Type 11 message within 1.5 s shallbe less than 1x10-9 in any one landing when multi-plied by the prior probability (Papriori).The analyses for each of these fault modes to

which the requirements apply are discussed in thefollowing section.

SATELLITE RANGING SOURCE FAILURES

Satellite failures that cause the measuredpseudorange to deviate from its intended value aretypically not a safety risk in a differential systembut certain satellite failure modes may createunacceptable differential errors due to their particu-lar nature. These are referred to as satellite rangingsource faults and the GAST D standard identifiesthe following four different types: excessive accel-eration, excessive carrier code divergence, excessiveephemeris errors, and signal deformation.For signal deformation the transmitted C/A code is

distorted due to a fault condition in the satellite.This in turn leads to a deformation of the correlationpeak. The deformation of the correlation peak will bemodified by the front end filtering and the resultingcode tracking further depends on the correlator typeand correlator spacing. DO-253C [37] contains theconstraint regions associated with these airbornecharacteristics. The typical outcome of signaldeformation is that since the ground and airbornefilters can have different characteristics the errorswill differ, resulting in a differential error. If thedeformation is present as the satellite is acquiredthe ground will detect it and the satellite will beexcluded from use. The scenario that is of interestfor the airworthiness assessment is the transientcase where there is a sudden failure in the satellitethat instantaneously exposes the differential systemto a deformed correlation peak. This results in adifferential pseudorange step (dpr) that due tothe smoothing in turn will result in an exponentialstep response

ER tð Þ ¼ 1� e�at� �dpr

where dpr, in the range of 1m to 35m, determines theinitial ramp rate and a=1/t=1/30 sec. This stepresponse together with the 10-9 1.6m limit associated

with the malfunction condition are illustrated inFigure 10.

Figure 10 shows how the 10-9 error would exceedthe 1.6m due to the 2.5 s time to alert. The largerthe slope, the further it goes in 2.5 s. Initially thiserror can be approximated by a ramp

ramp tð Þ ¼ a� err� t

but later it tapers off in magnitude and rate.The excessive acceleration affects the airborne

equipment because of the unavoidable delays inthe differential correction broadcast. An instantacceleration in the signal will immediately be sensedby the airborne receiver and cause an error in theestimated airplane position. The ground station willsense the same acceleration but due to communicationand processing both in the ground systemand airbornesystem there is a nominal delay of t seconds (2.5 s). TheGBAS standard includes a differential correction rateused for linear extrapolation to the current time thatreduces the error due to the delay but there is nomeans of including the effect of an acceleration in thisextrapolation. The pseudorange acceleration, A,caused by the fault is unlimited in magnitude. Theerror is 0.5�A�t2 for t in the interval [0,t]. After that,t ≥ t, the error is constant and equal to 0.5�A�t(t+0.5) or the satellite is excluded based on therequirement that ER=0.5�A�t(t+0.5) meets the pmd

constraint (10-9 at 1.6m). The extra 0.5 s term relatesto the way the correction rate is formed based on adifference of two differential corrections and then usedin the extrapolation. The resulting errors are shown inFigure 11 for accelerations in the range 0.1 to 1m/s2.

The major reason for the carrier code divergence(CCD) error is that the airborne system (accordingto DO-253C) may use a time variant time constantequal to elapsed time from initialization for the first30 s instead of a fixed time constant of 30 s (after 30 sthe airborne is required to use a fixed time constantof 30 s). The fault mechanism is best described by

Typical Detections

0.5 m

1.0 m

1.5 m

5.0 m

Err = [0.5 1.0 1.5 2.0 2.5 3.0 3.5 4.0 5.0] metersSDM

Fig. 10–Signal Deformation Malfunction Transient

Table 2—Pmd_limit Parameters

Probability of Missed Detection Pseudorange Error (metres)

Pmd_limit≤1 0≤|Er|<0.75Pmd_limit≤10(�2.56�|Er|+1.92) 0.75≤|Er|<2.7Pmd_limit≤10-5 2.7≤|Er|<1


the Laplace block diagram in Figure 12.As can be seen, the fault mechanism no longer has

any impact if the fault is occurring 30 s after initializa-tion since the time constants are then the same. Theimpact of a carrier code divergence rate (in cm /s) canbe simulated based on the block diagram and thedifference between ground and air is shown inFigure 13 assuming divergence starts immediatelyafter initialization of the smoothing filter in theairborne system. If the CCD rates are carrier driven(code is correct while carrier is drifting), rates greaterthan 40 cm/s typically do not pass the rate and accel-eration monitors. However, if the CCD rates are codedriven, errors may result as shown in Figure 13. It isalso clear from Figure 13 that the error cannot belimited to 1.6m if the rate is increased indefinitely. AMOPS (DO-253C) change has been identified to delaythe incorporation of satellites into the guidancesolution until 30 s has passed to assure the SDMmonitor has enough time to exclude a satellite whenthe fault occurs just before initialization. The CCDfault impact is similar to the SDM impact in that itstarts out as a ramp and then reduces in size andrate and its impact can therefore conservatively bemodeled by a ramp. Note that if the incorporation of

satellites into the guidance solution is delayed then thefault may manifest itself as a step rather than a ramp(see grey line marking the 30 delay in Figure 13).The excessive ephemeris fault is currently split

into three categories: A1, A2, and B. In Category Bthe broadcast ephemeris data is in error due to anOCS-blunder or satellite glitch. The ephemerismonitor always checks the satellite positions in thesection of the orbit that will be used in the groundcalculations before they are used so that the fault isdetected before any differential corrections affectedby the fault are broadcast. The core threat inCategory A1 is broadcast of stale (unchanged)ephemeris parameters after a delta-V maneuverout of view (satellite healthy at acquisition). Thedetection of the fault is part of the acquisitionprocess and no differential corrections will be broad-cast if a fault is detected.The threat in Category A2 is an unannounced

delta-V maneuver in view. In this case the faultcannot be detected in advance. The satellite isdrifting off and at some point the satellite positionerror will be detected. The satellite needs to be atleast several kilometers off to produce a 1.6m radialerror at 10 km. This fault impact can consequentlybe modeled as a slow ramp.

GROUND STATION SINGLE REFERENCERECEIVER FAILURES

Appendix A gives a derivation of the probability ofmissed detection (Pmd) for the Reference ReceiverFault Monitor (RRFM) as defined in the MOPS [37]and supported by SARPS requirements [38]. Thederivation is then used to compute the largesterror that a user can be exposed to with a probabilityof greater than 10-9. It is anticipated that such anerror characterization would be used in assessingairplane landing system performance given a GBAS

30/s11

/s11

+

+

+

= t for t 30 s = 30 s t > 30 s

CCD rates1

Air

Ground

Fig. 12–Excessive CCD Range Error

Typical Detection

Fig. 13–CCD Errors

Err = [0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1.0] m/s2

1.0 m/s2

0.9 m/s2

0.8 m/s2

0.7 m/s2

0.6 m/s2

0.5 m/s2

0.4 m/s2

0.3 m/s2

0.2 m/s2

0.1 m/s2

Typical Detection

ACC

Fig. 11–Excessive Acceleration Range Error


malfunction (i.e., a worst case single reference recei-ver failure in this case).The derivation in Appendix A shows that if no

additional geometry screening is imposed by theairborne equipment other than VPL<VAL=10m,then the worst case error that can exist with a prob-ability of greater than 10-9 after RRFMmonitoring is9.35m in the vertical. Also assuming no additionalgeometry screening, the RRFM provides a maximumeffective threshold of 6.5m. However, these worstcase conditions are driven by cases where only tworeference receivers are used which is probably not arealistic scenario. Appendix A also includes a discus-sion of possible geometry screening that might beimposed by the airborne equipment with little or noimpact on availability. With appropriate geometryscreening, much smaller values of the maximumerror and effective thresholds for this fault modecan be obtained.The lateral error situation is similar in that if no

additional geometry screening is imposed, then theworst case error that can exist with a probability ofgreater than 10-9 after RRFM monitoring is 35.9min the lateral direction. Also, again, assuming noadditional geometry screening, the RRFM providesa maximum effective threshold of 24.5m in thelateral direction. These worst case conditions aredriven by cases where only two reference receiversare used which is probably not a realistic scenario.The appendix shows that geometry screening canbe employed to substantially lower the worst caseerror (and effective threshold). The most straightforward solution is to geometry screen based on thecomputed threshold TB _air _ lat. If this approach ischosen, then the maximum error that can persistwith a probability of greater than 1x10-9 can be readdirectly from the graph in Figure 22 (in Appendix A)for any particular limit imposed on TB _ air _ lat.

IONOSPHERIC ANOMALIES

Ionospheric anomalies caused by solar storms cancause large changes in error over relatively shortbaselines [39–43]. A significant amount of efforthas gone into implementing mitigations for thepotential errors that could be induced in a GBAS sys-tem by such ionospheric anomalies [44–50]. Themitigations introduced for GAST D include monitor-ing in the airborne equipment, improved monitoringin the ground subsystem, some GBAS siting con-straints and a limitation on the range of ionosphericthreats (i.e., a standardized threat space).References [51] and [52] discuss the analysis done

to validate the ionospheric anomaly mitigations.That analysis showed the largest error that canpersist in the pseudorange after application of all ofthe iono-anomaly mitigation measures is 2.75m.

Figure 14 shows the plot of the maximum error inthe pseudorange domain for any phasing of airplanemotion and front motion as a function of front speedrelative to the reference pierce point after takinginto account airborne CCD monitoring, positiondomain dual solution monitoring, and groundsubsystem monitoring of the absolute gradientbetween reference antennas. The effect of CCDmonitoring in the ground subsystem is not takeninto account in Figure 14 since it is not specified inthe GAST D requirements. However, using an exam-ple design, only the shape of the maximum errorcurve is changed, and the peak value is unaffected.

Figure 15 shows the maximum rate of change of thevertical or horizontal position domain error due toionosphere anomalies that can be experienced at anypoint during the approach up to the point of detection,if it occurs, for the same ionosphere anomalymonitors. The discontinuity at 1350m/s arises froman assumed threat space limitation that is assumedof 100mm/km gradients for ionosphere front ground

Fig. 14–Maximum Range Errors Persisting after IonosphericMitigations

Fig. 15–Maximum Rate of Position Errors During Approach orUntil the Point of Detection


speeds greater than 750m/s as is described in [1].Pierce point motion is assumed at a shell height of350km to reach speeds of 600m/s for a maximumfront speed relative to the pierce point of the sum, or1350m/s. Note that for high relative speeds, themaximum possible error rate is driven by the initialcarrier phase run-off and only persists for the time-to-detect. This rate approaches the product of themaximum gradient and the relative front speed inthe range domain, multiplied by the position solutionprojection in the position domain.

For both Figure 14 andFigure 15, the airborne CCDmonitor was assumed to detect after the test statistichas exceeded the threshold plus six times the noisestandard deviation for up to a time-to-detect of 1.5 sto approximate a 10-9 probability of missed detection(Pmd). The absolute gradient monitor was assumedto detect within the requirement of 1.5m divided bythe threshold distance of 5km, or 300mm/km within2.5 s. It has been shown that this is feasible with amissed detection probability approaching even 10-9

[35]. Finally, the position domain dual solution moni-tor was assumed to detect after the dual solutionexceeded the required 2m threshold plus six timesthe standard deviation of the measurement noise toapproximate a 10-9 Pmd. These are very conservative

assumptions. Themaximum position error rate due toionospheric anomalies at a typical time of detection isless than one meter per second.Ionospheric anomalies are caused by environmen-

tal factors such as space weather resulting fromstrong solar activity. They have been modeled forseveral parts of the world by a large internationaleffort, to determine a practical and representativemodel that anyone could use for airworthinessdemonstrations. Indeed, demonstrations supportingprecision approach certification are anticipated tobe performed once and for all airports withapproaches targeted by the type certificate.However, a lack of hindsight and a lack of suffi-

cient historical data prohibit using a statisticalapproach to demonstrate airworthiness during largeionospheric events. Indeed, precise environmentalconditions and their associated probability of occur-rence > or < 10-9 could not be determined for largepeaks of errors that may be encountered by theaircraft. Assuming this phenomenon is obviouslynot caused by a system failure, is environmental(i.e., external to the GBAS system including theaircraft), and is not predictable, it has been foundadequate to consider this phenomenon as a malfunc-tion event from the airworthiness point of view. As a

Table 3—Malfunction Transient Characteristics in the Vertical Direction

Fault TypeServiceType

Ramp Rates[m/s]

EffectiveVAL [m] Emax [m]

EffectiveThreshold [m]

Time to Detect(TTD) [s]

Ranging SourceFailures

GAST C 0 - 1 10 Dependent N/A 6GAST D 0 - 1 1.6� Svert Dependent 0.75� Svert 2.5

Iono Anomaly GAST C [ 0 – 2 ] N/A 10 N/A N/AGAST D [ 0 – 2 ] N/A [2.75] � Svert N/A N/A

[2.75 ]� Svert2Single Ref ReceiverFailure

GAST C 0 - 1 10 Dependent N/A 6GAST D 0 - 1 9.35

[note 1]Dependent 6.5

[note 1]2.5

Note 1: These values are an absolute worst case assuming no geometry screening is done based on TB_air_vert or M. Only geometryscreening of VPL<VAL=10m is assumed. Smaller maximum values can be obtained by using additional geometry screening per refer-ence [53].

Table 4—Malfunction Transient Characteristics in the Lateral Direction

Fault TypeServiceType

Ramp Rates[m/s]

EffectiveLAL [m] Emax [m]

EffectiveThreshold [m]

Time to Detect(TTD) [s]

Ranging SourceFailures

GAST C 0 - 1 40 Dependent N/A 6GAST D 0 - 1 1.6 � Slat Dependent 0.75� Slat 2.5

Iono Anomaly GAST C [ 0 – 2 ] N/A 40 N/A N/AGAST D [ 0 – 2 ] N/A [2.75] � Slat N/A N/A

[2.75] � Slat2Single Ref ReceiverFailure

GAST C 0 - 1 40 Dependent N/A 6GAST D 0 - 1 35.9

[note 1]Dependent 24.5

[note 1]2.5

Note 1: These values are an absolute worst case assuming no geometry screening is done based on TB_air_lat or M. Only geometry screen-ing of LPL<LAL=40m is assumed. If geometry screening of LPL<LAL=10m is applied, then the values for Effective LAL and EffectiveThreshold would be the same as the values given in Table 3 for Effective VAL and Effective Threshold respectively. Smaller maximumvalues can be obtained by using additional geometry screening per Reference [19] (e.g., a limitation on TB_air_lat or M).


consequence, it is chosen to assess the aircraft air-worthiness against this event with a deterministicapproach.Enhanced modeling of ionospheric anomalies

including probability of occurrence could enable inthe future the adoption of a statistical approachand incorporate it into Monte-Carlo simulations. Inthe meantime, improved monitoring capability andmitigation techniques should be associated withenhanced space weather prediction capability froma ground network, in order to warn crews when con-ditions might exceed the aircraft certificate envelopeas it is done with large crosswind conditions.

GBAS FAULT MODEL SUMMARY

A summary of the parameters for the GBAS faultmodel is given in Table 3 and Table 4 for vertical andlateral errors, respectively. Note that the characteris-tics of the fault (i.e., magnitude and effective thresh-old) are functions of geometry screening parameters,Svert Svert2, Slat and Slat2. Svert (Slat) is the largestvertical (lateral) coefficient magnitude for any singlesatellite. Svert2 (Slat2) is the largest sum of vertical(lateral) coefficient magnitudes for any two satellites.These parameters are set by the airframer to ensurethat the maximum fault mode error magnitudes areacceptable given the airplane performance.It is the airframer responsibility to determine the

most critical altitude at which the failure needs tobe injected as well as all the geometry screeningparameters and thresholds that will impact the sizeof the errors.Attention must also be paid to the way the GBAS

receiver outputs the deviations from the intendedflight path. Indeed, in the angular case for the glideslope, a failure injected as a ramp will not result ina ramp at the output of the GBAS receiver.

CONCLUSIONS

This paper has reviewed the current state of devel-opment of a GBAS signal model which has beendeveloped to support airworthiness assessments. Inparticular, the characteristics of anticipated faultmodes have been explored. A simple ramp errormodel is proposed and the characteristics of the ramperrors as a function of aircraft integrator definedthresholds and geometry screening are presented.The next step for this work is to have this model

internationally recognized and accepted by airworthi-ness authorities in the frame of rulemaking activities,contributing to GBAS GAST D proof of concept andproviding GBAS Category III certification baselinefor aircraft manufacturers.

ACKNOWLEDGMENTS

The authors would like to acknowledge the manypeople whose efforts made this paper possible. Thework described in this paper builds on the work doneby many people over the course of many years. Inparticular, the authors would like to acknowledgethe efforts of Christel Ravier, Diane Rambach,Barbara Clark, Sam Pullen, Boris Pervan, LinganSatkunanathan, Gary McGraw, Pierre Neri,Christophe Macabiau, Young Nam, Tom Zalesak,and Mike Braasch, all of whom have contributed atone point or another to the modeling of GBAS errors.

The authors would also like to thank JimVandenBrooke, Tiffany Lapp, and Dan O’Laughlinfor their careful review of the paper and thethoughtful comments they offered.

APPENDIX A

This appendix explains how to determine Pmd forthe RRFM and how to compute the largest error thata user may see with a probability of greater than 10-9

due to failure of a single reference receiver whenusing GAST D. The derivation draws heavily fromreferences [54] and [55].

Review of Monitor and Computation of PmdPerformance

Recall from the MOPS [37] that the form of theMonitor is (considering only the vertical forsimplicity’s sake):

Bj Apr vert�� þDV≤TB air vert (A:1)

where

Bj Apr vert ¼XNi¼1

SApr vert;iB i; j½ � (A:2)

and

TB air vert ¼ Kffd B

ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffis2B vert þ s2DV

q(A:3)

and finally,

s2B vert ¼XNi¼1

S2Apr vert;is

2pr gnd 100;i

U i½ � (A:4)

So, it can be seen that the instantaneous geometryaffects both sides of Equation (A.A.1). However, forany given geometry, the size of TB_air_vert is known.Therefore the probability of missed detection can alsobe computed if the distribution of the noise on the detec-tion statistic in the faulted circumstance is known.

The probability of missed detection, Pmd, as afunction of the size of the bias in the vertical errorEV due to the single RR fault is given by:


Pmd EVð Þ ¼ Prob Bj;vert EVð Þ�� þ Vdiff

�� ≤TBAC

� �(A:5)

Where Vdiff is the difference between the 30 ssmoothed position solution and the 100 s smoothedposition solution in the vertical direction.Consequently,

DV ¼ Vdiff

�� (A:6)

Under the assumption that Bj,vert and Vdiff are inde-pendent Gaussian random variables, the Pmd forthe monitor can be computed by:

Pmd EVð Þ ¼Z10

ZTBAC�y

0

pBmd x;EVð ÞpDV yð Þdxdy (A:7)

Where pBmd(x, EV) is the probability density function(pdf) of |Bj,vert(EV)| in the faulted circumstance given by

pBmd x;EVð Þ ¼ x≥0; dnorm x;EV ; sBmdð Þ þ dnorm �x;EV ; sBmdð Þx < 0; 0

�(A:8)

where dnorm(x,m,s) is the Gaussian pdf

dnorm x; m; sð Þ ¼ e�x�mð Þ22s2ffiffiffiffiffiffi2p

ps

(A:9)

It has been previously shown [54, 55] that in thefaulted circumstance, sBmd is given by

sBmd ¼ sB;vertffiffiffiffiffiM

p (A:10)

Since DV is the magnitude of Vdiff, pDV(y) is givenby

pDV yð Þ ¼y≥0;dnorm y; 0; sDVð Þ þ dnorm �y; 0; sDVð Þ¼ 2� dnorm y; 0; sDVð Þ

y < 0; 0

8<:

(A:11)The expression for computing Pmd(EV) given by

Equation (A.7) is exact. However, it involves doubleintegration of pdfs, which is inconvenient and timeconsuming. Therefore, a bounding approximation forPmd(EV) can be formulated by making the followingobservation. Since DV is always positive, including DV

in the decision statistic actually decreases the effectivethreshold (and thus the probability ofmissed detection)for a given size of |Bj,vert(EV)|. Therefore, ignoring theeffect of DV in the decision statistic (but not in thesetting of the threshold TBAC) gives an upper boundon Pmd(EV). The resulting approximation involves onlya single integration

PmdApprox EVð Þ ¼ZTBAC

0

pBmd x;EVð Þdx (A:12)

A plot of both Pmd(EV) and PmdApprox(EV) vs EV isgiven in Figure 16. Note that the approximationprovides a close upper bound. The value of EVbnd is

only 0.25m to 0.5m larger than the value of EV forwhich PmdApprox(EVbnd) =Pmd(EV).For a given aircraft integration, a largest tolerable

error exists such that any larger error would resultin an unacceptable landing. A potential geometryscreening is implied by Equation (A.12). For a givengeometry, the probability of the maximum tolerableEV can be determined by the relationship in (A.12).If the Pmd(Ev)*a priori probability is greater than1x10-9, then the geometry is unacceptable. Sincethe maximum a priori probability of a singlereference receiver fault is (now) specified as 1x10-5/approach, then if Pmd(Ev)>1x10-4, the geometry isunacceptable. Thus, the RRFM monitor can be usedas a means of geometry screening.

Computation of the Maximum Error PostMonitoring

For the purposes of airworthiness certification, weare interested in computing the largest error thatcan occur and be undetected with greater than 10-9

probability. To determine this we need to determinethe largest value of the threshold TB_air_vert thatcan result from any geometry and then the largestvalue of sB, vert in Equation (A.4). To do this wefollow the derivation given first in [54]. A completederivation with computations based on slightlydifferent assumptions is given in [34].Figure 17 shows a plot of the Pmd for RRFM given

the maximum TB _air _ vert and sB, vert as computed inreference [34] for M=4 and VAL=10m. The compu-tation of the curve is per Equation (A.12). Alsoshown on the plot is the maximum Ev (Max Ev) wherePmd(Ev)�(prior probability of a single referencereceiver) is equal to 1�10-9. For GAST D the priorprobability is required to be 1�10-5 or smaller. Hencethe required Pmd(Ev) is 1�10-4 or smaller. So, themaximum size of an error induced by failure of asingle reference receiver that can exist after monitor-ing with a probability of 1�10-9 is 4.45m.

0 1 2 3 4 5 6 7 8 9 10 11 121 .10

10

1 .109

1 .108

1 .107

1 .106

1 .105

1 .104

1 .103

0.01

0.1

1

meters

Pmd j

PmdApprox j

Ej

Fig. 16–Single RR Fault Airborne Monitor Pmd – Exact andApproximation

(A.11)


Figure 18 shows the computation of TB _air _ vert andMax Ev for other values of VAL. It can be seen thatmore aggressive geometry screening (i.e., VPL≤VAL10m) results in smaller maximum detection thresh-olds (TB _air _ vert) and consequently smaller Max Ev.This illustrates that VPL geometry screening is onepossible method to reduce the maximum error andeffective threshold for RRFM. Figure 19 shows thePmd(Ev), TB _air _vert and Max Ev, for M=2, 3 and 4.Note that as the number of active reference receiversdecreases, the detection threshold and Max Ev areincreased substantially. For normal operations witha GAST D ground station, M=3 is considered a prob-able situation. Continued operationswithM=2 seemsless likely. (It is not likely that the ground station canmeet the continuity requirements with only two recei-vers, so it may have to annunciate GAST C as the sta-tus when it goes to two receivers.) However there isnothing in the currently proposed standards explicitly

precluding the use of a signal from a FAST D groundstation which has only two active reference recei-vers. Figure 20 shows the computation of TB _air _vert

and Max Ev for other values of VAL and M=2, 3 or 4.Again, more aggressive geometry screening (i.e.,VPL≤VAL<10m) results in smaller maximum detec-tion thresholds (TB _air _ vert) and consequently smallerMax Ev for a given M. This illustrates that not only isVPL geometry screening one possible method toreduce the maximum error and effective thresholdfor RRFMbut that it could be used in conjunctionwithgeometry screening based on M.

It is important to understand that the metho-dology used to compute the maximum TB _ air _ vert

and Max Ev above is a conservative approximationbased on some assumptions about the relativelevels of noise. To check the veracity of thisapproximation a simulation was constructed. Thedetails of the simulation and the results aregiven in [34]. The results of the simulation were

Fig. 17–Pmd(Ev) for RRFM given M=4 and the AssumptionsListed in Reference [34]

Fig. 18–Max Ev and TB _air _ vert as a function of VAL

Fig. 19–Pmd for RRFM as a function of M and the AssumptionsListed in Reference [34]

Fig. 20–Max Ev and TB _air _ vert as a Function of VAL and M


in close agreement with the results obtained fromthe approximation.

TB _ air _ vert and sB, vert are related per Equation(A.3). Consequently, for a given value of sDV, sB, vertis a direct function of TB _ air _ vert:

sB vert ¼ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiTB air vert

Kffd B

2

� s2DV

s(A:13)

Since, Max Ev is a function of TB_air_vert and sB,vert,this suggests that the magnitude of Max Ev

can be limited directly by geometry screeningwith TB_air_vert. Substituting Equations (A.8), (A.10)and (A.13) into Equation (A.12) we obtain:

Max Ev(TB _air _ vert) can be determined by solvingthe above equation for

PmdApprox EVð Þ ¼ 10�9

Pprior¼ 10�9

10�5 ¼ 10�4 (A:15)

Figure 21 shows a plot of Ev as a function ofTB _air _ vert assuming the prior probability of a refer-ence receiver failure is 1x10-5. There are still threedifferent curves, representing the cases of M=2, 3and 4. (Examination of Equation (A.14) reveals

that Max Ev(TB _ air _ vert) depends on M.) The maxi-mum values of TB _ air _ vert that should ever beencountered for each M are also indicated on thegraph. An airframe integrator could decide to imple-ment a limit on the acceptable TB _ air _ vert andthereby limit the Max Ev. For example, if the maxi-mum TB _ air _ vert was set to 4.5m, then the Max Ev

given M=2 would be about 6m. The value of 4.5mfor TB _ air _ vert is somewhat above the largest valueof TB _ air _ vert that should ever be encountered ifM= 3 (based on both the approximation and simula-tion results above). Hence, geometry screening withTB _ air _ vert ≤ 4.5m should never impact availabilityif the ground station has at least three active

reference receivers (which should virtually alwaysbe true).Reference [34] contains a derivation for the maxi-

mum error in the lateral direction, EL, similar to thatgiven above for EV. The results of that analysis arerepeated here for convenience.Figure 22 shows a plot of Max EL as a function of

TB _air _ lat for the cases of M=2, 3 and 4. Note: Thefigure clearly shows that the Maximum EL that couldbe encountered with a probability of greater than

Fig. 21–Max Ev as a Function of TB _air _ vert (or Tbac)Fig. 22–Maximum EL as a Function of the Lateral RRFMThreshold

PmdApprox EVð Þ ¼ZTBAC

0

dnorm x;EV ;

ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi1M

TB air vert

Kf f d B

2

� s2DV

!vuut0@

1A

þdnorm �x;EV ;

ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi1M

TB air vert

Kf f d B

2

� s2DV

!vuut0@

1A

0BBBBBB@

1CCCCCCAdx (A:14)


1x10-9 is limited for a given TB _air _ lat. Hence, a geo-metry screening based on TB _air _ lat can be used tolimit the Maximum EL.

REFERENCES

1. ICAO NSP May 2010 WP 59, “Development BaselineSARPs Proposal,” presented by TimMurphy, Montreal,17–28 May 2010.

2. ICAO NSP Nov 09 WGW/Flimsy 6, “ConceptualFramework for the Proposal for GBAS to SupportCAT III Operations,” 2009.

3. Clark, B., and DeCleene, B., “Alert Limits: Do We NeedThem for CAT III?” Proceedings of the 19th InternationalTechnical Meeting of the Satellite Division of The Insti-tute of Navigation, Fort Worth, TX, September 2006,pp. 3070–3081.

4. Shively, C., “Comparison of Methods for DerivingGround Monitor Requirements for CAT IIIB LAAS,”Proceedings of the 2007 National Technical Meeting ofThe Institute of Navigation, San Diego, CA, January2007, pp. 267–284.

5. ICAO NSP WG 1&2 IP 18, “Vertical Alert LimitRequirement for a Level of Service of GBAS Appropri-ate to Support CAT II/III Operations”, Montreal:Bruce DeCleene, 2005.

6. Murphy, T., “Development of Signal in Space Perfor-mance Requirements for GBAS to Support CAT II/IIILanding Operations,” Proceedings of the 15th Interna-tional Technical Meeting of the Satellite Division ofThe Institute of Navigation, Portland, OR, September2002, pp. 20–28.

7. Murphy, T., “Considerations for GBAS Service Levelsto Support CAT II/III Precision Approach,” ICAOGNSSP-WP-19 Meeting, Yokohama, October 2000.

8. FAA Advisory Circular 120-28D, “Criteria forApproval of Category III Weather Minima for Takeoff,Landing and Rollout,” July 13, 1999.

9. EASA, CS AWO 1, “Joint Aviation Requirements – AllWeather Operations,” Subpart 1, “Automatic LandingSystems.”

10. Swider, R., Miller, D., Shakarian, A., Flannigan, S.,and Fernow, J. P., “Development of Local AreaAugmentation System Requirements,” Proceedings ofthe 9th International Technical Meeting of the SatelliteDivision of The Institute of Navigation, Kansas City,MO, September 1996, pp. 35–49.

11. ICAONSPMay10WGW/WP19, “SARPSSupport forAir-worthiness Assessments -More on GLS Signal Modeling,”presented by TimMurphy, Montreal, 17–28 May 2010.

12. ICAO NSP Mar 09 WGW/WP 30, “SARPS Support forAirworthiness Assessments GLS SignalModeling,” pre-sented by Tim Murphy, Bretigny, 17–27 March 2009.

13. Neri, P., Macabiau, C., Azoulai, L., andMuller, J., “GBASNSE Model for CAT II/III Autoland Simulations,” Pro-ceedings of the IEEE Position Location and NavigationSystems (PLANS) Conference, San Diego, CA, May 2010.

14. ICAO NSP Nov 09 WGW/IP 9, “GAST D GBAS SignalModel Assessment by ENAC and AIRBUS,” Presentedby Tim Murphy, November 2009.

15. Neri, P., Macabiau, C., and Azoulai, L., “Study of aGBAS Model for Cat II/III Simulations,” Proceedings

of the 22nd International Technical Meeting of theSatellite Division of The Institute of Navigation,Savannah, GA, September 2009, pp. 1112–1123.

16. Boeing Document D6-83447-5, “Volume V – Charac-terization of the GBAS System Output,” Rev New,October 19, 2005.

17. ICAO NSPWGW IP/17, “A Noise Model for Simulationof Nominal GBAS Errors to Support AirworthinessCertifications”, Navigation Systems Panel, CAT II/IIISubgroup (CSG): Montreal, 18–20 October 2004.

18. Navarro, J.-J., “GBAS Position Error Model,” EURO-CAE WG 28, Working Paper 11, Germany, March2002.

19. Murphy, T., Anderson, L., Harris, M., and Tang, N.,“CAT III Simulated Landing Performance for GLS andILS Systems,” Proceedings of the 14th InternationalTechnical Meeting of the Satellite Division of TheInstitute of Navigation, Salt Lake City, UT, September2001, pp. 1679–1688.

20. Nam, Y., et al. “A GBAS Landing System Model for CATI,” Proceedings of the International Association of Insti-tutes of Navigation (IAIN) Conference, San Diego, CA,June 2000.

21. Nam, Y. and Zalesak, T., “GPS/LAAS CertificationModel,” internal NAWCAD Report (not generallyavailable but largely reproduced in Reference [22]).

22. ICAO Paper GNSSP-WP-8, “Validation of GBAS CAT IAccuracy: A GLS Model and Autoland Simulations forBoeing Airplanes,” ICAO Global Navigation SatelliteSystems Panel, Working Group B Meeting, Seattle,WA, May 29 - June 9, 2000.

23. McGraw, G., Murphy, T., Brenner, M., Pullen, S., andvan Dierendonck, A. J., “Development of the LAASAccuracy Models,” Proceedings of the 13th Interna-tional Technical Meeting of the Satellite Division ofThe Institute of Navigation, Salt Lake City, UT,September 2000, pp. 1212–1223.

24. Braasch, M. and McGraw, G., “GPS Receiver TrackingLoop Modeling to Support Autoland Simulations,”Proceedings of the 1996 National Technical Meetingof The Institute of Navigation, Santa Monica, CA,January 1996, pp. 27–33.

25. Ravier, C., Rambach,D., Plantecoste,M.O., andAzoulai,L., “GBAS Cat 2/3 Failures Assessment,” presented toRTCA SC 159 WG 4 and AWO HWG, October 2009.

26. EASA CS 25.1309, Large Aeroplanes - Equipment,Systems and Installation.

27. FAA Advisory Circular 25.1309-1A, “System Designand Analysis,” 6/21/88.

28. EASA AMC 25.1329 Automatic pilot.29. FAA Advisory Circular 25.1329-1B, “Approval of

Flight Guidance Systems,” dated 7/17/06.30. Ravier, C., Azoulai, L., and Rambach, D., “Vertical

Criterion for GAST D Failures Assessment,” presentedto RTCA SC 159 WG 2C and WG 4, June 2010.

31. Harris, M. and Murphy, T., “Geometry Screening forGBAS to Meet CAT III Integrity and ContinuityRequirements,” Proceedings of the 2007 NationalTechnical Meeting of The Institute of Navigation,San Diego, CA, January 2007, pp. 1221–1233.

32. Brenner, M. et al., “RTCA SC-159 WG2 Position Paper(Version 1),” presented to RTCA SC 159 WG 2C,January 2009.


33. Annex 10 to the Convention on International CivilAviation, Volume 1, “Radio Navigation Aids,” Attach-ment G, Section 2.5.2 and Figure G-1.

34. ICAO NSP May 2010 WGW/WP 16, “Computationof Maximum Undetected Error for RRFM inSupport of Airworthiness Assessments,” NavigationSystems Panel, Working Group of the Whole,Montreal, 17–28 May 2010.

35. ICAO NSP May 2010 WGW/WP 14, “Validation ofIonospheric Anomaly Mitigation for GAST D”, Naviga-tion Systems Panel, Working Group of the Whole:Montreal, 17–28 May 2010.

36. ICAO NSP Nov 2009 WGW/WP 28, “Validation ofGAST D Mitigation of Errors Induced by IonosphericDecorrelation,” Montreal, November 2009.

37. RTCA DO-253C, “Minimum Operational PerformanceStandards for GPS Local Area Augmentation SystemAirborne Equipment,” December 16, 2008.

38. ICAO NSP July 09 CSG/WP 10, “GAST D SingleGround Subsystem Reference Receiver Fault Require-ments Report of the H1 Ad-hoc Group.”

39. Luo,M., Pullen, S.,Walter, T., and Enge, P., “IonosphereSpatial Gradient Threat for LAAS: Mitigation andTolerable Threat Space,” Proceedings of the 2004National Technical Meeting of The Institute ofNavigation, San Diego, CA, January 2004, pp. 490–501.

40. Luo, M., Pullen, S., Datta-Barua, S., Zhang, G., Wal-ter T., and Enge, P., “LAAS Study of Slow-MovingIonosphere Anomalies and Their Potential Impacts,”Proceedings of the 18th International TechnicalMeeting of the Satellite Division of The Institute ofNavigation, Long Beach, CA, September 2005, pp.2337–2349.

41. Pullen, S., Park, Y. S., and Enge, P., “Impact andMitigation of Ionospheric Anomalies on Ground-based Augmentation of GNSS,” Radio Science, Vol. 44,2009.

42. Datta-Barua, S., et al., “Ionospheric Threat Parame-terization for Local Area GPS-Based Aircraft LandingSystems,” Submitted to AIAA Journal of Guidance,Control, and Dynamics, August 2009.

43. Ramakrishnan, S., Lee, J., Pullen, S., and Enge, P.,“Targeted Ephemeris Decorrelation Parameter Infla-tion for Improved LAAS Availability During SevereIonosphere Anomalies,” Proceedings of the 2008National Technical Meeting of The Institute of Naviga-tion, San Diego, CA, January 2008, pp. 354–366.

44. ICAO NSP/WG1 WP 26, “Mitigation of Iono GradientThreat for GSL D,” New Delhi, March 6, 2007.

45. Saito, S., Yoshihara, T., and Fujii, N., “Development ofan Ionospheric Delay Model with Plasma Bubbles forGBAS,” Electronic Navigation Research Institute,Japan – Appendix 1 to IP 4 - NSP March 09 WGW/IP4, Brétigny-sur-Orge, 17–27 March 2009.

46. Murphy, T. and Harris, M., “Mitigation of IonosphericGradient Threats for GBAS to Support CAT II/III,”Proceedings of the 19th International Technical Meetingof the Satellite Division of The Institute of Navigation,Fort Worth, TX, September 2006, pp. 449–461.

47. Murphy, T. and Harris, M., “More Ionosphere AnomalyMitigation Considerations for Category II/IIIGBAS,” Proceedings of the 20th International Techni-cal Meeting of the Satellite Division of The Instituteof Navigation, Fort Worth, TX, September 2007,pp. 438–452.

48. CSG July 2009 WP 17, “Ionosphere Anomaly MonitorsValidation Status 09071,” Presented by Tim Murphy,Seattle, WA, July 2009.

49. ICAO NSP/WGW Flimsy 7, “GAST D SARPS ProposalCurrent Baseline,” presented by Tim Murphy,Montreal, November 2009.

50. ICAO NSP WGW/WP 29, “Standard Threat ModelUsed in GAST D Ionospheric Monitoring Validation,”Presented by Tim Murphy, November 2009.

51. ICAO NSP May 2010 WGW/WP 14, “Validation ofIonospheric Anomaly Mitigation for GAST D”, Naviga-tion Systems Panel, Working Group of the Whole:Montreal, 17–28 May 2010.

52. ICAO NSP WGW/WP 28, “Validation of GAST DMitigation of Errors Induced by Ionospheric Decorre-lation,” Montreal, November 2009.

53. ICAO NSP May10 WGW/WP19, “Computation ofMaximum Undetected Error for RRFM in Support ofAirworthiness Assessments,” 2010.

54. Shively, C., “Derivation of Vertical Alert Limit forLAAS CAT III Autoland Considering Limit RiskRequirement,” Proceedings of the 60th Annual Meetingof The Institute of Navigation, Dayton, OH, June 2004,pp. 281–299.

55. Shively, C., “GBAS GAST-D (CAT IIIB) AircraftMonitor Performance Requirements for SingleReference Receiver Faults,” Proceedings of the 2009International Technical Meeting of The Institute ofNavigation, Anaheim, CA, January 2009, pp. 903–916.


Documents

Fault Modeling for GBAS Airworthiness Assessments