Heft 76/2002

des Instituts für Geodäsie

Heft 76/2002


Performance Evaluation of Satellite Navigation and Safety Case Development

XX, 132 S.

Auflage:  170

ISSN:  0173-1009




Vollständiger Abdruck der von der Fakultät für Bauingenieur- und Vermessungswesen der Universität der Bundeswehr München zur Erlangung des akademischen Grades eines Doktors der Ingenieurwissenschaften (Dr.-Ing.) eingereichten Dissertation.

Vorsitzender: Univ.-Prof. Dr.-Ing. B. Eissfeller
1. Berichterstatter: Univ.-Prof. Dr.-Ing. G. W. Hein
2. Berichterstatter: Univ.-Prof. Dr.-Ing. R. Onken

Die Dissertation wurde am 17. Mai 2001 bei der Universität der Bundeswehr München, Werner-Heisenberg-Weg 39, D-85577 Neubiberg,  eingereicht.

Tag der mündlichen Prüfung:  17. Januar 2002

(in Englisch)

Preface IX
Executive Summary XI
Übersicht XII
Table of Contents XIII
List of Figures XVII
List of Tables XIX
Notation XIX
1.  Introduction 1
     1.1  Objective 1
     1.2  Background 3
     1.3  Outline 8
2.  Satellite Navigation 13
     2.1  History 13
     2.2  Global Positioning System (GPS) 15
     2.3  Global Orbiting Navigation Satellite System (GLONASS) 16
     2.4  GPS, GLONASS and Civil Aviation 17
     2.5  Recent Developemnts - GALILEO 19
3.  Required Navigation Performance 20
     3.1  Overview 20
     3.2  Definitions 20
            3.2.1  Accuracy 20
            3.2.2  Integrity 21
            3.2.3  Availability 22
            3.2.4  Continuity of Service 22
     3.3  Proposal for a Consistent Set of RNP Parameters 22
     3.4  Requirements for Other Modes of Transport 28
4. Theory of Autonomous Integrity Monitoring 29
     4.1  General 29
            4.1.1  Observation Equation 30
            4.1.2  Measurement Model 30
            4.1.3  Dilution of Precision 31
     4.2  Receiver Autonomous Integrity Monitoring (RAIM) 32
            4.2.1  Hypothesis Testing 32
            4.2.2  Parity and Least-Squares-Residuals Method 34
              RAIM Requirements 36
              Availability of Failure Detection (FD) 37
              Availability of Failure Identification (FI) 37
              Failure Detection 38
              Constant-False-Alarm-Rate (CFAR)

              Constant-Probability-Of-Detection (CPOD)

              Failure Identification 39
            4.2.3  Constant-Detection-Rate/Variable-Protection-Level

              RAIM Requirements 42
              Availability of Failure Detection (FD) 42
              Availability of Failure Identification (FI) 42
              Failure Detection 43
              Failure Identification 43
     4.3  Aiding by Barometric Measurements (BARO-AIDING) 43
5.  Flight Trials Onboard Commercial Airliners 44
6.  Software Development and Quality Assurance 46
     6.1  General 46
            6.1.1  'High Quality' Software 46
            6.1.2  Specification of Quality Requirements 46
              Quality Factors                47
              Quality Criteria 47
            6.1.3  Software Quality Engineering and Assurance 49
            6.1.4  Software Development and Life-Cycle 50
              User Requirements 51
              Software Quality Assurance Plan 51
              Prototyping 52
              Software Development 52
     6.2  Development of the Data Evaluation Tool 55
            6.2.1  Development of the User Requirements 55
            6.2.2  Development of the Quality Model 56
            6.2.3  Definition of Quality Metrics 58
            6.2.4  Implementation of the Software Life-Cycle 60
7.  Data Evaluation 62
     7.1  General 62
     7.2  Description of Data Evaluation Tool 62
            7.2.1    Database System 62
            7.2.2    Visibility Scenarios 63
            7.2.3    Aircraft and Antenna Model 63
            7.2.4    Phases of Flight 64
            7.2.5    Flights included in the Database 65
            7.2.6    Accuracy 66
            7.2.7    Availability of RAIM Failure Detection and

            7.2.8    RAIM Failure Detection and Identification Algorithms 68
            7.2.9    Baro-Aiding 69
            7.2.10  Availability 69
            7.2.11  Continuity of Service 70
            7.2.12  GNSS Error Simulator 70
8.  Results 71
     8.1  System Performance 71
            8.1.1  Availability of Accuracy 71
            8.1.2  Predicted Availability of RAIM Detection &

            8.1.3  RAIM FDI Algorithms 77
            8.1.4  Analyses of Outages 78
            8.1.5  Result Compensation 79
            8.1.6  Availability and Continuity of Service 80
            8.1.7  Results of GNSS Error Simulations 80
            8.1.8  Representative Data and Saturation of Statistical

     8.2  Verification of RNP Parameters 87
9.  Safety Case Development 90
     9.1  Introduction 90
            9.1.1  Safety Case Concept 90
            9.1.2  History 92
            9.1.3  The ALARP Principle 93
     9.2  Safety Standards 94
     9.3  Proposed Risk Model 95
     9.4  Recent Developments - Regulatory Mechanism 97
            9.4.1  The Legislator (ICAO) 99
            9.4.2  The Safety Regulation Commission (SRC) 99
            9.4.3  The GNSS Dutyholder 100
            9.4.4  The Auditor 100
            9.4.5  The State Regulators 100
            9.4.6  The State Air Traffic Service Providers 101
     9.5  Application of the Risk Model 101
            9.5.1  Failure Identification Tree 102
            9.5.2  Hazard Assessment 103
10.  Multi-Modal Applicability 107
       10.1  General 107
       10.2  Maritime Transport 107
       10.3  Land Transport 108
11.  Conclusions 110
       11.1  Performance Evaluation 110
       11.2  Safety Case Development 111
       11.3  Summary 112
12.  Recommendations 113
References 115
Annex A - Definitions 122
Annex B - Abbreviations 125
Annex C - GPS Performance Standard 128
Annex D - Onboard Data Recording 129
Curriculum Vitae 132

(in Englisch)

In order to contribute to resolving the problem of restricted approvals of satellite navigation for operational use in civil aviation, a unique attempt was made to exhaustively evaluate and describe satellite navigation performance in the operational environment of commercial airliners through a scientific-technical approach. A total system concept was developed in order to progress the operational approval of satellite navigation applications in civil aviation. For the first time, parameters describing the Required Navigation Performance (RNP) were combined with those describing the performance of satellite navigation. The developed set of parameters established the basis for an exhaustive system evaluation comprising a unique flight trial programme – involving a wide-body airliner –, the development of a world-wide unique database and the subsequent data evaluation process. The overall aim was to demonstrate with a high level of confidence to what extend GPS RAIM could satisfy the developed set of requirements. With the proposal of a Safety Case concept, a methodology was developed and provided which would allow to demonstrate that operations based on satellite navigation can be approved as safe for the operational use in civil aviation.

The following sections summarise the major conclusions which can be drawn from the findings of the performance evaluation of satellite navigation and the Safety Case Development.


A set of parameters describing the Required Navigation Performance was established. They provide a consistent input into the performance evaluation process.

  1. Qualifiers have been developed to describe in practical terms Accuracy, Integrity, Availability and Continuity of Service for the implementation into the data evaluation tools.
  2. The required Accuracy was available for all visibility scenarios and during all phases of flight. This reduced the need to investigate the Availability of the navigation service in favour of the Availability of the Integrity function.
  3. No situation occurred where RAIM Detection was not available due to the fact that less than five satellites were predicted to be visible.
  4. When detection was declared reliable for the RAIM algorithms, detection did never occur and no faulty satellite signal was identified.
  5. The prediction of the system performance showed that FD Availability and the FDI Availability were met by un-aided RAIM only during En-route and Terminal phases of flight. Baro-aiding allowed to meet the requirements during the more demanding phases of flight for the theoretical visibility scenario. The
    dynamic environment during Departure, Initial and Final Approach showed a major impact, in particular, on the RAIM FDI Availability.
  6. This predicted performance was confirmed by the results achieved through two independent RAIM algorithms. The FD Availability requirement was met for the En-route and Terminal phases of flight without baro-aiding, but it required baro-aiding to fulfil the requirement during the more demanding phases of flight. These algorithm results were limited to Failure Detection, because the algorithms were never required to switch into Identification mode.
  7. A high degree of correlation can be observed between the results for two types of RAIM algorithms. This, on one hand, validates that their behaviour and performance is highly comparable; on the other hand, it verifies the correct implementation of the algorithms.
  8. Only one case existed where the maximum allowable outage duration of 300 seconds was exceeded during an en-route phase of flight. This problem was immediately solved when using the algorithms in their baro-aided implementation.
  9. The results obtained using the GNSS error simulator provided the evidence for the correct functioning of the algorithm when errors occur onboard the satellites. It was also demonstrated that the algorithms could handle double satellite errors.
  10. The ‘early warning’ capabilities of the algorithms demonstrated that the Horizontal Alert Limit was never exceeded and, therefore, any alarm was raised within the specified Time-to-Alarm.



  1. The concept of the Safety Case was developed as a means to facilitate the approval of operations based on GNSS in civil aviation.
  2. A Risk Model is proposed which propagates potential GNSS failures along an escalation path until they may lead to a fatal accident. It is shown how mitigation measures - as a series of barriers preventing a system failure escalating into a fatal accident - can ensure that the application of GNSS does not exceed the fraction of the Target Level of Safety which was assigned to it.
  3. A model of a hazard identification tree has been developed together with the associated hazard assessment in order to demonstrate the practical application of the Risk Model to the GNSS.
  4. All tools used to deliver any safety-relevant data have been developed following rules for producing ‘High Quality’ Software. Applying these standards for software development and quality assurance allows the Dutyholder to demonstrate that he has done everything which is ‘reasonably practicable’ to ensure himself and the Regulator about the correctness of his findings.
  5. Two different RAIM algorithms have been independently tested and implemented. They deliver throughout the data evaluation process similar results, which justifies that the obtained results can be considered as having a very high level of confidence.
  6. Investigations into the multi-modal applicability of the proposed Safety Case concept revealed that the concept would exceed the requirements that maritime users may have for their applications. It was felt that the concept would also be of benefit for terrestrial users, as and when they would start looking into safety-critical operations being dependent on GNSS.


In summary, evidence is provided that satellite navigation can be approved as safe for operational use in civil aviation, considering that an augmentation such as baroaiding may be at least required during the more demanding phases of flight. Two independent RAIM algorithms were implemented to confirm the results and a GNSS error simulator was used to provide additional evidence about the correct behaviour of the algorithms. It was argued that the areas of the Earth covered by the flight trials provided geographically representative data. However, saturation graphs showed that an increasing amount of data would improve the confidence level to be placed on the results. The following final chapter derives a number of recommendations from the obtained results.


zurück zum Heft-Verzeichnis






(4 MB)