This paper concerns itself entirely with the use of modernized GPS [1], [2], [3] and other new satellite navigation systems to aid the navigation of aircraft approaching airports and preparing to land. Vertically guided airport approach deserves such a focused treatment because it is the most demanding phase of flight. The associated requirements on the underlying navigation system are simply extraordinary. Navigation must be available greater than 99% of the time regardless of the weather. The navigation system must be especially reliable after an aircraft approach has commenced. A break in the continuity of the service must affect fewer than one in 100 000 aircraft approaches. In addition, the navigation system must guard vigilantly against the possibility of hazardously misleading information (HMI). In other words, the system must be able to detect any threatening faults or rare-normal events within a few seconds [often referred to as the time-to-alert (TTA)]. These faults are worrisome if they yield undetected navigation errors greater than five to fifty m (depending on the aircraft altitude). This sought after property is called integrity, and the risk of an integrity failure during the approach must be less than 10^{−7} to 10^{−9} per approach (depending on the minimum decision altitude). Further details on these requirements can be found in Section IV.

The approach operation is depicted in Fig. 1. The procedure can be roughly categorized by the lowest decision altitude (DA) enabled by the navigation system. Below this altitude, the pilot must be able to see the runway environment. If not, she or he must abort the landing. Lower DAs demand more crew training and more sophisticated navigation equipment on the ground and in the air. However, lower DAs are certainly desirable in bad weather.

Lateral navigation (LNAV) approach refers to approach procedures where the radio equipment gives lateral guidance only and the vertical information comes from barometric altimetry. A side view of an LNAV approach is shown in the top half of Fig. 2. As shown, the aircraft is allowed to “drive” at a certain barometric altitude until it reaches a specified distance from the airport. At that distance, it may “dive” to a lower altitude known to be clear of obstacles. These “drive and dive” procedures are not favored by pilots because the workload is quite high and any distractions are unwelcome during the stressful approach and landing phases of flight. Precise vertical guidance presents a much more manageable workload to the pilot and thus is significantly safer. This contrast is depicted in Fig. 2.

Worldwide vertically guided approach is an abiding goal of the aviation community. We would like to fly an aircraft down to an altitude of 200 ft anywhere in the world regardless of the weather and time of day, and without the use of any dedicated navigation equipment at the receiving airfield. Moreover, we hope that satellite navigation, especially modernized GPS, will provide the smooth vertical guidance needed to achieve this step towards increased air safety.

The Global Positioning System was developed by the U.S. Department of Defense (DoD) to provide precise estimates of position, velocity, and time to users worldwide. The DoD approved the basic architecture of the system in 1973, the first satellite was launched in 1978, and the system was declared fully operational in 1995 [4]. A GPS user can typically estimate their location with an accuracy of better than 10 m and determine time to better than 100 ns. Today, this capability serves more than 200 million users with a breathtaking variety of applications. Of these, a modest population of approximately 200 000 GPS users requires aviation integrity. However, this aviation number grows steadily since every new Airbus or Boeing aircraft is outfitted with a GPS receiver, and most new General Aviation aircraft also carry GPS.

For aircraft navigation, fault detection and isolation is paramount. Faults that may cause HMI must be noticed and mitigated in real-time. The operation of GPS has been very reliable and clearly reflects the extraordinary skill of the Air Force personnel that operate and maintain GPS. However, faults have occurred. Some are man-made and others are due to Mother Nature.

For example, the navigation data broadcast by the GPS satellites occasionally contain significant errors. As shown in Fig. 3, the GPS satellites are monitored by a relatively sparse ground control network (five stations are shown in Fig. 3 but eight new stations have been recently added [5]). Measurements at the ground stations are used to predict the orbit of the GPS satellites. These predictions are uploaded to the satellite and broadcast to the users. Generally, this estimated orbit is within 1 or 2 m of the true orbit [6]. However, the broadcast ephemeris occasionally contains some rather large errors. Between 1999 and 2007, errors greater than 50 m occurred on 24 different occasions. A true outlier occurred on April 10, 2007, when the broadcast ephemeris for Space Vehicle (SV) 54 contained an error of at least 350 m [7].

The navigation broadcast from each satellite also contains an estimate of the time offset of the onboard atomic clock relative to GPS system time. Nominally, this time offset is accurate to within nanoseconds. However, large clock runoffs were experienced on SV22 on July 28, 2001; SV27 on May 26, 2003; and SV35 on June 11, 2003. These events generated range measurement errors of 1000 m or more [8].

In Fall 1993, navigation engineers noticed that the signal from SV19 was anomalous. Specifically, the falling edge of the digital modulation was not synchronous with the master clock carried by the satellite. The falling edge of the modulation was occurring approximately 30 ns late. This lag caused a ranging error of approximately 3 m and position errors of up to 9 m or so (dependent on receiver and antenna design). This one-time event was cured by switching from the active modulation unit to the backup unit available on all GPS satellites [9]. Though such anomalous performance has only been observed once in GPS operational life, it presents an excellent example of the challenge associated with ensuring integrity at the required service levels.

From time to time, nature offers up a navigation challenge. We are reluctant to call these events *faults,* but these *rare-normal* events must be detected with equal certainty. The ionosphere is the most worrisome source of rare-normal events. The GPS satellites are at an altitude of 20 000 km, and their signals traverse the ionosphere, which occupies the region from 80 to above 1000 km [10]. Since the GPS signals fall in the L-band, the ionosphere nominally introduces a delay of a few meters during the day and approximately 1 m at night. Nominally, the spatial and temporal variation in this delay is very smooth and readily managed. However, every solar cycle offers up some number of ionospheric storms, where the propagation delay is much higher and the spatial and temporal gradients are tough to manage. Indeed, Datta-Barua lists some 40 significant events in the last solar cycle [11]. Only a handful of these yielded navigation threats in the United States, but all must be evaluated in real-time in order to provide the requisite system integrity for navigation.

By 2000, the international civil aviation community had developed two distinct techniques for fault detection: receiver autonomous integrity monitoring (RAIM) and ground-based monitoring. Section II briefly describes this first generation of fault-detection techniques. Around 2020, GPS will be modernized and other satellite navigation systems will be available. Most importantly, modernized GPS and other new systems will broadcast signals at two frequencies suitable for aviation navigation. Today's GPS has only one frequency that can be used in civil aircraft. This forthcoming frequency diversity will be happily embraced because it will obviate most of the ionospheric effects described above. Modernized GPS also invites a second generation of fault-detection methods, and candidate architectures are introduced in Section III. Section IV begins our analysis of these alternatives. It reviews the target requirements and builds the basic error models. Sections V–VII analyze our candidate architectures in more depth and derive the equations needed to evaluate availability. Section VIII provides a quantitative comparison of the availability of each architecture versus constellation strength, and Section IX contains our conclusions.

SECTION II

## FIRST GENERATION INTEGRITY MONITORING

The International Civil Aviation Organization (ICAO) defines a Global Navigation Satellite System (GNSS) as “a worldwide position and time determination system that includes one or more satellite constellations, aircraft receivers, and system integrity monitoring, augmented as necessary to support the required navigation performance for the intended operation.” In 2008, two rather distinct ideas provide the real-time fault-detection capability needed by aviation to implement GNSS. RAIM is based entirely on measurement redundancy. Satellite based augmentation systems (SBASs) and ground-based augmentation systems (GBASs) rely on networks of reference receivers at known locations on the ground. We briefly describe both in this section.

RAIM requires an overspecified navigation solution. Four satellites are required to estimate the four unknown states of the aircraft—latitude, longitude, altitude, and the offset of the receiver clock relative to GPS time [12]. With five satellites, the identification of inconsistent measurements may be possible. With six satellites, it may also be possible to isolate and exclude the satellite that contains the erroneous measurement.

In a typical RAIM implementation [13], the avionics use all satellites in view to form a position and time estimate for the aircraft. The receiver projects this position estimate back onto the line-of-sight vectors to the individual satellites. The differences between the projections and the original pseudorange measurements are used to assess the likelihood of any underlying measurement fault. If only four satellites are available, these measurement residuals are all zero and no fault-detection capability is available. With five or more satellites, a large residual usually indicates the presence of a faulted satellite somewhere in the mix.

RAIM performance is critically dependent on satellite geometry. For fault detection, a minimum of five satellites in view is necessary but not necessarily sufficient. For fault isolation, six satellites are necessary but not necessarily sufficient. The subsets formed by deleting one satellite at a time must also have sufficient geometry for fault-detection capability. Thus, RAIM is admired for its autonomy—little external integrity information is required. However, our admiration is guarded because to provide good coverage, RAIM requires that the basic GNSS constellations be robust with many satellites on orbit.

Both GBAS [14], [15] and SBAS [16], [17] are differential GPS systems. They measure GPS performance with GPS receivers at known reference locations. These reference receivers compare their GPS measurements to those that should exist at their known locations. The differences are converted to corrections and error bounds that are broadcast to participating aircraft in real-time. The corrections are applied by the avionics and improve the accuracy of GPS from several meters to 1 m or better.

GBAS is a local-area differential GPS system because all reference receivers are placed on the property of the airport to be served. The GBAS corrections and error bounds are broadcast to the approaching aircraft using a line-of-sight very high-frequency transmitter that is also located on the airport property. ICAO refers to these systems as ground-based because the data link is a terrestrial radio [18].

As shown in Fig. 4, SBAS is a wide-area differential GPS system. In contrast to GBAS, SBAS reference stations span continental areas, and SBAS develops a four-dimensional correction for each satellite. One element of this 4-tuple corrects the satellite clock and the remaining three correct the satellite ephemeris (location). SBAS also sends a grid of ionospheric errors for the region spanned by the SBAS ground system. These corrections are valid across the area spanned by the reference stations, and so they are broadcast to users through a geostationary satellite with a large coverage footprint. The geostationary satellite modulates the SBAS data onto a signal resembling the GPS signal and that is in the GPS L1 band. This signal is synchronized to GPS time. Consequently, the geostationary satellite serves two purposes: it is a data link and it can augment the normal suite of GPS ranging measurements.

Even though GBAS and SBAS develop corrections to improve accuracy, their truly essential purpose is to provide the means to generate real-time error bounds. These bounds are called protection levels (PLs) and must overbound the true position error under all conditions and in real-time [19]. The avionics uses the current PL to determine whether a particular operation is safe. If the protection level is smaller than the alert limit (AL) required for a particular operation, then the pilot may fly that procedure. The alert limits associated with aircraft approach are listed in Fig. 1. As expected, they become smaller as the aircraft gets closer to the ground. If the PL were to fail to bound the error, then it would not be safe to attempt the landing as integrity would have failed. On the other hand, the PLs cannot be too conservative or the full capability of the system will not be utilized.

Compared to RAIM, GBAS and SBAS are much less sensitive to the strength of the basic GNSS constellation. After all, they derive their essential integrity information by comparing the GPS measurements to ground truth. However, they do require a network of reference receivers and a real-time broadcast to the airborne fleet. The reference network must be installed, tested, operated, and maintained. For SBAS, these networks are dense because they must sample the ionosphere at closely spaced intervals such that sharp gradients are detected with near certainty [20]. Indeed, the SBAS for the United States deploys 38 receivers across North America. Finally, both GBAS and SBAS include high-bandwidth data broadcasts to transmit their integrity information to the airborne fleet. For SBAS, the geostationary satellite must support a bandwidth of 250 bps and the ground-to-aircraft data latency must be no more than a few seconds [21].

SECTION III

## SECOND GENERATION ARCHITECTURES FOR AVIATION INTEGRITY

Up until 2005, GPS satellites broadcast the navigation signals in only the two bands shown in the top trace of Fig. 5. L1 denotes the broadcast at 1575.42 MHz and L2 denotes the broadcast at 1227.60 MHz. As shown, L1 includes a narrow-band signal and a wide-band signal. The narrow-band signal is modulated by a spread-spectrum code, called the C/A code. This code has a modest chipping rate of only 1.023 Mcps, and so the null-to-null bandwidth is 2.046 MHz. The wide-band signal is modulated by the P(Y) code, which has a chipping rate of 10.23 Mcps and so its null-to-null bandwidth is 20.46 MHz. The C/A code and signal is available to everyone and is the basis for the vast majority of today's civil applications [3], [22]. For compactness, we sometimes refer to it as the civil signal, even though the military shares the resource. The wide-band signals are primarily for military use.

Starting in 2005, new GPS satellites began to broadcast the signals shown in the second trace of Fig. 5 [23]. As shown, they will continue to send all the old signals, so existing receivers will continue to work. However, there will be new military signals at L1 and L2 and a new civil signal at L2. This new signal is certainly welcome to the civil community but has little importance to aviation because it does not fall in an Aeronautical RadioNavigation Service (ARNS) portion of the spectrum. Civil aviation organizations around the world demand that these signals be in ARNS bands such that they have institutional control over this spectrum and maintain legal protection from interference [3].

Starting around 2009, new GPS satellites will begin to broadcast the signals in a third band unfortunately called L5 [2], [3]. (L3 and L4, not shown in Fig. 5, carry non-navigation information for the military.) Fortunately, L5 is located in an ARNS band, and the aviation utility of this new signal is enormous. Future avionics will be able to virtually eliminate errors due to the ionosphere. They will leverage a very handy property: The influence of the ionosphere is different at L1 than at L5. Receivers will measure the delays at L1 and L5. Then they will compute the difference in delays and use this difference to estimate the full delay on each frequency and remove its influence on the measurement of distance to the satellite.

The integrity machines of the future will also draw great benefit from the frequency diversity provided by the new signals. The SBAS for the United States deploys 38 reference receivers to serve North America. This reference station density is driven by the need to sample and monitor the ionosphere. The integrity architecture of the future will be based on airborne calculation of the ionosphere, and thus it will only need 30 stations or so to cover the entire globe. This relief is depicted in Figs. 6–8, which show integrity architectures of the future. They are intended to show sparse monitor networks compared to the SBAS depiction in Fig. 4.

Three classes of architectures are currently under investigation as candidates for the integrity machine of the future: GNSS integrity channel (GIC), shown in Fig. 6; relative RAIM (RRAIM), shown in Fig. 7; and absolute RAIM (ARAIM), shown in Fig. 8. All three classes employ a ground monitoring network that observes the satellite signals to identify and exclude faults. However, they place very different fractions of the integrity burden on the aircraft versus the aircraft-external monitors. GIC architectures place all of the responsibility for monitoring the signal in space outside of the aircraft; they are similar to SBAS in this respect. ARAIM architectures place most of the responsibility on the avionics; they are similar to RAIM. RRAIM architectures share the integrity burden between the aircraft and the external monitors.

One form of GIC would essentially be a worldwide implementation of dual frequency SBAS. As mentioned above, the airborne receiver removes the majority of the ionospheric delay using dual frequency measurements. The aircraft-external monitors detect all satellite faults including: ephemeris errors, clock runoffs, and anomalous signals. Like SBAS today, the monitors feed confidence information to the aircraft and the data capacity could be similar to today's SBAS bandwidth of 250 bps. Alternatively, GIC could broadcast just a single user range accuracy (URA) per satellite, requiring far less bandwidth. Unfortunately, all integrity-relevant data must be broadcast every few seconds to honor the time-to-alert requirement for approach guidance. This latency requirement means that the data stream cannot be carried on the GPS satellites themselves, and a separate pipe would be needed to reach the aircraft in time. The most likely broadcast channel pipe would be geostationary transponders similar to those used for SBAS today. Additionally, the ground network that connects the monitors must also have high bandwidth and low latency. Relative to the other candidates described below, GIC demands the shortest broadcast latencies. However, it is least demanding with respect to the geometry of the basic GNSS constellation. After all, overspecified navigation solutions are not required, and residuals tests need not be executed by the avionics.

ARAIM occupies the other extreme in that it places the greatest integrity burden on the aircraft and the smallest burden on the ground monitors. It is similar to today's RAIM and uses measurement residuals to detect faults. However, it enjoys better performance than today's RAIM because the measurements are no longer affected by large ionospheric errors—these have been obviated by frequency diversity. Thus, the ARAIM residuals are subject to more sensitive tests and smaller position errors can be detected with confidence.

ARAIM is almost autonomous, but not quite. Ground monitoring must exist for all the same faults as GIC; however, the latency can be dramatically increased. The ground system will assure the a priori failure probabilities for the individual satellites and provide the associated URAs. Happily, this information need only be updated every hour or so. The time-to-alert requirement is met by the fault-detection algorithm on the aircraft, and the external monitors simply need to ensure that faulted satellites do not stay in the mix for a long time. As such, ARAIM is least demanding with respect to the bandwidth and latency of the integrity pipe to the aircraft. In fact, the ARAIM information could be carried on the GPS satellites themselves, and the cost of a geostationary transponder could be avoided altogether. This possibility is depicted in Fig. 8. However, ARAIM will be the most demanding with respect to satellite geometry. Like RAIM, it requires good geometry amongst the subsets created when deleting satellites from the all-in-view set.

RRAIM occupies the middle ground between ARAIM and GIC because it distributes the integrity burden between the aircraft and the external monitors. In the RRAIM concept, the aircraft performs positioning and punctual integrity monitoring autonomously using current satellite measurements and a prior set of measurements that have been validated by the external network. The time-to-alert requirements for the external monitors can be significantly relaxed relative to the GIC architectures because the previously validated data set that the aircraft uses can age for tens of seconds or even minutes.

The aircraft uses past carrier smoothed code measurements that have been validated by the ground monitors and projects them forward in time by adding to them the difference between current and past carrier phase measurements. These projected range measurements are used to generate position fixes in real-time. Simultaneously, the integrity of these position fixes is ensured by RRAIM, which protects against any failures that have happened after the last externally validated data set. In its most basic form, RRAIM is implemented by checking the least squares residual of the relative carrier phase position fix over the coasting time. For projection, RRAIM only uses the very precise carrier phase measurements, and so extremely tight detection thresholds can be set without incurring high false alert rates, ultimately leading to high levels of RRAIM availability.

RRAIM is strongly dependent on the aircraft-external monitors to provide the externally validated data sets used at the beginning of the coasting period. RRAIM requires that the pseudorange position solution from the recent past be valid and requires redundancy in the ranging signals from multiple satellites to cross-check that faults do not become significant in the intervening time. RRAIM uses the low noise carrier measurements rather than the noisier code phase measurement, and so its geometry requirements are relaxed relative to ARAIM. At the same time, the latency requirements are intermediate relative to GIC and ARAIM. The required data bandwidth is probably commensurate with the excess bandwidth available from the geostationary transponders used today for SBAS. However, it could likely be made compatible with message capacity that would be available from the GPS satellites of the future. The latency requirement may be difficult to fulfill through the GPS satellites unless they have crosslink data transmission capability.

We now turn our attention to a preliminary analysis of these three architectures. The common ground for these analyses is described in the next section.

SECTION IV

## REQUIREMENTS, ERROR SOURCES, AND OVERBOUNDING

As described earlier, we wish to provide vertical guidance capability for aircraft down to an altitude as low as 200 ft. One such procedure has been developed called localizer performance with vertical guidance (LPV)-200. The key requirements as specified in the Wide Area Augmentation System (WAAS) program [24] will be briefly outlined in this section. These include accuracy, integrity, time-to-alert, continuity, and availability. There are requirements on both vertical and horizontal positioning. Since the vertical positioning requirements are much more difficult to meet, this paper will focus exclusively on them.

The accuracy requirement is expressed at the ninety-fifth percentile. In the vertical positioning domain, this value must be below 4 m for each aircraft [18], [24]. As the requirement only extends out to 95%, the rare event tails of the error distributions do not impact the evaluation of this criterion. When modeling these errors as Gaussian, comparatively small biases and sigma values can be used.

Another form of accuracy requirement is known as the effective monitor threshold (EMT). The requirement is that a fault must be detected at least 50% of the time when an error is present that creates a vertical positioning error equal to the EMT. Larger errors must be detected with even greater probability. For this paper, the EMT is being evaluated as 15 m. This requirement primarily ensures that the accuracy, even in the presence of a fault, will guide the airplane to land within the desired touchdown region on the runway.

The integrity requirement states that the probability of HMI must be kept below 2 × 10^{−7} per approach [18], [24]. Note that historically this was evenly split between horizontal (localizer) and vertical (glideslope); 1 × 10^{−7} for each of two independent systems. Since horizontal and vertical guidance are not independently derived for GNSS, we have been using 1 × 10^{−7} per approach as the target requirement. The definition of HMI is any time that the actual vertical position error (VPE) is greater than the dynamically calculated upper bound [known as the vertical protection level (VPL)] without a timely alert to the pilot. Further, the VPL must be below a static vertical alert limit (VAL) to ensure that the aircraft be kept safely away from obstacles. For LPV-200, the VAL is 35 m. The requirement that VPL be below the VAL is the dominant limitation to performance.

Together, the two accuracy requirements and integrity requirement limit the distribution of VPEs. Implicit in the EMT requirement is that faults are rare events (typically occur less frequently than one in 100 000 approaches). Thus, VPE distribution is restricted at 95% (4 m), 99.999% (15 m), and 99.99999% (35 m).

Should a fault arise such that the VPE is greater than the VPL, the pilot must be alerted within the TTA. For LPV-200, the TTA requirement is 6.2 s [24]. Note that this is the requirement on the full system. In RRAIM and ARAIM, the avionics are capable of alerting the pilot well within this TTA. The latency requirement on the ground system component can thus be made longer for these architectures as the ground monitoring is no longer responsible for meeting the 6.2 s TTA on its own.

Continuity requires that the above requirements be met continuously for the duration of the approach. Given that the above requirements are met at the initiation of the approach, the probability that one of them will be exceeded must be at or below 8 × 10^{−6} per 15 second interval [18], [24].

Availability is the fraction of time that all above requirements are met. For the system to be useful, it must be available at least 99% of the time at any location where LPV-200 service is authorized [18], [24]. For scheduled service, it may need to be available for even greater percentages of time (between 99.9% and 99.999%).

All of the architectures considered for this paper rely on dual frequency ranging measurements. The L1 and L5 signals are combined in a way to eliminate the first-order ionospheric delay [25]. Unfortunately, this combination increases the impact of measurement noise and multipath. The measurement noise term for the *j*th satellite can be described as normally distributed with zero mean and variance
TeX Source
$$\sigma_{j,{\rm{DF}}\_{\rm{air}}}^{2}=\left({f_{1}^{2}\over f_{1}^{2}-f_{5}^{2}}\right)^{2}\sigma_{{\rm L1},j,{\rm air}}^{2}+\left({f_{5}^{2}\over f_{1}^{2}-f_{5}^{2}}\right)^{2}\sigma_{{\rm L5},j,{\rm air}}^{2} \eqno{\hbox{(1)}}$$ where *f*_{1} and *f*_{5} are the L1 and L5 frequencies, respectively, and σ_{L1,j,air}^{2} and σ_{L5,j, air}^{2} are the multipath and noise error variances affecting the individual measurements. This dual frequency term replaces the σ_{air} and σ_{UIRE} terms of Appendix J of the SBAS minimum operational performance standards (MOPS) [21]. The specific model for σ_{L1,j, air}^{2} may also be found in this appendix. Although the performance of L5 for noise and multipath is expected to be better than that of L1, we will assume the same airborne model for this frequency. σ_{j, DF\air}^{2} is a deterministic function of the elevation of the satellite.

A term will be broadcast to the user to overbound the errors in the satellite's clock and ephemeris. For GIC and RRAIM, this bound must protect to a fraction of the overall integrity budget as in SBAS. For ARAIM, however, the aircraft has some capability to detect absolute errors on its own, so the broadcast bound may be less stringent.

The user will also calculate the overbound for unmodeled tropospheric effects. The tropospheric model and uncertainty used in this paper are identical to those specified in Appendix A of the SBAS MOPS [21]. The error is defined to be normally distributed with variance specified by σ_{j, tropo}^{2}. This variance is also a function of the elevation of the satellite. The three error components are independent, so the variance of the *j*th line of sight for our smoothed pseudorange measurements will be described as
TeX Source
$$\sigma_{j,p}^{2}=\sigma_{j,{\rm clk}\_{\rm eph}}^{2}+\sigma_{j,{\rm{DF}}\_{\rm{air}}}^{2}+\sigma_{j,{\rm tropo}}^{2}.\eqno{\hbox{(2)}}$$

In addition to a variance term, we will include a broadcast bias term per satellite. This term is used to bound errors that may appear random, but that affect users in the same way repeatedly. Examples of such biases are antenna biases [26] or nominal signal deformations [27], [28]. These error sources affect a particular geometry identically each time it is encountered. Further, this term can be used to account for non-Gaussian behavior in the above error terms through a technique known as paired bounding [29]. Thus, a maximum bias term *b*_{j,max } is broadcast to bound the effect of these error sources.

SECTION V

## GNSS INTEGRITY CHANNEL

Conceptually, one of the simplest implementations of GIC is to extend existing SBAS service, as provided in the United States by the WAAS, to include global coverage. Currently, WAAS has 38 reference stations in the United States, Canada, and Mexico and provides LPV-200 service to much of North America [17], [30]. WAAS users only monitor the L1 GPS signal. WAAS requires its dense network to estimate and bound the ionospheric error. If WAAS and its users were upgraded to monitor both L1 and L5 signals, coverage would expand dramatically. However, there are limits to the practical extent of this architectural paradigm since the communication networks to the reference stations are already near the limit of supporting the 6-s TTA. An extended network will likely require too much time to collect the data to support the 6-s TTA.

Additionally, WAAS uses geostationary satellites to broadcast its information to its users. At least four GEOs would be required to provide near-global redundant coverage. Unfortunately, the polar regions still would not be as well covered. While a single global network could conceptually provide worldwide LPV-200 service, transmitting the information to the user in a cost-effective way that supports the required TTA is not trivial and may prohibit the practical implementation of this approach.

One alternative would be to expand each region separately. WAAS could be upgraded to dual frequency and expanded to cover North and South America; its European counterpart similarly enhanced to cover Europe and Africa; and Japanese and Indian SBASs expanded to cover Asia and Oceana. It is certainly possible that this path will develop naturally. The disadvantage is that it relies on other regions to support these goals. It is unclear that this would actually happen or under what time frame.

Another alternative is to put most of the integrity decision making capability on the satellites themselves. This would allow rapid TTA for all faults that can effectively be monitored onboard the space vehicles. Unfortunately, ephemeris errors may not be detectable under this approach. However, it is likely that ephemeris errors are sufficiently slow in developing that a ground monitoring network would have sufficient time to detect them before they became large enough to harm the user. This approach has higher uncertainty, as effective satellite monitors have not been thoroughly developed for each fault mode. There is a risk that during the detailed threat analysis, a rapidly developing fault could be identified that would be impractical for the satellite to detect. It is therefore essential to conduct this threat analysis early in the development path.

Regardless of the exact implementation, these approaches share the common feature that integrity is supplied to the aircraft as it is today for SBAS. Therefore, redundant geometry is not required and the aircraft can operate with only four satellites in view. All of these methods thus use the same VPL equation. It is the SBAS VPL equation with the addition of the explicit bias term [31]
TeX Source
$${\hbox{VPL}}_{\rm GIC} \!=\! K(P_{\rm HMI})\sqrt{\sum_{i=1}^{n}\left(S_{u,i}^{p}\sigma_{i,p}\right)^{2}} + \sum_{i=1}^{n}\left\vert S_{u,i}^{p}\right\vert b_{i,\max} \eqno{\hbox{(3)}}$$ where *S*_{u,i}^{p} is the vertical component of the projection matrix corresponding to satellite *i*, as defined in Appendix J of the SBAS MOPS [21], *K*(*P*_{HMI}) = *Q*^{−1}(1−*P*_{HMI}/2), and *Q* is the cumulative distribution function of a Gaussian random variable with zero mean and unit variance.

SECTION VI

## RRAIM ARCHITECTURE

Because the TTA can be so difficult to meet for global solutions, a novel airborne navigation integrity approach based on RRAIM [32], [33], [34] is proposed here. In this concept, the aircraft can perform positioning and punctual integrity monitoring autonomously using current satellite measurements and a prior set of measurements that have been validated by some combination of ground and satellite monitoring. No additional broadcast data beyond that provided by GIC is needed. Using the RRAIM approach, the TTA requirement for the GIC-like ground and satellite integrity systems to detect failures quickly is greatly lessened because the previously validated data set that the aircraft uses can potentially be tens of seconds, and perhaps even several minutes, old. The use of both carrier smoothed code and raw carrier phase measurements in the RRAIM architecture results in higher availability for weaker constellations than is provided by traditional absolute RAIM architectures, which are based on the use of carrier smoothed code alone.

The RRAIM architecture works as follows. The aircraft receives satellite ranging measurements (dual frequency code and carrier), along with corrections and integrity information generated by ground and/or satellite integrity monitoring. The aircraft stores past measurements for a given time duration, called the “coasting time,” back to a period when ground/satellite integrity monitor detections and notifications are guaranteed to have been received by the aircraft. The specific duration of such storage is still a variable parameter because it influences the performance requirements both for RRAIM and the ground/satellite monitors (time-to-alert, in particular) as well as the type of integrity distribution channel needed. The ground/satellite integrity monitors can follow any of the architectural examples of GIC. The external monitoring still must identify all the same faults as GIC and to comparable integrity levels. The chief advantage of RRAIM is that they now have a longer time to identify threats and alert the user.

The aircraft uses past carrier smoothed code measurements that have been validated by GIC-like ground/satellite integrity monitors and projects them forward in time by adding to them the difference between current and past carrier phase measurements. These projected range measurements are used to generate position fixes in real-time. Simultaneously, the integrity of these position fixes is ensured by RRAIM. In its most basic form, RRAIM is implemented by checking the least squares residual of the relative carrier phase position fix over the coasting time. Because only carrier phase measurements are used in the RRAIM function, tight detection thresholds can be set without incurring high false alert rates. This ultimately leads to high levels of RRAIM availability. The RRAIM detection function acts specifically to capture faults that have occurred during the coasting time (since prior faults are detected externally). More specifically, the detection function needs only to capture faults that affect the carrier phase. Code signal deformation and code-carrier divergence faults during the coasting interval are irrelevant because only carrier measurements from the coasting interval are used for positioning. It is worth noting that satellite orbit ephemeris faults can also be detected using RRAIM, but this is unlikely to be necessary since the aircraft can always use that last ephemeris validated by ground monitoring.

### A. RRAIM Navigation Algorithms

In all of the architectures, positioning is fundamentally based on the use of ionosphere-free carrier-smoothed pseudoranges. For RRAIM specifically, range corrections generated and validated by ground monitoring are also applied. To accommodate the potentially significant latency *T* introduced by the external processing and messaging, the resulting (corrected, ionosphere-free and carrier-smoothed) pseudoranges *p* are projected to the current time using punctual and past ionosphere-free carrier phase measurements φ as follows:
TeX Source
$$\mathhat{p}_{t}=p_{t-T}+\Delta\phi_{t,t-T}.\eqno{\hbox{(4)}}$$

In (4), Δφ_{t,t−T} is φ_{t}−φ_{t−T}, the difference in the ionofree combination of carrier phase measurements between time *t* and *t*−*T*, and these are expressed directly in distance rather than angular units. The projected range measurement is related to the true range *r* between the user and the satellite by
TeX Source
$$\mathhat{p}_{t}=r_{t}+\tau_{t}+\delta p_{t-T}+\delta\Delta\phi_{t,t-T} \eqno{\hbox{(5)}}$$ where τ is the receiver clock bias, δ *p*_{t−T} is the error in *p*_{t−T}, and δΔφ_{t,t−T} is the error in Δφ_{t,t−T}.

### B. RRAIM Error Models

As in the GIC architectures, the error term δ *p*_{t−T} is the sum of three sources found in (2): (a) carrier-smoothed code receiver noise and multipath, (b) residual unmodeled tropospheric error, and (c) residual error in the externally generated range correction (accounting for satellite clock and orbit errors). The standard deviation σ_{p} is a function of time *t*−*T* because the satellite elevation varies with time.

The error term δΔφ_{t,t−T} in (5) is also the sum of three sources: (d) the change in carrier phase receiver noise and multipath over time interval *T*, (e) the change in tropospheric error over the time interval, and (f) the satellite clock drift over the time interval. Error source (d) can be modeled as a zero-mean normally distributed variable with standard deviation σ_{Δ(n+mp)}. Receiver noise is well modeled as white process, so its contribution to σ_{Δ(n+mp)} is not a function of *T*. However, multipath is colored, so time-differencing results in a contribution to σ_{Δ(n+mp)} that will vary with *T* but will become constant as *T* exceeds the multipath time constant (which is typically less than 20 s for a moving aircraft). In this paper, we assume a conservative constant value of σ_{Δ(n+mp)} = 6cm for all values of *T*. Error source (e) accounts for the effect of tropospheric spatial variation experienced by a moving aircraft. This effect is modeled as a zero mean normal distribution with standard deviation σ_{Δtrop}. Based on analysis of tropospheric spatial decorrelation measurement data by van Graas [35], [36] and assuming nominal aircraft speed of 180 kt (0.092 km/s) during final approach, the standard deviation can be empirically modeled as the following function of *T* and satellite elevation *E*:
TeX Source
$$\sigma_{\Delta {\rm trop}}\!=\!\!\left[1.22{\hbox{cm}\over\hbox{km}}\!+\!0.41{\hbox{cm}\over\hbox{km}}\!\times\!{90^{\circ}-E\over 85^{\circ}}\right]\times 0.092\ \hbox{km/s}\times T.\eqno{\hbox{(6)}}$$ These values represent maximum rates that are typically not sustained for long periods of time. Consequently, upper limits are applied to σ_{Δtrop} as a function of elevation as defined in Table 1. The maximum values are reached after a few hundreds of seconds depending on the elevation angles.

The satellite clock drift error over time interval *T* can be modeled as zero-mean and normally distributed with a standard deviation of
TeX Source
$$\sigma_{\Delta {\rm clk}}=0.085{\hbox{cm}\over\hbox{s}}\times T.\eqno{\hbox{(7)}}$$ This is an empirical model that is consistent with GPS measurement data collected and processed by van Graas [35]. The three random error components of δΔφ_{t,t−T} are independent, so the variance of δΔφ_{t,t−T} is
TeX Source
$$\sigma_{\Delta\phi}^{2}=\sigma_{\Delta(n+mp)}^{2}+\sigma_{\Delta {\rm trop}}^{2}+\sigma_{\Delta {\rm clk}}^{2}.\eqno{\hbox{(8)}}$$

The error covariance matrices associated with δ *p*_{t−T} and δΔφ_{t,t−T} for *n* satellites in view are **R**_{δp} = diag(σ_{p,1}^{2},…,σ_{p,n}^{2}) and **R**_{δΔφ} = diag (σ_{Δφ,1}^{2},…,σ_{Δφ,n}^{2}), respectively. Recall that the elements within each of these diagonal matrices are different from each other because the elevations of the individual satellites will differ. In addition, the elements of the matrix **R**_{δΔφ} are functions of the coasting time *T*. The total error associated with the projected ranging measurements in (5) for *n* satellites is then described by the covariance matrix and an unknown bias vector **beta**, whose elements are bounded in magnitude by *b*_{i,max }, where *i* is the satellite index.

### C. RRAIM Positioning

The GPS observation equation for positioning with *n* satellites is
TeX Source
$$\left[\matrix{\mathhat{p}_{t,1}\cr\vdots\cr\mathhat{p}_{t,n}}\right]={\bf G}\left[\matrix{{\bf x}_{\bf t}\cr\tau_{t}}\right]+\left[\matrix{\delta\mathhat{p}_{t,1}\cr\vdots\cr\delta\mathhat{p}_{t,n}}\right]+\beta \eqno{\hbox{(9)}}$$ where
TeX Source
$${\bf G}=\left[\matrix{{\bf a}_{{\bf t},1}^{\ssr T}&-1\cr\vdots&\vdots\cr{\bf a}_{{\bf t},{\bf n}}^{\ssr T}&-1}\right]. \eqno{\hbox{(10)}}$$**a**_{t,i}^{T} is the unit line-of-sight vector from the aircraft to satellite *i*, **x**_{t} is the 3 × 1 position vector for the aircraft, and , which for *n* satellites is normally distributed with zero mean and covariance . When *n*≥ 4, the least squares solution to (9) can be obtained. In this case, the weighted pseudoinverse is
TeX Source
$${\bf S}^{\bf p}=\left({\bf G}^{T}{\bf R}_{{\mmb\delta}\mathhat{\bf p}}^{-1}{\bf G}\right)^{-1}{\bf G}^{T}{\bf R}_{{\mmb\delta}\mathhat{\bf p}}^{-1}\eqno{\hbox{(11)}}$$and the resulting state estimate error covariance matrix is
TeX Source
$${\bf R}_{\bf pos}=\left({\bf G}^{T}{\bf R}_{{\mmb\delta}\mathhat{\bf p}}^{-1}{\bf G}\right)^{-1}.\eqno{\hbox{(12)}}$$

The variance σ_{u}^{2} of the local vertical component of position estimate error can be extracted from this covariance matrix. In addition, the effect in the position domain of the bias vector **beta** is bounded by
TeX Source
$$b_{u}=\sum_{i=1}^{n}\left\vert S_{u,i}^{p}\right\vert\times b_{i,\max} \eqno{\hbox{(13)}}$$where *S*_{u,i}^{p} is the element of the projection matrix **S**^{p} that corresponds to the vertical position component and satellite *i*.

### D. RRAIM Fault Detection

GPS satellite faults that happen prior to *t*−*T* are subject to the detection functions built into the external monitoring. These functions are specifically designed to ensure that the required integrity risk (*P*_{HMI}) is achieved at the time of monitor output. Information from the external integrity monitors is received at the aircraft at time *t*−*T*. The values of the residual bias magnitude bound *b*_{i,max } and standard deviations σ_{j} are parameters that describe the distribution of these monitored ranging errors. However, punctual positioning at time *t* is needed to navigate the aircraft, so it is also necessary to ensure the integrity of the carrier phase measurement Δφ_{t,t−T}, which is used in the range projection (4). This is done using the RRAIM fault-detection algorithm, which is described below.

Under fault-free coasting (FFC) conditions, the vertical position error *e*_{u} is bounded by a VPL corresponding to the following distribution:
TeX Source
$$e_{u}\vert {\hbox{FFC}}\sim N(b_{u},\sigma_{u}).\eqno{\hbox{(14)}}$$

To model the effect of a measurement fault during coasting (FDC) on a given satellite *j*, we introduce the *n* × 1 column vector **q**_{j} whose elements are all zero except the *j*th, which has a value of one. Given a failure of magnitude *f* on satellite *j*, the vertical position error is bounded by the distribution
TeX Source
$$e_{u}\vert {\hbox{FDC}}\sim N(b_{u}+f_{u},\sigma_{u}) \eqno{\hbox{(15)}}$$where
TeX Source
$$f_{u}={\bf S}_{{\bf u},{\bf :}}^{\bf p}{\bf q}_{\bf j}f.\eqno{\hbox{(16)}}$$

In the RRAIM architecture, detection of such failures is performed using only the time differenced carrier phase measurements Δφ_{t,t−T}. For *n* satellites, these measurements are related to the time differenced change in position **Δ****x**_{t,t−T} and clock Δτ_{t,t−T} by
TeX Source
$$\displaylines{\left[\matrix{\Delta\phi_{t,t-T,1}\cr\vdots\cr\Delta\phi_{t,t-T,n}}\right]-{\mmb\Delta}{\bf G}\left[\matrix{{\hskip 5pt}\mathhat{{\hskip -5pt}\bf x}_{t-T}\cr\mathhat{\tau}_{t-T}}\right]={\bf G}\left[\matrix{{\mmb\Delta}{\bf x}_{t,t-T}\cr\Delta\tau_{t,t-T}}\right]\hfill\cr\hfill+\left[\matrix{\delta\Delta\phi_{t,t-T,1}\cr\vdots\cr\delta\Delta\phi_{t,t-T,n}}\right]+{\mmb\Delta}{\bf G}\left[\matrix{{\mmb\delta}{\hskip 5pt}\mathhat{{\hskip -5pt}\bf x}_{t-T}\cr\delta\mathhat{\tau}_{t-T}}\right] \quad\hbox{(17)}}$$where **Δ** **G** is the change in the observation matrix **G** due to satellite line-of-sight motion between *t* and *t*−*T*; and are the estimates the position and receiver clock states at *t*−*T*; and and are the unknown errors in these estimates. The last two terms on the right-hand side of (17) are zero-mean normally distributed errors with covariance matrix
TeX Source
$${\bf R}_{\bf d}={\bf R}_{\mmb{\delta}\Delta\phi}+\Delta{\bf G}\left({\bf G}^{T}{\bf R}_{{\mmb\delta}{\bf p}}^{-1}{\bf G}\right)^{-1}\Delta{\bf G}^{T}.\eqno{\hbox{(18)}}$$The weighted pseudoinverse of **G** associated with (17) and (18) is
TeX Source
$${\bf S}^{\bf d}=\left({\bf G}^{T}{\bf R}_{\bf d}^{-1}{\bf G}\right)^{-1}{\bf G}^{T}{\bf R}_{\bf d}^{-1}.\eqno{\hbox{(19)}}$$

Defining for simplicity of notation Δ Φ = [Δφ_{t,t−T,1} ⋅⋅⋅ , the weighted least squares residual vector is
TeX Source
$${\mmb\delta}{\bf r}=({\bf I}-{\bf GS}^{\bf d}){\Delta\Phi}.\eqno{\hbox{(20)}}$$

It is shown in [37] that under fault-free conditions (i.e., FFC for the RRAIM architecture)
TeX Source
$$z={\mmb\delta}{\bf r}^{T}{\bf R}_{\bf d}^{-1}{\mmb \delta}{\bf r}={\Delta\Phi}^{T}{\bf R}_{\bf d}^{-1}({\bf I}-{\bf GS}^{\bf d}){\Delta\Phi}\eqno{\hbox{(21)}}$$is χ^{2} distributed with *n* − 4 degrees of freedom.

A fault-detection threshold *D* on test statistic *z* is then defined to ensure a fault-free alert probability that complies with the continuity risk requirement (4 × 10^{−6}/15 s, which is one-half of the total requirement for LPV-200). When a fault occurs during coasting (i.e., FDC), the fault vector **q**_{j} *f* is present in the time differenced measurement ΔΦ, and in this case *z* is *noncentrally* χ^{2} distributed with *n* − 4 degrees of freedom and noncentrality parameter λ_{d,j} *f*^{2}
TeX Source
$$z\sim\chi^{2}(n-4,\lambda_{d,j}f^{2})\eqno{\hbox{(22)}}$$where λ_{d,j} = **q**_{j}^{T}**R**_{d}^{−1}(**I**−**GS**^{d})**q**_{j}.

### E. Vertical Protection Levels

The VPL for the RRAIM architecture is defined as the bound on undetected vertical position error (*e*_{u}) that is consistent with the maximum allowable integrity risk *P*_{HMI} = 10^{−7}. Mathematically, this definition may be expressed as follows:
TeX Source
$$P\left\{\left(\vert e_{u}\vert>VPL\right)\cap(z\ <\ D)\right\}=P_{\rm HMI}.\eqno{\hbox{(23)}}$$Under the two mutually exclusive and exhaustive events FFC and FDC, (23) may be expanded as
TeX Source
$$\displaylines{P\left\{\left(\vert e_{u}\vert>{\hbox{VPL}}\right)\cap(z\ <\ D)\vert {\hbox{FFC}}\right\}P_{\rm FFC}\hfill\cr\hfill+\,P\left\{\left(\vert e_{u}\vert>{\hbox{VPL}}\right)\cap(z \ <\ D)\vert {\hbox{FDC}}\right\}P_{\rm FDC}=P_{\rm HMI}.\quad\hbox{(24)}}$$The random parts of *e*_{u} and *z* are independent, so
TeX Source
$$\displaylines{P\left\{\left(\vert e_{u}\vert>{\hbox{VPL}}\vert {\hbox{FFC}}\right)\right\}P\left\{(z\ <\ D\vert {\hbox{FFC}})\right\}P_{\rm FFC}\hfill\cr\hfil +\ P\left\{\left(\vert e_{u}\vert\ >\ {\hbox{VPL}}\vert {\hbox{FDC}}\right)\right\}P\left\{(z\ <\ D\vert {\hbox{FDC}})\right\}P_{\rm FDC}=P_{\rm HMI}.\cr\hfill\hbox{(25)}}$$The probability of satellite failure is assumed to be 10^{−5}/satellite/h, so
TeX Source
$$P_{\rm FDC}=(10^{-5}/{\hbox{h}})\times n\times T.\eqno{\hbox{(26)}}$$Therefore, for coasting times (*T*) less than one hour, we can conservatively assume that
TeX Source
$$\eqalignno{P\left\{(z\ <\ D\vert {\hbox{FFC}})\right\}P_{\rm FFC}=&\,(1-240\times 4\times {\hbox{ 10}}^{-6})\cr&\times(1-n\times 10^{-5})\cr\approx&\,1.&\hbox{(27)}}$$Therefore (25) can be simplified as
TeX Source
$$\displaylines{P\left\{\left(\vert e_{u}\vert>{\hbox{VPL}}\vert {\hbox{FFC}}\right)\right\}+P\left\{\left(\vert e_{u}\vert>{\hbox{VPL}}\vert {\hbox{FDC}}\right)\right\}\hfill\cr\hfill \times\; P\left\{(z\ <\ D\vert {\hbox{FDC}})\right\}P_{\rm FDC}=P_{\rm HMI}.\quad\hbox{(28)}}$$

Because the distributions for all the probabilities in (28) are known, in principle it is possible to iteratively solve for VPL. However, another more practical option is to budget the total integrity risk *P*_{HMI} between the two terms in (28)
TeX Source
$$P\left\{\left(\vert e_{u}\vert>{\hbox{VPL}}_{\rm FFC}\vert \hbox{FFC}\right)\right\}=\alpha P_{\rm HMI}\eqno{\hbox{(29)}}$$and
TeX Source
$$\displaylines{P\left\{\left(\vert e_{u}\vert>{\hbox{VPL}}_{\rm FDC}\vert {\hbox{FDC}}\right)\right\}P\left\{(z\ <\ D\vert {\hbox{FDC}})\right\}P_{\rm FDC}\hfill\cr\hfill=(1-\alpha)P_{\rm HMI}.\quad\hbox{(30)}}$$

For equal division of integrity risk between the two events, α = 0.5. However, it is also possible to select α to maximize system availability by choosing α < 0.5, thereby allocating more of the allowable integrity risk to the faulted (FDC) case.

Therefore, using (29) and (14), the vertical protection level under the hypothesis of fault-free coasting is
TeX Source
$${\hbox{VPL}}_{\rm FFC}=K(\alpha P_{\rm HMI})\sigma_{u}+b_{u} \eqno{\hbox{(31)}}$$where the function *K* is defined as in (3). Note that VPL_{FFC} differs from VPL_{GIC} only by the parameter α and the fact that σ_{u} accounts for the increased position error due to carrier phase coasting over time interval *T*.

The vertical protection level under the hypothesis of fault during coasting can be obtained using (30) and (26), which define the prior probability of a fault during coasting; and (15), (16), and (22), which describe the effect of a fault of magnitude *f* on satellite *j* on the position error and the test statistic. To explicitly define VPL_{FDC}, we consider an arbitrary satellite *j* and find the failure magnitude for that satellite *f*_{HMI,j} such that
TeX Source
$${\rm X}^{2}\left(n-4,\lambda_{d,j}f_{{\rm HMI},j}^{2},D\right)=(1-\alpha)P_{\rm HMI} \eqno{\hbox{(32)}}$$where X^{2} is the noncentral χ^{2} cumulative distribution function evaluated at the threshold *D*. The arguments *n*−4 and λ_{d,j} *f*_{HMI,j}^{2} are the degrees of freedom and the noncentrality parameter, respectively. The vertical protection level for such a failure on satellite *j* is then
TeX Source
$$\displaylines{{\hbox{VPL}}_{{\rm FDC},j}=b_{u}+{\bf S}_{{\bf u},:}^{\bf p}{\bf q}_{\bf j}f_{{\rm HMI},j}\hfill\cr\hfill+\ K\left((1-\alpha)P_{\rm HMI}/P_{\rm FDC}\right)\times\sigma_{u}\quad\hbox{(33)}}$$where *P*_{FDC} is a function of the coasting interval as defined in (26). Assuming the failure occurs on the worst case satellite, the protection level is
TeX Source
$${\hbox{VPL}}_{\rm FDC}=\max_{1\leq j\leq n}({\hbox{VPL}}_{{\rm FDC},j}).\eqno{\hbox{(34)}}$$The final VPL for the RRAIM architecture is then bounded by
TeX Source
$${\hbox{VPL}}_{\rm RRAIM}=\max({\hbox{VPL}}_{\rm FFC},{\hbox{VPL}}_{\rm FDC}).\eqno{\hbox{(35)}}$$

Of the architectures considered in this paper, ARAIM has the least demanding ground monitoring TTA requirement. Faults would first be detected on the aircraft. The role of ground/space monitoring would be to isolate and prevent multiple failures (SVs flagged as bad by ground/space would not be used by ARAIM). However, ground/space monitoring is still essential to maintain the a priori failure rate used by ARAIM. It is important to note that what is called a failure for vertically guided approach is substantially more stringent than what is called a failure for today's RAIM schemes that provide only LNAV approach. Here, a failure is against a URA value of order 0.75 m. Clearly, any fault that creates a five sigma or greater error ( > 3.75 m) can create HMI. However, so can smaller faults if they occur with greater frequency than predicted by Gaussian statistics. Thus, too many satellites with 2 m faults can also create HMI. Today a fault must reach many tens of meters to threaten an LNAV approach. The failure a priori rate, detection, and removal by the GPS operational control segment (OCS) is well established against threats of this magnitude. Unfortunately, we have much less experience with the performance of the constellation with regard to meter level threats. A new layer of monitoring against these smaller threats needs to be implemented in order to support vertically guided approaches.

Ideally, integrity monitoring functionality would be integrated into a future upgrade of the OCS. At a minimum, the provision of integrity could be colocated with the monitoring, control, and provision of accuracy functionality and share the same monitoring stations. This would allow an efficient use of resources and a direct tap into the satellites to broadcast the integrity parameters. However, GPS serves many communities, most of whom are interested in high accuracy and availability rather than high integrity. It may be desirable to keep some separation of these functionalities.

Due to the much longer allowable TTA for ground/space monitoring, one hour or longer, the bandwidth requirements are lower than in the other architectures. For this reason, the integrity information can easily be sent through the GPS satellites. An hour easily supports having the messages wait in a long queue before being broadcast under the planned L5 navigation stream. Of course, messages should be repeated without update more frequently to enable rapid initialization.

### A. Algorithm-VPL Equations

The algorithm used to evaluate the absolute RAIM option is a multiple hypothesis solution separation (MHSS) algorithm modified to optimize the vertical protection level while meeting the *P*_{HMI} requirement. A full description of the algorithm can be found in [38]. MITRE has developed a similar ARAIM implementation [39]. Through mutual collaboration, these implementations have been used for cross-validation and are deliberately kept as similar as possible.

The MHSS algorithm considers both faulted and unfaulted modes (satellite errors) and computes a VPL for each mode. Each mode is assigned a portion of the total integrity budget (such that the sum matches the total). The final user VPL is then the maximum over the VPLs for each mode. The VPL for a mode is given by
TeX Source
$$\displaylines{^{(j)}{\hbox{VPL}}_{\rm ARAIM}=K\left({^{(j)}P_{\rm alloc}\over P_{\rm apriori}}\right)\times{^{(j)}\sigma_{U}}\hfill\cr\hfill+\sum_{i=1}^{n}\left\vert{^{(j)}S_{U,i}^{p}}\right\vert\times b_{i,\max}+{^{(j)}SS({\mmb\varepsilon})}.\quad\hbox{(36)}}$$The ARAIM VPL is given by
TeX Source
$${\hbox{VPL}}_{\rm ARAIM}=\max_{j=0,N}\left[{^{(j)}{\hbox{VPL}}_{\rm ARAIM}}\right] \eqno{\hbox{(37)}}$$where (*j*) denotes the mode: (0) for all-in-view, (1) for first SV removed, etc. *K*(*P*) computes the tail distance for an inverse two-sided cumulative distribution function (cdf) of a normal distribution. σ_{U} and *S*_{U,i} are calculated from geometry (**G**) and weighting (**W** = **R**_{δp}^{−1}) matrices corresponding to the overbound of the error
TeX Source
$$\eqalignno{^{(j)}\sigma_{U}=&\,\sqrt{\left({^{(j)}{\bf G}^{\rm T}}\cdot{^{(j)}{\bf W}}\cdot{^{(j)}{\bf G}}\right)_{3,3}^{-1}}\cr^{(j)}{\bf S}^{p}=&\,\left({^{(j)}{\bf G}^{\rm T}}\cdot{^{(j)}{\bf W}}\cdot{^{(j)}{\bf G}}\right)^{-1}\cdot{^{(j)}{\bf G}^{\rm T}}\cdot{^{(j)}{\bf W}}.&\hbox{(38)}}$$*b*_{i,max } bounds the bias term and *SS*(ε) is the solution separation term as a function of the errors (ε).

The integrity allocation is taken out of the total budget. First, we subtract the probability of the higher order modes which are not evaluated and the constellation fault probability (*P*_{Const}) from the HMI budget (*P*_{HMI} = 10^{−7} approach). We are left with
TeX Source
$$P_{\rm alloc}^{\rm total}=P_{\rm HMI}-P_{\rm Const}.\eqno{\hbox{(39)}}$$

The last term is set to 1.3 × 10^{−8}/approach to account for multiple independent satellite failures and failure of the constellation as a whole. We give each mode an integrity suballocation ^{(j)} *P*_{alloc} such that
TeX Source
$$\sum_{j=0}^{n}{^{(j)}P_{\rm alloc}}=P_{\rm alloc}^{\rm total}.\eqno{\hbox{(40)}}$$*P*_{a priori} is the a priori probability of the fault, here set to 10^{−5}. For *j* > 0 this is the a priori probability of a satellite failure. For *j* = 0, the a priori probability is approximated by one.

An upper bound for the solution separation term can be estimated for prediction and is related to the continuity allocation of *P*_{cont} = 4 × 10^{−6} (half of the total allocation), which is split equally between all *n* fault modes. The vertical solution separation term of the *j*th mode is equal to
TeX Source
$$^{(j)}SS({\mmb\varepsilon})=\left\vert\left({^{(j)}{\bf S}^{p}}\cdot{\mmb\varepsilon}-{^{(0)}{\bf S}^{p}}\cdot{\mmb\varepsilon}\right)_{3}\right\vert.\eqno{\hbox{(41)}}$$The expected variance of this separation is conservatively represented by
TeX Source
$$\left[\left({^{(j)}{\bf S}^{p}}-{^{(0)}{\bf S}^{p}}\right)\cdot{\bf R}_{\rm nom}\cdot\left({^{(j)}{\bf S}^{p}}-{^{(0)}{\bf S}^{p}}\right)^{\rm T}\right]_{3,3}.\eqno{\hbox{(42)}}$$The nominal bias is given by
TeX Source
$$B_{\rm nom}=\sum_{i=1}^{n}\left\vert\left({^{(j)}S_{U,i}^{p}}-{^{(0)}S_{U,i}^{p}}\right)\right\vert\times b_{i,{\rm nom}} \eqno{\hbox{(43)}}$$where the nominal bias is taken to be smaller than the overbounding term used for integrity. Here we set *b*_{nom} to 10 cm. A column of zeros corresponding to the one missing satellite is added to ^{(j)}**S**^{p} to make it the same size as ^{(0)}**S**^{p}. **R**_{nom} is the nominal covariance matrix of the measurement errors. For prediction, the SS term can then be written as
TeX Source
$$\eqalignno{^{(j)}SS=&\,K\left({P_{\rm cont}\over n}\right)\cr&\ast\sqrt{\left[\left({^{(j)}{\bf S}^{p}}\!-\!{^{(0)}{\bf S}^{p}}\right)\cdot{\bf R}_{\rm nom}\cdot\left({^{(j)}{\bf S}^{p}}\!-\!{^{(0)}{\bf S}^{p}}\right)^{\rm T}\right]_{3,3}}\cr&+B_{\rm nom}.&\hbox{(44)}}$$For the purpose of this paper, half of the continuity budget is allocated to the VPL (*P*_{cont} = 4 × 10^{−6}). The integrity allocation is optimized to minimize the predicted VPL. This is done by determining the allocation such that all the terms ^{(j)}VPL_{ARAIM} are equal [38].

The performance of the algorithms was evaluated by using a set of MATLAB scripts (including scripts from the publicly available Matlab Algorithm Availability Simulation Tools (MAAST) [40]) to compute the predicted VPLs (3), (35), and (37) for the set of users distributed over the world during one day. Table 2 shows our results.

Availability is calculated as the fraction of time that the requirements are met. Users are placed on a 5° by 5° grid around the world from −70 to 70° (2088 locations). Geometries are evaluated every minute for a full 24-h period (1440 epochs). Coverage is calculated as the fraction of the users that meet a 99.5% availability goal. The 99.5% availability goal was chosen as a trade between simulation time and expected fidelity of the models. Accurately determining higher availabilities often requires modeling additional effects beyond geometry and requires longer simulation runs. To account for the fact that grid spacing becomes closer at larger latitudes, each user grid contribution to coverage is weighted by the cosine of the latitude. Table 2 gives the fraction of the globe between −70° and 70°, where users would enjoy 99.5% availability of vertical guidance. The availability calculations are based on specific satellite constellations in combination with assumed numerical models for the error bounds.

Several satellite configurations are considered, and Table 2 contains coverage results for three different six-plane GPS constellations optimized for 24 [41], 27, and 30 satellites [42]. It includes the cases with all satellites available and the cases where one of the most important satellites has been removed. The latter cases are to investigate the vulnerability of the performance of each architecture to satellite outages.

In general, the clock/ephemeris and maximum bias values will be functions of the ground networks and algorithms. For this analysis, a simpler estimate of performance is obtained by using constant values that are close to the expected values for well-observed regions. For this analysis, we will assume the following values:
TeX Source
$$\sigma_{j,{\rm clk}\_{\rm eph}}=0.75\ {\hbox{m}},\quad b_{j,\max}=1.125\ {\hbox{m}}.\eqno{\hbox{(45)}}$$These values are based on performance of the satellites best observed by WAAS today and possible contributions of nominal deformations and antenna biases [26], [27], [31].

For each time and location, the VPL, EMT, and accuracy are computed following the algorithms specified above. However, Table 2 only contains results of the VPL check as the accuracy models have not yet been fully verified. For the RRAIM architecture, a coasting time of *T* = 60 s was assumed.

As shown in Table 2, performance for the GIC is very good for all constellations considered. The 24-satellite constellation is near the lower limit for performance, however, as even a single satellite outage can cause large regions to suffer some outage periods. Notice also that the 27-satellite constellation also has some vulnerability, although the availability outages only affect a very small subset of users. It is interesting to note that the 26-satellite constellation arranged suboptimally performs worse than the optimal 24-satellite constellation despite having two more satellites. This holds true for the other two architectures as well. It is not simply a matter of the number of healthy satellites in the constellation; their orbital location in relation to one another is also very important. A single outage can create a gap in coverage.

As expected, ARAIM is more sensitive to the constellation quality. It does not achieve high values for the current 24 satellite optimized constellation. It requires a constellation optimized for 27 or 30 to obtain good performance. RRAIM is much closer to the GIC performance. The additional fault screening causes a small loss in coverage but overall performs well for all three constellations. Like ARAIM, it strongly benefits from having a stronger constellation.

An advantage of ARAIM is that because the aircraft can perform its own absolute integrity validation, the broadcast bounds from the ground/space segment only need to be valid to a less stringent *P*_{HMI} level. Rather than the ground/space segment achieving 10^{−7} per approach on its own, the combination of the two can achieve this level. Thus, the requirement on the ground/space side can be relaxed to 10^{−5} per approach, for instance. The corresponding overbound broadcast to the user can therefore be smaller. Perhaps it can be significantly smaller, as the truly rare event faults will be initially detected by the aircraft. To model this reduction, the bias and variance values used in simulation for ARAIM are the values in (45) divided by 1.5.

This paper describes an interesting and important tradeoff. On one extreme, the GIC places the integrity burden on the monitors external to the aircraft. These monitors may be located on the ground, like today's SBAS, or some of these integrity monitors could be located on the GNSS satellites themselves. In either event, the monitors are responsible for detecting clock runoffs, ephemeris errors in the navigation message, and signal distortions due to faults in the satellite modulation or radio-frequency chain. With GIC, the airborne receiver assumes that the received signal-in-space is free of these potential difficulties. As shown in Table 2, GIC provides high coverage and availability even when the underlying GNSS constellation is quite weak. On the other hand, it must include a data broadcast and monitor system that can send alerts to the aircraft within 6.2 s or less.

On the other extreme, ARAIM places almost the entire integrity burden on the aircraft. GNSS measurement redundancy is used to detect the clock runoffs, ephemeris failures, and signal distortions. The external monitors simply ensure that bad satellites are removed from the GNSS constellation within one or two hours. They may also communicate more conservative a priori failure probabilities for satellites that are brand new or late in life. Since ARAIM is based on measurement redundancy, it requires a very strong GNSS constellation. Indeed, Table 2 shows that 30 satellites are required for 100% coverage. On the other hand, the integrity data broadcast need not be fast. Data latencies can be on the order of one hour. This enables the possible use of the GNSS satellites themselves for the integrity broadcast.

In the middle, we find RRAIM. Like ARAIM, measurement redundancy is used, but now measurement residuals are based on the change in position using carrier phase measurement differences. This shifts fault detection away from absolute range to the change in range. Fast faults can be detected in the aircraft, and the external monitors are only responsible for slow faults. This may be the most elegant operating point in the trade space. The precision of carrier phase measurements is used to relax the requirements on the GNSS constellation. Table 2 shows 100% coverage with 27 satellites. Further, the integrity broadcast can tolerate latencies of minutes, as opposed to seconds for GIC or hours for ARAIM.

These three alternatives span an extremely important trade space—GNSS constellation strength versus integrity data latency. All told, the GIC can serve well for regional systems—today's SBAS are single frequency GICs that serve the continental United States, Europe, and Japan. However, a worldwide GIC is considerably more challenging based on the data latencies that would have to be enforced on a worldwide system. Moreover, such a system would not efficiently leverage the carrier phase measurements, which will become particularly powerful in the upcoming dual frequency environment.

We feel that the next generation of GNSS-based avionics will provide vertical guidance to all airports worldwide without requiring any navigation equipment to be located at or near the airport. The avionics should include RRAIM and ARAIM. In the short term, RRAIM would be implemented based on the excess message capacity in today's SBAS geostationary satellites. In other words, new message types could be defined and multiplexed into today's SBAS data stream. ARAIM would come online as the underlying GNSS constellations grew in size. It would provide vertical guidance as the GPS constellation grew to more than 30 satellites. Alternatively, it would await the completion and validation of the new GNSS constellations from Europe, Russia, or China. If these constellations prove themselves, then the SBAS satellites could eventually be retired. If not, the SBAS satellites would continue to pipe the integrity data. In either event, dual frequency signals and a new integrity augmentation will enable vertical guidance and the associated step forward in aviation safety.

### Acknowledgment

The work in this paper is based on that of the GNSS Evolutionary Architecture Study. The authors gratefully acknowledge this dedicated team that includes the Federal Aviation Administration, Ohio University, MITRE, Zeta, and GREI.