An integrated fault detection and exclusion scheme to support aviation navigation

The safety critical aviation has stringent requirements on navigation systems. To quantitatively analyze their performance, the International Civil Aviation Organization (ICAO) has defined specific metrics for different navigation methods [1]. Among these metrics, integrity directly relates to operation safety: it measures the trust that can be placed in the correctness of the information supplied by the navigation system. Loss of integrity (LOI) in aviation navigation can result in catastrophic consequences; so, integrity requirement is of the greatest significance during any phase of aircraft flight. In addition to integrity, navigation continuity is another crucial metric: it measures the capability of the system to perform its function without unscheduled interruptions during the intended operation. For the cases where alternative navigation tools are not available, loss of continuity (LOC) can lead the aircraft to be left without means of navigation, which is another severe threat to safety.

After decades of worldwide development, global navigation satellite systems (GNSS) have become the first choice to solve many navigation problems today. This is especially the case in aviation community, because the legacy air navigation capability is limiting the air traffic growth [2]. Given the imperious demand for new technology in aviation, and given its historically consistent and reliable performance, GNSS is expected to significantly improve aviation navigation performance. However, GNSS measurements are vulnerable to faults, including satellite and constellation failures [3], which can potentially lead to major integrity threats to the users. GNSS service can also be interrupted by many sources including false and/or true fault detection (FD), satellite outages, etc. [4, 5, 6]. Such interruptions can significantly impact navigation continuity.

To resolve these issues, a number of research efforts have been put into developing GNSS augmentation techniques, and the outcomes have been serving aviation [7, 8, 9]. In a typical augmentation system, two fundamental capabilities must be enabled: real-time FD test and integrity risk (IR) evaluation. Among those systems, receiver autonomous integrity monitoring (RAIM) has become operational in the mid-1990s as a backup navigation tool to support aircraft en route flight using GPS only [10, 11]. The principle of RAIM is exploiting redundant measurements to achieve self-contained FD at the user receiver [12]. However, due to the limited satellite redundancy from a single constellation, RAIM is only able to provide limited availability, and can only support operations with less stringent navigation requirements.

Future multi-constellation GNSS has been foreseen to provide dramatically increased measurement redundancy. Four constellations including GPS (U.S.), GLONASS (Russia), Galileo (E.U.) and BDS (China) are expected to finish their modernizations and/or full deployments in the near term [13], which will provide many more satellites in view than we have available today using GPS alone. In addition, nominal measurement errors will be significantly reduced using dual-frequency signals, which will remove the largest error source—ionospheric delay. These revolutionary developments in GNSS, together with important advancements in the RAIM concept will open the possibility to independently support aircraft navigation using GNSS, from en route flight towards final approach to landing, with minimal investment in ground infrastructure. Therefore, considerable effort has been expanded, especially in the U.S. and the E.U., to develop ARAIM fault detection and exclusion (FDE) methods to ensure high navigation integrity and continuity [14, 15, 16].

With multiple GNSS constellations available for future ARAIM, the impact of having a large number of available measurements on navigation performance is not entirely obvious. From the integrity perspective, we can naturally expect that increased measurement redundancy will enhance FD capability, and thereby reduce the conditional integrity risk under any given fault hypothesis. But adding satellites also adds more potential fault modes into the navigation function; so, there is a chance that the accumulation of monitored fault modes increases the total (i.e., unconditioned) integrity risk. This is especially concerning given that new emerging constellations may not provide the same (low) levels of nominal ranging error and prior fault probabilities as GPS, especially in the early phases of their deployments. From the continuity perspective, because any reasonable FD algorithm will detect most faults, we can, therefore, also expect the number of detected faults to be larger in multi-constellation systems. This is not a problem for navigation integrity, because the faults are detected, but unless the faults are subsequently identified and excluded, their detection will cause an interruption in the continuity of the navigation operation. Thus, the accumulated likelihood of satellite and constellation faults with multiple constellations could dramatically increase ARAIM continuity risk.

The current ARAIM research activities are led by a joint Working Group (WG) of the U.S. and E.U., i.e., WG-C, and they have been focusing on the dual-constellation scenario using GPS and Galileo [16]. Because ARAIM will operate as a main navigation means, it must provide a higher continuity performance level as compared to traditional RAIM. To reduce the continuity risk caused by FD events, fault exclusion (FE) function needs to be implemented for ARAIM [17, 18, 19]. Therefore, designing a feasible FE scheme to autonomously identify and exclude the faulty space vehicle (SV) is a key research aspect of ARAIM. However, the currently proposed FE methods are all based on the tradeoff between continuity and integrity, which can only improve continuity by a limited amount while degrading the integrity monitoring capability [17]. In addition, those existing FE algorithms require exhaustive searching processes followed by a second layer detection test, which results in significantly high computational load. This is especially the case when more than two constellations are employed, because the number of monitored SV subsets can increase exponentially [20].

In response, this paper proposes an efficient FDE scheme that integrates two separate functions. Even though the new scheme is established here based on ARAIM, it can also be extended to other applications such as ground-based augmentation system (GBAS), satellite-based augmentation system (SBAS) or multi-sensor integrated navigation systems. The principle of this approach is utilizing the relative magnitudes of the parity vector projections to extract the fault information, thereby determining the final exclusion option. Because the projection matrices of each fault mode can be captured in the FD step, the searching step for exclusion candidates and the second layer detection tests are waived. Moreover, using the maximum projection, the exclusion option can always be made after an alert is triggered, so continuity is fully preserved. This is different from implementing a separate FE function, whose resulting continuity risk depends on the threshold setting [17]. The most challenging part of this work is quantifying the IR associated with the proposed scheme. At this early stage, we will focus on single SV fault mode only, and will rigorously account for the false exclusion probabilities in the quantification. The feasibility of the algorithm is verified and validated using Monte-Carlo simulations, and the performance is analyzed by evaluating the IR.

The paper is organized as follows. Section 2 provides the fundamental knowledge of ARAIM FD, and introduces the parity space concept. Then, the new FDE scheme is developed in Sect. 3, where the FDE zones are visually presented in parity space. In addition, a comparison between the new approach and the state-of-the-art FE algorithms is made, and the limitations of the current algorithms are addressed. Section 4 develops the IR evaluation methodology associated with the new scheme, in which the derivations are specified step by step. Later in Sect. 5, multiple analyses on FDE capabilities are carried out to demonstrate the performance of the proposed method. Finally, Sect. 6 concludes this paper.

The current ARAIM architecture was proposed by WG-C, and it had been evolving over time. In comparison with RAIM, the most innovative designs of ARAIM are (a) employing the integrity support message (ISM) to provide assertions on the constellation performance [21], and (b) creating a new user algorithm to accommodate the dramatically increased measurement redundancy using multiple GNSS constellations. As the most important outcome of WG-C, the ARAIM baseline multiple hypothesis solution separation (MHSS) user algorithm has been well defined and been widely recognized [15]. This section will take advantage of much of the relevant prior work, and provide detailed and comprehensive derivations of the MHSS, from the fundamental GNSS measurement equation to the final upper bound on IR and false alert (FA). Moreover, the definition of parity space is described, the relationship between the parity vector and solution separation (SS) test statistics is established, and a simple measurement model is employed to visualize the FD process in parity space.

2.3 SS test statistics in parity space

The parity space representation is the most illustrative expression of the detection process using measurement redundancy. It had been introduced for residual-based (RB) RAIM in [3, 12]. To get the parity vector, Eq. (1) is first normalized by pre-multiplying \( {\mathbf{V}}^{{ - \frac{1}{2}}} \). Then, the normalized measurement vector, observation matrix, noise vector and fault vector, respectively, become: \( {\mathbf{z}}^{ *} = {\mathbf{V}}^{{ - \frac{1}{2}}} {\mathbf{z}} \), \( {\mathbf{H}}^{ *} = {\mathbf{V}}^{{ - \frac{1}{2}}} {\mathbf{H}} \), \( {\mathbf{v}}^{ *} = {\mathbf{V}}^{{ - \frac{1}{2}}} {\mathbf{v}} \) and \( {\mathbf{f}}^{ *} = {\mathbf{V}}^{{ - \frac{1}{2}}} {\mathbf{f}} \). The \( \left( {n - m} \right) \times n \) parity matrix Q is obtained by taking the singular value decomposition (SVD) of \( {\mathbf{H}}^{ *} \) [23]. Let the following equation to be the SVD result:

$$ {\mathbf{H}}_{n \times m}^{ * } = {\mathbf{U}}_{n \times n} \left[ {\begin{array}{*{20}l} {{\mathbf{S}}_{m \times m} } \hfill \\ {{\mathbf{0}}_{(n - m) \times m} } \hfill \\ \end{array} } \right]{\mathbf{V}}_{m \times m}^{\text{T}} ,\quad {\text{where}}\quad {\mathbf{U}}_{n \times n} = \left[ {\begin{array}{*{20}l} {{\mathbf{U}}_{1,n \times m} } \hfill & {{\mathbf{U}}_{2,n \times (n - m)} } \hfill \\ \end{array} } \right]. $$

(7)

Defining \( {\mathbf{U}}_{2}^{\text{T}} \) as the parity matrix \( {\mathbf{Q}} \), then the \( \left( {n - m} \right) \times 1 \) parity vector \( {\mathbf{p}} \) is []:

$$ {\mathbf{p}} = {\mathbf{Qz}}^{ * } = {\mathbf{Q}}({\mathbf{v}}^{ * } + {\mathbf{f}}^{ * } ). $$

(8)

Moreover, [12] has proved the following relationships:

$$ {\mathbf{QH}}^{ * } = {\mathbf{0}}_{(n - m) \times m} ,\quad {\mathbf{QQ}}^{\text{T}} = {\mathbf{I}}_{(n - m)} \quad {\text{and}}\quad {\mathbf{Q}}^{\text{T}} {\mathbf{Q}} = {\mathbf{I}}_{n} - {\mathbf{H}}^{ * } {\mathbf{S}}_{0}^{ * } , $$

(9)

where \( {\mathbf{S}}_{0}^{*} {\mathbf{V}}^{{ - \frac{1}{2}}} = {\mathbf{S}}_{0} \), and \( {\mathbf{I}}_{n} \) is a \( n \times n \) identical matrix.Given that \( \Delta_{i} = {\varvec{\upalpha}}_{r} \left( {{\mathbf{S}}_{i}^{*} {\mathbf{H}}^{*} {\mathbf{S}}_{0}^{*} - {\mathbf{S}}_{i}^{*} } \right){\mathbf{z}}^{*} \) and \( {\mathbf{S}}_{0}^{*} = {\mathbf{S}}_{i}^{*} {\mathbf{H}}^{*} {\mathbf{S}}_{0}^{*} \) [22], \( \Delta_{i} \) can be expressed as:

$$ \Delta_{i} = {\varvec{\upalpha}}_{r} \left( {{\mathbf{S}}_{i}^{ * } {\mathbf{H}}^{ * } {\mathbf{S}}_{0}^{ * } - {\mathbf{S}}_{i}^{ * } } \right){\mathbf{z}}^{ * } = - {\varvec{\upalpha}}_{r} {\mathbf{S}}_{i}^{ * } {\mathbf{Q}}^{\text{T}} {\mathbf{Qz}}^{ * } = - {\varvec{\upalpha}}_{r} {\mathbf{S}}_{i}^{ * } {\mathbf{Q}}^{\text{T}} {\mathbf{p}}. $$

(10)

The standard deviation of \( \Delta_{i} \) is equivalent to:

$$ \sigma_{{\Delta_{i} }} = \sqrt {{\varvec{\upalpha}}_{r} \left( {{\mathbf{S}}_{i}^{ * } {\mathbf{S}}_{i}^{{ * {\text{T}}}} - {\mathbf{S}}_{i}^{ * } {\mathbf{H}}^{ * } {\mathbf{S}}_{0}^{{ * {\text{T}}}} {\mathbf{S}}_{i}^{{ * {\text{T}}}} } \right){\varvec{\upalpha}}_{r}^{\text{T}} } = \sqrt {{\varvec{\upalpha}}_{r} {\mathbf{S}}_{i}^{ * } {\mathbf{Q}}^{\text{T}} {\mathbf{QS}}_{i}^{{*{\text{T}}}} {\varvec{\upalpha}}_{r}^{\text{T}} } . $$

(11)

Therefore, the relationship between \( q_{i} \) and \( {\mathbf{p}} \) can be established:

$$ q_{i} = {\mathbf{w}}_{i} {\mathbf{p}},\quad {\text{where}}\quad {\mathbf{w}}_{i} = \frac{{ - {\varvec{\upalpha}}_{r} {\mathbf{S}}_{i}^{ * } {\mathbf{Q}}^{\text{T}} }}{{\sqrt {{\varvec{\upalpha}}_{r} {\mathbf{S}}_{i}^{ * } {\mathbf{Q}}^{\text{T}} \left( {{\varvec{\upalpha}}_{r} {\mathbf{S}}_{i}^{ * } {\mathbf{Q}}^{\text{T}} } \right)^{\text{T}} } }}. $$

(12)

In this work, \( {\mathbf{w}}_{i} \) is defined as “fault mode line” for \( H_{i} \). And the projection of the parity vector on this line is the corresponding normalized SS test statistic \( q_{i} \).

To visualize SS-based FD in parity space, a simple measurement model is employed here. The observation matrix and the error model are, respectively, \( {\mathbf{H}} = \left[ {\begin{array}{*{20}c} 1 & 1 & 1 \\ \end{array} } \right]^{\text{T}} \) and \( {\mathbf{v}}\sim N\left( {0_{3 \times 1} , {\mathbf{I}}_{3} } \right) \). Three fault modes i = 1, 2, 3, corresponding to each measurement, are considered in this problem. Since there are two redundant measurements, this example can be easily demonstrated in a 2D parity space.

Figure 1 presents ARAIM FD process under fault hypothesis \( H_{1} \), i.e., the fault is on line \( {\mathbf{w}}_{1} \) (highlighted red). The yellow arrow represents the parity vector, and its projections onto three fault lines are the associated normalized SS test statistics, i.e., Eq. (12). The blue region on the right indicates no detection event \( \bar{D}_{0} \), in which all the statistics are less than the thresholds. It has hexagon shape because the magnitudes of the thresholds are equal for all three \( q_{i} \). In this example case, the parity vector lies outside of the no detection region; so there is a detection event.

Open image in new window

So far, we have described the ARAIM FD process, which only addresses the impact of FA events on continuity. In fact, because ARAIM will take use of multiple constellations, the heightened likelihood of encountering true FD events can significantly increase continuity risk. Therefore, to improve ARAIM continuity, an exclusion step must be implemented after FD, especially given that ARAIM will operate as a main navigation means [19].

3.1 Two-step-based FE function designs

Unlike the MHSS FD algorithm that is generally accepted, the currently proposed FE algorithms are mostly heuristic. Figure 2 shows the flow diagram of a typical FDE procedure, which is composed of three major steps including IR evaluation (labeled blue), FD function implementation (labeled green) and FE function implementation (labeled red). As the precondition of the whole process, the overall IR of the FDE function (\( {\text{IR}}_{\text{FDE}} \)) is computed and compared with the requirement \( I_{\text{REQ}} \) at first. The receiver will proceed to the remaining steps only if \( {\text{IR}}_{\text{FDE}} < I_{\text{REQ}} \). For continuity, the key design element is the exclusion step after detection, and the mechanism to determine which SV to exclude. In most of the current designs, the FE function consists of two steps: exclusion option order determination and final decision-making. Figure 2 has listed three ways to array the exclusion candidates [17, 18, 19], whose goal is to develop an efficient route for the exclusion attempt. To make the final exclusion choice, a second layer detection test is employed to confirm the new satellite subset after exclusion is FF [17]. Following the order made in first step, multiple exclusion tests will be implemented from j = 1 to n. And the final decision (noted as \( E_{j} \)) is made only if there is no second layer detection event after excluding SV j.

Open image in new window

Although the two-step-based FE function design has been widely proposed and discussed, it has several major disadvantages. First, its computational cost is extremely high, which may not be feasible for on-board ARAIM user receiver. This is due to the fact that carrying out the exclusion test requires reevaluating the position estimate and statistics using the second layer SV subsets, which doubles the computational load than only implementing a single FD function. In addition, it may take a number of iterations before the final exclusion decision can be made, and each iteration corresponds to going through one more FD process. Under the worst-case scenario when no exclusion (NE) can be validated after testing all the candidates, the system will output insignificant information, while consuming a large amount of computation power. Given that the complexity of the MHSS FD algorithm has already caused issues [20, 24, 25], it is highly undesirable to add any additional computational load to the user. Other than the concern on computation, another major problem of the current FE function design is due to the tradeoff between continuity and integrity. According to the algorithm description [17], the continuity improvement is highly dependent on the threshold setting of the second layer test statistics. Although the continuity risk can be reduced by employing a larger threshold, it will also lead to a higher IR. For the cases when the continuity requirement is stringent, the resulting \( {\text{IR}}_{\text{FDE}} \) may exceed \( I_{\text{REQ}} \).

3.2 Real-time implementation of the integrated FDE scheme

To overcome the shortcomings of the existing algorithms, our proposed method unifies the FD and FE functions into one process. As shown in Fig. 3, the real-time implementation of the integrated FDE scheme is greatly simplified from the one in Fig. 2. Using the new approach, the final exclusion decision can be directly made after an alert is triggered. Because the second layer FD test and the iteration steps are removed, the algorithm efficiency is dramatically improved. The basis for determining the excluded SV subset is utilizing the properties of the party vector projections in parity space. Under a single SV faulted condition, the mean of the party vector is along the fault mode line, and the deviation of the parity vector from this line is only impacted by the noise from other FF measurements. Therefore, the projection on the actual fault mode is expected to be the maximum, and that is why its corresponding SV subset is chosen to be excluded. Because the maximum projection can always be found, the exclusion attempt will never fail, which means that the operation continuity can be fully preserved after a FD event occurs. According to our derivations in prior section, the projections of single SV fault modes are equivalent to their normalized SS test statistics, so \( q_{i} \) can be directly used to make the exclusion decision. This is captured by the solid purple arrow in Fig. 3.

Open image in new window

It is noteworthy that the second layer detection test is no longer performed using the new approach, which may raise the question whether the resulting position estimate after exclusion can still be trusted or not. The principle for not adopting a double check is that the new exclusion scheme is expected to exclude the faulted measurement, which should generate a FF position estimate. Similar to all the exclusion algorithms, it is true that a FF subset can be wrongly excluded using this approach, but the operation safety is still ensured as long as the probability of having this event is rigorously accounted in the overall integrity risk quantification, i.e., \( {\text{IR}}_{\text{FDE}} \). As shown in Fig. 3, a priori integrity check is employed, and the mission will be executed only if \( {\text{IR}}_{\text{FDE}} < I_{\text{REQ}} \). Therefore, the general \( {\text{IR}}_{\text{FDE}} \) should capture all the possible events that the user may encounter, including wrong exclusion (WE). Evaluating \( {\text{IR}}_{\text{FDE}} \) is a key aspect of this work, and the details will be addressed in next section.

Using the example introduced in prior section, the FDE procedures are visually presented in parity space in Fig. 4. Because measurement 1 is faulted, the parity vector p will move along \( {\mathbf{w}}_{1} \) as the fault magnitude (i.e., \( f_{1} \)) varies, with small deviations orthogonal to \( {\mathbf{w}}_{1} \) due to nominal noise on measurements 2 and 3. The left figure corresponds to the conventional FDE algorithm, where the exclusion zones are distinguished by multiple colors. The green band represents the correct exclusion (CE) event in which measurement 1 will be excluded. The red band results in WE since measurement 2 and 3 will be excluded. The overlapping regions are labeled blue and purple, in which more than one exclusion options will pass the second layer detection test. Finally, the white areas capture the cases that NE can be made after testing all the exclusion options (\( \bar{E} \)). For this approach, the widths of those bands are set by the magnitudes of the exclusion threshold \( T_{e,l} \), and the basis for determining the parity vector’s location is by comparing the second layer test statistics \( q_{e,l} \) with \( T_{e,l} \) [17, 19]. Therefore, Fig. 5 (left) restates the fact that the computational cost to support the conventional FDE approach is significantly high because (a) it requires computing \( q_{e,l} \) and \( T_{e,l} \), and (b) it requires an iterative search to make the final exclusion decision. In addition, even if \( {\mathbf{p}} \) locates in the white regions, the algorithm will still consume the same amount of computational power. And if \( {\mathbf{p}} \) is in the blue or purple area, the probability of having a WE event is increased, which is highly undesirable for the users. In comparison to the conventional approach, the figure on the right presents our proposed integrated FDE scheme in parity space, where the CE region is labeled green and WE region is labeled red. Because the regions are distinguished by the magnitudes of \( q_{i} \), their borders lie in the middle of two fault mode lines. Using the new approach, there is no overlapping regions nor NE regions, which restates the fact that exclusion decision can be immediately made by only using the information from the FD step, and continuity can be fully preserved.

Open image in new window

Open image in new window

In Eq. (14), the actual fault vector \( f_{i} \) of hypothesis \( H_{i} \) can be fully characterized by its direction and magnitude [12]. The worst-case fault is obtained when the conditional \( {\text{IR}}_{\text{FDE}} \) for \( H_{i} \) (the summation over all exclusion options under hypothesis \( H_{i} \)) is maximized. However, directly evaluating IR using Eq. (14) is almost impossible because (a) searching for the worst-case fault over all exclusion options is an arduous task, and (b) the correlations between the events in each exclusion option are complex. Therefore, in the upper bound of Eq. (15), we have implicitly selected \( f_{i} \) to maximize each term individually. In contrast, in Eq. (14), a single fault mode is selected to maximize the sum of all the terms. Therefore, summing the maximized individual risks using Eq. (15) always bounds the maximized summed risk in Eq. (14).

Due to the term of \( \left| {q_{j} } \right| > \left| {q_{i} } \right| \), it is challenging to directly evaluate Eq. (19). Instead, we employ an upper bound, which converts Eq. (19) into a multivariate normal distribution problem. Let \( {\mathbf{q}} \) define as \( \left[ {q_{j} q_{i} } \right]^{\text{T}} \), so \( \varvec{q} \sim N\left( {{\varvec{\upmu}}_{q} , {\varvec{\Sigma}}_{q} } \right) \), where \( {\varvec{\upmu}}_{q} = \left[ {\mu_{{q_{j} }} \mu_{{q_{i} }} } \right]^{\text{T}} \), and the covariance matrix is \( {\varvec{\Sigma}}_{q} = \left[ {\begin{array}{*{20}l} 1 \hfill & {\sigma_{{_{{q_{j} q_{i} }} }}^{2} } \hfill \\ {\sigma_{{_{{q_{j} q_{i} }} }}^{2} } \hfill & 1 \hfill \\ \end{array} } \right] \). Then, using the leftmost figure of Fig. 5, the scenario of \( \left| {q_{j} } \right| > \left| {q_{i} } \right| \) can be visually illustrated in terms of q. The red line represents the mean values of \( {\mathbf{q}} \) that change as a function of fault magnitude. The impact of the nominal bias b is not addressed, so the red line passes the origin when the fault magnitude is 0. As a result, the probability of \( \left| {q_{j} } \right| > \left| {q_{i} } \right| \) is equivalent to the probability of q locating in the blue regions of the leftmost figure. As shown in the dashed box of Fig. 5, the principle of bounding Eq. (19) is independently evaluating the two blue areas. Let two new unit vector define as \( {\mathbf{n}}_{1} = \left[ { - \frac{\sqrt 2 }{2},\varvec{ }\frac{\sqrt 2 }{2}} \right] \) and \( {\mathbf{n}}_{2} = \left[ {\frac{\sqrt 2 }{2},\varvec{ }\frac{\sqrt 2 }{2}} \right] \), then the new variables in the two subfigures in the dashed box are, respectively, \( R_{1} = {\mathbf{n}}_{1} {\mathbf{q}} \) and \( R_{2} = {\mathbf{n}}_{2} {\mathbf{q}} \), where \( R_{1} \sim N\left( {\mu_{{R_{1} }} = {\mathbf{n}}_{1} {\varvec{\upmu}}_{q} , \sigma_{{R_{1} }}^{2} = {\mathbf{n}}_{1} {\varvec{\Sigma}}_{q} {\mathbf{n}}_{1}^{\text{T}} } \right) \) and \( R_{2} \sim N\left( {\mu_{{R_{2} }} = {\mathbf{n}}_{2} {\varvec{\upmu}}_{q} , \sigma_{{R_{2} }}^{2} = {\mathbf{n}}_{2} {\varvec{\Sigma}}_{q} {\mathbf{n}}_{2}^{\text{T}} } \right) \). The deviation between the red line and the origin captures the worst-case impact of nominal bias b on the probability.

With the theoretical methods being fully derived in prior sections, this section investigates the performance of the new FDE scheme. The analyses are, respectively, carried out from the perspective of computational efficiency, algorithm effectiveness and integrity. To clearly present the benefits of this approach, the new results are directly compared to the ones obtained using existing FDE methods.

Figure 6 verifies the effectiveness of the proposed FDE scheme. A Monte-Carlo simulation with 10⁷ trials is performed, and GPS almanac is employed to simulate the SV positions. Figure 6 corresponds to the case where the user is located at Shanghai, China, with 7 GPS satellites in view. To simulate the faulted condition, a measurement fault with the varying magnitude from 0 to 50 m is injected to SV 4. The results are presented in terms of the probability of CE (left) and NE (right). Because the performance of the conventional FDE methods depends on the allocated continuity budget \( P_{\text{FDNE,REQ}} \), three scenarios are considered, and their results are, respectively, labeled green, blue and black in Fig. 6. The red solid lines in both figures correspond to the newly proposed FDE scheme. Using the new approach, maximum CE probabilities can always be obtained without any continuity interruptions, which surpasses the conventional methods.

Open image in new window

Figure 7 presents the IR associated with the integrated FDE scheme. Using the same GPS almanac as the one for Fig. 6, the results are evaluated over a 1-day period at Shanghai, China. According to the figure, the red line is in between the green and blue lines, which indicates that new FDE approach may lead to larger IR than the conventional approach in some special cases. However, unlike the conventional approach whose IR reduction comes at the cost of increased continuity risk, the IR of our proposed FDE scheme is fixed. Therefore, the operational continuity can always be fully preserved using the integrated FDE scheme, which is the key advantage of this method.

Open image in new window

This paper proposes a novel integrity monitoring scheme against GNSS fault for civil aviation navigation. The main contributions are (a) developing an efficient user algorithm that integrates FDE functions, and (b) deriving the analytical methods to quantify its corresponding IR. In this work, the projection matrix is derived for single satellite failure modes, the mechanism for determining exclusion subset is established based on the projection magnitudes, and the false exclusion probabilities are rigorously accounted in the IR quantification. Using the new approach, the computational load of the user is significantly reduced, and the effectiveness of correctly excluding the faulted SV is improved. In addition, full continuity can be preserved using this approach, while achieving promising IR that is in the same order of the magnitude as the conventional FDE methods. In the future work, multiple fault modes will be accounted, and the scheme will be validated under baseline ARAIM simulation scenarios.