Digital avionics handbook [3. ed] 9781439868614, 1439868611, 9781439868980, 1439868980


412 123 13MB

English Pages 817 Year 2015

Report DMCA / Copyright

DOWNLOAD PDF FILE

Table of contents :
Content: PrefaceAcknowledgmentsEditorsContributorsSection I: Evolution of Avionics: Safety and CertificationEvolving AvionicsUma D. Ferrell and Thomas K. FerrellCommunicationsRoy T. Oishi and Ann HeinkeNavigationMyron KaytonGlobal Positioning SystemChristopher J. Hegarty, John M. Foley, and Sai K. KalyanaramanFault-Tolerant AvionicsEllis F. HittElectromagnetic EnvironmentRichard HessVehicle Health Management SystemsPhilip A. Scandura, Jr.Cockpit Voice Recorders and Data RecordersScott MontgomeryCertification of Civil AvionicsG. Frank McCormickSystem Safety and System DevelopmentMarge JonesUnderstanding the Role of RTCA DO-160 in the Avionics Certification ProcessDonald L. SweeneyRTCA DO-178B/EUROCAE ED-12BThomas K. Ferrell and Uma D. FerrellRTCA DO-178C/EUROCAE ED-12C and the Technical SupplementsThomas K. Ferrell and Uma D. FerrellRTCA DO-254/EUROCAE ED-80Randall FultonSection II: Avionics Functions: Supporting Technology and Case StudiesHuman Factors Engineering and Flight Deck DesignKathy H. AbbottHead-Mounted DisplaysJames MelzerHead-Up DisplayRobert B. Wood and Peter J. HowellsDisplay DevicesThomas M. LippertVision SystemsSteven D. Young, Lynda J. Kramer, and Randall E. BaileySpeech Recognition and SynthesisDouglas W. BeeksTerrain AwarenessBarry C. BreenTraffic Alert and Collision Avoidance System II (TCAS II)Steve HenelyAutomatic Dependent Surveillance-BroadcastJoel M. WichgersFlight Management SystemsRandy WalterElectrical Wiring Interconnect SystemMichael TraskosBatteriesDavid G. VutetakisGenesisRandy Walter and Christopher B. WatkinsBoeing B-777 Avionics ArchitectureMichael J. MorganBoeing B-777Gregg F. BartleyNew Avionics SystemsPeter Potocki de MontalkAirbus Electrical Flight ControlsPascal TraverseSection III: Avionics Development: Tools, Techniques, and MethodsElectronic Hardware ReliabilityP.V. Varde, Nikhil Vichare, Ping Zhao, Diganta Das, and Michael G. PechtMIL-STD-1553B Digital Time Division Command/Response Multiplex Data BusChris de LongARINC 429 Digital Information Transfer SystemPaul J. PrisaznukRTCA DO-297/EUROCAE ED-124 Integrated Modular Avionics (IMA) Design Guidance and Certification ConsiderationsCary R. Spitzer and Leanna RiersonARINC Specification 653, Avionics Application Software Standard InterfacePaul J. PrisaznukTime-Triggered ProtocolMirko JakovljevicDigital Avionics Modeling and SimulationJack Strauss, Joseph Lyvers, Terry Venema, and Andrew ShupeModel-Based Development with AADLJulien Delange and Bruce LewisMathworks Approach to MBDBill Potter, Pieter Mosterman, and Tom ErkkinenEsterel SCADE Approach to MBDJean-Louis CamusModel CheckingTingting Hu and Ivan Cibrario BertolottiFormal MethodsBen Di VitoNavigation and TrackingJames Farrell and Maarten Uijt de HaagSection IV: ConclusionNext FrontierMark G. BallinIndex
Recommend Papers

Digital avionics handbook [3. ed]
 9781439868614, 1439868611, 9781439868980, 1439868980

  • 0 0 0
  • Like this paper and download? You can publish your own PDF file online for free in a few minutes! Sign Up
File loading please wait...
Citation preview

THIRD EDITION

DIGITAL AVIONICS H A N D B O O K

EDITED BY

Cary R. S p itz e r Um a Ferrell • T h o ma s F e r r e ll

THIRD EDITION

DIGITAL AVIONICS H A N D B O O K

THIRD EDITION

DIGITAL AVIONICS H A N D B O O K EDITED BY

Cary R. Spitzer In Memoriam

Uma Ferrell Ferrell and Associates Consulting, Inc.

Thomas Ferrell Ferrell and Associates Consulting, Inc.

Boca Raton London New York

CRC Press is an imprint of the Taylor & Francis Group, an informa business

MATLAB®, Simulink®, and Stateflow® are trademarks of The MathWorks, Inc. and are used with permission. The MathWorks does not warrant the accuracy of the text or exercises in this book. This book’s use or discussion of MATLAB®, Simulink®, and Stateflow® software or related products does not constitute endorsement or sponsorship by The MathWorks of a particular pedagogical approach or particular use of the MATLAB®, Simulink®, and Stateflow® software. RTCA documents referenced in this book may be purchased from RTCA, Inc, 1150 18th Street NW, Suite 910, Washington, DC 20036 (202) 833-9339 www.rtca.org SAE documents referenced in this book may be purchased from SAE International: 400 Commonwealth Drive, Warrendale, PA 15096 (724) 776-4841 www.sae.org ARINC documents referenced in this book may be purchased from SAE-ITC, ARINCIndustry Activities: 16701 Melford Blvd., Suite 120,Bowie, MD 20715 (240) 334-2578 [email protected] Acknowledgments: ARINC standards are affiliated with the SAE. Architecture Analysis and Design Language (AADL) was standardized by SAE. SCADE is a copyrighted product of Esterel Technologies.

CRC Press Taylor & Francis Group 6000 Broken Sound Parkway NW, Suite 300 Boca Raton, FL 33487-2742 © 2015 by Taylor & Francis Group, LLC CRC Press is an imprint of Taylor & Francis Group, an Informa business No claim to original U.S. Government works Version Date: 20140924 International Standard Book Number-13: 978-1-4398-6898-0 (eBook - PDF) This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint. Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers. For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged. Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe. Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

his book is dedicated in loving memory to Cary R. Spitzer.

Contents Preface....................................................................................................................... xi Acknowledgments ................................................................................................. xiii Editors ...................................................................................................................... xv Contributors ..........................................................................................................xvii

Section i

1

evolution of Avionics: Safety and certiication

Evolving Avionics .......................................................................................................... 1-1 Uma D. Ferrell and homas K. Ferrell

2

Communications ........................................................................................................... 2-1 Roy T. Oishi and Ann Heinke

3

Navigation ....................................................................................................................... 3-1 Myron Kayton

4

Global Positioning System .......................................................................................... 4-1 Christopher J. Hegarty, John M. Foley, and Sai K. Kalyanaraman

5

Fault-Tolerant Avionics ................................................................................................ 5-1 Ellis F. Hitt

6

Electromagnetic Environment ................................................................................... 6-1 Richard Hess

7

Vehicle Health Management Systems ...................................................................... 7-1 Philip A. Scandura, Jr.

8

Cockpit Voice Recorders and Data Recorders ....................................................... 8-1 Scott Montgomery

9

Certification of Civil Avionics .................................................................................. 9-1 G. Frank McCormick

10

System Safety and System Development ............................................................... 10-1 Marge Jones

vii

viii

Contents

11

Understanding the Role of RTCA DO-160 in the Avionics Certification Process .................................................................................................. 11-1 Donald L. Sweeney

12

RTCA DO-178B/EUROCAE ED-12B ..................................................................... 12-1 homas K. Ferrell and Uma D. Ferrell

13

RTCA DO-178C/EUROCAE ED-12C and the Technical Supplements ........ 13-1 homas K. Ferrell and Uma D. Ferrell

14

RTCA DO-254/EUROCAE ED-80 .......................................................................... 14-1 Randall Fulton

Section ii Avionics Functions: Supporting technology and case Studies

15

Human Factors Engineering and Flight Deck Design ...................................... 15-1 Kathy H. Abbott

16

Head-Mounted Displays ............................................................................................ 16-1 James Melzer

17

Head-Up Display ......................................................................................................... 17-1 Robert B. Wood and Peter J. Howells

18

Display Devices ............................................................................................................ 18-1 homas M. Lippert

19

Vision Systems ............................................................................................................. 19-1 Steven D. Young, Lynda J. Kramer, and Randall E. Bailey

20

Speech Recognition and Synthesis ......................................................................... 20-1 Douglas W. Beeks

21

Terrain Awareness ....................................................................................................... 21-1 Barry C. Breen

22

Traffic Alert and Collision Avoidance System II (TCAS II) ........................... 22-1 Steve Henely

23

Automatic Dependent Surveillance—Broadcast ................................................. 23-1 Joel M. Wichgers

24

Flight Management Systems .....................................................................................24-1 Randy Walter

25

Electrical Wiring Interconnect System ................................................................. 25-1 Michael Traskos

26

Batteries .........................................................................................................................26-1 David G. Vutetakis

Contents

27

ix

Genesis ........................................................................................................................... 27-1 Randy Walter and Christopher B. Watkins

28

Boeing B-777 Avionics Architecture ......................................................................28-1 Michael J. Morgan

29

Boeing B-777 ................................................................................................................. 29-1 Gregg F. Bartley

30

New Avionics Systems ................................................................................................ 30-1 Peter Potocki de Montalk

31

Airbus Electrical Flight Controls ............................................................................ 31-1 Pascal Traverse

Section iii Avionics Development: tools, techniques, and Methods

32

Electronic Hardware Reliability .............................................................................. 32-1 P.V. Varde, Nikhil Vichare, Ping Zhao, Diganta Das, and Michael G. Pecht

33

MIL-STD-1553B Digital Time Division Command/Response Multiplex Data Bus ..................................................................................................... 33-1 Chris de Long

34

ARINC 429 Digital Information Transfer System .............................................34-1 Paul J. Prisaznuk

35

RTCA DO-297/EUROCAE ED-124 Integrated Modular Avionics (IMA) Design Guidance and Certification Considerations ........... 35-1 Cary R. Spitzer and Leanna Rierson

36

ARINC Specification 653, Avionics Application Software Standard Interface .........................................................................................................................36-1 Paul J. Prisaznuk

37

Time-Triggered Protocol ........................................................................................... 37-1 Mirko Jakovljevic

38

Digital Avionics Modeling and Simulation .......................................................... 38-1 Jack Strauss, Joseph Lyvers, Terry Venema, and Andrew Shupe

39

Model-Based Development with AADL ................................................................ 39-1 Julien Delange and Bruce Lewis

40

Mathworks Approach to MBD .................................................................................40-1 Bill Potter, Pieter Mosterman, and Tom Erkkinen

41

Esterel SCADE Approach to MBD .......................................................................... 41-1 Jean-Louis Camus

x

42

Contents

Model Checking ........................................................................................................... 42-1 Tingting Hu and Ivan Cibrario Bertolotti

43

Formal Methods ........................................................................................................... 43-1 Ben Di Vito

44

Navigation and Tracking ...........................................................................................44-1 James Farrell and Maarten Uijt de Haag

Section iV

45

conclusion

Next Frontier ................................................................................................................ 45-1 Mark G. Ballin

Preface Avionics is the cornerstone of modern aircrat control and operation. Almost every facet of the aircrat is tied to one or more avionics functions. As a result, the complexity and cost of avionics have never been greater. Many technologies that emerged in the last decade will be utilized in the next decade. he global positioning system has enabled satellite-based precise navigation and landing, and communication satellites are now capable of supporting aviation services. hus, the aviation world is upgrading to satellite-based communications, navigation, and surveillance for air traic management. Both the aircrat operator and the air traic services provider are realizing signiicant beneits. Familiar technologies in this book include data buses, one type of which has been in use for over 20 years; head-mounted displays; and ly-by-wire light controls. New bus and display concepts, however, are emerging, for example, a retinal scanning display, which may soon replace these veteran devices. Other emerging technologies include speech interaction with the aircrat and synthetic vision. Speech interaction may soon enter commercial service on business aircrat as another way to perform some noncritical functions. Synthetic vision ofers enormous potential for both military and civil aircrat for operations under reduced visibility conditions or in cases where it is diicult to install suicient windows in an aircrat. his book ofers a comprehensive view of avionics, from the technology and elements of a system to examples of modern systems lying on the latest military and civil aircrat. he chapters have been written with the reader in mind by working practitioners in the ield. his book was prepared for the working engineer and others seeking information on various aspects of avionics. he topic of avionics cannot be fully explored in a single handbook. Readers are encouraged to make use of the References and Further Reading sections to explore topics in more detail. he book has been divided into four sections, each containing a number of related chapters. Section I deals with the evolution of air traic control to air traic management and the reason for avionics support in communication, navigation, and surveillance, as well as the supporting safety and certiication infrastructure. Section II deals with speciic technology and use of diferent avionics, many of which are discussed in the previous section in a broad sense. Topics include an overview of functions accomplished by avionics, case studies of avionics architectures, and speciic instances of avionics. Section III is all about tools, techniques, and methods used to implement avionics functions. Topics include information on data buses, avionics architectures, modeling of avionics, and some additional details on navigation algorithms. Section IV provides a long-range look ahead. While the industry is busy implementing NextGen, it is worth considering what a FarGen might look like. Much of the information in this book deals with equipment and systems subject to regulatory oversight and certiication. Certiication and regulatory framework are constantly evolving as technology and the operating environment evolve (and yes, as lessons are learned from accidents and incidents). Opinions xi

xii

Preface

expressed in these chapters are but one interpretation of standards used for compliance. he material presented here has been collected by the authors from many sources that are believed to be reliable. However, no expressed or implied warranty can be made as to the accuracy or completeness of the material. No responsibility or liability is assumed by the authors or their employers. While utmost care is taken to be aligned with the certiication authority, the inal acceptance of that interpretation within a speciic context is up to the certiication authority. Many of the standards discussed in this book are coupled with issue papers or certiication review items to augment their application on speciic projects. For these reasons, it remains the responsibility of the entity seeking approval of their avionics for light to demonstrate compliance to all necessary regulatory requirements. Avionics concepts are developed and regulated world-wide using numerous industry documents from organizations such as RTCA, European Organization for Civil Aviation Equipment (EUROCAE), Society of Automotive Engineers (SAE), etc. hese documents are developed in committees comprised of industry, academia, and regulators. here are also numerous regulatory documents that afect how avionics are developed, used, and maintained. Naturally, a number of these documents have been referenced, elaborated, and made use of to describe concepts within many chapters in this handbook. he chapters in this handbook are not meant to substitute these industry documents or regulatory documents that promulgate the rules. Furthermore, all of these documents evolve from time to time. It must be noted that applicable regulations take precedence over materials in this handbook. Applicable industry documents must be directly referenced for application on speciic projects since it is quite conceivable that a speciic version of a speciic industry document may be imposed in the regulation applicable to that project.

Acknowledgments Heartfelt thanks to Tom and Uma Ferrell—your dedicated work made this book a reality. Because of his illness, Cary struggled and was unable to complete this project. He would be grateful and pleased. hank you, Nora, for keeping me informed of the progress of this book. Laura Spitzer We would like to thank all of the contributing authors of this handbook. Without their dedication, this book would not have been possible. We also would like to think Taylor & Francis for seeing this project to conclusion. Finally, the resulting volume would not have been possible without the diligence and hard work of Nora Konopka and Deepa Kalaichelvan. hank you very much. Tom and Uma Ferrell

xiii

Editors Cary R. Spitzer (deceased) graduated from Virginia Tech and George Washington University. Ater service in the Air Force, he joined NASA Langley Research Center. During the last half of his tenure at NASA, he focused on avionics. He was the NASA manager of a joint NASA/Honeywell program that made the irst satellite-guided automatic landing of a passenger transport aircrat in November 1990. In recognition of this accomplishment, he was nominated jointly by ARINC, ALPA, AOPA, ATA, NBAA, and RTCA for the 1991 Collier Trophy “for his pioneering work in proving the concept of GPS-aided precision approaches.” Mr. Spitzer led a project to deine the experimental and operational requirements for a transport aircrat suitable for conducting light experiments and to acquire such an aircrat. Today, that aircrat is the NASA Langley B-757 ARIES light research platform. Mr. Spitzer was the NASA representative to the Airlines Electronic Engineering Committee. In 1988, he received the Airlines Avionics Institute Chairman’s Special Volare Award. He was only the second federal government employee so honored in over 30 years. He was active in the RTCA, including serving as chairman of the Airport Surface Operations Subgroup of Task Force 1 on Global Navigation Satellite System Transition and Implementation Strategy and as technical program chairman of the 1992 Technical Symposium. He was also a member of the Technical Management Committee. In 1993, Mr. Spitzer founded AvioniCon, an international avionics consulting irm that specializes in strategic planning, business development, technology analysis, and in-house training. Mr. Spitzer was a fellow of the Institute of Electrical and Electronics Engineers (IEEE) and an associate fellow of the American Institute of Aeronautics and Astronautics (AIAA). He received the AIAA 1994 Digital Avionics Award and the IEEE Centennial Medal and Millennium Medal. He was a past president of the IEEE Aerospace and Electronic Systems Society. Beginning in 1979, Mr. Spitzer played a major role in the highly successful Digital Avionics Systems Conferences, including serving as general chairman. Mr. Spitzer presented one-week courses on digital avionics systems and on satellite-based communication, navigation, and surveillance for air traic management at the UCLA Extension Division. He also lectured for the International Air Transport Association. He was the author of Digital Avionics Systems, the irst book in the ield, published by McGraw-Hill, and editor-in-chief of he Avionics Handbook, published by CRC Press. He held two patents, published more than 40 papers, and was the author of several books on avionics. Having written a tutorial on avionics, he was sought ater as a consultant by UCLA and lectured all over the world. He was proud of the fact that his book, Digital Avionics Systems, was translated into Chinese and widely distributed in the Orient. Uma Ferrell and homas Ferrell are cofounders of Ferrell and Associates Consulting, Inc. (FAA), a certiication and sotware safety consultancy serving the aerospace industry. hey have over 50 years of combined experience in helping industry in accomplishing certiication objectives via training, certiication project support, and related research. hey are frequently sought out to help with new and novel technologies and methods where traditional certiication approaches break down. In recent years, xv

xvi

Editors

their consultancy has evolved to include project management support, especially for projects in need of recovery plans, to ensure successful engine and airframe certiication. Mr. and Mrs. Ferrell have collaborated together in numerous industry eforts as well as jointly authored papers and tutorials for a number of industry conferences, most notably the Digital Avionics Systems Conference (DASC) and the International System Safety Conference (ISSC). hey authored the FAA’s Service History Handbook (DOT/FAA/AR-01/116), an alternative method for DO-178B compliance. heir other research eforts have included work on the use of wireless systems onboard aircrat (accomplished through AVSI) and a comprehensive review of existing airworthiness standards for use in commercial space conducted for the FAA. Mr. and Mrs. Ferrell have authored and presented numerous courses covering various aviation engineering topics, including DO-178C, DO-178B, DO-254, DO-200A, DO-201A, FAA aircrat certiication, system and sotware safety, engineering ethics, technology transfer, and sotware veriication for aviation systems. Uma Ferrell holds a master’s degree in electrical engineering from Johns Hopkins University. She also holds an MSc in solid-state physics; a BSc in physics, chemistry, and mathematics; and a BSc (honors) in physics from Bangalore University in India. Mrs. Ferrell has held senior technical positions at Reliable Sotware Technologies (RST), he MITRE Corporation, General Sciences Corporation (GSC), and Computer Sciences Corporation (CSC). She has also contributed to engineering of large-scale, mission-critical scientiic information systems for National Aeronautics and Space Administration (NASA), National Oceanic and Atmospheric Administration (NOAA), and the Federal Aviation Administration (FAA). Mrs. Ferrell has participated in a number of industry standards eforts, including work for both the RTCA and the IEEE. She served as the U.S. cochair of the Commercial Of the Shelf Sotware (COTS) subgroup of RTCA SC-190 for CNS/ATM-related ground systems. She has conducted numerous engineering studies for the requirements working group of RTCA SC-147 (traic alert and collision avoidance system (TCAS) Minimum Operational Performance Speciication). She represented he MITRE Corporation at the RTCA Certiication Task Force to provide policy recommendations to the FAA. She was a part of RTCA SC-200 to establish design guidance and certiication considerations for integrated modular avionics in RTCA DO-297. She has also contributed to RTCA SC-205 for the formulation of DO-178C, DO-248C, and DO-278A for CNS/ATM systems. Mrs. Ferrell is a sotware designated engineering representative (DER) (parts 23 and 25) Level A for both electrical and mechanical systems. She also performs similar work as an authorized representative (AR) for numerous FAA ODAs. She currently serves on the ASQ Sotware Quality Professional editorial board, providing jury review of sotware-related publications. Mr. homas Ferrell holds a bachelor’s degree in electrical engineering from Northern Illinois University, a master’s degree in information technology management from Rensselaer Polytechnic Institute, and, for something a little diferent, a master’s degree in history from George Mason University. Mr. Ferrell has held senior technical positions at Science Application International Corporation (SAIC), Iridium LLC, and the Boeing Commercial Airplane Group. Mr. Ferrell has served in various leadership capacities for a number of RTCA committees, including SC-190, where he led the efort to create DO-278, and SC-205, where he was responsible for DO-178C document integration. He has served as a private sector advisor to the FAA at ICAO. He is frequently sought out as a guest speaker on a variety of topics associated with system and sotware safety, as well as aircrat certiication. Mr. Ferrell is a sotware and airborne electronic hardware designated engineering representative (parts 23, 25, and 33) for electrical and mechanical systems, as well as engine controls. He is also an authorized representative (AR) for numerous FAA ODAs.

Contributors Kathy H. Abbott Federal Aviation Administration Washington, DC

Barry C. Breen Honeywell Monroe, Washington

and

Jean-Louis Camus Esterel Technologies Toulouse, France

Langley Research Centre National Aeronautics and Space Administration Hampton, Virginia Randall E. Bailey Langley Research Center National Aeronautics and Space Administration Hampton, Virginia Mark G. Ballin Langley Research Center National Aeronautics and Space Administration Hampton, Virginia Gregg F. Bartley Federal Aviation Administration Washington, DC Douglas W. Beeks Beeks Engineering and Design Beaverton, Oregon Ivan Cibrario Bertolotti Institute of Electronics, Computer and Telecommunication Engineering National Research Council of Italy Turin, Italy

Diganta Das Department of Mechanical Engineering Center for Advanced Life Cycle Engineering University of Maryland College Park, Maryland Julien Delange Carnegie Mellon Sotware Engineering Institute Pittsburgh, Pennsylvania Chris de Long Honeywell Aerospace Albuquerque, New Mexico Ben Di Vito Langley Research Center National Aeronautics and Space Administration Hampton, Virginia

homas K. Ferrell Ferrell and Associates Consulting, Inc. Charlottesville, Virginia Uma D. Ferrell Ferrell and Associates Consulting, Inc. Charlottesville, Virginia John M. Foley Garmin AT, Inc. Salem, Oregon Randall Fulton FAA Consultant DER SotwAir Assurance, Inc. Redwood City, California Christopher J. Hegarty he MITRE Corporation Bedford, Massachusetts Ann Heinke Overlook Consulting, Inc. Bridgeton, New Jersey Steve Henely Rockwell Collins Cedar Rapids, Iowa

Tom Erkkinen he MathWorks, Inc. Natick, Massachusetts

Richard Hess Honeywell Aerospace Phoenix, Arizona

James Farrell VIGIL, Inc. Severna Park, Maryland

Ellis F. Hitt StratSystems, Inc. Westerville, Ohio xvii

xviii

Peter J. Howells Rockwell Collins Head-Up Guidance Systems Portland, Oregon Tingting Hu Institute of Electronics, Computer and Telecommunication Engineering National Research Council of Italy and Department of Control and Computer Engineering Polytechnic University of Turin Turin, Italy

Contributors

Joseph Lyvers Xcelsi Group Dayton, Ohio

Leanna Rierson Digital Safety Consulting Wichita, Kansas

G. Frank McCormick Certiication Services, Inc. Eastsound, Washington

Philip A. Scandura, Jr. Honeywell International Phoenix, Arizona

James Melzer Rockwell Collins Optronics Carlsbad, California Scott Montgomery Universal Avionics Systems Corporation Tucson, Arizona

Andrew Shupe Dayton, Ohio Cary R. Spitzer AvioniCon Williamsburg, Virginia Jack Strauss Xcelsi Group Dayton, Ohio

Mirko Jakovljevic TTTech Computertechnik AG Vienna, Austria

Michael J. Morgan Honeywell Olathe, Kansas

Marge Jones Safety Analytical Technologies, Inc. Huntsville, Alabama

Pieter Mosterman he MathWorks, Inc. Natick, Massachusetts

Donald L. Sweeney D.L.S. Electronic Systems, Inc. and D.L.S. Conformity Assessment, Inc. Wheeling, Illinois

Roy T. Oishi ARINC Annapolis, Maryland

Michael Traskos Lectromec Chantilly, Virginia

Michael G. Pecht Electronics and Production Systems Center Center for Advanced Life Cycle Engineering University of Maryland College Park, Maryland

Pascal Traverse Airbus SAS Toulouse, France

Sai K. Kalyanaraman Rockwell Collins Cedar Rapids, Iowa Myron Kayton Kayton Engineering Company Santa Monica, California Lynda J. Kramer Langley Research Center National Aeronautics and Space Administration Hampton, Virginia Bruce Lewis U.S. Army Aviation and Missile Research Development and Engineering Center Madison, Alabama homas M. Lippert Microvision Inc. Bothel, Washington

Peter Potocki de Montalk Airbus Industrie Blagnac, France Bill Potter he MathWorks, Inc. Natick, Massachusetts Paul J. Prisaznuk ARINC Annapolis, Maryland

Maarten Uijt de Haag Department of Electrical Engineering Ohio University Athens, Ohio P.V. Varde Center for Advanced Life Cycle Engineering University of Maryland Washington, DC and Bhabha Atomic Research Centre Mumbai, India

xix

Contributors

Terry Venema Xcelsi Group Dayton, Ohio

Randy Walter GE Aviation Systems Grand Rapids, Michigan

Robert B. Wood Rockwell Collins Head-Up Guidance Systems Portland, Oregon

Nikhil Vichare Dell Computers Austin, Texas

Christopher B. Watkins Gulfstream Aerospace Corporation Savannah, Georgia

Steven D. Young Langley Research Center National Aeronautics and Space Administration Hampton, Virginia

Joel M. Wichgers Rockwell Collins Cedar Rapids, Iowa

Ping Zhao Apple Inc. Cupertino, California

David G. Vutetakis Concorde Battery Corporation West Covina, California

I Evolution of Avionics: Safety and Certiication 1 Evolving Avionics Uma D. Ferrell and homas K. Ferrell .............................................1-1 Avionics: A Historical Perspective • Free Flight to NextGen/SESAR • NextGen • SESAR • Summary • Further Reading

2 Communications Roy T. Oishi and Ann Heinke ...........................................................2-1 Air–Ground Communications • Voice Communications • Data Communications • Summary • References

3 Navigation Myron Kayton ............................................................................................... 3-1 Introduction Reckoning • Navigation • Trade-Ofs •

• Coordinate Frames • Categories of Navigation • Dead Radio Navigation • Celestial Navigation • Map-Matching Navigation Sotware • Navigation Hardware • Design Bibliography • Articles • Journals • Websites

4 Global Positioning System Christopher J. Hegarty, John M. Foley, and Sai K. Kalyanaraman ................................................................................................. 4-1 Introduction • GPS System • Aviation Augmentations • Avionics • Applications • Future Trends • References

5 Fault-Tolerant Avionics Ellis F. Hitt ............................................................................... 5-1 Introduction • System-Level Fault Tolerance • Hardware-Implemented Fault Tolerance: Fault-Tolerant Hardware Design Principles • Sotware-Implemented Fault Tolerance: State Consistency • Sotware Fault Tolerance • Summary • Further Reading • References

6 Electromagnetic Environment Richard Hess................................................................. 6-1 Introduction • EME Energy Susceptibility • Civil Airworthiness Authority Concerns • Architecture Options for Fault Mitigation • Deinitions • Further Reading

7 Vehicle Health Management Systems Philip A. Scandura, Jr. ....................................... 7-1 Introduction • Deinition of Integrated Vehicle Health Management • Evolution of VHM Standards • Maintaining Federated versus Modular Avionics Systems • Key Technologies • Examples of State-of-the-Art IVHM Systems • Summary • Deinitions • Further Reading • References

i-1

i-2

Evolution of Avionics: Safety and Certiication

8 Cockpit Voice Recorders and Data Recorders Scott Montgomery ............................... 8-1 Introduction • System Architecture • History • Current Requirements • Periodic Inspection Requirements • Conclusion • References

9 Certiication of Civil Avionics G. Frank McCormick .................................................... 9-1 Introduction • Regulatory Basis of the FAA • FAA Approvals of Avionics Equipment • Technical Standard Order • Supplemental Type Certiicate • Type Certiicate, Amended Type Certiicate, and Service Bulletin • FAA Designees • System Requirements • Safety Assessment • Environmental Qualiication • Sotware Assurance • Complex Electronic Hardware • Manufacturing Approvals • European Aviation Safety Agency • Summary • Deinitions • Websites

10 System Safety and System Development Marge Jones................................................. 10-1 System Development and Assurance • System Safety Concept • Civil Aviation System Safety Process • Identifying Safety Requirements (Functional Hazard Assessment) • Safety Requirement Validation (Preliminary System Safety Assessment) • Derived Requirements • Deining Development Assurance Levels • Lightning Certiication Level • Safety Veriication (System Safety Assessment) • EWIS • Use of TSOs in Safety Assessments • MIL-STD-882 System Safety • Concluding Summary • Further Reading • References

11 Understanding the Role of RTCA DO-160 in the Avionics Certiication Process Donald L. Sweeney................................................................................................. 11-1 Introduction • Table of Contents from DO-160G • Conclusion

12 RTCA DO-178B/EUROCAE ED-12B homas K. Ferrell and Uma D. Ferrell............ 12-1 Introduction • Comparison with Other Sotware Development Standards • Document Overview • Sotware as Part of the System • Sotware Life-Cycle Processes • Sotware Planning Process • Certiication Liaison Process • Previously Developed Sotware • Tool Qualiication • Conclusions • Further Reading • References

13 RTCA DO-178C/EUROCAE ED-12C and the Technical Supplements homas K. Ferrell and Uma D. Ferrell .................................................... 13-1 Introduction • Core Document Changes • DO-330: Sotware Tool Qualiication Considerations • DO-331: Model-Based Development and Veriication Supplement • DO-332: Object-Oriented Technology and Related Techniques Supplement • DO-333: Formal Methods Supplement • Applying DO-178C

14 RTCA DO-254/EUROCAE ED-80 Randall Fulton ..................................................... 14-1 Introduction • Scope of DO-254 • Make Everything as Simple as Possible, But Not Simpler—Albert Einstein • View from 35,000 t • Electronic Hardware and System Development • Using DO-254 • Invocation of the Guidance • Document Overview • Hardware Life Cycle Processes • Additional Considerations • FAA Order 8110-105 • Certiication Authorities Sotware Team Paper • What’s Next • Conclusions • Further Reading • References

he irst section deals with the evolution of air traic control (ATC) to air traic management (ATM) and the reason for avionics support in communication, navigation, and surveillance and the supporting safety and certiication infrastructure. he chapter on NextGen/Single European Sky ATM Research (SESAR) gives a broad description of the context in which aircrat operates; while pilots retain tactical control, ATM retains the strategic control in order to promote safety and eiciency. he diferent chapters in this section deal mostly with the avionics portion of the functions even though none of these functions are complete without considering the ground portion also. While the chapter on communication is a broad brush on the historic narration as well as various developments in technology, the chapter on navigation is more focused on algorithms. he surveillance part of the communications, navigation, and surveillance (CNS) is dealt with in the chapters on global positioning system (GPS), automatic dependent surveillance-broadcast (ADS-B), and TCAS II. he next group of chapters deals with the basic equipment that allows the aircrat to be managed within the airspace. Safety-speciic avionics are discussed in the next group of chapters. Finally, the set of certiication-speciic guidance that supports design and development assurance are discussed.

1 Evolving Avionics: Meeting the Challenge of NextGen and SESAR 1.1

Uma D. Ferrell Ferrell and Associates Consulting, Inc.

Thomas K. Ferrell Ferrell and Associates Consulting, Inc.

Avionics: A Historical Perspective ................................................. 1-1 Term • Technology, Safety, and Regulations • Top hree Technologies and Air Traic Control

1.2 Free Flight to NextGen/SESAR ...................................................... 1-3 1.3 NextGen ............................................................................................. 1-4 1.4 SESAR ................................................................................................. 1-6 1.5 Summary ............................................................................................ 1-6 Further Reading............................................................................................ 1-6

1.1 Avionics: A Historical Perspective 1.1.1 term he term avionics was coined from “aviation” and “electronics” in the 1970s. If we broaden the deinition to include instruments and mechanical systems, many systems such as radios, altimeters, radar, fuel gauges, and navigation instruments were used in the cockpit before the advent of electronics driven by the military.

1.1.2 technology, Safety, and Regulations Ever since the advent of powered light in 1903, aviation has continuously progressed with a variety of advances in all ields, science and engineering of light as well as how to control the skies for safety from collisions with other aircrat, terrain avoidance, weather avoidance, and safe landing and takeof. Industry leaders pushed to have common safety standards imposed by a government agency—the resulting Air Commerce Act in 1926 was the beginning of the federal certiication authority in the United States. ATC centers were established in Newark, Cleveland, and Chicago to help pilots with en route directions. Traic was controlled using blackboards and “shrimp boats” (paper boats signifying the airplane position) that were manually progressed depending upon the information from dispatchers, radio operators, and airports via telephone. In the history of the Federal Aviation Administration (FAA), two separate branches were created via Civil Aeronautics Act of 1938—one with the responsibility for Air Traic Control (ATC) and another with the responsibility for safety rulemaking, accident investigation, and economic regulation of airlines. he early ATC based on visual signals and light beacons evolved to radar signals following World War II technical developments. he advent of jets and higher density of traic provided more challenges for safety. Avoidance of midair collisions, terrain, and weather came to sharp focus with 1-1

1-2

Evolution of Avionics: Safety and Certiication

each high-proile accident. A single department of transportation to cover all modes of transportation including air transportation was established in 1986 via congressional authorization for a cabinet department with a separate authority for accident investigation transferred to the National Transportation Safety Board. his act took the agency to become the Federal Aviation Administration that we have today. A number of rules and regulations have evolved with both the evolution of technology and the recognition of the need for new technology instigated by accidents, incidents, increase in traic, and increase in operating costs.

1.1.3 top three technologies and Air traffic control he three essential technologies available to pilots in air and air traic controllers on the ground that help tactical and strategic control of aircrat with coordinated functions are communications, navigation, and surveillance. he challenges of these systems include global compatibility and interoperability as well as afording the service to both military and civil aircrat. he three aspects of avionics, namely, Communications, Navigation and Surveillance (CNS), have a parallel history in that advancements in one area necessitate advances in other areas. Wartime advances in navigation and radar detection required that communications be made more sophisticated. hese advances were brought into civil aviation; the same radar technology that was used in military aviation was adapted to be used to control civil aviation. Increase in the air traic necessitated more dependency on distributed CNS equipment both on ground and air to orchestrate traic eiciently while avoiding conlicts. To address the high price of oil during the 1970s, more and more digital systems were introduced to more precisely control light. As more and more instruments were introduced into the cockpit, some aids such as autopilots and warning systems had to be introduced to address pilot workload. Navigation in general is determining own position and velocity so that position and velocity at a future time can be calculated with and without changes in velocity. Navigation of aircrat from a pilot point of view is to know where the aircrat is with respect to a planned track so that the aircrat motion can be controlled. Navigation consists of four functions, namely, planning, tracking, recording, and controlling the aircrat motion. Air navigation has evolved from early ship navigation. In the early days of air travel, avionics equipment for navigation was as rudimentary as following known landmarks such as rail tracks or rivers combined sometimes with sophisticated celestial navigation techniques until there was a need to ly in conditions where visibility was poor because of night lying or bad weather conditions. he basic idea of accurately locating own ship was increasingly important as the skies became crowded and they had to be strategically organized to ly speciic routes via a centralized ground control. he irst blind light and landing based on navigation using gyroscopes and radio navigation aids was at the end of the 1920s. Today, aircrat could be lown under visual light rules (VFR) or instrument light rules (IFR). Accurate navigation technology has been used to maximize the airspace capacity while balancing safety. Navigation systems must satisfy four important categories of performance requirements, namely, accuracy, integrity, availability, and continuity of service. he third aspect of surveillance is determination of the position and velocity of the aircrat as perceived from the outside of the aircrat (e.g., from the ground ATC). Most of the improvements in the CNS were a direct result of technologies developed during World War II. Radio beacons and directional beams came to being in the 1930s. he irst ATC tower was established in 1935 at the Newark Liberty International Airport in NJ in 1935. here are two types of radar onboard the aircrat: primary surveillance radar and secondary surveillance radar. he primary surveillance radar is passive in that the ground detects the radar energy scattered from the surface of the aircrat to measure the distance and heading of the aircrat relative to the source of radar on the ground. he secondary surveillance radar is active in that the radar from the ground initiates a transponder on the aircrat that transmits a reply to the ground signal. his type of transmission can also be picked up by the surrounding aircrat to aid in collision avoidance. A unique address is given to each aircrat so that its transponder transmissions can be unambiguously identiied. his addressing system is followed throughout the world so that the aircrat transponder is useful

Evolving Avionics

1-3

in all airspace. Transponder signals, whether from primary surveillance radar or secondary surveillance radar, will be displayed on the ATC console. Radar signals have been extended to aid in detecting weather and terrain. Navigation and surveillance ideas have been combined using technology such as Automatic Dependent Surveillance-Broadcast (ADS-B) to accomplish avionics for collision avoidance for manned as well as unmanned systems, terrain avoidance, terminal avian hazard detection, and assistance in using parallel runways. hese are only some examples of the ever-growing suite of avionics. ATC has evolved into ATM, which is using processes, procedures, and resources to assure that aircrat are guided in the sky and on the ground. Aircrat safety is a responsibility shared and divided between the ground and the air. Since these responsibilities are so interconnected, the concepts of Required Communications Performance (RCP), Required Navigation Performance (RNP), and Required Surveillance Performance (RSP) have been introduced to support eicient separation between aircrat while addressing possible constraints of the equipment and related procedures. hus, many of the avionics that are described in this handbook ultimately support the strategic management of aircrat in giving proper tools to the pilot.

1.2 Free Flight to nextGen/SeSAR he earliest ATC guiding multiple aircrat was in the early 1930s when the controllers tracked the position of planes using maps, blackboards, and “shrimp boats” with only telephone connections to airline dispatchers, radio operators, and other airport air traic controllers. he same basic system continued as improvements were made to communications, radar sensor data, electronic displays, etc. Many discrete automation systems were introduced in diferent air traic facilities as these were helping the ever-evolving complexity and decision making of the air traic controllers. hese systems introduced complexity in coniguration management of existing functionality and any new introduction of functionality for interoperability. National Airspace System (NAS) plan was introduced by the FAA to systematically manage projected growth for air travel over the next 20 years. his plan proved to be too ambitious; a new Free Flight program was introduced to take advantage of newly developed GPS technology. his concept took NAS from a centralized command-and-control system between pilots and air traic controllers to a distributed system that allows pilots, whenever practical, to choose their own route and ile a light plan that follows the most eicient and economical route. his concept made way to a distributed ATM, which combined distributed decision making for traic separation and self-optimization. hese traits demand that the aircrat have speciic capabilities measured as required performance in CNS. he resulting concept is known as performance-based navigation, which is one of the primary concepts of NextGen and SESAR. In other words, NextGen and SESAR are programs that implement technology that will allow Free Flight concepts to be used safely and securely in an environmentally responsible manner; the concepts include transformation of the air transportation system by changing technologies, infrastructure, and procedures. he resulting demands on avionics suite to be used by aircrat are RCP, RSP, and RNP. RCP deines the required performance of each element of the communications network, including the human element. Each element must perform with certain speciications in order to maintain deined aircrat separation standards. RCP has speciic time requirement in seconds for messages sent and then received. he complete end-to-end communication limit is either 240 or 400 s based on aircrat equipment and the ability to have an alternate means of establishing communication if the primary fails. RSP deines system technical performance requirements independent of technology and architecture to be met by an air traic service (ATS) surveillance system in order to support a particular ATS service or function. Similar to RCP, RSP also has speciic performance requirements in seconds for messages sent and received. he completed end-to-end communication cycle is either 180 or 400 s based on aircrat equipment and whether there is an alternate means of establishing communication if the primary fails. RNP is “a statement of the navigation performance accuracy necessary for operation within a deined airspace.” here are two values that express this qualiication—a distance in nautical miles called

1-4

Evolution of Avionics: Safety and Certiication

“RNP  type” and a probability measure that is 95% for 1 X RNP and 99.999% within 2 X RNP. For example, an airplane is qualiied to operate in an RNP 4 airway; the aircrat must have a demonstrated capability of its navigation system to result in the airplane being within 4 nmi of the indicated position on the navigation system at least 95% of the light duration within a given light segment or phase. It is also necessary for the navigation system to issue a warning to the pilot when this condition cannot be met. Within the “containment limit” of twice the RNP, in this example, 8 nmi of the indicated position, the indicated position on the navigation display panel which includes the total system error is expected to not exceed the designated RNP number at least 99.999% of the light duration within the same segment or phase. Required total system performance (RTSP) is a combination of RNP, RSP, and RCP as well ATC surveillance capability, which deines a benchmark for separation minima and collision safety risk. he required performances are operationally derived without any dependency on any speciic techniques, technologies, and/or architecture. Evolution in ATM impacts airborne avionics equipment, light planning, airspace planning, ground infrastructure, procedures used for managing light traic, certiication, and related activities and stakeholders. his evolution can be viewed by many of these perspectives; indeed there have been many industry activities that have contributed to this evolution.

1.3 nextGen GPS technology has given pilots the tools needed for planning point-to-point lights rather than planning via way points. his satellite-based system will allow for shorter routes, savings in time and fuel, reduction of delays, and increase in en route capacity by giving pilots the tools to ly closer together on direct routes. Better communication between pilots and ground controllers will accommodate an eicient use of airports. Data fusion is being planned to collect global weather observations into a common weather picture

CSS-Wx

ADS-B

SWIM

CATMT

NVS Data comm

FIGURE 1.1 Core set of tools for NextGen. (Courtesy of Federal Aviation Administration, Washington, DC, Available online at: https://www.faa.gov/about/oice_org/ield_oices/fsdo/orl/local_more/media/fy13summit/ NEXTGEN_MCO_Safety_Summit.pdf, accessed on April 27, 2014.)

1-5

Evolving Avionics

to enable better tactical and strategic traic management decisions. hese various goals are being accomplished by a core set of tools shown in Figure 1.1: NAS Voice System (NVS) accommodates the key voice communication component of NextGen, System-Wide Information Management (SWIM) allows sharing of information, Common Support Services Wx (CSS-Wx) is used for disseminating weather information via SWIM, Collaborative Air Traic Management Technologies (CATMT) provides enhancements to existing traic low management systems and works with SWIM, ERAM processes light radar data and provides real-time aeronautical information, and ADS-B increases situational awareness. While some of the following goals are still experimental, some have already been realized in the ield as published/ updated by the FAA: 1. Use of GPS and ADS-B to create a single real-time display of air traic that has the same information disseminated to both pilots and air traic controllers. he use of satellite-based precision approach procedures can be done even in low visibility, without needing ground-based landing systems; many small airports may have only one or no instrument landing system. 2. Creation and provision of a common weather picture across the national airspace. Many diferent tools provide icing and turbulence information at diferent altitudes to pilots. 3. Greater use of data communications via data link for routine messages between pilots and controllers. 4. Use of a single voice communication system for air/ground and ground/ground communications. 5. Integration of unmanned aircrat system into the airspace NextGen utilities and concepts are being put into place in a number of airports with decidedly positive results. SWIM is the key tool that is used in common with international systems to make NextGen compatible with SESAR. SWIM is used for collecting and sharing system-wide information of aircrat and ground facilities. SWIM services handle ive data domains, namely, light data, aeronautical data, weather data, surveillance data, and capacity and demand data. SWIM was adopted by ICAO in 2005. his serviceoriented architecture uses existing networks, of-the-shelf hardware, and SWIM-compatible sotware tools to provide sharing of near real-time information by airline operations, air traic managers and controllers, and the military (Figure 1.2).

Multichannel communications

Data comm

Tracker controller/ automation

Data comm

Radar controller

Advanced decision support tools High capacity

Data comm

Radar assistant controller/ automation

Low voice tasking for radar controller Extensive team coordination Synergistic effect or advanced decision support tools and automation

Enhanced sector productivity Enhanced sector capacity

FIGURE 1.2 (See color insert.) Tomorrow: Evolved sector with data comm. (Courtesy of Federal Aviation Administration, Washington, DC, Available online at: https://www.faa.gov/about/oice_org/ield_oices/fsdo/orl/ local_more/media/fy13summit/NEXTGEN_MCO_Safety_Summit.pdf, accessed on April 27, 2014.)

1-6

Evolution of Avionics: Safety and Certiication

1.4 SeSAR Since Europe is made up of diferent countries, there is no single management of air navigation services. ATC over Europe is extremely busy and dense. hese factors make for a very complex system. he initiative of Single European Sky was introduced to provide a uniform level of safety and eiciency for all of Europe by reorganizing and restructuring European airspace without being constrained to national borders. SESAR is a joint undertaking among all of the stakeholders to deine, develop, and deploy a high-performance ATC infrastructure. Converting from airspace-based management to trajectorybased operations and employing an integrated data communication system are the important features of SESAR, just as NextGen. A set of key performance areas has been deined to focus and measure the progress. hese performance areas are interdependent but have to be balanced in making trade-of decisions. he performance areas focus on accommodating increase in traic in a safe and eicient manner with environmentally friendly methods. SESAR trials have proven success in select airports.

1.5 Summary For both concepts, NEXTGEN and SESAR, the operations are based on shared net-centric information to aid collaborative decision making by all stakeholders and trajectory-based operations for eicient use of resources in both air and ground. here are diferences between the two systems in the way the data are compiled and distributed; while NextGen is more centralized, SESAR is distributed. NextGen is mainly government controlled to ensure interoperability of components, while SESAR is a single multistakeholder consortium. Both NextGen and SESAR represent enormous challenges since the change is one of a paradigm shit and adaptation to new technology. European and American authorities have an agreement on interoperability between their respective ATM infrastructures, thus allowing for uniformity in required avionics capabilities as well.

Further Reading Federal Aviation Administration, NextGen implementation plan, June 2013, Washington, DC. http:// www.faa.gov/nextgen/implementation/. Accessed on April 27, 2014. Federal Aviation Administration, Washington, DC. Available online at: https://www.faa.gov/about/oice_ org/ield_oices/fsdo/orl/local_more/media/fy13summit/NEXTGEN_MCO_Safety_Summit.pdf. Accessed on April 27, 2014. SESAR (Single European Sky ATM Research) program by European Union. http://www.sesarju.eu/. Accessed on April 27, 2014.

2 Communications 2.1

Air–Ground Communications ....................................................... 2-1 History • Introduction of Radios • Introduction of Data Communications • Introduction of ATC Data Link

2.2

Voice Communications ...................................................................2-4

2.3

Data Communications ..................................................................... 2-7

VHF Voice • HF Voice • Voice Developments

Roy T. Oishi ARINC

Ann Heinke Overlook Consulting, Inc.

ACARS Overview • ACARS Avionics • ACARS Management Unit • VHF Subnetwork • Satcom • HFDL • VDL Mode 2 • Iridium • ATN • Data Communications Developments

2.4 Summary .......................................................................................... 2-13 References .................................................................................................... 2-14

2.1 Air–Ground communications 2.1.1 History Airplanes became a tool of war in World War I; they became a tool of commerce in the following decade, the Roaring Twenties. In Europe and America, aircrat were used for entertainment and later as a means to carry mail from city to city. As the number of airspace users grew, so did the need for communications between companies and their pilots, as well as between pilots and the nascent air trafic control (ATC) (namely, airports). Early attempts at air–ground communication used visual means: lights, lags, and even bonires. But more was needed. Early radios used Morse code to communicate, but that was not practical in an open, bouncing cockpit. With practical voice radios, air–ground communications became a necessary element of the ledgling air transport industry, and it remains so to this day. In the 1970s, the airlines introduced data communications to aircrat in light for company communications using the Aircrat Communications Addressing and Recording System (ACARS). Various trials by air navigation service providers (ANSPs) have proven the efectiveness of data communications for ATC. Some oceanic and remote areas have implemented ATC operations via data link, and trials in domestic airspace have shown the value of this medium. In the 1990s, the International Civil Aviation Organization (ICAO) developed the Manual for the Aeronautical Telecommunication Network (ATN), which speciied an air–ground data network based on the International Organization for Standardization (ISO) Open Systems Interconnection (OSI) model. Subsequent work extended this network to support the Internet protocol suite (IPS).

2.1.2 introduction of Radios Early on, the use of radio waves was recognized as an important resource. By its third decade, national and international bodies were allocating the radio spectrum. In the United States, the Federal Radio Commission (FRC), predecessor to the Federal Communications Commission (FCC), was licensing radio frequencies to operators. In 1929, the FRC directed the aircrat operating companies to band together to make consolidated 2-1

2-2

Evolution of Avionics: Safety and Certiication

frequency allocation requests. Aeronautical Radio Inc. (ARINC) was formed in that year speciically for that purpose. he department of ARINC which was responsible for aeronautical radio frequency allocation in the United States is now an independent company known as Aviation Spectrum Resources, Inc. (ASRI). To resolve any issues in the aviation spectrum associated with the use of voice and data at the national and international levels—FAA and FCC work in cooperation and negotiate at the ICAO level. As would be expected, communications needs were greatest around airports. Since each aircrat operating company had its own frequency allocation and its own radio operators, as the industry grew, the need for more frequencies grew. his recurring problem, known as spectrum depletion, has been solved in various ways. In the early days, it was solved by banding together to use common frequencies and radio operators. ARINC was a natural choice to implement these common radio stations. At one point, ARINC had 55 such communication centers across the United States. Another method of solving spectrum depletion was the introduction of new technology. he steady improvements in radio technology have opened higher and higher frequency bands to practical communications use, subject to physical limitations. he increased sophistication of radio circuitry allowed diferent ways of modulating (i.e., impressing information onto) the radio signals. Initially, these improvements allowed better, clearer, and more eicient and efective voice communications. Later technology permitted the evolution of data communications. he combination of higher usable frequencies and improved modulation techniques has served to extend the useful life of air–ground voice communications for nearly a century. In the 1930s and 1940s, air–ground voice moved from the high-frequency (HF) to the very-high-frequency (VHF) bands. Amplitude modulation (AM) was used and continues to be used as the basic means of ATC communications in domestic airspace. Long-range voice communications relies on the properties of the HF band, as will be discussed later.

2.1.3 introduction of Data communications As the airlines came to rely increasingly on information provided to and received from the aircrat in light, voice gave way to data. Changeover from voice to data has a number of reasons such as diferent pilots and diferent air traic controllers with various accents (even though canned words were used), clarity in transmissions, distortion, and overlap between diferent conversations. Data transmission is cleaner and less intrusive. Automating responses where they can be automated also improves eiciency for both the air traic controllers and the light crew. In 1978, the airlines initiated air–ground VHF data link, which served two purposes: (1) to allow the messages to originate automatically on the aircrat, reducing crew workload, and (2) to allow the messages to be relayed to airline computer systems without any ground radio operators. he data link was initially called the ARINC Communications Addressing and Reporting System (ACARS), but “ARINC” was soon changed to “Aircrat” in recognition of the nonproprietary nature of the new medium. Air–ground data link has become the mainstay of airline operations. In the early days, ACARS messages consisted primarily of four automated downlinks per light segment: the so-called OOOI (pronounced oo-ee) or Out, Of, On, and In messages. hese messages allowed the airlines to better track their lights and provided automated timekeeping on the crew. he original 50 aircrat participating in ACARS have grown to almost 10,000. he number of messages now tops 20 million in a month, and the types of messages cover every imaginable facet of airline operations: light operations, administrative information such as crew scheduling, passenger information such as connecting gates, maintenance information such as engine performance and failure reports, airport and airline coordination such as deicing and refueling, and so on. Also, now many data link transactions are two way, including uplinks as well as downlinks. In fact, some applications are interactive with requests and responses initiated by the ground or by the light crew. Although these interactive transactions via data link lack the immediacy of voice conversations, they are asynchronous in that both requestor and responder need not be “on the line” at the same time. For non-time-critical applications, this is a signiicant advantage.

Communications

2-3

2.1.4 introduction of Atc Data Link While VHF voice remains the primary means of ATC communications in domestic airspace, ACARS was irst approved for ATC in the South Paciic light information regions (FIRs) in 1995. Initially, Boeing 747-400 aircrat lying between the United States west coast and Australia and New Zealand pioneered ATC data link by using controller–pilot data link communications (CPDLC) and automatic dependent surveillance (ADS). Boeing ofered this combination of features in the Future Air Navigation System (FANS)-1 avionics package. FANS—originally an acronym coined by the ICAO—was a term covering communication and navigation using satellites; however, the term has taken on a life of its own. Airbus released a similar capability package and named it “FANS-A.” So, FANS-1/A, as it is now known to acknowledge both packages of the same ADS and CPDLC applications, is being supported by air trafic service providers all over the world. he original air traic service providers of the South Paciic have been joined by those of the North Atlantic, North Paciic, Indian Ocean, far east Russia, China, South Africa, and other regions. Prior to the use of ACARS for airborne ATC communications, two applications were implemented on the ground between the aircrat and ATC: Pre-Departure Clearance (PDC) and Digital Automatic Terminal Information Service (D-ATIS). he receipt and acknowledgment of these messages by the light crew is mandatory prior to takeof and landing. Receiving these messages via ACARS has several signiicant advantages. For the light crew, the message need not be transcribed for later reference, and it can be requested and received without the efort of inding the proper voice channel and requesting the PDC or listening for the beginning of the recorded ATIS. he tower controller need not line up all of the PDC slips, call each aircrat, read the clearance, and verify the readback. Plus the reduction in congestion on the clearance delivery channel is a signiicant advantage for situations such as peak departure times at a busy airport. All of these ATC applications use the ACARS air–ground link, which was neither designed for nor initially approved as an ATC communication medium. For that purpose, ICAO developed standards and recommended practices (SARPs) for the Aeronautical Telecommunication Network (ATN), which was designed for both air–ground and ground–ground communication. In the latter role, it is intended to replace the Aeronautical Fixed Telecommunication Network (AFTN), which has served the industry well as a teletype-based, message-switching network for many years. However, technology has overtaken AFTN, and the more modern packet-switched technology of the ATN is seen as more appropriate. he ATN SARPs’ development began in the early 1990s. In the past 15 years, the Internet, which is based on a diferent packet-switched technology, that is, Transmission Control Protocol/Internet Protocol (TCP/IP), has had unprecedented success. ICAO has created another set of ATN SARPs to accommodate the IPS, known as the ATN/IP SARPs. he original ATN, based on OSI protocols, is now known as the ATN/OSI. As ACARS became essential to airline operations, the limitations of the initial VHF link became intolerable, irst because of coverage limitations and then because of speed. he former was solved in two diferent ways. Long-range data link was implemented irst using Inmarsat satellites; this was the basis for initial FANS implementations in the South Paciic. he oceanic coverage, direct pilot-to-controller communication, and improved performance provided by satellites and data link were an improvement over HF voice services. All of the advantages of data link over voice communications were highlighted in the initial FANS trials and operational use. he advantages included (1) direct controller–pilot communications; (2) consistent and rapid delivery of messages; (3) standardized message texts, which were understood by all no matter what their native language is; (4) automated delivery of position reports; and (5) integration of message content with light management systems (FMSs). High-frequency data link (HFDL) provided another long-range ACARS subnetwork that covered the north polar regions, which are not reached by Inmarsat signals. VHF Digital Link (VDL) Mode 2 provided a higher-speed subnetwork in continental airspace. More recently, Iridium provides a satellite subnetwork able to pass ACARS and ATC messages globally, including over both polar regions. hese points will be elaborated in subsequent sections.

2-4

Evolution of Avionics: Safety and Certiication

2.2 Voice communications 2.2.1 VHF Voice he modern VHF transceiver provides air–ground communications for all aircrat in controlled airspace. For transport aircrat (e.g., commercial airliners), the VHF transceiver is a minimum equipment list (MEL) item, meaning the aircrat cannot take of without the requisite number of operational units, in this case two. he reason for the dual-redundancy requirement is that the VHF transceiver is the primary means of communication with ATC. he aeronautical VHF communication band covers the frequency range 118–136.975 MHz. VHF signals are limited to line of sight between the ground station and the aircrat, usually taken as a radius of approximately 120 nmi around the ground station. Aeronautical VHF voice operations are primarily limited by the radio horizon—the lowest unobstructed path angle between the aircrat and the ground station. Other factors include the altitude of the aircrat and the power of the transmission. Practically, aeronautical communications on a given voice frequency are limited to the extent of the ATC sector, as each new sector controller will be assigned a diferent channel. Reuse of a given channel is appropriate at about twice the usable radius. he aeronautical VHF band is a protected spectrum, which means that any transmission not related to the safety and regularity of light is prohibited. he wavelength of these signals is about 2 m or 90 in., which drives antenna size. he VHF band is divided into 760 channels spaced 25 kHz apart from 118.000 to 137.000 MHz. here is a 12.5 kHz guard band on each end of the allocated band. For 8.33 kHz operation, the VHF transceiver must be capable of tuning to one of 2280 channels spaced 8.33 kHz apart in the same frequency band. his capability was developed for European airspace when the number of ATC sectors (and, therefore, the number of radio channels assigned) grew beyond the ability to assign usable 25 kHz channels. he universally recognized emergency frequency is 121.500 MHz, which is monitored by all ATC facilities. ICAO Annex 10 to the Convention on International Civil Aviation “International Standards and Recommended Practices, Aeronautical Telecommunications” promulgates the SARPs for voice and data communications in support of international air traic services. In the case of voice ATC, the ICAO SARPs are generally followed for domestic ATC services as well. he VHF voice audio is impressed upon the radio-frequency (RF) signal at the carrier frequency by using double-sideband (DSB) AM. This modulation method impresses the audio signal, typically 1–2 kHz, on the RF by varying the amplitude of the RF in proportion to the amplitude of the audio signal. In the frequency domain, the signal can be seen as a peak at the carrier frequency lanked by equal peaks above and below the sidebands. Upon reception, this signal is reconverted to audio and distributed to the headsets and the cockpit voice recorder. Figure 2.1 shows an AM signal both in the time domain, where the audio signal can be seen as riding on the RF carrier, and in the frequency domain, where the peaks representing the carrier and the sidebands can be easily seen.

Voice audio

fc Time (a)

FIGURE 2.1

Frequency fc (b)

25 kHz

DSB AM voice signals: (a) time domain view and (b) frequency domain view.

Communications

2-5

Older VHF radios were tuned to a frequency (channel) from a remote radio control panel that housed a set of dials used to select each digit. he remote control panel was connected to the radio by 19 wires. Five lines, two of which were grounded for any selection, represented each decade digit of the frequency. his method originated from a scheme whereby the digit selection grounded a power connection to a motor at the radio. When the motor had driven a similar dial switch to its corresponding position, the ground was removed and the motor stopped. Presumably, the motor turned a tuning device (typically a variable capacitor). Later, non-motor-driven tuning methods kept the two-out-of-ive grounded wire scheme until a digital data bus replaced it. A modern VHF radio (e.g., one speciied by ARINC characteristic 750) is connected to the radio control panel by the two wires of an ARINC 429 bus, which carry command words that perform all of the frequency select functions of the former 20 wires and others as well. Frequency tuning is not the only element of the modern airborne VHF radio that has evolved. Whereas the motor-driven radio performed the DSB AM function using vacuum tubes or later transistors, the modern radio develops the same output signal in a radically diferent manner. Today’s radio replaces the analog RF and modulator circuits with a high-speed microprocessor called a digital signal processor (DSP). he DSP works in conjunction with a high-speed analog-to-digital (abbreviated A to D or A/D) converter (ADC) that takes the voice audio input and converts it into a series of binary words, each representing the amplitude of the signal. A series of such samples, taken at a high enough rates, can faithfully represent the original analog waveform. his is the same method that records music onto a CD-ROM or MP3 ile. A digital-to-analog (D/A) converter (DAC) performs the reverse function. he DSP takes the digital representation of the audio input and algorithmically combines that information with the RF carrier signal and produces the DSB AM signal, which is sent to the power ampliiers. hat was an easy sentence to write, but one that takes many lines of code to implement within the DSP. his method of combining information content, in this case voice audio, with the RF carrier at the selected frequency has tremendous lexibility. Within the constraints imposed by the power and speed of the DSP, the sample rates and sample size of the DAC/ADC, and other considerations, this architecture allows a great deal of lexibility. As will be seen, this type of radio is capable of producing not only DSB AM signals but other voice and data signals as well. he terms “digital” and “analog” must be used with care. It is true to say that the modern avionics VHF radio is a “digital radio.” It is also true to say that it handles voice signals digitally. However, to imply that we have “digital voice” is misleading. he signals propagated from the ground radio to the aircrat are the same DSB AM signals as the motor-tuned, vacuum-tube radio sent and received. Later, we will briely discuss methods of sending voice over the RF in a digital manner.

2.2.2 HF Voice HF voice is used for ATC communications in oceanic and remote airspace at various frequencies between 2.850 and 23.350 MHz with wavelengths between 100 and 10 m, respectively. he nature of the propagation of HF signals is such that it provides reliable communications at ranges of thousands of miles. his is possible because HF signals can be relected by the bottom of the ionosphere at heights of about 70 miles. his efectively permits over-the-horizon or sky wave reception, not unlike the service performed by a satellite. At these frequencies, RF signals propagate with both a ground wave and a sky wave. he ground wave can give useful communication over the horizon, and the sky wave is usable well beyond that. Multiple hops are possible but are not reliable enough for aeronautical voice communication. Other characteristics of HF signals detract from its efectiveness for voice communications. For example, HF signals fade in a diurnal cycle and are susceptible to interference from solar activity. For example, approximately every 11 years, sunspot activity peaks causing signiicant efects on the ionosphere and on HF propagation. he long wavelengths, comparable in length or longer than the aircrat, provide challenges as far as antenna placement is concerned. In the propeller-driven age, long wires from the tail forward were used. Later, long probes were mounted on the wingtips or tail. Now the HF antenna is typically installed in the

2-6

Evolution of Avionics: Safety and Certiication

Suppressed Upper sideband

fc

25 kHz Frequency domain view

FIGURE 2.2

SSB voice signal.

forward edge of the vertical stabilizer, which is commonly made of composite materials. Ground station antennas can cover a football ield. HF voice is modulated onto the RF carrier using single-sideband (SSB) suppressed carrier modulation. Figure 2.2 shows the frequency domain view of an SSB signal. Note that only the upper sideband is used for aeronautical voice communications. Reliable HF communications requires the aircrat to transmit at 200 W peak envelope power (PEP) and the ground stations to transmit at as much as 5 kW PEP. SSB has the advantage over DSB AM of increased power in the intelligence-carrying signal as opposed to the carrier. Flying in remote or oceanic airspace would require long hours of listening to the static-illed HF channel if it were not for selective calling (SELCAL), a technique that allows the light crew to turn down the volume on the HF radio until the ground signals them using preselected tones. Special receive circuits are needed as these tones are not sent as SSB signals. When the preselected tones are recognized, the light crew is alerted to come up on the HF channel.

2.2.3 Voice Developments he proliferation of satellite telephone service on long-range aircrat has raised the question, “Why not just dial up ATC and talk to the controller?” Flight crews would like this method, but the reluctance is with the ANSPs. he management of frequencies in protected spectrum is, by now, a well-established procedure; the management of telephone numbers at each control position is not. here are other considerations, such as the use of nonprotected spectrum and the consequence of probable loss of protected spectrum, that inhibit a wholesale acceptance of telephone calls for ATC. Finally, the successful implementation of data link to the controller workstation environment has replaced the use of voice to the controller at such facilities for suitably equipped aircrat. However, carrying a voice radio remains a safety requirement. Work is underway to create a third-party satellite voice service, similar to the HF voice service, to allow ATC satellite calls to/from the aircrat and the ground voice operator in remote and oceanic airspace. Such calls would terminate at the operator, where they would be converted to data to be sent to/from the controller. Europe has demonstrated that the aeronautical VHF voice band can be expanded by the use of 8.33 kHz voice. he ICAO SARPs for VDL Mode 3 deines a true digital voice signal in space in which the audio signal is converted to a digital representation, is transmitted digitally across the air–ground VDL Mode 3 subnetwork, and is then reconverted to analog audio signals when it reaches its destination.

2-7

Communications

While VDL Mode 3 greatly expands the number of voice channels possible, the costs of replacing all VF radios, both airborne and ground, reduced support for this technique. his issue, along with other technical issues, caused this solution to be removed from further consideration. he long-term possibility that broadband network connectivity to the aircrat may provide acceptable quality voice communication deserves some consideration for the far term. Meanwhile, DSB AM voice will remain the primary method of ATC voice communications for the foreseeable future.

2.3 Data communications 2.3.1 AcARS overview Today, ACARS provides worldwide data link coverage. Five distinct air–ground subnetworks are available for suitably equipped aircrat: original VHF, Inmarsat satcom, HFDL, VDL Mode 2, and Iridium satellite. In order to understand the function of the avionics for ACARS, it is necessary to see the larger network picture. Figure 2.3 shows an overview of the ACARS network showing the aircrat, the four air–ground subnetworks, the central message processor, and the ground message delivery network. he ACARS message-passing network is an implementation of a star topology with the central message processor as the hub. he ground message network carries messages to and from the hub, and the air–ground subnetworks all radiate from the hub. here are a number of ACARS network service providers, and their implementations difer in some details, but all have the same star topology.

Inmarsat

Air–ground subnetworks

Satcom VHFL*

HFDL VDL M2 Central message processor

Ground message network

Ground user

FIGURE 2.3

ACARS network overview. *VHFL, VHF data link; either ACARS or VDLM2.

2-8

Evolution of Avionics: Safety and Certiication

Two  data link service providers provide worldwide ACARS coverage, with several others providing regional coverage. Any given ACARS message can be carried over any of the air–ground subnetworks, a choice conigured by the aircrat operator. It should be noted that ACARS is a character-oriented network, which means that only valid ASCII characters are recognized and that certain control characters are used to frame a valid message.

2.3.2 AcARS Avionics he ACARS avionics architecture is centered on the management unit (MU), communications management unit (CMU), or communications management function (CMF), which acts as an onboard router. All air–ground radios connect to the MU or CMU/CMF to send and receive messages. he CMU/CMF is connected to all of the various radios that communicate to the ground. Figure 2.4 illustrates the avionics architecture.

2.3.3 AcARS Management Unit he MU or CMU/CMF acts as the ACARS router onboard the aircrat. All messages to or from the aircrat, over any of the air–ground subnetworks, pass through the MU or CMU/CMF. Although the MU or CMU/CMF handles all ACARS message blocks, it does not perform a message-switching function because it does not recombine multiple message blocks into a “message” prior to passing it along. It passes each message block in accordance with its “label” identiier, and it is up to the receiving end system (ES) to recombine message blocks into a complete message. he original OOOI messages were formatted and sent to the MU from an avionics unit that sensed various sensors placed around the aircrat and determined the associated changes of state. In the modern transport aircrat, many other avionics units send and receive routine ACARS messages. he multifunction control and data unit (MCDU), along with the printer, is the primary ACARS interface to the light crew. Other units, such as the FMS or the air traic services unit (ATSU), will also interact with the crew for FANS messages. he vast majority of data link messages today are downlinks automatically generated by various systems on the airplane. he MU/CMU/CMF identiies each uplink message block and routes it to the appropriate device. Similarly, it takes each downlink, adds associated

na

Satellite signals an HF

RFU/Amp MCDU

HF radio

Satcom data unit HF data unit

VHF transceiver

VHF antenna VHF signals

FIGURE 2.4

Ant coupler

Printer ACARS MU or CMU

Other message sources

ten

HF signals Low-gain High-gain antenna antenna

ACARS avionics architecture.

Communications avionics Other avionics

Communications

2-9

aircrat information such as the tail number, and sends it to one of the air–ground subnetworks. he latest avionics for each of the four subnetworks accepts an ACARS block as a data message over a data bus, typically ARINC 429. he subnetwork avionics will then transform the message block into the signals needed to communicate with the ground radio. Each subnetwork has its own protocols for link layer and physical layer exchange of a data block.

2.3.4 VHF Subnetwork he original VHF subnetwork that was pioneered in 1978 uses the same 25 kHz VHF channels used by ATC and aeronautical operational communication (AOC) voice; the signal in space is sometimes called plain old ACARS (POA) for reasons that will become clearer when we discuss VDL Mode 2. he VHF subnetwork uses a form of frequency shit keying (FSK) called minimum shit keying (MSK) wherein the carrier is modulated with either a 1200 or 2400 Hz tone. Each signaling interval represents one bit of information, so the 2400 baud (i.e., rate of change of the signal) equals the bit rate of 2400 bps. Ater initial synchronization, the receiver then can determine whether a given bit is a one or a zero. VHF ACARS uses the carrier-sensed multiple access (CSMA) protocol to reduce the efects of two transmitters sending a data block at the same or overlapping times. CSMA is nothing more than the automated version of voice radio protocols wherein the speaker irst listens to the channel before initiating a call. Once a transmitter has begun sending a block, no other transmitter will “step on” that transmission. he VHF ACARS subnetwork is an example of a connectionless link layer protocol in that the aircrat does not “log in” to each ground station along its route of light. he aircrat does initiate a contact with the central message processor, and it does transmit administrative message as it changes subnetworks. A more complete description of the POA signal and an ACARS message block as it is transmitted over a VHF channel can be found in ARINC 618, Appendix B. In congested airspace, such as the northeastern United States or Europe, multiple VHF ACARS channels are needed to carry the message traic load. For example, in the Chicago area, 10 channels are needed and a sophisticated frequency management scheme has been put in place, which automatically changes the frequency used by individual aircrat to balance the loads. Initial ACARS MUs worked with VHF radios that were little modiied from their voice-only cousins. he ACARS modulation signal was created as two-tone audio by the MU (e.g., ARINC 724 MU) and sent to the radio (e.g., ARINC 716 VHF radio), where it modulated the RF, just as voice did from a microphone. Later evolutions of the ACARS interface between the CMU (e.g., ARINC 758 CMU) and the latest radio (e.g., ARINC 750 VDR [VHF data radio]) sent ACARS message blocks between the CMU and the radio over a serial data bus (i.e., ARINC 429 Digital Information Transfer System [DITS]), and the radio modulated the RF directly from the data.

2.3.5 Satcom he irst satellite ACARS subnetwork uses the Inmarsat constellations. In the I-3 constellation, four satellites in geosynchronous orbit provide global beam and spot beam coverage of the majority of the globe (up to about 82° latitude) with spot beam coverage over the continents. In the I-4 constellation, three satellites in geosynchronous orbit provide global beam and spot beam of the major landmasses and northern oceans. he Inmarsat constellation provides telephone circuits as well as data link, so it uses a complex set of protocols over several diferent types of channels using diferent signals in space. In the aeroclassic services, a packet channel is used to send and receive ACARS or cabin packet data messages. he packet channel is established when the avionics satellite data unit (SDU) logs on to a satellite ground earth station (GES). Each frame is acknowledged between the SDU and GES at the data link layer. Any ACARS data link message block generated by the C/MU for transfer over the satcom subnetwork is sent to the SDU for transfer over this channel to the GES, where it is then forwarded to the ACARS central message processor. he message forwarding function requires advance coordination for appropriate

2-10

Evolution of Avionics: Safety and Certiication

routing and billing to take place. In the SwitBroadband data service, which is a 432 kbps packet data service over the I-4 constellation, the ACARS or cabin packet data messages will be sent on available IP bandwidth as connectionless datagrams. he Inmarsat satellite access nodes (SANs) route the message on the ground to appropriate gateway services. he Inmarsat aeroclassic services operate in the L-band, around 1 GHz on frequencies reserved for aeronautical mobile satellite (route) services, or AMS(R)S, which are protected for safety and regularity of light. Satcom avionics have been purpose built, meaning that they did not evolve from the previous use of L-band radios for voice as VHF ACARS and (as we shall see) HFDL radios evolved from voice radios. In the Aero classic services, the RF unit (RFU), along with high-gain and low-noise ampliiers and the diplexer, sends and receives signals over the various L-band channels deined for Inmarsat services. In 1995, the use of ACARS messages over satcom was certiied for use in the south Paciic for long-range ATC communications with the FAA (Oakland Center), Fiji, New Zealand (Auckland Center), and Australia (Brisbane Center). he message set used was called the FANS-1 message set and mirrored HF voice messaging in oceanic airspace. Boeing 747-400 aircrat were the irst to implement FANS-1, but long-range Airbus aircrat soon followed with the FANS-A implementation. Since that time, FANS-1/A has been implemented by many CAAs around the world where the message set supports local ATC procedures.

2.3.6 HFDL he HFDL ACARS subnetwork uses channels in the HF voice band. he HFDL radio can be a slightly modiied HF voice radio connected to the HF data unit (HFDU). Alternatively, an HF data radio (HFDR) can contain both voice radio and data link functions. In either case, the HF communication system must be capable of independent voice or data operation. HFDL uses phase-shit modulation (PSK) and time-division multiple access (TDMA). A 32 s frame is divided into 13 slots, each of which can communicate with a diferent aircrat at a diferent data rate. Four data rates (1800, 1200, 600, and 300 bps) use three diferent PSK methods (8PSK, 4PSK, and 2PSK). he slowest data rate is afected by doubling the power of the forward error-correcting code. All of these techniques (i.e., multiple data rates, forward error correction, TDMA) are used to maximize the long-range properties of HF signals while mitigating the fade and noise inherent in the medium. Twelve HFDL ground stations provide worldwide coverage, including good coverage over the North Pole but excluding the south polar region. More details on HFDL may be found in ARINC 753: HF Data Link System. he need for a large antenna, plus the fact that even a quarter-wavelength antenna is problematic, necessitates an antenna coupler that matches the impedance of the feed line to the antenna. he RFU, whether it is a separate unit or incorporated in the HFDR, combines the audio signal representing the data modulation with the carrier frequency, suppresses the carrier and lower sidebands with appropriate iltering, and ampliies the resultant signal.

2.3.7 VDL Mode 2 VDL Mode 2 operates in the same VHF band as POA. Four channels have been reserved worldwide for VDL Mode 2 services. Currently, the only operating frequency is 136.975 MHz. VDL Mode 2 uses diferential 8-level phase-shit keying (D8PSK) at a signaling rate of 10.5 kbaud to modulate the carrier. Since each phase change represents one of eight discernible phase shits, three bits of information are conveyed by each baud or signal change; therefore, the data rate is 31.5 kbps. With about 10 times the capacity of a POA channel, VDL Mode 2 has the potential to signiicantly reduce channel congestion for ACARS. CSMA is used for media access, but a connection-oriented link layer protocol called the aviation VHF link control (AVLC) is established between the VDR and the ground station. ACARS over AVLC (AOA) is the term used to distinguish ACARS message blocks from other data packets that can also be passed over AVLC. By using AOA, an aircrat equipped with VDL Mode 2 may take advantage of a higher-speed VHF link without any changes to the AOC messages passed to or from the aircrat.

Communications

2-11

It should be noted that VDL Mode 2 has been implemented in accordance with the ICAO SARPs as a subnetwork of the ATN. he ARINC 750 radio is capable of supporting 25 and 8.33 kHz voice, POA, and AOA. It may only be used for one of these functions at any given time.

2.3.8 iridium he Iridium system is capable of connecting telephone calls and data messages to and from aircrat in light anywhere on earth. ACARS uses the short burst data (SBD) capability of the Iridium system to carry ACARS blocks between the MU or CMU and the central processor of the airline-selected ACARS service provider. he Iridium constellation consists of 66 satellites in low earth orbits (LEO) at about 485 miles altitude, in six polar orbital planes. LEO satellites travel rapidly across the sky relative to a ground or airborne subscriber. he connection from the aircrat for telephone calls and the point-to-point protocol (PPP) connection for data are maintained by cross-linking between satellites and then downlinking to the Iridium gateway in Arizona. LEO satellites require less transmit power from the avionics than geosynchronous satellite data links.

2.3.9 Atn 2.3.9.1 Atn History and overview In the 1980s, the ICAO Air Navigation Commission (ANC) recognized the need to assure commonality among future data links used for air traic communications. In 1989, the ANC tasked the secondary surveillance radar (SSR) improvement and collision avoidance panel (SICASP) to develop material to assure that commonality. By 1991, the automatic dependent surveillance panel (ADSP) had produced the Manual of Data Link Applications, deining message sets for use by ANSPs. In 1997, the ANC approved SARPs for the ATN as the framework for all future ATC data communications. 2.3.9.2 Atn Architecture he ATN architecture is based on the OSI model for data communications that was published by the ISO. his architecture, as shown in the following igure, identiies seven layers that provide lexibility in implementation while maintaining an orderly low of message traic to and from the ES. Other basic characteristics of the ATN include bit-oriented messaging and packet-switched routing. he ATN is based on multiple air–ground subnetworks, to facilitate communication to a wide variety of aircrat in widely varying airspace, and multiple ground–ground networks to allow for independent domains for air navigation and other service providers. he structure of the ATN includes ESs, which originate and receive ATN messages with each having a seven-layer ISO stack, and intermediate systems (IS) also called routers, which assure that message packets get to the proper destination ES within the domain. If a message is directed to an ES outside the domain, it is directed to a boundary intermediate system (BIS) for transmission to the proper domain. he aforementioned architecture applies to all ground and airborne ESs. For aircrat in light, the ATN connection is maintained by one or more of the ATN subnetworks. For ground ESs, normal telecommunications infrastructure may be used. 2.3.9.3 Atn Subnetworks At the data link layer (layer 2) and the physical layer (layer 1), the ATN includes SARPs for the following air–ground data links: • • • •

VDL Geosynchronous satellite (satcom) HF data link (HFDL) Iridium satellite

2-12

Evolution of Avionics: Safety and Certiication

ATN messages

ATN aircraft FMS or ATSU

CMU

Radio

ACARS aircraft MU FMS or ATSU or CMU

ATN G/G network Radio

Air/ground router Ground station

ATN router

VDL Mode 2 subnetwork

Message processor

ATN ATC end system

AOC G/G network

ACARS messages AOC end system

FIGURE 2.5

VDL Mode 2 Subnetwork supports both ACARS and ATN.

Each of these subnetworks is implemented with a unique RF modulation and protocol. VDL operates line of sight and therefore requires multiple ground stations to assure continuous coverage. he other three subnetworks may be used in remote and oceanic airspace, but each has its unique advantages and disadvantages. 2.3.9.4 VDL Subnetwork As of this writing, the VDL Mode 2 is in operation and is the only ATN air–ground subnetwork being used for ATN message traic. In Europe, VDL Mode 2 is being used for operational ATC data link messages, while in the United States, ATC data link trials are underway providing departure clearances. Figure 2.5 shows how the VDL Mode 2 subnetwork has been designed to carry both ACARS messages and ATN messages. VDL Mode 2 is a bit-oriented data link layer protocol, which, in the case of AOA, happens to be carrying ACARS message blocks. ACARS message blocks are directed to the message processor for forwarding over the AOC ground–ground network. ATN packets are directed to an air/ground router that forwards them to an ATN router for delivery via the ATN ground–ground network.

2.3.10 Data communications Developments he implementation of broadband Internet connections in the aircrat while in light has the potential to provide versatile, fast, and cheap connectivity between the aircrat and the ground. Since the earliest voice radio links, through all of the ACARS air–ground subnetworks, air–ground communications has been so specialized that the equipment has been specially designed and built at great cost. If broadband Internet (meaning TCP/IP) connectivity can be made reliable and secure, there is no reason this medium could not be made usable for air–ground data link communication. he deinition of the IPS for the ATN has the potential to add near-universal connectivity for ATC communications.

2-13

Communications

ATN aircraft

Voice aircraft

HF voice

FANS 1/ACARS aircraft

Air/ground voice network

HF

VHF voice

HF

ACARS data link network VHF Flight plan data radar data

VHF voice HF voice

Voice report transcription

ATC facility

FIGURE 2.6

ATN data link network VHF

CNS/ATM gateway

Situation display

Controller– pilot communications

Local area network (LAN)

National ATC facility supporting multiple voice and data networks.

he trend in the telecommunications industry is toward high-speed, high-capacity, general-purpose connectivity. For example, iber optic links installed to carry cable TV are being used, without signiicant change, as Internet connections or telephone lines. Sophisticated high-capacity RF modulation techniques are permitting the broadcast of digital signals for high-deinition TV and radio. Mobile telephone technology carries digital voice and data messages over the same network. he Internet itself carries far more than the text and graphics information it was originally designed to carry. Figure 2.6 shows a notional ATC facility of the future, which is able to use voice, ATN data link, and FANS-1/A data links to communicate with suitably equipped aircrat traversing its airspace. he transfer of the majority of routine communications to data link, oten with automatic exchanges between the ground and the aircrat, will reduce workload for aircrews and controllers. his will increase the number of aircrat participating in air traic management (ATM) that will allow beneits for all involved: airlines, aircrews, controllers, and airspace managers.

2.4 Summary he airlines will continue to increase their dependence on air–ground data link to send and receive information necessary to eiciently operate their leets. ATC will increase its dependence on air–ground communications, even as the number of voice transactions is reduced. Looking 10–20 years ahead, data link will increasingly be used for ATC communications. If the concept of ATM is to become the rule instead of the exception, the ground automation systems and the FMSs will no doubt be in regular contact, exchanging projected trajectory, weather, traic, and other information. Voice intervention will be minimal and likely still be over DSB AM in the VHF band. he modern transport aircrat is becoming a lying network node that will inevitably be connected to the ground for seamless data communications. It’s only a matter of time and ingenuity. When that happens, presuming there is suicient bandwidth, availability, and reliability for each use, many applications will migrate to that link.

2-14

Evolution of Avionics: Safety and Certiication

References American Radio Relay League, he Radio Amateur’s Handbook, 36th ed., he Rumford Press, Concord, NH, 1959. ARINC Characteristic 566A-9, Mark 3 VHF Communications Transceiver, Aeronautical Radio, Inc., Annapolis, MD, January 30, 1998. ARINC Characteristic 719-5, Airborne HF/SSB System, Aeronautical Radio, Inc., Annapolis, MD, July 6, 1984. ARINC Characteristic 724-9, Aircrat Communications Addressing and Reporting System, Aeronautical Radio, Inc., Annapolis, MD, October 9, 1998. ARINC Characteristic 724B-5, Aircrat Communications Addressing and Reporting System, Aeronautical Radio, Inc., Annapolis, MD, February 21, 2003. ARINC Characteristic 741P2-7, Aviation Satellite Communication System Part 2 System Design and Equipment Functional Description, Aeronautical Radio, Inc., Annapolis, MD, December 24, 2003. ARINC Characteristic 750-4, VHF Data Radio, Aeronautical Radio, Inc., Annapolis, MD, August 11, 2004. ARINC Characteristic 753-3, HF Data Link System, Aeronautical Radio, Inc., Annapolis, MD, February 16, 2001. ARINC Characteristic 758-2, Communications Management Unit Mark 2, Aeronautical Radio, Inc., Annapolis, MD, July 8, 2005. ARINC Speciication 410-1, Mark 2 Standard Frequency Selection System, Aeronautical Radio, Inc., Annapolis, MD, October 1, 1965. ARINC Speciication 618-5, Mark 2 Standard Frequency Selection System Air/Ground CharacterOriented Protocol Speciication, Aeronautical Radio, Inc., Annapolis, MD, August 31, 2000. ARINC Speciication 619-2, ACARS Protocols for Avionic End Systems, Aeronautical Radio, Inc., Annapolis, MD, March 11, 2005. ARINC Speciication 620-4, Data Link Ground System Standard and Interface Speciication, Aeronautical Radio, Inc., Annapolis, MD, November 24, 1999. ARINC Speciication 720-1, Digital Frequency/Function Selection for Airborne Electronic Equipment, Aeronautical Radio, Inc., Annapolis, MD, July 1, 1980. Institute of Electrical and Electronics Engineers and Electronic Industries Association (IEEE and IEA), Report on Radio Spectrum Utilization, Joint Technical Advisory Committee, Institute of Electrical and Electronics Engineers, New York, 1964. he ARINC Story, he ARINC Companies, Annapolis, MD, 1987.

3 Navigation

Myron Kayton Kayton Engineering Company

3.1 Introduction ...................................................................................... 3-1 3.2 Coordinate Frames ........................................................................... 3-2 3.3 Categories of Navigation ................................................................. 3-2 3.4 Dead Reckoning ................................................................................ 3-3 3.5 Radio Navigation .............................................................................. 3-5 3.6 Celestial Navigation ....................................................................... 3-10 3.7 Map-Matching Navigation ............................................................ 3-10 3.8 Navigation Sotware ....................................................................... 3-11 3.9 Navigation Hardware ..................................................................... 3-11 3.10 Design Trade-Ofs .......................................................................... 3-11 Bibliography ................................................................................................ 3-12 Articles ......................................................................................................... 3-12 Journals ........................................................................................................ 3-13 Websites ....................................................................................................... 3-14

3.1 introduction “Navigation” is the determination of the position and velocity of a moving vehicle, on land, at sea, in the air, or in space. he three components of position and the three components of velocity make up a six-component state vector whose time variation fully describes the translational motion of the vehicle. With the advent of the global positioning system (GPS), surveyors use the same sensors as navigators but achieve higher accuracy as a result of longer periods of observation and more complex postprocessing. In the usual navigation system, the state vector is derived on board, displayed to the crew, recorded on board, or transmitted to the ground. Navigation information is usually sent to other onboard subsystems such as waypoint steering, communication control, display, weapon-control, and electronic warfare (emission detection and jamming) computers. Some navigation systems, called position-location systems, measure a vehicle’s state vector using sensors on the ground or in another vehicle. he external sensors usually track passive radar returns or a transponder. Position-location systems usually supply information to a dispatch or control center. he term guidance has two meanings, both of which are diferent than navigation. In the irst, steering is toward a destination of known position from the vehicle’s present position. he steering equations are derived from a plane triangle for nearby destinations or from a spherical triangle for distant destinations. In the second deinition, steering is toward a destination without calculating the state vector explicitly. A guided vehicle homes on radio, infrared, or visual emissions. Guidance toward a moving target is usually of interest to military tactical missiles in which a steering algorithm assures impact within the maneuver and fuel constraints of the interceptor. Guidance toward a ixed target involves beam riding, as in the instrument landing system (ILS), Section 3.5.

3-1

3-2

Evolution of Avionics: Safety and Certiication Z

Earth’s polar axis

Surface of reference ellipsoid

P = Vehicle C

B

Surface of earth

z 90° Meridian A

Y

x

O λ y

Vehicle’s meridian

Equator X Greenwich meridian

FIGURE 3.1 Latitude–longitude–altitude and XYZ coordinate frames. Note: ϕ, geodetic latitude; OP is normal to the ellipsoid at B; λ, geodetic longitude; h = BP = altitude above reference ellipsoid = altitude above mean sea level.

he term light control refers to the deliberate rotation of an aircrat in three dimensions, which causes its velocity vector to change direction.

3.2 coordinate Frames Navigation is with respect to a coordinate frame of the designer’s choice. For navigation over hundreds of kilometers (e.g., helicopters), various map grids exist whose coordinates can be calculated from latitude and longitude. NATO helicopters and land vehicles use a Universal Transverse Mercator grid. Long-range aircrat navigate relative to an Earth-bound coordinate frame, the most common of which are (Figure 3.1) as follows: 1. Latitude–longitude–altitude, measured with respect to a reference ellipsoid. he most useful reference ellipsoid is described in WGS-84 (1991). Longitude becomes indeterminate in polar regions, rendering these coordinates unsuitable there. 2. Earth-centered rectangular (xyz). hese coordinates are valid worldwide; hence, GPS calculates in them and oten converts to latitude–longitude–altitude for readout.

3.3 categories of navigation Navigation systems can be categorized as absolute, dead reckoning, or mapping. Absolute navigation systems measure the state vector without regard to the path travelled by the vehicle in the past. hese are of two kinds: radio systems (Section 3.5) and celestial systems (Section 3.6). Radio systems consist of a network of transmitters (sometimes transponders) on the ground or in satellites. An aircrat detects the transmissions and computes its position relative to the known positions of the stations

3-3

Navigation

in the navigation coordinate frame. he aircrat’s velocity is measured from the Doppler shit of the transmissions or from a sequence of position measurements. he second absolute system, celestial (Section 3.6), measures the elevation and azimuth of celestial bodies relative to the local level and true north. Electronic star sensors are used in special-purpose high-altitude aircrat and in spacecrat. Manual celestial navigation was practiced at sea for millennia (Bowditch, 1995). Dead-reckoning navigation systems derive their state vectors from a continuous series of measurements beginning at a known initial position. here are two kinds: those that measure heading and either speed or acceleration (Section 3.4) and those that measure emissions from continuous-wave radio stations whose signals create ambiguous “lanes” (Section 3.5). Dead-reckoning systems must be updated as errors accumulate and if electric power is lost. he only radio dead-reckoning system, Omega (Section 3.5), was decommissioned in 1997. Lastly, mapping navigation systems observe and recognize images of the ground, proiles of altitude, sequences of turns, or external features (Section 3.7). hey compare their observations to a stored database. hey are mostly used in cruise missiles.

3.4 Dead Reckoning he simplest dead-reckoning systems measure aircrat heading and speed, resolve speed into the navigation coordinates, and then integrate to obtain position (Figure 3.2). he oldest heading sensor is the magnetic compass: a magnetized needle, an electrically excited toroidal coil (called a lux gate), or an electronic magnetometer, as shown in Figure 3.3. Magnetometers are Hall efect or magnetoresistors that measure the change in electrical resistance of a magnetic substance as the magnetic ield changes. hree orthogonal magnetoresistors are usually mounted on a circuit board (Figure 3.3) that measures the direction of the Earth’s ield to an accuracy of about 2° at a steady aircrat speed. Hall-efect y y΄

Distance travelled along y-axis

Airspeed vector

Wind

or cu

Track angle Heading angle

rrent

r

cto

ee

sp

d un

e dv

o

Gr

x΄ t

y = Vydt o

Path of vehicle

t

x = Vxdt o

Distance travelled along x-axis

FIGURE 3.2

Geometry of dead reckoning.

x

3-4

Evolution of Avionics: Safety and Certiication

FIGURE 3.3 Circuit board from 3-axis digital magnetometer. A single-axis sensor chip and a 2-axis sensor chip are mounted orthogonally at the end opposite the connector. he sensor chips are magnetoresistive bridges with analog outputs that are digitized on the board. (Photo courtesy of Honeywell, Morristown, NJ.)

magnetometers are less common in aircrat. he horizontal component of the magnetic ield points toward magnetic north. he angle from true to magnetic north is called magnetic variation and is stored in the navigation computers as a function of position over the region of anticipated travel (Quinn, 1996). Magnetic deviations caused by iron and motors in the vehicle can exceed 30° and must be compensated in the navigation computer. A more complex heading sensor is the gyrocompass, consisting of a spinning wheel whose axle is constrained to the horizontal plane by a pendulous weight. he aircrat version (more properly called a directional gyroscope) holds any preset heading relative to the Earth, drits at more than 50°/h, and must be reset periodically. Attitude and heading reference systems (AHRS) use inexpensive gyroscopes (some built on silicon chips as vibrating beams) and silicon accelerometers that are coupled to magnetic compasses to reduce maneuver-induced errors and long-term drit. he usual speed sensor on an aircrat or helicopter is a pitot tube that measures the dynamic pressure of the air stream from which airspeed is derived in an air-data computer. To compute ground speed, the velocity of the wind must be vectorially added to that of the aircrat (Figure 3.2). Hence, unpredicted wind will introduce an error into the dead-reckoning computation. Most pitot tubes are insensitive to the component of airspeed normal to their axis, called drit. Pitot tubes must be heated to prevent ice from blocking the oriices. A Doppler radar measures the frequency shit in radar returns from the ground or from water below the aircrat, from which ground speed is inferred. Multibeam Doppler radars can measure all three components of the aircrat’s velocity relative to the relecting surface below. Doppler radars are widely used on military helicopters because of the diiculty of locating pitot tubes on a vehicle that can ly sideways or backward. he most accurate dead-reckoning system is an inertial navigator (Figure 3.4) in which precise accelerometers measure the vehicle’s acceleration, while precision gyroscopes measure the orientation of the accelerometers. An onboard computer resolves the accelerations into navigation coordinates and integrates the components of acceleration once to obtain velocity and again to obtain position. When spinning-wheel gyroscopes were used, they and the accelerometers were mounted in servoed gimbals that angularly isolated them from rotations of the aircrat. Since about 1990, only super-precision star trackers and naval navigators use gimbals. All modern aircrat inertial navigators fasten the gyroscopes and accelerometers directly to the aircrat (“strap down”), thereby exposing these instruments to the angular rates and angular accelerations of the aircrat.

Navigation

3-5

FIGURE 3.4 GPS-inertial navigator. he inertial instruments are mounted at the rear with two laser gyroscopes and electrical connectors visible. he input–output board is next from the rear; it excites and reads the inertial sensors. he computer board is next closest to the observer and includes MIL-STD-1553 and RS-422 external interfaces. he power supply is in front. Between them is the single-board shielded GPS receiver. Round connectors on the front are for signals and electric power. A battery is in the case behind the handle. Weight 10 kg, power consumption 40 W. his navigation set is used in the F-22 and many other military aircrat and helicopters. (Photo courtesy of NorthropGrumman Corporation, Falls Church, VA.)

Attitude is computed by a quaternion algorithm (Kayton and Fried, 1997, pp. 352–356) that integrates measured angular increments in three dimensions. A slower algorithm calculates the navigation coordinates. Inertial systems measure aircrat orientation within 0.1° for steering and pointing. Most accelerometers consist of a gram-sized proof mass that is mounted on a lexure pivot. he least expensive ones measure the delection of the proof mass; the most precise accelerometers restore the proof mass to null electrically, thus not relying on the structural properties of the lexure. In the newest accelerometers, the proof masses are etched into silicon chips. he oldest gyroscopes contained metal wheels rotating in ball bearings or gas bearings that measured angular velocity or angular increments relative to inertial space. More recently, gyroscopes contained rotating, vibrating rings whose frequency of oscillation measured the instrument’s angular rates. he most precise gyroscopes are evacuated cavities or optical ibers in which counterrotating laser beams are compared in phase to measure the sensor’s angular velocity relative to inertial space about an axis normal to the plane of the beams. Vibrating hemispheres and rotating, vibrating bars are the basis of some navigation-quality gyroscopes (drit rates less than 0.1°/h). Fault-tolerant conigurations of cleverly oriented redundant gyroscopes and accelerometers (typically four to six of each) detect and correct sensor failures. Inertial navigators are used in long-range airliners, in business jets, in most military ixed-wing aircrat, in space boosters and entry vehicles, and in manned spacecrat.

3.5 Radio navigation Scores of radio navigation aids have been invented and many of them have been widely deployed, as summarized in Table 3.1. he most precise is the GPS, a network of 24 satellites and 4 or more on-orbit spares, 17 ground monitor stations for monitoring, a master control station, and its backup station.

3-6

Evolution of Avionics: Safety and Certiication

TABLE 3.1

Worldwide Radio Navigation Aids for Aviation Frequency

System Loran-C/Chaika Beacona Instrument landing System (ILS)a

Hz

Band

100 kHz 200–1600 kHz

LF MF VHF

108 − 112 MHz  329 − 335 MHz

VOR VORTAC SARSAT/COSPAS JTIDS DMEa Tacana Secondary surveillance Radar (SSR)a GFS-GLONASS Radar altimeter MLSa

108–118 MHz 243,406 MHz 960–1213 MHz 962–1213 MHz 962–1213 MHz 1030, 1090 MHz 1227, 1575 MHz 4200 MHz 5031–5091 MHz

Airborne Doppler radar SPN-41 carrier-landing monitor SPN-42/46 carrier-landing radar

13–16 GHz 15 GHz 33 GHz

a

a

Number of Stations

Number of Aeronautical Users

50 4000 1500

10,000 130,000 200,000

1500 5 satellites None 1500 120 800 24 + 24 satellites None 5

200,000 200,000 500 120,000 15,000 250,000 200,000 40,000 200,000

UHF VHF UHF L L L L L C C X Ku Ku Ka

None 25 25

40,000 1600 1600

Standardized by International Civil Aviation Organization.

An aircrat derives its 3D position and velocity from one-way ranging signals received from four or more satellites. Each satellite transmits a civil frequency (L1 = 1575.42 MHz), a military frequency (L2 = 1227.60 MHz) with a superimposed L2C civil modulation, and on the newest satellites, a second civil frequency (L5 = 1176.45 MHz). Each spacecrat carries multiple precise atomic clocks (one part in 10E13), whereas the aircrat carry temperature-controlled quartz clocks whose accuracy is 10E8. he largest source of error is delay as the radio signals pass through the ionosphere. he delay is frequency dependent. Hence, by receiving any two of L1, L2, and L5, an aircrat corrects the ionospheric delay to irst order. By receiving all three, it can correct the ionospheric delay to second order. Misra and Enge (2001) and Parkinson and Spilker (1996) describe the GPS in detail. GPS ofers better than 20 m ranging errors on a moving aircrat to civil users and 5 m ranging errors to military users. Single-frequency receivers were available in 2013 for less than $100. GPS receivers are built into cell phones at 100 m accuracy without the ability to track at aircrat speeds. GPS provides continuous worldwide navigation for the irst time in history. It has displaced dead reckoning on many aircrat and reduced the cost of most navigation systems. Figure 3.5 is an artist’s drawing of a GPS Block 2F spacecrat, irst launched in 2010. During the 1990s, Russia deployed a satellite navigation system, incompatible with GPS, called GLONASS (Urlichich, 2011, May 2012). In 2013, more than 20 operating GLONASS were in orbit. In 2013, the European Union had launched test versions of its own navigation satellite system, called Galileo, which will ofer free and paid services (Hein et al., 2003; Anonymous, 2009). he United States plans a major upgrade of GPS by 2015 to reduce vulnerability to jamming (Enge, 2004). he International Global Positioning Service (IGS) issues post-processing (six hour delay and longer) corrections to satellite positions to centimeter accuracy (Novatel, 2014). Diferential GPS (DGPS) employs ground stations at known locations that receive GPS signals and transmit measured ranging errors on a radio link to nearby aircrat via geosynchronous satellites or via Mode-S transponders (1090 MHz). DGPS improves accuracy (centimeters for ixed observers close to a DGPS station) and, more importantly for aeronautical use, detects faults in GPS satellites immediately. Status messages from the satellites can be hours out of date. In 2003, the United States created a nationwide

3-7

Navigation

FIGURE 3.5

GPS, Block 2F. (Photo courtesy of Rockwell, Milwaukee, WI.)

aeronautical DGPS consisting of about 50 stations and monitoring sites. his Wide-Area Augmentation System (WAAS) (Walter et al., 2012) will eventually replace VORTAC on less-used airways and category I ILS (providing navigation signals down to 200 t aboveground in the United States). he European WAAS is called EGNOS based on position ixes from Galileo satellites. In 2006, the United States began experimenting with a dense network of DGPS sites at airports called the Local-Area Augmentation System (LAAS). he intent is to replace several ILS landing aids at each airport with a small number of less expensive DGPS stations. he experiments show that in order to achieve category II and III landing (allweather), inertial aiding will be needed. Error detection for WAAS and LAAS occurs in about 1 s, hence making GPS safe for aircrat operating near the ground. Loran is used by general-aviation aircrat for en route navigation and for nonprecision approaches to airports (in which the cloud bottoms are more than 400 t above the runway). It is principally a maritime navaid but may become a backup to GPS for aeronautical users. Loran’s 100 kHz signals are usable within 1000 nmi (a nautical mile is 1852 m exactly) of a station. Stations were once groups into chains, consisting of 3 or 4 synchronized stations (Kayton and Fried, 1997, Chapter 4.5). Loran stations have been upgraded to Enhanced Loran (eLoran) in which atomic clocks are placed at all stations; hence, an aircrat can use any stations in reception range (Narins, 2002); the need for chains no longer exists. Russia has a compatible system called Chaika that still relies on chains. When receiving eLoran or Chaika, the airborne receiver measures the diference in time of arrival of pulses emitted by any two ground stations, thus locating the vehicle on one branch of a hyperbola whose foci are at the stations. Two or more station pairs give a 2D position ix at the intersection of the hyperbolas whose best accuracy is 0.25 nmi, limited by propagation uncertainties over the terrain between the transmitting station and the aircrat. he measurement of 100 µs time diferences is made with a low-quality clock (one part in 10E4) in the aircrat. American Loran stations were upgraded in the late 1990s and decommissioned in 2010 as a cost-saving measure. housand-foot tall antennas are being demolished, that would have sent eLoran signals. eLoran is operational in South Korea, England, Netherlands, and Saudi Arabia for maritime traic in densely travelled straits. hey are usually diferential eLoran networks whose corrections are broadcast on 300 kHz marine becons. eLoran is a candidate to be a coarse monitor of GPS and as a stand-alone navigation aid whenever GPS is out of service. GPS monitor functions might alternatively be provided by European or Russian navigation satellites, by private communication–navigation (comm–nav) satellites, or by multilateration to DME stations.

3-8

Evolution of Avionics: Safety and Certiication

Satellite-based monitors are more accurate than Loran but are subject to the same outages as GPS: solar lares and jammers, for example. he most widely used aircrat radio aid at the start of the third millennium is VORTAC (Kayton and Fried, 1997, Chapter 4.4), whose stations ofer three services: 1. Analog bearing measurements at 108–118 MHz (very high frequency omni-range, VOR). he vehicle compares the phases of a rotating cardioid pattern and an omnidirectional sinusoid emitted by the ground station. 2. Pulse distance measuring equipment (called DME) at 960–1215 MHz, by measuring the time delay for an aircrat to interrogate a VORTAC station and receive a reply. 3. TACAN bearing information, conveyed in the amplitude modulation of the DME replies from the VORTAC stations. On short lights over oceans, the inertially derived state vector drits 1–2 nmi/h. When an aircrat approaches shore, it acquires a VORTAC station and continues to its destination using VORTAC for navigation and perhaps ILS for landing. On long over-ocean lights (e.g., trans-Paciic), GPS is usually used with one or more inertial navigators to protect against failures in GPS satellites or in airborne receivers. Long-range transport aircrat typically carry three inertial navigators; some have not been upgraded to GPS. Over land in developed areas, air-traic control is based on position determination by radars located en route and in the terminal area. In the United States and Europe, most radars are expected to be phased out in favor of automatic dependent surveillance broadcasts (ADS-B-out [see Chapter 23]). Aircrat broadcast their GPS or inertial or multilateration ix on 1090 MHz at random intervals (“squittering” at 1 s intervals) to a network of 800 ground stations in the United States that send the data to air-traic control centers from which it is sent on 1090 and 978 MHz to other aircrat that are equipped with ADS-in receiving equipment. he ADS ground stations are supposed to be cheaper to maintain than are the radars. Over ocean and in undeveloped areas (such as Arctic and Africa), low-altitude IRIDIUM satellites will receive ADS messages and forward them to air-traic control facilities. his will allow worldwide coverage of aircrat positions by ADS. he same transponders are used for traic alert and collision avoidance (TCAS) transmissions (Kayton and Fried, 1997, Chapter 14). Lo and Enge (2012a) simulated congestion at 1090 MHz caused by radar replies, ADS, TCAS, and DME. hroughout the western world, civil aircrat use VOR/DME, whereas military aircrat use Tacan/ DME for en route navigation. In the 1990s, China and the successor states to the Soviet Union began to replace their direction-inding stations with ICAO-standard navigation aids (VOR, DME, and ILS) at their international airports and along the corridors that lead to them from their borders. DGPS sites (WAAS) will eventually replace most VORTACs; 50 DGPS sites replace a thousand VORTACs thus saving an immense sum of money for maintenance. Nevertheless, VORTAC stations are likely to be retained worldwide on important routes through 2025. WAAS and LAAS allow direct routing and continuous descent and curved approaches, thus saving fuel by eliminating repeated altitude holds on descent. Specially equipped aircrat are used for the routine calibration of radio navigation aids, speed and velocity sensors, heading sensors, and new algorithms. Airborne test beds and hardware–sotware integration laboratories are routinely used to develop algorithms and sensor–sotware interfaces. Test ranges sometimes employ highly accurate multilateration to local ground beacons (Anonymous, 2013) against which to measure the performance of operational navigation systems. Operational navigation aids are becoming so accurate that inding standards against which to measure them is diicult. he Locata reference (Anonymous, 2013) claims better than 10 cm accuracy airborne. Omega was a worldwide radio aid that consisted of eight ground stations each of which emitted continuous sine waves at 10–13 KHz (Kayton and Fried, 1997, pp. 155–171). Most vehicles measured the range diferences between two stations by observing the phase diferences between the received sinusoids. Ambiguous lanes were created when phase diferences exceeded 360°. Errors were about 2 nmi due to radio propagation irregularities in the spherical waveguide above the Earth. Omega was used by submarines, over-ocean general-aviation aircrat, and a few international air carriers. It was decommissioned in 1997.

Navigation

3-9

Landing guidance throughout the world (in the 2000s, even in China, India, and the former Soviet Union) is with the ILS (Kayton and Fried, 1997, pp. 608–620). Transmitters adjacent to each runway create a horizontal guidance signal near 110 MHz and a vertical guidance signal near 330 MHz. Both signals are modulated such that the nulls intersect along a line in space that leads an aircrat from a distance of about 15 nmi to within 50 t above the runway. ILS gives no information about where the aircrat is located along the beam except at two or three vertical marker beacons. Most ILS installations are certiied to the International Civil Aviation Organization’s category I, where the pilot must abort the landing if the runway is not visible at an altitude of 200 t while descending. In the United States, about 100 ILSs are certiied to category II, which allows the aircrat to descend to 100 t above the runway before aborting for lack of visibility. Category III allows an aircrat to land at still lower weather ceilings. A few ILSs are certiied to category III, mostly in Western Europe, which has the worst lying weather in the developed world. Category III ILSs detect their own failures and switch to a redundant channel within 1 s to protect aircrat that are laring out (within 50 t above the runway) and can no longer execute a missed approach. Once above the runway, the aircrat’s bottommounted radio altimeter measures altitude and either the autopilot or the pilot guides the lare maneuver. Landing aids are described by Kayton and Fried (1997). GPS is allowed as the sole navigation aid for nonprecision approaches. Aided GPS (WAAS or EGNOS) is allowed for precision approaches to 200 t altitude. he U.S. Navy aircrat ind their aircrat carriers at sea with TACAN and use a microwave scanning system at 15.6 GHz to land; NASA’s space shuttle used the Navy system to land at its spaceports but an inertially aided DGPS eventually replaced it. Another microwave landing system (MLS) at 5 GHz was supposed to replace the ILS in civil operations, especially for categories II and III. However, experiments during the 1990s showed that DGPS with a coarse inertial supplement could achieve an in-light accuracy of better than 3 m as a landing aid and could detect satellite errors within a second. At most, MLS is deployed at fewer than ive airports worldwide. Hence, it is likely that LAAS will replace or supplement ILS, which has been guaranteed to remain in service at least until the year 2020. NATO uses portable MLS and may use portable LAAS for lights into tactical airstrips. Position-location systems monitor the state vectors of aircrat and usually display the data in a control room or dispatch center. Examples are civil air-traic control systems and naval combat control centers. Some aircrat derive their state vector from the ranging modulations (e.g., DME); others merely report an independently derived position (e.g., GPS reports on ADS-B-out). Secondary surveillance radars interrogate aircrat on 1030 MHz and receive coded replies from aircrat on 1090 MHz so they can be identiied by human air-traic controllers and by collision-avoidance algorithms. Some commercial communication satellites will ofer digital-ranging services worldwide for a fee. he intermittent nature of these commercial ixes would require that vehicles dead-reckon between ixes, perhaps using solid-state inertial instruments. hus, if taxpayers ever insist on collecting fees for navigation services (as does Galileo), private comm–nav networks may supplement the government-funded GPS and air-traic communication networks in the mid-twenty-irst century. In 2014, IRIDIUM and INMARSAT ofer position reporting over oceans via its satellites. INMARSAT, being in geosynchronous orbit, requires a tracking antenna on the aircrat. Military comm–nav systems measure the position of air, land, and naval vehicles on battleields and report to headquarters; examples are the American Joint Tactical Information Distribution System (JTIDS) (for aircrat) and the Position Location Reporting System (PLRS) (for helicopters and land vehicles). heir terminals were said to cost hundreds of thousands of dollars each in 2014. A worldwide network of approximately 40 SARSAT-COSPAS stations monitors signals from emergency location transmitters (on aircrat, ships, and land users) on 243 and 406 MHz, two of the three international distress frequencies, relayed via low-orbit satellite-based transponders. Sotware at the listening stations calculates the position of the emergency location transmitters within 5–15 km at 406 MHz, and within 15–30 km at 243 MHz, based on the Doppler-shit history observed by the satellites so that rescue vehicles can be dispatched. Some 406 MHz emergency location transmitters contain GPS sets that transmit their position to satellites. SARSAT-COSPAS has saved more than 33,000 lives worldwide since 1982 from arctic bush pilots to tropical ishermen (NASA/NOAA website).

3-10

Evolution of Avionics: Safety and Certiication

3.6 celestial navigation Human navigators use sextants to measure the elevation angle of celestial bodies above the visible horizon. he peak elevation angle occurs at local noon or midnight: Elev angle (degrees) = 90 − latitude + declination hus, at local noon or midnight, latitude can be calculated by simple arithmetic from a table of declination (the angle of the sun or star above the Earth’s equatorial plane). When time began to be broadcast to vehicles in the 1930s, of-meridian observations of the elevation angles of two or more celestial bodies became possible at any known time of night (cloud cover permitting). hese ixes were hand calculated using logarithms, then plotted on charts by a navigator. In the 1930s, handheld bubble-level sextants were built that measured the elevation of celestial bodies from an aircrat without the need to see the horizon. he human navigator observed sun and stars through an astrodome on top of the aircrat. he accuracy of airborne celestial ixes was 5–30 miles in the air, limited by the uncertainty in the horizon and the inability to make precise angular measurements on a pitching, rolling vehicle. Kayton (1990) reviews the history of celestial navigation at sea and in the air. he irst automatic star trackers were built in the late 1950s (Kayton and Fried, 1997, Chapter 12.4). hey measured the azimuth and elevation angles of stars relative to a gyroscopically stabilized platform. Approximate position measurements by dead reckoning allowed the telescope to point within a fraction of a degree of the desired star. hus, a narrow ield of view was possible, permitting the telescope and photodetector to track stars in the daytime through a window on top of the aircrat. An onboard computer stored the right ascension and declination of 20–100 stars and computed the vehicle’s position. Automatic star trackers are used in long-range military aircrat and on space shuttles, physically mounted on the stable element of a gimballed inertial navigator. Clever design of the optics and of stellar-inertial signalprocessing ilters achieves accuracies better than 500 t (Kayton and Fried, 1997). Future lower-cost systems may mount the star tracker directly to the vehicle. Automatic star trackers mounted on gimbaled inertial navigators are said to cost more than a million dollars in 2014.

3.7 Map-Matching navigation On manned aircrat, mapping radars and optical sensors present an image of the terrain to the crew whereas on unmanned aircrat, navigation must be autonomous. Automatic map matchers have been built since the 1960s that correlate the observed image to stored images of patches of distinctive terrain, choosing the closest match to update the dead-reckoned state vector. Since 1980, aircrat and cruise missiles have measured the vertical proile of distinctive patches of terrain below the aircrat and match it to a stored proile. Updating with the matched proile, perhaps hourly, reduces the long-term drit of the inertial navigator. he proile of the terrain is measured by subtracting the readings of a baro-inertial altimeter (calibrated for altitude above sea level) and a radio altimeter (measuring terrain clearance). An onboard computer calculates the cross-correlation function between the measured proile and each of many stored proiles on possible parallel paths of the vehicle. he onboard inertial navigator usually contains a digital ilter that corrects the drit of the azimuth gyroscope as a sequence of ixes is obtained. Hence, the direction of light through the stored map is known, saving the considerable computation time that would be needed to correlate for an unknown azimuth of the light path. he most complex mapping systems observe their surroundings by digitized video (oten stereo) and create their own map of the navigated space. In the 2000s, optical mappers were developed, which allow landings at ields that are not equipped with electronic aids. Systems that use sensor data (usually millimeter wave or infrared) to create an image to assist pilots to land at such ields are called “enhanced vision” (Read, 2002). Systems that use stored terrain to create the image are called “synthetic vision.” hese images

Navigation

3-11

are oten projected onto a head-up display. he synthetic vision image is sharper and more detailed than the enhanced image but it will not show mobile equipment (taxying aircrat or construction cranes) on the runway. he trend is to superimpose both images onto the head-up display if budgets permit.

3.8 navigation Software Navigation sotware is sometimes embedded in a central processor partitioned with other avionic-system sotware, sometimes conined to one or more navigation computers. he navigation sotware contains algorithms and data that process the measurements made by each sensor (e.g., GPS, inertial, or air data). It contains calibration constants, initialization sequences, self-test algorithms, reasonability tests, and alternative algorithms for periods when sensors have failed or are not receiving information. In the simplest systems, a state vector is calculated independently from each sensor while the navigation sotware calculates the best estimate of position and velocity. Prior to 1970, the best estimate was calculated from a least-squares algorithm with constant weighting functions or from a frequency-domain ilter with constant coeicients. Since the 1970s, a multisensor algorithm calculates the best estimate of position and velocity. he most widely used multisensor ilter is the Kalman ilter that calculates the best estimate from mathematical models of the dynamics of each sensor (Kayton and Fried, 1997, Chapter 3). Digital maps are carried on ever-more aircrat so position can be visually displayed to the crew and terrain warnings issued. Many civil aircrat superimpose their navigated position, weather, and ADS-B-in traic reports on a stored map of the terrain. In 2014, general-aviation aircrat are the principal users of superimposed displays. Military aircrat superimpose their navigated position on a stored map of terrain and cultural features to aid in the penetration of and escape from enemy territory. Algorithms for waypoint steering and for control of the vehicle’s attitude are contained in the sotware of the light management and light-control subsystems. Attempts to improve the reliability of avionic sotware led to the Radio Technical Commission for Aeronautics (RTCA) standard DO-178C (see Chapter 13). It deines ive levels of sotware reliability. Level A failures result in a catastrophic failure of the aircrat. Level B failures cause a loss of system function, for example, the ability to complete a mission. hese levels difer in the amount of documentation and testing required. Navigation sotware is usually rated for level B, while light-control and air-data sotware are usually level A.

3.9 navigation Hardware Navigation hardware is installed in the avionics bays and instrument panel. Hardware and wiring are built to the same standards as other avionics equipment. Navigation is dependent on clock accuracy; hence, aircrat oten carry quartz crystal clocks in a thermally controlled or thermally monitored oven. Numerous antennas are mounted on top and bottom of the fuselage, on the in, and on wings. Unbroken point-to-point wiring for power, signals, and coaxial radio is the most reliable but new aircrat are oten built in prewired sections and assembled, requiring wiring connectors. he comparative reliability is yet to be established. Civil aviation hardware is usually qualiied to RTCA standard DO-160 (Chapter 11).

3.10 Design trade-offs he navigation-system designer conducts trade-ofs for each aircrat to determine which navigation systems to use and how to interface them. Trade-ofs must be consistent with the current edition of the U.S. Federal Radionavigation Plan. Trade-ofs consider the following attributes: 1. Cost, including the construction and maintenance of transmitter stations and the purchase of onboard electronics and sotware. Users are concerned only with the costs of onboard hardware and sotware.

3-12

Evolution of Avionics: Safety and Certiication

FIGURE 3.6 Navigation displays in the U.S. Air Force C-5 transport showing lat-panel displays in front of each pilot; vertical situation display outboard and horizontal situation display inboard. Waypoints are entered on the horizontally mounted control-display unit just visible at of the throttles. In the center of the instrument panel are status and engine displays and backup analog instruments. (Photo courtesy of Honeywell, Morristown, NJ.)

2. Accuracy of position and velocity, which is speciied as a circular error probable (CEP) (in meters or nautical miles). he maximum allowable CEP is oten based on the calculated risk of collision on a typical mission. Over land, modern navigation systems and their pilots are oten asked to achieve a required navigation performance (RNP) of 0.3 nmi for which the aircrat and crew are rated. Over-ocean RNPs of 20 nmi are common. 3. Autonomy, the extent to which the vehicle determines its own position and velocity without external aids. Autonomy is important to unmanned air vehicles popularly called “drones.” 4. Time delay in calculating position and velocity, caused by computational and sensor delays. Time delays are sometimes called “latency.” 5. Geographic coverage: Radio systems operating below 100 KHz can be received beyond line of sight on Earth; those operating above 100 MHz are conined to line of sight. GPS is usable globally because many satellites give users line-of-sight coverage. 6. Automation: he vehicle’s operator (onboard crew or ground controller) receives a direct reading of position, velocity, and equipment status, usually without human intervention. he navigator’s crew station disappeared in the 1970s because electronic equipment automatically selects stations, calculates waypoint steering, and accommodates failures (Figure 3.6). New aircrat have multiple screens (“glass panels”) that show navigation data, engine status, airborne radar images, and other data. hey can be switched for redundancy.

Bibliography Articles Anonymous, Galileo slips, EGNOS operates. GPS World, November 2009, 12–14. Anonymous, Iridium to put ADS-B receivers on next constellation. Avionics Magazine, August 2012, 8. Anonymous, Locata tests lead to air force contract. GPS World, January 2013, 29–30. Billingsley, T.B. et al., Collision avoidance for general aviation. IEEE Aerospace Magazine, July 2012, 4–12. Bowditch, N., he American practical navigator. U.S. Government Printing Oice. Re-issued approximately every ive years. Marine focus but good discussion of celestial navigation, 1995, 873pp.

Navigation

3-13

Braf, R., Description of the FAA’s Local Area Augmentation System (LAAS). Navigation, Winter 1997–1998, 411–423. Craig, D., USAF’s new reference system. Inside GPS, May 2012, 37–48. Enge, P., Global positioning system. Scientiic American, May 2004, 91–97. Hein, G.W. et al., Galileo frequency and signal design. GPS World, January 2003, 30–45. Kayton, M., Navigation: Land, Sea, Air, and Space. IEEE Press, New York, 1990, 461pp. Kayton, M. and W.R. Fried, Avionics Navigation Systems, 2nd edn. John Wiley, New York, 1997, 650pp. Lo, S.C. and P. Enge, Assessing the capability of DME to support future air traic capacity. Navigation, Winter 2012a, 249–260. Lo, S.C. and P. Enge, Capacity study of multilateration-based navigation FR alternate position, navigation, and timing services for aviation. Navigation, Winter 2012b, 263–279. Lo, S.C. et al., Loran data modulation: A primer. IEEE Aerospace and Electronic Systems Magazine, September 2007, 31–50. May, M., GLONASS in perspective. ION Newsletter, Fall 2012, 4–19. Minzner, R.A., he U.S. Standard Atmosphere 1976. NOAA report 76-1562, NASA SP-390. 1976 or latest edition, 1976, 227pp. Misra, P. and P. Enge, Global Positioning System. Ganga-Jamuna Press, Lincoln, MA, 2001, 390pp. Narins, M., Status of loran-C modernization testing. Ion Newsletter, Winter 2001–2002, 4–5. Novatel, Multi-GNSS monitoring, INSIDE GNSS, January 2014, 30–34. Parkinson, B.W. and J.J. Spilker, Eds. Global Positioning System, heory and Applications. American Institute of Aeronautics and Astronautics, Reston, VA, 1996, 1300pp., 2 volumes. Quinn, J., 1995 Revision of joint US/UK geomagnetic ield models. Journal of Geomagnetism and Geo-Electricity, Fall 1996. Read, B., Seeing clearly. Aerospace International, May 2002, 30–33. Taylor, J. et al., GPS control segment upgrade details. GPS World, June 2008, 27–33. Urlichich, V.S. et al., GLONASS modernization. GPS World, November 2011, 34–39. U.S. Air Force, Navstar-GPS Space Segment/Navigation User Interfaces. IRN-200c-004. ARINC Research, Annapolis, MD, 2000, 160pp. U.S. Government, Federal radionavigation plan. Departments of Defense and Transportation, issued biennially, 200pp. U.S. Government, Federal radionavigation systems. Departments of Defense and Transportation, issued biennially, 200pp. U.S. Government, WGS-84 World Geodetic System. U.S. Defense Mapping Agency, Washington, DC, 1991. Van Graas, F. et al., Ohio University/FAA light test demonstration of local area augmentation system (LAAS). Navigation, Summer 1998, 129–135. Walter, T. et al., Evolving WAAS to service L1/L5 users. Navigation, Winter 2012, 317–325. Zhao, Y., Vehicle Location and Navigation Systems. Artech House, Norwood, MA, 1997, 345pp.

Journals IEEE Transactions on Aerospace and Electronic Systems; bimonthly through 1991, now quarterly. Proceedings of the IEEE Position Location and Navigation Symposium (PLANS), biennially. Navigation, Journal of the U.S. Institute of Navigation, Quarterly. Journal of Navigation, Royal Institute of Navigation (UK), Quarterly. AIAA Journal of Guidance, Control, and Dynamics, bimonthly. GPS World, monthly. Inside GPS, monthly. Commercial aeronautical standards produced by International Civil Aviation Organization (ICAO, Montreal), Aeronautical Radio, Inc. (ARINC, Annapolis, MD), Radio Technical Committee for Aeronautics (RTCA, Inc., Washington, DC), and European Commission for Aviation Electronics (EUROCAE, Paris).

3-14

Evolution of Avionics: Safety and Certiication

Websites www.faa.gov (landing category I, II, III requirements). www.navcen.uscg.gov (almanac and constellation status). www.gps.losangeles.af.mil. www.inmarsat.org. www.sarsat.noaa.gov. www.arinc.com. www.loran.org. www.gpsworld.com/the-almanac. www.garmin.com/adsb. http://microwavelandingsystem.com.

4 Global Positioning System 4.1 4.2

Introduction ...................................................................................... 4-1 GPS System ........................................................................................ 4-1 Constellation • Navigation Signals • Principle of Operation • Services and Performance

Christopher J. Hegarty

4.3

Aviation Augmentations.................................................................. 4-5

4.4

Avionics ..............................................................................................4-6

4.5

Applications ..................................................................................... 4-16

Aircrat-Based • Satellite-Based • Ground-Based

The MITRE Corporation

John M. Foley Garmin AT, Inc.

Sai K. Kalyanaraman Rockwell Collins

Standards • General Aviation • Air Transport • Military Navigation • Automatic Dependent Surveillance • Terrain Awareness Warning Systems • Timing

4.6 Future Trends .................................................................................. 4-20 References .................................................................................................... 4-21

4.1 introduction he global positioning system (GPS) [1–4] is a satellite navigation system operated by the United States. he system consists of a constellation of nominally 24 satellites in medium Earth orbit, as well as a worldwide ground network to monitor and control the satellites. he GPS program began in the early 1970s and the system was declared fully operational in 1995. Internationally, the GPS constellation is considered to be just one component within the global collection of navigation satellites that is referred to as the global navigation satellite system (GNSS). GPS has found widespread use on both civilian and military aircrat. his chapter provides an overview of the GPS system, aviation augmentations, GPS avionics, and aviation applications. he chapter concludes with a discussion of future trends.

4.2 GPS System he following sections provide short descriptions of the GPS constellation, signals, principle of operation, services, and performance. he interested reader is referred to [2–4] for more comprehensive treatments.

4.2.1 constellation he GPS constellation nominally consists of 24 satellites in circular orbits with an orbital radius of 26,559 km [5]. Redundant atomic clocks, rubidium, and/or cesium are key components of each satellite so that signals that are precisely synchronized to a common timescale can be broadcast. he satellite orbits are inclined 55° with respect to the equatorial plane. Four satellites are contained in each of six orbital planes, which are equally spaced with respect to their orientation around the Earth’s spin axis. 4-1

4-2

Evolution of Avionics: Safety and Certiication

In recent years, the constellation has been overpopulated with up to 31 operational satellites. he irst 3 satellites beyond 24 are placed into expandable slots of the baseline 24-satellite constellation (see [5]). Surplus satellites beyond 27 are typically launched into locations adjacent to satellites that are expected to require replacement the soonest. he GPS satellites were procured over time in blocks, with increasing capabilities from each block to the next. Presently, there are 31 operational GPS satellites including 7 Block IIA, 12 Block IIR, 7 modernized Block IIR (IIR-M), and 5 Block IIF vehicles. he Block IIA satellites were built by Rockwell International and launched between 1990 and 1997. he Block IIR and IIR-M satellites were built by Lockheed Martin and launched between 1998 and 2009. he Block IIFs are, at the present time, still being built by Boeing. Twelve IIFs are planned, and thus far, ive have been launched. he irst launch was in August 2010. he GPS satellites to follow the Block IIFs were originally referred to as Block III but are now referred to as GPS III. A contract to build the irst GPS III satellites was awarded to Lockheed Martin in May 2008. he irst GPS III satellite is anticipated to be launched in 2015.

4.2.2 navigation Signals Code division multiple access (CDMA) is utilized for all the GPS navigation signals, that is, all of the satellites broadcast their signals upon the same carrier frequencies. Up through the Block IIR vehicles, the GPS satellites broadcast what are referred to now as the legacy navigation signals upon two carrier frequencies: Link 1 (L1) at 1575.42 MHz and Link 2 (L2) at 1227.6 MHz. he legacy navigation signals include two direct sequence spread spectrum (DSSS) signals with rectangular symbols that are broadcast in phase quadrature on L1 [6]. he coarse/acquisition (C/A) code signal has a 1.023 MHz chipping rate and the precision (P) code signal has a 10.23 MHz chipping rate. he C/A code is generated using length-1023 Gold codes [7], which repeat every millisecond. he P code is 1 week long when unencrypted but is normally encrypted to deter spooing, and when it is, it is referred to as the Y code. An identical P(Y) code signal is also broadcast on the L2 carrier. Both the C/A and P(Y) code signals are further modulated by the same 50 bps data. his 50 bps data stream includes information required for navigation including the ephemeris, clock corrections, and health information for the broadcasting satellite, as well as almanac data for the entire constellation. he Block IIR-M satellites introduced two new navigation signals—a new military signal on L1 and L2 referred to as the M code [8] and a new civil signal on L2 referred to as L2C [6,9]. Both of these new signal types have advanced designs that include a dataless signal component and forward error correction of the navigation data to enable robust tracking and data demodulation by user equipment. L2C uses DSSS modulation with rectangular symbols and a 1.023 MHz chipping rate. he M code uses DSSS modulation with a 5.115 MHz chipping rate and a spread spectrum symbol that is two cycles of a 10.23 MHz square wave. his DSSS modulation variant is referred to as binary ofset carrier (BOC) [10] and may alternatively be viewed and in practice may be generated as the product of (1) an ordinary DSSS signal using rectangular symbols and (2) a square wave subcarrier. he Block IIF satellites add an additional civil navigation signal on a new carrier frequency. he new carrier frequency, at 1176.45 MHz, and signal are both referred to as Link 5 (L5) [11,12]. L5 is generated with DSSS modulation using rectangular symbols and a 10.23 MHz chipping rate. As with the other modernized GPS signals (e.g., L2C and M code), L5 includes a dataless signal component and forward error correction of the navigation data for robust tracking and data demodulation. he GPS III spacecrat will broadcast an additional L1 civil signal (L1C), which will employ a signal that is created using BOC modulations with a 1.023 MHz chipping rate and time-multiplexed mixture of symbols that are derived from 1.023 and 6.138 MHz square wave subcarriers [13,14]. Figure 4.1 illustrates the overall evolution of the GPS navigation signals. he vertical axis of the plot represents the power spectrum of each signal and the horizontal axis is not contiguous. he bandwidth spanned by the C/A code and L2C signals, as measured between the irst spectrum null on either side of the carrier frequency, is 2.046 MHz. he null-to-null bandwidth for the P(Y) code and L5 signals is 20.46 MHz.

4-3

Global Positioning System C/A-code Block I/II/IIA/IIR

P(Y)-code

P(Y)-code

C/A-code L2C P(Y)-code

Block IIR-M

P(Y)-code M-code

M-code

C/A-code Block IIF

L2C P(Y)-code L5

P(Y)-code M-code

M-code

C/A-code L1C P(Y)-code

L2C P(Y)-code

Block III L5

M-code

M-code

Frequency L5 (1176.45 MHz)

FIGURE 4.1

L2 (1227.6 MHz)

L1 (1575.42 MHz)

Evolution of the GPS signals.

4.2.3 Principle of operation GPS receivers determine their position and precise time using passive range measurements to visible satellites. hese range measurements are obtained through a measurement of the transit time of the broadcast navigation signals and are referred to as pseudoranges since all simultaneous measurements may have a large common bias due to a low-cost receiver clock. he pseudorange measurements available at one instant in time with N visible satellites may be modeled as ρ1 = R1 + c ⋅ b + ε1 ρ2 = R 2 + c ⋅ b + ε 2

(4.1)

⋮ ρN = R N + c ⋅ b + ε N where for the ith visible satellite, ρi is the pseudorange in meters, Ri is the true range between the satellite and receiver antennas in meters, c is the speed of light in meters per second, b is the receiver clock error in seconds, and εi (meters) is the contribution from all other error sources. he true range between the receiver antenna at position coordinates (x, y, z) and the ith satellite antenna at coordinates (xi, yi, zi) is given by Ri =

2

2

( x − xi ) + ( y − yi ) + ( z − zi )

2

(4.2)

4-4

Evolution of Avionics: Safety and Certiication

he measurement errors are generally reduced to the extent possible through various methods including equipment design, models (e.g., for atmospheric delay errors and relativistic efects), and application of corrections supplied within the broadcast navigation data. he satellite antenna position coordinates in (4.2) are computed by the receiver using elements of the navigation data broadcast by each satellite. Neglecting the measurement errors and with the substitution of Equation 4.2, Equation 4.1 can be viewed as a system of N equations with four unknowns (x, y, z, b). Although nonlinear, the system of equations can be readily solved in most situations to yield estimates of the receiver antenna coordinates and receiver clock error when at least four satellites are visible (i.e., N ≥ 4) [2–4]. he accuracy of the solution depends on both the accuracy of the pseudorange measurements, that is, the statistics of the residual measurement errors ater the measurements are corrected by all available means, and the geometry of the visible satellites in the sky. he latter accuracy factor is oten quantiied by various metrics referred to as dilutions of precision (DOPs) [2–4]. Commonly used DOPs include vertical DOP (VDOP), horizontal DOP (HDOP), and position DOP (PDOP) that relate, respectively, the ratios of one-sigma vertical, horizontal, and 3-D position errors to one-sigma pseudorange errors. For instance, if a receiver’s pseudorange errors are independent and identically distributed with a one-sigma value of 5.0 m, and assuming typical midlatitude HDOP and VDOP values of 1.0 and 1.5, respectively, the receiver’s position estimates would be expected to exhibit a 5.0 m horizontal one-sigma error and 7.5 m vertical one-sigma error.

4.2.4 Services and Performance GPS presently provides two services—one for civilian users referred to as the standard positioning service (SPS) [5] and one available only to authorized users (primarily the U.S. military and the militaries of U.S. allies) referred to as the precise positioning service (PPS) [15]. he SPS is based upon use of only the L1 C/A code signal, whereas PPS users may additionally use the L1/L2 P(Y) code signals. he United States has pledged to make the GPS SPS available for civil aviation use on a continuous worldwide basis, free of direct user fees, with a minimum of 6 years advance notice to be provided in the event that this service will be terminated. his commitment was initially made by the administrator of the Federal Aviation Administration (FAA) in 1994 [16]. he commitment to provide GPS SPS service was reiterated in 2007 [17], with an additional commitment made at that time to provide GPS– satellite-based augmentation system (SBAS) services in North America, free of direct user charges, through the FAA’s Wide Area Augmentation System (WAAS) (see Section 4.3 for a description of SBASs, including WAAS). At one time, the accuracy of the SPS was intentionally degraded using a technique referred to as selective availability (SA), which was observed to be implemented as a pseudorandom dithering of the satellite clock that could be removed only by PPS receivers with knowledge of the generation algorithm and cryptographic keys [2]. On May 1, 2000, the intentional degradation of SPS performance due to SA was ceased [18] and in September 2007, the United States announced that the capability to implement SA will be removed from future GPS satellite procurements [19]. The specified accuracy for GPS SPS pseudoranges is better than or equal to 7.8 m, 95% [5]. This specification is for the signal in space (SIS) only (i.e., it does not include errors due to the atmosphere, multipath, or user equipment) and is based upon a global average. With typical GPS DOP values, the specified SPS pseudorange accuracy would be expected to yield 95% horizontal and vertical positioning accuracies on the order of 8 and 12 m, respectively. Actual performance is typically significantly better than this. For instance, the observed 95% horizontal and vertical positioning accuracies for 28 GPS SPS receivers distributed throughout North America from July 1 to September 30, 2012, were 2.8 and 4.3 m, respectively [20]. Further, the data reported in [20] include all real-world errors, whereas the accuracy specification in the SPS performance standard [5] only includes SIS errors.

4-5

Global Positioning System

4.3 Aviation Augmentations While GPS provides a robust, global positioning and timing capability, it does not at present meet all of the requirements for navigation and other airborne applications (see Section 4.5) without augmentation. In particular, although GPS is normally extremely accurate, there have been rare instances when extremely large range errors have occurred without any indication to the receiver that the associated satellite is unhealthy. he SPS performance standard [5] includes a listing of potential failure modes and a discussion of their characteristics. he International Civil Aviation Organization (ICAO) deines three augmentations to GPS that alleviate the problems discussed earlier. hese are referred to as aircrat-based augmentation systems (ABAS), SBAS, and ground-based augmentation systems (GBAS). hese augmentations are described, in turn, in the following sections.

4.3.1 Aircraft-Based ICAO deines an ABAS as “an augmentation system that augments and/or integrates the information obtained from the other GNSS elements with information available onboard the aircrat.” ABAS includes methods to provide integrity monitoring through either the exploitation of redundant GNSS measurements referred to as receiver autonomous integrity monitoring (RAIM) [21] or through the use of onboard sensors (e.g., barometric altimeters, inertial navigation systems, other navigation systems). As noted in Section 4.2.3, only four visible satellites are required for positioning with GPS, so redundant measurements are available anytime ive or more satellites are visible. With exactly ive visible satellites and good geometry, receivers can detect the presence of one abnormally biased pseudorange. his function is referred to as either RAIM or fault detection (FD). With at least six visible satellites and good geometry, receivers can not only detect the presence of one bad pseudorange but can also determine which satellite the error corresponds to and exclude it (see Figure 4.2). his enhanced capability is oten referred to as fault detection and exclusion (FDE). ABAS also includes the use of other onboard sensors to enhance continuity, availability, or accuracy over that provided by the other elements of GNSS [22].

2 measurements—cannot determine if one is erroneous.

3 measurements—can detect if there is one erroneous measurement, but cannot determine which is erroneous.

4 or more measurements—can detect and isolate an erroneous measurement

(a)

4 measurements—4 equations, 4 unknowns leads to one solution, zero measurement residuals.

5 measurements—solution determined in least squares sense, can detect if there is one bad measurement

6 or more measurements—can detect and isolate a bad measurement

(b)

FIGURE 4.2 Illustration of RAIM concept through an analogy of (a) a 2-D problem involving noisy measurements of a linear relationship and (b) the 4-D problem of solving user position and clock error in GNSS.

4-6

Evolution of Avionics: Safety and Certiication

38 reference stations

3 geostationary satellite links

FIGURE 4.3

3 master stations

6 ground earth stations

2 operational control centers

(See color insert.) WAAS. (Courtesy of the Federal Aviation Administration, Washington, DC.)

4.3.2 Satellite-Based SBAS [23] are being developed around the world by the global civil aviation community to augment GPS so that it may be used for aircrat navigation in instrument conditions for en route through precision approach. An SBAS consists of a widespread ground network of monitoring stations that collect GNSS satellite measurements (today primarily GPS-only) and geostationary (GEO) satellites to broadcast diferential corrections, integrity parameters, and ionospheric data to end users. Current-generation SBAS GEOs broadcast directly on the GPS L1 carrier frequency of 1575.42 MHz. he SBAS signal [24] is open (i.e., unencrypted), resembles the GPS C/A code signal, and may be used for ranging. As compared with GPS C/A code, a higher data rate of 250 bps is employed with rate ½ forward error correction encoding to enable all the requisite system data to be provided to the user. User equipment process GPS C/A code and SBAS signals on L1 only. Several SBAS systems are either already operational or in the inal development stage. hese include the WAAS [25–27] in the United States (see Figures 4.3 and 4.4), the European Geostationary Navigation Overlay Service (EGNOS) in Europe [28], the Multifunctional Transport Satellite (MTSAT)-Based Augmentation System (MSAS) in Japan [29], the GPS and GEO Augmented Navigation (GAGAN) system in India [30], and the Russian System of Diferential Correction and Monitoring (SDCM) [31]. China has recently announced its intentions to develop an SBAS as well. It is envisioned that SBAS services will eventually migrate toward supporting dual-frequency user equipment with signals at both 1575.42 and 1176.45 MHz [32].

4.3.3 Ground-Based A GBAS provides diferential corrections and integrity data for the GPS or other GNSS signals using redundant reference stations situated at an airport and a very high frequency (VHF) data broadcast (VDB). he GBAS architecture is illustrated in Figure 4.5. GBAS is intended to provide area navigation in the terminal area and support category I–III precision approach operations. A detailed description of the GBAS concept and various implementations may be found in [33].

4.4 Avionics his section addresses GPS avionics. he irst section provides an overview of prevalent international and domestic standards. Subsequent sections describe, in order, typical equipment found on general aviation (GA), air transport, and military aircrat.

4-7

Global Positioning System

Current WAAS GEO coverage

  FIGURE 4.4 (See color insert.) WAAS GEO coverage. (Courtesy of the Federal Aviation Administration, Washington, DC.)

GPS satellites

Ranging sources

Status information

Differential corrections, integrity data and path definition

GBAS ground facility GBAS reference receivers

Omnidirectional VHF data broadcast (VDB) signal

FIGURE 4.5

(See color insert.) GBAS architecture. (Courtesy of the Federal Aviation Administration, Washington, DC.)

4-8

Evolution of Avionics: Safety and Certiication TABLE 4.1

FAA TSOs for GNSS Navigation Equipment

Equipment Stand-alone GPS Stand-alone GPS Antennas Antennas GPS/satellite-based augmentation system (SBAS) GPS/SBAS GPS/ground-based augmentation system (GBAS) GBAS VDB

TSO

Invoked RTCA Document

Date First Published

Status

TSO-C129 TSO-C196 TSO-C144a TSO-C190a TSO-C145 TSO-C146 TSO-C161 TSO-C162

DO-208 DO-316 DO-228 DO-301 DO-229 DO-229 DO-253 DO-253, DO-246

1992 2009 1998 2007 1998 1998 2003 2003

Cancelled Active Active Active Active Active Active Active

a he latest revision of TSO-C144 (-C144a) is intended only for new passive antenna models. he latest revision of TSO-C190 should be used for new active antenna models.

4.4.1 Standards Standards and recommended practices (SARPs) for GNSS were irst adopted by ICAO in 2001. he GNSS SARPs have subsequently been amended numerous times and are contained within Annex 10 to the International Convention on Civil Aviation [34]. Current SARPs only include standards for two core constellations (GPS and the Russian GLONASS system) and also for the aviation augmentations introduced earlier in Section 4.3. Relevant FAA technical standard orders (TSOs) are listed in Table 4.1 [35–42]. As with many FAA TSOs, those listed are typically short documents but invoke by reference much longer documents produced by RTCA, Inc. [24,43–48]. hese are cross-referenced in the table. he FAA standards address four types of equipment: • Antennas—TSO-C144 originally provided requirements for passive and active airborne GNSS antennas, but the latest revision (-C144a) may only be used for new passive antenna models. TSOC190 is an updated standard for active antennas. Both of these standards are for L1-only equipment. • Stand-alone GPS receivers—TSO-C129 was the irst FAA TSO for stand-alone GPS equipment and has been replaced by TSO-C196. Both of these standards are for GPS L1 C/A-code-only equipment that meets applicable integrity requirements using ABAS/RAIM. • GPS/SBAS receivers—TSO-C145 and TSO-C146 provide standards for airborne receivers relying on GPS L1 C/A code signals augmented by SBASs such as WAAS in the United States. • GPS/GBAS receivers—TSO-C161 provides standards for airborne GPS receivers relying on L1 C/A code signals augmented by GBAS. TSO-C162 provides standards for the VDB link that is required to support GBAS operation. As noted earlier, current-generation airborne equipment standards only require processing of L1 signals. Aviation standards organizations, including RTCA and ICAO, are currently working on updated standards that will include airborne receiver processing of the GPS L5 signal, as well as L1/L5 signals that will be broadcast by foreign satellite navigation systems such as Europe’s Galileo.

4.4.2 General Aviation GPS avionics used in GA aircrat fall into two main categories: integrated light decks and panel-mounted GPS navigators. Integrated light decks have become standard equipment on many new GA aircrat. Such systems are generally forward-it avionics installed by the aircrat manufacturer, although some retroit options are available. Integrated light decks typically employ two or more large LCD screens that serve as a primary light display (PFD) and a multifunction display (MFD). he GPS receivers themselves may be remote mounted and combined with VHF omnidirectional range (VOR)/instrument landing system (ILS) and VHF communication receivers. Figure 4.6 shows one example of such a system.

4-9

Global Positioning System

FIGURE 4.6

GA integrated light deck (Garmin G1000).

GPS is used in conjunction with attitude and heading reference systems (AHRS) and air data computers to drive the PFD and MFD. State-of-the-art systems provide synthetic vision displays that combine GPS position with attitude and terrain data to provide realistic 3-D depiction of ground and water features, airports, obstacles, and traic. Integrated light decks employ dual GPS receivers and antennas for redundancy, with one unit feeding the PFD on the pilot side, and the other feeding the second PFD on the copilot side. he other main category of GA GPS receiver is the panel-mounted GPS receiver. A typical coniguration will combine GPS, VOR/ILS, and VHF communications functionality into a single unit. Panelmounted GPS receivers are available as both forward-it and retroit equipment and are by far the most common type of receiver found in the GA leet. Well over 100,000 panel-mounted receivers have been sold to date. More than 30,000 of these units include SBAS functionality. Figures 4.7 and 4.8 depict two examples of common panel-mounted GPS navigators. Both GA integrated light decks and modern panel-mounted GPS receivers include moving map displays that depict the aircrat position relative to the light path, landmarks, and ground-based navigation aids. Many units are able to depict detailed terrain data, with some providing a TSO-compliant

  FIGURE 4.7

Panel-mounted GPS (Garmin GTN 750).

4-10

Evolution of Avionics: Safety and Certiication

FIGURE 4.8

Panel-mounted GPS (Garmin GNS 530W).

terrain awareness and warning system (TAWS) function. When coupled to appropriate external sensors, these displays can also overlay real-time weather and traic data onto the moving map. he inclusion of airport surface charts can improve situational awareness during ground operations and help prevent inadvertent runway incursions. GA GPS receivers are typically certiied for IFR en route, terminal, and nonprecision approach capability. SBAS-capable receivers certiied under TSO-C146 can also support vertically guided approaches to lateral/vertical navigation (LNAV/VNAV) and localizer precision with vertical guidance (LPV) minimums. Even though GA GPS is certiied for IFR use, VFR operations also beneit from the enhanced situational awareness GPS provides. he ability to ly direct to any given waypoint can greatly simplify light planning. In the event of an in-light emergency, GPS allows the pilot to quickly identify the nearest airport and provides guidance at the push of a button. Due to the wide variety of missions GA aircrat undertake, there is a great deal of variation in GA installations and the GPS receiver may interface with many other types of equipment in the cockpit. Table 4.2 lists some of the external equipment interfaces found in a common GA panel mount GPS receiver. GPS installations in GA aircrat almost universally use active antennas that are powered by DC voltage passed through the antenna coax cable. hese antennas may use an ARINC 743A [49] form factor TABLE 4.2

Panel Mount GPS Receiver External Interfaces

Type of Equipment Air data computer Altimeter Attitude and heading reference system (AHRS) Autopilot Course deviation indicator (CDI)/vertical deviation indicator (VDI) Distance measuring equipment (DME) Electronic light instrument system (EFIS) Fuel management system Horizontal situation indicator (HSI) Mode-S transponder Satellite weather receiver Traic advisory system

Interface ARINC 429, RS-232 Parallel (Gray code), RS-232 ARINC 429, RS-232 Analog, ARINC 429 Analog Parallel, serial ARINC 429 RS-232 Analog, ARINC 429 ARINC 429, RS-232 RS-232 ARINC 429

Global Positioning System

4-11

or similar sized tear drop coniguration. Many GA aircrat are relatively small in size, so antenna placement can be a challenge. A common solution is the use of combination antennas that include not only a GPS antenna but also VHF communications and/or satellite data antennas. Portable GPS receivers are commonly used in GA aircrat, sometimes sharing the cockpit with more traditional installed GPS equipment. Portable receivers are stand-alone units that have built-in antennas and batteries, making them a valuable source of accurate navigation in the event of an aircrat power failure. hey are oten speciically designed for aviation use and have many of the features of a panelmounted GPS, including moving map displays, satellite weather, and ADS-B traic, at a signiicantly lower price point. However, portable GPS receivers are not certiied for installation in an aircrat and cannot be used as a navigation source in instrument meteorological conditions (IMC).

4.4.3 Air transport Air transport aircrat typically carry redundant multimode receivers (MMRs) as the onboard GNSS sensor (see Figure 4.9). As of 2012, over 28,000 MMRs have been purchased for use in the worldwide air transport leet. hese receivers are referred to as multimode, because they also provide other navigation sensor functionality. Two major form factors in use include the digital MMR [50] and the analog MMR [51]. he digital MMR provides GNSS, ILS, and optional microwave landing system (MLS) receiver capabilities within a single unit. A typical analog MMR additionally provides VOR and marker beacon (MB) functionality. Although some MMRs include hardware to process GLONASS signals, this capability is largely a growth path and current-generation MMRs rely primarily if not exclusively on the GPS L1 C/A code signals for their GNSS functionality. Older MMRs with GPS capability were primarily based on unaugmented GPS. hese were certiied under TSO-C129, while the newer MMRs include SBAS and/or GBAS capabilities and have a combination of TSO-C145/-C146/-C161/-C196 functionality as applicable. Until recently, the majority of air transport aircrat operators had shown increased interest in GBAS than in SBAS due to the greater perceived operational beneits for the former system versus the latter. However, with the mature status of WAAS (and growth of other SBAS systems around the world), the availability of more published WAAS LPV approaches and the FAA’s ADS-B OUT mandate; air transport operators are displaying additional interest in GBAS and SBAS-capable MMRs. MMRs that support GBAS augmentations also implement VDB receiver functionality, which receives and processes the diferential eight-phase-shit-keyed (PSK)

  FIGURE 4.9

GLU 925 digital MMR. (Courtesy of Rockwell Collins, Cedar Rapids, IA.)

4-12

Evolution of Avionics: Safety and Certiication

Other navigation sensors

Flight management system (FMS)

VOR/ILS antennas

Autopilot

Multimode receiver

GNSS antenna

FIGURE 4.10

Terrain awareness warning system

Flight instruments/ displays

Typical integration of MMR within air transport aircrat navigation system.

signal carrying the GBAS corrections. All ielded MMRs, at a minimum, use RAIM for integrity monitoring. he MMRs are capable of accepting external aiding inputs (such as barometric altimeter inputs) in order to provide augmented availability. hey are also capable of accepting inputs from inertial reference sensors and provide position and velocity outputs in aided navigation modes. A typical integration of MMRs within an air transport aircrat’s navigation system is shown in Figure  4.10. Redundant GNSS and VOR/ILS antennas supply the requisite inputs to the redundant MMRs. he GNSS antennas are top mounted on the aircrat for good visibility of the satellites, typically near the centerline of the fuselage, fore of the wings to avoid blockage and multipath from the wings and tail structure. A common form factor for airborne GPS antennas is speciied in ARINC 743A [49]. his form factor calls for a conformal antenna that is 4.7 in. × 2.9 in. × 0.75 in., with the height dimension (0.75 in.) only accounting for the portion of the unit protruding above the fuselage. Transport aircrat typically carry aeronautical mobile satellite service (AMSS) communication equipment that transmits in the frequency band close to GPS (1626.5–1660.48 MHz). As a result, these GPS antennas are located at a minimum distance from the Satcom antenna in order to provide suicient isolation. Additional inputs to the MMRs may be supplied from the light management system (FMS) or other navigation sensors for initialization purposes, as well as from control units (not shown) for, for example, mode selection and channel tuning. he ARINC standard (743A, 755, 756) outputs of the MMRs are provided to the FMS and also to light displays, autopilot, and terrain awareness warning system (TAWS). MMRs that are SBAS and/or GBAS capable can provide GPS-based approach guidance to the FMS/light director (FD). hey use the SBAS/GBAS augmented GPS position information and runway database parameters to compute lateral and vertical deviations that are transmitted on the ARINC compliant redundant deviation bus outputs. hese deviations may be angular or rectilinear deviations as required by the FMS/FD. Table 4.3 shows some of the labels that are provided by the MMR on the deviation output bus: TABLE 4.3 Octal Label 116 117 126 127 166 167 173 174 377

MMR Output Labels Message Description

Maximum Message Transmit Interval (ms)

Horizontal GLS deviations—rectilinear (BNR) Vertical GLS deviation—rectilinear (BNR) Computed vertical alert limit FAS vertical alert limit Computed lateral alert limit FAS lateral alert limit Localizer deviation Glide slope deviation Equipment ID

50 50 200 200 200 200 50 50 1000

Global Positioning System

4-13

As seen in Table 4.3, the MMR will provide downstream avionics equipment with lateral and vertical deviations (116 and 117/173 and 174) based on the runway reference parameters and augmented GNSS position in GLS (GNSS Landing System) mode. When the MMR is tuned to the ILS/MLS mode (controlled by the tuning head at the aircrat level), it will provide labels 173 and 174 based on the corresponding mode. In some aircrat conigurations, the MMR will also compute FLS (FMS Landing System) deviations that are based on position and reference path inputs provided to the MMR by the FMS. his allows the crew to see deviations with respect to a virtual “beam” and perform necessary corrections similar to lying an ILS approach. However, this mode is typically used for nonprecision approaches. In principle, immaterial of the approach used to compute the deviation information (SBAS GLS/GBAS GLS/ILS/ MLS/FLS), the data in labels 173/174 would be used to provide course deviation indication at the light deck thereby reducing crew workload during critical phases of light. In addition to the deviation outputs, the MMRs also provide the FMS/FD with the computed lateral and vertical integrity limits and relevant inal approach segment (FAS) alert limits for decision making at the aircrat level. he FMS may implement integrity monitoring or performance enhancement of the GNSS input through cross-checking with other redundant onboard GNSS sensors or blending with other available navigation sensor inputs. As a function of the target level of safety to be met at the sensor level, additional cross checks may be performed within the MMR by comparing position and deviation outputs across multiple redundant solutions. Today’s MMRs are capable of performing ILS cat I/II/III and GBAS cat I approaches, while the next generation of MMRs will be designed to support GBAS cat II/III capabilities and have the ability to process signals at multiple frequencies from diferent GNSS constellations. Future MMRs will also be capable of computing an integrated GNSS–inertial solution in support of worldwide aircrat operations that require tighter RNP thresholds. Another variety of GNSS solution present in air transport and business and regional aircrat is a standalone GNSS sensor such as the GPS4000(S) shown in Figure 4.11. his is a standard 2 MCU coniguration and provides ARINC 743A compliant redundant navigation data outputs. hese outputs are provided to the FMS that may fuse the GNSS sensor output along with other navigation sensor information (barometric altimeter/inertial sensor) and/or perform cross checks across redundant GNSS sensors. he GNSS

FIGURE 4.11

Stand-alone GPS sensor—GPS4000(S). (Courtesy of Rockwell Collins, Cedar Rapids, IA.)

4-14 TABLE 4.4

Evolution of Avionics: Safety and Certiication Stand-Alone GPS Sensor Output Data

Octal Label 060 061 062 063 064 065 066 070 071 072 073 074 076 101 102 103 110 111 112 120 121 124 125 130 133

Parameter

Nominal Transmit Interval (s)

Max. Transmit Delay (ms)

SV Measurement status Pseudorange Pseudorange ine Range rate Delta range SV position X SV position X ine SV position Y SV position Y ine SV position Z SV position Z ine UTC measurement time GPS altitude (MSL) HDOP VDOP Track angle—true (GPS) Present position latitude (GPS) Present position longitude (GPS) Ground speed (GPS) Present position latitude, ine (GPS) Present position longitude, ine (GPS) Digital time mark (GPS) UTC (GPS) Horizontal integrity limit autonomous Vertical integrity limit autonomous

1.0 1.0 1.0 1.0 1.0 1.0 1.0 1.0 1.0 1.0 1.0 1.0 1.0/0.2 1.0/0.2 1.0/0.2 1.0/0.2 1.0/0.2 1.0/0.2 1.0/0.2 1.0/0.2 1.0/0.2 1.0 1.0/0.2 1.0/0.2 1.0/0.2

200 200 200 200 200 200 200 200 200 200 200 200 50 N/A N/A 50 50 50 50 50 50 25 50 50 50

position information provided by this sensor can also be used by the FMS in conjunction with its runway database information in order to provide approach guidance information at the cockpit level. A subset of labels seen on the navigation data bus is shown in Table 4.4. In essence, the navigation information comprises of the phase center location of GPS antenna mounted atop the aircrat, time as derived from GPS, the protection level of computed position, user velocity, and the raw satellite measurements from all the GPS satellites that are tracked by the receiver. It is to be noted that in addition to the data provided on the deviation bus, the GNSS-capable MMRs transmit the aforementioned labels on the ARINC 743A bus. In order to be able to support aircrat operations based on augmented GNSS functionality (e.g., LPV with SBAS augmentation), the update rate of the augmented solutions has to be higher and is typically required to be no less than 5 Hz.

4.4.4 Military GPS signals have an inherent level of interference resistance by virtue of their CDMA signal structure. As mentioned earlier (Section 4.2.2), the GPS satellites transmit signals in both L1 and L2 frequency bands in addition to some satellites that transmit in the L5 band. he United States and Allied military’s GPS receivers process the encrypted P(Y) code signals at both L1 and L2 frequencies using hardware architectures that support PPS Security Module (PPS-SM) or the more modern SA Anti-Spooing Module (SAASM). hese receivers are designed with speciic mission capabilities and meet performance requirements in the presence of jammer and/or spooing threats. Airborne military GPS solutions can be broadly separated into weapons and aircrat platforms. he top row of Figure 4.12 shows two views of a receiver that is capable of processing GPS signals in both L1

Global Positioning System

4-15

and L2 frequency bands in the presence of interfering signals that are 90 dB more powerful than the desired GPS signal. Receivers of this type are designed to be small (size of a hockey puck) and it onto projectiles and spinning platforms that would experience signiicant accelerations (up to 20,000G’s) over short time intervals. In order to perform under these conditions, these keyed receivers employ digital nulling capabilities (with up to ive antenna inputs in this case) along with the ability to support ultratight GPS–inertial coupling that enables the receiver design to reduce the carrier tracking loop’s equivalent noise bandwidth. hese receivers communicate with the rest of the munitions platform via high-speed serial interfaces and provide a 1 pulse per second (PPS) signal for the purposes of synchronization. he middle row of Figure 4.12 shows a sectioned view of this gun-hardened GPS receiver. When size, weight, and power (SWAP) constraints are relaxed, additional capabilities can be realized in a precision-guided missile or munitions platform. he bottom row in Figure 4.12 shows an integrated

FIGURE 4.12 NavStorm™ +, gun-hardened GPS receiver (top row), integrated GPS AJ system (IGAS— bottom row). (Courtesy of Rockwell Collins, Cedar Rapids, IA.)

4-16

Evolution of Avionics: Safety and Certiication

FIGURE 4.13 From let to right—GEM (GPS embedded module), ASR (airborne SAASM receiver), and MicroGRAM (shown along with U.S. postage stamp for size comparison). (Courtesy of Rockwell Collins, Cedar Rapids, IA.)

GPS antijam (AJ) system found in Joint Direct Attack Munition (JDAM) receivers that are capable of steering beams to all satellites in view. hese receivers perform direct Y (encrypted P) code acquisition in the presence of jammer threats and provide a high level of jamming immunity while tracking the desired GPS signal in challenging signal operating environments. Military aircrat are also equipped with SAASM GPS receivers that, when integrated with high-grade inertial sensors (either iber-optic or ring laser gyro), are referred to as embedded GPS–inertial (EGI) units. hese units provide the ability to support both navigational warfare (NAVWAR) and global air traic management (GATM) requirements and can also be interfaced with advanced antenna electronics for applications requiring AJ capabilities. he irst two receivers in Figure 4.13 (from the let) are used on both ixed and rotary wing platforms. hese dual-frequency (L1/L2) receivers have the ability to operate on both PPS and SPS (L1 C/A) signals in order to support operations in civil airspace by providing FDE capabilities in line with RTCA/DO-229 MOPS. hey communicate via ICD-GPS-155 compatible dual-port RAM (DPRAM) and/or serial host control interfaces (SHCI) and provide pseudorange and carrier phase outputs that can be used to compute a tightly coupled GPS–inertial navigation solution. In addition, they provide one PPS I/O capability and an enhanced accuracy HAVEQUICK output (a frequency-hopped system) to support secure UHF radio communications. Although GPS receivers such as the ASR can be hosted on unmanned airborne platforms, the next generation of lightweight ( ( last 'SpeedTarget)

Manual

AltitudeTarget

SpeedTarget

not AutoPilot

AltitudeTarget

SpeedTarget

Altitude

AltitudeTarget

SpeedTarget

Speed

DisplayLogic

1

AlarmManager

1

FlightController

1

SDY_Baro_Scale

SDY_Alti

SDY_Roll_Angle

SDY_Pitch_Angle

SDY_Airspeed

JV_Alti_Alarm

JV_Speed_Alarm

elevatorCmd

throttleCmd

Esterel SCADE Approach to MBD 41-5

41-6

Avionics Development: Tools, Techniques, and Methods

41.4 typical MBDV Lifecycle with ScADe here are various possible lifecycles with SCADE, depending on the position of the models in the lifecycle and on techniques. In this document, we present a typical lifecycle, where the Scade model is essentially used to specify a part of the application sotware architecture and low-level requirements (LLR).

41.4.1 Lifecycle overview In this lifecycle, the Scade model is essentially used for fully describing the architecture and LLR of a part of the application sotware. his model is the input to autocoding with the qualiied code generator KCG (Figure 41.6). Note: With this type of lifecycle, the Scade editor may be used for describing some elements of the high-level requirements (HLRs) such as identiication of high-level functions and their connections. But this type of model is incomplete and is illustrative only.

41.4.2 Design Process and Related Veriication Process 41.4.2.1 Design Process overview Using the HLRs as input, the design process starts by decomposing sotware into major parts. Some of these are allocated to SCADE development (40%–95%), the rest to traditional development. hen the Scade part is further reined into Scade architecture and Scade LLRs (Figure 41.7). 41.4.2.2 traceability Traceability between the HLR and the LLRs contained in the model is established while building the model. Several techniques are available for that purpose, ranging from the use of a spreadsheet tool System requirements process Text, Simulink, etc.

System requirements allocated to software SW requirements process SCADE and/or Text editor

High-level requirements and architecture

SW design process SCADE editor

Low-level requirements and architecture SW coding process SCADE KCG

Source code

SW integration process

Traceability of requirements: SCADE RM Gateway*

FIGURE 41.6

Typical lifecycle overview.

Integrated executable

41-7

Esterel SCADE Approach to MBD

SRS

Requirements process

Master design document

Global architecture design Derived requirements Textual design

SCADE architecture design

SCADE Module A LLR

In master design document or annex

FIGURE 41.7

SCADE Module B LLR

SCADE Module X LLR

Global SCADE model

Design process overview.

or model annotations up to dedicated tools such as the SCADE Requirements Management Gateway and/or DOORS. his traceability is veriied during model veriication. 41.4.2.3 Design integrity here are two possible approaches for achieving sotware integrity: 1. Use a general-purpose permissive language/notation and attempt to impose/verify rules that constrain the use of that language. For instance, the C language at source code level or the UML at model level usually need a lot of coding/design rules. 2. Design and use a language for speciic classes of applications with appropriate built-in properties. hese are sometimes called “application-oriented languages.” he Scade language has been designed from its origin for the development of safety-critical sotware and is based on integrity principles. hese are formalized in the language reference manual and veriied by the qualiied semantic checker. he Scade language is deterministic, and this is relected in code generated from the model: for a given input sequence, there will always be the same output sequence, determined by the language reference manual, whatever the version of the code generator and the code generation options. he language is strongly typed, in the sense that each data low has an explicit type and that type consistency in Scade models is veriied by the SCADE Suite tools. here is no language construct with a risk of side efect: a module body cannot write to any other data than its formal output, which is itself explicitly connected to other modules in its calling modules. here is no risk related to undeined data or data overriding: any data that are consumed in a cycle have to be produced once and only once in that cycle. Scade is modular: the behavior of an operator does not vary from one context to another. hus, veriication of the contents of a module remains valid for any use of that module. Scade makes it possible to deal properly with issues of timing and causality. Causality means that if datum x depends on datum y, then y has to be available before the computation of x starts. A recursive

41-8

Avionics Development: Tools, Techniques, and Methods

FIGURE 41.8

Causality loop.

data circuit poses a causality problem, as shown on Figure 41.8, where the “hrottle” output depends on itself via the ComputeTargetSpeed and Computehrottle operators. Inserting a unit delay in the loop resolves the causality issue. As a summary, a large amount of design integrity is systematically ensured by the inherent properties of the Scade language, which prevents a large number of risks either by not ofering risky constructs (e.g., pointer handling) or by qualiied veriication of language integrity rules (e.g., typing, causality). 41.4.2.4 Model Review and Simulation As a complement to veriication ensured by syntax and semantic checks, model review, analysis, and simulation are used for veriication of the following: • A-4.1: Compliance of the model to its HLR (simulation is well suited to veriication of dynamic aspects). • A-4.5 and A-4.12: Conformance to modeling rules that the user has added (if any) to the predeined (imposed) rules of the language reference manual. • A-4.6: Traceability to the model’s HLR. • A-4.7: Algorithms accuracy (simulation is well suited to dynamic aspects). • A-4.8: Compatibility of architecture with HLR. • A-4.9: Consistency of interface with non-Scade sotware. • A-4.3 and A-4.10: Preliminary assessment of amount of resources needed for compatibility with target computer. his is ultimately veriied during HW/SW integration testing. • Sotware partitioning (A-4.13) analysis is performed in a traditional way. Simulation cases shall be based on HLR (Figure 41.9).

41.4.3 coding Process and Related Veriication Process 41.4.3.1 coding and integration Process he coding process combines two threads (Figure 41.10): qualiied autocoding with KCG and manual coding. Both codes are compiled and integrated for building the inal sotware. KCG generates structured code suited to safety-critical embedded sotware, for instance: • • • •

Portability (target and OS independent). Readability and traceability with respect to the design. It is based on static memory allocation and contains no pointer arithmetic. It contains no recursion and has bounded loops only and bounded execution time.

41-9

Esterel SCADE Approach to MBD

FIGURE 41.9

Requirements-based model simulation.

SW design process

Textual design

SCADE modeling

Low-level requirements and architecture SW coding process

SCADE Suite KCG

Manual coding

Manual code

FIGURE 41.10

Coding process overview.

Generated code SW integration process

Integrated executable

41-10

Avionics Development: Tools, Techniques, and Methods

41.4.3.2 Source code Veriication he qualiication of KCG at TQL-1 (development tool for level A in DO-178B) saves human review of the source code with respect to objectives of table A-5: A-5.1 Source code complies with LLR. A-5.2 Source code complies with sotware architecture. A-5.3 Source code is veriiable. A-5.4 Source code conforms to standards. A-5.5 Source code is traceable to LLR. A-5.6 Source code is accurate and consistent. Veriication of output of integration process is done traditionally.

41.4.4 testing here is an eicient approach consisting in sharing requirements-based veriication cases between model simulation and testing. he qualiied test environment (QTE) allows running these shared veriication cases both for model simulation, for target testing and for the model coverage analysis (Figure 41.11). In all cases, the actual sotware response is compared to the expected response, which is included in the veriication cases that are developed and veriied with independence. HLR-based tests are irst developed. Wherever possible, they are also used to cover nonderived LLRs. Dedicated low-level tests need to be developed for derived LLRs (if any), since by deinition they are not traceable (their accidental coverage by HLR tests would have no value). LLR coverage analysis and resolution are used in order to detect insuicient testing, inadequate HLRs, and dead/deactivated/unintended model elements. his analysis is supported by SCADE model test coverage (MTC). Scade model coverage criteria are designed in order to support accurate analysis of data low and control low coverage of the LLRs contained in the model. his analysis addresses both ine-grain coverage of primitive constructs (e.g., MC/DC, time operators) and activation of libraries functionality (e.g., watchdog iring, ilter reset). In addition to the primary purpose of MTC, which is LLR coverage analysis, there is a secondary beneit: KCG preserves coverage from model to code and MTC analyzes structural code coverage with traceback to the code . his allows the user to concentrate in analyzing coverage at the model level rather than at code level.

MTC Model

SCADE simulator Qualified test engine

Test Test cases

RTRT LDRA …

FIGURE 41.11

Model coverage

Uniied requirements-based simulation and testing.

Test Results (Pass/Fail)

41-11

Esterel SCADE Approach to MBD

41.5 ScADe Aeronautics Applications SCADE has been irst qualiied as level A development tool in 1999 for the autopilot of the Eurocopter EC 135. Since then, it has been deployed on more than 100 diferent airborne equipments including but not limited to: • • • • • • • •

Autopilot and light control systems Braking and landing gear systems Cockpit display systems FADEC Flight warning systems Fuel management systems Navigation, guidance, and inertial units Electrical load management

41.6 Summary and conclusions Experience has shown that MBDV is an eicient means to achieve high integrity at reduced cost when combining the following: • First of all, a real understanding of the principles of DO-178B/C with an appropriate application to MBDV. his was irst done in the frame of DO-178B and is now transposed into DO-331 (MBDV supplement to DO-178C and DO-278A). We would like to stress that a model is no more no less than other development lifecycle data: there is no mystery; there shall be no less rigor. • Use of an application-oriented language with a formal basis. • Qualiied model semantic check. • Qualiied code generation. • Uniied simulation and testing with model coverage analysis.

Glossary Acronym FADEC HLR HW LLR KCG MBDV MTC QTE Scade SCADE SW UML

Deinition Full authority digital engine controller High-level requirement Hardware Low-level requirement SCADE qualiiable code generator Model-based development and veriication Model test coverage Qualiied test environment Scade language Safety-critical application development environment Sotware Uniied modeling language

41-12

Avionics Development: Tools, Techniques, and Methods

References [DO-178C] Sotware Considerations in Airborne Systems and Equipment Certiication, RTCA DO-178C, RTCA Inc, 2012. [DO-248C] Final report for clariication of DO-178C Sotware Considerations in Airborne Systems and Equipment Certiication, RTCA DO-248C, RTCA Inc, 2012. [DO-330] Sotware Tool Qualiication Considerations, RTCA DO-330, RTCA Inc, 2012. [Benveniste et al., 2003] A. Benveniste, P. Caspi, S.A. Edwards, N. Halbwachs, P.L. Guernic, R. de Simone, he synchronous languages 12 years later, Proceedings of the IEEE, 91(1): 64–83, January 2003. [Halbwachs, 1991] N. Halbwachs, P. Caspi, P. Raymond et Daniel Pilaud, he synchronous datalow programming language Lustre, Proceedings of the IEEE, 79(9):1305–1320, September 1991.

42 Model Checking Tingting Hu Institute of Electronics, Computer and Telecommunication Engineering and Polytechnic University of Turin

Ivan Cibrario Bertolotti Institute of Electronics, Computer and Telecommunication Engineering

42.1 Introduction ....................................................................................42-1 42.2 Promela Modeling Language......................................................42-2 Processes • Variables and Data Types • Expressions, Statements, and heir Execution • Control Statements • Channel Operations • Property Speciication

42.3 Spin Usage Notes ............................................................................42-8 Spin Veriication Flow • Performance Hints

42.4 Example ..........................................................................................42-12 Interactive Consistency Protocol • Modeling the Protocol • Analysis Results

References ..................................................................................................42-20

42.1 introduction Model checking [5] is a widespread formal veriication technique aimed at evaluating the properties of a complex system. In recent years, the general approach of model checking has been applied to a broad spectrum of application areas, ranging from hardware components design to sotware and system engineering. To limit the scope of the discussion, in the following, we will focus exclusively on the veriication of concurrent, distributed sotware systems. In this domain, one of the most prominent tools is the Spin model checker [1,10], and this chapter is focused on it. Like virtually all other model checkers, Spin requires and works on a model of the system under analysis and a property to be veriied, both speciied by means of a suitable formal language. Informally speaking, Spin aims at proving that the property of interest holds by systematically exploring every possible state the system under analysis can reach during its execution, starting from its initial or starting state. Collectively, these states are called the state space of the system. Each individual state is represented by a state vector, which contains all the information to fully characterize that state, for example, state variables. he system transitions from one state to another by means of elementary computation steps. he possible computation steps originating from a given state are speciied by the model. herefore, a path from the starting state up to a inal state, in which no more transitions are possible, represents one of the possible inite computations the system can perform. Ininite computations are also possible, if the path contains a cycle. Unless the model speciies a strictly sequential system, many diferent computations are possible, leading to diferent results. In its original form, and unlike other model checking tools, Spin does not include time as a native concept. When this concept is needed, it must be modeled explicitly, for instance, by introducing additional state variables to keep track of time. A notable example of model checker that directly supports the concept of time, by means of the timed automata formalism [4], is Uppaal [3,7]. Spin itself has been extended to support discrete time, too, leading to DTSpin [8]. 42-1

42-2

Avionics Development: Tools, Techniques, and Methods

Similarly, Spin is only able to assess whether or not a certain state can be reached in the computation. Other model checkers, for instance, Prism [2,15], allow the users to specify a probability for a transition to occur, and hence, they are also able to calculate the probability of the system reaching a certain state. In both cases, the price to be paid to have a richer model is oten a loss of performance in the veriication. he goal of this chapter is to give an overview of how Spin works and a short example of its application. It  is structured as follows: Section 42.2 briely describes the Spin input languages, for instance Promela [9,6]. hen, Section 42.3 provides more details on the veriication low and gives some hints to improve performance. Lastly, Section 42.4 contains a practical example on how it is possible to model and verify a couple of interesting properties of a simple communication protocol. he last section contains a small number of references that can be useful as a starting point for further reading.

42.2 PROMELA Modeling Language his section provides a general idea about the structure of the Promela modeling language, whose syntax is similar to the C programming language [13]. he description will be given informally for the most part and should be taken as a starting point to thoroughly learn the language. Additional information can be found in more specialized textbooks, for instance, [9,6].

42.2.1 Processes he concept of concurrency is expressed by means of processes in Promela. For example, in a distributed system, a node can be represented as a set of processes, modeling functions of interest performed by that node. Processes can execute concurrently and, hence, interleave with each other. For this reason, processes are the main component in a Promela model. hey contain all the executable statements of a model and can be declared by means of the proctype keyword: proctype P() {

}

Previously, P is the name of the process, and is a list of parameters, which is optional, while is a sequence of statements constituting the body of the process. Here and in the following examples, the notation (with angular brackets) is used as a placeholder for parts of code that are not shown. Unlike in the C language, statements within a sequence are separated (but not terminated) by a semicolon. Processes declared as in the previous text must be instantiated explicitly, zero or more times, by means of the run operator, that is to say, the run keyword followed by the name of a process and its instance parameters, if appropriate. An alternative way of process declaration makes use of the active keyword: active [] proctype P() {

}

With the active keyword, the process will be instantiated implicitly at veriication start-up. However, in this case, the process cannot have any parameters. By specifying a positive integer value , the same process can be instantiated times, but all instances will be identical. If [] is omitted, the number of instances of P defaults to one. If necessary, a special process called init can also be declared as follows: init {

}

42-3

Model Checking

he init process, if declared, is always the irst process to be instantiated. It is typically used to instantiate other processes and initialize global variables in a more complex way than simply giving them a ixed, predeined initial value.

42.2.2 Variables and Data types Variables are the most basic elements in the Promela language and they are typed. Table 42.1 lists all basic data types supported in Promela. Data type representation on a given architecture depends on the underlying C compiler, as it will be better explained in Section 42.3.1. Table 42.1 gives the range of numeric data types on a typical 32-bit architecture. he main factor afecting the choice of which data type to use for a certain numeric variable is a compromise between its range requirements and the size of the state vector. It should also be noted that some data types, which are common in other programming languages, are not available in Promela, such as characters, strings, pointers, and loating-point numbers [9]. In terms of scope, variables can be classiied into local variables and global variables, depending on where they are declared with respect to processes. If a variable is declared within a process, then it is local to that process and it is private, that is, it cannot be referenced outside that process. On the other hand, if a variable is declared out of all processes, then it is global and it is shared among them. Variables can be declared as follows: byte x = 4

his statement declares a variable named x, of type byte, and initializes it to 4. In Promela, all numeric variables are initialized to 0 by default if no initial value is given explicitly. Moreover, Promela also provides support for arrays. Array elements are of the same type, and they can be referred to by a numeric index, which indicates its position within the array. Similar to the C language, the irst element is at index zero. Arrays can be declared as follows: int a[5] = 8

In this example, int is the data type of the array elements, a is the array name, and the number within the square brackets indicates the total number of elements in this array. Only one-dimensional arrays are directly supported in Promela, but it is possible to declare multidimensional data structures using a typedef declaration, to be discussed later. If an initial value is speciied, like 8 in the example, it is assigned to all array elements. he channel is a quite useful data type for modeling concurrent and distributed systems, where nodes and communication networks can be modeled as concurrent processes and channels over which processes exchange messages, respectively. Channels can be declared as follows: chan ch = [] of {,…, }

TABLE 42.1 Summary of Basic Promela Data Types with heir Size and Range on a Typical 32-Bit Architecture Name bit bool byte short int unsigned chan

Size (Bits) 1 1 8 16 32 n ≤ 32 n/a

Range 0, 1 false, true 0, …, 255 −32768, …, 32767 −231, …, 231 − 1 0, …, 2n − 1 n/a

42-4

Avionics Development: Tools, Techniques, and Methods

In this declaration, ch is the name of a channel, and is either zero, representing a rendezvous unbufered channel, or greater than zero, which means that the channel is bufered. In turn, this afects the behavior of the send and receive operations on the channel itself, as it will be better described in Section 42.2.5. he sequence of data type names ,…, deines the message structure. It is also worth noting that the channel capacity must be taken into account when assessing the state vector size. Using a large capacity without good reasons can impair the veriication process. Generally in Promela, channels are declared as global variables. In this way, any process can send/ receive messages to/from any channel. So, somewhat contrary to their name, channels are not constrained to be point to point. Local channels are possible [6], too, but their usage is beyond the scope of this chapter. In order to make the code more readable, symbolic names can be given to values by means of an mtype declaration. For instance, mtype = {mon, tue, wed, thu, fri, sat, sun}; mtype date = fri

Internally, values of this type are represented as positive values of type byte. It should be noted that only one set of names of this type can be deined for the whole program. If symbolic names are given in multiple mtype declarations, they will all be part of the same set. he mtype type was originally introduced to use symbolic names instead of numbers to represent diferent types of messages. Compound data types can be deined by using the typedef keyword, followed by the name of the new data type and by a list of components. For instance, typedef message { mtype msg; var_1; var_2 }

declares a compound data type called message with three ields: msg, var_1, and var_2. Compound data types are especially useful, for instance, to represent the structure of a message. Individual ields within a compound data type can be referenced by the well-known C-language “dot notation.” For instance, if x is a variable of type message, x.var_1 refers to ield var_1 of x.

42.2.3 expressions, Statements, and their execution he way a Promela expression is constructed is, for the most part, the same as in the C language and most C-language operators are supported. hey are listed in Table 42.2 in decreasing precedence order; operators with the same precedence are listed together. he most important diference relates to the fact that it must be possible to repeatedly evaluate a Promela expression to determine whether or not a process is executable. Expressions are therefore constrained to be side-efect-free, that is, their evaluation must not modify the system state in any way. For this reason, unlike in C, Promela assignments are not expressions (because they change the value of the variable on their let side), and the postix increment and decrement operators (++ and −−) can be used only in a stand-alone assignment, like a++, and not in an expression. All other aspects of the expression syntax are the same as in C, except for the conditional expression operator (in which the ? operator is replaced by ->). Both individual expressions and assignments are valid Promela statements. Besides these, there are ive more control statements in Promela, to model how the computation low proceeds in a process, namely, sequence, selection, repetition, jump, and the unless clause. he sequence has already been discussed in Section 42.2.1. Among the others, only the most basic ones (i.e., selection and repetition) will be described here for conciseness.

42-5

Model Checking TABLE 42.2

Summary of Promela Operators in Decreasing Precedence Order

Operators

Assoc.

Meaning

() [] · !˜ */% +− > < = > == != & ˆ | &&

L R L L L L L L L L L

Parentheses, array indexing, field selection Negation, bitwise complement Multiplication, division, modulus Addition, subtraction Let/right bitwise shit Relational Equality/inequality Bitwise and Bitwise exclusive or Bitwise or Logical and

|| -> :

L R

Logical or Conditional expression

Before discussing control statements in detail, it is necessary to briely introduce two key concepts in Promela, that is, the executability of statements and atomicity of execution. hese concepts are extremely important because they are tied to how passive wait and synchronization—two crucial aspects of any concurrent system—are formalized in a Promela model. he basic deinition of executability is straightforward. Any Promela statement may or may not be executable in a given state. Whenever a process encounters a nonexecutable statement during its execution, it blocks (passively waits) without proceeding further, until the statement becomes executable again in a future state of the computation. he executability rules that apply to a given statement depend on the kind of statement. he rules for some kinds of statement, like expressions and assignments, are fairly simple. Namely, an expression is executable if its value is not false, whereas assignments are always executable. he executability rules for the other, more complex, kinds of statement will be given along with their description. Expressions can proitably be used to synchronize multiple processes. For example, the following fragment of code (unfortunately not completely correct, as we will see later) is an attempt to force multiple processes to enter a critical region in a mutually exclusive way: bool lock = false; !lock; lock = true;

lock = false

he reasoning behind the code is that the value of the global variable lock tells whether or not any process is within the critical region at any given instant. At the beginning, no processes are in the critical region, and hence, its initial value is false. hus, the expression !lock will not be executable when lock is true, that is, it will block any process trying to enter the critical region while another process is already inside it. When a process successfully goes beyond that expression—meaning that it is allowed to enter the critical region—it will execute the assignment lock = true (i.e., always executable) to prevent other processes from doing the same. he lock variable is reset to false when the process is about to exit from the critical region. his assignment will make the expression !lock executable and, hence, allow another process formerly blocked on it to proceed and enter the critical region. As said before, this solution to the mutual exclusion problem is not fully correct, for a reason related to the atomicity of execution. In Promela, unless speciied otherwise, only expressions and assignments

42-6

Avionics Development: Tools, Techniques, and Methods

are executed as an indivisible unit, that is, atomically. On the contrary, any sequence of statements, like the one shown before the critical region in the example, is not indivisible and its execution by a process can interleave with other processes’ activities. In our example, it is therefore possible that a process A evaluates !lock and proceeds beyond it, because lock is false at the moment. Then, before A sets lock = true in the next statement, it is possible that another process B evaluates !lock, too. As a result, both A and B are allowed to enter the critical region together, leading to a race condition, a well-known pitfall in concurrent programming. A straightforward solution to this issue, oten available at the instruction set level of modern microprocessors, is to execute both the test expression and the subsequent assignment atomically. his can be modeled in Promela by means of the following construct: atomic {!lock; lock = true}

In Promela, an atomic sequence is executable if any only if its irst statement is executable. When a process begins executing an atomic sequence, it does not interleave with any other process until either the sequence ends or a nonexecutable statement is encountered within it. In the second case, the process blocks until the ofending statement becomes executable again. At that point, execution is resumed within the atomic sequence and without interleaving, as before. It is important to remark that introducing an atomic sequence in the model is reasonable if and only if it is guaranteed that the modeled system works in exactly the same way. Otherwise, veriication results may be incorrect.

42.2.4 control Statements he concept of sequence of statements has already been introduced in Section 42.2.1 and models unconditional sequential execution. On the other hand, the selection statement models the choice among a number of execution alternatives. Its general syntax is as follows: if :: -> … :: -> fi

Overall, the selection statement is executable if at least one guard expression among , …, is true. In this case, execution proceeds with the execution of the sequence of statements that follows a true guard. he special guard else is true when no other guards in the same statement are true. When more than one guard is true, a nondeterministic choice exists among the corresponding sequences of statements and all the possible execution paths will be considered during veriication. For instance, when both i and j are 1, the following fragment of code speciies a nondeterministic choice between the two assignments. As a result, k can be set to either 1 or 2, and veriication will consider both possibilities: if :: i == 1 -> k = 1 :: j == 1 -> k = 2 fi

This concept is particularly important, because nondeterminism appears in all sorts of systems of practical interest. For instance, even in a very simple distributed system, a node may have to react to a number of external events. A suitable way to model this behavior is, therefore, a selection statement

Model Checking

42-7

in which the guards check whether or not a certain event has occurred and the related sequences of statements contain the reactions. It is of course quite possible that several events occur roughly together, and hence, the exact order in which they are handled cannot be uniquely determined in advance. In all these cases, it is crucial that the veriication process considers all possible orders, instead of just one or some, to get reliable results. he syntax of the repetition statement is quite similar to the selection statements, with the keywords if and fi replaced by do and od, respectively: do :: -> … :: -> od

Execution proceeds in the same way for the most part, with the important diference that, ater a certain sequence of statements has been executed, execution goes back to the beginning of the repetition statement itself, leading to a loop. Within the repetition statement, the keyword break can be used to abandon the loop and execute the next statement.

42.2.5 channel operations Statements and functions associated with communication channels, mentioned in Section 42.2.2, can roughly be divided into two groups, that is, send/receive and channel status operations. Although all kinds of send and receive statements available in Promela perform message transmission and reception through a communication channel as their primary goal, they difer in a few very important aspects. he most basic form of the send (!) and receive (?) statements is as follows: ch ! , ..., ch ? , ...,

he send statement evaluates the expressions , …, and sends their values as a message through channel ch. he corresponding receive statement receives a message from channel ch and assigns the values found in it to the sequence of variables , …, . In both cases, the number of expressions and variables, as well as their type, must match the channel declaration. In a receive statement, the special variable _ (underscore) means that the corresponding value shall be discarded. If ch is a rendezvous channel—that is, it has a capacity of [0]—the send statement becomes executable when another process reaches the receive statement and vice versa. At this point, data transfer between the two processes takes place atomically. On the other hand, when ch is bufered and has a capacity for [k] messages, with k > 0, the send statement is executable as long as the channel holds less than k messages, that is, it is not full. Symmetrically, the receive statement is executable if the channel holds at least one message, that is, it is not empty. Other, more powerful variants of the send and receive statements exist. hey are able to store and retrieve messages into and from a bufered channel in an order that is not necessarily irst in, irst out (FIFO). In addition, a nondestructive receive statement, which does not remove the message from the channel, is available. Several expressions check the number of messages stored in a bufered channel and can be used as guards to execute a certain operation only if, for instance, the channel is not empty. Last, a polling receive expression has a syntax similar to a receive statement. It is true if and only if the corresponding receive statement could be executed without blocking. As the previous ones, this expression is mostly used as a guard.

42-8

Avionics Development: Tools, Techniques, and Methods

42.2.6 Property Speciication When the model is ready, properties expressing requirements on the behavior of the system should be speciied. Ater that, the model checker can be used to check if the properties hold on the model. Simple correctness properties, for instance, mutual exclusion, can be speciied by means of an assertion of the Promela language: assert()

Assertions can be placed anywhere between two statements in the model. he is evaluated when the assertion is encountered during state space exploration and an assertion failure (i.e.,  being false) leads to a veriication error. Since an assertion is checked only in a speciic location of a speciic process, it lacks the ability to evaluate global properties regardless of what processes are executing, for example, absence of deadlocks. Complex properties like those can be speciied by means of a higher-level formalism, namely, linear temporal logic (LTL) [19] formulae. In its simplest form, an LTL formula can be built from the following elements (Spin syntax shown in parentheses; refer to [16] for a thorough treatment of this topic): • Atomic propositions. Any Boolean Promela expression is a valid atomic proposition in LTL. • Propositional calculus operators, such as not (!), and (&&), or (||), implication (->), and equivalence (). Atomic propositions can be combined by means of propositional calculus operators to get propositional calculus formulae. • Besides, temporal operators, such as always ([]) and eventually (), can be applied to the previous two elements to specify temporal features. LTL formulae can be automatically translated to Promela code before veriication and can become part of the model being veriied as a never claim. As an example, the following LTL formula speciies that, along a computation, it will always be true that if F is true, then it implies that sooner or later G will eventually be true: [](F -> G)

he example highlights an important distinction between atomic propositions and can propositional calculus formulae, on the one hand, and temporal operators on the other. Both atomic propositions and propositional calculus formulae can be evaluated by looking only at a single state in the computation. Instead, the evaluation of temporal operators involves looking at future states in the computation. In the previous example, whenever there is a state within which F is true, it is necessary to examine the following states to see whether there is a state within which G is true.

42.3 SPIN Usage notes 42.3.1 SPIN Veriication Flow Starting from a model, Spin can perform two diferent activities: simulate the system behavior in various ways and verify whether or not a property holds by means of state space exploration. Simulation is especially useful when developing and debugging a model but will not be discussed in detail here, whereas veriication is usually the main, ultimate users’ goal. he basic Spin veriication low is enumerated in the following and is shown in Figure 42.1: • he main input of Spin consists of the model and the property to be veriied, both shown as light gray boxes in Figure 42.1. Both the model and simple properties, like assertions, are speciied directly in Promela. • More complex properties are speciied in LTL, and as explained in Section 42.2.6, they must be translated into a Promela never claim before use. he translation is done by Spin itself, when invoked with either the -f or the -F command-line option.

42-9

Model Checking

Graphical front end

Model (P)

Verification report

Simple property (P)

Verifier (executable)

Complex property (P)

Complex property (LTL)

spin -f

Input

FIGURE 42.1

Verifier (C code)

Trail

spin -a

C compiler

Intermediate files

Execution Output

Simpliied view of the Spin veriication low.

• When both the model and the property to be veriied are available, Spin generates the veriier, that is, a C-language program that will carry out the veriication. In order to do this, it must be invoked with the command-line option -a. • he veriier source code is compiled into an executable program by means of the native C compiler of the computer on which the veriication will run. Traditionally, the veriier is called pan. • he veriier is then run to produce a veriication report and, possibly, a trail. Both outputs are shown as dark gray boxes in Figure 42.1. he veriication report summarizes the outcome of the veriication and the trail contains the full details about counterexamples, if some were found. Most oten, Spin is not invoked directly by the user, but through a graphical front end. Besides ofering a more user-friendly interface to the tool, front ends also provide other useful functions. In particular, they are able to postprocess Spin textual output and present it in a more convenient form. A typical example is the generation of a detailed message sequence chart (MSC) [14] derived from the Spin trail. he MSC is very useful to truly understand a counterexample, because it lists in an intuitive, graphical form the computation steps and message exchanges leading to the violation of the property being veriied. Several diferent front ends exist, with diferent levels of sophistication and supporting a variety of operating systems. More details can be found in [1]. In addition, Spin itself is able to perform a certain amount of trail postprocessing, when invoked with the -t option. Of special interest is a simulation mode, in which the simulator is forced to follow the trail leading to a counterexample. his feature, used in conjunction with the graphical display of variables and communication channels contents ofered by most front ends, oten sheds more light on the counterexample itself.

42.3.2 Performance Hints Time and memory resources to be used during veriication are always a critical issue, common to all model checkers. his is because veriication is assumed to be done over the whole state space and it is quite easy to get state space explosion. Although it is impossible to fully describe how Spin works internally in a little space—see [9] for an authoritative reference on this topic—some high-level information is oten useful to use it more efectively.

42-10

Avionics Development: Tools, Techniques, and Methods

As deined in Section 42.1, a state is represented as a state vector. In particular, it consists of values of global and local variables, including channels, and location counters, which indicate where each process currently is in its execution. On the one hand, nondeterminism and interleaving are important aspects to be modeled for concurrent and distributed systems. On the other hand, they can signiicantly afect the size of the state space. For example, chan c = [N] of {byte}; active proctype fill() { do :: c ! 1 :: c ! 0 od }

In the previous listing, the fill process ills channel c with N byte-sized values, chosen in a nondeterministic way, and then blocks because the channel bufer is full. During an exhaustive state space exploration, the number of states x grows exponentially with N, that is, x ≃ 2N +1. his is because, just considering the channel variable c, the content of its bufer goes from being completely empty (at the beginning of veriication) to being completely full (at the end), and at any step, it can contain any sequence of values, from all 0s to all 1s. In order to perform an exhaustive search, it is necessary to consider and check the property of interest in all these states. It is not the case that the whole state space is built all at once, and then veriication is carried out on it. Instead, state vectors are calculated on the ly and stored into a hash table. Namely, when storing a state vector, a hash function is applied to calculate an index that indicates the position where the state vector should be stored within the table. If there is already a state vector stored in that position, and it is not the same as the current one, a hash conlict occurs. In this case, the new state vector is stored elsewhere and linked to the existing state vector through a linked list. By intuition, as the number of hash conlicts increases, storing a new state becomes less eicient, because the linked lists grow. As a consequence, more time is required to linearly scan the lists, in order to check whether or not a certain state vector is already in the table. Veriication is the process to check whether a given property holds in each state. As a consequence, if a state has already been checked, there is no need to check it again. Let us assume that the veriication is currently considering a certain state, and it is about to execute a statement. Ater execution, the values of some variables in the model may change. his leads to another state, namely, a state transition happens. What Spin does next is to look into the hash table. If the new state has not been stored yet, then it checks whether the property holds on that state. If it does, Spin stores the state vector into the hash table, otherwise Spin just found a counterexample, that is, a point of the state space in which the property does not hold. If the state has already been stored in the table, it is a proof that the property holds on that state. here is no need to store it again and the program can move to the next step. Overall, during veriication, Spin keeps storing state vectors into the hash table and looking up newly created state vectors to see whether or not the corresponding states have already been visited before. his process may be highly time and memory consuming, depending on a lot of diferent aspects. For instance, if the quality of the hash function is not good enough, it is possible to have long linked lists somewhere in the hash table, whereas other parts of the table are still empty. When trying to improve the performance of Spin, the goal is to achieve the best trade-of between speed and memory requirements. More speciically, speed depends on many factors, such as how large the hash table is, how efective its management algorithms are, and how eicient Spin is in updating and searching it. However, speed improvements in most cases have some impact on memory requirements.

Model Checking

42-11

his topic can be addressed in diferent ways and at diferent levels, starting from the model itself down to tune how some Spin algorithms work internally: • Writing eicient models. More eicient models can be developed by carefully considering which aspects of a model have a bigger efect on state vector size and on the number of states. For instance, using as few concurrent processes as possible, enclosing sequences of statements into atomic sequences when possible, and introducing nondeterministic constructs only when necessary considerably reduce the number of distinct states to be considered during veriication. Similarly, in order to reduce the state vector size, it is useful to keep the amount of channel bufer as small as possible and declare numeric variables with the narrowest size compatible with their range requirements. he approaches mentioned earlier will improve the performance in terms of both memory and time, because less space will be required to store states and state comparison will be faster, too. On the other hand—as discussed in Section 42.2.3 for atomic sequences—special care is necessary to make sure that the simpliied model is still a faithful representation of the real system or, at least, the side efects of the simpliication are well understood. • Allocating more memory for the hash table. As discussed earlier, the time spent walking through the linked list associated with a hash table entry is signiicantly higher than the time spent on calculating its index. If more memory is allocated for the hash table, the probability to have hash conlicts will usually be reduced and the veriication time will improve. However, in this case, we need to sacriice memory for eiciency. Another important point to consider is that, in any case, the hash table must it in the physical memory available on the machine Spin is running on. Although most operating systems do provide an amount of virtual memory that is much bigger than the physical memory, the overhead associated with disk input/output operations due to virtual memory paging would certainly degrade Spin’s performance more than hash conlicts. his is especially true because paging algorithms rely on memory access predictability (or locality) to achieve good performance, whereas hash table accesses are practically pseudorandom and, hence, very hard to predict. • Compressing state vectors. State vectors of several hundred bytes are quite common. Instead of storing them as they are, it is possible to compress them. In this case, the memory they require will be smaller. However, more time will be spent on compression whenever it is necessary to store a state vector. his option therefore represents a trade-of between memory and time requirements. • Partial order reduction. he details of partial order reduction are quite complex and fully described in [12]. Informally speaking, it may happen that, starting from a certain state, it can be proved that the execution order of several computation steps does not afect the inal state, and the diferent execution orders cannot be distinguished in any way. his may happen, for instance, when two concurrent processes are working independently on their own local variables. In this case, instead of considering all the possible execution orders and generating the corresponding intermediate states, it is enough to follow just one execution order. In some cases, this is a quite efective method since it can reduce the size of the state space sharply. • Bitstate hashing and hashing compact. Instead of allocating more memory to accommodate a large hash table, it is also possible to reduce its memory requirements. In bitstate hashing, a state is identiied by its index in the hash table. As a result, a single bit is suicient to indicate whether a state has already been visited or not. However, two diferent states may correspond to the same index, due to hash conlict. If the “visited” bit is already set for

42-12

Avionics Development: Tools, Techniques, and Methods

a certain state, when coming to verify whether the property of interest holds on a diferent, but conlicting, state, the result is positive, even if this may not be the case in reality. In other words, some parts of the state space may not be searched and it is possible to miss some counterexamples. However, if a counterexample is found, it does represent a true error. In hashing compact, instead of storing a large hash table, the indexes of visited states in that table are stored in another, much smaller, hash table. It has the same issue as bitstate hashing, because two diferent states may have the same index in the large hash table and thus collide. Both methods are quite efective to reduce the memory requirements of state storage. However, they are lossy and entail a certain probability of having a false positive in the veriication results, that is, a property may be considered true although some counterexamples do exist. he false-positive probability can be estimated and oten brought down to an acceptable level by tuning some of the algorithm parameters [11].

42.4 example In this example, it will be shown how to model and check the correctness of a simple communication protocol. he goal of the protocol—proposed and thoroughly discussed in [18]—is to enable a set of agents to pass to each other a private value, by means of a communication network, and reach an agreement on the value each agent has got. he protocol must still function correctly even if some of the agents are faulty and may send fake messages. he speciic protocol being discussed was originally developed to address a few important design issues in the sotware implemented fault tolerance (SIFT) fault-tolerant computer for aircrat control [20]. Many of its ofspring are still very relevant and widespread in avionics and other fault-tolerant systems.

42.4.1 interactive consistency Protocol he protocol and the proof of its correctness presented in [18] are based on the following assumptions: a set of n agents is considered, and it is known that at most m of them are faulty. Agents communicate by means of point-to-point messages sent through a perfect network, which never drops, alters, or duplicates messages. Faulty agents are allowed to send messages with whatever content they wish, but it is assumed that the recipient can always identify the true sender of a message. In other words, faulty agents cannot lie about their identity on the network. It is also assumed that faulty agents will nevertheless send all the messages required by the protocol. Otherwise, a time-out mechanism on the receiving side would detect their failure. Under these hypotheses, the protocol guarantees that, for any n ≥ 3m + 1, each nonfaulty agent will be able to compute an interactive consistency vector of n elements, that is, a vector containing one element for each agent in the system. he interactive consistency vectors computed by the nonfaulty agents have the following two properties: 1. hey are exactly the same. 2. he vector element that corresponds to a nonfaulty agent A holds the private value of A. It should be noted that the element that corresponds to a faulty agent F may not correspond to the private value of F. However, all the vectors computed by nonfaulty agents will still have the same (albeit arbitrary) value in that element. In turn, this enables the nonfaulty agents to have a consistent, shared view of each agent’s value, including the faulty ones. For the sake of simplicity, only the simplest case of m = 1, giving a minimum value of n = 4, will be analyzed in detail. In this case, the protocol performs two rounds of message exchanges, in which each agent sends n − 1 = 3 messages. Namely, 1. Each agent sends to the others a message containing its own private value 2. Each agent sends to the others a message containing all the values it received during the irst round

Model Checking

42-13

Ater the second round, each agent Ai will therefore have 3 reports about the private value of agent Aj, i ≠ j: one from Aj itself (received during the irst round) and two more from the other two agents present in the system (received during the second round). Agent Ai will then construct its interactive consistency vector VAi based on those reports. In particular, • he element of VAi corresponding to Ai itself is set to the private value of Ai • he element of VAi corresponding to another agent Aj is set to the value contained in the majority of the reports about Aj received by Ai, if such a value exists. Else, it is set to a reserved or default value, called nil in the following Although the protocol works with private values of any kind, to further simplify modeling, it will be assumed that these values are a simple Boolean lag. his restriction does not change the protocol structure in any way.

42.4.2 Modeling the Protocol he very irst modeling step is the deinition of the data types required by the protocol agents. In this case, they are as follows: typedef buffer_t { bool agent[NA] } typedef report_t { byte i; /* Number of reports */ bool value[NB] /* Their values */ } #define nil 2 typedef result_t { byte agent[NA] } typedef results_t { result_t opinion[NA] }

Namely, buffer_t represents the message bufer used in the second round for message exchanges, report_t represents the reports about the private value of a single agent collected during protocol execution, and results_t represents the overall results of the protocol, that is, the opinion each agent has about the private value of every other agent. he compound data type report_t has two ields: he array value holds the reports themselves, while i counts how many reports have already been received and holds the index of the irst free element of value. Unlike in the other data type deinitions, the elements of results_t are of type byte instead of bool because they can assume the value nil. In the model, NA is a macro that represents the total number of agents in the system, 4 in this case, and NB is set to NA-1. To facilitate property veriication, as it will be discussed in Section 42.4.3, the results of the protocol are held in the global variable results declared as follows: results_t results;

Figure 42.2 summarizes the main data structures used by the interactive consistency protocol agents. It shows that each agent holds its private value in the local variable bool my_value, collects the reports about other agents’ values in the local array report_t reports[NA], and stores its interactive consistency vector into row id of global variable results_t results. A local variable

42-14

Avionics Development: Tools, Techniques, and Methods

results.opinion [id].agent[j]

report[j] .i

Opinion of agent id about the private value of agent j

N. of reports collected so far about the private value of agent j (2 in this case)

results_t results report[j].value[] Reports about the private value of agent j

Agent A1

Agent A0

Agent A2

Agent A3

bool my_value

report_t report[]

2

FIGURE 42.2

Main data structures used by the interactive consistency protocol agents.

buffer_t buffer also exists, but it is used only as temporary storage during the second round of message exchanges and it is not shown for clarity. hen, the communication channels among agents are declared as follows: chan c1[NA] = [NB] of {byte, bool} chan c2[NA] = [NB] of {byte, buffer_t}

Two distinct arrays of NA input channels are used: c1 for the irst round and c2 for the second. his equates to assuming that no confusion can arise between messages pertaining to diferent rounds. In each group, each input channel is uniquely associated with an agent. he channel bufers are big enough to store all the messages expected in one round, that is, NB messages. he irst message ield, of type byte, is always illed with the agent identity, in both rounds. On the contrary, as explained earlier, the structure and contents of the second ield depend on the round. he behavior of each agent is speciied by means of the following proctype deinition: proctype P(byte id) { bool my_value; report_t report[NA]; buffer_t buffer = false; byte i, j; choose_my_value(my_value); first_round(); second_round(); compute_result() }

Model Checking

42-15

In the deinition, argument id is a value that uniquely identiies each agent upon instantiation and can assume any integer value in the range from 0 to 3 included. As shown in Figure 42.2, the local variable my_value represents the private value of agent id, and report is an array holding the reports received by agent id about the private values held by the other agents. Element [id] of this vector corresponds to the agent itself and is unused. he other local variables are used as temporary storage during execution. For clarity, the deinition makes use of the inline construct, a convenient way to give a symbolic name to a sequence of statements. When the name of the sequence is found elsewhere, it is replaced by the corresponding sequence of statements, like in a macro expansion. Inline sequences may have formal parameters. In this case, they are replaced by the corresponding actual parameters during the expansion, by means of a simple textual substitution. Formal parameters are therefore not typed, and syntax and semantics checks are performed only ater expansion. For instance, the inline sequence choose_my_value is deined as follows: inline choose_my_value(v) { if :: v = false :: v = true fi }

When its body is expanded in P, the formal parameter v is replaced by my_value. he efect of the code is therefore to set my_value to either false or true in a nondeterministic way and, hence, model how each agent chooses its private value. he inline sequence first_round performs the irst round of message exchanges and is deined as follows: inline first_round() { byte source, dest; bool val; dest = 0; skip_id(id, dest); do :: (dest { c1[dest] ! id, my_value; dest++; skip_id(id, dest) } :: else break od; i = 0; do :: (i { c1[id] ? source, val; add_report(source, val); i++ } :: else break od }

42-16

Avionics Development: Tools, Techniques, and Methods

he irst repetition (do) construct sends the private value my_value of agent id to every other agent. he agent identiier currently being handled is held in variable dest. he skip_id inlined sequence (whose expansion is not shown for conciseness) increments its second argument by one if it is equal to the irst, and hence, it prevents agents from sending messages to themselves. he second repetition construct waits for the NB messages that agent id expects to receive during the irst round, by means of a blocking receive statement. Each message contains a report about the private value of another agent. he inlined sequence add_report handles it, by appending the new value val to the set of reports collected about agent source. No deadlock may come from putting the send and receive phases of the irst round in strict sequence, because the channel bufers can hold all the messages they are expected to contain during the round without blocking the sender. he same technique is used in the second round as well. he second round of message exchanges is modeled similarly. he added complexity comes from the fact that, in the second round, each message contains more than one report. Each agent gathers the reports it will send out into the variable buffer, of type buffer_t, taking them from its report variable. Since exactly one report about the value of each agent was collected during the irst round, and they were stored in the irst free element of each report_t data structure (i.e., element [0]), the report concerning agent i is retrieved from report[i].value[0]. he element [id] of buffer_t is not actually used and defaults to false, because agent id does not send reports about its own value in the second round. he initialization of buffer has been enclosed in a d_step (or deterministic step), a more restrictive form of atomic sequence, in which nondeterminism is forbidden and blocking statements are allowed only at the very beginning of the sequence. Provided these restrictions are acceptable in the model, veriication handles the whole sequence in a very eicient way, that is, as a single deterministic execution step. his is the case here because, from the protocol point of view, the buffer setup is an activity internal to each agent that cannot possibly afect any other agent. he send loop that follows is very similar to the previous one: inline second_round() { d_step { i=0; do :: (i { buffer.agent[i] = ((i==id) -> false : report[i].value[0]); i++ } :: else break od } dest=0; skip_id(id, dest); do :: (dest { c2[dest] ! id, buffer; dest++; skip_id(id, dest) } :: else break od; atomic { i=0; do

42-17

Model Checking :: (i { c2[id] ? source, buffer; j=0; do :: (j { if :: (j==source || j==id) -> skip :: else  add_report(j, buffer.agent[j]) fi; j++ } :: else break od; i++ } :: else break od } }

he receive phase of the second round is instead more complex, because each of the NB messages received by an agent contains NA-2 reports to be processed. It is therefore made of two nested repetition constructs. he outer one is executed NB times (using i as an index), and its body handles one single incoming message. he inner one is executed NA times (using j as an index) and processes message contents by means of the add_report construct discussed previously. Elements [source] and [id] of the incoming message are discarded, because agent id does not collect reports about a certain agent source from the message sent from source itself; moreover, agent id does not collect reports about itself. he receive phase as a whole is deined as an atomic sequence of statements. herefore, during veriication, it will be assumed that, ater an agent resumes execution ater receiving a message, its execution will continue uninterrupted—that is, without interleaving with other agents—until it blocks again, waiting for the next one. As explained in Section 42.3.2, this assumption speeds up veriication, because it reduces state space size, without afecting its correctness. In fact, all operations executed by an agent upon receiving a message are internal to that agent and cannot afect the others in any way. A d_step cannot be used instead, because it cannot contain any blocking statements except the irst one. he very last phase of each agent’s activity is to generate its own interactive consistency vector from the reports it got. his is modeled by the following code: inline compute_result() { d_step { i=0; do :: (i { if :: (i==id) -> results.opinion[id].agent[id] = my_value :: else -> majority_report( results.opinion[id].agent[i], report[i])

42-18

Avionics Development: Tools, Techniques, and Methods fi; i++ } :: else break od

} }

Previously, the inlined sequence majority_report stores into its irst argument the value found in the majority of the elements of its second argument. Its code is not shown here, due to lack of space. Some eicient algorithms to do this are presented, for instance, in [17]. All the interactive consistency vectors are stored in the global results data structure for analysis.

42.4.3 Analysis Results he primary goal of the analysis is to check whether or not the protocol is able to ensure that the properties of the interactive consistency vector listed in Section 42.4.1 are satisied, even if up to one agent may be faulty. Furthermore, we will look for counterexamples, that is, scenarios in which some of the properties are not satisied, when two or more agents are faulty. he second aspect of the analysis is important, too, because it may give useful hints on why a protocol or system is not working as it should and on how to improve it. In order to model faulty agents, an alternate agent model, called faulty_P, has been deined. According to the model, a faulty agent completely ignores the messages it receives and sends fake messages—whose contents are chosen nondeterministically—to the other agents. At the same time, the model relects the restrictions on faulty behavior set forth in Section 42.4.1, which were taken for granted when the protocol was designed. he properties of interactive consistency vectors have been modeled as LTL formulas. For instance, when agent A0 is faulty, the irst property can be written as [] p

where p is deined as (results.opinion[1]. agent[0] results.opinion[1]. agent[1] results.opinion[1]. agent[2] results.opinion[1]. agent[3] results.opinion[2]. agent[0] results.opinion[2]. agent[1] results.opinion[2]. agent[2] results.opinion[2]. agent[3]

== == == == == == == ==

results.opinion[2]. agent[0] && results.opinion[2]. agent[1] && results.opinion[2]. agent[2] && results.opinion[2]. agent[3] && results.opinion[3]. agent[0] && results.opinion[3]. agent[1] && results.opinion[3]. agent[2] && results.opinion[3]. agent[3])

his LTL property is true if and only if in every computation, eventually () p is always ([]) true. In turn, p is true if and only if the interactive consistency vectors of agents A1 to A3 (the good ones) are identical. Very informally speaking, this means that sooner or later in their execution, the good agents will compute identical interactive consistency vectors and they will be identical from then on, regardless of what the faulty agents may do. he second property can be modeled in a similar way and is not shown for conciseness. Other properties of interest can be speciied in a similar way. For instance, it is possible to verify that all agents conclude protocol execution, by having them set a termination lag at the end and checking that in every computation those lags are eventually set. Quite unsurprisingly, since the protocol being analyzed is known to be correct in these scenarios, Spin conirms that both properties are satisied when four agents, of which at most one can be faulty, are instantiated and their behavior is checked against the properties. On the other hand, instantiating two faulty agents (A0 and A1) along with two good ones (A2 and A3) leads Spin to ind several interesting counterexamples. Two of them will be shortly commented here.

42-19

Model Checking

A0 has T

A0 has F A0

A1

A2

A3

F T F,_,_ T,_,_ F,_,_ T,_,_

FIGURE 42.3 First counterexample: A2 and A3 have diferent views of A0’s private value, violating property 1 of interactive consistency (irrelevant messages and message ields not shown for clarity).

he irst counterexample is illustrated by the simpliied MSC shown in Figure 42.3 and derived from the Spin output trail, which lists the computation steps and message exchanges leading to the violation of the property being veriied. he messages irrelevant to illustrate how the counterexample works have been removed for clarity. In the counterexample, the two faulty agents coalize and lead the two good agents to disagree on the private value of faulty agent A0, thus violating property 1 of interactive consistency: • In the irst round, A0 sends to A2 and A3 contrasting reports about its own private value. • he anomaly would be detected during the second round, if A0 were the only faulty agent in the system, by means of the reports about A0’s value sent by the other agents. • In the counterexample, however, the other faulty agent A1 sends to A2 and A3 contrasting reports on the value it got from A0 in the irst round. Although A2 and A3 send to each other correct reports about A0’s value, this is no longer enough to ensure correctness. Namely, A2 receives two reports that A0’s value is false (F in the igure), from A0 itself and from A1. he third, minority report from A2 says that the value is true (T), but A2 concludes anyway that A0’s value is false. On the other hand, A3 receives two reports that A0’s value is true (from A0 itself and from A1) and one conlicting report (from A2), coming to the conclusion that A0’s value is indeed true. he outcome of the second counterexample, shown in Figure 42.4, is even worse because it leads good agent A3 to a false belief about the private value of the other good agent, A2. his violates the second A2 has T

I have F A0

A1

A3

A2 F

_,T,_ _,T,_

FIGURE 42.4 Second counterexample: A3 has an incorrect view of A2’s private value, violating both properties of interactive consistency (irrelevant messages and message ields not shown for clarity).

42-20

Avionics Development: Tools, Techniques, and Methods

property of interactive consistency and, incidentally, also the irst one—because the interactive consistency vectors of A2 and A3 are not identical. Namely, • In the irst round, A2 sends to A3 a correct report about its own private value, which is false • In the second round, A0 and A1 lead A3 into believing that A2’s private value is true instead, by sending it two false reports about A2’s value

References 1. Unix group of the Computing Science Research Centre of Bell Labs, On-the-ly, LTL model checking with Spin. Berkeley Heights, NJ, Online. Available at http://spinroot.com/. Accessed on March 2014. 2. D. Parker, G. Norman and M. Kwiatkowska. PRISM—probabilistic symbolic model checker. Online. Available at http://www.prismmodelchecker.org/. Accessed on March 2014. 3. Department of Information Technology, Uppsala University, Sineden and Dept. of Computer Science, Aalborg University, Denmark. UPPAAL home. Online. Available at http://uppaal.org/. Accessed on March 2014. 4. R. Alur and D.L. Dill. A theory of timed automata. heoretical Computer Science, 126(2):183–235, 1994. 5. C. Baier and J.-P. Katoen. Principles of Model Checking. he MIT Press, Cambridge, MA, 2008. 6. M. Ben-Ari. Principles of the Spin Model Checker. Springer-Verlag, London, U.K., 2008. 7. J. Bengtsson, K. Larsen, F. Larsson, P. Pettersson, and W. Yi. Uppaal—A tool suite for automatic veriication of real-time systems. In Hybrid Systems III, LNCS 1066, pp. 232–243. Springer-Verlag, Berlin, Germany, 1995. 8. D. Bošnački and D. Dams. Discrete-time Promela and Spin. In Formal Techniques in Real-Time and Fault-Tolerant Systems, volume 1486 of Lecture Notes in Computer Science, pp. 307–310. Springer, Berlin, Germany, 1998. 9. G. Holzmann. he Spin Model Checker: Primer and Reference Manual. Pearson Education, Boston, MA, 2003. 10. G.J. Holzmann. he model checker SPIN. IEEE Transactions on Sotware Engineering, 23(5):279–295, 1997. 11. G.J. Holzmann. An analysis of bitstate hashing. Formal Methods in System Design, 13(3):289–307, November 1998. 12. G.J. Holzmann and D. Peled. An improvement in formal veriication. In Proceedings of the Seventh IFIP WG6.1 International Conference on Formal Description Techniques, pp. 197–211, Berne, Switzerland, 1994. 13. International Standard ISO/IEC 9899, Programming Languages—C. International Organization for Standardization, Geneva, Switzerland, 2011. 14. ITU-T. Recommendation Z.120—Message Sequence Chart (MSC), International Telecommunication Union, Geneva, Switzerland, 2004. 15. M. Kwiatkowska, G. Norman, and D. Parker. PRISM: Probabilistic symbolic model checker. In P.  Kemper, ed., Proceedings of Tools Session of Aachen 2001 International Multiconference on Measurement, Modelling and Evaluation of Computer-Communication Systems, pp. 7–12, September 2001. VDE Verlag, Berlin, Germany. 16. Z. Manna and A. Pnueli. he Temporal Logic of Reactive and Concurrent Systems—Speciication. Springer-Verlag, New York, 1992. 17. J. Misra and D. Gries. Finding repeated elements. Science of Computer Programming, 2(2):143–152, 1982. 18. M. Pease, R. Shostak, and L. Lamport. Reaching agreement in the presence of faults. Journal of the ACM, 27(2):228–234, 1980. 19. A. Pnueli. he temporal logic of programs. In Proceedings of the 18th Annual Symposium on Foundations of Computer Science, pp. 46–57, November 1977. IEEE Computer Society, Washington, DC. 20. J.H. Wensley, L. Lamport, J. Goldberg, M.W. Green, K.N. Levitt, P.M. Melliar-Smith, R.E. Shostak, and C.B. Weinstock. SIFT: Design and analysis of a fault-tolerant computer for aircrat control. Proceedings of the IEEE, 66(10):1240–1255, October 1978.

43 Formal Methods 43.1 Introduction ....................................................................................43-1 43.2 Formal Methods Landscape..........................................................43-2 Certiication ater RTCA DO-333 • Overview of Analysis Techniques

43.3 Example Application ......................................................................43-3 Requirements for the Mode Control Panel • Requirements for Coordinating Two Panels

43.4 Deductive Methods ........................................................................43-5 PVS Veriication System • Formally Specifying the Mode Control Panel • Formally Verifying the Mode Control Panel

43.5 Model Checking ..............................................................................43-9 SPIN Model Checker • Modeling the Two-Panel Subsystem • Analyzing the Two-Panel Subsystem

43.6 Abstract Interpretation ................................................................43-13 General Characteristics • Properties Veriiable Using Abstract Interpretation

Ben Di Vito Langley Research Center

43.7 Summary ........................................................................................43-15 43.A Appendix ........................................................................................ 43-16 References ..................................................................................................43-20

43.1 introduction Formal methods provide powerful tools and techniques for modeling and analyzing sotware designs and implementations. hey make use of mathematics and formal logic to achieve high levels of assurance that sotware components have important behavioral properties or will not raise runtime errors. For safety-critical avionics, formal methods can help achieve higher degrees of sotware dependability than would be possible using only testing, simulation, and other nonformal techniques. Since the publication of the irst edition of the Digital Avionics Handbook, the ield of formal methods has experienced substantial growth. his growth has occurred in core technical capabilities, in the maturity and variety of sotware tools, and in adoption by engineers across several industries. From 2012 onward, increased recognition and acceptance by certiication authorities in civil aviation is expected to lead to higher adoption of formal methods by avionics developers. In the previous handbook edition, Sally Johnson and Ricky Butler provided a chapter on formal methods that emphasized the techniques of writing formal speciications. Although the example application from that chapter has been retained, this edition examines diferent aspects of formal methods technology. Formal modeling and speciication are still discussed, but more attention will be focused on techniques for analysis and veriication. In addition, current regulatory guidance is factored in, owing to recent favorable developments in that area. No prior familiarity with formal methods is assumed. Nevertheless, familiarity with engineering mathematics or computer science would be quite helpful. Monin and Hinchey [14] have provided a valuable survey of the mathematical and logical background used in this ield. Due to space limitations, 43-1

43-2

Avionics Development: Tools, Techniques, and Methods

speciication examples will be presented with limited explanation so that the exposition can focus on veriication methods. he example application is of modest complexity so the reader should be able to grasp the essence of the formal models without a full understanding of the language features.

43.2 Formal Methods Landscape While the technology of formal methods has advanced steadily, more recent developments of note concern avionics certiication guidance. Opportunities to use the results of formal analysis in certiication are on the rise. In addition to the obvious importance for digital avionics developers, the expected increase in applications could motivate technology developers to enhance their tools to accommodate avionics-oriented users.

43.2.1 certiication after RtcA Do-333 Formal methods have been available for use by digital avionics developers as an aid in creating dependable designs and implementations. heir use to support certiication, however, has been limited to special cases where an “alternative means of compliance” would be permitted ater suicient justiication has been provided. his deliberately modest endorsement in DO-178B relected the technological immaturity of formal methods in the early 1990s. Consequently, formal methods have yet to assume any signiicant role in the certiication process. Recent events promise to change the outlook. In January 2012, RTCA and European Organization For Civil Aviation Equipment (EUROCAE) released several documents, products of RTCA Special Committee 205 (SC-205) and EUROCAE Working Group 71 (WG-71), that are key to the future of certiication of avionics sotware. Foremost among these are DO-178C (ED-12C), Sotware Considerations in Airborne Systems and Equipment Certiication, and DO-278A (ED-109A), Sotware Integrity Assurance Considerations for Communication, Navigation, Surveillance, and Air Traic Management (CNA/ATM) Systems. As the long-awaited successors to DO-178B and DO-278, these documents provide updated guidance for developers of airborne and ground-based sotware. SC-205 and WG-71 also created four supplements to accompany DO-178C and DO-278A. One of these, Formal Methods Supplement to DO-178C and DO-278A, has been published as RTCA document DO-333 [21]. he corresponding EUROCAE document is ED-216. For the irst time, avionics developers will have extensive guidance on applying formal methods technology to produce evidence that certiication authorities can accept for certiication credit. his will provide a pathway for the gradual introduction of formal methods into the development life cycle and the eventual certiication of aircrat and engines whose sotware airworthiness is assured (in part) by formal methods. Much of DO-333 is concerned with how formal methods can be used to satisfy relevant certiication objectives in DO-178C and DO-278A. DO-333 neither endorses nor restricts the types of formal methods that might be suitable for generating certiication evidence. It does, however, stipulate that an analysis method can only be regarded as formal if its determination that a property holds is sound. A sound analysis is deemed to be one that never asserts a property to hold when it does not. he converse, asserting a property fails to hold when it does, is acceptable, albeit undesirable. An outcome such as this is regarded as merely a “false alarm.”

43.2.2 overview of Analysis techniques In the 1990–2010 time frame, formal methods experienced substantial growth by almost every measure. his includes the variety of modeling and analysis techniques, the number of researchers and practitioners, the number and maturity of sotware tools, and the record of successful applications in project settings. In one industry, namely, commercial digital electronics, formal techniques and specialized tools to support them have been adopted as standard practices in the design worklow. In this chapter, we describe only a small subset of current analysis techniques. We will irst sketch the three broad categories of formal methods cited in DO-333: (1) deductive (theorem-proving) techniques, (2) model checking, and (3) abstract interpretation. Later, we will choose a representative tool from the irst two categories and focus on their capabilities, illustrated via examples.

Formal Methods

43-3

Most formal methods need to have formal models or speciications to work from. Normally, these are written by users. In some cases, models and other formalizations are extracted directly from source code in an automated fashion. he techniques have diferent approaches to modeling, but they all share an underlying reliance on formal logic(s) and a formalization of some mathematical domains. Where they exhibit greater diferences is in the analysis and veriication techniques that form the heart of their methodologies. Key characteristics of the DO-333 analysis categories mentioned earlier can be summarized as follows: • Deductive techniques establish the truth of explicitly stated properties using a theorem-proving system. Properties are typically expressed in the same notation as the formal models. heorem provers can be either automatic or interactive. In both cases, users need to understand the underlying logical formalism to construct proofs efectively. • Model checking makes use of eicient exploration of large state spaces to verify properties of formal models. Most models are based on state transition systems of various kinds. An important tool feature is the ability to generate counterexamples or other diagnostic information in response to failed veriication attempts. • Abstract interpretation relies on formalized semantics of programming languages to analyze properties over abstract domains. he technique is normally realized through sound algorithms that examine source code to ascertain whether various predeined properties hold. Tools usually take the form of static analyzers for mainstream programming languages. Not all analysis tools and techniques can be classiied to it these categories neatly. Some involve the hybrid application of multiple techniques. Others provide core deduction capabilities that are not seen as end user tools but more as components to be incorporated in other tool suites. An example is the category of satisiability modulo theories (SMT) solvers. hese tools accept logical formulas and apply disparate deduction algorithms knitted into a framework called SMT. SMT-based techniques are making rapid progress and are appearing as key components in several veriication tools. Another distinction in analysis tools is whether they act on formal models or act directly on program source code. his latter category is enjoying greater success and renewed interest. Signiicant tools in both the model checking and abstract interpretation categories are capable of analyzing source code. Moreover, deductive techniques originated from the study of “program veriication” in the 1970s, which advocated program proving as an analog to unit testing. Although we will not have an opportunity to illustrate these techniques in this chapter, this category is likely to expand in future years.

43.3 example Application We will demonstrate two diferent formal techniques using a highly simpliied but representative avionics subsystem. he following mode control panel (MCP) is based loosely on features found in early Boeing 737 autopilots. While newer aircrats use more sophisticated light management systems, the core elements of modes, displays, and controls are still relevant. Informal sotware requirements are presented in the succeeding text in a form similar to what sotware developers oten encounter in practice (minus the “shall” verbiage). Readers might wish to skim over some requirement details and return to them later when examining the formal models.

43.3.1 Requirements for the Mode control Panel he following speciication for the MCP focuses on a limited aircrat function and its pilot interface. Other interfaces and commands that would be needed in a real design are omitted for brevity’s sake: 1. he MCP contains four buttons for selecting modes and three displays for dialing in or displaying values, as shown in Figure 43.1a. he system supports the following four modes: (a) attitude control wheel steering (att_cws), (b) light path angle select (fpa_sel), (c) altitude engage

43-4

Avionics Development: Tools, Techniques, and Methods

att_cws

cas_eng

fpa_sel

alt_eng

Commands

Commands

MCP

MCP

ALT FPA CAS (a)

FIGURE 43.1

2.

3.

4.

5.

6. 7.

(b)

MCP selector

MCP: (a) pilot interface and (b) dual-panel coniguration.

(alt_eng), and (d) calibrated air speed (cas_eng). Exactly one of modes (a)–(c) should be engaged at all times. Mode (d), cas_eng, can be engaged at the same time as any of the others. he pilot engages a mode by pressing the corresponding button on the panel. Engaging any of the modes (a)–(c) disengages the other two. hree displays lie on the panel: altitude (ALT), light path angle (FPA), and calibrated air speed (CAS). he displays usually show the current values for these quantities. he pilot can, however, enter a new value by dialing the knob next to the display to choose a target or “preselected” value for the aircrat to attain. For example, to climb to 25,000 feet, the pilot dials 25,000 into the ALT display and then presses the alt_eng button. Once the target is reached or the mode is disengaged, the display reverts to showing the “current” value. If the pilot dials in an ALT that is more than 1200 feet above the current ALT and then presses the alt_eng button, the ALT mode will not directly engage. Instead, alt_eng mode changes to “armed” and fpa_sel mode becomes engaged. he pilot must then dial in an FPA for the light control system to follow until the aircrat attains the desired ALT. fpa_sel mode will remain engaged until the aircrat is within 1200 feet of the desired ALT, ater which the alt_eng mode engages. he CAS and the FPA values need not be preselected before the corresponding modes are engaged— the current values displayed will be used. he pilot can dial in a diferent target value ater the mode is engaged. Conversely, an ALT must be preselected before pressing the alt_eng button; otherwise, the command is ignored. he cas_eng and fpa_sel buttons toggle on and of every time they are pressed. In contrast, if either the att_cws or alt_eng button is pressed while the corresponding mode is already engaged, the button is ignored. Whenever a mode other than cas_eng is engaged, all other preselected displays should be returned to their current values. If the pilot dials in a new ALT while the alt_eng button is already engaged or armed, then the alt_eng mode is disengaged and the att_cws mode is engaged. If the alt_eng mode was armed, then the fpa_sel should be disengaged as well.

43.3.2 Requirements for coordinating two Panels he MCP example can be extended by postulating a dual-panel arrangement to support two pilots. he following speciication stipulates a minimal capability along these lines: 1. here will be two MCPs, one for each pilot, as shown in Figure 43.1b. Only one panel can be active at a time. Only commands issued on the active side will have the efects described in Section 43.3.1. Commands issued on the passive side will be ignored.

Formal Methods

43-5

2. Communication channels will exist for the two panels to exchange information. Ater each pilot command is processed, the active panel will forward any resulting state changes to the other panel. he passive panel will accept these updates and keep its state information current. It will also update its three displays (ALT, FPA, and CAS) so that both pilots will be able to see the current values. 3. A switch or other control mechanism available to the crew will be provided to choose when the passive side should become active. When the switch is operated to initiate a changeover, a deactivate signal will be sent to the currently active panel. For a brief instant during the changeover, it is possible that neither panel will be active. 4. When the currently active panel receives the deactivate signal, it irst completes any command processing that might be underway and then disables its command processing functions. Next, it notiies the other panel that it should now assume the role of the active panel. On receiving this notiication, the passive panel immediately enables its command processing functions.

43.4 Deductive Methods Historically, deductive techniques were the original formal methods, dating back to the late 1960s. he other types of formal methods were introduced later in response to theoretical advances that made them possible. heorem proving has existed as an organized academic discipline since the 1950s. In the early days, theorem proving was mostly of interest to artiicial intelligence researchers. Its application to formal methods arose in the early 1970s as the use of mathematical logic to reason about program behavior began to gain traction with researchers. Today, there are relatively few formal veriication tool suites organized around major theorem-proving systems. Two of the more signiicant tools in the United States are prototype veriication system (PVS) [17,18] (described in the next section) and a computational logic for applicative common lisp (ACL2) [11]. In Europe, the Coq [10], Isabelle [19], and higher order logic (HOL) [7] systems are popular. Most make use of a higher-order logic. ACL2 uses a more restrictive logic; in return, it ofers fully automated proofs. he other systems opt for greater theoretical power at the expense of requiring users to carry out proofs interactively. hey are oten said to represent a “heavyweight” style of formal methods. A number of smaller research eforts that ofer more automated veriication using weaker logics are currently under study. Many of these eforts are built around SMT solvers.

43.4.1 PVS Veriication System PVS was introduced by SRI International in 1992. It features an interactive theorem prover for a typed form of classical higher-order logic. he speciication language, also called PVS, is based on a syntax similar to modern programming languages. he PVS user interface is implemented using the Emacs text editor as a front end to the proof system. hrough the Emacs interface, users manage and edit iles, submit analysis and veriication commands, and carry out all other system interactions including interactive proving. PVS is available from SRI International as open-source sotware. A user group at NASA Langley Research Center has compiled a substantial collection of PVS libraries [15] covering various mathematical domains as well as several theories speciic to computing. Other PVS users have constructed libraries and made them available to the user community. Some have been incorporated into the NASA Langley collection.

43.4.2 Formally Specifying the Mode control Panel In the previous handbook edition, Johnson and Butler illustrated the process of developing formal speciications using the MCP example. In this chapter, our focus is to describe several analysis techniques, which precludes a detailed discussion of the modeling task. Readers wishing to understand

43-6

Avionics Development: Tools, Techniques, and Methods

the reasoning behind the PVS model can consult the previous handbook chapter. We use the same example here with only minor modiications. he MCP requirements described in Section 43.3.1 have been modeled in PVS as shown in Section 43.A.1. In PVS, the basic modular unit is called a theory. hree theories are included: defs, tran, and panel. he irst theory (lines 1–24) introduces types needed to describe the interface, commands, and internal state of an MCP. he second theory (lines 26–115) formalizes the state transition function, which captures high-level design details, namely, how the MCP responds to commands and other inputs. he inal theory (lines 117–160) formalizes some of the requirements expressed informally in Section 43.3.1. To accomplish this, it introduces a constraint on valid initial states, a trace notion used to express invariant properties, and two invariants that are to be proved about the model. In theory tran, the function nextstate (lines 101–113) plays the key role in formalizing the transition relation for the state machine model: Sn+1 = nextstate(Sn, e). he preceding deinitions in that theory handle the speciics for each type of input event. States belong to a record type (lines 11–18). Each subordinate transition function maps from current state st into a new state using IF expressions and WITH expressions. he expression “st WITH [f := v]” yields a state value identical to st, except on ield f where it takes the value v. Unfortunately, space limitations prevent a more thorough presentation of the PVS model. We encourage the reader to try to grasp the general outline of the model without being overly concerned with its details.

43.4.3 Formally Verifying the Mode control Panel Veriication activities take several possible forms depending on the veriier’s goals. Proving that a design or implementation meets its speciication is one such goal. In the case of the MCP model, the tran theory captures design details that can be proved to satisfy the requirements expressed in theory panel. Several deductive aids have been placed in theory panel to facilitate the proof of invariant properties. he trace type (lines 134–137) deines the set of all state sequences that can result from repeated application of the nextstate function. Each trace can contain only those states reachable from a valid initial state. Traces are formalized here as ininite sequences. Since any inite trace will be a preix of an ininite trace, this formulation is general enough to serve all cases of interest. A parameterized deinition of the invariant concept appears in is_invariant (line 139). Given a predicate P on states, is_invariant expresses succinctly that P is an invariant if and only if it holds on every state in every trace. his deinition is used to express conjectures (lines 156 and 158) that will be submitted to the theorem prover. Such conjectures could be proved by induction using the deinitions for trace and is_invariant. Simpler proofs are obtained, though, by appealing to the lemma invariant_cases (lines 141–144), which makes the induction cases explicit. Higher-order logic facilitates the expression and proof of such deductive utilities. Although seldom encountered in most engineering disciplines, mathematical induction is a commonly used proof technique in deductive formal methods. Its most basic form gives a method for proving that a proposition P(n) holds for all natural numbers n. To proceed, irst prove the base case, P(0). hen show that P(k) implies P(k + 1) for any natural number k. his latter case is generally known as the induction step and P(k) is known as the induction hypothesis. Variants of this basic scheme are used to handle diferent numerical ranges or diferent data types. heorem provers typically provide built-in commands for carrying out induction proofs. In theory tran, the predicate mode_rqmt (lines 146–152) captures how the modes are related to one another. hese relationships stem from requirements (1) and (3). For example, the requirement that exactly one of the modes att_cws, fpa_sel, and alt_eng be engaged at all times is expressed as follows. First, specify that at least one of the modes is engaged: att_cws(st) = engaged OR fpa_sel(st) = engaged OR alt_eng(st) = engaged

Formal Methods

43-7

hen, specify that at most one mode is engaged: (alt_eng(st)/= engaged OR fpa_sel(st)/= engaged) AND (att_cws(st) = engaged IMPLIES alt_eng(st)/= engaged AND fpa_sel(st)/= engaged)

he conjunction of these two conditions yields the desired result. A claim that the formal requirement on modes is an invariant of the MCP model appears in the theorem on line 156. It is worth noting that all the conditions in mode_rqmt need to be present to achieve a provable invariant. If one were to break these into separate invariant conditions and attempt to prove them one by one, the attempt would fail. his is a typical situation when proving invariants. Being individually true does not mean they are provable in isolation. To succeed, an induction proof oten, but not always, requires an induction hypothesis broad enough to cover the interdependent relationships among state components. A second invariant, armed_rqmt (line 154), expresses an additional condition from requirement (3) concerning the armed mode. A claim of its invariance appears on line 158. armed_rqmt is a fairly simple relationship that expresses a necessary condition for entering the armed mode. hus, it can be proved in isolation, in contrast to the invariant described in the previous paragraph. Using the PVS interactive prover involves submitting commands to advance the proof toward its conclusion incrementally. Each step causes the proof state to be altered in a sound manner consistent with the underlying logic. he prover displays the new goal that results ater each proof step. Some steps can cause the proof to branch into two or more paths. PVS proofs are therefore inherently tree structured. To illustrate interactive proving, we show the proof of theorem armed_invariant: armed_invariant: |— — — — — — {1} is_invariant(armed_rqmt)

Initially, the prover displays the conjecture to be proved. he user proceeds by entering commands (inference rules) in the form of parenthesized expressions. he next command requests the prover to import and apply the lemma invariant_cases: Rule? (use “invariant_cases”) Using lemma invariant_cases, this simplifies to: armed_invariant: {–1} (FORALL st: (is_initial(st) IMPLIES armed_rqmt(st)) AND (armed_rqmt(st) IMPLIES (FORALL (e: events): armed_rqmt(nextstate(st, e))))) IMPLIES is_invariant(armed_rqmt) |— — — — [1] is_invariant(armed_rqmt)

he current goal of a proof takes a particular form known as a sequent. A sequent appears as two numbered lists of formulas (Boolean expressions) separated by a symbol called the turnstile: |— — —. he meaning is that the conjunction of the antecedent formulas (those above the turnstile) implies the disjunction of the consequent formulas (those below the turnstile). Next, the user requests the prover to apply some basic simpliication.

43-8

Avionics Development: Tools, Techniques, and Methods

Rule? (ground) Applying propositional simplification and decision procedures, this simplifies to: armed_invariant: |— — — — {1} FORALL st: (is_initial(st) IMPLIES armed_rqmt(st)) AND (armed_rqmt(st) IMPLIES (FORALL (e: events): armed_rqmt(nextstate(st, e)))) [2] is_invariant(armed_rqmt)

At this point, consequent formula 2 is no longer needed and it would be best to remove it from the sequent before proceeding: Rule? (hide 2) Hiding formulas: 2, this simplifies to: armed_invariant: |— — — — — [1] FORALL st: (is_initial(st) IMPLIES armed_rqmt(st)) AND (armed_rqmt(st) IMPLIES (FORALL (e: events): armed_rqmt(nextstate(st, e))))

Completing the proof only requires one additional command. It is, however, quite a powerful command that carries out a large variety of deductive heuristics, some of which require much computation. In this case, the invocation of the (grind) command does lead to many individual actions, whose details have been omitted: Rule? (grind) is_initial rewrites is_initial(st) to…

Trying repeated skolemization, instantiation, and if-lifting, Q.E.D. Run time = 0.48 secs. Real time = 11.65 secs.

Needing only four commands, the proof completed successfully, establishing that predicate armed_rqmt is indeed an invariant property of all possible state sequences. his result holds for sequences of all lengths, up to and including ininitely long sequences. he proof of theorem mode_invariant is conducted in exactly the same manner. By way of comparison, the proof of support lemma invariant_cases involves a few more steps, although it is not much longer. Only the completed “proof script” is shown in the following; intermediate sequents resulting from the proof steps are omitted: (“” (skosimp*) (expand “is_invariant”) (skolem!) (induct “i”) ((“1” (inst?) (flatten) (hide-2) (typepred “T!1”) (ground)) (“2” (skosimp*) (inst?) (typepred “T!1”) (grind))))

his proof contains a few of the prover’s more “technical” commands. If theorems mode_invariant and armed_invariant were proved directly without using lemma invariant_cases, they would

Formal Methods

43-9

require most of these same proof steps. Hence, using the lemma is advantageous because proof steps subsequent to invoking the lemma are less challenging.

43.5 Model checking he ield of model checking dates to a pair of seminal publications from 1981 [2,20]. Since then, it has grown dramatically to become the most frequently used type of formal method. his appeal can be attributed to several factors, including a more gentle learning curve, more highly automated analysis techniques, and an ability to provide diagnostic information such as counterexamples. he latter trait has also enabled some model checkers to serve as advanced debugging tools. Shared by most model checkers is the ability to search large state spaces during the analysis process. Moderately diferent approaches, though, are used by the various tools. For example, SPIN [8,9], one of the most widely used veriiers, belongs to the category of explicit-state model checkers. hese tools generate and “visit” each reachable state within the user’s model, simultaneously testing whether the states or paths violate the desired properties. Exploring a vast set of states obviously requires substantial memory and processor resources. Model checking tools try to guard against the “state explosion” problem that comes with increasing model size. Many language and tool features are designed to keep state sizes manageable. Users must be aware of how language features contribute to state growth so they can write models that minimize the problem. It is not hard to create models whose analysis is infeasible. Clarke et al. [3] present basic model checking algorithms and describe techniques for containing state growth. Symbolic model checkers form a second category, making use of special techniques such as binary decision diagrams (BDDs) to represent state information and transition functions in a more indirect manner. BDDs encode large Boolean functions using a data structure based on directed acyclic graphs, leading to much smaller structures than alternatives such as binary trees. his allows larger state spaces to be explored, although the states are not literally visited individually. A key drawback is a limit on the complexity of transition functions. Explicit-state model checkers, by comparison, can work with models having more complicated transition functions. Nevertheless, symbolic model checkers have enjoyed much success in verifying digital hardware designs. his tool class is typiied by symbolic model veriier (SMV) [1] and its successor NuSMV [16]. Other model checking approaches have been pursued by researchers. Symbolic Analysis Laboratory (SAL) supports multiple model checking algorithms within a common language and modeling framework. SAL, and other tools such as Kind, makes use of SMT solving within their algorithms. Another concept is that of “sotware model checking,” where the checker analyzes sotware source code directly. Java PathFinder (JPF) is an example of this category, as is the Berkeley lazy abstraction sotware veriication tool (BLAST) checker for C programs. Beyond these are a host of other approaches such as real-time and probabilistic model checking.

43.5.1 SPin Model checker We use SPIN in this chapter to explore the coordination aspects of the MCP example and illustrate the use of analysis techniques diferent from that of PVS. SPIN is more of a loosely coupled collection of tools than PVS. here is the core SPIN analyzer that runs as a command-line tool. hen there is a graphical front end (called XSPIN) to provide a user-friendly way to invoke the analyzer and examine its output. A variety of third-party utilities also have been created to improve various aspects of SPIN modeling and veriication. In a companion chapter in this edition of the handbook, Hu and Bertolotti introduce the concept of model checking and present the use of SPIN in some detail. We refer the reader to that chapter for background information on the SPIN tool and especially its modeling language, process metalanguage (Promela).

43-10

Avionics Development: Tools, Techniques, and Methods

43.5.2 Modeling the two-Panel Subsystem A second set of requirements for the example application was presented in Section 43.3.2. hese requirements concern the behavior of a dual-panel coniguration, as depicted in Figure 43.1b, where one panel is provided for each pilot. Coordination between the two panels is necessary to maintain consistency of operation and avoid ambiguous states that might result from unconstrained operation. Most importantly, we wish to ensure that only one panel is active at a time. SPIN was designed to model and analyze the interactions of concurrent processes and communication protocols. A message-passing style of communication is supported by the PROMELA modeling language. It is well suited, therefore, to analyze coordination in the two-panel coniguration speciied in Section 43.3.2. Section 43.A.2 lists the model for the two-panel subsystem expressed in the PROMELA language. he primary language features at the heart of the model are processes and channels for interconnecting them. Other items include type and variable declarations. he central process type of interest in the model is named MCP (lines 11–41). It has the following general structure: proctype MCP (bit side) /* Mode-control panel process */ { byte panel_state,c,s; bit b; do ∷ guard-1 → action-1 ∷ guard-2 → action-2 ∷ guard-3 → action-3 ∷ guard-4 → action-4 od }

his declaration introduces the process type MCP, which will be instantiated twice, once for each side of the dual-panel MCP. he parameter side of the process declaration will assume the values 0 and 1 so each process knows which side it is operating on. he do… od structure is a do-loop whose body has been presented in skeleton form. Details within its body (lines 17–39) represent the actions performed by the MCP process in response to received commands and other inputs. Each alternative of the do-loop has the form G → S, where G is known as a guard or guard statement. Guard G is either a Boolean expression or a channel operation (sending or receiving a message). If a guard expression is true or its channel operation is enabled, the statement sequence that follows is executable. When multiple guarded sequences are eligible, one is selected for execution nondeterministically. All four guards within the do-loop of process MCP are channel receive operations. Channel operations are written chan?v to receive into variable v and chan!e to send value e. he statements ater each guard specify how the process responds to the corresponding type of incoming message. A local variable panel_state (line 13) provides a stub for the state information represented in the PVS model. Because the SPIN model is only concerned with the panel interactions and not the details of internal MCP behavior, an abstraction of the MCP state is used here. SPIN, like other model checkers, favors concrete data types in contrast to the more abstract approach used by PVS and similar systems. In this case, the type byte is used to represent the internal MCP state. Several pairs (arrays) of channels are provided to connect to the MCP processes (lines 5–9). Each is indexed by a “side” ID (0 or 1) to refer to a single channel. chan MCP_commands[2] = [1] of {byte}; chan switch_over[2] = [1] of {bit}; chan to_MCP[2] = [1] of {mtype, byte};

/* Represents buttons, dials */ /* Signal to activate other MCP */ /* Pipes between MCPs */

Each channel provides inputs to the MCP processes, corresponding to the arrows in Figure 43.1b. Channel MCP_commands[i] represents inputs resulting from pilot commands (button presses and dial

Formal Methods

43-11

rotations) as well as sensor inputs such as ALT-related events. Channel switch_over[i] carries the signal used to indicate when the crew has requested activation of the passive MCP. Channel to_MCP[i] allows the two MCP processes to communicate with one another to exchange state information and notify the other when it has been requested to become the active side. Two additional processes are provided to serve as sources of inputs for the MCP processes: proctype crew_commands () {/* Simulates commands from pilots */ do ∷ MCP_commands[0]!0 → skip ∷ MCP_commands[1]!0 → skip od }

he crew _ commands process (lines 50–55) emits “messages” to the command inputs of the MCP processes in a nondeterministic manner. hese messages simulate the crew commands and ALT notiications that were included in the PVS model. No attempt is made to model any details; only the occurrence of command inputs is of interest in this model. Likewise, the switcher process (lines 43–48) emits activate/deactivate signals to both MCP processes in a nondeterministic manner: proctype switcher () {/* Generates switch-over inputs */ do ∷ switch_over[0]!0 → skip ∷ switch_over[1]!0 → skip od }

In practice, activation signals would occur infrequently. Nonetheless, to achieve a thorough veriication, generating all possible interleaved MCP process inputs is desirable. Moreover, explicitly providing generator processes can be useful during model debugging and simulation. Finally, a special process called init (lines 62–67) is a standard part of SPIN models. Its primary purpose is starting the other processes in the model and passing any parameters that might be needed: init {atomic {side_active[0] = true; run MCP(0); run MCP(1); run crew_commands(); run switcher(); run monitor() }}

Two instances of MCP are started with the IDs 0 and 1. he two generator processes are also started as well as a monitor process (described in the next section).

43.5.3 Analyzing the two-Panel Subsystem SPIN provides a variety of tools for analysis and veriication. Included are simulation features that allow users to perform random simulations, guided simulations from previously recorded event traces (“trails” in SPIN terminology), and interactive simulations, where the user selects the next nondeterministic choice. Output information includes detailed trace information and message sequence charts, which are graphical renditions of the communication events in a simulation showing chronological relationships.

43-12

Avionics Development: Tools, Techniques, and Methods

Veriication applies the state exploration algorithm to search for any of several types of errors. One type is the failure of user-supplied assertions. PROMELA allows the introduction of assertions throughout a model. During veriication (and simulation) runs, the assertions are tested and any that evaluate to false are lagged as errors. Another class of detectable errors is deadlock. SPIN will report an error type of “invalid inal state” to indicate that the model was found to have a inal state in which at least one process is not at its expected termination point. Usually, such a condition indicates a deadlock, that is, an unintended state from which no transition is possible. Deadlocks typically happen when multiple processes are waiting for each other, leaving no opportunity to proceed without receiving input from the other process(es). Invariants can be veriied in SPIN using several techniques. One way is to add a process to the model that includes statements of the form assert(P). Assertions are always executable, so they would be interleaved with all other actions in the model, causing them to be repeatedly checked during analysis. If the condition P ever evaluates to false, SPIN recognizes an assertion violation and reports it as such. A variant of this approach uses a guarded statement of the form atomic {!P → assert(P)}. As before, the condition !P is repeatedly checked during analysis. If it ever evaluates to true, a violation of P has been found. Now executable, the assert statement triggers SPIN’s reaction to an assertion violation. his variant is a standard SPIN idiom that achieves the same efect as the simpler assert(P) but executes more eiciently. his approach was used to verify an invariant of the MCP model by introducing the monitor process (lines 57–60): proctype monitor () {/* Checks on invariant assertions */ atomic {(side_active[0] && side_active[1]) → assert(!(side_active[0] && side_active[1]))} }

Expressed in the monitor invariant earlier is the condition that at most one side will be active at a time. he array variable side _ active (line 3) records whether each side thinks it is the active panel. Ruled out by the invariant is the situation where both sides think they are active, an obviously undesirable circumstance: Several other techniques exist for expressing invariants in SPIN models. One makes use of a never claim, a special SPIN construct whose analysis is based on Büchi automata, theoretical structures having suitable semantics for this task. Another approach is to write formulas in linear temporal logic (LTL), which SPIN irst translates to never claims. LTL can be used to express additional properties besides invariants. Figure 43.2 shows the output reported by the SPIN veriier ater being presented with the twoMCP model. he report includes information on which kinds of errors were checked during the search. In this case, assertion violations and invalid end states were selected. Also displayed are counts of states visited, the maximum extent of the depth-irst search, and various statistics on memory usage. Listed at the end of the report is the inal verdict: “no errors found.” For this model, the absence of errors means (1) the invariant on side_active held true in every state, and (2) no deadlock states were found in the model. It would be possible to verify additional invariants or LTL formulas that express desired properties. An example would be an invariant that the panel state is always the same on both sides, except during the middle of processing actions that update these values. Another possibility would be the property that ater side k receives a signal to deactivate, side 1–k eventually becomes active. Expressing this property requires a temporal logic (LTL) formula.

Formal Methods

43-13

(Spin Version 6.2.3 -- 24 October 2012) + Partial Order Reduction Full statespace search for: never claim - (not selected) assertion violations + cycle checks - (disabled by -DSAFETY) invalid end states + State-vector 72 byte, depth reached 9773, errors: 0 51373 states, stored 106910 states, matched 158283 transitions (= stored+matched) 5 atomic steps hash conflicts: 542 (resolved) Stats on memory usage (in Megabytes): 4.115 equivalent memory usage for states (stored*(State-vector + overhead)) 3.413 actual memory usage for states (compression: 82.93%) state-vector as stored = 58 byte + 12 byte overhead 64.000 memory used for hash table (-w24) 0.343 memory used for DFS stack (-m10000) 67.664 total actual memory usage pan: elapsed time 0.11 seconds No errors found -- did you verify all claims?

FIGURE 43.2

Veriication output from running SPIN on the model.

It is worth noting that the PVS model in Section 43.A.1 could be expressed and analyzed using SPIN or several other model checkers. In fact, Lüttgen and Carreño [12] examined three model checkers to determine how well they can analyze designs for possible sources of mode confusion, a problem domain similar to that explored in this chapter. On the other hand, if the MCP model of Section 43.A.1 was more numerical in nature, or it formalized nontrivial data structures, then deductive veriication would likely be a more appropriate choice than model checking.

43.6 Abstract interpretation Abstract interpretation was introduced in 1977 [4]. Based on a broad array of mathematical underpinnings, this method is primarily used to develop static analyzers that directly examine source code. Rather than verifying user-supplied models or properties, these static analyzers look for code defects that can result in a variety of runtime errors. he analyzers are intended for use by sotware development teams even though the theories and algorithms have a deep mathematical basis. Despite ongoing research to expand the range of abstract interpretation tools, they have already been incorporated into two commercial products. PolySpace was developed in France and later purchased by MathWorks to incorporate into their product line [13]. PolySpace can analyze sotware written in C, C++, and Ada. A second-generation tool known as analyseur statique de logiciels temps-réel embarqués (real-time embedded sotware static analyzer, ASTRÉE) [5] has been used to analyze large amounts of sotware (over 400 KLOC) for Airbus aircrat. It is now distributed by a commercial tool vendor. A noncommercial efort that also produced a successful system was the C Global Surveyor [22], developed at the NASA Ames Research Center and used to verify array-bound compliance. his tool was applied to the light sotware of the NASA Mars Exploration Rover mission (over 550 KLOC). In addition, it analyzed sotware for missions Deep Space 1 (280 KLOC) and Mars Pathinder (140 KLOC). Unfortunately, the development of tools based on abstract interpretation is suiciently costly that few oferings are available. Outside of the products mentioned, the only other implementations are research prototypes. Few tools of any signiicance are available in open-source form. Also, abstract

43-14

Avionics Development: Tools, Techniques, and Methods

interpretation can be computationally expensive; implementations occasionally require ine tuning by experts. In spite of these limitations, the track record of successful applications to aerospace sotware makes abstract interpretation a viable technique for avionics projects.

43.6.1 General characteristics Several static analysis tools have been introduced in recent years that have become popular with sotware developers. hese include products from companies such as Coverity and Klocwork. While undoubtedly useful at bug inding, these tools apply heuristics that can lead to both false-positives and false-negatives. Results that harbor false-negatives, that is, undetected defects, are problematic for dependable sotware. In contrast, analysis by abstract interpretation is sound—no false-negatives are possible. If an analyzer fails to ind a particular class of defect in a section of code, then the code is guaranteed to be free of such defects. For this reason, the analysis constitutes a strong form of veriication. False-positives, however, are still possible with abstract interpretation. Tool developers try to improve their precision and reduce their false-positive rate. Greater precision typically requires more computation, so there are practical limits to achieving higher-quality results. False-positive results oten stem from inadequate information about the runtime environment in which the sotware will run. Careful examination by sotware engineers can determine when the runtime errors in question cannot occur because the conditions that enable them cannot arise. At the heart of abstract interpretation is a notion of abstract domains and a disciplined form of discrete approximation. An abstract domain A includes operations and properties forming an abstraction of a concrete domain C. Although less precise than C’s semantics, A and its associated approximation algorithms yield an abstract semantics suicient to analyze speciic program properties. Moreover, computation of the abstract semantics is generally tractable. Several abstract domains, such as intervals and convex polyhedra, are commonly used. By mapping between concrete domains and abstract domains, the methods achieve a type of “overapproximation” that allows useful inferences to be drawn about possible values of program variables. For instance, by using intervals to constrain the value of an integer variable in a loop, the algorithms can infer the range of possible values ater n iterations. In the process, they derive a loop invariant that constrains the space of variable values. For a more detailed illustration, consider the following code fragment: x = 0; for (i = 0; i < 10; i++) { if (f(i, x) > 20) x + = 2; else x + = 1; }

A possible analysis approach would use the 2D space formed by the values of variables i and x. Since variable x is incremented by 1 or 2 on each iteration, typical algorithms could deduce the invariant i ≤ x ≤ 2i. Using a convex hull approach, the value of variable i at loop exit can be found by a narrowing process, and the range of variable x can be narrowed to the interval [10,20]. In turn, this range could be used to show that other operations (e.g., array accesses) are within their bounds. While these results are obvious for such a trivial example, the method works for much more complicated cases where manual analysis is far from practical. Besides the mathematical theories mentioned so far, abstract interpretation relies on fully accurate representations of programming language semantics. Given that most languages have areas of semantic uncertainty (e.g., ambiguities and undeined behaviors), analyzers need to accommodate these semantic diiculties. Any features that can afect program execution are potentially involved in the analysis process. In fact, some types of analysis that compilers have historically performed during code generation can be considered instances of abstract interpretation.

Formal Methods

43-15

43.6.2 Properties Veriiable Using Abstract interpretation Sotware defects that lead to several kinds of runtime errors can be detected by abstraction interpretation. Veriiers can determine when code is defect-free with respect to many of these categories: • • • • • • • • • •

Out-of-bound array accesses and bufer overlows Read accesses to uninitialized data Pointer dereferencing problems (null pointers, out-of-bound accesses) Invalid arithmetic operations (division by zero, square root of negative numbers, others) Illegal-type conversions Integer and loating point overlow and underlow Some cases of nontermination of loops Concurrent accesses to shared data Various cases in the C language standard that are earmarked as having undeined behavior Violations of certain user-deined runtime properties

Research in abstract interpretation is aimed at exploring new abstract domains and increasing precision without incurring too large a computational cost. A team at NASA Ames, for example, is developing the Inference Kernel for Open Static Analyzers (IKOS). Rather than leading to a selfcontained application, IKOS will create a C++ library designed to facilitate the development of sound static analyzers based on abstract interpretation. When combined with other sotware packages, developers will eventually be able to use IKOS to create custom analyzers having the characteristics needed for a particular application domain. Microsot Research has pursued another approach with their cccheck tool [6]. Also called Clousot, cccheck uses abstract interpretation to perform static analysis of program contracts in a languageindependent manner. It has been added to the Code Contracts framework for design-by-contract programming. Preconditions, postconditions, and object invariants are the types of contracts supported. cccheck aims to decide if a program violates its contracts using analysis only.

43.7 Summary In this chapter, we have presented a brief sampler of formal methods tools and techniques. Although the example used (MCP) is quite simple compared to avionics systems of realistic complexity, it nevertheless suices to illustrate elementary use of formal languages and their tools. Readers are encouraged to explore the websites of PVS, SPIN, and other tools to learn more about their capabilities. In the end, there is no substitute for actually trying to carry out small modeling and veriication projects. Such exploratory ventures are advisable before choosing to embark on a serious veriication efort. Most of the methods require signiicant investments of time to achieve proiciency. Lesser levels of expertise, however, are oten suicient for determining whether a method is appropriate for one’s current needs. In any case, the growing sophistication of formal methods will lead to higher rates of adoption in safety-critical avionics. As the engineering workforce becomes more conversant with formal methods, their use in mainstream projects is likely to increase. As should be apparent, none of the three categories of formal methods discussed, nor any of the individual tools or methodologies, constitutes a complete analysis approach. In real-world usage, developers are likely to incorporate several tools and techniques to achieve their veriication objectives. While few of the tools are designed to facilitate such heterogeneous usage, there is a growing awareness by formal methods tool developers that interoperability should receive more serious attention. Recently completed by Rockwell Collins is a set of case studies intended as an aid for practitioners and certiiers who expect to work with formal methods certiication evidence in accordance with DO-333. hese case studies were recently published as a NASA Contractor Report [23].

43-16

Avionics Development: Tools, Techniques, and Methods

43.A Appendix 43.A.1 Listing of PVS Speciication 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51

defs: THEORY BEGIN md_status: TYPE = {off, armed, engaged} off_eng: TYPE = {md: md_status | md = off OR md = engaged} disp_status: TYPE = {pre_selected, current} altitude_vals: TYPE = {away, near_pre_selected, at_pre_selected} state: TYPE = [# att_cws: off_eng, cas_eng: off_eng, fpa_sel: off_eng, alt_eng: md_status, alt_disp: disp_status, fpa_disp: disp_status, cas_disp: disp_status, altitude: altitude_vals #] events: TYPE = {press_att_cws, press_cas_eng, press_fpa_sel, press_alt_eng, input_alt, input_fpa, input_cas, alt_reached, alt_gets_near, fpa_reached} END defs tran: THEORY BEGIN IMPORTING defs event: VAR events st: VAR state tran_att_cws(st): state = IF att_cws(st) = off THEN st WITH [att_cws := engaged, fpa_sel := off, alt_eng := off, alt_disp := current, fpa_disp := current] ELSE st%%IGNORE ENDIF tran_cas_eng(st): state = IF cas_eng(st) = off THEN st WITH [cas_eng := engaged] ELSE st WITH [cas_eng := off, cas_disp := current] ENDIF tran_fpa_sel(st): state = IF fpa_sel(st) = off THEN st WITH [fpa_sel := engaged, att_cws := off, alt_eng := off, alt_disp := current]

Formal Methods 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106

43-17

ELSE st WITH [fpa_sel := off, fpa_disp := current, att_cws := engaged, alt_eng := off, alt_disp := current] ENDIF tran_alt_eng(st): state = IF alt_eng(st) = off AND alt_disp(st) = pre_selected THEN IF altitude(st)/= away THEN %% ENG st WITH [att_cws := off, fpa_sel := off, alt_eng := engaged, fpa_disp := current] ELSE %% ARM st WITH [att_cws := off, fpa_sel := engaged, alt_eng := armed] ENDIF ELSE st%% IGNORE request ENDIF tran_input_alt(st): state = IF alt_eng(st) = off THEN st WITH [alt_disp := pre_selected] ELSE st WITH [alt_eng := off, alt_disp := pre_selected, att_cws := engaged, fpa_sel := off, fpa_disp := current] ENDIF tran_input_fpa(st): state = IF fpa_sel(st) = off THEN st WITH [fpa_disp := pre_selected] ELSE st ENDIF tran_input_cas(st): state = IF cas_eng(st) = off THEN st WITH [cas_disp := pre_selected] ELSE st ENDIF tran_alt_gets_near(st): state = IF alt_eng(st) = armed THEN st WITH [altitude := near_pre_selected, alt_eng := engaged, fpa_sel := off, fpa_disp := current] ELSE st WITH [altitude := near_pre_selected] ENDIF tran_alt_reached(st): state = IF alt_eng(st) = armed THEN st WITH [altitude := at_pre_selected, alt_disp := current, alt_eng := engaged, fpa_sel := off, fpa_disp := current] ELSE st WITH [altitude := at_pre_selected, alt_disp := current] ENDIF tran_fpa_reached(st): state = st WITH [fpa_disp := current] nextstate(st, event): state = CASES event OF press_att_cws: tran_att_cws(st), press_alt_eng: tran_alt_eng(st), press_fpa_sel: tran_fpa_sel(st), press_cas_eng: tran_cas_eng(st),

43-18 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160

Avionics Development: Tools, Techniques, and Methods input_alt: tran_input_alt(st), input_fpa: tran_input_fpa(st), input_cas: tran_input_cas(st), alt_reached: tran_alt_reached(st), fpa_reached: tran_fpa_reached(st), alt_gets_near: tran_alt_gets_near(st) ENDCASES END tran panel: THEORY BEGIN IMPORTING tran event: VAR events st: VAR state P: VAR pred[state] is_initial(st): bool = att_cws(st) = engaged AND cas_eng(st) = off AND fpa_sel(st) = off AND alt_eng(st) = off AND alt_disp(st) = current AND fpa_disp(st) = current AND cas_disp(st) = current trace: TYPE = {s: sequence[state] | is_initial(s(0)) AND FORALL (i: nat): EXISTS (e: events): s(i + 1) = nextstate(s(i), e)} is_invariant(P): bool = FORALL (T: trace): FORALL (i: nat): P(T(i)) invariant_cases: LEMMA (FORALL st: (is_initial(st) IMPLIES P(st)) AND (P(st) IMPLIES FORALL (e: events): P(nextstate(st, e)))) IMPLIES is_invariant(P) mode_rqmt(st): bool = (att_cws(st) = engaged OR fpa_sel(st) = engaged OR alt_eng(st) = engaged) AND (alt_eng(st)/= engaged OR fpa_sel(st)/= engaged) AND (att_cws(st) = engaged IMPLIES alt_eng(st)/= engaged AND fpa_sel(st)/= engaged) AND (alt_eng(st) = armed IMPLIES fpa_sel(st) = engaged) armed_rqmt(st): bool = (alt_eng(st) = armed IMPLIES altitude(st) = away) mode_invariant: THEOREM is_invariant(mode_rqmt) armed_invariant: THEOREM is_invariant(armed_rqmt) END panel

Formal Methods

43-19

43.A.2 Listing of SPIN Model 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52

mtype = {pstate, activate} bool side_active[2] = false; chan MCP_commands[2] = [1] of {byte};/* Represents buttons, dials */ chan switch_over[2] = [1] of {bit};/* Signal to activate other MCP */ chan to_MCP[2] = [1] of {mtype, byte};/* Pipes between MCPs */ proctype MCP (bit side)/* Mode-control panel process */ { byte panel_state,c,s; bit b; do ∷ switch_over[side]?b →/* Need to activate other side */    if ∷ side_active[side] →       side_active[side] = false;       to_MCP[1-side]!activate,panel_state ∷ else → skip fi ∷ MCP_commands[side]?c → /* Following represents a panel state transition */ panel_state = 1 ∷ to_MCP[side]?activate,s →/* Other MCP is passing the baton */ if ∷ !side_active[side] →       panel_state = s        side_active[side] = true ∷ else → skip fi ∷ to_MCP[side]?pstate,s →/* Received a state update from other MCP */ If ∷ !side_active[side] →      panel_state = s ∷ else → skip fi od } proctype switcher () {/* Generates switch-over inputs */ do ∷ switch_over[0]!0 → skip ∷ switch_over[1]!0 → skip od od } proctype crew_commands () {/* Simulates commands from pilots */ do ∷ MCP_commands[0]!0

43-20 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67

Avionics Development: Tools, Techniques, and Methods ∷ MCP_commands[1]!0 od od } proctype monitor () {/* Checks on invariant assertions */ atomic {(side_active[0] && side_active[1]) → assert(!(side_active[0] && side_active[1]))} } init {atomic {side_active[0] = true; run MCP(0); run MCP(1); run crew_commands(); run switcher(); run monitor() }}

References 1. J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill, and L.J. Hwang. Symbolic model checking: 1020 states and beyond. Information and Commutation, 98, 142–170, 1992. 2. E.M. Clarke and A. Emerson. Synthesis of synchronization skeletons for branching time temporal logic. In Logic of Programs Workshop, volume 131 of Lecture Notes in Computer Science, SpringerVerlag, Yorktown Heights, NY, 1981. 3. E.M. Clarke, O. Grumberg, and D. Peled. Model Checking. MIT Press, Cambridge, MA, 1999. 4. P. Cousot and R. Cousot. Abstract interpretation: A uniied lattice model for static analysis of programs by construction or approximation of ixpoints. In Fourth Symposium on Principles of Programming Languages, pp. 238–353, 1977. 5. P. Cousot, R. Cousot, J. Feret, L. Mauborgne, A. Mine, D. Monniaux, and X. Rival. he ASTREE analyzer. In European Symposium on Programming (ESOP’05), volume 3444 of Lecture Notes in Computer Science, pp. 21–30, Springer, Heidelberg, Germany, 2005. 6. M. Fähndrich and F. Logozzo. Static contract checking with abstract interpretation. In Formal Veriication of Object-Oriented Sotware FoVeOOS, pp. 10–30, Springer-Verlag, Paris, France, 2010. 7. M.J.C. Gordon and T.F. Melham. Introduction to HOL: A heorem Proving Environment for HigherOrder Logic, Cambridge University Press, Cambridge, England, 1993. 8. G. Holzmann. he model checker Spin. IEEE Transactions on Sotware Engineering, 23(5): 279–295, 1997. 9. G. Holzmann. he Spin Model Checker: Primer and Reference Manual. Addison-Wesley, Pearson Education, Boston, 2004. 10. INRIA. he Coq Proof Assistant Reference Manual. http://coq.inria.fr/documentation. 11. M. Kaufmann, P. Manolios, and J.S. Moore. Computer-Aided Reasoning: An Approach. Kluwer Academic Press, Dordrecht, Netherlands, 2000. 12. G. Lüttgen and V. Carreño. Analyzing mode confusion via model checking. Technical Report NASA/CR-1999–209332 (ICASE Report No. 99–18), NASA Langley Research Center, May 1999. 13. he MathWorks. PolySpace veriier. http://www.mathworks.com/products/polyspace. 14. J.F. Monin and M.G. Hinchey. Understanding Formal Methods. Springer, NY, 2003. 15. NASA Langley PVS library collection. heories and proofs available at http://shemesh.larc.nasa. gov/fm/tp/larc/PVS-library/pvslib.html. 16. NuSMV symbolic model checker. http://nusmv.bk.eu/NuSMV. 17. S. Owre, J. Rushby, and N. Shankar. PVS: A prototype veriication system. In 11th International Conference on Automated Déduction (CADE), volume 607 of Lecture Notes in Artiicial Intelligence, pp. 748–752, Saratoga, NY, 1992.

Formal Methods

43-21

18. S. Owre, J. Rushby, N. Shankar, and F. von Henke. Formal veriication for fault-tolerant architectures: Prolegomena to the design of PVS. IEEE Transactions on Sotware Engineering, 21(2): 107–125, 1995. 19. L.C. Paulson. Isabelle: A Generic heorem Prover, volume 828 of LNCS, Springer, Heidelberg, Germany, 1994. 20. J.P. Queille and J. Sifakis. Speciication and veriication of concurrent systems in Cesar. In Fith International Symposium on Programming, volume 137 of Lecture Notes in Computer Science, pp. 195–220. Springer-Verlag, Heidelberg, Germany, 1981. 21. RTCA, Inc. Washington, DC. DO-333, Formal Methods Supplement to DO-178C and DO–278A, December 13, 2011. http://www.rtca.org. 22. A. Venet and G.P. Brat. Precise and eicient static array bound checking for large embedded C programs. In International Conference on Programming Language Design and Implementation (PLDI), pp. 231–242, 2004. 23. Darren Cofer and Steven Miller. Formal Methods Case Studies for DO-333. Technical Report NASA/ CR-2014-218244, NASA Langley Research Center, April 2014. Available at http://ntrs.nasa.gov.

44 Navigation and Tracking 44.1 Introduction ....................................................................................44-1 44.2 Fundamentals ..................................................................................44-2 44.3 Applications .................................................................................... 44-6 Position and Velocity along a Line • Position and Velocity in 3D Space • Position, Velocity, and Acceleration of a Tracked Object • Position, Velocity, and Attitude in 3D Space (INS Aiding)

44.4 Operational Developments .........................................................44-12

James Farrell VIGIL, Inc.

Maarten Uijt de Haag Ohio University

Individual GPS Measurements as Observables • VelocityRelated Observables: Sequential Changes in Carrier Phase • Tracking: Relative Velocity and Position Determination

44.5 Conclusion .....................................................................................44-17 Further Reading........................................................................................44-17 References ..................................................................................................44-18

44.1 introduction he task of navigation (“nav”) interacts with multiple avionics functions. To clarify the focus here, this chapter will not discuss tight formations, guidance, steering, minimization of fuel/noise/pollution, or managing time of arrival. he accent instead is on determining position and velocity (plus, where applicable, other variables: acceleration, verticality, heading)—with maximum accuracy reachable from whatever combination of sensor outputs are available at all times. Position can be expressed as a vector displacement from a designated point or in terms of latitude/longitude/altitude above mean sea level, above the geoid—or both. Velocity can be expressed in a locally level coordinate frame with various choices for an azimuth reference (e.g., geodetic north, Universal Transverse Mercator [UTM] grid north, runway centerline, wander azimuth with or without Earth sidereal rate torquing). In principle, any set of axes could be used—such as an Earth-centered, Earth-ixed (ECEF) frame for deining position by a Cartesian vector and velocity in Cartesian coordinates or in terms of ground speed, light path angle, and ground track angle—in either case, it is advisable to use accepted conventions. Realization of near-optimal accuracy with any coniguration under changing conditions is now routinely achievable. he method uses a means of dead reckoning (DR)—preferably an inertial navigation system (INS)—which can provide essentially continuous position, velocity, and attitude in three dimensions by performing a running accumulation from derivative data. Whenever a full or partial ix is available from a nav sensor, a discrete update is performed on the entire set of variables representing the state of the nav system; the amount of reset for each state variable is determined by a weighting computation based on modern estimation. In this way, “initial” conditions applicable to the DR device are in efect reinitialized, as the “zero” time is advanced (and thus kept current), with each update. Computer-directed operation easily accommodates conditions that may arise in practice (incomplete ixes, inconsistent data rates, intermittent availability, changing measurement geometry, varying accuracies) while providing complete lexibility for backup with graceful degradation. he approach inherently combines short-term 44-1

44-2

Avionics Development: Tools, Techniques, and Methods

accuracy of the DR data with the navaids’ long-term accuracy. A commonly cited example of synergy ofered by the scheme is a tightly coupled GPS/INS wherein the inertial information provides short-term aiding that vastly improves responsiveness of narrowband code and/or carrier tracking, while GPS information counteracts long-term accumulation of INS error. he goal of navigation has long progressed far beyond mere determination of geographic location. Eforts to obtain double and triple “mileage” from inertial instruments, by integrating nav with sensor stabilization and light control, are over a decade old. Older yet are additional tasks such as target designation, precision pointing, tracking, antenna stabilization, and imaging sensor stabilization (and therefore transfer alignment). Digital beamforming (DBF) for array antennas (including graceful degradation to recover when some elements fail) needs repetitive data for instantaneous relative position of those elements; on deformable structures, this can require multiple low-cost transfer-aligned inertial measuring units (IMUs) and/or itting of spatial data to an aeroelastic model. he multiplicity of demands underlines the importance of integrating the operations; the rest of this chapter describes how integration should be done.

44.2 Fundamentals To accomplish the goals just described, the best available balance is obtained between old and new information—avoiding both extremes of undue clinging to old data and jumping to conclusions at each latest input. What provides this balance is a modern estimation algorithm that accepts each data fragment as it appears from a nav sensor, immediately weighing it in accordance with its ability to shed light on every variable to be estimated. hat ability is determined by accounting for all factors that inluence how much or how little the data can reveal about each of those variables; those factors include • Instantaneous geometry (e.g., distance along a skewed line carries implications about more than one coordinate direction) • Timing of each measurement (e.g., distance measurements separated by known time intervals carry implications about velocity as well as position) • Data accuracy, compared with accuracy of estimates existing before measurement Only when all these factors are taken into account, accuracy and lexibility as well as versatility are maximized. To approach the ramiications, gradually consider a helicopter hovering at constant altitude, which is to be determined on the basis of repeated altimeter observations. Ater setting the initial a posteriori estimate to the irst measurement Yˆ1 , an a priori estimate xˆ 2(−) is predicted for the second measurement and that estimate is reined by a second observation: 1 xˆ 2(−) = xˆ1(+) ; xˆ 2(+) = xˆ 2(−) + z 2 ; z 2 ≜ Yˆ2 − xˆ 2(−) 2

(44.1)

1 xˆ 3(−) = xˆ 2(+) ; xˆ 3(+) = xˆ 3(−) + z 3 ; z 3 ≜ Yˆ3 − xˆ 3(−) 3

(44.2)

and a third observation

and then the fourth observation 1 xˆ 4(−) = xˆ 3(+) ; xˆ 4(+) = xˆ 4(−) + z 4 ; z 4 ≜ Yˆ4 − xˆ 4(−) 4

(44.3)

which now clariies the general expression for the mth observation 1 xˆ m(−) = xˆ m(+−)1 ; xˆ m(+) = xˆ m(−) + z m ; z m ≜ Yˆm − xˆ m(−) m

(44.4)

44-3

Navigation and Tracking

which can be rewritten as m − 1 ˆ ( −) 1 ˆ x m + Ym , m > 0 xˆ m(+) = m m

(44.5)

Substitution of m = 1 into this equation produces the previously mentioned condition that the irst a posteriori estimate is equal to the irst measurement; substitution of m = 2, combined with that condition, yields a second a posteriori estimate equal to the average of the irst two measurements. Continuation with m = 3, 4, … yields the general result that, ater m measurements, estimated altitude is simply the average of all measurements. his establishes an equivalence between the recursive estimation formulation expressed in (44.1) through (44.5) and the block estimate that would have resulted from averaging all data together in one step. Since that average is widely known to be optimum when all observations are equally accurate statistically, the recursion shown here must then be optimum under that condition. For measurement errors that are sequentially independent random samples with zero mean and variance R, it is well known that mean squared estimation error Pm(+) ater averaging m measurements is just R/m. hat is the variance of the a posteriori estimate (just ater inclusion of the last observation); for the a priori estimate, the variance Pm(−) is R/(m − 1). It is instructive to express the last equation earlier as a blended sum of old and new data, weighted by factors R R /Pm(−) m −1 ≡ = P + R 1 + R /Pm(−) m ( −) m

(44.6)

and ( −) m ( −) m

P

P

+R

=

1 m

(44.7)

respectively; weights depend on variances, giving primary inluence to information having lower mean squared error. his concept, signiied by the let-hand sides of the last two equations, is extendible to more general conditions than the restrictive (uniform variance) case considered thus far; we are now prepared to address more challenging tasks. As a irst extension, let the sequence of altimeter measurements provide repetitive reinements of estimates for both altitude x1 and vertical velocity x2. he general expression for the mth observation now takes a more inclusive form:  x m ,1  − xˆ m(−) = Φm xˆ m(+−) 1 ; xˆ m(+) = xˆ m(−) + Wm z m , z m ≜ Yˆm − xˆ1(,m) , x m ≜    x m ,2 

(44.8)

so that the method accommodates estimation of multiple unknowns, wherein the status of a system is expressed in terms of a state vector (“state”) x, in this case a 2 × 1 vector containing two state variables (“states”); superscripts and subscripts continue to have the same meaning as in the introductory example, but for these states, the conventions m,1 and m,2 are used for altitude and vertical velocity, respectively, at time tm. For this dynamic case, the a priori estimate at time tm is not simply the previous a posteriori estimate; that previous state must be premultiplied by the transition matrix: 1 Φm =  0

t m − t m −1  1 

(44.9)

which performs a time extrapolation. Unlike the static situation, elapsed time now matters since imperfectly perceived velocity enlarges altitude uncertainty between observations—and position

44-4

Avionics Development: Tools, Techniques, and Methods

measurements separated by known time intervals carry implicit velocity information (thus enabling vector estimates to be obtained from scalar data in this case). Weighting applied to each measurement is inluenced by three factors: • A sensitivity matrix Hm whose (i, j) element is the partial derivative of the ith component of the mth measured data vector to the jth state variable. In this scalar measurement case Hm is a 1 × 2 matrix [1 0] for all values of m. • A covariance matrix Pm of error in state estimate at time tm (the ith diagonal element = mean squared error in estimating the ith state variable and, of the diagonal, Pij = Pji = Pii Pjj × (correlation coefficient between ith and jth state variable uncertainty)). • A covariance matrix Rm of measurement errors at time tm (in this scalar measurement case, Rm is a 1 × 1 matrix—i.e., a scalar variance Rm). Although formation of Hm and Rm follows directly from their deinitions, Pm changes with time (e.g., recall the efect of velocity error on position error) and with measurement events (because estimation errors fall when information is added). In this “continuous–discrete” approach, uncertainty is decremented at the discrete measurement events: − − + Pm( ) = Pm( ) − Wm Hm Pm( )

(44.10)

and, between events, dynamic behavior follows a continuous model of the form Pɺ = AP + PAT + E

(44.11)

where E acts as a forcing function to maintain positive deiniteness of P (thereby providing stability and efectively controlling the remembrance duration—the “data window” denoted herein by T—for the ɺ = AΦ). In the estimator) while A deines dynamic behavior of the state to be estimated ( xɺ = Ax and Φ example at hand, 0 A= 0

1   xɺ 1   x1  ;   = A   0  xɺ 2  x 2 

(44.12)

Given Hm, R m, and Pm(−) , the optimal (Kalman) weighting matrix is

(

Wm = Pm(−) HTm Hm Pm(−) HTm + R m

)

−1

(44.13)

which for a scalar measurement produces a vector Wm as the previous inversion simpliies to division by a scalar (which becomes the variance Rm added to P11 in this example):

(

Wm = Pm(−) HTm Hm Pm(−) HTm + Rm

)

−1

(44.14)

he preceding (hovering helicopter) example is now recognized as a special case of this vertical nav formulation. To progress further, horizontal navigation addresses another matter, that is, location uncertainty in more than one direction—with measurements afected by more than one of the unknowns (e.g., lines of position [LOPs] skewed of a cardinal direction such as north or east; Figure 44.1). In the classic “compass-and-dividers” approach, DR would be used to plot a running accumulation of position increments until the advent of a ix from two intersecting straight or curved LOPs; position would then

44-5

Navigation and Tracking N

Shifted intersection point

Original intersection point

FIGURE 44.1

Nonorthogonal LOPs.

be reinitialized at that ixed position, from whence DR would continue until the next ix. For integrated nav, we fundamentally alter that procedure as follows: • In the reinitialization, data imperfections are taken into account. As already discussed, Kalman weighting (Equations 44.13 and 44.14) is based on accuracy of the DR extrapolation as well as the variance of each measurement and its sensitivity to each state variable. An optimal balance is provided between old and new information—and the optimality inherently applies to updating of every state variable (e.g., to velocity estimates as well as position, even when only position is observed directly). • Fixes can be incomplete. In this example, one of the intersecting LOPs may be lost. An optimal update is still provided by the partial ix data, weighted by Wm of (44.14). Implications of these two alterations can be exempliied by Figure 44.1, depicting a pair of LOPs representing partial ixes, not necessarily synchronous. Each scalar measurement allows the entire state vector to be optimally updated with weighting from (44.14) in the relation xˆ m(+) = xˆ m(−) + Wm z m

(44.15)

where zm is the predicted residual formed by subtracting the predicted measurement from the value observed at time tm and acceptance-tested to edit out wild data points: z m = y m + ε = Ym − Yˆm(−) + ε = Yˆm − Yˆm(−) ; Yˆm(−) = Y xˆ (m−)

( )

(44.16)

he measurement function Y(x) is typically a simple analytical expression (such as that for distance from a designated point, the diference between distances from two speciied station locations, GPS pseudorange or carrier-phase diference). Its partial derivative with respect to each position state is obtained by simple calculus; other components of Hm (e.g., sensitivity to velocity states) are zero—in which case, updating of those states occurs due to dynamics, from of-diagonal elements of P in the product Pm(−)HTm . Rm—whether constant or varying (e.g., with signal strength)—is treated as a known quantity; if not accurately known, a conservative upper bound can be used. he same is true for the covariance matrix P0 of error in state estimate at the time of initiating the estimation process—ater which, the changes are tracked by (44.10) at each measurement event and by (44.11) between measurements—thus P is always available for Equations 44.13 and 44.14.

44-6

Avionics Development: Tools, Techniques, and Methods

It is crucial to note that the updates are not obtained in the form of newly measured coordinates, as they would have been for the classical “compass-and-dividers” approach. Just as old navigators knew how to use partial information, a properly implemented modern estimator would not forfeit that capability. he example just shown provides best updates, even with no dependably precise way of obtaining a point of intersection when motion occurs between measurements. Furthermore, even with a valid intersection from synchronized observations, the north coordinate of the intersection in Figure 44.1 would be more credible than the east. To show this, consider the consequence of a measurement error efectively raising the dashed LOP to the solid curve as shown; the north coordinate of the new intersection point “+” exceeds that of point “O”—but by less than the east–west coordinate shit. Unequal sensitivity to diferent directions is automatically taken into account via Hm—just as the dynamics of P will automatically provide velocity updating without explicitly forming velocity in terms of sequential changes in measurements—and just as individual values of Rm inherently account for measurement accuracy variations. heoretically then, usage of Kalman weighting unburdens the designer while ensuring optimum performance; no other weighting could provide lower mean squared error in the estimated value of any state. Practically, the fulillment of this promise is realized by observing additional guidelines, some of which apply across the board (e.g., usage of algorithms that preserve numerical stability) while others are application dependent. Now that a highly versatile foundation has been deined for general usage, the way is prepared for describing some speciic applications. he versatility just mentioned is exhibited in the examples that follow. Attention is purposely drawn to the standard process cycle; models of dynamics and measurements are suicient to deine the operation.

44.3 Applications Various operations will now be described, using the uniied form to represent the state dynamics * with repetitive instantaneous refresh via discrete or discretized observations (ixes, whether full or partial). Finite space necessitates some limitations in scope here. First, all updates will be from position-dependent measurements (e.g., Doppler can be used as a source of continuous DR data but is not considered herein for the discrete ixes). In addition, all nav reference coordinate frames under consideration will be locally level. In addition to the familiar north–east–down (NED) and east–north–up (ENU) frames, this includes any wander azimuth frame (which deviates from the geographic by only an azimuth rotation about the local vertical). Although these reference frames are not inertial (thus the velocity vector is not exactly the time integral of total acceleration as expressed in a nav frame), known kinematical adjustments will not be described in any depth here. his necessitates restricting the aforementioned data window T to intervals no greater than a tenth of the 84 min Schuler period. he limitation is not very severe, when considering the amount of measured data used by most modern avionics applications within a few minutes duration. Farrell [1] is cited here for expansion of conditions addressed, INS characterization, broader error modeling, increased analytical development, physical basis for that analysis, and myriad practical “dos and don’ts” for applying estimation in each individual operation.

44.3.1 Position and Velocity along a Line he vertical nav case shown earlier can be extended to the case of time-varying velocity, with accurately (not necessarily exactly) known vertical acceleration ZV :  xɺ 1  0 xɺ  = 0  2 

1  x1   0  + 0  x 2  ZV 

(44.17)

* A word of explanation is in order: For classical physics, the term dynamics is reserved for the relation between forces and translational acceleration, or torques and rotational acceleration—while kinematics describes the relation between acceleration, velocity, and position. In the estimation ield, all continuous time variation of the state is lumped together in the term dynamics.

44-7

Navigation and Tracking

which allows interpretation in various ways. With a positive upward convention (e.g., as in the ENU reference), x1 can represent altitude above any datum while x2 is upward velocity; a positive downward convention (NED reference) is also accommodated by simple reinterpretation. In any case, the previous equation correctly characterizes actual vertical position and velocity (with true values for ZV and all x’s) and likewise characterizes estimated vertical position and velocity (denoted by circumlexes over ZV and all x’s). herefore, by subtraction, it also characterizes uncertainty in vertical position and velocity (i.e., error in the estimate, with each circumlex replaced by a tilde ~). hat explains the role of this expression in two separate operations: 1. Extrapolation of the a posteriori estimate (just ater inclusion of the last observation) to the time of the next measurement, to obtain an a priori estimate of the state vector—which is used to predict the measurement’s value. If a transition matrix can readily be formed (e.g., Equation 44.9 in the example at hand), it is sometimes, but not always, used for that extrapolation. 2. Propagation of the covariance matrix from time tm−1 to tm via Equation 44.11 initialized at the a posteriori value Pm(+−)1 and ending with the a priori value Pm(−). Again an alternate form using (44.9) is an option. Ater these two steps, the cycle at time tm is completed by forming gain from (44.14), predicted residual from (44.16), update via (44.15), and decrement by (44.10). he operation just described can be visualized in a generic pictorial representation. Velocity data in a DR accumulation of position increments predicts the value of each measurement. he diference z between the prediction and the observed ix (symbolically shown as a discrete event depicted by the momentary closing of a switch) is weighted by position gain Wpos and velocity gain Wvel for the update. Corrected values, used for operation thereater, constitute the basis for further subsequent corrections. For determination of altitude and vertical velocity, the measurement prediction block in Figure 44.2 is replaced by a direct connection; altimeter ixes are compared versus the repeatedly reinitialized accumulation of products (time increment) × (vertical velocity). In a proper implementation of Figure 44.2, time history of a posteriori position tracks the truth; root mean square (RMS) position error remains near P11 . At the irst measurement, arbitrarily large initial uncertainty falls toward sensor tolerance—and promptly begins rising at a rate dictated by P22 . A second measurement produces another descent followed by another climb—now at gentler slope, due to implicit velocity information gained from repeated position observations within a known time interval. With enough ix data, the process approaches a quasi-static condition with P11 maintained at levels near RMS sensor error.

adjusted velocity a priori velocity Velocity data

+

a posteriori velocity

Fix data Wvel

DR accumulation

Measurement prediction



Z

Wpos a priori position adjusted position

FIGURE 44.2

Position and velocity estimation.

+

a posteriori position

44-8

RMS Error

Avionics Development: Tools, Techniques, and Methods

Time

FIGURE 44.3

Time history of accuracy.

Extensive caveats, ramiications, etc., could be raised at this point; some of the more obvious will be mentioned here. ( −) • In analogy with the static example, the let side of (44.7)—with Pm11 substituted for Pm(−) —implies high initial weighting followed by lighter weights as measurements accumulate. If ixes are from sensors with varying tolerance, the entire approach remains applicable; only parameter values change. he efect in Figure 44.3 would be a smaller step decrement and less reduction in slope, when RMS ix error is larger. • Vertical velocity can be an accumulation of products, involving instantaneous vertical acceleration—which comes from data containing an accelerometer ofset driven by a randomly varying error (e.g., having spectral density in conformance to E of [44.11]). With this ofset represented as a third state, another branch would be added to Figure 44.2, and an augmented form of (44.17) could deine dynamics in instantaneous altitude, vertical velocity, and vertical acceleration (instead of a constant bias component, extension to exponential correlation is another common alternative):

 xɺ 1  0 xɺ  = 0  2  xɺ 3  0

1 0 0

0   x 1  0  1  x 2  + 0  0  x 3  e 

(44.18)

Rather than ramping between ixes, position uncertainty then curves upward faster than the linear rate in Figure 44.3; curvature starts to decrease ater the third ix. It takes longer to reach quasi-static condition, and closeness of “steady-state” P11 to RMS sensor error depends on measurement scheduling density within a data window. • (44.12) and Figure 44.2 can also represent position and velocity estimation along another direction, for example, north or east—or both—as developed in the next section.

44.3.2 Position and Velocity in 3D Space For brevity, only a succinct description is given here. First, consider excursion over a meridian with position x1 expressed as a product [latitude (Lat) increment] × [total radius of curvature (R M + altitude)]: RM =

(

a E 1 − e E2

)

1 − e E2 sin 2 ( Lat )   

3/2

; a E = 6, 378,137 m; e E2 = ( 2 − f ) f , f =

1 298.25722

(44.19)

44-9

Navigation and Tracking

so that, for usage of A in (44.12), x2 is associated with north component VN of velocity. North position ixes could be obtained by observing the altitude angle of Polaris (appropriately corrected for slight deviation of the north pole). To use the formulation for travel in the east direction, the curvature radius is (RP + h): RP =

aE 1 − e sin2 ( Lat ) 2 E

; h = altitude

(44.20)

and, while the latitude rate is V N/(R M + h), the longitude rate is VE sec(Lat)/(R P + h). Even for limited distance excursions within a data window, these spheroidal expressions would be used in kinematic state extrapolation—while our short-term ground rule allows a simpliied (“lat-Earth” Cartesian) model to be used as the basis for matrix extrapolation in (44.11). he reason lies with very diferent sensitivities in Equations 44.15 and 44.16. he former is signiicantly less critical; a change δW would modify the a posteriori estimate by only the second-order product zmδWm. By way of contrast, small variations in an anticipated measurement (from seemingly minor model approximations) can produce an unduly large deviation in the residual—a small diference of large quantities. hus, for accuracy of additive state vector adjustments (such as velocity × Δtime products in dynamic propagation), Equations 44.19 and 44.20 properly account for path curvature and for changes in direction of the nav axes as the path progresses. At the poles, the well-known singularity in {sec(Lat)} of course necessitates a modiied expression (e.g., Earth-centered vector). In applying (44.12) to all three directions, a basic decision must be made at the outset. Where practical, it is desirable for axes to remain separated, which produces three uncoupled 2-state estimators. An example of this form is radar tracking at long range—long enough so that, within a data window duration, the line-of-sight (LOS) direction remains substantially ixed (i.e., nonrotating). If all three axes are monitored at similar data rates and accuracies, experience has shown that even a fully coupled 6-state estimator has position error ellipsoid axes aligned near the sensor’s range/azimuth/elevation directions. In that case, little is lost by ignoring coupling across sensor reference axes—hence, the triad of uncoupled 2-state estimators, all in conformance to (44.12). To resolve vectors along cardinal directions at any time, all that is needed is the direction cosine matrix transformation between nav and sensor axes—which is always available. When the conditions mentioned earlier do not hold, the reasoning needs to be revisited. If LOS direction rotates (which happens at short range) or if all three axes are not monitored at similar data rates, decoupling may or may not be acceptable; in any case, it is suboptimal. If one axis (or a pair of axes) is unmonitored, a fully coupled 6-state estimator can dramatically outperform the uncoupled triad. In that case, although (44.12) represents uncoupled dynamics for each axis, coupling comes from multiple changing projections in measurement sensitivity H as the sensor sight-line direction rotates. Even the coupled formulation has a simple dynamic model in partitioned form; for a relative position vector R and velocity V driven by perturbing acceleration e,  Rɺ  0 ɺ=  V  0

I   R  0  + 0   V   e 

(44.21)

where 0 and I are null and identity partitions, respectively. he next section extends these concepts.

44.3.3 Position, Velocity, and Acceleration of a tracked object In this chapter, it has been repeatedly observed that velocity can be inferred from position-dependent measurements separated by known time intervals. In fact, a velocity history can be inferred. As a further generalization of methods just shown, the position reference need not be stationary; in the example now to be described, the origin will move with a supersonic jet—carrying a radar and INS. Furthermore, the object whose state is being estimated can be external, with motions that are independent of the platform carrying the sensors that provide all measurements.

44-10

Avionics Development: Tools, Techniques, and Methods

For tracking, irst, consider the uncoupled case already described, wherein each of three separate estimator channels corresponds to a sensor reference axis direction—and each channel has three kinematically related states, representing that directional component of relative (sensor-to-tracked-object) position, relative velocity, and total (not relative) acceleration of the tracked object.* he expression used to propagate state estimates between measurements in a channel conforms to standard kinematics, that is,   xˆ m( −,1)  1    xˆ m( −,2)  = 0  −    xˆ m( ,)3  0   

t m − t m −1 1 0

1 1 2 (t m − t m −1 )   xˆ m( +−)1,1   (t m − t m −1 )qm  2 2      + qm t m − t m −1  xˆ m( −)1,2  −      ˆ (+)   1 0    x m −1,3     

(44.22)

where qm denotes the component, along the sensor channel direction, of the change in INS velocity during (tm − tm−1). In each channel, E of (44.11) has only one nonzero value, a spectral density related to data window and measurement error variance σ2 by

(

 20σ2 / T 5 E 33 =  g2  

) (g/s) /Hz 2

 

(44.23)

To change this to a fully coupled 9-state formulation, partition the 9 × 1 state vector into three 3 × 1 vectors R for relative position, Vr for relative velocity, and ZT for the tracked object’s total acceleration—all expressed in the INS reference coordinate frame. he partitioned state transition matrix is then constructed by replacing each diagonal element in (44.22) by a 3 × 3 identity matrix I33, each zero by a 3 × 3 null matrix, and multiplying each above-diagonal element by I33. Consider this transition matrix to propagate covariances as expressed in sensor reference axes, so that parameters applicable to a sensing channel are used in (44.23) for each measurement. Usage of diferent coordinate frames for states (e.g., geographic in the example used here) and P (sensor axes) must of course be taken into account in characterizing the estimation process: an orthogonal triad Ib JbKb conforms to directions of sensor sight line Ib, its elevation axis Jb in the normal plane, and the azimuth axis Kb = Ib × Jb normal to both. he instantaneous direction cosine matrix Tb/A will be known (from the sensor pointing control subsystem) at each measurement time. By combination with the transformation TA/G from geographic to airframe coordinates (obtained from INS data), the transformation from geographic to sensor coordinates is Tb /G = Tb /A TA /G

(44.24)

which is used to resolve position states along Ib JbKb  0 1 Tb /G R =  pA R  − p E

   

(44.25)

where pA and pE —small fractions of a radian—are departures above and to the right, respectively, of the a priori estimated position from the sensor sight line (which due to imperfect control does not look exactly where the tracked object is anticipated at tm). * Usage of relative acceleration states would have sacriiced detailed knowledge of INS velocity history, characterizing ownship acceleration instead with the random model used for the tracked object. To avoid that unnecessary performance degradation, the dynamic model used here, in contrast to (44.18), has a forcing function with nonzero mean.

44-11

Navigation and Tracking

For application of (44.16), pA and pE are recognized in the role of a priori estimated measurements— adjusting the “dot-of-the-crosshairs” azimuth (“AZ”) and elevation (“EL”) observations—so that a full 3D ix (range, AZ, EL) in this operation would be   1  yR    y  = 0  AZ    yEL   0 

0

0

1 R

0

0

1 R

    0   Tb /G R −  pA   − pE   

   

(44.26)

Since R contains the irst three states, its matrix coeicient in (44.26) provides the three nonzero elements of H; for example, for scalar position observables, these are comprised of • he top row of Tb/G for range measurements • he middle row of Tb/G divided by scalar range for azimuth measurements • he bottom row of Tb/G divided by scalar range, × (−1), for elevation measurements By treating scalar range coeicients as well as the direction cosines as known quantities in this approach, both the dynamics and the observables are essentially linear in the state. his has produced success in nearly all applications within experience of the writers the sole need for extension arising when distances and accuracies of range data were extreme (the cosine of the angle between sensor sight line and range vector could not be set at unity). Other than that case, the top row of Tb/G suices for relative position states—and also for relative velocity states when credible Doppler measurements are available. A more thorough discourse would include a host of additional material, including radar and optical sensing considerations, sensor stabilization—with its imperfections isolated from tracking, error budgets, kinematical correction for gradual rotation of the acceleration vector, extension to multiple track iles, sensor fusion, myriad disadvantages of alternative tracking estimator formulations, etc. he ramiications are too vast for inclusion here.

44.3.4 Position, Velocity, and Attitude in 3D Space (inS Aiding) In the preceding section, involving determination of velocity history from position measurement sequences, dynamic velocity variations were expressed in terms of an acceleration vector. For nav (as opposed to tracking of an external object) with high dynamics, the history of velocity is oten tied to the angular orientation of an INS. In straight-and-level northbound light, for example, an unknown tilt ψN about the north axis would produce a ictitious ramping in the indicated east velocity VE ; in the shortterm, this efect will be indistinguishable from a bias naE in the indicated lateral component (here, east) of the accelerometer output. More generally, velocity vector error will have a rate vɺ = ψ × A + na = −A × ψ + na

(44.27)

where bold symbols (v, n) contain the geographic components equal to corresponding scalars denoted by italicized quantities (v, n) A represents the vector, also expressed in geographic coordinates, of total nongravitational acceleration experienced by the IMU

44-12

Avionics Development: Tools, Techniques, and Methods

Combined with the intrinsic kinematical relation between ν and a position vector error r, in a nav frame ɶ rad/s, the 9-state dynamics with a time-invariant misorientation ψ can be expressed via rotating at ω 3 × 3 matrix partitions: ɶ×  rɺ   −ω  vɺ  =  0    ψɺ   0

I 0 0

0 r   0  (− A×)  v  +  na  0   ψ   e 

(44.28)

which lends itself to numerous straightforward interpretations; for brevity, these will simply be listed here: • For strapdown systems, it is appropriate to replace vectors such as A and na by vectors initially expressed in vehicle coordinates and transformed into geographic coordinates—so that parameters and coeicients will appear in the form received. • Although both na and e appear as forcing functions, the latter drives the highest order state and thus exercises dominant control over the data window. • If na and e contain both bias and time-varying random (noisy) components, (44.28) is easily reexpressible in augmented form, wherein the biases can be estimated along with the corrections for estimated position, velocity, and orientation. Especially for accelerometer bias elements, however, observability is oten limited; therefore, the usage of augmented formulations should be adopted judiciously. In fact, the number of states should in many cases be reduced, as in the next two examples: ◦ In the absence of appreciable sustained horizontal acceleration, the azimuth element of misorientation is signiicantly less observable than the tilt components. In some operations, this suggests replacing (44.28) with an 8-state version obtained by omitting the ninth state—and deleting the last row and column of the matrix. ◦ When the last three states are omitted—while the last three rows and columns of the matrix are deleted—the result is the fully coupled 3D position and velocity estimator (44.21). he options just described can be regarded as diferent modes of the standard cyclic process already described, with operations deined by dynamics and measurement models. Any discrete observation could be used with (44.28) or an alternate form just named, constituting a mode subject to restrictions that were adopted here for brevity (position-dependent observables only, with distances much smaller than Earth radius). At this point, expressions could be given for measurements as functions of the states and their sensitivities to those state variables: (44.26) provides this for range and angle data; it is now appropriate to discuss GPS information in the context of integrated nav and tracking, while including considerations for usage in operation.

44.4 operational Developments his extension to the “Navigation and Tracking” chapter in earlier editions of the Avionics Handbook can begin with a brief historical perspective. Much of the methodology needed for nav integration was developed decades ago. Optimal, near-optimal, and suboptimal estimation all arrived before 1960, and inertial navigation existed long before that (though strapdown, with its greater demand for processing capability, came about a decade later). In addition to those two pillars of the operation, much of the requisite theory—though not yet all of the required processing power demanded by the algorithms—is likewise decades old. Even the irst attempt [1] to collect applicable theory together with models for all nav sensor data in existence, to cover integrated nav in an all-inclusive modern estimation framework, is over 35 years old at the time of this writing. What is diferent now is an opportunity to capitalize on

Navigation and Tracking

44-13

all these ingredients, due to continued (and in fact progressive) advances in that processing power—in combination with another landmark occurrence in capability enhancement: satellite navigation. he explosive growth of navigation applications within the past few decades has been largely attributed to GPS. Never before had there been a nav data source of such high accuracy, reachable from any Earth surface location at any time. Elsewhere in this handbook, the reader is shown how GPS data can be used to • Solve for 3D position and user clock ofset with pseudorange observations received simultaneously from each of four space vehicles (SVs) • Use local diferential GPS corrections that combine, for each individual SV, compensation for propagation efects plus SV clock and ephemeris error • Compensate via wide-area augmentation that, though not as straightforward as local, is valid for much greater separation distances between the user and reference station • Use diferencing techniques with multiple SVs to counteract user clock ofsets while multiple receivers enable compensation of the errors mentioned • Apply these methods to carrier phase as well as to pseudorange so that, once the cycle count ambiguities are resolved, results can be accurate to within a fraction of the L-band wavelength he following will describe usage of satellite data in navigation and tracking applications. Examples will begin with discussion of methodology, followed by progression toward results—irst simulation, then testing (both van and light test). All of this material clearly goes signiicantly beyond current conventional practice; justiication is evident from dramatically improved performance with robustness and potential for ease of operation.

44.4.1 individual GPS Measurements as observables Immediately, we make a deinite departure from custom here; each scalar GPS observable will call for direct application of Equation 44.15. To emphasize this, results are irst summarized for instances of sparse measurement scheduling: initial runs were made long ago with real SV data, taken before activation of selective availability (SA) degradations, collected from a receiver at a known stationary location but spanning intervals of several hours. Even with that duration consumed for the minimum required measurements, accuracies of 1 or 2 m were obtained—not surprising for GPS with good geometry and no SA. he results just mentioned, while not remarkable, airm the realization that full ixes are not at all necessary with GPS. hey also open the door for drawing dependable conclusions when the same algorithms are driven by simulated data containing errors from random number generators. Section 8.1.1 of [2] describes a subsequent high-speed aircrat simulation with no more than one pseudorange observation every 6 s (and furthermore with some gaps, even in that slow data rate). Since the results are again unremarkable, only a brief synopsis suices here: • Position and velocity estimates settled as soon as measurement accumulation was suicient to produce a nav solution (e.g., two asynchronous measurements from each of three noncoplanar SVs for a vehicle moving in three dimensions, with known clock state, or four SVs with all states initially unknown). • Initial errors tended to wash out; the estimation accuracies just mentioned were determined by measurement error levels ampliied through geometry. • Velocity errors tended toward levels proportional to the ratio of RMS measurement error to (T), where T here represents either time elapsed since the irst measurement on a course leg or the data window, whichever is smaller. he former deinition of the denominator produced a transient at the onset and when speed or direction changed. • Doppler data reduced the transient, and INS velocity aiding minimized or removed it.

44-14

Avionics Development: Tools, Techniques, and Methods

• Extreme initial errors interfered with these behavioral patterns somewhat—readily traceable to usage of imprecise direction cosines—but the efects could be countered by reinitialization of estimates with a posteriori values and measurement recycling. hese results mirror familiar realworld experience (including actual measurement processing by many authors); they are mentioned here to emphasize adequacy of partial ixes at low rates that many operational systems to this day still fail to exploit [3]. Although the approach just described is well known (i.e., in full conformance to the usual Kalman ilter updating cycle) and the performance unsurprising, the last comment is signiicant. here are numerous applications wherein SV sight lines are oten obscured by terrain, foliage, buildings, or structure of the vehicle carrying the GPS receiver. In addition, there can be SV outages (whether from planned maintenance or unexpected failures), intermittently strong interference or weak signals, unfavorable multipath geometry in certain SV sight-line directions, etc., and these problems oten arise in critical situations. At the time of this writing, there remain widespread opportunities, accompanied by urgent need, to replace loose (cascaded) conigurations by tightly coupled (integrated) conigurations. Accentuating the beneit is the bilateral nature of ultratight integration. As tracking loops (code loop and, where activated, carrier-phase track) contribute to the estimator, rapid dynamics maintenance enhances ability to maintain stable loop operation. For a properly integrated GPS/INS, this enhancement occurs even with narrow bandwidth in the presence of rapid change. Loop response need not follow high dynamics—but only error in the perceived dynamics—with ultratight integration. It is also noted that the results just described are achievable under various conditions and can be scaled over a wide accuracy range. Sensitivity H of an individual SV observation contains the SV-to-receiver unit vector; when satellite observations are subtracted, that sensitivity contains a diference of two SV-to-receiver unit vectors. Position measurements may be pseudoranges, diferentially corrected pseudoranges, or carrier phase with their ambiguities resolved, with typical RMS accuracies of