GPS AS A PRIMARY MEANS OF NAVIGATION FOR OCEANIC/REMOTE

OPERATIONS

1. PURPOSE. This notice proposes interim guidance for approving the installation of global positioning system (GPS) equipment to be used as a primary means of navigation for oceanic/remote operations (including minimum navigation performance specifications (MNPS) airspace). To clarify terminology, this guidance adopts the term "primary means of navigation" as opposed to "sole means of navigation" to identify navigation equipment which provides the only required means on the aircraft of satisfying the necessary level of accuracy, integrity, continuity and availability for a particular area, route, procedure or operation. The failure of a primary means of navigation may require reversion to a non-normal means of navigation (e.g., dead reckoning). Examples of systems which can provide a primary means of navigation include: very high frequency omnidirectional range (VOR) for domestic en route, terminal, and nonprecision approach where it is available; VOR/distance measuring equipment (DME) for domestic en route above flight level 240, terminal, and nonprecision approach where it is available; Omega for oceanic operation; and inertial navigation systems (INS) for oceanic operation. The GPS installations which revert to another long-range navigator, such as Omega or INS, need not apply for GPS primary means approval; they may utilize GPS under supplemental Instrument Flight Rules (IFR) approval.

2. DISTRIBUTION. This notice is distributed to the branch level in Washington headquarters, Aircraft Certification Service, section level in all Aircraft Certification Directorates; and maximum distribution in all the Aircraft Certification Offices (ACO), with limited distribution in the General Aviation District Offices, Air Carrier District Offices, Flight Standards District Offices, and Aeronautical Quality Assurance Field Offices.

3. CANCELLATION. Notice 8110.57, GPS as a Primary Means of Navigation for Oceanic/Remote Operations, dated 7/7/95 is canceled.

4. PERFORMANCE REQUIREMENTS. The following requirements must be met by the GPS equipment, in addition to the performance requirements of RTCA/DO-208, Minimum Operational Performance Standards for Airborne Supplemental Navigation Equipment Using Global Positioning System, as modified by Technical Standards Order (TSO)-C129. The approval process for evaluating compliance to these requirements is discussed in paragraph 6.

a. The GPS equipment must be capable of detecting and excluding a GPS satellite failure by means of a fault detection and exclusion (FDE) algorithm including receiver autonomous integrity monitoring (RAIM) for detection. The exclusion of a satellite failure must be automatic, thus pilot action is not permitted to accomplish exclusion. The specific requirements of the exclusion function can be found in appendix 1.

b. In addition to FDE, the equipment must use an acceptable means to detect and exclude from the navigation solution, any satellite which is being tracked that experiences a failure which causes a pseudorange step function. The requirements for detection and exclusion of a pseudorange step function can be found in appendix 2.

c. The GPS equipment must exclude, without pilot action, any satellite designated unhealthy by any of the GPS navigation data. The satellite must be excluded within 5 minutes of the designation as unhealthy by the satellite. See appendix 3 for specific requirements on what portions of the GPS navigation data shall be used to determine GPS health.

d. If a GPS satellite failure results in loss of GPS navigation (due to the failure to exclude or a hard satellite failure which results in an inadequate number of satellites), an appropriate indication (TSO-C129, paragraphs (a)(3)(xiii)1c, (a)(4)(iv)10, and (a)(5)(iv)9) of the failure must be provided to the aircraft crew.

e. The equipment must provide, upon request, an indication of the current estimate of position uncertainty in terms of nautical miles. This estimate must be based on measurement inconsistency and must bound the true error with high confidence (approximately 99.9 percent). It is related to the test statistic calculated as part of FDE. This estimate will not be available if there are only four measurements available (because there is no redundancy). This output is intended to be used to provide information about the approximate magnitude of a potential positioning failure, when the horizontal integrity limit (HIL) exceeds the alert limit or when a positioning failure has been detected and not excluded.

f. The loss of the long-range navigation function must be demonstrated to be improbable according to Advisory Circular (AC) 23.1309-1A, Equipment, Systems, and Installations in Part 23 Airplanes, or AC 25.1309-1A, System Design Analysis. For many oceanic/remote operations, this requirement must be met by equipping the aircraft with at least two (or more) independent (i.e., dual control display unit, dual GPS antenna, dual power sources, dual GPS sensors, etc.) navigation systems with a mean time between failures of at least 1000 hours each (for dual equipage).

g. A prediction program is required to support operational departure restrictions. See appendix 4 for specific requirements for this program.

5. DESIRED PERFORMANCE. In addition to the required features described above, it is recommended that the GPS equipment provide the following features. These features increase the versatility and availability of the GPS receiver and may facilitate obtaining future operational benefits.

a. The installed GPS equipment should be capable of acquiring and tracking satellites above a threshold that is at or below the horizon (no mask angle) in the oceanic/remote mode. However, the introduction of this capability also incurs a requirement to provide an automatic and/or manual method of switching between the oceanic/remote mode of operation (lower mask angle) and the standard mode of operation. If the selection is manual, the selected value must be continuously displayed to the flight crew and must not inhibit the required automatic changes specified in TSO-C129.

b. The GPS equipment should provide an oceanic/remote mode of operation in which the alert limit for RAIM, as defined in RTCA/DO-208, can be increased up to 4 nautical miles (nm) to improve FDE availability. Care must be taken in the design of the crew annunciations so that there is a clear distinction between loss of FDE availability and loss of navigation (this may be due to a detected satellite failure that cannot be excluded.) The time-to-alert in the oceanic/remote mode of operation can be greater than 30 seconds, but shall not exceed 5 minutes.

c. The GPS equipment should also continue to process the FDE algorithm when the internal HIL exceeds the alert limit in order to provide some level of integrity monitoring; any detected failure should be annunciated even if the HIL exceeds 4 nm. When the HIL is greater than 4 nm, the equipment must enunciate that integrity monitoring is inadequate (TSO-C129 paragraphs (a)(3)(xiii)2a, (a)(4)(iv)10, and (a)(5)(iv)9).

d. During normal operation, the equipment should be capable of computing and displaying the current wind speed and wind direction.

e. The GPS equipment should have the capability to accept forecast wind conditions at waypoints along a route in order to improve estimated time of arrival performance.

f. The navigation system should include an automatic dead reckoning (DR) navigation mode that becomes active when GPS navigation capability is lost. The system, if provided, must include electronic inputs of true airspeed, altitude, and stabilized heading for use in generating

the DR position. The system should use calculated winds from the last valid GPS data and incorporate the ability for the crew to input forecast winds. The system should be demonstrated to be capable of navigation with drift rates of no more than 14 nm per hour (assuming no wind changes).

g. If the system provides a DR mode, then it should automatically revert to the dead reckoning mode when a GPS navigation solution cannot be provided, and should provide an alert to the pilot. The system should also allow the pilot to select DR when FDE has detected a satellite failure and the failure cannot be excluded. An indication that the system has reverted to dead reckoning mode must be continuously provided to the aircraft crew if the mode is provided. The dead reckoning mode of the GPS equipment shall retain the capability to couple with the flight guidance system (autopilot / flight director), if provided, and should not disconnect when switching between GPS and dead reckoning modes. The GPS equipment must automatically revert to normal navigation as soon as a navigation solution can be provided. Both transitions must be clearly annunciated (GPS to DR and DR to GPS).

6. APPROVAL PROCESS.

a. The GPS equipment manufacturer or aircraft manufacturer obtains a TSO-C129 authorization (Class A1, A2, B1, B2, C1, or C2) from the cognizant Aircraft Certification Office (ACO). The manufacturer may also demonstrate compliance with the requirements in paragraph 4 of this notice and any of the additional functions specified in paragraph 5. The FDE prediction capability defined in appendix 4 must also be evaluated to comply with the requirements in appendix 4 and to accurately predict the availability of the FDE algorithm. In this case, the aircraft certification office engineer should issue a separate letter of design approval, stating that the appliance (including part number) and software prediction program (including revision number) has been found to comply with this notice. It is assumed that the appliance will be manufactured under a TSO authorization (TSOA). Alternatively, the applicant must demonstrate that the performance requirements of TSO-C129 are met as part of the installation approval.

b. The applicant obtains installation approval of the GPS navigation system via the amended Type Certificate (TC) or Supplemental Type Certificate (STC) certification process. An acceptable means of compliance to determine airworthiness can be found in AC 20-138, Airworthiness Approval of Global Positioning System (GPS) Navigation Equipment for Use as a VFR and IFR Supplemental Navigation System, or AC 20-130A, Airworthiness Approval of Navigation or Flight Management Systems (FMS) Integrating Multiple Navigation Sensors.

(1) If the manufacturer has previously obtained a TSOA and obtained a letter of design approval as described in paragraph 6a of this notice, no additional testing is required beyond AC 20-138 or AC 20-130A.

(2) If the manufacturer has not obtained a TSOA or letter of design approval as described in paragraph 6a of this notice, then the applicant must demonstrate compliance with the requirements in paragraph 4 of this notice and any of the additional functions specified in paragraph 5. The FDE prediction capability defined in appendix 4 must also be evaluated to comply with the requirements in appendix 4 and to accurately predict the availability of the FDE algorithm.

c. Once the installation has been approved, the aircraft flight manual supplement (AFMS) must be updated to state: "The XXX GPS equipment as installed has been found to comply with the requirements for GPS primary means of navigation in oceanic and remote airspace, when used in conjunction with the XXX prediction program. This does not constitute an operational approval." Appropriate operational procedures assumed for aircraft certification, as well as procedures for operating any additional features (such as dead reckoning) must be identified in the AFMS. These procedures must include the use of the FDE prediction algorithms.

d. The FAA Form 337, Major Alteration or Repair, process may be used for follow-on installations of the same navigation system for which there is a TC or STC in the same model aircraft and the engineering data developed for the initial certification is used to accomplish the follow on installation approval.

e. The applicant should be aware that an operational approval must be obtained before conducting Class II navigation (remote/oceanic). Applicants should contact the appropriate Flight Standards District Office to seek approval.

John, K. McGrath

Manager, Aircraft Engineering Division

1. INTRODUCTION. GPS equipment shall have a fault detection and exclusion (FDE) capability that utilizes GPS measurements to provide independent integrity monitoring. The detection function refers to the capability to detect a satellite failure which affects navigation, while the exclusion function refers to the capability to exclude one or more failed satellites from the solution and prevent a satellite failure from affecting navigation. The FDE algorithm must meet the following requirements under the standard assumptions of GPS performance specified in paragraph 4 of this appendix. The detection and exclusion functions must be accomplished without pilot interaction. The FDE algorithm must be aided by barometric altimetry measurements, as required by TSO-C129. Additional augmentations (such as clock aiding) are not precluded.

2. DEFINITIONS. In order to assist in the interpretation of these definitions, figure 1 shows a fault tree relating the FDE events to each other for a snapshot in time.

*Wrong exclusion is not possible, since there is no real failure to incorrectly exclude

Figure 1. FDE Event Tree (snapshot in time)

a. Alert. An alert is defined to be an indication that is provided by the GPS equipment that the navigation performance achieved by the equipment is not acceptable. The conditions for this alert are defined below. Note that an alert refers only to those indications that are provided by the sensor, and does not refer to any internal processing associated with the FDE algorithm.

b. Horizontal Alert Limits. The horizontal alert limit for oceanic/remote navigation mode is defined to be at least 2 nm, but shall not exceed 4 nm. RTCA/DO-208 specifies a limit of 2 nm, but a higher limit of 4 nm increases availability and is adequate for oceanic/remote operation (see paragraph 5b of this notice).

c. Time-to-Alert. The time-to-alert for oceanic/remote navigation mode is defined to be at least 30 seconds, but shall not exceed 5 minutes. RTCA/DO-208 specifies a time-to-alert of 30 seconds, but a higher time-to-alert of 5 minutes increases availability and is adequate for oceanic/remote operation (see paragraph 5B of this notice).

d. Positioning Failure. A positioning failure is defined to occur whenever the difference between the true position and the output position exceeds the applicable horizontal alert limit.

e. Missed Detection. A missed detection is defined to occur when a positioning failure is not detected (internal to the FDE algorithm).

f. False Detection. A false detection is defined to occur when a positioning failure does not exist, but a failure is detected (internal to the FDE algorithm).

g. Wrong Exclusion. A wrong exclusion is defined to occur when a positioning failure is detected and the positioning failure still exists, but is undetected after exclusion, resulting in a missed alert.

h. Missed Alert. Positioning failures which are not annunciated (as an alert) within the time-to-alert are defined to be missed alerts. Both missed detection and wrong exclusion conditions are missed alerts.

i. False Alert. A false alert is defined as the indication of a positioning failure when a positioning failure has not occurred.

j. Horizontal Integrity Limit. The horizontal integrity limit (HIL) is the radius of a circle in the horizontal plane, with its center being at the indicated position, which describes the region which is assured to contain the true position. It is the horizontal region for which the missed alert and false alert requirements can be met. It is only a function of the satellite and user geometry and the expected error characteristics: it is not affected by actual measurements. Therefore, this value is predictable.

k. Availability of Detection. The detection function is defined to be available when the constellation of satellites provides a geometry for which the missed alert and false alert requirements can be met on all satellites for the alert limit and time-to-alert. When the constellation is inadequate to meet these requirements (paragraphs 3a and 3b of this appendix), the fault detection function is defined to be unavailable. Thus the availability of detection for a specific time, location, and constellation is defined to be the product of satellite-specific terms, as follows:

N

l. Failed Exclusion. A failed exclusion is defined to occur when a true satellite failure is detected and the detection condition is not eliminated within the time-to-alert (from the onset of the positioning failure). A failed exclusion results in an annunciation of a detected satellite failure. A failed exclusion does not imply that the exclusion must be correct, only that it eliminates the detection condition and therefore prevents an indication of loss of integrity monitoring. The probability of false exclusion is included in the probability of missed alert. In addition, failed exclusion of false internal detections are not included, because they are included in the false alert rate.

m. Availability of Exclusion. The exclusion function is defined to be available when the constellation of satellites provides a geometry for which the FDE algorithm can meet the failed exclusion requirement, and prevent the indication of a positioning failure or a loss of integrity monitoring function. Therefore, exclusion must occur before the duration of a positioning failure exceeds the time-to-alert, and the detection function as defined above must be available after exclusion. Note that for a given geometry and a given failed satellite, the success of the exclusion function to prevent an alert condition (duration of positioning failure exceeds time-to-alert) may be probabilistic. For example: given a particular exclusion algorithm, a satellite geometry, and a failed satellite, the algorithm could have a 99 percent probability of successfully preventing a warning condition. However, the exclusion function is only defined to be available if the probability of excluding a satellite and preventing an alert (given a satellite failure has occurred and has been detected) satisfies the failed exclusion requirement. Thus the availability of exclusion for a specific time, location, and constellation is defined to be:

N

3. FDE REQUIREMENTS

a. Missed Alert Probability. The probability of missed alert shall be less than or equal to 0.001 for every geometry and every navigation mode. If this requirement is not met for a given geometry, then the detection function is defined to be unavailable for that geometry (see paragraph 2k of this appendix). This requirement is on the missed alert rate external to the GPS equipment. When related to the internal algorithm, it includes both probabilities of missed detection and false exclusion.

b. False Alert Probability. The probability of false alert shall be less than or equal to 0.002/hour. If this requirement is not met for a given geometry, then the detection function is defined to be unavailable for that geometry (see paragraph 2m of this appendix). Note that a false alert rate of 10^-5 is more consistent with the requirement for loss of navigation. This requirement is relaxed to the RTCA/DO-208 requirement for oceanic operations, since the duration of the false alert will be short. This requirement is on the false alert rate external to the GPS equipment. When related to the internal algorithm, it includes both probabilities of false detection and the failure to exclude the false detection.

c. Failed Exclusion Probability. The probability of failed exclusion shall be less than or equal to 10^-3 for every geometry and every navigation mode for which exclusion is implemented. Exclusion must be implemented for the oceanic mode. If this requirement is not met for a given geometry, then the exclusion function is defined to be unavailable for that geometry (see paragraph 2m). This requirement is on the alert rate external to the GPS equipment due to failed exclusion. It is equivalent to the probability that a positioning failure is annunciated when a GPS satellite failure occurs and is detected internally.

For some algorithms, this probability may be zero in that exclusion is always conducted when a failure is detected. However, note that such an algorithm must also meet the missed detection requirement above, which includes the probability of false exclusion.

4. GPS STANDARD ASSUMPTIONS.

a. Selective Availability. Selective Availability (SA) shall be modeled as the sum of (1) a second-order Gauss-Markov process with an auto-correlation time of 120 seconds and a standard deviation of 23 m, and (2) a random constant with normal distribution, a mean of zero and a standard deviation of 23 m. The SA processes on all satellites are to be statistically independent. When modeling a single independent SA sample (for a single snapshot or for samples greater than 2 minutes apart), SA can be modeled by a Gaussian random variable with a mean of zero and a standard deviation of 30.5 m. Note that any additional errors must be added to this model, yielding a typical value of 33 m.

b. Satellite Failure. The probability of a satellite integrity failure is 10^-4 per hour for the GPS position solution (based on 3 satellite major service failures/year/constellation, assuming 8 satellites in view). A satellite integrity failure is defined to be a failure that can contribute to a hazardously misleading situation. For the purpose of testing, a slow-ramp failure of 5 meters/second may be used as described in RTCA/DO-208, paragraph 2.5.2.5.2.2.

1. STEP DETECTOR.

a. The equipment shall detect a pseudorange step error greater than 1000 meters, including steps which cause loss of lock for less than 10 seconds. A pseudorange step is defined to be a sudden change in the measured distance to a satellite. It can be written as:

where PR_PREDICTED is the predicted pseudorange at the time of measurement, based on previous measurements, and PR_MEASURED is the pseudorange at the time of the measurement.

b. If a pseudorange step is detected for a satellite, that satellite shall be excluded from use in the navigation algorithm until its integrity can be verified through fault detection (RAIM). The manufacturer is free to choose any method to calculate the predicted pseudorange. However, any method used should properly take into account satellite movement and aircraft dynamics up to a groundspeed of 750 knots (kts) and accelerations up to 14.7 meters/second/second (1.5 g's).

1. In addition to monitoring by using FDE and the step detector, the GPS equipment shall monitor the GPS navigation data to detect any of the following conditions within 5 minutes of the onset of the condition. Any satellite which meets any of the following criteria shall not be used for navigation for the duration of the condition.

a. Ephemeris health word in subframe 2 or 3 set to the "not healthy" state.

b. Failure of parity on 3 successive words.

c. User range accuracy (URA) of 128 meters or more.

d. Bit 18 of the hand-over word (HOW) set to 1.

e. Default navigation data is being sent (alternate 0's and l's).

f. Navigation data is all 1's (could inadvertently cause all satellites to be declared unhealthy).

g. Mismatching issue of data ephemeris (IODE) and issue of data clock (IODC).

1. A prediction program is required to support the operational requirement for a predeparture outage check. This prediction program can be provided on any processing platform (in the GPS equipment or not), but it must employ an identical FDE algorithm as the one that is utilized in the GPS equipment.

2. The prediction program must have the capability to manually designate GPS satellites which will be out of service during the operation. This will include GPS satellites scheduled to go out of service for maintenance, as well as satellites already out of service (if the program does not have access to that information directly through a GPS receiver and the almanac data).

3. The prediction program must have the capability for the operator to designate a route, defined by a series of waypoints. It must also allow for designation of a departure time and expected ground speeds. Since specific ground speeds may not be maintained, this pre-flight check will have to be performed for a range of ground speeds (expected ground speed ± 100 kts in 20 kt increments). Finally, it must allow for the entry of the route spacing (centerline to centerline) on the intended oceanic/remote route. This information will be used to determine the maximum length of an outage on the intended route.

4. For the route that is specified, the program must determine and output a bound for the outage durations specified below. This bound must be accurate for the complete range of flight times/speeds as described in paragraph 3 of this appendix. Note that this requirement is not intended to imply that the equipment must always compute these parameters in real time. This information may be precompiled and available via a look-up table within the equipment. For example, if the maximum worldwide outage with 24 satellites operating were 30 minutes, then the equipment could use that information as a conservative bound of the actual performance. Another example is the reduction in the velocity variation computation; if the applicant only computes the boundary conditions, and can prove that the conditions which are evaluated truly are the boundary conditions, then no additional calculations would be necessary.

a. The maximum outage duration of the loss of fault exclusion to within 5 minutes. An outage of exclusion is defined to occur when the exclusion function is unavailable (as defined in paragraph 2m of appendix 1).

b. The maximum outage duration of the capability to navigate (provide a position solution) to within 5 minutes.

5. If the maximum outage of exclusion (in hours) is greater than half the route spacing (in nm) divided by 35 or there is an outage of the ability to navigate, the program shall indicate that the operation should not be conducted.

6. This program can be used by the operator for planning purposes, and will be used prior to departure to determine if GPS has sufficient availability to conduct the operation.