GALA REF : GALA-SODETEG-APSYS-DD0132
DATE : 8/12/00
RAM Analysis Final Report ISSUE : 4.0
DOCUMENT INFORMATION SHEET
From : T. Morteveille, J. Trouilloud, M. Oberlé
Project Acronym : GALA
Project Name : Galileo Overall Architecture Definition
Title : RAM Analysis Final Report
Issue : 4.0
Reference : GALA-SODETEG-APSYS-DD0132
Date : 8/12/00
Pages Number : 154
File : dd132v
Issue : 4.0
Classification : TBD
WBS : TBD
Contract : TBD
Emitting Entity : SODETEG/APSYS
Type of Document : TBD
Status : FR1
Template Name : gala_aspi.dot (V1)
To :
Internal Distribution
Service Name N° Ex. Service Name N° Ex.
SODETEG 1
APSYS 1
External Distribution
Company Name N° Ex. Company Name N° Ex.
ASPI P. Verschueren 1
Sustainable Mobility and Intermodality
Promoting Competitive and Sustainable Growth
Galileo Overall Architecture Definition
RAM Analysis Final Report
Written by Responsibility - Company Date Signature
T. Morteveille, J. Trouilloud, M. Oberlé
Verified by
J-F. Delaigue
Approved
M. Oberlé
Documentation Manager
WBS Code : TBD
Emitting entity : SODETEG/APSYS
CHANGE RECORDS
ISSUE DATE § : CHANGE RECORD AUTHOR
1 20/09/00 First issue
2 20/10/00 PDA synthesis, FDA (functional breakdown)
DRS DD-132V1-PVE-01 (Id. 1, 2 partially, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 17, 18, 19, 20, 22),
DRS MC/11.3-001 (Id. 1, 2, 3, 4, 5, 7, 8, 10),
mail from O. Taylor (WP1) (§5 modifications for applications N°12, 14, 16, 69, 70, 71, 73, 74, 93, 94, 95)
3 16/11/00
• FDA tables (partial)
• DRS MC/GAST MC/11.3-002 dated 2/10/00 (Id. 1, 5, 6, 7, 9)
• DRS Ch. Schäfer (Astrium GmbH) dated 11/10/00 (Id. 1, 2)
SODETEG/APSYS
GAST
Astrium
4.1 8/12/00
• Section 6 : FDA tables completed
• Section 7 : Apportionment/demonstration of GALILEO RAM requirements
• Open points answers included (mom 191, 231)
SODETEG/APSYS
TABLE OF CONTENTS
1 INTRODUCTION
2 REFERENCES
2.1 DEFINITIONS
2.2 ACRONYMS
2.3 APPLICABLE DOCUMENTS
2.4 REFERENCE DOCUMENTS
3 GALILEO PRESENTATION AND CONTEXT
4 METHODOLOGY
4.1 GENERAL
4.2 RAM PARAMETERS UNDER ANALYSIS
5 PRELIMINARY DEPENDABILITY ANALYSIS (PDA)
5.1 DEPENDABILITY ANALYSIS ON USER APPLICATION
5.1.1 Safety of life and security applications
5.1.1.1 Transportation of passengers and goods
5.1.1.1.1 Commercial Air Transport IFR navigation [1]
5.1.1.1.2 Commercial Air Transport (surveillance) [2]
5.1.1.1.3 General Aviation (VFR) [3]
5.1.1.1.4 Deleted [4]
5.1.1.1.5 General Aviation (Surveillance) [5]
5.1.1.1.6 Train Control [6]
5.1.1.1.7 Train Supervision [7]
5.1.1.1.8 Energy Optimised Driving Style Manager [8]
5.1.1.1.9 Fleet Management [9]
5.1.1.1.10 Track Survey [10]
5.1.1.1.11 Passenger Information service [11]
5.1.1.1.12 Marine Navigation [12] & [13]
5.1.1.1.13 Marine surveillance [14]
5.1.1.1.14 Marine Engineering [15]
5.1.1.1.15 Harbour Docking [16]
5.1.1.2 Emergency services
5.1.1.2.1 Ambulance : Route Guidance [17] & Vehicle resources management [18]
5.1.1.2.2 Police /Fire : Route Guidance [19] - Vehicle resources management [20] & Pedestrian resource Management [21]
5.1.1.2.3 Police/ fire : Vehicle Tracking [22]
5.1.1.2.4 SAR : Alerting Beacons – Marine [23] & [25] – Air [24] – Personal [26]
5.1.1.2.5 SAR : Onboard Navigation of SAR units [27]
5.1.1.2.6 General conclusion on emergency services
5.1.1.3 Security
5.1.1.3.1 Personal protection: Lone Worker Protection [28]
5.1.1.3.2 Secured Data: Transport of Nuclear Waste [29]
5.1.1.3.3 Secured Data: Dangerous and valuable loads tracking [30]
5.1.1.3.4 Traffic surveillance and monitoring
5.1.1.3.4.1 Road Tolling [31]
5.1.1.3.4.2 Road surveillance and Regulatory Enforcement [32]
5.1.2 Mass Market
5.1.2.1 Land and River Navigation
5.1.2.1.1 Cars [33] to [35] - Truck and buses [36] to [38] - Light Commercial Vehicles [40] to [42]
5.1.2.1.1.1 Route Guidance [33, 36 & 40]
5.1.2.1.1.2 Information Services [34, 37 & 41]
5.1.2.1.1.3 Emergency call breakdown, Theft and recovery [35, 38 & 42]
5.1.2.1.2 All road Vehicles : Advanced Driver Assistance Systems [39]
5.1.2.1.3 Inland Waterways [43] to [45]
5.1.2.1.3.1 Vessel Navigation [43]
5.1.2.1.3.2 Vessel services [44]
5.1.2.1.3.3 Dredging and maintenance [45]
5.1.2.2 Personal Navigation [46] to [49]
5.1.2.2.1 Personal Outdoor Recreation [46] to [48] :
5.1.2.2.2 Location based communication services [49]
5.1.3 Professional market
5.1.3.1 Timing
5.1.3.1.1 Network synchronisation for Telecom [50], Power generation and distribution [51], digital broadcasting [52]
5.1.3.1.2 Satellite monitoring / navigation (ground based) [53]
5.1.3.1.3 Maintenance of international time standards [55]
5.1.3.1.4 Frequency/time calibration services [56]
5.1.3.1.5 Time tagging for general user [57]
5.1.3.2 Space
5.1.3.2.1 Space market [58, 59, 60, 61]
5.1.3.3 Scientific applications
5.1.3.3.1 Geodesy applications [62, 63]
5.1.3.3.2 Meteo forecasting ionosphere [64, 65, 67]
5.1.3.4 Precision surveying (Id 68)
5.1.3.5 Oil & Gas
5.1.3.5.1 [69,70,71,73,74]
5.1.3.5.2 FPSO positioning [72]
5.1.3.6 Vehicle control and robotics (Id 78, 79, 80)
5.1.3.7 Construction and civil engineering [81, 82]
5.1.3.8 Land survey and GIS mapping [83]
5.1.3.9 Fleet Management [84]
5.1.3.10 Asset management [85,86,87]
5.1.3.11 Precision agriculture [88, 89, 90]
5.1.3.12 Fisheries & Exclusive Economic Zone [91, 92]
5.1.3.13 Environment
5.1.3.14 Mining
5.1.3.14.1 3D positioning of mine machinery [97]
5.1.3.14.2 Mine surveying [98]
5.1.3.14.3 Autonomous mining vehicles [99]
5.1.3.14.4 Truck dispatch [100]
5.1.4 Synthesis of dependability analysis on user application
5.1.4.1 Syntheses of application mapping according to dependability requirements
5.1.4.2 Interface with Safety Classifications.
5.1.4.3 Mapping application/service
5.2 REFERENCE SCENARIO AND IDENTIFICATION
5.2.1 Application user
5.2.2 Service subscriber
5.2.3 Service provider
5.2.4 System operator
5.2.5 System designer
5.3 RAM RELEVANT INDICATORS DEFINITION
5.4 TOP LEVEL HAZARDS IDENTIFICATION
5.5 PDA SYNTHESIS
6 FUNCTIONAL DEPENDABILITY ANALYSIS (FDA)
6.1 GENERAL FDA PRESENTATION
6.1.1 FDA methodology and used form
6.1.2 General assumptions
6.2 RAM SEVERITY SCALE
6.3 GALILEO FUNCTIONAL BREAKDOWN
6.4 FDA SYNTHESIS
6.4.1 RAM Failure Condition Summary table
6.4.2 Common general assumptions
6.4.3 RAM Requirements
6.4.4 RAM Recommendations
6.4.5 Open points
6.4.6 GALILEO Functions RAM severity
7 APPORTIONMENT/DEMONSTRATION OF GALILEO RAM REQUIREMENTS
7.1 AVAILABILITY BLOCK DIAGRAM METHODOLOGY
7.2 PARTICULAR ASSUMPTIONS
7.3 ORIGIN OF THE RETAINED INPUT DATA
7.4 GALILEO SYSTEM AVAILABILITY BLOCK DIAGRAMS
7.4.1 Navigation service without integrity
7.4.2 Service with integrity – Global components
7.4.3 Service with integrity – Global + regional components
7.4.4 TM/TC function
7.4.5 Orbit monitoring function
7.5 RESULTS
7.6 ANALYSIS OF THE RESULTS
7.7 AVAILABILITY APPORTIONMENT TO MEET THE REQUIREMENTS
8 ANNEX :
8.1 PDA TABLES
8.2 FDA TABLES
8.3 AVAILABILITY COMPUTATION TABLES
8.3.1 Input data
8.3.2 Services without Integrity
8.3.3 Services with integrity – stand alone (global components)
8.3.4 Services with integrity (global + regional components)
8.3.5 TM/TC function
8.3.6 Orbit monitoring function
LIST OF FIGURES
Figure 1 : RAM methodology
LIST OF TABLES
Table 1 : Maximum acceptable time
Table 2 : Maximum frequency
Table 3 : Proposed Availability Classification per application
Table 4 : Synthesis of availability classification per application
Table 5 : RAM Status
Table 6 : Top level RAM hazards
Table 7 : RAM level allocation to Service levels
Table 8 : severity scale
Table 9 : GALILEO system functional breakdown
Table 10 : Failure Conditions list
Table 11 : RAM Assumptions from FDA (Ras)
Table 12 : RAM requirements (Rrq)
Table 13 : RAM recommendations (Rrm)
Table 14 : RAM open points (Rop)
Table 15 : GALILEO Function Criticality
1 INTRODUCTION
This report constitutes the RAM analysis final report for the GALILEO system in the frame of the GALA project.
The context for establishing these RAM analyses is the following: after the Mid Term Review held by the end of May 2000, it was decided to perform deeper top-down RAM analyses on the GALILEO system with the objective of defining RAM requirements for Galileo system components.
• The first step is to define the main missions of the GALILEO system and express them from a RAM point of view when relevant. This characterisation can be expressed by defining top level dependability hazards, which would affect the success of the GALILEO missions.
• A second step would be to derive these hazards and express them in terms of qualitative and quantitative Reliability and Availability parameters, which will constitute requirements for the system.
• In a third step these requirements will be derived and apportioned to clearly defined RAM requirements at GALILEO system components level, down to the appropriate level segments.
• The objective in that frame is to define clear and comprehensible RAM requirements fully exploitable at system components level.
• The fourth step will then consist in assessing whether the proposed architecture complies with the specified requirements and in proposing recommendations and improvements when necessary.
It is important to underline that the GALILEO system can be driven by several types of RAMS requirements :
• Those which are linked to safety considerations and are essentially dedicated to specific users such as satellite navigation, search and rescue, ...,
• Those which are linked to the availability of the services offered by the GALILEO system,
• Those which are linked to security of the data supported by GALILEO (bank, ...), ...
Obviously, some users can simultaneously expect from GALILEO services several of the requirements expressed previously.
This raises the fact that Safety and RAM requirements are closely linked together in such a system. Moreover, Safety requirements can in some cases be derived, apportioned and translated into RAM requirements (Reliability, maintainability or availability).
It means that the whole set of RAM tasks will have to be performed in close collaboration with the Safety activities. The trade-off between Safety and RAM requirements will have to be refined to comply with both types.
In addition, the RAM activities are involved in and contribute to the Risk management process of the GALILEO program. This makes it possible to periodically underline the potential risks and occurrence conditions raised through the RAM analyses and to identify the possible mitigation measures.
It is however important to underline that these RAM analyses are performed in the initial stages to give first relevant RAM indicators for system architecture purposes and cost related concerns. They should be further developed and refined in the following GALILEO program phases.
2 REFERENCES
2.1 DEFINITIONS
Availability, Continuity, Reliability
See GALILEO DEFINITIONS [DR6] issued from WP2.
RAM indicators
Starting from general definitions, they are parameters that reflect the dependability attributes and are tailored to the GALA context. They must be understandable, relevant and measurable.
2.2 ACRONYMS
FDA Functional Dependability Analysis
FHA Functional Hazard Analysis
PDA Preliminary Dependability Analysis
PHA Preliminary Hazard Analysis
RAM Reliability Availability Maintainability
2.3 APPLICABLE DOCUMENTS
N/A
2.4 REFERENCE DOCUMENTS
DR1 Master list of GALILEO applications for phase 2 (WP1), Issue 3 Rev E, GALA-RACAL-TN-017
DR2 GALA-RACAL DD005 Issue 2, dated 12/10/00, Market research methods and overall results
DR3 Architecture baseline definition, Issue 6.0, 1/12/00, GALA-ASPI-DD-027
DR4 Safety and Hazard analysis : Safety case Volume E : Safety assessment, GALA-APSYS-DD049, Issue 4, 30/11/2000
DR5 Synthesis on service definition, GALA-ASPI-TN011, Issue 2, 10/11/00
DR6 GALILEO DEFINITIONS, GALA-ASPI-DD092, Issue 3, 16/11/00
DR7 Potential military applications and interest, Issue 14, 15/07/00, GALA-FDC-dd130
DR8 Performance budget file, GALA-ASPI-DD036, Issue 3.0, 20/11/00
DR9 Mission Requirements SSS, GALA-DD108, Issue 2.1, 21/11/00
3 GALILEO PRESENTATION AND CONTEXT
Involving Europe in satellite navigation has been of prime interest for several years, given the situation where US GPS and Russian GLONASS are the only existing systems, both being military owned, GPS giving the US global leadership, including receiver manufacturing, and GLONASS having a very uncertain future.
After sufficient analyses, a process was needed to allow Europe to take an actual decision, based on a large awareness of all potential European actors in the domain. This process was started in January 1998 by the European Commission, which asked for adequate activities to be realised in the short term to allow a decision to be taken by early 1999.
This led to a communication from the European Commission issued on February 10th, 1999, where the main conclusions were drawn: strong recommendation for Europe to develop a satellite navigation system, called “Galileo”, independent of but complementary to and interoperable with US GPS and Russian GLONASS, integrating as far as possible the EGNOS system currently under development, taking security issues into account, addressing the needs of all potential categories of users and allowing the building-up of a Public-Private Partnership (“PPP”).
These conclusions were endorsed by European authorities, with the Council resolution of June 17th, 1999 on the involvement of Europe in a new generation of Satellite Navigation Services.
This led to the preparation of the definition phase, which begins by the end of 1999 with the aim of providing, by the end of 2000, high quality and timely advice to the Galileo Program Management Board and to the Galileo Steering Committee in order that Ministers may be provided with a clear and detailed statement of Galileo on cost bounds, feasibility, benefits to users and society including wealth creation, and technical, cost and timescale risks. This statement should allow the decision to go ahead to be taken.
The final objective of providing recommendations to European Institutions is devoted to a “central” study for the European Commission called GALA, under the leadership of Alcatel Space Industries.
13 high level tasks have been identified in GALA. The present RAM analysis is performed in the frame of the following one :
Task 6 – Overall system safety analysis
The methodology to be applied in the frame of GALILEO will be determined, and Reliability, Availability, Maintainability and Safety analyses will be performed. Evidence will be provided that specified requirements with regard to safety and reliability are met.
4 METHODOLOGY
4.1 GENERAL
The methodology used is based on a top-down approach. Starting from preliminary user needs, it intends to detect potential inconsistencies between real user needs and RAM objectives, to define the RAM top level feared events and the associated RAM requirements, and to assess the GALILEO system architecture compliance through a functional mapping.
Figure 1 presents the main steps that allow the objectives of the RAM analyses to be reached.
Step 1 : Preliminary Dependability Analysis
This first step uses as input the user requirements applications as defined in the WP1 activity (1), the service levels identification and definition, and the mapping between both.
The main tasks of step one are the following :
• Reference scenarios identification : these scenarios make it possible to define the several RAM indicators used to identify the top level events
• RAM relevant indicators definition : these indicators have to be significant regarding the user applications and the several view points (from users to designer)
• Hazards identification : associated to the reference scenario, notably they will make it possible to define the severity scale used in the future RAM analyses
• RAM appraisal of the user needs leading to a classification of the applications (using a dedicated RAM scale)
• Consistency check between RAM quantitative requirements assigned on services and user needs (using the applications / service levels mapping).
Based on application definitions Safety of Life, Mass market, Professional Market (user needs), the Dependability Analysis aims at deriving :
• Which user applications have “RAM critical” constraints in terms of availability / service reliability,
• Which user applications could become “Galileo project critical” if the RAM performances are below user expectation.
The hazards are categorised by their consequences on various aspects : economic, Galileo image and liability.
(1) The WP1 activity does not take into account a detailed GAS market/needs study. This is the reason why the GAS service is not analysed in the frame of this RAM analysis. Moreover, following the analysis of DR7, it is not possible to establish the mapping between the military applications and the GAS services as performed in the frame of this document for the other applications. It appears however that GAS service RAM requirements seem not to be more restrictive than those of some other services already analysed in this document.
Step 2 : Functional Dependability Analysis
The baseline architecture definition is studied in this phase to build a dependability-oriented functional model. This model will then be used to analyse function failures and to evaluate possible strategies to maintain the RAM performances of the GALILEO system service. A close loop with safety analysis is necessary to avoid duplication of analysis and to ensure consistency of requirements.
This will lead to the production of RAM requirements and a check of architecture constraints.
Step 3 : Apportionment of dependability requirements and assessment of the GALILEO system compliance
This step includes two tasks :
• Starting from the availability requirements and the expected order of magnitude of component reliability, an apportionment is made. For this task a rough modelling by FTA would be used. This step will produce dependability requirements at component level. In this project phase, the study will focus on availability requirements more than on maintainability requirements.
Note :
The fault tree technique makes it relatively simple to build a representative model that is easy to understand and validate. The quantitative treatment of the tree leads to apportioning RAM performances to the detailed elements decomposed in the tree.
• A refinement of the previous model will be made using architecture definition progress and technical data from, for instance, GALILEOSAT, Receiver concept, Station definition, etc. This will allow collecting data such as number of elements and preliminary reliability figures for a first assessment loop. This task will be based on the performed fault tree models, taking the logical combinations between the events into account. However, due to the nature of the GALILEO system and its behaviour (reconfiguration capabilities, time aspects) and according to the combined performances under analysis (especially availability and continuity), the possible use of other techniques (Petri nets for instance) may be envisaged.
This will consolidate the first evidence of GALILEO system compliance with RAM requirements, and provide RAM drivers for further RAM analyses and RAM recommendations.
4.2 RAM PARAMETERS UNDER ANALYSIS
In the frame of this RAM analysis, and with regard to the objectives of the present system phase, the RAM task focuses on the availability parameter. According to the definition of availability in the frame of the GALILEO system, it also includes continuity and integrity performances. This means that, when assessing the availability performance, continuity and integrity constraints are considered.
Moreover, the availability parameter is a result of the reliability and maintainability parameters; the availability assessment will then allow sizing the reliability and maintainability parameters, as well as integrating the logistic support parameters (maintenance concept, logistic delay time).
In addition, it has to be highlighted that even if the “time to fix” parameter could influence the “unavailability” time, especially as seen by the users, it is not detailed in the present assessment.
First of all, TTF is actually not an outage but is included in the operational process to start or restart an element. It can thus be involved in the restarting phase following an outage. Secondly, from a RAM point of view, this parameter has to be considered as an additional time of unavailability of the services. In that way, it is possible to synthesise the different service down times as follows :
• Parameters related to the repair of a faulty element (related to maintainability aspects or MTTR),
• Parameters for logistic delays (related to logistic concerns),
• Parameters for starting or restarting elements, such as TTF (related to operational process).
Down time will have to include at least these three types of parameters. However, this detailed analysis will have to be performed further. It can however be noticed that, among these parameters, TTF does not seem to be the most sizing one. For instance, the logistic delays are about several tens of hours, which is not the case for TTF.
[Flow diagram not reproduced. Columns : Input data, Analysis steps, Main outcomes. Text recoverable from the boxes :]
Analysis steps :
Preliminary Dependability Analysis (PDA) :
- Reference scenarios identification for party involved (from designer to users)
- RAM relevant indicators definition
- Feared events identification (from designer to users)
- Mapping between users RAM requirements/service levels
- Checking the consistency between service levels and users needs
Functional Dependability Analysis (FDA) :
- RAM Severity classification
- Analysis of GALILEO mission consequences through generic functional failure modes
Apportionment/demonstration of RAM requirements at GALILEO system component levels
Main outcomes :
(1) Top level RAM Hazards
(2) Rationale for assigning RAM quantitative requirements on services
(3) RAM qualitative requirements apportioned at Galileo functional level; Recommendations
(4) First evidence of GALILEO system compliance with RAM requirements; Requirements for further/lower level studies; RAM drivers (technical, organisational, economical)
Remaining box and arrow labels :
- User Requirements/applications (WP1)
- Service levels identification and definition
- Mapping applications/Service levels
- System Safety PHA, FHA
- Galileo functional breakdown
- Mapping with GALILEO architecture
- Validated (1)
- (2); (3)
Figure 1 : RAM methodology
5 PRELIMINARY DEPENDABILITY ANALYSIS (PDA)
5.1 DEPENDABILITY ANALYSIS ON USER APPLICATION
General comment:
The objective is to check the consistency between the users' RAM needs as expressed in DR 2 and the RAM requirements allocated to the service levels as expressed in DR3.
A RAM appraisal of the user needs has been performed and leads to a classification of the applications based on a dedicated RAM scale.
Two parameters have been defined to characterise the availability level of each application. Four levels of these parameters have been chosen with the objective of being progressive, simple and meaningful from a user point of view.
1 - Maximum acceptable time – Tmax :
It corresponds to the maximum acceptable time to have the service (available) when the user calls it. It means that, if x is this maximum time, the user will accept to “wait” to access the full service (with its performances) for a period of time lower than x.
Note :
This Tmax is linked to a dysfunctional case. So it has nothing to do with the Time To First Fix (TTFF) parameter, but it is close to the Service interruption threshold [DR5].
This Tmax includes the four following levels :
Category          Tmax
VH (very High)    1 minute
H (High)          1 hour
M (Medium)        1 day (24 hours)
L (low)           > 1 day
Table 1 : Maximum acceptable time
2 – Maximum frequency – Frmax
It corresponds to the maximum acceptable frequency, for a given time unit, at which the user does not have the service when he calls it.
This Frmax includes the four following levels :
Category          Frmax
VH (very High)    1 time/year
H (High)          1 time/month
M (Medium)        1 time/week
L (low)           1 time/day
Table 2 : Maximum frequency
Example 1 :
A given user classified in the VH category will refuse to be denied access to the service more than one time per year.
Example 2 :
A user application could be classified as L/L. It means that formally, in the worst case, the user could never have the service. It indicates in fact that the GALILEO application is not essential for its activities.
When the consequence of an unpredictable SIS interruption is limited to the corporation or to a company, the economical effects are generally considered as Medium to High. The assumption is that the user will not complain about the Galileo service in case of a predicted and announced SIS interruption.
When the consequence is immediately transferred to the customer of the corporation, the economical effects become of another order of magnitude. Then the dependability requirements become High to Very High.
The applications described in [DR1] have been scanned and assessed with due consideration to the above preliminary remarks.
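The Tmax/Frmax scale of Tables 1 and 2 written as a small classifier, as an added example that is not part of the report. The function names, the 365-day year, the rule that a stated tolerance maps to the least demanding level that still satisfies it, and the worst-case bound (every permitted outage lasting the full Tmax) are assumptions of this example; the sample tolerances are the ones the report states for four of its applications.

```python
"""Tmax/Frmax availability scale (Tables 1 and 2) as a classifier."""

MINUTES_PER_YEAR = 365 * 24 * 60  # assumption: 365-day year

# Table 1, bounds in minutes. "L" means "> 1 day", so it has no finite bound.
TMAX_MINUTES = {"VH": 1, "H": 60, "M": 24 * 60, "L": None}
# Table 2, converted to outages per year (assumption: 12 months, 52 weeks,
# 365 days per year).
FRMAX_PER_YEAR = {"VH": 1, "H": 12, "M": 52, "L": 365}
# Stringency order shared by both parameters, least to most demanding.
ORDER = ["L", "M", "H", "VH"]


def classify_tmax(tolerated_wait_minutes):
    """Least demanding Tmax level that still satisfies the tolerated wait."""
    if tolerated_wait_minutes <= 0:
        raise ValueError("tolerated wait must be positive")
    if tolerated_wait_minutes > TMAX_MINUTES["M"]:
        return "L"  # the user accepts more than one day
    for level in ("M", "H"):
        if tolerated_wait_minutes >= TMAX_MINUTES[level]:
            return level
    return "VH"  # under one hour: only the 1-minute level satisfies the need


def classify_frmax(tolerated_outages_per_year):
    """Least demanding Frmax level that still satisfies the tolerated rate."""
    if tolerated_outages_per_year <= 0:
        raise ValueError("tolerated outage rate must be positive")
    for level in ORDER:
        if tolerated_outages_per_year >= FRMAX_PER_YEAR[level]:
            return level
    return "VH"  # the scale has nothing tighter than once a year


def classify(tolerated_wait_minutes, tolerated_outages_per_year):
    """Return the 'Tmax/Frmax' code in the order the report writes it."""
    return "{}/{}".format(classify_tmax(tolerated_wait_minutes),
                          classify_frmax(tolerated_outages_per_year))


def parse(code):
    """Split a code such as 'H/VH'; reject anything outside the scale."""
    tmax, frmax = code.strip().upper().split("/")
    if tmax not in TMAX_MINUTES or frmax not in FRMAX_PER_YEAR:
        raise ValueError("unknown level in {!r}".format(code))
    return tmax, frmax


def worst_case_unavailability(code):
    """Upper bound on the fraction of a year without service.

    Assumes every permitted outage lasts the full Tmax. An unbounded Tmax
    ("L") gives 1.0, which is the report's Example 2: an L/L user could
    formally never have the service.
    """
    tmax, frmax = parse(code)
    if TMAX_MINUTES[tmax] is None:
        return 1.0
    down_minutes = TMAX_MINUTES[tmax] * FRMAX_PER_YEAR[frmax]
    return min(1.0, down_minutes / MINUTES_PER_YEAR)


def covers(service_code, need_code):
    """True if a service level is at least as demanding as a need on both
    parameters (the consistency check between service levels and needs)."""
    s_t, s_f = parse(service_code)
    n_t, n_f = parse(need_code)
    return (ORDER.index(s_t) >= ORDER.index(n_t)
            and ORDER.index(s_f) >= ORDER.index(n_f))


# (application, tolerated wait in minutes, tolerated outages per year,
#  classification given in the report)
REPORT_CASES = [
    ("Commercial air transport IFR navigation [1]", 60, 1, "H/VH"),
    ("Dangerous and valuable loads tracking [30]", 60, 52, "H/M"),
    ("Road tolling [31]", 60, 12, "H/H"),
    ("Space market [58-61]", 1, 1, "VH/VH"),
]

if __name__ == "__main__":
    for name, wait, rate, reported in REPORT_CASES:
        code = classify(wait, rate)
        bound = worst_case_unavailability(code)
        print("{:<45} {:<6} report={:<6} worst-case availability >= {:.5%}"
              .format(name, code, reported, 1.0 - bound))
```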
5.1.1 Safety of life and security applications
5.1.1.1 Transportation of passengers and goods
The applications described here are clearly concerned with safety of life as they transport commercial passengers or crew.
5.1.1.1.1 Commercial Air Transport IFR navigation [1] (see footnote 2)
All commercial air transport will rely on satellite navigation systems in the near future. The dependability requirements are then very high for this application. For safety reasons operators will not rely on a single source of signal; Galileo dependability will then affect operational aspects and possibly flight delays according to aircraft MEL (Minimum Equipment List) status.
Footnote 2 : SAS-L is mapped on Civil Aviation in [DR9], but not on detailed applications. However, without this mapping, SAS-L has a RAM critical status (see § 5.5) : there is no impact on the final result.
An interruption of service shorter than one hour should be acceptable assuming it does not occur more frequently than once a year (for instance, the current French nominal regional tracker system has an unavailability of around 5 minutes per year).
Conclusion :
Failure of Galileo system to provide navigation data is classified H/VH.
5.1.1.1.2 Commercial Air Transport (surveillance) [2]
ATC being in charge of surveillance of the traffic, any loss of availability of aircraft’s position, heading, speed and time will lead the controllers to revert to back-up procedures with a significant increase of workload and associated delay in traffic flows (en route, approach and take off).
Economical consequences can rapidly become very high for all the operators and customers.
Conclusion :
Failure of Galileo system to provide navigation data is classified VH/VH.
5.1.1.1.3 General Aviation (VFR) [3]
Dependability requirements are similar to Commercial air transport [1] due to the customers typology: business aviation, special air services, police…
Conclusion :
Failure of Galileo system to provide navigation data is classified H/VH.
5.1.1.1.4 Deleted [4]
5.1.1.1.5 General Aviation (Surveillance) [5]
General aviation surveillance is considered as a part of the air traffic and it is assumed that dependability requirements are similar to commercial air traffic.
Conclusion :
Failure of Galileo system to provide navigation data is classified VH/VH.
5.1.1.1.6 Train Control [6]
It is a traffic control application requiring dependable positioning and communication resources. ERTMS is directly intended for train separation. Satellite positioning and communication resources could be useful as additional means, but it also seems realistic for trains to experience frequent situations of masking or interference on their link with the satellites. This application is directly related to safety of life, but it seems very dangerous to rely only on the satellite resource. As far as dependability is concerned, the unavailability of the GALILEO service for this application leads directly to stopping the train traffic, with important consequences at least at regional level.
Conclusion :
Failure of Galileo system to provide navigation data is classified VH/H.
5.1.1.1.7 Train Supervision [7]
As described in the application, the train position information is intended to provide an overlay to other traffic control means.
Confidence in the system will be obtained if service interruptions are of the same order of magnitude as all other sources of interruption and if the interruptions are not too frequent. However, the GALILEO service is not the sole means for the train supervision application. The dependability requirements can be relaxed compared to application 6.
Conclusion :
Failure of Galileo system to provide navigation data is classified H/H.
5.1.1.1.8 Energy Optimised Driving Style Manager [8]
This application is intended to provide a scheduled “track plan” optimised from constraints such as time of arrival and fuel consumption. It can be thought of as a “driving aid” application and, since the driver remains “in the loop” for monitoring purposes, high economical consequences are not foreseen in case of service interruption.
Conclusion :
Failure of Galileo system to provide navigation data is classified L/L.
5.1.1.1.9 Fleet Management [9]
In this application, the position information is collected for tasks such as planning updates, maintenance, location of locomotives or rolling stock.
An interruption of Galileo signal will delay commercial exchanges, will affect operational performance and could lead to customers’ claims.
The requirements are high.
Conclusion :
Failure of Galileo system to provide navigation data is classified H/H.
5.1.1.1.10 Track Survey [10]
This application is described as a typical civil engineering survey. If it is impossible to receive Galileo SIS, back-up procedures can be used with little economic effect, assuming it does not occur more frequently than once a month. The economical effects are limited to the company in charge of track survey.
Conclusion :
Failure of Galileo system to provide navigation data is classified M/H.
5.1.1.1.11 Passenger Information service [11]
Applications described here need intensive communication resources and good positioning information. Loss of information on train position, time and delays may affect users as they are more and more requesting to be informed in “real time”. Nevertheless the SIS is a small part of the information chain; the availability performance should be equally allocated between all the parts (data collection, processing, communication, displays,…). It is assumed that the requirement part allocated to Galileo is Low (TBC).
Conclusion :
Failure of Galileo system to provide navigation data is classified L/L.
5.1.1.1.12 Marine Navigation [12] & [13]
For safety reasons, the maritime community currently uses different systems of navigation, avoidance and communication, and will probably not abandon them all in the foreseeable future. Reliable positioning for vessels cruising inshore is essential for safety, particularly for all weather operations. The requirement allocation to Galileo SIS is High.
Conclusion :
Failure of Galileo system to provide navigation data is classified H/H.
5.1.1.1.13 Marine surveillance [14]
The loss of the vessel position signal for the Surveillance team should become a problem if the duration of this loss leads to the impossibility to locate a vessel. Depending on its speed, a vessel can travel hundreds of miles in one day. Therefore the vessels concerned by this application cannot accept an interruption time of one day.
Conclusion :
Failure of Galileo system to provide navigation data is classified H/H.
5.1.1.1.14 Marine Engineering [15]
The effects of a loss of Galileo SIS will at worst (if it is a sole means) lead to a delay in work progress with economical consequences for the company.
Conclusion :
Failure of Galileo system to provide navigation data is classified M/M (tbd in relation with WP 1).
5.1.1.1.15 Harbour Docking [16]
In the near future, we can imagine computer aided docking systems using satellite-positioning services. Major benefits of these systems would be economic, and a misleading positioning input would have mostly economical consequences. But economic consequences could turn into high scale economic disasters. So, to be efficient, these systems would need dependable positioning input.
Loss of navigation information could lead to a failure of the autopilot for docking. This will not prevent hand-over by the pilot in command.
Conclusion :
Failure of Galileo system to provide navigation data is classified H/M.
5.1.1.2 Emergency services
Emergency services are “means oriented” and not “success oriented”. On the other hand, citizens increasingly demand the use of the most efficient means and are not ready to tolerate failures or unavailability of emergency services.
Emergency services by themselves are not Safety Critical but their ability to react efficiently on request makes them Safety Related.
In terms of dependability they all require a good availability of service. But the availability of the SIS should be consistent with all other sources of interruption from other parts of the Emergency service and with the response time of the emergency means. Consequently most of them are classified H/M or VH/M.
5.1.1.2.1 Ambulance : Route Guidance [17] & Vehicle resources management [18]
Galileo service is useful and can become strategic for ambulance applications due to its capability to localise the ambulance precisely and to guide it to the point of intervention.
Safety of life can be affected if a delay is introduced by the Galileo Nav service, due either to an erroneous localisation of the intervention point or of the ambulance position.
Loss of information will prevent positioning and delay the rescue service. If there is one person to rescue, the consequences are considered MAJOR as it will affect safety margins for the patient but cannot be considered as a direct cause of casualty.
In case of numerous persons to rescue the consequences can be reassessed to SEVERE MAJOR, as the accidental event and a major disorganisation of ambulance services can result from a common event.
On the other hand emergency/ambulance services are designed and trained to cope with emergency conditions using alternate and sound procedures, which helps to decrease the dependability requirements on Galileo. (TBC)
Conclusion :
Failure of Galileo system to provide navigation data is classified H/M.
5.1.1.2.2 Police / Fire : Route Guidance [19] - Vehicle resources management [20] & Pedestrian resource Management [21]
Galileo service is useful and can become strategic for police / fire applications due to its capability to locate the resources precisely and to guide them to the point of intervention. There is no direct economical consequence. The availability requirements must be balanced against all the potential causes of losing the SIS (masking, communication, …).
Classification is similar to ambulance service.
Conclusion :
Failure of Galileo system to provide navigation data is classified H/M.
5.1.1.2.3 Police / fire : Vehicle Tracking [22]
The tracking service provides a means for police services to track co-operative or non co-operative vehicles. This application is a help for police. There is no direct economical consequence. The availability requirements must be balanced against all the potential causes of losing the SIS (masking, communication, …).
Conclusion :
Failure of Galileo system to provide navigation data is classified M/H or M/M (tbd in relation with WP 1).
5.1.1.2.4 SAR : Alerting Beacons – Marine [23] & [25] – Air [24] – Personal [26]
This service provides a means for a person, a ship or aircraft in distress to send an emergency signal to a SAR Service at a Rescue Co-ordination Centre (RCC).
This application is directly safety related. The key factors are real time precise position location.
Loss of navigation information will prevent positioning and delay SAR service. The consequence is a reduction of safety margins for the people in distress but is not a direct cause of casualty.
The dependability requirement shall be consistent with the response time of the complete SAR chain (from the beacon to the rescue operation). Then a maximum average delay of one hour is not unrealistic.
Conclusion :
Failure of Galileo system to provide navigation data for SAR is classified H/H.
5.1.1.2.5 SAR : Onboard Navigation of SAR units [27]
This application is related to the SAR units, which are 24H/24H. If they rely on the Galileo signal to be guided to the rescue site a high dependability is expected.
Conclusion :
Failure of Galileo system to provide navigation data is classified VH/VH.
5.1.1.2.6 General conclusion on emergency services.
The Emergency Service applications are Safety Related but not Safety Critical as stand alone users.
The dependability requirements are High in terms of access to the service, and Medium in terms of frequency of unavailability.
5.1.1.3 Security
5.1.1.3.1 Personal protection: Lone Worker Protection [28]
This application is close to the SAR application as it is related to worker location and distress call.
The availability of the service is linked to economical constraints. If the service is not available, at least two workers are necessary to perform the task in order to be sure that emergency services will be called in case one worker has a problem. Then the requirement for the response time to get the service is High and the frequency of unavailability is Medium.
Conclusion :
Failure of Galileo system to provide navigation data is classified H/M.
5.1.1.3.2 Secured Data: Transport of Nuclear Waste [29]
Monitoring transport of nuclear waste using Galileo data can be considered as an improvement.
A loss of navigation information continuity will not affect safety protections taken with regard to radiation. An interruption of the localisation of the containers during one or several days should become neither a safety nor an economical problem.
Conclusion :
Failure of Galileo system to provide navigation data is classified L/M.
5.1.1.3.3 Secured Data: Dangerous and valuable loads tracking [30]
As this application is described, failure to localise a dangerous or valuable load has no immediate impact on safety of life or environment.
This application could need continuity / availability for Governmental purposes (TBC). A loss of position during a period shorter than one hour seems acceptable, assuming the localisation becomes possible after this period.
The maximum acceptable loss frequency is estimated at once a week.
Conclusion :
Failure of Galileo system to provide navigation data is classified H/M.
5.1.1.3.4 Traffic surveillance and monitoring
5.1.1.3.4.1 Road Tolling [31]
The impossibility to locate and identify the vehicles on a toll road has direct economical effects on the company's income. As it is assumed in the application that roadside infrastructure is eliminated, there is no other way to collect toll fees. The economical effects are limited to the company (users will certainly appreciate such failures, unless the economical risk is considered in the normal price).
In a region a loss of service of one hour means that a large number of vehicles will not be charged. This event should not appear more frequently than once a month.
Conclusion :
Failure of Galileo system to provide navigation data is classified H/H.
5.1.1.3.4.2 Road surveillance and Regulatory Enforcement [32]
This application is a “surveillance” application and is more associated with social and legal objectives than linked to economical objectives. A loss of service will reduce the capability of the regulatory authorities to perform their missions, but as the outlaw vehicles should not be aware of the system failure the risk is low as long as the failure is not long and not frequent.
Conclusion :
Failure of Galileo system to provide navigation data is classified H/H.
5.1.2 Mass Market
Mass market users generally expect a high level of dependability from a new system. Their tolerance to system failure is generally low, so their requirements are generally classified H/H. That means they accept to wait for navigation data during one hour once a month.
5.1.2.1 Land and River Navigation
5.1.2.1.1 Cars [33] to [35] - Truck and buses [36] to [38] - Light Commercial Vehicles [40] to [42]
5.1.2.1.1.1 Route Guidance [33, 36 & 40]
This application is related to determining and optimising the route to reach a predetermined destination.
Success of the service will rely on user satisfaction. It is assumed they will accept to wait for navigation data during one hour once a month.
Conclusion :
Failure of Galileo system to provide navigation data is classified H/H.
5.1.2.1.1.2 Information Services [34, 37 & 41]
The purpose of the application differs from route guidance, but the user will have the same dependability requirements.
Conclusion :
Failure of Galileo system to provide navigation data is classified H/H.
5.1.2.1.1.3 Emergency call breakdown, Theft and recovery [35, 38 & 42]
This application is related to Emergency Calls, Breakdown Calls, vehicle recovery after theft.
The Emergency Call function is similar to the SAR function. But the embedded system can be considered as an “added means” to reduce the rescue intervention delay in case of crash. This added means is not permanently monitored, is subject to hidden failures, and cannot be efficient for all crash scenarios. It is considered as Safety Enhanced. The availability requirements for Galileo service should be consistent with the expected reliability of mass market transponders, of GNSS sensors and with the probability of the initiating event which requires the application.
Conclusion :
Failure of Galileo system to provide navigation data is classified H/M.
5.1.2.1.2 All road Vehicles : Advanced Driver Assistance Systems [39]
As far as navigation data is used to perform navigation and guidance functions, the worst consequence associated with a loss of information should be minor because the driver remains in the loop for vehicle control and collision avoidance. The dependability requirement is then driven by user satisfaction to have an operational system (certainly a degraded performance could be acceptable for him…).
Galileo navigation data can be used for car auto piloting only in combination with complementary sensors. If not, the navigation data becomes safety critical and will require a very high dependability level.
Conclusion :
Failure of Galileo system to provide navigation data is classified VH/VH if used as a sole means for vehicle auto piloting. Otherwise a classification VH/H could be acceptable.
5.1.2.1.3 Inland Waterways [43] to [45]
5.1.2.1.3.1 Vessel Navigation [43]
It is considered that in the future, the navigation system could change from an additional aid to the skipper to a primary means. In case of loss of service, “classical” means of navigation must be used, thus increasing crew workload and possible delays with economical effects at the company level.
Conclusion :
Failure of Galileo system to provide navigation data is classified H/H.
5.1.2.1.3.2 Vessel services [44]
As far as dependability is concerned, it is assumed that Galileo provides only a vessel tracking service that helps the user for travel preparation, route guidance, and traffic control and information.
A loss of service could lead to possible delays with economical effects at the company level.
Conclusion :
Failure of Galileo system to provide navigation data is classified H/M.
5.1.2.1.3.3 Dredging and maintenance [45]
A loss of service could lead to possible delays with economical effects at the company level.
Conclusion :
Failure of Galileo system to provide navigation data is classified M/H.
5.1.2.2 Personal Navigation [46] to [49]
5.1.2.2.1 Personal Outdoor Recreation [46] to [48] :
This application includes yachting, recreational aircraft, golf, hiking, rambling, cycling, marine leisure. The users' confidence in the system will depend on their previous experiences in similar systems (GPS, GSM…). At worst a temporary loss of signal will have detrimental commercial consequences. Then failure of Galileo system to provide navigation data is classified H/M.
5.1.2.2.2 Location based communication services [49]
The scope of service is very wide. It is assumed that users will have requirements similar to those for other mass market applications. (TBC)
Conclusion :
Failure of Galileo system to provide navigation data is classified H/M.
5.1.3 Professional market
5.1.3.1 Timing
5.1.3.1.1 Network synchronisation for Telecom [50], Power generation and distribution [51], digital broadcasting [52]
This application intends to provide time tagging and conditioning of time and frequency references for telecommunication network management systems (within wireless and wireline), reference for power network management systems, new digital broadcasting systems.
As it is not a real time application, the user who calls the service can accept to wait for the service for one hour or, punctually, to not access it without major impact on its applications (the time parameter for the user is not lost when the service is not available; indeed the time drift in the user application is a slow process which does not preclude using an application for a given time).
Conclusion :
Failure of Galileo system to provide navigation data is classified H/L.
5.1.3.1.2 Satellite monitoring / navigation (ground based) [53]
GALILEO system is used here to disseminate timing signals for monitoring and tracking of other satellite systems (ground based). Due to the same considerations as for applications 50, 51 and 52, it is assumed that the user can wait one hour to access the service. However, as it is used to monitor and track ground based satellite systems, the loss frequency of the service needs to be lower (1 per week maximum).
Conclusion :
Failure of Galileo system to provide navigation data is classified H/M.
5.1.3.1.3 Maintenance of international time standards [55]
GALILEO is used for the maintenance and development of international time standards (time transfer between primary time standards).
As the drift of the time parameter in the atomic clock is a very slow process, it is assumed that this application does not involve stringent constraints from a RAM point of view. Indeed, in case of non-access to the service or postponed access, the user does not lose its operational applications. He can wait and call the service again without notable degradation of the performances of its applications.
Conclusion :
Failure of Galileo system to provide navigation data is classified L/L.
5.1.3.1.4 Frequency/time calibration services [56]
GALILEO is used to disseminate time and information standards to secondary time/frequency standards.
Same comments as for Id [55].
Conclusion :
Failure of Galileo system to provide navigation data is classified L/L.
5.1.3.1.5 Time tagging for general user [57]
GALILEO system is used to provide time stamps and/or clock synchronisation for professional stationary applications (e-commerce, time stamping authorities, electronic banking, traffic light regulation, quality assurance systems).
For this type of application, the service has to be available in a relatively short period and the non-access to the service cannot be too frequent. Indeed, even if these are not real time applications, the impacts (economical, legal,...) can rapidly become significant at a regional or national scale in case of unavailability of the service. It is assumed in this case that the maximum acceptable time to access the service is one hour, with a maximum frequency of non-access of one per month.
Conclusion :
Failure of Galileo system to provide navigation data is classified H/H (tbc : DRS DD-132V1-PVE-01 id 15).
5.1.3.2 Space
5.1.3.2.1 Space market [58, 59, 60, 61]
GNSS is used to position and to allow approach and docking of space vehicles, formation flying spacecraft, space stations. These missions cannot be easily postponed and restarted without very important economical and technical impacts. Thus, when it is called, the service has to be available in a very short time (not exceeding 1 minute), with a very high probability to have it (maximum frequency to not have the service one per year). In this context the service has to be provided with a high level of availability.
Conclusion :
Failure of Galileo system to provide navigation data is classified VH/VH.
5.1.3.3 Scientific applications
5.1.3.3.1 Geodesy applications [62, 63]
GALILEO will provide new sophisticated equipment for the scientific studies that will complement all other means. Geodesic applications use the GALILEO signal either to have a co-ordinate reference system and for high precision measurement for regional and global networks or to have the precise position of geodetic sensors.
These applications require accuracy but are not time constrained, leaving time to cope with a loss of signal or to detect erroneous data. However the loss of the GALILEO service can affect, in the first case, regional or global networks; in the second case the sensors are installed on ships and aircraft for which the missions are time constrained.
Conclusion :
Failure of Galileo system to provide navigation data is classified M/M.
5.1.3.3.2 Meteo forecasting ionosphere [64, 65, 67]
These applications correspond to non-time constrained processes, which can accept to be postponed without significant impact.
The application [67], which involves a receiver on a radiosonde, is a little bit more stringent due to the fact that the launch of a radiosonde corresponds to a more time constrained period. Thus the dependability constraints are a little bit more restrictive.
Conclusion :
Failure of Galileo system to provide navigation data is classified L/L for [64, 65] and M/L for [67].
5.1.3.4 Precision surveying (Id 68)
These applications are related to hydrographic survey.
Thus they correspond to non-time constrained processes, leaving time to cope with non-access to the service. The mission can be postponed and/or restarted without significant impact for the user.
Conclusion :
Failure of Galileo system to provide navigation data is classified L/L (tbd in relation with WP 1).
5.1.3.5 Oil & Gas
5.1.3.5.1 [69,70,71,73,74]
These applications are related to:
• Marine and land seismic acquisition,
• Site survey,
• Land and transition zone seismic exploration,
• Rig Positioning and associated anchor vessels,
• VSP operation positioning.
The GALILEO system provides in this frame precise positioning and navigation information for vessels and vehicles. It seems that these applications involve a real-time process (cf. WP 1). Given the mission time of these activities, it can be assumed that a frequency of service non-availability of not more than once a week could be acceptable.
Conclusion: Failure of Galileo system to provide navigation data is classified H/M.
5.1.3.5.2 FPSO positioning [72]
For this specific application, which is directly linked to production activity, non-access to the GALILEO service can rapidly lead to an unacceptable situation with economic consequences. The availability constraint is higher than for the previous ones.
Conclusion: Failure of Galileo system to provide navigation data is classified H/H.
5.1.3.6 Vehicle control and robotics (Id 78, 79, 80)
In this sector the GALILEO system is intended to provide data for positioning of pilotless aerial platforms (including aeroplanes, helicopters, airships), autonomous underwater vehicles or enhanced vehicle control.
These robots perform laborious, tedious, continuous and repetitive tasks in place of a human operator.
The related activities are time constrained and require a high level of availability (short response time) when the service is called. However, because the mission profiles are more occasional, it is assumed that the maximum acceptable frequency of non-access to the service is around once per week.
Conclusion: Failure of Galileo system to provide navigation data is classified VH/M (tbc: DRS DD-132V1-PVE-01 id 16).
5.1.3.7 Construction and civil engineering [81, 82]
A high level of accuracy is needed for these applications, but at the construction site scale, considering the environmental and operational process of construction and civil engineering activities, one day as a maximum time to postpone a task, or non-access to the service once per week, is assumed to be acceptable for the user.
Conclusion: Failure of Galileo system to provide navigation data is classified M/M.
5.1.3.8 Land survey and GIS mapping [83]
The Galileo positioning/navigation service can be used to update or generate maps with various levels of accuracy depending on the final user of the map. Galileo provides a new tool for the mapping sector with potentially high benefits.
Establishing sea charts cannot be done in a one-stream process from raw positioning information. It is the result of a complex process of correlation and comparison with previous charts and data.
Service unavailability at the one-day scale, or occasional non-access to the service, is assumed not to lead to significant impacts for the user. No high availability constraint is required for these applications.
Conclusion: Failure of Galileo system to provide navigation data is classified L/L (tbd in relation with WP1).
5.1.3.9 Fleet Management [84]
Fleet management is based on positioning mobile vehicles and communicating their position to a management station.
As this application is directly linked to optimisation of fleet management, the availability of the GALILEO service is important for the user mission. Moreover, in case of failure of the GALILEO service, regional or national consequences can potentially be observed. The availability constraints are high.
Conclusion: Failure of Galileo system to provide navigation data is classified H/H.
5.1.3.10 Asset management [85,86,87]
Asset management covers both mapping and locating fixed assets and tracking of movable assets (containers, trailers, vehicles for anti-theft, livestock, weather balloons…).
The first category, management of fixed assets, is not a time-constrained application. Moreover, in case of failure of the GALILEO service, the activity can be postponed without major impact at the level of the user or community of users. The availability constraints are low.
Conclusion: Failure of Galileo system to provide navigation data is classified L/L for [85].
For the intermodal cargo operation, the availability constraints can be considered higher because of relatively short transitory operations in the process, which cannot be stopped frequently or for a long period without significant impact.
Conclusion: Failure of Galileo system to provide navigation data is classified H/M for [86].
The asset tracking application can be considered to lie midway between the two previous applications.
Conclusion: Failure of Galileo system to provide navigation data is classified M/M for [87] (tbd in relation with WP1).
5.1.3.11 Precision agriculture [88, 89, 90]
The applications described here are related to positioning of agricultural machines (combine harvester, tractor, spray control machine, fertiliser spreader apparatus, crop dusting aircraft) to control chemicals.
Except for crop dusting by aircraft, which could be more restrictive from a dependability point of view, the first two activities are not significantly impacted in case of non-access to, or waiting for, the GALILEO service. The missions can be postponed or reorganised.
Conclusion: Failure of Galileo system to provide navigation data is classified L/L for [88, 89].
For crop dusting by aircraft, the mission may be considered more time constrained and requires a higher availability level.
Conclusion: Failure of Galileo system to provide navigation data is classified M/M for [90] (tbd in relation with WP1).
5.1.3.12 Fisheries & Exclusive Economic Zone [91, 92]
It is assumed that these activities can accept waiting for the GALILEO service for a given time (around one day max) or not accessing it once per week without significant impact for users or community of users. Indeed, the fishing campaign is delayed by one day but is not completely lost, which would have significant economic consequences.
Conclusion: Failure of Galileo system to provide navigation data is classified M/M.
5.1.3.13 Environment
These applications are not time constrained but need the GALILEO service to be available on a time scale shorter than one day, with a service failure frequency of no more than once per week. Above these thresholds, economic impact at community level may be considered.
Conclusion: Failure of Galileo system to provide navigation data is classified H/M for [93, 94, 95].
For application [96] (animal tracking), it is considered that the impact in case of failure of the GALILEO service is less important (no economic consequences at community level).
Conclusion: Failure of Galileo system to provide navigation data is classified L/L for [96].
5.1.3.14 Mining
5.1.3.14.1 3D positioning of mine machinery [97]
This application is involved in real-time activity. Failure of the GALILEO service rapidly impacts the exploitation and thus has economic consequences.
Conclusion: Failure of Galileo system to provide navigation data is classified H/H.
5.1.3.14.2 Mine surveying [98]
This application is not directly linked to real-time activity. The max acceptable waiting time to access the service may be around one day without significant impact. However, the max frequency of non-access to the GALILEO service must not be higher than once per month in order not to impact the mine surveying tasks.
Conclusion: Failure of Galileo system to provide navigation data is classified M/H (tbd in relation with WP1).
5.1.3.14.3 Autonomous mining vehicles [99]
This application involves time, positioning and velocity information. The access time to the service has to be very short to fully meet the application parameters. The acceptable max frequency of non-access to the GALILEO service is once per month, so as not to lead to significant consequences.
Conclusion: Failure of Galileo system to provide navigation data is classified VH/H.
5.1.3.14.4 Truck dispatch [100]
This application is a key element of the mining exploitation activity. The consequence if truck dispatch is lost is significant, especially economically.
Conclusion: Failure of Galileo system to provide navigation data is classified H/H.
Table 3 : Proposed Availability Classification per application
Appl # [DR2] | PDA chapter | Market | Application | Application type | User priority [DR1] | Position availability [DR1] (%) | ∆t (continuity) | Integrity Yes / No (priority) | Proposed service level | Availability classification: Tmax | Availability classification: Frmax | Comment
Safety of Life and Security
5.1.1.1 Transport of Passengers and Goods
1 | 5.1.1.1.1 | Air | Commercial Air Transport (IFR) | Navi. | H | 100 | 1 hr | Y (H) | SAS-G, SAS-R, SAS-RM, EGNOS | H | VH | Pbe because CAT2 & 3 added and Non Compliance
2 | 5.1.1.1.2 | | Commercial Air Transport (Surveillance) | Separ. | H | 100 | 1 hr | Y (H) | SAS-G, SAS-R, SAS-RM, EGNOS | VH | VH |
3 | 5.1.1.1.3 | | General Aviation (IFR) | Navi. | TBC | TBC | TBC | TBC | SAS-G, SAS-R, SAS-RM, EGNOS | H | VH |
4 | 5.1.1.1.4 | | Deleted by WP 1 | | | | | | | | |
5 | 5.1.1.1.5 | | General Aviation (Surveillance) | Separ. | TBC | TBC | TBC | | SAS-G, SAS-R, SAS-RM, EGNOS | VH | VH |
6 | 5.1.1.1.6 | Rail | Train Control | Separ. | H | 99,98 | TBD | Y (H) | SAS-L | VH | H |
7 | 5.1.1.1.7 | | Train Supervision | Superv. | H | 99,9 | 1 year | Y (H) | CAS1-G | H | H | Not SC (WP1)
8 | 5.1.1.1.8 | | Energy optimised driving style manager | Manag. | H | 99,9 | 1 year | Y (M) | OAS-G1, CAS-G ? | L | L |
9 | 5.1.1.1.9 | | Fleet Management | Manag. | M | 99 | TBD | N (L) | CAS1-G | H | H | Not SC (WP1)
10 | 5.1.1.1.10 | | Track survey | Track. | M | 99,5 | 1 year | N (L) | CAS1-L3 | M | H |
11 | 5.1.1.11.1 | | Passenger information service | Info. | L | 98 | 1 year | N (L) | OAS-G2, OAS-GH | L | L |
12 | 5.1.1.1.12 | Maritime | Marine Navigation (Unregulated) | Navi. | M? | 99,9 | 15 s | Y (H) | SAS-G, SAS-R, SAS-L ? | M/H | H |
13 | 5.1.1.1.12 | | Marine Navigation (Regulated) | Navi. | H? | 99,9 | 15 s | Y (H) | SAS-G, SAR-R, SAS-L ? | H | H |
14 | 5.1.1.1.13 | | Marine Surveillance (Regulated) | Separ. | H? | 99,9 | 15 s | Y (H) | SAS-G, SAR-R, SAS-L ? | M | H |
15 | 5.1.1.1.14 | | Engineering | Posit. | M | 99,8 | 15 s | N (L) | CAS1-L3 | M | M |
16 | 5.1.1.1.15 | | Harbour Docking | Separ. | H | 99,8 | 15 s | Y (H) | CAS1-L2, CAS1-L3 | H | M(H) |
5.1.1.2 Emergency Services
17 | 5.1.1.2.1 | Ambulances | Route Guidance | Posit. SAR | TBC | TBC | TBD | TBC | GAS-G, GAS-L, CAS1-G | H | M |
18 | 5.1.1.2.1 | | Vehicle Resource Management | Manag. | H | 99 ? | TBD | Y (M) | GAS-G, GAS-L, CAS1-G | H | M |
19 | 5.1.1.2.2 | Police/Fire | Route Guidance | Posit. | TBC | TBC | TBD | TBC | GAS-G, GAS-L, CAS1-G | H | M |
20 | 5.1.1.2.2 | | Vehicle Resource Management | Manag. | H | 99,9 | TBD | Y (M) | GAS-G, GAS-L, CAS1-G | H | M |
21 | 5.1.1.2.2 | | Pedestrian Resource Management | Manag. | H | 99,9 | TBD | Y (M) | GAS-G, GAS-L, CAS1-G | H | M |
22 | 5.1.1.2.3 | | Vehicle Tracking | Track. | H | 99 | TBD | Y (M) | GAS-G, GAS-L, CAS1-G | M | H(M) |
23 | 5.1.1.2.4 | Search & Rescue | Alert Beacons (Marine Professional) | Posit. SAR | H | 99 ? | TBD | Y (M) | CAS1-G, SAS-G, GAS-G | H | H |
24 | 5.1.1.2.4 | | Alert Beacons (Air) | Posit. SAR | H | 99 ? | TBD | Y (M) | CAS1-G, SAS-G, GAS-G | H | H |
25 | 5.1.1.2.4 | | Alert Beacons (Marine Recreational) | Posit. SAR | H | 99 ? | TBD | Y (M) | CAS1-G | H | H |
26 | 5.1.1.2.4 | | Alert Beacons (Personal) | Posit. SAR | H | 99 ? | TBD | Y (M) | CAS1-G | H | H |
27 | 5.1.1.2.5 | | Onboard Navigation of SAR units (Air & Sea) | Navi. SAR | H | TBC | TBD | Y (M) | SAS-G, GAS-G | VH | VH |
5.1.1.3 Security
28 | 5.1.1.3.1 | Personal Protection | Lone Worker Protection | Posit. SAR | M | 99 | NA | Y (M) | CAS1-GS | H | M |
29 | 5.1.1.3.2 | | Transport of Nuclear Waste | Navi. | H | 99,9 | TBD | Y (M) | GAS-G | L | M |
30 | 5.1.1.3.3 | Secured Data | Tracking of Very Valuable or Dangerous Goods | Track. | L | 99 | NA | N (L) | GAS-G, GAS-L | H | M |
31 | 5.1.1.3.4.1 | | Road Tolling | Manag. | M | 99 | NA | Y (M) | CAS1-G, CAS1-GH | H | H |
32 | 5.1.1.3.4.2 | Traffic surveillance & monitoring | Road Surveillance and Regulatory Enforcement | Separ. | TBC | TBC | TBC | TBC | GAS-G, GAS-L | H | H |
Mass Market
5.1.2.1 Land and River Navigation
33 | 5.1.2.1.1.1 | | Route Guidance | Posit. | M | 99 | NA | N (L) | OAS-GS, OAS-GH | H | H |
34 | 5.1.2.1.1.2 | | Information Services | Info. | M | 99 | NA | N (L) | OAS-GS, OAS-GH | H | H |
35 | 5.1.2.1.1.3 | Cars, Motorcycles | Emergency Call, Breakdown, Theft and Recovery | Posit. | M | 99 | NA | N (L) | OAS-G1, OAS-G2, OAS-GH | H | M |
36 | 5.1.2.1.1.1 | | Route Guidance | Posit. | TBC | TBC | TBC | TBC | OAS-GS, OAS-GH, CAS1-GS, CAS1-GH | H | H | CAS1 if integrity needed
37 | 5.1.2.1.1.2 | | Information Services | Info. | TBC | TBC | TBC | TBC | OAS-GS, OAS-GH, CAS1-GS, CAS1-GH | H | H | CAS1 if integrity needed
38 | 5.1.2.1.1.3 | Trucks and Buses | Emergency Call, Breakdown, Theft and Recovery | Posit. | TBC | TBC | TBC | TBC | OAS-G1, OAS-G2, OAS-GH, CAS1-GS, CAS1-GH | H | M | CAS1 if integrity needed
39 | 5.1.2.1.2 | Cars, Motorcycles | Advanced Driver Assistance System | Separ. | H | 99,9 | TBD | Y (H) | CAS1-L1, CAS1-GH, SAS-L | VH | VH |
40 | 5.1.2.1.1.1 | Light Commercial Vehicles | Route Guidance | Posit. | H | 99 | TBD | N (L) | OAS-GS, OAS-GH, CAS1-GS, CAS1-GH | H | H | CAS1 if integrity needed
41 | 5.1.2.1.1.2 | | Information Services | Info. | M | 95 | TBD | N (L) | OAS-G1, OAS-GH, CAS1-GS, CAS1-GH | H | H | CAS1 if integrity needed
42 | 5.1.2.1.1.3 | | Emergency Call, Breakdown, Theft and Recovery | Posit. | M | 99 | TBD | N (L) | OAS-G1, OAS-GH, CAS1-G, CAS1-GS, CAS1-GH | H | H | CAS1 if integrity needed
43 | 5.1.2.1.3.1 | Inland Waterways | In-Vessel Navigation | Navi. | H | 99,8 | 15 s | Y (H) | CAS1-G, OAS-GS, SAS-G | H | H |
44 | 5.1.2.1.3.2 | | Vessel Services | Separ. Info. | M | 99,8 | TBD | Y (M) | CAS1-GS | H | M |
45 | 5.1.2.1.3.3 | | Dredging and maintenance | Posit. | M | 99 | TBD | N (L) | Not Mapped | M | H | Tbd New application
5.1.2.2 Personal Navigation
46 | 5.1.2.2.1 | Personal Outdoor Recreation | Personal Outdoor Recreation (Hiking/Rambling/Cycling) | Posit. Navi. | L | 99 | NA | N (L) | OAS-GS | H | M |
47 | 5.1.2.2.1 | | Recreational Flying | Posit. Navi. | TBC | TBC | TBC | TBC | SAS-G | H | M |
48 | 5.1.2.2.1 | | Marine Leisure Vessels (Yachts & Motor Vessels) | Posit. Navi. | L | 99 | NA | N (L) | SAS-G | H | M |
49 | 5.1.2.2.2 | Integration of Personal Com. & Nav. | Location Based Communication Services | Posit. | L | 99 | NA | N (L) | OAS-G1, OAS-GH, CAS1-G | H | M | CAS1 if integrity needed
Professional Market
5.1.3.1 Timing
50 | 5.1.3.1.1 | Time | Network Synchro for Telecom | Manag. | TBC | TBC | TBC | TBC | SAS-RM, GAS-G | H | L |
51 | 5.1.3.1.1 | | Network Synchro for Power generation & distribution | Manag. | TBC | TBC | TBC | TBC | SAS-RM, GAS-G | H | L |
52 | 5.1.3.1.1 | | Network Synchro for Digital Broadcasting | Manag. | TBC | TBC | TBC | TBC | SAS-RM, GAS-G | H | L |
53 | 5.1.3.1.3 | | Satellite Monitoring / Navigation (ground based) | Superv. Navi. | TBC | TBC | TBC | TBC | SAS-G (tbc) | H | M |
 | | | APPLICATION DELETED | | | | | | | | |
55 | 5.1.3.1.3 | | Maintenance of International Time Standards | Manag. | TBC | TBC | TBC | TBC | GAS-G | L | L |
56 | 5.1.3.1.4 | | Frequency / Time Calibration Services | Manag. | M | 99 | TBD | N (L) | SAS-RM | L | L |
57 | 5.1.3.1.5 | | Time Tagging for General User | Manag. | TBC | TBC | TBC | TBC | OAS-G1 | H | H |
5.1.3.2 Space
58 | 5.1.3.2.1 | Space | Satellite Attitude & Orbit Determination | Posit. Navi. | M | 99 | NA | N (L) | Not Mapped | VH | VH | Tbd New application
59 | 5.1.3.2.1 | | Rendez-Vous & Docking of Space Vehicles | Separ. | TBC | TBC | TBC | TBC | | VH | VH | Tbd New application
60 | 5.1.3.2.1 | | Non-military Space Launchers | Navi. | TBC | TBC | TBC | TBC | | VH | VH | Tbd New application
61 | 5.1.3.2.1 | | Remote Sensing | Posit. | TBC | TBC | TBC | TBC | | VH | VH | Tbd New application
5.1.3.3 Scientific Applications
62 | 5.1.3.3.1 | | Reference Frame Maintenance and Deformation Monitoring | Posit. | L | 99 | TBD | N (L) | CAS1-L3 (TBD) | M | M |
63 | 5.1.3.3.1 | Geodesy | Precise Positioning for Geodetic Sensors | Posit. | L | 99 | TBD | N (L) | CAS1-L3 | M | M |
64 | 5.1.3.3.2 | Meteo Forecasting Ionosphere | Measurement of Total Electron Content of Ionosphere | ??? | M | 99 | NA | N (L) | Not Mapped | L | L | Tbd New application
65 | 5.1.3.3.2 | | Measurement Atmosph. Water Vapour | ??? | M | 99 | NA | N (L) | Not Mapped | L | L | Tbd New application
66 | | | Deleted by WP 1 | | | | | | | | |
67 | 5.1.3.3.2 | | Radiosonde Tracking | Posit. Track. | TBC | TBC | TBC | TBC | Not Mapped | M | L | Tbd New application
5.1.3.4 Precision Surveying
68 | 5.1.3.4 | Precision Surveying | Hydrographic survey | Posit. | M | 99 | TBD | Y (M) | CAS1-L3 | L | L |
5.1.3.5 Oil & Gas
69 | 5.1.3.5.1 | Oil & Gas | Marine Seismic Exploration | Posit. Navi. | H | 99,9 | TBD | Y (M) | CAS1-L1, CAS1-L2 | M | M |
70 | 5.1.3.5.1 | | High Resolution Seismic Site Survey | Posit. Navi. | M | 99,9 | TBD | Y (M) | CAS1-L1, CAS1-L2 | M | M |
71 | 5.1.3.5.1 | | Land and Transition zone Seismic Exploration | Posit. Navi. | H | 99,9 | TBD | Y (M) | CAS1-L1, CAS1-L2 | M | M |
72 | 5.1.3.5.2 | | FPSO Positioning | Posit. | H | 99,9 | TBD | Y (M) | CAS1-L1, CAS1-L2, SAS-L | H | H |
73 | 5.1.3.5.1 | | Rig Positioning & Associated Anchor Handling Vessel Positioning | Posit. | H | 99,9 | TBD | Y (M) | CAS1-L1, CAS1-L2 | M | M |
74 | 5.1.3.5.1 | | VSP Operations | Posit. | H | 99,9 | TBD | Y (M) | CAS1-L1, CAS1-L2 | M | M |
5.1.3.6 Vehicle Control and Robotics
78 | 5.1.3.6 | | Unmanned Aerial Vehicles | Posit. Navi. | H | 99,9 | TBD | N (L) | CAS1-L1, SAS-L | VH | M |
79 | 5.1.3.6 | | Autonomous Land-based Vehicles | Posit. Navi. | H | 99,9 | TBD | Y (H) | CAS1-L1, SAS-L | VH | M |
80 | 5.1.3.6 | Vehicle Control & Robotics | Autonomous Underwater Vehicles | Posit. Navi. | H | 99,9 | TBD | Y (M) | CAS1-L2, CAS1-L1, SAS-L | VH | M |
5.1.3.7 Construction and Civil Engineering
81 | 5.1.3.7 | | Setting Out & As-Built | Posit. | M | 99 | 24 hr | Y (M) | CAS1-L3 | M | M |
82 | 5.1.3.7 | Construction and civil engineering | Mobile Structure Positioning | Posit. | M | 99 | 24 hr | Y (M) | CAS1-L3 | M | M |
5.1.3.8 Land Survey and GIS Mapping
83 | 5.1.3.8 | Land Survey and GIS Mapping | Land & Cadastral Survey, Mapping and GIS | Posit. | M | 99 | NA | N (L) | CAS1-L3 | L | L |
5.1.3.9 Fleet Management
84 | 5.1.3.9 | Fleet Management | Management of a Fleet of Buses/taxies/trucks | Manag. | M | 99 ? | NA | N (L) | OAS-GS, OAS-GH, CAS1-GS | H | H | CAS1 if integrity needed
5.1.3.10 Asset Management
85 | 5.1.3.10 | | Mapping and Locating fixed Assets | Manag. | L | 95 | NA | N (L) | CAS1-GS | L | L |
86 | 5.1.3.10 | | Intermodal Cargo Operation | Manag. | L | 99 | NA | N (L) | CAS1-L1/L2 | H | M |
87 | 5.1.3.10 | Asset Management | Asset Tracking | Manag. | L | 95 | NA | N (L) | CAS1-GS | M | M |
5.1.3.11 Precision Agriculture
88 | 5.1.3.11 | Precision Agriculture | Yield Monitoring & Chemical Spraying | Posit. Navi. | M | 99 | TBD | N (L) | CAS1-L1/L2 | L | L |
89 | 5.1.3.11 | | Locating for Soil Sampling and Weed / Pest Infestations | Posit. | M | 99 | TBD | N (L) | CAS1-L1/L2 | L | L |
90 | 5.1.3.11 | | Crop Dusting by Aircraft | Posit. Navi. | H | 99 | TBD | N (L) | CAS1-L1/L2 | M | M |
5.1.3.12 Fisheries and EEZ
91 | 5.1.3.12 | | Navigation and Monitoring of Fishing Vessels | Posit. Navi. | L | 99 | TBD | N (L) | CAS1-G | M | M |
92 | 5.1.3.12 | Fisheries and EEZ | Monitoring Fishing Applications | Posit. Manag. | L | 99 | TBD | N (L) | CAS1-G | M | M |
5.1.3.13 Environment
93 | 5.1.3.13 | Environment | Land and Environmental Mapping and Studies | Posit. Manag. | TBC | TBC | TBC | TBC | Not Mapped | M | M | Tbd New application
94 | 5.1.3.13 | | Oceanographic and Cryospheric Mapping for Environmental Studies | Posit. Manag. | TBC | TBC | TBC | TBC | Not Mapped | M | M | Tbd New application
95 | 5.1.3.13 | | Atmospheric Environmental Studies | Posit. | TBC | TBC | TBC | TBC | Not Mapped | M | M | Tbd New application
96 | 5.1.3.13 | | Animal Tracking | Track. | TBC | TBC | TBC | TBC | Not Mapped | L | L | Tbd New application
5.1.3.14 Mining
97 | 5.1.3.14.1 | | 3D Positioning of Mine Machinery | Posit. | H | 99,9 | TBD | Y (M) | CAS1-L3 | H | H |
98 | 5.1.3.14.2 | | Site Surveying | Posit. | H | 99,9 | TBD | N (L) | CAS1-L3 | M | H |
99 | 5.1.3.14.3 | | Autonomous Mining Vehicles | Posit. Navi. | | | | | CAS1-L1 (tbc), CAS1-L3 | VH | H |
100 | 5.1.3.14.4 | Mining | Truck Dispatch | Manag. | | | | | CAS1-L1 (tbc), CAS1-L3 | H | H |
5.1.4 Synthesis of dependability analysis on user application
5.1.4.1 Syntheses of application mapping according to dependability requirements
The distribution of applications is illustrated in the following table (rows: T class; columns: Fr class; Qty: number of applications in the cell).
T \ Fr | VH | H | M | L
VH | 2, 5, 27, 39, 58(NM), 59(NM), 60(NM), 61(NM) (Qty 8) | 6, 99(tbc) (Qty 2) | 78, 79, 80 (robotics) (Qty 3) | - (Qty 0)
H | 1, 3 (Qty 2) | 7, 9, 12, 13, 14, 23, 24, 25, 26, 31*, 32, 33, 34, 36, 37, 40, 41, 42, 43, 57, 72, 84, 97, 100 (Qty 24) | 16, 17, 18, 19, 20, 21, 28, 30, 35, 38, 44, 46, 47, 48, 49, 53(tbc), 69, 70, 71, 74, 86, 93(NM), 94(NM), 95(NM) (Qty 24) | 50, 51, 52 (timing) (Qty 3)
M | - (Qty 0) | 10, 22, 45(NM), 98 (Qty 4) | 15, 62(tbd), 63, 73, 81, 82, 87, 90, 91, 92 (Qty 10) | 67(NM) (Qty 1)
L | - (Qty 0) | - (Qty 0) | 29 (Qty 1) | 8, 11, 55, 56, 64(NM), 65(NM), 68, 83, 85, 88, 89, 96(NM) (Qty 12)
NM: Not mapped
Table 4 : Synthesis of availability classification per application
Note: This classification has been modified after being the subject of a first iteration with WP1 (RACAL).
It is recalled that the dependability classification has been based on economic consequences at global country level for a group of users, or at corporate/company level (several receivers), and not at individual level (one receiver; a group of users includes several individual users).
We have identified three dependability statuses:
♦ Application RAM Critical
♦ Application RAM Essential
♦ Application RAM Non Essential.
T \ Fr | VH (1/yr) | H (1/m) | M (1/wk) | L (1/day)
VH (1') | C | C | E | N/A
H (1hr) | C | E | E | N/A
M (1day) | E | E | E | NE
L (>1day) | N/A | N/A | NE | NE
N/A : no application identified in these areas.
Table 5 : RAM Status
Each status can be defined as:
RAM CRITICAL
Includes applications using SIS for real-time control or surveillance. A loss of SIS leads to high direct economic consequences (direct economic consequences for users or indirect economic consequences for the GALILEO system operator) for the user, with direct collateral effects on the user's customers.
The Dependability requirements are to be specified in § 5.6.
RAM ESSENTIAL
Includes applications using SIS to:
♦ enhance user safety (SAR, Emergency call, Emergency services guidance)
♦ improve company efficiency (direct economic effects but limited to the company)
♦ improve individual comfort (consequences on the service's public image)
The Dependability requirements are to be specified in § 5.6.
RAM NON ESSENTIAL
Includes applications which use SIS for measurements with low response time. They are tolerant to a loss of SIS. The choice of Galileo Service is mainly based on accuracy performance, not on availability performance. These applications will use Galileo services designed for RAM Critical and/or RAM Essential applications and have no specific dependability constraints.
No specific Dependability Requirements are set for RAM Non Essential applications.
5.1.4.2 Interface with Safety Classifications.
In the “Preliminary Hazard Analysis” a Safety status is identified for each application:
♦ Safety Critical
♦ Safety Related
♦ Safety Enhanced
♦ Non Safety.
A cross-check between Applications Safety status and RAM Status shows:
♦ RAM Critical applications include most of the Safety Critical applications (Air traffic, train,…).
♦ RAM Essential applications include Safety Related and Safety Enhanced Applications. Some Safety Critical applications are mapped in RAM Essential (78: Uninhabited aircraft, 79: Ground robotics, 16/43: vessels control, 72: FPSO positioning, 47: recreational flying).
♦ RAM Non Essential applications are Non Safety applications.
This analysis reveals a possible conflict between contradictory requirements: a high level of safety can only be obtained by adding features (integrity, redundancies, checks, votes,…) which may add failure causes and thus may degrade the reliability and, finally, the availability.
N.B.: For Applications linked to “security”, the previous remark applies to the features installed to protect against threats.
5.1.4.3 Mapping application/service
Using the application/service mapping, the results of the previous classification have been transformed into an equivalent classification per service level.
The detailed tables are in appendix 8.1.
This classification allows a RAM status (RAM critical or RAM essential) to be allocated to the GALA service levels.
A current result is presented in § 5.6.
5.2 REFERENCE SCENARIO AND IDENTIFICATION
The RAM indicators definition could be expressed differently depending on:
• The involved parties (viewpoints):
- Application user,
- Service subscriber,
- Service provider,
- System operator,
- System designer.
• The reference scenarios relevant for each involved party.
The aim of this section is to express the reference scenarios, which are the necessary working assumptions for the RAM indicator definition.
5.2.1 Application user
This user corresponds to an end-to-end application. He perceives the dependability as a global attribute of the Galileo system, including the receiver performance.
His need is to have the service available each time he calls it, repeatedly during the mission time.
5.2.2 Service subscriber
He signs a contract with the provider for a specific duration D, with specific performances, including RAM performances. This duration D could be the time reference to assess the RAM indicator.
The receiver can be included or not in the system encompassed by the RAM indicator.
Remark: the subscriber could be the user.
5.2.3 Service provider
He sells the service and takes on a contractual commitment to provide the subscriber with the expected service with specific performances (including RAM).
He buys a global service (including a support service) for a long duration (~10 years). This duration could be the time reference to assess the RAM indicator.
Local or regional components could be under his responsibility.
Remark: the provider could be the operator.
5.2.4 System operator
He sells a global service for a long duration to the provider. He buys the global system from the designer.
He is responsible for the system maintenance (excluding the receiver).
There is probably a specific contract between the operator and the provider, including penalties if RAM requirements are not met (cost impact).
Remarks:
- the operator could be the designer;
- the operator could be a local / regional operator.
5.2.5 System designer
He has a contract with the System operator on performances at the delivery date, including demonstration “a priori” that the RAM performances are met (schedule impact, technical impact, commercial impact, cost impact).
Remark: these performances are the RAM requirements we have to identify and allocate.
Concerning operational behaviour, a specific contract between the designer and the operator is possible, including penalties if RAM requirements are not met (cost impact).
5.3 RAM RELEVANT INDICATORS DEFINITION
This task is linked to work performed by other WP teams (definitions [DR6], modelling).
The RAM indicators must be understandable, relevant and measurable (evaluation a priori, testable).
5.4 TOP LEVEL HAZARDS IDENTIFICATION
The top level hazards identification is done by cross-checking several elements:
- The impact at individual, company or corporate level,
- The parties involved.
Table 6 : Top level RAM hazards
User / Subscriber | Provider / Operator | Designer
Service outage leading to:
a) User dissatisfaction, but the consequences for his business or activity are acceptable | Galileo public image is not impaired. Money as compensation for consequences could be negotiated.
b) Irreversible consequences for the user activity (business, company, credibility...) | Galileo public image is impaired. The service provider could be involved in a lawsuit with the subscriber / user. The service provider could lose business / subscribers.
c) The paralysis of several major user activities | High economical consequences for the Society; those catastrophic consequences could lead to the non continuation of the Galileo operation
Mission
Repetitive System breakdown leading to too high operation costs
d) RAM contractual commitment lead to penalty
Programme
e) Inability to achieve (to demonstrate) the specified RAM requirements: inadequacy with programme budget ...
5.5 PDA SYNTHESIS
A RAM status (RAM Critical or RAM Essential) has been allocated to each Service Level.
RAM requirements (parameters and figures) will be associated with each RAM status.
Currently this allocation is mapped with the Availability objectives in [DR5].
Without tackling the question of the figures, the following table could justify the allocation performed in [DR5], which allocates 2 levels of availability.
Service Level | RAM Status | Availability in [DR5]
OAS-G1 | Essential | 99.0%
OAS-G2 | Essential | 99.0%
OAS-GS | Essential | 99.0%
OAS-GL | Essential | not in [DR5]
CAS1-G | Essential | 99.0%
CAS1-GS | Essential | 99.0%
CAS1-L1 | Critical | 99.0%
CAS1-L2 | Essential | 99.0%
CAS1-L3 | Critical | tbd
SAS-G | Critical | 99.9%
SAS-GS | Not mapped | 99.9%
SAS-R | Critical | 99.9%
SAS-RM | Critical | 99.9%
SAS-L | Critical | 99.9%
SAS-RG | Critical | not in [DR5]
GAS-G | Critical | 99.9%
GAS-GS | Not mapped | 99.9%
GAS-L | Essential | 99.9%
Table 7 : RAM level allocation to Service levels
CAS1-L1 is mapped with 2 applications RAM critical : [39] Advanced Driver Assistance System (Cars & Motorcycles) and [99] Autonomous Mining Vehicles.
GAS-L is not mapped with a RAM critical application.
Figures under discussion :
For the asymptotic availability, 99% means that the system could be unavailable ~ 3,5 days per year ; 99,9 % is similar to an unavailability of ~ 8,7 hours per year (or ~ 43 minutes per month).
OAS
The PDA shows that the availability need for OAS is higher than 99 % and is around 99,9 %.
CAS-1
CAS1-L1 is mapped on the following applications, which require a very high level of availability :
• [39] Advanced Driver Assistance System (Cars & Motorcycles), with a VH-VH classification in the PDA,
• [99] Autonomous Mining Vehicles, with a VH-H classification
• [78, 79, 80] Vehicles Control & Robotics (Aerial, Land-based, Underwater), with a VH-M classification.
Without modifying the mapping between these applications and CAS1, the need for availability is very high (around 99,999 %, meaning unavailable ~ 5 minutes per year). Suppressing CAS1 in the service mapping for these applications could help to reduce the need at a level close to the OAS one (99,9 %).
SAS
Applications which require high levels of availability are mapped with SAS services. The high level of availability is around 99,999 %. As an indication, in the Air Traffic Control field, this is the requirement for a radar tracking application. From a RAM expertise point of view, the requirement allocated to SAS services in [DR5] seems too low (~ 43 minutes unavailable per month).
GAS
Today, only one application mapped with a GAS requires a high level of availability :
• [27] On board Navigation of SAR Units (Air & Sea), with a VH-VH classification.
That is to say that GAS-G could have an availability requirement of 99,999 %. Without this application, the requirement for GAS could fall at 99,9 %.
Note 1:
More than 10 applications are not mapped with a service level. Four of these applications (Space) are classified VH-VH. Their further mapping on Galileo services may change the previous synthesis.
Note 2:
From a RAM point of view, it seems that SAS-R (SAS-RM) service is the most stressing for the current (PM5) Architecture Baseline Definition.
6 FUNCTIONAL DEPENDABILITY ANALYSIS (FDA)
6.1 GENERAL FDA PRESENTATION
6.1.1 FDA methodology and used form
The FDA is performed with the aim to be fully consistent with the FHA (Functional Hazard Analysis) detailed for safety GALILEO system concerns. It leads to strictly follow the FHA functional break down as well as the scenario developed when relevant. For RAM concerns, the FDA presents different scenarios when necessary to raise specific RAM aspects.
The retained process for the FDA includes the following four steps :
• Identification of the GALILEO system functions,
• Identification of the external functions, events and GALILEO system configurations,
• Identification of failure conditions at GALILEO system level and analysis of their repercussions,
• Elaboration of RAM requirements, recommendations and justifications.
The FDA is performed through tables including the following headings :
• Function : name of the GALILEO system function under analysis as defined in the functional breakdown,
• Functional failure : qualification of the functional failure which can occur; the retained functional failures in this frame are :
  ✓ Loss of functioning : complete or partial loss of the GALILEO system function,
  ✓ Malfunctioning : production of erroneous misleading data for a GALILEO
  ✓ Erratic functioning : production of erratic data leading to loss of continuity
• Scenario : define the context and the sources of observed functional failure,
• Description of the repercussions on GALILEO system mission : this section includes three main headings which characterise the functional failure scenario :
  ✓ Effect on the GALILEO services and on the operation,
  ✓ Detection means (if any),
  ✓ Corrective action and GALILEO system resulting condition,
• RAM severity classification according to the severity scale defined below,
• RAM requirements, recommendations and assumptions which are derived from the scenario and its repercussions detailed previously,
• GALILEO system failure condition : different scenarios associated with different functional failure leading to the same effect are grouped together under the same failure condition with a unique reference and title.
6.1.2 General assumptions
The functional architecture retained to perform the FDA is based on the PM5 GALILEO system architecture.
The GALILEO system is considered in a full operational phase (Full Operational Capability). The external systems are not included in the FDA. It means that the failures from the external systems are considered only as potential causes of the failures considered in the analysis.
The consequences are distinguished per service when relevant, especially when impacts can be different for integrity added services.
6.2 RAM SEVERITY SCALE
The RAM severity scale is established considering two criteria.
Criteria :
• Duration : Depending on the context and the sources of the degraded situations as well as on the potential recovery means which can be carried out, the duration of the outage is of different orders. It constitutes a first parameter to graduate the severity of the outage effects on GALILEO system mission.
• Size of the area/number of users affected : The second criterion is characterised by the size of either the area (in term of geographical zone) or the number of users affected by the outage (or both).
The combination of these two parameters is represented in the following tables

| Service degradation/interruption | Short | Long |
|---|---|---|
| Limited | A | B |
| Extended | B | C |

Thus, based also on the results of the PDA, the different degraded situations are grouped into three severity classes as defined below:

| Severity classes | Definition |
|---|---|
| A : Minor | Service outage leading to user dissatisfaction |
| B : Major | Outage with irreversible impact on user activity |
| C : Severe | Major paralysis of users activities |

Table 8 : severity scale
6.3 GALILEO FUNCTIONAL BREAKDOWN
The following functional breakdown has been elaborated in coherence with the Functional Hazard Analysis (Safety activities). This generic breakdown is built for the Safety and RAM analyses. A traceability matrix with the function list detailed in the GALILEO architecture documents is provided in the FHA (refer to DR4).

| Fct ref | Function Title | Resources |
|---|---|---|
| SSF1 | Schedule and broadcast navigation SIS (autonomous mode). | NAV/INT |
| SSF2 | Synchronise and broadcast navigation/integrity composite SIS (connected mode). | NAV/INT |
| SSF3 | Receive access management messages. | NAV/INT |
| SSF4 | Set TM&TC link with satellite for house-keeping and navigation messages | CUI, , USF, ULF, P/F |
| SSF5 | Set uplinks to satellites for navigation/ integrity composite messages | , USF, ULF, P/F |
| SSF6 | Monitor and configure constellation | SCF |
| SSF7 | Receive and transmit SAR user signal. | SAR |
| GSF1 | Collect globally raw data for position/time parameters of the satellites | GMF |
| GSF2 | Build navigation data from position/time parameters | OSPF |
| GSF3 | Build globally integrity data from position/time parameters | GIPF/GCPF |
| GSF4 | Schedule and transmit navigation and/or integrity composite message | GUI |
| GSF5 | Deliver access management messages. | GNCF |
| GSF6 | Monitor navigation global services | GNCF |
| RSF1 | Collect regionally raw data for SIS integrity | RMF, RIMS |
| RSF2 | Build regionally integrity data from position/time parameters | RIPF/RCPF, CPF |
| RSF3 | Transmit regional overlay integrity message | RUI-USF-ULF, NLES |
| RSF4 | Deliver access management messages. | RNCF |
| RSF5 | Monitor regional overlay services | RNCF, CCF |
| CSF1 | Transmit SAR centre message to constellation | SUI, USF, ULF |
| KSF1 | Build and transmit services access messages | KMF-SC |
| XF1 | Establish links between space segment ground elements | CAN |
| XF2 | Establish links between ground segment global elements | GAN |
| XF3 | Establish links between ground segment regional elements | RAN |
| USF1 | Process SIS and display position | User terminal |
| USF2 | Inform user on level of confidence of computed position | User terminal |
| USF3 | Broadcast SAR user signal. | User terminal |
| USF4 | Receive SAR centre message. | User terminal |
| USF5 | Receive access management information. | User terminal |
| DSF1 | Collect raw data for position/time parameters of the other navigation system | External |
| DSF2 | Build other navigation system integrity data | External |
| DSF3 | Interface with external time reference | External |
| DSF4 | Interface with external geodetic reference system and reference frame | External |
| DSF5 | Interface with external navigation system | External |
| DSF6 | Interface with customer /agent /service provider. | External |
| DSF7 | Interface with SAR service | External |

Table 9 : GALILEO system functional breakdown
6.4 FDA SYNTHESIS
Refer to annex section 8.2 for detailed FDA tables.
6.4.1 RAM Failure Condition Summary table
From the functional failure analysis, it is possible to merge different failure scenarios having same consequences on system status/behaviour after failure.
These feared events, considered from their effects on GALILEO system, are summarised in Failure Conditions. This FDA process raises a Preliminary Failure Conditions list.
| FC Ref. | FC classification | FC title | Class. |
|---|---|---|---|
| FC1 | Degradation or loss of the service; detected; restoration in limited time; worldwide | Detected + world wide loss or degradation of the service with restoration in limited time | Major |
| FC2 | Degradation or loss of the service; detected; restoration in limited time; restricted | Detected + restricted loss or degradation of the service with restoration in limited time | Minor |
| FC3 | Degradation or loss of the service; detected; long term restoration; worldwide | Detected + world wide loss or degradation of the service with long term restoration | Severe |
| FC4 | Degradation or loss of the service; detected; long term restoration; restricted | Detected + restricted loss or degradation of the service with long term restoration | Major |
| FC5 | Degradation or loss of the service; undetected; long term restoration; worldwide | Undetected + world wide loss or degradation of the service with long term restoration | Severe |
| FC6 | Degradation or loss of the service; undetected; long term restoration; restricted | Undetected + restricted loss or degradation of the service with long term restoration | Major |
| FC7 | Degradation or loss of monitoring function | Loss or degradation of monitoring function | Minor |

Table 10 : Failure Conditions list
Note :
• Restricted/world wide is relative to the size of the area or/and the number of users affected.
• When it is not detected, it is assumed that the restoration is long due to the non detection and thus no possibility to initiate recovery actions.
• In the FDA tables, the classification is given first according to the effect of failure scenario without including mentioned requirement. Then, the FC classification is given in brackets taking the RAM requirements into account. This allows the impact of the requirements on the described Failure Condition to be evaluated.
6.4.2 Common general assumptions
| Ref. | Description | Scenario reference |
|---|---|---|
| Ras1 | The applications users where availability requirement is expected are supposed to have the RAIM function implemented in their terminal | SSF1B2, |
| Ras2 | It is assumed that a satellite in connected mode which experiences a failure can not then switch in autonomous mode. | SSF2A2, SSF2B2, SSF2A3 |
| Ras3 | It is supposed that when the TM/TC link with the satellite is lost, it is not possible to start recovery action at satellite level | SSF4A1 |
| Ras4 | Adequate protections and fallback procedures are supposed to be implemented in the satellite platform in case of detected interruption of communication means | SSF5A1 |
| Ras5 | GALILEO system must be designed to keep non integrity added service available in case of GIPF/GCPF failure | GSF3A1, GSF3B1, GSF3B2 |
| Ras6 | The GIPF/GCPF function is worldwide distributed in three sites due to TTA constraint. Thus loss of GIPF/GCPF function could come from common mode/cause event. If a failure on one site is considered, the loss of GIPF/GCPF function may be partial (degraded mode). However, there is no redundancy between the three sites | GSF3A1 |

Table 11 : RAM Assumptions from FDA (Ras)
6.4.3 RAM Requirements

| Ref. | Description | Scenario reference |
|---|---|---|
| Rrq1 | No common cause/common mode not shown extremely improbable would lead to simultaneous failure on several satellites | SSF1A2, SSF1A3, SSF1B1, SSF1B2, SSF1B3, SSF2A1, SSF2A2, SSF2A3, SSF2B1, SSF2B2, SSF2B3, SSF2B4, SSF2B5, SSF4A1, SSF5A1 |
| Rrq2 | No common cause/common mode not shown extremely improbable would lead to simultaneous failure on several ULS components | SSF4A1, SSF5A1, |
| Rrq3 | Detection and reporting of any Failure of ULS components at maintenance entity level shall be performed to initiate recovery action | SSF4A1, SSF5A1, |
| Rrq4 | Probability of satellite to broadcast misleading navigation/integrity composite message must be less than extremely improbable | SSF5B1 |
| Rrq5 | SCF failure shall be without immediate effect on operational service (necessity to exclude beam scheduling function). | SSF6A1, SSF6B1 |
| Rrq6 | Recovery time of SCF function shall be less than time leading to unacceptable service degradation | SSF6A1 |
| Rrq7 | SCF failure shall be detected and reported at maintenance entity level to initiate immediate recovery actions | SSF6A1 |
| Rrq8 | GALILEO monitoring system shall be able to test and detect SAR payload failure to initiate recovery actions | SSF7A1 |
| Rrq9 | No common cause/common mode not shown extremely improbable should lead to simultaneous failure on several SAR payloads | SSF7A1, SSF7B1 |
| Rrq10 | Detection and reporting of any GMF failure at maintenance entity level shall be performed to allow recovery actions in time less than service degradation time leading to loss of navigation service (alarm limits) | GSF1A1 |
| Rrq11 | No common cause/common mode not shown extremely improbable should lead to simultaneous failure on several GMF | GSF1A1, GSF1B1 |
| Rrq12 | GALILEO system shall be robust against one GMF failure in GMS station | GSF1B1 |
| Rrq13 | Detection and reporting of any OSPF failure shall be performed at maintenance entity level. | GSF2A1 |
| Rrq14 | OSPF function recovery action shall be performed to allow recovery actions in time less than service degradation time leading to loss of navigation service (alarm limits). | GSF2A1, GSF2B1 |
| Rrq15 | GALILEO system shall be able to localise erroneous navigation data computed by OSPF | GSF2B1, |
| Rrq16 | Detection and reporting of any GIPF/GCPF failure shall be performed at maintenance entity level | GSF3A1 |
| Rrq17 | Recovery actions shall be initiated upon detection of GIPF/GCPF failure to reduce the unavailability time for integrity added services | GSF3A1 |
| Rrq18 | No common cause/common mode not shown extremely improbable should lead to simultaneous failure on several GIPF/GCPF | GSF3A1 |
| Rrq19 | GALILEO system shall be designed in order that false alarm due to erroneous integrity monitoring data computation or alarm limit tuning does not lead to unacceptable unavailability level for integrity added services | GSF3B1 |
| Rrq20 | Probability that multiple failures at GIPF/GCPF level leading to integrity event and unavailability of the integrity added service shall be less than extremely improbable | GSF3B2 |
| Rrq21 | Detection and reporting of any GUI failure at maintenance entity level shall be performed to allow recovery actions in time less than service degradation time leading to loss of navigation service | GSF4A1, GSF4A2 |
| Rrq22 | No common cause/common mode not shown extremely improbable shall lead to simultaneous failure on several GUI | GSF4A2, |
| Rrq23 | Detection and reporting of any RMS failure at regional maintenance entity level shall be performed to allow recovery actions in order that the unavailability of the services is less than TBD hours | RSF1A1 |
| Rrq24 | No common cause/common mode not shown extremely improbable shall lead to simultaneous failure on several RMS | RSF1A1, |
| Rrq25 | Detection and reporting of any RIPF/RCPF failure shall be performed at regional maintenance entity level | RSF2A1 |
| Rrq26 | Recovery actions shall be initiated upon detection of RIPF/RCPF failure to reduce the unavailability time for regional integrity added services | RSF2A1 |
| Rrq27 | Recovery actions shall be initiated upon detection of RIPF/RCPF failure to reduce the unavailability time for regional integrity added services | RSF2A1 |
| Rrq28 | GALILEO regional component shall be designed in order that false alarm due to erroneous integrity monitoring data computation or alarm limit tuning does not lead to unacceptable unavailability level for regional integrity added services | RSF2B1 |
| Rrq29 | Probability that multiple failures at RIPF/RCPF level leading to integrity event and unavailability of the integrity added service shall be less than extremely improbable | RSF2B2 |
| Rrq30 | Detection and reporting of any RUI failure at regional maintenance entity shall be performed to allow recovery actions in order that the unavailability of the services is less than TBD hours | RSF3A1 |
| Rrq31 | No common cause/common mode not shown extremely improbable shall lead to simultaneous failure on several RUI | RSF3A1 |
| Rrq32 | For availability purpose, the integrity regional service shall be robust against one ULS site failure | RSF3A1, CSF1A1 |
| Rrq33 | CAN shall be non-real-time network : its failure shall be without immediate effect on operational service. Recovery time of a CAN failure shall be less than time leading to unacceptable service degradation. | XF1A1, XF1B1 |
| Rrq34 | After a control command message sent by SCF to a ground element, the new status / mode of this element must be checked | XF1B1 |
| Rrq35 | No single failure, error, external event not shown extremely improbable shall lead to a loss of transmission chain between GNCF and ULS | XF2A1 |
| Rrq36 | Transmission chain between GNCF and ULS must be protected from any single cause of undetected corruption of transmission. | XF2B1 |
| Rrq37 | No single failure, error, external event not shown extremely improbable shall lead to a loss of transmission chain between RNCC and ULS (IF is built in RNCC) | XF3A1 |
| Rrq38 | The availability / reliability performances of the encryption module shall not degrade significantly the terminal ones | USF5A1 |
| Rrq39 | A RAM analysis shall be performed on time and geodetic references and the way they are used in GALILEO system | DSF3A1, DSF4A1 |
| Rrq40 | A RAM analysis should be performed on the structure and functions of GALILEO management and operating segment (service centre, ...). | DSF6A1 |

Table 12 : RAM requirements (Rrq)
6.4.4 RAM Recommendations

| Ref. | Description | Scenario reference |
|---|---|---|
| Rrm1 | SCC would be able to initiate diagnosis and recovery actions at any time for any satellite | SSF1A1, SSF1A2, SSF1B1, SSF2A1, SSF2A2, , SSF2B1, SSF2B2, SSF2B4 |
| Rrm2 | The ground monitoring system (GMF/GNCC respectively RMF/RNCC) coverage rate (detection capability of SIS misbehaviour) must be relevant with the availability quantitative requirements. | SSF1B2; SSF1B3, SSF2B4, SSF2B5 |
| Rrm3 | For key management in degraded mode, system may implement an unencrypted mode as fallback | SSF3A1, GSF5A1, GSF5B1, KSF1B1 |
| Rrm4 | The satellites should remain in autonomous mode as long as the degradation of the navigation signal is acceptable | SSF6A1, SSF6B1, RSF4B1, |
| Rrm5 | SCF operator should have the capability to check the SCF output data | SSF6B1, KSF1A1 |
| Rrm6 | The opportunity that a RUI failure leads to interrupt all the connected links between ULS and satellites has to be considered. It allows in that case to restore the links with another ULS | RSF3A1 |
| Rrm7 | The opportunity that a SUI failure leads to interrupt all the connected links between ULS and satellites has to be considered. It allows in that case to restore the links with another ULS | CSF1A1 |
| Rrm8 | The KMF monitoring data should be transmitted to a higher level monitoring (for a global and coherent view of GALILEO system). | KSF1A1 |
| Rrm9 | The ground elements of the space segment are monitored by SCF. These monitoring data should be reported to a higher level monitoring (for a global and coherent view of GALILEO system). | XF1A1 |
| Rrm10 | If the link between GNCC and ULS is broken, the ULS should ask its connected satellites for a disconnection (which switch in autonomous mode) | XF2A1 |
| Rrm11 | The regional elements are monitored by RNCF. These monitoring data should be transmitted to a higher level monitoring (for a global and coherent view of GALILEO system), using the GAN | XF3A1 |
| Rrm12 | Transmission chain between RNCC and ULS may be protected from any single cause of undetected corruption of transmission (IF is built in RNCC). | XF3B1 |
| Rrm13 | The terminal HMI could have quality indicators of the SIS reception, helping the user to diagnose terminal failure (from SIS discontinuity). In order to discriminate terminal failures from insufficient SIS information (terminal external causes), for instance the two indicators could be: SIS/no SIS and Solution/no Solution | USF1A1 |
| Rrm14 | For a user, the availability of a service includes the terminal availability. This availability requirement shall be budgeted. In case of RAM contractual commitments, the SIS availability (measurable) will be distinguished from the terminal one (dependent on operating conditions). | USF1A1 |
| Rrm15 | Users have to be warned of all operating conditions within their responsibility which could impair nominal functioning of the terminal: environment parameters, antenna position, user system interference, multipath, key validation/activation, etc… (TBD) | USF1A1, USF1B1, USF2B1 |
| Rrm16 | User terminal of integrity added service has to implement means to give a comprehensive and convenient information on confidence margin of the computed position with regard to the alarm levels set by user. It has also to give a projection of this information for the immediate future of user's application | USF2A1 |
| Rrm17 | Regarding the user application, the concept design of the terminal could be different. For a Mass Market terminal, the position will be always displayed, even if the level of confidence is unsatisfactory (availability concept). For a Safety of Life application, in doubt no position will be displayed (safety concept) (tbc). | USF2B1 |
| Rrm18 | The terminal should be able to display that the SAR signal had been sent. This sending acknowledgement could impact the survival choice of the user | USF3A1 |
| Rrm19 | A strategy should be defined for the SMCC (MEO LUT ?) in case of overcrowding SAR signal | USF3B1 |
| Rrm20 | Errors issued by a SUI misbehaviour should be confined : without consequences on the elaboration of the navigation message | DSF7A1 |

Table 13 : RAM recommendations (Rrm)
6.4.5 Open points
As the RAM and Safety analyses have been performed on the same basis with the objective to keep consistency and present fully complementary results, the numbering of RAM open points follows the numbering of the Safety open points. The safety open points are relevant for the RAM concerns.

| Ref. | Description | Scenario reference |
|---|---|---|
| Rop19 | Possible use of back up key or old keys | SSF3A1 |
| Rop20 | What is the element which can flag the GIPF/GCPF failure (as the GIPF/GCPF are responsible for the monitoring integrity data) ? | GSF3A1, RSF2A1 |
| Rop21 | What redundancy can be considered between GIPF/GCPF and RIPF/RCPF | GSF3A1, RSF2A1 |
| Rop22 | Combination of RIPF integrity data and GIPF integrity data to be specified | RSF1B2 |
| Rop23 | RAM user needs have to be defined for the SAR service (allocation on the SMCC, on the ULS, on the terminal) | USF3A1, USF3B1 |

Table 14 : RAM open points (Rop)
6.4.6 GALILEO Functions RAM severity
| Fct ref | Function Title | RAM status | Severity |
|---|---|---|---|
| SSF1 | Schedule and broadcast navigation SIS (autonomous mode). | Critical | Severe |
| SSF2 | Synchronise and broadcast navigation/integrity composite SIS (connected mode). | Critical | Severe |
| SSF3 | Receive access management messages. | Critical | Severe |
| SSF4 | Set TM&TC link with satellite for house-keeping and navigation messages | Essential | Major |
| SSF5 | Set uplinks to satellites for navigation/ integrity composite messages | Essential | Major |
| SSF6 | Monitor and configure constellation | Non essential | Minor |
| SSF7 | Receive and transmit SAR user signal. | Essential | Major |
| GSF1 | Collect globally raw data for position/time parameters of the satellites | Essential | Major |
| GSF2 | Build navigation data from position/time parameters | Essential | Major |
| GSF3 | Build globally integrity data from position/time parameters | Critical | Severe |
| GSF4 | Schedule and transmit navigation and/or integrity composite message | Tbd | Tbd |
| GSF5 | Deliver access management messages. | Tbd | Tbd |
| GSF6 | Monitor navigation global services | Tbd | Tbd |
| RSF1 | Collect regionally raw data for SIS integrity | Essential | Major |
| RSF2 | Build regionally integrity data from position/time parameters | Essential | Major |
| RSF3 | Transmit regional overlay integrity message | Essential | Major (tbc) |
| RSF4 | Deliver access management messages. | Essential | Major (tbc) |
| RSF5 | Monitor regional overlay services | Tbd | Tbd |
| CSF1 | Transmit SAR centre message to constellation | Tbd | Tbd |
| KSF1 | Build and transmit services access messages | Critical | Severe |
| XF1 | Establish links between space segment ground elements | Non essential | Minor |
| XF2 | Establish links between ground segment global elements | Essential | Major |
| XF3 | Establish links between ground segment regional elements | Essential | Major |
| USF1 | Process SIS and display position | Tbd | Tbd |
| USF2 | Inform user on level of confidence of computed position | Tbd | Tbd |
| USF3 | Broadcast SAR user signal. | Tbd | Tbd |
| USF4 | Receive SAR centre message. | Tbd | Tbd |
| USF5 | Receive access management information. | Tbd | Tbd |
| DSF1 | Collect raw data for position/time parameters of the other navigation system | Tbd | Tbd |
| DSF2 | Build other navigation system integrity data | Tbd | Tbd |
| DSF3 | Interface with external time reference | Tbd | Tbd |
| DSF4 | Interface with external geodetic reference system and reference frame | Tbd | Tbd |
| DSF5 | Interface with external navigation system | Tbd | Tbd |
| DSF6 | Interface with customer /agent /service provider. | Tbd | Tbd |
| DSF7 | Interface with SAR service | Tbd | Tbd |

Table 15 : GALILEO Function Criticality
7 APPORTIONMENT/DEMONSTRATION OF GALILEO RAM REQUIREMENTS
7.1 AVAILABILITY BLOCK DIAGRAM METHODOLOGY
Computation of availability has been achieved at each GALILEO service using the availability block diagram technique and the mathematical underlying expressions. This technique, widely used in RAMS studies, is briefly recalled:
An availability block diagram may be considered as a functional logic chart, which, by means of the arrangement of blocks and lines, depicts the effect of failure of equipment subdivisions on the equipment's functional capability. Items whose failure causes equipment failure are shown in series with other items. Items whose failure causes equipment failure only when some other item has also failed are drawn in parallel with the other items.
Systems constituted of n elements or subsystems, of which only k are required to be operational for system success, can also be depicted as a k-out-of-n configuration.
Whatever the configuration used (series, parallel, k-out-of-n configurations or a combination of all of them), elements are considered stochastically independent toward the failure and the restoration. This means that failure rates are much smaller than repair rates, which is the case for most practical purposes.
This method includes the 3 following steps :
• Step1 : a system functional breakdown into functional blocks at subsystem level.
• Step2 : based on this decomposition, identification of the system architecture underlining the serial and/or redundancy configuration.
• Step3 : the representation architecture using the availability block diagrams methodology.
The availability block diagram method is based on serial and parallel elements representation.
In serial configuration :
$A_{\mathrm{function}} = \prod_i A_i$
In parallel configuration :
$A_{\mathrm{function}} = 1 - \prod_i [1 - A_i]$
Where $A_i$ is the availability of the element i.
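The series, parallel and k-out-of-n rules above, worked through as an added Python example that is not part of the original report. The chain layout and every element availability are constructed for illustration, except the 99 % MEO constellation budget and the 2/3 site redundancy, which the report states; the unavailability share is a first-order weighting chosen for this example, not the report's sensitivity method.

```python
"""Availability block diagram arithmetic: series, parallel and k-out-of-n blocks."""
from math import comb, prod

HOURS_PER_YEAR = 8760.0


def series(*availabilities):
    """Every item is required: A = product of A_i."""
    return prod(availabilities)


def parallel(*availabilities):
    """One working item is enough: A = 1 - product of (1 - A_i)."""
    return 1.0 - prod(1.0 - a for a in availabilities)


def k_out_of_n(k, n, a):
    """At least k of n identical, independent items of availability a are up."""
    if not 0 < k <= n:
        raise ValueError("need 0 < k <= n")
    return sum(comb(n, i) * a**i * (1.0 - a) ** (n - i) for i in range(k, n + 1))


def downtime_hours_per_year(a):
    """Mean unavailable time per year for an asymptotic availability a."""
    return (1.0 - a) * HOURS_PER_YEAR


def build_blocks(constellation=0.99, site=0.995):
    """Blocks of one service chain, all in series (simplified, assumed layout).

    Taken from the report: the 99 % MEO constellation budget and the
    2-out-of-3 redundancy of ULS and GMS sites. All other figures,
    including the per-site availability, are constructed sample values.
    """
    return {
        "MEO constellation": constellation,
        "ULS sites (2/3)": k_out_of_n(2, 3, site),
        "GMS sites (2/3)": k_out_of_n(2, 3, site),
        "CAN": 0.999,             # constructed
        "GAN": 0.999,             # constructed
        "GNCC": 0.9985,           # constructed
        "SCC": 0.9995,            # constructed
        "User terminal": 0.9999,  # constructed
    }


def service_availability(blocks):
    """Availability of the whole chain: the blocks are in series."""
    return series(*blocks.values())


def unavailability_shares(blocks):
    """First-order weight of each block: (1 - A_i) / sum over j of (1 - A_j)."""
    total = sum(1.0 - a for a in blocks.values())
    return {name: (1.0 - a) / total for name, a in blocks.items()}


if __name__ == "__main__":
    blocks = build_blocks()
    total = service_availability(blocks)
    print(f"service availability: {total:.4%} "
          f"({downtime_hours_per_year(total):.1f} h/year unavailable)")
    ranked = sorted(unavailability_shares(blocks).items(),
                    key=lambda kv: kv[1], reverse=True)
    for name, share in ranked:
        print(f"  {name:<20} A={blocks[name]:.6f}  share={share:.1%}")
```

Setting every ground block to 1.0 leaves the chain at exactly the constellation's 99 %, so no ground-segment redundancy can lift a series chain above its weakest series element.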
7.2 PARTICULAR ASSUMPTIONS
A1 : The functional breakdown used for the availability study shows the functional blocks, which are necessary to carry out the service defined in nominal mode.
A2 : Services are modelled with a user view point (1 terminal),
A3 : Power supply function is considered as redundant and not included in this first assessment (unavailability = 1,9 × 10⁻⁶, similar to 4 outages of 15 sec per year)
A4 : Key management is not taken into account : the elements of the key management chain are considered to not impair the services (ratio 100 between the unavailability of this chain and the unavailability of the preponderant element for the service)
A5 : GALILEO system is robust to one ULS (respectively GMS) site failure with a 2/3 redundancy
A6 : The beam scheduling function implemented in the SCC : for the Nav/Int services, SCF and CAN must be available.
7.3 ORIGIN OF THE RETAINED INPUT DATA
Since similarities exist between GALILEO system and EGNOS system, in this preliminary assessment, the retained input data are issued from the EGNOS collected data.
In addition, to complete and check the consistency of the necessary used data, some other relevant data are extracted from analyses of similar ground systems in the area of space applications.
The availability of the GALILEO MEO constellation (99 %) is taken from performances budget [DR8].
At this stage (feasibility phase), it is important to keep in mind that only the orders of magnitude of the used data have to be relevant. It is not necessary to focus on detailed data which will be defined and developed in the following phases.
The used data are given in appendix 8.3.
7.4 GALILEO SYSTEM AVAILABILITY BLOCK DIAGRAMS
7.4.1 Navigation service without integrity
[Figure: availability block diagram. Blocks shown: Galileo MEO Constellation, NAV/INT P/L, User Terminal, ULS, CAN, GMS, GAN, GNCC, SCC, OSPF, GNCF, SCF, GUI, USF, ULF, CUI, GMF A, GMF B, GMF C; redundant groups are marked k/n.]
7.4.2 Service with integrity – Global components
[Figure: availability block diagram. Blocks shown: Galileo MEO Constellation, NAV/INT P/L, User Terminal, ULS, CAN, GMS, GAN, GNCC, SCC, OSPF, GNCF, SCF, GIPF, GCPF, GUI, USF, ULF, CUI, GMF A, GMF B, GMF C; redundant groups are marked k/n.]
7.4.3 Service with integrity – Global + regional components
[Figure: availability block diagram. Blocks shown: Galileo MEO Constellation, NAV/INT P/L, User Terminal, ULS, CAN, GMS, GAN, GNCC, SCC, GIPF, GCPF, GNCF, SCF, OSPF, GUI, USF, ULF, CUI, GMF A, GMF B, GMF C, RUI, RMS, RAN, RNCC, RNCF, RIPF, RCPF; redundant groups are marked k/n.]
7.4.4 TM/TC function
• TC generation and up-link chain via ULS
• TM acquisition and processing
[Figure: availability block diagram. Blocks shown: Galileo MEO Constellation, P/L, ULS, CAN, SCC, CUI, USF, ULF, SCF; redundant groups are marked k/n.]
7.4.5 Orbit monitoring function
[Figure: availability block diagram. Blocks shown: Galileo MEO Constellation, NAV/INT P/L, GMF A, GMF B, GMF C, GMS, GAN, GNCC, OSPF, GNCF, SCC, SCF; redundant groups are marked k/n.]
7.5 RESULTS
The following table presents in a synthetic form the results of the availability computation :
Service | Availability results | Availability requirements
Navigation service without integrity | 98,32 % | 99 %
Service with integrity (stand-alone) | 98,16 % | 99,9 %
Service with integrity (Global + Region components) | 98,27 % | 99,9 %
TM / TC function | 98,68 % | /
Orbit monitoring function | 98,55 % | /
The detailed results are presented in appendix 8.3.
7.6 ANALYSIS OF THE RESULTS
As a preamble, it is important to stress that the availability computations performed in the framework of this RAM analysis do not take the maintenance and logistics aspects completely into consideration. The present results would probably be degraded by the complementary logistical support scenarios (unavailability of spare parts, of maintenance operators, …).
The service availability requirements are not met, but since:
• The availability budgeted for the MEO constellation is taken as an input to these computations;
• The availability budgeted for the MEO constellation is 99 %;
• The MEO constellation is a series element in all the availability block diagrams,
the availability results cannot be better than 99 %.
The sensitivity studies highlighted the components that dominate the global results:
• The weight of the MEO constellation on the global availability is 54 % to 75 %;
• The WANs (GAN, CAN) are the ground components which have a strong impact on the global availability (around 12 % for each WAN);
• The GNCC also has a strong weight (from 9 % to 15 %), which could be reduced by a design solution (introducing internal redundancies);
• The SCC contribution should be reduced by following the FDA requirements (SCC shall have only monitoring functions, “beam scheduling” excluded);
• The stations (ULS, RMS) are not preponderant at this level, if the FDA requirement asking for “a service robust to one station site failure” is met.
7.7 AVAILABILITY APPORTIONMENT TO MEET THE REQUIREMENTS
Non integrity service:
To meet the 99 % availability requirement of the non integrity services, it would be necessary to increase the availability performance of the main sizing elements. For instance:
• MEO constellation: 99,5 %
• WAN (GAN, CAN): 99,9 %
In that case, the availability performance of the other elements is sufficient.
Integrity added services:
The 99,9 % availability requirements can be met only in the case where every element availability is one order higher than 99,9 %. As this does not seem economically and technically realistic for the MEO constellation, a mitigation could be to apportion the objective (99,9 %) to it and raise the availability of the ground segment to a higher level. For instance,
• MEO constellation: 99,9 %
• Ground segment: 99,995 %
would lead to an availability performance of the GALILEO system of around 99,89 %. This is equivalent to having a complete redundancy of the GS. In that case, the availability of the non integrity service will be over-specified at the same level (99,89 %).
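The series-chain arithmetic behind sections 7.6 and 7.7, as an added example that is not part of the original report. It assumes independent blocks and identical units inside a k/n group; the function names, the 2-of-3 station figure (0.99 per site) and the unavailability-share definition of a block's weight are assumptions, not values or methods taken from the report.

```python
from math import comb, prod


def series(*availabilities):
    """Blocks in series: the chain is up only when every block is up."""
    return prod(availabilities)


def k_of_n(k, n, a):
    """k/n block: at least k of n identical, independent units
    (each with availability a) must be up."""
    return sum(comb(n, i) * a**i * (1 - a) ** (n - i) for i in range(k, n + 1))


def required_remainder(target, fixed):
    """Availability the rest of a series chain must reach so that
    fixed * rest >= target. A result above 1.0 means the target
    cannot be reached whatever the rest of the chain does."""
    return target / fixed


def unavailability_share(block, system):
    """Assumed weight definition: the block's unavailability divided by
    the system's unavailability (valid for a series block)."""
    return (1 - block) / (1 - system)


def report_checks():
    """Re-run the figures quoted in sections 7.5 to 7.7."""
    meo_budget = 0.99  # MEO constellation budget quoted in section 7.6
    return {
        # 7.6: even a perfect ground segment cannot lift the chain above
        # the availability of the series MEO block.
        "ceiling": series(meo_budget, 1.0),
        # What the ground segment would need to deliver for each requirement
        # with the 99 % constellation budget (values above 1.0 are unreachable).
        "ground_needed_for_99": required_remainder(0.99, meo_budget),
        "ground_needed_for_99_9": required_remainder(0.999, meo_budget),
        # 7.7, non integrity service: MEO 99,5 % with GAN and CAN at 99,9 %.
        # The other elements are taken as 1.0 here because this section
        # gives no values for them.
        "non_integrity_sizing": series(0.995, 0.999, 0.999),
        # 7.7, integrity added services: MEO 99,9 % x ground segment 99,995 %.
        "integrity_apportionment": series(0.999, 0.99995),
        # Share of the 98,32 % result (7.5) explained by the 99 % MEO budget.
        "meo_share_nav": unavailability_share(meo_budget, 0.9832),
        # Constructed illustration of a k/n group: 2 of 3 station sites
        # at 0.99 each, i.e. robust to one site failure.
        "two_of_three_stations": k_of_n(2, 3, 0.99),
    }


if __name__ == "__main__":
    for name, value in report_checks().items():
        print(f"{name:28s} {value * 100:8.4f} %")
```

The integrity apportionment evaluates to about 99,895 %, matching the "around 99,89 %" quoted above, and the MEO share of the 98,32 % result falls inside the 54 % to 75 % range given in section 7.6.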
8 ANNEX :
8.1 PDA TABLES
The following tables of this annex are the detailed availability classification using the application/service mapping, and the syntheses of this classification for each service level.
Fr VH H M L T
Applications Qty Qty Qty Applications Qty Qty Qty Applications Qty Qty Qty Applications Qty QtyOAS-G1 OAS-G1 OAS-G1
2, 5, 27, 8 OAS-G2 6, 99(tbc) 2 OAS-G2 78, 79, 80, 3 OAS-G2 - 039, 58(NM), OAS OAS-GS OAS OAS-GS OAS OAS-GS OAS59(NM), OAS-GL OAS-GL OAS-GL60(NM), OAS-GH OAS-GH OAS-GH61(NM) CAS1-G CAS1-G CAS1-G
CAS1-L1 1 CAS1-L1 1 CAS1-L1 3CAS1 1 CAS1-L2 CAS1 1 CAS1-L2 CAS1 3 CAS1-L2 1 CAS1
CAS1-L3 CAS1-L3 1 CAS1-L3VH CAS1-GS CAS1-GS CAS1-GS
SAS-G 3 SAS-G SAS-GSAS-R 2 SAS-R SAS-R
SAS 4 SAS-L 1 SAS 1 SAS-L 1 SAS 3 SAS-L 3 SASSAS-RM 2 SAS-RM SAS-RMGAS-G 1 GAS-G GAS-G
GAS 1 GAS-L GAS GAS-L GAS GAS-L GASApplications Qty Qty Qty Applications Qty Qty Qty Applications Qty Qty Qty Applications Qty Qty
OAS-G1 OAS-G1 3 OAS-G1 31, 3 2 OAS-G2 7, 9, 12, 13, 24 OAS-G2 16, 17, 18, 24 OAS-G2 2 50, 51, 52 3
OAS OAS-GS 14, 23, 24, OAS 10 OAS-GS 7 19, 20, 21, OAS 4 OAS-GS 1 OASOAS-GL 25, 26, 31*, OAS-GL 28, 30, 35, OAS-GLOAS-GH 32, 33, 34, OAS-GH 8 38, 44, 46, OAS-GH 3CAS1-G 36, 37, 40, CAS1-G 9 47, 48, 49, CAS1-G 6CAS1-L1 41, 42, 43, CAS1-L1 1 53(tbc), 69, CAS1-L1 6
CAS1 CAS1-L2 57, 72, 84, CAS1 17 CAS1-L2 1 70, 71, 74, CAS1 14 CAS1-L2 6 CAS1CAS1-L3 97, 100 CAS1-L3 3 86, 93(NM), CAS1-L3
H CAS1-GS CAS1-GS 6 94(NM), CAS1-GS 3SAS-G 2 SAS-G 6 95(NM) SAS-G 3SAS-R 2 SAS-R 3 SAS-R
SAS 2 SAS-L SAS 7 SAS-L 4 SAS 3 SAS-L SAS 3SAS-RM 2 SAS-RM SAS-RMGAS-G GAS-G 3 GAS-G 6
GAS GAS-L GAS 3 GAS-L 1 GAS 6 GAS-L 6 GAS 3
Fr VH H M L T
Applications Qty Qty Qty Applications Qty Qty Qty Applications Qty Qty Qty Applications Qty QtyOAS-G1 OAS-G1 OAS-G1
- 0 OAS-G2 10, 22 4 OAS-G2 15, 62(tbd), 10 OAS-G2 67(NM) 1OAS OAS-GS 45(NM), OAS OAS-GS 63, 73 OAS OAS-GS OAS
OAS-GL 98 OAS-GL 81, 82, 87, OAS-GLOAS-GH OAS-GH 90, 91, 92 OAS-GHCAS1-G CAS1-G 1 CAS1-G 2CAS1-L1 CAS1-L1 CAS1-L1 2
CAS1 CAS1-L2 CAS1 3 CAS1-L2 CAS1 10 CAS1-L2 2 CAS1CAS1-L3 CAS1-L3 2 CAS1-L3 5
M CAS1-GS CAS1-GS CAS1-GS 1SAS-G SAS-G SAS-GSAS-R SAS-R SAS-R
SAS SAS-L SAS SAS-L SAS SAS-L SASSAS-RM SAS-RM SAS-RMGAS-G GAS-G 1 GAS-G
GAS GAS-L GAS 1 GAS-L 1 GAS GAS-L GASApplications Qty Qty Qty Applications Qty Qty Qty Applications Qty Qty Qty Applications Qty Qty
OAS-G1 OAS-G1 OAS-G1- 0 OAS-G2 - 0 OAS-G2 29 1 OAS-G2 8, 11, 55, 56, 12
OAS OAS-GS OAS OAS-GS OAS OAS-GS 64(NM), OAS 2OAS-GL OAS-GL OAS-GL 65(NM),OAS-GH OAS-GH OAS-GH 68, 83, 85,CAS1-G CAS1-G CAS1-G 88, 89, CAS1-L1 CAS1-L1 CAS1-L1 96(NM),
CAS1 CAS1-L2 CAS1 CAS1-L2 CAS1 CAS1-L2 CAS1 6CAS1-L3 CAS1-L3 CAS1-L3
L CAS1-GS CAS1-GS CAS1-GSSAS-G SAS-G SAS-GSAS-R SAS-R SAS-R
SAS SAS-L SAS SAS-L SAS SAS-L SAS 1SAS-RM SAS-RM SAS-RMGAS-G GAS-G GAS-G 1
GAS GAS-L GAS GAS-L GAS 1 GAS-L GAS 1
NM: Not Mapped
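OAS
T / Fr | VH | H | M | L
VH | 0 | 0 | 0 | 0
H | 0 | 10 | 4 | 0
M | 0 | 0 | 0 | 0
L | 0 | 0 | 0 | 2
OAS-G1
T / Fr | VH | H | M | L
VH | 0 | 0 | 0 | 0
H | 0 | 3 | 3 | 0
M | 0 | 0 | 0 | 0
L | 0 | 0 | 0 | 1
OAS-G2
T / Fr | VH | H | M | L
VH | 0 | 0 | 0 | 0
H | 0 | 0 | 2 | 0
M | 0 | 0 | 0 | 0
L | 0 | 0 | 0 | 1
OAS-GS
T / Fr | VH | H | M | L
VH | 0 | 0 | 0 | 0
H | 0 | 7 | 1 | 0
M | 0 | 0 | 0 | 0
L | 0 | 0 | 0 | 0
OAS-GL
T / Fr | VH | H | M | L
VH | 0 | 0 | 0 | 0
H | 0 | 0 | 0 | 0
M | 0 | 0 | 0 | 0
L | 0 | 0 | 0 | 0
OAS-GH
T / Fr | VH | H | M | L
VH | 0 | 0 | 0 | 0
H | 0 | 8 | 3 | 0
M | 0 | 0 | 0 | 0
L | 0 | 0 | 0 | 1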
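CAS1
T / Fr | VH | H | M | L
VH | 1 | 1 | 3 | 0
H | 0 | 17 | 14 | 0
M | 0 | 3 | 10 | 0
L | 0 | 0 | 0 | 6
CAS1-G
T / Fr | VH | H | M | L
VH | 0 | 0 | 0 | 0
H | 0 | 9 | 6 | 0
M | 0 | 1 | 2 | 0
L | 0 | 0 | 0 | 1
CAS1-L1
T / Fr | VH | H | M | L
VH | 1 | 1 | 3 | 0
H | 0 | 1 | 6 | 0
M | 0 | 0 | 2 | 0
L | 0 | 0 | 0 | 2
CAS1-L2
T / Fr | VH | H | M | L
VH | 0 | 0 | 1 | 0
H | 0 | 1 | 6 | 0
M | 0 | 0 | 2 | 0
L | 0 | 0 | 0 | 2
CAS1-L3
T / Fr | VH | H | M | L
VH | 0 | 1 | 0 | 0
H | 0 | 3 | 0 | 0
M | 0 | 2 | 5 | 0
L | 0 | 0 | 0 | 2
CAS1-GS
T / Fr | VH | H | M | L
VH | 0 | 0 | 0 | 0
H | 0 | 6 | 3 | 0
M | 0 | 0 | 1 | 0
L | 0 | 0 | 0 | 1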
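SAS
T / Fr | VH | H | M | L
VH | 4 | 1 | 3 | 0
H | 2 | 7 | 3 | 3
M | 0 | 0 | 0 | 0
L | 0 | 0 | 0 | 1
SAS-G
T / Fr | VH | H | M | L
VH | 3 | 0 | 0 | 0
H | 2 | 6 | 3 | 0
M | 0 | 0 | 0 | 0
L | 0 | 0 | 0 | 0
SAS-R
T / Fr | VH | H | M | L
VH | 2 | 0 | 0 | 0
H | 2 | 3 | 0 | 0
M | 0 | 0 | 0 | 0
L | 0 | 0 | 0 | 0
SAS-L
T / Fr | VH | H | M | L
VH | 1 | 1 | 3 | 0
H | 0 | 4 | 0 | 0
M | 0 | 0 | 0 | 0
L | 0 | 0 | 0 | 0
SAS-RM
T / Fr | VH | H | M | L
VH | 2 | 0 | 0 | 0
H | 2 | 0 | 0 | 3
M | 0 | 0 | 0 | 0
L | 0 | 0 | 0 | 1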
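GAS
T / Fr | VH | H | M | L
VH | 1 | 0 | 0 | 0
H | 0 | 3 | 6 | 3
M | 0 | 1 | 0 | 0
L | 0 | 0 | 1 | 1
GAS-G
T / Fr | VH | H | M | L
VH | 1 | 0 | 0 | 0
H | 0 | 3 | 6 | 3
M | 0 | 1 | 0 | 0
L | 0 | 0 | 1 | 1
GAS-L
T / Fr | VH | H | M | L
VH | 0 | 0 | 0 | 0
H | 0 | 1 | 6 | 0
M | 0 | 1 | 0 | 0
L | 0 | 0 | 0 | 0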
8.2 FDA TABLES
FUNCTION: Schedule and broadcast navigation SIS SSF1
FUNCTIONAL FAILURE: Loss of capability to schedule or broadcast SIS SSF1A
SCENARIO: Recoverable loss of Payload on one satellite SSF1A1
Description of repercussions: X-Ref
1 - Effect on the GALILEO services and on the operation
Navigation payload on one satellite is temporarily inoperative. No SIS transmitted in autonomous mode. Immediate detection by user terminal. If remaining healthy satellites in view are not sufficient to compute a position solution with the required performance, navigation service can be interrupted for some users. Possible loss of continuity for some users. After recovery (4 hours TBC), system is fully operational. Service outage leading to dissatisfaction for limited duration for a limited number of users.
2 - Detection means (monitoring systems or operators)
Situation is monitored by ground system. Status of satellites is propagated to all users through integrity messages and almanac.
If monitoring of satellite is permanent, recovery action can start without delay.
3 - Corrective action and GALILEO system resulting condition
No corrective action
Severity Classification
Minor
RAM-Requirements (Rrq), Recommendations (Rrm), Assumptions (Ras)
Ref.: Rrm 1
Description: SCC would be able to initiate diagnosis and recovery actions at any time for any satellite.
Galileo system level Failure Condition
Ref.: FC2
Title: Detected + restricted loss or degradation of the service with restoration in limited time
FUNCTION: Schedule and broadcast navigation SIS SSF1
FUNCTIONAL FAILURE: Loss of capability to schedule or broadcast SIS SSF1A
SCENARIO: Irrecoverable loss of Payload in some satellites SSF1A2
Description of repercussions: X-Ref
1 - Effect on the GALILEO services and on the operation
Navigation payload on some satellites is irrecoverably lost. No SIS transmitted in autonomous mode. Some satellites can have stopped transmission at the same time by coincidence or by a common cause. Immediate detection by user terminal. If remaining healthy satellites in view are not sufficient to compute a position solution with the required performance, navigation service can be interrupted for several users. Possible loss of continuity for several users. If spare in orbit satellites can be positioned to restore the geometric availability, service can be restored within 7 (TBC) days. Irreversible impact on operations for a number of users.
2 - Detection means (monitoring systems or operators)
Situation is monitored by ground system. Status of satellites is propagated to all users through integrity messages and almanac.
3 - Corrective action and GALILEO system resulting condition
No corrective action
Severity Classification
Major
RAM-Requirements (Rrq), Recommendations (Rrm), Assumptions (Ras)
Ref.: Rrm1
Description: SCC would be able to initiate diagnosis and recovery actions at any time for any satellite.
Ref.: Rrq 1
Description: No common cause/common mode not shown extremely improbable would lead to simultaneous failure on several satellites.
Remark: Common cause and common mode analysis (including external events and other GALILEO segments) will have to be performed as it has a direct impact on spare dimensioning and redundancies.
Galileo system level Failure Condition
Ref.: FC4
Title: Detected + restricted loss or degradation of the service with long term restoration
FUNCTION: Schedule and broadcast navigation SIS SSF1
FUNCTIONAL FAILURE: Loss of capability to schedule or broadcast SIS SSF1A
SCENARIO: Irrecoverable loss of payload in several satellites SSF1A3
Description of repercussions: X-Ref
1 - Effect on the GALILEO services and on the operation
Navigation payload on several satellites is inoperative. No SIS transmitted in autonomous mode. Several satellites can have stopped transmission at the same time by coincidence or by a common cause. Immediate detection by user terminal. If remaining healthy satellites in view are not sufficient to compute a position solution with the required performance, navigation service can be interrupted for a number of users. Possible loss of continuity for a number of users. No sufficient spare in orbit satellites to restore the geometric availability. Service is interrupted for duration greater than 4 (TBC) months. Possible major paralysis of users' activities.
2 - Detection means (monitoring systems or operators)
Situation is monitored by ground system. Status of satellites is propagated to all users through integrity messages and almanac.
3 - Corrective action and GALILEO system resulting condition
No corrective action
Severity Classification
Severe
RAM-Requirements (Rrq), Recommendations (Rrm), Assumptions (Ras)
Ref.: Rrq1
Description: No common cause/common mode not shown extremely improbable would lead to simultaneous failure on several satellites.
Remark: Common cause and common mode analysis (including external events and other GALILEO segments) will have to be performed as it has a direct impact on spare dimensioning and redundancies.
Galileo system level Failure Condition
Ref.: FC3
Title: Detected + world wide loss or degradation of the service with long term restoration
FUNCTION: Schedule and broadcast navigation SIS SSF1
FUNCTIONAL FAILURE: Erroneous scheduling or broadcast of SIS SSF1B
SCENARIO: Detected payload misbehaviour on satellites SSF1B1
Description of repercussions: X-Ref
1 - Effect on the GALILEO services and on the operation
SIS broadcast by satellite is misleading. Some satellites can experience misbehaviour at the same time by coincidence or by common cause. Detection by integrity monitoring network. The misleading data detection is transmitted through the integrity flags. The integrity added service users are warned. If remaining healthy satellites in view are not sufficient to compute a position solution with the required performance, navigation service can be interrupted for some users. Possible loss of continuity for some users. Service outage leading to user dissatisfaction.
The detection by ground system allows the situation to be monitored and corrective measures to be carried out to recover the nominal state or put the system in an acceptable state for all users.
Remark: For non integrity added service users, possible detection by terminal RAIM function.
2 - Detection means (monitoring systems or operators)
Situation is monitored by ground system. Status of satellites is propagated to all users through integrity messages and almanac.
3 - Corrective action and GALILEO system resulting condition
No corrective action
Severity Classification
Minor
RAM-Requirements (Rrq), Recommendations (Rrm), Assumptions (Ras)
Ref.: Rrm1
Description: SCC would be able to initiate diagnosis and recovery actions at any time for any satellite.
Ref.: Rrq1
Description: No common cause/common mode not shown extremely improbable would lead to simultaneous failure on several satellites.
Remark: Common cause and common mode analysis (including external events and other GALILEO segments) will have to be performed as it has a direct impact on spare dimensioning and redundancies.
Galileo system level Failure Condition
Ref.: FC2
Title: Detected + restricted loss or degradation of the service with restoration in limited time
FUNCTION: Schedule and broadcast navigation SIS SSF1
FUNCTIONAL FAILURE: Erroneous scheduling or broadcast of SIS SSF1B
SCENARIO: Undetected payload misbehaviour on some satellites SSF1B2
Description of repercussions: X-Ref
1 - Effect on the GALILEO services and on the operation
SIS broadcast by satellite is misleading. Some satellites can experience misbehaviour at the same time, by coincidence or by a common cause. The ground system does not detect the misleading data transmission (double failure or satellite not monitored). The application users where availability requirement is expected are supposed to have the RAIM function implemented in their terminal. In the case where only few satellites are affected, possible detection by the RAIM terminal function. If remaining healthy satellites in view are not sufficient to compute a position solution with the required performance, navigation service can be interrupted for few users. Possible loss of continuity for few users.
X-Ref: Ras1
2 - Detection means (monitoring systems or operators)
RAIM terminal function in the case where only some satellites are affected.
3 - Corrective action and GALILEO system resulting condition
No corrective action
Severity Classification
Major
RAM-Requirements (Rrq), Recommendations (Rrm), Assumptions (Ras)
Ref.: Rrq1
Description: No common cause/common mode not shown extremely improbable would lead to simultaneous failure on several satellites.
Remark: Common cause and common mode analysis (including external events and other GALILEO segments) will have to be performed as it has a direct impact on spare dimensioning and redundancies.
Ref.: Rrm 2
Description: The ground monitoring system (GMF/GNCC respectively RMF/RNCC) coverage rate (detection capability of SIS misbehaviour) must be consistent with the availability quantitative requirements.
Ref.: Ras1
Description: The application users where availability requirement is expected are supposed to have the RAIM function implemented in their terminal.
Galileo system level Failure Condition
Ref.: FC6
Title: Undetected + restricted loss or degradation of the service with long term restoration
FUNCTION: Schedule and broadcast navigation SIS SSF1
FUNCTIONAL FAILURE: Erroneous scheduling or broadcast of SIS SSF1B
SCENARIO: Undetected payload misbehaviour on several satellites SSF1B3
Description of repercussions: X-Ref
1 - Effect on the GALILEO services and on the operation
SIS broadcast by satellite is misleading. Several satellites can experience misbehaviour at the same time, by coincidence or by a common cause. The ground system does not detect the misleading data transmission (double failure or satellite not monitored). The RAIM function does not detect the misleading data transmission. The users continue to use misleading information.
Although, for the users, the service seems to be available, they can experience important consequences on their applications, leading to outage with paralysis of their applications.
2 - Detection means (monitoring systems or operators)
No detection means
3 - Corrective action and GALILEO system resulting condition
No corrective action
Severity Classification
Severe
RAM-Requirements (Rrq), Recommendations (Rrm), Assumptions (Ras)
Ref.: Rrq1
Description: No common cause/common mode not shown extremely improbable would lead to simultaneous failure on several satellites.
Remark: Common cause and common mode analysis (including external events and other GALILEO segments) will have to be performed as it has a direct impact on spare dimensioning and redundancies.
Ref.: Rrm2
Description: The ground monitoring system (GMF/GNCC respectively RMF/RNCC) coverage rate (detection capability of SIS misbehaviour) must be consistent with the availability quantitative requirements.
Galileo system level Failure Condition
Ref.: FC5
Title: Undetected + world wide loss or degradation of the service with long term restoration
FUNCTION: Synchronise and broadcast navigation/integrity composite SIS SSF2
FUNCTIONAL FAILURE: Loss of capability to synchronise or broadcast composite SIS SSF2A
SCENARIO: Recoverable loss of Payload on one or some satellites SSF2A1
Description of repercussions: X-Ref
1 - Effect on the GALILEO services and on the operation
Navigation payload on one or some satellites is temporarily inoperative. Some satellites can have stopped transmission at the same time by coincidence or by common cause. Immediate detection by user terminal. If remaining healthy satellites in view are not sufficient to compute a position solution with the required performance, navigation service can be interrupted for some users. The detection by the ground system allows the concerned satellites to be switched from connected mode to autonomous mode. In that case the satellites could transmit the navigation message without the integrity data. The non integrity added service could have the service available after the switching of the satellites. Users of integrity added services experience loss of continuity. Possible loss of continuity for some users, which can be of different duration according to the considered service level. After recovery of the system (4 hours TBC), system is fully operational. Service outage leading to user dissatisfaction for limited duration.
2 - Detection means (monitoring systems or operators)
Situation is monitored by ground system. Status of satellites is propagated to all users through integrity messages and almanac.
If monitoring of satellite is permanent, recovery action can start without delay.
3 - Corrective action and GALILEO system resulting condition
No corrective action
Severity Classification
Minor
RAM-Requirements (Rrq), Recommendations (Rrm), Assumptions (Ras)
Ref.: Rrm1
Description: SCC would be able to initiate diagnosis and recovery actions at any time for any satellite.
Ref.: Rrq1
Description: No common cause/common mode not shown extremely improbable would lead to simultaneous failure on several satellites.
Remark: Common cause and common mode analysis (including external events and other GALILEO segments) will have to be performed as it has a direct impact on spare dimensioning and redundancies.
Galileo system level Failure Condition
Ref.: FC2
Title: Detected + restricted loss or degradation of the service with restoration in limited time
FUNCTION: Synchronise and broadcast navigation/integrity composite SIS SSF2
FUNCTIONAL FAILURE: Loss of capability to synchronise or broadcast composite SIS SSF2A
SCENARIO: Irrecoverable loss of Payload in some satellites SSF2A2
Description of repercussions: X-Ref
1 - Effect on the GALILEO services and on the operation
Navigation payload on some satellites is irrecoverably lost. Some satellites can have stopped transmission at the same time by coincidence or by common cause. Immediate detection by user terminal. If remaining healthy satellites in view are not sufficient to compute a position solution with the required performance, navigation service can be interrupted for some users. Possible loss of continuity for some users. It is assumed that a satellite in connected mode which experiences a failure cannot then switch to autonomous mode. If spare in orbit satellites can be positioned to restore the geometric availability, integrity added services can be restored within 7 (TBC) days. Irreversible impact on operations for a number of users.
X-Ref: Ras2
2 - Detection means (monitoring systems or operators)
Situation is monitored by ground system.
3 - Corrective action and GALILEO system resulting condition
No corrective action
Severity Classification
Major
RAM-Requirements (Rrq), Recommendations (Rrm), Assumptions (Ras)
Ref.: Rrm1
Description: SCC would be able to initiate diagnosis and recovery actions at any time for any satellite.
Ref.: Rrq1
Description: No common cause/common mode not shown extremely improbable would lead to simultaneous failure on several satellites.
Remark: Common cause and common mode analysis (including external events and other GALILEO segments) will have to be performed as it has a direct impact on spare dimensioning and redundancies.
Ref.: Ras2
Description: It is assumed that a satellite in connected mode which experiences a failure cannot then switch to autonomous mode.
Galileo system level Failure Condition
Ref.: FC4
Title: Detected + restricted loss or degradation of the service with long term restoration
FUNCTION: Synchronise and broadcast navigation/integrity composite SIS SSF2
FUNCTIONAL FAILURE: Loss of capability to synchronise or broadcast composite SIS SSF2A
SCENARIO: Irrecoverable payload failed on several satellites SSF2A3
Description of repercussions: X-Ref
1 - Effect on the GALILEO services and on the operation
Navigation payload on several satellites is irrecoverably lost. Satellites can have stopped transmission at the same time by coincidence or by common cause. Immediate detection by user terminal. If remaining healthy satellites in view are not sufficient to compute a position solution with the required performance, navigation service can be interrupted for a number of users. Possible loss of continuity for a number of users. It is assumed that a satellite in connected mode which experiences a failure cannot then switch to autonomous mode. No sufficient spare in orbit satellites to restore the geometric availability. Integrity added services are interrupted for duration greater than 4 (TBC) months.
X-Ref: Ras2
2 - Detection means (monitoring systems or operators)
Situation is monitored by ground system. Status of satellites is propagated to all users through integrity messages and almanac.
3 - Corrective action and GALILEO system resulting condition
No corrective action
Severity Classification
Severe
RAM-Requirements (Rrq), Recommendations (Rrm), Assumptions (Ras)
Ref.: Rrq1
Description: No common cause/common mode not shown extremely improbable would lead to simultaneous failure on several satellites.
Remark: Common cause and common mode analysis (including external events and other GALILEO segments) will have to be performed as it has a direct impact on spare dimensioning and redundancies.
Ref.: Ras2
Description: It is assumed that a satellite in connected mode which experiences a failure cannot then switch to autonomous mode.
Galileo system level Failure Condition
Ref.: FC3
Title: Detected + world wide loss or degradation of the service with long term restoration
FUNCTION: Synchronise and broadcast navigation/integrity composite SIS SSF2
FUNCTIONAL FAILURE: Erroneous synchronisation or broadcast of composite SIS SSF2B
SCENARIO: Payload misbehaviour on satellites SSF2B1/2B2/2B3
Description of repercussions: X-Ref
1 - Effect on the GALILEO services and on the operation
SIS retransmission is erratic, unsynchronised and misleading. Possible detection by terminal RAIM function. Immediate detection by integrity monitoring network. Immediate detection at ULS. Uplink SIS is stopped. Satellite payload is deactivated. Some satellites can have stopped transmission at the same time by coincidence or by a common cause. Immediate detection by user terminal. If remaining healthy satellites in view are not sufficient to compute a position solution with the required performance, navigation service can be interrupted for some users. In the case where the erroneous synchronisation or broadcast of composite SIS is detected, the same scenarios as in the loss context are experienced. This leads to distinguishing the same three scenarios:
SSF2B1: Recoverable detected misbehaviour on some satellites: refer to SSF2A1
SSF2B2: Irrecoverable detected misbehaviour on some satellites: refer to SSF2A2
SSF2B3: Irrecoverable detected misbehaviour on several satellites: refer to SSF2A3
2 - Detection means (monitoring systems or operators)
SSF2B1: refer to SSF2A1
SSF2B2: refer to SSF2A2
SSF2B3: refer to SSF2A3
3 - Corrective action and GALILEO system resulting condition
SSF2B1: refer to SSF2A1
SSF2B2: refer to SSF2A2
SSF2B3: refer to SSF2A3
Severity Classification
SSF2B1: refer to SSF2A1
SSF2B2: refer to SSF2A2
SSF2B3: refer to SSF2A3
RAM-Requirements (Rrq), Recommendations (Rrm), Assumptions (Ras)
Ref. / Description:
SSF2B1: refer to SSF2A1
SSF2B2: refer to SSF2A2
SSF2B3: refer to SSF2A3
Galileo system level Failure Condition
Ref. / Title:
SSF2B1: refer to SSF2A1
SSF2B2: refer to SSF2A2
SSF2B3: refer to SSF2A3
FUNCTION: Synchronise and broadcast navigation/integrity composite SIS SSF2
FUNCTIONAL FAILURE: Erroneous synchronisation or broadcast of composite SIS SSF2B
SCENARIO: Undetected payload misbehaviour on few or some satellites SSF2B4
Description of repercussions: X-Ref
1 - Effect on the GALILEO services and on the operation
SIS broadcast by satellite is misleading. Some satellites can experience misbehaviour at the same time, by coincidence or by a common cause. The ground system does not detect the misleading data transmission. In the case where only few satellites are affected, possible detection by the RAIM terminal function. In this case, if remaining healthy satellites in view are not sufficient to compute a position solution with the required performance, navigation service can be interrupted for some (?) users. Possible loss of continuity for some users. Service outage leading to user dissatisfaction. As failure is not detected by ground system, potential recovery solutions are not carried out.
Possible degradation leading to outage with irreversible impact on user operation or business.
2 - Detection means (monitoring systems or operators)
RAIM terminal function detection in the case where only some satellites are affected.
3 - Corrective action and GALILEO system resulting condition
No corrective action
Severity Classification
Major
RAM-Requirements (Rrq), Recommendations (Rrm), Assumptions (Ras)
Ref.: Rrm1
Description: SCC would be able to initiate diagnosis and recovery actions at any time for any satellite.
Ref.: Rrq1
Description: No common cause/common mode not shown extremely improbable would lead to simultaneous failure on several satellites.
Remark: Common cause and common mode analysis (including external events and other GALILEO segments) will have to be performed as it has a direct impact on spare dimensioning and redundancies.
Ref.: Rrm2
Description: The ground monitoring system (GMF/GNCC respectively RMF/RNCC) coverage rate (detection capability of SIS misbehaviour) must be consistent with the availability quantitative requirements.
Galileo system level Failure Condition
Ref.: FC6
Title: Undetected + restricted loss or degradation of the service with long term restoration
FUNCTION: Synchronise and broadcast navigation/integrity composite SIS SSF2
FUNCTIONAL FAILURE: Erroneous synchronisation or broadcast of composite SIS SSF2B
SCENARIO: Undetected payload misbehaviour on several or more satellites SSF2B5
Description of repercussions: X-Ref
1 - Effect on the GALILEO services and on the operation
SIS broadcast by satellite is misleading. Several satellites can experience misbehaviour at the same time, by coincidence or by a common cause. The ground system does not detect the misleading data transmission (double failures). The RAIM function does not detect the misleading data transmission. The users continue to use misleading information.
Although, for the users, the service seems to be available, they can experience important consequences on their applications, leading to outage with major paralysis of user activities.
2 - Detection means (monitoring systems or operators)
No detection means
3 - Corrective action and GALILEO system resulting condition
No corrective action
Severity Classification
Severe
RAM-Requirements (Rrq), Recommendations (Rrm), Assumptions (Ras)
Ref.: Rrq1
Description: No common cause/common mode not shown extremely improbable would lead to simultaneous failure on several satellites.
Remark: Common cause and common mode analysis (including external events and other GALILEO segments) will have to be performed as it has a direct impact on spare dimensioning and redundancies.
Ref.: Rrm2
Description: The ground monitoring system (GMF/GNCC respectively RMF/RNCC) coverage rate (detection capability of SIS misbehaviour) must be consistent with the availability quantitative requirements.
Galileo system level Failure Condition
Ref.: FC5
Title: Undetected + world wide loss or degradation of the service with long term restoration
FUNCTION: Receive access management messages SSF3
FUNCTIONAL FAILURE: Error in reception or process of protection keys. SSF3A
SCENARIO: Corruption or misuse of coding keys in payload. SSF3A1
Description of repercussions: X-Ref
1 - Effect on the GALILEO services and on the operation
Failure can interrupt normal TM&TC transactions with satellite. Final resulting state is supposed to be a stop of SIS transmission. Satellite is inoperative. Failure can interrupt normal encoding of encrypted signal (SAS). Immediate detection by monitoring system. Final resulting state is supposed to be a satellite payload stopped or declared unhealthy. Satellite is inoperative.
No undetectable corruption in retransmission of navigation and integrity messages due to encoding/decoding process in satellite payload is foreseen (in connected mode).
Geographic deactivation/denial of service is supposed not to make use of satellites depending on their position in orbit.
In case of failure due to common cause or common mode, several satellites are affected. Loss of service for most of the users leading to major paralysis of their activities.
X-Ref: OP3, OP4, OP5, OP6
2 - Detection means (monitoring systems or operators)
Immediate detection by GNCC. Possible use of back up key or old keys.
X-Ref: ROP19
3 - Corrective action and GALILEO system resulting condition
For key management, system may implement an uncrypted mode as fallback.
X-Ref: Rrm3
Severity Classification
Severe
RAM-Requirements (Rrq), Recommendations (Rrm), Assumptions (Ras)
Ref.: Rrm 3 (Rec12)
Description: For key management, in degraded mode system may implement an uncrypted mode as fallback.
Ref.: Rop19
Description: Possible use of back up key or old keys
Galileo system level Failure Condition
Ref.: FC3
Title: Detected + world wide loss or degradation of the service with long term restoration
FUNCTION: Set TM&TC link with satellite for housekeeping and navigation messages (SSF4)
FUNCTIONAL FAILURE: Loss of transmission means (SSF4A)
SCENARIO: Failure on TM&TC chain: CUI, USF, ULF, P/F (SSF4A1)
Description of repercussions:
1 - Effect on the GALILEO services and on the operation:
Failure interrupts normal TM&TC transactions with satellite.
If failure on P/F: immediate detection by ULS. The satellite is not monitored. The status of the satellite is transmitted to the users. Several satellites may experience the failure at the same time by coincidence or by common cause.
In that case, if remaining satellites in view are not sufficient to compute a position solution with the required performance, navigation service can be interrupted for some users.
Possible loss of continuity for some users.
(It is supposed that as the TM/TC link with the satellite is lost, it is not possible to start recovery action at satellite level).
If spare in orbit can be positioned to restore the lost satellites, full service can be restored within 7 (tbc) days. Irreversible impact on operations for a number of users.
If failure on one of the elements of the ground “segment” chain, immediate detection at GNCC level. Possible use of another ULS to recover the TM/TC link with the satellite. Several ULS components could experience the failure at the same time by coincidence or common cause. In that case recovery action by use of another ULS might not be possible. In that case (worst case), the system could be partially (or totally) inoperative during the ULS components necessary recovery time.
Outage with irreversible impact on user activity.
X-Ref: Ras3
2 - Detection means (monitoring systems or operators):
ULS can detect the P/F failure.
GNCC can detect the ULS component failures.
3 - Corrective action and GALILEO system resulting condition:
In case of failure on satellite P/F, the status of the satellite is transmitted to the users.
In case of ULS components failure, possible use of another ULS to set TM/TC link with the satellite. The recovery action on the faulty ULS component is initiated after detection and reporting at maintenance entity level.
X-Ref: Rrq3
Severity classification: Severe (worst case) – (Major if Rrq3 applied)
RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras):
Rrq1: No common cause/common mode not shown extremely improbable would lead to simultaneous failure on several satellites.
Rrq2: No common cause/common mode not shown extremely improbable would lead to simultaneous failure on several ULS components
Rrq3: Detection and reporting of any failure of ULS components at maintenance entity level shall be performed to initiate recovery action.
Ras3: It is supposed that when the TM/TC link with the satellite is lost, it is not possible to start recovery action at satellite level
Galileo system level Failure Condition:
Ref: FC3
Title: Detected + world wide loss or degradation of the service with long term restoration (FC4 if Rrq applied)
FUNCTION: Set TM&TC link with satellite for housekeeping and navigation messages (SSF4)
FUNCTIONAL FAILURE: Undetected erroneous transmission (SSF4B)
SCENARIO: TM&TC chain misbehaviour (SSF4B1)
Description of repercussions:
1 - Effect on the GALILEO services and on the operation:
TBD
Corruption of navigation message must be assessed during transmission and in satellite and ground buffers.
X-Ref: OP3
2 - Detection means (monitoring systems or operators):
3 - Corrective action and GALILEO system resulting condition:
Severity classification: TBD
RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras):
Ref: Description:
Galileo system level Failure Condition:
Ref: Title:
FUNCTION: Set uplinks to satellites for navigation/integrity composite messages (SSF5)
FUNCTIONAL FAILURE: Loss of transmission means (SSF5A)
SCENARIO: Failure on uplink chain: USF, ULF, P/F (SSF5A1)
Description of repercussions:
1 - Effect on the GALILEO services and on the operation:
Failure interrupts connected mode with satellite.
Adequate protections and fallback procedures are supposed to be implemented in the platform in case of detected interruption of communication means.
Current resulting satellite state is supposed to be autonomous mode.
ULS detects the satellite failure to initiate the recovery actions. After recovery (4 hours TBC), satellite P/F is operative.
Several satellite payloads may be stopped at the same time by coincidence or by common cause.
If there are not sufficient active satellites in view, integrity monitoring service can be discontinued for some users.
Possible loss of continuity for some users of integrity added services. The other services (non integrity added services) do not experience any effect. In that case, outage leading to user dissatisfaction.
If failure on one of the elements of the ground “segment” chain, immediate detection at GNCC level. Possible use of another ULS to recover the uplink function with the satellite. Several ULS components could experience the failure at the same time by coincidence or common cause. In that case recovery action by use of another ULS might not be possible. In that case (worst case), the system could be partially (or totally) inoperative during the ULS components necessary recovery time for the integrity added services.
Outage with irreversible impact on user activity.
X-Ref: OP3
2 - Detection means (monitoring systems or operators):
ULS can detect the P/F failure.
GNCC can detect the ULS component failures.
3 - Corrective action and GALILEO system resulting condition:
In case of failure on satellite P/F, satellite switches to autonomous mode.
In case of ULS components failure, possible use of another ULS to set uplink with the satellite. The recovery action on the faulty ULS component is initiated after detection and reporting at maintenance entity level.
X-Ref: Rrq3
Severity classification:
Minor (P/F failure)
Severe (ULS chain – worst case) – Major if Rrq applied
RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras):
Rrq1: No common cause/common mode not shown extremely improbable would lead to simultaneous failure on several satellites.
Rrq2: No common cause/common mode not shown extremely improbable would lead to simultaneous failure on several ULS components
Rrq3: Detection and reporting of any failure of ULS components at maintenance entity level shall be performed to initiate recovery action
Ras4: Adequate protections and fallback procedures are supposed to be implemented in the satellite platform in case of detected interruption of communication means.
Galileo system level Failure Condition:
Ref: FC2, FC3
Title:
Detected + restricted loss or degradation of the service with restoration in limited time (P/F)
Detected + world wide loss or degradation of the service with long term restoration (ULS chain) (FC4 if Rrq applied)
FUNCTION: Set uplinks to satellites for navigation/integrity composite messages (SSF5)
FUNCTIONAL FAILURE: Undetected erroneous uplink transmission (SSF5B)
SCENARIO: Uplink chain misbehaviour (SSF5B1)
Description of repercussions:
1 - Effect on the GALILEO services and on the operation:
TBD
If misbehaviour is originated by GUI, USF or ULF, it can affect most of the satellites in link.
Navigation integrity composite messages are misleading.
Possible detection by GIC (tbc)
Possible detection by RAIM function (tbc)
Capability for user terminal to discriminate information from different sources?
Loss of continuity of service? (false alarm)
Loss of integrity of service?
X-Ref: OP3, OP15, OP10
2 - Detection means (monitoring systems or operators):
TBD
3 - Corrective action and GALILEO system resulting condition:
If ULF system has capability to directly monitor signal broadcast by satellite in connection, it can immediately stop connected mode in case of discrepancy.
Severity classification: TBD
RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras):
Rrq4: Probability of satellite to broadcast misleading navigation/integrity composite message must be less than extremely improbable
Galileo system level Failure Condition:
Ref: TBD
Title: TBD
FUNCTION: Monitor and configure constellation status (housekeeping) (SSF6)
FUNCTIONAL FAILURE: Loss of capability to monitor or configure constellation (SSF6A)
SCENARIO: SCF failed (SSF6A1)
Description of repercussions:
1 - Effect on the GALILEO services and on the operation:
Satellites remain active for a moment.
GNCF is supposed to keep control on satellites operating in connected mode.
No monitoring of satellites status, ULS status and CAN status. No capability to reconfigure them.
No capability to reconfigure satellite in connected mode. Satellites in connected mode revert progressively to autonomous mode.
No capability to update navigation tables in payloads operating in autonomous mode (beam scheduling is SCF function).
Navigation signal degrades progressively.
The satellites should remain in autonomous mode as long as the degradation of the navigation signal is acceptable.
If detected, possible reconfiguration without impact on the non integrity services.
Otherwise service is discontinued for most users.
For integrity added services, loss of service.
X-Ref: OP7, Rrm4
2 - Detection means (monitoring systems or operators):
Possible detection by operators (tbc)
3 - Corrective action and GALILEO system resulting condition:
SCF failure shall be without immediate effect on operational service
Recovery time of SCF function shall be less than time leading to unacceptable service degradation.
X-Ref: Rrq5, Rrq6
Severity classification: Severe – (Minor if Rrq5 applied; Major if Rrq6 applied)
RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras):
Rrq5: SCF failure shall be without immediate effect on operational service (necessity to exclude beam scheduling function).
Rrq6: Recovery time of SCF function shall be less than time leading to unacceptable service degradation
Rrq7: SCF failure shall be detected and reported at maintenance entity level to initiate immediate recovery actions
Rrm4: The satellites should stay in autonomous mode as long as the degradation of the navigation signal is acceptable
Galileo system level Failure Condition:
Ref: FC3, FC7, FC1
Title: Detected + world wide loss or degradation of the service with long term restoration (if Rrq5 : FC7; if Rrq6/7 : FC1)
FUNCTION: Monitor and configure constellation status (housekeeping) (SSF6)
FUNCTIONAL FAILURE: Undetected error in monitoring or configuring constellation (SSF6B)
SCENARIO: SCF misbehaviour (SSF6B1)
Description of repercussions:
1 - Effect on the GALILEO services and on the operation:
Unpredictable behaviour of SCF with regard to satellites status, ULS status or CAN status.
As relation between SCF and ULS network is hierarchical, repercussions could be to lock most of ULS functions on several or more stations.
Global and regional integrity added services could be impaired or interrupted.
Service possibly discontinued for most users of services with integrity function.
Satellites are supposed to remain active for a moment.
Possible incapacity to update navigation tables in autonomous mode.
Navigation signal degrades progressively.
The satellites should remain in autonomous mode as long as the degradation of the navigation signal is acceptable.
Service is discontinued for most users.
X-Ref: OP7, Rrm4
2 - Detection means (monitoring systems or operators):
SCF operator should have the capability to check the SCF output data. [X-Ref: Rrm5]
3 - Corrective action and GALILEO system resulting condition:
SCF failure shall be without immediate effect on operational service [X-Ref: Rrq5]
Severity classification: Severe (Minor if Rrq5 applied)
RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras):
Rrq5: SCF failure shall be without immediate effect on operational service (necessity to exclude beam scheduling function).
Rrm5: SCF operator should have the capability to check the SCF output data
Rrm4: The satellites should remain in autonomous mode as long as the degradation of the navigation signal is acceptable
Galileo system level Failure Condition:
Ref: FC5
Title: Undetected + world wide loss or degradation of the service with long term restoration (if Rrq5 : FC7)
FUNCTION: Receive and transmit SAR user signal (SSF7)
FUNCTIONAL FAILURE: Loss of capability to receive or retransmit SAR user signal (SSF7A)
SCENARIO: SAR payload failure on several satellites. (SSF7A1)
Description of repercussions:
1 - Effect on the GALILEO services and on the operation:
Risk to discontinue SAR service for some users (from common cause).
Outage with irreversible impact on user activity.
X-Ref: OP8
2 - Detection means (monitoring systems or operators):
GALILEO monitoring system shall be able to test and detect SAR payload failure to initiate recovery actions [X-Ref: Rrq8]
3 - Corrective action and GALILEO system resulting condition:
No corrective action
Severity classification: Severe (Major if Rrq8 or 9 applied; Minor if Rrq8+9 applied)
RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras):
Rrq8: GALILEO monitoring system shall be able to test and detect SAR payload failure to initiate recovery actions
Rrq9: No common cause/common mode not shown extremely improbable would lead to simultaneous failure on several SAR payloads.
Galileo system level Failure Condition:
Ref: FC3
Title: Detected + world wide loss or degradation of the service with long term restoration (if Rrq8 : FC1; if Rrq9 : FC4; if Rrq8+9 : FC2)
FUNCTION: Receive and transmit SAR user signal (SSF7)
FUNCTIONAL FAILURE: Undetected error in transmitted SAR user signal (SSF7B)
SCENARIO: SAR payload misbehaviour. (SSF7B1)
Description of repercussions:
1 - Effect on the GALILEO services and on the operation:
Risk to discontinue SAR service for some users (from common cause). [X-Ref: OP8]
2 - Detection means (monitoring systems or operators):
3 - Corrective action and GALILEO system resulting condition:
Severity classification: Severe (major if Rrq9 applied)
RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras):
Rrq9: No common cause/common mode not shown extremely improbable would lead to simultaneous failure on several SAR payloads
Galileo system level Failure Condition:
Ref: FC5
Title: Undetected + world wide loss or degradation of the service with long term restoration (if Rrq9 : FC6)
FUNCTION: Collect globally raw data for position/time parameters of the satellites (GSF1)
FUNCTIONAL FAILURE: Loss of capability to provide raw data for position & time parameters. (GSF1A)
SCENARIO: All GMF in several stations fail to provide intended data (GSF1A1)
Description of repercussions:
1 - Effect on the GALILEO services and on the operation:
Failure can come from common cause/mode failure.
GIPF/GCPF/OSPF do not receive intended data.
Inability to compute valid integrity information for several satellites.
Integrity added service is discontinued for a number of users.
OSPF does not receive intended data.
Inability to update navigation data for most of the satellites.
After some time (TBD) the failure leads to a general decrease of SIS accuracy and degradation of service for most users.
When alarm limits rise up, navigation service is discontinued for users.
Detection at maintenance entity level allows the recovery actions to be initiated. If recovery actions are performed in a time less than the degradation of service leading to loss of navigation service (alarm limits), the non integrity added navigation service is degraded for most users. Integrity added service is lost for most users.
Outage with irreversible impact on user activity for integrity added services.
Service outage leading to user dissatisfaction for non integrity added services (if Rrq applied).
X-Ref: OP1, Rrq10
2 - Detection means (monitoring systems or operators):
Immediate detection at GNCC.
3 - Corrective action and GALILEO system resulting condition:
Recovery actions (operational and maintenance) can be initiated to recover the nominal operating state (without service loss for non integrity added services).
Severity classification: Severe (Major if Rrq10 or 9 applied; Minor if Rrq9+10 applied)
RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras):
Rrq10: Detection and reporting of any GMF failure at maintenance entity level shall be performed to allow recovery actions in time less than service degradation time leading to loss of navigation service (alarm limits)
Rrq11: No common cause/common mode not shown extremely improbable should lead to simultaneous failure on several GMF
Galileo system level Failure Condition:
Ref: FC3
Title: Detected + world wide loss or degradation of the service with long term restoration (if Rrq10 : FC4; if Rrq9 : FC1 for integrity added service – no effect on other services; if Rrq9+10 : FC2 for integrity added services)
FUNCTION: Collect globally raw data for position/time parameters of the satellites (GSF1)
FUNCTIONAL FAILURE: Undetected erroneous raw data is provided (GSF1B)
SCENARIO: Undetected loss of synchronisation for all GMF in several stations (GSF1B1)
Description of repercussions:
1 - Effect on the GALILEO services and on the operation:
Failure can come from common cause/mode failure.
OSPF will compute navigation solution from erroneous data and may be misled.
After some time (TBD) this erroneous navigation data is transmitted to the satellites.
Possible loss of SIS/SISA accuracy for a number of users.
Users can receive misleading navigation information.
Possible outage leading to major paralysis of users' activities.
X-Ref: OP13
2 - Detection means (monitoring systems or operators):
TBD
3 - Corrective action and GALILEO system resulting condition:
If GMS network has capability to fully back up a failed GMS, the system is still operative.
System can be designed so that misleading information from one GMS cannot significantly degrade the service.
Severity classification: Severe (major if Rrq11 applied)
RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras):
Rrq11: No common cause/common mode not shown extremely improbable should lead to simultaneous failure on several GMF
Rrq12: GALILEO system shall be robust against one GMF failure in GMS station
Galileo system level Failure Condition:
Ref: FC5
Title: Undetected + world wide loss or degradation of the service with long term restoration (if Rrq11 : FC6)
FUNCTION: Build navigation data from position/time parameters (GSF2)
FUNCTIONAL FAILURE: Loss of capability to compute navigation data (GSF2A)
SCENARIO: Navigation data processing function failed (GSF2A1)
Description of repercussions:
1 - Effect on the GALILEO services and on the operation:
Navigation data cannot be computed.
Navigation data in all satellite navigation payloads are not updated.
After some time (TBD) the failure leads to a general decrease of SIS/SISA accuracy.
General degradation of service for the users.
When alarm limits rise up, service is discontinued for users.
Detection at GNCC level (tbd).
Immediate loss of integrity added service.
Degradation of non integrity added service.
2 - Detection means (monitoring systems or operators):
Detection at GNCC level (tbd).
Detection and reporting of any OSPF failure shall be performed at maintenance entity level. [X-Ref: Rrq13]
3 - Corrective action and GALILEO system resulting condition:
If failure detected and reported, OSPF function recovery action shall be performed to allow recovery actions in time less than service degradation time leading to loss of navigation service (alarm limits). [X-Ref: Rrq14]
Severity classification: Severe (Major if Rrq13+14 applied)
RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras):
Rrq13: Detection and reporting of any OSPF failure shall be performed at maintenance entity level.
Rrq14: OSPF function recovery action shall be performed to allow recovery actions in time less than service degradation time leading to loss of navigation service (alarm limits).
Galileo system level Failure Condition:
Ref: FC3
Title: Detected + world wide loss or degradation of the service with long term restoration (if Rrq13+14 : FC1) (if Rrq14 : no effect on non integrity added service)
FUNCTION: Build navigation data from position/time parameters (GSF2)
FUNCTIONAL FAILURE: Computation of erroneous navigation data (GSF2B)
SCENARIO: Navigation data processing function misbehaviour (GSF2B1)
Description of repercussions:
1 - Effect on the GALILEO services and on the operation:
Note: if detected, same as GSF2A1.
OSPF will compute erroneous navigation data.
After some time (TBD) this erroneous navigation data is transmitted to the constellation.
Loss of SIS/SISA accuracy for navigation SIS.
Users can receive misleading navigation information.
When alarm limits rise up, service is discontinued for most users, but source of the misbehaviour is not identified (localisation problem).
2 - Detection means (monitoring systems or operators):
GALILEO system shall be able to detect erroneous navigation data computed by OSPF. [X-Ref: Rrq15]
3 - Corrective action and GALILEO system resulting condition:
OSPF function shall have redundancy allowing OSPF function back up without loss of service or temporary service degradation. [X-Ref: Rrq14]
Severity classification: Severe (Major if Rrq14+15 applied)
RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras):
Rrq15: GALILEO system shall be able to localise erroneous navigation data computed by OSPF
Rrq14: OSPF function recovery action shall be performed to allow recovery actions in time less than service degradation time leading to loss of navigation service (alarm limits).
Galileo system level Failure Condition:
Ref: FC5
Title: Undetected + world wide loss or degradation of the service with long term restoration (if Rrq14+15 : FC1)
FUNCTION: Build globally integrity data from position/time parameters (GSF3)
FUNCTIONAL FAILURE: Loss of capability to compute integrity data (GSF3A)
SCENARIO: GIPF or GCPF have failed (GSF3A1)
Description of repercussions:
1 - Effect on the GALILEO services and on the operation:
Global integrity information is no longer updated.
Service is discontinued for most users of services with integrity function.
Services without integrity function are not impacted.
Remark: The GIPF/GCPF function is distributed worldwide in three sites due to TTA constraint. Thus loss of GIPF/GCPF function could come from common mode/cause event. If a failure on one site is considered, the loss of GIPF/GCPF function may be partial (degraded mode). However, there is no redundancy between the three sites.
X-Ref: OP10, Ras6
2 - Detection means (monitoring systems or operators):
Detection at GNCC level (tbd).
Detection and reporting of any GIPF/GCPF failure shall be performed at maintenance entity level [X-Ref: Rrq16]
3 - Corrective action and GALILEO system resulting condition:
Recovery actions shall be initiated upon detection of GIPF/GCPF failure to reduce the unavailability time for integrity added services.
GALILEO system must be designed to keep non integrity added service available in case of GIPF/GCPF failure
X-Ref: Rrq17, Ras5
Severity classification:
No effect for services without integrity function
Severe for services with integrity function (Major if Rrq16/17 or 18 applied; Minor if Rrq16/17/18 applied)
RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras):
Rrq16: Detection and reporting of any GIPF/GCPF failure shall be performed at maintenance entity level
Rrq17: Recovery actions shall be initiated upon detection of GIPF/GCPF failure to reduce the unavailability time for integrity added services.
Rrq18: No common cause/common mode not shown extremely improbable should lead to simultaneous failure on several GIPF/GCPF
Ras5: GALILEO system must be designed to keep non integrity added service available in case of GIPF/GCPF failure
Rop20: What is the element which can flag the GIPF/GCPF failure (as the GIPF/GCPF are responsible for the monitoring integrity data)?
Rop21: What redundancy can be considered between GIPF/GCPF and RIPF/RCPF?
Ras6: The GIPF/GCPF function is distributed worldwide in three sites due to TTA constraint. Thus loss of GIPF/GCPF function could come from common mode/cause event. If a failure on one site is considered, the loss of GIPF/GCPF function may be partial (degraded mode). However, there is no redundancy between the three sites
Galileo system level Failure Condition:
Ref: FC3
Title: Detected + world wide loss or degradation of the service with long term restoration (for int. add. services) (if Rrq16+17 : FC1; if Rrq18 : FC4; if Rrq16+17+18 : FC2)
FUNCTION: Build globally integrity data from position/time parameters (GSF3)
FUNCTIONAL FAILURE: Computation of erroneous integrity monitoring data (GSF3B)
SCENARIO: GIPF or GCPF compute an undue degradation of navigation data. (GSF3B1)
Description of repercussions:
1 - Effect on the GALILEO services and on the operation:
Global integrity information is updated with flagged integrity or not monitored status for several or more satellites.
Service is discontinued for a number of users of services with integrity function.
X-Ref: OP10
2 - Detection means (monitoring systems or operators):
No detection means
3 - Corrective action and GALILEO system resulting condition:
No corrective action
Severity classification:
No effect for services without integrity function
Severe for services with integrity function (No effect if Rrq19 applied)
RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras):
Ras5: GALILEO system must be designed to keep non integrity added service available in case of GIPF/GCPF failure
Rrq19: GALILEO system shall be designed in order that false alarm due to erroneous integrity monitoring data computation or alarm limit tuning does not lead to unacceptable unavailability level for integrity added services
Galileo system level Failure Condition:
Ref: FC5
Title: Undetected + world wide loss or degradation of the service with long term restoration (if Rrq19 : No effect (TBC))
FUNCTION: Build globally integrity data from position/time parameters (GSF3)
FUNCTIONAL FAILURE: Computation of erroneous integrity monitoring data (GSF3B)
SCENARIO: GIPF and GCPF compute integrity data that do not reflect a real degradation of navigation data (multiple failures). (GSF3B2)
Description of repercussions:
1 - Effect on the GALILEO services and on the operation:
Safety related scenario: integrity event.
Global integrity information is updated with integrity status that does not reflect a real degradation of service for several or more satellites. Users are not informed.
Service is discontinued for a number of users with RAIM like capability receivers.
Several users can receive misleading navigation information. These users would have experienced multiple failures:
- SISA values computed by OSPF for some satellites would not reflect a degradation of SIS (not caused by artificial interference or multi-path effect)
- GIPF/GCPF would fail to detect this degradation from relevant information provided by GMS network.
- User receiver would experience an unsuccessful RAIM check.
From the RAM and project risk point of view, this scenario, when detected afterwards by users, could seriously impact the GALILEO system program even if the nominal state has been recovered. It corresponds for the integrity added services to an unavailability time during the degraded states.
Outage leading to major paralysis of user activities for integrity added services.
No impact on user activities for non integrity added services.
2 - Detection means (monitoring systems or operators):
TBD
3 - Corrective action and GALILEO system resulting condition:
TBD
Severity classification:
Severe for integrity added services
No impact for non integrity added services
RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras):
Rrq20: Probability that multiple failures at GIPF/GCPF level leading to integrity event and unavailability of the integrity added service shall be less than extremely improbable.
Ras5: GALILEO system must be designed to keep non integrity added services available in case of GIPF/GCPF failures
Galileo system level Failure Condition:
Ref: FC5
Title: Undetected + world wide loss or degradation of the service with long term restoration
FUNCTION: Schedule and transmit navigation and/or integrity composite message (GSF4)
FUNCTIONAL FAILURE: Reduction of GUI capability to transmit navigation data (GSF4A)
SCENARIO: One or some GUI failed (GSF4A1)
Description of repercussions:
1 - Effect on the GALILEO services and on the operation:
One or some GUI have failed and cannot transmit navigation data to the target satellite payloads.
All satellites impacted remain in or revert to autonomous mode.
Navigation data in several or more satellite navigation payloads are not updated in due time.
After some time (TBD) the failure can lead to a general decrease of SIS accuracy.
Possible degradation of service for a number of users.
Non integrity added services remain operational for a given time.
2 - Detection means (monitoring systems or operators):
GUI failure is detected by GNCF.
3 - Corrective action and GALILEO system resulting condition:
Detection and reporting of any GUI failure at maintenance entity level shall be performed to allow recovery actions in time less than service degradation time leading to loss of navigation service. [X-Ref: Rrq21]
Severity classification: Major (Minor if Rrq21 applied)
RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras):
Rrq21: Detection and reporting of any GUI failure at maintenance entity level shall be performed to allow recovery actions in time less than service degradation time leading to loss of navigation service
Galileo system level Failure Condition:
Ref: FC4
Title: Detected + restricted loss or degradation of the service with long term restoration (if Rrq21 : FC2)
FUNCTION: Schedule and transmit navigation and/or integrity composite message GSF4
FUNCTIONAL FAILURE: Reduction of GUI capability to transmit navigation data GSF4A
SCENARIO: Several or more GUI failed GSF4A2
Description of repercussions: X-Ref
1- Effect on the GALILEO services and on the operation
One or some GUI have failed and cannot transmit navigation data to the target satellite payloads.
Several GUI can experience failure at the same time, by coincidence or by a common mode cause.
All satellites impacted remain or revert to autonomous mode.
Service is discontinued for a number of users of services with integrity function.
Navigation data in most of the satellite navigation payloads are not updated in due time.
After some time (TBD) the failure leads to a general decrease of SIS accuracy.
Degradation of service for a number of users.
Immediate loss of continuity for integrity added services.
Non integrity added services remain operational for a given time.
2- Detection means (monitoring systems or operators)
GUI Failure is detected by GNCF.
3- Corrective action and GALILEO system resulting condition
Detection and reporting of any GUI failure at maintenance entity level shall be performed to allow recovery actions in time less than service degradation time leading to loss of navigation service.
Rrq21
Severity Classification
Severe (Major if Rrq21 or 22 applied; Minor if Rrq21+22 applied)
RAM-Requirements (Rrq)
Recommendations (Rrm)
Assumptions (Ras)
Ref: Rrq21
Rrq 22
Description: Detection and reporting of any GUI failure at maintenance entity level shall be performed to allow recovery actions in time less than service degradation time leading to loss of navigation service.
No common cause/common mode not shown extremely improbable shall lead to simultaneous failure on several GUI
Galileo system level Failure Condition
Ref: FC3
Title: Detected + world wide loss or degradation of the service with long term restoration (if Rrq21 : FC1; if Rrq22 : FC4; if Rrq21+22 : FC2)
FUNCTION: Schedule and transmit navigation and/or integrity composite message GSF4
FUNCTIONAL FAILURE: Undetected corruption in transmission of message for GUI GSF4B
SCENARIO: GUI misbehaviour. GSF4B1
Description of repercussions: X-Ref
1- Effect on the GALILEO services and on the operation
Message passing through GUI may experience corruption of data or error in dispatch.
Situation can result in some satellites to revert in autonomous mode or transmit misleading integrity messages.
Service can be discontinued for a number of users of services with integrity function.
OP2 OP9
2- Detection means (monitoring systems or operators)
TBD
3- Corrective action and GALILEO system resulting condition
TBD
Severity Classification
Severe/major TBD
RAM-Requirements (Rrq)
Recommendations (Rrm)
Assumptions (Ras)
Ref: Description:
Galileo system level Failure Condition
Ref: FC5/FC6 (Tbd)
Title: Undetected + world wide loss or degradation of the service with long term restoration / Undetected + restricted loss or degradation of the service with long term restoration
FUNCTION: Deliver access management messages GSF5
FUNCTIONAL FAILURE: Loss of capability in dispatching and scheduling protection keys. GSF5A
SCENARIO: GNCF failure GSF5A1
Description of repercussions: X-Ref
1- Effect on the GALILEO services and on the operation
Renewal of encoding and decoding keys will be partially completed or not performed.
Risk of interruption of related services for a number of users.
TBD
OP5 OP6
2- Detection means (monitoring systems or operators)
At global level, completeness of delivery process can be verified by GNCC.
At user level, receiver can advise in case of inability to process with the next decoding key.
TBD
3- Corrective action and GALILEO system resulting condition
For key management, in degraded mode, system may implement an unencrypted mode as fallback mode
Rrm3
Severity Classification
Severe (TBD)
RAM-Requirements (Rrq)
Recommendations (Rrm)
Assumptions (Ras)
Ref: Rrm3
Description: For key management, in degraded mode, system may implement an unencrypted mode as fallback mode.
Galileo system level Failure Condition
Ref: FC5/FC3 (Tbd)
Title: Undetected + world wide loss or degradation of the service with long term restoration / Detected + world wide loss or degradation of the service with long term restoration
FUNCTION: Deliver access management messages GSF5
FUNCTIONAL FAILURE: Misleading dispatching or scheduling of protection keys. GSF5B
SCENARIO: GNCF misbehaviour GSF5B1
Description of repercussions: X-Ref
1- Effect on the GALILEO services and on the operation
Supposed risk of interruption of related services for categories of users.
OP4 OP5 OP6
2- Detection means (monitoring systems or operators)
TBD
3- Corrective action and GALILEO system resulting condition
If system (TBD) has capability to detect abnormal dispatching or processing of key management, it could deactivate encryption.
Rrm3
Severity Classification
TBD
RAM-Requirements (Rrq)
Recommendations (Rrm)
Assumptions (Ras)
Ref: Rrm3
Description: For key management, in degraded mode, system may implement an unencrypted mode as fallback mode.
Galileo system level Failure Condition
Ref: FC5 (Tbd)
Title: Undetected + world wide loss or degradation of the service with long term restoration (tbd)
FUNCTION: Monitor navigation global services GSF6
FUNCTIONAL FAILURE: Loss of capability for monitoring global services. GSF6A
SCENARIO: GNCF failure. GSF6A1
Description of repercussions: X-Ref
1- Effect on the GALILEO services and on the operation
Strategy for connected/autonomous modes sharing.
Monitoring and configuration strategy of GAN.
TBD
OP2
2- Detection means (monitoring systems or operators)
3- Corrective action and GALILEO system resulting condition
Severity Classification
TBD
RAM-Requirements (Rrq)
Recommendations (Rrm)
Assumptions (Ras)
Ref: Description:
Galileo system level Failure Condition
Ref: Title:
FUNCTION: Monitor navigation global services GSF6
FUNCTIONAL FAILURE: Misleading monitoring of global services. GSF6B
SCENARIO: GNCF misbehaviour. GSF6B1
Description of repercussions: X-Ref
1- Effect on the GALILEO services and on the operation
Strategy for connected/autonomous modes sharing.
TBD
2- Detection means (monitoring systems or operators)
3- Corrective action and GALILEO system resulting condition
Severity Classification
TBD
RAM-Requirements (Rrq)
Recommendations (Rrm)
Assumptions (Ras)
Ref: Description:
Galileo system level Failure Condition
Ref: Title:
FUNCTION: Collect regionally raw data for SIS integrity RSF1
FUNCTIONAL FAILURE: Loss of capability to provide raw data for SIS integrity RSF1A
SCENARIO: All RMF in several stations fail to provide intended data RSF1A1
Description of repercussions: X-Ref
1- Effect on the GALILEO services and on the operation
Failure can come from common cause/mode failure.
RIPF/RCPF do not receive intended data.
Inability to compute valid integrity information for several satellites.
If no sufficient active satellites remain in view, integrity monitoring service is discontinued for a number of users.
No effect on non integrity added services.
2- Detection means (monitoring systems or operators)
Immediate detection at RNCC.
3- Corrective action and GALILEO system resulting condition
If RMS network has sufficient redundancy, other stations can fully back up the failed ones.
Recovery actions can be initiated to recover the nominal operating state
Rrq23
Severity Classification
Major (Minor if Rrq24 applied)
RAM-Requirements (Rrq)
Recommendations (Rrm)
Assumptions (Ras)
Ref: Rrq 23
Rrq 24
Description: Detection and reporting of any RMS failure at regional maintenance entity level shall be performed to allow recovery actions in order that the unavailability of the services is less than TBD hours.
No common cause/common mode not shown extremely improbable shall lead to simultaneous failure on several RMS
Galileo system level Failure Condition
Ref: FC4
Title: Detected + restricted loss or degradation of the service with long term restoration (if Rrq23 : FC2)
FUNCTION: Collect regionally raw data for SIS integrity RSF1
FUNCTIONAL FAILURE: Undetected erroneous raw data for SIS integrity RSF1B
SCENARIO: RMF in one or some stations transmit data related to an undue degradation of SIS RSF1B1
Description of repercussions: X-Ref
1- Effect on the GALILEO services and on the operation
RIPF/RCPF can be misled and detect undue regional degradation of navigation SIS for several or more satellites (false alarm).
RIPF/RCPF will alert with the integrity flag, which does not reflect current performance for these satellites.
If safety user terminal has sufficient remaining active satellites in view, position can be computed with guaranteed integrity performance.
If no sufficient active satellites in view, integrity monitoring service is discontinued for a number of users.
Possible outage with irreversible impact on user activities.
2- Detection means (monitoring systems or operators)
No detection means (TBD)
3- Corrective action and GALILEO system resulting condition
No corrective action
Severity Classification
Major
RAM-Requirements (Rrq)
Recommendations (Rrm)
Assumptions (Ras)
Ref: Description:
Galileo system level Failure Condition
Ref: FC6
Title: Undetected + restricted loss or degradation of the service with long term restoration
FUNCTION: Collect regionally raw data for SIS integrity RSF1
FUNCTIONAL FAILURE: Undetected erroneous raw data for SIS integrity RSF1B
SCENARIO: RMF in one or some stations transmit data that do not reflect a real degradation of SIS (double failure). RSF1B2
Description of repercussions: X-Ref
1- Effect on the GALILEO services and on the operation
RIPF/RCPF can be misled and not detect degradation of SIS performance.
RIPF/RCPF will transmit a normal integrity message not reflecting the real degradation of navigation SIS for these satellites.
If safety user terminal has sufficient remaining active satellites in view to compute a valid RAIM solution rejecting this erroneous information, position can be computed with guaranteed integrity performance.
In all other cases, users receive misleading navigation information.
Loss of integrity of service for several users.
Combination of RIPF integrity data and GIPF integrity data to be precise
Rop22
2- Detection means (monitoring systems or operators)
User terminal RAIM function.
3- Corrective action and GALILEO system resulting condition
TBD
Severity Classification
Major
RAM-Requirements (Rrq)
Recommendations (Rrm)
Assumptions (Ras)
Ref: Rop22
Description: Combination of RIPF integrity data and GIPF integrity data to be precise
Galileo system level Failure Condition
Ref: FC6
Title: Undetected + restricted loss or degradation of the service with long term restoration
FUNCTION: Build regionally integrity data from position/time parameters RSF2
FUNCTIONAL FAILURE: Loss of capability to compute integrity data RSF2A
SCENARIO: RIPF/RCPF failed RSF2A1
Description of repercussions: X-Ref
1- Effect on the GALILEO services and on the operation
Integrity monitoring service is discontinued for all users in the region.
OP10
2- Detection means (monitoring systems or operators)
Detection at RNCC level (tbd)
Detection and reporting of any RIPF/RCPF failure shall be performed at regional maintenance entity level
Rrq25
3- Corrective action and GALILEO system resulting condition
Recovery actions shall be initiated upon detection of RIPF/RCPF failure to reduce the unavailability time for integrity added services.
Rrq26
Rrm6
Severity Classification
Major (Minor if Rrq25+26 applied)
RAM-Requirements (Rrq)
Recommendations (Rrm)
Assumptions (Ras)
Ref: Rrq 25
Rrq 26
Rrq 27
Rop20
Rop21
Description: Detection and reporting of any RIPF/RCPF failure shall be performed at regional maintenance entity level
Recovery actions shall be initiated upon detection of RIPF/RCPF failure to reduce the unavailability time for regional integrity added services
No common cause/common mode not shown extremely improbable should lead to simultaneous failure on several RIPF/RCPF
What is the element which can flag the GIPF/GCPF failure (as the GIPF/GCPF are responsible for the monitoring integrity data)?
What redundancy can be considered between GIPF/GCPF and RIPF/RCPF?
Galileo system level Failure Condition
Ref: FC4
Title: Detected + restricted loss or degradation of the service with long term restoration (if Rrq25/26 : FC1)
FUNCTION: Build regionally integrity data from position/time parameters RSF2
FUNCTIONAL FAILURE: Undetected erroneous computation of integrity data RSF2B
SCENARIO: RIPF/RCPF compute data related to an undue degradation of SIS. RSF2B1
Description of repercussions: X-Ref
1- Effect on the GALILEO services and on the operation
Erroneous SIS integrity data for several satellites is broadcast to all users of regional service.
If safety user terminal has sufficient remaining active satellites in view, position can be computed with guaranteed integrity performance.
If no sufficient active satellites in view, integrity monitoring service is discontinued for a number of users.
OP10
2- Detection means (monitoring systems or operators)
No detection means.
3- Corrective action and GALILEO system resulting condition
No corrective action.
Severity Classification
Major (no RAM effect if Rrq28 applied)
RAM-Requirements (Rrq)
Recommendations (Rrm)
Assumptions (Ras)
Ref: Rrq 28
Description: GALILEO regional component shall be designed in order that false alarm due to erroneous integrity monitoring data computation or alarm limit tuning does not lead to unacceptable unavailability level for regional integrity added services
Galileo system level Failure Condition
Ref: FC6
Title: Undetected + world wide loss or degradation of the service with long term restoration (if Rrq28 : no effect (tbc))
FUNCTION: Build regionally integrity data from position/time parameters RSF2
FUNCTIONAL FAILURE: Undetected erroneous computation of integrity data RSF2B
SCENARIO: RIPF/RCPF compute data that do not reflect a degradation of SIS (double failure). RSF2B2
Description of repercussions: X-Ref
1- Effect on the GALILEO services and on the operation
RIPF/RCPF will compute a normal integrity message not reflecting the real degradation of navigation SIS for these satellites.
If safety user terminal has sufficient remaining active satellites in view to compute a valid RAIM solution rejecting this erroneous information, position can be computed with guaranteed integrity performance.
In all other cases, users receive misleading navigation information.
Loss of integrity of service for several users.
From a RAM and project-risk point of view, this scenario, when detected afterwards by users, could seriously impact the GALILEO system program even if the nominal state has been recovered. For the integrity added services, it corresponds to an unavailability time during the degraded states.
OP10
2- Detection means (monitoring systems or operators)
User terminal RAIM function.
Integrity information provided by global system.
3- Corrective action and GALILEO system resulting condition
tbd
Severity Classification
Major
RAM-Requirements (Rrq)
Recommendations (Rrm)
Assumptions (Ras)
Ref: Rrq 29
Description: Probability that multiple failures at RIPF/RCPF level leading to integrity event and unavailability of the integrity added service shall be less than extremely improbable.
Galileo system level Failure Condition
Ref: FC6
Title: Undetected + restricted loss or degradation of the service with long term restoration
FUNCTION: Transmit regional overlay integrity message RSF3
FUNCTIONAL FAILURE: Reduction of capability to transmit regional overlay integrity message. RSF3A
SCENARIO: One or some RUI failed RSF3A1
Description of repercussions: X-Ref
1- Effect on the GALILEO services and on the operation
Service is supposed to be discontinued for several users of services with regional integrity function.
Possible several RUI failure due to common cause/mode event.
OP9 OP10
2- Detection means (monitoring systems or operators)
RNCF has information of RUI failure.
3- Corrective action and GALILEO system resulting condition
Detection and reporting of any RUI failure at regional maintenance entity shall be performed to allow recovery actions in order that the unavailability of the services is less than TBD hours.
Rrq
Severity Classification
Major (Minor if Rrq30 applied)
RAM-Requirements (Rrq)
Recommendations (Rrm)
Assumptions (Ras)
Ref: Rrq 30
Rrq 31
Rrq 32
Rrm 6
Description: Detection and reporting of any RUI failure at regional maintenance entity shall be performed to allow recovery actions in order that the unavailability of the services is less than TBD hours.
No common cause/common mode not shown extremely improbable shall lead to simultaneous failure on several RUI
For availability purpose, the integrity regional service shall be robust against one ULS site failure.
The opportunity that a RUI failure leads to interrupt all the connected links between ULS and satellites has to be considered. It allows in that case to restore the links with another ULS.
Galileo system level Failure Condition
Ref: FC4 (tbd)
Title: Detected + restricted loss or degradation of the service with long term restoration (if Rrq30 : FC2)
FUNCTION: Transmit regional overlay integrity message RSF3
FUNCTIONAL FAILURE: Undetected corruption in transmission of regional overlay integrity message. RSF3B
SCENARIO: RUI misbehaviour. RSF3B1
Description of repercussions: X-Ref
1- Effect on the GALILEO services and on the operation
Message passing through RUI may experience corruption of data or error in dispatch.
Situation can result in some satellites to revert in autonomous mode or transmit misleading integrity messages.
Service can be discontinued for a number of users of services with integrity function.
TBD
OP2 OP9
2- Detection means (monitoring systems or operators)
3- Corrective action and GALILEO system resulting condition
Severity Classification
Major (TBC)
RAM-Requirements (Rrq)
Recommendations (Rrm)
Assumptions (Ras)
Ref: Description:
Galileo system level Failure Condition
Ref: FC6
Title: Undetected + restricted loss or degradation of the service with long term restoration (tbc)
FUNCTION: Deliver access management messages RSF4
FUNCTIONAL FAILURE: Loss of capability in dispatching and scheduling protection keys. RSF4A
SCENARIO: RNCF failure RSF4A1
Description of repercussions: X-Ref
1- Effect on the GALILEO services and on the operation
Renewal of encoding and decoding keys will be partially completed or not performed.
Risk of interruption of related services for a number of users.
TBD
OP4
2- Detection means (monitoring systems or operators)
3- Corrective action and GALILEO system resulting condition
Severity Classification
Major (TBC)
RAM-Requirements (Rrq)
Recommendations (Rrm)
Assumptions (Ras)
Ref: Description:
Galileo system level Failure Condition
Ref: FC6
Title: Undetected + restricted loss or degradation of the service with long term restoration (tbc)
FUNCTION: Deliver access management messages RSF4
FUNCTIONAL FAILURE: Misleading dispatching or scheduling of protection keys. RSF4B
SCENARIO: RNCF misbehaviour RSF4B1
Description of repercussions: X-Ref
1- Effect on the GALILEO services and on the operation
Supposed risk of interruption of related services for categories of users.
TBD
OP4 OP5 OP6
2- Detection means (monitoring systems or operators)
3- Corrective action and GALILEO system resulting condition
Rrm3
Severity Classification
Major (TBC)
RAM-Requirements (Rrq)
Recommendations (Rrm)
Assumptions (Ras)
Ref: Rrm3
Description: For key management, in degraded mode, system may implement an unencrypted mode as fallback mode.
Galileo system level Failure Condition
Ref: FC6
Title: Undetected + restricted loss or degradation of the service with long term restoration (tbc)
FUNCTION: Monitor regional overlay services RSF5
FUNCTIONAL FAILURE: Loss of capability for monitoring regional services. RSF5A
SCENARIO: RNCF failure. RSF5A1
Description of repercussions: X-Ref
1- Effect on the GALILEO services and on the operation
Assessment pending refined definition of RNCF functions
TBD
2- Detection means (monitoring systems or operators)
3- Corrective action and GALILEO system resulting condition
Severity Classification
TBD
RAM-Requirements (Rrq)
Recommendations (Rrm)
Assumptions (Ras)
Ref: Description:
Galileo system level Failure Condition
Ref: FC7 (tbd)
Title: Loss or degradation of monitoring function (tbd)
FUNCTION: Transmit SAR centre message to constellation CSF1
FUNCTIONAL FAILURE: Inability to transmit SAR acknowledgement message CSF1A
SCENARIO: SUI failure CSF1A1
Description of repercussions: X-Ref
1- Effect on the GALILEO services and on the operation
Assessment pending refined definition of SAR message path (SUI).
OP11
2- Detection means (monitoring systems or operators)
3- Corrective action and GALILEO system resulting condition
Severity Classification
TBD
RAM-Requirements (Rrq)
Recommendations (Rrm)
Assumptions (Ras)
Ref: Rrq32
Rrm 7
Description: For availability purpose, the integrity regional service shall be robust against one ULS site failure
The opportunity that a SUI failure leads to interrupt all the connected links between ULS and satellites has to be considered. It allows in that case to restore the links with another ULS
Galileo system level Failure Condition
Ref: tbd
Title: tbd
FUNCTION: Build and transmit service access messages. KSF1
FUNCTIONAL FAILURE: Loss of capability to build or transmit coding keys. KSF1A
SCENARIO: KMF failed. KSF1A1
Description of repercussions: X-Ref
1- Effect on the GALILEO services and on the operation
Assessment pending refined definition of key management process.
OP5 OP6
2- Detection means (monitoring systems or operators)
KMF is monitored by (tbd)
3- Corrective action and GALILEO system resulting condition
Without KMF, the strategy must keep operational facilities (processing GALILEO products) working together. For instance, if KMF is inoperative, Galileo system can be reverted to unencrypted mode of operation
OP4 Rrm3
Severity Classification
TBD
RAM-Requirements (Rrq)
Recommendations (Rrm)
Assumptions (Ass)
Ref:
Rrm5
Rrm 8
Description:
For key management, in degraded mode system may implement an unencrypted mode as fallback.
The KMF monitoring data should be transmitted to a higher level monitoring (for a global and coherent view of GALILEO system).
Galileo system level Failure Condition
Ref: FC3
Title: Detected + world wide loss or degradation of the service with long term restoration (tbd)
FUNCTION: Build and transmit service access messages. KSF1
FUNCTIONAL FAILURE: Undetected error in set of coding keys. KSF1B
SCENARIO: KMF misbehaviour. KSF1B1
Description of repercussions: X-Ref
1- Effect on the GALILEO services and on the operation
Assessment pending refined definition of key management process.
OP5 OP6
2- Detection means (monitoring systems or operators)
No detection for a misleading KMF transmission.
3- Corrective action and GALILEO system resulting condition
KMF misbehaviour must be similar to a KMF failure; the strategy must keep operational facilities (processing GALILEO products) working together (how to detect a KMF error in order to avoid the unavailability of all user terminals?).
OP4
Severity Classification
Severe
RAM-Requirements (Rrq)
Recommendations (Rrm)
Assumptions (Ass)
Ref:
Rrm3
Description:
For key management, in degraded mode system may implement an unencrypted mode as fallback.
Galileo system level Failure Condition
Ref: FC5 (tbd)
Title: Undetected + world wide loss or degradation of the service with long term restoration (tbd)
FUNCTION: Establish links between space segment ground elements XF1
FUNCTIONAL FAILURE: Interruption of links between ground elements of space segment XF1A
SCENARIO: CAN failure XF1A1
Description of repercussions: X-Ref
1- Effect on the GALILEO services and on the operation
Transmissions between space segment ground elements are not impaired.
For several ULS and satellites, neither control nor monitoring is available.
Navigation data in several autonomous satellites can be not updated (beam scheduling is a SCF function).
Degradation of service performance for most of users.
After some time, some ULS waiting for control messages can revert in standby mode (tbc).
ULS capability to maintain link with connected satellites can be seriously degraded.
Service becomes unavailable for most of users.
OP7 OP18
2- Detection means (monitoring systems or operators)
The CAN is monitored by the SCF.
3- Corrective action and GALILEO system resulting condition
The CAN is a monitoring network and its failure must be without immediate impact on the services (the frequency for satellite house-keeping operation is more than 1 monitoring per day and 1 orbit/attitude correction per year). Without SCC, the strategy must keep ULS working with satellites (both in connected and autonomous modes) and GNCC. The TM/TC link between satellites and ULS must not be broken.
Rrq33
Severity Classification
Major (minor if Rrq33 applied)
RAM-Requirements (Rrq)
Recommendations (Rrm)
Assumptions (Ass)
Ref:
Rrq 33
Rrm 9
Description:
CAN shall be non-real-time network: its failure shall be without immediate effect on operational service. Recovery time of a CAN failure shall be less than time leading to unacceptable service degradation.
The ground elements of the space segment are monitored by SCF. These monitoring data should be reported to a higher level monitoring (for a global and coherent view of GALILEO system).
Galileo system level Failure Condition
Ref: FC1
Title: Detected + world wide loss or degradation of the service with restoration in limited time (if Rrq33 : FC7)
FUNCTION: Establish links between space segment ground elements XF1
FUNCTIONAL FAILURE: Transmissions are corrupted between ground elements of space segment XF1B
SCENARIO: CAN erratic behaviour: error in dispatch, in scheduling, in message. XF1B1
Description of repercussions: X-Ref
1- Effect on the GALILEO services and on the operation
Several ULS receiving unexpected control messages can be placed in standby mode.
ULS network capability to maintain link with connected satellites can be seriously degraded.
Service is possibly unavailable for most of users of integrity added service.
Navigation data in several autonomous satellites can be corrupted.
Degradation of service performance for most of users.
After some time, service is possibly unavailable for most of users.
OP3 OP7
2- Detection means (monitoring systems or operators)
The control / command process of the SCF to check that ULS are in the right mode.
3- Corrective action and GALILEO system resulting condition
Even if the CAN is a non-real-time network, the SCF must check periodically the state of all the ground elements of the space segment.
Rrq34
Severity Classification
Severe (Minor if Rrq33/34 applied)
RAM-Requirements (Rrq)
Recommendations (Rrm)
Assumptions (Ass)
Ref:
Rrq 34
Rrq33
Description:
After a control command message sent by SCF to a ground element, the new status / mode of this element must be checked.
CAN shall be non-real-time network: its failure shall be without immediate effect on operational service. Recovery time of a CAN failure shall be less than time leading to unacceptable service degradation
Galileo system level Failure Condition
Ref: FC5
Title: Undetected + world wide loss or degradation of the service with long term restoration (if Rrq34/33 : FC7)
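Rrq34 and the corrective action of sheet XF1B1 call for a read-back after every SCF control command and for a periodic check of all ground elements. The Python sketch below is an added illustration, not part of the report: the classes, the element names ULS-A and ULS-B, the mode name "operational" and the retry count are assumptions, and the erratic CAN is a constructed model that can drop or misroute a command.

```python
from dataclasses import dataclass


@dataclass
class GroundElement:
    """Hypothetical stand-in for a ground element (e.g. a ULS) on the CAN."""
    name: str
    mode: str = "operational"  # assumed mode name; "standby" is from the sheet


class ErraticCan:
    """Constructed model of the XF1B1 scenario: error in dispatch or message loss."""

    def __init__(self, elements, faults):
        self.elements = {e.name: e for e in elements}
        self.faults = list(faults)  # one entry consumed per send; None = no fault

    def send(self, target, mode):
        fault = self.faults.pop(0) if self.faults else None
        if fault == "drop":
            return  # command lost in the network
        if fault and fault.startswith("misroute:"):
            target = fault.split(":", 1)[1]  # delivered to the wrong element
        self.elements[target].mode = mode

    def read_mode(self, target):
        return self.elements[target].mode


class Scf:
    """Command-and-verify logic in the spirit of Rrq34 (illustrative only)."""

    def __init__(self, can, expected, max_attempts=3):
        self.can = can
        self.expected = dict(expected)  # mode the SCF believes each element is in
        self.max_attempts = max_attempts
        self.alarms = []

    def command(self, target, mode):
        """Send a mode command and check the new mode; return attempts used or None."""
        for attempt in range(1, self.max_attempts + 1):
            self.can.send(target, mode)
            if self.can.read_mode(target) == mode:
                self.expected[target] = mode
                return attempt
        self.alarms.append(f"{target}: command {mode!r} not confirmed")
        return None

    def audit(self):
        """Periodic check: compare every element's reported mode with the expected one."""
        mismatches = {}
        for name, want in self.expected.items():
            got = self.can.read_mode(name)
            if got != want:
                mismatches[name] = (want, got)
                self.alarms.append(f"{name}: expected {want!r}, reports {got!r}")
        return mismatches


def run_demo():
    """ULS-A is commanded to standby; the first command is misrouted to ULS-B."""
    uls_a, uls_b = GroundElement("ULS-A"), GroundElement("ULS-B")
    can = ErraticCan([uls_a, uls_b], faults=["misroute:ULS-B"])
    scf = Scf(can, {"ULS-A": "operational", "ULS-B": "operational"})
    attempts = scf.command("ULS-A", "standby")  # read-back fails once, then succeeds
    mismatches = scf.audit()                    # finds ULS-B in an unexpected mode
    return attempts, mismatches, scf.alarms


if __name__ == "__main__":
    print(run_demo())
```

The read-back catches the command that never reached its target, while only the audit over all elements catches the ULS that was placed in standby by the misrouted message.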
FUNCTION: Establish links between ground segment global components XF2
FUNCTIONAL FAILURE: Interruption of links between global elements of ground segment XF2A
SCENARIO: GAN failure XF2A1
Description of repercussions: X-Ref
1- Effect on the GALILEO services and on the operation
Between GMS and GNCC:
Effect same as GSF1A1 (GMF failure)
Between GNCC and ULS:
Immediate reversion of connected satellites in autonomous mode (disconnection)
Service is unavailable for all users of integrity added service.
Navigation data in autonomous satellites is not updated: service without integrity is available up to 7 hrs (Tbc).
After 7 hrs, degradation of service performance for users (up to 24 hrs Tbc).
After such a time, service is unavailable for all users.
Rrm10
2- Detection means (monitoring systems or operators)
The GAN is monitored by the GNCF.
3- Corrective action and GALILEO system resulting condition
Redundancy of the network components to allow more than one way of success + avoid common mode of failure.
Rrq35
Severity Classification
Severe (Major if Rrq35 applied)
RAM-Requirements (Rrq)
Recommendations (Rrm)
Assumptions (Ass)
Ref:
Rrq 35
Rrm 10
Description:
No single failure, error, external event not shown extremely improbable shall lead to a loss of transmission chain between GNCF and ULS.
If the link between GNCC and ULS is broken, the ULS should ask its connected satellites for a disconnection (which switch in autonomous mode).
Galileo system level Failure Condition
Ref: FC3
Title: Detected + world wide loss or degradation of the service with long term restoration (if Rrq35 : FC1)
FUNCTION: Establish links between ground segment global components XF2
FUNCTIONAL FAILURE: Transmissions are corrupted between global elements of ground segment XF2B
SCENARIO: GAN erratic behaviour: error in dispatch, in scheduling, in message. XF2B1
Description of repercussions: X-Ref
1- Effect on the GALILEO services and on the operation
If the value error is detected or if it is a time error (too late = no message), effect is same as above: XF2A1.
Between GMS and GNCC:
Corrupted transmission will not be detected by the integrity monitoring service (GIPF/GCPF).
Users receive misleading integrity information. Facing the following one, this event has a very low probability of occurrence.
Between GNCC and ULS:
If corrupted transmission is misleading, users receive misleading integrity information.
If this information does not reflect a real degradation of SIS, service is unavailable for a number of users with RAIM like capability receivers.
If receiver experience unsuccessful RAIM check, several users can receive misleading navigation information (multiple failure).
2- Detection means (monitoring systems or operators)
No detection for a misleading transmission between GNCC and ULS.
3- Corrective action and GALILEO system resulting condition
No corrective action
Rrq36
Severity Classification
Severe (major if Rrq36 applied)
RAM-Requirements (Rrq)
Recommendations (Rrm)
Assumptions (Ass)
Ref:
Rrq 36
Description:
Transmission chain between GNCF and ULS must be protected from any single cause of undetected corruption of transmission.
Galileo system level Failure Condition
Ref: FC5
Title: Undetected + world wide loss or degradation of the service with long term restoration (if Rrq36 : FC1)

FUNCTION: Establish links between ground segment regional components [XF3]
FUNCTIONAL FAILURE: Interruption of links between regional elements of ground segment [XF3A]
SCENARIO: RAN failure [XF3A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
Links between RNCC and RMS and/or between RNCC and ULS (RUI) are broken.
Service is unavailable for all users of regional integrity added service (integrity channel unavailable).
X-Ref: OP10

2 - Detection means (monitoring systems or operators)
The RAN is monitored by the RNCF.
In this case, RNCF will probably not be able to transmit this view to a higher level monitoring.
X-Ref: Rrm11

3 - Corrective action and GALILEO system resulting condition
Redundancy of the network components to allow more than one way of success.
X-Ref: Rrq37

Severity Classification
Major (Minor if Rrq37 applied)

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)
Ref: Rrq 37
Description: No single failure, error, external event not shown extremely improbable shall lead to a loss of transmission chain between RNCC and ULS (IF is built in RNCC).
Ref: Rrm 11
Description: The regional elements are monitored by RNCF. These monitoring data should be transmitted to a higher level monitoring (for a global and coherent view of GALILEO system), using the GAN.

Galileo system level Failure Condition
Ref: FC4
Title: Detected + restricted loss or degradation of the service with long term restoration (if Rrq37: FC2)

FUNCTION: Establish links between ground segment regional elements [XF3]
FUNCTIONAL FAILURE: Transmissions are corrupted between regional elements of ground segment [XF3B]
SCENARIO: RAN erratic behaviour: error in dispatch, in scheduling, in message. [XF3B1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
If the value error is detected or if it is a time error (too late = no message), effect is same as above: XF3A1.
Between RNCC and RMS:
Corrupted transmission will be detected by the integrity monitoring service (RIPF/RCPF). IF is flagged as being faulty (“Don’t use”).
Between RNCC and ULS:
If corrupted transmission is misleading, users receive misleading regional integrity information.
If this information does not reflect a real degradation of SIS, service is unavailable for a number of users with RAIM like capability receivers.
If receivers experience an unsuccessful RAIM check, several users can receive misleading navigation information (multiple failure).
X-Ref: OP10

2 - Detection means (monitoring systems or operators)
No detection for a misleading transmission between RNCC and ULS.

3 - Corrective action and GALILEO system resulting condition
tbd

Severity Classification
Major

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)
Ref: Rrm 12
Description: Transmission chain between RNCC and ULS may be protected from any single cause of undetected corruption of transmission (IF is built in RNCC).

Galileo system level Failure Condition
Ref: FC6
Title: Undetected + restricted loss or degradation of the service with long term restoration

FUNCTION: Process SIS and display position [USF1]
FUNCTIONAL FAILURE: Inability to display position from SIS [USF1A]
SCENARIO: Terminal failure [USF1A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
The application user is supposed to have envisaged this event and have implemented appropriate operational solution. Dependent on terminal manufacturing design or user system design.
Service is unavailable for the application user.
If failure resulting from design error (common cause), failure can have impact on a category of users at the same time.
Service can be unavailable for several users.
X-Ref: OP12

2 - Detection means (monitoring systems or operators)
No detection means.
X-Ref: Rrm13

3 - Corrective action and GALILEO system resulting condition
No corrective action

Severity Classification
TBD

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)
Ref: Rrm 13
Description: The terminal HMI could have quality indicators of the SIS reception, helping the user to diagnose terminal failure (from SIS discontinuity). In order to discriminate terminal failures from insufficient SIS information (terminal external causes), for instance the two indicators could be: SIS/no SIS and Solution/no Solution.
Ref: Rrm 14
Description: For a user, the availability of a service includes the terminal availability. This availability requirement shall be budgeted. In case of RAM contractual commitments, the SIS availability (measurable) will be distinguished from the terminal one (dependent on operating conditions).
Ref: Rrm 15
Description: Users have to be warned of all operating conditions within their responsibility which could impair nominal functioning of the terminal: environment parameters, antenna position, user system interference, multipath, key validation/activation, etc. (TBD).

Galileo system level Failure Condition
Ref: FC6
Title: Undetected + restricted loss or degradation of the service with long term restoration

FUNCTION: Process SIS and display position [USF1]
FUNCTIONAL FAILURE: Erroneous position displayed [USF1B]
SCENARIO: Terminal misbehaviour [USF1B1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
The application user is supposed to have envisaged this event and have implemented appropriate operational solution. Dependent on terminal manufacturing design or user system design.
Service is misleading for the application user (SIS is available with the Integrity Flag flagged as “OK”).
If failure resulting from design error (common cause), failure can have impact on a category of users at the same time.
Service can be misleading for several users.
X-Ref: OP12

2 - Detection means (monitoring systems or operators)
No detection means

3 - Corrective action and GALILEO system resulting condition
No corrective action

Severity Classification
TBD

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)
Ref: Rrm15
Description: Users have to be warned of all operating conditions within their responsibility which could impair nominal functioning of the terminal: environment parameters, antenna position, user system interference, multipath, key validation/activation, etc. (TBD).

Galileo system level Failure Condition
Ref: FC6
Title: Undetected + restricted loss or degradation of the service with long term restoration

FUNCTION: Inform user on level of confidence of computed position [USF2]
FUNCTIONAL FAILURE: Inability to inform user on level of confidence of computed position [USF2A]
SCENARIO: Terminal failure [USF2A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
The application user is supposed to have envisaged this event and have implemented appropriate operational solution. Dependent on terminal manufacturing design or user system design.
Integrity added service is unavailable for the application user (loss of integrity monitoring service).
Service without integrity is available for the application user.
If failure resulting from design error (common cause), failure can have impact on a category of users at the same time.
Integrity added service can be unavailable for several users.
X-Ref: OP12

2 - Detection means (monitoring systems or operators)
No detection means

3 - Corrective action and GALILEO system resulting condition
No corrective action
X-Ref: Rrm16

Severity Classification
TBD

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)
Ref: Rrm 16
Description: User terminal of integrity added service has to implement means to give a comprehensive and convenient information on confidence margin of the computed position with regard to the alarm levels set by user. It has also to give a projection of this information for the immediate future of user's application.

Galileo system level Failure Condition
Ref: FC6
Title: Undetected + restricted loss or degradation of the service with long term restoration

FUNCTION: Inform user on level of confidence of computed position [USF2]
FUNCTIONAL FAILURE: Erroneous information on level of confidence of computed position [USF2B]
SCENARIO: Terminal misbehaviour [USF2B1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
The application user is supposed to have envisaged this event and have implemented appropriate operational solution. Dependent on terminal manufacturing design or user system design.
Service without integrity is available for the application user.
Two cases for integrity added service:
• Service is misleading for the application user without a satisfactory level of confidence.
• Service is unavailable (SIS is available but the Integrity Flag is misinterpreted as “Don’t use”); the position isn’t displayed.
If failure resulting from design error (common cause), failure can have impact on a category of users at the same time.
Service can be misleading for several users.

2 - Detection means (monitoring systems or operators)
No detection means

3 - Corrective action and GALILEO system resulting condition
No corrective action

Severity Classification
TBD

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)
Ref: Rrm15
Description: Users have to be warned of all operating conditions within their responsibility which could impair nominal functioning of the terminal: environment parameters, antenna position, user system interference, multipath, key validation/activation, etc. (TBD).
Ref: Rrm 17
Description: Regarding the user application, the concept design of the terminal could be different. For a Mass Market terminal, the position will be always displayed, even if the level of confidence is unsatisfactory (availability concept). For a Safety of Life application, in doubt no position will be displayed (safety concept) (tbc).

Galileo system level Failure Condition
Ref: FC6
Title: Undetected + restricted loss or degradation of the service with long term restoration

FUNCTION: Broadcast SAR user signal [USF3]
FUNCTIONAL FAILURE: Unable to broadcast SAR signal [USF3A]
SCENARIO: Terminal failure [USF3A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
User terminal does not provide intended service. (tbd)
X-Ref: Rop23

2 - Detection means (monitoring systems or operators)
No direct detection means.
The application user will desperately wait for the SAR acknowledgement.
X-Ref: Rrm18

3 - Corrective action and GALILEO system resulting condition
No corrective action

Severity Classification
Tbd

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)
Ref: Rop23
Description: RAM user needs have to be defined for the SAR service (allocation on the SMCC, on the ULS, on the terminal).
Ref: Rrm 18
Description: The terminal should be able to display that the SAR signal had been sent. This sending acknowledgement could impact the survival choice of the user.

Galileo system level Failure Condition
Ref: tbd
Title: tbd

FUNCTION: Broadcast SAR user signal [USF3]
FUNCTIONAL FAILURE: Inopportune SAR signal broadcasting [USF3B]
SCENARIO: Terminal misbehaviour [USF3B1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
A false alarm is transmitted to rescue centre.
Rescue centre efficiency could be impaired by false alarms overcrowding.
Tbd

2 - Detection means (monitoring systems or operators)
No detection means

3 - Corrective action and GALILEO system resulting condition
Strategy in the SMCC (+ MEO LUT) to face an alarms overcrowding (filter)

Severity Classification
TBD

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)
Ref: Rop23
Description: RAM user needs have to be defined for the SAR service (allocation on the SMCC, on the ULS, on the terminal).
Ref: Rrm 19
Description: A strategy should be defined for the SMCC (MEO LUT ?) in case of overcrowding SAR signal.

Galileo system level Failure Condition
Ref: tbd
Title: tbd

FUNCTION: Receive SAR centre message. [USF4]
FUNCTIONAL FAILURE: Inability to receive SAR acknowledgement message. [USF4A]
SCENARIO: Terminal failure [USF4A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
Function implemented to improve efficiency of alert service.
The application user will repeatedly send a new SAR message.
It is not foreseen additional risk for life from failure or misbehaviour of this function.

2 - Detection means (monitoring systems or operators)
No detection means

3 - Corrective action and GALILEO system resulting condition
No corrective action

Severity Classification
tbd

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)
Ref:
Description:

Galileo system level Failure Condition
Ref: tbd
Title: tbd

FUNCTION: Receive access management information. [USF5]
FUNCTIONAL FAILURE: Loss of capability to receive (or erroneous reception of) access management message. [USF5A]
SCENARIO: Encryption module or terminal HMI failure. [USF5A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
Assessment pending refined definition of key management process.
Service (if using encryption process) could be unavailable for the application user.

2 - Detection means (monitoring systems or operators)
No detection means

3 - Corrective action and GALILEO system resulting condition
Tbd

Severity Classification
Tbd

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)
Ref: Rrq 38
Description: The availability / reliability performances of the encryption module shall not degrade significantly the terminal ones.

Galileo system level Failure Condition
Ref: tbd
Title: tbd

FUNCTION: Collect raw data for position/time parameters of the other navigation system [DSF1]
FUNCTIONAL FAILURE: Other navigation system raw data incomplete or missing. [DSF1A]
SCENARIO: Other navigation system failed. [DSF1A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
Integrity information computed by integrity monitoring network for this navigation system reflects immediately the failure.
Service is unavailable for users of combined integrity added service.

2 - Detection means (monitoring systems or operators)
For integrity added service, Integrity Flag is flagged as being faulty.

3 - Corrective action and GALILEO system resulting condition
No corrective action

Severity Classification
Tbd

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)
Ref:
Description:

Galileo system level Failure Condition
Ref: tbd
Title: tbd

FUNCTION: Collect raw data for position/time parameters of the other navigation system [DSF1]
FUNCTIONAL FAILURE: Other navigation system raw data misleading. [DSF1B]
SCENARIO: Other navigation system misbehaviour. [DSF1B1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
If integrity information computed by integrity monitoring network for this navigation system detects immediately the failure, this scenario is similar to DSF1A1 and service is unavailable for users of combined integrity added service.
If not, this is a case of hidden failure where GALILEO system is not able to deliver a correct integrity information. This misleading information is due to an external failure and isn’t compliant with the state of the other navigation system.
X-Ref: OP14

2 - Detection means (monitoring systems or operators)
No detection means.

3 - Corrective action and GALILEO system resulting condition
No corrective action

Severity Classification
Tbd

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)
Ref:
Description:

Galileo system level Failure Condition
Ref: tbd
Title: tbd

FUNCTION: Build other navigation system integrity data [DSF2]
FUNCTIONAL FAILURE: Other navigation system raw data misleading [DSF2A]
SCENARIO: Discrepancies with reference models of other navigation system [DSF2A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
Beside “other navigation system raw data misleading” (DSF1), the capability of GALILEO system to build integrity information for other navigation system could be impaired by some discrepancies issued from different use of reference models (time reference, terrestrial frame reference, kinematic parameters).

2 - Detection means (monitoring systems or operators)
Tbd

3 - Corrective action and GALILEO system resulting condition
Tbd

Severity Classification
Tbd

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)
Ref:
Description:

Galileo system level Failure Condition
Ref: tbd
Title: tbd

FUNCTION: Interface with external time reference [DSF3]
FUNCTIONAL FAILURE: Tbd [DSF3A]
SCENARIO: Tbd [DSF3A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
Note:
GALILEO system time shall track TAI/UTC. This point is not encompassed by the GALA studies.
The way this reference will be distributed and used has a direct contribution to the service availability: it will have to be analysed from a RAM point of view.
X-Ref: Rrq39

2 - Detection means (monitoring systems or operators)
Tbd

3 - Corrective action and GALILEO system resulting condition
Tbd

Severity Classification
Tbd (Could be severe for Time applications)

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)
Ref: Rrq 39
Description: A RAM analysis shall be performed on time and geodetic references and the way they are used in GALILEO system.

Galileo system level Failure Condition
Ref: tbd
Title: tbd

FUNCTION: Interface with external geodetic reference system and reference frame [DSF4]
FUNCTIONAL FAILURE: Tbd [DSF4A]
SCENARIO: Tbd [DSF4A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
Note:
GALILEO reference frame shall be related with ITRF. This point isn’t encompassed by the GALA studies.
The way this reference will be distributed and used could have a direct contribution to the service availability: it will have to be analysed from a RAM point of view.
ITRF models for past movements of Earth will be extrapolated by GALILEO system.
X-Ref: Rrq39

2 - Detection means (monitoring systems or operators)
Tbd

3 - Corrective action and GALILEO system resulting condition
Tbd

Severity Classification
Tbd

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)
Ref: Rrq39
Description: A RAM analysis shall be performed on time and geodetic references and the way they are used in GALILEO system.

Galileo system level Failure Condition
Ref: tbd
Title: tbd

FUNCTION: Interface with external navigation system [DSF5]
FUNCTIONAL FAILURE: [DSF5A]
SCENARIO: [DSF5A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
Concern of DSF5 is to investigate consequences on GALILEO system of any inappropriate input from other navigation system (GPS, GLONASS, LORAN-C, …).

2 - Detection means (monitoring systems or operators)

3 - Corrective action and GALILEO system resulting condition

Severity Classification

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)
Ref:
Description:

Galileo system level Failure Condition
Ref:
Title:

FUNCTION: Interface with customer / agent / service provider [DSF6]
FUNCTIONAL FAILURE: TBD [DSF6A]
SCENARIO: [DSF6A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
Concern of DSF6 is to investigate consequences on GALILEO system of any inappropriate input from customer, agent or service provider.
Note:
The structure and functions of GALILEO management and operating segment are currently under investigation.
As they will have a direct contribution to the service availability perceived by the customer (Key generation for instance), they will have to be analysed from a RAM point of view.
X-Ref: Rrq40

2 - Detection means (monitoring systems or operators)

3 - Corrective action and GALILEO system resulting condition

Severity Classification

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)
Ref: Rrq 40
Description: A RAM analysis should be performed on the structure and functions of GALILEO management and operating segment (service centre, ...).

Galileo system level Failure Condition
Ref:
Title:

FUNCTION: Interface with SAR service [DSF7]
FUNCTIONAL FAILURE: [DSF7A]
SCENARIO: [DSF7A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
Concern of DSF7 is to investigate consequences on GALILEO system of any inappropriate input from elements of SAR service that are outside GALILEO system.
Could the SMCC degrade the SUI behaviour by inopportune transmission (overcrowding of SUI by SAR acknowledgement messages)?

2 - Detection means (monitoring systems or operators)
TBD

3 - Corrective action and GALILEO system resulting condition
TBD

Severity Classification

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)
Ref: Rrm 20
Description: Errors issued by a SUI misbehaviour should be confined: without consequences on the elaboration of the navigation message.

Galileo system level Failure Condition
Ref: tbd
Title: tbd
8.3 AVAILABILITY COMPUTATION TABLES
8.3.1 Input data
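
| Unit Name | Unit MUT (Hours) | Unit MDT (Hours) | Unit unavailability (Probability) |
|---|---|---|---|
| ULS Site component | | | |
| ULF | 6000 | 36 | 6,00E-03 |
| USF | 26 000 | 36 | 1,38E-03 |
| GUI | 26 000 | 36 | 1,38E-03 |
| RUI | 26 000 | 36 | 1,38E-03 |
| CUI | 26 000 | 36 | 1,38E-03 |
| SUI | 26 000 | 36 | 1,38E-03 |
| ULS LAN | 50 000 | 36 | 7,20E-04 |
| GNCC | | | |
| GNCF | 26 000 | 16 | 6,15E-04 |
| OSPF | 26 000 | 16 | 6,15E-04 |
| GIPF | 26 000 | 16 | 6,15E-04 |
| GCPF | 26 000 | 16 | 6,15E-04 |
| GNCC LAN | 50 000 | 16 | 3,20E-04 |
| GMS | | | |
| GMF | 26 000 | 36 | 1,38E-03 |
| GMS LAN | 50 000 | 36 | 7,20E-04 |
| RMS | | | |
| RMF | 26 000 | 36 | 1,38E-03 |
| RMS LAN | 50 000 | 36 | 7,20E-04 |
| RNCC | | | |
| RNCF | 26 000 | 16 | 6,15E-04 |
| RIPF | 26 000 | 16 | 6,15E-04 |
| RCPF | 26 000 | 16 | 6,15E-04 |
| RNCC LAN | 50 000 | 16 | 3,20E-04 |
| SCC | | | |
| SCF | 26 000 | 16 | 6,15E-04 |
| SCC LAN | 50 000 | 16 | 3,20E-04 |
| User Terminal | | | |
| User Terminal | 50 000 | 16 | 3,20E-04 |
| GALILEO MEO Constellation | | | 1,00E-02 |
| Network | | | |
| GAN | | | 2,00E-03 |
| CAN | | | 2,00E-03 |
| RAN | | | 2,00E-03 |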
8.3.2 Services without Integrity
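
| Unit Name | Unit MUT (Hours) | λ (h-1) | Unit MDT (Hours) | μ (h-1) | Unit unavailability (Probability) | Redundancy | System Availability | weight |
|---|---|---|---|---|---|---|---|---|
| ULS Site component | | | | | | | | |
| ULF | 6 000 | 0,00016667 | 36 | 0 | 6,00E-03 | 1 out-of 1 | | |
| USF | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 1 out-of 1 | | |
| GUI | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 1 out-of 1 | | |
| RUI | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 1 out-of 1 | | |
| CUI | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 1 out-of 1 | | |
| ULS LAN | 50 000 | 0,00002 | 36 | 0 | 7,20E-04 | 1 out-of 1 | | |
| | | | | | 1,23E-02 | 2 out-of 3 | 1,56E-06 | 0,01% |
| GNCC | | | | | | | | |
| GNCF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| OSPF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| GNCC LAN | 50 000 | 0,00002 | 16 | 0 | 3,20E-04 | 1 out-of 1 | | |
| | | | | | 1,55E-03 | 1 out-of 1 | 1,55E-03 | 9,23% |
| GMS | | | | | | | | |
| GMF | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 1 out-of 3 | 2,65E-09 | |
| GMS LAN | 50 000 | 0,00002 | 36 | 0 | 7,20E-04 | 1 out-of 1 | | |
| | | | | | 7,20E-04 | 2 out-of 3 | 1,56E-06 | 0,01% |
| SCC | | | | | | | | |
| SCF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| SCC LAN | 50 000 | 0,00002 | 16 | 0 | 3,20E-04 | 1 out-of 1 | | |
| | | | | | 9,35E-04 | 1 out-of 1 | 9,35E-04 | 5,56% |
| User Terminal | | | | | | | | |
| User Terminal | 50 000 | 0,00002 | 16 | 0 | 3,20E-04 | 1 out-of 1 | 3,20E-04 | 1,90% |
| GALILEO MEO Constellation | | | | | 1,00E-02 | 1 out-of 1 | 1,00E-02 | 59,49% |
| Network | | | | | | | | |
| GAN | | | | | 2,00E-03 | 1 out-of 1 | 2,00E-03 | 11,90% |
| CAN | | | | | 2,00E-03 | 1 out-of 1 | 2,00E-03 | 11,90% |
| | | | | | | | 1,68E-02 | 100,00% |

Service without integrity: 98,32%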
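8.3.3 Services with integrity – stand alone (global components)

| Unit Name | Unit MUT (Hours) | λ (h-1) | Unit MDT (Hours) | μ (h-1) | Unit unavailability (Probability) | Redundancy | System Availability | weight |
|---|---|---|---|---|---|---|---|---|
| ULS Site component | | | | | | | | |
| ULF | 6 000 | 0,00016667 | 36 | 0 | 6,00E-03 | 1 out-of 1 | | |
| USF | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 1 out-of 1 | | |
| GUI | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 1 out-of 1 | | |
| CUI | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 1 out-of 1 | | |
| ULS LAN | 50 000 | 0,00002 | 36 | 0 | 7,20E-04 | 1 out-of 1 | | |
| | | | | | 1,09E-02 | 2 out-of 3 | 3,56E-04 | 1,94% |
| GNCC | | | | | | | | |
| GNCF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| OSPF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| GIPF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| GCPF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| GNCC LAN | 50 000 | 0,00002 | 16 | 0 | 3,20E-04 | 1 out-of 1 | | |
| | | | | | 2,78E-03 | 1 out-of 1 | 2,78E-03 | 15,12% |
| GMS | | | | | | | | |
| GMF | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 2 out-of 3 | 5,75E-06 | |
| GMS LAN | 50 000 | 0,00002 | 36 | 0 | 7,20E-04 | 1 out-of 1 | | |
| | | | | | 7,26E-04 | 2 out-of 3 | 1,58E-06 | 0,01% |
| SCC | | | | | | | | |
| SCF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| SCC LAN | 50 000 | 0,00002 | 16 | 0 | 3,20E-04 | 1 out-of 1 | | |
| | | | | | 9,35E-04 | 1 out-of 1 | 9,35E-04 | 5,09% |
| User Terminal | | | | | | | | |
| User Terminal | 50 000 | 0,00002 | 16 | 0 | 3,20E-04 | 1 out-of 1 | 3,20E-04 | 1,74% |
| GALILEO MEO Constellation | | | | | 1,00E-02 | 1 out-of 1 | 1,00E-02 | 54,36% |
| Network | | | | | | | | |
| GAN | | | | | 2,00E-03 | 1 out-of 1 | 2,00E-03 | 10,87% |
| CAN | | | | | 2,00E-03 | 1 out-of 1 | 2,00E-03 | 10,87% |
| | | | | | | | 1,84E-02 | 100,00% |

Service with integrity (stand-alone): 98,16%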
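
The 8.3.3 budget can be recomputed from the 8.3.1 input data. The Python script below is an added example, not part of the report; its formulas (q = MDT / MUT, summed series chains, dominant-term k-out-of-n) are assumptions inferred from the tabulated values, and all function names are hypothetical.

```python
"""Availability budget of section 8.3.3 (service with integrity, stand-alone).

Added example. Assumed formulas (inferred from the table values, not stated
in the report): q = MDT / MUT, series chains add, and a k-out-of-n group keeps
only its dominant term C(n, n-k+1) * q**(n-k+1).
"""
from math import comb


def unit_unavailability(mut_h, mdt_h):
    """Unit unavailability as tabulated in 8.3.1, e.g. 36 / 6000 = 6,00E-03."""
    return mdt_h / mut_h


def series(unavailabilities):
    """Chain where every unit is needed: rare-event sum of the q values."""
    return sum(unavailabilities)


def k_out_of_n(q, k, n):
    """Dominant-term unavailability when k of n identical items are needed."""
    failures_needed = n - k + 1
    return comb(n, failures_needed) * q ** failures_needed


def k_out_of_n_exact(q, k, n):
    """Exact binomial probability that fewer than k of n items are up."""
    return sum(comb(n, up) * (1 - q) ** up * q ** (n - up) for up in range(k))


# Input data copied from table 8.3.1: (MUT hours, MDT hours).
UNITS = {
    "ULF": (6000, 36), "USF": (26000, 36), "GUI": (26000, 36),
    "CUI": (26000, 36), "ULS LAN": (50000, 36),
    "GNCF": (26000, 16), "OSPF": (26000, 16), "GIPF": (26000, 16),
    "GCPF": (26000, 16), "GNCC LAN": (50000, 16),
    "GMF": (26000, 36), "GMS LAN": (50000, 36),
    "SCF": (26000, 16), "SCC LAN": (50000, 16),
    "User Terminal": (50000, 16),
}
# Given directly as probabilities in table 8.3.1.
FIXED = {"GALILEO MEO Constellation": 1.00e-2, "GAN": 2.00e-3, "CAN": 2.00e-3}


def unit_q(name):
    """Unavailability of one named unit from the 8.3.1 input data."""
    return unit_unavailability(*UNITS[name])


def budget_integrity_standalone():
    """Return {contributor: unavailability} following the layout of 8.3.3."""
    uls_site = series(unit_q(u) for u in ("ULF", "USF", "GUI", "CUI", "ULS LAN"))
    gms_site = series([k_out_of_n(unit_q("GMF"), 2, 3), unit_q("GMS LAN")])
    gncc_units = ("GNCF", "OSPF", "GIPF", "GCPF", "GNCC LAN")
    contrib = {
        "ULS": k_out_of_n(uls_site, 2, 3),          # 2 of 3 ULS sites needed
        "GNCC": series(unit_q(u) for u in gncc_units),
        "GMS": k_out_of_n(gms_site, 2, 3),          # 2 of 3 GMS sites needed
        "SCC": series([unit_q("SCF"), unit_q("SCC LAN")]),
        "User Terminal": unit_q("User Terminal"),
    }
    contrib.update(FIXED)
    return contrib


def weights(contrib):
    """Share of each contributor in the total unavailability."""
    total = sum(contrib.values())
    return {name: value / total for name, value in contrib.items()}


if __name__ == "__main__":
    budget = budget_integrity_standalone()
    total = sum(budget.values())
    for name, share in sorted(weights(budget).items(), key=lambda kv: -kv[1]):
        print(f"{name:28s} {budget[name]:.2E} {share:7.2%}")
    print(f"total unavailability {total:.2E}, availability {1 - total:.2%}")
```

Under these assumptions the computed ULS contribution is 3,55E-04 against the tabulated 3,56E-04; the other unavailability values match to the printed precision.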
8.3.4 Services with integrity (global + regional components)
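
| Unit Name | Unit MUT (Hours) | λ (h-1) | Unit MDT (Hours) | μ (h-1) | Unit unavailability (Probability) | Redundancy | System Availability | weight |
|---|---|---|---|---|---|---|---|---|
| ULS Site component | | | | | | | | |
| ULF | 6 000 | 0,00016667 | 36 | 0 | 6,00E-03 | 1 out-of 1 | | |
| USF | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 1 out-of 1 | | |
| GUI | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 1 out-of 1 | | |
| RUI | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 1 out-of 1 | | |
| CUI | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 1 out-of 1 | | |
| ULS LAN | 50 000 | 0,00002 | 36 | 0 | 7,20E-04 | 1 out-of 1 | | |
| | | | | | 1,23E-02 | 2 out-of 3 | 4,53E-04 | 2,62% |
| GNCC | | | | | | | | |
| GNCF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| OSPF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| GNCC LAN | 50 000 | 0,00002 | 16 | 0 | 3,20E-04 | 1 out-of 1 | | |
| | | | | | 1,55E-03 | 1 out-of 1 | 1,55E-03 | 8,98% |
| GIPF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| GCPF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| | | | | | 1,23E-03 | 1 out-of 1 | 1,23E-03 | |
| RMS | | | | | | | | |
| RMF | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 2 out-of 3 | 5,75E-06 | |
| RMS LAN | 50 000 | 0,00002 | 36 | 0 | 7,20E-04 | 1 out-of 1 | | |
| | | | | | 7,26E-04 | 2 out-of 3 | 1,58E-06 | |
| RNCC | | | | | | | | |
| RNCF | 26000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| RIPF | 26000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| RCPF | 26000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| RNCC LAN | 50000 | 0,00002 | 16 | 0 | 3,20E-04 | 1 out-of 1 | | |
| | | | | | 2,17E-03 | 1 out-of 1 | 2,17E-03 | |
| RMS + RNCC + RAN | | | | | | | 4,17E-03 | |
| Redundancy (GIPF+GCPF) // (RMS + RNCC + RAN) | | | | | | | 5,13E-06 | 0,03% |
| GMS | | | | | | | | |
| GMF | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 2 out-of 3 | 5,75E-06 | |
| GMS LAN | 50 000 | 0,00002 | 36 | 0 | 7,20E-04 | 1 out-of 1 | | |
| | | | | | 7,26E-04 | 2 out-of 3 | 1,58E-06 | 0,01% |
| SCC | | | | | | | | |
| SCF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| SCC LAN | 50 000 | 0,00002 | 16 | 0 | 3,20E-04 | 1 out-of 1 | | |
| | | | | | 9,35E-04 | 1 out-of 1 | 9,35E-04 | 5,42% |
| User Terminal | | | | | | | | |
| User Terminal | 50 000 | 0,00002 | 16 | 0 | 3,20E-04 | 1 out-of 1 | 3,20E-04 | 1,85% |
| GALILEO MEO Constellation | | | | | 1,00E-02 | 1 out-of 1 | 1,00E-02 | 57,92% |
| Network | | | | | | | | |
| GAN | | | | | 2,00E-03 | 1 out-of 1 | 2,00E-03 | 11,58% |
| CAN | | | | | 2,00E-03 | 1 out-of 1 | 2,00E-03 | 11,58% |
| RAN | | | | | 2,00E-03 | 1 out-of 1 | 2,00E-03 | |
| | | | | | | | 1,73E-02 | 100,00% |

Service with integrity (Reg. compon.): 98,27%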
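8.3.5 TM/TC function

| Unit Name | Unit MUT (Hours) | λ (h-1) | Unit MDT (Hours) | μ (h-1) | Unit unavailability (Probability) | Redundancy | Function unavailability | weight |
|---|---|---|---|---|---|---|---|---|
| ULS Site component | | | | | | | | |
| ULF | 6 000 | 0,00016667 | 36 | 0 | 6,00E-03 | | | |
| USF | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | | | |
| CUI | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | | | |
| ULS LAN | 50 000 | 0,00002 | 36 | 0 | 7,20E-04 | | | |
| | | | | | 9,49E-03 | 2 out-of 3 | 2,71E-04 | 2,05% |
| SCC | | | | | | | | |
| SCF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | | | |
| SCC LAN | 50 000 | 0,00002 | 16 | 0 | 3,20E-04 | | | |
| | | | | | 9,35E-04 | 1 out-of 1 | 9,35E-04 | 7,08% |
| GALILEO MEO Constellation | | | | | 1,00E-02 | 1 out-of 1 | 1,00E-02 | 75,72% |
| Network | | | | | | | | |
| CAN | | | | | 2,00E-03 | 1 out-of 1 | 2,00E-03 | 15,14% |
| | | | | | | | 1,32E-02 | 100,00% |

TM / TC function: 98,68%

8.3.6 Orbit monitoring function

| Unit Name | Unit MUT (Hours) | λ (h-1) | Unit MDT (Hours) | μ (h-1) | Unit unavailability (Probability) | Redundancy | Function unavailability | weight |
|---|---|---|---|---|---|---|---|---|
| GNCC | | | | | | | | |
| GNCF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| OSPF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| GNCC LAN | 50 000 | 0,00002 | 16 | 0 | 3,20E-04 | 1 out-of 1 | | |
| | | | | | 1,55E-03 | 1 out-of 1 | 1,55E-03 | 10,70% |
| GMS | | | | | | | | |
| GMF | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 1 out-of 3 | 2,65E-09 | |
| GMS LAN | 50 000 | 0,00002 | 36 | 0 | 7,20E-04 | 1 out-of 1 | | |
| | | | | | 7,20E-04 | 2 out-of 3 | 1,56E-06 | 0,01% |
| SCC | | | | | | | | |
| SCF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| SCC LAN | 50 000 | 0,00002 | 16 | 0 | 3,20E-04 | 1 out-of 1 | | |
| | | | | | 9,35E-04 | 1 out-of 1 | 9,35E-04 | 6,46% |
| GALILEO MEO Constellation | | | | | 1,00E-02 | 1 out-of 1 | 1,00E-02 | 69,02% |
| Network | | | | | | | | |
| GAN | | | | | 2,00E-03 | 1 out-of 1 | 2,00E-03 | 13,80% |
| | | | | | | | 1,45E-02 | 100,00% |

Orbit monitoring function: 98,55%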
END OF DOCUMENT