gala ref date - european gnss agency · gala ref : date : gala-sodeteg-apsys-dd0132 8/12/00 ram...

GALA
REF : GALA-SODETEG-APSYS-DD0132
DATE : 8/12/00
RAM Analysis Final Report
ISSUE : 4.0

DOCUMENT INFORMATION SHEET

From : T. Morteveille, J. Trouilloud, M. Oberlé
Project Acronym : GALA
Project Name : Galileo Overall Architecture Definition
Title : RAM Analysis Final Report
Issue : 4.0
Reference : GALA-SODETEG-APSYS-DD0132
Date : 8/12/00
Pages Number : 154
File : dd132v
Classification : TBD
WBS : TBD
Contract : TBD
Emitting Entity : SODETEG/APSYS
Type of Document : TBD
Status : FR1
Template Name : gala_aspi.dot (V1)

To :

Internal Distribution (Service, Name, N° Ex.)
SODETEG : 1
APSYS : 1

External Distribution (Company, Name, N° Ex.)
ASPI, P. Verschueren : 1



Sustainable Mobility and Intermodality
Promoting Competitive and Sustainable Growth

Galileo Overall Architecture Definition

RAM Analysis Final Report

Written by : T. Morteveille, J. Trouilloud, M. Oberlé
Verified by : J-F. Delaigue
Approved : M. Oberlé
Documentation Manager

WBS Code : TBD
Emitting entity : SODETEG/APSYS


CHANGE RECORDS

ISSUE 1, 20/09/00
• First issue

ISSUE 2, 20/10/00
• PDA synthesis, FDA (functional breakdown)
• DRS DD-132V1-PVE-01 (Id. 1, 2 partially, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 17, 18, 19, 20, 22)
• DRS MC/11.3-001 (Id. 1, 2, 3, 4, 5, 7, 8, 10)
• Mail from O. Taylor (WP1) (§5 modifications for applications N° 12, 14, 16, 69, 70, 71, 73, 74, 93, 94, 95)

ISSUE 3, 16/11/00
• FDA tables (partial)
• DRS MC/GAST MC/11.3-002 dated 2/10/00 (Id. 1, 5, 6, 7, 9)
• DRS Ch. Schäfer (Astrium GmbH) dated 11/10/00 (Id. 1, 2)
Author : SODETEG/APSYS, GAST, Astrium

ISSUE 4.1, 8/12/00
• Section 6 : FDA tables completed
• Section 7 : Apportionment/demonstration of GALILEO RAM requirements
• Open points answers included (mom 191, 231)
Author : SODETEG/APSYS


TABLE OF CONTENTS

1 INTRODUCTION

2 REFERENCES
2.1 DEFINITIONS
2.2 ACRONYMS
2.3 APPLICABLE DOCUMENTS
2.4 REFERENCE DOCUMENTS

3 GALILEO PRESENTATION AND CONTEXT

4 METHODOLOGY
4.1 GENERAL
4.2 RAM PARAMETERS UNDER ANALYSIS

5 PRELIMINARY DEPENDABILITY ANALYSIS (PDA)
5.1 DEPENDABILITY ANALYSIS ON USER APPLICATION
5.1.1 Safety of life and security applications
5.1.1.1 Transportation of passengers and goods
5.1.1.1.1 Commercial Air Transport IFR navigation [1]
5.1.1.1.2 Commercial Air Transport (surveillance) [2]
5.1.1.1.3 General Aviation (VFR) [3]
5.1.1.1.4 Deleted [4]
5.1.1.1.5 General Aviation (Surveillance) [5]
5.1.1.1.6 Train Control [6]
5.1.1.1.7 Train Supervision [7]
5.1.1.1.8 Energy Optimised Driving Style Manager [8]
5.1.1.1.9 Fleet Management [9]
5.1.1.1.10 Track Survey [10]
5.1.1.1.11 Passenger Information service [11]
5.1.1.1.12 Marine Navigation [12] & [13]
5.1.1.1.13 Marine surveillance [14]
5.1.1.1.14 Marine Engineering [15]
5.1.1.1.15 Harbour Docking [16]
5.1.1.2 Emergency services
5.1.1.2.1 Ambulance : Route Guidance [17] & Vehicle resources management [18]
5.1.1.2.2 Police / Fire : Route Guidance [19] - Vehicle resources management [20] & Pedestrian resource Management [21]
5.1.1.2.3 Police / fire : Vehicle Tracking [22]
5.1.1.2.4 SAR : Alerting Beacons – Marine [23] & [25] – Air [24] – Personal [26]
5.1.1.2.5 SAR : Onboard Navigation of SAR units [27]
5.1.1.2.6 General conclusion on emergency services
5.1.1.3 Security
5.1.1.3.1 Personal protection: Lone Worker Protection [28]
5.1.1.3.2 Secured Data: Transport of Nuclear Waste [29]
5.1.1.3.3 Secured Data: Dangerous and valuable loads tracking [30]
5.1.1.3.4 Traffic surveillance and monitoring
5.1.1.3.4.1 Road Tolling [31]
5.1.1.3.4.2 Road surveillance and Regulatory Enforcement [32]
5.1.2 Mass Market
5.1.2.1 Land and River Navigation
5.1.2.1.1 Cars [33] to [35] - Truck and buses [36] to [38] - Light Commercial Vehicles [40] to [42]
5.1.2.1.1.1 Route Guidance [33, 36 & 40]
5.1.2.1.1.2 Information Services [34, 37 & 41]
5.1.2.1.1.3 Emergency call breakdown, Theft and recovery [35, 38 & 42]
5.1.2.1.2 All road Vehicles : Advanced Driver Assistance Systems [39]
5.1.2.1.3 Inland Waterways [43] to [45]
5.1.2.1.3.1 Vessel Navigation [43]
5.1.2.1.3.2 Vessel services [44]
5.1.2.1.3.3 Dredging and maintenance [45]
5.1.2.2 Personal Navigation [46] to [49]
5.1.2.2.1 Personal Outdoor Recreation [46] to [48]
5.1.2.2.2 Location based communication services [49]
5.1.3 Professional market
5.1.3.1 Timing
5.1.3.1.1 Network synchronisation for Telecom [50], Power generation and distribution [51], digital broadcasting [52]
5.1.3.1.2 Satellite monitoring / navigation (ground based) [53]
5.1.3.1.3 Maintenance of international time standards [55]
5.1.3.1.4 Frequency/time calibration services [56]
5.1.3.1.5 Time tagging for general user [57]
5.1.3.2 Space
5.1.3.2.1 Space market [58, 59, 60, 61]
5.1.3.3 Scientific applications
5.1.3.3.1 Geodesy applications [62, 63]
5.1.3.3.2 Meteo forecasting ionosphere [64, 65, 67]
5.1.3.4 Precision surveying (Id 68)
5.1.3.5 Oil & Gas
5.1.3.5.1 [69, 70, 71, 73, 74]
5.1.3.5.2 FPSO positioning [72]
5.1.3.6 Vehicle control and robotics (Id 78, 79, 80)
5.1.3.7 Construction and civil engineering [81, 82]
5.1.3.8 Land survey and GIS mapping [83]
5.1.3.9 Fleet Management [84]
5.1.3.10 Asset management [85, 86, 87]
5.1.3.11 Precision agriculture [88, 89, 90]
5.1.3.12 Fisheries & Exclusive Economic Zone [91, 92]
5.1.3.13 Environment
5.1.3.14 Mining
5.1.3.14.1 3D positioning of mine machinery [97]
5.1.3.14.2 Mine surveying [98]
5.1.3.14.3 Autonomous mining vehicles [99]
5.1.3.14.4 Truck dispatch [100]
5.1.4 Synthesis of dependability analysis on user application
5.1.4.1 Syntheses of application mapping according to dependability requirements
5.1.4.2 Interface with Safety Classifications
5.1.4.3 Mapping application/service
5.2 REFERENCE SCENARIO AND IDENTIFICATION
5.2.1 Application user
5.2.2 Service subscriber
5.2.3 Service provider
5.2.4 System operator
5.2.5 System designer
5.3 RAM RELEVANT INDICATORS DEFINITION
5.4 TOP LEVEL HAZARDS IDENTIFICATION
5.5 PDA SYNTHESIS

6 FUNCTIONAL DEPENDABILITY ANALYSIS (FDA)
6.1 GENERAL FDA PRESENTATION
6.1.1 FDA methodology and used form
6.1.2 General assumptions
6.2 RAM SEVERITY SCALE
6.3 GALILEO FUNCTIONAL BREAKDOWN
6.4 FDA SYNTHESIS
6.4.1 RAM Failure Condition Summary table
6.4.2 Common general assumptions
6.4.3 RAM Requirements
6.4.4 RAM Recommendations
6.4.5 Open points
6.4.6 GALILEO Functions RAM severity

7 APPORTIONMENT/DEMONSTRATION OF GALILEO RAM REQUIREMENTS
7.1 AVAILABILITY BLOCK DIAGRAM METHODOLOGY
7.2 PARTICULAR ASSUMPTIONS
7.3 ORIGIN OF THE RETAINED INPUT DATA
7.4 GALILEO SYSTEM AVAILABILITY BLOCK DIAGRAMS
7.4.1 Navigation service without integrity
7.4.2 Service with integrity – Global components
7.4.3 Service with integrity – Global + regional components
7.4.4 TM/TC function
7.4.5 Orbit monitoring function
7.5 RESULTS
7.6 ANALYSIS OF THE RESULTS
7.7 AVAILABILITY APPORTIONMENT TO MEET THE REQUIREMENTS

8 ANNEX
8.1 PDA TABLES
8.2 FDA TABLES
8.3 AVAILABILITY COMPUTATION TABLES
8.3.1 Input data
8.3.2 Services without Integrity
8.3.3 Services with integrity – stand alone (global components)
8.3.4 Services with integrity (global + regional components)
8.3.5 TM/TC function
8.3.6 Orbit monitoring function


LIST OF FIGURES

Figure 1 : RAM methodology

LIST OF TABLES

Table 1 : Maximum acceptable time
Table 2 : Maximum frequency
Table 3 : Proposed Availability Classification per application
Table 4 : Synthesis of availability classification per application
Table 5 : RAM Status
Table 6 : Top level RAM hazards
Table 7 : RAM level allocation to Service levels
Table 8 : severity scale
Table 9 : GALILEO system functional breakdown
Table 10 : Failure Conditions list
Table 11 : RAM Assumptions from FDA (Ras)
Table 12 : RAM requirements (Rrq)
Table 13 : RAM recommendations (Rrm)
Table 14 : RAM open points (Rop)
Table 15 : GALILEO Function Criticality


1 INTRODUCTION

This report constitutes the RAM analysis final report for the GALILEO system in the frame of the GALA project.

The context in which these RAM analyses were established is the following: after the Mid Term Review held at the end of May 2000, it was decided to perform deeper top-down RAM analyses on the GALILEO system, with the objective of defining RAM requirements for the Galileo system components.

• The first step is to define the main missions of the GALILEO system and to express them from a RAM point of view when relevant. This characterisation can be expressed by defining top level dependability hazards, which would affect the success of the GALILEO missions.

• A second step is to derive these hazards and express them in terms of qualitative and quantitative Reliability and Availability parameters, which will constitute requirements for the system.

• In a third step, these requirements will be derived and apportioned into clearly defined RAM requirements at GALILEO system component level, down to the appropriate segment level.

• The objective in that frame is to define clear and comprehensible RAM requirements that are fully exploitable at system component level.

• The fourth step will then consist in assessing whether the proposed architecture complies with the specified requirements, and in proposing recommendations and improvements when necessary.

It is important to underline that the GALILEO system can be driven by several types of RAMS requirements:

• Those which are linked to safety considerations and are essentially dedicated to specific users such as satellite navigation, search and rescue, ...

• Those which are linked to the availability of the services offered by the GALILEO system,

• Those which are linked to the security of the data supported by GALILEO (bank, ...), ...

Obviously, some users can expect several of the requirements listed above from GALILEO services simultaneously.

This highlights the fact that Safety and RAM requirements are closely linked in such a system. Moreover, Safety requirements can in some cases be derived, apportioned and translated into RAM requirements (Reliability, Maintainability or Availability). This means that all RAM tasks will have to be performed in close collaboration with the Safety activities. The trade-off between Safety and RAM requirements will have to be refined to comply with both types.

In addition, the RAM activities contribute to the Risk management process of the GALILEO program. They make it possible to periodically highlight the potential risks and occurrence conditions raised through the RAM analyses, and to identify the possible mitigation measures.

It is however important to underline that these RAM analyses are performed in the initial stages to give first relevant RAM indicators for system architecture purposes and cost related concerns. They should be further developed and refined in the following GALILEO program phases.


2 REFERENCES

2.1 DEFINITIONS

Availability, Continuity, Reliability
See GALILEO DEFINITIONS [DR6], issued from WP2.

RAM indicators
Starting from general definitions, they are parameters that reflect the dependability attributes and are tailored to the GALA context. They must be understandable, relevant and measurable.

2.2 ACRONYMS

FDA : Functional Dependability Analysis
FHA : Functional Hazard Analysis
PDA : Preliminary Dependability Analysis
PHA : Preliminary Hazard Analysis
RAM : Reliability Availability Maintainability

2.3 APPLICABLE DOCUMENTS

N/A

2.4 REFERENCE DOCUMENTS

DR1 : Master list of GALILEO applications for phase 2 (WP1), GALA-RACAL-TN-017, Issue 3 Rev E

DR2 : Market research methods and overall results, GALA-RACAL DD005, Issue 2, 12/10/00

DR3 : Architecture baseline definition, GALA-ASPI-DD-027, Issue 6.0, 1/12/00

DR4 : Safety and Hazard analysis : Safety case Volume E : Safety assessment, GALA-APSYS-DD049, Issue 4, 30/11/2000

DR5 : Synthesis on service definition, GALA-ASPI-TN011, Issue 2, 10/11/00

DR6 : GALILEO DEFINITIONS, GALA-ASPI-DD092, Issue 3, 16/11/00

DR7 : Potential military applications and interest, GALA-FDC-dd130, Issue 14, 15/07/00

DR8 : Performance budget file, GALA-ASPI-DD036, Issue 3.0, 20/11/00

DR9 : Mission Requirements SSS, GALA-DD108, Issue 2.1, 21/11/00


3 GALILEO PRESENTATION AND CONTEXT

Involving Europe in satellite navigation has been of prime interest for several years, given the situation where US GPS and Russian GLONASS are the only existing systems, both being military owned, GPS ensuring global leadership for the US, including in receiver manufacturing, and GLONASS having a very uncertain future.

After sufficient analyses, a process was needed to allow Europe to take an actual decision, based on a large awareness of all potential European actors in the domain. This process was started in January 1998 by the European Commission, which asked for adequate activities to be realised in the short term to allow a decision to be taken by early 1999.

This led to a communication from the European Commission issued on February 10th, 1999, where the main conclusions were drawn: a strong recommendation for Europe to develop a satellite navigation system, called “Galileo”, independent of but complementary to and interoperable with US GPS and Russian GLONASS, integrating as far as possible the EGNOS system currently under development, taking security issues into account, addressing the needs of all potential categories of users and allowing the building-up of a Public-Private Partnership (“PPP”).

These conclusions were endorsed by European authorities, with the Council resolution of June 17th, 1999 on the involvement of Europe in a new generation of Satellite Navigation Services.

This led to the preparation of the definition phase, which began at the end of 1999 with the aim of providing, by the end of 2000, high quality and timely advice to the Galileo Program Management Board and to the Galileo Steering Committee, in order that Ministers may be provided with a clear and detailed statement of Galileo on cost bounds, feasibility, benefits to users and society including wealth creation, and technical, cost and timescale risks. This statement should allow the decision to go ahead to be taken.

The final objective of providing recommendations to European Institutions is assigned to a “central” study for the European Commission called GALA, under the leadership of Alcatel Space Industries.

13 high level tasks have been identified in GALA. The present RAM analysis is performed in the frame of the following one:

Task 6 – Overall system safety analysis
The methodology to be applied in the frame of GALILEO will be determined, and Reliability, Availability, Maintainability and Safety analyses will be performed. Evidence will be provided that specified requirements with regard to safety and reliability are met.


4 METHODOLOGY

4.1 GENERAL

The methodology used is based on a top-down approach. Starting from preliminary user needs, it intends to detect potential inconsistencies between real user needs and RAM objectives, to define the RAM top level feared events and the associated RAM requirements, and to assess the GALILEO system architecture compliance through a functional mapping.

Figure 1 presents the main steps, which allow reaching the RAM analyses objectives.

Step 1 : Preliminary Dependability Analysis
This first step uses as input the user requirements applications as defined in WP1 activity (footnote 1), the service levels identification and definition and the mapping between both.

The main tasks of step one are the following :

• Reference scenarios identification : these scenarios allow defining the several RAM indicators used to identify the top level events

• RAM relevant indicators definition : these indicators have to be significant regarding the user applications and the several view points (from users to designer)

• Hazards identification : associated to the reference scenario, notably they will allow defining the severity scale used in the future RAM analyses

• RAM appraisal of the user needs leading to a classification of the applications (using a dedicated RAM scale)

• Consistency check between RAM quantitative requirements assigned on services and user needs (using the applications / service levels mapping).

Based on application definitions Safety of Life, Mass market, Professional Market (user needs), the Dependability Analysis aims at deriving :

• Which user applications have “RAM critical” constraints in terms of availability / service reliability,

• Which user applications could become “Galileo project critical” if the RAM performances are below user expectation.

The hazards are categorised by their consequences on various aspects : economic, Galileo image and liability.

Footnote 1 : The WP1 activity does not take into account detailed GAS market/needs study. This is the reason why the GAS service is not analysed in the frame of this RAM analysis. Moreover, following the analysis of DR7, it is not possible to establish the mapping between the military applications and the GAS services as performed in the frame of this document for the other applications. It appears however, that GAS service RAM requirements seem not to be more restrictive than some other services already analysed in this document.


Step 2 : Functional Dependability Analysis
The baseline architecture definition is studied in this phase to build a dependability-oriented functional model. This model will then be used to analyse function failures and to evaluate possible strategies to maintain the RAM performances of the GALILEO system service. A close loop with safety analysis is necessary to avoid duplication of analysis and to ensure consistency of requirements.
This will lead to produce RAM requirements and check architecture constraints.

Step 3 : Apportionment of dependability requirements and assessment of the GALILEO system compliance
This step includes two tasks :

• Starting from availability requirements and the expected order of magnitude of component reliability, an apportionment is made. For this task a rough modelling by FTA would be used. This step will produce dependability requirements at component level. In this project phase, the study will focus on availability requirements more than on maintainability requirements.

Note :
The fault tree technique allows building, in a relatively simple way, a representative model that is easy to understand and validate. The quantitative treatment of the tree leads to apportion RAM performances to detailed elements decomposed in the tree.

• A refinement of the previous model will be made using architecture definition progress and technical data from, for instance, GALILEOSAT, Receiver concept, Station definition, etc. This will allow collecting data such as number of elements and preliminary reliability figures for a first assessment loop. This task will be based on the performed fault tree models taking the logical combinations between the events into account. However, due to the nature of the GALILEO system and its behaviour (reconfiguration capabilities, time aspects) and according to the combined performances under analysis (especially availability and continuity), the possible use of other techniques (Petri nets for instance) may be envisaged.

This will lead to consolidate first evidences of GALILEO system compliance with RAM requirements, to provide RAM drivers for further RAM analyses and RAM recommendations.

4.2 RAM PARAMETERS UNDER ANALYSIS

In the frame of this RAM analysis and with regard to the objectives of the present system phase, the present RAM task is focussing on the availability parameter. According to the definition of the availability in the frame of the GALILEO system, it also includes continuity and integrity performances. It means that, when assessing the availability performance, continuity and integrity constraints are considered.

Moreover, the availability parameter is a result of the reliability and maintainability parameters; availability assessment will then allow sizing the reliability and maintainability parameters, as well as integrating the logistic support parameters (maintenance concept, logistic delay time).

In addition, it has to be highlighted that even if the “time to fix” parameter could influence the “unavailability” time especially seen by the users, it is not detailed in the present assessment.


First of all, TTF is actually not an outage but is included in the operational process to start or restart an element. It can thus be involved in the restarting phase following an outage. On the other hand, this parameter has to be considered, from a RAM point of view, as an additional time of unavailability of the services. In that way, it is possible to synthesise the different service down times as follows :

• Parameters related to repair of a faulty element (related to maintainability aspects or MTTR),

• Parameters for logistic delays (related to logistic concerns),

• Parameters for starting or restarting elements such as TTF (related to operational process).

Down time will have to include at least these three types of parameters. However, this detailed analysis will have to be performed further. It can however be noticed that, among these parameters, TTF does not seem to be the most sizing one. For instance, logistic delays are in the order of several tens of hours, which is not the case for TTF.


[Figure 1 : RAM methodology. Flow diagram in three columns (Input data, Analysis steps, Main outcomes) covering the Preliminary Dependability Analysis (PDA), the Functional Dependability Analysis (FDA) and the apportionment/demonstration of RAM requirements at GALILEO system component levels.]


5 PRELIMINARY DEPENDABILITY ANALYSIS (PDA)

5.1 DEPENDABILITY ANALYSIS ON USER APPLICATION

General comment:

The objective is to check the consistency between the users RAM needs as expressed in DR 2 and the RAM requirements allocated to the service levels as expressed in DR3.

A RAM appraisal of the user needs has been performed and leads to a classification of the applications based on a dedicated RAM scale.

Two parameters have been defined to characterise the availability level of each application. Four levels of these parameters have been chosen with the objective to be progressive, simple and meaningful from a user point of view.

1 - Maximum acceptable time – Tmax :
It corresponds to the maximum acceptable time to have the service (available) when the user calls it. It means that, if x is this maximum time, the user will accept to “wait” to access the full service (with its performances) for a period of time lower than x.

Note :
This Tmax is linked to a dysfunctional case. So it has nothing to do with the Time To First Fix (TTFF) parameter, but it is close to the Service interruption threshold [DR5].

This Tmax includes the four following levels :

Category          Tmax
VH (very High)    1 minute
H (High)          1 hour
M (Medium)        1 day (24 hours)
L (low)           > 1 day

Table 1 : Maximum acceptable time

2 – Maximum frequency – Frmax

It corresponds to the maximum acceptable frequency, for a given time unit, for the user not to have the service when he calls it.


This Frmax includes the four following levels :

Category          Frmax
VH (very High)    1 time/year
H (High)          1 time/month
M (Medium)        1 time/week
L (low)           1 time/day

Table 2 : Maximum frequency

Example 1 :
A given user classified in the VH category will refuse to be without access to the service more than one time per year.

Example 2 :
A user application could be classified as L/L. It means that formally, in the worst case, the user could never have the service. It indicates in fact that the GALILEO application is not essential for its activities.
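The two scales combine into a worst-case outage budget per Tmax/Frmax class. The following added example (not part of the report) computes that budget and the availability floor it implies, assuming every tolerated interruption lasts the full Tmax and a 365-day year; the function names are illustrative, and the sample classes are the ones this section assigns to the listed applications.

```python
"""Worst-case outage budget implied by a Tmax/Frmax class (added example)."""
import math

HOURS_PER_YEAR = 365 * 24  # assumption: 365-day year

# Table 1: maximum acceptable time to obtain the service, in hours.
# "L" is "> 1 day": the table states no upper bound.
TMAX_HOURS = {"VH": 1 / 60, "H": 1.0, "M": 24.0, "L": math.inf}

# Table 2: maximum acceptable number of interruptions, converted to events
# per year (assumption: 12 months, 52 weeks, 365 days per year).
FRMAX_PER_YEAR = {"VH": 1, "H": 12, "M": 52, "L": 365}


def parse_class(label):
    """Split a class such as 'H/VH' into (Tmax category, Frmax category)."""
    parts = [p.strip().upper() for p in label.split("/")]
    if len(parts) != 2:
        raise ValueError(f"expected 'Tmax/Frmax', got {label!r}")
    tmax_cat, frmax_cat = parts
    if tmax_cat not in TMAX_HOURS or frmax_cat not in FRMAX_PER_YEAR:
        raise ValueError(f"unknown category in {label!r}")
    return tmax_cat, frmax_cat


def outage_budget_hours(label):
    """Hours per year the user tolerates being without the service.

    Worst case: every tolerated interruption lasts the full Tmax. The result
    is capped at one year, which also covers the unbounded 'L' Tmax level.
    """
    tmax_cat, frmax_cat = parse_class(label)
    budget = TMAX_HOURS[tmax_cat] * FRMAX_PER_YEAR[frmax_cat]
    return min(budget, HOURS_PER_YEAR)


def availability_floor(label):
    """Lowest yearly availability still compatible with the class."""
    return 1.0 - outage_budget_hours(label) / HOURS_PER_YEAR


def rank_by_stringency(applications):
    """Application names ordered from the tightest outage budget to the loosest."""
    return sorted(applications, key=lambda name: outage_budget_hours(applications[name]))


# Classes as concluded in this section for a few of the applications.
SAMPLE_APPLICATIONS = {
    "Commercial Air Transport IFR navigation [1]": "H/VH",
    "Commercial Air Transport (surveillance) [2]": "VH/VH",
    "Train Control [6]": "VH/H",
    "Energy Optimised Driving Style Manager [8]": "L/L",
    "Fleet Management [9]": "H/H",
    "Track Survey [10]": "M/H",
}

if __name__ == "__main__":
    for name in rank_by_stringency(SAMPLE_APPLICATIONS):
        label = SAMPLE_APPLICATIONS[name]
        print(f"{label:6s} {outage_budget_hours(label):10.3f} h/year "
              f"floor {availability_floor(label):.6f}  {name}")
```

L/L and M/L both come out with a floor of 0, which is the observation of Example 2 that such a user could, in the worst case, never have the service.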

When the consequence of an unpredictable SIS interruption is limited to the corporation or to a company, the economical effects are generally considered as Medium to High. The assumption is that the user will not complain about the Galileo service in case of a predicted and announced SIS interruption.

When the consequence is immediately transferred to the customer of the corporation, the economical effects become of another order of magnitude. Then the dependability requirements become High to Very High.
The applications described in [DR1] have been scanned and assessed with due consideration to the above preliminary remarks.

5.1.1 Safety of life and security applications

5.1.1.1 Transportation of passengers and goods
The applications described here are well concerned with safety of life as they transport commercial passengers or crew.

5.1.1.1.1 Commercial Air Transport IFR navigation [1] (footnote 2)

All commercial air transport will rely on satellite navigation systems in the near future. The dependability requirements are then very high for this application. For safety reasons operators will not rely on a single source of signal, so Galileo dependability will affect operational aspects and possibly flight delays according to aircraft MEL (Minimum Equipment List) status.

Footnote 2 : SAS-L is mapped on Civil Aviation in [DR9], but not on detailed applications. However, without this mapping, SAS-L has a RAM critical status (see § 5.5) : there is no impact on the final result.


An interruption of service shorter than one hour should be acceptable assuming it does not occur more frequently than once a year (for instance, the current French nominal regional tracker system has an unavailability around 5 minutes per year).

Conclusion :
Failure of Galileo system to provide navigation data is classified H/VH.

5.1.1.1.2 Commercial Air Transport (surveillance) [2]

ATC being in charge of surveillance of the traffic, any loss of availability of aircraft’s position, heading, speed and time will lead the controllers to revert to back-up procedures with a significant increase of workload and associated delay in traffic flows (en route, approach and take off).
Economical consequences can rapidly become very high for all the operators and customers.

Conclusion :
Failure of Galileo system to provide navigation data is classified VH/VH.

5.1.1.1.3 General Aviation (VFR) [3]

Dependability requirements are similar to Commercial air transport [1] due to the customer typology: business aviation, special air services, police…

Conclusion :
Failure of Galileo system to provide navigation data is classified H/VH.

5.1.1.1.4 Deleted [4]

5.1.1.1.5 General Aviation (Surveillance) [5]

General aviation surveillance is considered as a part of the air traffic and it is assumed that dependability requirements are similar to commercial air traffic.

Conclusion :
Failure of Galileo system to provide navigation data is classified VH/VH.

5.1.1.1.6 Train Control [6]

It is a traffic control application requiring dependable positioning and communication resources. ERTMS is directly intended for train separation. Satellite positioning and communication resources could be useful as additional means, but it seems also realistic for trains to experience frequent situations of masking or interference on their link with the satellites. This application is directly related to safety of life, but it seems very dangerous to rely only on the satellite resource. As regards dependability, the unavailability of the GALILEO service for this application leads directly to stopping the train traffic, with important consequences at least on a regional area.

Conclusion :
Failure of Galileo system to provide navigation data is classified VH/H.


5.1.1.1.7 Train Supervision [7]

As described in the application, the train position information is intended to provide an overlay to other traffic control means.
Confidence in the system will be obtained if service interruptions are in the same order of magnitude as all other sources of interruption and if the interruptions are not too frequent. However, the GALILEO service is not the sole means for the train supervision application. The dependability requirements can be relaxed compared to application 6.

Conclusion :
Failure of Galileo system to provide navigation data is classified H/H.

5.1.1.1.8 Energy Optimised Driving Style Manager [8]

This application is intended to provide a scheduled “track plan” optimised from constraints such as time of arrival and fuel consumption. It can be thought of as a “driving aid” application and, since the driver remains “in the loop” for monitoring purposes, no high economical consequences are foreseen in case of service interruption.

Conclusion :
Failure of Galileo system to provide navigation data is classified L/L.

5.1.1.1.9 Fleet Management [9]

In this application, the position information is collected for tasks such as planning updates, maintenance, location of locomotives or rolling stock.
An interruption of Galileo signal will delay commercial exchanges, will affect operational performance and could lead to customers’ claims.
The requirements are high.

Conclusion :
Failure of Galileo system to provide navigation data is classified H/H.

5.1.1.1.10 Track Survey [10]

This application is described as a typical civil engineering survey. In case of impossibility to receive Galileo SIS, back up procedures can be used with little economic effects assuming it does not occur more frequently than once a month. The economical effects are limited to the company in charge of track survey.

Conclusion :
Failure of Galileo system to provide navigation data is classified M/H.

5.1.1.1.11 Passenger Information service [11]

Applications described here need intensive communication resources and good positioning information. Loss of information on train position, time and delays may affect users as they are more and more requesting to be informed in “real time”. Nevertheless, the SIS is a small part of the information chain; the availability performance should be equally allocated between all the parts (data collection, processing, communication, displays,…). It is assumed that the requirement part allocated to Galileo is Low (TBC).

Conclusion :
Failure of Galileo system to provide navigation data is classified L/L.

5.1.1.1.12 Marine Navigation [12] & [13]

For safety reasons, the maritime community currently uses different systems of navigation, avoidance and communication, and will probably not abandon them all in a foreseeable future. Reliable positioning for vessels cruising inshore is essential for safety, particularly for all weather operations. The requirement allocation to Galileo SIS is High.

Conclusion :
Failure of Galileo system to provide navigation data is classified H/H.

5.1.1.1.13 Marine surveillance [14]

The loss of vessels position signal for the Surveillance team should become a problem if the duration of this loss leads to the impossibility to locate a vessel. Depending on its speed, a vessel can travel hundreds of miles in one day. Therefore the vessels concerned by this application cannot accept an interruption time of one day.

Conclusion :
Failure of Galileo system to provide navigation data is classified H/H.

5.1.1.1.14 Marine Engineering [15]

The effects of Galileo SIS will at worst (if it is a sole means) lead to a delay in work progress with economical consequences for the company.

Conclusion :
Failure of Galileo system to provide navigation data is classified M/M (tbd in relation with WP 1).

5.1.1.1.15 Harbour Docking [16]

In the near future, we can imagine computer aided docking systems using satellite-positioning services. Major benefits of these systems would be economic, and a misleading positioning input would have mostly economical consequences. But economic consequences could turn into high scale economic disasters. So, to be efficient, these systems would need dependable positioning input.

Loss of navigation information could lead to a failure of autopilot for docking. This will not prevent hand-over by the pilot in command.


Conclusion :
Failure of Galileo system to provide navigation data is classified H/M.

5.1.1.2 Emergency services

Emergency services are “means oriented” and not “success oriented”. On the other hand, citizens increasingly demand the use of the most efficient means and are not ready to tolerate failures or unavailability of emergency services.

Emergency services by themselves are not Safety Critical but their ability to react efficiently on request makes them Safety Related.

In terms of dependability they all require a good availability of service. But the availability of the SIS should be consistent with all other sources of interruption from other parts of the Emergency service and with the response time of the emergency means. Consequently most of them are classified H/M or VH/M.

5.1.1.2.1 Ambulance : Route Guidance [17] & Vehicle resources management [18]

Galileo service is useful and can become strategic for ambulance applications due to the precise localisation capability of the ambulance and to guide it to the point of intervention.

Safety of life can become affected if there is a delay introduced by Galileo Nav service due either to an erroneous localisation of the intervention point or to the ambulance position.
Loss of information will prevent positioning and delay rescue service. If there is one person to rescue, the consequences are considered MAJOR as it will affect safety margins for the patient but cannot be considered as a direct cause of casualty.
In case of numerous persons to rescue the consequences can be reassessed to SEVERE MAJOR, as the accidental event and a major disorganisation of ambulance services can result from a common event.

On the other hand emergency/ambulance services are designed and trained to cope with emergency conditions using alternate and sound procedures, which helps to decrease the dependability requirements on Galileo. (TBC)

Conclusion :
Failure of Galileo system to provide navigation data is classified H/M.

5.1.1.2.2 Police / Fire : Route Guidance [19] - Vehicle resources management [20] & Pedestrian resource Management [21]

Galileo service is useful and can become strategic for police / fire applications due to the capability to locate the resources precisely and to guide them to the point of intervention. There is no direct economical consequence. The availability requirements must be balanced by all the potential causes of losing SIS (masking, communication, …).

Classification is similar to ambulance service.


Conclusion :
Failure of Galileo system to provide navigation data is classified H/M.

5.1.1.2.3 Police / fire : Vehicle Tracking [22]

The tracking service provides a means for police services to track co-operative or non co-operative vehicles. This application is a help for police. There is no direct economical consequence. The availability requirements must be balanced by all the potential causes of losing SIS (masking, communication, …).

Conclusion :
Failure of Galileo system to provide navigation data is classified M/H or M/M (tbd in relation with WP 1).

5.1.1.2.4 SAR : Alerting Beacons – Marine [23] & [25] – Air [24] – Personal [26]

This service provides a means for a person, a ship or aircraft in distress to send an emergency signal to a SAR Service at a Rescue Co-ordination Centre (RCC).

This application is directly safety related. The key factors are real time precise position location.

Loss of navigation information will prevent positioning and delay SAR service. The consequence is a reduction of safety margins for the people in distress but is not a direct cause of casualty.
The dependability requirement shall be consistent with the response time of the complete SAR chain (from the beacon to the rescue operation). Then a maximum average delay of one hour is not unrealistic.

Conclusion :
Failure of Galileo system to provide navigation data for SAR is classified H/H.

5.1.1.2.5 SAR : Onboard Navigation of SAR units [27]

This application is related to the SAR units, which are 24H/24H. If they rely on Galileo signal to be guided to the rescue site a high dependability is expected.

Conclusion :
Failure of Galileo system to provide navigation data is classified VH/VH.

5.1.1.2.6 General conclusion on emergency services.

The Emergency Service applications are Safety Related but not Safety Critical as stand alone users.
The dependability requirements are High in terms of access to the service, and Medium in terms of frequency of unavailability.


5.1.1.3 Security

5.1.1.3.1 Personal protection: Lone Worker Protection [28]

This application is close to the SAR application as it is related to worker location and distress call.
The availability of the service is linked to economical constraints. If the service is not available, at least two workers are necessary to perform the task in order to be sure that emergency services will be called in case of one worker problem. Then the requirement for the response time to get the service is High and the frequency of unavailability is Medium.

Conclusion :
Failure of Galileo system to provide navigation data is classified H/M.

5.1.1.3.2 Secured Data: Transport of Nuclear Waste [29]

Monitoring transport of nuclear waste using Galileo data can be considered as an improvement.
A loss of navigation information continuity will not affect safety protections taken with regard to radiation. An interruption during one or several days of the localisation of the containers should not become a safety nor an economical problem.

Conclusion :
Failure of Galileo system to provide navigation data is classified L/M.

5.1.1.3.3 Secured Data: Dangerous and valuable loads tracking [30]

As this application is described, failure to localise a dangerous or valuable load has no immediate impact on safety of life or environment.
This application could need continuity / availability for Governmental purposes (TBC). A loss of position during a period shorter than one hour seems acceptable, assuming the localisation becomes possible after this period.
The maximum acceptable loss frequency is estimated at once a week.

Conclusion :
Failure of Galileo system to provide navigation data is classified H/M.

5.1.1.3.4 Traffic surveillance and monitoring

5.1.1.3.4.1 Road Tolling [31]

The impossibility to locate and identify the vehicles on a toll road has direct economical effects on the company incomes. As it is assumed in the application that roadside infrastructure is eliminated, there is no other way to collect toll fees. The economical effects are limited to the company (users will certainly appreciate such failures, unless the economical risk is considered in the normal price).


In a region a loss of service of one hour means that a large number of vehicles will not be charged. This event should not appear more frequently than once a month.

Conclusion :
Failure of Galileo system to provide navigation data is classified H/H.

5.1.1.3.4.2 Road surveillance and Regulatory Enforcement [32]

This application is a “surveillance” application and is more associated to social and legal objectives than linked to economical objectives. A loss of service will reduce the capability of the regulatory authorities to perform their missions, but as the outlaw vehicles should not be aware of the system failure the risk is low as long as the failure is not long and not frequent.

Conclusion :
Failure of Galileo system to provide navigation data is classified H/H.

5.1.2 Mass Market
Mass market users generally expect a high level of dependability from a new system. Their tolerance to system failure is generally low, so their requirements are generally classified H/H. That means they accept to wait for navigation data during one hour once a month.

5.1.2.1 Land and River Navigation

5.1.2.1.1 Cars [33] to [35] - Truck and buses [36] to [38] - Light Commercial Vehicles [40] to [42]

5.1.2.1.1.1 Route Guidance [33, 36 & 40]
This application is related to determining and optimising the route to reach a predetermined destination.
Success of the service will rely on user satisfaction. It is assumed they will accept to wait for navigation data during one hour once a month.

Conclusion :
Failure of Galileo system to provide navigation data is classified H/H.

5.1.2.1.1.2 Information Services [34, 37 & 41]
The purpose of the application differs from route guidance, but the user will have the same dependability requirements.

Conclusion :
Failure of Galileo system to provide navigation data is classified H/H.


5.1.2.1.1.3 Emergency call breakdown, Theft and recovery [35, 38 & 42]

This application is related to Emergency Calls, Breakdown Calls, vehicle recovery after theft.

The Emergency Call function is similar to the SAR function. But the embedded system can be considered as an “added means” to reduce the rescue intervention delay in case of crash. This added means is not permanently monitored, is subject to hidden failures, and cannot be efficient for all crash scenarios. It is considered as Safety Enhanced. The availability requirements for Galileo service should be consistent with the expected reliability of mass market transponders, of GNSS sensors and with the probability of the initiating event which requires the application.

Conclusion :
Failure of Galileo system to provide navigation data is classified H/M.

5.1.2.1.2 All road Vehicles : Advanced Driver Assistance Systems [39]

As far as navigation data is used to perform navigation and guidance functions, the worst consequence associated to a loss of information should be minor because the driver remains in the loop for vehicle control and collision avoidance. The dependability requirement is then driven by user satisfaction to have an operational system (certainly a degraded performance could be acceptable for him…).

Galileo navigation data can be used for car auto piloting only in combination with complementary sensors. If not, the navigation data becomes safety critical and will require a very high dependability level.

Conclusion :
Failure of Galileo system to provide navigation data is classified VH/VH if used as a sole means for Vehicle auto piloting. Otherwise a classification VH/H could be acceptable.

5.1.2.1.3 Inland Waterways [43] to [45]

5.1.2.1.3.1 Vessel Navigation [43]

It is considered that in the future, the navigation system could change from an additional aid to the skipper to a primary means. In case of loss of service, “classical” means of navigation must be used, increasing crew workload and possible delays with economical effects at the company level.

Conclusion :
Failure of Galileo system to provide navigation data is classified H/H.

5.1.2.1.3.2 Vessel services [44]

As far as dependability is concerned, it is assumed that Galileo provides only a vessel tracking service that helps the user for travel preparation, route guidance, and traffic control and information.


A loss of service could lead to possible delays with economic effects at the company level.

Conclusion: Failure of the Galileo system to provide navigation data is classified H/M.

5.1.2.1.3.3 Dredging and maintenance [45]

A loss of service could lead to possible delays with economic effects at the company level.

Conclusion: Failure of the Galileo system to provide navigation data is classified M/H.

5.1.2.2 Personal Navigation [46] to [49]

5.1.2.2.1 Personal Outdoor Recreation [46] to [48]

This application includes yachting, recreational aircraft, golf, hiking, rambling, cycling, marine leisure. The users' confidence in the system will depend on their previous experiences with similar systems (GPS, GSM…). At worst a temporary loss of signal will have detrimental commercial consequences. Failure of the Galileo system to provide navigation data is therefore classified H/M.

5.1.2.2.2 Location based communication services [49]

The scope of service is very wide. It is assumed that users will have requirements similar to those of other mass market applications (TBC).

Conclusion: Failure of the Galileo system to provide navigation data is classified H/M.

5.1.3 Professional market

5.1.3.1 Timing

5.1.3.1.1 Network synchronisation for Telecom [50], Power generation and distribution [51], digital broadcasting [52]

This application is intended to provide time tagging and conditioning of time and frequency references for telecommunication network management systems (both wireless and wireline), references for power network management systems, and new digital broadcasting systems.

As it is not a real-time application, the user who calls the service can accept waiting one hour for it or, occasionally, not accessing it at all, without major impact on the user's applications (the time parameter is not lost when the service is unavailable; the time drift in the user application is a slow process, which does not preclude using an application for a given time).

Conclusion: Failure of the Galileo system to provide navigation data is classified H/L.


5.1.3.1.2 Satellite monitoring / navigation (ground based) [53]

The GALILEO system is used here to disseminate timing signals for monitoring and tracking of other satellite systems (ground based). For the same reasons as applications 50, 51 and 52, it is assumed that the user can wait one hour to access the service. However, as it is used to monitor and track ground-based satellite systems, the loss frequency of the service needs to be lower (1 per week maximum).

Conclusion: Failure of the Galileo system to provide navigation data is classified H/M.

5.1.3.1.3 Maintenance of international time standards [55]

GALILEO is used for the maintenance and development of international time standards (time transfer between primary time standards).

As the drift of the time parameter in an atomic clock is a very slow process, it is assumed that this application does not involve stringent constraints from a RAM point of view. In case of non-access or postponed access to the service, the user does not lose operational applications; the user can wait and call the service again without notable degradation of the performance of those applications.

Conclusion: Failure of the Galileo system to provide navigation data is classified L/L.

5.1.3.1.4 Frequency/time calibration services [56]

GALILEO is used to disseminate time and information standards to secondary time/frequency standards.

Same comments as for Id [55].

Conclusion: Failure of the Galileo system to provide navigation data is classified L/L.

5.1.3.1.5 Time tagging for general user [57]

The GALILEO system is used to provide time stamps and/or clock synchronisation for professional stationary applications (e-commerce, time stamping authorities, electronic banking, traffic light regulation, quality assurance systems).

For this type of application, the service has to be available within a relatively short period and non-access to the service cannot be too frequent. Even though these are not real-time applications, unavailability of the service can rapidly have significant impacts (economic, legal, ...) at a regional or national scale. It is assumed in this case that the maximum acceptable time to access the service is one hour, with a maximum non-access frequency of one per month.

Conclusion: Failure of the Galileo system to provide navigation data is classified H/H (tbc : DRS DD-132V1-PVE-01 id 15).

5.1.3.2 Space

5.1.3.2.1 Space market [58, 59, 60, 61]


GNSS is used to position, and to allow approach and docking of, space vehicles, formation flying spacecraft and space stations. These missions cannot easily be postponed and restarted without very significant economic and technical impacts. Thus, when it is called, the service has to be available in a very short time (not exceeding 1 minute), with a very high probability of obtaining it (maximum frequency of not having the service: one per year). In this context the service has to be provided with a high level of availability.

Conclusion: Failure of the Galileo system to provide navigation data is classified VH/VH.

5.1.3.3 Scientific applications

5.1.3.3.1 Geodesy applications [62, 63]

GALILEO will provide new sophisticated equipment for scientific studies that will complement all other means. Geodesic applications use the GALILEO signal either to provide a co-ordinate reference system and high-precision measurements for regional and global networks, or to obtain the precise position of geodetic sensors.

These applications require accuracy but are not time constrained, leaving time to cope with a loss of signal or to detect erroneous data. However, the loss of the GALILEO service can affect regional or global networks in the first case; in the second case the sensors are installed on ships and aircraft whose missions are time constrained.

Conclusion: Failure of the Galileo system to provide navigation data is classified M/M.

5.1.3.3.2 Meteo forecasting ionosphere [64, 65, 67]

These applications correspond to non-time-constrained processes, which can be postponed without significant impact.

Application [67], which involves a receiver on a radiosonde, is slightly more stringent because the launch of a radiosonde is a more time-constrained period. The dependability constraints are thus slightly more restrictive.

Conclusion: Failure of the Galileo system to provide navigation data is classified L/L for [64, 65] and M/L for [67].

5.1.3.4 Precision surveying (Id 68)

These applications are related to hydrographic survey. They correspond to non-time-constrained processes, leaving time to cope with non-access to the service. The mission can be postponed and/or restarted without significant impact for the user.

Conclusion: Failure of the Galileo system to provide navigation data is classified L/L (tbd in relation with WP 1).


5.1.3.5 Oil & Gas

5.1.3.5.1 [69,70,71,73,74]

These applications are related to:
• Marine and land seismic acquisition,
• Site survey,
• Land and transition zone seismic exploration,
• Rig Positioning and associated anchor vessels,
• VSP operation positioning.

The GALILEO system provides, in this context, precise positioning and navigation information for vessels and vehicles. It seems that these applications involve a real-time process (cf. WP 1). Given the mission time of these activities, it can be assumed that the service being unavailable no more than once a week could be acceptable.

Conclusion: Failure of the Galileo system to provide navigation data is classified H/M.

5.1.3.5.2 FPSO positioning [72]

For this specific application, which is directly linked to production activity, non-access to the GALILEO service can rapidly lead to an unacceptable situation with economic consequences. The availability constraint is higher than for the previous ones.

Conclusion: Failure of the Galileo system to provide navigation data is classified H/H.

5.1.3.6 Vehicle control and robotics (Id 78, 79, 80)

In this sector the GALILEO system is intended to provide data for positioning of pilotless aerial platforms (including aeroplanes, helicopters, airships), autonomous underwater vehicles or enhanced vehicle control.

These robots perform laborious, tedious, continuous and repetitive tasks in place of a human operator.

The related activities are time constrained and require a high level of availability (short response time) when the service is called. However, because the mission profiles are more occasional, it is assumed that the maximum acceptable non-access frequency to the service is around once per week.

Conclusion: Failure of the Galileo system to provide navigation data is classified VH/M (tbc : DRS DD-132V1-PVE-01 id 16).


5.1.3.7 Construction and civil engineering [81, 82]

A high level of accuracy is needed for these applications, but at the construction site scale, considering the environmental and operational process of construction and civil engineering activities, a maximum of one day to postpone a task, or non-access to the service once per week, is assumed to be acceptable for the user.

Conclusion: Failure of the Galileo system to provide navigation data is classified M/M.

5.1.3.8 Land survey and GIS mapping [83]

The Galileo positioning/navigation service can be used to update or generate maps with various levels of accuracy depending on the final user of the map. Galileo provides a new tool for the mapping sector with potentially high benefits.

Establishing sea charts cannot be done in a one-stream process from raw positioning information. It is the result of a complex process of correlation and comparison with previous charts and data.

Service unavailability at a one-day scale, or occasional non-access to the service, is assumed not to lead to significant impacts for the user. No high availability constraint is required for these applications.

Conclusion: Failure of the Galileo system to provide navigation data is classified L/L (tbd in relation with WP1).

5.1.3.9 Fleet Management [84]

Fleet management is based on positioning mobile vehicles and communicating their position to a management station.

As this application is directly linked to optimisation of fleet management, the availability of the GALILEO service is important for the user mission. Moreover, in case of failure of the GALILEO service, consequences can potentially be observed at regional or national level. The availability constraints are high.

Conclusion: Failure of the Galileo system to provide navigation data is classified H/H.

5.1.3.10 Asset management [85,86,87]

Asset management covers both mapping and locating fixed assets and tracking of movable assets (containers, trailers, vehicles for anti-theft, livestock, weather balloons…).


The first category, management of fixed assets, is not a time-constrained application. Moreover, on failure of the GALILEO service, the activity can be postponed without major impact at the level of the user or community of users. The availability constraints are low.

Conclusion: Failure of the Galileo system to provide navigation data is classified L/L for [85].

For intermodal cargo operation, the availability constraints can be considered higher because of relatively short transitory operations in the process, which cannot be stopped frequently or for a long period without significant impact.

Conclusion: Failure of the Galileo system to provide navigation data is classified H/M for [86].

The asset tracking application can be considered to lie midway between the two previous applications.

Conclusion: Failure of the Galileo system to provide navigation data is classified M/M for [87] (tbd in relation with WP1).

5.1.3.11 Precision agriculture [88, 89, 90]

The applications described here are related to positioning of agricultural machines (combine harvester, tractor, spray control machine, fertiliser spreader apparatus, crop dusting aircraft) to control chemicals.

Except for crop dusting by aircraft, which could be more restrictive from a dependability point of view, the first two activities are not significantly impacted by non-access to, or waiting for, the GALILEO service. The missions can be postponed or reorganised.

Conclusion: Failure of the Galileo system to provide navigation data is classified L/L for [88, 89].

For crop dusting by aircraft, the mission may be considered more time constrained and requires a higher availability level.

Conclusion: Failure of the Galileo system to provide navigation data is classified M/M for [90] (tbd in relation with WP1).

5.1.3.12 Fisheries & Exclusive Economic Zone [91, 92]

It is assumed that these activities can accept waiting for the GALILEO service for a given time (around one day max) or not accessing it once per week without significant impact for users or the community of users. The fishing campaign is delayed by one day but is not completely lost with important economic consequences.


Conclusion: Failure of the Galileo system to provide navigation data is classified M/M.

5.1.3.13 Environment

These applications are not time constrained but need the GALILEO service to be available on a time scale shorter than one day, with a service failure frequency of no more than once per week. Above these thresholds, economic impact at community level may be considered.

Conclusion: Failure of the Galileo system to provide navigation data is classified H/M for [93, 94, 95].

For application [96] (animal tracking), it is considered that the impact of a failure of the GALILEO service is less important (no economic consequences at community level).

Conclusion: Failure of the Galileo system to provide navigation data is classified L/L for [96].

5.1.3.14 Mining

5.1.3.14.1 3D positioning of mine machinery [97]

This application is involved in real-time activity. Failure of the GALILEO service rapidly impacts exploitation and thus has economic consequences.

Conclusion: Failure of the Galileo system to provide navigation data is classified H/H.

5.1.3.14.2 Mine surveying [98]

This application is not directly linked to real-time activity. The maximum acceptable waiting time to access the service may be around one day without significant impact. However, the maximum frequency of non-access to the GALILEO service must not be higher than once per month in order not to impact the mine surveying tasks.

Conclusion: Failure of the Galileo system to provide navigation data is classified M/H (tbd in relation with WP1).

5.1.3.14.3 Autonomous mining vehicles [99]

This application involves time positioning and velocity information. The access time to the service has to be very short to fully meet the application parameters. The acceptable maximum frequency of non-access to the GALILEO service is once per month, so as not to lead to significant consequences.


Conclusion: Failure of the Galileo system to provide navigation data is classified VH/H.

5.1.3.14.4 Truck dispatch [100]

This application is a key element of the mining exploitation activity. The consequence if truck dispatch is lost is significant, especially economically.

Conclusion: Failure of the Galileo system to provide navigation data is classified H/H.


Table 3 : Proposed Availability Classification per application

| Appl # [DR2] | PDA chapter | Market | Application | Application Type | User Priority [DR1] | Position Availability [DR1] (%) | Δt (continuity) | Integrity Yes / No (Priority) | Proposed service level | Availability classification: Tmax | Availability classification: Frmax | Comment |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Safety of Life and Security | | | | | | | | | | | | |
| 5.1.1.1 Transport of Passengers and Goods | | | | | | | | | | | | |
| 1 | 5.1.1.1.1 | Air | Commercial Air Transport (IFR) | Navi. | H | 100 | 1 hr | Y (H) | SAS-G SAS-R SAS-RM EGNOS | H | VH | Pbe because CAT2 & 3 added and Non Compliance |
| 2 | 5.1.1.1.2 | | Commercial Air Transport (Surveillance) | Separ | H | 100 | 1 hr | Y (H) | SAS-G SAS-R SAS-RM EGNOS | VH | VH | |
| 3 | 5.1.1.1.3 | | General Aviation (IFR) | Navi. | TBC | TBC | TBC | TBC | SAS-G SAS-R SAS-RM EGNOS | H | VH | |
| 4 | 5.1.1.1.4 | | Deleted by WP 1 | | | | | | | | | |
| 5 | 5.1.1.1.5 | | General Aviation (Surveillance) | Separ. | TBC | TBC | TBC | | SAS-G SAS-R SAS-RM EGNOS | VH | VH | |
| 6 | 5.1.1.1.6 | Rail | Train Control | Separ. | H | 99,98 | TBD | Y (H) | SAS-L | VH | H | |
| 7 | 5.1.1.1.7 | | Train Supervision | Superv. | H | 99,9 | 1 year | Y (H) | CAS1-G | H | H | Not SC (WP1) |
| 8 | 5.1.1.1.8 | | Energy optimised driving style manager | Manag. | H | 99,9 | 1 year | Y (M) | OAS-G1 CAS-G ? | L | L | |
| 9 | 5.1.1.1.9 | | Fleet Management | Manag. | M | 99 | TBD | N (L) | CAS1-G | H | H | Not SC (WP1) |
| 10 | 5.1.1.1.10 | | Track survey | Track. | M | 99,5 | 1 year | N (L) | CAS1-L3 | M | H | |
| 11 | 5.1.1.11.1 | | Passenger information service | Info. | L | 98 | 1 year | N (L) | OAS-G2 OAS-GH | L | L | |
| 12 | 5.1.1.1.12 | Maritime | Marine Navigation (Unregulated) | Navi. | M? | 99,9 | 15 s | Y (H) | SAS-G SAS-R SAS-L ? | M/H | H | |
| 13 | 5.1.1.1.12 | | Marine Navigation (Regulated) | Navi. | H? | 99,9 | 15 s | Y (H) | SAS-G, SAR-R SAS-L ? | H | H | |
| 14 | 5.1.1.1.13 | | Marine Surveillance (Regulated) | Separ. | H? | 99,9 | 15 s | Y (H) | SAS-G, SAR-R SAS-L ? | M | H | |
| 15 | 5.1.1.1.14 | | Engineering | Posit. | M | 99,8 | 15 s | N (L) | CAS1-L3 | M | M | |
| 16 | 5.1.1.1.15 | | Harbour Docking | Separ. | H | 99,8 | 15 s | Y (H) | CAS1-L2 CAS1-L3 | H | M(H) | |
| 5.1.1.2 Emergency Services | | | | | | | | | | | | |
| 17 | 5.1.1.2.1 | Ambulances | Route Guidance | Posit. SAR | TBC | TBC | TBD | TBC | GAS-G GAS-L CAS1-G | H | M | |
| 18 | 5.1.1.2.1 | | Vehicle Resource Management | Manag. | H | 99 ? | TBD | Y (M) | GAS-G GAS-L CAS1-G | H | M | |
| 19 | 5.1.1.2.2 | Police/Fire | Route Guidance | Posit. | TBC | TBC | TBD | TBC | GAS-G GAS-L CAS1-G | H | M | |
| 20 | 5.1.1.2.2 | | Vehicle Resource Management | Manag. | H | 99,9 | TBD | Y (M) | GAS-G GAS-L CAS1-G | H | M | |
| 21 | 5.1.1.2.2 | | Pedestrian Resource Management | Manag. | H | 99,9 | TBD | Y (M) | GAS-G GAS-L CAS1-G | H | M | |
| 22 | 5.1.1.2.3 | | Vehicle Tracking | Track. | H | 99 | TBD | Y (M) | GAS-G GAS-L CAS1-G | M | H(M) | |
| 23 | 5.1.1.2.4 | Search & Rescue | Alert Beacons (Marine Professional) | Posit. SAR | H | 99 ? | TBD | Y (M) | CAS1-G SAS-G GAS-G | H | H | |
| 24 | 5.1.1.2.4 | | Alert Beacons (Air) | Posit. SAR | H | 99 ? | TBD | Y (M) | CAS1-G SAS-G GAS-G | H | H | |
| 25 | 5.1.1.2.4 | | Alert Beacons (Marine Recreational) | Posit. SAR | H | 99 ? | TBD | Y (M) | CAS1-G | H | H | |
| 26 | 5.1.1.2.4 | | Alert Beacons (Personal) | Posit. SAR | H | 99 ? | TBD | Y (M) | CAS1-G | H | H | |
| 27 | 5.1.1.2.5 | | Onboard Navigation of SAR units (Air & Sea) | Navi. SAR | H | TBC | TBD | Y (M) | SAS-G GAS-G | VH | VH | |
| 5.1.1.3 Security | | | | | | | | | | | | |
| 28 | 5.1.1.3.1 | Personal Protection | Lone Worker Protection | Posit. SAR | M | 99 | NA | Y (M) | CAS1-GS | H | M | |
| 29 | 5.1.1.3.2 | | Transport of Nuclear Waste | Navi. | H | 99,9 | TBD | Y (M) | GAS-G | L | M | |
| 30 | 5.1.1.3.3 | Secured Data | Tracking of Very Valuable or Dangerous Goods | Track. | L | 99 | NA | N (L) | GAS-G GAS-L | H | M | |
| 31 | 5.1.1.3.4.1 | | Road Tolling | Manag. | M | 99 | NA | Y (M) | CAS1-G CAS1-GH | H | H | |
| 32 | 5.1.1.3.4.2 | Traffic surveillance & monitoring | Road Surveillance and Regulatory Enforcement | Separ. | TBC | TBC | TBC | TBC | GAS-G GAS-L | H | H | |
| Mass Market | | | | | | | | | | | | |
| 5.1.2.1 Land and River Navigation | | | | | | | | | | | | |
| 33 | 5.1.2.1.1.1 | | Route Guidance | Posit. | M | 99 | NA | N (L) | OAS-GS OAS-GH | H | H | |
| 34 | 5.1.2.1.1.2 | | Information Services | Info. | M | 99 | NA | N (L) | OAS-GS OAS-GH | H | H | |
| 35 | 5.1.2.1.1.3 | Cars, Motorcycles | Emergency Call Breakdown Theft and Recovery | Posit. | M | 99 | NA | N (L) | OAS-G1 OAS-G2 OAS-GH | H | M | |
| 36 | 5.1.2.1.1.1 | | Route Guidance | Posit. | TBC | TBC | TBC | TBC | OAS-GS OAS-GH CAS1-GS CAS1-GH | H | H | CAS1 if integrity needed |
| 37 | 5.1.2.1.1.2 | | Information Services | Info. | TBC | TBC | TBC | TBC | OAS-GS OAS-GH CAS1-GS CAS1-GH | H | H | CAS1 if integrity needed |
| 38 | 5.1.2.1.1.3 | Trucks and Buses | Emergency Call Breakdown Theft and Recovery | Posit. | TBC | TBC | TBC | TBC | OAS-G1 OAS-G2 OAS-GH CAS1-GS CAS1-GH | H | M | CAS1 if integrity needed |
| 39 | 5.1.2.1.2 | Cars, Motorcycles | Advanced Driver Assistance System | Separ. | H | 99,9 | TBD | Y (H) | CAS1-L1 CAS1-GH SAS-L | VH | VH | |
| 40 | 5.1.2.1.1.1 | Light Commercial Vehicles | Route Guidance | Posit. | H | 99 | TBD | N (L) | OAS-GS OAS-GH CAS1-GS CAS1-GH | H | H | CAS1 if integrity needed |
| 41 | 5.1.2.1.1.2 | | Information Services | Info. | M | 95 | TBD | N (L) | OAS-G1 OAS-GH CAS1-GS CAS1-GH | H | H | CAS1 if integrity needed |
| 42 | 5.1.2.1.1.3 | | Emergency Call Breakdown Theft and Recovery | Posit. | M | 99 | TBD | N (L) | OAS-G1 OAS-GH CAS1-G CAS1-GS CAS1-GH | H | H | CAS1 if integrity needed |
| 43 | 5.1.2.1.3.1 | Inland Waterways | In-Vessel Navigation | Navi. | H | 99,8 | 15 s | Y (H) | CAS1-G OAS-GS SAS-G | H | H | |
| 44 | 5.1.2.1.3.2 | | Vessel Services | Separ. Info. | M | 99,8 | TBD | Y (M) | CAS1-GS | H | M | |
| 45 | 5.1.2.1.3.3 | | Dredging and maintenance | Posit. | M | 99 | TBD | N (L) | Not Mapped | M | H | Tbd New application |
| 5.1.2.2 Personal Navigation | | | | | | | | | | | | |
| 46 | 5.1.2.2.1 | Personal Outdoor Recreation | Personal Outdoor Recreation (Hiking/Rambling/Cycling) | Posit. Navi. | L | 99 | NA | N (L) | OAS-GS | H | M | |
| 47 | 5.1.2.2.1 | | Recreational Flying | Posit. Navi. | TBC | TBC | TBC | TBC | SAS-G | H | M | |
| 48 | 5.1.2.2.1 | | Marine Leisure Vessels (Yachts & Motor Vessels) | Posit. Navi. | L | 99 | NA | N (L) | SAS-G | H | M | |
| 49 | 5.1.2.2.2 | Integration of Personal Com. & Nav. | Location Based Communication Services | Posit. | L | 99 | NA | N (L) | OAS-G1 OAS-GH CAS1-G | H | M | CAS1 if integrity needed |
| Professional Market | | | | | | | | | | | | |
| 5.1.3.1 Timing | | | | | | | | | | | | |
| 50 | 5.1.3.1.1 | Time | Network Synchro for Telecom | Manag. | TBC | TBC | TBC | TBC | SAS-RM GAS-G | H | L | |
| 51 | 5.1.3.1.1 | | Network Synchro for Power generation & distribution | Manag. | TBC | TBC | TBC | TBC | SAS-RM GAS-G | H | L | |
| 52 | 5.1.3.1.1 | | Network Synchro for Digital Broadcasting | Manag. | TBC | TBC | TBC | TBC | SAS-RM GAS-G | H | L | |
| 53 | 5.1.3.1.3 | | Satellite Monitoring / Navigation (ground based) | Superv. Navi. | TBC | TBC | TBC | TBC | SAS-G (tbc) | H | M | |
| | | | APPLICATION DELETED | | | | | | | | | |
| 55 | 5.1.3.1.3 | | Maintenance of International Time Standards | Manag. | TBC | TBC | TBC | TBC | GAS-G | L | L | |
| 56 | 5.1.3.1.4 | | Frequency / Time Calibration Services | Manag. | M | 99 | TBD | N (L) | SAS-RM | L | L | |
| 57 | 5.1.3.1.5 | | Time Tagging for General User | Manag. | TBC | TBC | TBC | TBC | OAS-G1 | H | H | |
| 5.1.3.2 Space | | | | | | | | | | | | |
| 58 | 5.1.3.2.1 | Space | Satellite Attitude & Orbit Determination | Posit. Navi. | M | 99 | NA | N (L) | Not Mapped | VH | VH | Tbd New application |
| 59 | 5.1.3.2.1 | | Rendez-Vous & Docking of Space Vehicles | Separ. | TBC | TBC | TBC | TBC | | VH | VH | Tbd New application |
| 60 | 5.1.3.2.1 | | Non-military Space Launchers | Navi. | TBC | TBC | TBC | TBC | | VH | VH | Tbd New application |
| 61 | 5.1.3.2.1 | | Remote Sensing | Posit. | TBC | TBC | TBC | TBC | | VH | VH | Tbd New application |
| 5.1.3.3 Scientific Applications | | | | | | | | | | | | |
| 62 | 5.1.3.3.1 | | Reference Frame Maintenance and Deformation Monitoring | Posit. | L | 99 | TBD | N (L) | CAS1-L3 (TBD) | M | M | |
| 63 | 5.1.3.3.1 | Geodesy | Precise Positioning for Geodetic Sensors | Posit. | L | 99 | TBD | N (L) | CAS1-L3 | M | M | |
| 64 | 5.1.3.3.2 | Meteo Forecasting Ionosphere | Measurement of Total Electron Content of Ionosphere | ??? | M | 99 | NA | N (L) | Not Mapped | L | L | Tbd New application |
| 65 | 5.1.3.3.2 | | Measurement Atmosph. Water Vapour | ??? | M | 99 | NA | N (L) | Not Mapped | L | L | Tbd New application |
| 66 | | | Deleted by WP 1 | | | | | | | | | |
| 67 | 5.1.3.3.2 | | Radiosonde Tracking | Posit. Track. | TBC | TBC | TBC | TBC | Not Mapped | M | L | Tbd New application |
| 5.1.3.4 Precision Surveying | | | | | | | | | | | | |
| 68 | 5.1.3.4 | Precision Surveying | Hydrographic survey | Posit. | M | 99 | TBD | Y (M) | CAS1-L3 | L | L | |
| 5.1.3.5 Oil & Gas | | | | | | | | | | | | |
| 69 | 5.1.3.5.1 | Oil & Gas | Marine Seismic Exploration | Posit. Navi. | H | 99,9 | TBD | Y (M) | CAS1-L1 CAS1-L2 | M | M | |
| 70 | 5.1.3.5.1 | | High Resolution Seismic Site Survey | Posit. Navi. | M | 99,9 | TBD | Y (M) | CAS1-L1 CAS1-L2 | M | M | |
| 71 | 5.1.3.5.1 | | Land and Transition zone Seismic Exploration | Posit. Navi. | H | 99,9 | TBD | Y (M) | CAS1-L1 CAS1-L2 | M | M | |
| 72 | 5.1.3.5.2 | | FPSO Positioning | Posit. | H | 99,9 | TBD | Y (M) | CAS1-L1 CAS1-L2 SAS-L | H | H | |
| 73 | 5.1.3.5.1 | | Rig Positioning & Associated Anchor Handling Vessel Positioning | Posit. | H | 99,9 | TBD | Y (M) | CAS1-L1 CAS1-L2 | M | M | |
| 74 | 5.1.3.5.1 | | VSP Operations | Posit. | H | 99,9 | TBD | Y (M) | CAS1-L1 CAS1-L2 | M | M | |
| 5.1.3.6 Vehicle Control and Robotics | | | | | | | | | | | | |
| 78 | 5.1.3.6 | | Unmanned Aerial Vehicles | Posit. Navi. | H | 99,9 | TBD | N (L) | CAS1-L1 SAS-L | VH | M | |
| 79 | 5.1.3.6 | | Autonomous Land-based Vehicles | Posit. Navi. | H | 99,9 | TBD | Y (H) | CAS1-L1 SAS-L | VH | M | |
| 80 | 5.1.3.6 | Vehicle Control & Robotics | Autonomous Underwater Vehicles | Posit. Navi. | H | 99,9 | TBD | Y (M) | CAS1-L2 CAS1-L1 SAS-L | VH | M | |
| 5.1.3.7 Construction and Civil Engineering | | | | | | | | | | | | |
| 81 | 5.1.3.7 | | Setting Out & As-Built | Posit. | M | 99 | 24 hr | Y (M) | CAS1-L3 | M | M | |
| 82 | 5.1.3.7 | Construction and civil engineering | Mobile Structure Positioning | Posit. | M | 99 | 24 hr | Y (M) | CAS1-L3 | M | M | |
| 5.1.3.8 Land Survey and GIS Mapping | | | | | | | | | | | | |
| 83 | 5.1.3.8 | Land Survey and GIS Mapping | Land & Cadastral Survey, Mapping and GIS | Posit. | M | 99 | NA | N (L) | CAS1-L3 | L | L | |
| 5.1.3.9 Fleet Management | | | | | | | | | | | | |
| 84 | 5.1.3.9 | Fleet Management | Management of a Fleet of Buses/taxies/trucks | Manag. | M | 99 ? | NA | N (L) | OAS-GS OAS-GH CAS1-GS | H | H | CAS1 if integrity needed |
| 5.1.3.10 Asset Management | | | | | | | | | | | | |
| 85 | 5.1.3.10 | | Mapping and Locating fixed Assets | Manag. | L | 95 | NA | N (L) | CAS1-GS | L | L | |
| 86 | 5.1.3.10 | | Intermodal Cargo Operation | Manag. | L | 99 | NA | N (L) | CAS1-L1/L2 | H | M | |
| 87 | 5.1.3.10 | Asset Management | Asset Tracking | Manag. | L | 95 | NA | N (L) | CAS1-GS | M | M | |
| 5.1.3.11 Precision Agriculture | | | | | | | | | | | | |
| 88 | 5.1.3.11 | Precision Agriculture | Yield Monitoring & Chemical Spraying | Posit. Navi. | M | 99 | TBD | N (L) | CAS1-L1/L2 | L | L | |
| 89 | 5.1.3.11 | | Locating for Soil Sampling and Weed / Pest Infestations | Posit. | M | 99 | TBD | N (L) | CAS1-L1/L2 | L | L | |
| 90 | 5.1.3.11 | | Crop Dusting by Aircraft | Posit. Navi. | H | 99 | TBD | N (L) | CAS1-L1/L2 | M | M | |
| 5.1.3.12 Fisheries and EEZ | | | | | | | | | | | | |
| 91 | 5.1.3.12 | | Navigation and Monitoring of Fishing Vessels | Posit. Navi. | L | 99 | TBD | N (L) | CAS1-G | M | M | |
| 92 | 5.1.3.12 | Fisheries and EEZ | Monitoring Fishing Applications | Posit. Manag. | L | 99 | TBD | N (L) | CAS1-G | M | M | |
| 5.1.3.13 Environment | | | | | | | | | | | | |
| 93 | 5.1.3.13 | Environment | Land and Environmental Mapping and Studies | Posit. Manag. | TBC | TBC | TBC | TBC | Not Mapped | M | M | Tbd New application |
| 94 | 5.1.3.13 | | Oceanographic and Cryospheric Mapping for Environmental Studies | Posit. Manag. | TBC | TBC | TBC | TBC | Not Mapped | M | M | Tbd New application |
| 95 | 5.1.3.13 | | Atmospheric Environmental Studies | Posit. | TBC | TBC | TBC | TBC | Not Mapped | M | M | Tbd New application |

96 5.1.3.13 Animal Tracking Track. TBC TBC TBC TBC Not

MappedL L Tbd

Newapplication

5.1.3.14 Mining97 5.1.3.14.

13DPositioning ofMineMachinery

Posit. H 99,9 TBD Y (M) CAS1-L3 H H

98 5.1.3.14.2

SiteSurveying

Posit. H 99,9 TBD N (L) CAS1-L3 M H

99 5.1.3.14.3

AutonomousMiningVehicles

Posit.Navi.

CAS1-L1(tbc)CAS1-L3

VH H

100 5.1.3.14.4

Mining

TruckDispatch

Manag. CAS1-L1(tbc)CAS1-L3

H H


5.1.4 Synthesis of dependability analysis on user application

5.1.4.1 Syntheses of application mapping according to dependability requirements

The distribution of applications is illustrated in the following table.

| T \ Fr | VH | H | M | L |
|---|---|---|---|---|
| VH | Applications: 2, 5, 27, 39, 58(NM), 59(NM), 60(NM), 61(NM). Qty: 8 | Applications: 6, 99(tbc). Qty: 2 | Applications: 78, 79, 80 (robotics). Qty: 3 | Applications: -. Qty: 0 |
| H | Applications: 1, 3. Qty: 2 | Applications: 7, 9, 12, 13, 14, 23, 24, 25, 26, 31*, 32, 33, 34, 36, 37, 40, 41, 42, 43, 57, 72, 84, 97, 100. Qty: 24 | Applications: 16, 17, 18, 19, 20, 21, 28, 30, 35, 38, 44, 46, 47, 48, 49, 53(tbc), 69, 70, 71, 74, 86, 93(NM), 94(NM), 95(NM). Qty: 24 | Applications: 50, 51, 52 (timing). Qty: 3 |
| M | Applications: -. Qty: 0 | Applications: 10, 22, 45(NM), 98. Qty: 4 | Applications: 15, 62(tbd), 63, 73, 81, 82, 87, 90, 91, 92. Qty: 10 | Applications: 67(NM). Qty: 1 |
| L | Applications: -. Qty: 0 | Applications: -. Qty: 0 | Applications: 29. Qty: 1 | Applications: 8, 11, 55, 56, 64(NM), 65(NM), 68, 83, 85, 88, 89, 96(NM). Qty: 12 |

NM: Not mapped

Table 4 : Synthesis of availability classification per application

Note : This classification has been modified after being the subject of a first iteration with WP1 (RACAL).


As a reminder, the dependability classification has been set on economic consequences at global country level for a group of users, or at corporate / company level (several receivers), and not at individual level (one receiver; a group of users includes several individual users).

We have identified three dependability statuses :
♦ Application RAM Critical
♦ Application RAM Essential
♦ Application RAM Non Essential.

| T \ Fr | VH (1/yr) | H (1/m) | M (1/wk) | L (1/day) |
|---|---|---|---|---|
| VH (1’) | C | C | E | N/A |
| H (1hr) | C | E | E | N/A |
| M (1day) | E | E | E | NE |
| L (>1day) | N/A | N/A | NE | NE |

N/A : no application identified in these areas.

Table 5 : RAM Status

Each status can be defined as:

RAM CRITICAL
Includes applications using SIS for real time control or surveillance. A loss of SIS leads to high direct economic consequences on the user (direct economic consequences for users or indirect economic consequences for the GALILEO system operator), with direct collateral effects on the user’s customers.

The Dependability requirements are to be specified in § 5.6.

RAM ESSENTIAL
Includes applications using SIS to :
♦ enhance user safety (SAR, Emergency call, Emergency services guidance)
♦ improve company efficiency (direct economic effects, but limited to the company)
♦ improve individual comfort (consequences on the public image of the service)

The Dependability requirements are to be specified in § 5.6.

RAM NON ESSENTIAL
Includes applications which use SIS for measurements with low response time. They are tolerant to a loss of SIS. The choice of Galileo Service is mainly based on accuracy performance, not on availability performance. These applications will use Galileo services designed for RAM Critical and/or RAM Essential applications and have no specific dependability constraints.

No specific Dependability Requirements are set for RAM Non Essential applications.


5.1.4.2 Interface with Safety Classifications.

In the “Preliminary Hazard Analysis” a Safety status is identified for each application :
♦ Safety Critical
♦ Safety Related
♦ Safety Enhanced
♦ Non Safety.

A cross-check between Applications Safety status and RAM Status shows :
♦ RAM Critical applications include most of the Safety Critical applications (Air traffic, train,…).
♦ RAM Essential applications include Safety Related and Safety Enhanced Applications. Some Safety Critical applications are mapped in RAM Essential (78: Uninhabited aircraft, 79: Ground robotics, 16/43: vessels control, 72: FPSO positioning, 47: recreational flying).
♦ RAM Non Essential applications are Non Safety applications.

This analysis reveals a possible conflict between contradictory requirements : a high level of safety can only be obtained by adding features (integrity, redundancies, checks, votes,…) which may add failure causes and thus may degrade the reliability and, finally, the availability.

N.B. : For Applications linked to “security”, the previous remark applies to the features installed to protect against threats.

5.1.4.3 Mapping application/service

Using the application/service mapping, the results of the previous classification have been transformed into an equivalent classification per service level. The detailed tables are in appendix 8.1. This classification makes it possible to allocate a RAM status (RAM critical or RAM essential) to the GALA service levels. A current result is presented in § 5.6.


5.2 REFERENCE SCENARIO AND IDENTIFICATION

The RAM indicators definition could be expressed differently regarding :
• The involved parties (view points) :
  - Application user,
  - Service subscriber,
  - Service provider,
  - System operator,
  - System designer.
• The reference scenarios relevant for each involved party.

The aim of this section is to express the Reference scenarios, which are the necessary working assumptions for the RAM indicator definition.

5.2.1 Application user

This user corresponds to an end to end application. He perceives the dependability as a global attribute of the Galileo system, including the receiver performance.

His need is to have the service available each time he calls it, repeatedly during the mission time.

5.2.2 Service subscriber

He signs a contract with the provider for a specific duration D, with specific performances, including RAM performances. This duration D could be the time reference to assess the RAM indicator.

The receiver can be included or not in the system encompassed by the RAM indicator.

Remark : the subscriber could be the user.

5.2.3 Service provider

He sells the service and makes a contractual commitment to provide the subscriber with the expected service with specific performances (including RAM).

He buys a global service (including a support service) for a long duration (~10 years). This duration could be the time reference to assess the RAM indicator.

Local or regional components could be under his responsibility.

Remark : the provider could be the operator.

5.2.4 System operator

He sells a global service for a long duration to the provider. He buys the global system from the designer.

He is responsible for the system maintenance (excluding the receiver).


There is probably a specific contract between the operator and the provider, including penalties if RAM requirements are not met (cost impact).

Remarks :
- the operator could be the designer ;
- the operator could be a local / regional operator.

5.2.5 System designer

He has a contract with the System operator on performances at the delivery date, including an “a priori” demonstration that the RAM performances are met (schedule impact, technical impact, commercial impact, cost impact).

Remark : these performances are the RAM requirements we have to identify and allocate. Concerning operational behaviour, a specific contract between the designer and the operator is possible, including penalties if RAM requirements are not met (cost impact).

5.3 RAM RELEVANT INDICATORS DEFINITION

This task is linked to work performed by other WP teams (definitions [DR6], modelling).

The RAM indicators must be understandable, relevant and measurable (evaluation a priori, testable).


5.4 TOP LEVEL HAZARDS IDENTIFICATION

The top level hazards identification is done by cross checking several elements :
- The impact at individual, company or corporate level,
- The parties involved.

Table 6 : Top level RAM hazards

User / Subscriber | Provider / Operator | Designer

Service outage leading to

a) User dissatisfaction, but the consequences for his business or activity are acceptable

Galileo public image is not impaired. Money as compensation for consequences could be negotiated.

b) Irreversible consequences for the user activity (business, company, credibility...)

Galileo public image is impaired. The service provider could be involved in a lawsuit with the subscriber / user. The service provider could lose business / subscribers.

c) The paralysis of several major user activities

High economical consequences for the Society ; those catastrophic consequences could lead to the non continuation of the Galileo operation

Mission

Repetitive System breakdown leading to too high operation costs

d) RAM contractual commitment lead to penalty

Programme

e) Inability to achieve (to demonstrate) the specified RAM requirements : inadequacy with programme budget ...


5.5 PDA SYNTHESIS

A RAM status (RAM Critical or RAM Essential) has been allocated to each Service Level. RAM requirements (parameters and figures) will be associated with each RAM status. Currently this allocation is mapped with the Availability objectives in [DR5]. Without tackling the question of the figures, the following table could justify the allocation performed in [DR5], which allocates 2 levels of availability.

| Service Level | RAM Status | Availability in [DR5] |
|---|---|---|
| OAS-G1 | Essential | 99.0% |
| OAS-G2 | Essential | 99.0% |
| OAS-GS | Essential | 99.0% |
| OAS-GL | Essential | not in [DR5] |
| CAS1-G | Essential | 99.0% |
| CAS1-GS | Essential | 99.0% |
| CAS1-L1 | Critical | 99.0% |
| CAS1-L2 | Essential | 99.0% |
| CAS1-L3 | Critical | tbd |
| SAS-G | Critical | 99.9% |
| SAS-GS | Not mapped | 99.9% |
| SAS-R | Critical | 99.9% |
| SAS-RM | Critical | 99.9% |
| SAS-L | Critical | 99.9% |
| SAS-RG | Critical | not in [DR5] |
| GAS-G | Critical | 99.9% |
| GAS-GS | Not mapped | 99.9% |
| GAS-L | Essential | 99.9% |

Table 7 : RAM level allocation to Service levels

CAS1-L1 is mapped with 2 RAM Critical applications : [39] Advanced Driver Assistance System (Cars & Motorcycles) and [99] Autonomous Mining Vehicles. GAS-L is not mapped with a RAM Critical application.

Figures under discussion :
For the asymptotic availability, 99% means that the system could be unavailable ~ 3,5 days per year ; 99,9 % is similar to an unavailability of ~ 8,7 hours per year (or ~ 43 minutes per month).

OAS
The PDA shows that the availability need for OAS is higher than 99 % and is around 99,9 %.

CAS-1
CAS1-L1 is mapped on the following applications, which require a very high level of availability :
• [39] Advanced Driver Assistance System (Cars & Motorcycles), with a VH-VH classification in the PDA,
• [99] Autonomous Mining Vehicles, with a VH-H classification,
• [78, 79, 80] Vehicles Control & Robotics (Aerial, Land-based, Underwater), with a VH-M classification.
Without modifying the mapping between these applications and CAS1, the need for availability is very high (around 99,999 %, meaning unavailable ~ 5 minutes per year). Removing CAS1 from the service mapping for these applications could help to reduce the need to a level close to the OAS one (99,9 %).

SAS
Applications which require high levels of availability are mapped with SAS services. The high level of availability is around 99,999 %. As an indication, in the Air Traffic Control field, this is the requirement for a radar tracking application. From a RAM expertise point of view, the requirement allocated to SAS services in [DR5] seems too low (~ 43 minutes unavailable per month).

GAS
Today, only one application mapped with a GAS requires a high level of availability :
• [27] On board Navigation of SAR Units (Air & Sea), with a VH-VH classification.
That is to say that GAS-G could have an availability requirement of 99,999 %. Without this application, the requirement for GAS could fall to 99,9 %.

Note 1:
More than 10 applications are not mapped with a service level. Four of these applications (Space) are classified VH-VH. Their further mapping on Galileo services may change the previous synthesis.

Note 2:
From a RAM point of view, it seems that the SAS-R (SAS-RM) service is the most constraining one for the current (PM5) Architecture Baseline Definition.


6 FUNCTIONAL DEPENDABILITY ANALYSIS (FDA)

6.1 GENERAL FDA PRESENTATION

6.1.1 FDA methodology and used form

The FDA is performed with the aim of being fully consistent with the FHA (Functional Hazard Analysis) detailed for GALILEO system safety concerns. This means strictly following the FHA functional breakdown, as well as the scenarios developed, when relevant. For RAM concerns, the FDA presents different scenarios when necessary to raise specific RAM aspects.

The retained process for the FDA includes the following four steps :
- Identification of the GALILEO system functions,
- Identification of the external functions, events and GALILEO system configurations,
- Identification of failure conditions at GALILEO system level and analysis of their repercussions,
- Elaboration of RAM requirements, recommendations and justifications.

The FDA is performed through tables including the following headings :

- Function : name of the GALILEO system function under analysis as defined in the functional breakdown,
- Functional failure : qualification of the functional failure which can occur; the functional failures retained in this frame are :
  ✓ Loss of functioning : complete or partial loss of the GALILEO system function,
  ✓ Malfunctioning : production of erroneous misleading data for a GALILEO
  ✓ Erratic functioning : production of erratic data leading to loss of continuity
- Scenario : defines the context and the sources of the observed functional failure,
- Description of the repercussions on GALILEO system mission : this section includes three main headings which characterise the functional failure scenario :
  ✓ Effect on the GALILEO services and on the operation,
  ✓ Detection means (if any),
  ✓ Corrective action and GALILEO system resulting condition,
- RAM severity classification according to the severity scale defined below,
- RAM requirements, recommendations and assumptions which are derived from the scenario and its repercussions detailed previously,
- GALILEO system failure condition : different scenarios associated with different functional failures leading to the same effect are grouped together under the same failure condition with a unique reference and title.


6.1.2 General assumptions

The functional architecture retained to perform the FDA is based on the PM5 GALILEO system architecture.

The GALILEO system is considered in a full operational phase (Full Operational Capability). The external systems are not included in the FDA. This means that failures of the external systems are considered only as potential causes of the failures considered in the analysis.

The consequences are distinguished per service when relevant, especially when impacts can be different for integrity added services.

6.2 RAM SEVERITY SCALE

The RAM severity scale is established considering two criteria.

Criteria :

- Duration : Depending on the context and the sources of the degraded situations, as well as on the potential recovery means which can be carried out, the duration of the outage is of different orders. It constitutes a first parameter to graduate the severity of the outage effects on GALILEO system mission.

- Size of the area/number of users affected : The second criterion is characterised by the size of either the area (in terms of geographical zone) or the number of users affected by the outage (or both).

The combination of these two parameters is represented in the following tables

| Service degradation/interruption | Short | Long |
|---|---|---|
| Limited | A | B |
| Extended | B | C |

Thus, based also on the results of the PDA, the different degraded situations are grouped into three severity classes as defined below:

| Severity classes | Definition |
|---|---|
| A : Minor | Service outage leading to user dissatisfaction |
| B : Major | Outage with irreversible impact on user activity |
| C : Severe | Major paralysis of users activities |

Table 8 : severity scale


6.3 GALILEO FUNCTIONAL BREAKDOWN

The following functional breakdown has been elaborated in coherence with the Functional Hazard Analysis (Safety activities). This generic breakdown is built for the Safety and RAM analyses. A traceability matrix with the function list detailed in the GALILEO architecture documents is provided in the FHA (refer to DR4).

| Fct ref | Function Title | Resources |
|---|---|---|
| SSF1 | Schedule and broadcast navigation SIS (autonomous mode). | NAV/INT |
| SSF2 | Synchronise and broadcast navigation/integrity composite SIS (connected mode). | NAV/INT |
| SSF3 | Receive access management messages. | NAV/INT |
| SSF4 | Set TM&TC link with satellite for house-keeping and navigation messages | CUI, , USF, ULF, P/F |
| SSF5 | Set uplinks to satellites for navigation/ integrity composite messages | , USF, ULF, P/F |
| SSF6 | Monitor and configure constellation | SCF |
| SSF7 | Receive and transmit SAR user signal. | SAR |
| GSF1 | Collect globally raw data for position/time parameters of the satellites | GMF |
| GSF2 | Build navigation data from position/time parameters | OSPF |
| GSF3 | Build globally integrity data from position/time parameters | GIPF/GCPF |
| GSF4 | Schedule and transmit navigation and/or integrity composite message | GUI |
| GSF5 | Deliver access management messages. | GNCF |
| GSF6 | Monitor navigation global services | GNCF |
| RSF1 | Collect regionally raw data for SIS integrity | RMF, RIMS |
| RSF2 | Build regionally integrity data from position/time parameters | RIPF/RCPF, CPF |
| RSF3 | Transmit regional overlay integrity message | RUI-USF-ULF, NLES |
| RSF4 | Deliver access management messages. | RNCF |
| RSF5 | Monitor regional overlay services | RNCF, CCF |
| CSF1 | Transmit SAR centre message to constellation | SUI, USF, ULF |
| KSF1 | Build and transmit services access messages | KMF-SC |
| XF1 | Establish links between space segment ground elements | CAN |
| XF2 | Establish links between ground segment global elements | GAN |
| XF3 | Establish links between ground segment regional elements | RAN |
| USF1 | Process SIS and display position | User terminal |
| USF2 | Inform user on level of confidence of computed position | User terminal |
| USF3 | Broadcast SAR user signal. | User terminal |
| USF4 | Receive SAR centre message. | User terminal |
| USF5 | Receive access management information. | User terminal |
| DSF1 | Collect raw data for position/time parameters of the other navigation system | External |
| DSF2 | Build other navigation system integrity data | External |
| DSF3 | Interface with external time reference | External |
| DSF4 | Interface with external geodetic reference system and reference frame | External |
| DSF5 | Interface with external navigation system | External |
| DSF6 | Interface with customer /agent /service provider. | External |
| DSF7 | Interface with SAR service | External |

Table 9 : GALILEO system functional breakdown

6.4 FDA SYNTHESIS

Refer to annex section 8.2 for detailed FDA tables.

6.4.1 RAM Failure Condition Summary table

From the functional failure analysis, it is possible to merge different failure scenarios having the same consequences on system status/behaviour after failure.

These feared events, considered from their effects on the GALILEO system, are summarised in Failure Conditions. This FDA process raises a Preliminary Failure Conditions list.


| FC Ref. | FC classification | FC title | Class. |
|---|---|---|---|
| FC1 | Degradation or loss of the service / detected / Restoration in limited time / Worldwide | Detected + world wide loss or degradation of the service with restoration in limited time | Major |
| FC2 | Degradation or loss of the service / detected / Restoration in limited time / restricted | Detected + restricted loss or degradation of the service with restoration in limited time | Minor |
| FC3 | Degradation or loss of the service / detected / Long term restoration / Worldwide | Detected + world wide loss or degradation of the service with long term restoration | Severe |
| FC4 | Degradation or loss of the service / detected / Long term restoration / restricted | Detected + restricted loss or degradation of the service with long term restoration | Major |
| FC5 | Degradation or loss of the service / Undetected / Long term restoration / Worldwide | Undetected + world wide loss or degradation of the service with long term restoration | Severe |
| FC6 | Degradation or loss of the service / Undetected / Long term restoration / restricted | Undetected + restricted loss or degradation of the service with long term restoration | Major |
| FC7 | Degradation or loss of monitoring function | Loss or degradation of monitoring function | Minor |

Table 10 : Failure Conditions list

Note :
- Restricted/world wide is relative to the size of the area or/and the number of users affected.
- When it is not detected, it is assumed that the restoration is long due to the non detection and thus no possibility to initiate recovery actions.
- In the FDA tables, the classification is given first according to the effect of the failure scenario without including the mentioned requirement. Then, the FC classification is given in brackets taking the RAM requirements into account. This makes it possible to evaluate the impact of the requirements on the described Failure Condition.

6.4.2 Common general assumptions

| Ref. | Description | Scenario reference |
|---|---|---|
| Ras1 | The applications users where availability requirement is expected are supposed to have the RAIM function implemented in their terminal | SSF1B2, |
| Ras2 | It is assumed that a satellite in connected mode which experiences a failure can not then switch to autonomous mode. | SSF2A2, SSF2B2, SSF2A3 |
| Ras3 | It is supposed that when the TM/TC link with the satellite is lost, it is not possible to start recovery action at satellite level | SSF4A1 |
| Ras4 | Adequate protections and fallback procedures are supposed to be implemented in the satellite platform in case of detected interruption of communication means | SSF5A1 |
| Ras5 | GALILEO system must be designed to keep non integrity added service available in case of GIPF/GCPF failure | GSF3A1, GSF3B1, GSF3B2 |
| Ras6 | The GIPF/GCPF function is distributed worldwide in three sites due to TTA constraint. Thus loss of GIPF/GCPF function could come from common mode/cause event. If a failure on one site is considered, the loss of GIPF/GCPF function may be partial (degraded mode). However, there is no redundancy between the three sites | GSF3A1 |

Table 11 : RAM Assumptions from FDA (Ras)


6.4.3 RAM Requirements

| Ref. | Description | Scenario reference |
|---|---|---|
| Rrq1 | No common cause/common mode not shown extremely improbable would lead to simultaneous failure on several satellites | SSF1A2, SSF1A3, SSF1B1, SSF1B2, SSF1B3, SSF2A1, SSF2A2, SSF2A3, SSF2B1, SSF2B2, SSF2B3, SSF2B4, SSF2B5, SSF4A1, SSF5A1 |
| Rrq2 | No common cause/common mode not shown extremely improbable would lead to simultaneous failure on several ULS components | SSF4A1, SSF5A1, |
| Rrq3 | Detection and reporting of any Failure of ULS components at maintenance entity level shall be performed to initiate recovery action | SSF4A1, SSF5A1, |
| Rrq4 | Probability of satellite to broadcast misleading navigation/integrity composite message must be less than extremely improbable | SSF5B1 |
| Rrq5 | SCF failure shall be without immediate effect on operational service (necessity to exclude beam scheduling function). | SSF6A1, SSF6B1 |
| Rrq6 | Recovery time of SCF function shall be less than time leading to unacceptable service degradation | SSF6A1 |
| Rrq7 | SCF failure shall be detected and reported at maintenance entity level to initiate immediate recovery actions | SSF6A1 |
| Rrq8 | GALILEO monitoring system shall be able to test and detect SAR payload failure to initiate recovery actions | SSF7A1 |
| Rrq9 | No common cause/common mode not shown extremely improbable should lead to simultaneous failure on several SAR payloads | SSF7A1, SSF7B1 |
| Rrq10 | Detection and reporting of any GMF failure at maintenance entity level shall be performed to allow recovery actions in time less than service degradation time leading to loss of navigation service (alarm limits) | GSF1A1 |
| Rrq11 | No common cause/common mode not shown extremely improbable should lead to simultaneous failure on several GMF | GSF1A1, GSF1B1 |
| Rrq12 | GALILEO system shall be robust against one GMF failure in GMS station | GSF1B1 |
| Rrq13 | Detection and reporting of any OSPF failure shall be performed at maintenance entity level. | GSF2A1 |
| Rrq14 | OSPF function recovery action shall be performed to allow recovery actions in time less than service degradation time leading to loss of navigation service (alarm limits). | GSF2A1, GSF2B1 |
| Rrq15 | GALILEO system shall be able to localise erroneous navigation data computed by OSPF | GSF2B1, |
| Rrq16 | Detection and reporting of any GIPF/GCPF failure shall be performed at maintenance entity level | GSF3A1 |
| Rrq17 | Recovery actions shall be initiated upon detection of GIPF/GCPF failure to reduce the unavailability time for integrity added services | GSF3A1 |
| Rrq18 | No common cause/common mode not shown extremely improbable should lead to simultaneous failure on several GIPF/GCPF | GSF3A1 |
| Rrq19 | GALILEO system shall be designed in order that false alarm due to erroneous integrity monitoring data computation or alarm limit tuning does not lead to unacceptable unavailability level for integrity added services | GSF3B1 |
| Rrq20 | Probability that multiple failures at GIPF/GCPF level leading to integrity event and unavailability of the integrity added service shall be less than extremely improbable | GSF3B2 |
| Rrq21 | Detection and reporting of any GUI failure at maintenance entity level shall be performed to allow recovery actions in time less than service degradation time leading to loss of navigation service | GSF4A1, GSF4A2 |
| Rrq22 | No common cause/common mode not shown extremely improbable shall lead to simultaneous failure on several GUI | GSF4A2, |
| Rrq23 | Detection and reporting of any RMS failure at regional maintenance entity level shall be performed to allow recovery actions in order that the unavailability of the services is less than TBD hours | RSF1A1 |
| Rrq24 | No common cause/common mode not shown extremely improbable shall lead to simultaneous failure on several RMS | RSF1A1, |
| Rrq25 | Detection and reporting of any RIPF/RCPF failure shall be performed at regional maintenance entity level | RSF2A1 |
| Rrq26 | Recovery actions shall be initiated upon detection of RIPF/RCPF failure to reduce the unavailability time for regional integrity added services | RSF2A1 |
| Rrq27 | Recovery actions shall be initiated upon detection of RIPF/RCPF failure to reduce the unavailability time for regional integrity added services | RSF2A1 |
| Rrq28 | GALILEO regional component shall be designed in order that false alarm due to erroneous integrity monitoring data computation or alarm limit tuning does not lead to unacceptable unavailability level for regional integrity added services | RSF2B1 |
| Rrq29 | Probability that multiple failures at RIPF/RCPF level leading to integrity event and unavailability of the integrity added service shall be less than extremely improbable | RSF2B2 |
| Rrq30 | Detection and reporting of any RUI failure at regional maintenance entity shall be performed to allow recovery actions in order that the unavailability of the services is less than TBD hours | RSF3A1 |
| Rrq31 | No common cause/common mode not shown extremely improbable shall lead to simultaneous failure on several RUI | RSF3A1 |
| Rrq32 | For availability purpose, the integrity regional service shall be robust against one ULS site failure | RSF3A1, CSF1A1 |
| Rrq33 | CAN shall be non-real-time network : its failure shall be without immediate effect on operational service. Recovery time of a CAN failure shall be less than time leading to unacceptable service degradation. | XF1A1, XF1B1 |
| Rrq34 | After a control command message sent by SCF to a ground element, the new status / mode of this element must be checked | XF1B1 |
| Rrq35 | No single failure, error, external event not shown extremely improbable shall lead to a loss of transmission chain between GNCF and ULS | XF2A1 |
| Rrq36 | Transmission chain between GNCF and ULS must be protected from any single cause of undetected corruption of transmission. | XF2B1 |
| Rrq37 | No single failure, error, external event not shown extremely improbable shall lead to a loss of transmission chain between RNCC and ULS (IF is built in RNCC) | XF3A1 |
| Rrq38 | The availability / reliability performances of the encryption module shall not degrade significantly the terminal ones | USF5A1 |
| Rrq39 | A RAM analysis shall be performed on time and geodetic references and the way they are used in GALILEO system | DSF3A1, DSF4A1 |

Rrq40 A RAM analysis should be performed on the structure and functions of GALILEOmanagement and operating segment (service centre, ...).

DSF6A1

Table 12 : RAM requirements (Rrq)

6.4.4 RAM Recommendations

Ref. Description Scenario reference

Rrm1 SCC would be able to initiate diagnosis and recovery actions at any time for any satellite

SSF1A1, SSF1A2, SSF1B1, SSF2A1, SSF2A2, SSF2B1, SSF2B2, SSF2B4

Rrm2 The ground monitoring system (GMF/GNCC respectively RMF/RNCC) coverage rate (detection capability of SIS misbehaviour) must be relevant with the availability quantitative requirements.

SSF1B2, SSF1B3, SSF2B4, SSF2B5

Rrm3 For key management in degraded mode, system may implement an unencrypted mode as fallback

SSF3A1, GSF5A1, GSF5B1, KSF1B1

Rrm4 The satellites should remain in autonomous mode as long as the degradation of the navigation signal is acceptable

SSF6A1, SSF6B1, RSF4B1,

Rrm5 SCF operator should have the capability to check the SCF output data

SSF6B1, KSF1A1

Rrm6 The opportunity that a RUI failure leads to interrupt all the connected links between ULS and satellites has to be considered. It allows in that case to restore the links with another ULS

RSF3A1


Rrm7 The opportunity that a SUI failure leads to interrupt all the connected links between ULS and satellites has to be considered. It allows in that case to restore the links with another ULS

CSF1A1

Rrm8 The KMF monitoring data should be transmitted to a higher level monitoring (for a global and coherent view of GALILEO system).

KSF1A1

Rrm9 The ground elements of the space segment are monitored by SCF. These monitoring data should be reported to a higher level monitoring (for a global and coherent view of GALILEO system).

XF1A1

Rrm10 If the link between GNCC and ULS is broken, the ULS should ask its connected satellites for a disconnection (which switch to autonomous mode)

XF2A1

Rrm11 The regional elements are monitored by RNCF. These monitoring data should be transmitted to a higher level monitoring (for a global and coherent view of GALILEO system), using the GAN

XF3A1

Rrm12 Transmission chain between RNCC and ULS may be protected from any single cause of undetected corruption of transmission (IF is built in RNCC).

XF3B1

Rrm13 The terminal HMI could have quality indicators of the SIS reception, helping the user to diagnose terminal failure (from SIS discontinuity). In order to discriminate terminal failures from insufficient SIS information (terminal external causes), for instance the two indicators could be: SIS/no SIS and Solution/no Solution

USF1A1

Rrm14 For a user, the availability of a service includes the terminal availability. This availability requirement shall be budgeted. In case of RAM contractual commitments, the SIS availability (measurable) will be distinguished from the terminal one (dependent on operating conditions).

USF1A1

Rrm15 Users have to be warned of all operating conditions within their responsibility which could impair nominal functioning of the terminal: environment parameters, antenna position, user system interference, multipath, key validation/activation, etc. (TBD)

USF1A1, USF1B1, USF2B1

Rrm16 User terminal of integrity added service has to implement means to give comprehensive and convenient information on the confidence margin of the computed position with regard to the alarm levels set by user. It has also to give a projection of this information for the immediate future of user's application

USF2A1

Rrm17 Regarding the user application, the concept design of the terminal could be different. For a Mass Market terminal, the position will always be displayed, even if the level of confidence is unsatisfactory (availability concept). For a Safety of Life application, in doubt no position will be displayed (safety concept) (tbc).

USF2B1

Rrm18 The terminal should be able to display that the SAR signal has been sent. This sending acknowledgement could impact the survival choice of the user

USF3A1

Rrm19 A strategy should be defined for the SMCC (MEO LUT ?) in case of overcrowding SAR signal

USF3B1

Rrm20 Errors issued by a SUI misbehaviour should be confined : without consequences on the elaboration of the navigation message

DSF7A1

Table 13 : RAM recommendations (Rrm)

6.4.5 Open points

As the RAM and Safety analyses have been performed on the same basis with the objective to keep consistency and present fully complementary results, the numbering of RAM open points follows the numbering of the Safety open points. The safety open points are relevant for the RAM concerns.


Ref. Description Scenario reference

Rop19 Possible use of back up key or old keys

SSF3A1

Rop20 What is the element which can flag the GIPF/GCPF failure (as the GIPF/GCPF are responsible for the monitoring integrity data) ?

GSF3A1, RSF2A1

Rop21 What redundancy can be considered between GIPF/GCPF and RIPF/RCPF

GSF3A1, RSF2A1

Rop22 Combination of RIPF integrity data and GIPF integrity data to be precise

RSF1B2

Rop23 RAM user needs have to be defined for the SAR service (allocation on the SMCC, on the ULS, on the terminal)

USF3A1, USF3B1

Table 14 : RAM open points (Rop)

6.4.6 GALILEO Functions RAM severity

Fct ref Function Title RAM status Severity

SSF1 Schedule and broadcast navigation SIS (autonomous mode). Critical Severe

SSF2 Synchronise and broadcast navigation/integrity composite SIS (connected mode). Critical Severe

SSF3 Receive access management messages. Critical Severe

SSF4 Set TM&TC link with satellite for house-keeping and navigation messages Essential Major

SSF5 Set uplinks to satellites for navigation/ integrity composite messages Essential Major

SSF6 Monitor and configure constellation Non essential Minor

SSF7 Receive and transmit SAR user signal. Essential Major

GSF1 Collect globally raw data for position/time parameters of the satellites Essential Major

GSF2 Build navigation data from position/time parameters Essential Major

GSF3 Build globally integrity data from position/time parameters Critical Severe

GSF4 Schedule and transmit navigation and/or integrity composite message Tbd Tbd

GSF5 Deliver access management messages. Tbd Tbd

GSF6 Monitor navigation global services Tbd Tbd

RSF1 Collect regionally raw data for SIS integrity Essential Major

RSF2 Build regionally integrity data from position/time parameters Essential Major

RSF3 Transmit regional overlay integrity message Essential Major (tbc)

RSF4 Deliver access management messages. Essential Major (tbc)

RSF5 Monitor regional overlay services Tbd Tbd

CSF1 Transmit SAR centre message to constellation Tbd Tbd

KSF1 Build and transmit services access messages Critical Severe

XF1 Establish links between space segment ground elements Non essential Minor

XF2 Establish links between ground segment global elements Essential Major

XF3 Establish links between ground segment regional elements Essential Major

USF1 Process SIS and display position Tbd Tbd

USF2 Inform user on level of confidence of computed position Tbd Tbd

USF3 Broadcast SAR user signal. Tbd Tbd

USF4 Receive SAR centre message. Tbd Tbd

USF5 Receive access management information. Tbd Tbd


DSF1 Collect raw data for position/time parameters of the other navigation system Tbd Tbd

DSF2 Build other navigation system integrity data Tbd Tbd

DSF3 Interface with external time reference Tbd Tbd

DSF4 Interface with external geodetic reference system and reference frame Tbd Tbd

DSF5 Interface with external navigation system Tbd Tbd

DSF6 Interface with customer /agent /service provider. Tbd Tbd

DSF7 Interface with SAR service Tbd Tbd

Table 15 : GALILEO Function Criticality


7 APPORTIONMENT/DEMONSTRATION OF GALILEO RAM REQUIREMENTS

7.1 AVAILABILITY BLOCK DIAGRAM METHODOLOGY

Computation of availability has been achieved for each GALILEO service using the availability block diagram technique and the underlying mathematical expressions. This technique, widely used in RAMS studies, is briefly recalled here.

An availability block diagram may be considered as a functional logic chart which, by means of the arrangement of blocks and lines, depicts the effect of failure of equipment subdivisions on the equipment's functional capability. Items whose failure causes equipment failure are shown in series with other items. Items whose failure causes equipment failure only when some other item has also failed are drawn in parallel with the other items. Systems constituted of n elements or subsystems, of which only k are required to be operational for system success, can also be depicted as a k-out-of-n configuration.

Whatever the configuration used (series, parallel, k-out-of-n configurations or a combination of all of them), elements are considered stochastically independent toward the failure and the restoration. This means that failure rates are much smaller than repair rates, which is the case for most practical purposes.

This method includes the 3 following steps :

• Step 1 : a system functional breakdown into functional blocks at subsystem level.
• Step 2 : based on this decomposition, identification of the system architecture underlining the serial and/or redundancy configuration.
• Step 3 : the representation of the architecture using the availability block diagrams methodology.

The availability block diagram method is based on serial and parallel elements representation.

In serial configuration :

$A_{function} = \prod_i A_i$

In parallel configuration :

$A_{function} = 1 - \prod_i [1 - A_i]$

Where $A_i$ is the availability of the element i.


7.2 PARTICULAR ASSUMPTIONS

A1 : The functional breakdown used for the availability study shows the functional blocks which are necessary to carry out the service defined in nominal mode.

A2 : Services are modelled from a user viewpoint (1 terminal).

A3 : Power supply function is considered as redundant and not included in this first assessment (unavailability = 1,9 × 10^-6, similar to 4 outages of 15 sec per year).

A4 : Key management is not taken into account : the elements of the key management chain are considered not to impair the services (ratio 100 between the unavailability of this chain and the unavailability of the preponderant element for the service).

A5 : GALILEO system is robust to one ULS (respectively GMS) site failure with a 2/3 redundancy.

A6 : The beam scheduling function is implemented in the SCC : for the Nav/Int services, SCF and CAN must be available.

7.3 ORIGIN OF THE RETAINED INPUT DATA

Since similarities exist between GALILEO system and EGNOS system, in this preliminary assessment, the retained input data are issued from the EGNOS collected data.

In addition, to complete and check the consistency of the necessary used data, some other relevant data are extracted from analyses of similar ground systems in the area of space applications.

The availability of the GALILEO MEO constellation (99 %) is taken from performances budget [DR8].

At this stage (feasibility phase), it is important to keep in mind that only the orders of magnitude of the used data have to be relevant. It is not necessary to focus on detailed data which will be defined and developed in the following phases.

The used data are given in appendix 8.3.


7.4 GALILEO SYSTEM AVAILABILITY BLOCK DIAGRAMS

7.4.1 Navigation service without integrity

7.4.2 Service with integrity – Global components

[Figures: availability block diagrams for sections 7.4.1 and 7.4.2. Block labels: Galileo MEO Constellation, NAV/INT P/L, User Terminal, ULS, GMS, GAN, CAN, GNCC, SCC, OSPF, GNCF, SCF, GIPF, GCPF, GUI, CUI, USF, ULF, GMF A, GMF B, GMF C, k/n.]


7.4.3 Service with integrity – Global + regional components

[Figure: availability block diagram. Block labels: Galileo MEO Constellation, NAV/INT P/L, User Terminal, ULS, GMS, GAN, CAN, GNCC, SCC, GCPF, GIPF, GNCF, SCF, OSPF, GUI, CUI, USF, ULF, RUI, RMS, RAN, RNCC, RNCF, RIPF, RCPF, GMF A, GMF B, GMF C, k/n.]

7.4.4 TM/TC function

• TC generation and up-link chain via ULS

• TM acquisition and processing

[Figure: availability block diagram. Block labels: Galileo MEO Constellation, P/L, ULS, CAN, SCC, SCF, CUI, USF, ULF, k/n.]


7.4.5 Orbit monitoring function

[Figure: availability block diagram for the orbit monitoring function. Block labels: Galileo MEO Constellation, NAV/INT P/L, GMS, GAN, GNCC, SCC, OSPF, GNCF, SCF, GMF A, GMF B, GMF C, k/n.]


7.5 RESULTS

The following table presents in a synthetic form the results of the availability computation :

Availability results Availability requirements

Navigation service without integrity 98,32 % 99 %

Service with integrity (stand-alone) 98,16 % 99,9 %

Service with integrity (Global + Region components) 98,27 % 99,9 %

TM / TC function 98,68 % /

Orbit monitoring function 98,55 % /

The detailed results are presented in appendix 8.3.

7.6 ANALYSIS OF THE RESULTS

As a preamble, it is important to stress that the availability computations performed in the framework of this RAM analysis do not take the maintenance and logistics aspects completely into consideration. The present results would probably be degraded by the complementary logistical support scenarios (unavailability of spare parts, of maintenance operators, …).

The service availability requirements are not met, but as :

• The availability budgeted for the MEO constellation is taken as an input data of these computations ;
• The availability budgeted for the MEO constellation is 99 % ;
• The MEO constellation is a serial element in all the availability block diagrams,

the availability results cannot be better than 99 %.

The sensitivity studies highlighted the preponderant components on the global results :

• The weight of the MEO constellation on the global availability is 54 % to 75 % ;
• The WAN (GAN, CAN) are the ground components which have a strong impact on the global availability (around 12 % for each WAN) ;
• The GNCC has also a strong weight (from 9 % to 15 %), which could be reduced by design solution (introducing internal redundancies) ;
• The SCC contribution should be reduced by following the FDA requirements (SCC shall have only monitoring functions, “beam scheduling” excluded) ;
• The stations (ULS, RMS) are not preponderant at this level, if the FDA requirement, asking for “a service robust to one station site failure”, is met.


7.7 AVAILABILITY APPORTIONMENT TO MEET THE REQUIREMENTS

Non integrity service :
To meet the 99 % availability requirement of the non integrity services, it would be necessary to increase the availability performances of the main sizing elements. For instance :

• MEO constellation : 99,5 %
• WAN (GAN, CAN) : 99,9 %

In that case, the availability performances of the other elements are sufficient.

Integrity added services :
The 99,9 % availability requirements can be met only in the case where every element availability is one order higher than 99,9 %.
As this seems neither economically nor technically realistic for the MEO constellation, a mitigation could be to apportion the objective (99,9 %) to it and to raise the availability of the ground segment to a higher level. For instance,

• MEO constellation : 99,9 %
• Ground segment : 99,995 %

would lead to an availability performance of the GALILEO system of around 99,89 %.
This is equivalent to having a complete redundancy of the GS.
In that case, the availability of the non integrity service will be over-specified at the same level (99,89 %).
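The series, parallel and k-out-of-n rules of section 7.1 and the apportionment figures of sections 7.6 and 7.7, worked through in Python as an added example that is not part of the original report. The helper names are the example's own, and the 99 % single-site availability used for the 2/3 redundancy case of assumption A5 is a constructed value, not one taken from the report's input data.

```python
from math import prod


def series(avails):
    """Every block is needed: A = product of A_i."""
    return prod(avails)


def parallel(avails):
    """One working block is enough: A = 1 - product of (1 - A_i)."""
    return 1.0 - prod(1.0 - a for a in avails)


def k_out_of_n(k, avails):
    """At least k of n independent blocks are up; blocks may differ."""
    dist = [1.0]  # dist[j] = P(exactly j of the blocks seen so far are up)
    for a in avails:
        nxt = [0.0] * (len(dist) + 1)
        for j, p in enumerate(dist):
            nxt[j] += p * (1.0 - a)   # this block is down
            nxt[j + 1] += p * a       # this block is up
        dist = nxt
    return sum(dist[k:])


def required_remainder(target, fixed):
    """Availability the rest of a series chain needs so that fixed * rest
    reaches target. None when the fixed element alone is below target."""
    if fixed < target:
        return None
    return target / fixed


def worked_figures():
    meo_budget = 0.99          # MEO constellation budget (section 7.3)
    integrity_result = 0.9816  # stand-alone integrity result (section 7.5)
    site = 0.99                # constructed single-site availability

    # Everything in series with the constellation, implied by the 7.5 result.
    rest = integrity_result / meo_budget
    return {
        # 7.6: a 99 % series element makes the 99,9 % target unreachable.
        "rest_needed_with_meo_99": required_remainder(0.999, meo_budget),
        # A5: 2-out-of-3 site redundancy compared with a single site.
        "two_of_three_sites": k_out_of_n(2, [site] * 3),
        # 7.7: MEO 99,9 % in series with a ground segment at 99,995 %.
        "apportioned_system": series([0.999, 0.99995]),
        # 7.7: the rest of the chain, then the same chain fully duplicated.
        "rest_of_chain": rest,
        "rest_duplicated": parallel([rest, rest]),
        # 7.7 non integrity case: MEO 99,5 %, GAN and CAN 99,9 % each.
        "margin_left_for_others": required_remainder(
            0.99, series([0.995, 0.999, 0.999])),
    }


if __name__ == "__main__":
    for name, value in worked_figures().items():
        print(f"{name:26s} {value if value is None else format(value, '.6f')}")
```

With the section 7.5 integrity result, everything in series with the constellation works out at about 99,15 %, and duplicating that chain gives about 99,993 %, the same order as the 99,995 % ground segment figure of section 7.7.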


8 ANNEX :

8.1 PDA TABLES

The following tables of this annex are the detailed availability classification using mapping application/service and the syntheses of this classification for each service level.


Fr VH H M L T

Applications Qty Qty Qty Applications Qty Qty Qty Applications Qty Qty Qty Applications Qty QtyOAS-G1 OAS-G1 OAS-G1

2, 5, 27, 8 OAS-G2 6, 99(tbc) 2 OAS-G2 78, 79, 80, 3 OAS-G2 - 039, 58(NM), OAS OAS-GS OAS OAS-GS OAS OAS-GS OAS59(NM), OAS-GL OAS-GL OAS-GL60(NM), OAS-GH OAS-GH OAS-GH61(NM) CAS1-G CAS1-G CAS1-G

CAS1-L1 1 CAS1-L1 1 CAS1-L1 3CAS1 1 CAS1-L2 CAS1 1 CAS1-L2 CAS1 3 CAS1-L2 1 CAS1

CAS1-L3 CAS1-L3 1 CAS1-L3VH CAS1-GS CAS1-GS CAS1-GS

SAS-G 3 SAS-G SAS-GSAS-R 2 SAS-R SAS-R

SAS 4 SAS-L 1 SAS 1 SAS-L 1 SAS 3 SAS-L 3 SASSAS-RM 2 SAS-RM SAS-RMGAS-G 1 GAS-G GAS-G

GAS 1 GAS-L GAS GAS-L GAS GAS-L GASApplications Qty Qty Qty Applications Qty Qty Qty Applications Qty Qty Qty Applications Qty Qty

OAS-G1 OAS-G1 3 OAS-G1 31, 3 2 OAS-G2 7, 9, 12, 13, 24 OAS-G2 16, 17, 18, 24 OAS-G2 2 50, 51, 52 3

OAS OAS-GS 14, 23, 24, OAS 10 OAS-GS 7 19, 20, 21, OAS 4 OAS-GS 1 OASOAS-GL 25, 26, 31*, OAS-GL 28, 30, 35, OAS-GLOAS-GH 32, 33, 34, OAS-GH 8 38, 44, 46, OAS-GH 3CAS1-G 36, 37, 40, CAS1-G 9 47, 48, 49, CAS1-G 6CAS1-L1 41, 42, 43, CAS1-L1 1 53(tbc), 69, CAS1-L1 6

CAS1 CAS1-L2 57, 72, 84, CAS1 17 CAS1-L2 1 70, 71, 74, CAS1 14 CAS1-L2 6 CAS1CAS1-L3 97, 100 CAS1-L3 3 86, 93(NM), CAS1-L3

H CAS1-GS CAS1-GS 6 94(NM), CAS1-GS 3SAS-G 2 SAS-G 6 95(NM) SAS-G 3SAS-R 2 SAS-R 3 SAS-R

SAS 2 SAS-L SAS 7 SAS-L 4 SAS 3 SAS-L SAS 3SAS-RM 2 SAS-RM SAS-RMGAS-G GAS-G 3 GAS-G 6

GAS GAS-L GAS 3 GAS-L 1 GAS 6 GAS-L 6 GAS 3


Fr VH H M L T

Applications Qty Qty Qty Applications Qty Qty Qty Applications Qty Qty Qty Applications Qty QtyOAS-G1 OAS-G1 OAS-G1

- 0 OAS-G2 10, 22 4 OAS-G2 15, 62(tbd), 10 OAS-G2 67(NM) 1OAS OAS-GS 45(NM), OAS OAS-GS 63, 73 OAS OAS-GS OAS

OAS-GL 98 OAS-GL 81, 82, 87, OAS-GLOAS-GH OAS-GH 90, 91, 92 OAS-GHCAS1-G CAS1-G 1 CAS1-G 2CAS1-L1 CAS1-L1 CAS1-L1 2

CAS1 CAS1-L2 CAS1 3 CAS1-L2 CAS1 10 CAS1-L2 2 CAS1CAS1-L3 CAS1-L3 2 CAS1-L3 5

M CAS1-GS CAS1-GS CAS1-GS 1SAS-G SAS-G SAS-GSAS-R SAS-R SAS-R

SAS SAS-L SAS SAS-L SAS SAS-L SASSAS-RM SAS-RM SAS-RMGAS-G GAS-G 1 GAS-G

GAS GAS-L GAS 1 GAS-L 1 GAS GAS-L GASApplications Qty Qty Qty Applications Qty Qty Qty Applications Qty Qty Qty Applications Qty Qty

OAS-G1 OAS-G1 OAS-G1- 0 OAS-G2 - 0 OAS-G2 29 1 OAS-G2 8, 11, 55, 56, 12

OAS OAS-GS OAS OAS-GS OAS OAS-GS 64(NM), OAS 2OAS-GL OAS-GL OAS-GL 65(NM),OAS-GH OAS-GH OAS-GH 68, 83, 85,CAS1-G CAS1-G CAS1-G 88, 89, CAS1-L1 CAS1-L1 CAS1-L1 96(NM),

CAS1 CAS1-L2 CAS1 CAS1-L2 CAS1 CAS1-L2 CAS1 6CAS1-L3 CAS1-L3 CAS1-L3

L CAS1-GS CAS1-GS CAS1-GSSAS-G SAS-G SAS-GSAS-R SAS-R SAS-R

SAS SAS-L SAS SAS-L SAS SAS-L SAS 1SAS-RM SAS-RM SAS-RMGAS-G GAS-G GAS-G 1

GAS GAS-L GAS GAS-L GAS 1 GAS-L GAS 1

NM: Not Mapped


OAS

T / Fr  VH   H   M   L
VH       0   0   0   0
H        0  10   4   0
M        0   0   0   0
L        0   0   0   2

OAS-G1

T / Fr  VH   H   M   L
VH       0   0   0   0
H        0   3   3   0
M        0   0   0   0
L        0   0   0   1

OAS-G2

T / Fr  VH   H   M   L
VH       0   0   0   0
H        0   0   2   0
M        0   0   0   0
L        0   0   0   1

OAS-GS

T / Fr  VH   H   M   L
VH       0   0   0   0
H        0   7   1   0
M        0   0   0   0
L        0   0   0   0

OAS-GL

T / Fr  VH   H   M   L
VH       0   0   0   0
H        0   0   0   0
M        0   0   0   0
L        0   0   0   0

OAS-GH

T / Fr  VH   H   M   L
VH       0   0   0   0
H        0   8   3   0
M        0   0   0   0
L        0   0   0   1


CAS1

T / Fr  VH   H   M   L
VH       1   1   3   0
H        0  17  14   0
M        0   3  10   0
L        0   0   0   6

CAS1-G

T / Fr  VH   H   M   L
VH       0   0   0   0
H        0   9   6   0
M        0   1   2   0
L        0   0   0   1

CAS1-L1

T / Fr  VH   H   M   L
VH       1   1   3   0
H        0   1   6   0
M        0   0   2   0
L        0   0   0   2

CAS1-L2

T / Fr  VH   H   M   L
VH       0   0   1   0
H        0   1   6   0
M        0   0   2   0
L        0   0   0   2

CAS1-L3

T / Fr  VH   H   M   L
VH       0   1   0   0
H        0   3   0   0
M        0   2   5   0
L        0   0   0   2

CAS1-GS

T / Fr  VH   H   M   L
VH       0   0   0   0
H        0   6   3   0
M        0   0   1   0
L        0   0   0   1


SAS

T / Fr  VH   H   M   L
VH       4   1   3   0
H        2   7   3   3
M        0   0   0   0
L        0   0   0   1

SAS-G

T / Fr  VH   H   M   L
VH       3   0   0   0
H        2   6   3   0
M        0   0   0   0
L        0   0   0   0

SAS-R

T / Fr  VH   H   M   L
VH       2   0   0   0
H        2   3   0   0
M        0   0   0   0
L        0   0   0   0

SAS-L

T / Fr  VH   H   M   L
VH       1   1   3   0
H        0   4   0   0
M        0   0   0   0
L        0   0   0   0

SAS-RM

T / Fr  VH   H   M   L
VH       2   0   0   0
H        2   0   0   3
M        0   0   0   0
L        0   0   0   1


GAS

T / Fr  VH   H   M   L
VH       1   0   0   0
H        0   3   6   3
M        0   1   0   0
L        0   0   1   1

GAS-G

T / Fr  VH   H   M   L
VH       1   0   0   0
H        0   3   6   3
M        0   1   0   0
L        0   0   1   1

GAS-L

T / Fr  VH   H   M   L
VH       0   0   0   0
H        0   1   6   0
M        0   1   0   0
L        0   0   0   0


8.2 FDA TABLES

FUNCTION: Schedule and broadcast navigation SIS SSF1

FUNCTIONAL FAILURE: Loss of capability to schedule or broadcast SIS SSF1A

SCENARIO: Recoverable loss of Payload on one satellite SSF1A1

Description of repercussions: X-Ref

1 - Effect on the GALILEO services and on the operation

Navigation payload on one satellite is temporarily inoperative.
No SIS transmitted in autonomous mode. Immediate detection by user terminal.
If remaining healthy satellites in view are not sufficient to compute a position solution with the required performance, navigation service can be interrupted for some users.
Possible loss of continuity for some users.
After recovery (4 hours TBC), system is fully operational.
Service outage leading to dissatisfaction for limited duration for a limited number of users.

2 - Detection means (monitoring systems or operators)

Situation is monitored by ground system. Status of satellites is propagated to all users through integrity messages and almanac.

If monitoring of satellite is permanent, recovery action can start without delay.

3 - Corrective action and GALILEO system resulting condition

No corrective action

Severity Classification

Minor

RAM-Requirements (Rrq)

Recommendations (Rrm)

Assumptions (Ras)

Ref. Rrm 1

Description: SCC would be able to initiate diagnosis and recovery actions at any time for any satellite.

Galileo system level Failure Condition

Ref.: FC2

Title: Detected + restricted loss or degradation of the service with restoration in limited time


FUNCTION: Schedule and broadcast navigation SIS SSF1

FUNCTIONAL FAILURE: Loss of capability to schedule or broadcast SIS SSF1A

SCENARIO: Irrecoverable loss of Payload in some satellites SSF1A2

Description of repercussions: X-Ref

1 - Effect on the GALILEO services and on the operation

Navigation payload on some satellites is irrecoverably lost.
No SIS transmitted in autonomous mode. Some satellites can have stopped transmission in the same time by coincidence or by a common cause.
Immediate detection by user terminal.
If remaining healthy satellites in view are not sufficient to compute a position solution with the required performance, navigation service can be interrupted for several users.
Possible loss of continuity for several users.
If spare in orbit satellites can be positioned to restore the geometric availability, service can be restored within 7 (TBC) days.
Irreversible impact on operations for a number of users.

2 - Detection means (monitoring systems or operators)

Situation is monitored by ground system. Status of satellites is propagated to all users through integrity messages and almanac.

3 - Corrective action and GALILEO system resulting condition

No corrective action

Severity Classification

Major.

RAM-Requirements (Rrq)

Recommendations (Rrm)

Assumptions (Ras)

Ref. Rrm1

Rrq 1

Description: SCC would be able to initiate diagnosis and recovery actions at any time for any satellite.

No common cause/common mode not shown extremely improbable would lead to simultaneous failure on several satellites.

Remark : Common cause and common mode analysis (including external events and other GALILEO segments) will have to be performed as it has a direct impact on spare dimensioning and redundancies.

Galileo system level Failure Condition

Ref.: FC4

Title: Detected + restricted loss or degradation of the service with long term restoration


FUNCTION: Schedule and broadcast navigation SIS SSF1

FUNCTIONAL FAILURE: Loss of capability to schedule or broadcast SIS SSF1A

SCENARIO: Irrecoverable loss of payload in several satellites SSF1A3

Description of repercussions: X-Ref

1 - Effect on the GALILEO services and on the operation

Navigation payload on several satellites is inoperative.
No SIS transmitted in autonomous mode. Several satellites can have stopped transmission in the same time by coincidence or by a common cause.
Immediate detection by user terminal.
If remaining healthy satellites in view are not sufficient to compute a position solution with the required performance, navigation service can be interrupted for a number of users.
Possible loss of continuity for a number of users.
No sufficient spare in orbit satellites to restore the geometric availability. Service is interrupted for duration greater than 4 (TBC) months.
Possible major paralysis of users activities.

2 - Detection means (monitoring systems or operators)

Situation is monitored by ground system. Status of satellites is propagated to all users through integrity messages and almanac.

3 - Corrective action and GALILEO system resulting condition

No corrective action

Severity Classification

Severe

RAM-Requirements (Rrq)

Recommendations (Rrm)

Assumptions (Ras)

Ref. Rrq1

Description: No common cause/common mode not shown extremely improbable would lead to simultaneous failure on several satellites.

Remark : Common cause and common mode analysis (including external events and other GALILEO segments) will have to be performed as it has a direct impact on spare dimensioning and redundancies.

Galileo system level Failure Condition

Ref.: FC3

Title: Detected + world wide loss or degradation of the service with long term restoration

FUNCTION: Schedule and broadcast navigation SIS SSF1
FUNCTIONAL FAILURE: Erroneous scheduling or broadcast of SIS SSF1B

SCENARIO: Detected payload misbehaviour on satellites SSF1B1

Description of repercussions: X-Ref

1 - Effect on the GALILEO services and on the operation

SIS broadcast by satellite is misleading. Some satellites can experience misbehaviour at the same time by coincidence or by common cause. Detection by integrity monitoring network. The misleading data detection is transmitted through the integrity flags. The integrity added service users are warned. If remaining healthy satellites in view are not sufficient to compute a position solution with the required performance, navigation service can be interrupted for some users. Possible loss of continuity for some users. Service outage leading to user dissatisfaction.

The detection by ground system allows the situation to be monitored and corrective measures to be carried out to recover the nominal state or put the system in an acceptable state for all users.

Remark: For non integrity added service users, possible detection by terminal RAIM function.

2 - Detection means (monitoring systems or operators)

Situation is monitored by ground system. Status of satellites is propagated to all users through integrity messages and almanac.

3 - Corrective action and GALILEO system resulting condition

No corrective action

Severity Classification

Minor

RAM-Requirements (Rrq), Recommendations (Rrm), Assumptions (Ras)

Ref: Rrm1
Description: SCC would be able to initiate diagnosis and recovery actions at any time for any satellite.

Ref: Rrq1
Description: No common cause/common mode that is not shown to be extremely improbable would lead to simultaneous failure on several satellites.
Remark: Common cause and common mode analysis (including external events and other GALILEO segments) will have to be performed as it has a direct impact on spare dimensioning and redundancies.

Galileo system level Failure Condition

Ref: FC2

Title: Detected + restricted loss or degradation of the service with restoration in limited time

FUNCTION: Schedule and broadcast navigation SIS SSF1
FUNCTIONAL FAILURE: Erroneous scheduling or broadcast of SIS SSF1B

SCENARIO: Undetected payload misbehaviour on some satellites SSF1B2

Description of repercussions: X-Ref

1 - Effect on the GALILEO services and on the operation

SIS broadcast by satellite is misleading. Some satellites can experience misbehaviour at the same time, by coincidence or by a common cause. The ground system does not detect the misleading data transmission (double failure or satellite not monitored). The application users where availability requirement is expected are supposed to have the RAIM function implemented in their terminal. In the case where only few satellites are affected, possible detection by the RAIM terminal function. If remaining healthy satellites in view are not sufficient to compute a position solution with the required performance, navigation service can be interrupted for few users. Possible loss of continuity for few users.

X-Ref: Ras1

2 - Detection means (monitoring systems or operators)

RAIM terminal function in the case where only some satellites are affected.

3 - Corrective action and GALILEO system resulting condition

No corrective action

Severity Classification

Major

RAM-Requirements (Rrq), Recommendations (Rrm), Assumptions (Ras)

Ref: Rrq1
Description: No common cause/common mode that is not shown to be extremely improbable would lead to simultaneous failure on several satellites.
Remark: Common cause and common mode analysis (including external events and other GALILEO segments) will have to be performed as it has a direct impact on spare dimensioning and redundancies.

Ref: Rrm2
Description: The ground monitoring system (GMF/GNCC respectively RMF/RNCC) coverage rate (detection capability of SIS misbehaviour) must be consistent with the quantitative availability requirements.

Ref: Ras1
Description: The application users where availability requirement is expected are supposed to have the RAIM function implemented in their terminal.

Galileo system level Failure Condition

Ref: FC6

Title: Undetected + restricted loss or degradation of the service with long term restoration

FUNCTION: Schedule and broadcast navigation SIS SSF1
FUNCTIONAL FAILURE: Erroneous scheduling or broadcast of SIS SSF1B

SCENARIO: Undetected payload misbehaviour on several satellites SSF1B3

Description of repercussions: X-Ref

1 - Effect on the GALILEO services and on the operation

SIS broadcast by satellite is misleading. Several satellites can experience misbehaviour at the same time, by coincidence or by a common cause. The ground system does not detect the misleading data transmission (double failure or satellite not monitored). The RAIM function does not detect the misleading data transmission. The users continue to use misleading information.

Even if the services seem to be available to the users, they can experience important consequences on their applications, leading to outage with paralysis of their applications.

2 - Detection means (monitoring systems or operators)

No detection means

3 - Corrective action and GALILEO system resulting condition

No corrective action

Severity Classification

Severe

RAM-Requirements (Rrq), Recommendations (Rrm), Assumptions (Ras)

Ref: Rrq1
Description: No common cause/common mode that is not shown to be extremely improbable would lead to simultaneous failure on several satellites.
Remark: Common cause and common mode analysis (including external events and other GALILEO segments) will have to be performed as it has a direct impact on spare dimensioning and redundancies.

Ref: Rrm2
Description: The ground monitoring system (GMF/GNCC respectively RMF/RNCC) coverage rate (detection capability of SIS misbehaviour) must be consistent with the quantitative availability requirements.

Galileo system level Failure Condition

Ref: FC5

Title: Undetected + world wide loss or degradation of the service with long term restoration

FUNCTION: Synchronise and broadcast navigation/integrity composite SIS SSF2
FUNCTIONAL FAILURE: Loss of capability to synchronise or broadcast composite SIS SSF2A

SCENARIO: Recoverable loss of Payload on one or some satellites SSF2A1

Description of repercussions: X-Ref

1 - Effect on the GALILEO services and on the operation

Navigation payload on one or some satellites is temporarily inoperative. Some satellites can have stopped transmission at the same time by coincidence or by common cause. Immediate detection by user terminal. If remaining healthy satellites in view are not sufficient to compute a position solution with the required performance, navigation service can be interrupted for some users. The detection by the ground system allows the concerned satellites to be switched from connected mode to autonomous mode. In that case the satellites could transmit the navigation message without the integrity data. The non integrity added service could be available after the switching of the satellites. Users of integrity added services experience loss of continuity. Possible loss of continuity for some users, which can be of different duration according to the considered service level. After recovery of the system (4 hours TBC), system is fully operational. Service outage leading to user dissatisfaction for limited duration.

2 - Detection means (monitoring systems or operators)

Situation is monitored by ground system. Status of satellites is propagated to all users through integrity messages and almanac.

If monitoring of satellite is permanent, recovery action can start without delay.

3 - Corrective action and GALILEO system resulting condition

No corrective action

Severity Classification

Minor

RAM-Requirements (Rrq), Recommendations (Rrm), Assumptions (Ras)

Ref: Rrm1
Description: SCC would be able to initiate diagnosis and recovery actions at any time for any satellite.

Ref: Rrq1
Description: No common cause/common mode that is not shown to be extremely improbable would lead to simultaneous failure on several satellites.
Remark: Common cause and common mode analysis (including external events and other GALILEO segments) will have to be performed as it has a direct impact on spare dimensioning and redundancies.

Galileo system level Failure Condition

Ref: FC2

Title: Detected + restricted loss or degradation of the service with restoration in limited time

FUNCTION: Synchronise and broadcast navigation/integrity composite SIS SSF2
FUNCTIONAL FAILURE: Loss of capability to synchronise or broadcast composite SIS SSF2A

SCENARIO: Irrecoverable loss of Payload in some satellites SSF2A2

Description of repercussions: X-Ref

1 - Effect on the GALILEO services and on the operation

Navigation payload on some satellites is irrecoverably lost. Some satellites can have stopped transmission at the same time by coincidence or by common cause. Immediate detection by user terminal. If remaining healthy satellites in view are not sufficient to compute a position solution with the required performance, navigation service can be interrupted for some users. Possible loss of continuity for some users. It is assumed that a satellite in connected mode which experiences a failure cannot then switch to autonomous mode. If spare in-orbit satellites can be positioned to restore the geometric availability, integrity added services can be restored within 7 (TBC) days. Irreversible impact on operations for a number of users.

X-Ref: Ras2

2 - Detection means (monitoring systems or operators)

Situation is monitored by ground system.

3 - Corrective action and GALILEO system resulting condition

No corrective action

Severity Classification

Major

RAM-Requirements (Rrq), Recommendations (Rrm), Assumptions (Ras)

Ref: Rrm1
Description: SCC would be able to initiate diagnosis and recovery actions at any time for any satellite.

Ref: Rrq1
Description: No common cause/common mode that is not shown to be extremely improbable would lead to simultaneous failure on several satellites.
Remark: Common cause and common mode analysis (including external events and other GALILEO segments) will have to be performed as it has a direct impact on spare dimensioning and redundancies.

Ref: Ras2
Description: It is assumed that a satellite in connected mode which experiences a failure cannot then switch to autonomous mode.

Galileo system level Failure Condition

Ref: FC4

Title: Detected + restricted loss or degradation of the service with long term restoration

FUNCTION: Synchronise and broadcast navigation/integrity composite SIS SSF2
FUNCTIONAL FAILURE: Loss of capability to synchronise or broadcast composite SIS SSF2A

SCENARIO: Irrecoverable payload failed on several satellites SSF2A3

Description of repercussions: X-Ref

1 - Effect on the GALILEO services and on the operation

Navigation payload on several satellites is irrecoverably lost. Satellites can have stopped transmission at the same time by coincidence or by common cause. Immediate detection by user terminal. If remaining healthy satellites in view are not sufficient to compute a position solution with the required performance, navigation service can be interrupted for a number of users. Possible loss of continuity for a number of users. It is assumed that a satellite in connected mode which experiences a failure cannot then switch to autonomous mode. No sufficient spare in-orbit satellites to restore the geometric availability. Integrity added services are interrupted for a duration greater than 4 (TBC) months.

X-Ref: Ras2

2 - Detection means (monitoring systems or operators)

Situation is monitored by ground system. Status of satellites is propagated to all users through integrity messages and almanac.

3 - Corrective action and GALILEO system resulting condition

No corrective action

Severity Classification

Severe

RAM-Requirements (Rrq), Recommendations (Rrm), Assumptions (Ras)

Ref: Rrq1
Description: No common cause/common mode that is not shown to be extremely improbable would lead to simultaneous failure on several satellites.
Remark: Common cause and common mode analysis (including external events and other GALILEO segments) will have to be performed as it has a direct impact on spare dimensioning and redundancies.

Ref: Ras2
Description: It is assumed that a satellite in connected mode which experiences a failure cannot then switch to autonomous mode.

Galileo system level Failure Condition

Ref: FC3

Title: Detected + world wide loss or degradation of the service with long term restoration

FUNCTION: Synchronise and broadcast navigation/integrity composite SIS SSF2
FUNCTIONAL FAILURE: Erroneous synchronisation or broadcast of composite SIS SSF2B

SCENARIO: Payload misbehaviour on satellites SSF2B1/2B2/2B3

Description of repercussions: X-Ref

1 - Effect on the GALILEO services and on the operation

SIS retransmission is erratic, unsynchronised and misleading. Possible detection by terminal RAIM function. Immediate detection by integrity monitoring network. Immediate detection at ULS. Uplink SIS is stopped. Satellite payload is deactivated. Some satellites can have stopped transmission at the same time by coincidence or by a common cause. Immediate detection by user terminal. If remaining healthy satellites in view are not sufficient to compute a position solution with the required performance, navigation service can be interrupted for some users. In the case where the erroneous synchronisation or broadcast of composite SIS is detected, the same scenarios as in the loss context are experienced. This leads to distinguishing the same three scenarios.

SSF2B1: Recoverable detected misbehaviour on some satellites: refer to SSF2A1
SSF2B2: Irrecoverable detected misbehaviour on some satellites: refer to SSF2A2
SSF2B3: Irrecoverable detected misbehaviour on several satellites: refer to SSF2A3

2 - Detection means (monitoring systems or operators)

SSF2B1: refer to SSF2A1
SSF2B2: refer to SSF2A2
SSF2B3: refer to SSF2A3

3 - Corrective action and GALILEO system resulting condition

SSF2B1: refer to SSF2A1
SSF2B2: refer to SSF2A2
SSF2B3: refer to SSF2A3

Severity Classification

SSF2B1: refer to SSF2A1
SSF2B2: refer to SSF2A2
SSF2B3: refer to SSF2A3

RAM-Requirements (Rrq), Recommendations (Rrm), Assumptions (Ras)

Ref / Description:
SSF2B1: refer to SSF2A1
SSF2B2: refer to SSF2A2
SSF2B3: refer to SSF2A3

Galileo system level Failure Condition

Ref / Title:
SSF2B1: refer to SSF2A1
SSF2B2: refer to SSF2A2
SSF2B3: refer to SSF2A3

FUNCTION: Synchronise and broadcast navigation/integrity composite SIS SSF2
FUNCTIONAL FAILURE: Erroneous synchronisation or broadcast of composite SIS SSF2B

SCENARIO: Undetected payload misbehaviour on few or some satellites SSF2B4

Description of repercussions: X-Ref

1 - Effect on the GALILEO services and on the operation

SIS broadcast by satellite is misleading. Some satellites can experience misbehaviour at the same time, by coincidence or by a common cause. The ground system does not detect the misleading data transmission. In the case where only few satellites are affected, possible detection by the RAIM terminal function. In this case, if remaining healthy satellites in view are not sufficient to compute a position solution with the required performance, navigation service can be interrupted for some (?) users. Possible loss of continuity for some users. Service outage leading to user dissatisfaction. As failure is not detected by ground system, potential recovery solutions are not carried out.

Possible degradation leading to outage with irreversible impact on user operation or business.

2 - Detection means (monitoring systems or operators)

RAIM terminal function detection in the case where only some satellites are affected.

3 - Corrective action and GALILEO system resulting condition

No corrective action

Severity Classification

Major

RAM-Requirements (Rrq), Recommendations (Rrm), Assumptions (Ras)

Ref: Rrm1
Description: SCC would be able to initiate diagnosis and recovery actions at any time for any satellite.

Ref: Rrq1
Description: No common cause/common mode that is not shown to be extremely improbable would lead to simultaneous failure on several satellites.
Remark: Common cause and common mode analysis (including external events and other GALILEO segments) will have to be performed as it has a direct impact on spare dimensioning and redundancies.

Ref: Rrm2
Description: The ground monitoring system (GMF/GNCC respectively RMF/RNCC) coverage rate (detection capability of SIS misbehaviour) must be consistent with the quantitative availability requirements.

Galileo system level Failure Condition

Ref: FC6

Title: Undetected + restricted loss or degradation of the service with long term restoration

FUNCTION: Synchronise and broadcast navigation/integrity composite SIS SSF2
FUNCTIONAL FAILURE: Erroneous synchronisation or broadcast of composite SIS SSF2B

SCENARIO: Undetected payload misbehaviour on several or more satellites SSF2B5

Description of repercussions: X-Ref

1 - Effect on the GALILEO services and on the operation

SIS broadcast by satellite is misleading. Several satellites can experience misbehaviour at the same time, by coincidence or by a common cause. The ground system does not detect the misleading data transmission (double failures). The RAIM function does not detect the misleading data transmission. The users continue to use misleading information.

Even if the services seem to be available to the users, they can experience important consequences on their applications, leading to outage with major paralysis of user activities.

2 - Detection means (monitoring systems or operators)

No detection means

3 - Corrective action and GALILEO system resulting condition

No corrective action

Severity Classification

Severe

RAM-Requirements (Rrq), Recommendations (Rrm), Assumptions (Ras)

Ref: Rrq1
Description: No common cause/common mode that is not shown to be extremely improbable would lead to simultaneous failure on several satellites.
Remark: Common cause and common mode analysis (including external events and other GALILEO segments) will have to be performed as it has a direct impact on spare dimensioning and redundancies.

Ref: Rrm2
Description: The ground monitoring system (GMF/GNCC respectively RMF/RNCC) coverage rate (detection capability of SIS misbehaviour) must be consistent with the quantitative availability requirements.

Galileo system level Failure Condition

Ref: FC5

Title: Undetected + world wide loss or degradation of the service with long term restoration

FUNCTION: Receive access management messages SSF3
FUNCTIONAL FAILURE: Error in reception or process of protection keys. SSF3A

SCENARIO: Corruption or misuse of coding keys in payload. SSF3A1

Description of repercussions: X-Ref

1 - Effect on the GALILEO services and on the operation

Failure can interrupt normal TM&TC transactions with satellite. Final resulting state is supposed to be a stop of SIS transmission. Satellite is inoperative. Failure can interrupt normal encoding of encrypted signal (SAS). Immediate detection by monitoring system. Final resulting state is supposed to be a satellite payload stopped or declared unhealthy. Satellite is inoperative.

No undetectable corruption in retransmission of navigation and integrity messages due to encoding/decoding process in satellite payload is foreseen (in connected mode).

Geographic deactivation/denial of service is supposed not to make use of satellites depending on their position in orbit.

In case of failure due to common cause or common mode, several satellites are affected. Loss of service for most of the users, leading to major paralysis of their activities.

X-Ref: OP3, OP4, OP5, OP6

2 - Detection means (monitoring systems or operators)

Immediate detection by GNCC. Possible use of back up key or old keys.

X-Ref: ROP19

3 - Corrective action and GALILEO system resulting condition

For key management, system may implement an unencrypted mode as fallback.

X-Ref: Rrm3

Severity Classification

Severe

RAM-Requirements (Rrq), Recommendations (Rrm), Assumptions (Ras)

Ref: Rrm3 (Rec12)
Description: For key management, in degraded mode system may implement an unencrypted mode as fallback.

Ref: Rop19
Description: Possible use of back up key or old keys.

Galileo system level Failure Condition

Ref: FC3

Title: Detected + world wide loss or degradation of the service with long term restoration

FUNCTION: Set TM&TC link with satellite for housekeeping and navigation messages SSF4
FUNCTIONAL FAILURE: Loss of transmission means SSF4A

SCENARIO: Failure on TM&TC chain: CUI, USF, ULF, P/F SSF4A1

Description of repercussions: X-Ref

1 - Effect on the GALILEO services and on the operation

Failure interrupts normal TM&TC transactions with satellite.

If failure on P/F: immediate detection by ULS. The satellite is not monitored. The status of the satellite is transmitted to the users. Several satellites may experience the failure at the same time by coincidence or by common cause. In that case, if remaining satellites in view are not sufficient to compute a position solution with the required performance, navigation service can be interrupted for some users. Possible loss of continuity for some users. (It is supposed that as the TM/TC link with the satellite is lost, it is not possible to start recovery action at satellite level.) If spare in-orbit satellites can be positioned to restore the lost satellites, full service can be restored within 7 (tbc) days. Irreversible impact on operations for a number of users.

If failure on one of the elements of the ground "segment" chain: immediate detection at GNCC level. Possible use of another ULS to recover the TM/TC link with the satellite. Several ULS components could experience the failure at the same time by coincidence or common cause. In that case recovery action by use of another ULS might not be possible. In that case (worst case), the system could be partially (or totally) inoperative during the necessary recovery time of the ULS components. Outage with irreversible impact on user activity.

X-Ref: Ras3

2 - Detection means (monitoring systems or operators)

ULS can detect the P/F failure. GNCC can detect the ULS component failures.

3 - Corrective action and GALILEO system resulting condition

In case of failure on satellite P/F, the status of the satellite is transmitted to the users. In case of ULS components failure, possible use of another ULS to set TM/TC link with the satellite. The recovery action on the faulty ULS component is initiated after detection and reporting at maintenance entity level.

X-Ref: Rrq3

Severity Classification

Severe (worst case) – (Major if Rrq3 applied)

RAM-Requirements (Rrq), Recommendations (Rrm), Assumptions (Ras)

Ref: Rrq1
Description: No common cause/common mode that is not shown to be extremely improbable would lead to simultaneous failure on several satellites.

Ref: Rrq2
Description: No common cause/common mode that is not shown to be extremely improbable would lead to simultaneous failure on several ULS components.

Ref: Rrq3
Description: Detection and reporting of any failure of ULS components at maintenance entity level shall be performed to initiate recovery action.

Ref: Ras3
Description: It is supposed that when the TM/TC link with the satellite is lost, it is not possible to start recovery action at satellite level.

Galileo system level Failure Condition

Ref: FC3

Title: Detected + world wide loss or degradation of the service with long term restoration (FC4 if Rrq applied)

FUNCTION: Set TM&TC link with satellite for housekeeping and navigation messages SSF4
FUNCTIONAL FAILURE: Undetected erroneous transmission SSF4B

SCENARIO: TM&TC chain misbehaviour SSF4B1

Description of repercussions: X-Ref

1 - Effect on the GALILEO services and on the operation

TBD
Corruption of navigation message must be assessed during transmission and in satellite and ground buffers.

X-Ref: OP3

2 - Detection means (monitoring systems or operators)

3 - Corrective action and GALILEO system resulting condition

Severity Classification

TBD

RAM-Requirements (Rrq), Recommendations (Rrm), Assumptions (Ras)

Ref: Description:

Galileo system level Failure Condition

Ref: Title:

FUNCTION: Set uplinks to satellites for navigation/integrity composite messages SSF5
FUNCTIONAL FAILURE: Loss of transmission means SSF5A

SCENARIO: Failure on uplink chain: USF, ULF, P/F SSF5A1

Description of repercussions: X-Ref

1 - Effect on the GALILEO services and on the operation

Failure interrupts connected mode with satellite. Adequate protections and fallback procedures are supposed to be implemented in the platform in case of detected interruption of communication means. Current resulting satellite state is supposed to be autonomous mode. ULS detects the satellite failure to initiate the recovery actions. After recovery (4 hours TBC), satellite P/F is operative. Several satellite payloads may be stopped at the same time by coincidence or by common cause. If there are not sufficient active satellites in view, integrity monitoring service can be discontinued for some users. Possible loss of continuity for some users of integrity added services. The other services (non integrity added services) do not experience any effect. In that case, outage leading to user dissatisfaction.

If failure on one of the elements of the ground "segment" chain: immediate detection at GNCC level. Possible use of another ULS to recover the uplink function with the satellite. Several ULS components could experience the failure at the same time by coincidence or common cause. In that case recovery action by use of another ULS might not be possible. In that case (worst case), the system could be partially (or totally) inoperative for the integrity added services during the necessary recovery time of the ULS components. Outage with irreversible impact on user activity.

X-Ref: OP3

2 - Detection means (monitoring systems or operators)

ULS can detect the P/F failure. GNCC can detect the ULS component failures.

3 - Corrective action and GALILEO system resulting condition

In case of failure on satellite P/F, satellite switches to autonomous mode. In case of ULS components failure, possible use of another ULS to set uplink with the satellite. The recovery action on the faulty ULS component is initiated after detection and reporting at maintenance entity level.

X-Ref: Rrq3

Severity Classification

Minor (P/F failure)
Severe (ULS chain – worst case) – Major if Rrq applied

RAM-Requirements (Rrq), Recommendations (Rrm), Assumptions (Ras)

Ref: Rrq1
Description: No common cause/common mode that is not shown to be extremely improbable would lead to simultaneous failure on several satellites.

Ref: Rrq2
Description: No common cause/common mode that is not shown to be extremely improbable would lead to simultaneous failure on several ULS components.

Ref: Rrq3
Description: Detection and reporting of any failure of ULS components at maintenance entity level shall be performed to initiate recovery action.

Ref: Ras4
Description: Adequate protections and fallback procedures are supposed to be implemented in the satellite platform in case of detected interruption of communication means.

Galileo system level Failure Condition

Ref: FC2
Title: Detected + restricted loss or degradation of the service with restoration in limited time (P/F)

Ref: FC3
Title: Detected + world wide loss or degradation of the service with long term restoration (ULS chain) (FC4 if Rrq applied)

FUNCTION: Set uplinks to satellites for navigation/integrity composite messages SSF5
FUNCTIONAL FAILURE: Undetected erroneous uplink transmission SSF5B

SCENARIO: Uplink chain misbehaviour SSF5B1

Description of repercussions: X-Ref

1 - Effect on the GALILEO services and on the operation

TBD
If misbehaviour is originated by GUI, USF or ULF, it can affect most of the satellites in link.
Navigation integrity composite messages are misleading.
Possible detection by GIC (tbc)
Possible detection by RAIM function (tbc)
Capability for user terminal to discriminate information from different sources?
Loss of continuity of service? (false alarm)
Loss of integrity of service?

X-Ref: OP3, OP15, OP10

2 - Detection means (monitoring systems or operators)

TBD

3 - Corrective action and GALILEO system resulting condition

If ULF system has capability to directly monitor signal broadcast by satellite in connection, it can immediately stop connected mode in case of discrepancy.

Severity Classification

TBD

RAM-Requirements (Rrq), Recommendations (Rrm), Assumptions (Ras)

Ref: Rrq4
Description: Probability of satellite to broadcast misleading navigation/integrity composite message must be less than extremely improbable.

Galileo system level Failure Condition

Ref: TBD

Title: TBD


FUNCTION: Monitor and configure constellation status (housekeeping) [SSF6]
FUNCTIONAL FAILURE: Loss of capability to monitor or configure constellation [SSF6A]
SCENARIO: SCF failed [SSF6A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
Satellites remain active for a moment.
GNCF is supposed to keep control on satellites operating in connected mode.
No monitoring of satellites status, ULS status and CAN status. No capability to reconfigure them.
No capability to reconfigure satellite in connected mode. Satellites in connected mode revert progressively in autonomous mode.
No capability to update navigation tables in payloads operating in autonomous mode (beam scheduling is SCF function).
Navigation signal degrades progressively.
The satellites should remain in autonomous mode as long as the degradation of the navigation signal is acceptable.
If detected, possible reconfiguration without impact on the non integrity services.
Otherwise service is discontinued for most of users.
For integrity added services, loss of service.
X-Ref: OP7, Rrm4

2 - Detection means (monitoring systems or operators)
Possible detection by operators (tbc)

3 - Corrective action and GALILEO system resulting condition
SCF failure shall be without immediate effect on operational service
Recovery time of SCF function shall be less than time leading to unacceptable service degradation.
X-Ref: Rrq5, Rrq6

Severity Classification
Severe – (Minor if Rrq5 applied; Major if Rrq6 applied)

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)
Ref: Rrq 5. Description: SCF failure shall be without immediate effect on operational service (necessity to exclude beam scheduling function).
Ref: Rrq 6. Description: Recovery time of SCF function shall be less than time leading to unacceptable service degradation
Ref: Rrq 7. Description: SCF failure shall be detected and reported at maintenance entity level to initiate immediate recovery actions
Ref: Rrm 4. Description: The satellites should stay in autonomous mode as long as the degradation of the navigation signal is acceptable

Galileo system level Failure Condition
Ref: FC3, FC7, FC1
Title: Detected + world wide loss or degradation of the service with long term restoration (if Rrq5: FC7; if Rrq6/7: FC1)


FUNCTION: Monitor and configure constellation status (housekeeping) [SSF6]
FUNCTIONAL FAILURE: Undetected error in monitoring or configuring constellation [SSF6B]
SCENARIO: SCF misbehaviour [SSF6B1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
Unpredictable behaviour of SCF with regard to satellites status, ULS status or CAN status.
As relation between SCF and ULS network is hierarchical, repercussions could be to lock most of ULS functions on several or more stations
Global and regional integrity added services could be impaired or interrupted.
Service possibly discontinued for most of users of services with integrity function.
Satellites are supposed to remain active for a moment.
Possible incapacity to update navigation tables in autonomous mode.
Navigation signal degrades progressively.
The satellites should remain in autonomous mode as long as the degradation of the navigation signal is acceptable
Service is discontinued for most of users.
X-Ref: OP7, Rrm4

2 - Detection means (monitoring systems or operators)
SCF operator should have the capability to check the SCF output data.
X-Ref: Rrm5

3 - Corrective action and GALILEO system resulting condition
SCF failure shall be without immediate effect on operational service
X-Ref: Rrq5

Severity Classification
Severe (Minor if Rrq5 applied)

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)
Ref: Rrq5. Description: SCF failure shall be without immediate effect on operational service (necessity to exclude beam scheduling function).
Ref: Rrm 5. Description: SCF operator should have the capability to check the SCF output data
Ref: Rrm4. Description: The satellites should remain in autonomous mode as long as the degradation of the navigation signal is acceptable

Galileo system level Failure Condition
Ref: FC5
Title: Undetected + world wide loss or degradation of the service with long term restoration (if Rrq5: FC7)


FUNCTION: Receive and transmit SAR user signal [SSF7]
FUNCTIONAL FAILURE: Loss of capability to receive or retransmit SAR user signal [SSF7A]
SCENARIO: SAR payload failure on several satellites. [SSF7A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
Risk to discontinue SAR service for some users (from common cause).
Outage with irreversible impact on user activity.
X-Ref: OP8

2 - Detection means (monitoring systems or operators)
GALILEO monitoring system shall be able to test and detect SAR payload failure to initiate recovery actions
X-Ref: Rrq8

3 - Corrective action and GALILEO system resulting condition
No corrective action

Severity Classification
Severe (Major if Rrq8 or 9 applied; Minor if Rrq8+9 applied)

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)
Ref: Rrq 8. Description: GALILEO monitoring system shall be able to test and detect SAR payload failure to initiate recovery actions
Ref: Rrq 9. Description: No common cause/common mode not shown extremely improbable would lead to simultaneous failure on several SAR payloads.

Galileo system level Failure Condition
Ref: FC3
Title: Detected + world wide loss or degradation of the service with long term restoration (if Rrq8: FC1; if Rrq9: FC4; if Rrq8+9: FC2)


FUNCTION: Receive and transmit SAR user signal [SSF7]
FUNCTIONAL FAILURE: Undetected error in transmitted SAR user signal [SSF7B]
SCENARIO: SAR payload misbehaviour. [SSF7B1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
Risk to discontinue SAR service for some users (from common cause).
X-Ref: OP8

2 - Detection means (monitoring systems or operators)

3 - Corrective action and GALILEO system resulting condition

Severity Classification
Severe (major if Rrq9 applied)

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)
Ref: Rrq9. Description: No common cause/common mode not shown extremely improbable would lead to simultaneous failure on several SAR payloads

Galileo system level Failure Condition
Ref: FC5
Title: Undetected + world wide loss or degradation of the service with long term restoration (if Rrq9: FC6)


FUNCTION: Collect globally raw data for position/time parameters of the satellites [GSF1]
FUNCTIONAL FAILURE: Loss of capability to provide raw data for position & time parameters. [GSF1A]
SCENARIO: All GMF in several stations fail to provide intended data [GSF1A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
Failure can come from common cause/mode failure.
GIPF/GCPF/OSPF do not receive intended data
Inability to compute valid integrity information for several satellites.
Integrity added service is discontinued for a number of users.
OSPF do not receive intended data.
Inability to update navigation data for most of the satellites.
After some time (TBD) the failure leads to a general decrease of SIS accuracy and degradation of service for most of users.
When alarm limits rise up, navigation service is discontinued for users.
Detection at maintenance entity level allows to initiate the recovery actions. If recovery actions are performed in a time less than the degradation of service leading to loss of navigation service (alarm limits), the non integrity added navigation service is degraded for most of users. Integrity added service is lost for most of users.
Outage with irreversible impact on user activity for integrity added services.
Service outage leading to user dissatisfaction for non integrity added services (if Rrq applied).
X-Ref: OP1, Rrq10

2 - Detection means (monitoring systems or operators)
Immediate detection at GNCC.

3 - Corrective action and GALILEO system resulting condition
Recovery actions (operational and maintenance) can be initiated to recover the nominal operating state (without service loss for non integrity added services).

Severity Classification
Severe (Major if Rrq10 or 9 applied; Minor if Rrq9+10 applied)

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)
Ref: Rrq 10. Description: Detection and reporting of any GMF failure at maintenance entity level shall be performed to allow recovery actions in time less than service degradation time leading to loss of navigation service (alarm limits)
Ref: Rrq 11. Description: No common cause/common mode not shown extremely improbable should lead to simultaneous failure on several GMF

Galileo system level Failure Condition
Ref: FC3
Title: Detected + world wide loss or degradation of the service with long term restoration (if Rrq10: FC4; if Rrq9: FC1 for integrity added service – no effect on other services; if Rrq9+10: FC2 for integrity added services)


FUNCTION: Collect globally raw data for position/time parameters of the satellites [GSF1]
FUNCTIONAL FAILURE: Undetected erroneous raw data is provided [GSF1B]
SCENARIO: Undetected loss of synchronisation for all GMF in several stations [GSF1B1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
Failure can come from common cause/mode failure
OSPF will compute navigation solution from erroneous data and may be misled.
After some time (TBD) this erroneous navigation data is transmitted to the satellites.
Possible loss of SIS/SISA accuracy for a number of users.
Users can receive misleading navigation information.
Possible outage leading to major paralysis of users activities.
X-Ref: OP13

2 - Detection means (monitoring systems or operators)
TBD

3 - Corrective action and GALILEO system resulting condition
If GMS network has capability to fully backup a failed GMS, the system is still operative.
System can be designed as a misleading information from one GMS can not degrade significantly the service.

Severity Classification
Severe (major if Rrq11 applied)

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)
Ref: Rrq11. Description: No common cause/common mode not shown extremely improbable should lead to simultaneous failure on several GMF
Ref: Rrq 12. Description: GALILEO system shall be robust against one GMF failure in GMS station

Galileo system level Failure Condition
Ref: FC5
Title: Undetected + world wide loss or degradation of the service with long term restoration (if Rrq11: FC6)


FUNCTION: Build navigation data from position/time parameters [GSF2]
FUNCTIONAL FAILURE: Loss of capability to compute navigation data [GSF2A]
SCENARIO: Navigation data processing function failed [GSF2A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
Navigation data can not be computed
Navigation data in all satellite navigation payloads are not updated
After some time (TBD) the failure leads to a general decrease of SIS/SISA accuracy.
General degradation of service for the users.
When alarm limits rise up, service is discontinued for users.
Detection at GNCC level (tbd).
Immediate loss of integrity added service
Degradation of non integrity added service.

2 - Detection means (monitoring systems or operators)
Detection at GNCC level (tbd).
Detection and reporting of any OSPF failure shall be performed at maintenance entity level.
X-Ref: Rrq13

3 - Corrective action and GALILEO system resulting condition
If failure detected and reported, OSPF function recovery action shall be performed to allow recovery actions in time less than service degradation time leading to loss of navigation service (alarm limits).
X-Ref: Rrq14

Severity Classification
Severe (Major if Rrq13+14 applied)

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)
Ref: Rrq 13. Description: Detection and reporting of any OSPF failure shall be performed at maintenance entity level.
Ref: Rrq 14. Description: OSPF function recovery action shall be performed to allow recovery actions in time less than service degradation time leading to loss of navigation service (alarm limits).

Galileo system level Failure Condition
Ref: FC3
Title: Detected + world wide loss or degradation of the service with long term restoration (If Rrq13+14: FC1) (if Rrq14: no effect on non integrity added service)


FUNCTION: Build navigation data from position/time parameters [GSF2]
FUNCTIONAL FAILURE: Computation of erroneous navigation data [GSF2B]
SCENARIO: Navigation data processing function misbehaviour [GSF2B1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
Note: if detected same as GSF2A1
OSPF will compute erroneous navigation data
After some time (TBD) this erroneous navigation data is transmitted to the constellation
Loss of SIS/SISA accuracy for navigation SIS.
Users can receive misleading navigation information.
When alarm limits rise up, service is discontinued for most of users, but source of the misbehaviour is not identified. (Localisation problem).

2 - Detection means (monitoring systems or operators)
GALILEO system shall be able to detect erroneous navigation data computed by OSPF.
X-Ref: Rrq15

3 - Corrective action and GALILEO system resulting condition
OSPF function shall have redundancy allowing OSPF function back up without loss of service or temporarily service degradation.
X-Ref: Rrq14

Severity Classification
Severe (Major if Rrq 14+15 applied)

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)
Ref: Rrq 15. Description: GALILEO system shall be able to localise erroneous navigation data computed by OSPF
Ref: Rrq14. Description: OSPF function recovery action shall be performed to allow recovery actions in time less than service degradation time leading to loss of navigation service (alarm limits).

Galileo system level Failure Condition
Ref: FC5
Title: Undetected + world wide loss or degradation of the service with long term restoration (if Rrq14+15: FC1)


FUNCTION: Build globally integrity data from position/time parameters [GSF3]
FUNCTIONAL FAILURE: Loss of capability to compute integrity data [GSF3A]
SCENARIO: GIPF or GCPF have failed [GSF3A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
Global integrity information is no more updated.
Service is discontinued for most of users of services with integrity function.
Services without integrity function are not impacted.
Remark: The GIPF/GCPF function is world wide distributed in three sites due to TTA constraint. Thus loss of GIPF/GCPF function could come from common mode/cause event. If a failure on one site is considered, the loss of GIPF/GCPF function may be partial (degraded mode). However, there is no redundancy between the three sites.
X-Ref: OP10, Ras6

2 - Detection means (monitoring systems or operators)
Detection at GNCC level (tbd).
Detection and reporting of any GIPF/GCPF failure shall be performed at maintenance entity level
X-Ref: Rrq16

3 - Corrective action and GALILEO system resulting condition
Recovery actions shall be initiated upon detection of GIPF/GCPF failure to reduce the unavailability time for integrity added services.
GALILEO system must be designed to keep non integrity added service available in case of GIPF/GCPF failure
X-Ref: Rrq17, Ras5

Severity Classification
No effect for services without integrity function
Severe for services with integrity function (Major if Rrq16/17 or 18 applied; Minor if Rrq16/17/18 applied)

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)
Ref: Rrq 16. Description: Detection and reporting of any GIPF/GCPF failure shall be performed at maintenance entity level
Ref: Rrq 17. Description: Recovery actions shall be initiated upon detection of GIPF/GCPF failure to reduce the unavailability time for integrity added services.
Ref: Rrq 18. Description: No common cause/common mode not shown extremely improbable should lead to simultaneous failure on several GIPF/GCPF
Ref: Ras5. Description: GALILEO system must be designed to keep non integrity added service available in case of GIPF/GCPF failure
Ref: Rop20. Description: What is the element which can flag the GIPF/GCPF failure (as the GIPF/GCPF are responsible for the monitoring integrity data) ?
Ref: Rop21. Description: What redundancy can be considered between GIPF/GCPF and RIPF/RCPF ?
Ref: Ras6. Description: The GIPF/GCPF function is world wide distributed in three sites due to TTA constraint. Thus loss of GIPF/GCPF function could come from common mode/cause event. If a failure on one site is considered, the loss of GIPF/GCPF function may be partial (degraded mode). However, there is no redundancy between the three sites

Galileo system level Failure Condition
Ref: FC3
Title: Detected + world wide loss or degradation of the service with long term restoration (for int. Add. Services) (if Rrq16+17: FC1; if Rrq18: FC4; if Rrq16+17+18: FC2)


FUNCTION: Build globally integrity data from position/time parameters [GSF3]
FUNCTIONAL FAILURE: Computation of erroneous integrity monitoring data [GSF3B]
SCENARIO: GIPF or GCPF compute an undue degradation of navigation data. [GSF3B1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
Global integrity information is updated with flagged integrity or not monitored status for several or more satellites.
Service is discontinued for a number of users of services with integrity function.
X-Ref: OP10

2 - Detection means (monitoring systems or operators)
No detection means

3 - Corrective action and GALILEO system resulting condition
No corrective action

Severity Classification
No effect for services without integrity function
Severe for services with integrity function (No effect if Rrq19 applied)

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)
Ref: Ras5. Description: GALILEO system must be designed to keep non integrity added service available in case of GIPF/GCPF failure
Ref: Rrq 19. Description: GALILEO system shall be designed in order that false alarm due to erroneous integrity monitoring data computation or alarm limit tuning does not lead to unacceptable unavailability level for integrity added services

Galileo system level Failure Condition
Ref: FC5
Title: Undetected + world wide loss or degradation of the service with long term restoration (if Rrq19: No effect (TBC))


FUNCTION: Build globally integrity data from position/time parameters [GSF3]
FUNCTIONAL FAILURE: Computation of erroneous integrity monitoring data [GSF3B]
SCENARIO: GIPF and GCPF compute integrity data that do not reflect a real degradation of navigation data (multiple failures). [GSF3B2]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
Safety related scenario: integrity event
Global integrity information is updated with integrity status that do not reflect a real degradation of service for several or more satellites. Users are not informed.
Service is discontinued for a number of users with RAIM like capability receivers.
Several users can receive misleading navigation information. These users would have experienced multiple failures:
- SISA values computed by OSPF for some satellites would not reflect a degradation of SIS (not caused by artificial interference or multi-path effect)
- GIPF/GCPF would fail to detect this degradation from relevant information provided by GMS network.
- User receiver would experience an unsuccessful RAIM check.
On RAM point of view and risk project, this scenario when detected afterwards by users could impact seriously the GALILEO system program even if the nominal state has been recovered. It corresponds for the integrity added services to an unavailability time during the degraded states.
Outage leading to major paralysis of user activities for integrity added services.
No impact on user activities for non integrity added services.

2 - Detection means (monitoring systems or operators)
TBD

3 - Corrective action and GALILEO system resulting condition
TBD

Severity Classification
Severe for integrity added services
No impact for non integrity added services

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)
Ref: Rrq 20. Description: Probability that multiple failures at GIPF/GCPF level leading to integrity event and unavailability of the integrity added service shall be less than extremely improbable.
Ref: Ras5. Description: GALILEO system must be designed to keep non integrity added services available in case of GIPF/GCPF failures

Galileo system level Failure Condition
Ref: FC5
Title: Undetected + world wide loss or degradation of the service with long term restoration


FUNCTION: Schedule and transmit navigation and/or integrity composite message [GSF4]
FUNCTIONAL FAILURE: Reduction of GUI capability to transmit navigation data [GSF4A]
SCENARIO: One or some GUI failed [GSF4A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
One or some GUI have failed and can not transmit navigation data to the target satellite payloads
All satellites impacted remain or revert to autonomous mode.
Navigation data in several or more satellite navigation payloads are not updated in due time.
After some time (TBD) the failure can lead to a general decrease of SIS accuracy.
Possible degradation of service for a number of users.
Non integrity added services remain operational for a given time.

2 - Detection means (monitoring systems or operators)
GUI Failure is detected by GNCF.

3 - Corrective action and GALILEO system resulting condition
Detection and reporting of any GUI failure at maintenance entity level shall be performed to allow recovery actions in time less than service degradation time leading to loss of navigation service.
X-Ref: Rrq21

Severity Classification
Major (Minor if Rrq21 applied)

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)
Ref: Rrq 21. Description: Detection and reporting of any GUI failure at maintenance entity level shall be performed to allow recovery actions in time less than service degradation time leading to loss of navigation service

Galileo system level Failure Condition
Ref: FC4
Title: Detected + restricted loss or degradation of the service with long term restoration (if Rrq21: FC2)


FUNCTION: Schedule and transmit navigation and/or integrity composite message [GSF4]
FUNCTIONAL FAILURE: Reduction of GUI capability to transmit navigation data [GSF4A]
SCENARIO: Several or more GUI failed [GSF4A2]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
One or some GUI have failed and can not transmit navigation data to the target satellite payloads
Several GUI can experience failure in the same time, by coincidence or by a common mode cause.
All satellites impacted remain or revert to autonomous mode.
Service is discontinued for a number of users of services with integrity function.
Navigation data in most of the satellite navigation payloads are not updated in due time.
After some time (TBD) the failure leads to a general decrease of SIS accuracy.
Degradation of service for a number of users.
Immediate loss of continuity for integrity added services.
Non integrity added services remain operational for a given time.

2 - Detection means (monitoring systems or operators)
GUI Failure is detected by GNCF.

3 - Corrective action and GALILEO system resulting condition
Detection and reporting of any GUI failure at maintenance entity level shall be performed to allow recovery actions in time less than service degradation time leading to loss of navigation service.
X-Ref: Rrq21

Severity Classification
Severe (Major if Rrq21 or 22 applied; Minor if Rrq21+22 applied)

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)
Ref: Rrq21. Description: Detection and reporting of any GUI failure at maintenance entity level shall be performed to allow recovery actions in time less than service degradation time leading to loss of navigation service.
Ref: Rrq 22. Description: No common cause/common mode not shown extremely improbable shall lead to simultaneous failure on several GUI

Galileo system level Failure Condition
Ref: FC3
Title: Detected + world wide loss or degradation of the service with long term restoration (if Rrq21: FC1; if Rrq22: FC4; if Rrq21+22: FC2)


FUNCTION: Schedule and transmit navigation and/or integrity composite message [GSF4]
FUNCTIONAL FAILURE: Undetected corruption in transmission of message for GUI [GSF4B]
SCENARIO: GUI misbehaviour. [GSF4B1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
Message passing through GUI may experience corruption of data or error in dispatch.
Situation can result in some satellites to revert in autonomous mode or transmit misleading integrity messages.
Service can be discontinued for a number of users of services with integrity function.
X-Ref: OP2, OP9

2 - Detection means (monitoring systems or operators)
TBD

3 - Corrective action and GALILEO system resulting condition
TBD

Severity Classification
Severe/major TBD

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)
Ref:
Description:

Galileo system level Failure Condition
Ref: FC5/FC6 (Tbd)
Title: Undetected + world wide loss or degradation of the service with long term restoration / Undetected + restricted loss or degradation of the service with long term restoration


FUNCTION: Deliver access management messages [GSF5]
FUNCTIONAL FAILURE: Loss of capability in dispatching and scheduling protection keys. [GSF5A]
SCENARIO: GNCF failure [GSF5A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
Renewal of encoding and decoding keys will be partially completed or not performed.
Risk of interruption of related services for a number of users.
TBD
X-Ref: OP5, OP6

2 - Detection means (monitoring systems or operators)
At global level, completeness of delivery process can be verified by GNCC.
At user level, receiver can advise in case of inability to process with the next decoding key.
TBD

3 - Corrective action and GALILEO system resulting condition
For key management, in degraded mode, system may implement an unencrypted mode as fallback mode
X-Ref: Rrm3

Severity Classification
Severe (TBD)

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)
Ref: Rrm3. Description: For key management, in degraded mode, system may implement an unencrypted mode as fallback mode.

Galileo system level Failure Condition
Ref: FC5/FC3 (Tbd)
Title: Undetected + world wide loss or degradation of the service with long term restoration / Detected + world wide loss or degradation of the service with long term restoration


FUNCTION: Deliver access management messages [GSF5]
FUNCTIONAL FAILURE: Misleading dispatching or scheduling of protection keys. [GSF5B]
SCENARIO: GNCF misbehaviour [GSF5B1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation
Supposed risk of interruption of related services for categories of users.
X-Ref: OP4, OP5, OP6

2 - Detection means (monitoring systems or operators)
TBD

3 - Corrective action and GALILEO system resulting condition
If system (TBD) has capability to detect abnormal dispatching or processing of key management, it could deactivate encryption.
X-Ref: Rrm3

Severity Classification
TBD

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)
Ref: Rrm3. Description: For key management, in degraded mode, system may implement an unencrypted mode as fallback mode.

Galileo system level Failure Condition
Ref: FC5 (Tbd)
Title: Undetected + world wide loss or degradation of the service with long term restoration (tbd)


FUNCTION: Monitor navigation global services [GSF6]

FUNCTIONAL FAILURE: Loss of capability for monitoring global services. [GSF6A]

SCENARIO: GNCF failure. [GSF6A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation

Strategy for connected/autonomous modes sharing. Monitoring and configuration strategy of GAN. TBD

X-Ref: OP2

2 - Detection means (monitoring systems or operators)

3 - Corrective action and GALILEO system resulting condition

Severity Classification

TBD

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)

Ref:

Description:

Galileo system level Failure Condition

Ref:

Title:


FUNCTION: Monitor navigation global services [GSF6]

FUNCTIONAL FAILURE: Misleading monitoring of global services. [GSF6B]

SCENARIO: GNCF misbehaviour. [GSF6B1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation

Strategy for connected/autonomous modes sharing. TBD

2 - Detection means (monitoring systems or operators)

3 - Corrective action and GALILEO system resulting condition

Severity Classification

TBD

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)

Ref:

Description:

Galileo system level Failure Condition

Ref:

Title:


FUNCTION: Collect regionally raw data for SIS integrity [RSF1]

FUNCTIONAL FAILURE: Loss of capability to provide raw data for SIS integrity [RSF1A]

SCENARIO: All RMF in several stations fail to provide intended data [RSF1A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation

Failure can come from common cause/mode failure. RIPF/RCPF do not receive intended data. Inability to compute valid integrity information for several satellites. If no sufficient active satellites remain in view, integrity monitoring service is discontinued for a number of users. No effect on non integrity added services.

2 - Detection means (monitoring systems or operators)

Immediate detection at RNCC.

3 - Corrective action and GALILEO system resulting condition

If RMS network has sufficient redundancy, other stations can fully back up the failed ones. Recovery actions can be initiated to recover the nominal operating state.

X-Ref: Rrq23

Severity Classification

Major (Minor if Rrq24 applied)

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)

Ref: Rrq 23, Rrq 24

Description:

Detection and reporting of any RMS failure at regional maintenance entity level shall be performed to allow recovery actions in order that the unavailability of the services is less than TBD hours.

No common cause/common mode not shown extremely improbable shall lead to simultaneous failure on several RMS.

Galileo system level Failure Condition

Ref: FC4

Title: Detected + restricted loss or degradation of the service with long term restoration (if Rrq23 : FC2)


FUNCTION: Collect regionally raw data for SIS integrity [RSF1]

FUNCTIONAL FAILURE: Undetected erroneous raw data for SIS integrity [RSF1B]

SCENARIO: RMF in one or some stations transmit data related to an undue degradation of SIS [RSF1B1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation

RIPF/RCPF can be misled and detect undue regional degradation of navigation SIS for several or more satellites (false alarm).

RIPF/RCPF will alert with the integrity flag, which does not reflect current performance for these satellites. If safety user terminal has sufficient remaining active satellites in view, position can be computed with guaranteed integrity performance. If no sufficient active satellites in view, integrity monitoring service is discontinued for a number of users. Possible outage with irreversible impact on user activities.

2 - Detection means (monitoring systems or operators)

No detection means (TBD)

3 - Corrective action and GALILEO system resulting condition

No corrective action

Severity Classification

Major

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)

Ref:

Description:

Galileo system level Failure Condition

Ref: FC6

Title: Undetected + restricted loss or degradation of the service with long term restoration


FUNCTION: Collect regionally raw data for SIS integrity [RSF1]

FUNCTIONAL FAILURE: Undetected erroneous raw data for SIS integrity [RSF1B]

SCENARIO: RMF in one or some stations transmit data that do not reflect a real degradation of SIS (double failure). [RSF1B2]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation

RIPF/RCPF can be misled and not detect degradation of SIS performance. RIPF/RCPF will transmit a normal integrity message not reflecting the real degradation of navigation SIS for these satellites. If safety user terminal has sufficient remaining active satellites in view to compute a valid RAIM solution rejecting this erroneous information, position can be computed with guaranteed integrity performance. In all other cases, users receive misleading navigation information. Loss of integrity of service for several users.

Combination of RIPF integrity data and GIPF integrity data to be precise

X-Ref: Rop22

2 - Detection means (monitoring systems or operators)

User terminal RAIM function.

3 - Corrective action and GALILEO system resulting condition

TBD

Severity Classification

Major

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)

Ref: Rop22

Description: Combination of RIPF integrity data and GIPF integrity data to be precise

Galileo system level Failure Condition

Ref: FC6

Title: Undetected + restricted loss or degradation of the service with long term restoration


FUNCTION: Build regionally integrity data from position/time parameters [RSF2]

FUNCTIONAL FAILURE: Loss of capability to compute integrity data [RSF2A]

SCENARIO: RIPF/RCPF failed [RSF2A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation

Integrity monitoring service is discontinued for all users in the region.

X-Ref: OP10

2 - Detection means (monitoring systems or operators)

Detection at RNCC level (tbd). Detection and reporting of any RIPF/RCPF failure shall be performed at regional maintenance entity level.

X-Ref: Rrq25

3 - Corrective action and GALILEO system resulting condition

Recovery actions shall be initiated upon detection of RIPF/RCPF failure to reduce the unavailability time for integrity added services.

X-Ref: Rrq26, Rrm6

Severity Classification

Major (Minor if Rrq25+26 applied)

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)

Ref: Rrq 25, Rrq 26, Rrq 27, Rop20, Rop21

Description:

Detection and reporting of any RIPF/RCPF failure shall be performed at regional maintenance entity level.

Recovery actions shall be initiated upon detection of RIPF/RCPF failure to reduce the unavailability time for regional integrity added services.

No common cause/common mode not shown extremely improbable should lead to simultaneous failure on several RIPF/RCPF.

What is the element which can flag the GIPF/GCPF failure (as the GIPF/GCPF are responsible for the monitoring integrity data)?

What redundancy can be considered between GIPF/GCPF and RIPF/RCPF?

Galileo system level Failure Condition

Ref: FC4

Title: Detected + restricted loss or degradation of the service with long term restoration (if Rrq25/26 : FC1)


FUNCTION: Build regionally integrity data from position/time parameters [RSF2]

FUNCTIONAL FAILURE: Undetected erroneous computation of integrity data [RSF2B]

SCENARIO: RIPF/RCPF compute data related to an undue degradation of SIS. [RSF2B1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation

Erroneous SIS integrity data for several satellites is broadcast to all users of regional service. If safety user terminal has sufficient remaining active satellites in view, position can be computed with guaranteed integrity performance. If no sufficient active satellites in view, integrity monitoring service is discontinued for a number of users.

X-Ref: OP10

2 - Detection means (monitoring systems or operators)

No detection means.

3 - Corrective action and GALILEO system resulting condition

No corrective action.

Severity Classification

Major (no RAM effect if Rrq28 applied)

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)

Ref: Rrq 28

Description: GALILEO regional component shall be designed in order that false alarm due to erroneous integrity monitoring data computation or alarm limit tuning does not lead to unacceptable unavailability level for regional integrity added services.

Galileo system level Failure Condition

Ref: FC6

Title: Undetected + world wide loss or degradation of the service with long term restoration (if Rrq28 : no effect (tbc))


FUNCTION: Build regionally integrity data from position/time parameters [RSF2]

FUNCTIONAL FAILURE: Undetected erroneous computation of integrity data [RSF2B]

SCENARIO: RIPF/RCPF compute data that do not reflect a degradation of SIS (double failure). [RSF2B2]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation

RIPF/RCPF will compute a normal integrity message not reflecting the real degradation of navigation SIS for these satellites.

If safety user terminal has sufficient remaining active satellites in view to compute a valid RAIM solution rejecting this erroneous information, position can be computed with guaranteed integrity performance. In all other cases, users receive misleading navigation information. Loss of integrity of service for several users. From the RAM and project risk point of view, this scenario, when detected afterwards by users, could seriously impact the GALILEO system program even if the nominal state has been recovered. For the integrity added services, it corresponds to an unavailability time during the degraded states.

X-Ref: OP10

2 - Detection means (monitoring systems or operators)

User terminal RAIM function. Integrity information provided by global system.

3 - Corrective action and GALILEO system resulting condition

tbd

Severity Classification

Major

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)

Ref: Rrq 29

Description: Probability that multiple failures at RIPF/RCPF level leading to integrity event and unavailability of the integrity added service shall be less than extremely improbable.

Galileo system level Failure Condition

Ref: FC6

Title: Undetected + restricted loss or degradation of the service with long term restoration


FUNCTION: Transmit regional overlay integrity message [RSF3]

FUNCTIONAL FAILURE: Reduction of capability to transmit regional overlay integrity message. [RSF3A]

SCENARIO: One or some RUI failed [RSF3A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation

Service is supposed to be discontinued for several users of services with regional integrity function.

Possible several RUI failure due to common cause/mode event.

X-Ref: OP9, OP10

2 - Detection means (monitoring systems or operators)

RNCF has information of RUI failure.

3 - Corrective action and GALILEO system resulting condition

Detection and reporting of any RUI failure at regional maintenance entity shall be performed to allow recovery actions in order that the unavailability of the services is less than TBD hours.

X-Ref: Rrq

Severity Classification

Major (Minor if Rrq30 applied)

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)

Ref: Rrq 30, Rrq 31, Rrq 32, Rrm 6

Description:

Detection and reporting of any RUI failure at regional maintenance entity shall be performed to allow recovery actions in order that the unavailability of the services is less than TBD hours.

No common cause/common mode not shown extremely improbable shall lead to simultaneous failure on several RUI.

For availability purpose, the integrity regional service shall be robust against one ULS site failure.

The opportunity that a RUI failure leads to interrupt all the connected links between ULS and satellites has to be considered. It allows in that case to restore the links with another ULS.

Galileo system level Failure Condition

Ref: FC4 (tbd)

Title: Detected + restricted loss or degradation of the service with long term restoration (if Rrq30 : FC2)


FUNCTION: Transmit regional overlay integrity message [RSF3]

FUNCTIONAL FAILURE: Undetected corruption in transmission of regional overlay integrity message. [RSF3B]

SCENARIO: RUI misbehaviour. [RSF3B1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation

Message passing through RUI may experience corruption of data or error in dispatch. Situation can result in some satellites to revert in autonomous mode or transmit misleading integrity messages. Service can be discontinued for a number of users of services with integrity function. TBD

X-Ref: OP2, OP9

2 - Detection means (monitoring systems or operators)

3 - Corrective action and GALILEO system resulting condition

Severity Classification

Major (TBC)

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)

Ref:

Description:

Galileo system level Failure Condition

Ref: FC6

Title: Undetected + restricted loss or degradation of the service with long term restoration (tbc)


FUNCTION: Deliver access management messages [RSF4]

FUNCTIONAL FAILURE: Loss of capability in dispatching and scheduling protection keys. [RSF4A]

SCENARIO: RNCF failure [RSF4A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation

Renewal of encoding and decoding keys will be partially completed or not performed. Risk of interruption of related services for a number of users. TBD

X-Ref: OP4

2 - Detection means (monitoring systems or operators)

3 - Corrective action and GALILEO system resulting condition

Severity Classification

Major (TBC)

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)

Ref:

Description:

Galileo system level Failure Condition

Ref: FC6

Title: Undetected + restricted loss or degradation of the service with long term restoration (tbc)


FUNCTION: Deliver access management messages [RSF4]

FUNCTIONAL FAILURE: Misleading dispatching or scheduling of protection keys. [RSF4B]

SCENARIO: RNCF misbehaviour [RSF4B1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation

Supposed risk of interruption of related services for categories of users. TBD

X-Ref: OP4, OP5, OP6

2 - Detection means (monitoring systems or operators)

3 - Corrective action and GALILEO system resulting condition

X-Ref: Rrm3

Severity Classification

Major (TBC)

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)

Ref: Rrm3

Description: For key management, in degraded mode, system may implement an unencrypted mode as fallback mode.

Galileo system level Failure Condition

Ref: FC6

Title: Undetected + restricted loss or degradation of the service with long term restoration (tbc)


FUNCTION: Monitor regional overlay services [RSF5]

FUNCTIONAL FAILURE: Loss of capability for monitoring regional services. [RSF5A]

SCENARIO: RNCF failure. [RSF5A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation

Assessment pending refined definition of RNCF functions TBD

2 - Detection means (monitoring systems or operators)

3 - Corrective action and GALILEO system resulting condition

Severity Classification

TBD

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)

Ref:

Description:

Galileo system level Failure Condition

Ref: FC7 (tbd)

Title: Loss or degradation of monitoring function (tbd)


FUNCTION: Transmit SAR centre message to constellation [CSF1]

FUNCTIONAL FAILURE: Inability to transmit SAR acknowledgement message [CSF1A]

SCENARIO: SUI failure [CSF1A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation

Assessment pending refined definition of SAR message path (SUI).

X-Ref: OP11

2 - Detection means (monitoring systems or operators)

3 - Corrective action and GALILEO system resulting condition

Severity Classification

TBD

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ras)

Ref: Rrq32, Rrm 7

Description:

For availability purpose, the integrity regional service shall be robust against one ULS site failure.

The opportunity that a SUI failure leads to interrupt all the connected links between ULS and satellites has to be considered. It allows in that case to restore the links with another ULS.

Galileo system level Failure Condition

Ref: tbd

Title: tbd


FUNCTION: Build and transmit service access messages. [KSF1]

FUNCTIONAL FAILURE: Loss of capability to build or transmit coding keys. [KSF1A]

SCENARIO: KMF failed. [KSF1A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation

Assessment pending refined definition of key management process.

X-Ref: OP5, OP6

2 - Detection means (monitoring systems or operators)

KMF is monitored by (tbd)

3 - Corrective action and GALILEO system resulting condition

Without KMF, the strategy must keep operational facilities (processing GALILEO products) working together. For instance, if KMF is inoperative, Galileo system can be reverted to unencrypted mode of operation.

X-Ref: OP4, Rrm3

Severity Classification

TBD

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)

Ref: Rrm5, Rrm 8

Description:

For key management, in degraded mode system may implement an unencrypted mode as fallback.

The KMF monitoring data should be transmitted to a higher level monitoring (for a global and coherent view of GALILEO system).

Galileo system level Failure Condition

Ref: FC3

Title: Detected + world wide loss or degradation of the service with long term restoration (tbd)


FUNCTION: Build and transmit service access messages. [KSF1]

FUNCTIONAL FAILURE: Undetected error in set of coding keys. [KSF1B]

SCENARIO: KMF misbehaviour. [KSF1B1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation

Assessment pending refined definition of key management process.

X-Ref: OP5, OP6

2 - Detection means (monitoring systems or operators)

No detection for a misleading KMF transmission.

3 - Corrective action and GALILEO system resulting condition

KMF misbehaviour must be similar to a KMF failure; the strategy must keep operational facilities (processing GALILEO products) working together (how to detect a KMF error in order to avoid the unavailability of all user terminals?).

X-Ref: OP4

Severity Classification

Severe

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)

Ref: Rrm3

Description: For key management, in degraded mode system may implement an unencrypted mode as fallback.

Galileo system level Failure Condition

Ref: FC5 (tbd)

Title: Undetected + world wide loss or degradation of the service with long term restoration (tbd)


FUNCTION: Establish links between space segment ground elements [XF1]

FUNCTIONAL FAILURE: Interruption of links between ground elements of space segment [XF1A]

SCENARIO: CAN failure [XF1A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation

Transmissions between space segment ground elements are not impaired. For several ULS and satellites, neither control nor monitoring is available. Navigation data in several autonomous satellites can be not updated (beam scheduling is a SCF function). Degradation of service performance for most of users. After some time, some ULS waiting for control messages can revert in standby mode (tbc). ULS capability to maintain link with connected satellites can be seriously degraded. Service becomes unavailable for most of users.

X-Ref: OP7, OP18

2 - Detection means (monitoring systems or operators)

The CAN is monitored by the SCF.

3 - Corrective action and GALILEO system resulting condition

The CAN is a monitoring network and its failure must be without immediate impact on the services (the frequency for satellite house-keeping operation is more than 1 monitoring per day and 1 orbit/attitude correction per year). Without SCC, the strategy must keep ULS working with satellites (both in connected and autonomous modes) and GNCC. The TM/TC link between satellites and ULS must not be broken.

X-Ref: Rrq33

Severity Classification

Major (minor if Rrq33 applied)

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)

Ref: Rrq 33, Rrm 9

Description:

CAN shall be non-real-time network: its failure shall be without immediate effect on operational service. Recovery time of a CAN failure shall be less than time leading to unacceptable service degradation.

The ground elements of the space segment are monitored by SCF. These monitoring data should be reported to a higher level monitoring (for a global and coherent view of GALILEO system).

Galileo system level Failure Condition

Ref: FC1

Title: Detected + world wide loss or degradation of the service with restoration in limited time (if Rrq33 : FC7)


FUNCTION: Establish links between space segment ground elements [XF1]

FUNCTIONAL FAILURE: Transmissions are corrupted between ground elements of space segment [XF1B]

SCENARIO: CAN erratic behaviour: error in dispatch, in scheduling, in message. [XF1B1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation

Several ULS receiving unexpected control messages can be placed in standby mode. ULS network capability to maintain link with connected satellites can be seriously degraded. Service is possibly unavailable for most of users of integrity added service. Navigation data in several autonomous satellites can be corrupted. Degradation of service performance for most of users. After some time, service is possibly unavailable for most of users.

X-Ref: OP3, OP7

2 - Detection means (monitoring systems or operators)

The control / command process of the SCF to check that ULS are in the right mode.

3 - Corrective action and GALILEO system resulting condition

Even if the CAN is a non-real-time network, the SCF must check periodically the state of all the ground elements of the space segment.

X-Ref: Rrq34

Severity Classification

Severe (Minor if Rrq33/34 applied)

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)

Ref: Rrq 34, Rrq33

Description:

After a control command message sent by SCF to a ground element, the new status / mode of this element must be checked.

CAN shall be non-real-time network: its failure shall be without immediate effect on operational service. Recovery time of a CAN failure shall be less than time leading to unacceptable service degradation.

Galileo system level Failure Condition

Ref: FC5

Title: Undetected + world wide loss or degradation of the service with long term restoration (if Rrq34/33 : FC7)


FUNCTION: Establish links between ground segment global components [XF2]

FUNCTIONAL FAILURE: Interruption of links between global elements of ground segment [XF2A]

SCENARIO: GAN failure [XF2A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation

Between GMS and GNCC: Effect same as GSF1A1 (GMF failure).

Between GNCC and ULS: Immediate reversion of connected satellites in autonomous mode (disconnection). Service is unavailable for all users of integrity added service. Navigation data in autonomous satellites is not updated: service without integrity is available up to 7 hrs (Tbc). After 7 hrs, degradation of service performance for users (up to 24 hrs Tbc). After such a time, service is unavailable for all users.

X-Ref: Rrm10

2 - Detection means (monitoring systems or operators)

The GAN is monitored by the GNCF.

3 - Corrective action and GALILEO system resulting condition

Redundancy of the network components to allow more than one way of success + avoid common mode of failure.

X-Ref: Rrq35

Severity Classification

Severe (Major if Rrq35 applied)

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)

Ref: Rrq 35, Rrm 10

Description:

No single failure, error, external event not shown extremely improbable shall lead to a loss of transmission chain between GNCF and ULS.

If the link between GNCC and ULS is broken, the ULS should ask its connected satellites for a disconnection (which switch in autonomous mode).

Galileo system level Failure Condition

Ref: FC3

Title: Detected + world wide loss or degradation of the service with long term restoration (if Rrq35 : FC1)


FUNCTION: Establish links between ground segment global components [XF2]

FUNCTIONAL FAILURE: Transmissions are corrupted between global elements of ground segment [XF2B]

SCENARIO: GAN erratic behaviour: error in dispatch, in scheduling, in message. [XF2B1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation

If the value error is detected or if it is a time error (too late = no message), effect is same as above: XF2A1.

Between GMS and GNCC: Corrupted transmission will not be detected by the integrity monitoring service (GIPF/GCPF). Users receive misleading integrity information. Compared with the following one, this event has a very low probability of occurrence.

Between GNCC and ULS: If corrupted transmission is misleading, users receive misleading integrity information. If this information does not reflect a real degradation of SIS, service is unavailable for a number of users with RAIM like capability receivers. If a receiver experiences an unsuccessful RAIM check, several users can receive misleading navigation information (multiple failure).

2 - Detection means (monitoring systems or operators)

No detection for a misleading transmission between GNCC and ULS.

3 - Corrective action and GALILEO system resulting condition

No corrective action

X-Ref: Rrq36

Severity Classification

Severe (major if Rrq36 applied)

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)

Ref: Rrq 36

Description: Transmission chain between GNCF and ULS must be protected from any single cause of undetected corruption of transmission.

Galileo system level Failure Condition

Ref: FC5

Title: Undetected + world wide loss or degradation of the service with long term restoration (if Rrq36 : FC1)


FUNCTION: Establish links between ground segment regional components [XF3]

FUNCTIONAL FAILURE: Interruption of links between regional elements of ground segment [XF3A]

SCENARIO: RAN failure [XF3A1]

Description of repercussions:

1 - Effect on the GALILEO services and on the operation

Links between RNCC and RMS and/or between RNCC and ULS (RUI) are broken. Service is unavailable for all users of regional integrity added service (integrity channel unavailable).

X-Ref: OP10

2 - Detection means (monitoring systems or operators)

The RAN is monitored by the RNCF. In this case, RNCF will probably not be able to transmit this view to a higher level monitoring.

X-Ref: Rrm11

3 - Corrective action and GALILEO system resulting condition

Redundancy of the network components to allow more than one way of success.

X-Ref: Rrq37

Severity Classification

Major (Minor if Rrq37 applied)

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)

Ref: Rrq 37, Rrm 11

Description:

No single failure, error, external event not shown extremely improbable shall lead to a loss of transmission chain between RNCC and ULS (IF is built in RNCC).

The regional elements are monitored by RNCF. These monitoring data should be transmitted to a higher level monitoring (for a global and coherent view of GALILEO system), using the GAN.

Galileo system level Failure Condition

Ref: FC4

Title: Detected + restricted loss or degradation of the service with long term restoration (if Rrq37 : FC2)


FUNCTION: Establish links between ground segment regional elements XF3
FUNCTIONAL FAILURE: Transmissions are corrupted between regional elements of ground segment XF3B

SCENARIO: RAN erratic behaviour: error in dispatch, in scheduling, in message. XF3B1

Description of repercussions (X-Ref):

1 - Effect on the GALILEO services and on the operation

If the value error is detected or if it is a time error (too late = no message), effect is same as above: XF3A1.

Between RNCC and RMS:
Corrupted transmission will be detected by the integrity monitoring service (RIPF/RCPF). IF is flagged as being faulty (“Don’t use”).

Between RNCC and ULS:
If corrupted transmission is misleading, users receive misleading regional integrity information.
If this information does not reflect a real degradation of SIS, service is unavailable for a number of users with RAIM-like capability receivers.
If receivers experience an unsuccessful RAIM check, several users can receive misleading navigation information (multiple failure).
X-Ref: OP10

2 - Detection means (monitoring systems or operators)

No detection for a misleading transmission between RNCC and ULS.

3 - Corrective action and GALILEO system resulting condition

tbd

Severity Classification: Major

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)

Ref: Rrm 12
Description: Transmission chain between RNCC and ULS may be protected from any single cause of undetected corruption of transmission (IF is built in RNCC).

Galileo system level Failure Condition

Ref: FC6
Title: Undetected + restricted loss or degradation of the service with long term restoration


FUNCTION: Process SIS and display position USF1
FUNCTIONAL FAILURE: Inability to display position from SIS USF1A

SCENARIO: Terminal failure USF1A1

Description of repercussions (X-Ref):

1 - Effect on the GALILEO services and on the operation

The application user is supposed to have envisaged this event and have implemented appropriate operational solution. Dependent on terminal manufacturing design or user system design.

Service is unavailable for the application user.

If the failure results from a design error (common cause), it can have an impact on a category of users at the same time.

Service can be unavailable for several users.
X-Ref: OP12

2 - Detection means (monitoring systems or operators)

No detection means.
X-Ref: Rrm13

3 - Corrective action and GALILEO system resulting condition

No corrective action

Severity Classification: TBD

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)

Ref: Rrm 13
Description: The terminal HMI could have quality indicators of the SIS reception, helping the user to diagnose terminal failure (from SIS discontinuity). In order to discriminate terminal failures from insufficient SIS information (terminal external causes), for instance the two indicators could be: SIS/no SIS and Solution/no Solution.

Ref: Rrm 14
Description: For a user, the availability of a service includes the terminal availability. This availability requirement shall be budgeted. In case of RAM contractual commitments, the SIS availability (measurable) will be distinguished from the terminal one (dependent on operating conditions).

Ref: Rrm 15
Description: Users have to be warned of all operating conditions within their responsibility which could impair nominal functioning of the terminal: environment parameters, antenna position, user system interference, multipath, key validation/activation, etc. (TBD).

Galileo system level Failure Condition

Ref: FC6
Title: Undetected + restricted loss or degradation of the service with long term restoration


FUNCTION: Process SIS and display position USF1
FUNCTIONAL FAILURE: Erroneous position displayed USF1B

SCENARIO: Terminal misbehaviour USF1B1

Description of repercussions (X-Ref):

1 - Effect on the GALILEO services and on the operation

The application user is supposed to have envisaged this event and have implemented appropriate operational solution. Dependent on terminal manufacturing design or user system design.

Service is misleading for the application user (SIS is available with the Integrity Flag flagged as “OK”).

If the failure results from a design error (common cause), it can have an impact on a category of users at the same time.

Service can be misleading for several users.
X-Ref: OP12

2 - Detection means (monitoring systems or operators)

No detection means

3 - Corrective action and GALILEO system resulting condition

No corrective action

Severity Classification: TBD

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)

Ref: Rrm15
Description: Users have to be warned of all operating conditions within their responsibility which could impair nominal functioning of the terminal: environment parameters, antenna position, user system interference, multipath, key validation/activation, etc. (TBD).

Galileo system level Failure Condition

Ref: FC6
Title: Undetected + restricted loss or degradation of the service with long term restoration


FUNCTION: Inform user on level of confidence of computed position USF2
FUNCTIONAL FAILURE: Inability to inform user on level of confidence of computed position USF2A

SCENARIO: Terminal failure USF2A1

Description of repercussions (X-Ref):

1 - Effect on the GALILEO services and on the operation

The application user is supposed to have envisaged this event and have implemented appropriate operational solution. Dependent on terminal manufacturing design or user system design.

Integrity added service is unavailable for the application user (loss of integrity monitoring service).
Service without integrity is available for the application user.

If the failure results from a design error (common cause), it can have an impact on a category of users at the same time.

Integrity added service can be unavailable for several users.
X-Ref: OP12

2 - Detection means (monitoring systems or operators)

No detection means

3 - Corrective action and GALILEO system resulting condition

No corrective action
X-Ref: Rrm16

Severity Classification: TBD

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)

Ref: Rrm 16
Description: User terminal of integrity added service has to implement means to give a comprehensive and convenient information on confidence margin of the computed position with regard to the alarm levels set by user. It has also to give a projection of this information for the immediate future of user's application.

Galileo system level Failure Condition

Ref: FC6
Title: Undetected + restricted loss or degradation of the service with long term restoration


FUNCTION: Inform user on level of confidence of computed position USF2
FUNCTIONAL FAILURE: Erroneous information on level of confidence of computed position USF2B

SCENARIO: Terminal misbehaviour USF2B1

Description of repercussions (X-Ref):

1 - Effect on the GALILEO services and on the operation

The application user is supposed to have envisaged this event and have implemented appropriate operational solution. Dependent on terminal manufacturing design or user system design.

Service without integrity is available for the application user.

Two cases for integrity added service:
• Service is misleading for the application user without a satisfactory level of confidence.
• Service is unavailable (SIS is available but the Integrity Flag is misinterpreted as “Don’t use”); the position isn’t displayed.

If the failure results from a design error (common cause), it can have an impact on a category of users at the same time.

Service can be misleading for several users.

2 - Detection means (monitoring systems or operators)

No detection means

3 - Corrective action and GALILEO system resulting condition

No corrective action

Severity Classification: TBD

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)

Ref: Rrm15
Description: Users have to be warned of all operating conditions within their responsibility which could impair nominal functioning of the terminal: environment parameters, antenna position, user system interference, multipath, key validation/activation, etc. (TBD)

Ref: Rrm 17
Description: Regarding the user application, the concept design of the terminal could be different. For a Mass Market terminal, the position will be always displayed, even if the level of confidence is unsatisfactory (availability concept). For a Safety of Life application, in doubt no position will be displayed (safety concept) (tbc).

Galileo system level Failure Condition

Ref: FC6
Title: Undetected + restricted loss or degradation of the service with long term restoration


FUNCTION: Broadcast SAR user signal USF3
FUNCTIONAL FAILURE: Unable to broadcast SAR signal USF3A

SCENARIO: Terminal failure USF3A1

Description of repercussions (X-Ref):

1 - Effect on the GALILEO services and on the operation

User terminal does not provide intended service. (tbd)
X-Ref: Rop23

2 - Detection means (monitoring systems or operators)

No direct detection means.
The application user will desperately wait for the SAR acknowledgement.
X-Ref: Rrm18

3 - Corrective action and GALILEO system resulting condition

No corrective action

Severity Classification: Tbd

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)

Ref: Rop23
Description: RAM user needs have to be defined for the SAR service (allocation on the SMCC, on the ULS, on the terminal).

Ref: Rrm 18
Description: The terminal should be able to display that the SAR signal had been sent. This sending acknowledgement could impact the survival choice of the user.

Galileo system level Failure Condition

Ref: tbd
Title: tbd


FUNCTION: Broadcast SAR user signal USF3
FUNCTIONAL FAILURE: Inopportune SAR signal broadcasting USF3B

SCENARIO: Terminal misbehaviour USF3B1

Description of repercussions (X-Ref):

1 - Effect on the GALILEO services and on the operation

A false alarm is transmitted to rescue centre.
Rescue centre efficiency could be impaired by false alarms overcrowding.
Tbd

2 - Detection means (monitoring systems or operators)

No detection means

3 - Corrective action and GALILEO system resulting condition

Strategy in the SMCC (+ MEO LUT) to face an alarms overcrowding (filter)

Severity Classification: TBD

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)

Ref: Rop23
Description: RAM user needs have to be defined for the SAR service (allocation on the SMCC, on the ULS, on the terminal).

Ref: Rrm 19
Description: A strategy should be defined for the SMCC (MEO LUT ?) in case of overcrowding SAR signal.

Galileo system level Failure Condition

Ref: tbd
Title: tbd


FUNCTION: Receive SAR centre message. USF4
FUNCTIONAL FAILURE: Inability to receive SAR acknowledgement message. USF4A

SCENARIO: Terminal failure USF4A1

Description of repercussions (X-Ref):

1 - Effect on the GALILEO services and on the operation

Function implemented to improve efficiency of alert service.
The application user will repeatedly send a new SAR message.
No additional risk for life is foreseen from failure or misbehaviour of this function.

2 - Detection means (monitoring systems or operators)

No detection means

3 - Corrective action and GALILEO system resulting condition

No corrective action

Severity Classification: tbd

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)

Ref:
Description:

Galileo system level Failure Condition

Ref: tbd
Title: tbd


FUNCTION: Receive access management information. USF5
FUNCTIONAL FAILURE: Loss of capability to receive (or erroneous reception of) access management message. USF5A

SCENARIO: Encryption module or terminal HMI failure. USF5A1

Description of repercussions (X-Ref):

1 - Effect on the GALILEO services and on the operation

Assessment pending refined definition of key management process.
Service (if using encryption process) could be unavailable for the application user.

2 - Detection means (monitoring systems or operators)

No detection means

3 - Corrective action and GALILEO system resulting condition

Tbd

Severity Classification: Tbd

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)

Ref: Rrq 38
Description: The availability / reliability performances of the encryption module shall not degrade significantly the terminal ones.

Galileo system level Failure Condition

Ref: tbd
Title: tbd


FUNCTION: Collect raw data for position/time parameters of the other navigation system DSF1
FUNCTIONAL FAILURE: Other navigation system raw data incomplete or missing. DSF1A

SCENARIO: Other navigation system failed. DSF1A1

Description of repercussions (X-Ref):

1 - Effect on the GALILEO services and on the operation

Integrity information computed by integrity monitoring network for this navigation system reflects immediately the failure.

Service is unavailable for users of combined integrity added service.

2 - Detection means (monitoring systems or operators)

For integrity added service, Integrity Flag is flagged as being faulty.

3 - Corrective action and GALILEO system resulting condition

No corrective action

Severity Classification: Tbd

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)

Ref:
Description:

Galileo system level Failure Condition

Ref: tbd
Title: tbd


FUNCTION: Collect raw data for position/time parameters of the other navigation system DSF1
FUNCTIONAL FAILURE: Other navigation system raw data misleading. DSF1B

SCENARIO: Other navigation system misbehaviour. DSF1B1

Description of repercussions (X-Ref):

1 - Effect on the GALILEO services and on the operation

If integrity information computed by integrity monitoring network for this navigation system detects immediately the failure, this scenario is similar to DSF1A1 and service is unavailable for users of combined integrity added service.

If not, this is a case of hidden failure where GALILEO system is not able to deliver a correct integrity information. This misleading information is due to an external failure and isn’t compliant with the state of the other navigation system.
X-Ref: OP14

2 - Detection means (monitoring systems or operators)

No detection means.

3 - Corrective action and GALILEO system resulting condition

No corrective action

Severity Classification: Tbd

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)

Ref:
Description:

Galileo system level Failure Condition

Ref: tbd
Title: tbd


FUNCTION: Build other navigation system integrity data DSF2
FUNCTIONAL FAILURE: Other navigation system raw data misleading DSF2A

SCENARIO: Discrepancies with reference models of other navigation system DSF2A1

Description of repercussions (X-Ref):

1 - Effect on the GALILEO services and on the operation

Beside “other navigation system raw data misleading” (DSF1), the capability of GALILEO system to build integrity information for other navigation system could be impaired by some discrepancies issued from different use of reference models (time reference, terrestrial frame reference, kinematic parameters).

2 - Detection means (monitoring systems or operators)

Tbd

3 - Corrective action and GALILEO system resulting condition

Tbd

Severity Classification: Tbd

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)

Ref:
Description:

Galileo system level Failure Condition

Ref: tbd
Title: tbd


FUNCTION: Interface with external time reference DSF3
FUNCTIONAL FAILURE: Tbd DSF3A

SCENARIO: Tbd DSF3A1

Description of repercussions (X-Ref):

1 - Effect on the GALILEO services and on the operation

Note:
GALILEO system time shall track TAI/UTC. This point is not encompassed by the GALA studies.
The way this reference will be distributed and used has a direct contribution to the service availability: it will have to be analysed from a RAM point of view.
X-Ref: Rrq39

2 - Detection means (monitoring systems or operators)

Tbd

3 - Corrective action and GALILEO system resulting condition

Tbd

Severity Classification: Tbd (Could be severe for Time applications)

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)

Ref: Rrq 39
Description: A RAM analysis shall be performed on time and geodetic references and the way they are used in GALILEO system.

Galileo system level Failure Condition

Ref: tbd
Title: tbd


FUNCTION: Interface with external geodetic reference system and reference frame DSF4
FUNCTIONAL FAILURE: Tbd DSF4A

SCENARIO: Tbd DSF4A1

Description of repercussions (X-Ref):

1 - Effect on the GALILEO services and on the operation

Note:
GALILEO reference frame shall be related with ITRF. This point isn’t encompassed by the GALA studies.
The way this reference will be distributed and used could have a direct contribution to the service availability: it will have to be analysed from a RAM point of view.
ITRF models for past movements of Earth will be extrapolated by GALILEO system.
X-Ref: Rrq39

2 - Detection means (monitoring systems or operators)

Tbd

3 - Corrective action and GALILEO system resulting condition

Tbd

Severity Classification: Tbd

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)

Ref: Rrq39
Description: A RAM analysis shall be performed on time and geodetic references and the way they are used in GALILEO system.

Galileo system level Failure Condition

Ref: tbd
Title: tbd


FUNCTION: Interface with external navigation system DSF5
FUNCTIONAL FAILURE: DSF5A

SCENARIO: DSF5A1

Description of repercussions (X-Ref):

1 - Effect on the GALILEO services and on the operation

Concern of DSF5 is to investigate consequences on GALILEO system of any inappropriate input from other navigation system (GPS, GLONASS, LORAN-C, …).

2 - Detection means (monitoring systems or operators)

3 - Corrective action and GALILEO system resulting condition

Severity Classification:

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)

Ref:
Description:

Galileo system level Failure Condition

Ref:
Title:


FUNCTION: Interface with customer / agent / service provider DSF6
FUNCTIONAL FAILURE: TBD DSF6A

SCENARIO: DSF6A1

Description of repercussions (X-Ref):

1 - Effect on the GALILEO services and on the operation

Concern of DSF6 is to investigate consequences on GALILEO system of any inappropriate input from customer, agent or service provider.

Note:
The structure and functions of GALILEO management and operating segment are currently under investigation.
As they will have a direct contribution to the service availability perceived by the customer (Key generation for instance), they will have to be analysed from a RAM point of view.
X-Ref: Rrq40

2 - Detection means (monitoring systems or operators)

3 - Corrective action and GALILEO system resulting condition

Severity Classification:

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)

Ref: Rrq 40
Description: A RAM analysis should be performed on the structure and functions of GALILEO management and operating segment (service centre, ...).

Galileo system level Failure Condition

Ref:
Title:


FUNCTION: Interface with SAR service DSF7
FUNCTIONAL FAILURE: DSF7A

SCENARIO: DSF7A1

Description of repercussions (X-Ref):

1 - Effect on the GALILEO services and on the operation

Concern of DSF7 is to investigate consequences on GALILEO system of any inappropriate input from elements of SAR service that are outside GALILEO system.

Could the SMCC degrade the SUI behaviour by inopportune transmission (overcrowding of SUI by SAR acknowledgement messages)?

2 - Detection means (monitoring systems or operators)

TBD

3 - Corrective action and GALILEO system resulting condition

TBD

Severity Classification:

RAM-Requirements (Rrq) / Recommendations (Rrm) / Assumptions (Ass)

Ref: Rrm 20
Description: Errors issued by a SUI misbehaviour should be confined: without consequences on the elaboration of the navigation message.

Galileo system level Failure Condition

Ref: tbd
Title: tbd


8.3 AVAILABILITY COMPUTATION TABLES

8.3.1 Input data

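| Unit Name | Unit MUT (Hours) | Unit MDT (Hours) | Unit unavailability (Probability) |
|---|---|---|---|
| ULS Site component | | | |
| ULF | 6 000 | 36 | 6,00E-03 |
| USF | 26 000 | 36 | 1,38E-03 |
| GUI | 26 000 | 36 | 1,38E-03 |
| RUI | 26 000 | 36 | 1,38E-03 |
| CUI | 26 000 | 36 | 1,38E-03 |
| SUI | 26 000 | 36 | 1,38E-03 |
| ULS LAN | 50 000 | 36 | 7,20E-04 |
| GNCC | | | |
| GNCF | 26 000 | 16 | 6,15E-04 |
| OSPF | 26 000 | 16 | 6,15E-04 |
| GIPF | 26 000 | 16 | 6,15E-04 |
| GCPF | 26 000 | 16 | 6,15E-04 |
| GNCC LAN | 50 000 | 16 | 3,20E-04 |
| GMS | | | |
| GMF | 26 000 | 36 | 1,38E-03 |
| GMS LAN | 50 000 | 36 | 7,20E-04 |
| RMS | | | |
| RMF | 26 000 | 36 | 1,38E-03 |
| RMS LAN | 50 000 | 36 | 7,20E-04 |
| RNCC | | | |
| RNCF | 26 000 | 16 | 6,15E-04 |
| RIPF | 26 000 | 16 | 6,15E-04 |
| RCPF | 26 000 | 16 | 6,15E-04 |
| RNCC LAN | 50 000 | 16 | 3,20E-04 |
| SCC | | | |
| SCF | 26 000 | 16 | 6,15E-04 |
| SCC LAN | 50 000 | 16 | 3,20E-04 |
| User Terminal | | | |
| User Terminal | 50 000 | 16 | 3,20E-04 |
| GALILEO MEO Constellation | | | 1,00E-02 |
| Network | | | |
| GAN | | | 2,00E-03 |
| CAN | | | 2,00E-03 |
| RAN | | | 2,00E-03 |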


8.3.2 Services without Integrity

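| Unit Name | Unit MUT (Hours) | λ (h-1) | Unit MDT (Hours) | μ (h-1) | Unit unavailability (Probability) | Redundancy | System Availability | weight |
|---|---|---|---|---|---|---|---|---|
| ULS Site component | | | | | | | | |
| ULF | 6 000 | 0,00016667 | 36 | 0 | 6,00E-03 | 1 out-of 1 | | |
| USF | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 1 out-of 1 | | |
| GUI | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 1 out-of 1 | | |
| RUI | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 1 out-of 1 | | |
| CUI | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 1 out-of 1 | | |
| ULS LAN | 50 000 | 0,00002 | 36 | 0 | 7,20E-04 | 1 out-of 1 | | |
| | | | | | 1,23E-02 | 2 out-of 3 | 1,56E-06 | 0,01% |
| GNCC | | | | | | | | |
| GNCF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| OSPF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| GNCC LAN | 50 000 | 0,00002 | 16 | 0 | 3,20E-04 | 1 out-of 1 | | |
| | | | | | 1,55E-03 | 1 out-of 1 | 1,55E-03 | 9,23% |
| GMS | | | | | | | | |
| GMF | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 1 out-of 3 | 2,65E-09 | |
| GMS LAN | 50 000 | 0,00002 | 36 | 0 | 7,20E-04 | 1 out-of 1 | | |
| | | | | | 7,20E-04 | 2 out-of 3 | 1,56E-06 | 0,01% |
| SCC | | | | | | | | |
| SCF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| SCC LAN | 50 000 | 0,00002 | 16 | 0 | 3,20E-04 | 1 out-of 1 | | |
| | | | | | 9,35E-04 | 1 out-of 1 | 9,35E-04 | 5,56% |
| User Terminal | | | | | | | | |
| User Terminal | 50 000 | 0,00002 | 16 | 0 | 3,20E-04 | 1 out-of 1 | 3,20E-04 | 1,90% |
| GALILEO MEO Constellation | | | | | 1,00E-02 | 1 out-of 1 | 1,00E-02 | 59,49% |
| Network | | | | | | | | |
| GAN | | | | | 2,00E-03 | 1 out-of 1 | 2,00E-03 | 11,90% |
| CAN | | | | | 2,00E-03 | 1 out-of 1 | 2,00E-03 | 11,90% |
| Service without integrity | | | | | | | 1,68E-02 | 100,00% |
| | | | | | | | 98,32% | |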


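8.3.3 Services with integrity – stand alone (global components)

| Unit Name | Unit MUT (Hours) | λ (h-1) | Unit MDT (Hours) | μ (h-1) | Unit unavailability (Probability) | Redundancy | System Availability | weight |
|---|---|---|---|---|---|---|---|---|
| ULS Site component | | | | | | | | |
| ULF | 6 000 | 0,00016667 | 36 | 0 | 6,00E-03 | 1 out-of 1 | | |
| USF | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 1 out-of 1 | | |
| GUI | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 1 out-of 1 | | |
| CUI | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 1 out-of 1 | | |
| ULS LAN | 50 000 | 0,00002 | 36 | 0 | 7,20E-04 | 1 out-of 1 | | |
| | | | | | 1,09E-02 | 2 out-of 3 | 3,56E-04 | 1,94% |
| GNCC | | | | | | | | |
| GNCF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| OSPF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| GIPF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| GCPF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| GNCC LAN | 50 000 | 0,00002 | 16 | 0 | 3,20E-04 | 1 out-of 1 | | |
| | | | | | 2,78E-03 | 1 out-of 1 | 2,78E-03 | 15,12% |
| GMS | | | | | | | | |
| GMF | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 2 out-of 3 | 5,75E-06 | |
| GMS LAN | 50 000 | 0,00002 | 36 | 0 | 7,20E-04 | 1 out-of 1 | | |
| | | | | | 7,26E-04 | 2 out-of 3 | 1,58E-06 | 0,01% |
| SCC | | | | | | | | |
| SCF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| SCC LAN | 50 000 | 0,00002 | 16 | 0 | 3,20E-04 | 1 out-of 1 | | |
| | | | | | 9,35E-04 | 1 out-of 1 | 9,35E-04 | 5,09% |
| User Terminal | | | | | | | | |
| User Terminal | 50 000 | 0,00002 | 16 | 0 | 3,20E-04 | 1 out-of 1 | 3,20E-04 | 1,74% |
| GALILEO MEO Constellation | | | | | 1,00E-02 | 1 out-of 1 | 1,00E-02 | 54,36% |
| Network | | | | | | | | |
| GAN | | | | | 2,00E-03 | 1 out-of 1 | 2,00E-03 | 10,87% |
| CAN | | | | | 2,00E-03 | 1 out-of 1 | 2,00E-03 | 10,87% |
| Service with integrity (stand-alone) | | | | | | | 1,84E-02 | 100,00% |
| | | | | | | | 98,16% | |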


8.3.4 Services with integrity (global + regional components)

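| Unit Name | Unit MUT (Hours) | λ (h-1) | Unit MDT (Hours) | μ (h-1) | Unit unavailability (Probability) | Redundancy | System Availability | weight |
|---|---|---|---|---|---|---|---|---|
| ULS Site component | | | | | | | | |
| ULF | 6 000 | 0,00016667 | 36 | 0 | 6,00E-03 | 1 out-of 1 | | |
| USF | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 1 out-of 1 | | |
| GUI | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 1 out-of 1 | | |
| RUI | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 1 out-of 1 | | |
| CUI | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 1 out-of 1 | | |
| ULS LAN | 50 000 | 0,00002 | 36 | 0 | 7,20E-04 | 1 out-of 1 | | |
| | | | | | 1,23E-02 | 2 out-of 3 | 4,53E-04 | 2,62% |
| GNCC | | | | | | | | |
| GNCF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| OSPF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| GNCC LAN | 50 000 | 0,00002 | 16 | 0 | 3,20E-04 | 1 out-of 1 | | |
| | | | | | 1,55E-03 | 1 out-of 1 | 1,55E-03 | 8,98% |
| GIPF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| GCPF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| | | | | | 1,23E-03 | 1 out-of 1 | 1,23E-03 | |
| RMS | | | | | | | | |
| RMF | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 2 out-of 3 | 5,75E-06 | |
| RMS LAN | 50 000 | 0,00002 | 36 | 0 | 7,20E-04 | 1 out-of 1 | | |
| | | | | | 7,26E-04 | 2 out-of 3 | 1,58E-06 | |
| RNCC | | | | | | | | |
| RNCF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| RIPF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| RCPF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| RNCC LAN | 50 000 | 0,00002 | 16 | 0 | 3,20E-04 | 1 out-of 1 | | |
| | | | | | 2,17E-03 | 1 out-of 1 | 2,17E-03 | |
| RMS + RNCC + RAN | | | | | | | 4,17E-03 | |
| Redundancy (GIPF+GCPF) // (RMS + RNCC + RAN) | | | | | | | 5,13E-06 | 0,03% |
| GMS | | | | | | | | |
| GMF | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 2 out-of 3 | 5,75E-06 | |
| GMS LAN | 50 000 | 0,00002 | 36 | 0 | 7,20E-04 | 1 out-of 1 | | |
| | | | | | 7,26E-04 | 2 out-of 3 | 1,58E-06 | 0,01% |
| SCC | | | | | | | | |
| SCF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| SCC LAN | 50 000 | 0,00002 | 16 | 0 | 3,20E-04 | 1 out-of 1 | | |
| | | | | | 9,35E-04 | 1 out-of 1 | 9,35E-04 | 5,42% |
| User Terminal | | | | | | | | |
| User Terminal | 50 000 | 0,00002 | 16 | 0 | 3,20E-04 | 1 out-of 1 | 3,20E-04 | 1,85% |
| GALILEO MEO Constellation | | | | | 1,00E-02 | 1 out-of 1 | 1,00E-02 | 57,92% |
| Network | | | | | | | | |
| GAN | | | | | 2,00E-03 | 1 out-of 1 | 2,00E-03 | 11,58% |
| CAN | | | | | 2,00E-03 | 1 out-of 1 | 2,00E-03 | 11,58% |
| RAN | | | | | 2,00E-03 | 1 out-of 1 | 2,00E-03 | |
| Service with integrity (Reg. compon.) | | | | | | | 1,73E-02 | 100,00% |
| | | | | | | | 98,27% | |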


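8.3.5 TM/TC function

| Unit Name | Unit MUT (Hours) | λ (h-1) | Unit MDT (Hours) | μ (h-1) | Unit unavailability (Probability) | Redundancy | Function unavailability | weight |
|---|---|---|---|---|---|---|---|---|
| ULS Site component | | | | | | | | |
| ULF | 6 000 | 0,00016667 | 36 | 0 | 6,00E-03 | | | |
| USF | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | | | |
| CUI | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | | | |
| ULS LAN | 50 000 | 0,00002 | 36 | 0 | 7,20E-04 | | | |
| | | | | | 9,49E-03 | 2 out-of 3 | 2,71E-04 | 2,05% |
| SCC | | | | | | | | |
| SCF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | | | |
| SCC LAN | 50 000 | 0,00002 | 16 | 0 | 3,20E-04 | | | |
| | | | | | 9,35E-04 | 1 out-of 1 | 9,35E-04 | 7,08% |
| GALILEO MEO Constellation | | | | | 1,00E-02 | 1 out-of 1 | 1,00E-02 | 75,72% |
| Network | | | | | | | | |
| CAN | | | | | 2,00E-03 | 1 out-of 1 | 2,00E-03 | 15,14% |
| TM / TC function | | | | | | | 1,32E-02 | 100,00% |
| | | | | | | | 98,68% | |

8.3.6 Orbit monitoring function

| Unit Name | Unit MUT (Hours) | λ (h-1) | Unit MDT (Hours) | μ (h-1) | Unit unavailability (Probability) | Redundancy | Function unavailability | weight |
|---|---|---|---|---|---|---|---|---|
| GNCC | | | | | | | | |
| GNCF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| OSPF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| GNCC LAN | 50 000 | 0,00002 | 16 | 0 | 3,20E-04 | 1 out-of 1 | | |
| | | | | | 1,55E-03 | 1 out-of 1 | 1,55E-03 | 10,70% |
| GMS | | | | | | | | |
| GMF | 26 000 | 3,8462E-05 | 36 | 0 | 1,38E-03 | 1 out-of 3 | 2,65E-09 | |
| GMS LAN | 50 000 | 0,00002 | 36 | 0 | 7,20E-04 | 1 out-of 1 | | |
| | | | | | 7,20E-04 | 2 out-of 3 | 1,56E-06 | 0,01% |
| SCC | | | | | | | | |
| SCF | 26 000 | 3,8462E-05 | 16 | 0 | 6,15E-04 | 1 out-of 1 | | |
| SCC LAN | 50 000 | 0,00002 | 16 | 0 | 3,20E-04 | 1 out-of 1 | | |
| | | | | | 9,35E-04 | 1 out-of 1 | 9,35E-04 | 6,46% |
| GALILEO MEO Constellation | | | | | 1,00E-02 | 1 out-of 1 | 1,00E-02 | 69,02% |
| Network | | | | | | | | |
| GAN | | | | | 2,00E-03 | 1 out-of 1 | 2,00E-03 | 13,80% |
| Orbit monitoring function | | | | | | | 1,45E-02 | 100,00% |
| | | | | | | | 98,55% | |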
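The orbit monitoring roll-up above can be recomputed from the 8.3.1 input data. The Python below is an added example, not part of the report: the formulas (unit unavailability = MDT / MUT, series blocks summed, k-out-of-n blocks as C(n, n-k+1)·q^(n-k+1)) are inferred from this table's figures and are an assumption, and all function names are illustrative.

```python
from math import comb

# (MUT hours, MDT hours) copied from table 8.3.1 "Input data".
UNITS = {
    "GNCF": (26_000, 16), "OSPF": (26_000, 16), "GNCC LAN": (50_000, 16),
    "GMF": (26_000, 36), "GMS LAN": (50_000, 36),
    "SCF": (26_000, 16), "SCC LAN": (50_000, 16),
}
# Unavailabilities that 8.3.1 gives directly, without MUT/MDT.
DIRECT = {"GALILEO MEO Constellation": 1.00e-2, "GAN": 2.00e-3}


def unit_q(name):
    """Unit unavailability, assumed to be MDT / MUT (matches the table)."""
    mut, mdt = UNITS[name]
    return mdt / mut


def series(*qs):
    """All members needed: rare-event approximation, unavailabilities add."""
    return sum(qs)


def k_out_of_n(q, k, n):
    """k of n identical items needed: the block is down once n-k+1 are down.

    Rare-event approximation (assumed): C(n, n-k+1) * q**(n-k+1).
    """
    failures_needed = n - k + 1
    return comb(n, failures_needed) * q ** failures_needed


def orbit_monitoring():
    """Rebuild the 8.3.6 table: block unavailabilities, total and weights."""
    gncc = series(unit_q("GNCF"), unit_q("OSPF"), unit_q("GNCC LAN"))
    gmf = k_out_of_n(unit_q("GMF"), 1, 3)          # GMF: 1 out-of 3
    gms_site = series(gmf, unit_q("GMS LAN"))      # one GMS site
    gms = k_out_of_n(gms_site, 2, 3)               # sites: 2 out-of 3
    scc = series(unit_q("SCF"), unit_q("SCC LAN"))
    blocks = {"GNCC": gncc, "GMS": gms, "SCC": scc, **DIRECT}
    total = series(*blocks.values())
    return {
        "gmf_1oo3": gmf,
        "gms_site": gms_site,
        "blocks": blocks,
        "total": total,
        "availability": 1.0 - total,
        "weights": {name: q / total for name, q in blocks.items()},
    }


def sci(x):
    """Format like the report: two decimals, decimal comma, e.g. 1,45E-02."""
    return f"{x:.2E}".replace(".", ",")


def pct(x):
    """Format a fraction as a percentage with decimal comma, e.g. 98,55%."""
    return f"{100 * x:.2f}%".replace(".", ",")


if __name__ == "__main__":
    result = orbit_monitoring()
    for name, q in result["blocks"].items():
        print(f"{name:28s} {sci(q)}  {pct(result['weights'][name])}")
    print(f"{'Orbit monitoring function':28s} {sci(result['total'])}  "
          f"availability {pct(result['availability'])}")
```

The weights make the dominant contributor explicit: with these inputs the constellation term accounts for roughly two thirds of the function's unavailability, so ground-segment redundancy changes the total only marginally.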


END OF DOCUMENT