Within the context of the present invention, the term passivation is defined as searching for an erroneous order (or value) amongst a plurality of orders, isolating the erroneous order where applicable, and transmitting only a valid order to user systems.
Although not exclusively, the present invention more particularly applies to air operations requiring a navigation and guidance performance guarantee, including operations of the Required Navigation Performance with Authorization Required (“RNP AR”) type. These RNP AR operations are based on surface navigation of the aRea NAVigation (“RNAV”) type and on required navigation performance operations of the Required Navigation Performance (“RNP”) type. Their particular feature is that they require a special authorization before they can be implemented on an aircraft.
Surface navigation of the RNAV type allows an aircraft to fly from one waypoint to another waypoint, rather than from ground stations (radio-navigation means of the NAVAID type) to other ground stations.
As is known, the RNP concept corresponds to surface navigation to which monitoring and warning means are added (on board the aircraft). These means make it possible to ensure that the aircraft remains in a corridor, referred to as RNP, around a reference trajectory, and they allow curved trajectories to be taken into consideration. Outside this corridor, relief or other aircraft could potentially be present. The performance required for an RNP operation type is defined by an RNP value representing the half-width (in nautical miles, NM) of the corridor around the reference trajectory, in which the aircraft should remain 95% of the time during the operation. A second corridor (around the reference trajectory), with a half-width of twice the RNP value, is also defined. The probability that the aircraft goes out of this second corridor should be lower than 10⁻⁷ per hour of flight.
The concept of RNP AR operations is even more stringent. The RNP AR procedures are indeed characterized by:
- RNP values:
    - being lower than or equal to 0.3 NM in approach, and that could go down to 0.1 NM; and
    - being strictly lower than 1 NM at start and upon throttling up, and that could also go down to 0.1 NM;
- a final approach segment that could be curved; and
- obstacles (mountains, traffic, ...) that could be located at twice the RNP value with respect to the reference trajectory, while for usual RNP operations, an additional margin with respect to obstacles is provided.
The air authorities have defined a target level of safety (TLS) of 10⁻⁷ per operation, whatever its type. In the case of RNP AR operations, as the RNP values can go down to 0.1 NM and the obstacles could be located at twice the RNP value from the reference trajectory, this objective translates into a probability that the aircraft goes out of the corridor of half-width D = 2*RNP that should not exceed 10⁻⁷ per procedure.
The equipment embedded on board aircraft (flight management system, inertial unit, means for updating GPS data and means for guiding the autopilot), as well as the usual architecture, do not allow the target level of safety to be reached unless operational mitigation means are provided, in particular for detecting and managing possible breakdowns. This is why a special authorization is required for this type of operation, so as to ensure that the operational procedures and the pilots' training allow the target level of safety to be reached. Moreover, as the crew has to take charge in some breakdowns, aircraft are today not able to guarantee an RNP value of 0.1 NM in a breakdown situation, because the crew is not able to meet the performance requirements in manual piloting.
As set forth previously, current aircraft are not able to guarantee an RNP value of 0.1 NM in a breakdown situation, and the crew should be specially trained for flying the RNP AR procedures. The crew should, indeed, be able to detect and adequately process breakdowns liable to compromise the ongoing operation.
The objective for future aircraft is to be able to fly RNP AR procedures with RNP values down to 0.1 NM, and to do so without restriction (in a normal situation and in the case of a breakdown) in the start, approach and throttling up phases. To this end, the crew should no longer be considered as the main means for detecting and processing breakdowns.
As set forth above, an aircraft is generally provided with a guidance system comprising at least one calculation stage for guidance orders, which are intended for a flight control system of the aircraft. For the aircraft to be able to fly particular procedures, including RNP AR procedures, it is necessary to be able to remove an erroneous source of calculation of guidance orders from the guidance loop, so as to counteract its possible effects on the trajectory of the aircraft. Moreover, the solution being implemented should be reactive enough to counteract the effect of an erroneous order on the guidance of the aircraft in a transparent and immediate way.
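The passivation defined in the first paragraph and the requirement stated just above can be illustrated with a median-vote monitor. This is an added example and not the mechanism of the invention: the three redundant sources, the median vote, the deviation threshold, the confirmation count and the sample order values are all assumptions chosen for illustration.

```python
from statistics import median

class Passivator:
    """Median-vote monitor over redundant guidance orders (illustrative assumption)."""

    def __init__(self, n_sources=3, threshold=2.0, confirm=3):
        self.threshold = threshold   # assumed max deviation from the vote, in order units
        self.confirm = confirm       # assumed consecutive bad cycles before isolation
        self.strikes = [0] * n_sources
        self.isolated = set()        # latched: an isolated source is never re-admitted

    def step(self, orders):
        """Return the order to transmit this cycle, or None if no valid order exists."""
        valid = {i: o for i, o in enumerate(orders) if i not in self.isolated}
        if len(valid) < 2:
            return None              # a lone source cannot be cross-checked
        if len(valid) == 2:
            a, b = valid.values()
            # Two sources can reveal a disagreement but not which one is wrong.
            return (a + b) / 2 if abs(a - b) <= self.threshold else None
        vote = median(valid.values())
        for i, o in valid.items():
            if abs(o - vote) > self.threshold:
                self.strikes[i] += 1
                if self.strikes[i] >= self.confirm:
                    self.isolated.add(i)
            else:
                self.strikes[i] = 0  # a transient glitch does not accumulate
        return vote                  # the median already masks a single outlier


# Constructed sample: source 1 runs away from cycle 2, source 2 jumps on the last cycle.
SAMPLES = [
    (5.0, 5.1, 4.9),
    (5.0, 8.0, 4.9),
    (5.2, 11.0, 5.1),
    (5.3, 14.0, 5.2),
    (5.4, 17.0, 5.3),
    (5.4, 17.0, 9.0),
]

def run(samples=SAMPLES):
    p = Passivator()
    outputs = [p.step(s) for s in samples]
    return outputs, sorted(p.isolated)

if __name__ == "__main__":
    print(run())
```

The transmitted order never follows the runaway source, even before that source is latched as isolated, which is the "transparent and immediate" behaviour the paragraph asks for. Once only two sources remain, a further disagreement can be detected but not attributed, so no order is transmitted.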