Conventionally, a vehicle, such as an aircraft, is located on the basis firstly of data provided by an on-board measurement unit (e.g. including an inertial unit and a barometric altimeter), and secondly from satellite data coming from a constellation of satellites in orbit around the Earth. Combined processing of this data makes it possible to obtain a position that is accurate, referred to below as the “reference” position, and that is close to the real position of the aircraft. The accuracy of the reference position is nevertheless very sensitive to a failure in the constellation of satellites, i.e. in the event of a satellite failing in such a manner as to transmit data that is not exact, but without the failure being detected, or in the event of simultaneous or consecutive failures of two satellites in the constellation (the risk of three satellites failing simultaneously is so low that it is generally ignored).
That is why it is usual practice to provide the pilot of the aircraft with a volume known as the “protection” volume, referred to below as the overall protection volume, that is centered on the reference position and that is representative of the accuracy of the reference position, taking account of the risk of one or two satellites failing. The overall protection volume is a cylinder of vertical axis defined by its radius and its height, which are usually referred to as HPL and VPL. Even if the real position of the aircraft does not coincide exactly with the reference position, it nevertheless has a probability of lying outside the overall protection volume that is equal to no more than some acceptable safety threshold (or integrity risk threshold).
The protection volume corresponding to each circumstance is calculated on the basis of the statistical distribution of position error. Calculating the overall protection volume assumes that it is possible to define the integrity risk by taking account of the probabilities of no failure, of the occurrence of one failure, and of the occurrence of two failures, and to determine the overall protection volume in such a manner that the integrity risk is at least equal to the probability that the real position lies within the overall protection volume.
In the event of no failure, determining the statistical distribution, and thus calculating the protection volume, does not raise any problem. The position error distribution function is known and it is then possible to estimate the corresponding standard deviation. This estimate is valid only on the assumption that the position has been calculated without using any erroneous data.
The event of one satellite failing is more awkward, since it is not possible to determine validly the statistical distribution of the position error for any position that is affected by a failure of a satellite. It is nevertheless possible to escape from this difficulty by calculating as many secondary positions as there are satellites, excluding from the calculation of each secondary position the data provided by a respective one of the satellites, so that at least one of the secondary positions is not affected by the failure of a satellite. The secondary position and the corresponding secondary protection volume giving the greatest overall protection volume are then retained.
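The leave-one-satellite-out calculation described above can be sketched as follows. This is an added example, not code from this document or from the cited reference. The satellite geometry, the noise level `sigma`, the multiplier `k`, and the radius formula (separation from the reference solution plus `k*sigma` times the horizontal spread of the secondary solution) are assumptions chosen for illustration.

```python
import math

# Constructed geometry: (azimuth, elevation) in degrees for 7 satellites.
SATS = [(0, 60), (50, 25), (110, 40), (170, 15), (230, 50), (290, 20), (340, 35)]

def los(az, el):
    """Row of the linearized model: unit line of sight (E, N, U) plus clock term."""
    a, e = math.radians(az), math.radians(el)
    return [math.cos(e) * math.sin(a), math.cos(e) * math.cos(a), math.sin(e), 1.0]

def solve_ls(H, z):
    """Least-squares solution x and C = (H^T H)^-1, by Gauss-Jordan elimination."""
    n = len(H[0])
    A = [[sum(r[i] * r[j] for r in H) for j in range(n)] for i in range(n)]
    b = [sum(r[i] * zi for r, zi in zip(H, z)) for i in range(n)]
    M = [A[i] + [float(i == j) for j in range(n)] for i in range(n)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))  # partial pivoting
        M[c], M[p] = M[p], M[c]
        piv = M[c][c]
        M[c] = [v / piv for v in M[c]]
        for r in range(n):
            if r != c:
                f = M[r][c]
                M[r] = [vr - f * vc for vr, vc in zip(M[r], M[c])]
    C = [row[n:] for row in M]
    return [sum(C[i][j] * b[j] for j in range(n)) for i in range(n)], C

def horizontal_protection(H, z, sigma=1.0, k=5.0):
    """Return (reference solution, radius): the largest of separation + k*sigma*spread
    over the secondary solutions, each computed without one satellite (assumed formula)."""
    x0, _ = solve_ls(H, z)
    radius = 0.0
    for i in range(len(H)):
        xi, Ci = solve_ls(H[:i] + H[i + 1:], z[:i] + z[i + 1:])
        sep = math.hypot(xi[0] - x0[0], xi[1] - x0[1])
        radius = max(radius, sep + k * sigma * math.sqrt(Ci[0][0] + Ci[1][1]))
    return x0, radius

def demo(bias=30.0, faulty=2):
    """True position error is zero; one satellite carries an undetected range bias."""
    H = [los(az, el) for az, el in SATS]
    z = [0.0] * len(H)
    z[faulty] = bias
    x0, radius = horizontal_protection(H, z)
    return math.hypot(x0[0], x0[1]), radius

if __name__ == "__main__":
    print(demo())  # (horizontal error of the reference solution, protection radius)
```

Because the secondary solution that omits the faulty satellite is unaffected by the bias, its separation from the reference solution equals the reference solution's actual horizontal error, so the retained radius bounds that error.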
The circumstance of two satellites failing requires considerable computation power and is generally ignored, on the view that the probability of it occurring is too low to justify taking it into account.
Document US-A-2004/239560 describes such a method of calculating the overall protection volume.
Attempts have also been made to find means that enable the two-failure circumstance to be made negligible. It is thus known to make use of an algorithm for detecting and isolating failures, thereby minimizing the risk that a simultaneous failure of two satellites goes undetected, and thus making it possible to ignore the possibility of simultaneous failure when calculating the protection volume. Nevertheless, such an algorithm requires a large amount of computation power on board the aircraft and lengthens the time taken to process the data. In addition, the method requires appropriate validation methodology that is difficult to put into place insofar as the performance of the algorithm for detecting and isolating failures has a direct bearing on the safety (or integrity) of the airplane, given that a failure that is not detected jeopardizes the safety of the aircraft.