GLS provides angular deviations and metric guidance along an aircraft approach trajectory towards an airport runway, of sufficient quality to allow automatic landing and rollout of the aeroplane in near-zero visibility conditions.
These guidance deviations are calculated from a three-dimensional positioning of the aircraft obtained by using a differential GNSS (Global Navigation Satellite System) system of GBAS (Ground Based Augmentation System) type. The positioning provided by the GBAS system is referred to the three-dimensional ideal trajectory that should be followed by the aeroplane in order to bring it to the runway.
Several categories of approach procedures are defined, as a function of the visibility level on landing. A so-called category I approach does not allow touchdown but makes it possible to reach the landing zone up to a so-called decision height of 100 feet. A category I approach has safety requirements quantified by a risk of providing undetected erroneous outputs of less than 10⁻⁷ per hour.
Conversely, for a so-called category III approach, proceeding in proximity to the ground, and in visibility conditions which may be much reduced, the GLS system must guarantee a rate of undetected erroneous outputs of less than 10⁻⁹ per hour. "Outputs" is understood to mean all of the guidance deviation measurements provided by a GLS system for aiding navigation in the approach phase.
There is therefore a need to design a GLS system with a very high guaranteed integrity level so as to be compatible with the needs of a category III approach phase.
The known solutions for designing GLS systems are usually compatible only with the category I approach procedures, that is to say they do not make it possible to guarantee a sufficiently low rate of undetected output errors.
Two known types of architecture of GLS systems may be distinguished. A first type of architecture, based on a single-channel GNSS receiver, is represented in FIG. 1. It consists essentially of a GNSS receiver 101, for example of GPS or GPS/SBAS (Satellite Based Augmentation System) type, linked on the one hand, by way of amplifying and filtering means 103, to an antenna 102 for receiving GPS or GPS/SBAS satellite-based radio-navigation signals, and on the other hand to a decoder 105 of VDB (VHF Data Broadcast) type which receives, by way of a VHF antenna 104, signals of GBAS (Ground Based Augmentation System) type emitted by a ground station. The VDB decoder 105 transmits a set of corrections, also called augmentation data, to the GNSS receiver 101; these corrections make it possible to improve the reliability of the GNSS signals received via the antenna 102. The GNSS receiver 101 carries out, on the basis of the GNSS signals and of the GBAS corrections, on the one hand a navigation function 111 and on the other hand an approach function 112 as well as a monitoring function 113. The navigation function 111 delivers as output a set of measurements 121 of Position, Velocity and Time allowing navigational aid.
The approach function 112 delivers as output a set of similar measurements 122 or deviations allowing landing aid in the approach phase.
Finally, the monitoring function 113 is used to guarantee an integrity risk adapted to operations with limited criticality, for example operations of "Major" type for navigation or "Hazardous" type for approach. For operations of this type, the integrity risk related to a hardware fault of the receiver must be limited to 10⁻⁷/h as explained hereinabove.
A single-channel solution of the type represented in FIG. 1 does not make it possible to meet the safety requirements of operations whose integrity risk level is more constraining, for example operations classed "Catastrophic", for which the integrity risk must be less than 10⁻⁹/h. Indeed, to attain such safety requirements, the probability that a simple fault gives rise to an integrity defect must be negligible with respect to the integrity risk of 10⁻⁹/h. Taking a factor of 1000, the probability of occurrence of a simple fault impacting integrity ought to be less than 10⁻¹²/h, which is not attainable. Solutions based on the use of a single channel are not protected against a simple fault since they do not define any external monitoring means capable of detecting this fault. Category III approaches are classed "Catastrophic" and may not therefore be implemented by this type of single-channel solution.
A second type of architecture, based on a dual-channel mechanism for GNSS modules, is represented in FIG. 2. Elements common to the architectures of FIGS. 1 and 2 are identified by the same references.
A second GNSS module 201, also called a second channel, is associated with the first GNSS receiver 101 so as to improve the overall integrity. Accordingly, a cross-comparison of the outputs of each approach function 112, 212 is carried out via two comparators 211, 213. A simple criterion makes it possible to invalidate the measurements of guidance deviations which are too dissimilar between the two channels. Light monitoring 214, 215 is implemented in each GNSS module 101, 201 but ensures a suitable integrity risk only for category I operations.
The second channel 201 constitutes a mechanism for external monitoring of the first channel 101; however, this solution does not guarantee the independence of the two channels. Indeed, placing two channels in parallel without being certain of their dissimilarity protects only from integrity defects related to variability in manufacture and in reliability of the components but does not guarantee detection of integrity defects related to design errors revealed by one and the same external event. As examples of external events not detected by the solution of FIG. 2 the following may be cited:
- Failure of electronic components, related to a specific environment in terms of vibration, acceleration or temperature: in GNSS receivers, the filters, oscillators, amplifiers are sensitive to these phenomena and may give rise to integrity defects,
- Failure of the power supply functions, related to disturbed operation of the primary supply stages powering the two receivers 101, 201,
- Failure of the GNSS functions, related to a specific configuration unexpected by the receiver of the GNSS system, for example relating to the modulation of the signal, the Doppler perceived by the receiver, the specific geometry of the constellation or a particular instant of reception of the signals,
- Failure of the GNSS functions, related to a specific configuration unexpected by the receiver of the aeroplane,
- Failure of the GNSS functions, related to a specific environment (dynamics, attitude, position, current time, etc.) unexpected by the receiver of interference and/or of multipaths,
- Failure of the approach functions, related to a specific configuration unexpected by the receiver of the ground station and corrections emitted (identification, authentication, approach segment (FAS), corrections emitted, etc.).
For all the examples given above, a single event may reveal one and the same design defect in the two channels 101,201, rendering the comparison functions completely inoperative, since the two channels may produce an integrity defect which is very similar and consequently undetectable by a single comparator.
This weakness is not acceptable for category III approach operations classed "Catastrophic" for two reasons. Firstly, a simple fault may give rise to an undetected error at the output of the dual channel. Moreover, the dependency of the two channels with common faults considerably limits the reachable improvement in the integrity risk and does not make it possible to reach the expected rate of undetected faults of 10⁻⁹/h.
This problem may be illustrated by the following equation, and by introducing the following variables:
- HMI the integrity risk ensured,
- HMIc the integrity risk common to the two receivers, related to design defects,
- HMIRx1 the integrity risk specific to the first receiver 101,
- HMIRx2 the integrity risk specific to the second receiver 201,
- P the probability of non-detection of an integrity defect by comparing the results provided by the two receivers 101, 201.
We have:
HMI = HMIc + P·(HMIRx1 + HMIRx2 + HMIRx1·HMIRx2)
The above equation shows that the dual-channel principle reduces only the integrity risks HMIRx1, HMIRx2 which are independent between the two receivers 101, 201, by acting on the probability P. On the other hand, the integrity risks which are common, HMIc, cannot be removed.
Thus, the existing solutions do not make it possible to limit the integrity risk to the safety level necessary for the category III approach operation.
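The following is an added illustration, not part of the original text: a small simulation of the dual-channel cross-comparison described above, showing that a fault common to both channels passes the comparator while a fault specific to one receiver is flagged, together with the integrity-risk equation as a function. The alert limit, comparator threshold, noise bound, fault bias and fault rates are all constructed values chosen for the simulation, not figures from the text.

```python
import random

ALERT_LIMIT = 1.0   # deviation error treated as hazardous (constructed value)
THRESHOLD = 0.5     # comparator limit on |channel 1 - channel 2| (constructed)
NOISE = 0.1         # bound on nominal measurement noise (constructed)
FAULT_BIAS = 2.0    # error injected by a fault (constructed)

def simulate(epochs, p_indep, p_common, seed=1):
    """Count hazardous outputs that pass the cross-comparison, by fault origin."""
    rng = random.Random(seed)
    stats = {"indep_faults": 0, "indep_undetected": 0,
             "common_faults": 0, "common_undetected": 0}
    for _ in range(epochs):
        # Deviation error of each channel under nominal conditions.
        err = [rng.uniform(-NOISE, NOISE), rng.uniform(-NOISE, NOISE)]
        kind = None
        if rng.random() < p_common:
            # One external event reveals the same design defect in both channels.
            err[0] += FAULT_BIAS
            err[1] += FAULT_BIAS
            kind = "common"
        elif rng.random() < p_indep:
            # Fault specific to a single receiver.
            err[rng.randrange(2)] += FAULT_BIAS
            kind = "indep"
        if kind is None:
            continue
        stats[kind + "_faults"] += 1
        hazardous = max(abs(e) for e in err) > ALERT_LIMIT
        flagged = abs(err[0] - err[1]) > THRESHOLD  # simple dissimilarity criterion
        if hazardous and not flagged:
            stats[kind + "_undetected"] += 1
    return stats

def hmi(hmi_c, hmi_rx1, hmi_rx2, p):
    """Integrity risk ensured, per the equation in the text."""
    return hmi_c + p * (hmi_rx1 + hmi_rx2 + hmi_rx1 * hmi_rx2)

if __name__ == "__main__":
    print(simulate(100_000, p_indep=1e-2, p_common=1e-3))
    # Even a perfect comparator (P = 0) leaves the common term untouched.
    print(hmi(1e-8, 1e-7, 1e-7, 0.0))
```

With these values every common-mode fault goes undetected and every single-receiver fault is flagged, which is the floor HMIc in the equation: no value of P lowers it.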