Content uploaded by Busyairah Syd Ali
Author content
All content in this area was uploaded by Busyairah Syd Ali on Jul 19, 2017
Content may be subject to copyright.
Content uploaded by Thiam Kian Chiew
Author content
All content in this area was uploaded by Thiam Kian Chiew on Apr 15, 2017
Content may be subject to copyright.
ADS-B System Failure Modes
and Models
Busyairah Syd Ali
1
, Washington Ochieng
1
, Arnab Majumdar
1
,
Wolfgang Schuster
1
and Thiam Kian Chiew
2
1
(Imperial College London)
2
(University of Malaya, Malaysia)
(E-mail: b.syd-ali09@imperial.ac.uk)
Automatic Dependent Surveillance Broadcast (ADS-B) is envisioned to support seamless
aircraft surveillance and enhanced air-to-air and air-to-ground applications. ADS-B is an
integrated system, dependent on on board navigation systems to obtain aircraft state
information as well as a communication data link to broadcast this information to Air Traffic
Control (ATC) on the ground and other ADS-B equipped aircraft. To quantify system safety,
a good understanding of the potential failure modes of the system is vital. ADS-B system
failure modes include those from the communication and navigation systems and human and
environmental factors, as well as ADS-B-specific components. In this paper, potential failure
modes of the ADS-B system are identified using an approach developed in this paper. The
end output of the approach is an ADS-B failure mode register. However, the approach
is transferable to other ATC surveillance systems. The paper further provides the failure
classification and modelling, and also analyses the failure modes’impact on ATC operations
and finally proposes potential mitigations. It is important to note that the work carried out in
this paper is based on the assumption that the ADS-B operates as the primary surveillance
source for the ATC.
KEY WORDS
1. ADS-B. 2. Failure mode. 3. Failure model.
Submitted: 29 May 2013. Accepted: 13 May 2014. First published online: 17 June 2014.
1. I N T R O D U C T I O N . The Radio-Technical Commission for Aeronautics
(RTCA) (2002)defines ADS-B as a functionality, on an aircraft or a surface vehicle
operating within the surface movement area, that periodically broadcasts its state
vector and other information without knowing the recipients and without expecting
acknowledgements, as the system only supports one-way broadcasts. The ADS-B
system architecture can be divided into two subsystems, “ADS-B OUT”and “ADS-B
IN”. The International Civil Aviation Organization (ICAO) (2003a)defines the term
“ADS-B OUT”as the broadcast of ADS-B transmissions from the aircraft, without
the installation of complementary receiving equipment to process and display ADS-B
data on cockpit displays. The complementary subsystem is defined as “ADS-B IN”,
THE JOURNAL OF NAVIGATION (2014), 67, 995–1017. ©The Royal Institute of Navigation 2014
doi:10.1017/S037346331400037X
at https://www.cambridge.org/core/terms. https://doi.org/10.1017/S037346331400037X
Downloaded from https://www.cambridge.org/core. IP address: 110.159.88.43, on 19 Jul 2017 at 05:10:28, subject to the Cambridge Core terms of use, available
which provides air-air situational awareness to the pilots. ADS-B OUT has the
capability to operate independently to provide air-ground situational awareness to
the ATC. The implementation of ADS-B IN however requires fully operational ADS-
B OUT as a pre-requisite, in addition to the certification of cockpit displays, aircrew
training on the new interfaces on board and other activities which have a longer
deployment schedule. Hence ADS-B OUT must be fully deployed prior to ADS-B IN.
ADS-B is the key enabler for EUROCONTROL’s Single European Sky Air Traffic
Management (ATM) Research (SESAR) and the Federal Aviation Administration’s
(FAA) Next Generation Air Traffic Management (NextGen) modernization
programs. These aim to improve airspace capacity and safety without jeopardizing
the environment. To use ADS-B for aviation surveillance, the ICAO, in collaboration
with the RTCA, Air Services Australia, FAA and EUROCONTROL stipulated
various performance standards; Minimum Aviation System Performance Standards
For Automatic Dependant Surveillance Broadcast (RTCA, 2002), Minimum
Operational Performance Standards for 1090 MHz Extended Squitter Automatic
Dependent Surveillance (RTCA, 2011) and Surveillance Performance and
Interoperability Implementing Rule (EUROCONTROL, 2011b). These standards
include requirements for aircraft equipage, ground infrastructure and required
performance levels (i.e. accuracy, integrity, update-rate, availability and reliability)
for the different phases of flight.
Integrity is a crucial parameter to measure system safety. Integrity is defined as the
“level of trust that errors will be correctly detected while integrity risk is the
probability that an error larger than a given threshold goes undetected for longer than
a specified time to alert”(ICAO, 2006a). More specifically, ADS-B position integrity
can be defined as the level of trust in the navigation source and the communication
system to provide the required input to the ADS-B reported information. The
navigation source integrity level is represented by the integrity quality indicator
derived from the navigation system, included in the ADS-B message. Therefore, the
safety of ADS-B depends on the navigation and communication systems.
According to Bhatti and Ochieng (2007), failures can occur from the system
components, operational environment and human factors. It is important to note that,
for ADS-B, the analysis of failure modes should include failures of the system-specific
components and also of the integrated architecture that defines the whole system.
Prior research has characterised failure modes for ADS-B-based applications
(Hammer et al., 2007, Walala, 2008). However, it has not addressed failure modes
of the ADS-B system as a whole. Hammer et al. (2007) provide a method for the
analysis of ADS-B based on operational hazard identification and assessment. This
method identifies potential hazards and allocates safety requirements to ADS-B
ground and airborne functions. However, it is at a relatively high level of detail dealing
with systems and applications, and does not address the failure modes of the ADS-B at
the component level. Walala (2008) assesses the implementation of ADS-B for ground
operations at non-towered airports to prevent runway incursions. The author
identifies functional and general component failures that may potentially lead to
runway incursion. Walala’s(2008) approach focuses just on the ADS-B failures that
lead to only a particular type of incident i.e. runway incursion. Neither study
addresses ADS-B failure modes that will impact the system performance (particularly
integrity and hence safety) for both ground and airborne applications. The next
sub-section describes the various safety cases developed by EUROCONTROL,
996 BUSYAIRAH SYD ALI AND OTHERS VOL. 67
at https://www.cambridge.org/core/terms. https://doi.org/10.1017/S037346331400037X
Downloaded from https://www.cambridge.org/core. IP address: 110.159.88.43, on 19 Jul 2017 at 05:10:28, subject to the Cambridge Core terms of use, available
NATS, FAA and AirServices Australia for the ADS-B system. These are used in this
paper to identify potential ADS-B failure modes.
1.1. Existing safety cases for ADS-B. EUROCONTROL has implemented
preliminary safety cases for the ADS-B system in radar and non-radar airspace
under the CASCADE programme. The programme coordinates the deployment
of initial ADS-B applications in Europe. The programme covers both ground
surveillance (i.e. “ADS-B OUT”) as well as airborne surveillance applications
(i.e. “ADS-B IN”/Air Traffic Situational Awareness (ATSAW)). The key deliverables
of the CASCADE programme are: standardisation, certification and integration
support for the applications as well as airborne and ground-based system components;
safety case activities; validation of ADS-B applications and systems; functional
performance analysis and, as necessary, support to the rectification of system
anomalies. In the context of the CASCADE program, a Preliminary Safety Case
(PSC) does not include implementation, transition and in-service related issues. It
includes design stages of the intended system, related requirements considering typical
operating environment characteristics such as traffic density and separation minima
to be applied. The various PSC relevant to this work are:
▪PSC for ADS-B in Non Radar Area (NRA) (EUROCONTROL, 2008)
▪PSC for ADS-B in Radar Area (RAD) (EUROCONTROL, 2010)
▪Review of PSC for ADS-B in Radar Area (RAD) (Eurocontrol Safety Regulation
Commission 2011)
▪PSC for ADS-B in Airport Surface Surveillance (APT) (EUROCONTROL,
2011a)
Airservices Australia has conducted an operational trial of ADS-B for ATC
surveillance in the Burnett Basin of Queensland. The safety case design and
implementation has been developed based on a comparison of ADS-B to radar
performance (ICAO, 2006a). The findings on the comparison study for ADS-B and
SSR conducted by Airservices Australia indicates that ADS-B tracks are solid and
without any significant multipath problems or gaps. The study also highlighted that
ADS-B coverage is very close to that of radar. The minor differences identified are due
to the antenna heights. In addition, the study also found that one particular aircraft
was using ADS-B in excess of 360 nautical miles (nm). According to Airservices
Australia if it is agreed that if ADS-B can be demonstrated to be as good as radar in
the relevant system performance measures, then it can be used to deliver the services
that radar currently supports. In December 2009, Airservices Australia commissioned
the ADS-B Upper Airspace Project (UAP), providing ADS-B coverage across the
whole continent. Since then, 29 ADS-B sites have been added, in addition to 14 sites in
Tasmania that are now fully operational. Aircraft avionics are being assessed and
approved for operational use. ADS-B data from non-approved aircraft is filtered out
at each site. Currently, over 1200 aircraft are approved and receiving the operational
and safety benefits of ADS-B services in Australia. Australia has also made ADS-B
equipage mandatory for all aircraft (domestic and foreign) operating at or above
FL290 as of December 2013 (SKYbrary, 2013).
ICAO has designed a generic safety case based on a safety case conducted by
Airservices Australia on the operational use of ADS-B in non-radar airspace (ICAO,
2003b). The safety case is based on the reference system approach (ICAO, 1998).
997
ADS-B SYSTEM FAILURE MODES AND MODELSNO. 6
at https://www.cambridge.org/core/terms. https://doi.org/10.1017/S037346331400037X
Downloaded from https://www.cambridge.org/core. IP address: 110.159.88.43, on 19 Jul 2017 at 05:10:28, subject to the Cambridge Core terms of use, available
The Federal Aviation Administration (FAA) has conducted a number of trials in
non-radar areas such as the Capstone project in Alaska. The Capstone project was
designed to identify safety and efficiency by ADS-B technology in Alaska and to
demonstrate its capabilities for use nationally. Alaska was chosen as the test-bed due
to its reliance on air transport more than other states, whereby only 10% of the state is
accessible by road. In addition, Alaska contributes 35% of the nation’s air transport
accidents due to the state’s mountainous terrain and extreme winter climate. A study
by MITRE and the University of Alaska found that from 2000 to 2004, the rate of
accidents for ADS-B-equipped aircraft was reduced by 47% (Federal Aviation
Administration, 2011). Therefore the Capstone project has demonstrated that ADS-B
would improve aviation safety in Alaska. Other trials for ADS-B demonstration are
also being conducted in Philadelphia and in the Gulf of Mexico, where the traffic has
grown at twice the rate in domestic airspace over the last decade (Esler, 2007). Radar
coverage is not possible over the Gulf of Mexico due to its geographical structure.
However, air traffic in the Gulf is approximately as busy as the traffic in the East Coast
Corridor, with 5000 to 9000 offshore platform helicopter operations daily and
commercial flights between the US, Mexico, and South America. Low altitude aircraft
are isolated and high altitude commercial aircraft are separated by 100 nm to ensure
safety due to unavailability of radar surveillance, lack of communication and weather
information. This leads to restricted capacity and inefficiency (Federal Aviation
Administration, 2011). Initial ADS-B surveillance in the Gulf began in December
2009. This enabled controllers to separate high-altitude ADS-B-equipped aircraft over
the Gulf, reducing the 100 nm separation to 5 nm in the trial. This also enabled low
altitude helicopters to receive air traffic services and weather information. The trial
has demonstrated significant improvement in the aviation operation in the Gulf.
However, in August 2010, an 11 hour ADS-B outage due to failure of the ground
station network without any backup affected air traffic control over the Gulf. The
outage also affected the FAA’s Surveillance Broadcast Services (SBS) which was in-
tended to monitor the ground station performance (Office of Inspector General, 2011).
Apart from that, the FAA, in collaboration with UPS Corporation, conducted
ADS-B terminal area proof of concept at the freight carrier’s hub in Louisville. This
trial was intended to increase airport capacity and address runway incursions at the
busy cargo hub (Esler, 2007).
Based on the various safety case reports reviewed, a number of failure modes for
ADS-B were identified and are further analysed in this paper.
This paper conducts an exhaustive search for potential failure modes that can affect
ADS-B performance using an approach developed in this paper (described in Section 2).
The approach further guides the analysis of the impact of the failure modes to ATC
operations and aircraft navigation based on the assumption that ADS-B operates
as the sole surveillance source. Finally the identified failure modes are mapped to its
corresponding mathematical model based on the failure mode characteristics.
2. ADS-B FAILURE MODE IDENTIFICATION APPROACH. A
failure mode is a description of a state that disables the ability to perform a required
function due to a certain event (Rausand and Høyland, 2004). Due to the complexity
and safety critical nature of the ADS-B system, a failure mode identification approach
is developed in this paper for the system. The approach focuses on identifying possible
998 BUSYAIRAH SYD ALI AND OTHERS VOL. 67
at https://www.cambridge.org/core/terms. https://doi.org/10.1017/S037346331400037X
Downloaded from https://www.cambridge.org/core. IP address: 110.159.88.43, on 19 Jul 2017 at 05:10:28, subject to the Cambridge Core terms of use, available
failures in the system-specific components and its interaction and integration
with external systems (eg. navigation and communication) and external elements
such as human (controllers and pilots) and environmental factors. The approach is
complex due to the different nature of the elements that compose the overall ADS-B
system. The human element is identified as one of the failure modes for the ADS-B
system. For instance, failures induced by a pilot’s action (or inactions) may result in
the loss of the ADS-B service to controllers on the ground for ATC operations without
any alert. Such failures are analysed based on the outcome of the human actions to the
overall system performance. The existence of elements with unpredictable natures
increases the complexity of the system in addition to its highly integrated nature.
The failure identification approach is illustrated in Figure 1. The process comprises
the following tasks:
▪identify potential failure modes of the ADS-B system;
▪identify failure mode effects on the ADS-B system;
▪determine consequences of the failure effect on the overall ATC surveillance
operations;
▪determine failure hazards to ATC operations and aircraft navigation;
▪categorise failure modes; and
▪propose a mitigation approach for each failure mode.
The input for the processes is obtained from:
▪extensive literature review on each ADS-B specific component and the integrated
navigation and communication system components;
▪review of safety reports on ADS-B trials from various Air Navigation Service
Providers (ANSPs) worldwide including EUROCONTROL, FAA and Air
Services Australia;
▪analysis of ADS-B reports gathered from ADS-B ground stations and
corresponding positioning data from on board navigation system (Global
Positioing System - GPS) for 37 aircraft through collaboration with NATS
CRISTAL Project and British Airways;
▪input from Subject Matter Experts (with more than five years of experience
on ADS-B system design and trial implementation) from EUROCONTROL,
QinetiQ, Airbus and NATS via structured interviews; and
▪authors’understanding of the overall system architecture and functionalities.
The next section describes the processes, input used and output in detail.
2.1. ADS-B Failure Identification Process. In the first step, various technical
documents of the ADS-B system requirements and system descriptions are reviewed to
gain a comprehensive understanding of the system architecture, functionalities and
operations.
In the second step, a high-level system architecture diagram (Figure 2), ADS-B
OUT functional block diagram (Figure 3) and ADS-B IN functional block diagram
(Figure 4) are developed based on input from a literature review and expert input
(particularly from Airbus, NATS and British Airways). The system architecture in
Figure 2 is divided into five levels: Level-0 indicates the Global Navigation Satellite
999
ADS-B SYSTEM FAILURE MODES AND MODELSNO. 6
at https://www.cambridge.org/core/terms. https://doi.org/10.1017/S037346331400037X
Downloaded from https://www.cambridge.org/core. IP address: 110.159.88.43, on 19 Jul 2017 at 05:10:28, subject to the Cambridge Core terms of use, available
Start
Review
documentation
Categorise failure
modes
Develop failure
mode register
Propose mitigation
for failure modes
Determine
hazards to ATC
operations
Determine
consequence of
failure mode
effects to ATC
Determine failure
mode effects to
ADS-B system
Identify failure
modes
Produce functional
block diagram
Correction action
carried out
System
Requirements
System
Description
Literature review
of system design Experts Input
Safety Reports
Literature Review
of system
components
ADS-B track
performance
analysis
Safety Reports
RSP
Understanding of
system’s
components
interactions
Understanding of
surveillance
function in ATC
operations
Understanding of
surveillance
function in ATC
operations
Understanding of
failure mode
nature
Understanding of
ADS-B system
design
Understanding of
ATC Surveillance
system
requirements
Review Changes Corrective actions
Failure mode
register
YES
NO
Figure 1. ADS-B failure mode identification approach.
1000 BUSYAIRAH SYD ALI AND OTHERS VOL. 67
at https://www.cambridge.org/core/terms. https://doi.org/10.1017/S037346331400037X
Downloaded from https://www.cambridge.org/core. IP address: 110.159.88.43, on 19 Jul 2017 at 05:10:28, subject to the Cambridge Core terms of use, available
System (GNSS) subsystem; Level-1 indicates ADS-B avionics, known as the on board
ADS-B OUT subsystem; Level-2 indicates the ADS-B IN specific subsystem; Level-3
indicates the ADS-OUT ground station subsystem and Level-4 indicates the controller
working positions on the ground. Figure 3 illustrates detailed components of the
ADS-B OUT functional block composed of the Message Generation Function which
obtains its input from external systems: on board navigation system, barometric
altimeter, pilot interface and Flight Management System (FMS), and then encodes
and assembles the message; and Transmit Message Exchange Function which
broadcasts the ADS-B message to the users (other ADS-B-equipped aircraft and to
ATC on the ground). Figure 4 illustrates detailed components of the ADS-B IN
functional block composed of Receive Message Exchange Function, which receives
the encoded message from Transmits Message Exchange Function (Figure 3); and
Report Assembly Function which decodes and feeds the ADS-B message to Client
applications: FMS, Traffic Collision Avoidance System (TCAS), Airborne Separation
Assistance System (ASAS) and Cockpit Display of Traffic Information (CDTI) for
aircraft navigation aids.
In the third step, ADS-B failure modes are identified from safety reports by ANSPs
on ADS-B trial implementations, an extensive literature review on the system
components and ADS-B report performance analysis. For further details of the ADS-
B report performance analysis, refer to (Ali et al., 2013c, Ali et al., 2013a)2013a). The
scope of the analysis in this paper is from Level-0 to Level-4 as shown in Figure 2.
Most of the failure modes in Level-0 (GNSS) included in the paper are adopted from
existing research (Bhatti and Ochieng, 2007, Ochieng and Sauer, 2003, The Royal
Academy of Engineering, 2011). Failures also result from interfaces between
Satellite 1
GPS Antenna
Satellite nSatellite 2
ADS-B Antenna
(Rx)
ADS-B Receiver
ATC Centre /
RCMS
Antenna
(bottom)
FMS
Control Panel
(Pilot Input)
Antenna (top)
ADS-B capable
Transponder
Barometric
Altimeter
GPS Receiver
Aircraft 1
Aircraft n
STCA
TIS-B Antenna
(Tx)
TIS-B
Transmitter
ACAS/TCAS
ASAS
CDTI
ATCo
Pilot
GPRS DL GPRS DLGPRS DL
DL Cable
DL Cable
DL Cable
DL Cable
DL Cable
DL Cable
DL Cable
DL Cable
DL Cable
1030MHz
1090MHz
1090MHz
1030MHz
Level 4 : ATC Applications
Level 0 : GNSS
Level 1 : ADS-B Avionics
Level 3 : Ground Station / ADS-B OUT
Level 2 : ADS-B IN
ADS-B Data
Decoding Module
Altimeter
Encoder
ADS-B Report
Development
Module
Figure 2. ADS-B High Level System Architecture.
1001ADS-B SYSTEM FAILURE MODES AND MODELSNO. 6
at https://www.cambridge.org/core/terms. https://doi.org/10.1017/S037346331400037X
Downloaded from https://www.cambridge.org/core. IP address: 110.159.88.43, on 19 Jul 2017 at 05:10:28, subject to the Cambridge Core terms of use, available
the components, human errors and environmental effects. The failure modes identified
are provided in Tables 1 to 5.
In the fourth step, the effects of each failure mode on the ADS-B system
performance are analysed based on the safety reports and understanding of the system
component interactions and functionalities.
In the fifth step, the consequence of the failure mode effects on ATC surveillance
operations and aircraft navigation are analysed by referring to the Required
Surveillance Performance (RSP) and understanding the required surveillance function
and level of performance for ATC operations.
In the sixth step, specific hazards to ATC operations are also determined due to the
failures based on the required surveillance functions.
In the seventh step, the characteristics of each failure mode are described and
categorised based on the failure model: step error, ramp error, random noise,
oscillation, or bias error by understanding the nature of the failure modes.
In the eighth step, mitigation for each failure mode identified is derived/proposed
based on the understanding of the ADS-B system design and ATC surveillance system
requirements.
In the last step, the list of identified failure modes is reviewed in an iterative
manner to revise and update the failure mode register. The failure mode register
is a living document that can be updated as more failures are discovered in the future.
Input interface
Message
Encoding
Subfunction
Message
Assembly
Subfunction
Navigation
System
(main)
Navigation
System
(backup)
Barometric
Altimeter
Pilot
interface
FMS
Transmitting Subsystem (ADS-B OUT)
Avionics Input
Bus
Data
Concentrator
Insert formatted
message to DF
= 17 interface of
transponder
BDS register
Radio
equipment
(modulator /
transmitter)
1090 MHz
transmitting
antenna
Message
broadcast
Message Generation Function
Transmit Message Exchange Function
External Input
Systems
Figure 3. ADS-B OUT Functional Block Diagram.
1002 BUSYAIRAH SYD ALI AND OTHERS VOL. 67
at https://www.cambridge.org/core/terms. https://doi.org/10.1017/S037346331400037X
Downloaded from https://www.cambridge.org/core. IP address: 110.159.88.43, on 19 Jul 2017 at 05:10:28, subject to the Cambridge Core terms of use, available
3. A D S - B F A I L U R E M O D E S . ADS-B is a complex system dependent on
external systems, including navigation, communication and users. These systems are
integrated to ADS-B-specific components to build the complete system i.e. ADS-B
OUT and ADS-B IN sub-systems. There is potential for failure at any one of a number
of stages from production of aircraft state vector data (navigation system), upload and
processing in the ADS-B on board components, to their transmission (Figure 3),
reception (Figure 4) and processing at the ADS-B ground station for ATC use.
Failure modes for each component in Figures 2,3and 4are identified for ADS-B
OUT avionics, ADS-B OUT ground stations, ADS-B IN, the human element and
failures resulting from environmental effects, as shown in Tables 1 to 5respectively.
The tables provide lists of ADS-B failure modes captured from existing literature, and
augmented with new modes identified in this paper. Each failure mode is assigned a
unique identification (ID). The ID is used later in the paper to facilitate grouping of
failure modes, so that error type models can be specified for each group as shown in
Table 6. In the second column of the tables, causes of the failures are described. This is
followed by a description of the failure characteristics based on the actual surveillance
data performance and the nature of its occurrences (component level). The next
column provides the failure impact on the relevant ATC or aircraft navigation
operations (functional level) based on the observable ADS-B surveillance data
presented to the users. The nature of the impact is characterised by the type of the
failure identified in Table 6. Impacts due to each error type are described in Section 4.
Column five proposes mitigation measures for each failure in the next column.
Receiving Subsystem (ADS-B IN)
1090 MHz receiving
antenna
Radio equipment
(receiver /
demodulator)
Report Assembly
Subfunction
Output interface sub-
function
Control Interface (to
filter required output
for specific client
applications on-board)
Airborne Separation
Assistance System
(ASAS)
Traffic Collision
Avoidance System
(TCAS)
Flight Management
System (FMS)
Message Tracking
Subfunction
Message Decoding
Subfunction
Receive Message Exchange Function Report Assembly Function
Client Applications
Cockpit Display of
Traffic Information
(CDTI)
Figure 4. ADS-B IN Functional Block Diagram. * shaded boxes indicate software modules.
1003ADS-B SYSTEM FAILURE MODES AND MODELSNO. 6
at https://www.cambridge.org/core/terms. https://doi.org/10.1017/S037346331400037X
Downloaded from https://www.cambridge.org/core. IP address: 110.159.88.43, on 19 Jul 2017 at 05:10:28, subject to the Cambridge Core terms of use, available
Table 1. ADS-B OUT avionics failure modes.
ID Cause Characteristics Impact/Remark Mitigation
User
Detection
AOA1 Deterioration of aircraft
equipment accuracy
performance
Loss of positional accuracy of
reported position. This failure is
difficult to detect due to equipment
aging and may contribute a small
constant error.
Possible error in the displayed
position of the aircraft therefore
could lead to a breakdown in
separation. This will affect
particular aircraft.
ADS-B position accuracy quality
indicator (NAC) will alert the
controller of the hazard. Routine
aircraft avionics maintenance and
testing is required.
No
AOA2 Fault in GPS receiver unit Corrupted position data sent to ADS-
B emitter. This failure can propagate
over a long period due to lack of
calibration/maintenance.
Possible error in the displayed
position of the aircraft could lead
to a breakdown in separation. This
will affect particular aircraft.
Provision of redundant GPS receiver
as a backup, in the case of single
receiver failure.
No
AOA3 Failure of GPS Time
system
Failure of GPS time input to ADS-B
track processor will cause loss of
time synchronisation unexpectedly
without notification.
Could lead to incorrect intent data
without the controller being aware.
This will affect all aircraft.
Intent data verification mechanism
needs to be implemented.
No
AOA4 ADS-B OUT antenna
deterioration
Incorrect data broadcast. This failure
is difficult to detect due to equipment
aging and may contribute a small
constant error.
Error in the reported data without
controller awareness could lead to a
breakdown in separation. This will
only affect particular aircraft.
ADS-B data integrity validation
mechanism required at the ADS-B
ground station/on board receiving
equipment. Flight plan can be
utilized to conduct the verification
on the ground and TCAS data for
on board verification.
No
AOA5 Incorrect data broadcast
due to data corruption
during transmission
Significant random error in the
displayed aircraft position.
Could lead to a breakdown in
separation without controller
awareness. This will affect all
aircraft in the region.
ADS-B data integrity validation
mechanism required at the ADS-B
ground station/on board receiving
equipment.
No
AOA6 Intentional or
unintentional RF
interference
Signal interruption and noise may
cause data distortion.
Error in the reported position
without controller/pilot awareness
could lead to a breakdown in
separation. This affects all aircraft
in the region.
ADS-B data integrity validation
mechanism required at the ADS-B
ground station/on board receiving
equipment.
No
1004 BUSYAIRAH SYD ALI AND OTHERS VOL. 67
at https://www.cambridge.org/core/terms. https://doi.org/10.1017/S037346331400037X
Downloaded from https://www.cambridge.org/core. IP address: 110.159.88.43, on 19 Jul 2017 at 05:10:28, subject to the Cambridge Core terms of use, available
AOA7 Fault in ADS-B emitter/
transponder
Significant error in the displayed
position of the aircraft. This failure
can propagate over a long period due
to lack of calibration/maintenance.
Could lead to a breakdown in
separation without controller
awareness. This affects particular
aircraft.
ADS-B data integrity validation
mechanism required at the ADS-B
ground station/on board receiving
equipment.
No
AOA8 Error in Figure of Merit
(FOM) transmitted by
ADS-B emitter
ADS-B data with incorrect integrity
level will be broadcast to ATC or
other aircrafts. This failure can last
for a long period if undetected.
Could lead to a breakdown in
separation without controller
awareness. This affects particular
aircraft.
ADS-B data integrity validation
mechanism required at the ADS-B
ground station/on board receiving
equipment. Proposed by author in
(Ali et al., 2013b).
No
AOA9 Failure of altitude sensing Corrupted altitude data transmitted
to ADS-B emitter. This failure can
propagate over a long period due to
lack of calibration/maintenance.
Could lead to a breakdown in
separation without controller
awareness. This affects particular
aircraft.
Altitude quality indicator will alert
the controller of the hazard.
Routine aircraft avionics
maintenance required.
No
AOA10 Altitude encoder
malfunction
Incorrect altitude data transmitted to
ADS-B emitter. The system attitude
instability may introduce significant
random error to the altitude data.
Could lead to a breakdown in
separation without controller
awareness. This affects particular
aircraft.
Altitude quality indicator will alert
the controller of the hazard.
Routine aircraft avionics
maintenance and testing is
required.
No
AOA11 Altimetry System Error - Blocked static port
- Damage to port and pitot tube
- Pressure leaks in pitot/static pipes
- Air Data computer out of
tolerance
- Poor paint finish static port
sensitive areas. This failure can
propagate over a long period due to
lack of calibration/maintenance.
Incorrect altitude data transmitted
to ADS-B emitter. This affects
particular aircraft.
Altitude quality indicator will alert
the controller of the hazard.
Routine aircraft avionics
maintenance and testing is
required.
No
AOA12 Stuck bit in altitude
encoder
Incorrect altitude data transmitted to
ADS-B emitter due to stuck bit in
altitude encoder. This failure leads to
unexpected error without
notification.
Could lead to a breakdown in
separation without controller
awareness. This only affects
particular aircraft.
Altitude quality indicator will alert
the controller of the hazard.
Routine aircraft avionics
maintenance and testing is
required.
No
1005ADS-B SYSTEM FAILURE MODES AND MODELSNO. 6
at https://www.cambridge.org/core/terms. https://doi.org/10.1017/S037346331400037X
Downloaded from https://www.cambridge.org/core. IP address: 110.159.88.43, on 19 Jul 2017 at 05:10:28, subject to the Cambridge Core terms of use, available
Table 1. (Cont.)
ID Cause Characteristics Impact/Remark Mitigation
User
Detection
AOA13 Error in the data encoding
process in the ADS-B
emitter
Incorrect data broadcast by the ADS-
B emitter due to data corruption.
The error is difficult to detect.
Could lead to a breakdown in
separation without controller
awareness. This only affects
particular aircraft.
ADS-B software module testing and
debugging to identify and resolve
bug causing data error.
No
AOA14 Jamming of GPS
transmission from the
satellite due to deliberate
or non-deliberate actions
Loss of ADS-B position data to ADS-
B emitter. Emitter will stop squitting
ADS-B data. This may impact all
aircraft within the region. The failure
is abrupt without notification.
Loss of situational awareness.
Increase in workload due to
requirement to transition back
to procedural control.
Provision of backup navigation
system on board - e.g. Inertial
Navigation System (INS).
Yes
AOA15 Loss of geometry from the
satellite
Possible loss of ADS-B service. The
failure is abrupt without notification.
Loss of situational awareness.
Increase in workload due to
transitioning back to procedural
control and reassessment of traffic.
This will affect particular aircraft.
Provision of backup navigation
system on board - e.g. Inertial
Navigation System (INS).
Yes
AOA16 Satellite Failure - Predicted
(NANU)
Possible loss of ADS-B service. The
failure is abrupt.
ADS-B tracks will not be displayed
on the ATC console therefore will
cause an increase in workload due
to the requirement to transition
back to procedural control. This
will affect all aircraft in the region.
Provision of backup navigation
system on board - e.g. Inertial
Navigation System (INS).
Yes
AOA17 Satellite Failure -
Unpredicted-Yes
Possible loss of ADS-B service. The
failure is abrupt without notification.
Loss of situational awareness.
Increase in workload due to
transitioning back to procedural
control and reassessment of traffic.
This will affect all aircraft in the
region.
Provision of backup navigation
system on board - e.g. Inertial
Navigation System (INS).
Yes
1006 BUSYAIRAH SYD ALI AND OTHERS VOL. 67
at https://www.cambridge.org/core/terms. https://doi.org/10.1017/S037346331400037X
Downloaded from https://www.cambridge.org/core. IP address: 110.159.88.43, on 19 Jul 2017 at 05:10:28, subject to the Cambridge Core terms of use, available
AOA18 Satellite Failure -
Unpredicted-No
Possible loss of ADS-B service. The
failure is abrupt.
Loss of situational awareness.
Increase in workload due to
transitioning back to procedural
control and reassessment of traffic.
This will affect all aircraft in the
region.
Common Failure mode - no
mitigation.
Yes
AOA19 Satellite Failure -
Unpredicted-Undeclared
Possible loss of ADS-B service. The
failure is abrupt without notification.
Loss of situational awareness.
Increase in workload due to
transitioning back to procedural
control and reassessment of traffic.
This will affect all aircraft in the
region.
Common Failure mode - no
mitigation.
Yes
AOA20 GPS receiver malfunction No position data sent to ADS-B
emitter. The failure is abrupt without
notification.
Loss of situational awareness.
Increase in workload due to
transitioning back to procedural
control and reassessment of traffic.
This will affect particular aircraft.
Provision of backup navigation
system on board - e.g. Inertial
Navigation System (INS) or
redundant GNSS receiver.
Yes
AOA21 SBAS inaccuracy Reduced accuracy position sent to
ADS-B emitter. This failure can
propagate over a long period due to
lack of calibration/maintenance.
Possible error in the displayed
position of the aircraft could lead
to a breakdown in separation. This
will affect all aircraft in the region.
ADS-B emitter will reject corrupted
position data based on position
accuracy indicator (HFOM) from
GNSS.
Yes
AOA22 SBAS failure Reduced accuracy & integrity
position sent to ADS-B emitter. The
error is difficult to detect.
Possible error in the displayed
position of the aircraft could lead
to a breakdown in separation. This
will affect all aircraft in the region.
GNSS receiver autonomous integrity
monitoring (RAIM) with fault
detection and exclusion (FDE) is
required for all IFR aircraft.
Yes
AOA23 Failure to detect aircraft in
manoeuvring
Sudden delayed aircraft position
updates without any notification.
If the position error between updates
is larger than the separation
standard, this could lead to a
breakdown in separation. This will
affect particular aircraft.
Need to check and verify GPS
antenna sensitivity.
Yes
AOA24 GPS antenna failure
causing the transponder
to stop squitting when
data is not refreshed every
2 seconds.
Loss of ADS-B position data affecting
the controller. The error slope is
large enough to be detected.
Loss of situational awareness.
Increase in workload due to
transitioning back to procedural
control and reassessment of traffic.
This will affect particular aircraft.
Provision of backup navigation
system on board - e.g. Inertial
Navigation System (INS).
Yes
1007ADS-B SYSTEM FAILURE MODES AND MODELSNO. 6
at https://www.cambridge.org/core/terms. https://doi.org/10.1017/S037346331400037X
Downloaded from https://www.cambridge.org/core. IP address: 110.159.88.43, on 19 Jul 2017 at 05:10:28, subject to the Cambridge Core terms of use, available
Table 1. (Cont.)
ID Cause Characteristics Impact/Remark Mitigation
User
Detection
AOA25 ADS-B OUT antenna
malfunction
Loss of ADS-B data affecting
controller .The error slope is large
enough to be detected.
Loss of situational awareness.
Increase in workload due to
transitioning back to procedural
control and reassessment of traffic.
This will affect particular aircraft.
Enable antenna sharing with TCAS
antenna as a backup.
Yes
AOA26 RF jamming of ADS-B
transmissions due to
deliberate or non-
deliberate actions
Sudden loss of ADS-B data to
controller without notification.
Loss of situational awareness.
Increase in workload due to
requirement to transition back to
procedural control. This affects all
aircraft within the specific airspace.
This is a security concern that needs
to be addressed before fully
implementing the system.
Yes
AOA27 Failure of ADS-B
transponder /emitter on
the aircraft
Loss of ADS-B data affecting
controller. The error slope is large
enough to be detected.
Loss of situational awareness.
Increase in controller workload due
to requirement to revert back to
procedural control. This affects
particular aircraft.
Provision of redundant ADS-B
transponder or emitter.
Yes
AOA28 Altimeter malfunction No altitude data transmitted to ADS-
B emitter. The failure is abrupt
without notification.
No altitude transmitted. ATC
should fall back to procedural
control. This affects particular
aircraft.
Geometric height from GPS can be
used as backup information.
Yes
AOA29 Failure of connection
between navigation source
and Mode-S ES
transponder/UAT box
Loss of ADS-B positional data to
ADS-B emitter. Emitter will stop
squitting ADS-B data. The failure is
abrupt without notification.
Loss of situational awareness.
Increase in workload due to
transitioning back to procedural
control and reassessment of traffic.
This only affects particular aircraft.
Routine aircraft avionics
maintenance and testing is
required.
Yes
1008 BUSYAIRAH SYD ALI AND OTHERS VOL. 67
at https://www.cambridge.org/core/terms. https://doi.org/10.1017/S037346331400037X
Downloaded from https://www.cambridge.org/core. IP address: 110.159.88.43, on 19 Jul 2017 at 05:10:28, subject to the Cambridge Core terms of use, available
Table 2. ADS-B OUT ground station failure modes.
ID Cause Characteristics Impact/Remark Mitigation
User
Detection
AOG1 Fault in the ADS-B receiver
at the ground station.
Incorrect data displayed to
controller due to corruption of data
by the ground station. The errors
last over a long period.
Could lead to a breakdown in separation
without controller awareness. This may
affect all aircraft tracked by the station.
Routine ADS-B ground station
maintenance and testing is
required.
No
AOG2 Unstable sensitivity of the
ground sensor.
Tracks dropping in and out of
coverage in the control area.
The error portrays the system
instability.
Loss of situational awareness. Increase in
workload due to transitioning back to
procedural control and reassessment
of traffic. This may affect all aircraft.
Routine antenna maintenance
and calibration are required.
Yes
AOG3 Failure of ADS-B ground
station power supply.
Unexpected loss of ADS-B data
affecting the controller.
Loss of situational awareness. Increase in
workload due to transitioning back to
procedural control and reassessment
of traffic.
Provision of backup
Uninterrupted Power Supply
(UPS).
Yes
AOG4 Failure of data links
between ADS-B ground
stations and Controller
Working Position (CWP).
Sudden loss of ADS-B data affecting
the controller.
Loss of situational awareness. Increase in
workload due to transitioning back to
procedural control and reassessment
of traffic.
Provision of redundant data
link of different nature, for
example fibre optic or lease
line.
Yes
AOG5 Error in the ground station
data links.
Incorrect data displayed to
controller due to corruption of data
by the unstable attitude of ground
station data links.
Could lead to a breakdown in separation
without controller awareness. This may
affect all aircraft.
Routine data link testing and
maintenance required.
No
AOG6 Error in the data decoding
process (report assembly
module) at the ground
station.
Position of aircraft may be incorrect
when the range exceeds a certain
distance due to the decoding
process.
Could lead to a breakdown in separation
without controller awareness. This may
affect all aircraft.
ADS-B software module
testing and debugging to
identify and resolve bug
causing data error.
No
1009ADS-B SYSTEM FAILURE MODES AND MODELSNO. 6
at https://www.cambridge.org/core/terms. https://doi.org/10.1017/S037346331400037X
Downloaded from https://www.cambridge.org/core. IP address: 110.159.88.43, on 19 Jul 2017 at 05:10:28, subject to the Cambridge Core terms of use, available
Table 3. ADS-B IN failure modes.
ID Cause Characteristics Impact/Remark Mitigation
User
Detection
AI1 ADS-B IN (receiving) antenna
deterioration.
Position of aircraft may be
incorrect. The error is a small
constant and difficult to detect.
False situational awareness and
error in the navigational aids
provided by the ADS-B IN
application.
Routine maintenance and
calibration is required.
No
AI2 Error in the ADS-B report assembly
module.
Position of aircraft may be incorrect
due to the error in the assembly
process. The error may last over long
period.
False situational awareness and
error in the navigational aids
provided by the ADS-B IN
application.
ADS-B software module testing
and debugging to identify and
resolve bug causing data error.
No
AI3 Connection failure between ADS-B
receiver box and the application
systems (e.g. CDTI, ASAS).
No aircraft track will be displayed to
the pilot. This will affect particular
aircraft. The error is abrupt without
notification.
Reduced situational awareness
affecting pilot.
Routine aircraft avionics
maintenance and testing
is required.
Yes
AI4 CDTI display failure. System hangs due to insufficient
memory to accommodate incoming
data. The failure is of sudden nature.
Reduced situational awareness
affecting pilot.
Restart system. Increase system
memory capacity.
Yes
AI5 Inadequate pilot knowledge/
experience about the system
functionalities, HMI, new
procedures (e.g. CDTI, ASAS).
Ineffective use of the ADS-B IN
application systems. The failure is
associated with human error.
Can lead to undesirable events. Provide comprehensive training
to flight crew.
Yes
AI6 ADS-B IN (receiving) antenna
malfunction.
Sudden loss of ADS-B data to ADS-B
IN application.
Reduced situational awareness. Routine aircraft avionics
maintenance and testing
is required.
Yes
AI7 Failure of ADS-B receiver on the
aircraft
Sudden loss of ADS-B data affecting
ADS-B IN application.
Reduced situational awareness. Provision of redundant ADS-B
receiver on-board.
Yes
1010 BUSYAIRAH SYD ALI AND OTHERS VOL. 67
at https://www.cambridge.org/core/terms. https://doi.org/10.1017/S037346331400037X
Downloaded from https://www.cambridge.org/core. IP address: 110.159.88.43, on 19 Jul 2017 at 05:10:28, subject to the Cambridge Core terms of use, available
Table 4. Human error.
ID Cause Characteristics Impact/Remark Mitigation
User
Detection
H1 Transponder on wrong mode
-Pilot
No data broadcast from aircraft.
The failure will remain until the pilot
notices or is informed by the ATC.
Loss of situational awareness.
Increase in workload due to
transitioning back to procedural
control and reassessment of traffic.
Provision of reminder on
aircraft navigation document/by
co-pilot.
No
H2 Altitude incorrect and not
checked
Different altitude displayed in the
cockpit and on the ATC screen
whenever the aircraft initially enters
either ADS-B or radar airspace.
The failure will remain until the pilot
notices or is informed by the ATC.
If separate pressure settings are
used for the ADS-B and SSR
transponders, the aircraft altitude
source depends on type of
surveillance being used.
Standardise aircraft avionics and
procedures.
No
H3 Wrong pressure adjust value
given by ATC
Pilot will key in wrong pressure adjust
on the altimeter before take-off. The
failure will remain until the aircraft
enters another transition altitude.
Loss of track of the actual aircraft
flight level. May lead to collision
either in the air or on the ground.
The error can be mitigated if the
pilot repeats the value to the
controller and with experience the
controller may realize the mistake.
No
H4 Error in altimeter setting
by pilot
Pilot keys in wrong pressure adjust
on the altimeter before take-off.
The failure will remain until the pilot
notices or is informed by the ATC.
Loss of track of the actual aircraft
flight level. May lead to collision
either in the air or on the ground.
Re-checking the altimeter setting
should be a practise for the cockpit
crew.
No
H5 Mishear the pressure adjust
value from ATC during
radio-communication
Pilot keys in wrong pressure adjust
on the altimeter before take-off. The
failure will remain until the aircraft
enters another transition altitude.
Loss of track of the actual aircraft
flight level. May lead to collision
either in the air or on the ground.
The error can be mitigated if
the pilot repeats the value to
the controller.
No
H6 Inadequate knowledge about
the ADS-B system
functionalities, HMI and new
procedures (Pilot and
Controllers)
Introduces a hazard to the operations.
The same failure may be repeated on
every flight until the knowledge is
upgraded via attending courses or on
job training. Hence the nature of the
failure will not increase or reduce
over time.
Increases the probability of loss
of separation.
Provision of training on the new
systems.
Yes
H7 Incorrect Callsign in FMS –
input by Pilot
Incorrect coupling with Flight Plan.
The failure will remain until notified
by ATC.
May lead to incorrect data
broadcast by ADS-B emitter.
Provision of reminder on aircraft
navigation document/by co-pilot.
Yes
1011ADS-B SYSTEM FAILURE MODES AND MODELSNO. 6
at https://www.cambridge.org/core/terms. https://doi.org/10.1017/S037346331400037X
Downloaded from https://www.cambridge.org/core. IP address: 110.159.88.43, on 19 Jul 2017 at 05:10:28, subject to the Cambridge Core terms of use, available
Table 4. (Cont.)
ID Cause Characteristics Impact/Remark Mitigation
User
Detection
H8 Incorrect Callsign in Flight
Plan-input by ATC
Label will be attached to the wrong
aircraft. The failure will remain until
notified by pilot.
Incorrect coupling will increase the
controller workload.
Counter check flight plan data
by controller.
Yes
H9 Coupling and decoupling
parameters
Coupling and decoupling occur
differently from radar and may
confuse controllers. The failure will
remain until the knowledge is
upgraded on the new system
graphical user interface (GUI).
There is a difference in coupling
requirements between ADS-B and
radar.
Training on ADS-B system
functionality and display features.
Yes
H10 Mixed operating environment-
ADS-B and Radar tracks
The system will introduce an
additional track (ADS-B) to the
current environment that will
introduce a risk that the controller
may inadvertently apply radar or
ADS-B separation standard to the
Flight Plan track. The failure will
remain until the knowledge is
upgraded on the new system
graphical user interface (GUI).
Potential for incorrect separation
standard applied to the Flight
Plan track.
ADS-B mandate and training on
ADS-B system functionality and
display features.
Yes
H11 Confusion affecting controller
due to different altitude
source display (barometric
and geometric levels)
Possibility of controllers confusing
barometric and geometric levels on
display. The failure will remain until
the knowledge is upgraded on the
new system graphical user interface
(GUI).
Geometric level is displayed if the
aircraft is at or below the transition
altitude AND either barometric
level is not or the aircraft is not in a
QNH defined area.
ADS-B mandate and training on
ADS-B system functionality and
display features.
Yes
H12 Track couples to wrong Flight
Plan
An aircraft’s ADS-B track may couple
to the wrong flight plan. The failure
will remain until noticed.
Could be a result of an aircraft
substitution that is not followed by
cancellation and re-issue of flight
plan.
Counter check flight plan data by
controller.
Yes
1012 BUSYAIRAH SYD ALI AND OTHERS VOL. 67
at https://www.cambridge.org/core/terms. https://doi.org/10.1017/S037346331400037X
Downloaded from https://www.cambridge.org/core. IP address: 110.159.88.43, on 19 Jul 2017 at 05:10:28, subject to the Cambridge Core terms of use, available
The mitigations are proposed based on the understanding of the ADS-B functional-
ities and architecture (obtained from literature, expert input and ADS-B data analysis,
collected from NATS UK ADS-B ground stations under the CRISTAL UK project
(NATS, 2011). The last column determines user capability to detect the failure
modes in terms of the observable manifestation of the failures. The failure
detectability is determined based on the failure characteristics in column two. The
degree of the detectability is also influenced by the failure type. This is explained
in detail in Section 4 for each failure type.
4. F A I L U R E M O D E L S . To assess the system integrity performance, the
failure modes are modelled mathematically. The first step in the modelling process
Table 5. Environmental effects.
ID Cause Characteristics Impact/Remark Mitigation User
E1 Deterioration of
ground outdoor
and aircraft
external equipment
Corrupted ADS-B data
transmitted to
controllers or other
ADS-B equipped
aircraft. The error may
propagate over a long
period.
Possible error in the
displayed data of the
aircraft could lead to
a loss of separation
or navigation
Routine
maintenance
and calibration
is required.
No
Table 6. Failure mode classification, groups and models.
Error Type Related Codes Failure Model
Step Error AOA14, AOA3, AOA16, AOA17,
AOA18, AOA19, AOA20, AOA23,
AOA12, AOA26, AOA28, AOA29,
AOG3, AOG4, AI3, AI4, AI5,AI6,
AI7, H1-H12
f(t) = A μ(t−t
0
)
where A is the magnitude of the fault, μ(t) is the
unit step function and t
0
is the onset time of the
failure.
Ramp
Error
AOA15, AOA22, AOA24, AOA25,
AOA27, AOA13,
f(t) = R(t −t
0
)μ(t −t
0
)
where R is the slope of the fault, μ(t) is the unit
step function and t
0
is the onset time of the failure.
Random
Noise
AOA5, AOA6, AOA10, AOG2,
AOG5, AOG6
f(t)=Akμ(t−t0)
where
Ak
N(0,Σk)k,t0
N(η(k,t0),Σk)k5t0
where N(mV) describes a Gaussian distribution
with mean m, ηis the mean value of the fault, V the
variance, μ(t) is the unit step function and t
0
is the
onset time of the failure.
Oscillation AOA2 AOA21 AOA7 AOA8 AOA9
AOA11 AOG1AOG2 AI2
f(t) = A sin(t−θ)μ(t −t
0
)
A is the magnitude of the fault, θis the phase
difference, μ(t) is the unit step function and t
0
is
the onset time of the failure.
Bias AOA1 AOA4 AI1 E1 f(t)= B μ(t −t
0
)
where B is the magnitude of the fault, μ(t) is the
unit step function and t
0
is the onset time of the
failure.
1013ADS-B SYSTEM FAILURE MODES AND MODELSNO. 6
at https://www.cambridge.org/core/terms. https://doi.org/10.1017/S037346331400037X
Downloaded from https://www.cambridge.org/core. IP address: 110.159.88.43, on 19 Jul 2017 at 05:10:28, subject to the Cambridge Core terms of use, available
is to analyse the error type based on the failure mode characteristics in the third
column of Tables 1 to 5. The second step is to group the failure modes based on the
error nature; the error groups are then mapped to their corresponding mathematical
function. Table 6 summarises the failure mode classification based on the error type
and corresponding failure model. The error type classification is adopted from Bhatti
and Ochieng (2007) on the classification of GPS and INS failure modes. This
classification approach is adopted for the work in this thesis, for two main reasons: the
characteristics of ADS-B system failure modes are found to be similar to the GPS
failure modes; and the GPS system feeds the ADS-B system with the aircraft
positioning information; and hence contributes to the ADS-B failures. Based on the
failure mode analysis, five types of errors were identified: step, ramp, random noise,
oscillation and bias. A description of each error type including nature of the
occurrence and possible causes are given in Figure 5.
5. D I S C U S S I O N . The main novelties in this paper are a comprehensive
failure mode register for ADS-B and an approach for ADS-B failure mode
identification. The failure mode register is a living document that can be populated
to assist system maintenance; docket logging and most importantly to support
Step Error
Ramp Error
Random Noise
Oscillation Error
Bias Error
This type of error includes an abrupt change
without notification, when there is a sudden
failure associated with an indicator, a sudden
jump in the signal, unavailability of the data link
connection and human errors.
This type of error is the most difficult to detect
when the slope is small (Bhatti and Ochieng,
2007). This category covers aging of equipment,
motion and low availability of signal. The error
increases with time.
This error is a random fluctuation in an electrical
signal. It may be caused by external interruptions
such as interference, multipath, signal jamming,
and system attitude instability.
In navigation equations, oscillatory behaviour
results from the modelling of the Earth’s
dynamics, reaction effect of initial conditions and
calibration errors (Bhatti and Ochieng, 2007).
The error propagates over a long period of time.
Bias is a small constant error, less than the
threshold. Therefore it cannot be detected unless
simultaneous multiple failures occur. Ageing of
equipment can contribute to this type of failure
(Bhatti and Ochieng, 2007).
Figure 5. ADS-B error types.
1014 BUSYAIRAH SYD ALI AND OTHERS VOL. 67
at https://www.cambridge.org/core/terms. https://doi.org/10.1017/S037346331400037X
Downloaded from https://www.cambridge.org/core. IP address: 110.159.88.43, on 19 Jul 2017 at 05:10:28, subject to the Cambridge Core terms of use, available
incident investigations. The approach includes various types of data sources including
literature, safety reports, subject matter expert input and ADS-B track analysis. In
addition, it also takes into account failure modes induced by the human element and
environmental factors.
Based on the findings in this paper, a safety advantage of ADS-B over the radar
system is that there is the potential for coverage in those areas that currently lack radar
coverage. This assumes that GNSS meets the required performance, as the ADS-B
relies on it. Failure to meet the requirements (e.g. due to satellite or ionospheric
induced failures) presents the problem of a single point of failure capable of affecting
ATC surveillance over a given region. Research is underway to address these types
of GNSS vulnerabilities to develop effective mitigation measures. Furthermore, it is
also important to note that the largest risk in GPS-based positioning is actually
GPS nominal performance (i.e. accuracy issues rather than integrity). The tail errors
of GPS pose a more serious problem for approach and surface operations than many
of the failure modes. In addition, the availability of several ADS-B ground stations
reduces the probability of failure of ground-based ADS-B systems to capture ADS-B
data from aircraft. On the other hand, a radar system failure in the regions that lack
coverage redundancy would cause a complete surveillance breakdown. This would
force controllers and flight crew to engage in procedural control for ATC operations
(ICAO, 2007;2006b) for all aircraft within the sector.
The findings indicate that some of the failure modes only affect one aircraft.
However, loss of ADS-B data from one aircraft will impact the reliability of airborne
applications such as ASAS, CDTI and various other future air navigation
applications, such as situational awareness, conflict detection, conflict resolution,
separation assistance or trajectory prediction. In the cases where the failure modes
are not detected, this may lead to safety risks. The degree of failure detectability
is dependent on the failure type. Ramp error is most difficult to detect when
the error slope is small. Most of the errors categorised under this error are found to be
undetectable by the users. Step error that includes human error is also difficult to
detect e.g. failures HI-H5 in Table 5. Mitigations proposed in Tables 1 to 5address
how these can be resolved according to the specific failure modes.
The ADS-B failure mode register is not limited to that developed in this study. It is
expandable based on daily ADS-B operational experiences by ANSPs or airline
operators. The mitigations proposed in this paper are not tested in real time
operations. It is solely developed based on the authors’understanding of the ADS-B
system functions, architecture and ATC system operations; and input from experts.
Therefore it should be tested by ANSPs and airline operators. The use of the register
also depends on the architecture of the surveillance system in the ANSP’s operational
environment. The register developed in this paper is based on the assumption that
ADS-B is operating as the sole surveillance system. Hence, some of the failure modes
may be complemented with the supplemental surveillance system where they exist.
6. C O N C L U S I O N . This paper has presented the potential failure modes of the
ADS-B system. The results include description of the failure mode occurrence causes,
failure characteristics and their impacts affecting ATC operations and aircraft
navigation. In addition, potential mitigation for each failure is proposed and the
capability of the users to detect the failures is also determined. Finally, the failure
1015
ADS-B SYSTEM FAILURE MODES AND MODELSNO. 6
at https://www.cambridge.org/core/terms. https://doi.org/10.1017/S037346331400037X
Downloaded from https://www.cambridge.org/core. IP address: 110.159.88.43, on 19 Jul 2017 at 05:10:28, subject to the Cambridge Core terms of use, available
modes are grouped into specific error types and the failure model for each group is
presented. The contribution in this paper is relevant for the safety assessment of the
ADS-B system implementation by the ANSPs and also airline operators. It is also
applicable for post implementation activities that include system maintenance, failure
troubleshooting and incident investigation due to the failure of the surveillance
system. The mathematical models for the failure mode classes are crucial for
developing techniques or mechanisms for failure detection, identification, exclusions
or even potentially correction. Future work will build on these models to develop
measures to mitigate failures that arise to improve ADS-B system availability.
It should be noted also that this paper has focused on the identification and impact
analysis of ADS-B specific failures. Future work will identify and analyse failure
modes that arise from the integration of the ADS-B system with other independent
systems such as safety nets, radar and multi-lateration.
REFERENCES
Ali, B. S., Majumdar, A., Ochieng, W. Y. and Schuster, W. (2013a). ADS-B: The Case for London Terminal
Manoeuvring Area (LTMA), in Tenth USA/Europe Air Traffic Management Research and Development
Seminar (ATM2013), Chicago, USA.
Ali, B. S., Schuster, W., Ochieng, W., Thiam, Kian Chiew and Majumdar, A. (2013b). Framework for
ADS-B Performance Assessment: the London TMA Case Study, Journal of the Institute of Navigation.
Ali, B. S., Schuster, W., Ochieng, W. Y. and Majumdar, A. (2013c). A Study of ADS-B Data Evaluation
and Related Problems, in 2013 International Technical Meeting, Institute of Navigation, San Diego,
Calfornia, USA.
Bhatti, U. I. and Ochieng, W. Y. (2007). Failure Modes and Models for Integrated GPS/INS Systems,
Journal of Navigation,60, 327–348.
Esler, D. (2007). ADS-B’s Impact on Business Aviation, Business and Commercial Aviation,101(5), 68–81.
EUROCONTROL (2008). Preliminary Safety Case for Enhanced Air Traffic Services in Non-Radar Area
using ADS-B Surveillance, European Organization for the Safety of Air Navigation, (1.1).
EUROCONTROL (2010). Preliminary Safety Case for Air Traffic Control Service in Radar Areas using
ADS-B Surveillance, [online], available: http://www.eurocontrol.int/sites/default/files/content/documents/
nm/surveillance/cascade/surveillance-preliminary-safety-case-enhanced-air-trafffic-services-non-radar-areas-
using-ads-b-surveillance-20101214.pdf
EUROCONTROL (2011a). Preliminary Safety Case for ADS-B in Airport Surface Surveillance (APT)
[online], available: http://www.eurocontrol.int/sites/default/files/publication/files/surveillance-cascade-pre-
liminary-safety-case-for-airports-surface-surveillance-applications-201111.pdf
EUROCONTROL (2011b). Surveillance Performance and Interoperability Implementing Rule (SPI-IR)
[online], available: http://eur-lex.europa.eu/legal-content/EN/ALL/;jsessionid=QcYRTxbZk87bQks5dZt-
Twvc5zSqF1gM1bvRN1CyQVpJ1tFFnrnfk!-2081994908?uri=CELEX:32011R1207
Eurocontrol Safety Regulation Commission (2011). Review of the Preliminary Safety Case for Air Traffic
Service in Radar Areas using Automatic Dependent Surveillance –Broadcast, SRC Position Paper
[online], available: http://www.eurocontrol.int/sites/default/files/article/content/documents/single-sky/src/
position-papers/src-pos-ads-b-rad-e1.0.pdf
Federal Aviation Administration (2011). ADS-B Implementation, [online], available: http://www.faa.gov/
nextgen/implementation/portfolio/trans_support_progs/adsb
Hammer, J., Calgaris, G. and Llobet, M. (2007). Safety Analysis Methodology for ADS-B Based
Surveillance Applications, 7th USA/Europe Air Traffic Management R&D Seminar.
ICAO (1998). Manual on Airspace Planning Methodology for the Determination of Separation Minima,
Doc-9689.
ICAO (2003a) Automatic Dependant Surveillance-Broadcast (ADS-B) Study and Implementation Task
Force, Brisbane Australia.
ICAO (2003b). Operational Use of ADS-B In Non-Radar Airspace Generic Design Safey Case, ICAO
Separation and Airspace Safety Panel (SASP), (SASP_WGWHL4_WP27A).
1016 BUSYAIRAH SYD ALI AND OTHERS VOL. 67
at https://www.cambridge.org/core/terms. https://doi.org/10.1017/S037346331400037X
Downloaded from https://www.cambridge.org/core. IP address: 110.159.88.43, on 19 Jul 2017 at 05:10:28, subject to the Cambridge Core terms of use, available
ICAO (2006a). Assessment of ADS-B to Support Air Traffic Services and Guidelines for Implementation,
Cir 311 AN/177.
ICAO (2006b). Procedures for air navigation services –aircraft operations (PAN-OPS), Doc 8168 OPS/611.
ICAO (2007). Air Traffic Management (ATM), Doc-4444.
NATS (2011) CRISTAL RAD HD, Issue 1, NATS UK.
Ochieng, W. and Sauer, K. (2003). GPS Integrity and Potential Impact on Aviation Safety, Journal of
Navigation,56,51–65.
Office of Inspector General (2011). FAA Oversight Is Key for Contractor-Owned Air Traffic Control
Systems That Are Not Certified, [online], available: http://www.oig.dot.gov/sites/dot/files/Final%
20Report%20NAS%20Cert_0.pdf
Rausand, M. and Høyland, A. (2004). System Reliability Theory: Models, Statistical Methods, and
Applications, 2nd ed., John Wiley & Sons.
RTCA (2002). Minimum Aviation System Performance Standards For Automatic Dependant Surveillance
Broadcast (ADS-B), (DO-242A).
RTCA (2011). Minimum Operational Performance Standards for 1090 MHz Extended Squitter Automatic
Dependent Surveillance –Broadcast (ADS-B) and Traffic Information Services –Broadcast (TIS-B),
DO-260B.
SKYbrary (2013). Automatic Dependent Surveillance Broadcast (ADS-B), Air Ground Communication
[online], available: http://www.skybrary.aero/index.php/Automatic_Dependent_Surveillance_Broadcast_
(ADS-B)
The Royal Academy of Engineering (2011) Global Navigation Space Systems: reliance and vulnerabilities,
ISBN 1-903496-62-4, London SW1Y 5DG: Royal Academy of Engineering.
Walala, M. (2008). A System Safety Study Using Analytical Tools and Techniques Evaluating the
Implementation of ADS-B Technology for Aircraft Ground Operations at Non-towered Airports,
unpublished thesis Embry Riddle Aeronautical University.
1017ADS-B SYSTEM FAILURE MODES AND MODELSNO. 6
at https://www.cambridge.org/core/terms. https://doi.org/10.1017/S037346331400037X
Downloaded from https://www.cambridge.org/core. IP address: 110.159.88.43, on 19 Jul 2017 at 05:10:28, subject to the Cambridge Core terms of use, available
