|
Development of a Secure GPS Flight Recorder for Gliding
David M. Ellis
Cambridge Aero Instruments
The Big Idea
Gliding is one more human activity which has already changed significantly with the advent of GPS navigation technology. By 1995 this was obvious to most glider pilots.
It is sometimes hard to remember that 5 years earlier we could only imagine the possibilities.
As instrument designers in 1990 we imagined glider pilots flying with navigational information such as position, and distance and bearing to the goal. We also got excited about providing the same information to our existing flight computers, thereby making them much more accurate.
But what about flight recording? As long as we were measuring the glider's location, why not keep a position log for post-flight analysis? That would be interesting, and maybe even useful. Everyone from beginners to competition pilots could evaluate their cross-country flying skills. Flights of two gliders on the same task could be compared. Flight logs would contain much more information than we get from barographs and cameras. In fact, flight logs could even score contests and validate badge and record flights!
Thus developed the Big Idea of 1990: "In-flight position recording with post-flight display and analysis will change the way achievement is measured in our sport." Cambridge Aero Instruments committed itself to the Big Idea. All we had to do was solve the technical problems and get these radical ideas approved by the rule-makers.
Early History
At the OSTIV conference in Uvalde, Texas in 1991, this author presented a paper suggesting the possibility of competition scoring using GPS-based evidence. Attending this conference were two delegates of the International Gliding Commission (IGC), the worldwide rule-making body for gliders and motorgliders. Bernald Smith from the USA, and John Roake from New Zealand expressed enthusiasm for the concept and encouraged further development.
In March of 1991 the IGC decided to hold the 1995 World Gliding Championships in New Zealand. The competition site on New Zealand's South Island has unique weather that makes for fabulous gliding. Lee waves from the Southern Alps enable cross country glider racing above 15,000 ft. Rules for this competition stated that the pilot must fly to within half a kilometer of a turnpoint to claim it. A conventional turnpoint photograph taken from an altitude of over 15,000 feet with a normal lens would be very hard to interpret to the required level of accuracy. We felt that GPS flight recording would be an ideal way to improve competition scoring under these conditions, and we decided to seek approval to score that contest. We also imagined that success at this competition would speed up FAI rule changes allowing GPS evidence for badge and record flights.
By February, 1992, we had tested a system using off-the-shelf GPS and computer hardware at a regional competition in New Zealand. It provided excellent recordings which encouraged both Cambridge and the competition organizers. The IGC formed a GPS sub-committee chaired by Bernald Smith. This committee suggested further trials at the pre-world competition in June, 1992 in Sweden. Three prototype systems were used to record 15 competition flights at Sweglide. These early flight logs showed, for the first time, differences in technique that distinguish winning pilots from the also-rans. During the rain days and short Swedish nights we hammered out the design of a commercial product.
Decisions, Decisions
Our goals were to improve flight validation for gliding competitions, simplify badge and record flight validation, optimize GPS navigation for cross country gliding, and improve glider pilot training. The product had to fit in existing gliders, be fully developed and tested for the pre-worlds in December, 1994, and be cost effective. To meet these goals we made several critical decisions during the summer of 1992.
Secure Flight Recording
It is more difficult to prevent cheating in badge and record flights than in competitions. "De-centralized" competition by individual pilots is also popular in Europe. This has security issues similar to badge flying. We could see no technical obstacles to validating FAI Badge and record attempts using evidence from GPS flight logs.
So, in parallel with our efforts to score competitions, we developed a security system which would allow flight validation for badges and records.
What exactly are the "security" problems? The two big ones are:
- An unscrupulous pilot disconnects the GPS receiver and inserts a phony sequence of fixes into the flight recorder (the "language" the receiver speaks is in the public domain).
- After the flight log is extracted from the recorder, it can be edited.
These are real problems which can be solved in two ways:
- The Official Observer is held responsible for placing a mechanical seal on the wires between the GPS receiver and the flight recorder, and is also required to be present at landing to take possession of the flight recorder and extract the flight log personally.
- The GPS receiver and flight recorder are placed in one box. The manufacturer can incorporate hardware and software features to effect an "electronic seal," and can provide verification programs which cannot be fooled by edited data.
The first scheme has been used in some competitions, where "officials" are plentiful. However, it adds responsibility to these officials, and the whole idea is to make life easier for pilots, contest organizers, and Official Observers. We chose the second scheme.
Barograph Function, Engine Run Detection, and Flight Declarations
Historically, pressure altitude barographs are used in badge and record flight claims. GPS altitude has excellent long-term stability and poor short term stability while pressure altitude has good short term stability but is subject to variations in barometric pressure and to sensor drift with time and temperature. The two measurements are complementary. We added a pressure sensor to the flight recorder since it raised cost less than 5 percent while completely replacing a separate barograph.
Most new gliders have engines available as an option. We sought a universal engine run sensor. External wires and engine detectors invite cheating, so we chose to measure ambient noise level with a calibrated microphone. This added less than 1 percent to production cost, so we decided to accept the high development and testing cost because we could see future perceived value.
Under FAI rules, certain badge and record flights must be declared before takeoff. Today this is done by writing the declaration on a sheet of paper, having the official observer sign it, and photographing the paper. But we were trying to do away with the turnpoint camera, so we decided to let pilots create and declare tasks in the flight log.
Because security is built into the basic instrument and software, putting barograph, engine run, and flight declarations in the flight log would also guarantee security of this important information. We felt this would simplify flight validation. It could also technically eliminate Official Observer functions before a badge or record flight. So we incorporated all these features in the standard product.
Navigation Point Database
Because flight logs would be viewed with a personal computer (PC), we decided to use the PC to manage a comprehensive, specialized gliding database. The PC organizes and stores data from multiple sites with up to 250 points per site. Points for only one site are transferred to the GPS Recorder. This allowed us to display much more data about each point than would otherwise be possible. By limiting the number of navigation points we could continuously update distance and bearing for all points in that site. This let us design a very simple, intuitive user interface for in-flight navigation.
Flight Log Memory
Contests can be scored with GPS data logged every 10 seconds. Badge and Record flights can be validated with 20 second logging intervals. But our early flight logs showed clearly that thermalling style and ridge flying technique are hidden with intervals greater than 4 seconds. We wanted each logged point to include lots of data, so short intervals implied up to 128 Kbytes of memory. We debated doubling that to 256 Kbytes. This much RAM is small for a PC but huge for a glider instrument! The larger memory was chosen because the impact on selling price was estimated at less than $50. In hindsight that was a very wise choice.
Physical Packaging
Racing gliders are not designed to accommodate a GPS navigation system. They have cramped cockpits with very little space for electronic equipment. Instrument panels are tiny and fully occupied. This situation led us to a GPS recorder design with two components; a miniature LCD Navigation screen shown in Figure 1, and a GPS receiver and self-powered recorder unit the size of a conventional Barograph shown in Figure 2. The GPS-NAV Model 10 Flight Recorder has an internal battery with capacity for 8 hours of operation as well as a connection to the gliders battery for extra reliability. A critical design goal was to make the flight recorder easy to take out of the glider. This way the secure flight log could be transferred to the PC at the competition scoring office or at the pilots home.
Figure 1. The GPS-NAV LCD Display Unit
Figure 2. The GPS-NAV Model 10 Flight Recorder
The Bid
A solicitation to provide GPS Recorders for the World Championships in New Zealand was sent to potential vendors in July, 1993. Ten proposals were received. Cambridge was selected because we promised further trials at our expense and inexpensive rentals to the national teams. We would actually be responsible for scoring a World Championships! A trial involving ten recorders at a regional New Zealand competition was completed successfully in November, 1993. The New Zealand pre-world Competition (Kiwiglide) was successfully scored using 31 recorders in January, 1994.
We knew we could score contests, so we moved on to challenge of badge and record flight validation.
Through three years of exhaustive testing and competition trials we continued to learn the great potential for GPS navigation and recording in gliding. Fortunately, modern instruments depend on software for much of their functionality. Thus we were able to revise and upgrade the product without changing the hardware design. Todays commercial product has features we didnt even dream of in 1992.
The Finished Product
The official name of the product is the "GPS Navigator and Secure Flight Recorder," or GPS-NAV for short. It actually consists of three components: Navigation Display, Flight Recorder, and Database management program for the PC, but we thought the name was long enough without mentioning the PC program.
Navigation Functions
The display is separate from the flight recorder. It fits into a 57mm (small) instrument hole, and its purpose is to provide navigation information to the pilot. It is connected to the flight recorder via a thin cable. Its microprocessor contains most of the language seen on the LCD screen, so we now offer displays configured for German, French, or Italian. A second display can be installed in two-cockpit gliders.
The left and right keys on the display are used to select different screens, on which may be found the usual GPS information: next waypoint, previous waypoint, nearest airport, point marking, satellite information, etc. In addition, there are functions specific to gliding: multiple task definitions, declarations, thermal marking, nearest landable field, and the wind (found by measuring the drift while circling).
The up and down keys are used to scroll through lists of waypoints and to edit data on the screen. The GO key always brings you back to the "home" screen shown in Figure 1. The various screens are arranged in logical order, for quick familiarization. Only 3-5 screens are needed for basic operation. Clear labeling and consistent control actions make it easy to teach basic navigation functions to a pilot new to the system.
Flight Recorder Functions
The flight recorder contains the GPS receiver and the memory. It may be used with or without a display. It starts recording automatically at the onset of motion. The normal logging interval is every four seconds, and the data recorded include: date, time, position coordinates, position uncertainty, GPS altitude, altitude uncertainty, pressure altitude, and noise level.
After flying, the pilot brings the recorder to the PC, leaving the panel-mounted display in the glider. The flight log is transferred to the PC for evaluation. The security system allows this to be done by the pilot outside the presence of the Official Observer.
Transferred along with the flight log is a digital "signature," unique to that particular flight log. A PC program checks the correspondence of the log with the signature. If the flight log is altered, it will no longer correspond with the signature, and the security check will fail. It is not feasible to edit the flight log and the signature to fool the security check. If the box is opened, it will "forget" how to generate a valid signature, and must be returned to the factory for re-sealing. Flight logs that do not pass the security check are still available for evaluation and display by the computer.
PC Software functions
The flight recorder comes with a complete set of DOS-based database and flight evaluation programs. Precise turnpoint location, elevation of landable fields, and special information about field conditions are part of a custom designed database. Each point is assigned attributes which govern the behavior of the Navigation Display. The list of attributes includes: Turnpoint, Landable Field, Airport, Start Point, Finish Point, Home Point, Restricted Airspace Point, and User-defined Point. Pilot and glider information is kept in a separate PC database. This includes pilot preferences for units of measure such as statute or nautical miles.
A complete set of graphics programs displays overall, or detailed zoom views of the flight in plan and elevation views. A typical detail view is shown in Figure 3.
Figure 3. Copy of PC screen showing glider navigation around a turnpoint
Detailed information about each position fix, including graphical representation of fix accuracy can be shown. In this case the flight path is from the middle left side around the turnpoint. The information at the top of the figure is for the last displayed point at the lower left. The radius of each fix circle illustrates the uncertainty in position for that fix.
Another program shows an animated "playback" of multiple gliders flying the same task. Plan and elevation views are available. This is very helpful in analysis of competition strategy. We expect it will also be useful in glider pilot training at all levels.
Later History
In December, 1995 we arrived in Omarama, New Zealand for the World Gliding Championships. All competitors were required to carry the Cambridge GPS system. Photographic procedures were in place as a back-up in the event of GPS failure. Of the 91 gliders in the competition, only 20 had flight recorders pre-installed. Cambridge staff installed an average of three systems per day during December, 1994 and early January, 1995. Volunteers evaluated all 899 competition flights using a networked system of four IBM PC's. Competition scores for the day were available within 20 minutes of the last pilot's landing. There was one apparent failure which required a barograph trace to be used. Several pilots protested the GPS evidence and requested film development. However, when photos and GPS flight logs were compared, GPS evidence was found to be much more objective. Therefore, all flight validation was done using Cambridge GPS flight logs.
At its March, 1995 Annual Meeting in France, the IGC approved new rules permitting GPS evidence to be used for badge and record flights. The rules took effect on October 1, 1995. A committee was also established to evaluate manufacturers' GPS flight recorder designs. Procedures for use of each design will be provided by that committee. The Cambridge GPS-NAV was submitted for approval September, 1995 and approved in January, 1996. At the same meeting, a standard format for flight data files was approved. This standard was developed over a two year period by a group of gliding instrument manufacturers and independent software consultants with the guidance of the IGC GPS sub-committee. The data standard permits flight files made with one vendor's equipment to be evaluated with another vendor's PC program.
Several IGC delegates and officials contributed to the quick adoption of the major new rules changes. John Roake played a pivotal role with his enthusiastic support of this new technology. Bernald Smith possessed the long range vision and political savvy to keep the regulatory process moving forward. Ian Strachan took on the task of re-writing Section 3 of the FAI Sporting Code with the support of IGC rules committee chairman Tor Johannessen and IGC chairman Peter Ryder.
In April, 1995, Cambridge began shipping the GPS-NAV Models 20 and 25 shown in Figure 4. These units use a new, smaller GPS receiver and surface mount electronic technology. They have the same features as the Model 10, but cost less. Because they have no internal battery, size has been reduced to that of a 35 mm camera, making them easy to mount .
 
Figure 4. GPS-NAV Models 20 and 25
The Future
The Big Idea of 1990 is now a reality. Contest scoring by GPS is here to stay. As a result of the successes in New Zealand, the decision was made to score the 1997 World Gliding Championships in St. Auban, France with IGC-approved GPS flight recorders. Although they could have returned to photograph/barographic procedures, the organizers have decided that GPS flight evaluation is a real improvement over the earlier system.
SSA competition rules have been changed to permit GPS evaluation of turnpoints. National competitions are required to have both photo and GPS evaluation systems in place for the 1996 competition season.
Major European competitions are also moving toward GPS for flight verification. An example of this is the 1996 European Championships to be held this summer in Finland. In this competition, which attracts 100 top pilots, IGC-approved GPS flight recorders are mandatory for flight validation.
With new IGC rules, pilots flying with approved GPS Recorders will have a much easier time submitting badge and record claims. Hopefully this will lead to an increase in such claims. Other branches of sport aviation as governed by the FAI are also expected to start utilizing GPS flight recordings as evidence of aviation achievement.
Back to Top
OBSERVATION ZONES FOR GPS-BASED GLIDER FLIGHT VALIDATION
Submitted to various IGC Delegates in January, 1997.
Their responses were neutral to negative.
I believe they do not yet understand the revolution.D. Ellis
December, 1997
ABSTRACT
The history of soaring flight validation and the origins of the present FAI Sector Observation Zone are reviewed. The requirement to fly through the FAI Sector complicates GPS-based navigation. It is assumed that the achievement is flying the declared distance, not the execution of an artificially imposed maneuver at the turn point. A simple, circular Observation Zone is highly compatible with GPS navigation. It is proposed that the FAI Sporting code be amended to allow use of a circular Observation Zone for badge and record flights validated by GPS flight logs.
INTRODUCTION
Soaring flight has always been challenging. Where there is challenge there is also a natural human desire to respond to that challenge. And so, in gliding we have competitions, badges and records. With a defined challenge, the pilot must prove successful achievement. Altitude has, since World War II, been recorded by mechanical barographs. The original way to prove that a glider went to a distant point was to station an official observer at that point.
Flight distances increased with the development of more efficient gliders. As understanding of weather patterns improved, competition tasks could be directed in the area of best expected weather. Also, the turn points assigned or declared could be changed only minutes before takeoff. These factors made it impractical to station observers at distant turn points.
Photography solved most of these problems. Examination of a sequence of pictures could validate the flight. Over the years, a set of rules for use of cameras and barographs has been developed. The FAI Sporting Code Section 3 contains these rules. One rule defines how a photograph must be take in order to assure that the pilot actually flew further than the distance defined by the turn point locations. Specifically, the photograph must be taken in such a way that the distance flown is known to be greater than the perimeter of the polygon defined by straight lines connecting the turn points.
Position and time data recorded from the Global Position System (GPS) permits detailed examination of an entire glider flight. The IGC has defined standards for both data security and format. GPS evidence is now approved by the FAI for badge and record flights. As usual, this new technology presents new problems and choices. IGC approved GPS Flight Recorders are expensive but they have the potential of reducing both pilot and Official Observer workload, and of making badge and record flying more enjoyable.
The sporting code has been extended to include GPS evidence. Unfortunately the rules have also become more complicated. The intent of this proposal is to simplify the rules in a way that takes full advantage of GPS evidence.
ACHIEVEMENT IN SOARING FLIGHT
There are four fundamental types of achievement in gliding: flight duration, altitude gained or reached, distance flown, and speed around a fixed course. We shall discuss only the third type. Historically, the glider pilot declares the course in advance of the flight, attempts the task, and presents evidence of success following the flight. A course consists of flight around a sequence of geographical points. Historically, the points were required to be photographically obvious. This rule has been relaxed with the advent of GPS recording. Points can now be defined by coordinates alone. This means GPS turn points over featureless sand or water are allowed.
The declared distance is defined as the sum of straight line distances between the declared course points. The pilot is required to fly a distance greater than or equal to that declared. Thus, at the turn points, the pilot must fly outside the polygon defined by the lines between turn points. Showing that a photograph was taken from outside the polygon required careful definition of "outside", and this led to the "FAI Sector Observation Zone".
THE SECTOR OBSERVATION ZONE -- DEFINITION
The FAI Sporting Code (SC3-1.71),defines the Sector Observation Zone as follows:
"The Observation Zone for turn points for gliders is the airspace above a quadrant (90° sector) on the ground with its apex at the turn point and orientated symmetrically to and remote from the two legs meeting at the turn point."
Section SC3-1.6.3 of the Sporting Code also defines the event of reaching a turn point. "A turn point is reached when the entire aircraft is proved to have entered a designated sector outside the angle made by the adjacent legs of the course. The designated sector is the Observation Zone."
A turn point photograph can be compared to known geographic features of the point. The photo interpreter can thus determine if the photograph was taken from within the Sector Observation Zone.
THE CIRCULAR OBSERVATION ZONE -- DEFINITION
The circular Observation Zone is just a circle of pre-determined radius around the turn point. One GPS logged position fix within the circle signifies that the pilot has "reached" the turn point.
GPS NAVIGATION TO A TURN POINT
GPS Navigation simplifies cross country glider flight. Turn point coordinates are stored in the GPS receiver. Distance and bearing to a turn point are continuously available to the pilot. Navigation is simple; fly towards the GPS-defined point. This is done by matching the bearing to point with the glider's track and watching the distance count down to zero. Progress towards the turn point can be seen at a glance on a well designed GPS Navigation display. Compared with reading a map in a small cockpit, GPS navigation leaves more time for safe and enjoyable flying.
GPS POSITION ACCURACY
A Personal Computer (PC) screen showing a glider flying within 50 metres of a turn point suggests absolute GPS position errors of less than 50 metres. This is not so. The pilot navigates to a point defined within the GPS receiver. The distance display reads zero when there is a match between the GPS-defined glider position and the receiver-defined turn point position. If the computer used for flight validation uses the same latitude and longitude for the turn point, then the flight log will pass directly over the turn point. However this does not mean the glider actually flew directly over the physical turn point.
GPS receivers are remarkably accurate, but they are not perfect. GPS errors have many origins. Some position error is deliberately introduced for military security reasons. The basic accuracy of a civilian (C/A code) GPS receiver with Selective Availability (SA) is 100 metres. Additionally, position accuracy is diluted by satellite geometry and atmospheric refraction. Some GPS receivers compute a position error estimate for each computed position. Cambridge Aero Instruments has a database of over 1500 flight logs collected under a variety of circumstances with 3 generations of GAMIN GPS receivers. For good antenna placement, we find typical estimated errors for straight flight are 60 metres. For circling flight, typical error estimates are 120 metres. Poor antenna placement can double these errors.
Thus, a total position error estimate assuming a well placed GPS antenna and circling flight is about 100 metres + 120 metres = 220 metres. The choice of satellites used used by the GPS receiver depends on antenna placement. Each satellites has a different SA clock offset and thus creates a different SA position errors. This means two gliders at a GPS-defined turn point could be physically separated by as much as 440 metres. A typical value might be 100 metres. It is thus clear that correspondence between GPS and physical position is less perfect than suggested by alignment of a GPS-computed position with a GPS receiver's internally stored turn point coordinates.
PROBLEMS WITH GPS NAVIGATION TO THE FAI SECTOR
Flying correctly around the turn point through the FAI sector is more difficult than simply flying to the turn point itself. At a speed of 100 kph with a logging interval of 10 seconds, the glider must fly around the turn point at a distance of at least 0.1 km to record one perfect GPS log data point in the FAI sector. However, GPS position can jump around during the circling maneuver at the turnpoint. This can easily add another 0.1 km of position uncertainty, so a safe distance would be 0.2 km. An optimum maneuver is to fly directly towards the turn point down to distance of 0.5 km, and then execute a left or right turn while keeping the distance from the turn point greater than 0.2 km.
This maneuver is not too difficult in zero wind, but it is very tricky with a 30 kph headwind. The reason is that when wind strength is a significant fraction of glider airspeed, the relationship between track and heading is non-linear. Without reference to the ground, one executes a maneuver based on heading rather than track. So it is quite easy to fall short of the FAI sector.
It is much easier in a headwind or crosswind situation to continue flying on a straight course towards the turn point. The circular Observation Zone permits this. The real point is that the FAI Sector maneuver is unnecessary since the pilot has essentially "reached" the turn point without the maneuver.
VISUAL NAVIGATION TO A TURN POINT VALIDATED BY A GPS FLIGHT LOG
A simple, low cost GPS Flight Recorder might have no navigation capability. The pilot navigates visually. Because of SA and satellite constellation geometry, position errors can be up to 0.2 km. In this case the pilot must navigate > 0.3 km beyond the turn point into the FAI sector to guarantee a valid GPS flight log.
The situation does not improve if the pilot flies with one GPS receiver for navigation and a separate GPS receiver for flight recording. This is because the two receivers may use different satellite constellations. One pilot in the 1996 European Competition in Finland fell from 6th to 10th place on the last competition day. The flight trace in the navigation computer showed the turn point was achieved while the "blind" flight recorder showed the flight path missing the turn point.
EXPERIENCE AT INTERNATIONAL COMPETITIONS
Competitions are not bound to use the Sector Observation Zone as defined in the Sporting Code. Competitions in the USA, Australia, and New Zealand have long used a "Turn Point -- Photo Target" system. The pilot flies to a designated turn point (Typically a circle of 0.5 km radius) and photographs a target at a distance of typically 1 km from the turn point. Leg distances are measured between turn points.
The KiwiGlide pre-world competition in January, 1994 used the 0.5 km circular Observation Zone centered on the turn point for GPS validation. This was a natural extension of pre-existing photographic procedures used in New Zealand. Since both photography and GPS flight logs were used during this contest, turn point validation rules did not favor either technology.
Remarkably few turn point penalties were given and pilots were very positive about GPS validation. The decision was made to use the same 0.5 km radius circular Observation Zone in the 1995 World Gliding Championships. Again, this resulted in happy pilots with very few turn point penalties. Based in part on these results, 1996 European Competition in Finland decided to use the same Observation Zones. During practice days for this contest, team coaches voted to modify the shape slightly. The "Thistle" Observation was an attempt to make the rules fair for both photographic and GPS validation. GPS validation was used for 99% of flights in this competition, so the utility of the "Thistle" extension to the circular Observation Zone has not been proven.
The Lavender Glide pre-world competition in St. Auban in June, 1996 reverted to FAI sectors for both starts and turn points. In addition, competition organizers discouraged use of GPS navigation coupled with Flight Recording. The result was not satisfactory for many reasons. It is believed that the organizers have decided to use the "Thistle" Observation Zone for the 1997 World Gliding Championships.
If World class competition pilots find circular turn point Observation Zones easier to use than traditional FAI sectors, why not extend this opportunity to less experienced pilots attempting their first 300 km flight?
DISTANCE MEASUREMENT BY THE PERIMETER METHOD
Flights of 50, 300, 500, 1000, and 2000 km are part of the requirements for various FAI badges. If the sum of distances between turn points is exactly 300 km, for example, then the pilot could fly slightly less than 300 km and be given credit towards the badge when a circular Observation Zone is used. For an out-and-return flight using 0.5 km radius Observation Zones for start, turn point, and finish, the pilot could fly only 298 km and still get the badge leg.
GPS flight validation is done with a general purpose computer (PC). The computer can calculate leg distances to the perimeter rather than the center of the circular Observation Zone. This means both the pilot and the GPS flight analyst charged with validating the flight can use perimeter leg distances. PC Software is available which computes both distances. For a typical 300 km badge flight with two turn points, the difference between center and perimeter distances is 1.7 km.
THE OPTIMUM RADIUS OF THE CIRCULAR OBSERVATION ZONE
Either fixed or variable radius Circular Observation Zones can be considered for a new Sporting Code rule. Accuracy of distance flown implies a small radius, while GPS accuracy considerations suggest a larger radius. For distances achieved in gliding and GPS position accuracies, a fixed 0.5 km radius is a simple compromise.
The Silver Badge requires a flight of 50 km. 1 km is 2% of the distance, so a goal point more than 51 km from the start point can be chosen when simplistic GPS flight validation is used. There is no actual flight distance penalty when perimeter distance flight validation is used. For flight of 300 km and above, a turn point Observation Zone radius of 0.5 km implies less than 1% modification in actual distance flown.
Worst case GPS position accuracies of 0.2 km coupled with the need to be within the circle for a few seconds implies a minimum radius of 0.3 km when visual navigation is used. Extending this to 0.5 km for an additional margin seems prudent.
PROPOSED WORDING FOR A FAI RULE AMENDMENT
The wording in the Sporting Code is not easily amended to include the circular Observation Zone. The problem even extends to wording in the General Section of the Code (SC1). The section of the Code dealing with Distance Measurement (2.1.13) probably needs fundamental revision in light of GPS technology and Personal Computers. The following is an attempt to amend the code with minimum structural impact.
1.6.3 Reaching the Turn Point:
A turn point is reached when the entire aircraft is proved to have entered the Observation Zone for that turn point.
1.7.1 Observation Zone for Turn Points.
1.7.1.1 Observation Zone for Photographic Validation
The Photographic Observation Zone for turn points for gliders is the airspace above a quadrant (90° sector) on the ground with its apex at the turn point and orientated symmetrically to and remote from the two legs meeting at the turn point.
1.7.1.2 Observation Zone for GPS Flight Log Validation
The Observation Zone for turn point validation using GPS Flight Logs is a circle of 0.5 km radius having its center at the turn point.
2.2.12 Calculations for Distance and Speed.
For calculation of distances, the distance flown is deemed to be the length of the arc of the great circle joining the departure point and the finish point or, if there are turn points, the sum of the great circle arcs for each leg of the course. Distance and speed performances are to be determined using distance calculations performed using one of the following methods.
2.2.12.1 Great circle distances. --
2.2.12.2 Geographical co-ordinates of points. --
2.2.12.2.1 Map scales. --
2.2.12.2.2 Records. --
2.2.13 Exact Distance Calculations for FAI Purposes. --
2.2.13.1 Exact Distance Calculations for GPS Flight Log Validation
When the circular Observation Zone is used for validating a flight using GPS evidence, the distance between points shall be calculated in the following manner:
a. Connect the sequence of points with lines passing through the points.
b. At each point, construct a radial line bisecting the incoming and outgoing course lines
c. Connect the sequence of points with lines joined at the intersection of the circle and the bisecting radial line.
d. The distance between two points is the length of the line defined in c. above.
[End of Document]
Back to Top
THE CAMBRIDGE GPS-NAV SECURITY SYSTEM
This information was sent to the GFAC committee of the IGC in November 1997. It is the Cambridge response to their request for more information about techniques used by each manufacturer to guarantee authenticity of Flight Log files.
Dear GFAC,
You requested more information about the Cambridge GPS-NAV security system. I am pleased to respond to your request. There are two aspects of a GNSS Flight Recorder system that invite cheating:
1. A GPS receiver transmits position and time data to the Flight Recorder in the public standard NMEA-0183 format. A GNSS Flight Recorder stores this information (the flight log) for later transfer to a PC. It is very easy to create NMEA-0183 data in a PC and send it to the Flight Recorder memory. In this way, a pilot could easily "Stretch" or otherwise alter a flight log within the GNSS Flight Recorder. When the Flight Recorder is presented to an Official Observer, the altered flight log would be transmitted in the normal way to a PC, and the attempt to cheat would be undetectable. The only known way to prevent this is to deny the potential cheater access to the wires carrying NMEA-0183 data.
2. Examination of a .IGC flight log reveals a standardized but very boring text file. Any text processor could easily be used to modify this file. In the absence of security measures the modifications would be undetectable.
We cannot prevent the alteration of data either before it enters the Flight Recorder memory, or when it is in a PC file. The best we can do is to detect when alteration has occurred. The Cambridge GPS-NAV system employs specific techniques to detect each class of data alteration.
1. Electronic FR sealing prevents access to NMEA-0183 GPS data
Alteration of GPS-NAV memory contents can be detected if access to the wires carrying NMEA-0183 data can be detected. This is done by putting both GPS receiver and data memory in one enclosure, and by electronically sealing the enclosure. Here is the technique used by Cambridge to electronically seal our Secure Flight Recorders:
Static RAM (SRAM) memory loses data when power is removed. A lithium back-up battery powers the SRAM when the equipment is turned off. Voltage to one of two SRAM chips in the recorder is routed through a micro-switch that grounds the chip when the case is opened. Grounding the SRAM chip causes loss of stored information.
The SRAM contains a "Seal" word that is different for each Flight Recorder. At power-on, the recorder firmware generates the "Seal" word and compares it to the "Seal" word stored in SRAM. If the recorder has been opened the two "Seal" words will not match. This is noted on the GPS-NAV display and is made part of the flight log.
"Secret1" is used to seal a GPS-NAV Secure Flight Recorder by creating the SRAM "Seal" word. "Secret1" is kept at the Cambridge factory. Three Cambridge employees know how to use "Secret1". Only two individuals know how to generate "Secret1". A Cambridge Agent can call the factory for instructions on sealing a given flight recorder. Here is how the process works.
Using a PC, the Cambridge agent displays a 12-digit number generated by the Flight Recorder. The number will be different each time it is requested. The agent sends the Flight Recorder serial number and the 12-digit number to the Cambridge factory. Using "Secret1", the factory sends the agent another 12-digit number that the agent types into the PC and sends to the Flight Recorder. This 12-digit number cannot seal that recorder again, and it cannot be used to seal another recorder. A fax is often used to send the 12-digit numbers. The fax paper need not be destroyed since it will be useless in any future attempt to seal a recorder.
2. Flight Log signature detects attempts to alter the PC data file.
Flight Log data is not encrypted in either .CAI or .IGC format. Upon request Cambridge will furnish .CAI file formatting to co-developers and other interested parties.
Flight log files in .CAI format include a Signature. The Signature is a digest of the flight log. It is constructed so that any alteration of the flight log also changes the Signature. Cambridge PC software compares the Signature included with the flight log to the Signature generated within the PC software. If the two Signatures match, the flight log is authentic. In other words, the flight log has not been altered since the original Signature was created within the GPS-NAV Secure Flight Recorder.
Cambridge "Secret2" is used to construct the Signature. Without such a secret, anyone could create the correct Signature for an altered document. Cambridge "Secret2" exists in the GPS-NAV Secure Flight Recorder. "Secret2" is different for each GPS-NAV serial number.
Part of "Secret2" is contained within the production release of the Cambridge PC software. This partial secret is used to check the signature of Cambridge Secure Flight Logs. Cambridge has not released the complete "Secret2". It is theoretically possible to discover the partial secret by reverse engineering (de-compiling) the PC software. However, Cambridge designed both the Signature generating algorithm and the PC program to make this as difficult as possible. If both the flight log and the Signature are altered in such a way that the flight log passes the production software signature test, the full signature test can be applied. If this is suspected, the NAC or FAI can send the flight log to Cambridge for a signature test using the full "Secret2". Only three individuals know the algorithm for "Secret2".
There is a third way to cheat with a GNSS Flight Recorder. It is possible to simulate the actual GNSS satellite constellation and send radio frequency signals into the GNSS Flight Recorder antenna. We consider this cheating technique to be prohibitively expensive and cumbersome. The Cambridge GPS-NAV does not detect this cheating technique. It is important to view security issues in relative rather than absolute terms. Our goal has always been to provide a system of flight evidence that was at least as secure and much more convenient than the existing camera/barograph system. We have tried to make cheating difficult. We assume that a cheater will follow the path of least resistance. If we have done our job well, that path should lead him away from the Flight Recorder system towards the camera/barograph system.
I hope this brief document adequately explains the security principles used in the Cambridge GPS-NAV Secure Flight Recording System.
Back to top
|
® CAMBRIDGE Aero Instruments 
