1 / 24

A Comparative Overview of the Protection Level Concept for Augmented GNSS and LORAN

A Comparative Overview of the Protection Level Concept for Augmented GNSS and LORAN. Sam Pullen Stanford University spullen@relgyro.stanford.edu. Stanford University GPS Laboratory Weekly Meeting 20 December 2002. Aviation Requirements Definitions.

lenka
Download Presentation

A Comparative Overview of the Protection Level Concept for Augmented GNSS and LORAN

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Comparative Overview of the Protection Level Concept for Augmented GNSS and LORAN Sam Pullen Stanford University spullen@relgyro.stanford.edu Stanford University GPS Laboratory Weekly Meeting 20 December 2002

  2. Aviation Requirements Definitions • ACCURACY: Measure of navigation output deviation from truth, usually expressed as 1s (68%) or 2s (95%) error limits. • INTEGRITY: Ability of a system to provide timely warnings when the system should not be used for navigation. INTEGRITY RISK is the probability of an undetected hazardous navigation system anomaly. • CONTINUITY: Likelihood that the navigation signal-in-space supports accuracy and integrity requirements for the duration of the intended operation. CONTINUITY RISK is the probability of a detected but unscheduled navigation interruption after initiation of approach. • AVAILABILITY: Fraction of time navigation system is usable (as determined by compliance with accuracy, integrity, and continuity requirements) before approach is initiated. Sam Pullen

  3. Summary of Aviation Requirements Phase of Accuracy Integrity Continuity Availability Flight (95% Pr(loss of Alert Pr(MI) Threshold Objective Time to Error) navigation) Limit Alert - 7 - 5 Oceanic H: 12.4 2 min H: 12.4 nmi 10 / hour 10 / hour 0.99 0.999 – Enroute nmi 0.99999 - 7 - 6 Domestic H: 2.0 nmi 1 min H: 2.0 nmi 10 / hour 10 / hour 0.99 0.99999 Enr oute - 7 - 6 Terminal H: 0.4 nmi 30 sec H: 1.0 nmi 10 / hour 10 / hour 0.99 0.99999 Area - 7 - 5 Non - prec. H: 220 m 10 sec H: 556 m 10 / hour 10 / hour 0.99 0.99999 Approach - 7 - 5 LNAV/ H: 220 m 10 sec H: 556 m 10 / hour 5 .5 × 10 / 0.99 0.99999 VNAV V: 50 m approach - 7 - 5 LPV (APV H: 16 m 10 sec H: 40 m 2 × 10 / 5 .5 × 10 / 0.99 0.99999 1.5) V: 20 m V: 50 m approach approach - 7 - 5 APV - 2 H: 16 m 6 sec H: 40 m 2 × 10 / 5 .5 × 10 / 0.99 0.99999 V: 7.6 m V: 20 m approach approach - 7 - 5 Cat. I Prec. H: 16 m 6 sec L: 40 m 2 × 10 / 5 .5 × 10 / 0.99 0.99999 ? ? Appch. V: 4 7.6 m V: 10 12 m approac h approach - 9 - 6 Cat. II Prec. H: 6.9 m 2 sec L: 17.3 m 2 × 10 / 4 × 10 / 15 0.99 0.99999 Appch. V: 2.0 m V: 5.3 m approach sec - 9 - 6 Cat. III H: 6.1 m 1 – 2 L: 15.5 m 2 × 10 / L: 2 × 10 / 0.99 0.99999 Precision V: 2.0 m s ec V: 5.3 m approach 30 sec - 6 Appch. V: 2 × 10 / 15 sec SPS/RAIM + INS WAAS LAAS (LAAS satisfies WAAS ops., within VDB coverage) Being reconsi-dered by RTCA Original Source: GPS Risk Assessment Study: Final Report. Johns Hopkins University Applied Physics Laboratory, VS-99-007, January 1999. http://www.jhuapl.edu/transportation/aviation/gps/ Sam Pullen

  4. Precision Approach Alert Limits Requirement: More Accuracy, Tighter Bounds Approach with Vertical Guidance (APV) CAT I CAT II Benefit: Lower DH CAT III 200ft DH 10m VAL 100ft DH 5.3m VAL 0~100ft DH 5.3m VAL LPV (APV 1.5) 350 ft DH 50 m VAL, 40 m HAL DH: decision height VAL:vertical alert limit HAL: horizontal alert limit Courtesy: FAA AND-730 Sam Pullen

  5. Protection Level Objectives • To establish integrity, augmented GNSS systems must provide means to validate in real time that integrity probabilities and alert limits are met • This cannot be done offline or solely within GNSS augmentation systems because: • Achievable error bounds vary with GNSS SV geometry • Ground-based systems cannot know which SV’s a given user is tracking • Protecting all possible sets of SV’s in user position calculations is numerically difficult • Protection level concept translates augmentation system integrity verification in range domain into user position bounds in position domain Sam Pullen

  6. Key Assumptions in Existing Protection Level Calculations • Distributions of range and position-domain errors are assumed to be Gaussian in the tails • “K-values” used to convert one-sigma errors to rare-event errors are computed from the standard Normal distribution • Under nominal conditions, error distributions have zero mean (for WAAS and LAAS) • Under faulted conditions, a known bias (due to failure of a single SV or RR) is added to a zero-mean distribution with the same sigma • Weighted-least-squares is used to translate range-domain errors into position domain • Broadcast sigmas are used in weighting matrix, but these are not the same as truly “nominal” sigmas Sam Pullen

  7. LAAS Protection Level Calculation (1) • Protection levels represent upper confidence limits on position error (out to desired integrity risk probability): • H0 case: • H1 case: • Ephemeris: Nominal range error variance (nominal conditions) Geom. conversion: range to vertical position (~ VDOP) Nominal UCL multiplier (for Gaussian dist.) Vert. pos. error std. dev. under H1 (single-reference-receiver fault) B-value conver-ted to Vertical position error H1 UCL multiplier (computed for Normal dist.) (single-satellite ephemeris fault) (S index “3” = vertical axis) Sam Pullen

  8. LAAS Protection Level Calculation (2) Impact of nominal errors, de-weighted by prior probability of fault Mean impact of fault on vertical position error • Fault-mode VPL equations (VPLH1 and VPLe) have the form: VPLfault= + • LAAS users compute VPLH0 (one equation), VPLH1 (one equation per SV), and VPLe (one equation per SV) in real-time • operation is aborted if maximum VPL over all equations exceeds VAL • absent a fault, VPLH0 is usually the largest • Fault modes that do not have VPL’s must: • be detected and excluded such that VPLH0 bounds • residual probability that VPLH0 does not bound must fall within the “H2” (“not covered”) LAAS integrity sub-allocation Sam Pullen

  9. Top-Level LAAS Signal-in-Space Fault Tree Loss of Integrity (LOI) 2  10-7 per approach (Cat. I PA) 1.5  10-7 2.5  10-8 2.5  10-8 Single LGF receiver failure (bounded by PLH1) Nominal conditions (bounded by PLH0) All other conditions (H2) 1.4  10-7 1  10-8 Allocations to be chosen by LGF manufacturer (not in MASPS or LGF Spec.) All other failures (not bounded by any PL) Single-SV failures 2.3  10-8 1.17  10-7 Ephemeris failures (bounded by PLe) Other single-SV failures (not bounded by any PL) Sam Pullen

  10. WAAS Protection Level Calculation User Supplied Courtesy: Todd Walter, SU WAAS Lab Message Types 2-6, 24 Message Types 10 & 28 User Supplied MOPS Definition MOPS Definition MOPS Definition Message Type 26 This “VPLH0” is the only protection level defined for WAAS. Errors not bounded by it must be excluded within time to alert, or s must be increased until this VPL is a valid bound. Sam Pullen

  11. Top-Level WAAS Signal-in-Space Fault Tree Hardware faults (not covered by PL) 1e-8 • 90% of total 10-7 integrity risk req’t. falls within domain of “H0” (actually “H_all”) protection level calculation • Remaining 10% allocated to WAAS hardware faults not covered by PL • UDRE and GIVE set based on the maximum of bounding sigmas for nominal and faulted conditions (after SP monitoring) • Fault cases not represented in tree must have negligible probability Based on maximum of nominal and faulted conditions Courtesy: Todd Walter, SU WAAS Lab Sam Pullen

  12. LORAN Horizontal Protection Level • Provide user with a guarantee on position • Horizontal Protection Level > Horizontal Position Error • ai is the standard deviation of the normal distribution that overbounds the randomly distributed errors • bi an overbound for the correlated bias terms • gi an overbound for the uncorrelated bias terms => Biases are to be treated as part of the nominal error distribution Courtesy: Sherman Lo, SU LORAN Project Sam Pullen

  13. LORAN Integrity Fault Tree Phase Error Cycle Error Courtesy: Sherman Lo, SU LORAN Project Sam Pullen

  14. Threshold and MDE Definitions 0 10 Thresh. -2 10 -4 10 Nominal Faulted Probability Density -6 PMD 10 PFFA -8 10 MDE -10 10 -6 -4 -2 0 2 4 6 8 10 12 14 16 KFFA KMD Test Statistic Response (no. of sigmas) Failures causing test statistic to exceed Minimum Detectable Error (MDE) are mitigated such that both integrity and continuity requirements are met. Sam Pullen

  15. MDE Relationship to Range Domain Errors • MDE in test domain corresponds to a given PRE in user range domain depending on differential impact of failure source • If resulting PRE  MERR (required range error bound), system meets requirement with margin • If not, MDE must be lowered (better test) or MERR increased (higher sigmas  loss of availability) Courtesy: R. Eric Phelts, SU GPS Lab Sam Pullen

  16. Reasons for Sigma Inflation • We cannot prove that the tails of LAAS/WAAS error distributions are Gaussian • Theoretical error analyses suggest Gaussian (noise, diffuse multipath) or truncated (specular multipath) distributions, but analysis alone cannot be relied upon to validate a 10-7 or lower probability. • Some degree of “mixing” is unavoidable in practice • Error distribution mean, sigma, and correlation estimates have statistical noise due to limited number of independent samples. • Inflating sigma inputs to PL is a convenient way to account for integrity monitor limitations when no PL is defined for a particular fault case. Sam Pullen

  17. Theoretical Impact of Sampling “Mixtures” on Tails of Gaussian Distributions Normalize by actual sigmas Normalize by theoretical sigma Normalize by imperfect sigmas Sam Pullen

  18. Error Estimates from LAAS Test Prototype (9.5 – 10.5 degree SV elevation angle bin) 70+ days of data: June 1999 – June 2000 200 seconds between samples Significant tail inflation observed Source: John Warburton, FAA Technical Center (ACT-360) Sam Pullen

  19. Error Estimates from LAAS Test Prototype (29.5 – 30.5 degree SV elevation angle bin) 70+ days of data: June 1999 – June 2000 200 seconds between samples Tail inflation is less pronounced, most likely due to reduced multipath variation within this bin (i.e., less “mixing”) Source: John Warburton, FAA Technical Center (ACT-360) Sam Pullen

  20. Potential for Excessive Conservatism • Each error/anomaly source that contributes to sigmas in PL calculations has some degree of magnitude and/or distribution uncertainty • Traditional approach of “upper bounding” each uncertainty element may lead to excessive conservatism in the final sigma once conservative sigmas for each error source are convolved • Avoiding this by creating less conservative bounds on each sigma element means giving up on the idea of protection levels “proving” system safety • Clear trade-off exists between degree of conservatism/“provability” and system availability, which has its own safety impact Sam Pullen

  21. Solution: “Keep Two Sets of Books” Detailed Study and Probability Modeling Uncertain Parameters TEP(primary due to engineer and DM acceptance) PRA/DA (backup – less detailed) DA Utility Modeling Uncertainty Bounding Probabilistic Risk Assessment Deterministic Assessment / Sensitivity Studies Decision Tree Resolution  Optimal Action Optimal Action (risk avoidance within tech./cost/schedule constraints) Compare and Contrast (Add detail and re-compare) Alert DM if Significant Discrepancy Sam Pullen

  22. WAAS Vertical Performance at Queens, NY WRS Site For Phase 1 WAAS, GIVE (Grid Ionosphere Vertical Error) is the dominant contributor to VPL. Note that VPL’s imply much larger errors than are actually observed – significant sigma inflation is evident. Sam Pullen

  23. Impact of Sigma Inflation on Category I LAAS Availability 1 200 0.995 180 0.99 160 0.985 140 0.98 120 0.975 100 0.97 80 0.965 60 0.96 40 0.955 20 0.95 1 1.2 1.4 1.6 1.8 2 2.2 2.4 2.6 0 Category I PA Availability Simulation: 10 user locations (6 US, 4 Europe), 5o mask angle Cycle through all 22-of-24 GPS SV Outage Cases (276) Maximum Service Outage Service Availability Worst location Worst location Best location C3/B Mean B3/B Mean Worst location B3/B Best location Mean Maximum Service Outage (min) Availability Best location C3/B 1 1.2 1.4 1.6 1.8 2 2.2 2.4 2.6 Normalized s Inflation Factor (1 = AD curve value) Normalized s Inflation Factor (1 = AD curve value) Sam Pullen

  24. Summary • Protection Levels provide the means for users to translate range-domain integrity assurance from WAAS/LAAS/etc. into real-time safety assessments • Protection Levels are defined to bound errors due to nominal conditions and specific failure modes • Failure modes not covered by specific PL’s must be overbounded by nominal PL or assigned a separate P(HMI) allocation within system level fault tree • Broadcast sigma inputs to PL’s are a key design parameter and will be conservative in practice • Protection levels are very useful but should not be misconstrued as an inherent safety guarantee • PL’s are highly dependent on assumptions on inputs • Try to avoid excessive conservatism in pursuit of a “provable” overbound Sam Pullen

More Related