A Comparative Overview of the Protection Level Concept for Augmented GNSS and LORAN
Stanford University GPS Laboratory Weekly Meeting
20 December 2002
Sam Pullen
Stanford University
spullen@relgyro.stanford.edu
Aviation Requirements Definitions
• ACCURACY: Measure of navigation output deviation from truth, usually expressed as 1σ (68%) or 2σ (95%) error limits.
• INTEGRITY: Ability of a system to provide timely warnings when the system should not be used for navigation. INTEGRITY RISK is the probability of an undetected hazardous navigation system anomaly.
• CONTINUITY: Likelihood that the navigation signal-in-space supports accuracy and integrity requirements for the duration of the intended operation. CONTINUITY RISK is the probability of a detected but unscheduled navigation interruption after initiation of approach.
• AVAILABILITY: Fraction of time navigation system is usable (as determined by compliance with accuracy, integrity, and continuity requirements) before approach is initiated.
Summary of Aviation Requirements
Original Source: GPS Risk Assessment Study: Final Report. Johns Hopkins University Applied Physics Laboratory, VS-99-007, January 1999. http://www.jhuapl.edu/transportation/aviation/gps/
| Phase of Flight | Accuracy (95% Error) | Integrity: Time to Alert | Integrity: Alert Limit | Integrity: Pr(MI) | Continuity: Pr(loss of navigation) | Availability: Threshold | Availability: Objective |
|---|---|---|---|---|---|---|---|
| Oceanic Enroute | H: 12.4 nmi | 2 min | H: 12.4 nmi | 10^-7 / hour | 10^-5 / hour | 0.99 | 0.999 – 0.99999 |
| Domestic Enroute | H: 2.0 nmi | 1 min | H: 2.0 nmi | 10^-7 / hour | 10^-6 / hour | 0.99 | 0.99999 |
| Terminal Area | H: 0.4 nmi | 30 sec | H: 1.0 nmi | 10^-7 / hour | 10^-6 / hour | 0.99 | 0.99999 |
| Non-prec. Approach | H: 220 m | 10 sec | H: 556 m | 10^-7 / hour | 10^-5 / hour | 0.99 | 0.99999 |
| LNAV/VNAV | H: 220 m | 10 sec | H: 556 m, V: 50 m | 10^-7 / hour | 5.5 × 10^-5 / approach | 0.99 | 0.99999 |
| LPV (APV 1.5) | H: 16 m, V: 20 m | 10 sec | H: 40 m, V: 50 m | 2 × 10^-7 / approach | 5.5 × 10^-5 / approach | 0.99 | 0.99999 |
| APV-2 | H: 16 m, V: 7.6 m | 6 sec | H: 40 m, V: 20 m | 2 × 10^-7 / approach | 5.5 × 10^-5 / approach | 0.99 | 0.99999 |
| Cat. I Prec. Appch. | H: 16 m, V: 4 7.6 m | 6 sec | L: 40 m, V: 1012 m | 2 × 10^-7 / approach | 5.5 × 10^-5 / approach | 0.99 | 0.99999 |
| Cat. II Prec. Appch. | H: 6.9 m, V: 2.0 m | 2 sec | L: 17.3 m, V: 5.3 m | 2 × 10^-9 / approach | 4 × 10^-6 / 15 sec | 0.99 | 0.99999 |
| Cat. III Precision Appch. | H: 6.1 m, V: 2.0 m | 1 – 2 sec | L: 15.5 m, V: 5.3 m | 2 × 10^-9 / approach | L: 2 × 10^-6 / 30 sec, V: 2 × 10^-6 / 15 sec | 0.99 | 0.99999 |

Annotations on the table: Being reconsidered by RTCA. System coverage labels: SPS/RAIM + INS; WAAS; LAAS (LAAS satisfies WAAS ops., within VDB coverage).
Precision Approach Alert Limits
[Figure: approach types and their alert limits. Courtesy: FAA AND-730]
• Approach with Vertical Guidance (APV): LPV (APV 1.5), 350 ft DH, 50 m VAL, 40 m HAL
• CAT I: 200 ft DH, 10 m VAL
• CAT II: 100 ft DH, 5.3 m VAL
• CAT III: 0~100 ft DH, 5.3 m VAL
DH: decision height; VAL: vertical alert limit; HAL: horizontal alert limit
Requirement: More Accuracy, Tighter Bounds
Benefit: Lower DH
Protection Level Objectives
• To establish integrity, augmented GNSS systems must provide means to validate in real time that integrity probabilities and alert limits are met
• This cannot be done offline or solely within GNSS augmentation systems because:
– Achievable error bounds vary with GNSS SV geometry
– Ground-based systems cannot know which SV’s a given user is tracking
– Protecting all possible sets of SV’s in user position calculations is numerically difficult
• Protection level concept translates augmentation system integrity verification in range domain into user position bounds in position domain
Key Assumptions in Existing Protection Level Calculations
• Distributions of range and position-domain errors are assumed to be Gaussian in the tails
– “K-values” used to convert one-sigma errors to rare-event errors are computed from the standard Normal distribution
• Under nominal conditions, error distributions have zero mean (for WAAS and LAAS)
• Under faulted conditions, a known bias (due to failure of a single SV or RR) is added to a zero-mean distribution with the same sigma
• Weighted-least-squares is used to translate range-domain errors into position domain
– Broadcast sigmas are used in weighting matrix, but these are not the same as truly “nominal” sigmas
LAAS Protection Level Calculation (1)
• Protection levels represent upper confidence limits on position error (out to desired integrity risk probability):
– H0 case (nominal conditions):
$$VPL_{H0} = K_{ffmd} \sqrt{\sum_{i=1}^{N} s_{vert,i}^{2}\, \sigma_{i}^{2}}$$
  – $\sigma_i^2$: nominal range error variance
  – $s_{vert,i}$: geom. conversion, range to vertical position (~ VDOP)
  – $K_{ffmd}$: nominal UCL multiplier (for Gaussian dist.)
– H1 case (single-reference-receiver fault):
$$VPL_{j} = |B_{j,vert}| + K_{md}\, \sigma_{vert,H1}$$
  – $B_{j,vert}$: B-value converted to vertical position error
  – $K_{md}$: H1 UCL multiplier (computed for Normal dist.)
  – $\sigma_{vert,H1}$: vert. pos. error std. dev. under H1
  – $j$: SV index
– Ephemeris (single-satellite ephemeris fault):
$$VPL_{e,j} = |S_{3,j}|\, \frac{MDE_{e}}{R_{j}}\, x + K_{md_e} \sqrt{\sum_{k=1}^{N} S_{3,k}^{2}\, \sigma_{k}^{2}}$$
  – $S_{3,j}$, $S_{3,k}$: from weighted p-inverse of user geometry matrix (S index “3” = vertical axis)
  – $\sigma_k^2$: differential ranging error variance
  – $K_{md_e}$: missed-detection multiplier
  – $x$: LGF-user baseline vector
  – $j$: SV index
LAAS Protection Level Calculation (2)
• Fault-mode VPL equations (VPLH1 and VPLe) have the form:
VPLfault = (mean impact of fault on vertical position error) + (impact of nominal errors, de-weighted by prior probability of fault)
• LAAS users compute VPLH0 (one equation), VPLH1 (one equation per SV), and VPLe (one equation per SV) in real-time
– operation is aborted if maximum VPL over all equations exceeds VAL
– absent a fault, VPLH0 is usually the largest
• Fault modes that do not have VPL’s must:
– be detected and excluded such that VPLH0 bounds
– residual probability that VPLH0 does not bound must fall within the “H2” (“not covered”) LAAS integrity sub-allocation
Top-Level LAAS Signal-in-Space Fault Tree
[Figure: fault tree, reproduced as a nested list]
• Loss of Integrity (LOI): 2 × 10^-7 per approach (Cat. I PA)
  – Nominal conditions (bounded by PLH0): 2.5 × 10^-8
  – Single LGF receiver failure (bounded by PLH1): 2.5 × 10^-8
  – All other conditions (H2): 1.5 × 10^-7
    – Single-SV failures: 1.4 × 10^-7
      – Ephemeris failures (bounded by PLe): 2.3 × 10^-8
      – Other single-SV failures (not bounded by any PL): 1.17 × 10^-7
    – All other failures (not bounded by any PL): 1 × 10^-8
Allocations to be chosen by LGF manufacturer (not in MASPS or LGF Spec.)
WAAS Protection Level Calculation
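$$VPL_{WAAS} = K_{V,PA} \sqrt{d_{3,3}}$$
$$d = \left(G^{T} W G\right)^{-1}$$
$$W^{-1} = \begin{pmatrix} \sigma_1^2 & 0 & \cdots & 0 \\ 0 & \sigma_2^2 & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & \sigma_n^2 \end{pmatrix}$$
$$\sigma_i^2 = \sigma_{i,flt}^2 + \sigma_{i,UIRE}^2 + \sigma_{i,air}^2 + \sigma_{i,tropo}^2$$
$$\sigma_{i,tropo}^2 = \left(0.12\, m(E_i)\right)^2, \qquad m(E_i) = \frac{1.001}{\sqrt{0.002001 + \sin^2(E_i)}}$$
$$\sigma_{flt} = \sigma_{UDRE} \cdot \delta UDRE + \varepsilon_{fc} + \varepsilon_{rrc} + \varepsilon_{ltc} + \varepsilon_{er}$$
$$\sigma_{UIRE}^2 = F_{pp}^2\, \sigma_{UIVE}^2$$
$$\sigma_{UIVE}^2 = \sum_{n=1}^{4} W_n(x_{pp}, y_{pp})\, \sigma_{n,ionogrid}^2$$
$$F_{pp} = \left[1 - \left(\frac{R_e \cos E}{R_e + h_I}\right)^2\right]^{-1/2}$$
$$\sigma_{ionogrid} = \sigma_{GIVE} + \varepsilon_{iono}$$
Input sources labelled on the slide: Message Types 2-6, 24; Message Types 10 & 28; Message Type 26; MOPS Definition (three terms); User Supplied (two terms).
This “VPLH0” is the only protection level defined for WAAS. Errors not bounded by it must be excluded within time to alert, or must be increased until this VPL is a valid bound.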
Courtesy: Todd Walter, SU WAAS Lab
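The LAAS H0 form (K times the root of the sum of s_vert,i² σ_i²) and the WAAS form (K times the root of d_3,3) are the same weighted-least-squares bound when W = diag(1/σ_i²). The sketch below is an added example, not code from the slides: the satellite geometry, the elevation-dependent sigma model and the 10^-7 two-sided risk used to derive K are constructed assumptions, and only the 10 m Cat. I VAL is taken from the slides.

```python
from math import sin, cos, radians, sqrt, exp
from statistics import NormalDist

def k_value(p_two_sided):
    """K multiplier: standard-Normal quantile leaving p_two_sided in both tails."""
    return -NormalDist().inv_cdf(p_two_sided / 2.0)

def inverse(a):
    """Gauss-Jordan inverse with partial pivoting (small dense matrices)."""
    n = len(a)
    m = [row[:] + [float(i == j) for j in range(n)] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        piv = m[c][c]
        m[c] = [v / piv for v in m[c]]
        for r in range(n):
            if r != c:
                f = m[r][c]
                m[r] = [vr - f * vc for vr, vc in zip(m[r], m[c])]
    return [row[n:] for row in m]

def vpl_h0(sats, sigmas, k):
    """Return (VPL, d33) for satellites given as (elevation, azimuth) in degrees."""
    g = [[-cos(radians(e)) * sin(radians(a)), -cos(radians(e)) * cos(radians(a)),
          -sin(radians(e)), 1.0] for e, a in sats]       # east, north, up, clock
    w = [1.0 / s ** 2 for s in sigmas]                    # W = diag(1/sigma_i^2)
    n = len(sats)
    gtwg = [[sum(g[i][r] * w[i] * g[i][c] for i in range(n)) for c in range(4)]
            for r in range(4)]
    d = inverse(gtwg)                                     # d = (G^T W G)^-1
    # Vertical row (index 3 on the slides) of S = d G^T W, the weighted p-inverse
    s_vert = [sum(d[2][c] * g[i][c] for c in range(4)) * w[i] for i in range(n)]
    var_vert = sum(s ** 2 * sg ** 2 for s, sg in zip(s_vert, sigmas))
    return k * sqrt(var_vert), d[2][2]

# Constructed inputs: geometry, sigma model and risk allocation are illustrative.
SATS = [(75, 10), (50, 80), (35, 150), (25, 230), (15, 300), (60, 200)]
SIGMAS = [0.3 + 0.6 * exp(-el / 15.0) for el, _ in SATS]  # metres, assumed model
K = k_value(1e-7)
VAL = 10.0                                                # Cat. I VAL from the slides (m)

def approach_allowed(inflation=1.0):
    """Apply a sigma inflation factor and compare the resulting VPL with VAL."""
    vpl, _ = vpl_h0(SATS, [inflation * s for s in SIGMAS], K)
    return vpl <= VAL, vpl
```

Because VPL scales linearly with the broadcast sigmas, calling `approach_allowed` with increasing inflation factors shows directly how sigma inflation turns into lost availability.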
Top-Level WAAS Signal-in-Space Fault Tree
Courtesy: Todd Walter, SU WAAS Lab
• 90% of total 10^-7 integrity risk req’t. falls within domain of “H0” (actually “H_all”) protection level calculation
– Remaining 10% allocated to WAAS hardware faults not covered by PL
– UDRE and GIVE set based on the maximum of bounding sigmas for nominal and faulted conditions (after SP monitoring)
• Fault cases not represented in tree must have negligible probability
[Figure: fault tree. Recoverable labels: Hardware faults (not covered by PL), 1e-8; Based on maximum of nominal and faulted conditions]
LORAN Horizontal Protection Level
• Provide user with a guarantee on position
– Horizontal Protection Level > Horizontal Position Error
• i is the standard deviation of the normal distribution
that overbounds the randomly distributed errors
• i an overbound for the correlated bias terms
• i an overbound for the uncorrelated bias terms
i i i i i ii i i
HPL K K K
=> Biases are to be treated as part of the nominal error distribution
Courtesy: Sherman Lo, SU LORAN Project
LORAN Integrity Fault Tree
[Figure: fault tree, reproduced as a nested list]
• Probability (HPE > HPL) > 10^-7/hour
  – All Cycles Correct (Phase Error)
    – All Unbiased & Independent Range Errors: Transmitter, Propagation, Interference at Receiver
    – All Completely Correlated Range Errors: Transmitter, Propagation, Interference at Receiver
    – All Potentially Uncorrelated or Biased Errors: Transmitter, Propagation, Interference at Receiver
  – At least 1 Cycle Incorrect (Cycle Error)
    – One Cycle Incorrect
    – Two or More Cycles Incorrect
Courtesy: Sherman Lo, SU LORAN Project
Threshold and MDE Definitions
[Figure: Probability Density (log scale) versus Test Statistic Response (no. of sigmas) for the Nominal and Faulted distributions. Marked on the plot: Thresh., MDE, PFFA, PMD, KFFA, KMD.]
Failures causing test statistic to exceed Minimum Detectable Error (MDE) are mitigated such that both integrity and continuity requirements are met.
MDE Relationship to Range Domain Errors
[Figure: MONITOR DOMAIN MEASUREMENTS mapped to USER RANGE DOMAIN MEASUREMENTS. Monitor-domain labels: T min at k ffd, MDE at (k ffd + k md), L mon, PRE mon, Monitor Performance Margin. User-range-domain labels: PRE air, MERR, User PRE Performance Margin.]
$$MERR = 5.33 \sqrt{\sigma_{UDRE}^{2} + F_{PP}^{2}\, \sigma_{UIVE}^{2}}$$
Courtesy: R. Eric Phelts, SU GPS Lab
• MDE in test domain corresponds to a given PRE in user range domain depending on differential impact of failure source
• If resulting PRE ≤ MERR (required range error bound), system meets requirement with margin
• If not, MDE must be lowered (better test) or MERR increased (higher sigmas → loss of availability)
Reasons for Sigma Inflation
• We cannot prove that the tails of LAAS/WAAS error distributions are Gaussian
– Theoretical error analyses suggest Gaussian (noise, diffuse multipath) or truncated (specular multipath) distributions, but analysis alone cannot be relied upon to validate a 10^-7 or lower probability.
– Some degree of “mixing” is unavoidable in practice
• Error distribution mean, sigma, and correlation estimates have statistical noise due to limited number of independent samples.
• Inflating sigma inputs to PL is a convenient way to account for integrity monitor limitations when no PL is defined for a particular fault case.
Theoretical Impact of Sampling “Mixtures” on Tails of Gaussian Distributions
[Figure panels: Normalize by theoretical sigma; Normalize by actual sigmas; Normalize by imperfect sigmas]
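The effect of “mixing” on Gaussian tails can be checked numerically. The sketch below is an added example, not taken from the slides: it pools two zero-mean Gaussian populations (weights and sigmas are constructed values), normalizes by the pooled sigma, and computes both the true risk at the Gaussian K point and the sigma inflation factor needed to restore the intended tail probability.

```python
from math import erfc, sqrt
from statistics import NormalDist

def tail(x, sigma=1.0):
    """Two-sided P(|e| > x) for a zero-mean Gaussian with std. dev. sigma."""
    return erfc(x / (sigma * sqrt(2.0)))

def k_value(p_two_sided):
    """K multiplier computed from the standard Normal distribution."""
    return -NormalDist().inv_cdf(p_two_sided / 2.0)

def mixture_sigma(components):
    """Std. dev. of a zero-mean mixture given as [(weight, sigma), ...]."""
    return sqrt(sum(w * s ** 2 for w, s in components))

def mixture_tail(x, components):
    """Two-sided exceedance probability of the mixture at |e| > x."""
    return sum(w * tail(x, s) for w, s in components)

def actual_risk_at_k(components, p_target):
    """True exceedance probability at K * (pooled sigma), where a Gaussian
    assumption would predict exactly p_target."""
    return mixture_tail(k_value(p_target) * mixture_sigma(components), components)

def inflation_needed(components, p_target):
    """Factor f so that K * f * (pooled sigma) is exceeded with probability
    p_target by the mixture. Found by bisection on the bound x."""
    lo, hi = 0.0, 100.0 * max(s for _, s in components)
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if mixture_tail(mid, components) > p_target:
            lo = mid
        else:
            hi = mid
    return hi / (k_value(p_target) * mixture_sigma(components))

# Constructed example: 90% of samples with sigma 0.8 m, 10% with sigma 2.0 m,
# e.g. differing multipath conditions pooled into one elevation bin.
MIX = [(0.9, 0.8), (0.1, 2.0)]
P_TARGET = 1e-7
RISK = actual_risk_at_k(MIX, P_TARGET)       # orders of magnitude above 1e-7
INFLATION = inflation_needed(MIX, P_TARGET)  # > 1: pooled sigma must be inflated
```

A single Gaussian population gives an inflation factor of exactly 1, so any value above 1 is attributable to the mixing alone.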
Error Estimates from LAAS Test Prototype (9.5 – 10.5 degree SV elevation angle bin)
70+ days of data: June 1999 – June 2000; 200 seconds between samples
Significant tail inflation observed
Source: John Warburton, FAA Technical Center (ACT-360)
Error Estimates from LAAS Test Prototype (29.5 – 30.5 degree SV elevation angle bin)
70+ days of data: June 1999 – June 2000; 200 seconds between samples
Tail inflation is less pronounced, most likely due to reduced multipath variation within this bin (i.e., less “mixing”)
Source: John Warburton, FAA Technical Center (ACT-360)
Potential for Excessive Conservatism
• Each error/anomaly source that contributes to sigmas in PL calculations has some degree of magnitude and/or distribution uncertainty
• Traditional approach of “upper bounding” each uncertainty element may lead to excessive conservatism in the final sigma once conservative sigmas for each error source are convolved
• Avoiding this by creating less conservative bounds on each sigma element means giving up on the idea of protection levels “proving” system safety
• Clear trade-off exists between degree of conservatism/“provability” and system availability, which has its own safety impact
Solution: “Keep Two Sets of Books”
[Figure: flowchart. Recoverable box labels:]
• Uncertain Parameters
• Detailed Study and Probability Modeling
• Uncertainty Bounding
• Probabilistic Risk Assessment
• Deterministic Assessment / Sensitivity Studies
• DA Utility Modeling
• Decision Tree Resolution
• Optimal Action
• Optimal Action (risk avoidance within tech./cost/schedule constraints)
• TEP (primary due to engineer and DM acceptance)
• PRA/DA (backup – less detailed)
• Compare and Contrast
• Alert DM if Significant Discrepancy (Add detail and re-compare)
WAAS Vertical Performance at Queens, NY WRS Site
Note that VPL’s imply much larger errors than are actually observed – significant sigma inflation is evident.
For Phase 1 WAAS, GIVE (Grid Ionosphere Vertical Error) is the dominant contributor to VPL.
Impact of Sigma Inflation on Category I LAAS Availability
Category I PA Availability Simulation: 10 user locations (6 US, 4 Europe), 5° mask angle
Cycle through all 22-of-24 GPS SV Outage Cases (276)
[Figure, two panels, each plotted against Normalized Inflation Factor (1 = AD curve value) with curves for Best location, Worst location and Mean, and markers B3/B and C3/B: Service Availability; Maximum Service Outage (min)]
Summary
• Protection Levels provide the means for users to translate range-domain integrity assurance from WAAS/LAAS/etc. into real-time safety assessments
• Protection Levels are defined to bound errors due to nominal conditions and specific failure modes
– Failure modes not covered by specific PL’s must be overbounded by nominal PL or assigned a separate P(HMI) allocation within system level fault tree
• Broadcast sigma inputs to PL’s are a key design parameter and will be conservative in practice
• Protection levels are very useful but should not be misconstrued as an inherent safety guarantee
– PL’s are highly dependent on assumptions on inputs
– Try to avoid excessive conservatism in pursuit of a “provable” overbound