A Comparative Overview of the Protection Level Concept for Augmented GNSS and LORAN Stanford University GPS Laboratory Weekly Meeting 20 December 2002 Sam Pullen Stanford University [email protected]

A Comparative Overview of the Protection Level Concept for Augmented GNSS and LORAN

Stanford University GPS Laboratory Weekly Meeting

20 December 2002

Sam Pullen

Stanford University [email protected]


Aviation Requirements Definitions

• ACCURACY: Measure of navigation output deviation from truth, usually expressed as 1σ (68%) or 2σ (95%) error limits.

• INTEGRITY: Ability of a system to provide timely warnings when the system should not be used for navigation. INTEGRITY RISK is the probability of an undetected hazardous navigation system anomaly.

• CONTINUITY: Likelihood that the navigation signal-in-space supports accuracy and integrity requirements for the duration of the intended operation. CONTINUITY RISK is the probability of a detected but unscheduled navigation interruption after initiation of approach.

• AVAILABILITY: Fraction of time navigation system is usable (as determined by compliance with accuracy, integrity, and continuity requirements) before approach is initiated.


Summary of Aviation Requirements

Original Source: GPS Risk Assessment Study: Final Report. Johns Hopkins University Applied Physics Laboratory, VS-99-007, January 1999. http://www.jhuapl.edu/transportation/aviation/gps/

| Phase of Flight | Accuracy (95% Error) | Integrity: Time to Alert | Integrity: Alert Limit | Integrity: Pr(MI) | Continuity: Pr(loss of navigation) | Availability: Threshold | Availability: Objective |
|---|---|---|---|---|---|---|---|
| Oceanic Enroute | H: 12.4 nmi | 2 min | H: 12.4 nmi | 10^-7 / hour | 10^-5 / hour | 0.99 | 0.999 – 0.99999 |
| Domestic Enroute | H: 2.0 nmi | 1 min | H: 2.0 nmi | 10^-7 / hour | 10^-6 / hour | 0.99 | 0.99999 |
| Terminal Area | H: 0.4 nmi | 30 sec | H: 1.0 nmi | 10^-7 / hour | 10^-6 / hour | 0.99 | 0.99999 |
| Non-prec. Approach | H: 220 m | 10 sec | H: 556 m | 10^-7 / hour | 10^-5 / hour | 0.99 | 0.99999 |
| LNAV/VNAV | H: 220 m | 10 sec | H: 556 m, V: 50 m | 10^-7 / hour | 5.5 × 10^-5 / approach | 0.99 | 0.99999 |
| LPV (APV 1.5) | H: 16 m, V: 20 m | 10 sec | H: 40 m, V: 50 m | 2 × 10^-7 / approach | 5.5 × 10^-5 / approach | 0.99 | 0.99999 |
| APV-2 | H: 16 m, V: 7.6 m | 6 sec | H: 40 m, V: 20 m | 2 × 10^-7 / approach | 5.5 × 10^-5 / approach | 0.99 | 0.99999 |
| Cat. I Prec. Appch. | H: 16 m, V: 4 – 7.6 m | 6 sec | L: 40 m, V: 10 – 12 m | 2 × 10^-7 / approach | 5.5 × 10^-5 / approach | 0.99 | 0.99999 |
| Cat. II Prec. Appch. | H: 6.9 m, V: 2.0 m | 2 sec | L: 17.3 m, V: 5.3 m | 2 × 10^-9 / approach | 4 × 10^-6 / 15 sec | 0.99 | 0.99999 |
| Cat. III Precision Appch. | H: 6.1 m, V: 2.0 m | 1 – 2 sec | L: 15.5 m, V: 5.3 m | 2 × 10^-9 / approach | L: 2 × 10^-6 / 30 sec, V: 2 × 10^-6 / 15 sec | 0.99 | 0.99999 |

Annotations on the slide: Being reconsidered by RTCA; WAAS; LAAS (LAAS satisfies WAAS ops., within VDB coverage); SPS/RAIM + INS.

Precision Approach Alert Limits

[Figure, courtesy FAA AND-730: alert limits by approach type]

• Approach with Vertical Guidance (APV): LPV (APV 1.5), 350 ft DH, 50 m VAL, 40 m HAL
• CAT I: 200 ft DH, 10 m VAL
• CAT II: 100 ft DH, 5.3 m VAL
• CAT III: 0~100 ft DH, 5.3 m VAL

DH: decision height; VAL: vertical alert limit; HAL: horizontal alert limit

Requirement: More Accuracy, Tighter Bounds

Benefit: Lower DH


Protection Level Objectives

• To establish integrity, augmented GNSS systems must provide means to validate in real time that integrity probabilities and alert limits are met

• This cannot be done offline or solely within GNSS augmentation systems because:

– Achievable error bounds vary with GNSS SV geometry

– Ground-based systems cannot know which SV’s a given user is tracking

– Protecting all possible sets of SV’s in user position calculations is numerically difficult

• Protection level concept translates augmentation system integrity verification in range domain into user position bounds in position domain


Key Assumptions in Existing Protection Level Calculations

• Distributions of range and position-domain errors are assumed to be Gaussian in the tails

– “K-values” used to convert one-sigma errors to rare-event errors are computed from the standard Normal distribution

• Under nominal conditions, error distributions have zero mean (for WAAS and LAAS)

• Under faulted conditions, a known bias (due to failure of a single SV or RR) is added to a zero-mean distribution with the same sigma

• Weighted-least-squares is used to translate range-domain errors into position domain

– Broadcast sigmas are used in weighting matrix, but these are not the same as truly “nominal” sigmas


LAAS Protection Level Calculation (1)

• Protection levels represent upper confidence limits on position error (out to desired integrity risk probability):

– H0 case (nominal conditions):

$$VPL_{H0} = K_{ffmd}\sqrt{\sum_{i=1}^{N} s_{vert,i}^{2}\,\sigma_i^{2}}$$

where $\sigma_i^2$ is the nominal range error variance, $s_{vert,i}$ is the geometric conversion from range to vertical position (~ VDOP), and $K_{ffmd}$ is the nominal UCL multiplier (for Gaussian dist.).

– H1 case (single-reference-receiver fault):

$$VPL_{H1,j} = |B_{j,vert}| + K_{md}\,\sigma_{vert,H1}$$

where $B_{j,vert}$ is the B-value converted to vertical position error, $\sigma_{vert,H1}$ is the vertical position error std. dev. under H1, and $K_{md}$ is the H1 UCL multiplier (computed for Normal dist.).

– Ephemeris (single-satellite ephemeris fault):

$$VPL_{e,j} = |S_{3,j}|\,x\,\frac{MDE_e}{R_j} + K_{md_e}\sqrt{\sum_{k=1}^{N} S_{3,k}^{2}\,\sigma_k^{2}}$$

where $S$ comes from the weighted p-inverse of the user geometry matrix (S index “3” = vertical axis), $\sigma_k^2$ is the differential ranging error variance, $K_{md_e}$ is the missed-detection multiplier, and $x$ is the LGF-user baseline vector.

The index subscripts are labelled “SV index” on the slide.

LAAS Protection Level Calculation (2)

• Fault-mode VPL equations (VPLH1 and VPLe) have the form:

VPLfault = (mean impact of fault on vertical position error) + (impact of nominal errors, de-weighted by prior probability of fault)

• LAAS users compute VPLH0 (one equation), VPLH1 (one equation per SV), and VPLe (one equation per SV) in real-time

– operation is aborted if maximum VPL over all equations exceeds VAL

– absent a fault, VPLH0 is usually the largest

• Fault modes that do not have VPL’s must:

– be detected and excluded such that VPLH0 bounds

– residual probability that VPLH0 does not bound must fall within the “H2” (“not covered”) LAAS integrity sub-allocation

Top-Level LAAS Signal-in-Space Fault Tree

Loss of Integrity (LOI): 2 × 10^-7 per approach (Cat. I PA)

– Nominal conditions (bounded by PLH0): 2.5 × 10^-8
– Single LGF receiver failure (bounded by PLH1): 2.5 × 10^-8
– All other conditions (H2): 1.5 × 10^-7
    – Single-SV failures: 1.4 × 10^-7
        – Ephemeris failures (bounded by PLe): 2.3 × 10^-8
        – Other single-SV failures (not bounded by any PL): 1.17 × 10^-7
    – All other failures (not bounded by any PL): 1 × 10^-8

Allocations to be chosen by LGF manufacturer (not in MASPS or LGF Spec.)

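WAAS Protection Level Calculation

$$VPL_{WAAS} = K_{V,PA}\sqrt{d_{3,3}}$$

$$d = \left(G^{T} W G\right)^{-1}$$

$$W^{-1} = \begin{bmatrix} \sigma_1^2 & 0 & \cdots & 0 \\ 0 & \sigma_2^2 & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & \sigma_n^2 \end{bmatrix}$$

$$\sigma_i^2 = \sigma_{i,flt}^2 + \sigma_{i,UIRE}^2 + \sigma_{i,air}^2 + \sigma_{i,tropo}^2$$

$$\sigma_{flt} = \sigma_{UDRE}\,\delta UDRE + \epsilon_{fc} + \epsilon_{rrc} + \epsilon_{ltc} + \epsilon_{er}$$

$$\sigma_{UIRE}^2 = F_{pp}^2\,\sigma_{UIVE}^2$$

$$\sigma_{UIVE}^2 = \sum_{n=1}^{4} W_n(x_{pp}, y_{pp})\,\sigma_{n,ionogrid}^2$$

$$F_{pp} = \left[1 - \left(\frac{R_e \cos E}{R_e + h_I}\right)^{2}\right]^{-1/2}$$

$$\sigma_{ionogrid} = \sigma_{GIVE} + \epsilon_{iono}$$

$$\sigma_{i,tropo}^2 = \left(0.12\, m(E_i)\right)^2$$

$$m(E_i) = \frac{1.001}{\sqrt{0.002001 + \sin^2(E_i)}}$$

Source annotations on the slide: Message Types 2-6, 24; Message Types 10 & 28; Message Type 26; MOPS Definition; User Supplied.

This “VPLH0” is the only protection level defined for WAAS. Errors not bounded by it must be excluded within time to alert, or σ must be increased until this VPL is a valid bound.

Courtesy: Todd Walter, SU WAAS Lab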
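An added example (not from the original slides): the WAAS form K·sqrt(d_3,3) and the LAAS H0 form K·sqrt(Σ S_3,i² σ_i²) computed from the same weighted-least-squares geometry, with K taken from the standard Normal distribution and an optional sigma inflation factor. The satellite geometry, the function names and the 10^-7 two-sided tail probability used for K are assumptions made for illustration.

```python
import math
from statistics import NormalDist

def k_value(p_tail):
    """Gaussian multiplier K with P(|z| > K) = p_tail (two-sided)."""
    return NormalDist().inv_cdf(1.0 - p_tail / 2.0)

def invert(m):
    """Gauss-Jordan inverse with partial pivoting; rejects singular geometry."""
    n = len(m)
    a = [row[:] + [float(i == j) for j in range(n)] for i, row in enumerate(m)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(a[r][c]))
        if abs(a[p][c]) < 1e-12:
            raise ValueError("singular geometry: no position bound exists")
        a[c], a[p] = a[p], a[c]
        pivot = a[c][c]
        a[c] = [v / pivot for v in a[c]]
        for r in range(n):
            if r != c:
                f = a[r][c]
                a[r] = [v - f * w for v, w in zip(a[r], a[c])]
    return [row[n:] for row in a]

def vpl(sats, k, inflation=1.0):
    """sats: (elevation_deg, azimuth_deg, sigma_m) per SV. Returns both VPL forms."""
    if len(sats) < 4:
        raise ValueError("need at least 4 SVs to solve position and clock")
    # Rows of G: East, North, Up line-of-sight components plus clock column
    G = [[math.cos(e) * math.sin(a), math.cos(e) * math.cos(a), math.sin(e), 1.0]
         for e, a in ((math.radians(el), math.radians(az)) for el, az, _ in sats)]
    sig = [s * inflation for _, _, s in sats]
    w = [1.0 / s ** 2 for s in sig]                      # W = diag(1/sigma_i^2)
    n = len(G)
    d = invert([[sum(w[i] * G[i][r] * G[i][c] for i in range(n))
                 for c in range(4)] for r in range(4)])  # d = (G^T W G)^-1
    # Row 3 of S = d G^T W maps each range error into vertical position error
    s3 = [w[i] * sum(d[2][c] * G[i][c] for c in range(4)) for i in range(n)]
    return (k * math.sqrt(d[2][2]),
            k * math.sqrt(sum((a * s) ** 2 for a, s in zip(s3, sig))))

def usable(sats, k, val, inflation=1.0):
    """Operation is allowed only while the protection level stays within VAL."""
    return vpl(sats, k, inflation)[0] <= val

# Constructed sample geometry (not measured data): elevation, azimuth, sigma [m]
SATS = [(75, 20, 0.6), (40, 80, 0.9), (25, 150, 1.3),
        (55, 220, 0.8), (15, 290, 1.8), (35, 340, 1.0)]
```

The two returned values agree because S·W⁻¹·Sᵀ reduces to (GᵀWG)⁻¹ when the weights are the inverse variances, and inflating every sigma by a factor scales the VPL by the same factor, which is why inflation trades directly against availability at a fixed VAL.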

Top-Level WAAS Signal-in-Space Fault Tree

Courtesy: Todd Walter, SU WAAS Lab

• 90% of total 10^-7 integrity risk req’t. falls within domain of “H0” (actually “H_all”) protection level calculation

– Remaining 10% allocated to WAAS hardware faults not covered by PL

– UDRE and GIVE set based on the maximum of bounding sigmas for nominal and faulted conditions (after SP monitoring)

• Fault cases not represented in tree must have negligible probability

[Figure labels: Hardware faults (not covered by PL): 1e-8; Based on maximum of nominal and faulted conditions]

LORAN Horizontal Protection Level

• Provide user with a guarantee on position

– Horizontal Protection Level > Horizontal Position Error

• i is the standard deviation of the normal distribution that overbounds the randomly distributed errors

• i an overbound for the correlated bias terms

• i an overbound for the uncorrelated bias terms

i i i i i ii i i

HPL K K K

=> Biases are to be treated as part of the nominal error distribution

Courtesy: Sherman Lo, SU LORAN Project

LORAN Integrity Fault Tree

[Figure: fault tree. Top event: Probability (HPE > HPL) > 10^-7/hour. Node labels: All Cycles Correct; At Least 1 Cycle Incorrect; One Cycle Incorrect; Two or More Cycles Incorrect; All Unbiased & Independent Range Errors; All Completely Correlated Range Errors; All Potentially Uncorrelated or Biased Errors; Transmitter, Propagation, Interference at Receiver (repeated under three branches); Phase Error; Cycle Error.]

Courtesy: Sherman Lo, SU LORAN Project

Threshold and MDE Definitions

[Figure: probability density (log scale) of the nominal and faulted test-statistic distributions versus test statistic response (no. of sigmas), marking the threshold (Thresh.), MDE, PFFA, PMD, KFFA and KMD.]

Failures causing test statistic to exceed Minimum Detectable Error (MDE) are mitigated such that both integrity and continuity requirements are met.

MDE Relationship to Range Domain Errors

[Figure, courtesy R. Eric Phelts, SU GPS Lab: monitor domain measurements (test statistic, minimum threshold, MDE built from the k_ffd and k_md multipliers, Monitor Performance Margin) mapped to user range domain measurements (PRE_air, PRE_mon, MERR annotated with a 5.33 × term in UDRE, F_PP and UIVE, User PRE Performance Margin).]

• MDE in test domain corresponds to a given PRE in user range domain depending on differential impact of failure source

• If resulting PRE ≤ MERR (required range error bound), system meets requirement with margin

• If not, MDE must be lowered (better test) or MERR increased (higher sigmas → loss of availability)


Reasons for Sigma Inflation

• We cannot prove that the tails of LAAS/WAAS error distributions are Gaussian

– Theoretical error analyses suggest Gaussian (noise, diffuse multipath) or truncated (specular multipath) distributions, but analysis alone cannot be relied upon to validate a 10^-7 or lower probability.

– Some degree of “mixing” is unavoidable in practice

• Error distribution mean, sigma, and correlation estimates have statistical noise due to limited number of independent samples.

• Inflating sigma inputs to PL is a convenient way to account for integrity monitor limitations when no PL is defined for a particular fault case.


Theoretical Impact of Sampling “Mixtures” on Tails of Gaussian Distributions

Normalize by theoretical sigma

Normalize by actual sigmas

Normalize by imperfect sigmas

Error Estimates from LAAS Test Prototype (9.5 – 10.5 degree SV elevation angle bin)

70+ days of data: June 1999 – June 2000; 200 seconds between samples

Significant tail inflation observed

Source: John Warburton, FAA Technical Center (ACT-360)

Error Estimates from LAAS Test Prototype (29.5 – 30.5 degree SV elevation angle bin)

70+ days of data: June 1999 – June 2000; 200 seconds between samples

Tail inflation is less pronounced, most likely due to reduced multipath variation within this bin (i.e., less “mixing”)

Source: John Warburton, FAA Technical Center (ACT-360)


Potential for Excessive Conservatism

• Each error/anomaly source that contributes to sigmas in PL calculations has some degree of magnitude and/or distribution uncertainty

• Traditional approach of “upper bounding” each uncertainty element may lead to excessive conservatism in the final sigma once conservative sigmas for each error source are convolved

• Avoiding this by creating less conservative bounds on each sigma element means giving up on the idea of protection levels “proving” system safety

• Clear trade-off exists between degree of conservatism/“provability” and system availability, which has its own safety impact

Solution: “Keep Two Sets of Books”

[Figure: flowchart with the following boxes]

• Uncertain Parameters
• Detailed Study and Probability Modeling
• TEP (primary due to engineer and DM acceptance): Uncertainty Bounding; Deterministic Assessment / Sensitivity Studies; Optimal Action (risk avoidance within tech./cost/schedule constraints)
• PRA/DA (backup – less detailed): DA Utility Modeling; Probabilistic Risk Assessment; Decision Tree Resolution; Optimal Action
• Compare and Contrast
• Alert DM if Significant Discrepancy (Add detail and re-compare)

WAAS Vertical Performance at Queens, NY WRS Site

Note that VPL’s imply much larger errors than are actually observed – significant sigma inflation is evident.

For Phase 1 WAAS, GIVE (Grid Ionosphere Vertical Error) is the dominant contributor to VPL.

Impact of Sigma Inflation on Category I LAAS Availability

Category I PA Availability Simulation: 10 user locations (6 US, 4 Europe), 5° mask angle

Cycle through all 22-of-24 GPS SV Outage Cases (276)

[Figure, two panels: “Service Availability” (availability, 0.95 to 1) and “Maximum Service Outage” (min, 0 to 200), each plotted against Normalized Inflation Factor (1 = AD curve value; 1 to 2.6) for the best location, worst location and mean, with B3/B and C3/B marked.]


Summary

• Protection Levels provide the means for users to translate range-domain integrity assurance from WAAS/LAAS/etc. into real-time safety assessments

• Protection Levels are defined to bound errors due to nominal conditions and specific failure modes

– Failure modes not covered by specific PL’s must be overbounded by nominal PL or assigned a separate P(HMI) allocation within system level fault tree

• Broadcast sigma inputs to PL’s are a key design parameter and will be conservative in practice

• Protection levels are very useful but should not be misconstrued as an inherent safety guarantee

– PL’s are highly dependent on assumptions on inputs

– Try to avoid excessive conservatism in pursuit of a “provable” overbound