Title: Tosho-U GPS Symposium Presentation
1. A Comparative Overview of the Protection Level Concept for Augmented GNSS and LORAN
Sam Pullen, Stanford University, spullen_at_relgyro.stanford.edu
Stanford University GPS Laboratory Weekly Meeting, 20 December 2002
2. Aviation Requirements Definitions
- ACCURACY: Measure of navigation output deviation from truth, usually expressed as 1σ (68%) or 2σ (95%) error limits.
- INTEGRITY: Ability of a system to provide timely warnings when the system should not be used for navigation. INTEGRITY RISK is the probability of an undetected hazardous navigation system anomaly.
- CONTINUITY: Likelihood that the navigation signal-in-space supports accuracy and integrity requirements for the duration of the intended operation. CONTINUITY RISK is the probability of a detected but unscheduled navigation interruption after initiation of approach.
- AVAILABILITY: Fraction of time navigation system is usable (as determined by compliance with accuracy, integrity, and continuity requirements) before approach is initiated.
3. Summary of Aviation Requirements
SPS/RAIM INS
WAAS
LAAS (LAAS satisfies WAAS ops., within VDB coverage)
Being reconsidered by RTCA
Original Source: GPS Risk Assessment Study Final Report. Johns Hopkins University Applied Physics Laboratory, VS-99-007, January 1999. http://www.jhuapl.edu/transportation/aviation/gps/
4. Precision Approach Alert Limits
5. Protection Level Objectives
- To establish integrity, augmented GNSS systems must provide means to validate in real time that integrity probabilities and alert limits are met
- This cannot be done offline or solely within GNSS augmentation systems because
  - Achievable error bounds vary with GNSS SV geometry
  - Ground-based systems cannot know which SVs a given user is tracking
  - Protecting all possible sets of SVs in user position calculations is numerically difficult
- Protection level concept translates augmentation system integrity verification in range domain into user position bounds in position domain
6. Key Assumptions in Existing Protection Level Calculations
- Distributions of range and position-domain errors are assumed to be Gaussian in the tails
- K-values used to convert one-sigma errors to rare-event errors are computed from the standard Normal distribution
- Under nominal conditions, error distributions have zero mean (for WAAS and LAAS)
- Under faulted conditions, a known bias (due to failure of a single SV or RR) is added to a zero-mean distribution with the same sigma
- Weighted-least-squares is used to translate range-domain errors into position domain
- Broadcast sigmas are used in weighting matrix, but these are not the same as truly nominal sigmas
7. LAAS Protection Level Calculation (1)
- Protection levels represent upper confidence limits on position error (out to desired integrity risk probability)
- H0 case
- H1 case
- Ephemeris
Nominal range error variance
(nominal conditions)
Geom. conversion range to vertical position (VDOP)
Nominal UCL multiplier (for Gaussian dist.)
Vert. pos. error std. dev. under H1
(single-reference-receiver fault)
B-value converted to Vertical position error
H1 UCL multiplier (computed for Normal dist.)
(single-satellite ephemeris fault)
(S index 3 vertical axis)
8. LAAS Protection Level Calculation (2)
- Fault-mode VPL equations (VPL_H1 and VPL_e) have the form
  - VPL_fault
- LAAS users compute VPL_H0 (one equation), VPL_H1 (one equation per SV), and VPL_e (one equation per SV) in real-time
  - operation is aborted if maximum VPL over all equations exceeds VAL
  - absent a fault, VPL_H0 is usually the largest
- Fault modes that do not have VPLs must
  - be detected and excluded such that VPL_H0 bounds
  - residual probability that VPL_H0 does not bound must fall within the H2 (not covered) LAAS integrity sub-allocation
Impact of nominal errors, de-weighted by prior probability of fault
Mean impact of fault on vertical position error
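The H0 calculation outlined on slides 6 to 8, as an added example that is not from the presentation. It assumes the usual form VPL_H0 = K × sqrt(Σ S_vert,i² σ_i²) with S from weighted least squares, leaves out the glide-path term of the LAAS S_vert definition, and uses a constructed geometry, constructed sigmas, an assumed 10^-7 allocation and an assumed 10 m VAL.

```python
from math import cos, radians, sin, sqrt
from statistics import NormalDist

def geometry_matrix(az_el_deg):
    """One row per SV: unit line-of-sight (x, y, vertical) plus clock column."""
    rows = []
    for az, el in az_el_deg:
        a, e = radians(az), radians(el)
        rows.append([-cos(e) * cos(a), -cos(e) * sin(a), -sin(e), 1.0])
    return rows

def solve(A, b):
    """Gauss-Jordan elimination with partial pivoting (small dense system)."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [x - f * y for x, y in zip(M[r], M[c])]
    return [M[i][n] / M[i][i] for i in range(n)]

def vertical_row(G, sigmas):
    """Vertical (index 3) row of S = (G^T W G)^-1 G^T W, W = diag(1/sigma^2)."""
    w = [1.0 / s ** 2 for s in sigmas]
    A = [[sum(wi * g[r] * g[c] for wi, g in zip(w, G)) for c in range(4)]
         for r in range(4)]
    y = solve(A, [0.0, 0.0, 1.0, 0.0])  # A is symmetric: y is row 3 of A^-1
    return [wi * sum(gj * yj for gj, yj in zip(g, y)) for wi, g in zip(w, G)]

def k_multiplier(p_alloc):
    """Two-sided standard-Normal multiplier for an integrity allocation."""
    return NormalDist().inv_cdf(1.0 - p_alloc / 2.0)

def vpl_h0(G, sigmas, p_alloc):
    """Upper confidence limit on vertical error under nominal conditions."""
    s = vertical_row(G, sigmas)
    return k_multiplier(p_alloc) * sqrt(sum((si * sg) ** 2 for si, sg in zip(s, sigmas)))

def approach_allowed(vpls, val):
    """Operation continues only while the largest VPL stays within VAL."""
    return max(vpls) <= val

# Constructed sample: six SVs (azimuth, elevation in degrees), broadcast sigmas in m.
SVS = [(0, 70), (60, 25), (130, 40), (200, 15), (270, 50), (320, 30)]
SIGMAS = [0.4, 0.8, 0.6, 1.1, 0.5, 0.7]
G = geometry_matrix(SVS)

if __name__ == "__main__":
    vpl = vpl_h0(G, SIGMAS, 1e-7)  # 1e-7 allocation and 10 m VAL are assumed
    print(f"VPL_H0 = {vpl:.2f} m, allowed: {approach_allowed([vpl], 10.0)}")
```

Scaling every broadcast sigma by the same factor leaves S unchanged and scales VPL_H0 by that factor, which is why sigma inflation translates directly into lost availability against a fixed VAL.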
9. Top-Level LAAS Signal-in-Space Fault Tree
Loss of Integrity (LOI)
2 × 10^-7 per approach (Cat. I PA)
1.5 × 10^-7
2.5 × 10^-8
2.5 × 10^-8
Nominal conditions (bounded by PL_H0)
Single LGF receiver failure (bounded by PL_H1)
All other conditions (H2)
1.4 × 10^-7
1 × 10^-8
Allocations to be chosen by LGF manufacturer (not in MASPS or LGF Spec.)
All other failures (not bounded by any PL)
Single-SV failures
2.3 × 10^-8
1.17 × 10^-7
Ephemeris failures (bounded by PL_e)
Other single-SV failures (not bounded by any PL)
10. WAAS Protection Level Calculation
User Supplied
Courtesy Todd Walter, SU WAAS Lab
Message Types 2-6, 24
Message Types 10 & 28
User Supplied
MOPS Definition
MOPS Definition
MOPS Definition
Message Type 26
This VPL_H0 is the only protection level defined for WAAS. Errors not bounded by it must be excluded within time to alert, or σ must be increased until this VPL is a valid bound.
11. Top-Level WAAS Signal-in-Space Fault Tree
Hardware faults (not covered by PL) 1e-8
- 90% of total 10^-7 integrity risk reqt. falls within domain of H0 (actually H_all) protection level calculation
- Remaining 10% allocated to WAAS hardware faults not covered by PL
- UDRE and GIVE set based on the maximum of bounding sigmas for nominal and faulted conditions (after SP monitoring)
- Fault cases not represented in tree must have negligible probability
Based on maximum of nominal and faulted conditions
Courtesy Todd Walter, SU WAAS Lab
12. LORAN Horizontal Protection Level
- Provide user with a guarantee on position
- Horizontal Protection Level > Horizontal Position Error
- α_i is the standard deviation of the normal distribution that overbounds the randomly distributed errors
- β_i an overbound for the correlated bias terms
- γ_i an overbound for the uncorrelated bias terms
=> Biases are to be treated as part of the nominal error distribution
Courtesy Sherman Lo, SU LORAN Project
13. LORAN Integrity Fault Tree
Phase Error
Cycle Error
Courtesy Sherman Lo, SU LORAN Project
14. Threshold and MDE Definitions
Test Statistic Response (no. of sigmas)
Failures causing test statistic to exceed Minimum Detectable Error (MDE) are mitigated such that both integrity and continuity requirements are met.
15. MDE Relationship to Range Domain Errors
- MDE in test domain corresponds to a given PRE in user range domain depending on differential impact of failure source
- If resulting PRE ≤ MERR (required range error bound), system meets requirement with margin
- If not, MDE must be lowered (better test) or MERR increased (higher sigmas → loss of availability)
Courtesy R. Eric Phelts, SU GPS Lab
16. Reasons for Sigma Inflation
- We cannot prove that the tails of LAAS/WAAS error distributions are Gaussian
- Theoretical error analyses suggest Gaussian (noise, diffuse multipath) or truncated (specular multipath) distributions, but analysis alone cannot be relied upon to validate a 10^-7 or lower probability.
- Some degree of mixing is unavoidable in practice
- Error distribution mean, sigma, and correlation estimates have statistical noise due to limited number of independent samples.
- Inflating sigma inputs to PL is a convenient way to account for integrity monitor limitations when no PL is defined for a particular fault case.
17. Theoretical Impact of Sampling Mixtures on Tails of Gaussian Distributions
Normalize by actual sigmas
Normalize by theoretical sigma
Normalize by imperfect sigmas
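An added numerical illustration of the mixing effect on slides 16 and 17, not taken from the presentation: samples drawn from two zero-mean Gaussians with different sigmas are normalized by one overall sigma, and the code computes how far that sigma must be inflated before a Gaussian K-multiplier bounds the mixture at a 10^-7 probability. The mixture weights, sigmas and the target probability are constructed for the example.

```python
from math import erfc, sqrt
from statistics import NormalDist

def gaussian_k(p):
    """Multiplier K whose two-sided standard-Normal tail probability is p."""
    return NormalDist().inv_cdf(1.0 - p / 2.0)

def mixture_sigma(components):
    """Overall one-sigma of a zero-mean mixture of (weight, sigma) pairs."""
    return sqrt(sum(w * s * s for w, s in components))

def mixture_tail(x, components):
    """Two-sided P(|error| > x) for a zero-mean Gaussian mixture."""
    return sum(w * erfc(x / (s * sqrt(2.0))) for w, s in components)

def mixture_bound(p, components):
    """Error magnitude exceeded with probability p (bisection on the tail)."""
    lo, hi = 0.0, 20.0 * max(s for _, s in components)
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if mixture_tail(mid, components) > p:
            lo = mid
        else:
            hi = mid
    return hi

def inflation_factor(p, components):
    """Factor on the overall sigma so that K(p) * sigma bounds the mixture at p."""
    return mixture_bound(p, components) / (gaussian_k(p) * mixture_sigma(components))

# Constructed mixture: 80% of samples at sigma 0.9, 20% at sigma 1.3.
MIX = [(0.8, 0.9), (0.2, 1.3)]

if __name__ == "__main__":
    p = 1e-7
    x_gauss = gaussian_k(p) * mixture_sigma(MIX)
    print(f"overall sigma          : {mixture_sigma(MIX):.4f}")
    print(f"tail at K*sigma        : {mixture_tail(x_gauss, MIX):.2e} (target {p:.0e})")
    print(f"required sigma inflation: {inflation_factor(p, MIX):.3f}")
```

With these constructed inputs the uninflated Gaussian bound is exceeded roughly a hundred times more often than the target, and an inflation factor of about 1.24 is needed to restore it.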
18. Error Estimates from LAAS Test Prototype (9.5-10.5 degree SV elevation angle bin)
70 days of data: June 1999 - June 2000; 200 seconds between samples
Significant tail inflation observed
Source: John Warburton, FAA Technical Center (ACT-360)
19. Error Estimates from LAAS Test Prototype (29.5-30.5 degree SV elevation angle bin)
70 days of data: June 1999 - June 2000; 200 seconds between samples
Tail inflation is less pronounced, most likely due to reduced multipath variation within this bin (i.e., less mixing)
Source: John Warburton, FAA Technical Center (ACT-360)
20. Potential for Excessive Conservatism
- Each error/anomaly source that contributes to sigmas in PL calculations has some degree of magnitude and/or distribution uncertainty
- Traditional approach of upper bounding each uncertainty element may lead to excessive conservatism in the final sigma once conservative sigmas for each error source are convolved
- Avoiding this by creating less conservative bounds on each sigma element means giving up on the idea of protection levels proving system safety
- Clear trade-off exists between degree of conservatism/provability and system availability, which has its own safety impact
21. Solution: Keep Two Sets of Books
Detailed Study and Probability Modeling
Uncertain Parameters
TEP (primary due to engineer and DM acceptance)
PRA/DA (backup less detailed)
DA Utility Modeling
Uncertainty Bounding
Probabilistic Risk Assessment
Deterministic Assessment / Sensitivity Studies
Decision Tree Resolution → Optimal Action
Optimal Action (risk avoidance within tech./cost/schedule constraints)
Compare and Contrast
(Add detail and re-compare)
Alert DM if Significant Discrepancy
22. WAAS Vertical Performance at Queens, NY WRS Site
For Phase 1 WAAS, GIVE (Grid Ionosphere Vertical Error) is the dominant contributor to VPL.
Note that VPLs imply much larger errors than are actually observed; significant sigma inflation is evident.
23. Impact of Sigma Inflation on Category I LAAS Availability
Category I PA Availability Simulation: 10 user locations (6 US, 4 Europe), 5° mask angle. Cycle through all 22-of-24 GPS SV Outage Cases (276).
[Figure: two panels, Service Availability and Maximum Service Outage (min), each plotted against Normalized σ Inflation Factor (1 AD curve value); curve labels: Worst location, Mean, Best location; C3/B, B3/B]
24. Summary
- Protection Levels provide the means for users to translate range-domain integrity assurance from WAAS/LAAS/etc. into real-time safety assessments
- Protection Levels are defined to bound errors due to nominal conditions and specific failure modes
- Failure modes not covered by specific PLs must be overbounded by nominal PL or assigned a separate P(HMI) allocation within system level fault tree
- Broadcast sigma inputs to PLs are a key design parameter and will be conservative in practice
- Protection levels are very useful but should not be misconstrued as an inherent safety guarantee
- PLs are highly dependent on assumptions on inputs
- Try to avoid excessive conservatism in pursuit of a provable overbound