Validation of the WAAS MOPS Integrity Equation


Absolute Receiver Autonomous Integrity Monitoring (ARAIM)
Todd Walter
Stanford University
http://waas.stanford.edu
Introduction
GPS is an important component of today’s aviation navigation infrastructure
• Its role will continue to increase over the coming years
Future GNSS constellations will also become important contributors
However, their incorporation must be done with great care as the integrity requirements for aircraft guidance are very stringent
• Less than 10^-7 probability of misleading information
• International standards define different types of GNSS augmentations to achieve this level of integrity
Integrity Monitoring
Satellite-based and ground-based augmentation systems provide independent monitoring of the GPS signals through calibrated ground monitors
Requires ground monitoring network and communication channel to aircraft
Receiver Autonomous Integrity Monitoring (RAIM) compares redundant satellite range measurements against each other to identify and eliminate significant faults
Requires a greater number of ranging measurements than SBAS or GBAS
ARAIM Protection Level
[Figure: satellites labelled GPS, Compass, Galileo and GLONASS, with VPL marked]
RAIM vs. ARAIM
LNAV requirements are much less stringent than LPV
Alert limit measured in nautical miles
Only real threat is a large clock error
For LPV, MI is hazardous (vs. major)
Alert limit in tens of meters
Many sources of potentially significant errors
Two or more smaller errors may combine to cause a large enough error
ARAIM needed to more carefully account for all threats
Interoperability of Integrity
• Interoperability should be a goal not only for GNSS signals, but also for integrity provision
• Augmentation systems already internationally coordinated
• Open service signals should target performance comparable to or better than GPS L1 signals today
• Different service providers may make different design choices and different assurances
• However, it is important to establish a common understanding of how RAIM depends on GNSS performance and how signals from different services could be combined to improve RAIM
• Cooperation and transparency are essential
Benefits of Multi-Constellation RAIM
• Combining signals from multiple constellations can provide significantly greater availability and higher performance levels than can be achieved individually
Support for vertically guided approaches
• Potential to provide a safety of life service without requiring the GNSS service provider to certify each system to 10^-7 integrity levels
• Creates a truly international solution
All service providers contribute
Not dependent on any single entity
Coverage is global and seamless
Service Commitment
Each service provider should provide documentation of their service commitment
Encourage usage by other states
Allows planning of combined service level
Supports development of interface specifications and user algorithms
Commitment should include details on:
Accuracy, continuity, availability, fault modes, broadcast parameters, and other operating characteristics
Assurances should be provided for minimum commitments
Specification of Faults
Perform a fault modes and effects analysis
Understand and make transparent potential faults and their effects
Assure low fault rates
Of order 10^-5/SV/Hour
Assure low probability of simultaneous or common mode faults
Ideally below 10^-8/Constellation/Hour
Assure a short time to alert
Not longer than 6 hours
Maintain independence from other service providers
Monitoring and Assurance
Methods for monitoring conformity of signal properties relative to provided assurances should be agreed upon mutually by service providers and approval authorities
• Require clear unambiguous evaluations of assurances
• May be made by any potential approval authority
• Desirable to have a means to resolve potential observations of non-conformity
Long-term monitoring by each sovereign state is an important component of establishing reliability
• Each constellation still cross-checked by others in user avionics
Interface Specification
Each system may broadcast different parameters or provide different levels of assurance
However, a common understanding of how each parameter is used must be reached
• The parameters must be combined into a single upper bound for the joint position estimate
• The upper bound must be safe regardless of which combinations of satellites are used
• Also able to account for potentially different properties
Requires a more advanced form of RAIM than is used currently for LNAV
• Good candidates already exist
Summary
• RAIM allows for worldwide aviation navigation without requiring additional ground infrastructure
• Additional GNSS constellations can significantly improve performance and availability
• At a minimum, new GNSS constellations should assure that their open service signals support existing LNAV RAIM
• Should work together to specify a means to achieve multi-constellation RAIM for vertical guidance
• International cooperation and coordination will be essential to achieving this goal
Specification of Accuracy
• The dominant error sources should be understood and characterized
• Satellite clock and ephemeris within constellation tied to clear, stable, global, reference frames
• Code and carrier signals coherently derived from a common source
• Well designed signals to reduce multipath, ionosphere, and distortion effects
• International coordination already well-established
• Document how the expected performance level is indicated to the user
• Should broadcast expected accuracy for a fault-free ranging source
Specification of Availability & Continuity
Description of constellation geometry
Number of satellites, planes, spacing, etc.
Assure minimum levels of operating satellites
e.g. .99999 probability of at least 20 primary slots occupied by satellites broadcasting valid signals
Assure minimum levels of continuity
e.g. less than .0002 probability of unscheduled interruption or fault of previously healthy signal
• Lesser minimums support multi-const. RAIM even if they cannot support stand-alone
Fault Tree and Probability of Hazardously Misleading Information (PHMI)
Courtesy: Juan Blanch
[Figure: fault tree]
Any mode causes HMI
• PHMI0: No failures / rare normal create HMI (mode prior probability = ~1)
• PHMI1: failure of sat 1 causes HMI (mode prior probability = ~1e-4)
• …
• PHMIk: failure of sat k causes HMI (mode prior probability = ~1e-4)
• For each branch, a monitor mitigates the probability of HMI given the failure
• In ARAIM, the monitors are formed by comparing subset solutions
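
The subset-solution comparison named in the last bullet, as an added example that is not from the original slides: one monitor per single-satellite fault branch compares the all-in-view vertical solution with the solution that leaves that satellite out. The two-state model (vertical plus clock), the geometry values, the 1 m noise sigma, the threshold multiplier of 5 and the 30 m injected bias are all assumptions chosen for illustration.

```python
import math

def ls_vertical(s, y):
    """Least squares for the toy model y_i = s_i*v + b (v vertical, b clock).
    Returns (v_hat, variance of v_hat for unit measurement noise)."""
    n, s1, ss = len(s), sum(s), sum(si * si for si in s)
    sy, y1 = sum(si * yi for si, yi in zip(s, y)), sum(y)
    det = ss * n - s1 * s1
    if det <= 1e-12:
        raise ValueError("degenerate geometry: vertical not observable")
    return (n * sy - s1 * y1) / det, n / det

def subset_monitors(s, y, sigma=1.0, k_thresh=5.0):
    """One monitor per single-satellite fault mode: compare the all-in-view
    solution with the solution that excludes satellite k.
    Returns [(excluded_sat, separation_m, threshold_m), ...]."""
    v0, q0 = ls_vertical(s, y)
    monitors = []
    for k in range(len(s)):
        vk, qk = ls_vertical(s[:k] + s[k + 1:], y[:k] + y[k + 1:])
        # For least squares, var(vk - v0) = var(vk) - var(v0).
        sigma_sep = sigma * math.sqrt(max(qk - q0, 0.0))
        monitors.append((k, abs(vk - v0), k_thresh * sigma_sep))
    return monitors

def flagged(monitors):
    """Fault modes whose separation exceeds the monitor threshold."""
    return [k for k, sep, thr in monitors if sep > thr]

# Constructed sample data (assumed values, not from the slides).
S = [0.15, 0.35, 0.5, 0.8, 0.95]          # vertical line-of-sight components
CLEAN = [12.0 * si + 3.0 for si in S]     # truth: v = 12 m, clock = 3 m
FAULTY = CLEAN[:4] + [CLEAN[4] + 30.0]    # 30 m range bias on satellite 4

if __name__ == "__main__":
    for name, y in (("clean", CLEAN), ("faulty", FAULTY)):
        mons = subset_monitors(S, y)
        print(name, "flagged:", flagged(mons))
        for k, sep, thr in mons:
            print(f"  exclude sat {k}: separation {sep:7.3f} m, threshold {thr:6.3f} m")
```

The subset that excludes the faulted satellite recovers the true vertical position, so its separation from the all-in-view solution equals the vertical error the fault introduced.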