
Assistant Professor in the TELECOM Group - PowerPoint Presentation

Uploaded On 2020-06-16



Presentation Transcript

Slide1

Assistant Professor in the TELECOM Group

Carl Milner – ENAC

ENAC | 8th March 2018

RAMS for GNSS

Slide2

Questions

- How to relate the Tolerable Hazard Rate per hour to the positioning function per epoch/sample/test?
- Correlation time impacts (Fault Free case and Faulty case)
- What conditions may be defined around the use of GNSS in rail? Is there a known probabilistic distribution for them? (average risk)
- Is there reasonable means to predict? (specific risk)
- How to measure/ensure maintainability for GNSS applications?

WP1 Brainstorming, Webex, 12/02/2018

Slide3

RAMS vs GNSS SIS

Positioning, Navigation and Timing (PNT)

In aviation, the active Navigation System provides the primary guidance function. Navigation System Error (NSE) is then the difference between the true position and the estimated position.

Signal-In-Space (SIS) performance requirements express the quality of a GNSS PNT service assuming a fault-free receiver, meaning one which is operating nominally. SIS performance includes nominal errors which are local to the aircraft, namely multipath and receiver noise, which have been modelled and validated by Boeing (Wozniak, 1997) and Airbus.

“3.7.2.4.1 The combination of GNSS elements and a fault-free GNSS user receiver shall meet the signal-in-space requirements defined in Table 3.7.2.4-1” (ICAO SARPS, 2010)

Slide4

RAMS vs GNSS SIS

Diagram: Safety Risk from Aircraft Failure; SIS Safety Risk; RX; Navigation System; Safety Risk

Slide5

RAMS vs GNSS SIS

Diagram repeated from Slide4: Safety Risk from Aircraft Failure; SIS Safety Risk; RX; Navigation System; Safety Risk

Slide6

RAMS vs GNSS SIS

SIS Requirements - Accuracy

(Absolute) Accuracy: The degree of conformance between the estimated position and the true position of the aircraft at a given time (95%, 2σ). Most conservative/likely definition.

Predictable Accuracy: The accuracy of a PNT system's position solution with respect to the charted solution. Close to absolute accuracy (could be used in rail).

Repeatable Accuracy: The accuracy with which a user can return to a location whose coordinates have been measured at a previous time. Not to be used.

Relative Accuracy: The accuracy with which a user can measure position relative to that of another user at the same time. Unlikely but possible application in moving block (or more appropriately under virtual coupling).

Slide7

RAMS vs GNSS SIS

SIS / PNT Requirements - Integrity

Integrity: The measure of trust that can be placed in the information provided by the PNT system, including the ability to provide timely warnings when the system should not be used.

Time-to-Alert: Allowable time from the onset of an unsafe condition to the alarm indication.

Integrity Risk: The allowable probability of an undetected unsafe condition.

Specific Risk: The probability of unsafe conditions subject to the assumption that all credible unknown events that could be known occur with a probability of one (e.g. for 1 operation). “The approach integrity requirements apply in any one landing and require fail-safe design. If the specific risk on a given approach is known to exceed this requirement, the operation should not be conducted” (DeCleene 2005)

Average Risk: The probability of unsafe conditions based upon the convolved estimated probabilities of all unknown events (e.g. < over many operations).

Slide8

RAMS vs GNSS SIS

SIS / PNT Requirements - Continuity

Continuity: The ability of the system to perform its function without interruption during the intended operation, i.e. the probability that the specified performance will be maintained for the duration of a phase of operation. “The continuity requirement should be applied as applying the average risk of loss of service”

Availability: The percentage of time that the services of a system are available (accuracy and integrity are met; in some interpretations also continuity).

Reliability: The probability that a system will perform its function within defined performance limits for a specified period of time (not the operation duration).

Slide9

RAMS vs GNSS SIS


Slide10

RAMS vs GNSS SIS

RAMS

Reliability: The probability that a system can perform a required function under given conditions for a given time interval
for an interval if failure rate is constant

MTTF: Mean Time To Failure (MTTF), which for a constant rate is equal to

Maintainability: The probability that a given active maintenance action, for an item under given conditions of use, can be carried out within a stated time interval when maintenance is performed under stated conditions and using stated procedures. Mean Time To Repair (MTTR).

Availability: The ability of a product to be in a state to perform a required function under given conditions at a given instant of time or over a given time interval
(if constant rates)

Slide11

RAMS vs GNSS SIS

RAMS

Safety: Freedom from unacceptable risk of harm

Risk: The probable rate of occurrence of a hazard causing harm and the degree of severity of harm

Safety Integrity: Likelihood of a system satisfactorily performing the required safety functions under all the stated conditions within a stated period of time

Dependability: Collective term used to describe the availability performance and its influencing factors

Quality of Service: e.g. percentage of trains arriving with delay less than X minutes as a result of the PNT function

Slide12

RAMS vs GNSS SIS


Slide13

RAMS vs GNSS SIS

What influences dependability/quality of service…?

Reliability | Maintainability | Time duration of operations
High        | High            | Many trains with small-medium delay
Low         | Low             | Few trains with long delays and cancellations
(Similar availability in both rows)

Averaging instantaneous availability gives availability but loses information regarding reliability
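As an added example (not from the presentation), the constant-rate definitions of Slide10 and the point of the table on Slide13 carried through in Python: two constructed systems with the same steady-state availability but very different failure and repair rates, showing what averaging instantaneous availability discards. The rates and the 8 h operation duration are assumed values.

```python
import math

# Two-state (up/down) model with a constant failure rate lam and a constant
# repair rate mu, both per hour, matching the "(if constant rates)" caveat.

def reliability(lam, t):
    """R(t) = exp(-lam * t): probability of no failure during t hours."""
    return math.exp(-lam * t)

def mttf(lam):
    """Mean Time To Failure for a constant failure rate."""
    return 1.0 / lam

def mttr(mu):
    """Mean Time To Repair for a constant repair rate."""
    return 1.0 / mu

def steady_state_availability(lam, mu):
    """A = MTTF / (MTTF + MTTR), i.e. mu / (lam + mu)."""
    return mttf(lam) / (mttf(lam) + mttr(mu))

def outage_profile(lam, mu, t_op):
    """What a single availability figure hides: how often the system goes
    down during an operation of t_op hours, and for how long each time."""
    a = steady_state_availability(lam, mu)
    return {
        "availability": a,
        # probability that an operation of t_op hours sees no failure at all
        "reliability_over_operation": reliability(lam, t_op),
        # failures only start from the up state, so the long-run failure
        # frequency is lam * A; scaled by the operation duration
        "expected_outages": lam * a * t_op,
        "mean_outage_hours": mttr(mu),
    }

# Constructed systems (assumed rates, not from the presentation):
# frequent short outages vs. rare long outages, both with A = 0.99.
SYSTEMS = {
    "frequent_short": (0.1, 9.9),      # ~1 failure per 10 h, ~6 min repair
    "rare_long":      (0.001, 0.099),  # ~1 failure per 1000 h, ~10 h repair
}

def compare(t_op=8.0):
    """Profiles for both systems over one operation (default 8 h)."""
    return {name: outage_profile(lam, mu, t_op)
            for name, (lam, mu) in SYSTEMS.items()}

if __name__ == "__main__":
    for name, prof in compare().items():
        print(name, {k: round(v, 4) for k, v in prof.items()})
```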

Slide14

RAMS vs GNSS SIS

System States

Diagram of system states: Available + Safe; ‘Failed’/Unavailable/Outage; Available + Unsafe. Transitions labelled Failure Rate, Repair Rate, <THR and ?

Slide15

RAMS vs GNSS SIS

First Mapping

Slide16

RAMS vs GNSS SIS

RAMS Safety Integrity vs PNT Integrity

SIL expressed by Tolerable Hazard Rate. Hazard Rate may be averaged over the time interval? i.e. over 1 hour? Over all time? Over the Time-To-Alert period? Or must it be met for any interval however small?

Requirements at the algorithmic level are needed for each epoch.

Aviation integrity: the high-level requirement is for within the defined period of operation, e.g. for SBAS when converted to a single epoch a number of independent samples is used.

(operational level)

Correlation time of 360s (ionosphere driven)

(receiver level)
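An added example (not from the presentation) of the per-hour to per-epoch conversion described above: the hour is split into independent samples by the 360 s correlation time, the THR is allocated across them with a union bound, and the slide's open question about the averaging interval is shown by treating the per-hour rate as scaling linearly with the interval. The THR of 1e-7 per hour and the 5 s time-to-alert are assumed values.

```python
import math

# Relating a per-hour Tolerable Hazard Rate (THR) to a per-epoch requirement
# via a number of effectively independent samples set by the correlation time.

def independent_samples(period_s, correlation_time_s):
    """Effective independent samples in a period: one per correlation time,
    rounded up, never fewer than one."""
    return max(1, math.ceil(period_s / correlation_time_s))

def per_epoch_allocation(thr_per_period, period_s, correlation_time_s):
    """Per-sample integrity risk p from the union bound N * p <= THR.
    Conservative: it ignores that failures in different samples overlap."""
    n = independent_samples(period_s, correlation_time_s)
    return thr_per_period / n

def risk_over_period(p_epoch, period_s, correlation_time_s):
    """Exact probability of at least one undetected unsafe condition over
    N independent samples: 1 - (1 - p)^N."""
    n = independent_samples(period_s, correlation_time_s)
    return 1.0 - (1.0 - p_epoch) ** n

def allocation_meets_thr(thr_per_period, period_s, correlation_time_s):
    """Confirm the union-bound allocation keeps the per-period risk at or
    below THR (it does, since 1 - (1-p)^N <= N * p)."""
    p = per_epoch_allocation(thr_per_period, period_s, correlation_time_s)
    return risk_over_period(p, period_s, correlation_time_s) <= thr_per_period

def averaging_interval_sensitivity(thr_per_hour, correlation_time_s, intervals_s):
    """Per-epoch allocation for each candidate averaging interval (assumption:
    the per-hour rate scales linearly to the shorter interval, then that
    interval's THR is allocated across its own independent samples)."""
    out = {}
    for period_s in intervals_s:
        thr_period = thr_per_hour * period_s / 3600.0
        out[period_s] = per_epoch_allocation(thr_period, period_s, correlation_time_s)
    return out

# Assumed values: THR 1e-7 per hour (constructed, not a rail figure), the
# slide's 360 s ionosphere-driven correlation time, a 5 s time-to-alert.
if __name__ == "__main__":
    print(independent_samples(3600, 360))          # 10 samples per hour
    print(per_epoch_allocation(1e-7, 3600, 360))   # 1e-8 per sample
    print(allocation_meets_thr(1e-7, 3600, 360))   # True
    print(averaging_interval_sensitivity(1e-7, 360, [3600, 360, 5]))
```

Averaging over one hour or over one correlation time gives the same per-epoch figure, while requiring the rate to hold over a 5 s interval tightens it by a factor of 72.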

Slide17

RAMS vs GNSS SIS

Alert Limit – no agreement:
- 2.5m for track discrimination/station operations
- 20-25m for along-track positioning, or might also be expressed as a function of speed

Time-to-alert – values between 1s and 5s

Slide18

RAMS vs GNSS SIS

What would be the response of the rail network to a ‘Predictable’ outage?

Continuity in aviation is a safety issue, whereas Reliability in RAMS is not. Reliability and Availability are directly linked in RAMS.

The PNT service is available in civil aviation even if an aircraft experiences a loss of continuity (standard interpretation).

Predictable outages are not continuity risks (no universal agreement on interpretation; depends upon system development):
- Navigation systems may be sole/primary/supplemental means
- Mitigations for loss of service

Since global availability and the probability of a down-state switch depend upon many factors (including the solution proposed), the requirement used for detection thresholds (continuity) should be set late.

Slide19

RAMS vs GNSS SIS

Loss of Reliability (Failures): Immobilising / Service / Minor

Slide20

RAMS vs GNSS SIS


Slide21

RAMS vs GNSS SIS

Loss of Availability/Continuity

Predictable:
- Slow geometry change -> increased protection level (or real time integrity risk) -> unavailable -> time -> repair
- Satellite loss passing horizon -> increased protection level -> unavailable -> time -> repair
- Satellite loss due to planned manoeuvre/maintenance (NANU warning) -> increased protection level -> unavailable -> time -> control -> repair
- Masking -> loss of tracking -> geometry change -> increased protection level -> unavailable -> location -> user -> repair

Unpredictable:
- False alarm -> failed exclusion -> unavailable -> time -> repair
- Satellite failure -> correct detection -> failed exclusion -> unavailable -> time -> control -> repair
- Ionosphere gradient -> correct detection -> failed exclusion -> unavailable -> time -> repair
- Extreme multipath -> correct detection -> failed exclusion -> unavailable -> time -> repair
- Interference -> loss of tracking -> geometry change -> increased protection level -> unavailable -> time -> repair
- Jamming -> loss of tracking -> geometry change -> increased protection level -> unavailable -> time -> security -> repair
- Scintillation -> loss of tracking -> geometry change -> increased protection level -> unavailable -> time -> repair
- Shadowing -> loss of tracking -> geometry change -> increased protection level -> unavailable -> time -> user -> repair
- Change in error models (i.e. from DGNSS) -> increased protection level -> unavailable -> time -> user -> repair

Slide22

RAMS vs GNSS SIS


Instantaneous Availability (Up-State vs. Down-State)

where:

is the true train location

and

is the time (and constellation phasing state)

is the set of satellites (all sets are numerated by

up to

)

is the availability function given the geometry defined by

and other parameters which may modify the requirement such as speed

where:

is the state probability of satellite set

being available for positioning as a result of phenomena indexed by

depending upon the assessment methodology (probabilistic simulation of the environment?)

may be influenced by deterministic changes of

(e.g. predictable masking)

 

WP1 Brainstorming

Webex

, 12/02/2018

Slide23

WP1 RAMS vs SIS/PNT


The

are for most not under the control of the (rail PNT system) designer

In the case of false alarm/correct detection and failed exclusion events, the probabilities are. However, under this formulation, the thresholds are set in order to meet availability targets.

Given values for each sub-condition event probability (i.e. probability of ionosphere gradient, etc.) the availability function is well-defined.

To assess through simulation

 

WP1 Brainstorming

Webex

, 12/02/2018

Slide24

WP1 RAMS vs SIS/PNT


(Operational/Signal Environment) Reliability and Maintainability would then be products of the Availability function and not the reverse. For example, given either a route for an operation:

Where:

is the repair rate from

to

for outage reason

Also may be assessed through simulation either over an ‘average’ 1 hour period and track or more locally

Must loop over constellation

 

 

 

 

 

 

WP1 Brainstorming

Webex

, 12/02/2018

Slide25

WP1 RAMS vs SIS/PNT


Reliability (defined this way) may learn from aviation’s Continuity however. Continuity is allocated amongst cases by considering the impact upon the number of aircraft, i.e.

With an allocation of

and a maximum of 100 aircraft impacted then if

the user receiver

requirement would be

rather than

if only a single aircraft be impacted

Domino effect for a rail GNSS outage under moving block – should reliability account for this?

Does reliability already consider differently failures which impact multiple vehicles and those that impact just a single one?

Slide26

This project has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No 777561

Call identifier: H2020-S2RJU-2017

Topic: S2R-OC-IP2-01-2017 – Operational conditions of the signalling and automation systems; signalling system hazard analysis and GNSS SIS characterization along with Formal Method application in railway field