DRAFT
ZETA ASSOCIATES
WAAS Integrity Resolution Process
Pat Reddan, 22 June 2005
WIRP Objectives
“Purpose of the WIRP is to assess the validity of a threat against the fielded WAAS by providing an evaluation of the threat for the fault tree and, in the event that the probability exceeds the margin in the fault tree, determine an acceptable exposure time to the threat.”
• The WAAS Integrity Resolution Process (WIRP) provides the means to address integrity threats against the fielded WAAS
• Integrity threats are assigned to nodes on the fault tree
• Mitigation of a threat is lengthy and complex
• All changes must adhere to the WAAS Change Control Process (WCCP)
• Evaluating threats against an operational system introduces complexity in the PASS/FAIL criteria as well as in the action or response
• Response options are: service shutdown, switch to emergency mode, place a GEO in test mode, revert to the previous system build
• Acceptable or tolerable exposure time is THE key factor in dealing with an operational system
• The focus of the WIPP investigation of such threats is exposure time
WIRP
• The process is initiated by either an Integrity Hazard Record or a WAAS Integrity Problem Report
• The WAAS Safety Team reviews all hazard records and problem reports (WPRs) in the context of the fault tree
• WIPP review determines whether the hazard is an ‘acceptable risk’ and, if not, performs a hazard assessment analysis
• An ‘acceptable risk’ finding is supported with a WIPP assertion (used in the HMI analysis document) that reflects a characteristic of WAAS known to be true, along with the rationale
• Hazard assessment determines a P(HMI) allocation for the threat and the exposure time
• The result is an acceptable risk for a specific time period
Hazard Assessment Guidelines
• Each integrity threat is evaluated on a case-by-case basis; there is NO definitive set of rules to be applied in the Hazard Assessment
• Models can be based on empirical data (IOC 30-day HMI set, FLP HMI sets, offline monitoring data from the FAATC, field data)
• Results generated at Level D mean additional data is necessary
• Single fault at a time directly affects exposure time and should only be invoked for truly rare, random and uncorrelated events
• Exposure time is set to zero UNLESS the HMI analysis allocation has margin to accommodate the specific threat
• WIPP collective judgment and rationale form the basis for a non-zero exposure period, decided on a case-by-case basis
WIRP Example
• Range Domain Monitor: an algorithm equation error unearthed during review of changes associated with the GIVE monitor
• WAAS Integrity Fault Tree Resolution: node 10R, “RDM Algorithm performance fails”, cannot be justified
• Temporary Assertion: the probability of a C&V CP L1/L2 bias or station clock error causing a 5.33-sigma error is negligible
• WIRP Probability Allocation: 4.50E-8
• Rationale: the actual range domain monitor threat has not been observed since the RDM was fielded; analysis of this observed performance shows an event likelihood of ….
• Exposure Time: six months if the RDM is needed to mitigate HMI