International Civil Aviation Organization
ACP-WGF27/WP-17
2012-09-11

AERONAUTICAL COMMUNICATIONS PANEL (ACP)
27th MEETING OF WORKING GROUP F
Montreal, Canada 17–26 September 2012

Agenda Item 4: Development of material for ITU-R meetings

Availability and Continuity Performance of UAS Control and Communications Satellite Links

(Presented by: Warren Wilson)

SUMMARY

This paper discusses the Required Communications Performance (RCP) parameters of Availability and Continuity, and the factors that affect them for an Unmanned Aircraft System (UAS) Control and Non-Payload Communications (CNPC) link, with emphasis on satellite operations.

ACTION

It is proposed that the working group take this information into account during its deliberations on responding to the liaison statement from ITU-R WP5B regarding the Availability requirements of satellite-based CNPC links.

1. INTRODUCTION

This paper addresses the factors affecting the Availability and Continuity of satellite-based beyond-line-of-sight (BLOS) links and then uses the principles developed for an example analysis of the overall probability of communications success (Pr{Success}) of the end-to-end paths between the pilot, aircraft, and air traffic control (ATC). Appendices show how Availability and Continuity are linked to Round Trip Pr{Success} and provide examples of safety-oriented calculations that derive example levels of Pr{Success}, and hence Availability and Continuity, that might be required.

2. DISCUSSION

2.1 Contributions to Availability, Continuity, Recoverability, and Pr{Success}

The UAS Control and Non-Payload Communications (CNPC) Architectures, identified in [1], consist of serially connected combinations of line-of-sight, beyond-line-of-sight (supported by satellite) and terrestrial networks. From a link performance standpoint, these architectures comprise a combination of hardware elements (system nodes illustrated as ovals) plus RF and terrestrial network elements (connecting lines).
The overall end-to-end availability of any particular architecture will be driven by system component/hardware element failures (characterized by their MTBFs and MTTRs) and short-term temporary outages dependent on the characteristics of the transmission medium. Unlike wired networks, wireless links are characterized by temporary interruptions to traffic flow that are “self-healing”; that is, when the cause of the interruption goes away, the wireless link will recover. These outages can range in duration from milliseconds to seconds (and even minutes for rain-induced fading) but will always self-heal. Even though they appear random in incidence and duration, their statistics can be captured and adequately represented so as to provide the capability to analyze their impact in terms of availability, continuity, recoverability, and Pr{Success} (the probability that a telecommand and telemetry round trip will be successful). The relationship between these parameters is discussed in appendix section A.1.

Figure 2-1 shows an example of how these different elements build to an overall end-to-end availability for the UAS CNPC system. As may be seen, an availability failure can occur in two ways: a) a short-term temporary outage; or b) a system component failure. Generally, short-term temporary outages are caused by non-hardware mechanisms such as multipath fading, airframe blockage, interference, or possibly capacity overload. These failure modes are considered self-healing over time, although it is the job of the system architecture to ensure that the likelihood of such a failure persisting for an unacceptable period of time is low. In contrast, a system component failure can potentially result in a sustained outage.

[Figure 2-1: Overall End-to-End UAS Unavailability. Fault tree: Overall Unavailability = System Component Failure OR Short Term Temporary Outage. Short Term Temporary Outage = Propagation Event OR Interference Event OR Airframe Obstruction OR Capacity Overload. System Component Failure = Airborne CC Failure OR CS CC Failure OR Satellite Failure OR Network Failure.]

Continuity and recoverability can be assessed by examining the distribution of “up durations” and “down durations” for candidate communications architectures used in representative environments. When combined with knowledge of link availability and the proposed architecture, overall Pr{Success} can be determined. The next step is to identify the mechanisms that can cause a temporary (until self-healed) or permanent (until repaired) loss of link, determine the impact of these mechanisms on availability, continuity, and recoverability, and determine if these loss mechanisms can be mitigated to the extent necessary to achieve the required levels of system performance. It should be recognized that the primary system-level performance metric is Pr{Success} for a candidate communications transaction, but that this is closely related to availability (A_RCP) and continuity (C_RCP), and that some systems can potentially exploit recoverability to offer a moderate enhancement (see appendix section A.1).

2.1.1 Short-Term Temporary Outages

The RF and wired network elements constituting the entire CNPC link can suffer short-term temporary outages due to antenna shadowing, multipath fading, scintillation, network congestion, interference, jamming, rain and handoff failure.¹ These outages tend to occur more frequently than hardware failures – in some cases many times per flight – and typically lead to short-term outages with durations of fractions of a second to (rarely) tens or hundreds of seconds (unless redundant links are available and not suffering correlated failures).
If these outages were all longer than a period that is considered to impact safe operation, for example, one second in duration, link availability would be equivalent to the operational Pr{Success} of the CNPC system; however, if outage duration ranges from much less than a second to many seconds, and recovery is allowed, then only outages longer than, in this example, one second in duration represent an operational concern.

Figure 2-2 is an illustrative time history of link margin on an RF link subject to antenna airframe obstruction variability and multipath fading. The link is assumed to have 10 dB of margin under nominal free-space conditions, so only fades deeper than 10 dB represent an outage. The time axis is arbitrary; however, for the example considered here, the first 100 samples of the figure highlight one short-term outage, presumed to be less than one second in duration, and one longer-term outage presumed to be longer than one second in duration. If link recovery is allowed, only the longer-term outage is significant from the standpoint of CNPC operational Pr{Success}. The identified short-term outage (and all the other outages in this example) may be mitigated because the link is presumed to recover in time for delivery of safety-critical data.

¹ Random bit and word/block errors due to additive white Gaussian noise are assumed to be addressed within the data link protocol, and are not considered a failure from the standpoint of availability or continuity analysis.

[Figure 2-2: Illustration of short-duration and longer-duration link outages due to RF propagation. Annotations: “Short outage”, “Longer outage”.]

The distribution of outage durations depends on many factors, some of which are under the control of human engineers and some of which are not. Rain outages on a single link tend to be many seconds or minutes in duration and cannot be shortened by clever design.
In contrast, multipath outages tend to range from fractions of a second to seconds, and can be reduced in magnitude and effective duration by many well-known and cost-effective techniques (although it is still possible for a long-duration outage to occur).

2.1.2 System Component Failure

In addition to the short-term temporary outages discussed above, the hardware on the ground and in the aircraft can suffer mechanical and electrical failure such as failure of electronic components, loss of power, and mechanical destruction. From the standpoint of mitigating such failures, three cases may be defined:

1. Active diversity redundancy. A hardware failure in one hardware path or element, where a separate hardware path or element is already carrying the same data or providing the same function, results in no operational loss.
2. Standby (backup path). SMEs have suggested that a standby can avoid a lost link, but cannot be activated in less than one second. Achievable recovery periods for well-designed standby systems are believed to be in the range of 5 to 10 seconds. This paper will assume 10 seconds.
3. No backup. If there is no backup, a hardware failure will result in a lost link. This should be a rare event by design.

Standby systems that require more than 10 seconds to recover could be conservatively grouped with full hardware failures (no backup) for the purposes of availability calculation. This will result in a conservative bound on expected system performance.

A hardware failure that is mitigated by a standby system (a backup) may be assumed to incur an “exposure interval” of 10 seconds associated with the setup or switching time. Consider a “danger hour” which contains an intruder that could result in a collision (such an hour might, for example, occur once every 10,000 flight hours).
We are interested in the probability that this 10-second exposure interval overlaps, in any way, with the presumed “intrusion event” which has a duration, for example, of 10-20 seconds. The conditional probability of overlap, given that both occur during the hour, is Pr{overlap | both occur} = (10 + 20) / 3600 ≈ 10⁻². If this were the only contribution to link unavailability, a system requirement of 99.8%, for example, would therefore require a failure rate (for failures that are backed up by standby systems) no higher than (1 – 0.998)/(0.01) = (0.002)/(0.01) = 0.2 failures/flight hour. However, since these types of hardware failures should represent only a small fraction of the overall “unavailability budget,” it seems reasonable to impose a requirement that such failures occur no more frequently than 0.01 times per flight hour. Thus, as an example value to assess overall system feasibility, hardware failures that can be backed up by a standby system will be assumed to occur no more often than once every 100 flight hours.

A similar analysis, where the system requirement might be 99.999% for example, yields a maximum allowed failure rate, for systems that can be reconstituted in 10 seconds or less, of (1 – 0.99999)/(0.01) = (0.00001)/(0.01) = 0.001 failures per flight hour. Again this value should be reduced so that such system component failures comprise only a small part of the overall “unavailability budget.” Thus, as an example value to assess overall system feasibility, hardware failures that result in a temporary loss of communication, but can be backed up by a standby system within 10 seconds or less, will be assumed to occur no more often than once every 10,000 flight hours.

A hardware failure that results in a lost link should be very rare by design. Even with prompt alerting and notification, it may take several minutes from the onset of the failure before ATC can “clear the airspace.” Assuming this exposure interval is 6 minutes (one tenth of an hour), the conditional probability of overlap, given that a particular hour has both an intrusion event and a lost link event, is Pr{overlap | both occur} = 610/3600 ≈ 0.17. This leads to upper bounds on failure rate of 0.012 and 6 × 10⁻⁵ for the two examples above and example design targets (lost link) of once per 1000 flight hours, and once per 200,000 flight hours, respectively.

Summarizing the results for system component failure, example hardware failure rates have been derived.² These example hardware failure rates are intended to keep the “hardware contribution” to unavailability small, so that the majority of the unavailability budget can be allocated to fault-free communication losses (the Short Term Temporary Outages shown in Figures 2-1 and 2-2). The example hardware failure rates are defined for two safety levels, and for failures that can be resolved (backed up) within 10 seconds, as well as failures that cannot (thereby resulting in a lost link). For simplicity, in this example, failures that can be resolved, but which require more than 10 seconds for resolution, are grouped with lost-link events. These example failure rates are tabulated in Table 2-1.

² The hardware failures included in these allocations are those failures which result in at least a single lost message. Hardware failure in one of a plurality of diversity paths, which does not result in any lost message, is excluded from these allocations.

Example Hardware Failure Rates, Assuming Man-On-The-Loop Operations Concept

Safety Level    Recoverable in 10 seconds    Not Recoverable (Lost Link)
0.998           100 flight hours             1000 flight hours
0.99999         10,000 flight hours          200,000 flight hours

Table 2-1. Example Component System Failure Rates

2.2 BLOS Link Availability, Continuity and Pr{Success}

BLOS link performance is driven by UA communications hardware availability and intermittent link outages.
UAS BLOS links are limited by the transmitter powers and antenna sizes that can be supported by the aircraft and hence the ability of the system to withstand fading. Even a large UA will find it difficult to accommodate an antenna with a reflector or aperture larger than approximately four or five feet and a transmitter with a power output significantly more than one hundred watts. Because satellites themselves are similarly limited with respect to EIRP and G/T, satellite links are normally run with little excess link margin, so fading of only a few dB can have a significant impact on link performance. Transmit powers are also limited (particularly with small aperture antennas) so as to keep the levels of interference to adjacent satellites at acceptable levels. There are so many geostationary satellites in orbit that they are now spaced only 2-3 degrees apart. UA antennas of only a few feet in diameter have similar 2-3 degree beam widths, so they do not provide much attenuation towards the satellite adjacent to the one being used by the UA. The accuracy of the antenna pointing on the UA (particularly when it is maneuvering) also has an impact on the adjacent satellite interference as well as the level of signals on the link to the wanted satellite.

The most significant potential causes of link impairment and link loss on BLOS links are antenna beam shadowing or obstruction by the airframe, rain attenuation (and other forms of moisture), and ionospheric scintillation.³ These impairments are addressed below. Attenuation due to rain and other forms of moisture, and ionospheric scintillation, are included in the ITU models used to derive the link budgets in the following sections.

³ Additional impairments, which can generally be discounted, are antenna mispointing (other than that caused by hardware failure) and multipath fading. Antenna mispointing could theoretically occur due to very strong turbulence; however, the antenna drive must be sufficiently precise to maintain pointing under all normal operational circumstances, and responsive enough to accommodate very high roll rates associated with aircraft maneuvers. Hence, antenna mispointing is not viewed as a significant factor in link performance except following a hardware failure. Ground-bounce multipath can also be discounted while the aircraft is in flight, since the aircraft antenna is directive (pointed away from the ground) and operated at high altitude.

2.2.1 Airframe Blockage And Shadowing on BLOS links

Aircraft antenna obstruction is generally not a concern if the elevation angle to the satellite is high (greater than 30 degrees for example) since in this case a normal maneuver will not cause any occlusion or blockage of the antenna beam by the airframe.

However, aircraft antenna obstruction can be a concern if the satellite is “low on the horizon”. In this case, a tail surface or wing (during a banking maneuver) can cause partial or complete blockage of the antenna beam leading to reduced margin or loss of link. The satellite can appear to be “low on the horizon” if, for example, it has a large longitudinal separation from the aircraft, or if it is a geostationary satellite and the aircraft is flying at high latitudes. Fortunately, the impairment or loss is substantially predictable since it is dependent on link geometry and the (presumed known) characteristics of the aircraft.
Mitigations include:

• Selection of a satellite or satellites with high elevation angles throughout the planned mission, so as to avoid obstruction, or handoff from one satellite to another as required;
• Active limitation on bank angle during periods of a turn maneuver when an airframe structure is predicted to intersect the antenna beam;
• Opportunistic message repetitions (time diversity) during periods of a turn maneuver when an airframe structure is predicted to intersect the antenna beam – especially if the predicted impairment or link loss is of short duration (seconds);
• Opportunistic increase in signal strength, or reduction in data rate, to increase nominal link margin.

2.2.2 Rain Attenuation on BLOS links

Rain is not a large adverse factor below 5 GHz, but can significantly affect overall availability in the 12/14 GHz and 20/30 GHz bands. As an example, Figure 2-3 below shows the variation with time of rain rate measured on the ground, and the associated excess attenuation on a 12/14 GHz band satellite path. The slowly changing attenuation is dependent on the macroscopic rain rate integrated over a sliding time window along the path of the radio beam through the rain. The short-term variations are due to tropospheric and ionospheric scintillation, and to a lesser extent, short-term variation in rain rate experienced at the earth terminal itself.

[Figure 2-3: BLOS path additional attenuation and rain rate]

The event illustrated in Figure 2-3 is particularly severe and may be considered a rare event. It would be difficult to design a satellite link with the 12 dB to 15 dB of excess margin required to overcome this event, particularly with the limitations on antenna and transmitter size and weight imposed by the UA airframe capacity. So achieving very high levels of availability on a single link is not realistic. As an example, this paper uses an Availability of 99.8% for a single BLOS link (see Appendix 2).
Higher levels, if needed, may be achieved with dual links exhibiting uncorrelated statistics. For example, two independent links with uncorrelated statistics, each offering an availability of 99.8%, would offer an availability of 99.999% when operated as a diversity pair. This could be achieved, for example, with a 12/14 GHz or 20/30 GHz band BLOS link operated in conjunction with a LOS link at lower frequency, or even an independent BLOS link operating at 1.5 GHz or 5 GHz (i.e., so that rain attenuation is substantially mitigated). When an aircraft is flying above the freezing layer, rain attenuation is nonexistent and a single BLOS link can achieve higher levels of availability.

In order to achieve the example link availability of 99.8% on a UA link to a satellite, there must be sufficient margin to overcome the expected amount of rain in the anticipated operating region during the appropriate time of year. Figure 2-4 below, which is related to the link budgets contained in [2], illustrates a typical example for a BLOS link operating at 11.777 GHz, with a 20.1 degree elevation angle to the satellite, in a rain region with a very high rain rate of 91 mm/hour exceeded only 0.01% of the time.

[Figure 2-4: Typical 12/14 GHz band Yearly Outage Statistics Versus Fade Duration, Parameterized by Link Margin (frequency = 11.777 GHz; elevation angle = 20.1 degrees; rain rate characterized by 91 mm/hour exceeded 0.01% of the time; analysis based on methodology outlined in ITU-R P.1623-1)]

This graph shows that short outages occur more frequently with longer outages occurring less than once per year. For example, a 30-dB fade lasting more than 2500 seconds should not occur more than once in 2500 years. The fact that the curves asymptotically approach horizontal lines toward the left-hand side of the graph is a consequence of the “time integrating” nature of rain.
Thus, while short fades can occur, they are rare events that contribute little to the total unavailability time over a year. Recognizing this asymptotic behaviour, we may conclude that the left-hand edge of the chart also represents all fades of any duration exceeding the parameterized depth. Considering the 3 dB curve, which is the pink curve second from the top, the total fading time per year, for all fades of any duration exceeding a fade depth of 3 dB, is approximately 48,000 seconds. This yields an availability of approximately 1 – (48,000)/(31,536,000) = 99.85%.

The other factor affecting Pr{Success} (see Appendix 1) is continuity and its dual, recoverability. Here, it is necessary to consider the total number of fades greater than a given depth, exceeding a time threshold T_i of “ignorability”, since even a short fade can potentially disrupt an ongoing communication event. Continuing with the above example, the threshold fade depth is taken to be 3 dB, consistent with the desired link availability of at least 99.8%. The “threshold of ignorability”, T_i, is taken as 0.1 ms, consistent with an anticipated message duration (based on Method 2 in [3]) of 6.7 ms (152 bits for a target report transmitted at a link burst rate of 22.7 kbps). This threshold of 0.1 seconds is roughly 2% of the message duration, and the FEC coding on the link is expected to be able to overcome error bursts shorter than this duration. Hence, for this example, we have a threshold fade depth and duration.

Figure 2-5 illustrates a graph of the number of fades per year, longer than D seconds, parameterized by fade depth. Again, the asymptotic behaviour near the left-hand side of the graph allows extrapolation to shorter fade durations. The graph indicates that about 507 fades with depth greater than 3 dB have a duration greater than 1 second in any given year (for this rain region). Extrapolating backward to 0.1 ms, there are ≈ 5000 fades.

[Figure 2-5: Typical Ku-band Yearly Fade Count Versus Fade Duration, Parameterized by Link Margin (frequency = 11.777 GHz; elevation angle = 20.1 degrees; rain rate characterized by 91 mm/hour exceeded 0.01% of the time; analysis based on methodology outlined in ITU-R P.1623-1)]

The probability that any given fade, of sufficient depth and duration to cause a message failure, will overlap a single 6.7 msec message, is Pr{Overlap} = 0.0067 * 5000 / (31,536,000) = 1.06 × 10⁻⁶. Hence, the continuity for BLOS satellite communications (for this example) is on the order of 99.9999% (six nines), and does not significantly affect Pr{Success}.

Recoverability with respect to rain attenuation may also be ignored. The mean duration of all fades lasting longer than 1 second is D_avg ~ (47,000)/507 ~ 93 seconds. So the probability that a user is experiencing a BLOS fade (probability = 0.0015) at the start of a communications event, and the fade terminates (and allows link recovery) in less than a second, is on the order of 0.01. The associated contribution to Pr{Success} is only (0.0015)(0.01) = 0.000015.

The foregoing analysis indicates that, in scenarios where the length of the typical transaction is much shorter than the average duration of a rain outage, rain does not have any significant effect on communications continuity or recoverability, and Pr{Success} is driven by availability alone.

2.2.3 Link Budget Overview

Taking into account the effects mentioned above, the link-budget analysis found in [2] has shown that UA can use GSO satellites operating in the 12/14 GHz and 20/30 GHz bands and achieve 99.8% overall link availability under selected conditions depending on the altitude of the aircraft and the rain rate region containing the operation.
UA CS earth station antenna size and/or transmit power can be used to accommodate rainfall rates at the location of the UA CS earth station, so the earth station to/from satellite link is not a significant factor in the availability analysis. The limited size and power on the UA platform dominates the overall end-to-end link availability and can limit the lowest altitude and/or highest rain rate that the UA to/from satellite link can accommodate. However, the analysis showed that the overall 99.8% A_RCP can be achieved at both 12/14 GHz and 20/30 GHz, with the nominal UA satellite communications terminal assumptions, at 3 km altitude in all rain rate regions in CONUS (although spread spectrum techniques, and increased transmit power at the UA and CS, are required to increase available energy per bit). The 12/14 GHz system can also achieve 99.8% A_RCP all the way down to ground level, with the use of spread spectrum and a moderate increase in the UA satellite communications terminal transmit power.

For the 20/30 GHz system, operation at lower altitudes can entail significant increases in required energy per bit depending on the rain rate region involved. This may make it difficult to achieve the necessary A_RCP at all altitudes; however, lower-altitude operations, including operations down to ground level, would be available in some regions of the country with enhancements to the UA satellite communications terminal that may be considered acceptable to the user community. Furthermore, it should be noted that the large UA envisioned for satellite communications support could also support a dual LOS system for low-altitude operation, and transition to a LOS/BLOS system for higher-altitude operation (i.e., above the rain layer). This might prove particularly beneficial and convenient in cases where payload communications are also supported by the UA terminal operating in the same band as the CNPC system, albeit in a different frequency channel.

3. ACTION BY THE MEETING

It is proposed that the working group take this information into account during its deliberations.

4. REFERENCES

[1] RTCA, SC203-CC014, “Candidate UAS Control and Communications Architectures,” Version D, 6 January 2010.
[2] ITU-R, Report M.2233, “Examples of technical characteristics for unmanned aircraft control and nonpayload communications links,” Appendix 4, 11/2011.
[3] ITU-R, Report M.2171, “Characteristics of unmanned aircraft systems and spectrum requirements to support their safe operation in non-segregated airspace,” 12/2009.
[4] RTCA, DO-264, “Guidelines for Approval of the Provision and Use of Air Traffic Services by Data Communications,” 14 December 2000.
[5] ICAO, Document 9869 AN/462, “ICAO Manual on Required Communications Performance,” 2008.

APPENDIX

A.1.1 Relationship of Pr{Success} to Availability, Continuity, and Recoverability

Aviation systems (among others) have traditionally used metrics of availability and continuity to measure performance. RTCA DO-264 [4] defines the following measures of a communications link performance (among others):

1. Availability (A_RCP) – Probability that the communication system between two parties is in service when needed.
2. Availability (A_Provision) – Probability that communication with all aircraft in the area is in service.
3. Continuity (C_RCP) – Probability that the transaction will be completed before the transaction expiration time, assuming that the communication system is available when the transaction is initiated.

This paper focuses on A_RCP and C_RCP for the CNPC link. Further work will be required, including a system safety analysis, to evaluate the A_Provision level required.

Consider a communications link which is either “up” (functional) or “down” (nonfunctional) as illustrated graphically by the binary waveform in the upper part of Figure A-1.
One could empirically measure link availability by observing the link for a long period of time, and calculating the fraction of time that the link is “up”. One could also empirically measure link continuity by gathering statistics on the duration of the “up” durations, and finding the likelihood that the link would remain functional for the duration of a communications event (an information exchange) given that the link was functional at the start.

In the lower part of Figure A-1, several information exchanges (IE) are illustrated, each with its own expiration time (ET). In a classical assessment, the first two events would fail due to lack of availability at the start of the event, and the third would fail due to lack of continuity during the event. The last two events would succeed. However, it is also clear that the second illustrated event (yellow) could potentially be counted as a “success” even though the link is unavailable at the start, since the link becomes available with sufficient time to transmit the message (if a delayed message start time can be accommodated). Hence, it is clear that the overall probability of success depends on average availability, the distribution of “up durations” and “down durations” (defined by continuity), and whether or not “link recovery” is allowed in the analysis.

[Figure A-1: Graphical Model Of Link Availability And Continuity]

Based on the above, Pr{Success} is related to A_RCP and C_RCP through the formula where recoverability, R, is the probability that the link will recover in time to complete the transaction within the transaction expiration time, given that the link is “down” when initially called upon to deliver service. If recovery (possibly including retransmission) is not allowed, R = 0 and Pr{Success} is simply A_RCP · C_RCP. However, even if recovery (retransmission) is allowed, Pr{Success} is close to A_RCP · C_RCP under many conditions of practical interest since (1 - A_RCP) is generally small.
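
The empirical measurement described above, as an added example that is not part of the original paper: it derives availability, continuity and recoverability from a constructed up/down trace and shows which start times are rescued when recovery is allowed. The combining formula A·C + (1 − A)·R is an assumption made here (it reduces to A_RCP · C_RCP when R = 0, as the text states); the trace, the function names and the 1 s expiration time are also assumptions, while the 6.7 ms message duration is the paper's example value.

```python
"""Added example: availability, continuity and recoverability from an up/down trace."""

# Constructed sample trace: (start, end) of each outage in seconds, sorted and
# non-overlapping, observed over a 1000 s window.
WINDOW_S = 1000.0
OUTAGES = [(100.0, 100.4), (300.0, 330.0), (600.0, 600.2), (600.5, 602.5)]

MESSAGE_S = 0.0067   # message duration from the paper's example (6.7 ms)
EXPIRY_S = 1.0       # transaction expiration time (assumed value)


def up_intervals(outages, window):
    """Return the complementary 'up' intervals inside [0, window]."""
    ups, cursor = [], 0.0
    for start, end in outages:
        if start > cursor:
            ups.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < window:
        ups.append((cursor, window))
    return ups


def link_metrics(outages, window, duration, expiry):
    """Measure A, C and R for transactions whose start time is uniform over the window.

    A: fraction of start times at which the link is up.
    C: given up at the start, fraction that stay up for the whole message.
    R: given down at the start, fraction for which the link recovers early
       enough to send the whole message before the expiration time.
    """
    ups = up_intervals(outages, window)
    up_time = sum(end - start for start, end in ups)
    down_time = window - up_time

    # A start time inside an up interval succeeds if the interval still has
    # room for the whole message (the window edge is treated as an interval end).
    good_up = sum(max(0.0, (end - start) - duration) for start, end in ups)

    good_down = 0.0
    for out_start, out_end in outages:
        # First up interval after this outage that is long enough for one message.
        resume = next((s for s, e in ups if s >= out_end and e - s >= duration), None)
        if resume is None:
            continue
        # A transaction started at t meets its deadline if resume + duration <= t + expiry.
        earliest_start = resume + duration - expiry
        good_down += max(0.0, out_end - max(out_start, earliest_start))

    a = up_time / window
    c = good_up / up_time if up_time else 0.0
    r = good_down / down_time if down_time else 0.0
    return {
        "A": a,
        "C": c,
        "R": r,
        "success_no_recovery": a * c,
        # Assumed combining formula: law of total probability over the start state.
        "success_with_recovery": a * c + (1.0 - a) * r,
    }


if __name__ == "__main__":
    for name, value in link_metrics(OUTAGES, WINDOW_S, MESSAGE_S, EXPIRY_S).items():
        print(f"{name:>22}: {value:.6f}")
```

In this trace the two sub-second outages are fully recovered while the 30 s and 2 s outages contribute only their final 0.9933 s of start times, so R stays small and Pr{Success} moves only slightly above A · C.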
It may be observed that continuity is related to the distribution of “up durations” while recoverability is related to the distribution of “down durations”. Both of these distributions express behavior of a common underlying process. In the case of rain attenuation on a BLOS link, outages tend to be infrequent but of long duration when they occur. If the link is functional at the start of the communications event, it is almost certain to remain functional for the duration of the event because rain outages occur very infrequently. Conversely, if the link is non-functional at the start, it is very unlikely to recover (because the outages tend to be long compared to the expiration time).

A.1.2 Effect of Correlation on the Round-Trip Success Probability of BLOS Links

Message success rate analyses often focus on one-way communications; however, it may be that a round-trip analysis is more relevant to UAS-mission success. For example, in an architecture that requires acknowledgments of each received message, a message is not considered successful until such an acknowledgment is received by the original sender. In that case it is the round-trip success probability that matters. In this appendix BLOS links, as depicted in Figure A-2, are examined. If there were no correlations, calculating the round-trip success probability would be relatively simple; however, there is a strong possibility that links 1 and 4 are correlated and that links 2 and 3 are correlated since they follow nearly identical propagation paths. How these correlations affect the overall success rate depends on whether the satellite has a “bent pipe” transponder or on-board processing.

[Figure A-2. Satellite Round Trip. Diagram labels: Satellite, UA, Pilot; links numbered 1 to 4.]

A.1.2.1 Bent-Pipe Satellite Case

Most satellites are equipped with bent-pipe transponders. That means they receive a certain bandwidth centered on one frequency and retransmit an amplified version on a different frequency.
If signals from many sources converge on the satellite, then they all compete for the available transmit power. To a reasonable approximation, the transmitted power for any given signal is proportional to its received power. In that case the overall excess loss from ground station to UA is the sum of the losses over paths 1 and 2 (measured in decibels). This can be written as follows:

Similarly, the excess loss for the path from UA to ground station can be written as:

If the probability distribution of is given by , then the one-way probabilities are given by the following convolutions:

If there were no correlations the combined probability would be the product of these two expressions:

More generally, this would be written as follows:

where are bivariate distributions. The round-trip success probability is then given by

The integration limits, u12,max and u34,max, are based on the maximum received signal strengths. Without explicit knowledge of the joint probability distributions (based on empirical measurements), all one can say on the basis of individual link measurements (and the assumption of reciprocity) is ] with

The upper limit pertains when the correlations equal unity, and the lower limit pertains when there is no correlation.

A.1.2.2 Processing Satellite Case

If the satellite processes the signals, the individual transmissions are demodulated on the satellite. Subsequently, the messages are modulated again and transmitted downward on a different frequency. If so, one can show (using the notation of the previous section) that

If the two bivariate distributions are unknown and only the one-link loss distributions are available, then limits on performance are given by the following: ] ] with

Again, the upper limit pertains when the correlations equal unity, and the lower limit pertains when there is no correlation.
A.2 Examples of Availability and Continuity Requirements

This section of the paper focuses on the Availability and Continuity elements of Required Communications Performance (RCP) of a CNPC link used for safety-critical communications between an Unmanned Aircraft (UA) and its associated Control Station (CS). The operational scenario is a collision avoidance encounter with man-in-the-loop or man-on-the-loop decision-making. As illustrated in Figure A.2-1, two aircraft (at least one of which is unmanned) are on a collision course. It is assumed that the UA must transmit a surveillance track report to the ground-based UA pilot, and the UA pilot must transmit an avoidance maneuver command to the UA, in order to avoid a collision. The timeline of the illustrated encounter will depend on closing speed and detection range; however, there is a general consensus that the timeline is fairly stringent with the “conflict avoidance period” and the “collision avoidance period” each comprising only 5 to 10 seconds. The assumed Sense-And-Avoid (SAA) architecture involves a UA-based surveillance system with target reports generated at a nominal 1 Hz rate. While a typical collision avoidance scenario will involve a timeline spanning tens of seconds, and multiple reports of the intruder aircraft transmitted on the downlink, it is clearly advantageous for the system to reliably deliver the first report of the intruder as sensed by the UA. It is also advantageous for the system to reliably deliver the pilot’s avoidance command on the first attempt.

Figure A.2-1: Generic Collision Avoidance Scenario

Relative to a manned aircraft, the decision-making process for a UA with man-in-the-loop or man-on-the-loop decision-making is marginally restricted by the latency of the CNPC link.
Round-trip latency depends on the system architecture, but is upper-bounded by a latency of 1.1 seconds associated with an architecture incorporating a BLOS link and a nationwide ground infrastructure to connect the CS to the satellite earth station (ES). [1] In order to conserve pilot response time, it is further assumed that the safety communications transaction(s) must satisfy a “transaction expiration time” on uplink and downlink of 1 second exclusive of the link latency.

We are interested in the probability of success, Pr{Success}, of delivering a target report on the downlink, and of delivering an avoidance maneuver command on the uplink, within the allowed transaction expiration time. Intuitively, this probability must be relatively high (close to 1). The following analysis (including the appendix) derives an estimate of required Pr{Success} and relates this value to traditional concepts of availability and continuity.

A.2.1.1 Estimated System Level Requirement For Pr{Success}

A rough estimate of the system-level requirement for CNPC Pr{Success}, in the absence of systems for autonomous separation assurance and collision avoidance, can be derived via two methods that yield roughly equivalent results:

Method 1: Target Midair Collision Rate. This method relies on a target midair collision rate based on existing manned aircraft – approximately 4 x 10^-7 midair collisions per flight hour for Part 91 operations, and approximately 2.5 x 10^-9 midair collisions per flight hour for Part 121 operations. These historical data can be combined with an estimate of the likelihood that an intruder aircraft will enter an “own ship” separation assurance volume on a collision course (unless properly mitigated by pilot action).
This likelihood has been estimated by Subject Matter Experts at roughly 10^-4 per flight hour (see footnote 4). In order to achieve the target midair collision rates (based on historical precedent), in the face of the estimated “threat rate” of 10^-4/hour, the combination of the SA and CNPC subsystems must be designed to “allow” no more than (for Part 91 analysis) 4 x 10^-3 collisions per flight hour. If this budget is allocated equally to the SA and CNPC subsystems, the CNPC subsystem must “allow” no more than 2 x 10^-3 collisions per flight hour. For Part 121 aircraft, the equivalent analysis leads to an “allowance” or “budget” of 1.25 x 10^-5 collisions per flight hour. These thresholds may be characterized as the Pr{Failure} allowed to the CNPC subsystem, where Pr{Failure} is the probability that the CNPC subsystem is temporarily unable to support traffic for longer than the transaction expiration time. Pr{Success} is 1 minus these values, or 99.8% for Part 91 equivalent operations and 99.99875% (approximately five nines) for Part 121 equivalent operations.

It should be noted that overall CNPC success in the collision avoidance scenario actually requires two separate “technical successes”: a successful downlink transmission and a successful uplink transmission. If one direction (uplink versus downlink) is significantly more robust than the other, then only the “less robust” link needs to be considered. If the performance statistics on uplink and downlink are roughly equal and uncorrelated, a conservative analysis would sub-allocate the allowed failure probability – perhaps equally – to the uplink and downlink. This would lead to more stringent limits on Pr{Failure}, for the uplink and downlink considered separately, than the aggregate figures indicated above; however, under no circumstances would the required Pr{Failure} differ from the above values by more than a factor of 2.
An example of a system with uncorrelated uplink and downlink statistics would be a LOS system using spatial and frequency diversity to mitigate antenna shadowing and multipath. In such a system, the performance statistics are essentially uncorrelated and the uplink and downlink systems should be designed to achieve more stringent performance levels – perhaps assigning a required Pr{Success} of 99.9% for uplinks and downlinks associated with Part 91 aircraft and 99.9995% for Part 121 operations. Conversely, if the uplink and downlink performance statistics are perfectly correlated (i.e., so that success on one implies success on the other), no further allocation is required. For example, in the case of a BLOS CNPC system, outages are driven primarily by antenna pointing errors and rain. These considerations affect the uplink and downlink in a highly correlated manner, so no further allocation is required.

Footnote 4: At least one SME has observed that the likelihood of a “potential collision encounter” may be substantially lower for small UA given the smaller cross-sectional area of these aircraft. This may introduce additional design flexibility for the CNPC architecture as a whole and small UA in particular.

Method 2: Use FAA AC 23/25.1309. This method applies the probability of catastrophic failures noted in AC 23.1309 for Class I and Class III aircraft. Class I (Single Reciprocating engine, Gross Weight < 6000 pounds) is used as a surrogate for smaller UA (Part 91 equivalent operations in Method #1). Class III (Single or multi-engine, reciprocating or turbine, Gross Weight > 6000 pounds) is used as a surrogate for large UA (Part 121 equivalent operation in Method #1). For Class I, the probability of catastrophic failure due to system elements is bounded by 10^-6 per flight hour.
As with Method #1, assume the likelihood that an intruder aircraft will enter an “own ship” separation assurance volume on a collision course (unless properly mitigated by pilot action) is roughly 10^-4 per flight hour. Thus, for every catastrophic event (one per 10^6 flight hours), there are 100 “encounters” of which 99 are “mitigated” by pilot action supported by the SA and CNPC subsystems. SMEs from RTCA SC203 WG3 have estimated that the total conflict avoidance plus collision avoidance period is 10 to 20 seconds. Thus, in every 10^6 flight hours, there will be 100 potential collisions with a total accumulated event time of 1000 to 2000 seconds. A worst-case analysis assumes that a 1 second outage during this accumulated event time of 1000 to 2000 seconds will result in a catastrophic collision. Hence, the tolerable Pr{Failure} is between 1 - (999/1000) = 10^-3, and 1 - (1999/2000) = 5 x 10^-4. This is roughly the same order of magnitude as the Part 91 analysis using Method #1.

For Class III aircraft, the probability of catastrophic failure is 10^-8 (one collision per 10^8 flight hours). Over this period of time, there are 10,000 potential “encounters” of which 9,999 are mitigated by pilot action and other means. Total accumulated encounter duration is 10^5 to 2 x 10^5 seconds. This leads to a tolerable Pr{Failure} between 10^-5, and 5 x 10^-6. Again, this is roughly in line with the analysis according to Method #1.

Recognizing that further refinement will be needed for actual rulemaking, the values derived above are sufficiently consistent to offer a basis for further analysis with the aim of determining conceptual feasibility. These values are interpreted as the required probability of successfully completing an uplink or downlink transaction within a transaction expiration time of 1 second, for a UAS with man-in-the-loop or man-on-the-loop separation assurance and collision avoidance function.
For simplicity, the uplink and downlink transactions are considered to be independent with the indicated performance, and may be spaced apart in time. Some of the factors that could affect the values discussed above are listed below in Table A.2-1.

| Factors That Could Lead To More Stringent Requirements | Factors That Could Lead To More Relaxed Requirements |
|---|---|
| Refinement of estimated risk of intrusion (to a higher probability) | Refinement of estimated risk of intrusion (to a lower probability) |
| More complex CNPC architecture with larger number of serial links | Autonomous separation assurance and/or collision avoidance |

Table A.2-1. Additional Factors Affecting CNPC Pr{Success}

A.2.3 ICAO Manual on Required Communications Performance

ICAO has recently released guidance on recommended RCP levels for pilot-to-controller voice and data communications [5]. ICAO safety-based analysis shows availability requirements for different traffic separation levels. Any UAS CNPC link supporting voice and data communications would need to support these levels of performance. As can be seen from Table A.2-2, the ARCP values listed range from 0.999 to 0.99998. The ICAO-recommended values are very similar to the availability levels estimated by the two methods described earlier in this section. However, it should be recognized that the ICAO requirements are for controller/pilot voice and data communications, rather than situational awareness and aircraft control, and have transaction times that are long compared to the conflict avoidance timelines discussed above. As a consequence, the ICAO requirements are generally less stringent than the requirements derived earlier in this paper specifically for UA collision avoidance.
| RCP Type | Transaction Time (secs) | Continuity per flight hr | Availability per flight hr | Integrity per flight hr | Usage |
|---|---|---|---|---|---|
| RCP 10 | 10 | 0.999 | 0.99998 | 10^-5 | Controller voice intervention supporting separation assurance in a 5nm radius environment |
| RCP 60 | 60 | 0.999 | 0.9999 | 10^-5 | Controller routine communication in a 5nm radius environment - data |
| RCP 120 | 120 | 0.999 | 0.9999 | 10^-5 | Controller intervention supporting separation assurance in a 15nm radius environment |
| RCP 240 | 240 | 0.999 | 0.999 | 10^-5 | Controller intervention supporting separation assurance in a 30/50m radius environment |
| RCP 400 | 400 | 0.999 | 0.999 | 10^-5 | Controller intervention supporting separation assurance outside a 30/50m radius environment |

Table A.2-2. ICAO-Recommended RCP Types for Voice and Data Communications