Cover Image


View/Hide Left Panel

able operational conditions. To ensure that the integrity requirement would be met, the FAA formed the WAAS Integrity Performance Panel (WIPP). The role of the WIPP is to independently assess the safety of WAAS and to recommend system improvements. To accomplish these tasks for initial certification, the WIPP had to determine how to interpret the integrity requirement for WAAS, develop algorithms to meet this requirement, and ultimately validate them.


WAAS monitors the GPS and provides both differential corrections to improve the accuracy and associated confidence bounds to ensure the integrity. WAAS utilizes a network of precisely surveyed reference receivers located throughout the United States. The information gathered from these WAAS Reference Stations (WRSs) monitors GPS and its propagation environment in real-time. However, the WAAS designers had to be aware of the limitations of its monitoring. The measurements that it makes are corrupted by noise and biases causing certain fault modes to be difficult to detect. Because it is a safety-of-life system, WAAS must place rigorous bounds on the probability that it is in error, even under faulted conditions.

In late 1999, concerns arose over the original WAAS design and the process by which WAAS was to be proven safe. In response, the FAA created the WIPP. The WIPP is a body of GPS and system safety experts chartered to assess the system engineering and safety design of WAAS and recommend required changes. The WIPP consists of members from government (FAA, Jet Propulsion Laboratory), industry (Raytheon, Zeta, MITRE), and academia (Stanford University). They first convened in early 2000 to address the integrity and certification of WAAS.

Primarily WIPP quantified the degree to which WAAS mitigated the system vulnerabilities. Over its first two years, WIPP changed the design of several system components where the system could not satisfactorily demonstrate the required level of integrity. As each threat was addressed, WIPP built upon what it had learned.

Some of the main lessons that emerged from WIPP are:

  • The aviation integrity requirement of 10–7 per approach applies in principle to each and every approach. It is not an ensemble average over all conditions.
  • Validated threat models are essential both to describe what the system protects against and to quantitatively assess how effectively it provides such protection.
  • The system design must be shown to be safe against all fault modes including external threats, addressing the potential for latent faults just beneath the system’s ability to detect them. This approach is unlike

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement