Why a “correctable clock” matters more than a “perfect clock”

A ranging node converts RF detection events into hardware timestamps. The distance result inherits short-term jitter (timestamp noise) and long-term drift (temperature and aging). A clock strategy is strong when it provides stable behavior and a clear correction loop (evidence → estimate → small adjustment).

• Short-term: PLL phase noise and timestamp latch repeatability drive p95/p99 distance stability.
• Long-term: temperature drift and aging drive slow distance drift and device-to-device spread.
• Key point: MCU read latency does not change the latched timestamp; detection/latch stability does.

XTAL vs TCXO: choose by constraints (accuracy / boot time / power)

XTAL and TCXO are not “better vs worse”; they are different constraint optimizers. The selection should be driven by the target ranging stability, warm-up/lock time, and power budget for repeated measurements.

How CFO and drift still impact DS-TWR timestamps

DS-TWR combines multiple TX/RX timestamps to reduce clock-bias sensitivity, but residual CFO/drift still affects the effective timing of detection events and the stability of the timestamp counter. In field data this often shows up as: stable mean distance but degraded tail stability (p95/p99) and temperature-correlated drift.

• CFO residual: small frequency error that remains after estimation/correction; appears as slow drift or update-rate sensitivity.
• Temperature drift: distance slowly walks with temperature even when geometry is fixed.
• Aging: long-term shift that accumulates over months; shows as calibration “going stale”.

Node-local correction strategy (boot → temperature points → runtime trim)

A practical correction plan is layered, with explicit evidence and bounded adjustments. The goal is to improve repeatability without chasing noise.

• Boot calibration: establish a usable baseline after power-up; log the calibration version and environmental conditions.
• Temperature-point calibration: build a temperature-to-correction map; verify hysteresis and warm-up behavior.
• Runtime micro-trim: small, bounded updates using CFO evidence or statistical residuals; avoid large steps that amplify tails.

Debug table: field symptom → clock evidence → first action

Clock issues often masquerade as channel issues. The table below ties visible symptoms to evidence that should be logged, and a first corrective action that is safe and bounded.

Minimum “clock pack” to log per ranging exchange: temperature, correction version, CFO estimate/residual (if available), and timestamp variance proxy.

RF impact point: first-path detectability and CIR stability

UWB ranging is not “signal strength measurement”. It is dominated by whether the first path can be detected consistently. Any RF change that reshapes the pulse or shifts the detection threshold can move the detected first path, creating distance jumps or heavier tails.

• Evidence: first-path confidence, peak/first-path ratio, first-path index stability, retry/fail codes.
• Field signature: “mean looks OK” while p95/p99 breaks under NLOS/metal/human proximity.

Matching + bandwidth: why group delay ripple matters for pulses

A matching network can improve return loss, but the time-domain pulse can still be distorted when group delay ripple is large. Distortion broadens or shifts correlation peaks, making the detection point more sensitive to thresholds and multipath.

• Return loss: affects effective energy and SNR margin.
• Group delay ripple: reshapes pulses, changes correlation peak geometry, and affects first-path repeatability.

Antenna delay: why “fixed distance bias” appears after changes

Antenna delay is a hardware timing offset contributed by the antenna, feed structure, and the local reference environment. It often manifests as a nearly constant distance offset across the operating range. Changing antenna type, placement, enclosure spacing, or ground reference can shift this delay and therefore shift measured distance.

Enclosure, routing, and ground reference: how CIR gets reshaped

Metal proximity, cable routing, and ground reference changes can create additional reflections and modify the apparent first-path peak. The effect is visible in CIR signatures and first-path confidence collapse. RF co-existence issues that matter for ranging are the ones that move detection behavior or increase jitter, not generic EMC topics.

• Chassis proximity: can raise multipath components and shift first-path detectability.
• Digital noise coupling: can increase timestamp jitter proxies and reduce confidence.
• UWB-focused coexistence: look for neighbor activity correlated with confidence drops or retries.

Build rules: freeze variables that change delay and CIR

Repeatability requires assembly-level consistency. Freeze the variables that shift antenna delay or reshape the near-field environment.

• Antenna geometry: type, placement, keep-out, and reference ground layout.
• Feed & routing: length, bends, and proximity to noisy digital rails.
• Enclosure spacing: plastic thickness, metal clearance, and mechanical tolerance stack-up.
• Version control: lock RF BOM variants and record build identifiers in logs.

Measurability first: the hidden cost of “aggressive” settings

An aggressive configuration can look great in average throughput but fail in the field because retries, missed detections, and tail instability dominate power and latency. A robust profile maximizes successful exchanges and keeps quality metrics interpretable.

Preamble length: reliability margin vs duty-cycle efficiency

Preamble is a practical knob for detection margin. Longer preambles usually improve robustness under weak links, body blockage, or metal-rich multipath, while shorter preambles reduce air-time but tighten the detection margin.

• Longer preamble: more correlation energy → fewer misses → better p95/p99 stability under stress.
• Shorter preamble: higher potential update rate, but missed detections and retries can erase gains.
• Logging cue: track retry rate and first-path confidence when changing preamble.

PRF: multipath separability and first-path behavior (not just “resolution”)

PRF changes the timing structure that the receiver uses to detect and correlate signals. In practice it influences how multipath components appear in CIR and how stable the first-path decision becomes across environments.

• Multipath-rich scenes: PRF interacts with correlation behavior and can change peak/first-path ratios.
• Threshold sensitivity: a “marginal” setting can turn small CIR changes into large first-path jumps.
• Do not tune alone: validate PRF together with preamble and SFD/STS settings to keep metrics comparable.

Data rate: update rate is only real when detection success stays high

Higher data rate reduces packet time, but also tightens the margin for reliable detection and CIR capture. When the channel degrades, aggressive data rate often shifts the failure mode from “slightly noisy” to “missed or repeated”.

• High data rate: less air-time per exchange, but tails often worsen in weak links and NLOS.
• Moderate data rate: better measurability; logs remain stable and comparable across deployments.
• Proof point: compare p95/p99 distance and retry rates, not only mean update rate.

SFD and STS: stable timestamp points + a bridge to secure ranging

SFD is where practical timestamp capture becomes stable. STS (Scrambled Timestamp Sequence) reinforces measurability by supporting trustworthy timestamp sequences and enabling secure-ranging hooks. This chapter only covers the node-visible effects and logging requirements—security protocol details belong to later chapters.

• SFD role: a consistent detect event supports repeatable timestamp latching.
• STS role: ties to secure ranging; changing STS behavior should be versioned and logged.
• Logging cue: record STS enable state, error codes, and quality flags for each exchange.

Node-side CIR quality metrics (only what the node can compute)

Choose a small set of CIR-derived indicators that remain stable across builds. These metrics should explain failures and correlate with field symptoms without requiring a full RTLS engine.

Production consistency: define and freeze a default profile

A production profile should keep quality metrics comparable and reduce “mystery variability”. Freeze what changes measurability, guard what can be tuned, and leave only bounded adaptivity.

Why add IMU at all: three node-local roles

A ranging node benefits from IMU information even without any localization engine. The value is practical: reduce wasted exchanges, improve interpretability, and gate unstable conditions.

• Trigger: motion or shock interrupts can start short ranging bursts instead of always-on updates.
• State: a simple motion-state machine informs duty-cycle and “trust level” tags.
• Hint: provide flags that help upper layers filter out events likely degraded by rapid motion.

Trigger strategy: bounded bursts instead of constant ranging

Use IMU interrupts and thresholds to gate ranging. The policy should be predictable, bounded, and versioned. A safe design uses a small set of trigger reasons and a strict ceiling for maximum burst rate.

Node-local time alignment: IMU interrupt timestamp vs UWB timestamp

IMU events are timestamped in the MCU domain, while UWB timestamps are captured in the UWB timebase. The goal is not global absolute time—it is a bounded, observable alignment error that upper layers can trust.

• Record offsets: measure and record a stable mapping offset between MCU-time and UWB-time domains.
• Expose confidence: publish an alignment_quality flag so consumers know if alignment is tight or coarse.
• Avoid overreach: do not introduce network timing or multi-node sync here.

Minimal consumable interface: what upper layers should receive

Keep the interface small and stable. The node should output a minimal set that upper layers can consume without binding to a specific localization engine.

Complexity control: three rules that prevent “system blow-up”

IMU hooks are valuable only when they remain predictable and bounded. These rules keep integration stable across firmware releases.

• Rule 1: IMU changes duty-cycle and flags, not the definition of the PHY profile itself.
• Rule 2: every policy has hard bounds (max burst time, max update rate, max power).
• Rule 3: every state transition is logged (reason + version) for post-mortem analysis.

Why “encrypted packets” can still produce fake distance

Encryption protects confidentiality and integrity of messages. Distance fraud attacks can still succeed if an attacker can replay old valid exchanges, relay challenges to a real device, or force a downgrade to weaker ranging settings. Secure ranging requires binding the ranging-critical fields to freshness and authenticated state.

Threat model (node-centric): what can happen even with crypto

Secure ranging is about the attacker’s ability to affect the time-of-flight decision. The most common classes below should be treated as distinct engineering problems, each with different evidence signals.

• Replay: old valid messages are injected again. Symptoms: repeated counters/nonces, “valid decode” but stale session.
• Relay (mafia fraud): challenges are forwarded to a real device. Symptoms: timing consistency anomalies and unusual processing gaps.
• Impersonation: a fake node claims a valid identity. Symptoms: auth failures, key-version mismatch, STS validation errors.
• Downgrade: the link is forced into weaker settings (e.g., STS disabled). Symptoms: config negotiation changes and “compat mode” counters.

Engineering landing zone: STS + challenge/response (freshness binding)

Practical secure ranging uses two anchors: freshness (nonce/counter) and binding (ranging-critical fields are authenticated under the session state). STS supports trustworthy timestamp sequences and reduces the chance that a distance is accepted without a valid, session-bound signal structure.

Identity and keys (minimal set, ranging-related only)

Keep the node implementation minimal but robust. The goal is not a full enterprise PKI stack; it is a small, versioned set of identity and key state that can prevent replay and downgrade at ranging time.

• device_id / peer_id: stable identifiers used to bind sessions and logs.
• session_id: short-lived session context; every ranging exchange references it.
• key_version: supports rotation; reject stale versions and log mismatches.
• anti-rollback: prevent firmware/config from reverting to weaker security levels; keep monotonic version evidence.

Performance impact: latency, power, and configuration complexity

Security typically adds steps and compute. The right engineering move is to treat security level as a profile dimension: measure the cost in extra air-time, CPU cycles, and state transitions, then cap the complexity with a frozen default and bounded policies.

• Latency: extra handshake steps reduce achievable update rate under tight duty-cycle limits.
• Power: compute + air-time increase; the average can rise sharply in burst-heavy modes.
• Complexity: more configurations require versioning and logs to keep diagnosis possible.

Decision table: Threat → Protection → Cost (plus evidence)

Use a simple engineering table to decide what to enable by default and what to guard. The evidence column is critical: without logs and flags, secure ranging failures look like “random link issues”.

Make battery life a policy: three knobs that stay measurable

A practical node design controls lifetime via three measurable knobs: interval (how often ranging runs), burst window (how long high-rate updates last), and event triggers (when to wake for ranging).

Duty-cycling modes: interval, burst, and event-driven scheduling

Use a small set of modes that can be reasoned about and logged. The most reliable field behavior comes from bounded policies rather than ad-hoc adjustments.

• Interval mode: predictable updates; easiest to budget.
• Burst mode: short high-rate window for interaction; must have a strict ceiling.
• Event mode: wake on IMU/button/external interrupt; best for low average power.

Energy budgeting that works in practice: “energy per exchange”

The most transferable budgeting method is to treat each ranging exchange (or burst) as a repeatable energy event. Once measured, lifetime becomes a controllable parameter: reduce exchange energy, reduce exchange count, or both.

• Measure: record active window duration and a representative current profile for the exchange.
• Count: log how many exchanges happen per hour/day, including retries.
• Control: tie policy to quality flags so retries do not silently dominate energy.

Peak current and power integrity: how droop turns into timestamp anomalies

Voltage droop during high-current TX/RX or compute windows can destabilize detection and timestamp capture. In the field, this often presents as “random distance jumps” or “unexplained retries” unless power evidence is logged.

• Droop → detect instability: SFD/STS decisions become threshold-sensitive; first-path becomes less stable.
• Droop → digital upset: timebase or state machines can reset/timeout, causing missing or inconsistent timestamps.
• Key separation: power issues must be proven via brownout/reset evidence, not guessed from link behavior.

Evidence logging: the minimum set to distinguish power vs channel vs policy

A small, consistent evidence set prevents “mystery bugs”. These fields should be logged alongside ranging quality flags and policy context, so failures can be bucketed correctly.

Minimal state machine (node-only): predictable scheduling and traceability

A minimal state machine makes behavior stable across releases and enables traceability. Each transition should be logged with a reason code, so the duty-cycle policy remains inspectable in real deployments.

• Sleep → Wake: by trigger_reason (IMU/button/interrupt) or interval timer.
• Wake → Burst: bounded by ceilings; exits on time or quality decline.
• Burst → Cooldown → Sleep: enforce minimum cool-down to avoid thermal/power stress.