Integrity Support Message Architecture Designfor Advanced Receiver Autonomous Integrity

Monitoring

Ilaria Martini, Markus Rippl and Michael MeurerGerman Aerospace Center (DLR), Munich, Gemanny

email: Ilaria.Martini@dlr.de,

Markus.Rippl@dlr.de,Michael.Meurer@dlr.de

Abstract—In the near future of multiconstellation andmultifrequency GNSS signals, the users will experiencea significantly increased accuracy, thanks to the largernumber of satellites in view and to the ionosphere freeobservations. Integrity, continuity and availability require-ments will mainly drive the system performance. In thisscenario Advanced Receiver Autonomous Integrity Moni-toring (ARAIM) has attracted significant interest, since itcan provide aviation users with worldwide vertical guid-ance.

This paper aims to contribute to the on-going discus-sion on the ARAIM design analyzing the critical problemsand proposing recommendations for an Integrity SupportMessage (ISM) architecture satisfying the aviation integrityrisk requirement and at the same time maximizing avail-ability and continuity.

Several alternatives for different integrity risk allocationto the satellite, the GNSS ground, the ISM ground andthe user are discussed. In particular three contributionsare provided: an alternative approach for the overbound-ing method used to compute the integrity information,a ground monitoring algorithm for the estimation of theIntegrity Support Message (ISM) and an ISM content designcontaining information in the satellite domain (along-track,cross-track and radial) rather than in the range domain.The improvement in terms of integrity, availability andcontinuity are shown by means of simulations results. Inparticular the reduction of conservatism of the proposedsolution is presented.

BIOGRAPHIES

Ilaria Martini received the Master Degree in telecom-munication engineering and the Ph.D. in information tech-nology from the University of Florence, Italy. She was atthe Galileo Project Office of ESA/ESTEC in 2003, workingon the performance of the Galileo Integrity ProcessingFacility. She was research associate in 2004 at the Uni-versity of Florence and in 2005 at the Institute of Geodesyand Navigation of the Federal Armed Forces Germany inMunich. In 2006 she joined the navigation project depart-ment of Ifen GmbH in Munich. Since 2012 she worksas research associate in the Institute of Communicationand Navigation at the German Aerospace Center (DLR),Oberpfaffenhofen. Her main area of interest is GNSSIntegrity Monitoring.

Markus Rippl received his Diploma in Electrical Engi-neering and Information Technology from Technische Uni-versitt Mnchen (TUM) in 2007. Since then, he has been aresearch fellow with the Institute of Communications andNavigation (IKN) at the German Aerospace Center (DLR),in Oberpfaffenhofen near Munich. His field of work is theintegrity of GNSS-based navigation using receiver-sidealgorithms.

Michael Meurer received the diploma in electrical en-gineering and the Ph.D. degree from the University ofKaiserslautern, Germany. After graduation, he joined theResearch Group for Radio Communications at the Techni-cal University of Kaiserslautern, Germany, as a senior keyresearcher, where he was involved in various internationaland national projects in the field of communications andnavigation both as project coordinator and as technicalcontributor. From 2003 till 2005, Dr. Meurer was active asa senior lecturer. Since 2005 he has been an AssociateProfessor (PD) at the same university. Additionally, since2006 Dr. Meurer is with the German Aerospace Cen-ter (DLR), Institute of Communications and Navigation,where he is the director of the Department of Navigationand of the center of excellence for satellite navigation.

I. INTRODUCTION

The design of the Integrity Support Message (ISM) Ar-chitecture enabling the fulfilment of the aviation precisionapproach requirements for a standalone GNSS receiverwith Advanced Receiver Autonomous Integrity Monitoringtechniques is an interesting and challenging topic. Thispaper aims to contribute to the discussion providingguideline and recommendations for the optimum design.This introduction describes the context and identifies theproblems addressed by the approach proposed in thesecond section.

First of all a short description of the background isprovided. In particular the ICAO aviation integrity re-quirements, the ISM architecture design drivers and thepresent Advanced RAIM concept, are recalled. Secondlythe problem of the error overbounding method, whichimposes strict GNSS design requirements, is discussed.Finally the user point of view is analyzed with respect

to its need of relaxing requirements and simplifying thereceiver algorithms.

A. Context

1) Integrity Requirements for aviation users

The objective of the ARAIM concept is to providethe aviation users with vertical guidance up to preci-sion approach based on multiconstellation GNSS signals.Navigation systems supporting vertical guidance of air-crafts are subject to several requirements governing theirperformance. The requirements are standardized throughthe International Civil Aviation Organization (ICAO). Thetarget operation levels are LPV, LPV-200 and beyond,which are specified in the ICAO Standards And Recom-mended Practices SARPs [1], as follows:

• fault-free accuracy 4m at 95% and 10m at 10−7,

• faulty-case accuracy 15m at 10−5,

• integrity risk 2 · 10−7 per approach.

These represent the most strict requirements forGNSS applications at the present. They refer to smallpercentiles (10−7) and to short operation intervals (ap-proach duration of 150s), on which the user must bealerted within 6s when a failure condition occurs.

2) Advanced RAIM and ISM concept

The ARAIM concept was proposed within the U.S.GPS Evolutionary Architecture Study report [2]. Furtherevolution has been provided by the Working Group CARAIM Technical Subgroup Interim Report [4]. The pro-posed receiver algorithm is based on the Multiple Hypoth-esis Solution Separation method described by [13].

To clarify the notation used in the rest of the paper,the ISM definition is briefly recalled (for details refer to [4]and [13])

The ISM contains two sets of parameters, one todescribe overbounding distributions for integrity purposeand another to describe nominal performance for con-tinuity purpose. The content in particular refers to theUser Range Accuracy (URA) for GPS and to the SignalIn Space Accuracy (SISA) for Galileo, both contained inthe corresponding navigation message1. These valuesrepresent the standard deviations of the distribution over-bounding the satellite orbit and clock errors, i.e. the SignalIn Space Error (SISE). In particular the ISM for the ithsatellite contains:

• αi: scaling factor for the URAi(SISAi) to coverthe integrity requirements,

• βi: scaling factor for the URAi(SISAi) to coverthe continuity requirements,

• Bimax: the maximum bias value of SISE to cover

the integrity requirements,

1In case of GNSS system other than GPS and Galileo analogousvalues for URA(SISA), characterizing the satellite orbit and clockerrors, should be considered

• Binom: the nominal bias value of SISE to cover the

continuity requirements,

• P isat: probability of single satellite fault.

Beside for each constellation, the ISM contains the termPconst, i.e. the probability of constellation wide fault.

3) ISM Architecture Design Drivers

The new concept of ISM/ARAIM represents an in-teresting possibility to meet the strict LPV integrity re-quirements. At present the architecture design is an opentopic, containing several alternatives still to be screened.

Many aspects influence and determine the optimumdesign: liability constrains of the Aviation NavigationService Providers (ANSP) and GNSS Providers, politicagreement among states and certification-standardizationauthorities, economic aspects related to the need to reuseas much as possible existing infrastructure, etc. Thispaper will focus only on the technical aspects. The aimis to contribute to the ongoing discussion, providing amethodology to address the main performance driversand identifying guidelines and recommendations for thedesign.

The main ISM Architecture design drivers are thefollowings:

• the monitoring network in charge of collecting theobservables used to compute the ISM content.Its coverage might be global (e.g. GNSS sen-sor stations network or even an Inter SatelliteLink monitoring network), regional (e.g. SBASlike network) or local (e.g. GBAS like monitoringstations),

• the dissemination network in charge of sendingthe ISM to the final user. Its coverage might alsobe global (e.g. GNSS constellation or internetconnection), regional (GNSS constellation trans-mitting regional information, or subset of a GNSSconstellation, e.g. orbiting only on a specific re-gion, GEO satellites) or local (VHF data link likeVHF Data Brodcasting link of GBAS),

• the ISM latency, i.e. ”the time it takes for theground network to identify an issue in the spacesegment and alert the aircraft to that issue” [4].

Not all the combinations of the previous alternativesare feasible. Most of them do not provide the desiredperformance. The following sections analyze and identifytechnical constrains and guidelines for the optimization.

B. Relax GNSS architecture design requirements relatedto the error overbounding

One of the most critical issues of the GNSS integritymonitoring is estimating position error bounds coveringsmall percentiles. The challenge is finding the best trade-off between inflating the bound to be sufficiently safe andreach the required confidence level (i.e. 10−7) withoutdegrading excessively the continuity and availability. Thisproblem is faced by the user and above all by the ground

segment when trying to provide integrity information tothe user: either the GNSS ground monitoring in comput-ing URA(SISA) but also any other independent groundmonitoring. A previous design of the Galileo integrityservice showed in the past that the costs in terms ofground segment complexity are significant and should becarefully taken into account.

The idea at the present is that a third party can takepart of the integrity risk. This could be the role of theindependent ISM architecture. Through the provision ofan additional integrity message, it could relax contem-poraneously GNSS ground segment and user receiverrequirements.

On the other side, it is important to have a clear anda common understanding of the most critical aspects,because the ISM architecture will need to address andsolve the same problems of the GNSS ground monitoring.This section focuses in particular on the problems relatedto the overbounding method.

1) Overbounding concept

In many situations, the range error is difficult to bemodeled a priori (i.e. in case of strong multipath, whenonly the non line of sight signal can be received and noa priori information can be used). But many stochasticerrors are result of a combination of a large number ofeffects. For the central limit theorem the resultant statisticis Gaussian distributed. For this reason the overboundingis based on the Gaussian distribution model.

Another reason is that this distribution model simplifiesthe processing since the Gaussianity is conserved inlinear transformations: if the ranging errors satisfy theoverbounding in the range domain, the resultant positionerror will be Gaussian distributed with an overboundingstandard deviation given by the covariance propagationmethod. This is guaranteed thanks to the linearity of thegeometry transformation projecting the errors from therange to the user domain.

The overbounding concept allows deriving a conser-vative characterization of the position error from conser-vative models of the range error distributions.

Different definitions of Gaussian overbounding havebeen proposed in the past. ICAO defines the overbound-ing concept in [1] as follows:

If ∫ +∞

y

g1(x)dx ≤∫ +∞

y

g2(x)dx ∀y ≥ 0

and ∫ y

−∞g1(x)dx ≤

∫ y

−∞g2(x)dx ∀y ≤ 0

g2(x) ∼ N(0, σ) is a Gaussian distribution overbound-ing g1(x).

The ICAO concept, like the cumulative density functionoverbounding concept proposed by DeCleene in 2000 [6],is based on the assumption of zero-mean, symmetric, andunimodal distributions.

−5 0 50

0.2

0.4

0.6

Overbounding Pdf

x

Pro

babi

liy D

ensi

ty F

unct

ion

of x

g1 PDFg2 PDF

0 2 4 60

0.2

0.4

0.6

0.8

1

Symmetric Overbounding: sum of tail areas

← G2 overbounding G1

y

G=

1−

∫ y −y

g(x)dx

G1 CDFG2 CDF

Figure 1: Symmetric overbounding concept. The sum of the left andright tails of the overbounding distribution exceeds that of the targetdistribution.

It might be interesting, as discussed for Galileo, tryingto remove the symmetry assumption considering the sumof the tails, as shown in Figure 1, with the followingdefinition:

If ∫ y

−y

g2(x)dx ≤∫ y

−y

g1(x)dx ∀y ≥ 0

g2(x) ∼ N(0, σ) is a Gaussian distribution overbound-ing g1(x).

But in an equivalent way to [6], zero-mean and uni-modality are required.

−6 −4 −2 0 2 4 60

0.05

0.1

0.15

0.2

0.25

0.3

0.35Range error distribution at Worst User Location

Vertical position error (VPE) at WUL [m]

Pro

babi

liy D

ensi

ty F

unct

ion

of V

PE

WU

L

Figure 2: Statistic distribution of the vertical position error due to satelliteorbit and clock at the worst user location, that is the maximum value ofthe signal in space error on the satellite visibility area.This distribution isgenerated in case of instantaneous SISE monitoring where each epochthe SISE for the worst user location is considered. The probability ofSISE WUL being close to zero is also close to zero, in fact for any SISEvector its maximum projection in the range domain is always differentfrom zero.

The zero-mean assumption represents a strong limita-tion, in fact, as the experience with WAAS suggests, smallbiases are always present and cannot be removed (e.g.antenna biases, signal distortions, etc.): the presence ofbiases must be then included in the range measurementsmodel [2].

Besides also the unimodality and symmetry assump-tions are restrictive: in fact the ground monitoring mustconservatively protect the worst user location error, thatis the maximum projection of the range error within thesatellite footprint. This operation generates asymmetricand multimodal distributions like the one displayed inFigure 2, as described by [8].

Other concepts, proposed by [9], [10], [11], [12]overcome the mentioned limitations, because they allowasymmetry, multiple modes, and non-zero means. Butthese methods introduce a significant conservatism andgenerate large bound values which degrade continuityperformance, as described in [15].

This is complicated by the fact that unfortunatelythe true error distributions are not known. The groundmonitoring can only estimate them from a set of sampledata. And the sample size is mostly significantly small toreach the 10−7 integrity risk confidence level.

For example a global network of 30 sensor stationsneeds at least 3 years to collect 108 samples at 1Hzfrom a constellation of 27 satellites. Instead consideringan optimistic correlation time of 1 minute and a limitednetwork coverage, more than 10 years are needed!

The lack of historic data is a problem not only fornew GNSS systems, like Galileo, but also for existingsystems, like GPS and WAAS, which are going to face amodernization period with new signals, new satellites andnew error models (e.g. multipath error with dual frequencyobservations).

Furthermore the certification of the GNSS groundsegment is characterized by stringent safety standards(DAL Level B). They impose even stricter requirementson the error bound estimation, which must be extremelyaccurate in particular during the verification phase.

In conclusion, the high confidence level required bythe requirements, the lack of historic data and the conser-vatism of the overbounding methodologies are problemsto be addressed for the definition of the ISM integrityconcept, as it is described in the next.

2) Integrity Risk Allocation

This section describes the integrity risk allocation(for the notations refer to [1] and [14]) and presents inparticular the role of the different systems involved: GNSSground segment, ISM ground segment and user receiveralgorithm (ARAIM). The scope is to analyze the impactof the overbounding risk on the integrity risk probability.

The overall integrity risk, that is the probability ofhaving an Hazardous Misleading Information without analarm being issued in time, is indicated with PHMI . Ithas three main contributions: the fault free probability,PFFHMI , the narrow failure probability in case of failure

affecting independently each satellite 2, PNFHMI , and the

wide failure probability in case of simultaneous correlatedsatellite failures, PWF

HMI [4].

2Independent failures can affect more satellites simultaneously.

Overall Integrity Risk (PHMI)

Fault Free Integrity Risk (PHMI

FF)

IV,HPMDSV Clock Failure

Signal distortion

...

Narrow FailureIntegrity Risk

Wide FailureIntegrity Risk

POC

Faulty caseIntegrity Risk (PHMI

NF+PHMIWF)

IV,HPMDPOC

Narrow FailureIntegrity Risk

Wide FailureIntegrity Risk

Figure 3: Integrity Risk Allocation Tree

Different threats are identified accordingly to the kindof failure they can generate (narrow or wide). Figure3 shows an example of integrity risk tree, where onlysome threats are shown (satellite clock, satellite signaldistortion, etc.). The threats (wide failures) that affect thewhole constellation (i.e. earth rotation parameter failure[4]) are characterized by the constellation failure proba-bility, Pconst.

The overall integrity risk is given by the sum of thethree contributions:

PHMI = PFFHMI + PNF

HMI + PWFHMI . (1)

For the sake of simplicity in the next sections the focusof this analysis will be on the satellite failure probability,Psat, i.e. on the PNF . As described in [14], each integrityrisk final node contains the product of the failure occur-rence probability POC , the missed detection probabilityPMD and the failure impact on the vertical and horizontalposition error IV,H :

PHMI = POCPMDIV,H (2)

The probability of occurrence POC depends on thenumber of failing satellites f and on the total number ofsatellites N . POC follows a binomial distribution:

POC(f,N) =

(N

f

)(1 − Psat)

N−fP fsat (3)

Figure 4 shows that the occurrence probability of themultiple failure is smaller than twice the double failureone:

POC(f ≥ 2, N) =

N∑f=2

POC(f,N) ≤ 2POC(2, N) (4)

Then the following upper bound for the integrity riskcan be considered

PHMI ≤ PFFHMI + PNSF

HMI + 2PNDFHMI (5)

with PNDFHMI = POC(2, N).

0 10 20 30 40 50 600

0.5

1

1.5

2

2.5

3

3.5

4x 10−9

Multiple Failure vs Double Failure Prb with Psat

=10−6

N

Fai

lure

occ

urre

nce

prob

abili

ty, P

OC

2POC

(f=2,N),

POC

(f>=2,N)

Figure 4: Comparison of occurrence probabilities between multiplesatellite failure and double satellite failure case: POC(f ≥ 2, N) ≥2POC(2, N). A Psat = 10−6 was used for the simulation. An analogousbehavior is observed also for all Psat ∈ [10−4, 10−7].

Regarding PMD, it is observed that in the fault freecase no failure has to be detected, that is PFF

MD = 1.

Besides for the failure cases the worst case is consid-ered where no failure detection is performed at receiverlevel, i.e. PNSF

MD = PNDFMD = 1 and all failure conditions

generate HMI events on the user position, i.e. IV,H = 1.This is a conservative approach, which has the scope tohighlight and isolate the impact of the Psat value on theintegrity risk in the worst case.

It results

PFFHMI = (1 − Psat)

NIV,H (6)

PNSFHMI = N(1− Psat)

N−1Psat (7)

PNDFHMI =

N(N − 1)

2(1− Psat)

N−2P 2sat (8)

Since Psat � 1, Taylor series approximations forPNSFHMI and PNDF

HMI can be used, obtaining

PNSFHMI � NPsat + o(P 2

sat) (9)

PNDFHMI � N(N − 1)

2P 2sat + o(P 3

sat) (10)

Finally, in the worst case conditions

PHMI ≤ (1−Psat)N IV,H+NPsat+N(N−1)P 2

sat+o(P 2sat)(11)

The resulting integrity risk allocation tree is shown inFigure 5.

The integrity risk in the narrow failure case is propor-tional to NPsat and is the most critical one. In fact tohave a PHMI smaller than the 10−7 value specified bythe integrity risk requirement, Psat must be in the sameorder of magnitude.

Since Psat is given by the contributions of the differentthreats, the design must identify for each threat withPOCIV,H > 10−7 a barrier with a sufficiently small PMD.

Whereas for most of the threats finding a barrier andtuning the relative PMD might be not critical, the risk

Overall Integrity Risk (PHMI)

Fault Free Integrity Risk (PHMI

FF)

IV,H

Narrow Single FailureIntegrity Risk PHMI

NFNarrow Multiple Failure

Integrity Risk PHMIWFPOC

Faulty caseIntegrity Risk (PHMI

NF+PHMIWF)

IV,HPMDPOC

NsatP1

NsatP11

IV,HPMDPOC

satNP 21 satPNN

Figure 5: Satellite failure probability impact on the integrity Risk Allo-cation Tree. For the sake of simplicity the different threat contributionsare not reported in the figure.

related to the overbounding remains problematic for allthe intrinsic limitations described in the previous section.

This paper focuses on reducing the impact of thisrisk through the ISM independent architecture, allowingan effective relaxation of the GNSS ground monitoringdesign requirements.

C. Relax receiver design requirements related to Time ToAlarm performance

The integrity risk requirements are expressed in termsof tail probability area. The user actually needs that eachinstantaneous position error does not generate an HMIevent. Unfortunately the stochastic processes are notstationary and any outlier must be monitored.

The detection of high dynamic error has been up tonow allocated to RAIM Fault Detection and Exclusiontechniques. For precision approach operations, their per-formances need to meet TTA and continuity requirementson short operation durations (150s). If ISM could monitoralso high dynamic error, the user requirement could besignificantly relaxed, reducing in particular the receiveralgorithm complexity.

More in details, the ISM design is based on thefollowing parameters:

• TIA (Time to ISM Alarm): interval between theISM reception time at the user receiver and thetime of failure occurrence,

• Tobs: duration of the interval on which the ISMground segment collects observations to computethe ISM content,

• Tdiss: duration of the interval between the ISMtransmission time and the ISM reception time atthe user receiver. The ISM computation durationis included in this term and can be considerednegligible.

• URISM : update rate of the ISM content

ISM Ground Monitoring Observations

22.01.2013 25.06.2013

01.02.2013 01.03.2013 01.04.2013 01.05.2013 01.06.2013

222222222222222000000000001111111111133333333333 -- 0000000000011111111111..00000000000000vvvvvvvvaaaaaallllllllllllllbbbbbbbeeeeeesssssscccccchhhhhhhrrrrrreeeeeeeeii

22.01.2013 25.06.2013

01.02.2013 01.03.2013 01.04.2013 01.05.2013 01.06.2013

13.02.2013 - 13.04.2013

Tidis

ISM Processing and Dissemination

ISM reception by user

000000000001111111111133333333333 -- 2222222222233333333333..000000000000000444.222000111333vvvvvaaaaaallllllllllllllbbbbbbbeeeeeesssssscccccchhhhhhhrrrrrreeeeeeeeiibbuunnggg

13.04.2013 - 23.04.201322

Ti+1dis

111333.000444.222222222222222000000000001111111111133333333333 -- 2222222222233333333333..0000000000000004IInntteerrvvvvvvvvrrrr aaaaaallllllllllllllbbbbbbbeeeeeesssssscccccchhhhhhhrrrrrreeeeeeeeii

111333.000222.222000111333 - 222333.000222.222000111333IInntteerrvrr aallllbbeesscchhrreeiibbunnggg

222444.000222.222000111333 - 111333.000444.222000111333IInntteerrvr aallllbbeesscchhrreeiibbunnggg

22.01.2013 25.06.2013

01.02.2013 01.03.2013 01.04.2013 01.05.2013 01.06.2013

22.00011.22222222000001111133333 - 0000011111..00000Inttteeerrvvvvvvvrrrr aaaallllllllllbbbbbeeeesssscccchhhhhrrrreeee

0SS1SS.0MM2MM.2MM01GG3GGti

0000011111..0000022222..22222000001111133333 - 0000022222..0000044444..22222000001111133333IIIIInnnnttttteeeerrrrvvvvrrrrr aaaallllllllllbbbbbeeeesssscccchhhhhrrrreeeeiiiiibbbbbuuuunnnngggg

01.02.2013 - 02.04.2013

Tiobs

0000022222..0000044444..22222000001111133333 - 0000033333..0000066666..22222000001111133333IIIIInnnnttttteeeerrrrvvvvrrrrr aaaallllllllllbbbbbeeeesssscccchhhhhrrrreeeeiiiiibbbbbuuuunnnngggg

0rrvvrr2vv.0vvaa4aa.2tt0iioo1oo3ooti+1

02.04.2013 - 03.06.2013

Ti+1obs

03.06.2013

ti+2

00000000000033333..0000066666..22222000001111133333 - 2222255555..0000066666..22222000001111133333IIIIInnnnttttteeeerrrrvvvvrrrrr aaaallllllllllbbbbbeeeesssscccchhhhhrrrreeeeiiiiibbbbbuuuunnnngggg

31.01.2013 - 02.04.2013

ISM applicability interval

222222..000111..222000111333 - 222555..000666..222000111333IInttteervrr aallllbbbeesscchhreeiibbbuungg

12.06.2013

ISMi+1

02.04.2013 - 03.06.2013

ISM applicability interval1ll2.04.2013

ISMi

Figure 6: Relationship between TIA, Tobs and Tdiss

Figure 6 shows the relationship between TIA, Tobsand Tdiss.

It is observed that TIAmax = Tobs + Tdiss. Besidesif no overlapping observation intervals are considered,as shown in the figure, URISM = 1

Tobs. Actually, as it

is discussed in the next, to monitor almost stationaryprocess and slow changing errors it is suggested toconsider overlapping intervals (long term monitoring).

Depending on the value of URISM , two types ofmonitoring can be identified as extreme cases. Then thefinal ISM could be any solution in between as well as acombination of both.

1) Long term monitoring

If ISM aims to monitor only the fault free nominalconditions (overbounding) or slow dynamic error for thefaulty case, the ISM does not need to have a high updaterate. In this case the ISM content must be a predictionof the error bound on the future before the next ISM isreceived. This means that the ISM ground monitoring canonly monitor almost stationary processes and/or detectsmall drifting errors, which might generate in the nextinterval an HMI event for the user.

ISM reception by user

2.01.2013 25.06.2013

01.02.2013 01.03.2013 01.04.2013 01.05.2013 01.06.2013

10.04.2013 - 11.06.2013

06.06.2013 - 16.06.2013

TTA

05.02.2013 - 10.04.2013

09.04.2013 - 16.06.2013

TIAi+1

222222.000111.222000111333 - 222555.000666.222000111333IInntteerrvvrrrr aallllbbeesscchhrreeiibbuunnggg

15.04.2013

ISMi

16.06.2013

ISMi+1

Figure 7: Long term monitoring: relationship between TIA versus TTA.In this case the ISM refers to the future

Figure 7 shows the meaning of the ISM, that is a

prediction on the future interval and its relationship withTTA.

2) Short term monitoring

ISM reception by user

2.01.2013 25.06.2013

01.02.2013 01.03.2013 01.04.2013 01.05.2013 01.06.2013

05.04.2013 - 04.06.2013

222222.000111.222000111333 - 222555.000666.222000111333IInntteerrvvrrrr aallllbbeesscchhrreeiibbuunnggg

05.04.2013 - 15.06.2013

TIAi+1

15.04.2013

ISMi

31.01.2013 - 05.04.2013

17.03.2013 - 15.06.2013

TTA

15.06.2013

ISMi+1

Figure 8: Short term monitoring: relationship between TIA versus TTA.In this case the ISM refers to the past (if TIA < TTA)

If ISM aims to address high dynamic failures, it couldbe interpreted as a bound on the past 6s, as displayedin Figure 8.

The ISM design requirements are in this case

• TIA < TTA,

• Tdiss � TTA,

• URISM > 1/TTA.

In this hypothetic extreme case the ISM must beupdated at least every 6s and above all the disseminationdelay must be significantly smaller than the TTA. Thissecond approach has the advantage to protect the useragainst large instantaneous failure, which must be oth-erwise detected by the user. This approach relaxes andsimplify the user integrity monitoring at receiver level.

On the other side the ARAIM concept is based onthe independence of the integrity service from the groundmonitoring. The possibility to provide a shorter term mon-itoring introduced in this paper refers to a short latencyhowever bigger than the 6s, e.g. in the order of minutes.A Fault detection and exclusion algorithm must be usedin any case by the user, because ISM would cover onlythe satellite and constellation failures. But the misseddetection requirements for the receiver algorithm wouldbe relaxed.

II. ISM GROUND MONITORING ALGORITHMS

This section contains the description of the ISM datacontent and the ISM ground monitoring algorithm able toovercome the problems described in the previous section.

The ISM computation algorithm is divided in two parts.

The first one is a long term monitoring aiming tocover the fault free integrity risk. It assesses the validityof the GNSS nominal performances represented by theURA(SISA) values. In case these values do not performa correct overbounding, inflation factors are estimatedand sent to the user through the ISM. This part impacts onthe ISM architecture design in particular on the monitoring

network. In fact its coverage must enable to reach therequired confidence level by collecting a sufficient amountof data.

The second part is a short term monitoring aiming tocover the faulty case integrity risk. This part strongly de-pends on the ISM update rate and consequently impactson the ISM architecture, i.e. on the dissemination networkcoverage.

A. ISM content and format

The bandwidth available to transmit the integrity infor-mation might be limited, as in the case of the URA(SISA)information sent through the GNSS navigation message.Although the satellite orbit and clock error (SISE) canbe estimated by the GNSS ground segment as vectorof three components (along-track, cross-track and radial[8]), the integrity information sent to the user through thenavigation message, URA(SISA), contains scalar valuesbounding the errors in the range domain.

The bounding in the range domain is more conserva-tive than that in the satellite domain. In fact, since anyuser in the satellite visibility area has to be protected, theintegrity bounds are inflated to protect an hypothetic userin the worst location. This might degrade significantly thecontinuity and availability, as it shown in the result section.

This paper suggests to send the vectors of valuesbounding the errors in the satellite domain (along-track,cross-track and radial) rather than the scalar ones in therange domain. The projection in the range domain is thenperformed by the user itself. This approach better fitswith the real user performance. Beside all the involvedalgorithm transformations are linear and the Gaussianstatistic properties are conserved after the convolution:the multimodal distribution effect, shown in Figure 2, isnot present anymore. The achievable improvements areshown in the result section.

The integrity concept proposed in this paper definesthe following ISM data content for the ith satellite:

• αi: vector of scaling factors for the standard de-viation of the along-track, cross-track and radialsatellite orbit and clock error components,

• Binom: vector of mean values of the along-track,

cross-track and radial satellite orbit and clockerror components,

• Bimax: vector of maximum values of along-track,

cross-track and radial satellite orbit and clockerror components.

• P isat: probability of single satellite fault

For the whole constellation, Pconst, i.e. the probability ofconstellation wide fault is contained in the ISM.

Table 1 compares the ISM parameters baseline ([4])and the one proposed in this paper. The proposed ISMcontent differs from the [4] for the following aspects:

Table 1: ISM content baseline versus the proposed one

ISM baseline ISM proposal

αi : scaling factor for theURAi/SISAi to cover the integrityrequirements

αi : vector of scaling factors for thestandard deviation of the along-track,cross-track and radial satellite orbitand clock error components

βi: scaling factor for theURAi/SISAi to cover thecontinuity requirements

-

- Bimax

: vector of maximum valuesof along-track, cross-track and radialsatellite orbit and clock error compo-nents

Binom: the nominal bias value of

SISE to cover the integrity require-ments

Binom

: vector of mean values ofthe along-track, cross-track and ra-dial satellite orbit and clock errorcomponents

P isat: probability of single satellite

faultP i

sat: probability of single satellitefault

Pconst: probability of constellationfault

Pconst: Probability of constellationwide fault

• the information are vectors of three componentsinstead of scalars (except the satellite and con-stellation failure probability, which are scalars inboth cases),

• the term βi is not included in the proposed ISM. Incase the ARAIM MHSS algorithm uses a distinc-tion between continuity and integrity parameters[4], a constant factor between αi and βi canbe used, as proposed in the GEAS report [2]:βi = 0.5αi,

• the Bimax term contains information on the er-

ror upper bound instead of the error distributionmean value. This allows a more effective failuredetection and integrity risk reduction, as explainedhereinafter,

• the Binom term contains the mean values of the

SISE components, whose confidence level ad-dresses the integrity performance and not thecontinuity ones.

Table 2: ISM latency

Parameter Monitoring type Latency

αi long weeks

Binom

long weeks

Psat long months

Pconst long months

Bimax

short seconds or minutes

Table 3: ISM maximum data rate at 0.2 Hz

Parameter Number of bits Data rate in bps

αi 5760 1152

Binom 5760 1152

Bimax

5760 1152

Psat 1920 384

Pconst 64 13

Total ISM 25024 5005

The ISM is constituted of two parts: the αi, Binom,

P isat and Pconst estimated by the long term monitoring,

which can and should have a long latency and the Bimax

estimated by the short term monitoring, which shouldhave a short latency, as shown in Table 2. This shortlatency content must not necessarily be updated every6s. The proposed approach can be applied also with asmaller update rate. Each region and ASNP can decideindependently and provide different services to the user.

The intent is to provide the user also with a shorterlatency monitoring, which enables on one side the es-timation of slow dynamic threats and on the other theestimation of the real satellite and constellation perfor-mance. In fact the integrity model of URA(SISA) is tooconservative and more realistic parameters, like URE orthose provided by a short term monitoring, are neededby the user.

Table 3 shows an estimation of the maximum ISMdata rate reached if hypothetically an ISM latency smallerthan 6s is used to transmit all the parameters (updaterate 0.2 Hz)3. This estimation is provided to assess in aworst case of a single dissemination link the maximumbandwidth needed. The maximum data rate would becirca 5 Kbps, which can fit in a local dissemination linklike the GBAS VHF Data Link (maximum datarate is 31Kbits/s [3]). In case of a global dissemination a satellitelink can sustain such a bit rate.

B. Long term integrity monitoring

The long term monitoring must

• verify whether the URA(SISA) navigation mes-sage information perform the overbounding and ifnecessary to compute the relative inflation factorsαi,

• assess the nominal bias of the signal in spaceerror, Bi

nom,

• eventually, estimate and adjust the Psat and Pconst

values specified by the GNSS providers.

Regarding the first point, the estimation of the stan-dard deviation, σ, overbounding a certain distribution, isusually performed estimating the sample standard de-viation and taking the upper limit of the correspondingconfidence level. In particular an unbiased estimator,used when the sample size is very large, is the standarddeviation of the sample, denoted by SN and defined asfollows:

SN =

√√√√ 1

N − 1

N∑i=1

(xi − x)2

where {x1, x2, ..., xN} are the observed values of thesample items and x is the sample mean value of theseobservations, while the denominator N stands for thesample size.

3A constellation of 30 satellites and 1 double for each parameter wereassumed

Since (N−1)S2N

σ2 follows a chi square distribution withN − 1 degrees of freedom, the following can be stated

P

((N − 1)S2

N

σ2≤ χ2

N−1,1−CL

)= 1− CL

where CL is the confidence level. Equivalently

P

(S

√N − 1

χ2N−1,1−CL

≤ σ

)= 1− CL

The value√

N−1χ2N−1,1−CL

is taken as inflation factor αi

for the standard deviation of the distribution overboundingthe true one.

This paper proposes another method, called quantilemethod and described hereafter. The improvement interms of reduced inflation factors is presented in the resultsection.

1) Overbounding risk as threat

−6 −4 −2 0 2 4 60

0.1

0.2

0.3

0.4

0.5

Overbounding Risk as Threat

N(0,URA/SISA) with probability 1−G

1−G

x [m]

Pro

babi

lty D

ensi

ty F

unct

ion N(0,URA/SISA) with probability 1−G

1−G

y−y

Figure 9: The sample size N used to assess a certain empiricaldistribution identifies a maximum interval [−y, y] for which the over-bounding can be estimated. Only the following assertion can be done:P (|xi| < y) = 1− G. Outside the interval, the lack of information andthe degraded test accuracy don’t allow to perform any assessment.

As described in the first section, the ground moni-toring, both the GNSS than the ISM one, has a limitedsample size available to assess the small percentiles ofthe nominal distribution. Overbounding can be estimatedonly for a certain maximum percentile, depending on thesample size N . If the maximum percentile which can beassessed with enough accuracy is indicated with G, it canbe argued only that with probability 1−G, the sample xibelongs to the central area of the Gaussian distributioncharacterized by the URA(SISA). As shown in Figure 9,only the following assertion can be done:

P (|xi| < y) = 1−G

On the tails of smaller percentiles, no assertion canbe done, since not enough information is available.

This has an impact on the satellite failure probabil-ity, Psat. In fact this value is the result of all possiblefailure probabilities. It is based on design requirements,assessed by the GNSS provider and verified by the ISMsystem provider. The overbounding risk, that is the risk

that the xi belongs to the tails, should be defined as threatand be included in the Psat probability, as follows

Psat =

Nthreats∑j=0

P jthreat +G

This approach allows avoiding the use of overbound-ing methodologies which introduce conservative inflationfactors, degrading significantly the continuity and avail-ability performance and based in any case on unveri-fiable assumptions. And at the same time, it can sig-nificantly relax the ground segment requirements, whichdoes not need anymore to guarantee bounding till smallpercentiles.

2) Quantile Methodology

The methodology proposed to assess this long termstatistic is based on an hypothesis testing approach usingquantile estimation. The algorithm takes also into accountthe estimation accuracy related to the limited sample size.

The objective is to assess whether the URA(SISA)value performs the overbounding of the SISE distribu-tion. This is done observing the empirical distribution ofthe SISE estimations.

The following notation is used: SISE is the scalarvalue containing the satellite orbit and clock error in therange domain and SISE is the vector containing thesame error in the satellite domain (i.e. long-track, across-track and radial components)4.

The computation of the empirical distribution is basedon the samples collected on a certain long batch. Theoverbounding of the URA(SISA) is assessed with anhypothesis testing methodology estimating the quantiles.This method allows to take a margin to control the riskof erroneous failure of the assessment (the ground mon-itoring assessment is wrong due to statistical uncertaintyalthough overbounding in terms of probability indeedwas given). This is important above all when sampledistribution are generated with small sample size.

The samples are generated by the ground monitoringby assessing the satellite orbit and clock failure errorvector, SISE. In particular several GSS observations arecollected by in the ground segment, pre-processed, cor-rected for the network synchronization error, and finallya least square estimation based on the GNSS residualsis performed [8]. The algorithm considers separately thethree components of the estimated SISE and for eachof them verifies the overbounding.

URA(SISA) performs the overbounding of the truedistribution for any boundary y if the following conditionsare satisfied 5

Gl(y) ≤ Gl(y)∀y ≥ 0 (12)

4The satellite clock is modeled in the radial component in order toreduce the number of unknowns and take advantage of the redundancy.

5The ICAO overbounding definition is considered as reference [1]

andGr(y) ≤ Gr(y)∀y ≥ 0 (13)

where the left and right tail weights of the real distributionwith probability density function g(x) are

Gl(y) =

∫ −y

−∞g(x)dx (14)

Gr(y) =

∫ ∞

y

g(x)dx (15)

and the left and right tail weight of the nominal distributionwith probability density function g(x) are

Gl(y) =

∫ −y

−∞g(x)dx (16)

Gr(y) =

∫ ∞

y

g(x)dx (17)

with g = N(0,URA(SISA)).

The probabilities Gl and Gr cannot be exactly de-termined. They can be estimated by determining thefrequency of samples that are respectively less than yand greater than +y:

Gl(y) =nl,y

N(18)

andGr(y) =

nr,y

N(19)

where nl,y is the number of samples xj with xj < −y,nr,y is the number of samples xj with xj > y and N totalnumber of samples. To simplify the algorithm, the SISEsamples xj are normalized with respect the URA(SISA)values to be verified. With this normalization the tail areascan be compared directly with standard normal tails.

This estimation is repeated for different y values andperformed separately for each error component6.

The method considers separately the verification ofthe left and right tail and then combine the inflation factorstaking the maximum of both. Hereafter the algorithm forthe left tail, for one percentile and one error componentis explained.

An hypothesis test method is used, defining the fol-lowing hypothesis:

H0 : Gl(y) ≤ Gl(y)

H1 : Gl(y) > Gl(y)(20)

The important assumption is taken that the observedsamples are mutually uncorrelated. The correlation timeis assumed known ”a priori”, provided by the GNSSsystem provider or estimated during a preliminary ground

6Since URA(SISA) refers to the norm of the SISE vector, ascaling factor (1/

√3) should be included in the normalization. But the

URA(SISA) values bound the vector projection and not the vectornorm. Then for safety reason the scaling factor is not included. Never-theless for algorithm tuning, this aspect should be taken into accountand eventually the scaling factor included.

monitoring initialization phase. The correlation time mustbe taken into account for the sampling rate.

The number of tail samples nl,y follows a binomialdistribution:

P (nl,y = x) =

(N

x

)(1− p)N−xpx, (21)

where p = Gl(y).

In order to guarantee a certain α-risk, that is theprobability of erroneously rejecting the H0 hypothesis, thethreshold xT for this binomial distribution is computed forwhich

P (nl,y > xT ) ≤ α (22)

where

P (nl,y > xT ) = 1−xT∑n=0

(N

n

)(1− p)N−npn (23)

and p = Gl(y).

The corresponding threshold for the sample frequencyis given by

pl,T (y) = xT /N (24)

It is observed that with this test threshold, for anyvalue of Gl for which Gl(y) < Gl(y), the probability oferroneously rejecting H0 is smaller than the α-risk, asshown in Figure 10.

0 G0

0.02

0.04

0.06

0.08

0.1

0.12

0.14

G =nL,y

Ns

Bin

omia

l Dis

trib

utio

n

N = 1e+04, GL= 1e−03

Sample Distribution

pT=X

T/N

α risk

Figure 10: Hypothesis Testing Threshold

The overbounding is verified, if for each consideredboundary y the observed frequency of samples biggerthan y is less or equal to the corresponding threshold.

Gl(y) ≤ pT (y) (25)

In case the overbounding test is not passed, an in-flation factor Kl(y) is computed. In particular for each y,the minimum inflation factor Kl(y) is found, for which thenumber of samples nK

l,y, for which xi

Kl(y)≤ y satisfies

GKl (y) =

nKl,y

N= pT (y) (26)

Afterwards the maximum is taken among different y

Kl = maxy

Kl(y) (27)

and between the left and right tail inflation factors:

K = max(Kl,Kr) (28)

Table 4: Hypothesis Test Thresholds and minimum detectable tail withN = 1000, α = 10−3 and β = 10−2

y Standard TailG(y)

Left/Right Tail Thresh-old pT (y)

Minimum DetectableTail GMD(y)

0.5 0.3085 0.3540 0.3902

1.0 0.1586 0.1950 0.2258

1.5 0.0668 0.0920 0.1154

2.0 0.0227 0.0390 0.0556

2.5 0.0062 0.0150 0.0265

3.0 0.0013 0.0060 0.0145

3.5 0.0002 0.0030 0.0100

The overbounding test thresholds, given a certain α-risk, are computed offline and a lookup table is used toperform the test. An example is provided in Table 4.

The algorithm is performed and repeated separatelyfor each satellite and error component and provides thevalues of αi, that is the estimated K factors.

It is possible to characterize the test accuracy ob-serving the algorithm resolution shown in Table 4. In factgiven a certain hypothesis test threshold, a β-risk canbe defined and the relative minimum detectable tail areaidentified. GMD is the minimum value of G > G for whichthe probability of erroneously deciding for H0 is smallerthan β-risk.

The differenceGMD −G

G

represents the relative test resolution and provides ameasurement of the algorithm accuracy for which themissed detection capability is guaranteed.

3) Algorithm

The long term ISM ground monitoring aims checkingwhether URA(SISA) performs the overbounding and ifnot, it computes inflation factors for URA(SISA) andsend them to the user through the ISM. The algorithmoutputs are the αi vector for each satellite, given as inputthe samples of the estimated SISE components andthe URA(SISA) navigation message information. Thealgorithm steps, for satellite i and each error component,SISEj of the SISE vector, are the following:

1) For each y value in the Table 4,a) Compute the N samples

xt =SISEj,t

σ

with σ = URA for GPS, σ = SISA forGalileo satellite and t = 1...N ,

b) Compute the relative frequency

Gl(y) =nl

N

where nl is the number of samples xt forwhich xt < −y,

c) Compare the relative frequency Gl(y)with pl,T corresponding to current y con-tained in Table 4,

d) If Gl(y) > pl,T , find iteratively the mini-mum Kl(y) value for which

GKl (y) =

nKl

N≤ pl,T

where nKl is the number of samples xt

for which xt

Kl(y)< −y,

e) If Gl(y) ≤ pl,T , set Kl(y) = 1,2) Compute the Kl = max

yKl(y),

3) Compute the inflation factor Kr for the rightdistribution tail analogously to the left tail one,Kl,

4) Compute αi,j = max(Kl,Kr).

Besides, the mean value of each SISE componentand for each satellite is assessed as follows

Bnom,j =1

N

∣∣∣∣∣∣N∑j=0

SISEj

∣∣∣∣∣∣+tc,N−1σ√

N

where σ = αi,jURA for GPS and σ = αi,jSISA forGalileo and tc,N−1 is the percentile value of a t-Studentdistribution with N − 1 degrees of freedom relative to theconfidence level c. The confidence level is derived bythe maximum y value verifiable with the available samplesize, N .

Finally the Psat and Pconst can be verified. In partic-ular these probabilities can be assessed evaluating therelative frequency of respectively the satellite and constel-lation failures on the whole available data history. Theseestimations are compared with the values specified by theGNSS providers and/or eventually conservatively updatedthrough the ISM.

It is in any case suggested to use for Psat and Pconst,the values specified by the GNSS providers. Their estima-tion at ISM should be discarded due to the no stationarityof the processes involved and to the long observationperiod required to reach a significant confident estimation.

C. Short term integrity monitoring

The possibility to introduce also a short term mon-itoring has the scope to characterize more closely theconstellation and satellite performance and cover part ofthe integrity risk for the faulty case. This is performedby computing the error parameters, Bi

max, which containupper bounds of the signal in space errors.

[2] and [4] indicate that the Bimax values represent a

conservative estimation (maximum) of the mean valuesof the SISE distribution.

This paper proposes to use this term in order tocover high dynamic failures and relax the receiver FDErequirements. To cover the failure condition, the Bi

maxvalue should provide information on the tail area, morethan on the mean value [5]. This is done by fixing a priori acertain risk probability γ and observing each satellite errorcomponent, SISEj , on a certain interval. The SISEj

upper limit, Bmax,j , is then computed, in order to have

P (∣∣SISEi

j

∣∣ ≥ Bimax,j) ≤ γ

To relax the user requirements for the instantaneousfailure detection, the short term monitoring should ideallybe updated at least every 6s (TTA). In this way the ISMground monitoring could compute the maximum value ofthe SISE on intervals of 6s. This value is then inflatedto take into account the ground estimation accuracy pro-vided by the inverse diluition of precision and the sensorstations range noise. The obtained value would representthe Bi

max value. But this approach would represent aSBAS-like integrity service. And for ARAIM it is intendedto have an ISM latency bigger than the TTA.

With TIA > TTA (or TIA TTA), the ISM groundmonitoring can still detect slow dynamic errors, i.e. smalldrifting errors. For a given short term TIA, the specific er-ror dynamic detectable by the ISM short term monitoringmust be identified. The ISM short term monitoring canaddress only the identified errors characterized by the apriori model. To this purpose, it can estimate the errordrift corresponding to the model, predict the error on thefuture interval and detect possible HMI event. The Bi

max isthen a prediction with confidence level γ of the maximumerror during the next operation interval. This covers onlythe errors with the dynamic identified a priori. It does notexclude the occurrence of big outliers generated by higherdynamic errors.

In this case the integrity risk allocation must distin-guish between slow dynamic and high dynamic threatsand identify separately the detection strategy. With TIA >TTA, part of the detection of high dynamic failures mustbe allocated to the user ARAIM algorithm.

The short term monitoring should be in charge alsoto flag a satellite as unhealthy (by setting for examplethe Bi

max parameters to invalid value, e.g. -1) in case oflarge and persistent errors. The user can then discard thesatellites declared unhealthy by the ISM ground monitor-ing.

Since Bimax contains the three vector components,

the unhealthy flag should be set independently for eachof them, allowing a selection strategy at receiver level,depending on the specific geometry and requirement. Forexample a user interested only on lateral guidance (e.g.a ship or an aircraft not in a final approach phase, etc.)might in any case want to use satellites at zenith withradial SISE component flagged as unhealthy.

D. User algorithm

The user algorithm which mostly suits the short la-tency approach is similar to the integrity risk algorithms,

proposed by Oehler [7] and that proposed by Mach [5] forGalileo. The most important advantage of this concept isthat the integrity risk allocation is not fixed among verticaland horizontal components, as in [4]. The user does notcompute a protection level, but calculates directly theintegrity risk at alert limit level ([7]).

But the proposed algorithm has the following importantdifferences:

• for the fault free mode the signal in space er-ror distribution to be considered is not a zeromean Gaussian distribution with standard devi-ation URA(SISA), N(0, URA(SISA)), but threebiased Gaussian distributions for the along-track,cross-track and radial signal in space errorwith inflated standard deviations N(Bi

nom,j , αij ·

URA(SISA)),

• for the faulty mode the signal in space error mustbe considered bounded by Bi

max,j with a riskprobability γ ([5]),

• multiple failures are included in case the oc-currence failure probability is not negligible withrespect to the integrity risk.

The user estimates the overall integrity risk by addingseveral contributions, from fault free to single and multiplefailure cases. Each contribution is given by the tail areadelimited by the alert limit. Each faulty case should beincluded only if the relative probability of occurrence POC

is not negligible with respect to the integrity risk.

−8 −6 −4 −2 0 2 4 6 8 100

0.05

0.1

0.15

0.2

0.25

Vertical position error (VPE) [m]

Pro

babi

tity

Den

sity

Fun

ctio

n

User Integrity Algorithm model

Fault free VPE pdfFaulty case VPE pdf

AL

N(μFF

,σFF

) N(μNF

,σNF

)

μNF

Figure 11: User integrity algorithm: vertical position error distributionsfor the integrity risk user algorithm.

Figure 11 shows the vertical position error distributionsconsidered for the integrity risk computation. In the plotonly the fault free case and the narrow single faultycase are displayed. The user algorithm considers also,if needed, the multiple failure case.

Before starting with the integrity risk computation,the user has to project the signal in space vectorialinformation (α, Bnom and Bmax) into the range domain(α, Bnom and Bmax).

The vertical position error distribution is a Gaus-sian distribution, whose mean value μFF and the

standard deviation σFF are obtained considering forall range errors the fault free Gaussian distributionN(Bnom,

√ασ2

sv + σ2tropo + σ2

user), with σsv = URA forGPS and σsv = SISA for Galileo. Estimation models ofthe tropospheric and receiver local error, i.e. σtropo andσuser , are provided in [4].

The faulty case mean value μNF and the stan-dard deviation σNF are obtained considering forall fault-free range errors the Gaussian distributionN(Bnom,

√ασ2

sv + σ2tropo + σ2

user) and for the faulty range

error the distribution N(Bmax,√σ2tropo + σ2

user). In factthe satellite orbit and clock error contributions are alreadycontained in the inflation of Bmax,j and its correspondingrisk probability γ.

The fault and detection exclusion algorithm based onthe solution separation method proposed by the MHSSalgorithm [4] must be used in both cases to have thenecessary failure detection capability at receiver level.

III. RESULTS

This section presents the performance of the pro-posed integrity concept and the ISM processing algo-rithms by means of Monte Carlo simulations.

A. ISM content in the satellite domain

If ISM contains vectors bounding the single errorcomponents instead of scalars, integrity, continuity andavailability performance are improved. This section showsthe improvement in term of reduction of the ISM param-eters.

α β Emax

Emin

Er

R

Worst User Location

Best User Location

Figure 12: Signal In Spacer Error vector projected within the satellitefootprint. The worst user location (WUL) and the best one (BUL) areidentified. In the figure r = 6371km, R = 26600km and α = 13.86.The user masking angle is assumed zero.

Different Signal In Space Errors, E in Figure 12,have been generated and their projections in the satellitevisibility area have been analyzed. In particular the ratiobetween the minimum and the maximum projections hasbeen observed. The goal is estimating the degradationexperienced by a user located in the best user positionwhen applying the error of the worst user location. Figure12 shows the geometry of the problem.

Figure 13 shows the ratio between the minimum andthe maximum projection for different angles β,

0 50 100 150 2000

0.2

0.4

0.6

0.8

1Ratio between minimum and maximum projection

β [°]

(Em

in/E

max

), α

max

= 1

3.86

°

(Emin

/Emax

)

Figure 13: Ratio between the maximum and the minimum SISEprojection in the satellite visibility area versus the angle β.

R(β) =

∣∣∣∣Emin

Emax

∣∣∣∣

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 10

0.2

0.4

0.6

0.8

1Comparison of minimum and maximum error projection

Emin

/Emax

Cum

ulat

ive

Den

sity

His

togr

am

Cdf of Emin

/Emax

P(Emax

≥2Emin

)=0.37

Figure 14: Cumulative distribution of the ratio R(β) =∣∣EminEmax

∣∣and Figure 14 the relative cumulative density his-

togram. Both plots show that there are many cases,where a user located in the best position can experiencean inflation factor bigger than twice the one he wouldactually need to meet the integrity risk requirements. Inparticular in 35% of the cases the minimum error canbe smaller than half the maximum and in 60% of thecases smaller than 1.5 the maximum. These factors areproportionally degrading the protection level. Sending theintegrity information in the satellite domain, allows to re-move the conservatism of the worst user location conceptand improve continuity and availability performance.

B. Quantile method with respect to sample standarddeviation method

This section shows the performance of the quantilemethod described in the second section with respect tothe sample standard deviation method.

Figure 15 shows, for a specific value of G = 10−4, αand β risk, the quantile method accuracy, i.e.

GMD −G

G

Increasing the sample size N with respect to tail per-centile G, the method accuracy increase and the mini-mum detectable tail gets closer to the nominal one, as itis shown in Figure 16.

0 GL T Gmd0

0.05

0.1

0.15

G = nl,y/N

Bin

omia

l Dis

trib

utio

n

Ns = 1e+04, G

L = 1e−03

Sample DistributionMinimum Detectable

Figure 15: Estimation accuracy of the quantile method based onhypothesis testing. In this case G = 10−4 and N = 104

10 100 10000

0.5

1

1.5

2

2.5

N*G(G

md−

G)/

G

Quantile method accuracy, Alpha Risk = 1e−04, Beta Risk = 1e−01

Test Accuracy = (Gmd

−G)/G

Relative accuracy 0.5

Figure 16: Quantile method estimation accuracy versus NG

In particular it is shown that to have a relative accuracyof 0.5 at least 100

Gsamples are required. This represents a

general rule of thumb for the minimum number of samplesneeded to have acceptable long term monitoring accu-racy. Usually it is commonly assumed that the minimumsample size needed to estimate a tail area G is N = 1

G .But actually a factor 100 is needed (N = 100

G ) to have asufficient estimation accuracy, as shown in Figure 16.

Figure 17 and Figure 18 shows that the quantilemethod provides a smaller inflation factor overall (exceptfor percentiles smaller than 0.5 which are not relevant forintegrity purpose). For y = 2 the inflation factor of thesample standard deviation method is even twice that ofthe quantile method.

C. Upper bound instead of mean value for the short termmonitoring

This section describes the comparison between thevertical protection levels computed with the MHSS ap-proach proposed in [4] with that proposed in this paperwith a short latency ISM.7.

The following parameters were used:

• PHMI = 2 · 10−7,

• user grid masking angle 5

7The new user algorithm would foresee an estimation of the integrityrisk instead of the protection level. In order to compare the twoalgorithms the protection level approach was used for the new useralgorithm.

0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 50

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1Symmetric Overbounding Tails

y

nominalstandard deviation methodquantile method

Figure 17: Comparison of sample standard deviation method versusthe quantile method in terms of inflation factors of URA(SISA). Forthe sake of simplicity for the overbounding the sum of the left and righttails are displayed in the results, although the quantile method foreseesthe verification separately of the left and right tails.

0 0.5 1 1.5 2 2.5 30.5

1

1.5

2

2.5

3

3.5Sample standard deviation method versus quantile method

y

IFS

ampl

e S

tand

ard

Dev

iatio

n/IFQ

uant

ile

Figure 18: Ratio between the inflation factor of the sample standarddeviation method and that of the quantile method

• Psat = 10−5,

• 24 GPS and 24 Galileo satellites8,

• γ = 10−2 for the short term monitoring risk(KISM = 2.5),

• SISE ∼ N(0.1m, 0.5m),

• standard deviation of the sensor station measure-ment noise (Gaussian distributed): 0.5m,

• URE = 0.5m for GPS and URE = 0.67m forGalileo,

• URA = 0.75m for GPS and URA = 0.957m forGalileo,

• Bnom = 0.1m for GPS and Bnom = 0.1m forGalileo,

• Bmax = 0.75m for GPS and Bmax = 0.75m forGalileo.

Figure 19, Figure 20 and Figure 21 show the compar-ison between the protection level computed with the tra-ditional MHSS approach and that proposed in this paper.

8A smaller-than-nominal constellation was chosen to allow for bettervisibility of the performance difference between the algorithms.

Figure 19: Comparison of MHSS versus New Protection Level

0.5 1 1.5 2 2.50

0.005

0.01

0.015

0.02

0.025

VPLMHSS_PRED

/VPLNEW

VPLMHSS_PRED

/VPLNEW

PD

F o

f VP

L MH

SS

_PR

ED/V

PL N

EW

Figure 20: Probability Density Function of the ratio between the MHSSProtection Level and the New one

The user algorithm proposed by the paper improves theavailability and continuity by providing smaller protectionlevels.

The results depends on the simulation scenario usedand in particular on the risk allocated to the long andto the short term monitoring and on the ISM groundmonitoring geometry. In the specific simulation scenario,80% of the cases present a smaller protection level ifcomputed with the new approach.

Figure 22 and Figure 23 show also the improvementof the proposed approach in terms of availability map.

D. ISM Architecture comparison

This section describes how the integrity risk is sharedamong the different systems involved (GNSS, ISM anduser). In particular shows the impact of the proposedintegrity concept and methods on the integrity risk tree.The overall tree is illustrated in Figure 24.

First of all, the result of the combination of GNSS andISM long term monitoring on the failure occurrence proba-bility Psat is analyzed. It is observed that the ISM shouldperform a verification of the GNSS information with anindependent methodology. It should not repeat the samesatellite orbit and clock error estimation performed by theGNSS ground segment, otherwise there is no effectiverisk reduction. In fact the goal of the ISM monitoring isto generate a probability PMD multiplying the POC . Thisrequires an independent method, aiming to verify ratherthan to repeat the process.

0.5 1 1.5 2 2.50

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

VPLMHSS_PRED

/VPLNEW

VPLMHSS_PRED

/VPLNEW

CD

F o

f VP

L MH

SS

_PR

ED/V

PL N

EW

Figure 21: Cumulative Density Function of the ratio between the MHSSProtection Level and the New one

99.5% VPL: 19.19 m avg., 35m avail = 100.00%< 10 < 15 < 20 < 25 < 30 < 35 < 40 < 50 > 50

Longitude (deg)

Lat

itu

de

(deg

)

GPS+Galileo: VPL for URA = [0.75 0.96]m, bmax

= [0.75 0.75]m, PFAULT

=10−5, PCONST

= 0

−150 −100 −50 0 50 100 150−80

−60

−40

−20

0

20

40

60

80

Figure 22: MHSS availability map

For example the sample standard deviation methodperforms an overbounding estimation analogous to theGNSS ground monitoring estimation. The two corre-sponding risks cannot be multiplied, in fact the GNSSand the ISM observes two representations of the samestochastic process.

That is why the proposed quantile method has a differ-ent purpose: it verifies the validity of the GNSS estimationwith an independent method. To perform that, it fixesa priori a false alarm probability (α-risk), and a misseddetection probability (β-risk). These values are then usedto compute the satellite failure probability resulting fromthe combination of GNSS and ISM monitoring.

For the overbounding methodology defined in theprevious section, given a certain sample size N only amaximum percentile y corresponding to the tail area Gcan be verified. The relationship between GGNSS andGISM depends on the corresponding sample size.

If NISM ≥ NGNSS, the ISM ground monitoring canverify with enough accuracy the maximum percentileyGNSS referred by URA(SISA). In this case the over-bounding risk of the inflated URA (or SISA) is given byGGNSSβISM where βISM is the hypothesis testing β riskof the long term monitoring.

It is important for the quantile method to have enoughaccuracy and tune properly the different risk probabilities.In fact, as displayed in Figure 15, for all the tail areasbetween G and GMD the missed detection probability (βrisk) cannot be guaranteed. It is then important to keepthis interval sufficiently small. A rigorous mathematical

99.5% VPL: 14.27 m avg., 35m avail = 100.00%< 10 < 15 < 20 < 25 < 30 < 35 < 40 < 50 > 50

Longitude (deg)

Lat

itu

de

(deg

)

GPS+Galileo: VPL for URA = [0.75 0.96]m, bmax

= [0.75 0.75]m, PFAULT

=10−5, PCONST

= 0

−150 −100 −50 0 50 100 150−80

−60

−40

−20

0

20

40

60

80

Figure 23: New approach availability map

Overall Integrity Risk (PHMI)

Fault Free Integrity Risk (PHMI

FF)

IV,H Narrow Single FailureIntegrity Risk PHMI

NFNarrow Multiple Failure

Integrity Risk PHMIWF

POC

Faulty caseIntegrity Risk (PHMI

NF+PHMIWF)

IV,HPMD

POC

IV,H

PMD

POC

NISMISMsat

GNSSsat PP },max{1

ISMISMsat

GNSSsat PPN },max{

ISM

2},max{1 ISMISMsat

GNSSsat PPNN

2ISM

Figure 24: Integrity risk allocation tree with ISM integrity monitoring

approach would require to consider for each tail areain between the corresponding missed detection value,defining the function of the missed detection probabilityversus the threat magnitude, as proposed in [14]. To keepthe approach simple, it is suggested to tune the algorithmparameters and define a small interval GMD −G/G (e.g.0.05). Then the corresponding β risk value can be usedin the integrity tree, as shown in Figure 24.

In case instead NISM ≤ NGNSS, the maximum ISMpercentile is smaller than the GNSS one: yISM ≤ yGNSS.The conclusion is that

GGNSS+ISM∼= max(GGNSS , GISM )βISM

From this relationship, it can be concluded that theISM long term monitoring leads to an appreciable integrityrisk reduction if GISM ≤ GGNSS , i.e. if the ISM samplesize is larger than the GNSS one. The realization of thismight face feasibility problems.

The short term monitoring however has a differenteffect. In fact the γ risk, defined in the short term monitor-ing, directly multiplies the GGNSS+ISM risk and the riskreduction can be more effective.

In both cases it is shown how the real added valuein terms of risk reduction results by ISM ground monitor-ing methods which verify the GNSS performance more

than repeat an analogous monitoring. This leads to riskprobability reduction through probability multiplication.

IV. CONCLUSION

The design of an ISM architecture enabling the fulfill-ment of the ICAO precision approach requirements witha stand alone GNSS receiver is an interesting topic, whileits details are challenging due to ambitious goals.

First of all the overbounding methodology has to meetthe integrity risk requirements expressed in terms ofsmall probabilities with a limited amount of data. Severalmethods have been investigated in the past, but they havestrict assumptions and are extremely conservative.

This paper uses a different approach. It fixes the over-bounding risk as the maximum tail area estimable with theavailable sample size, defining it as threat and modelling itin the satellite failure probability Psat. This allows to relaxthe GNSS ground monitoring design requirements andconsequently the number of needed sensor and uplinkstations.

Besides it proposes two ISM ground monitoring algo-rithms: a long term monitoring covering the fault free caseusing a quantile method based on an hypothesis testingapproach. This method improves continuity and avail-ability through reduced ISM inflation factors with respectto usual sample standard deviation method. Secondly ashort term monitoring is proposed, where the maximumSignal In Space errors rather than conservative meanvalues are estimated. This additional monitoring allowsto relax the receiver design requirements and to havesimple user algorithms. Finally a different ISM contentwith respect to the present definition is proposed. Thecombination of these proposals improve the continuityand availability performances providing reduced protec-tion levels.

The overall study provides guidelines and recommen-dations for an optimum ISM architecture design, in orderto have an efficient and effective integrity risk reductionboth for the GNSS ground segment and for the user.The best ISM performance can be reached if the ISMlong term monitoring system uses a longer observationinterval than the GNSS ground segment. This mightbe unfeasible due to the lack of historic data. On theother side the short term monitoring can also providean effective and significant risk reduction. The paperprovides methodologies to quantify the ISM monitoringperformance and compute the architecture design param-eters.

A potential improvement of the system performancewith respect to present algorithms is demonstrated bymeans of Monte Carlo simulations. The validation of thisactivity with real data is ongoing. In particular a globalmonitoring network of around 15 stations, available atDLR (EVnet and Congo), will be used to characterizeGNSS constellation threats, estimate ISM and investigateARAIM algorithms. The user ARAIM algorithm perfor-mance will be then finally verified during a flight cam-paign.

REFERENCES

[1] ICAO, Annex 10, Aeronautical Telecommunications, Volume 1,Amendment 84, published 20 July 2009. GNSS standards andrecommended practices (SARPs) in Section 3.7 and subsections,Appendix B, and Attachment D.

[2] Phase II of the GNSS Evolutionary Architecture Study, February2010. 〈http://www.faa.gov/about/office org/headquarters offices/ato/service units/techops/navservices/gnss/library/documents/media/GEASPhaseII Final.pdf〉

[3] RTCA DO-246D, December 16, 2008, ”GNSS-Based Precision Ap-proach Local Area Augmentation System (LAAS) Signal-In-SpaceInterface Control Document (ICD)”, Section 2.1. ”RF TransmissionCharacteristics”

[4] GPS-Galileo Working Group C ARAIM Technical Subgroup InterimReport (Issue 1.0, 19 December 2012) http://www.gps.gov/policy/cooperation/europe/2013/working-group-c/ARAIM-report-1.0.pdf

[5] J. Mach et al. ’Making GNSS Integrity Simple and Efficient A NewConcept Based on Signal-in-Space Error Bounds’, in Proceedingsof the ION GNSS 2006, Forth Worth, TX

[6] DeCleene B (2000) ’Defining Pseudorange Integrity Overbound-ing’, in Proceedings of the ION GPS 2000, 1916-1924.

[7] Oehler V et al., ’The Galileo Integrity Concept’, in Proceedings ofthe ION GNSS 2004, Long Beach CA

[8] Carlos Hernandez Medel et al., ’The Galileo Ground Segment In-tegrity Algorithms: Design and Performance’, International Journalof Navigation and Observation, Volume 2008, Article ID 178927

[9] Schempp, T. R. and Rubin, A. L., ’An Application of GaussianBounding for the WAAS Fault-Free Error Analysis’, in Proceedingsof the ION GPS meeting, Portland, OR, 2002.

[10] Rife J, Pullen S, Pervan B, and Enge P., ’Paired overbounding andapplication to GPS augmentation’, in Proceedings IEEE Position,Location and Navigation Symposium, Monterey, California, April2004.

[11] Rife J, Pullen S, Pervan B, and Enge P., ’Core overbounding andits implications for LAAS integrity’, in Proceedings of ION GNSS2004, Long Beach, California, September, 2004.

[12] Rife J, Walter T, and Blanch J, ’Overbounding SBAS and GBASerror distributions with excess-mass functions’, in Proceedingsof the 2004 International Symposium on GPS/GNSS, Sydney,Australia, 6-8 December, 2004.

[13] Blanch at al., ’An Optimized Multiple Solution Separation RAIMAlgorithm for Vertical Guidance’, in Proceedings of the ION GNSS2007, Forth Worth, TX, September 2007

[14] F. Amarillo, P. D’Angelo, ’New Developments for the user IntegrityProcessing with Galileo Implementation and Testing of Galileouser Integrity Algorithms’, in Proceedings of the 22nd InternationalMeetingof the Satellite Division of The Institute of Navigation,Savannah, GA, Semptember 2009

[15] Blanch at al., ’Understanding PHMI for Safety of life applicationin GNSS’, in Proceedings of the ION NTM 2007, San Diego,California, January 2007