Integrity denotes the measure of trust placed in the correctness of the information provided by navigation systems. Safety critical applications require integrity measures to indicate with what level of confidence the navigation information may be used.
Integrity denotes the measure of trust placed in the correctness of the information provided by navigation systems. Safety critical applications require integrity measures to indicate with what level of confidence the navigation information may be used.
Although the existing protection level concept employed by satellite-based augmentation system (SBAS) combined with GPS provides one method to estimate this level of trust, the upcoming Galileo system will employ a different approach — computation of the integrity risk at the alarm limit. Thus, two different approaches will be available within the near future. However, neither the SBAS + GPS method nor the Galileo plan makes use of any additional information provided by other integrity data sources.
This column presents an algorithm and demonstration of a combined integrity approach using data from both integrity concepts. The algorithm is based on the integrity data available on the user side. The presentation will also explore practical implementation issues and the computation of protection levels for calculated integrity risks.
Visions of Integrity
Safety critical applications require consideration of the measure of trust for the position solution derived from the navigation solution. This measure of trust is known as integrity. Users may determine their integrity by receiver autonomous algorithms (RAIM), by using external integrity data sources such as SBAS, or by using integrity data provided within the navigation message as it will be provided by Galileo. This column is dedicated to considerations of the last two approaches, while it has to be pointed out that RAIM algorithms will be part of an overall integrity solution in all cases.
Currently, the SBAS + GPS integrity concept is the only existing source of integrity information for GNSS users on a regional basis. In the form of the Wide Area Augmentation System (WAAS) this concept has been successfully implemented in North America and will be available in Europe through the European Geostationary Navigation Overlay System (EGNOS) within the near future.
A second approach to provide integrity information is foreseen within the current Galileo baseline integrity concept, which is intended to work on a global basis. Both concepts provide different information and use different methods to calculate the integrity measure. The SBAS + GPS approach provides both a horizontal protection level (HPL) and a vertical protection level (VPL), while the Galileo approach calculates the overall integrity risk, PHMI.
Nevertheless, neither the SBAS + GPS integrity concept nor the Galileo integrity plan takes into account the integrity information provided by the other system. This has two consequences: Not incorporating additional information from the other system reduces the complexity of the integrity algorithms, and, as a result, simplifies the certification process because only the system itself has to be certified.
The main disadvantage of a “single system integrity algorithm” is that all modern GNSSs share most of their working principles and provide mostly equivalent measurement data, while at the same time suffering from similar propagation and measurement errors. As a result, the transmitted information needed for integrity assessment is comparable, similar, or even identical.
This system commonality does not justify neglect the additional data even if they are provided by different integrity sources, because the more measurements and integrity information are utilized the better the knowledge of the derived user integrity will be. The only remaining restriction is that the additional integrity source has to be trustworthy and certified.
In this column, after reviewing both integrity concepts in terms of similarities, differences, and basic definitions, we will present combined algorithms using simultaneous data from the SBAS + GPS and the Galileo integrity concept. As background to our discussion of these algorithms, the sidebar “User Integrity Concepts” discusses several key properties of the SBAS + GPS and Galileo integrity concepts.
In general both integrity concepts share basic principles such as signal-in-space (SIS) error and user-to-satellite geometry. Moreover, the fault-free allocation tree within the Galileo integrity concept is very similar to the SBAS + GPS integrity concept, except for (a) the representation of the final result, and (b) the non-fixed allocation for the different protection domains in Galileo.
In order to provide an adequate comparison, we describe the outcome of the SBAS + GPS algorithm in terms of integrity risks (IR) at the alarm limit (AL) and the outcome of the baseline Galileo integrity concept is described in terms of protection levels (PL) at given integrity risks.
Our analysis will demonstrate that protection levels and integrity risks at the alert limit are mathematically an inversion of the same concept but cannot be compared directly. Particularly, different allocations of horizontal and vertical integrity risks allow the user to obtain a family of inverse points to the given horizontal and vertical protection levels.
To facilitate the comparison between SBAS+GPS and Galileo integrity concepts, a numerical implementation is presented that transforms integrity risks into protection levels and vice versa.
In addition to the combined integrity algorithms, the current baseline for the Galileo integrity concept was reviewed carefully and also implemented stand-alone. An outcome of the conducted simulations shows that, up to now, a major point missing in the Galileo integrity concept is the sustained consideration of non–signal-in-space (SIS) errors.
Within publicly available studies only signal-in-space accuracy (SISA) and signal-in-space monitoring accuracy (SISMA) have been simulated and used to derive the theoretical performance of the Galileo integrity concept.
The column presents the integrity risk calculation regarding non-SIS failure sources because these error components are part of the final user integrity risk as well. The results of the tests carried out in this scope suggest that the fulfilment of the required system performance of the current Galileo baseline integrity concept will be challenging for the maximum allowed SISA, SISMA, and local error contributions.
Direct and Indirect Integrity Formulations
Within the following sections, the computation of integrity risks for a given user geometry and specific alarm limits will be denoted as the direct problem, whereas the computation of protection levels for a given user geometry and specific integrity risks will be denoted as the indirect problem.
The GPS + SBAS and Galileo integrity formulations are complementary. GPS + SBAS results in protection levels to given integrity risks, while the Galileo integrity formulation results in integrity risks for given alarm limits. The HPL specifies the maximum allowable horizontal deviation for which the a priori specified integrity risk can be granted and the VPL specifies the corresponding vertical value.
. . .
Deriving Integrity Risks for GPS + SBAS Measurements
As already mentioned the formulation of the integrity risk at the alarm limit is referred to as the direct problem. For reasons of comparability, this section will summarize how to express the protection level formulation of GPS + SBAS into integrity risks at the alarm limit. Different assumptions for, respectively, en route nonprecision approach and precision approach lead to two different formulations.
. . .
Combined Use of Integrity Information
When considering the combined use of integrity information provided by SBAS + GPS and Galileo, one could think of using only SISA within the SBAS + GPS integrity concept by exploiting the similarities leading to (11). This approach would neglect SISMA, because there is no similar parameter within the SBAS + GPS integrity concept on the user side. In any case, this approach is faulty by design due to fundamental system definitions.
. . .
Combined Algorithm
A combined integrity algorithm can be formed by using the data provided by the SBAS satellites within the Galileo integrity equations. SISMA provides the only data not available to the user from the SBAS satellites compared to the integrity information from the Galileo satellites. Within the current baseline Galileo integrity concept, SISMA is needed for the calculation of the “faulty” mode allocation tree.
On the other hand, according to the RTCA MOPS, the SBAS + GPS integrity concept states that all GPS satellites that are spuriously considered healthy by the SBAS ground segment only cause a fixed, geometry-independent integrity risk.
. . .
Integrity Simulation Tool
To be able to estimate the performance of a combined GPS+SBAS and Galileo integrity algorithm, an Integrity Simulation Tool (IST) was developed and implemented in C++ with a platform-independent design in order to accommodate several working tasks.
. . .
Simulation Results
Based on Monte Carlo simulations using the IST the combined integrity algorithm’s performance was validated. All simulations used several basic settings, held constant within the scope of each simulation. The simulation duration is 10 days for each timeline scenario. The simulated Galileo satellite constellation uses a 27/3/1 Walker constellation, while the GPS satellite constellation incorporates real ephemeris data gathered in November 2008.
. . .
Conclusions
The simulations and analyses presented in this column show that the planned performance parameters of the Galileo system now under development are challenging and highly dependent on the clock and orbit accuracy.
Inverting strategies for shifting protection level formulations to integrity risk formulations provide a better comparability of Galileo integrity with SBAS + GPS integrity. Using the most simple inversion strategy — inversion with fixed allocations — one has to pay the price of gradually reduced system availability. Inverting strategies with variable allocations show better results.
The conservative joint of the different integrity risk allocation trees results in an additional additive and geometry-independent integrity risk component for all GPS satellites. The simulation results demonstrate that this additive term in the combined algorithm does not deplete the geometry and redundancy induced advantages. Consequently, combined use of integrity information outperforms either single system used alone.
Beginning October 2009, the EGNOS open service was declared to be operational. Although it provides the same information compared to the future EGNOS SoL service, the EGNOS open service definition document underscores the fact that SoL users should not use EGNOS for safety critical purposes, until the EGNOS SIS and its operator are certified for SoL purposes.
The EGNOS certification process will be closed out mid-year, not allowing until this time the possibility to define SBAS procedures in Europe. This demonstrates the discrepancy between provided and certified integrity data. The combined use of different integrity sources presented in this column shows that enhancements in both availability and achievable protection levels can be expected.
Nevertheless it is the solely decision of all involved service providers to jointly define and certify combined integrity processing schemes, combined equipment regulatory and combined procedures. Also, the providers have to jointly keep the liability for the combined system.
For the complete story, including figures, graphs, and images, please download the PDF of the article, above.
Acknowledgments
The presented work was done within the framework of the UniTaS IV project founded by the Bundesministerium für Wirtschaft und Technologie (BMWi) administered by the Agency of Aeronautics of the DLR in Bonn (FKZ 50 NA 0734). Additionally the authors would like to thank José-Angel Ávila-Rodríguez and Hans Trautenberg.
Additional Resources
[1] Anghileri M., et al, Performance Evaluation of a Multi-frequency GPS/Galileo/SBAS Software receiver, Proceedings ION GNSS 2007, Fort Worth (TX), September 2007
[2] European Comission, EGNOS Service Definition Document, EGN-SDD OS V1.0, October 2009
[3] Lawrence, D., and D. Bunce, N.G. Mathur, and C.E. Sigler, Wide Area Augmentation System (WAAS) – Program Status, Proceedings ION GNSS 2007, Fort Worth, Texas, USA, September 2007
[4] Oehler, V. (2006), and H.L. Trautenberg, J.M. Krueger, T. Rang, F. Luongo, J.P. Boyereo, J. Hahn, and D. Blonski, “Galileo System Design & Performance,” Proceedings ION GNSS 2006, Fort Worth, Texas, USA, September 2006
[5] Oehler, V. (2005), and F. Luongo, H. L. Trautenberg, J.-P. Boyero, J. Krueger, and T. Rang, “The Galileo Integrity Concept and Performance,” Proceedings ENC GNSS 2005, Munich, Germany, July 2005
[6] Oehler V. (2004), and F. Luongo, J.-P. Boyero, R. Stalford, and H. L. Trautenberg, “User Integrity Risk Calculation at the Alert Limit without Fixed Allocations,” Proceedings ION GNSS 2004, Long Beach, California, USA, September 2004
[7] Radio Technical Commission For Aeronautics, Minimum Operational Performance Standards For Global Positioning System/Wide Area Augmentation System Airborne Equipment, RTCA DO-229C, November 2001
[8] Radio Technical Commission For Aeronautics, Minimum Operational Performance Standards For Global Positioning System/Wide Area Augmentation System Airborne Equipment, RTCA DO-229D, December 2006