Autonomous Integrity - Inside GNSS - Global Navigation Satellite Systems Engineering, Policy, and Design

Autonomous Integrity

In trying to ensure integrity of GNSS navigation systems for civil aviation, various approaches have produced a range of different concepts, most of which assume the computation of a protection level. This computation is usually accomplished either autonomously (that is, entirely based on information gathered by the user receiver) or with some degree of external assistance.

In trying to ensure integrity of GNSS navigation systems for civil aviation, various approaches have produced a range of different concepts, most of which assume the computation of a protection level. This computation is usually accomplished either autonomously (that is, entirely based on information gathered by the user receiver) or with some degree of external assistance.

Such information may be provided by integrity augmentation systems (for example, space-based or ground-based augmentation systems — SBAS and GBAS). It may also be provided directly by the GNSS constellation, as it is foreseen with the future GPS III — remarkably enough, the GPS SPS Performance Standard already includes integrity performance specifications — and Galileo.

Autonomous protection-level computation techniques, however, have never been seriously considered as reliable sole means for ensuring integrity in safety-of-life (SoL) applications, not only because of the poor performances achieved, but also due to the somewhat delicate assumptions all of them rely upon. As a result, such techniques have mostly been considered as complementary to external integrity systems. One example: GPS+receiver autonomous integrity monitoring (RAIM) is not allowed as a primary navigation means for precision approach operations.

Recently, in regard of the improvements on accuracy and reliability expected from the future constellations GPS III and Galileo, new approaches have been proposed for the apportionment of integrity requirements. This is reflected, for instance, in the conclusions presented in the Phase I report of the USA GNSS Evolutionary Architecture Study (GEAS). The report suggests that the allocation of the burden for providing integrity should be balanced towards the user receiver, thus conferring user-based integrity (that is, receiver autonomous integrity) a higher responsibility.

User-based integrity is also gaining importance due to the emergence of a new field of GNSS applications, the so-called liability-critical applications (i.e., those where undetected GNSS large position errors can generate significant legal or economic negative consequences). Some leading examples of such applications are road tolling/congestion charging (both for highways and city areas), law enforcement (e.g., speed fining or surveillance of parolees) or “pay as you drive” insurance schemes.

Unlike air navigation, liability-critical applications often take place in harsh operating environments dominated by local effects such as multipath. Under such conditions these applications cannot always be monitored or aided by external (global, regional, or even local) augmentation systems.

Even in civil aviation, some landing operations could also be subject to large multipath that could put the navigation integrity at risk. For those scenarios the proposed technology would mitigate the associated risk.

One key assumption of conventional RAIM schemes is that simultaneous faulty measurements are extremely unlikely. This single-fault assumption, however, fails to hold in a typical liability-critical application scenario, where multipath is the primary source for large measurement errors and will quite frequently affect more than one measurement at a time. The single-fault assumption also fails to hold in the future air navigation scenario, where the large number of satellites made available by the joint use of several constellations (GPS/Galileo/GLONASS) will significantly increase the probability of multiple simultaneous faults.

Other assumptions common to all existing RAIM schemes include one or another statistical model of the individual measurement errors, trying in particular to bound the tails of their distributions. This sort of assumption is somewhat risky and difficult to verify, especially when the target confidence level is very high, as in the case of SoL applications such as civil aviation.

Moreover, under heavy multipath conditions most statistical assumptions of this nature just do not hold as errors caused by multipath are strongly dependent on the geometric characteristics of the local environment. (An especially acute example of this is non-line-of-sight (NLoS) multipath — that is, when a signal is tracked by GNSS equipment as it reflects from some surface despite the fact that a direct view of the satellite is occluded by some obstacle.) Hence, it is almost impossible to come up with a statistical characterization of such errors that can be used for integrity monitoring.

In this article we present a novel technique for autonomous computation of protection levels, the isotropy-based protection level concept, or IBPL for short. This technique makes no particular assumption on the statistics of individual measurement errors and provides coverage against multiple fault conditions. It takes advantage of a possible future multi-constellation scheme as its performance improves rapidly with the amount of satellites used for positioning.

Discussion in this article will show that asymptotic performance of the IBPL with respect to the number of satellites is comparable to that obtained with SBAS protection levels. This fact makes the IBPL a very promising technique, not only for liability-critical applications (the framework where it was born) but also, and very particularly, for SoL applications. We believe that IBPL fits remarkably well in the scheme proposed by the GEAS panel mentioned earlier, which recommends a shift of the integrity responsibility towards the on-board equipment.

Furthermore, as a fully autonomous method, the IBPL-based approach does not require integrity information to be transmitted on the GNSS or SBAS signal in space. This dramatically simplifies the interoperation of multiple GNSS constellations for integrity purposes, avoiding the problem of combining different integrity concepts from the various constellations or augmentation systems.

Autonomous Integrity: Two Approaches
For liability-critical applications, particularly in urban areas, local effects such as multipath — especially NLoS multipath — are by far the main source of errors and, consequently, the main threat to accuracy and integrity. In this framework, the conventional notion of faulty measurement as a large measurement error caused by a satellite malfunction is no longer useful.

. . .

IBPL: the Concept
The IBPL algorithm does not implement measurement rejection techniques but rather computes a protection level based on the all-in-view least squares solution. Of course, other IBPL solutions are possible, for instance, when different subsets of measurements are used and the one with smallest IBPL is selected. However, in its simplest form (as described in this article), this algorithm is a strict ECA concept implementation. On the other hand, this does not exclude the possibility that some refinements can be made for open-sky applications by including some kind of fault detection/exclusion mechanism.

. . .

Validating IBPL Integrity
Of course, we need to validate this new protection level concept and its underlying isotropy assumption in terms of the achieved integrity, and that must be done by experimentation with real data. We have to show that the theoretical confidence level of the isotropy-based protection level is satisfied in real life. Our discussion here cannot be considered as a full validation of the IBPL concept, but it provides significant information about the validity of the proposed algorithms.

. . .

IBPL Performance Results
From the same open-sky test run for IBPL integrity validation we derive performance figures in the form of accumulated histograms of protection level sizes.

. . .

Asymptotic Convergence of IBPL to SBAS PL
Another remarkable property of the IBPL concept is its convergence to the definition of PL currently used in SBASs (see Annex J of RTCA/DO-229D cited in the Additional Resources section at the end of this article).

. . .

About the Isotropy Assumption
Once the isotropy assumption has been accepted, the level of integrity achieved with the IBPL concept can be proven mathematically, and is therefore incontrovertible. The only controvertible point of the method is the isotropy assumption itself, or, more precisely, the extent to which this assumption represents the real world.

. . .

The isotropy-based protection level concept arose as the result of investigations concerning GNSS liability critical applications, in particular in urban environments. The authors found, however, that this notion also shows a great availability performance in open-sky environments and could therefore become a major breakthrough in open-sky SoL applications such as civil aviation. Isotropy-based protection levels are completely autonomous, are easily computable in real time, and rely on a single, quite verisimilar and verifiable hypothesis.

Unlike other approaches for integrity being defined as part of the GEAS initiative, the IBPL method does not require, in principle, any ground monitoring, though detection and exclusion of faulty satellites by the ground segment would help guarantee isotropy, leaving the protection level computation to the user — through the IBPL — and thus simplifying ground segment design.

IBPL’s sensitivity to the number of satellites becomes a clear advantage in open sky. With currently no more than 10 satellites in view on average (GPS only) and 20 or even more when considering either GLONASS or the future European Galileo system, this PL concept will predictably yield great performances, with smaller protection levels than those achieved nowadays by existing SBASs such as the U.S. Federal Aviation Wide Area Augmentation System or the European Geostationary Navigation Overlay Service.

For the complete story, including figures, graphs, and images, please download the PDF of the article, above.

Additional Resources
[1] Cosmen-Schortmann, J., and M. Martínez-Olagüe, M. Toledo-López, and M. Azaola-Saenz, “Integrity in Urban and Road Environments and Its Use in Liability Critical Applications,” Proceedings of the Position Location and Navigation Symposium (PLANS) 2008, Monterey, California, May 6–8, 2008
[2] GNSS Evolutionary Architecture Study, Phase I – Panel Report, February, 2008, available on-line at <>
[3] RTCA Inc., RTCA/DO-229D, “Minimum Operational Performance Standards for Global Positioning System/Wide Area Augmentation System Airborne Equipment,” 2006