Quantifying Integrity

Leading Edge Research Drives Ever Closer to Assured Positioning

Applications utilizing precise point positioning (PPP) have traditionally valued precision over integrity. Emerging autonomous applications will require both accuracy and integrity features such as protection levels in order to guarantee safe operation.

In 2016, Hexagon’s Positioning Intelligence division initiated a leading-edge research program to quantify and define error bounds and assure integrity in Global Navigation Satellite System (GNSS) measurements that are affected by faults and anomalous conditions.

Jonathan Auld, Vice President of Engineering and Safety Critical Systems at Hexagon PI, said, “This research leverages our safety-critical experience in aviation by bringing together a team of GNSS integrity experts that have already successfully solved the integrity challenge for aviation through their work with programs like the FAA’s [Federal Aviation Authority’s] Wide Area Augmentation System.”

The research, conducted by industry specialists at Stanford University, the Illinois Institute of Technology, and Virginia Polytechnic Institute and State University, updates and expands concepts for high integrity carrier phase algorithms, as well as threat models and safety monitors learned from civil aviation applications.

Early developments and demonstrations hold tremendous promise to achieve viable integrity risk probabilities for autonomous vehicle applications, including the ever-challenging multipath condition.

Evaluating Integrity Risk

Integrity in the position domain involves computing and reporting an error bound along with the computed solution—essentially the measure of trust that the computed position is correct.

“Integrity is much more than reliability,” emphasizes Todd Walter, Director of the Wide-Area Differential GNSS Laboratory at Stanford University. “Quantifying GNSS integrity ensures the values derived are accurate in nominal and fault conditions, making sure that errors are not occurring more frequently than expected, and looking beyond the norm to determine probabilities of very rare events.”

High-integrity systems such as the Wide and Local Area Augmentation Systems (WAAS and LAAS, respectively) already exist, but are designed for aviation applications and may not provide sufficient accuracy for automated ground vehicle applications.

For example, for a category I precision approach in civil aviation the horizontal alert limit is 40 meters, while in ground vehicle applications the alert limits must be on the scale of a roadway or lane. For precision approach, the integrity risk is specified as the probability of failure per approach; for ground vehicles which do not have a distinct approach operation, specifying risk in terms of failures per unit of time is more appropriate.

Augmentation systems for aviation have been extensively analyzed to ensure that these requirements can be met over the duration of an approach at the worst-case time and location in the area for which the service is claimed to be available. Error bounds are determined across all environmental and operational conditions under which the service will be used.

Walter adds, “We must do the same for autonomous ground vehicle systems. We must put an error bound around a given vehicle position that has a numerical guarantee that the error is no larger than that bound.”

For this study, the researchers used the accuracy benefits of PPP to develop an improved integrity monitoring algorithm, thus enabling its application to safety-critical solutions while evaluating worst-case combinations. Along with the algorithm, the study is also focused on developing threat models for various scenarios such as multipath, ionosphere, interference, jamming and spoofing.

Multipath is among the most complex.

Resolving Multipath

To analyze the magnitude of multipath error in autonomous vehicle conditions and develop an integrity model, the team collected a dynamic dataset of navigation data under realistic driving conditions for a vehicle traveling in an urban canyon and on a highway with overpasses and road signs.

The vehicle was equipped with a truth system consisting of a PwrPak7® enclosure from NovAtel®, part of Hexagon’s Positioning Intelligence division, and an external tactical-grade Inertial Measurement Unit (IMU) to accurately observe the errors on the measurements. A static test was conducted in a controlled environment, first to precisely evaluate measurement errors under open-sky conditions and then to quantify the effect on multipath error of a semi-truck next to an autonomous car equipped with a GNSS system. Static receivers with both commercial and automotive grade antennas were set up one lane’s width away from a semi-truck, and data was collected over 24-hour periods in various orientations to capture the range of possible satellite geometries and multipath scenarios.

The research team initially built on ionosphere-corrected code-minus-carrier data provided by NovAtel to evaluate and quantify pseudorange and carrier phase signal tracking errors in L1 and L2 pseudorange (code) measurements individually. With the ionospheric delay estimated and removed using L1 and L2 carrier phase measurements, the remaining errors are dominated by the code multipath and code thermal noise errors, and therefore will be used to derive pseudorange receiver noise and multipath error models.
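The ionosphere-corrected code-minus-carrier combination described above, as an added example (not NovAtel's or the research team's code). It uses the standard dual-frequency multipath combination for GPS L1/L2; the sample arc, its ambiguity offsets and the injected code error are constructed, and carrier-phase noise is assumed negligible.

```python
import math
import random

F1, F2 = 1575.42e6, 1227.60e6      # GPS L1 / L2 carrier frequencies, Hz
GAMMA = (F1 / F2) ** 2             # ionospheric delay on L2 = GAMMA * delay on L1

def cmc_l1(p1, phi1, phi2):
    """Ionosphere-corrected code-minus-carrier residual for the L1 code (metres).

    p1 is the L1 pseudorange; phi1 and phi2 are L1/L2 carrier phase already
    scaled to metres. All samples must come from one arc without cycle slips.
    """
    k = 2.0 / (GAMMA - 1.0)
    # phi1 - phi2 = (GAMMA - 1) * I1 + const, and p1 - phi1 = 2 * I1 + error + const
    raw = [p - (1.0 + k) * a + k * b for p, a, b in zip(p1, phi1, phi2)]
    bias = sum(raw) / len(raw)     # constant carrier ambiguities end up in the mean
    return [r - bias for r in raw]

def std(xs):
    """Population standard deviation of a list of floats."""
    m = sum(xs) / len(xs)
    return math.sqrt(sum((x - m) ** 2 for x in xs) / len(xs))

def constructed_arc(n=200, seed=1):
    """Constructed sample data (not measurements): (p1, phi1, phi2, code_err)."""
    rng = random.Random(seed)
    p1, phi1, phi2, code_err = [], [], [], []
    for t in range(n):
        rho = 2.1e7 + 500.0 * t                  # geometric range plus clocks, m
        iono = 4.0 + 0.01 * t                    # L1 ionospheric delay, m
        # slow multipath plus thermal noise on the code measurement
        err = 0.6 * math.sin(2 * math.pi * t / 50) + rng.gauss(0.0, 0.2)
        p1.append(rho + iono + err)              # code is delayed by the ionosphere
        phi1.append(rho - iono + 12.34)          # carrier is advanced; constant ambiguity
        phi2.append(rho - GAMMA * iono - 56.78)
        code_err.append(err)
    return p1, phi1, phi2, code_err

if __name__ == "__main__":
    p1, phi1, phi2, err = constructed_arc()
    res = cmc_l1(p1, phi1, phi2)
    print(f"sigma of CMC residual: {std(res):.3f} m, injected: {std(err):.3f} m")
```

The residual equals the injected code error minus its arc mean, because range, clocks and ionosphere cancel and the ambiguities are removed with the mean.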

The preliminary results showed the truck induced approximately a 60% increase in ranging measurement errors due to multipath. As well, there were additional measurement errors associated with signals penetrating the truck’s trailer, which caused approximately a 20% increase in measurement error as compared to the open-sky case.

If multipath regions due to the truck are isolated, then the error models for the truck multipath can be evaluated. Since this was a controlled experiment with known truck and antenna geometry, the researchers decided to use the truck geometry to isolate several multipath regions.

They then carried out a correlation time constant analysis to show that, as expected, the multipath error time constant is lower in the dynamic case (when the car is moving) than for the static case (when the car isn’t moving).

Walter confirms, “Assuming that an automotive navigation system is not aware whether a received GNSS signal has penetrated or has been reflected off of a surrounding object (like a truck trailer), we must use an overbounding standard deviation for pseudorange receiver noise and multipath errors that works for either case or create a method to distinguish between them.”

Error model refinement can be achieved considering higher-rate data in the static test, which will facilitate the distinction between thermal noise and slow multipath errors. Anomalous conditions, including excessive multipath due to circumstances not measured in the tests, will have to be analyzed separately to ensure navigation system integrity.

Inertial Advantage

Another important tool for high integrity navigation is inertial sensors. IMUs are especially useful for autonomous vehicle applications because they continue to provide a navigation solution even when satellites are obstructed, increasing the availability of the solution in poor environments.

IMUs are also a great addition from an integrity standpoint because they are not affected by the external failure modes that impact GNSS, making them very effective for detecting faults in the GNSS observations.

Consider the multipath challenge. As a vehicle enters an environment with many obstructions, some signals will be blocked and some will be acquired as non-line of sight reflections only. When these measurements are combined with the information from the inertial measurements, it is possible to detect and exclude these faulted measurements, thus potentially avoiding misleading information and allowing the system to reach a higher integrity risk.

The Tree of Truth

In parallel to the development of the algorithms, the team is developing a fault tree that breaks down how much risk is acceptable from each source. A fault tree categorizes and allocates risk, breaking down the probability that a fault or position error occurs over a given interval, such as a minute or hour.

Sam Pullen, Senior Research Engineer in the Aeronautics & Astronautics Department at Stanford University, said, “A fault tree is a breakdown from system to subsystem to component level of the possible failures in a system to determine the probability of losing integrity, given the algorithms developed to mitigate a defined risk.”

Figure 1 is a sample integrity fault tree that outlines the various possible fault types, e.g., atmospheric, user environment, satellite faults, corrections and user processing. Each element of the fault tree reflects the probability of a specific fault type as well as the probability of not detecting this fault from all monitors put together.

Figure 2 is representative of a detailed breakdown of a fault due to loss of satellite and the reasons for that loss and the various methods of mitigation. For example, is the failure caused by one satellite or multiple satellites simultaneously? The fault tree must further break down the reasons for integrity loss due to a satellite fault, in the case of the example, Type A, with an assessment of the probability of fault occurrence and an evaluation of system- and user-level monitoring.

Thus, if the prior probability of a satellite fault is 10⁻⁵ per unit time, the probability of not detecting it at the system level is 0.01, and the probability of not detecting it at the user level is also 0.01, the resulting integrity risk from this fault type is 10⁻⁵ × 0.01 × 0.01, or 10⁻⁹ per unit time.

As well, the multipath study (referenced in the previous section) characterizing the behavior of the failure will become part of the fault tree, as will atmospheric anomalies and correction generation. Each of these failure conditions and the available monitors must be analyzed to ensure the total integrity risk meets the target for the system.
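A roll-up of the fault tree arithmetic described above, as an added example (not Hexagon PI's fault tree or code). Only the satellite branch uses the article's numbers; the other branches, the target and all function names are constructed for illustration, and branches are assumed rare and independent.

```python
from math import prod, isclose

# name: (prior probability per unit time, [P(missed detection) per monitor layer])
BRANCHES = {
    "satellite fault (Type A)": (1e-5, [0.01, 0.01]),   # article: system, user level
    "atmospheric anomaly":      (1e-4, [0.001, 0.05]),  # constructed
    "user environment":         (1e-3, [1e-5]),         # constructed, user monitor only
    "correction generation":    (1e-6, [0.01, 0.1]),    # constructed
}
TARGET = 1e-7   # constructed total integrity risk target per unit time

def branch_risk(prior, p_missed):
    """Risk of one fault type: the fault occurs AND every monitor misses it."""
    return prior * prod(p_missed)

def required_missed_detection(prior, allocation, other_layers=()):
    """Largest missed-detection probability the remaining monitor may have so
    the branch stays within its allocated share of the risk budget."""
    return min(1.0, allocation / (prior * prod(other_layers)))

def audit(branches, target):
    """Return (total risk, meets target?, name of the dominant branch)."""
    risks = {name: branch_risk(p, m) for name, (p, m) in branches.items()}
    total = sum(risks.values())          # OR gate over rare events: sum
    return total, total <= target, max(risks, key=risks.get)

if __name__ == "__main__":
    total, ok, worst = audit(BRANCHES, TARGET)
    print(f"total risk {total:.2e} per unit time, meets target: {ok}")
    print(f"dominant branch: {worst}")
    # Inverse question: with a 0.01 system-level monitor, what must the
    # user-level monitor achieve to hold the satellite branch to 1e-9?
    print(required_missed_detection(1e-5, 1e-9, [0.01]))
```

The inverse function is the allocation step: given a branch budget and the monitors already in place, it returns the performance the remaining monitor has to be shown to meet.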

Analysis of the contributions of the correction service in the fault tree is another area where Hexagon PI has an advantage. Lance de Groot, Geomatics Software Team Lead at Hexagon PI, explained, “Because Hexagon PI is providing both the corrections and the user algorithm, we are able to ensure proper allocation of risk between the two parts of the solution.” The user algorithm can include monitors against faults that the correction service cannot observe easily, and vice versa. Engineering the positioning algorithms and the correction services in conjunction allows for a thorough understanding of the rate of faults arising in the correction service itself, which allows Hexagon PI to ensure the contribution of these faults does not exceed the overall integrity risk.

Risk and Rewards

The integrity study will continue through 2019 with analysis of various error conditions, as well as investigating a high integrity inertial fused position solution—with the goal of delivering some of the industry’s first error bounds and numerical guarantees with assigned probabilities.

Further, Hexagon PI is currently testing a prototype of a high integrity PPP solution and aims to complete development and testing in time for the first generation of vehicle autonomy features designed to leverage high integrity GNSS solutions.