Back to Tutorials

Topic 9

GNSS Engineering and Integrity

9.1 Pseudorange, Carrier Phase, and Doppler: The Three GNSS Observables 9.2 Cycle Slips and Lock Time: The Silent Killers of High-Precision GNSS 9.3 RTCM and RINEX Explained: The Data Formats Behind Precision GNSS 9.4 Float vs Fixed RTK: Understanding Ambiguity Resolution 9.5 GNSS Integrity and Protection Levels: Can You Trust Your Position? 9.6 RAIM and ARAIM: How GNSS Detects Its Own Failures 9.7 LOS/NLOS and Urban Degradation Detection: Identifying Bad Signals 9.8 Base Station Setup and Troubleshooting: Getting the Foundation Right
All Topics
9.5 · Advanced

GNSS Integrity and Protection Levels: Can You Trust Your Position?

Introduction

In safety-critical GNSS applications - aviation, autonomous vehicles, precision approach procedures, and railway systems - accuracy alone is insufficient. A system can be accurate on average while occasionally producing errors of several metres with no warning. For applications where such errors could cause injury or loss of life, what matters is integrity: the system's ability to detect when its output cannot be trusted and alert the user in time to act. This lesson explains the distinction between accuracy and integrity, the concept of protection levels, and how they are used in practice.

Accuracy vs Integrity: A Critical Distinction

Accuracy describes the statistical distribution of position errors over many observations. A system quoted as having 1 m (95%) accuracy means that 95% of its position outputs are within 1 m of truth. But the remaining 5% - and potentially rare catastrophic outliers - are not bounded by that specification.

Integrity is the measure of trust that can be placed in the system's position output at any given instant. An integrity-aware system does not just compute a position - it also computes a bound on the position error with a stated probability. If the system detects that it cannot bound its error with sufficient confidence, it raises a flag or alert rather than silently outputting a position it cannot vouch for.

Key Concept: Accuracy tells you how often the system is correct on average. Integrity tells you whether the system knows when it is wrong - and whether it can detect this quickly enough to be useful. Safety-critical applications require both: high accuracy and high integrity.

Protection Levels

A protection level (PL) is a statistical upper bound on the position error for a given probability of failure. Protection levels are computed in real time by the navigation system using the current satellite geometry, signal quality, and fault models. They are not measurements of the actual error - they are mathematical bounds that the actual error must not exceed with a defined probability.

  • Horizontal Protection Level (HPL): The bound on horizontal position error. The true horizontal error must not exceed HPL with a probability greater than the target integrity risk (typically 10⁻⁷ per hour in aviation).
  • Vertical Protection Level (VPL): The equivalent bound on vertical error. VPL is typically larger than HPL because satellite geometry is inherently weaker in the vertical dimension.
TermDefinitionSet By
Alert Limit (AL)Maximum allowable position error for safe operationApplication / certification authority
Protection Level (PL)Statistical bound on actual position errorNavigation system in real time
Integrity RiskMaximum probability of undetected hazardous error per unit timeSafety standard (e.g., DO-229, DO-316)
Time to AlertMaximum allowed time between fault occurrence and user alertSafety standard

Alert Limits and System Availability

An alert limit (AL) is the maximum error that the application can tolerate without the navigation output becoming hazardous. For aviation precision approach, vertical alert limits are as tight as 10–35 metres depending on the approach category. For autonomous vehicles, lateral alert limits may be one to two lane widths.

The system is considered available when its protection level is below the alert limit: PL < AL. When PL > AL, the system must alert the user that the navigation output cannot be guaranteed within the required bounds, and the operation must be suspended or fall back to a different mode. The fraction of time that PL < AL at a given location is the system's integrity availability for that application.

Note: A GNSS system with excellent average accuracy can still have poor integrity availability if its protection levels are large relative to the alert limit - for example, in environments with poor geometry (high DOP) where protection levels widen significantly.

Integrity in Practice

Aviation integrity is provided by SBAS systems such as WAAS, EGNOS, and MSAS, which broadcast integrity-related correction data alongside differential corrections. Ground-based integrity monitoring networks assess the health of each GNSS satellite signal in real time and compute protection-level bounds for user aircraft. For ground and marine applications, integrity monitoring is increasingly embedded in multi-constellation GNSS receivers using Receiver Autonomous Integrity Monitoring (RAIM) algorithms, covered in the next lesson.

Vital Points

  • Accuracy describes average performance; integrity describes the system's ability to detect and bound errors in real time.
  • Protection levels are computed bounds on position error - when they exceed the alert limit, the system must alert the user rather than silently outputting an unverifiable position.
  • Safety-critical applications specify both accuracy and integrity requirements; meeting accuracy alone is not sufficient for certification.
  • Integrity availability - the fraction of time that protection levels are below alert limits - is the key performance metric for safety-rated navigation systems.
← Previous
9.4: Float vs Fixed RTK: Understanding Ambiguity Resolution
Next →
9.6: RAIM and ARAIM: How GNSS Detects Its Own Failures