Case Study: Significance of Precision Timing in PNT GPS/GNSS Navigation
Global Positioning Systems (GPS) and Global Navigation Satellite Systems (GNSS) are everywhere today, powering applications from drones and humanoid robots to industrial cobots and autonomous vehicles. The growing need for accurate positioning and navigation in harsh conditions—extreme temperatures, high vibration and acceleration—pushes equipment limits and relies on precise timing. Timing is the “T” in Positioning, Navigation and Timing (PNT) which is the backbone of modern connectivity, enabling location, movement guidance and time synchronization.
PNT systems, especially those critical to safety, use technologies to maintain accuracy during GPS/GNSS outages. This capability, called holdover, is vital for autonomous vehicles, drones and robotics among many other applications. Holdover performance depends on timing precision—tiny clock errors can cause significant navigation drift over time.
OneNav, a startup based in Sunnyvale, California, has developed L5-Direct, a revolutionary GNSS receiver that operates exclusively on the modern L5 frequency used across all GNSS systems. It completely eliminates the dependence on the old L1 signals, more prone to interference and multi-path errors. Thanks, in part, to SiTime’s ultra-stable, low-power Endura® super temperature compensated oscillator (Super-TCXO®), ENDR-TTT, OneNav delivers the first commercially viable ASIC that can quickly acquire the vastly more complex L5 signals in challenging environments. It accomplishes this at low power and low cost.
Below, Paul McBurney, a veteran in the GPS/GNSS industry and CTO, Co-Founder of OneNav, explains this technology and the benefits of SiTime’s ENDR-TTT Super-TCXO in their system:
Jamming and spoofing are the Achilles heel of all radio navigation systems, including the workhorse GNSS systems of GPS, Galileo, Beidou, Quasi-Zenith Satellite System (QZSS) that both military and civilian infrastructure have become dependent on.
Spoofing GNSS is relatively easy because nearly all GNSS receivers must first acquire a 50-year-old signal called the L1-coarse acquisition signal (L1 C/A) to obtain a position fix. Spoofers exploit this single point of failure by broadcasting a stronger replica of this simple signal. In doing so, they prevent modern receivers from using other available modernized signals.
Unlike the US M-Code signals that are encrypted, L5 signals can still be spoofed, albeit the spoofer requires 20x the bandwidth and transmission power compared to an L1 C/A spoofer. OneNav has combined its L5-Direct technology along with the advanced Micro-Electro-Mechanical Systems (MEMS) precision of SiTime’s ENDR-TTT Super-TCXO as well as a leading MEMS Inertial Measurement Unit (IMU) to demonstrate a significant improvement in anti-spoofing capability.
OneNav tested this capability recently in a United States Navy test bed, and the spoofing attack was unable to capture the receiver; the receiver fixed with high accuracy and availability during the spoofing attack. Figure 1 below shows the true and measured vehicle trajectory of a boat on the Chesapeake Bay. The lower portion had a series of maneuvers to calibrate the IMU using GNSS.
Spoofing attacks are generally preceded by a jamming attack to cause the receiver to stop tracking GNSS signals and return to a re-acquisition phase where it is most vulnerable. The longer the attack, the larger the search space in time and frequency the receiver must perform to find the signals. The spoofer captures the receiver by being the strongest signal inside the search space. Figure 2 shows a magnified view of the calibration area and the part of the trajectory during the GPS/GNSS spoofing attack. The solid portion is the calibration, and the dashed portion is the jamming attack. The green curve is the true trajectory, and the blue curve is the estimate using the combined L5-direct and IMU fused solution. The top portion shows where the jamming attack ends. The receiver quickly re-acquires so that the position is on top of the truth. The spoofing is present when the jamming ends but was unable to capture the receiver due to the narrow search window.
Figure 3 provides the validation of jamming and spoofing observed by the receiver radio frequency (RF) front end and analog-to-digital converter (ADC). The blue curve shows an increase in the noise level during the jamming and spoofing. The normal root mean square (RMS) value is around 3. The jamming raises the floor by a factor 10, even with the gain reduction (AGC) active as shown in the orange curve. The spoofer still raises the noise floor above the normal level by a factor of 3.
The dead reckoning position error during the GPS/GNSS spoofing attack grows slowly but quickly returns to nominal as shown in the Figure 4 below. The error would have grown much larger if the spoofer had succeeded in capturing the receiver. It is expected that the true receiver has a bias of approximately 6 meters.
The combination of the SiTime ENDR-TTT Super-TCXO and IMU yielded a narrow enough search space to avoid the spoofing signals, even though the spoofer had knowledge of the vehicle’s location. In one particular 4.5 minute jamming attack, the SiTime ENDR-TTT frequency stability was better than 0.1 parts per billion (PPB) so that search window component due to the ENDR-TTT was less than 10 meters. This is even smaller than ½ an L5 code chip for the 10.23MHz code division multiple access (CDMA) chipping frequency.
During an GPS/GNSS spoofing attack, the CDMA code search window grows according to the sum of the uncertainty. This uncertainty is due to the vehicle dynamics and receiver clock bias change. The clock bias change is dominated by frequency change from the oscillator phase noise, temperature and shock sensitivity. With the SiTime ENDR-TTT, the clock bias uncertainty was expanded at a 3-sigma rate of 0.6 m/s (2.4 PPB at L5). Figure 5 shows that pseudo-range uncertainty is the sum of the vehicle and clock dynamics. During the jamming attack, the uncertainty due to the clock grows only to 113m, contributing only 15%, and the total uncertainty is dominated by the vehicle dynamics and the IMU uncertainty (85%).
If a conventional quartz-based TCXO were used instead of the SiTime ENDR-TTT Super-TCXO, the 3-sigma clock bias uncertainty due to similar factors of phase noise, temperature and shock needs to be increased by a factor of 10 to 6m/s (24 PPB at L5). In this case, the clock uncertainty grows to 1130m, or 63% of the total position uncertainty. Now the clock uncertainty is larger than the vehicle’s position IMU uncertainty. The total search window’s growth is now 1800m which is a factor of 2.2 larger than using the SiTime ENDR-TTT Super-TCXO as shown in Figure 6 below.
The SiTime ENDR-TTT provides more than 100% reduction in the probability of being captured by the spoofer. As IMU technology improves, the factor will be even larger.
Due to spoofer complexity, it is envisaged that L5 spoofing will be performed using L5 re-broadcast methods, called meaconing. Once again, SiTime’s total frequency stability was measured less than 0.10 PPB, thus providing a critical advantage in anti-spoofing capability. This is because the spoofer’s reference oscillator error will be easily detectable in the GNSS receiver if it is using a stable frequency similar to the SiTime’s ultra-stable ENDR-TTT Super-TCXO.
Learn more about ENDR-TTT or request samples. See the ENDR-TTT press release.