Galileo atomic clocks failed: What can we learn from it?
Galileo has been making headlines once again, and this time not for the right reasons. It was reported on January 18, 2017 that several of the atomic clocks responsible for the satellites’ ability to calculate precise time have failed.
Timing is everything in GNSS -- very precise time is required to calculate an accurate value of the delay in receiving signals that have been transmitted from a given satellite. This allows users to determine their position on Earth accurately. Also, many applications today take advantage of the very precise timing that GNSS can provide via the atomic clocks in use on the satellites.
The atomic clocks
Each Galileo satellite is equipped with four clocks. Two are Rubidium Atomic Frequency Standard (RAFS) clocks like those found in GPS and GLONASS satellites. The other two are the more accurate (and much more complex) Passive Hydrogen Maser (PHM) clocks that offer the Galileo constellation increased timing accuracy. Whilst only one clock in working order is required for each satellite, a minimum of two is required to provide redundancy.
A PHM clock uses the properties of the hydrogen atom to serve as a frequency reference. It is a complex and high cost device, but has a significantly higher precision than the Rubidium clock. Typically, PHM clocks are expected to have a 20-year lifetime.
An RAFS clock uses the transition of Rubidium 87 atoms as a frequency reference. RAFS clocks are less costly and more compact than PHM clocks, and have an expected lifetime of 12 years or more.
The six PHM clocks that failed are almost exclusively on the In-Orbit Validation satellites. According to a statement from the European Space Agency (ESA), the failure was "related to the fact that when some healthy [hydrogen maser] clocks are turned off for long periods, they do not restart due to a change in clock characteristics."
The ESA has since been able to remotely restart one of the failed PHM clocks, leaving only five PHM clocks offline.
Meanwhile four RAFS clocks have failed -- all of them on Full Operational Capability satellites. The ESA also stated the rubidium-based clock failures "all seem to have a consistent signature, linked to probable short circuits, and possibly a particular test procedure performed on the ground."
India has had the same experience with RAFS clocks -- it was announced that three clocks (one primary and two backups) on board satellite IRNSS 1a had failed.
The impact of satellite clock failures
Whilst a total of nine clocks have failed, so far, no more than two have failed in a single Galileo satellite. Provided each satellite has at least one clock remaining, they can continue to function as normal. For now, then, these clock failures won’t have a direct impact on the performance or stability of Galileo.
However, the impact to the IRNSS program is much more severe -- the failure of all three RAFS clocks mean that the satellite is totally unusable and will have to be replaced. India has already plans to do this later in 2017.
That said, the clock failures highlight a concern that all members of the GNSS community should share: failure can happen at any stage of a GNSS system -- from the satellite level, right down to the device or chipset firmware layer.
Detecting segment errors
Those involved in GNSS receiver design and integration need to be prepared to detect segment errors or failures at satellite level -- whilst they are less frequent, they do happen. The industry has already seen the effects of a major malfunction of the GLONASS system in April 2014, thought to have been caused by the upload of corrupted ephemeris data. And in January 2016, because of a satellite decommissioning, faulty timing data was transmitted by GPS satellites, which affected thousands of users world-wide.
Subsequently it was discovered that the incorrect timing data was flagged as being out of date. Receivers designed and tested to the GPS Open Service ICD rejected the incorrect data as being invalid and were not affected. It should concern the industry that many receivers accepted the incorrect data which was either 13 or 13.7 microseconds inaccuracy depending on the receiver’s use of the data.
No GNSS system is immune to software or hardware failures. Manufacturers of GNSS chipsets and location-aware devices need to know how their equipment will respond in the event of a system segment failure (software or hardware). In the case of the GPS timing issue of January 2016, thorough testing against the GPS Open Service ICD would have highlighted any problems with data associated with an expired date/time. In the case of the GLONASS event, testing the receiver’s response to corrupt or incorrect ephemeris data could have provided an additional level of assurance/protection.
If a receiver is unable to detect the difference between healthy and unhealthy satellite signals, it will appear to be operating as normal. But all the while it has the potential to output misleading positioning and timing data that could compromise business operations -- and in the most extreme cases even be hazardous to the end user. Blind trust in the integrity of all received GNSS signals can be dangerous -- it can leave the receiver open to being affected by a GNSS segment error and can also leave the receiver or system susceptible to deliberate spoofing attacks (a growing threat to GNSS users since the rise in popularity of Augmented Reality games such as Pokémon GO).
It is possible to simulate a variety of real-life hardware and software failure scenarios by making the most of modern GNSS simulation equipment and rigorous test plans. With these in place, it is possible understand how receivers and systems will react to errors from all components of a GNSS system, and see the potential issues before they disrupt the user experience.
The future of Galileo
Galileo is rightly being hailed as a major success story for Europe; Commissioner Elżbieta Bieńkowska, stated in December: "Galileo offering initial services is a major achievement for Europe and a first delivery of our recent Space Strategy. This is the result of a concerted effort to design and build the most accurate satellite navigation system in the world. It demonstrates the technological excellence of Europe, its know-how and its commitment to delivering space-based services and applications. No single European country could have done it alone."
The ESA and the European Commission have the required technical and programmatic expertise and knowledge to improve the situation with the Galileo clocks that will be onboard future satellites. Launching a new satellite navigation constellation is not a trivial undertaking and many important lessons have been learned by Europe on the pathway to making Galileo a valuable and sustainable global satellite navigation constellation.
Guy Buesnel, PNT security technologist, Spirent.
Published under license from ITProPortal.com, a Future plc Publication. All rights reserved.
Photo Credit: Neo Edmund/Shutterstock