Du et al. Satell Navig             (2021) 2:3                                           Page 12 of 22





            carrier-phase observation residuals for monitoring sta-  large variances, which is impractical for PPP (Teunis-
            tions to  validate  orbit and clock  corrections,  regional   sen 1990; Wieser 2004), and thus may not be sensitive to
            tropospheric corrections, and regional ionospheric   some faults in the dynamic model (see Appendix–Exam-
            corrections (Weinbach et  al.  2018). A two-step integ-  ple 2). On the other hand, snapshot PLs cannot protect
            rity monitoring procedure, i.e. pre-broadcast and post-  against the undetected faults in historical observations or
            broadcast integrity monitoring, is adopted to detect and   in the predicted states.
            fag out-of-tolerance corrections and to generate timely   Additionally,  as  discussed  previously,  the  traditional
            alarms to users. Te integrity information is provided as   RAIM methods cannot handle multiple faults correctly,
            Quality Indicators (QI) with the correction data; how-  which have a high probability when carrier-phase meas-
            ever, how to calculate PLs using QIs was not mentioned.   urements are used, especially for multiple GNSS constel-
            Tere is little literature that discusses the quality control   lations. In contrast to the above research, Gunning et al.
            procedures which can be used to check the integrity of   (2018) adopted the well-founded models of ARAIM for
            PPP corrections, e.g. FCB/IRC estimation (Cheng et al.   civil aviation for PPP integrity monitoring. Tey applied
            2017), orbit and clock corrections (El-Mowafy 2018), and   an ARAIM-like methodology and algorithms of both
            the combined corrections of satellite clocks, ionospheric   residual-based (Chi-square) and solution-separation test
            parameters and ambiguity solutions (Khodabandeh et al.   statistics to determine the PLs in PPP, enabling initial
            2019). Tese quality control procedures can perform   integrity monitoring for a foat-PPP position solution.
            FDE and the analysis of diferent faults, as well as their   Teir method (or a similar one) was later evaluated with
            impacts on the PPP solutions.                     IGS tracking data, fight data and driving data, using GPS
              Current user-level integrity algorithms for PPP are   broadcast ephemeris and real-time corrections, including
            still very preliminary, hence not well-accepted in mod-  SBAS corrections (Gunning et al. 2019a, b; Norman et al.
            els and methods. Te Spanish company GMV devel-   2019; Phelts et al. 2020). However, a bank of parallel fl-
            oped their own integrity concept for their PPP solution,   ters was used, as in Brenner (1996), for the Kalman flter
            known as magicPPP (Romay and Lainez 2012; Navarro   to account for historical faults, based on an assumption
            et al. 2015). Teir integrity concept was a little diferent   that all faults will exist continuously for a period of time.
            from that developed in the aviation feld as they were   Such a method has a high computational cost. More
            not restricted to system-level only or user-level only   importantly, the nominal error model and threat model
            integrity, but focused on “most favourable combination   are very preliminary for complex urban environments. To
            of signifcant indicators” which they assess (Romay and   provide PLs for PPP in challenging environments, Blanch
            Lainez 2012). In the PPP-Wizard software developed by   et  al. (2020) refned the threat model and accordingly
            CNES, two FDE mechanisms are implemented, namely   adapted the FDE algorithm, considering the efect of
            “Simple FDE” with post-ft residuals screened one by   Kalman fltering time updates, to address potential faults
            one against empirical thresholds and “Advanced FDE”   in urban and suburban areas.
            testing all the combinations of observations to fnd one
            with all post-ft residuals below the threshold values   Open research issues on PPP vulnerabilities
            (Laurichesse and Privat  2015). Te software can also   and integrity for ITS applications
            provide an integrity indicator for each solution. How-  Tere are many problems to be addressed for PPP integ-
            ever, the  FDE  methods  and  the integrity indicator in   rity in ITS applications. One of the prerequisite issues
            PPP-Wizard are not statistically sound (for example   is the determination and standardisation of specifc
            P , i.e. the probability of false alert is not specifed)   integrity requirements for various ITS applications and
             FA
            (see Appendix–Example 1).                         diferent levels of automation, without which the cor-
              Jokinen et al. (2011, 2013) and Seepersad and Bisnath   responding integrity monitoring methods cannot be
            (2013) adopted the traditional RAIM algorithms in PPP   properly  evaluated.  Another  challenging  problem  is
            processing to enable FDE and PL computation. Tey   that stochastic models of diferent errors must be clari-
            directly performed snapshot RAIM at each separate   fed, e.g. ambiguity errors, non-Gaussian range errors, as
            epoch even though Kalman flters were used. On the one   well as the error correlations amongst the measurements
            hand, the fault detection statistics used by them were the   and over time (Bryant 2016, 2019). It is also important,
            weighted sum of squares of post-ft measurement residu-  though challenging, to develop a representative threat
            als. Tis kind of test is based on the assumption that the   model for integrity risk evaluation and PL computation
            dynamic model is absent or predicted states have very   (Gunning et al. 2018). Te threat model, which is a list of