Integrity Concept for Maritime Autonomous Surface Ships' Position Sensors.

The primary means for electronic position fixing currently in use in majority of contemporary merchant ships are shipborne GPS (Global Positioning System) receivers or DGPS (Differential GPS) and IALA (International Association of Lighthouse Authorities) radio beacon receivers. More advanced GNSS (Global Navigation Satellite System) receivers able to process signals from GPS, Russian GLONASS, Chinese Beidou, European Galileo, Indian IRNSS, Japan QZSS, and satellite-based augmentation systems (SBAS), are still relatively rare in maritime domain. However, it is expected that such combined or multi-system receivers will soon become more common in maritime transport and integrated with gyro, inertial, radar, laser, and optical sensors, and they will become indispensable onboard maritime autonomous surface ships (MASS). To be prepared for a malfunction of any position sensors, their state-of-the-art integrity monitoring should be developed and standardized, taking into account the specificity of MASS and e-navigation safety. The issues of existing requirements, performance standards, and future concepts of integrity monitoring for maritime position sensors are discussed and presented in this paper.


Introduction
It is expected that multi-system GNSS receivers together with GNSS-independent position systems and sensors will soon become common in maritime transport and indispensable onboard maritime autonomous surface ships (MASS) as they have already been onboard many vessels engaged in offshore work. To be prepared for a malfunction of any shipborne position sensors, their state-of-the-art integrity monitoring should be developed and standardized [1], taking into account the specificity of MASS navigation safety. The International Maritime Organization (IMO) took steps to address autonomous ships in 2018 and 2019 by adopting the definition of MASS, their four degrees of autonomy, and a framework for the regulatory scoping exercise [2].
IMO has defined a MASS as a ship which, to a varying degree, can operate independent of human interaction, and organized its degrees of autonomy as follows [2]: (1) Ship with automated processes and decision support: Seafarers are on board to operate and control shipboard systems and functions. Some operations may be automated and at times be unsupervised, but with seafarers on board ready to take control. (2) Remotely controlled ship with seafarers on board: The ship is controlled and operated from another location. Seafarers are available on board to take control and to operate the shipboard systems and functions. (3) Remotely controlled ship without seafarers on board: The ship is controlled and operated from another location. There are no seafarers on board.
(4) Fully autonomous ship: The operating system of the ship is able to make decisions and determine actions by itself.
To achieve safety of a MASS operation, redundant, multi-system receivers integrated with magnetometer, gyro, inertial, radar, laser and optical sensors will be necessary onboard these vessels on all four autonomy levels. However, there are still no IMO adopted integrity measures for contemporary maritime electronic position fixing systems (EPFS) such as GNSS, heading, radar or optical sensors. The current IMO performance specifications of Global Navigation Satellite System (GNSS) shipborne receivers are system-level specifications, which do not take into account threats to GNSS position-fixing that are local to the user (such as a reduced number of satellites in view due to signal obscuration, multipath, or radio interference). Furthermore, the GNSS user's receiver is not required to implement its own integrity algorithms. However, recommendations set out in IMO resolution A.915 (22) [3] together with established techniques of receiver autonomous integrity monitoring or fault-detection (RAIM, FD, FDE) can lead to construction of maritime continuity and integrity algorithms similar to the ones standardized for satellite based augmentation systems (SBAS) used in the aviation sector [4].
The aim of the work described in the paper is to develop a concept of MASS position sensors' integrity evaluation and its presentation for the human operator/navigator. The concept is based on monitoring of integrity risk of position and heading (attitude) data that takes into account not only EPFS point positioning but also propagation of position error to ship's body furthest points. Additionally, the idea of the presented concept is to conceptually split the integrity monitoring between two functions that, combined, could provide a modular and robust way of MASS positioning safety evaluation in line with the positioning, navigation and timing (PNT) data integrity concepts handled by IMO and other PNT working groups [3,5]: -Integrity positioning function whose goal is to obtain a positional error bound that guarantees, with a certain probability, that the ship is within specific boundaries. It measures the integrity of the positioning at user level. -Integrity operational navigation function which refers to how the position error bound (the protection level) is used from an operational perspective.

Related Work
There has been significant progress within the last decades in the development of Autonomous Surface Vehicles (ASV). The ASVs have been produced in a range from small "pocket" platforms that can be carried in the trunk of the car to larger units of a nearly seagoing range [6]. These vessels have been mostly used for hydrographic measurements in shallow waters or an area/environment monitoring close to shores or offshore structures. Sea or oceangoing vessels of sizes comparable to contemporary transport ships are usually not included in this group. The latter have been generally referred as MASS, following the research presented in [7][8][9][10][11][12].
The summary and conclusions from the findings of five EU projects considering the issue of MASS were presented in [8]. The big challenge envisioned for a future autonomous technology is to show that an unmanned system is at least as safe as a manned ship system, and to provide the shore control operators with adequate situation awareness. The taxonomy of MASS in terms of the operational scenario possibilities, in how the control problem is solved and how responsibilities are divided between humans and computer systems, was developed in [9]. It suggested building a standard based on autonomous cars; however, the main problem is that ships are larger and slower, but consequences of accidents may be more severe. The example research that focused on adaptive navigation of MASS in an uncertain environment was described in [7,13]. To achieve intelligent obstacle avoidance of MASS in coastal waters or a port, an autonomous navigation decision-making model based on dynamic programming method or hierarchical deep reinforcement machine learning was proposed. Correspondingly, the use of machine learning and deep learning artificial intelligence (AI) techniques as a means to integrate multiple sensor modalities into a cohesive approach to navigation Sensors 2020, 20, 2075 3 of 25 for autonomous ships was presented in [13]. Finally, a System-Theoretic Process Analysis (STPA) was applied in the research presented in [11] in order to develop and analyse a preliminary model of the unmanned shipping system and elaborate safety recommendations for future developers of the actual system. The conclusion was that STPA-like software is likely to have much greater influence on future autonomous ships' safety performance than it has on contemporary merchant vessels.
All this research stress that at some point the availability of GNSS or generally PNT data is crucial for safe MASS operations. In the case of small ASV, the risk evolving from faulty PNT data may be of relatively low significance, but in the case of MASS the consequences can be serious.
The solution to PNT data reliability in maritime domain can be derived from other transport domains. For example, reliable aircraft guidance is one of the main contributors to the high level of safety that is achieved today on modern aircraft. Especially during the landing phase, where aircraft are close to other surrounding traffic and ground obstacles, any undetected deviation from the desired flight path may lead to catastrophic consequences. An aviation low cost system that consisted of a classical GNSS/INS system augmented by an optical positioning system for integrity monitoring was described in [10]. Key differences between integrity monitoring scheme in aviation domain and urban transport field were addressed in [14,15]. The accuracy and integrity requirements, and the positioning system for no-fly zone unmanned aerial vehicle (UAV) management were specified in [16]. All these works, together with ICAO and IMO standards or guidelines, were a basis for the development of integrity concept for MASS' position sensors as presented further.

Evolution of IMO GNSS Integrity Concepts
IMO started work on the integrity of GNSS as part of worldwide radio navigation systems (WWRS) in the end of 1990s together with the International Civil Aviation Organization (ICAO). This was the time of satellite-based augmentation systems (SBAS) development whose signals could be used worldwide as external source of GNSS corrections and integrity data.
Resolution A.915 (22) [3] on revised maritime policy and requirements for a future GNSS was adopted by IMO in 2001. This resolution proposed, for the first time, internal (user-level or shipborne) and external (provided by external stations) integrity monitoring to maritime domain. Integrity monitoring was defined as the process of determining whether the system performance (or individual observations conducted by the system) allows its use for navigation purposes. Overall GNSS system integrity was described by three parameters: the threshold value or alert limit (AL), the time to alarm (TTA), and the integrity risk (IR). Definitions of the following terms were introduced to the maritime users: • Integrity: The ability to provide users with warnings within a specified time when the system should not be used for navigation.

•
Craft autonomous integrity monitoring (CAIM): this is a technique whereby various navigation sensor information available on the craft is autonomously processed to monitor the integrity of the navigation signals.

•
Receiver autonomous integrity monitoring (RAIM): A technique whereby the redundant information available at a GNSS receiver is autonomously processed to monitor the integrity of the navigation signals.

•
Continuity: The probability that, assuming a fault-free receiver, a user will be able to determine position with specified accuracy and is able to monitor the integrity of the determined position over the (short) time interval applicable for a particular operation within a limited part of the coverage area. • IR: The probability that a user will experience a position error larger than AL without an alarm being raised within the specified TTA at any instant of time at any location in the coverage area. • Coverage: The coverage provided by a radionavigation system is that surface area or space volume in which the signals are adequate to permit the user to determine position to a specified level of performance. • Latency: The time lag between the navigation observations and the presented navigation solution.

•
Chart error (CE): Position errors in the chart caused by inaccuracies in surveying and by errors in the reference geodetic system.

•
Navigation system error (NSE): The combined error of the GNSS position estimate (PE) usually referenced to a common consistent reference point (CCRP) and CE: (1) • Vessel Technical Error (VTE): This is the difference between the indicated craft position and the indicated command or desired position. It is a measure of the accuracy the craft is controlled with. Components are cross track error (XTE) and along track error (ATE).

•
Total System Error (TSE): The overall navigation performance can be described by the TSE.
Assuming the contributions to TSE from NSE and VTE are random, the TSE can be described as: • Reliability of a position fix: A measure of the propagation of a non-detected gross error (outlier) in an observation to the position fix. This "external" reliability is usually expressed in terms of marginally detectable error.
The geometric interpretation of (2) is presented in the Figure 1.
Sensors 2020, 19, x FOR PEER REVIEW 4 of 24 • Latency: The time lag between the navigation observations and the presented navigation solution.
• Chart error (CE): Position errors in the chart caused by inaccuracies in surveying and by errors in the reference geodetic system. • Navigation system error (NSE): The combined error of the GNSS position estimate (PE) usually referenced to a common consistent reference point (CCRP) and CE: (1) • Vessel Technical Error (VTE): This is the difference between the indicated craft position and the indicated command or desired position. It is a measure of the accuracy the craft is controlled with. Components are cross track error (XTE) and along track error (ATE). • Total System Error (TSE): The overall navigation performance can be described by the TSE.
Assuming the contributions to TSE from NSE and VTE are random, the TSE can be described as: (2) • Reliability of a position fix: A measure of the propagation of a non-detected gross error (outlier) in an observation to the position fix. This "external" reliability is usually expressed in terms of marginally detectable error. The geometric interpretation of (2) is presented in the Figure 1. There were no additional explanations given to formulas (1) and (2), so for estimation purposes (1) should be treated conservatively as a sum of absolute values, or assuming random contributions from CE and PE, it should be transformed to the form of (2).
A.915 (22) also provided more detailed performance specifications to GNSS onboard equipment (service level parameters), but only as recommendations:  There were no additional explanations given to formulas (1) and (2), so for estimation purposes (1) should be treated conservatively as a sum of absolute values, or assuming random contributions from CE and PE, it should be transformed to the form of (2).
A.915 (22) also provided more detailed performance specifications to GNSS onboard equipment (service level parameters), but only as recommendations: Concluding, A.915 (22) gave grounds for the application of GNSS integrity concept in the maritime domain. Its definition of reliability of position fix was a precursor to the definition of circular protection level (PL) that was concurrently developed by ICAO and RTCA for aviation domain [4] as an upper confidence bound on the error in the position. In order to determine PL value, the 1σ circular bound on the error in the position is derived from augmentation data (assuming multivariate normal distribution) and multiplier of this bound (further called k-factor) is derived from the probability of fault-free missed detection [1, 3,17].
The relations among PL, AL, and PE could be interpreted in the Stanford diagram [4] (see the Figure 2). However, the resolution A.915 (22) has not addressed the issue of the PL algorithm for IR monitoring. (assuming multivariate normal distribution) and multiplier of this bound (further called k-factor) is derived from the probability of fault-free missed detection [1, 3,17]. The relations among PL, AL, and PE could be interpreted in the Stanford diagram [4] (see the Figure  2). However, the resolution A.915 (22) has not addressed the issue of the PL algorithm for IR monitoring. In 2006 the resolution MSC.233(82) [18] on performance standards for shipborne Galileo receiver equipment was adopted. According to this resolution the Galileo shipborne receiver equipment should indicate whether the performance of Galileo is outside the bounds of requirements for general navigation in the ocean, coastal, port approach and restricted waters, and inland waterway phases of the voyage as specified in either resolution A.953 (23) or Appendix 2 to resolution A.915 (22) and any subsequent amendments as appropriate. The receiver equipment should as a minimum: This resolution set the first standards of GNSS subsystem based on A.915 (22) and it has gone a step ahead of GPS and GLONASS performance standards. Nevertheless, it has left the problem of In 2006 the resolution MSC.233(82) [18] on performance standards for shipborne Galileo receiver equipment was adopted. According to this resolution the Galileo shipborne receiver equipment should indicate whether the performance of Galileo is outside the bounds of requirements for general navigation in the ocean, coastal, port approach and restricted waters, and inland waterway phases of the voyage as specified in either resolution A.953 (23) or Appendix 2 to resolution A.915 (22) and any subsequent amendments as appropriate. The receiver equipment should as a minimum: This resolution set the first standards of GNSS subsystem based on A.915 (22) and it has gone a step ahead of GPS and GLONASS performance standards. Nevertheless, it has left the problem of integrity monitoring and alerting algorithms unresolved. Even though in the norm IEC 61108-3:2010 based on MSC.233(82) was issued 2010, no maritime-specific Galileo receivers have been manufactured until now [19].
In 2007 the resolution MSC.252(83) [20] on revised performance standards for integrated navigation systems (INS) was adopted. This resolution stipulates that integrity of information should be checked by comparison of the data derived independently from at least two sensors or sources-if available-and an approved back-up should be available for the following INS sensors and sources: EPFS; heading measurement; speed measurement; radar; chart database. Data which does not pass the plausibility and validity checks with a positive result should not be used by the INS and should not affect functions that are not dependent on these data, unless the relevant performance standards specifically allow use of invalid data.
In 2011 the resolution A.1046(27) on worldwide radionavigation system [21] was adopted. It revoked previous resolution A.953(23) on IMO policy on the recognition and acceptance of suitable radionavigation systems intended for international use. A.1046 (27) contains system-level specifications and has not addressed any integrity algorithms. It also has not referred to A.915(22) explicitly but has implicitly changed the previously recommended 3 h continuity time-range to 15 min and 30 days availability time-range to an indefinite value.
In 2014 the resolution MSC.379(93) [22] on performance standards for shipborne Beidou receiver equipment was adopted. It follows provisions of MSC.233(82) for European Galileo with the exception of safety of life service, which is not provided by Beidou presently.
In 2015 the resolution MSC.401(95) [23] on performance standards for multi-system shipborne radionavigation receivers was adopted. Its aim is to ensure that ships are provided with resilient position-fixing equipment suitable for use with available radionavigation systems throughout their voyage. This resolution generalizes integrity monitoring again by stipulating that the radionavigation equipment should be designed to provide means of integrity monitoring for each position, velocity, timing (PVT) source employed (e.g., RAIM, CAIM); and multi-source autonomous integrity monitoring (envisioned to be a cross-check between independent PVT sources). Later, in 2017, this resolution was amended by MSC.432(98) [24]. The amendment was short but meaningful-referring performance standards to the resolutions on stand-alone shipborne radionavigation receivers: "Type-specific performance standards for stand-alone shipborne radionavigation receivers should be taken into account when conducting type approval for multi-system receivers in accordance with resolution MSC.401(95)." Nevertheless, the MSC 401(95) enabled the full use of relevant data originating from current and future radionavigation services; thus, it allowed SBAS augmentation data processing.
In 2017 Circular MSC.1/Circ.1575 [5] on Guidelines for Shipborne Position, Navigation and Timing Data Processing (PNT DP) was adopted. This circular recommends how PNT integrity should be monitored in the maritime PNT equipment. Firstly, methods and thresholds used by the PNT DP for integrity monitoring should be qualified to evaluate if the supported accuracy level of PNT output data has been achieved or not. Therefore, the accuracy level is proposed as intra-system AL or threshold value to differ between fulfilled and failed requirements on PNT data output. Secondly, the TTA should be the tolerated time span for accuracy evaluation by the PNT DP. Thirdly, it is recommended to manufacturers to predetermine the IR of the applied integrity monitoring methods, taking into account application-relevant time periods under nominal conditions, if practicable. If the PNT-DP supports a redundant provision of PNT and integrity data in relation to the same accuracy level, the IR should be pre-evaluated for application-relevant time periods and provided as configuration parameter to ensure that the most reliable PNT data are selected for output. MSC.1/Circ.1575 also proposed some concepts of: (1) Consistency tests using two sensors or model of ship's movement.
For example six position solutionsh can be determined with the five consistent ranges: the all-in-view solution (Pos AIV ) and the solutions achieved with any set of five ranges. The position error per solution depends on the expected standard deviation of position error and a k expansion factor. The largest distance of an estimated position error (for example σ 4 of the 4th position solution Pos 4 ) to the Pos AIV is determined as protection level: MSC.1/Circ.1575 has addressed the RAIM integrity concept (without delving into probability of different fault detections as elaborated in [25][26][27]) but not the SBAS one. SBAS, and in particular EGNOS capability, is already present in some shipborne receivers. Nevertheless, currently there are neither mature standards nor regulations to define how the vessel has to process SBAS data and in particular to use SBAS for integrity purposes. Non SOLAS (IMO Convention on Safety of Life at Sea, 1974) compliant SBAS-enabled receivers are not standardised, and they make use of SBAS open services with no guarantees. SOLAS ships should not rely on SBAS messages for either accuracy or integrity until the SBAS performance for maritime receivers is properly standardised.
In 2018 DNV GL released autonomous and remotely operated ship guidelines [28]. In appendix D of these guidelines the only stipulation, additional to current IMO regulations regarding EPFS is: "minimum two separate and independent EPFS based on different technologies, both suitable for the area of operations should be part of the grounding avoidance system." The questions that are still valid are: (1) Is that enough? (2) What EPFS integrity metrics should be used?

SBAS-Based Maritime Vessel Protection Area Concept
In 2017, a Maritime Vessel Protection Area (MVPA) concept was introduced by the info note to IMO Navigation, Communication, Search and Rescue Subcommittee [1]. The MVPA was developed from the Horizontal Protection Level (HPL) model defined within the Appendices A and J of the Minimum Operational Performance Standards (MOPS) for airborne equipment [4]. It was based on the broadcast of differential GPS corrections in message types MT1-5,7,9,17-18,24-26 and corresponding integrity data in MT2-6,10,24,26-28 by EGNOS geostationary satellites (PRN120, PRN124, and PRN126). In the present research such a concept has been adopted as well. The input quantities for the GNSS (systems other than GPS will be augmented by EGNOS in near future) integrity algorithm on the user side have been assumed as: (1) Geometry data of GNSS satellites in the form of geometry matrix G of size n × 4: · · · · · · · · · · · · − cos el n sin Az n − cos el n cos Az n − sin el n 1 where el i and Az i are the elevation and azimuth angles between the receiver antenna and the ith satellite (i = 1,2,...,n), and n is the number of visible satellites, respectively. where: σ i,multipath is the estimated multipath error [m] depending on ith satellite elevation el i ; the receiver's properties, and site-specific GNSS signal reflections, which must be locally evaluated (this alone variance cannot be derived from the SBAS message). The airborne reference model of this error can be found in [4] but a universal concept of multipath model in marine environment is still to be developed; σ i,divg is estimated error [m] induced by the steady-state effects (divergence) of shipborne receiver smoothing filter assumed to be equivalent to the one presented in [4]; σ i,noise is estimated error [m] associated with GPS receiver for ith satellite, including receiver noise, thermal noise, interference, inter-channel biases, extrapolation, time since smoothing filter initialization, and processing errors; assumed to be equivalent to the one presented in [4]; On the basis of the input quantities the weight matrix W is built under assumption of uncorrelated, EGNOS corrected measurements characterized by the inverse variances of the distances to the observed satellites. These variances are calculated according to: where, in (7): Finally, the point positioning covariance matrix is found: where: and, finally, the mixed terms (e.g., s EN , etc.) are the co-variances of respective measurements [m 2 ]. A "circular" assessment of the user positioning integrity is derived as the HPL: The rationale for the k coverage factor (or elliptical scale factor) in (10) comes from the assumption of uncertainty normal distributions in both the North and the East directions of position parameters and assumption of integrity risk value defined as the probability that the user will experience a true position outside the HPL and possibly AL without being informed within the TTA. In the simulation study described in the following sections of this paper the k for GNSS maritime equipment has been calculated according to (17) to achieve integrity risk value specific for the operation or area set in [3]. A method developed in [29] has been taken into account as well. In comparison the k for GNSS airborne equipment has been set by RTCA and adopted by ICAO as 6.18 for en-route lateral navigation (LNAV) and 6.0 for navigation with vertical guidance [4].
Such a "circular' HPL of fixed confidence (10) is compared with HAL as shown in Figure 3.
Sensors 2020, 19, x FOR PEER REVIEW 9 of 24 parameters and assumption of integrity risk value defined as the probability that the user will experience a true position outside the HPL and possibly AL without being informed within the TTA. In the simulation study described in the following sections of this paper the k for GNSS maritime equipment has been calculated according to (17) to achieve integrity risk value specific for the operation or area set in [3]. A method developed in [29] has been taken into account as well. In comparison the k for GNSS airborne equipment has been set by RTCA and adopted by ICAO as 6.18 for en-route lateral navigation (LNAV) and 6.0 for navigation with vertical guidance [4]. Such a "circular' HPL of fixed confidence (10) is compared with HAL as shown in Figure 3. The algorithm of the GNSS positioning integrity assessment in maritime domain has been further developed by inclusion of a protection ellipse (PEmr), which is specified by 4 parameters, i.e.,: 1) semi-major axis of the estimated position error ellipse da [m], 2) semi-minor axis of the error ellipse db [m], 3) orientation of the error ellipse Φ, and 4) coverage factor k (see Figure 4).  Figure 4). where: where Φ is a clockwise angle of rotation from North either of the semi-major ellipse's axis (if s E > s N ) or of the semi-minor axis (if s N > s E ); and atan2 is the directed angle arctangent function of arguments (y, x) in Cartesian reference frame. The algorithm of the GNSS positioning integrity assessment in maritime domain has been further developed by inclusion of a protection ellipse (PEmr), which is specified by 4 parameters, i.e.,: 1) semi-major axis of the estimated position error ellipse da [m], 2) semi-minor axis of the error ellipse db [m], 3) orientation of the error ellipse Φ, and 4) coverage factor k (see Figure 4).  The parameters of formulae (12), (13), and (14) are derived from the square root of eigenvalues of the covariance matrix (9) confined to: (14) is the direction of the eigenvector of (15). The probability that the user will experience a true position inside the protection ellipse is conservatively calculated using the addition theorem for the chi-square distribution: and the scale factor: For example, to create a 95% confidence HPL from the 1σ error circle a factor of k ≈ 2.45 (17) should be used; to get a 99.8% confidence HPL a factor of k ≈ 3.53 should be used, and so on. If error-correlation time of 150 s is assumed and treated as integrity epoch correspondingly to aviation standards [4], then a 3 h operation interval recommended by IMO in resolution A.915 [3] will contain 3 × 3600 s/150 s = 72 statistically independent epochs. This gives per-epoch integrity risk probability of: Sensors 2020, 20, 2075

of 25
IR can be relaxed for 15-minute operation interval, as proposed in [21]: It can also be treated conservatively, assuming an error correlation time equivalent to a position update time of 2 s [21] and critical operation time of 3 h: An initial assessment the k factor of 5.62 has been suggested. This corresponds to the integrity risk given by (18).
The "elliptical" presentation of a protection area provides navigator with the extra benefit coming from knowledge of N-E variances and their covariance resulting in changes of the ellipse's orientation and shape. That is why the concept of MVPA has been further developed for Electronic Chart Data Information System (ECDIS) where a vessel is shown as a 2-dimensional spatial object (a model of ship's hull contour) [17]. The detailed mathematical model is as follows.
A geometry of the vessel's contour in the ECDIS display is expressed by the following two observation equations: where: x j , y j are the calculated coordinates of consecutive j points of ship's contour in the body-fixed reference frame (this is fixed to the vessel at the common reference point of aft perpendicular with positive x axis to fore, y axis to starboard, following the convention used in maritime craft hydrodynamics -(see Figure 5); x GPS , y GPS are the coordinates (offsets from 0 at aft perpendicular) of EGNOS augmented GPS receiver antenna in the body-fixed reference frame; x j,N , y j,E are the calculated coordinates of consecutive j points of ship's contour in the local reference frame (ENU); x N , y E are the recorded positions of EGNOS augmented GPS receiver antenna in the local reference frame (ENU); ψ is the heading of vessel counted clockwise from North in the local reference frame (ENU); d j is the jth distance between GPS antenna and jth point of ship's contour; and α j is the jth angle between GPS antenna and jth point of ship's contour counted clockwise from x-axis in the body-fixed reference frame.
xN, yE are the recorded positions of EGNOS augmented GPS receiver antenna in the local reference frame (ENU); ψ is the heading of vessel counted clockwise from North in the local reference frame (ENU); dj is the j th distance between GPS antenna and j th point of ship's contour; and αj is the j th angle between GPS antenna and j th point of ship's contour counted clockwise from x-axis in the body-fixed reference frame. The errors of data in Equations (21) and (22) propagate into the final MVPA according to the Gauss's Error Propagation Law. The systematic errors of xGPS, yGPS, dj, and αj can be minimized to a negligible magnitude by a precise dimensional control. Therefore, only the propagation of other parameters' errors (xN, yE, ψ) is taken into account in the MVPA determination according to the formula: where: Cj,PA is the covariance matrix of derived quantities: The errors of data in Equations (21) and (22) propagate into the final MVPA according to the Gauss's Error Propagation Law. The systematic errors of x GPS , y GPS , d j , and α j can be minimized to a negligible magnitude by a precise dimensional control. Therefore, only the propagation of other parameters' errors (x N , y E , ψ) is taken into account in the MVPA determination according to the formula: where: C j,PA is the covariance matrix of derived quantities:  (21) and (22), excluding x GPS , y GPS due to their negligible errors: C O is the covariance matrix of observations: where: s 2 ψ is the marine vessel heading variance, relevant to the marine-specific attitude/heading equipment (the typical values for marine gyros in transport vessels are in range 0.5-1 • ); and: J j T is the transposed Jacobian matrix (27).
Estimated error of each jth ship's contour point involves the errors of two jointly distributed variables of x j,N and y j,E coordinates. Thus, the positional error follows a bivariate normal distribution. Taking above into account, to fully describe the estimated error of each jth point, it is necessary to determine the orientation Φ j and lengths of the semi-major d j,a and semi-minor axes d j,b of the jth error ellipses according to the formulas analogical to (12)- (14): where Φ j is a clockwise angle of rotation from the ship's body-fixed x-axis either of the semi-major ellipse's axis (if s j,E >s j,N ) or the semi-minor axis (if s j,E <s j,N ). Each of the determined j ellipses are further enlarged to the established confidence level by multiplying d j,a and d j,b by a coverage factor k (17).
Knowing the parameters of uncertainty ellipses (29)-(31) centred in j points of ship's contour the next step is to find the extreme outer points of these ellipses in order to construct the boundary of MVPA ( Figure 6). The algorithm is as follows: The angle βj of the line leading through j and j+1 points (j = 1 is set as j+1 in case of max. j achieved) counted clockwise from x-axis in body-fixed reference frame are determined according to the formula: Tangent points of ellipses with lines of slope βj are determined according to the formulas: The algorithm is as follows: The angle β j of the line leading through j and j+1 points (j = 1 is set as j+1 in case of max. j achieved) counted clockwise from x-axis in body-fixed reference frame are determined according to the formula: Tangent points of ellipses with lines of slope β j are determined according to the formulas: y j,tp x j,tp y j,tn x j,tn = T j, 3 (1, 1) + y j T j, 3 ( where: Φ j,c is the counter-clockwise angle of the jth ellipse rotation to x-axis in standard Cartesian 0xy reference frame, x j,tp , y j,tp, x j,tn , y j,tn are the coordinates [m] of consecutive j tangent points in body-fixed reference frame, the extreme outer points are either x j,tp , y j,tp if β j > 0 or x j,tn , y j,tn if β j ≤ 0. The MVPA is constructed by linear connection of the resultant tangent points as in Figure 7. This way the boundary spline representing the furthest points of ellipses in respect to the ship's hull is found. In order to minimize the linear spline approximation error, the number of tangent points can be increased adding extra tangent lines of slope angles in the range between β j and β j+1 (see Figure 6).

Sensors 2020, 19, x FOR PEER REVIEW 14 of 24
Φj,c is the counter-clockwise angle of the j th ellipse rotation to x-axis in standard Cartesian 0xy reference frame, xj,tp, yj,tp, xj,tn, yj,tn are the coordinates [m] of consecutive j tangent points in body-fixed reference frame, the extreme outer points are either xj,tp, yj,tp if βj > 0 or xj,tn, yj,tn if βj ≤ 0. The MVPA is constructed by linear connection of the resultant tangent points as in Figure 7. This way the boundary spline representing the furthest points of ellipses in respect to the ship's hull is found. In order to minimize the linear spline approximation error, the number of tangent points can be increased adding extra tangent lines of slope angles in the range between βj and βj+1 (see Figure 6). The example of MVPA presented in Figure 7 was based on the following construction data : • Vessel dimensions and 2D contour: derived from shipyard data of m/v "Nawigator XXI", MMSI 261187000; LOA=60.21m, B=10.5m. • Heading: ψ=45°, heading error estimate: sψ=2° (1σ), EGNOS based error estimates of common reference point position of GNSS antenna in fore part: sE=1m, sN=2m, sEN=0.8m 2 ; integrity risk expansion factor k=5.67. In addition to MVPA construction, the most conservative value of HPL is calculated taking into account ship's heading and its uncertainty based on (25), (26), and (29) Example calculation of HPL based solely on GNSS (10) and HPLMVPA (41) for various values of heading error estimations sψ and data as used in Figure 7 is shown in Table 1. The example of MVPA presented in Figure 7 was based on the following construction data : In addition to MVPA construction, the most conservative value of HPL is calculated taking into account ship's heading and its uncertainty based on (25), (26), and (29): Example calculation of HPL based solely on GNSS (10) and HPL MVPA (41) for various values of heading error estimations s ψ and data as used in Figure 7 is shown in Table 1.  3 11.52 11.82 1. 4 11.52 11.89 1. 5 11.52 11.98 1. 6 11.52 12.08 1. 7 11.52 12.21 1. 8 11.52 12.37 1.9 11.52 12.55 2.0 11.52 12.77

Alert Limit Decision Model-Operational Shipborne Position Sensors' Integrity Concept
The proposed shipborne position sensors' integrity concept uses both adaptive safety margins and navigation warning lights concept. Taking this into account, the proposed models are based on the following two assumptions: (1) Protection levels are calculated over time period up to some probability, thus the vessel's body position (unknown true horizontal position of ship's hull whose parameters are latitude, longitude and true heading) is located in an area with a certain confidence (integrity risk). This safety region (MVPA) could provide key support information to the navigator or captain to perform safer operations. (2) VTE estimations and resultant safe manoeuvring area are calculated for specific hydro-meteorological conditions (or their safety-critical limits) on the basis of knowledge of historical statistics of various ships' motion (mean and standard deviation of ship's contour distance from the set route segment or a centre of the fairway coming from simulation studies, automatic identification system AIS or analytical models) in relation to the available water area (safety isobaths or their tangent approximations constructing a virtual adaptive approach channel VAAC).
The methodology of maritime navigation channels parameters determination, which could be directly followed in order to estimate VTE boundary of MASS (either steered remotely or via autopilot), was presented in [30] (Figure 8).
automatic identification system AIS or analytical models) in relation to the available water area (safety isobaths or their tangent approximations constructing a virtual adaptive approach channel VAAC). The methodology of maritime navigation channels parameters determination, which could be directly followed in order to estimate VTE boundary of MASS (either steered remotely or via autopilot), was presented in [30] (Figure 8). Monitoring of ship's position in relation to assumed VTE limit (VTEL) can be treated as verification of ship's proper manoeuvring behaviour. The ship that crosses VTEL misbehaves in Monitoring of ship's position in relation to assumed VTE limit (VTEL) can be treated as verification of ship's proper manoeuvring behaviour. The ship that crosses VTEL misbehaves in terms of conformance to the statistically significant majority of manoeuvres. Since MVPA bound based on GNSS HPL evolves over time, it can be also seen as an adaptive safety margin concept if assessed in relation to assumed VTEL and VAAC (AL). Additionally the system can raise an alarm when the navigation system is providing a solution whose position error bound exceeds certain thresholds (AL) and compromises the safety of ship's operation. The idea of this is that certain alarms/warnings can be triggered either in relation with different AL or service levels linked with IMO A.915 (22) or adaptively as AL changes during route monitoring (VTEL in relation to VAAC, the distance between two never less than AL limits).
In order to determine the minimum and maximum distances of the MVPA to the boundary lines (VTEL and VAAC), the distance d Bj,k to the rectangular projection of the selected MVPA point on the straight line containing the kth section of the boundary line is determined.
where: Because boundary lines are represented in the electronic navigation chart data as an array of points Pk(xk, yk), the coordinates of the rectangular projection point P Bk (x Bk , y Bk ) are found as a result of solving the system of equations: To determine whether the P Bk point found is actually contained in the kth segment, and not only in the straight line passing through it, the following condition is checked: When conjunction of the alternative (44) is false, the correct kth section of the boundary line and P Bk have been found. Otherwise, calculations are made for the next k + 1 segment. The formulae (42)-(45) can be followed accordingly in case of other distances calculation (between lines of VTEL and VAAC, two VAACs etc.).
The following six situations can occur depending on HPL MVPA and AL values, and MVPA position in relation to VTEL and VAAC during passage of one way water channel. In all these situations AL is set adaptively as the lowest distance between VTEL and VAAC predicted ahead in time range up to 6min. The 6min value has been based on expert knowledge as advised in [20].
(1) Safe operation with green light: HPL < AL, MVPA inside VTEL. This is a situation where a ship can safely follow her planned route (Figure 9). Both GNSS and the ship's heading data can be trusted, and their accuracy is contained within the safety limit (no HPL alert), and ship's manoeuvring / technical error is contained within safety limit (no VTE alert, d Bk > 0) as well. HPL alert), and ship's manoeuvring / technical error is contained within safety limit (no VTE alert, dBk > 0) as well. Figure 9. Safe operation in a one-way waterway, conceptual presentation in ECDIS.
(2) A warning is raised by yellow/orange light named HPL: HPL ≥ AL.
There is not any VTE alert (dBk>0) but HPL is triggered due to its high value exceeding AL. A vessel should steer with utmost caution as GNSS positioning-although available-is not reliable enough ( Figure 10). Other means of positioning should be used. (2) A warning is raised by yellow/orange light named HPL: HPL ≥ AL.
There is not any VTE alert (d Bk > 0) but HPL is triggered due to its high value exceeding AL. A vessel should steer with utmost caution as GNSS positioning-although available-is not reliable enough ( Figure 10). Other means of positioning should be used. Figure 9. Safe operation in a one-way waterway, conceptual presentation in ECDIS.
(2) A warning is raised by yellow/orange light named HPL: HPL ≥ AL. There is not any VTE alert (dBk>0) but HPL is triggered due to its high value exceeding AL. A vessel should steer with utmost caution as GNSS positioning-although available-is not reliable enough ( Figure 10). Other means of positioning should be used. (3) A warning is raised by yellow/orange light named VTE: MVPA outside VTEL. VTE alert is triggered (dBk≤0) while HPL is within AL. The navigator is warned that he/she steered the vessel outside the path followed by other similar ships. He/she can expect only small (3) A warning is raised by yellow/orange light named VTE: MVPA outside VTEL.
VTE alert is triggered (d Bk ≤ 0) while HPL is within AL. The navigator is warned that he/she steered the vessel outside the path followed by other similar ships. He/she can expect only small safety margin coming from the AL value, but the situation can evolve to the one numbered 5). A vessel should steer to the route centred inside VTEL as soon as practically possible ( Figure 11).
Sensors 2020, 19, x FOR PEER REVIEW 18 of 24 safety margin coming from the AL value, but the situation can evolve to the one numbered 5). A vessel should steer to the route centred inside VTEL as soon as practically possible ( Figure 11). Figure 11. Warning of VTE raised, conceptual presentation in ECDIS.
(4) An alarm is raised by a red light: HPL ≥ AL, MVPA outside VTEL. Both VTE (dBk≤0) and HPL alerts are triggered. Further operation (proceeding via fairway based on GNSS) is not permitted (Figure 12). Other means of positioning should be used and then the vessel should steer back to route inside VTEL as soon as practically possible. (4) An alarm is raised by a red light: HPL ≥ AL, MVPA outside VTEL.
Both VTE (d Bk ≤ 0) and HPL alerts are triggered. Further operation (proceeding via fairway based on GNSS) is not permitted (Figure 12). Other means of positioning should be used and then the vessel should steer back to route inside VTEL as soon as practically possible. Figure 11. Warning of VTE raised, conceptual presentation in ECDIS.
(4) An alarm is raised by a red light: HPL ≥ AL, MVPA outside VTEL. Both VTE (dBk≤0) and HPL alerts are triggered. Further operation (proceeding via fairway based on GNSS) is not permitted (Figure 12). Other means of positioning should be used and then the vessel should steer back to route inside VTEL as soon as practically possible. (5) An alarm is raised by a red light: MVPA outside VTEL, and distance between MVPA and VTEL exceeds AL. VTE alert is triggered (dBk≤0) and |dBk≥AL|. The vessel should steer back to route inside VTEL immediately as there is no safety margin left several minutes ahead. Situation can become critical in     During passage of two-way water channel the proposed user integrity concept uses the adaptive safety margins and the navigation traffic lights concept in analogy to a one-way waterway, but taking into account individual VAACs and VTELs specific to each vessel (see Figure 15). For passing ships an additional safety distance is considered -minimum distance between their specific VAACs (dVAAC). The total available water area is equal to the sum of two VAACs widths and a minimum distance between those.
In Figure 15 situation where two passing ships can follow safely their planned routes is presented. In such a case extra distance of dVAAC in the waterway straight segment (designed for passing manoeuvres) is taken into account (calculated according to (41)-(44) of minimum value as advised in [30])). During passage of two-way water channel the proposed user integrity concept uses the adaptive safety margins and the navigation traffic lights concept in analogy to a one-way waterway, but taking into account individual VAACs and VTELs specific to each vessel (see Figure 15). For passing ships an additional safety distance is considered -minimum distance between their specific VAACs (dVAAC). The total available water area is equal to the sum of two VAACs widths and a minimum distance between those.
Sensors 2020, 19, x FOR PEER REVIEW 20 of 24 Figure 15. Safe operation in a two way waterway, conceptual presentation in ECDIS.

Simulation Tests
Two simulation scenarios were developed in order to determine the impact of the integrity concept for MASS position sensors on the safety of navigation.
Scenario 1: Operational passage of container vessel through a straight line section and a bend of a fairway in fixed hydrometeorological conditions. Navigation is based on standard ECDIS functionalities. Position errors are forced at the passage start: systematic directional error of position is continuously increased. Simulation of steady position drift in one direction. Scenario 2: Operational passage of container vessel through a straight line section and a bend of a fairway in fixed hydrometeorological conditions corresponding to scenario 1. Navigation is based on ECDIS with all position integrity functionalities enabled. Position errors are forced at the passage start: systematic directional error of position is continuously increased. Simulation of steady position drift in one direction.
Both scenarios tested the performance of MASS remote operator/controller in group of 20 experienced navigators (master mariners and pilots) during evolving GNSS signal degradation that could be expected as a result of propagation problems in restricted water areas or even deliberate In Figure 15 situation where two passing ships can follow safely their planned routes is presented. In such a case extra distance of dVAAC in the waterway straight segment (designed for passing manoeuvres) is taken into account (calculated according to (41)-(44) of minimum value as advised in [30])).

Simulation Tests
Two simulation scenarios were developed in order to determine the impact of the integrity concept for MASS position sensors on the safety of navigation.
Scenario 1: Operational passage of container vessel through a straight line section and a bend of a fairway in fixed hydrometeorological conditions. Navigation is based on standard ECDIS functionalities. Position errors are forced at the passage start: systematic directional error of position is continuously increased. Simulation of steady position drift in one direction. Scenario 2: Operational passage of container vessel through a straight line section and a bend of a fairway in fixed hydrometeorological conditions corresponding to scenario 1. Navigation is based on ECDIS with all position integrity functionalities enabled. Position errors are forced at the passage start: systematic directional error of position is continuously increased. Simulation of steady position drift in one direction.
Both scenarios tested the performance of MASS remote operator/controller in group of 20 experienced navigators (master mariners and pilots) during evolving GNSS signal degradation that could be expected as a result of propagation problems in restricted water areas or even deliberate spoofing. An increasing error in north direction was simulated. Figure 16 shows the real position of the ship (green outline) and the calculated position that was presented to the navigator (blue outline). Each case resulted in ship's grounding when system without functionalities of PNT data integrity was used (position marked in red). Figure 15. Safe operation in a two way waterway, conceptual presentation in ECDIS.

Simulation Tests
Two simulation scenarios were developed in order to determine the impact of the integrity concept for MASS position sensors on the safety of navigation.
Scenario 1: Operational passage of container vessel through a straight line section and a bend of a fairway in fixed hydrometeorological conditions. Navigation is based on standard ECDIS functionalities. Position errors are forced at the passage start: systematic directional error of position is continuously increased. Simulation of steady position drift in one direction. Scenario 2: Operational passage of container vessel through a straight line section and a bend of a fairway in fixed hydrometeorological conditions corresponding to scenario 1. Navigation is based on ECDIS with all position integrity functionalities enabled. Position errors are forced at the passage start: systematic directional error of position is continuously increased. Simulation of steady position drift in one direction.
Both scenarios tested the performance of MASS remote operator/controller in group of 20 experienced navigators (master mariners and pilots) during evolving GNSS signal degradation that could be expected as a result of propagation problems in restricted water areas or even deliberate spoofing. An increasing error in north direction was simulated. Figure 16 shows the real position of the ship (green outline) and the calculated position that was presented to the navigator (blue outline). Each case resulted in ship's grounding when system without functionalities of PNT data integrity was used (position marked in red). When the ECDIS with PNT integrity functionalities was used it presented MVPA and warnings calculated in real time ( Figure 17). As a result, the navigator was informed when the position error was too large, and the safe navigation was no longer possible. In this case an emergency stop manoeuvre had to be performed ( Figure 18) and the passage could only be continued when the quality of GNSS signal improved. When the ECDIS with PNT integrity functionalities was used it presented MVPA and warnings calculated in real time ( Figure 17). As a result, the navigator was informed when the position error was too large, and the safe navigation was no longer possible. In this case an emergency stop manoeuvre had to be performed ( Figure 18) and the passage could only be continued when the quality of GNSS signal improved. Figure 16. Example of 4 passages of the MASS with simulated GNSS signal deterioration -without integrity data presentation in ECDIS.
When the ECDIS with PNT integrity functionalities was used it presented MVPA and warnings calculated in real time ( Figure 17). As a result, the navigator was informed when the position error was too large, and the safe navigation was no longer possible. In this case an emergency stop manoeuvre had to be performed ( Figure 18) and the passage could only be continued when the quality of GNSS signal improved.   When the ECDIS with PNT integrity functionalities was used it presented MVPA and warnings calculated in real time ( Figure 17). As a result, the navigator was informed when the position error was too large, and the safe navigation was no longer possible. In this case an emergency stop manoeuvre had to be performed ( Figure 18) and the passage could only be continued when the quality of GNSS signal improved.

Conclusions
The SBAS based model of MASS position sensors data integrity has been elaborated in the paper. The proposed concept of PNT integrity data presentation uses both adaptive safety margins and navigation warning lights. It is based on horizontal protection level model after its modification to elliptical representation and taking into account ship's dimensions, heading and their accuracy. Vessel technical error limits and virtual approach adaptive channel, whose methodology was based

Conclusions
The SBAS based model of MASS position sensors data integrity has been elaborated in the paper. The proposed concept of PNT integrity data presentation uses both adaptive safety margins and navigation warning lights. It is based on horizontal protection level model after its modification to elliptical representation and taking into account ship's dimensions, heading and their accuracy. Vessel technical error limits and virtual approach adaptive channel, whose methodology was based on [30], complement this concept. The first tests confirmed usefulness of the developed methodology. It was proved that in case of the slow deterioration of position accuracy the activation of warning informing about abnormal functioning of position system/sensors would assist navigators in effective actions to avoid grounding.
It is anticipated that such functionalities as GNSS integrity monitoring will soon become compulsory on maritime vessels approved for electronic navigation in coastal waters, narrow passages, harbour approaches, port and limited depth areas and they will be embedded in next generation autonomous surface ships (MASS). However, monitoring of position sensors integrity becomes necessary even nowadays on board classic transport vessels as deliberate spoofing or intentional and incidental jamming is quite probable. Because of these identified vulnerabilities and users' needs for more reliable position the maritime GNSS integrity standards should be developed taking into account specifics of the elaborated concept. The potential of presented solutions for navigation safety improvement coming from navigator's better situation awareness (especially for operations performed in restricted visibility) seems to be evident.
The future research should prove benefits of the presented shipborne position sensors' integrity concept either via further simulation trails in full mission bridge simulator with SBAS functionality [31] or real test-beds.