S2.7 - Integrity Monitoring & Authentication
Track: Resilience & Robustness
Thursday, April 30, 2026
10:00 AM - 11:20 AM
Plenary room L1-3
Speaker
Mr. Fulgencio Buendia
Technical Leader
GMV
Integrity monitoring and built-in test functions for a LEO-PNT signal generator engineering model
Abstract text
This paper presents the RF Signal-in-Space (SiS) Integrity capabilities developed for the GMV engineering model of the LEO-PNT Signal Generator within the framework of the LEOSG project, funded by the European Space Agency (ESA) in the frame of the NAVISP program. The LEOSG initiative aims to design and prototype a next-generation LEO-based PNT signal generator capable of supporting enhanced navigation performance and resilient service provision. In this context, the development of robust Integrity functionalities is essential to ensure that the transmitted RF signal remains reliable, consistent, and aligned with mission safety requirements.
A key pillar of the LEOSG design approach is the systematic application of RAMS (Reliability, Availability, Maintainability and Safety) engineering processes. These processes have driven architectural decisions and implementation strategies to ensure both the reliability of the generator and the integrity of RF transmission. The paper provides a detailed overview of how the RAMS analysis has shaped the system design, including the identification of Feared Events, the derivation of safety and integrity requirements, and the definition of mitigation strategies. This Reliability-by-design approach is particularly well suited for preparing a smooth transition from an engineering model towards an EQM development.
Special emphasis is placed on the RF integrity monitoring capabilities embedded in the signal generator, as well as on its Built-In Test (BIT) functionalities. Together, these capabilities enable real-time detection, classification, and warning of anomalies that could compromise the Signal-in-Space, thus ensuring timely reaction and preserving service trustworthiness. The paper also presents the preliminary qualification process, highlighting the verification activities and test campaigns performed to validate the integrity functions.
Biography
Fulgencio Buendía is a Technical Lead in the ILS&RAMS department of GMV. Fulgencio holds a Bachelor’s Degree in Physics and an MSc in Electronic Engineering, both from the University of Valladolid, in Spain. Since joining GMV in 2006, he has contributed to projects across various domains, including Defence, Transportation, and Space. His current focus is on the GNSS & Space products ensuring Safety and Integrity. He has been the Safety Manager of several projects involving GNSS and hybridization technologies, Integrity algorithm design and SBAS services.
Mr. Sam Bekkers
R&D Engineer Navigation
Netherlands Aerospace Center
Integrity monitoring through uncertainty modelling and fault detection in visual SLAM-based navigation
Abstract text
This work addresses the integrity of a navigation solution based on visual Simultaneous Localisation and Mapping (SLAM). Despite the significant advances in SLAM research, integrity monitoring remains a crucial aspect for safety-critical applications in the field of navigation. While some research has been conducted on Extended Kalman Filter (EKF)-based SLAM approaches, literature shows limited documentation of research towards integrity monitoring of graph optimization techniques. This work follows up on previous work on integrity monitoring for SLAM approaches where this gap is bridged [1].
This work investigates both the estimation of uncertainty of a visual odometry algorithm, building on existing literature [2], as well as the evolution of pose uncertainties in SLAM solutions based on Factor Graph Optimization (FGO). The structure of the factor graph is influenced by various aspects, such as the number of fused sensors or the presence of loop closures, which in turn strongly affects the propagation of uncertainty along the trajectory. In SLAM problems, loop closures are exploited to correct for the position drift that builds up over time, which is inherent to all relative positioning solutions. Additionally, loop closures reduce the uncertainty on affected states due to the additional measurement information, overly constraining the factor graph. By analysing marginal distributions which reflect the uncertainty on state variables, protection levels can be calculated. Fusing visual SLAM with inertial measurements decreases the covariance of the marginal distributions on individual poses. This work demonstrates that combining sensor fusion with the impact of loop closures for drift correction and uncertainty reduction allows for tighter protection levels, which subsequently increases an integrity monitoring algorithm’s capability to detect faulty GNSS measurements. This information is used to propose a Fault Detection & Exclusion (FDE) scheme designed for various spoofing scenarios and to estimate minimal detectable spoofing effects. The FDE scheme is similar to an FGO-based integrity monitoring scheme based on GNSS only [3], but extends to incorporate visual and inertial measurements.
The effectiveness of the described approach is evaluated through simulated and real-world experiments, demonstrating the ability to accurately model the propagation of a visual SLAM system’s uncertainty over time. The influence of a loop closure on the uncertainty in the complete trajectory estimation is demonstrated, which leads to tighter protection levels. The results of this research contribute to the development of more robust and trustworthy SLAM systems, enabling their deployment in safety-critical applications and ensuring timely warning of users when integrity is lost.
[1] Bekkers, S.; Engwerda, H. A Framework for Integrity Monitoring for Positioning through Graph-based SLAM Optimization, in Proceedings of the European Navigation Conference 2025, Wrocław, 21–23 May 2025.
[2] Anderson, M; Willis, A; Brink, K. Real-Time Visual Odometry Covariance Estimation for Unmanned Air Vehicle Navigation, 2019, in Journal of Guidance, Control and Dynamics 42(4):1-17, DOI:10.2514/1.G004000.
[3] Xia, X; Wen, W; Hsu, L. Integrity-constrained Factor Graph Optimization for GNSS Positioning in Urban Canyons, in NAVIGATION: Journal of the Institute of Navigation, September 2024, 71 (3) navi.660; DOI:10.33012/navi.660
Biography
Sam Bekkers is an R&D Engineer Navigation at the Netherlands Aerospace Center with a background in Robotics. His work primarily focuses on alternative navigation through computer vision and SLAM, both for a single drone's navigation capabilities as well as for a collaborative navigation mission in cooperative robotics. The work discussed in this presentation follows up on last year's presented work and investigates the integrity of these alternative navigation solutions.
Mr. Guillermo Ortas
GNSS Engineer
GMV
A Secure PNT Framework: OSNMA & Ranging Authentication with multi-layer Cross-Checks for Robustness against Spoofing
Abstract text
This work extends the scope of a Multi-Layer PNT tool to cover new techniques, with focus on spoofing detection and mitigation. More specifically, it covers the support of OSNMA and ACAS, the implementation of cross-checks for PVT assurance on three different levels, and the implementation of a new module called Spoofing Emulation and Impact Evaluation Tool (SEIT).
The Multi-Layer PNT (MLPNT2) is an ESA development framework for the implementation and assessment of advanced and robust PVT engines, solutions and/or techniques representative of mass-market receivers, focusing on the operation in harsh propagation conditions. The MLPNT2 tool is used to give the user insight into the effect of different estimator settings on the PVT accuracy. This tool is the starting point on which the new functionality is based, summarized as follows:
The OSNMA service, if and when the satellites support it, is used continuously to provide authentication to the navigation messages.
The Assisted Commercial Authentication Service (ACAS) has been implemented in a snapshot manner, generating measurements directly from recordings, and a PNT solution can be computed using only encrypted PRNs.
Multiple methods have been considered and implemented to shield the PVT solution against meaconing or spoofing attacks, consisting of a few cross-checks at signal level, measurement level, and PVT level. There are a few cross-checks in each of the three categories.
A powerful spoofing emulation tool has been implemented to give the user the ability to modify and/or generate observables at will, consistent with a desired trajectory, emulating a spoofing attack with high flexibility.
Finally, an impact evaluation module was created, powering the creation of a comprehensive report in PDF format containing the results of the scenario/simulation and many PVT metrics.
These newly implemented features (OSNMA, ACAS, Cross-checks and SEIT module) have been tested on a few different scenarios, including some of the companion test scenarios already included with the tool, and some new ones created with the specific purpose of testing the new functionality.
One of the most remarkable results was that the cross-checks were able to reject spoofed measurements and compute the correct trajectory in spite of spoofing being present on all bands and signals, based on a spoofing scenario created using SEIT with a very smooth position drift.
Biography
Guillermo Ortas is a telecommunications engineer holding a master’s degree in Electrical Engineering from the Delft University of Technology. With experience in embedded systems, RF, electronics and Digital Signal Processing, he joined GMV in Madrid in early 2021 to work on GNSS, in particular joining the team of the advanced navigation solutions division within the user segment. Taking part in the development of a Galileo 2nd generation receiver among other projects, he has been technically involved with navigation algorithms, signal analysis and performance assessment, as well as signal processing.
Dr. Cillian O'Driscoll
Director
Cillian O'Driscoll Consulting Ltd
Field Testing Galileo SAS with the Nautilus Authentication Platform
Abstract text
GNSS spoofing attacks, once considered to be unlikely, are now becoming more commonplace. Legacy GNSS signals are particularly vulnerable, as they are completely defined by their respective Interface Specification (IS) documents and can be fully reproduced by a sufficiently capable attacker.
This vulnerability can be significantly reduced by the introduction of unpredictable but verifiable elements into the signals. Galileo has already introduced the Open Service Navigation Message Authentication (OSNMA) service, which generates authentication tags for parts of the Galileo navigation message stream and transmits them in the E1 I/NAV message.
Galileo is also in the process of implementing the Signal Authentication Service (SAS). SAS operates by fully encrypting the Galileo E6C pilot signal. With this encryption it becomes impossible for an attacker to generate the authentic E6C signal in advance. However, it is also impossible for any user without the private key used in the encryption process to verify that the signal is authentic. In other words, the unpredictability has been obtained, but how to manage verifiability? This problem has been solved in SAS by the provision of so-called Re-Encrypted Code Sequences (RECS), which are sub-sequences of the future encrypted E6C spreading code, i.e. Encrypted Code Sequences (ECS), that are re-encrypted with a future OSNMA TESLA key that will be broadcast after the ECS. SAS operates by sharing these RECS in advance of the broadcast of the associated ECS. The user receiver must then perform the following steps:
1) Obtain the desired RECS
2) Record snapshots of the received signal corresponding to the time periods during which the encrypted chip sequences (ECS) from which the RECS are derived are transmitted
3) Upon receipt of the corresponding TESLA key, decrypt the RECS, correlate the resulting ECS with the stored snapshot and detect (or not) the presence of these authenticated ECS in the received signal.
On December 3rd 2025, the first steps towards the implementation of Galileo SAS in the signal in space were taken, when the E6C signals of both PRN 14 and PRN 18 were permanently encrypted. In parallel, it is planned to operate an implementation of the RECS generation facility to enable live-sky testing of the SAS concept using these satellites. While the RECS generation facility is not yet active, this is expected to change by Q1 2026.
Once the RECS become available, a test campaign is planned using the Nautilus navigation authentication platform, originally developed under contract to the European Space Agency (ESA). This platform is capable of performing all the SAS operations in real time.
The accuracy and stability of the snapshot synchronization to the GNSS measurements has already been evaluated, and the entire chain has been tested using mock RECS data. Once access to the real RECS becomes available, then test campaigns are planned, including static open sky and vehicular scenarios. The paper will describe in detail the processing strategy employed, observations on the storage and processing requirements needed to implement SAS within the Nautilus platform and an analysis of the signal authentication results obtained.
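The three receiver steps listed in this abstract (obtain RECS, record a snapshot, then decrypt and correlate once the TESLA key is disclosed) can be illustrated with a toy model. This is an added example, not code from the Nautilus platform or the Galileo SAS specification: the SHA-256 counter-mode keystream stands in for the real re-encryption, and the chip count, signal amplitude and 5-sigma threshold are constructed values.

```python
import hashlib
import math
import random

N_CHIPS = 4096  # constructed ECS length, not a Galileo parameter


def keystream_bits(key, n):
    """Stand-in keystream (SHA-256 in counter mode); not the real SAS cipher."""
    bits, counter = [], 0
    while len(bits) < n:
        block = hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        bits.extend((byte >> i) & 1 for byte in block for i in range(8))
        counter += 1
    return bits[:n]


def xor_with_key(bits, key):
    """Re-encrypt an ECS into a RECS, or decrypt a RECS back (XOR is symmetric)."""
    return [b ^ k for b, k in zip(bits, keystream_bits(key, len(bits)))]


def snapshot(chip_bits, amplitude, rng):
    """One sample per chip: BPSK chips (+1/-1) buried in unit-variance noise."""
    return [amplitude * (1 - 2 * b) + rng.gauss(0.0, 1.0) for b in chip_bits]


def correlation_metric(ecs_bits, samples):
    """Normalised correlation; roughly N(0, 1/N) when the ECS is absent."""
    dot = sum((1 - 2 * b) * s for b, s in zip(ecs_bits, samples))
    energy = sum(s * s for s in samples)
    return dot / math.sqrt(len(samples) * energy)


def authenticate(recs, disclosed_key, samples, n_sigma=5.0):
    """Step 3: decrypt the RECS with the disclosed key, correlate, threshold."""
    ecs = xor_with_key(recs, disclosed_key)
    metric = correlation_metric(ecs, samples)
    return metric > n_sigma / math.sqrt(len(samples)), metric


def run_demo(seed=7):
    rng = random.Random(seed)
    tesla_key = bytes(rng.getrandbits(8) for _ in range(16))  # disclosed later
    ecs = [rng.getrandbits(1) for _ in range(N_CHIPS)]        # known to system only
    recs = xor_with_key(ecs, tesla_key)                       # step 1: fetched early
    # Step 2: snapshots are recorded before the receiver can read the ECS.
    genuine = snapshot(ecs, 0.3, rng)
    guess = [rng.getrandbits(1) for _ in range(N_CHIPS)]      # spoofer cannot predict ECS
    spoofed = snapshot(guess, 0.3, rng)
    return {
        "genuine": authenticate(recs, tesla_key, genuine)[0],
        "spoofed": authenticate(recs, tesla_key, spoofed)[0],
        "wrong_key": authenticate(recs, bytes(16), genuine)[0],
        "roundtrip": xor_with_key(recs, tesla_key) == ecs,
    }


if __name__ == "__main__":
    print(run_demo())
```

The RECS is useless to anyone until the key is disclosed, and by then the snapshot is already stored, which is why a signal built from a guessed chip sequence fails the correlation test.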
Biography
Cillian O’Driscoll received his Ph.D. degree from the Department of Electrical and Electronic Engineering, University College Cork, Ireland. He has been working in satellite navigation and related fields since 2001. He is currently an independent consultant, specializing in signal processing for wireless positioning and timing.