Final report v 3.0_07 _07_06 - CiteSeerX

QINETIQ/06/00039 30

6 Hardware and software development of the demonstrator system – (Work Package 5)

6.1 Overview

A key part of AMS project was the design and build of three demonstration units to de-risk key technologies that will be required for the final deployed system and for Ofcom to use for their own trials. The aim was to combine new technology with conventional features available in current systems.

Figure 6.1 The AMS demonstrator unit

As the AMS demonstrator system has been built as a proof of principal of the final system it was reasonable that it should be built with the same overall system layout. Hence the demonstrator is a “one box” design (refer to section 5.4 for discussion on the benefits).

QINETIQ/06/00039 Page 131

Figure 6.2, Demonstrator architecture

6.2 Component Layout

For portability and protection of the components the demonstrator was built into a transit case type 19” rack unit (see Figure 6.1. In order to keep the overall size small it was important to keep all components as compact and closely mounted as possible. The digitiser card chosen is a PCI device, so this fits directly into the pc. All other components, apart from the antennas, are within a custom made “RF tray”, designed and built by TRL.

GPS UNIT

(Trimble Thunderbolt)

ANTENNA SWITCH

PC

(AMC)

ADC CLOCK

TRL

COMMS

BROADBAND

DIGITISER

(Echotek GC314)

RECEIVER

(TRL MRX)

PCI

NETWORK

IF

RF

102MHz

10MHz

10MHz

LOW BAND ANTENNA

HIGH BAND ANTENNA

1pps


Figure 6.3, Internal Layout

6.3 Component parts

The following section discusses the design decisions and selection of the individual component parts that make up the AMS Demonstrator.

6.3.1 PC

A PC was required to process the data acquired by the digitiser and to act as a user interface. The two main requirements on the pc were sufficient processing power, and small size.

The actual processing requirements of the pc were still something of unknown. However, signal detection and modulation classification are both very processor intensive, so it was logical to get the fastest computers practical. At the time this suggested using a dual Xeon processors motherboard which could run at up to 3.6 GHz.

GPS UNIT

IF

RF 10MHz

1pps

PC

AMC

SINGLE TRL RECEIVER

ANTENNA SWITCH

10MHz

102MHz

LIGHTENING PROTECTION RF TRAY

ADC CLOCK

TRL

DIGITISER

PC

PC

AMC

PC MOTHERBOARD

NETWORK


The smallest computers that can still house the digitiser card are the so called “shoe box” computers. However, these tend to be of limited performance (laptop type processor rather than ATX), and have the added disadvantage that they are not designed for secure mounting within a rack. Hence these were not considered to be a viable option.

Conventional desktop computers were considered not suitable because of their size and the difficulty of securely mounting them.

This left us with the 19” rack mount computer. These come in a variety of sizes from numerous manufacturers. However, these were quickly cut down as most did not supply the dual Xeon motherboards. Two manufacturers offered promising looking solutions: Kontron and AMC (Advanced Modular Computers). The specification and price of each system was very similar. The main difference was in the size of the unit. AMC’s unit is only 14” long compared to Kontron’s 18” unit. As the PC is the largest component in the housing it means a significant saving in the overall size of the unit.

The following points summarise the specification of the AMC computer:

• AMC-236 2U Dual Xeon server with 460W power supply,

• Installed in the system is a dual Xeon motherboard with an Intel E7520 chipset, dual Ethernet port, 2xSATA ports, ATI graphics onboard,

• Installed on the board are 2 x 3.2 Xeon (800FSB) processors,

• Fitted with 1Gbyte of memory, DVD writer, 160 Gbyte hard disk drive.

Figure 6.4, AMC rack mount PC chassis


6.3.2 Receivers

The AMS receiver is required to provide wide frequency coverage, wide instantaneous bandwidth and fast tuning performance, both to accommodate wide bandwidth signals and to achieve a fast spectrum scan revisit time.

TRL’s MRX3500 receiver provides an input of 40MHz bandwidth to the ADC with an instantaneous two tone in-band dynamic range of 75dB, capable of operation with a total signal power of up to -40 dBm in the selected bandwidth at the antenna input. Once input signal power exceeds -40dBm, attenuators are automatically switched in to prevent overloading the ADC input. This reduces the sensitivity of the receiver by moving the available 75dB instantaneous dynamic range up to the level required to process the increased signal power. It is a compact, low power unit (Figure 6.5) that can easily be integrated into the RF tray.

• This receiver covers the frequency range 20MHz to 3000MHz and provides an instantaneous IF output of 40MHz bandwidth.

• The 10kHz to 30MHz band is amplified before being output for digital conversion in the first Nyquist zone of the ADC. In the 30MHz to 3.5GHz band the receiver outputs the selected 40MHz bandwidth to the second nyquist zone of the ADC. As the receiver is tuned across the band, switchable input pre-selection filters are automatically selected to provide protection against strong out of band signals.

• The receiver is controlled over an RS232 serial link operating in conjunction with discrete IO lines for high speed hopping synchronisation.

Figure 6.5, TRL MRX 3500


6.3.3 Digitiser

The digitiser captures IF signals from the receiver and converts them to a binary format for processing.

The digitiser is required to work in two modes. It needs to have a wideband mode for rapid scanning signal detection, and a narrowband mode for modulation identification and location processing.

The narrow band signal could be derived from a wideband signal by DSP on the computer, but this was not considered to be a good option as it would increase the work load on the PC, and would not be sustainable across the PCI bus for anything other than a very short sample.

The TRL receivers use an IF of 76.8MHz. To position this in the centre of the sampling band, the IF should be SR/4, 3SR/4, 5SR/4… etc where SR denotes the digitiser sampling rate. So, for this IF a sampling rate of approximately 102.4MHz is most appropriate.

The Echotek ECDR-GC314-FS-PCI (Figure 6.6) was the only digitiser identified to have this functionality. More specifically it was the only digitiser available than could simultaneously provide a wide band and a narrow band mode. A further advantage was that it has a wideband receiver module that will provide IQ data rather real data for the 40MHz bandwidth which helps to reduce the workload on the PC. Other key features include:

• Eight digital receiver channels,

• Graychip 4016, channels can be combined to give wider bandwidths,

• Two analogue inputs. Uses AD6645 (14bit, 105MHz),

• FIFO depth of 16k complex samples per receiver channel,

• Uses 64 bit PCI bus to maximise data throughput.


Figure 6.6, Echotek ECDR-314-FS-PCI

6.3.4 GPS

The key to successful TDOA processing is synchronising capture of data between the sensors. This means accurate timing, and an accurate frequency reference. GPS was the obvious way to achieve this.

The GPS supplies:

• a 10MHz reference to the receiver such that all system units measure the same frequency,

• a 10MHz reference to the digitiser ADC clock generator such that all units sample at the same rate,

• a 1 pulse per second (1pps) to allow all system units to perform data acquisition at the same time,

• unit positions for registration and location processing purposes.

A timing error of 20ns is achievable by reasonably priced COTS GPS units. This equates to a location error of approximately 10m. This was a reasonable level to aim for.

The Thunderbolt made by Trimble (Figure 6.7) meets this requirement, and has the necessary 10MHz and 1pps timing outputs. Furthermore it is a unit that has been used before within the department. It is controlled over RS232 using a binary message format.


Figure 6.7, Trimble Thunderbolt

A 102.4MHz sampling clock shall be incorporated within the RF tray, with emphasis on the extremely low jitter requirement of sub 0.5ps, which is needed to achieve the full dynamic range of the ADC’s of the interfacing equipment. The sampling clock output port will be matched to a 50Ω system.

6.3.5 ADC Clock

The ECDR-314-PCI does have an internal clock, but this is low quality, and cannot take an external reference. Hence an external clock source must be used to provide the digitiser with its sampling clock. To achieve full dynamic range of the 14 bit ADC at 102MHz the jitter should be below 0.5ps.The original design, as shown in the Ofcom proposal used an Atlantec synthesiser module. However, these were considered to be of insufficient quality to make best use of the ADC’s, so instead TRL have used their own clock based on a crystal controlled oscillator.

6.3.6 Device Control

Both the receiver and the GPS use RS232 for control and monitoring, Additionaly, the receiver uses TTL for triggering a retune when in scan mode, and for monitoring retune status.

To minimise the connections between the RF unit and the PC, and single USB cable was used, and the other standards were derived from this.

6.3.7 RS232

Easysync make a compact USB - two port RS232 adaptor (Figure 6.8). This comes with an instrument driver that maps the new ports onto a COMx port such that it can be controlled as if it is a standard port within the PC.


Figure 6.8, Easysync USB to RS232 adaptor

6.3.8 TTL

The receiver uses two TTL lines for controlling its scan mode. In addition, TTL lines are required for the antenna switch and for driving status LEDs on the front panel. TTL inputs have also been used for monitoring the status of the receivers, GPS, and clock. etc.

Figure 6.9 shows a suitable unit produced by Velleman.

Figure 6.9, USB digital input/output Card


6.4 The RF tray overview

The RF Tray mentioned in section 6.2 was designed and built produced by TRL Technology. The module comprises of a broadband receiver (MRX 3500), sampling clock generator, antenna lightning protection, antenna switching, off the shelf GPS receiver, off the shelf mains PSU. This module provides the RF front-end of the AMS unit and integrates with a ruggedised PC.

The core component of the unit (Figure 6.10) is the TRL MRX3500 receiver. Other components are a combination of COTS components described in the previous section and bespoke modules built by TRL.

Figure 6.10, RF Tray


Figure 6.11, RF Tray Layout

The block diagram (Figure 6.11) shows the modules within the RF tray. The key element is the MRX3500, which is the latest receiver tuner product from TRL Technology, building on 15 years experience designing high performance receivers for spectral monitoring systems. The miniature MRX3500A package


provides both the small size and low power consumption required for ESM and DF applications in man portable and UAV equipment. It is intended to drive the latest generation 14 bit analogue to digital converters (ADC) for spectral surveillance and software radio applications. There are further versions of the MRX3500 for stand-alone and rack use.

The receiver covers the frequency range 3MHz to 3.5GHz and provides an instantaneous IF output of 40MHz bandwidth. A performance compromise of 12dB noise figure and 75dB two tone spurious free dynamic range (SFDR) is provided for a power consumption of 8 watts in a package size of 135mm x 75mm x 35mm

The 3MHz to 30MHz HF band is amplified and filtered before being output for digital conversion in the first Nyquist zone. In the 30MHz to 3.5GHz V/UHF bands, the receiver outputs the selected 40MHz bandwidth to the second Nyquist zone of the ADC. As the receiver is tuned across the V/UHF bands, switched input pre-selection filters are automatically selected to provide protection against strong out of band signals.

The receiver is fully synthesised to an external 10MHz reference frequency, which enables multiple receivers to be used for phase coherent DF applications. Frequency steps of 5MHz are provided with a settling time of <1ms to within 1kHz of final frequency, enabling a frequency scanning rate in excess of 40GHz/s to be achieved. Receiver control is through a serial data link operating in conjunction with discrete control signals for high speed channel hopping synchronisation. The MRX3500A version is a plug-in module intended for use within an overall environmentally protected package and, as such, has only RF screens protecting the circuitry, resulting in a weight of less than 400gm.

The RF Distribution PCB is a bespoke design which routes the two receive antenna ports to the MRX 3500 input ports, under processor control. Switching allows one antenna to be routed to both ports for single antenna installations. Latest technology RF switches are employed to minimise degradation to sensitivity through switching losses, and maintain linearity.

This PCB also accommodates the DC regulation, BITE interface and 10MHz reference frequency distribution.

The Sample Clock (102.4MHz) is TRL designed. An extremely low jitter requirement of sub 0.5ps is needed to achieve full dynamic range of a 14-bit ADC. Latest technology RF switches will be employed to accommodate multiple antennas, minimise degradation to sensitivity through switching losses, and maintain linearity. COTS parts will be employed for the GPS receiver and the mains power supply.

Control between the PC and RF Tray is via a USB/serial data link and parallel I/O. All interfacing connectors are located on the back panel of the module. The front panel has an On/Off mains switch and indicator, together with BITE status LED’s for the MRX receiver, Clock generator & GPS.

The RF Tray achieves an input damage level +15dBm, with an operational level of < 0dBm. The overall Noise figure of the RF Tray is about 14dB below 2GHz,


which accounts for the MRX3500 performance and the insertion loss of the front-end cables/connectors, lightning protection and antenna switching i.e. 2dB degradation in sensitivity compared to the stand alone MRX3500. Loss due to lightning protection is 0.25dB, switching 1.25dB, cables & connectors 0.5dB. The Noise figure up to 3GHz degrades by a further 1dB.

6.5 Demonstrator network connectivity

6.5.1 Wireless solution

The original network configuration was intended to connect the Ofcom AMS sensors to the internet using 3G data-cards as shown in Figure 6.12. This would enable fast deployment of sensors and flexible baselines with reasonably large bandwidth (384kbs) internet connections for data interchange.

3G datalink

3G datalink

3G datali

nk

3G datalink

Figure 6.12, Wireless sensor connectivity

A tasking machine requests emission information from the sensors using Transmission Control Protocol/Internet Protocol (TCP/IP). The tasking machine can be any AMS sensor or remote laptop running the AMS GUI. The requested emission information is returned to the tasking machine to allow it to display real time spectrum information or to work out the emitter position. The position is then displayed on the tasking machines map display.

QINETIQ/06/00039 3

When an AMS sensor needs to post information to another sensor it prompts the 3G data card for a connection. The data card obtains an external IP address which is posted to the other sensors. An external IP address is assigned by Internet Assigned Numbers Authority (IANA) to Internet Service Providers (ISPs) and companies. This address is the access address to the internet, and is used to allow computers know where to send and receive data from other computers connected to the internet.

The sensors and remote monitoring laptops are connected to the internet directly making them susceptible to a number of IT security threats. Modern IT security threats come in a number of different forms (viruses, spy ware, denial of service, etc.). To protect the sensors and laptops as much as possible from these threats they use Windows firewall, virus protection and have the latest security patches installed. The firewall has to have three ports open for the AMS system to operate. An optional fourth port can be opened to enable remote desktop access.

Unfortunately the 3G coverage in the Malvern area is limited and obtaining a 3G connection at the QinetiQ Malvern site has proved difficult. Also during the trial period there were 3G network dropouts with our selected 3G provider. Whenever a 3G connection is not available it reverts to a General Packet Radio Service (GPRS) connection. A GPRS connection is only rated 64Kbs but this speed is rarely achievable. Typical GPRS connection speeds are around 56Kbs. Configuring the sensors to transfer minimum information and increasing the position fix calculation time on the tasking machine allows the system to still operate under these low bandwidth conditions but performance is reduced.

Although there are problems with this solution due to the limited 3G coverage in Malvern, this solution would operate effectively in urban areas where 3G coverage is greater, and indeed testing from a remote laptop in London has proved successful.

6.5.2 Wired solution

The limitations of the 3G data cards, particularly in the Malvern area due to poor network coverage and failures with the network, meant that an alternative solution had to be investigated and trialled.

The next solution was to use fixed wired broadband connections at sensor sites. This provides less flexible sensor deployment and more planning is required than a wireless solution, because broadband connections are only available at limited locations. The three selected sites for hosting a sensor and providing a suitable baseline for position fixing are, QinetiQ Malvern, QinetiQ Pershore and TRL’s head office in Tewksbury.


Internet

Wired remote monitoring laptopOfcom 1 sensor

ADSL Router

Firewall

Hub

Ofcom 2 sensor

ADSL Router

Firewall

Hub

Ofcom 3 sensor

192.168.0.2

External IP address

External IP address

External IP address

192.168.1.2

192.168.1.1

External IP address192.168.0.1

Wireless remote monitoring laptop

Figure 6.13, Broadband wired connectivity solution

The wired solution introduced routers and hardware firewalls at the Pershore and Tewksbury locations. This infrastructure required changes in the AMS communications software to support internal and external IP addresses. External IP addresses are assigned by IANA to ISPs and companies, and provide a ‘real world’ address. Internal IP addresses are provided by Dynamic Host Configuration Protocol (DHCP) service on the router. The routers provide an additional security protection over software solutions and have been utilised to protect the sensors. They are configured to provide limited access to the sensors and the network. They are also configured to provide a limited internal IP address range so that only one individual sensor was supported by the router.

The DHCP internal IP address in the router is Media Access Control (MAC) locked, with the Network Interface Card (NIC) in every computer/sensor having a unique MAC address. When a connection is made between the NIC and the router, the MAC address of the NIC is passed to the router. If the MAC address does not match the one the router is expecting, the connection is rejected and no internal IP address is assigned. This is in order to prevent unauthorised computers gaining access to the switch and intercepting emission data. Computers that do not have the protection of hardware firewalls use the Windows software firewall. All firewalls require three ports to be opened to allow the system to operate. An optional fourth port can opened to allow remote desktop access.

Figure 6.13 shows the network configuration for the Ofcom demonstrator. The network consists of three Ofcom sensors networked together using broadband


connections to provide access to the internet. This enables a tasking machine to instruct the sensors to capture the required signal information in order to perform a position fix. In Figure 6.13 two laptops are connected to the internet directly, one via a fixed broadband connection and the other using wireless network access. The wireless connection can be provided by either WiFi or 3G, as mentioned earlier. The remote monitoring laptop allows a real-time view of the spectrum as received at each of the sensors. They also provide the tasking capability for position fixing selected emitters. Wireless access on the remote laptop provides greater flexibility by allowing remote monitoring of the sensor and geolocation on the move (e.g. on a train). Worldwide access by authorised users is also possible.

6.6 Software

6.6.1 Introduction

The Demonstration System software is written in C++ to execute under PC Windows XP. This provides a flexible upgrade path as PC processor speeds increase. The system has been designed as a software based architecture. That is, the hardware is generic and can support a wide range of functions and the intelligence is in the software. This leads to a very flexible system where extra functionality can be added by simply loading a new executable onto the computer.

The current processing tasks include:

• RF tray management,

• Command & control,

• Networking,

• Signal and spectral processing,

• Modulation classification,

• Location processing.

6.6.2 AMS GUI

The AMS GUI software application aims to extract the maximum usage information from the Radio Frequency environment. The software is designed for advanced wideband sensor systems with low, medium, or high data rate links connecting the sensors.

The GUI is based on software which has been under development at QinetiQ for approximately 6 years, and variants are used by a number of customers.

The basic capabilities of the application are:


• Analysis of Sensor Output. The application connects to a sensor over Ethernet and TCP/IP, producing easy to use real time animated displays, historical emitter and emission displays, as well as map displays and multiple overlays.

• Baseline Integration. The Application can request information from other sensors to achieve emitter and emission location.

• WYSIWYG. All displays within the application are ‘’What You See Is What You Get’. Icons on all displays can be selected via a right mouse click, resulting in ‘popup’ menus to allow emitter or network analysis, precision analysis tasking, reporting of the emitter or network, and simple filtering.

• Filters. The filtering capability within the application reduces the operator’s search time to find the emitters. Filters include map region, bearing, frequency, frequency band, unique identifier, signal type, name and modulation type. All the application data views are linked, such that a signal filter set in one view affects all.

• Multiple Workstation Integration. Multiple workstations can be used simultaneously and the functionality to share manually generated information has been added to improve information dissemination and reduce operator workload.

• Automation. The application is highly automated with most operator intensive tasks supported.

• Easy to Use. The application has been designed to be easy to use and to require minimal training. To this end the application always uses standard Microsoft application controls and a standard multiple document interface, resulting in most users instinctively understanding how the application functions.

6.6.3 AMS GUI Displays

The following section shows a number of typical displays from the AMS Demonstrator software. It is difficult to do the application justice with simple screen shots; a live demonstration to show the animated signals is recommended.

6.6.3.1. Real Time Display

Figure 6.14 shows the animated real time window that is displayed when a connection is made to a remote sensor.

The vertical axis as shown is amplitude. The horizontal axis is frequency. The green line at the bottom of the screen shows the intercepted spectrum. The red line indicates the signal detection threshold. Red crosses in the main display area indicate a currently transmitting signal, whereas a blue cross indicates a signal that has gone off.


Figure 6.14, Real Time Display

Crosses on the displays can be ‘right mouse clicked’ to bring up a popup menu, which allows the operator to:

• View emitter or network details (Figure 6.15),

• Rapidly apply simple filters.


Figure 6.15, Emitter and Network Dialog Boxes


6.6.3.2. Historical Display

A typical historical data display can be seen in Figure 6.16. The vertical axis can be either amplitude or frequency, and the horizontal axis is time. Within the historical view each emission is represented as a line. The colour of the line indicates the received signal amplitude and the length of the line indicates the duration of the emission. The window title bar indicates the number of emissions, as well as the time span of the data shown.

A real time and historical view can be displayed for every sensor the system is connected to.

Figure 6.16, Historical Data View


An unoccupied search facility exists within the historical display that allows the operator to find unused channels. In Figure 6.17 the green areas shows the unused channels

Figure 6.17, Unoccupied search facility


6.6.3.3. Maps

Maps are used both for sensor management (identifying locations of sensors, and as a means of connecting to sensors) and for displaying TDOA position fix results

The application supports both raster and vector mapping. The vector layers can be programmed to be displayed at different levels of zoom to prevent map clutter and excessive drawing when zoomed out. DTED is also supported.

Figure 6.18, shows a sample vector map. Vector maps have the advantage of being scalable, and will switch in different levels of detail as the map is zoomed so a significantly larger area can be shown without over complicating the display. Raster maps are good for showing detail when zoomed in to a small area.

The regional filtering (shown in Figure 6.21), allows specific countries or regional results only to be shown.

Figure 6.18, Vector Mapping


6.6.3.4. TDOA position fixing

The AMS system supports position fixing by TDOA. When requested to locate an emission (a red cross in the real time display) the requesting sensor and its two nearest neighbours are identified and tasked to simultaneously capture the signal. This is transferred back to a central point, correlated and mapped onto the ground to give a location. Figure 6.19 shows a map with multiple emitters located. The ellipses give an indication of the confidence, or accuracy of the locations.

Figure 6.19, TDOA position fix results

Toolbar buttons are provided that allow the operator to filter on the next frequency up, or down, from the currently selected frequency. This allows the operator to rapidly browse through the emitter networks.

An additional feature of the mapping functionality allows the user to input ground truth, either when the application is running or by a text file prior to run time. A text file would be generated with data from the licensed user data. This data can then be used to determine overall system location accuracy and to calculate and apply corrections.


6.6.3.5. Filtering

Figure 6.20 shows the filter dialog box. Using this dialog box it is possible for the operator to focus on signals of interest. This example shows a frequency band filter, which allows the operator to select frequency bands of interest. Multiple frequency band allocations have been pre-programmed allowing the operator to rapidly filter on critical frequency bands using the combo box at the bottom of the screen. These can be simply reprogrammed for any operating environment.

Figure 6.20, Filter dialogue box

The ability to include or exclude results on all views by their location is of particular interest to sensors with extended ranges or limited target areas. For example, the results of a sensor with extended range could be filtered to exclude emissions from particular regions, significantly reducing the operator workload.

An example of the regional filter can be seen in Figure 6.21. This filter when applied will eliminate all but the selected signals from the real time and historical views as well as the position fix view. Note that the filter can be a very complex shape and that multiple filters can be used.


Figure 6.21, Regional Inclusive Filter Example

The pink triangles within the figure are ground truth points. The icons used by QinetiQ have been chosen to stand out on multiple different map types and can be changed as required.

6.6.6.6. Management Information System

The AMS GUI application facilitates data sharing between workstations. The information that can be shared includes signal names, emitter prioritisations and library information.


7 Sensor performance and trials of the AMS – (Work Package 6).

7.1 Aim

Initial trials were carried out at Malvern and subsequently at Ofcom’s HQ in London to measure the sensitivity of the sensors, in particular to assess their performance in a high signal strength environment compared with that in more rural areas. Further trials have been carried out to test the communication across a networked demonstrator system and to assess the effectiveness of the AMS in being able to pinpoint and identify RF transmission sources in real time by TDOA (Time Difference of Arrival).

Previous experience testing location systems using different Angle of Arrival Direction Finding techniques as well as systems using TDOA and FDOA Techniques will allow the demonstration baseline to be fully assessed and the advantages and disadvantages of the approach taken to be analysed.

7.2 MRX Receiver sensitivity

7.2.1 Central London trials

Ofcom have long been concerned with the performance of any wideband system, such as the proposed AMS, operating in a densely populated urban environment with cluttered electromagnetic spectrum. Currently TRL are led to understand that Ofcom operate in these scenarios by only scanning narrow bands of interest on a complaint driven basis, rather than scanning the whole spectrum. Scanning is conducted over a relatively narrow band using very narrow band demodulating receivers. This makes it possible to operate in the presence of strong interfering signals whilst achieving optimum sensitivity but does not allow wideband monitoring.

To enable TRL to fully appreciate the problem and to ascertain the performance of the receiver under such conditions, testing at Ofcom Premises, Riverside House, London was conducted (23rd November, 2005). Signals were received using the QinetiQ low band discone antenna into the AMS equipment and also, for comparative purposes into a narrow band R&S EB200 receiver. The antennas were shielded to the south thus attenuating a number of signals including the main FM and TV transmitters at Crystal Palace and Croydon.


Figure 7.1 shows the trials antenna installed on the balcony outside the Board Room at Riverside House overlooking central London to the north.

Figure 7.1, Low and high band antennas installed at Ofcom's HQ in London

To establish the EM environment, the IF connection between the RF tray and the PC based digitiser was broken, and the output of the RF tray viewed directly on an HP8560 style spectrum analyser. Figure 7.2 shows a capture at the output of the receiver tuned to 98MHz and spanning the FM broadcast band. The screen represents the full 40MHz IF bandwidth of the receiver and clearly displays the cluttered Band II FM spectrum allocation. To avoid unacceptable distortion during the measurements the


receiver was configured with around 20dB of front end attenuation; thus the aggregate receiver path gain is around 20dB.

Figure 7.2, FM broadcast band

Analysis of the display shows a full spectrum of signals with typical power level of -5dBm at the receiver output with regular peaks up to 0dBm. This equates to signals ‘off-air’ peaking up to -20dBm. Figure 7.3 shows the BT national pager band, centred on 153MHz and covering the BT national pager band. The screen represents the full 40MHz IF bandwidth of the receiver, representing an equivalent input frequency range between 133MHz and 173MHz covering a multitude of licensed users.


Figure 7.3, BT pager band

Analysis of the display shows a nominal full power signal power level of -7dBm at the receiver output. Occasional peaks up to +10dBm occurred throughout the duration of the trial. This equates to signals ‘off-air’ peaking up to -10dBm. For the equipment to operate under these signal conditions, around 20dB of front end attenuation was required to prevent unacceptable inter-modulation distortion occurring within the receiver. A consequential effect of this attenuation is, as described earlier, to degrade the RF path noise figure and therefore sensitivity by a comparable 20dB. Results of these measurements indicate that in the chosen location, -20dBm is readily available ‘off air’ with occasional peaking up to -10dBm and above. Strong signals present different problems depending if they appear within the final IF band of the receiver or outside of the first IF band of the receiver. Signals occurring within the final IF and therefore processing and observation bandwidth of the receiver are processed with the full dynamic range of the ADC, this is achieved by controlling the gain of the RF circuits such that the aggregate power within the observation bandwidth is positioned at the top of the ADC voltage range; thus theoretically the full dynamic range of the ADC (80dB) is available to process smaller signals. The down side of this process is to degrade the noise figure of the receiver, consequently raising the noise floor in the observation bandwidth.


Results from the central London trials indicate that in practice the gain control and theoretical dynamic range has not been optimised. Post trials investigations have shown that the receiver is equipped with more RF gain than is necessary to achieve acceptable noise figure performance in the host system. Under increasing RF ‘off-air’ signal power, the gain control circuits are engaged earlier than is necessary causing premature degradation of the system noise floor and hence usable dynamic range. Analytical and experimental methods indicate the magnitude of the excess gain to be of the order of 14dB which maps directly to lost dynamic range under strong signal conditions. Signals occurring outside of the IF bandwidth and therefore outside of the observation bandwidth are processed with the gain control setting demanded by those signals that are within the final IF observation bandwidth; this may or may not be correct. Incorrectly setting the front end gain control circuits will result in severe distortion in the receiver front end. Results from the central London trials show that observation bands could be relatively easily selected to create this effect.

7.2.2 Possible Receiver Design enhancements

Over such a large bandwidth, with potentially a very high number of signals simultaneously present, maintaining the highest receiver fidelity possible will be essential for correct signal characterisation and avoidance of false alarms. Optimising the gain distribution throughout the RF signal path will yield better use of the available ADC dynamic range. This can be achieved with little or no additional cost to the current unit. The dynamic range of the receive circuits within the AMS can be improved to provide greater spurious free dynamic range and immunity to strong signals both within and outside of the selected digitisation bandwidth. The in-band intercept performance and spurious free dynamic range is most problematic. There are no known receiver systems currently available in the public domain capable of offering an in-band dynamic range performance 20dB greater than that of the AMS trials system. However a new receiver could be designed with alternative performance compromise; with increasing cost and DC power consumption, the in-band intercept of the RF circuits could be increased by around 5 to 10dB. Out of band intercept performance could also be improved by 15dB to 20dB albeit with associated increase in DC power consumption, but with relatively low cost impact. A receiver incorporating these design enhancements would provide the optimum performance, cost, power consumption and size compromise for a full AMS implementation.


7.3 Communications link between sensors

Communication between the sensors is essential. Although without a communication link the sensors can still perform spectrum monitoring individually, they are unable to work co-operatively to calculate locations, or to allow remote access to real time or historical data.

The aim with the demonstrator was to use 3G data cards (Figure 7.4) to provide the network capability. These offer a flexible solution using Vodafone’s 3G network which works alongside its well established GSM digital service and provides coverage across the UK. Although these provide a relatively low data rate (384kbits/s downlink, 64kbit/s uplink) these simplify setting up the sensors as network infrastructure is not required. As long as a 3G signal is available these can be used anywhere.

Figure 7.4, 3G data card

However, testing around the Malvern area has shown that, although publicised as being available, 3G coverage is very patchy. Furthermore, even in areas where it is available the service is unreliable. A connection may be available in the morning, but would frequently have been dropped by the afternoon.

It soon became clear that with the current level of coverage that this was not a viable option and further development was needed to allow networking over wired broadband connections. Although inherently a more straightforward option, broadband does normally operate via a router which adds an extra layer into the IP addressing. (see Section 6.4.1 for full discussion). This combined with dynamic IP address allocation by the ISPs (internet service provider) led to a challenging scenario. However, overall this has led to a much more flexible solution which should work with (almost) any type of internet connection.


7.3.1 Local testing

The requirement for a broadband connection reduced the number of sensor sites available to us in the Malvern area. Limited testing was still done using QinetiQ members of staff’s homes. This was however aimed at testing and optimising of networking, data transfers and system processes rather than testing of TDOA techniques.

7.4 TDOA location testing

7.4.1 Sensor locations

To properly test the location capability the sensors were re-located to more realistic separations. This involved moving one of the sensors to a QinetiQ site at Throckmorton, near to Pershore, and the other to the TRL site at Tewksbury. The final sensor was kept in Malvern. Figure 7.5 shows the locations.

Figure 7.5, Map of trials sites

The initial site of the Malvern sensor caused some un-expected results. Although some of the targets were located correctly, others, and in particular the signal transmitted from the Malvern town centre transmitter were located incorrectly.


Figures 7.6 - 7.8 show a snapshot of the spectrum as captured by each of the three sensors. The transmission from the Malvern transmitter (102.8MHz) is clearly distorted in Figure 7.6, despite its proximity to the source, but appears as expected on the other two sensors. Rotating the antenna through 90º and hence changing its polarisation gave a considerable improvement in the received signal strength.

Figure 7.6, Radio Wyvern, as seen by the Malvern sensor

Figure 7.7, Radio Wyvern, as seen by the Tewkesbury sensor

Figure 7.8, Radio Wyvern, as seen by the Pershore sensor

Although not obvious visually from the site, a close look at the map gives an explanation. The direct line between the transmitter and the sensor clips the side of the hill so there is virtually no direct path propagation. Instead the signal is either defracting around the side of the hill, or reflecting from some other object, possibly another part of the hill. This is adding a delay into the received signal which is causing the incorrect location.


Figure 7.9, Map showing path from Malvern transmitter to initial Malvern sensor location

Figure 7.10 shows the elevation profile of the land corresponding to the red line on the map and show more clearly how the signal path is obstructed by the side of the hill.

Figure 7.10, Elevation profile of the land between the Malvern transmitter and receiver

Moving the sensor to a new location on the top of a building within the QinetiQ site solved this problem.


7.4.2 Target frequencies

A number of candidate frequencies were identified by Ofcom around 166MHz and 459MHz as being transmitted from known locations within the local area.

In addition to these there are a number of local fm radio broadcast stations that can be used. Some of these are included in Table 7.1

For each location taken the signal parameters and measurements (including position) were recorded to allow error statistics to be calculated.

The received signal information at the sensors was recorded, including frequency, power radiated, time, duration, as well as the emitter location and the associated error probability ellipse.

During each day of the trials multiple measurements were taken. The large number of readings enabled a good statistical estimate of the error distribution to be found for each target.

Capture bandwidths and sample rates were matched to signal types, so for the local FM transmitters a sample rate of 100kHz was used, and for the pager and personal mobile radio type signals 20kHz was used.

7.5 TDOA performance results

7.5.1 100kHz Bandwidth results

The TDOA capability of the Ofcom monitoring system was tested using sensors located in Malvern, Pershore and Tewkesbury. These sensors form the corners of a triangle with sides of approximately 17km. Modelling work shows that the

Frequency Name Location NGR Power (kW)

102.8 Wyvern Malvern 1

102 Bear Stratford SP187426 3

100.7 Heart Sutton Coldfield

SK113003 11

102.4 Severn Sound Churchdown Hill

SO880188 2

103.1 Beacon The Wrekin SJ628082 2.7

95.6 BBC Radio WM

Sutton Coldfield

SK113003 11

Table 7.1, Local FM radio transmitters


accuracy of TDOA position fixes will be best within this triangle. 30 captures were taken against each of 13 signals from known transmitters. Most of these were FM broadcast radio stations and all of them had at least 100kHz of bandwidth. For each capture, each sensor recorded 16384 (214) points with a bandwidth of 100kHz. The TDOA was measured between Malvern and Pershore and between Malvern and Tewkesbury.

For each signal, Table 7.2 gives the expected TDOA on each baseline and the mean and standard deviation of the errors on the 30 measurements. For most of the signals, the mean error on each baseline has a slightly greater magnitude than the standard deviation, suggesting that there might be a systematic component to the error. However, this systematic error is not the same for different signals, even when they come from the same transmitting site.

A rough rule of thumb for interpreting these figures is that, with good geometry, a timing error of one nanosecond corresponds to a PF error of about one foot (30cm). The geometry was not good for many of the emitters used in the trial but it would be good for any emitter if the sensors formed a nationwide network.

Malvern – Pershore TDOA (ns)

Malvern – Tewkesbury TDOA (ns)

Transmitter

Freq (MHz)

Expected

Mean error

STD of error

Expected Mean error

STD of error

Ridge Hill 90.8 -61894 467 137 -30681 -231 273

Ridge Hill 93 -61894 50 139 -30681 -661 126

Ridge Hill 98.2 -61894 610 201 -30681 403 90

Great Malvern 104 -60632 340 951 -57694 -66 941

Great Malvern 102.8 -60632 141 19 -57694 202 31

Churchdown Hill

102.4 -14652 548 78 42335 837 135

Bredon Hill 950.8 27618 953 455 32837 439 530

Sutton Coldfield 90.5 39210 135 228 -17811 544 111

Sutton Coldfield 100.1 39210 238 108 -17811 153 188

Sutton Coldfield 92.7 39210 -288 148 -17811 -493 141

Beckley 91.7 47546 1275 496 54466 1214 304

Beckley 93.9 47546 1152 291 54466 -702 292

Lark Stoke 102 58986 -124 32 38597 -684 35

Table 7.2, TDOA errors for signals with at least 100 kHz bandwidth


The TDOA measurement errors are typically about 400 to 500ns. For an emitter within the sensor triangle, this would result in a position error of about 200m. Figure 7.11 shows one geolocation result for the 950.8MHz transmitter on Bredon Hill. The black dots represent the sensors. The red hyperbola is the locus of points which correspond to the observed TDOA between the Malvern and Pershore sensors. The green line is the TDOA hyperbola between the Malvern and Tewkesbury sensors. The TDOA between Pershore and Tewkesbury was calculated by subtracting one of the measured TDOA values from the other, and is shown by the blue line. This third line does not add anything to the geolocation result since it will always intersect the other two lines at the point where they intersect one another. The intersection is marked with a small open circle. The large black cross shows the true emitter location, while the smaller black crosses are emitters which were used for other captures during the trial. These ground truth positions came from a database of known emitters and could themselves have errors of up to 100 metres. The error on each TDOA measurement was of the order of 500ns, which results in a position error of less than 200m.

Figure 7.11, Geolocaton accuracy is good for emitters in the region of Bredon Hill, between the sensors


Figure 7.12 shows a geolocation of the Great Malvern transmitter. Again, the TDOA errors are of the order of 500ns but because the emitter is not within the sensor triangle, this now gives a geolocation error of about 400m. In this situation, the TDOA lines intersect in two places. The open circles mark the two possible positions. In order to determine which is the correct location, it would be necessary to use a fourth sensor.

Figure 7.12, The Great Malvern transmitter is in a worse location and gives ambiguous results


Figure 7.13 shows the Sutton Coldfield transmitter. As before, the TDOA errors are each about 500ns and it can be seen that the red and green lines each pass very close to the true emitter location. However, even these small TDOA errors are sufficient to ensure that the red and green lines do not quite intersect one another. This geometry is particularly bad because the emitter lies very close to an extension of the line jointing the Pershore and Tewkesbury sensors so that a slight measurement error results in a TDOA value which is greater than the maximum possible value for this pair of sensors. As a result, the TDOAs give the direction to the emitter but give very little range information.

Figure 7.13, With the same TDOA measurement error, no position fix is produced for Sutton Coldfield

Figure 7.14 shows the results of 390 captures (30 captures against each of 13 sensors). It is apparent how the geolocation errors are much greater for some emitters than others despite the TDOA measurement errors being similar for all


of them. This is because of the geometry. However, with a nationwide network of sensors, it should always be possible to select three sensors which surround the suspected emitter position. This trial shows that FM broadcast emitters can be received, with sufficient signal level for TDOA to be measured to within 500ns, from 100km away, which would suggest that if the sensors were moved apart to form a triangle with sides of 100km, it would be possible to locate any FM broadcast radio stations within the triangle to an accuracy of about 200m.

Figure 7.14, Results of 30 captures against each of 13 signals

7.5.2 20 kHz Bandwidth results

A list of targets for the trial was suggested by Ofcom. Some of these are around 160MHz while the rest are around 440MHz. The 160MHz emitters tend to only transmit for a few seconds at a time so, with the current software, it is difficult to task a capture on one before it turns off. However, it was possible to take 30 captures against each of 5 of the 440MHz emitters. These emitters have less


bandwidth than the FM broadcast stations; typically about 20kHz. A sampling rate of 20kHz was used and, as before, 16384 points were captured at each sensor. There is an inverse relationship between signal bandwidth and TDOA error so the TDOA errors for these emitters are of the order of 2500ns. The results are given in Table 7.3.

For comparison, also included are results obtained when the Bredon Hill transmitter is sampled at 20kHz, which simulates a reduction in signal bandwidth to 20kHz. At this lower sampling rate, the TDOA errors for Bredon Hill are similar to those for the 440MHz emitters. The TDOA errors for the Bredon Hill emitter are roughly five times greater when sampled at 20kHz than when sampled at 100kHz, confirming the model’s prediction that TDOA error, and therefore location error, is inversely proportional to bandwidth.

Malvern – Pershore TDOA (ns)

Malvern – Tewkesbury TDOA (ns)

Transmitter Freq/ MHz

Expected Mean error

STD of error

Expected Mean error

STD of error

Malvern 453.6 -63981 -2378 909 -57588 -4179 1032

Dudley 422.9125 22922 411 674 -30450 -269 1669

Dudley 440.8 27690 -102 1001 -26962 157 1608

Bromsgrove 440.0875 36533 104 237 -19368 -2170 895

Edgebaston 441.15 40447 -2939 702 -16507 2667 8577

Bredon Hill 950.8 27618 -1754 3543 32837 -1371 3684

Table 7.3, TDOA errors for some of the agreed targets

If the emitters were in the region between the sensors, these measurements would result in geolocation errors of about 1km. However, four of the emitters were in the Birmingham area and the fifth was close to the Malvern sensor, regions which have already been shown to give a poor geometry for TDOA. Figure 7.15 shows the real emitters as crosses and the position fixes as dots. A separate colour has been used for each emitter. As was the case for the Sutton Coldfield transmitter in the previous section, even though the geometry is poor and the bandwidth narrow the system still gives a line of possible positions for the emitter, similar to a conventional direction fix.


Figure 7.15, Very poor position results are given for the 440 MHz emitters, even though the TDOA errors are only about 2500 ns

7.5.3 Impact of sample length on accuracy

Increasing the number of points captured can improve TDOA accuracy but increases the requirement for a high-rate data link between the sensors. To investigate the relationship between the number of points and the error, 30 captures of the Bredon Hill emitter were taken by each sensor, with a sampling rate of 100kHz. First, TDOA values were produced for each capture using all 16384 points. Then another set of TDOA values were produced using just the first 8192 points, then just the first 4096 points and so on. The results are given in Table 7.4 and plotted in Figure 7.16.


Malvern – Pershore TDOA (ns) Malvern – Tewkesbury TDOA (ns) Number of points Mean error STD of error Mean error STD of error

16384 386 311 90 294

8192 421 301 111 286

4096 437 310 130 298

2048 422 354 117 348

1024 445 375 141 374

512 434 402 150 449

256 458 490 154 563

128 488 656 246 680

64 -9 1095 -146 1134

Table 7.4, The effects of changing the number of points captured

Figure 7.16, Variation of TDOA error with number of points for the Bredon Hill transmitter

It can be seen that the standard deviation of the errors, representing the spread of results, increases as the number of points drops, whereas the mean error, corresponding to a systematic offset, is largely unchanged.


Figure 7.17, Position fixes produced using different numbers of points.

Figure 7.17 plots the 30 position fixes obtained for each of five different file sizes. The size of the cluster increases as the number of points is reduced but the position on which it is centred does not move significantly. The size of the cluster is proportional to the random TODA measurement errors on individual captures, which depend on the SNR and the number of points. However, the error on the position of the cluster’s centre depends on systematic errors in the sensor positions and in synchronisation. While increasing the number of points reduces the cluster size, there is nothing to be gained from making the random errors significantly smaller than the systematic errors. For this signal, increasing the number of points above 1024 offers little improvement in accuracy.

7.6 Comparison with simulation

Modelling software described in Section 4.3 was used to predict the median Position Fix (PF) error as a function of emitter position for the sensor setup used in the trials. The model assumed that each emitter had a power of 100kW, each receiver had a noise figure of 14dB and the land type was “suburban”, which results in a contribution of 100ns to the TDOA error from multipath effects. The result is shown in Figure 7.18. The colour bar represents the expected position fix error on a logarithmic scale.


Figure 7.18, Predicted PF errors as a function of emitter position

The earlier plot summarising the results for the 100kHz captures is repeated (Figure 7.14) for ease of comparison.


Figure 7.19, Results of 30 captures against each of 13 signals

Comparing these plots (Figure 7.18 and Figure 7.19) shows a good correlation between the measured errors and predicted errors, and explains the differences we see in the location accuracy between the different transmitters.

Within the area enclosed within the triangle of the three sensors we expect to get the highest accuracy. Bredon Hill just about falls within the triangle and does as expected give the most accurate results. Moving out from the sides of the triangle gives a slow drop in accuracy with distance so Ridge Hill, Lark Stoke and Beckley are respectively becoming less accurate. The area surrounding the extension of the three lines joining up the sensors is the least accurate. The Malvern transmitter falls close to one of these lines, but due to its close proximity to the triangle it still gives a reasonably accurate result. Sutton Coldfield and Churchdown Hill however lie very close to this line and therefore give the lowest accuracy, and the greatest spread of measured locations in Figure 7.19.


It should be noted though, that:

• Although these regions give a poor position accuracy, the line of position is still accurate.

• That with a network of sensors rather than three, different sensors could be used to avoid these low accuracy regions.

The values plotted in Figure 7.18 are median errors; half of all PFs should be closer to the true emitter than the predicted value.

Table 7.5 and Figure 7.19 compare the values predicted for the seven emitters of interest with those measured in the trials. For two of the frequencies used, fewer than half of the captures gave PFs so it was not possible to quote a median error.

Transmitter Frequency (MHz)

Number of captures which gave a PF (out of 30)

Median of the 30 PF errors (m)

Median PF error predicted from model (m)

Ridge Hill 90.8 30 3200 600

Ridge Hill 93 30 1800 600

Ridge Hill 98.2 30 2500 600

Great Malvern 104 28 170 200

Great Malvern 102.8 30 430 200

Churchdown Hill 102.4 1 N/A 2000

Bredon Hill 950.8 30 280 30

Sutton Coldfield 90.5 30 24000 20000

Sutton Coldfield 100.1 15 31000 20000

Sutton Coldfield 92.7 3 N/A 20000

Beckley 91.7 16 330000 2000

Beckley 93.9 30 7600 2000

Lark Stoke 102 30 2000 400

Table 7.5, Comparison of median PF errors with those predicted by the model


Figure 7.19, Comparison of median PF errors with those predicted by the model

It can be seen that most of the geolocation errors are a few times larger than were predicted by the model. There are a number of factors that explain this:

• The transmit power of most of the targets is not as high as that used in the model. The model assumed an emitter power of 100 kW. The power of the Sutton Coldfield transmitter is close to this value, whereas Lark Stoke transmits only 3 kW and Bredon Hill only 300 W.

• As the measurement errors become smaller, errors in the real transmitter position and sensor positions become more significant. The Bredon Hill transmitter gave the most accurate measurements, but the actual transmitter position is only known to approximately8 100m so the error could be less than the estimated 280m. The errors on the sensors’ own

8 Information was not available from the service provider and thus the position was estimated from an Ordnance Survey map.


positions are of the order of 10m so it is unlikely that any geolocation result will be more accurate than this.

• For some of the emitters, the performance was much worse than the model predicted. For Churchdown Hill and one of the Sutton Coldfield frequencies, hardly any of the captures gave a position fix. This is an effect of the emitter being in line with two of the sensors; in this scenario a timing error can mean that the equation for calculating the position is unsolvable. Similarly when geolocating the Beckley signal on 91.7MHz, only 16 of the 32 captures gave PFs. The average of the worst two of these 16 results, 330 km, was used as the median measurement error since 15 of the results were better than that and 15 were worse. Figure 7.20 illustrates why the predicted errors were not always accurate for this trial.

Figure 7.20, Illustration of why the PF errors are sometimes considerably larger than the model predicts


The predicted error is calculated by multiplying the median expected TDOA error by a factor which relates TDOA error to PF error in the region of the emitter. That factor is a function of position. The ellipse calculation algorithm assumes that the factor will be roughly constant across the region in which PFs might appear, which is not always the case.

In the diagram, it has been assumed for simplicity that the TDOA measurement between sensors 1 and 3, shown by the green line, is perfect and the only error is on the TDOA between sensors 1 and 2. For this pair of sensors, red lines have been drawn for TDOA error values from 0 to 2000ns in either direction, in steps of 400ns. The +400ns and -400ns lines intersect the green line 16km and 11km respectively from the true emitter position, showing that in the region of the emitter, a change of 1ns in TDOA corresponds to a change of about 35m in PF. This figure is used in the calculation of the size of the error ellipse so, if the TDOA errors are expected to be of the order of 1200ns, the predicted PF error would be about 42km. In reality however, a TDOA error of -1200ns results in a PF error of 24km while a TDOA error of +1200ns gives a PF error of 104km. Therefore, TDOA errors with a magnitude of 1200ns give, on average, PF errors of about 64km.

It can be seen that a TDOA error of +1600ns between sensors 1 and 2 would give a PF a very great distance from the emitter while an error of +2000ns would result in no PF being given at all. The region within which PFs might appear if the TDOA error on each baseline could have a value up to 2000ns would not be an ellipse but a shape which stretched to infinity. Ellipses are only an accurate representation of the distribution of errors when they are themselves small compared to the distances between the emitter and the sensors. If a large network of sensors was available so that three sensors could be chosen which surrounded the approximate emitter location, then the ellipses would normally be sufficiently small for the modelling to work well.

7.7 Conclusion

Results from the trials generally showed good consistency with the predictions of the modelling exercise. The choice of available targets within the “good” area enclosed within the triangle of the sensors was very limited, so many of the test emitters were in areas where an accurate location would not be expected. The emitters that were close to the triangle were located to an accuracy of 150-300m; this error may in fact have been less if more accurate positions for the emitters were known. Accuracy for the emitters further away from the triangle varied from 2km up to several hundred km. However in most cases the timing errors were still less than 1000ns when captured with 100kHz bandwidth and 3000ns when captured with a 20kHz bandwidth. It is hard to state how this would translate to a position error on the ground as the mapping is geometry dependent. Generally though, although the position may be out by a considerable amount, a line of position for the target can still be calculated to an accuracy of less than 1km and 3km respectively for the 100kHz and 20kHz cases. This means that even when


the geometry is poor, as is the case well outside of the triangle an accurate direction fix can still be calculated.

While increasing the number of capture points used for TDOA processing does improve TDOA accuracy, there is a maximum number of points above which other error sources dominate so further increases have little effect. For the FM broadcast signals, this optimum number of samples was about 1024. For signals with lower SNR, more points will be required to reach this limit. Increasing the number of points increases the amount of data to be transferred between sensors, hence increasing the loading on the network. For this reason the sample lengths should be kept to the minimum to achieve the required accuracy.

The model has shown good agreement with the trials results for predicting relative errors over an area of interest. This is a useful tool for predicting the areas where we can expect good or poor accuracy for a given layout of sensors. However, in some cases absolute accuracy has been observed to vary from the actual measurements. This is due to limitations of the model in the assumptions made on an elliptical error distribution, the generic propagation model which cannot accurately predict all real life situations, and errors on the real transmitter positions.

The modelling showed that location error is inversely proportional to the signal bandwidth so a 20kHz wide signal would give location errors of about 500 – 1000m. This has been supported by the trials results, eg measurements taken at 20kHz and 100kHz bandwidth have shown the expected improvement in accuracy as the bandwidth has increased.

Thus although at a first glance some of the measurements look poor, these are the ones that either fall well outside the triangle of the sensors or that lie in poor accuracy areas as predicted by the model. If there was a nationwide network of sensors it would always possible to select three sensors which surround the target. In this case it should be possible to position fix any of these emitters to within 100 – 200m.

These trials have been limited by the availability of transmitters in suitable locations. It is recommended that further trials be performed using transmitters under Ofcom control. Testing in alternative environments and with different sensor spacing would provide comparative data and will further enhance our understanding of the capability of the system.


8 Conclusions

The radio spectrum is an increasingly important national asset, and so efficient management of it is a high priority. Good spectrum management has direct benefits in terms of improved communications, but also in indirect terms as it supports a vital part of the country’s infrastructure. This report concludes a study on the design of an Unattended Automatic Monitoring Station (AMS) that could be deployed in large numbers to automatically detect, identify and locate the source of interfering radio signals over a large part of the UK.

The project was split into seven work packages:

• Work package 1 - A literature search that built on the consortium’s existing knowledge of the state-of-the-art in spectrum monitoring.

• Work package 2 - Arup Communications carried out a business case study by assessing the economic aspects of a deployed AMS system and completed a cost benefit analysis. This ran for the duration of the project and took input on costs and numbers from other packages.

• Work package 3 - A model was developed to establish the likely performance of the system.

• Work package 4 – Requirements for a final AMS system were assessed, and, together with the results of the modelling, these were used to generate a high level design for the final deployed system.

• Work package 5 - A ‘Proof of Principle’ demonstration system was designed, and three units were built and tested.

• Work package 6 – The demonstrator units were deployed around the Malvern area and tested against known targets. Further testing was carried out in London to assess the effect of a high signal strength environment.

• Work package 7 – The production of a Final Report and a Design File.

The project commenced with a study of commercial and research literature which identified that there are a wide range of automatic monitoring systems currently available or in use on a global basis. However, a closer inspection of the literature suggested that there are fewer than ten systems that could be considered to come close to Ofcom's requirements, and none that will meet them.

All of the automatic monitoring systems that were reviewed use signal location entirely based on direction finding (DF) techniques, which rely upon multi-element antenna arrays. These antenna arrays are generally large and bulky, particularly for operation at HF and VHF, and do not meet Ofcom's requirement for low profile antennas to meet planning permission requirements.


The monitoring capability of the commercially available automatic monitoring systems is generally provided by off-the-shelf spectrum analysers, rather than digitisers. While these instruments offer wide operational bandwidths, the instantaneous bandwidth is generally quite narrow if signals close to thermal noise levels need to be analysed. This affects the revisit time and reduces the ability of the monitoring system to intercept, analyse and classify transitory or sporadic interference. These off-the-shelf instruments are also designed for laboratory use and are generally bulky and expensive assets.

The survey also revealed that the commercially available automatic monitoring systems:

• have a limited capability against modern signal types such as TDMA and CDMA, where the signals can effectively be stacked on top of each other;

• exhibit particularly poor performance in multipath environments which limits their use in urban or metropolitan areas;

• cannot cope with co-channel signals and have limited classification capabilities in dense signal environments;

• will not support fast scan (sample) rates;

• require high signal levels (meaning limited receiver dynamic range), which limits operational range of the system;

• are based on large, calibrated antenna arrays, laboratory spectrum analysers and add-on signal classifiers that makes the systems high cost, high value assets.

Very few of the systems that were reviewed offer any integration with existing databases of license holders and license types. This is a useful feature as it will help operators to determine quickly whether particular transmissions are licensed or not. Otherwise, in a dynamic spectrum trading environment, it could be difficult for operators to determine the validity of unusual transmissions.

It is believed that to fully meet Ofcom's requirements and budget that a purpose designed system based on TDOA techniques should be pursued.

The modelling work package aimed to determine the accuracy to which an interfering signal can be located and the detection range of an AMS. Two location techniques were considered: Direction Finding (DF) based on multi-element arrays and Time Difference of Arrival (TDOA). Direction Finding was discounted at an early stage as both the accuracy and more importantly the sensitivity are greater for the TDOA system. Furthermore the antennas required for the former would not meet Ofcom's requirements for small inconspicuous installations.

TDOA is based on the principle that distance/range is related to velocity and time. The distance between an emission/signal source and the position of a sensor can be calculated if the velocity of the signal is known and the time taken for the signal to travel that distance. A model has been developed to determine


the range at which a signal could be detected and the accuracy to which it can be located using a TDOA based system. The modelling was restricted to TDOA by three monitoring stations to estimate emitter position. The principle outputs were a plot of geolocation error for a regular grid of points within a defined rectangular region, and an estimate of the range at which a signal could be detected.

The modelling of a particular scenario was undertaken in two stages - firstly the calculation of propagation loss as a function of distance, secondly the calculation of geolocation error based on that propagation loss profile. The main limitations of the model are associated with the former, especially with respect to the effect of multi-path. It predicts geolocation accuracy for a typical area of the defined type ('open', 'suburban' etc.). Much more detailed modelling would be required in order to predict accuracy for a specific scenario.

In order to calculate the required number of monitoring stations to provide an effective nationwide system the total area of the UK was divided into types according to propagation conditions, for example rural and urban. This data was provided by Arup. Exemplar transmitter types were then used to calculate the maximum detection range that the monitoring station would have. This enabled the required density to be calculated and from that the number of stations required to give nationwide coverage.

Predicted detection ranges vary from 0.4km for a GSM mobile in an urban environment to 100km for a pager base station in a rural area. These figures are scaled by the amount of each area type (dense urban – remote rural) to obtain an estimate of the number required to cover the country. The estimates vary between 13 for pager base stations and 26000 for GSM mobiles. As the latter figure is an unrealistic number of sensors to deploy, a reasonable compromise is thought to be to use between 982 and 1200 based on 3G base stations and PMR mobiles. The 3G figure of 982 has been used in the business case study (Section 3).

Another phase of the modelling allowed geolocation accuracy to be plotted graphically for a predefined sensor configuration and transmitter characteristics using a colour scale on a rectangular grid. This enables different sensor layouts to be tested, and good / bad location areas to be assessed. This is a useful tool for assessing the accuracy that can be expected for a practical sensor layout. For the sensor layout used during the trials around Malvern TDOA location accuracy of between 30m and 100m is predicted for the area enclosed by the sensors.

This model allowed analysis of the effect of varying the number of captured data points on TDOA accuracy. This affects the amount of data to be transferred between the sensors, and hence the network requirements. Again there was a large variation in results for the different transmitter types, but in almost all situations under 105 points are sufficient, and more typically under 104 points are required. Even on a dial-up type connection one sensor’s data could be transferred in 5 seconds.

The modelling suggests that a system based on TDOA would meet the requirements of the AMS.


After the modelling had been completed the project split into two strands, one to design an AMS that could be taken forward to form a nationwide system and secondly to build a demonstrator that would de-risk elements of the final system design and allow trials to take place to assess its effectiveness.

The primary purpose of the AMS system would be to automatically detect, identify and locate the source of interfering radio signals over a large part of the UK. The first stage of the system design was to carry out a requirements analysis. This took into account the results of the earlier work packages and was largely fed by discussions with Ofcom. However, Arup have now identified a number of different potential beneficiaries of an AMS system and a more detailed requirements analysis should be undertaken with consultations with these users/beneficiaries. This would further refine the requirements identified in this project and may impact the proposed system design.

A proposed outline design which best meets these requirements is detailed within Section 5 of this report together with discussion and justification as appropriate for the choice of architectures and components. The solution comprises a large quantity of monitoring stations which are to be networked for control, data correlation, and reporting purposes and the system will be capable of fully automatic operation or manual control.

Since the modelling study concluded that TDOA was the preferred option this method of geolocation forms the basis of the system proposed. The design comprises antennas to capture the signals, receivers for down-conversion to IF, ADC for digitising the signals and high specification computers for processing. Additionally, a GPS is included for timing and an oscillator to provide an accurate clock to ADC.

A ‘one–unit’ design will be used with all of the components mounted in an environmentally sealed outdoor enclosure which can be mounted on a mast or outside of a building. This avoids the problems of interference on long IF cables, but also has the advantage of simplified installation procedures and less stringent site requirements. It was identified however that challenges exist in thermal management, environmental considerations and RFI design.

The choice of antenna is important for both detection sensitivity and location accuracy. However, performance must be balanced against the need for robustness and small size. Tests on a number of options were carried out and it was concluded that two antennas should be used to give an acceptable performance across the 20MHz – 3GHz band. Above 600MHz a compact discone such as the AOR DA5000 gives excellent performance with a compact form factor. At the low frequencies a ruggedised version of the Scanking Royal discone would give good performance for a reasonable size, but in areas with strict planning permission rules a compromise in performance might have to be accepted to reduce the size.

To reduce overall power consumption, and more importantly the associated heat dissipation within the unit it is recommended that FPGA or DSP are used on the digitiser to reduce the work load on the PC’s processor. However, the


advantages must be carefully balanced against the increased development costs and more complex upgrade path.

Communication between the sensors is critical to its operation, and will be based on TCP/IP across the internet. There will be a variety of network media available to a system deployed nationwide and the individual sensors are likely to use a variety depending on what medium is locally available. Wired broadband is the preferred option and should be used wherever possible. However, mobile phone or even WiFi might be economical in more remote areas where laying new cables is not practical.

The sensors will register their position, status and most importantly external IP address with a central communications service to allow all other sensors and control consoles access and up-to-date information.

QinetiQ have a strong track record in developing software applicable to spectrum monitoring, signal detection and classification, and location techniques. The features of the software include: determining the presence of emissions in the environment and relating them to emitters using matched filtering techniques, displaying sensor results and logging them to hard disk, and managing the transfer of information between sensors and streaming of data between sensors for optimal location of emitters TDOA techniques will enable position fixes to be calculated and these can be shown on a digital map. It is recommended that the QinetiQ software be incorporated in the fielded system to make best use of this experience.

Three demonstrator units based on COTS components were built to allow further assessment of the system and to de-risk elements of the final design. To replicate the final design as much as possible the same overall system layout was used and thus it was based on a 'one-box' design. It was built into a 19" rack unit and the RF tray was custom made by TRL. Real-time communications between the units was a challenge. The system was developed to use a 3G service to provide networking but poor coverage and an unreliable service meant that this was not a viable option and changes were made to allow connections over wired broadband. The value of 3G however should not be dismissed as remote control of deployed sensors has been achieved using GPRS and 3G when available both from Ofcom's HQ in London and a moving train travelling through Oxfordshire, thus proving that a variety of media can be employed concurrently. It is however recommended that broadband be used as a first choice medium where possible.

The software installed on the demonstrator system is representative of the way it would work in an operational deployment. It is recognised that some low risk, but none-the-less essential features have not been included (for example voice demodulation), but the software based architecture means that these could easily be included. The functionality meets with the AMS requirements as currently identified and its effectiveness has been explored in trials in the Malvern area and will be subject to further trials under Ofcom's direction in the forthcoming months.


Initial trials were carried out at Malvern and subsequently at Ofcom's HQ in London to measure the sensitivity of the sensors, in particular to assess their performance in a densely populated and high signal strength environment. Further trials have been carried out to test the communication across a networked demonstrator system and to assess the effectiveness of the AMS in being able to pinpoint and identify RF transmission sources in real time by TDOA.

The sensors were set up in a triangular configuration in Malvern, Tewkesbury and Pershore. A number of candidate frequencies from known emitters were used, including local FM radio broadcast stations, mobile phone base stations, PMRs and pager signals. During each day of the trials multiple measurements were taken. The large number of readings enabled a good statistical estimate of the error distribution to be found for each target. The TDOA measurement errors are typically about 400 to 500ns. For an emitter within the sensor triangle, this would result in a position error of about 200m. Transmitter to sensor geometry means that geolocation errors were much greater for some emitters than others despite the TDOA measurement errors being similar for all of them. Predictions from the model matched up well with the measurements, and clearly show areas where the measurements would be good or poor. With a nationwide network of sensors it should always be possible to select three sensors which surround the suspected emitter position to keep the geometry favourable. This trial shows that FM broadcast emitters can be received, with sufficient signal level for TDOA to be measured to within 500ns at a range of 100km.This would suggest that if the sensors were moved apart to form a triangle with sides 100km, it would be possible to locate an FM broadcast stations anywhere within the triangle to an accuracy of about 200m. The trials have also shown the expected improvement in accuracy as the captured bandwidth increases.

Where the emitters were outside the triangle, geolocation errors increased as the modelling predicted. However a good line of position can be achieved similar to a conventional direction fix. Increasing the number of points captured can improve TDOA accuracy and sensitivity but increases the requirement for a high-rate data link between the sensors.

In parallel with the technical programme, Arup produced a Business Case. The costs of commissioning and operating an effective and inclusive AMS system are significant. With a likely capital cost of tens of millions of pounds, and an ongoing operational expenditure of millions of pounds, it would represent a clear step-change from the current UMS and DF operations undertaken from Baldock. These costs could be financed in several ways. Alternatives to standard procurement routes could include a wholly commercial venture, a PFI type approach and outsourcing. Potential savings could be made from partnerships with site or infrastructure owners.

However, the benefits of an operational and fully-featured AMS system are considerable. Specific benefits have been quantified above by assessing the willingness of the relevant parties to pay for the information that an AMS system


would produce; these benefits amount to £12.75 million every year. The capital cost of the system is estimated at £36.6 million over four years, with an annual running cost thereafter of £6.5 million at current prices. Based on these estimates, the project has a positive net present value in excess of £42 million.

If benefits of the scale estimated could be captured as revenue, whether by Ofcom or by a commercial enterprise, then a national AMS system could be deployed on a self-sustaining basis. This may not be possible. Accordingly, a range of ways in which the AMS system could be funded and operated have been explored.

The project therefore has concluded that whilst there are a number of automatic monitoring systems currently available they would not fulfil the full requirements of the system that Ofcom wish to implement. Modelling of the TDOA method of geolocation has confirmed that this is an appropriate approach and that it has many advantages over the more traditional DF method. A demonstrator system has been built and trialled and the results were consistent with expectations from the modelling. This has de-risked elements of a final design and provided confidence that the design would meet the requirements that have currently been identified. Finally the cost/benefit analysis carried out by Arup has shown that whilst the costs of implementing a nationwide system are high, so too are the benefits and there are a number of options for financing both the installation and running costs of an AMS system.


9 Recommendations

The following recommendations are made which will further our understanding of the requirements for a full network and will enhance the demonstrator system to further de-risk the design of an AMS unit:

• That further consultation takes place with potential users and beneficiaries of an AMS system and that the requirements be further analysed in view of the results.

• That further trials using the demonstrator system take place to assess sensitivity and accuracy in different locations, and for different sensor spacings. This should include an extended period in a realistic operational type environment for side by side comparison with the existing systems.

• That up to 50 further demonstrator units are built to allow a network of sensors to be set up. This will allow a full evaluation of the concept of real time networked sensors.

• That the requirement should be clarified as to what types of emitter need to be located as the required sensor spacings are dependent on the type of signal to be located. The number of sensors could be reduced if low power transmitter types are not required.

• That the receiver requirements are reviewed. This could lead to a handoff receiver capability being added to the system.

• That a voice demodulation capability is added to the demonstrator with the current receiver configuration. This would demonstrate a networked real time capability and advanced playback features.

• That the advantages of a larger network of sensors is demonstrated by the addition of more than three sensors to the demonstrator system.

• That a review of software features and techniques is carried out to take into account feedback from Ofcom as they gain familiarity with the operation of the demonstrator.

• That an interface is added to the demonstration system to allow comparison with the Ofcom database of licensed users and transmitters.

• That features are added to the demonstration system that will enhance autonomous operation. For example, system ‘health’ report, automatic restart and remote reboot.


10 References

10.1 References made in the text of this report:

[1] Edmonds P.R., A review of current state-of-the-art automatic interference monitoring systems, QINETIQ/S&E/SPS/CR050854/1.0 Issue 2.1, April 2005

[2] K Kilfedder, Identification and Analysis of System Benefits, Arup Communications, March 2006

[3] M. Hata, Empirical formula for the propagation loss in land mobile radio services, IEEE Transaction on Vehicular Technology, vol. VT-29, no. 3, August 1980, pp. 317-325.

[4] Prediction methods for the terrestrial land mobile service in the VHF and UHF bands, ITU-R Recommendation P.529-3, 1999.

[5] Damosso E., Evolution of Digital Mobile Radio: COST 231 View on the Evolution towards 3rd Generation Systems, Springer-Verlag, 1996.

[6] A Report on Technology Independent Methodology for the Modelling, Simulation and Empirical Verification of Wireless Communications System Performance in Noise and Interference Limited Systems Operating on Frequencies between 30 and 1500MHz, TIA TR8 Working Group, IEEE Vehicular Technology Society Propagation Committee, May 1997.

[7] Ulman R.J. and Geraniotis E., Wideband TDOA/FDOA Processing Using Summation of Short-Time CAFs, IEEE Transactions on Signal Processing, Vol 47, No 12, December 1999, 3193-3200

[8] AMS Design File, QINETIQ/D&TS/SS/CR0600318, May 2006

10.2 Sources used during the literature survey:

http://www.winradio.com/home/ms-systems.htm

http://www.sat.com/products/terrestrial/sigmon_options/sigmon_1000/


http://www.codem.com/content/datasheets/sigint/eaglenet.pdf

http://www.aselsan.com.tr/msting/trrs_eng.htm

http://www.tcibr.com/PDFs/715webs.pdf

http://www.spectrummonitoring.rohde-schwarz.com

http://www.tadsys.com

http://www.thalesgroup.com/land-joint/portfolio/pdf/esmeralda_ag.pdf

http://www.newsbytes.com

http://www.dielectric.com/broadcst/newsstory.asp?ID=63

http://www.criltelecon.com/newsdocuments/023026_wpc_final_gb.pdf

http://www.jamaicaobserver.com/magazines/Business/html

http://www.dielectric.com/broadcast/news_story.asp?ID=63

http://www.3g.co.uk/PR/Nov2005/2201.htm

10.3 Sources for Business Case:

1. Office of the Deputy Prime Minister

Urban and Rural Definitions: A User Guide

http://www.odpm.gov.uk/stellent/groups/odpm_control/documents/contentservertemplate/odpm_index.hcst?n=3331&l=2

Accessed August 2005.

2. Office of National Statistics

Population Density, 2002

http://www.statistics.gov.uk/StatBase/ssdataset.asp?vlnk=7662&Pos=1&ColRank=1&Rank=272


3. Office of National Statistics

Area Classification for Statistical Wards, 2001

http://www.statistics.gov.uk/about/methodology_by_theme/area_classification/wards/cluster_summaries.asp



11 Abbreviations

3G 3rd Generation (mobile telephony) A/D Analogue/digital ADC Analogue to digital converter AM Amplitude modulation AMC Advanced modular computers AMS Automatic monitoring station ASK Amplitude shift keying AUT Antennas under test AVD Automatic violation detection BITE Built in test BPSK Binary phase shift keying BT British Telecom BTA Botswana Telecommunications Authority BW Bandwidth CAF Cross ambiguity function CDMA Code division multiple access CDPD Cellular digital packet data CEE Central and Eastern European CEP Circular error probable COMINT Communications intelligence COTM Communications on the move COTS Commercial off the shelf CPU Central processing unit CRLB Cramer-Rao lower bound CTCSS Continuous tone-coded squelch system CTS Cril Telecom software CW Carrier wave dB deciBel DC Direct current DF Direction finding DHCP Dynamic Host Configuration Protocol DOD Department of Defence DPA Defence Procurement Agency DSB Double sideband DSB-SC Double sideband suppressed carrier DSP Digital signal processing Dstl Defence Science and Technology Laboratory DTED Terrain data ECAC Electromagnetic Compatibility Analysis Center EM Electromagnetic EMC Electomagnetic compatibility


ES&CM Electronic Surveillance and Countermeasures EU European Union FDOA Frequency difference on arrival FFT Fast Fourier Transform FM Frequency modulation FPGA Field programmable gate array FSK Frequency shift keying GCHQ Government Communications Headquarters GHz Giga-Hertz GPRS General packet radio service GPS Global positioning satellite GSM Global system for mobile communication GUI Graphical user interface HAAT Height above average terrain HF High frequency HM Her Majesty's HQ Headquarters HSCSD High speed circuit switched data HSDPA High speed downlink packet access HTML Hypertext mark up language IANA Internet Assigned Numbers Authority IF Intermediate frequency IP Internet protocol ISP Internet service provider IT Information technology ITS Institute of Telecommunications Sciences ITT Invitation to tender ITU International Telecommunications Union JSC Joint Spectrum Center km Kilometre LAN Local area network LEDs Light emitting diode LoB Line of bearing LSB Least significant bit MAC Media Access Control MOD Ministry of Defence MPSK M-ary phase shift keying MSAM LMS Microcomputer Spectrum Analysis Models Land Mobile ServicesMSK Minimal shift keying NIC Network Interface Card NATO North Atlantic Treaty Organisation NTIA National Telecommunications and Information Administration OHD Okumura Hata-Davidson OSM Office of Spectrum Management PC Personal computer PCI Peripheral computer interface


PF Position fix PFI Private Finance Initiative PMC PCI mezzanine card PMR Personal mobile radio PSK Phase shift keying QAM Quaternary phase shift keying RAM Random access memory RF Radio frequency RMDF Remote monitoring and direction finding RTTY Remote tele-type SES Spectrum Efficiency Scheme SIGINT Signals Intelligence SMA Sub Miniature version A SMA Spectrum Management Authority (US) SNR Signal to noise ratio SPX SPX Corporation SSB Single side band SSL Single station location SWAP Size, weight and power TCII TCI International TCP/IP Transmission control protocol/internet protocol TDMA Time division multiple access TDOA Time Difference of Arrival TETRA Terrestrial trunked radio TRL TRL Technology Ltd TRRS Transportable regional remote station TT&C Tracking, telemetry and command TV Television UDP User datagram protocol UHF Ultra high frequency UK United Kingdom UMS Unattended monitoring station UMTS Universal mobile telecommunications system URL Uniform resource locator US United States of America USB Universal serial bus VHF Very high frequency VSAT Very small aperture terminal WYSIWYG What you see is what you get


Appendix A. Literature study – system details

A.1 Codem Systems

Codem Systems is a leading provider of innovative engineered solutions for Communications and Surveillance applications. Codem is headquartered in Merrimack, New Hampshire, approximately 35 miles north of Boston.

The Company's expertise spans the entire systems software and hardware development life-cycle from the design and development of new technologies to the production and implementation of complex systems, to the training of end-users. Specifically, Codem's employees possess deep domain and operational experience in the following functional areas:

1. Signals (SIGINT) . Codem designs and develops advanced systems that intercept, monitor, and locate radio and wireless signals and maintains a global market-leading capability in High Frequency ("HF") tactical SIGINT systems. The Company's solutions are employed in a variety of mission critical applications including Communications Intelligence, Electronic Warfare, Spectrum Management, and signal geolocation. Codem combines its core strength in systems engineering with an established software framework to create customized SIGINT solutions that meet unique customer requirements. Codem's SIGINT customers consist of domestic intelligence agencies as well as international military, intelligence, and regulatory agencies.

2. Antenna & Wireless . Codem designs and manufactures high performance antenna controllers, stabilized antenna gimbals, and ground station monitor and control software. The Company's solutions can be used in conjunction with new antenna systems, or to modernize existing terminals, and are used in a wide range of applications including: satellite communications; remote sensing; tracking, telemetry and command ("TT&C"); broadband wireless systems; and terrestrial spectrum monitoring. Codem is recognized for its control full motion antennas, sophisticated system modelling, advanced control techniques, and stabilized gimbals for military “Communications On The Move” ("COTM") applications.

3. Network Systems . Codem provides base band level network access products that directly support the U.S. military's transformation to a network-centric architecture. These products enable interoperability between modern network technologies and legacy military transmission and switching networks. Codem's deep understanding of proprietary military protocols has enabled the Company to become a leading provider of military "last mile" network access equipment including modems, protocol converters, and voice and data multiplexers.

4. Spectrum management. Codem supplies turnkey spectrum management and monitoring systems for regulatory and law enforcement agencies providing licensing, ITU compliance and location of interfering signals.

5. EagleNet Spectral Monitoring & Location System . The Codem EagleNet Spectral Monitoring & Location System is a networked V/UHF (with optional HF) collection and direction finding (DF) system that provides a geographically distributed system capability for Spectrum Monitoring and Management.


The system consists of a central control site, and any number of regional nodes each consisting of multiple remote fixed and mobile asset sites with connectivity via TCP/IP networking protocol.

DF assets can be remotely monitored using a web based graphical user interface (browser) that allows equipment to be configured, events to be scheduled and results to be analysed.

DF results, spectrum analyser output and live audio are collected locally and can be streamed back in near real-time to any nodal or master systems across the network for immediate processing or playback at a later time. Fixed and mobile interferers can be detected, geo-located and plotted on a detailed map.

6. Directly-Support Regulatory Functions. By enabling V/UHF and HF collection, the system can support the compilation of channel occupancy information that is useful to identify regularly underused or congested regions of the spectrum. Future decisions on licensing for these portions of the spectrum can be supported by these data. However, for maximum efficiency, direct comparison to the expected channel occupancy or permitted channel occupancy would be more useful.

The availability of DF and audio collection is only useful where particular transmitters are being reviewed, perhaps as a result of a license-holder’s complaint.

Figure A.1


A.2 TCI Spectrum monitoring and management

1. About TCI . TCI is a company consisting of two product groups:

The Broadcast and Communications Group of TCI offers high-power MF and HF broadcasting antennas as well as HF antennas for military and civilian communications. TCI's high power MF systems operate at power levels up to 10 million Watts. TCI's high power HF log-periodic and dipole curtain arrays operate at power levels up to 2 million Watts. The TCI HF communications antenna product line offers a large variety of log-periodics, broadband dipoles, and receiving loop arrays.

The TCI Signal Processing Group designs and manufactures spectrum monitoring, direction finding, and signal collection products and systems for regulatory authorities and military and intelligence organizations. Its products consist of specialized application and database software and proprietary monitoring, measurement, and direction finding hardware that operates from 10 kHz to 3 GHz. TCI's ITU compliant spectrum monitoring systems address the needs of regulatory authorities around the world who must manage their country's frequency spectrum and comply with international treaties concerning frequency usage. The military and intelligence systems have greater capabilities than the commercial spectrum monitoring systems, and are sold to both US and certain non-US customers.

The Signal Processing group offers specialized systems for radio signal intercept, collection and direction finding covering the frequency range from 0.1 MHz to 3 GHz. The group also designs and manufactures receivers and processors using DSP techniques for use in such systems.

The Signal Processing group products are used by military and intelligence organizations and civilian radio regulatory agencies.

2. COMINT/DF. TCI COMINT systems provide the means to intercept, locate, record and analyze signals of interest to military and intelligence agencies. COMINT systems covering the HF (0.1 – 30 MHz) range feature multi-channel DF for rapid and accurate results and Single-Station-Location (SSL) capabilities with real-time ionospheric sounding.

COMINT systems covering 30 – 3000 MHz feature fast scan with DF operation in a compact design allowing mobile installations with immediate deployment availability.

TCI has supplied COMINT systems for strategic and tactical operations, including extensive database management and analysis facilities.


3. Spectrum Monitoring and Management. TCI is the only U.S. supplierof integrated Spectrum Management and Monitoring solutions for agencies to plan, administer and control the use of rapidly expanding radio and wireless services in an increasingly congested spectrum.

TCI systems for national radio regulatory agencies comply with the latest International Telecommunications Union (ITU) recommendations and integrate Management and Monitoring functions.

They provide the tools necessary for administration and planning with the means to verify that users comply with the approved standards of their licenses and concessions, and to detect violations and track down illegal operators.

4. Scorpio Spectrum monitoring system . The TCI 715 ("Scorpio") Spectrum Monitoring System provides coverage of the 0.1 – 3000MHz. range. It is based on Signal Measurement (including DF) Servers using wide-band digital receivers and modern Digital Signal Processing (DSP) techniques. The Measurement Servers provide signal parameter measurements and DF, digital recording, fast spectrum scan and channel occupancy analysis in a single, compact unit.

The TCI 715 uses a single, compact antenna array covering 20 – 3000 MHz (Model 641) suitable for fixed and mobile stations. A feature of the mobile stations is their ability to maintain operations (including DF) "on-the-move" then elevate the antenna (self-supporting mast to 8 meters) when stationary without further assembly. For HF operations (0.1 – 30 MHz.) special antenna arrays are

Figure A.2


provided for fixed and transportable applications. HF operations are supported with a multi-channel DF processing technique providing accurate and consistent bearings.

The TCI 715 Servers can be accessed from any workstation running the TCI Scorpio Client application over line or wireless links. Client workstations may operate the Server directly in real-time or establish "missions" which the Server will execute on a scheduled basis and report the results to the requesting Client. Integration with the Management system also allows for Automatic Violation Detection (AVD) where a Server is tasked to survey a specific frequency band (or bands) and report on occupancy showing any violations or illegal use of the spectrum.

TCI can undertake the design, integration, installation and commissioning of Spectrum Management and Monitoring systems with fixed and mobile stations and associated communications and computer networks to meet specific customer requirements.

5. “Directly-Support Regulatory Functions”. By enabling V/UHF and HF collection, the system can support the compilation of channel occupancy information that is useful to identify regularly underused or congested regions of the spectrum.

Future decisions on licensing for these portions of the spectrum can be supported by these data.

Users can additionally configure particular parameters which the system can compare with its observations to generate automatic reports on violations of licences or illegal use of the spectrum. However, to be maximally useful in a dynamic, spectrum trading environment, the establishment of these parameters would be better achieved through integration with an existing, definitive database of licenses.

The availability of DF and audio collection is only useful where particular transmitters are being reviewed, perhaps as a result of a license-holder’s complaint. The DF functions are currently used in this way at Ofcom’s Baldock Radio Station. However, the DF results are usually such that significant field operations are required to track down the infringing transmitter.


A.3 Communications Research Centre, Canada

1. Integrated Spectrum Monitoring Solution . The Communications Signal Processing group performs leading-edge research and development in signal processing aspects (e.g. modulation, error control coding, multiple access and synchronization) of data transmission via satellites.

2. Communications Signal Processing Research Progra m. The Communications Signal Processing research program provides advice, guidance and expertise primarily on signal processing algorithms and techniques for the digital transmission of services via satellite and other radio channels, but also on other signal processing intensive areas of interest to Canadian industry and to the Government, such as spectrum monitoring techniques, measurement and modeling of mobile satellite channel impairments, and electronic compass applications. While longer-term research is maintained, this program emphasizes client-driven research and development, with clients being from both the government and private sectors. The resulting knowledge, analysis tools, and new techniques are used to support small and medium-sized Canadian high technology companies, and to provide advice and support to our government clients, Industry Canada, Department of National Defence, and the Canadian Space Agency.

The research program encompasses five fields: signal processing and design, computer modeling and simulation, mobile satellite systems, DSP algorithm design and implementation, and system development. The program's activities include:

• Long-term theoretical research. These activities have often been in collaboration with Canadian universities (e.g., through joint supervision of graduate student thesis research or by hosting a sabbatical professor) or with other internationally renowned research teams,

• Algorithm development, systems analysis, and computer simulation. Over the years, the program has developed an extensive set of analysis and simulation skills and tools for the evaluation of data transmission over satellite and other wireless links. This has lead to an on-going series of contracting-in opportunities with international organizations such as Inmarsat and ESA, sometimes as a major sub-contractor to a Canadian high technology company.

• Proof-of-concept system and subsystem implementation. The program is recognized both nationally and internationally as leading experts in the DSP implementation of modems and error control codecs for mobile satellite applications, and is frequently requested to license some of its technology to Canadian high technology companies. It also is receiving a high level of support from National Defence and Industry Canada for its modular spectrum monitoring system development, and on-going industrial interest in its self-calibrating electronic compass technology.

3. Spectrum Explorer® Wireless. Communication signal environments have become highly complex, and monitoring the radio spectrum requires a set of correspondingly powerful tools. Spectrum Explorer ® is a flexible software application running on a Windows NT TM workstation, combined with high


performance receiver and digital interface hardware, resulting in a software radio receiver capable of sophisticated spectrum monitoring measurement and analysis.

Spectrum Explorer ® can be controlled, and data can be accessed, by any of a number of PCs over a TCP/IP network. It is designed to operate with state-of-the-art high-speed sampling and digitization hardware, allowing it to process many Megahertz of spectrum simultaneously.

The wideband measurements include:

• Channel detection and occupancy;

• Signal power and frequency characterization;

• Automatic estimation of the background noise floor level;

• Database recording;

• and several display windows.

As an option, Spectrum Explorer ® includes a Communications Signal Analyzer to identify, in real-time, individual signals parameters such as modulation and the underlying communication system format. Demodulation of specific signals is also possible, with Spectrum Explorer ® controlling one or several intercept receivers. Another option is the Wideband Direction Finding application, which instantaneously estimates the angle-of-arrival of all detected signals.

The options, together with Spectrum Explorer ®, constitute an integrated sensor solution, making use of a single software and hardware platform, and addressing the most demanding spectrum monitoring problems.

Figure A.3, Spectrum Explorer ®


4. Spectrum Explorer ® and its Hardware Components .

Figure A.4, Spectrum Explorer ® and its Hardware Components

The Spectrum Explorer ® software follows a modular object-oriented approach, which allows the straightforward use of a large number of hardware components. Spectrum Explorer ® runs under MS Windows NT TM (2000 & XP).

The following hardware configurations have been used for development and testing. Other possibilities exist.

• PC Dual 550 MHz Pentium III Xeon (512 kB cache) with 512 MB RAM

• Hardware configurations supported by Spectrum Explorer ®:


o Tuner Digitizer Bus

o AG E6500 AG E1437 VXI

o WJ 8621 AG E1437 Firewire

o WJ 8621 ICS 652 PCI

o Virtual Tuner (HF only) ICS 652 PCI

o AG E2730A AG E1439B Firewire

5. Spectrum Explorer ® and its Software Components

Figure A.5, Spectrum Explorer® and its Software Components

• The Main Features are:

• Digital Spectrum Analyzer

• Scheduler and resource manager

• Control and usage by multiple users through TCP/IP

• Wideband Spectrum Monitoring

• Ultra fast parallel channel scanning

• Channelized and unchannelized signal detection

• Discrepancy list between assigned and measured channel lists

• Channel occupancy

• Automatic noise floor estimation (patent pending)

• Constant false alarm or SNR thresholds


• Signal bandwidth and centre frequency

• Signal capture and measurement storage

• Display

• Channel power

• Spectrum

• Adaptive threshold

• Averaging

• I/Q in time

• I/Q in polar form

• The Options are:

• Wideband Direction Finding

• Communication Signal Analyzer

• Demodulation of Signals

• GPS Module

• Geographical Information System

Figure A.6, A typical GUI display


5. Digital Spectrum Analyzer . The Digital Spectrum Analyzer is a software module used to observe up to 4.5 MHz of bandwidth on a PC. It features standard functions like zooming, markers, averaging, capture, capture on alarm, etc. It also includes advanced functionalities like automatic noise floor estimation, control of the Communication Signal Analyzer, control by the Wideband Spectrum Monitoring software, and multi-user capability using the Scheduler and Resource Manager (several spectrum analyzers using the same equipment over the network).

6. Scheduler & Resource Management for Multiple Us er Access. The Resource Manager in this system is a powerful and innovative concept for gate keeping and hardware resource access control. It has a layered COM/DCOM architecture.

The Scheduler constitutes the top layer and has the following features:

• User access control based on accounts, privileges, and time/day credits,

• Sophisticated job scheduling and data delivery mechanism,

• Network/remote access,

• Modeled for distributed processing environments,

• Activity logging.

The Resource Manager constitutes the second layer also called the Hardware abstraction layer. It offers the following features:

• Hardware abstraction model and editor used to dynamically add, remove or modify the system's hardware layout and functionality,

• Session partitioning and queuing which takes advantage of multi-tasking and multi-threading operating systems such as Windows NT,

• Activity logging.

The Resource Manager triggers the Session Queue. The Session Queue constitutes the third layer. It offers the following features:

• High speed asynchronous and de-coupled data return path to the end user,

• Uses CRC proprietary high performance pipe communication system,

• Priority driven statistical pre-emptive circular queuing algorithm,

• Optimal multi-user concurrent resource sharing with non coherent operating parameters.

7. Wideband Spectrum Monitoring . This core application is intended for spectrum regulators who want to ensure proper usage of the spectrum, and to organizations that need to know how the radio spectrum is being used. A priori information can be compared with measured spectrum data, and different bands


of interest can be monitored to obtain information about the spectrum activity. Several parameters can be measured, and the operator can obtain valuable information about the activity within a few seconds.

Figure A.7

8. Wideband direction finder. The Wideband Direction Finder provides the capability to quickly estimate the angle-of-arrival of all detected signals in a given spectrum band of interest. It is designed to give the system operators the functionality and flexibility needed to identify and locate the signals with specific desired characteristics. As an option of Spectrum Explorer ®, the integrated object oriented software and modular hardware provides the customer with a complete solution and an upgrade path for specific or next generation communication systems.

The main characteristics of the Wideband Direction Finder with Spectrum Explorer ® are:

• DF scanning speed up to 20 000 channels/s,

• High sensitivity signal detection with noise floor estimation,

• Concurrent spectrum monitoring,

• Large choice of resolution bandwidth,

• Signal capture, measurement azimuth and confidence storage,

• Network scheduler and resource manager.


• Manually or automatically cue the Communication Signal Analyzer,

• Manually or automatically cue intercept receivers,

• Display,

o Cartesian angle vs. frequency,

o Single channel polar azimuth with confidence band,

o Multiple channel polar azimuth.

9 Communications Signal Analyser The Communication Signal Analyzer is a unique software application allowing the real-time analysis of intercepted signals. Powerful digital signal processing is used in the framework of the Spectrum Explorer® to analyze individual channels and evaluate their characteristics. The Communication Signal Analyzer provides online vital information about a captured signal. Its main characteristics are modulation recognition.

The algorithm can automatically recognize a large variety of digital and analog modulated signals. These include:

• Carrier Wave (CW),

• Amplitude Modulation (AM),

• Double Sideband Suppressed Carrier (DSB-SC),

• Frequency Modulation (FM),

• Frequency Shift Keying (FSK),

• Binary Phase Shift Keying (BPSK),

• Quaternary Phase Shift Keying (QPSK),

• pi/4-shifted QPSK,

• M-ary Phase Shift Keying (MPSK) signals and estimation of technical parameters.

• Noise segments.

Due to the algorithm's precision and computational efficiency, most signals of interest to government regulators and defence signal intelligence can be recognized by analyzing signal segments of less than 40 msec. This allows online real-time analysis of off-the-air signals at a speed larger than 25 decisions/s.

An efficient carrier frequency estimator is included, and very large carrier frequency errors can be corrected. The modulation recognition algorithm is insensitive to carrier phase errors. It is also very robust to variations in the sampling times of digitally modulated formats, and does not require symbol timing recovery for modulation recognition.

Specific communication systems are recognized, including:


• North American Analog Cellular (AMPS)

• US Digital Cellular (IS-54/IS-136)

• GSM system

• Commercial AM and FM

Many useful technical parameters are estimated, and the standard deviation for each measurement is provided. The displayed parameters include:

• Centroid frequency of the input signal power spectrum

• Precise carrier frequency estimation according to the modulation type

• Input signal bandwidth, according to two different ITU criteria

"x dB" bandwidth method and Power ratio method, as defined in the ITU Spectrum Monitoring Handbook, 1995

• The signal-to-noise ratio within the input signal estimated bandwidth

10 “Directly-Support Regulatory Functions” By enabling V/UHF and HF collection, the system can support the compilation of channel occupancy information that is useful to identify regularly underused or congested regions of the spectrum. Future decisions on licensing for these portions of the spectrum can be supported by these data.


The availability of DF and audio collection is only useful where particular transmitters are being reviewed, perhaps as a result of a license-holder’s complaint. The DF functions are currently used in this way at Ofcom’s Baldock Radio Station. However, the DF results are usually such that significant field operations are required to track down the infringing transmitter.


A.4 SAT SigMon

1. About SAT Corporation . SAT is a worldwide supplier of automated RF signal monitoring systems for satellite and terrestrial spectrum management applications. These systems are communication management tools for commercial network owner/operators and telecommunications service providers to guarantee and maintain the quality of service they provide to their customers. The systems are used by:

• Satellite Owners/Operators

• Teleport and Gateway Earth Station Operators

• Communication Service Providers and Users

• Government Regulatory and Security Agencies

SAT is a leading system integrator of RF monitoring systems and has systems installed in approximately 50 countries. SAT systems are usually offered in a variety of standard configurations with optional extra capabilities available as add-ons, but customized systems with special capabilities are also available. A Cost-Benefit analysis will quickly identify the most appropriate configuration for a user's initial and/or ultimate set of requirements. Users range from global satellite network operators to International Common Carriers, down to small private networks that use a partial transponder.

2. SigMon Overview. SAT SigMon® systems are commercial off-the-shelf (COTS) spectrum monitoring systems that excel at detecting and analyzing intermittent radio and microwave interference. SigMon® systems deliver economical and efficient signal monitoring and interference resolution to wireless operators, government regulatory agencies, hospitals and civil and military aviation. Sophisticated and user-friendly MS-Windows®-based software makes SigMon systems powerful, yet easy to use.

SigMon® task scheduling systems deliver high operator productivity that allows unattended monitoring for profile compliance or signal searches. Programmable alarms notify users of exceptional conditions in real-time.

Automatic spectral occupancy statistics are provided to survey spectrum usage. A wide variety of report templates are available to save analysis time.

SigMon systems can be configured to solve a wide variety of problems. Multiple user, remote access enables deployment of a coordinated network of monitoring sites.

3. SigMon® Options . A minimal SigMon® site is composed of a PC, an instrument and an antenna. A wide variety of options are available for each of these components, and a SigMon® site may have multiple instruments and antennas. For reference, a block diagram is shown below of a full-featured SigMon® system.


• Instruments . A SigMon system is generally designed around the set of instruments needed to make the required measurements. Two basic approaches are available, and may be mixed within one system: Time domain Digitizers and frequency domain Spectrum Analyzers.

• Spectrum Analyzer . SigMon can incorporate any model of Agilent spectrum analyzer, from 30Hz up to 50GHz and above. Specifications of Agilent Spectrum Analyzers may be obtained from the Agilent web site: www.agilent.com

• Digitizer and DSP . SAT can provide a state-of-the-art digital signal processing solution. All measurements that can be made with a Spectrum Analyzer (Signal Logging, Occupancy and Carrier measurements) can also be made using the DSP algorithms. In addition, digital signals may be automatically examined to determine parameters such as modulation type and symbol rate to help identify them.

• Receiver Option . SAT can provide a variety of Analog Receivers that can be used for listening to and recording the audio of analogue signals. A variety of models are available with frequency ranges from 9 kHz to 4 GHz.

4. Antennas.

• Omni-Directional Antennas . SAT offers a variety of omni-directional antennas over virtually any frequency range and polarization and can supply custom-built antennas.

Figure A.8, Block diagram of SigMon® system


• Directional Antenna Systems. SAT offers a variety of directional and direction finding antennas over virtually any frequency range and can supply custom-built solutions. The accuracy of any DF system depends strongly on the local terrain, nearby metallic structures, and any buildings that would cause blockage or multi-path reception.

• Adcock Antenna Array (20 MHz – 1 GHz) Direction-Finding and Omni-directional functions from 20 MHz to 1 GHz are available with an Adcock Array. This type of DF is rapid and accurate, providing an azimuth bearing in a fraction of a second.

• Two Adcock antenna array options are available, monopole (for mobile applications) and dipole (tower mounted for fixed or transportable systems).

Figure A.9


• Antenna Array (2 MHz – 3 GHz). Omni-directional and Direction-Finding functions from 2 MHz to 3 GHz are available with a compact antenna array that can be mounted onto the surface of any land, sea or air vehicle.

• Moving Dish Solutions. A general purpose directional solution for the highest frequencies is to mount a dish and antenna on a mechanical positioner. A variety of dish and positioner components can be optimized for the requirements of a specific system. The positioner may be azimuth only, or may be an azimuth and elevation positioner.

The SAT DF dish systems can receive Horizontal and Vertical linear polarizations, as well as RHCP and LHCP.

5. Interactive Monitoring. SigMon® systems can perform both interactive and automated measurements. Interactive measurements allow the operator to investigate signals rapidly. Users may control the spectrum analyzer and other instruments and observe multiple bands in multiple formats.

6. Band Definition SigMon® systems are shipped with several predefined bands containing recommended settings for common communications bands. Users may modify these bands and create any number of named, custom bands. To simplify configuration, users may configure SigMon® to automatically

Figure A.10


select RBW, VBW and/or sweep time, optimized for the selected frequency span.

7. RF Path Management SigMon® systems include two important system capabilities for calibrated power measurements: path control and amplitude correction.

Path control may be manual or automatic. SigMon® systems configured with RF switches add automated path control.

An RF path is a combination of an antenna, cables, optional amplifiers, optional switches and an instrument. SigMon® systems can automatically cycle through multiple paths to make measurements in a monitoring plan.

Amplitude correction is accomplished with a user-defined table of electrical loss/gain factors and antenna factors versus frequency. This allows measurements to be calibrated for the effects of cable losses, filter attenuation and preamplifier gain as well as the actual performance of the monitoring antenna. Amplitude correction may be applied to all measurements and displays or deactivated for simpler, relative signal measurements. A separate amplitude correction is available for each path.

8. Interactive Control Window. The interactive control window is a tool for manual spectrum observation. Any number of interactive control windows can be open simultaneously to display multiple bands by time-sharing the spectrum analyzer.

Band sweeps can be displayed in three different formats: trace, waterfall, and spectrogram. The trace format is a good choice for seeing the power of time-invariant signals like broadcast signals. The trace display is an amplitude-corrected spectrum analyzer display. In addition, the interactive control window adds capabilities to interactively recall, edit, and save band definitions. Users may tune a receiver directly from a frequency selected on the interactive trace window.

Waterfall and spectrogram displays are useful for viewing time-variant signals such as paging signals or two-way radios. The spectrogram display is an excellent tool to observe time durations of complex transmissions. The spectrogram below shows an 802.11b wireless LAN file transfer starting at the top, later interrupted by a microwave oven operating in the next room. The microwave interference is characterized by the delta wave and occasional broadband energy seen spread all the way to the left side. As can be clearly seen in the spectrogram, the file transfer is blocked except for brief yet unsuccessful retransmission attempts.


Figure A.11

Figure A.121


9. Automated Measurements. SigMon® users may make a variety of automated measurements, either individually or as part of an automated monitoring plan. Measurement results are stored in a database in a ring buffer configuration that keeps the latest data available. The ring buffers use a finite, configurable amount of disk space and require no maintenance to purge old data.

All measurements can be used as high performance data loggers, recording all spectral traces, or a configured percentage of traces. Spectrum traces are saved with date-time stamps and can be manually analyzed hours or days after a mysterious event. SigMon can store millions of traces. Saved traces can be played back at variable speeds in trace, waterfall and spectrogram formats using the archived trace viewer.

Many measurements are made in reference to a threshold. Thresholds are displayed on the measurement trace window. A sophisticated set of automatic and fixed threshold types are supported.

Signal logging is a tool that is used for automatically searching for interesting signals. Signal power and centre frequency can be logged to the hard disk along with the time the signal was detected. The signal logging process can be coupled with the alarm process so that intermittent signals can be captured.

Masking, an aid to the signal logging process, can ignore signals known not to be of interest.

Carrier measurements can be performed either manually or automatically. These measurements can also occur as the result of an alarm condition. Carrier measurements record the following parameters:

• Centre Frequency

• Maximum and Average Power

• Signal-to-Noise Ratio

• Occupied Bandwidth

• Profile Compliance

Modulation Analysis: When SigMon® is configured with a DSP instrument, several parameters of a digital signal can be measured, including modulation type and symbol rate. IQ and Constellation plots can be used to examine digital signal quality.

The channel occupancy feature provides information on long-term usage of the spectrum. These measurements are particularly useful for allocating frequencies for best spectral economy or for verifying that reserved bands are indeed free from interference. An example of a running occupancy report is shown below.


Figure A.13

Channelized power statistics can be used to characterize the noise floor for channelized communications like analogue cellular or TDMA and noise-sensitive communications like CDMA. Minimum, maximum and average power can be plotted by channel or exported to a spreadsheet with values for each user-defined time interval.

Once an interesting signal or troublesome source of interference is detected and characterized, it may be useful to automatically determine the location of the transmitter. SigMon may be configured with a variety of direction finding antennas and processors, chosen to fit the frequency range of interest.


A.5 InterConnect Communications

1. Introduction . InterConnect Communications are a consulting organisation providing services to the telecoms sector. Their portfolio of services includes assisting spectrum management organisations with the establishment of regulatory regimes, spectrum management and monitoring functions, national frequency allocation tables, policies and procedures, licensing activities, staffing and training activities, and the design, specification, procurement and implementation of spectrum management and monitoring systems.

Clients for these services in recent years have included the spectrum management organisation in the following countries:

• Russia,

• Romania,

• Egypt,

• India,

• Pakistan,

• Nepal,

• Bangladesh,

• Botswana.

In addition they carried out a study on behalf of the European Commission to review the spectrum management and monitoring organisations though-out 13 CEE (central and Eastern European) accession countries in order to make recommendations on improvements in the institutional arrangements and tools available and to carry out a detailed comparison of spectrum allocations with those of EU countries.

The services offered by InterConnect Communications include:

• Preparation of technical specifications and tender documentation,

• Evaluation of offers,

• Contract negotiation,

• Management of delivery, instillation and commissioning processes,

• Implementation of spectrum policies,

• National planning of usage and assignment of frequencies,

• Creation of spectrum re-farming plans,

• Creation of operational systems and processes and institutional development.

2 Spectrum Management and Monitoring Systems . InterConnect Communications’ multi-disciplined team has extensive experience of the development and modernisation of spectrum management and monitoring organisations and systems for regulators and administrations in countries across the globe.


These systems vary from straightforward databases of spectrum usage / licences and hand held measuring tools, to more complex systems which can automate not just the handling of licence applications but also the actual assignment of frequencies based on operator entered criteria. The complexity of the system to deploy is driven by issues such as:

Spectrum policy (handling of licence applications and number of organisations responsible for issuing licences)

• Available budget (initial and ongoing),

• Operator skill level,

• Number of licence applications,

• Geographic coverage required,

• Range of frequencies to be monitored,

• Hours of operation,

• Is control centralised or regionalised?

• Available staff levels and location.

InterConnect’s experience working with regulator and administrators in other countries can provide experience of similar situations and suggest appropriate solutions to the problem. They are one of the world’s leading independent experts, with knowledge of the capabilities of all manufacturers in the field.


A.6 Rohde and Schwarz – Argus

1. About Rohde and Schwarz . Rohde & Schwarz is a company with an international presence in the fields of test and measurement, information technology and communications. They develop, produce and market a wide range of electronic products for the capital goods sector.

Founded in 1933, the company is headquartered in Munich. They have 6150 employees worldwide and subsidiaries in over 70 countries, including Rohde and Schwarz UK Ltd, based in Fleet and Manchester. Approximately 78% of their annual turnover is outside Germany.

2. Competence in spectrum monitoring . Rohde & Schwarz provides variable solutions for radio-monitoring and spectrum management tasks - from stand-alone systems to completely automated nationwide networks. They provide a modular solution that can be adapted to meet requirements.

Being an ITU member, Rohde & Schwarz is well informed on future developments, and are prepared to work out solutions that will fully meet the customers' future requirements.

3. ARGUS-IT. ARGUS-IT is a spectrum monitoring and management system and is equipped with different software packages for complex radio-monitoring tasks.

More than 700 R&S ARGUS-IT software packages are installed in 68 countries and 14 of these countries have a nationwide monitoring system installed.

Figure A.14, Example of bearing measurement mode with ARGUS software


4. Key Facts

• Reliable solution for monitoring, management, direction finding and measurements according to ITU recommendations for stationary, transportable and mobile applications.

• Compact system design.

• Easy operation via intuitive graphical user interface.

• Easily upgradeable.

• Attractive price.

• Service throughout the whole life cycle,

o Advice on the optimal adaptation of the system design to customer-specific tasks,

o On-site selection of suitable locations for the fixed stations,

o Acquisition, supply and installation of complete fixed stations with air conditioning, racks, alarm system and uninterruptible power supply,

o Acquisition, supply and installation of antenna masts,

o Vehicle acquisition and fitting with air conditioning, racks and masts,

o Acquisition and integration of devices from other suppliers,

o On-site installation and integration test of the system,

o System operator training,

o Special training courses, e.g. relating to the operating system or to database applications,

o Customer-specific support and maintenance concept for hardware and software,

• Controlled via Monitoring Software R&S ARGUS ArgusMon and ArgusEval form the core of the software.

5. Basic system . The core of every R&S ARGUS-IT system is a set of antennas for the whole frequency range to be monitored, connected to a receiver or spectrum analyzer via an antenna selector switch. All hardware is operated by a system controller (PC or laptop) running Monitoring Software R&S ARGUS.

These measurement stations can be fixed, transportable or mobile.

R&S ARGUS-IT can also be used as a multistation system. Monitoring stations (fixed, transportable or mobile) can be unattended and remote-controlled.

For data communication, the R&S ARGUS software uses the standard TCP/IP protocol. The applications therefore use the network in a totally transparent way and independent of the network equipment.

A multistation system with at least two direction finders can be used for triangulation with results displayed on digital maps created by the Geographic


Information Software R&S MapView. With a multistation system, radio- and audio-monitoring of remote stations is possible.

A nationwide spectrum monitoring and management system can easily be configured by connecting several locally installed systems. A nationwide R&S ARGUS-IT network for spectrum monitoring and management can comprise one central control station (CCS), several regional control stations (RCS), remote-controlled fixed monitoring stations (RMS), mobile monitoring stations (MMS) and transportable monitoring stations (TMS).

Figure A.15, Example of Spectrum Monitoring and Management System R&S ARGUS-IT

6. Instruments. The system is designed to work with its own modular instruments and components, some of which are listed here.

Monitoring Receiver R&S ESMB

ITU-compliant measurements from 9 kHz to 3 GHz

• Test Receivers

o ESIB7 (20Hz to 7GHz),

o ESIB26 (20Hz to 26.5GHz),

o ESIB40 (20Hz to 40GHz).

The upper frequency limit of the ESIB26 and ESIB40 can be extended up to 110GHz by means of external mixers (option FSE-B21).

All three models are characterized by:

o High sensitivity,


o Excellent large-signal immunity,

o Low measurement uncertainty,

o High measurement speed.

• Spectrum Analysers

o Spectrum Analyzer R&S FSP,

o General-purpose Spectrum Analyzer,

o Spectrum Analyzers R&S FSE,

o Highend Spectrum Analyzer up to 40GHz,

o Direction finders,

o Digital HF/VHF/UHF Search Direction Finder R&S DDF® 0xA,

o 0.3MHz bis 3000MHz,

o Digital HF/VHF/UHF Monitoring Direction Finder R&S DDF®0xE,

o 0.3MHz to 3000MHz,

o Direction Finder R&S DDF® 195.

o 0.5MHz to 3GHz,

o VHF-UHF Direction Finder PA 1555,

o Mobile compact system for use in adverse environments.

Figure A.16, User interface of DDF0xE


• Antennas

Antennas for all frequency ranges and tasks can be combined.

Some examples are shown below:

Figure A.17, Antennas

1. R&S HE309: 20 MHz to 1300 MHz, vertical 2. R&S HE010: 10 kHz to 80 MHz, vertical 3. R&S HK014: 80 MHz to 1600 MHz 4. R&S HF902: 1 GHz to 3 GHz, horizontal and vertical 5. R&S HE314A1: 20 MHz to 500 MHz, horizontal 6. R&S HF214: 500 MHz to 1300 MHz, horizontal 7. R&S HUF-Z1: 20 MHz to 80 MHz 8. R&S HE500: 20 MHz to 3000 MHz, vertical 9. R&S AC004R1 (left): 18 GHz to 26 GHz 10. R&S AC004R2 (right): 26 GHz to 40 GHz 11. R&S HL007A2: 80 MHz to 1300 MHz, horizontal and vertical 12. R&S HFH2-Z2: 9 kHz to 30 MHz 13. R&S HL040: 0.4 GHz to 3 GHz

• ARGUS-FMTV

This is a vehicle mounted system utilising much of the ARGUS-IT software and technology. It comprises:

o Measurement of frequency occupancy to document the current scenario,

o Measurement of transmitter coverage Determination of optimum frequency for a planned transmitter,

o Determination of the coverage of a planned transmitter and of its interference effect on an existing coverage area with the aid of current transmitter data and real measurement results,

o Measurements to check test equipment and propagation conditions,


Figure A.18

By enabling V/UHF and HF collection, the system can support the compilation of channel occupancy information that is useful to identify regularly underused or congested regions of the spectrum. Future decisions on licensing for these portions of the spectrum can be supported by these data.

The system can automatically establish an expected noise floor level, which might be useful in identifying unusual transmissions. However, for maximum efficiency, direct comparison to permitted channel occupancy would be more useful, since portions of the normal “noise-floor” may be due to regular, infringing transmissions and the “unusual” transmissions could be perfectly legal.


The system is used by Canada to support their spectrum regulation functions, which include the levying of license fees. The system is also used by Canadian law enforcement bodies to monitor the spectrum during inter-governmental conferences and similar high-security events.


A.7 Transportable Regional Remote Station

1. Introduction. Transportable Regional Remote Station (TRRS) is a compact, modular, state-of-the-art radio spectrum measurement and monitoring system mounted on a 4x4 drive Mercedes lorry. It has been developed by ASELSAN, the leading multi-product electronics company of Turkey.

Figure A.19, TRRS

2. Operation. TRRS can be operated locally or remotely. Quick relocation is guaranteed by the help of the pneumatic antenna mast, which is integral to the vehicle.

Measurement, monitoring and direction finding is possible within the 20MHz - 2500MHz frequency band.

Two principle modes of operation are available:

• Operator Interactive Mode: Spectrum Analysis function is used to scan the frequency band for surveillance purposes or for obtaining band occupancy. Measurement function is used to measure frequency, frequency offset, field strength, modulation depth and frequency deviation, bandwidth, line of bearing of individual signals under operator control.

• Automatic /Autonomous Mode: The TRRSs carry out assigned tasks autonomously and either generates alarm or report the results of analysis to a remote or local operator. Scanning functions and channel analysis functions are carried exclusively in this mode.


3. Features .

• lnterferometric DF principle,

• Ability to intercept and DF state-of-the-art frequency hopping and burst emissions,

• Better than 1000 MHz/sec scan speed with DF,

• Netted operation for location fixing,

• Monitoring and recording facility,

• High Gain Monitoring Antenna,

• Computer controlled modular system architecture,

• Ability to operate with external AC and internal DC sources,

• Built in GPS receiver,

• Built-in self-test (BIT) capability, ease of maintenance,

• Color graphical and list format data presentations,

• Fully remote controlled by VSAT link

4. Functions.

• TRRS performs the following functions automatically:

• Spectrum Occupancy,

• Modulation Measurements

• Analysis of Signals

• Measurement of Frequencies

• Measurement of Signal Level

• Measurement of Bandwiths,

• Line of Bearing of Signal,

• Detection of illegal Signals,

• Audio Recording,

• Call Sign Decoding, (ZVEI1,ITU-R, etc)

• Spectrum Analysis,

• Alarm Generation for Illegal transmitters or license violation


5. “Directly-Support Regulatory Functions ”. By enabling V/UHF and HF collection, the system can support the compilation of channel occupancy information that is useful to identify regularly underused or congested regions of the spectrum. Future decisions on licensing for these portions of the spectrum can be supported by these data.




A.8 Tadiran Electronic Systems

1. Introduction . Part of the Elisra group, Tadiran Electronic Systems is an Israel based company that specializes in turnkey EW, C4I, Homeland Security and spectrum control solutions.

Their turnover in 2000 was $90 million, and they have 350 employees. They are a world leader in tactical and civilian communications, specialising in the development, manufacture and supply of state Command, Control, Communications, Computers and Intelligence (C4I) systems. Their products are used by the armed forces of nations such as U.S.A., Switzerland, Israel and countries in Latin America and Asia.

2. Spectrum control. Tadiran has over 30 years experience in spectrum control.

Tadiran was recently awarded a $2.5 million contract to implement the first phase of a nationwide spectrum management system in Panama

Systems are designed with built in flexibility and modularity, and based on common, high end commercial hardware and software platforms with proprietary algorithms.

3. IRIS. IRIS is a spectrum management system that complements operation of monitoring systems. It enables administrations, operators and service providers to optimize utilisation and control of the electromagnetic spectrum. It generates spectrum management reports and assigns tasks to monitoring stations.

IRIS supports planning and optimal allocation of frequencies to users. Additionally, it handles all licensing stages and supports fee collection for

Figure A.20, Geographical location of Tadrian customers


spectrum usage. Iris maintains the national database of licensed, approved equipment and assures adherence to national and international regulations.

IRIS spectrum management tasks include:

• Frequency assignment,

• Resolving interference problems,

• Collecting and maintaining data on spectrum use,

• Licensing and fee collection,

• Spectrum engineering, RF analysis, frequency planning,

• Standardisation,

• ITU notifications,

• Border and satellite coordination,

• Reports and other administrative functions,

• Multilingual possibilities.

4. Spectrum monitoring. Tadiran describe themselves as “your single source for all Spectrum Monitoring needs: from individual, mobile systems to more complex configurations designed for countrywide coverage.” Their spectrum monitoring systems are designed to be used as input to the IRIS spectrum management system. Spectrum monitoring tasks covered include

• Parameters transmission measuring,

• Channel occupancy assessment,

• Effective frequency assignment,

Figure A.21


• Locating and resolving interference problems,

• RF emission surveillance,

• Actual coverage measurement,

• Service quality verification,

• Results logs and reports generation,

• Spectrum monitoring products.

These products are taken from Tadiran’s online advertising and are compatible with each other.

5. TSR-2020 surveillance receiver . The TSR-2020 is a high performance HF/VHF/UHF Digital Signal Processor receiver suitable for surveillance and monitoring of communication signals.

The board covers 9 kHz to 3000 MHz. This is achieved by four separate receivers mounted on the board. Features include:

• 18 digital intermediate frequency filters,

• High dynamic range,

• Compact single board PC compatible receiver,

• Separate or combined HF and V/UHF inputs,

• Built-in signal measurement according to ITU-R requirements,

• Two parallel audio outputs,

• Transfer of signal samples, I/Q and FFT results to the host PC,

• Multi-receiver configuration within one PC,

• Optional external reference input,

Figure A.22, TSR-2020 surveillance receiver


• Optional built in signal classifier,

• Built in test (BIT).

The Receiver and measurements specifications are given in the following table:

Parameter HF V/UHF

Frequency Range 9 kHz – 30 MHz 20 MHz – 3000 MHz

Noise figure 14 dB 8 dB

Image rejection >85 dB >85 dB

IF rejection >90 dB >90 dB

IP2 80 dBm 60 dBm

IP3 30 dBm 17 dBm

Scanning rate 300 channels / sec 2000 channels / sec

Field strength measurement accuracy

±2 dB ±3 dB

Signal frequency measurement resolution

±1 Hz ±10 Hz

Demodulation AM, FM, SSB, CW

Analog IF bandwidth @ -3 dB 340 kHz min, others optional

Digital IF bandwidth 18 digital IF filters (0.1 – 340 kHz)

IF shape factor (60 – 6 dB) 1.5:1

IF sensitivity: AM (1 kHz, 50%) FM (1 kHz, 5kHz deviation)

1 µV for SNR of 10dB @ 6kHz bandwidth 1 µV for SNR of 17dB @ 15kHz bandwidth

Signal frequency measurement accuracy

±0.5 ppm (or per ITU-R 377.3)

Bandwidth measurement accuracy (x dB method at 6dB and 26 dB)

±2%

Modulation measurement accuracy: AM depth FM deviation

±5% max ±5% max

Table A.1, TSR 2020 Receiver and measurement specifications

6. TDF-2020 direction finding system . The TDF-2020 is designed for spectrum monitoring applications according to ITU-R recommendations. It is capable of measuring direction to fixed frequency, frequency hopping, CDMA and burst transmissions, and is suitable for fixed, sheltered, transportable or mobile (light vehicle) platforms. It comprises an antenna array, an RF unit and three PC boards (including two TSR-2020 boards) installed in a PC compatible computer.

The TDF-2020 is based on a weighted beam-forming direction finding technique using wide aperture antennas. Several units are required for location


determination. The system has built-in test (BIT), an optional direction finding antenna simulator, and simultaneous direction finding and monitoring capability.

The direction finding scan reports the direction, quality, signal level and frequency. The specification of the TDF-2020 is given in the following table:

Parameter Specification

Azimuth coverage 360˚

Instrumental accuracy 0.8˚ RMS

Bearing resolution 0.1˚

Field bearing accuracy (ITU class A)

Fixed / sheltered

Mobile

V/UHF 1˚ RMS 2.5˚ RMS HF 1.5˚ RMS 3˚ RMS

Sensitivity 1 – 20 µV/m

Minimum signal duration 5 ms

Maximum scan speed with direction HF V/UHF

200 channels/sec 1000 channels/sec

Operating temperature range Outdoors Indoors

-30˚C to 65˚C 0˚C to 50˚C

Relative humidity Outdoors Indoors

0 to 100% 95% non-condensing

Table 11.2, Specification of TDF-2020

7. “Directly-Support Regulatory Functions” . By enabling V/UHF and HF collection, the system can support the compilation of channel occupancy information that is useful to identify regularly underused or congested regions of the spectrum. Future decisions on licensing for these portions of the spectrum can be supported by these data.

The IRIS module has been developed to support many of the roles of a traditional spectrum regulator. In particular, it maintains the database of licensed equipment, not just as an aid to detecting unlicensed transmissions, but so to support planning and allocation of frequencies, fee collection and other administrative needs. These functions are best suited to traditional regulators- it is used in Panama and Kenya for example.


Figure A.23, ESMERALDA

A.9 Thales

1. Introduction. Established in France more than a century ago, Thales is a global electronics company serving Aerospace, Defence, and Security & Services markets worldwide, with operations in more than 30 countries. Its experience in spectrum monitoring includes installing and implementing the automatic spectrum monitoring system for France’s Agence Nationale des Fréquencies (ANFR).

2. ESMERALDA. ESMERALDA is designed to be in total compliance with the latest ITU Recommendations and European Directives. It is an integration of an efficient monitoring receiver, a fast and accurate direction finder and tools for analysis and identification of signals, with the capability to be operated as an autonomous spectrum monitoring station or incorporated into regional, national or international monitoring networks using TCP/IP interfaces.

The standard configuration uses a measurement receiver coupled to a radio direction finder, using two channel direction finding. A third reception channel allows wideband signal analysis up to 20 MHz, direction finding synchronization for GSM signals, and cellular networks analysis.

3. Capability . ESMERALDA is capable of the following spectrum monitoring functions:

• Interceptor / fast direction finder

• High performance digital receiver

• Spectrum analyser

• Spectrum occupancy analyser

• Real time decoder for data transmissions


• Frequency meter

• Field strength analyser

• Modulation analyser

• Signal vector analyser

• Wide band interference analyser

• Audio recorder

• Wide Band digital RF signal recorder

• TV demodulation and display

• Report editing

4. Configurations

• Fixed stations:

o HF / VHF / UHF

o Uses wide base correlative interferometry direction finding.

o Provides Single Station Location (SSL) for HF, limiting the number of fixed HF stations necessary.

Figure A.24, ESMERALDA High level system design


• Mobile and / or semi fixed stations:

o HF uses Watson Watt direction finding, VHF/UHF uses wide base corrective interferometry direction finding.

o Can be integrated into a wide range of vehicles (4 wheel drive vans etc).

• Transportable stations:

o VHF / UHF.

o Hardened casing for equipment and antenna for easy transportation and frequent hoisting / dismantling.

o Wide base interferometry direction finding, measurements of vertically polarised transmissions.

5. Software. A suite of software is available for the system, including operation software for digital receivers and direction finders, and software for location processing (digital cartography), identification and complex digital signals analysis. The software is for the Windows NT or Windows 2000 environment, and uses multiple tasks and windows features.


Appendix B. Communications options available within the UK

Technology Common Name Coverage (L/M/H)

Speed (bits per second)

Latency (L/M/H)

Mobile (Y/N)

Install cost per sensor (approx)

Running costs (approx)

Future?

Telephone line

Standard modem High 56k Low No £20 £450/year or better based on 5p per hour.

Good

CDPD on GSM

Cellular Digital Packet Data, also known as GSM Data and Circuit Switched Data

High 9.6k Medium Yes <£100 10p per connection. Being overtaken by 3G.

HSCSD High Speed Circuit Switched Data.

9.6k – 57.6k Being overtaken by 3G.

GPRS General Packet Radio Service

High Realistic bit rate for packet switched data is 30-70k.

Medium Yes <£300 £1 per Mbit

Becoming cheaper.

Being overtaken by 3G.

3G (3GPRS) 3rd Generation GPRS, also known as 3GSM

Low-Medium

384k download

64k upload

Medium Yes <£300 £75 per month unlimited.

Coverage improving (see later)

Bluetooth >100m 1M Not suitable.

IrDA

Infra-Red VERY local

< 1 metre

16M Low No Nil Not suitable.

802.11 Wi-Fi Various

< 1 km Up to 54M Low Yes £50 Nil Good.

802.16a Long range Wi-Fi or WiMax

30 miles >1M Low Yes Not yet available.


Technology Common Name Coverage (L/M/H)

Speed (bits per second)

Latency (L/M/H)

Mobile (Y/N)

Install cost per sensor (approx)

Running costs (approx)

Future?

GSM Telemetry

Usually using SMS High Very low Unpredictable

Yes £250 N/A Not suitable.

Broadband Only available where copper phone wires are in place.

To 6km from exchange

2M+ Low No £60 £700 Liable to be overtaken by WiMax, but probably has several years to go.

Satellite High 9.6k – 144k High Yes >£1000 Claims to be cheaper than GPRS.

Use as a last resort.


Report documentation page Originator’s Report Number QINETIQ/06/00039

Originator’s Name and Location Sue Madsen, BLB 118, QinetiQ Malvern, St Andrews Road, Malvern, Worcs WR14 3PS

Customer Contract Number and Period Covered

Ofcom contract No: C31400/008 (Jan 05 – Jan 06)

Customer Sponsor’s Post/Name and Location

Dr J Butler, OFCOM, 2a Riverside House, Southwark Bridge Rd, London, SE1 9HA

Report Protective Marking and any other markings

Date of issue Pagination No. of references

None July 2006 Cover +237 8

Report Title;

Ofcom AMS Final Report

Translation / Conference details (if translation give foreign title / if part of conference then give conference particulars)

N/A

Title Protective Marking N/A

Authors PR Edmonds, B Ashforth, DI Elliner, S Madsen, D Harvey, R Allan, S Clover, B Laidlaw, K Kilfedder

Downgrading Statement N/A

Secondary Release Limitations N/A

Announcement Limitations N/A

Keywords / Descriptors AMS, TDOA, Spectrum Monitoring,

Abstract None

Abstract Protective Marking: N/A

This form meets DRIC-SPEC 1000 issue 7

Final report v 3.0_07 _07_06 - CiteSeerX

Documents

Transcript of Final report v 3.0_07 _07_06 - CiteSeerX