
GSM Concepts

Telecommunications
MSc in Software Development

Dr. D H Pesch, CIT, 2000

GSM Handover
Handover is the process of switching a radio
connection from one BS to another in order to
maintain seamless radio connection during mobile
station movement
Handover in GSM is implemented as Mobile Assisted
Handover (MAHO) and backward handover signalling
GSM handover is hard handover as the old radio link
is released before the new radio link has been fully
established
due to non-synchronised BTSs

The overall handover process is implemented in the MS, BSS and MSC. Measurement of
radio subsystem downlink performance and signal levels received from surrounding cells,
is made in the MS. These measurements are signalled to the BSS for assessment. The
BSS measures the uplink performance for the MS being served and also assesses the
signal level of interference on its idle traffic channels. Initial assessment of the
measurements in conjunction with defined thresholds and handover strategy may be
performed in the BSS. Assessment requiring measurement results from other BTS or
other information resident in the MSC, may be performed in the MSC.


Handover Process
The handover process in GSM consists of the
following four steps
1. Measurements
2. Handover request
3. Handover decision
4. Handover execution

In any cellular mobile radio system handover is an essential part of radio link
maintenance. In order to maintain a radio link in the light of mobility it is essential for the
cellular system to be able to switch the radio link from one base station to another when
the radio link quality with the existing base station drops below an acceptable level and/or
the radio link quality with a target base station is better. The main input data into the
handover process are radio link quality measurements taken by mobile station and/or base
station. The handover decision can be made in the mobile station, in the base station or
somewhere else in the network.
The GSM handover process is divided into four parts as indicated in the slide above. In a
normal handover process, the handover request is generated by the BSC, and the
handover decision and the actual handover are the responsibility of the MSC. Depending
on the type of handover, functions 3 and 4 (see slide) can be implemented in the BSC.


Handover Criteria
Permanent data such as transmitter power of MS, BTS in supplying cell, BTSs in neighbour cells
Results of real-time measurements by MS
  downlink signal quality (gross bit-error-rate) - RXQUAL
  downlink receive signal level of current channel - RXLEV
  downlink receive signal level from neighbour cells (BCCHs)
Results of real-time measurements by BTS
  uplink signal quality (gross bit-error-rate) - RXQUAL
  uplink receive signal level of current channel - RXLEV
  uplink receive signal level from neighbour cells
Traffic-oriented aspects (cell capacity, no. of free channels, no. of new connections waiting for TCH)

Handover is initiated by the network based on radio subsystem criteria (RF level, quality,
distance) as well as network directed criteria (e.g. current traffic loading per cell,
maintenance requests, etc.). In order to determine if a handover is required, due to RF
criteria, the MS shall take radio measurements from neighbouring cells. These
measurements are reported to the serving cell on a regular basis. When a network
determines a need for a handover the procedures given in GSM 08.08 are followed.
Additionally, the handover decision by the network may take into account both the
measurement results from the MS and network directed criteria. The same decision
process is used to determine when to perform both the Intra-MSC and Inter-MSC
handover in all the procedures described in the following.


Measurement Protocol
Measurements on current radio channel
  measurement of signal strength and link quality of slot in every frame (4.615ms measurement interval), 100 samples per reporting period of 480ms
  reporting of average values once or twice per second (one or two 480ms SACCH blocks)
Measurement of channels in neighbour cells
  up to six neighbour cells are considered
  between UL and DL, MS has about 2.3ms interval for measurement of signal level from neighbour cells and 6.9ms interval to scan for neighbour cells' BCCH frequency
  MS can measure up to 100 signal level samples per 480ms, divided between the 6 strongest neighbour cells


Measuring Neighbour Cell Signals


Measurement Parameters

Signal Field Strength

  Signal level [dBm]    RXLEV
  < -110                0
  -110 to -109          1
  -109 to -108          2
  -108 to -107          3
  ...                   ...
  -51 to -50            60
  -50 to -49            61
  -49 to -48            62
  > -48                 63

Signal Quality

  Bit error [%]    Average [%]    RXQUAL
  < 0.2            0.14           0
  0.2 to 0.4       0.28           1
  0.4 to 0.8       0.57           2
  0.8 to 1.6       1.13           3
  1.6 to 3.2       2.26           4
  3.2 to 6.4       4.53           5
  6.4 to 12.8      9.05           6
  > 12.8           18.10          7

Distance:

  $d_{TA} = \frac{TA \cdot c \cdot t_{bit}}{2} = \frac{TA \cdot 3 \cdot 10^{8}\,\mathrm{m/s} \cdot 3.69 \cdot 10^{-6}\,\mathrm{s}}{2} = TA \cdot 554\,\mathrm{m}$

Measurement Reports
Measurement reports transmitted periodically every 480ms
interleaved over 4 SACCHs
Measurements
Signal field strength
from -110dBm to -48dBm (RXLEV) with relative accuracy of 1dB
and absolute accuracy of 4dB (up to -70dBm) and 6dB
Average calculated over SACCH multiframe (480ms)
Measurement of RXLEV on the allocated TCH in every frame and
at least one neighbour per TDMA frame
Signal quality
measured in BER before channel decoding (based on training
sequence) and mapped onto RXQUAL levels with accuracy of
75% for RXQUAL=1 - 4 and 95% accuracy for RXQUAL=5 - 7
Distance
absolute distance based on TA value with 0.5 bit accuracy
provides about 1km spatial resolution (not too useful)


Measurement Result Message


Handover Decision
Handover decision and selection of target cell made
by either BSC or MSC depending on measurements
BSC may decide to initiate handover itself by
sending HND_CMD message to BTS or to report to
MSC by sending HND_RQD that a handover is
required
In case of BSC deciding to handover, MSC is
informed with HND_PERF message


Handover Scenarios

Intra-BTS Handover
Intra-BSC Handover
Intra-MSC Handover
Inter-MSC Handover
Subsequent Handover


Transmitter Power Control


The purpose of power control is reduction of interference and
increase in MS battery working time
Power control is mandatory for every MS, it is optional for a
BTS
Depending on radio link quality, BSC requests adjustment of
transmitter power for MS and BTS
Power adjustments are made over the SACCH every 480ms
Maximum power is Pn, BTS adjustments are made relative to
Pn in 2dB steps over dynamic range of 30dB
BCCH is always transmitted at Pn
MS power settings are set in absolute values measured in
dBm (relative to 1mW)


GSM MS Transmitter Power Levels

Power levels in dBm

  Code   GSM 900   GSM 1800/PCS1900     Code   GSM 900   GSM 1800/PCS1900
  0      39        30                   10     11        0
  1      39        28                   11     9         0
  2      39        26                   12     7         0
  3      37        24                   13     5         0
  4      35        22                   14     5         0
  5      33        20                   15     5         0
  6      31        18                   16     5         0
  7      29        16                   17     5         0
  8      27        14                   18     5         0
  9      25        12                   19     5         0
  0A     23        10                   1A     5         0
  0B     21        8                    1B     5         0
  0C     19        6                    1C     5         0
  0D     17        4                    1D     5         36
  0E     15        2                    1E     5         34
  0F     13        0                    1F     5         32

MS and BTS Power Classes

All values in W/dBm

               GSM900               GSM1800              PCS1900
  Class        MS        BTS        MS        BTS        MS        BTS
  1            -/-       320/55     1/30      20/43      1/30      20/43
  2            8/39      160/52     0.25/24   10/40      0.25/24   10/40
  3            5/37      80/49      4/36      5/37       2/33      5/37
  4            2/33      40/46      -/-       2.5/34     -/-       2.5/34
  5            0.8/29    20/43      -/-       -/-        -/-       -/-
  6            -/-       10/40      -/-       -/-        -/-       -/-
  7            -/-       5/37       -/-       -/-        -/-       -/-
  8            -/-       2.5/34     -/-       -/-        -/-       -/-
  Micro (M1)   -/-       0.25/24    -/-       1.6/32     -/-       0.5/27
  Micro (M2)   -/-       0.08/19    -/-       0.5/27     -/-       0.16/22
  Micro (M3)   -/-       0.03/14    -/-       0.16/22    -/-       0.05/17

Sample Algorithm (GSM 05.08) for Handover and Power Control

Averaging of measured values on UL and DL to reduce short-term fading effect. Parameters
  HREQAVE: no. of reports averaged
  HREQT: no. of averaged values in HND_RQD message
Calculation of power budget
  PBGT(n) = [min(MS_TXPWR_MAX, P) - RXLEV_DL - PWR_C_D] - [min(MS_TXPWR_MAX(n), P) - RXLEV_NCELL(n)]


Power Control Levels


Handover Decision Levels


GSM Handover Threshold Values


BSS Decision Algorithm

When threshold value comparison yields handover required, send HND_RQD to MSC indicating conditions:
  RXLEV_NCELL(n) > RXLEV_MIN(n) + max(0, MS_TXPWR_MAX(n) - P)
  PBGT(n) > 0
Conditions must be met by neighbour cell to become target cell
Target cells are sorted by PBGT value and cell with highest PBGT is selected for handover
If handover is considered imperative, the list can also contain neighbour cells with PBGT(n) < 0.
If RXQUAL is low but RXLEV is fine, co-channel interference is high and intra-BTS handover is performed
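
The averaging, power budget and target-cell conditions above, worked through as an added example (not code from the original slides or from GSM 05.08). It assumes P is the maximum power of the MS and PWR_C_D is the downlink power reduction currently applied by the BTS; the dictionary layout, cell names and all measurement values are constructed for illustration.

```python
from statistics import mean

def averaged(samples, hreqave):
    """Average the last HREQAVE measurement reports (values in dBm)."""
    return mean(samples[-hreqave:])

def pbgt(ms_txpwr_max, p, rxlev_dl, pwr_c_d, ms_txpwr_max_n, rxlev_ncell_n):
    """Power budget of neighbour n relative to the serving cell, in dB."""
    serving = min(ms_txpwr_max, p) - rxlev_dl - pwr_c_d
    neighbour = min(ms_txpwr_max_n, p) - rxlev_ncell_n
    return serving - neighbour

def select_targets(serving, neighbours, p, hreqave=4, imperative=False):
    """Return [(cell_id, PBGT)] sorted best first, as reported in HND_RQD."""
    rxlev_dl = averaged(serving["rxlev_dl"], hreqave)
    targets = []
    for n in neighbours:
        rxlev_n = averaged(n["rxlev"], hreqave)
        # Condition 1: the neighbour must be received above its minimum level,
        # raised by however far the MS falls short of the cell's maximum power.
        if rxlev_n <= n["rxlev_min"] + max(0, n["ms_txpwr_max"] - p):
            continue
        budget = pbgt(serving["ms_txpwr_max"], p, rxlev_dl,
                      serving["pwr_c_d"], n["ms_txpwr_max"], rxlev_n)
        # Condition 2: positive power budget, unless the handover is imperative.
        if budget > 0 or imperative:
            targets.append((n["id"], budget))
    return sorted(targets, key=lambda t: t[1], reverse=True)

# Constructed sample data (dBm / dB), not measurements from the slides.
P = 33  # assumed maximum power of this MS
SERVING = {"ms_txpwr_max": 33, "pwr_c_d": 0, "rxlev_dl": [-88, -90, -92, -94]}
NEIGHBOURS = [
    {"id": "A", "ms_txpwr_max": 33, "rxlev_min": -100, "rxlev": [-84, -83, -82, -83]},
    {"id": "B", "ms_txpwr_max": 33, "rxlev_min": -100, "rxlev": [-95, -96, -97, -96]},
    {"id": "C", "ms_txpwr_max": 39, "rxlev_min": -92, "rxlev": [-87, -87, -86, -88]},
]

if __name__ == "__main__":
    print("normal:    ", select_targets(SERVING, NEIGHBOURS, P))
    print("imperative:", select_targets(SERVING, NEIGHBOURS, P, imperative=True))
```

Cell C is received more strongly than the serving cell but is rejected by the first condition, because the MS is 6 dB short of that cell's MS_TXPWR_MAX.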


GSM Power Budget Handover


MSC Decision Algorithm

MSC evaluates handover request based on criteria:
  Quality
  Signal level
  Distance
  Power budget
There is also provision for giving individual cells priority in order to distribute traffic load
  during congestion situations
  in hierarchical cellular systems for handover between cell layers


Problems of GSM Handover

Ping-pong Effect
  HO_MARGIN = 5-10dB
  Large HO_MARGIN or averaging window to avoid ping-pong handover leads to loss of power budget handover or delayed handover
Number of Handovers
  Due to complexity of handover protocol, GSM tries to avoid unnecessary handovers
  Due to shadow fading variations, handover points are randomly distributed around the best point, which can cause a large number of handovers


Proposed Improvements
Handover considering evolution of signal strength
Handover utilising level crossing rate of received signals provides estimation of MS speed
MS speed and signal strength evolution can provide more reliable handover decision to avoid ping-pong effect: prediction-based handover


Mobile Identifiers
GSM numbering follows the rules of ITU-T Rec. E.164 for ISDN numbering
MS numbers/identifiers
  MSISDN - Mobile Station ISDN Number
  IMSI - International Mobile Subscriber Identity
  MSRN - Mobile Station Roaming Number
  IMEI - International Mobile Equipment Identity
  TMSI - Temporary Mobile Subscriber Identity


Mobile Identifiers

MSISDN = CC + NDC + SN, 14 - 15 digits (7 - 7.5 octets)
  CC    Country Code
  NDC   National Destination Code
  SN    Subscriber Number

IMSI = MCC + MNC + MSIN
  MCC   Mobile Country Code                       3 digits
  MNC   Mobile Network Code                       2 digits
  MSIN  Mobile Subscriber Identification Number   10 digits or less (5 octets)

Mobile Identifiers

MSRN = VCC + VNDC + SN (VMSC + VSN), where VMSC = Visitor MSC
  VCC   Visitor Country Code                 3 digits
  VNDC  Visitor National Destination Code    2 digits
  SN    (VMSC + VSN)                         10 digits or less (5 octets)

TMSI
  4 octets

IMEI = TAC + FAC + SNR + SP
  TAC   Type Approval Code     6 digits
  FAC   Final Assembly Code    2 digits
  SNR   Serial Number          6 digits
  SP    Spare                  1 digit

Network Identifiers
Mobile Network Code (MNC)
Location Area Identity (LAI)
  MCC - Mobile Country Code, e.g. Ireland = 272
  MNC - Mobile Network Code, e.g. Eircell = 01
  LAC - Location Area Code (2 octets fixed code)
Routing Area Identity (RAI) - similar to LAI
Cell Identity (CI), 2 octets fixed length
Global Cell Identity = LAI + CI


Network Identities
Base Station Identity Code (BSIC)
  6 bit number consisting of
    Network Colour Code - NCC, 3 bits
    Base Station Colour Code - BCC, 3 bits
  allows MS to distinguish between neighbour base stations
Regional Subscription Zone Identifier (RSZI)
  consists of CC, MNC, ZC (2 octets fixed size)
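
The field layouts from the Mobile Identifiers and Network Identifiers slides, as an added parsing example (not part of the original slides) of the kind used when triaging identifiers in signalling logs. It uses the field widths given above (2-digit MNC, 6 + 2 + 6 + 1 digit IMEI); the function names, the dash-separated cell identity format and all sample values are constructed for illustration.

```python
import re

def _digits(value, lo, hi, name):
    """Reject anything that is not a decimal string of the expected length."""
    if not re.fullmatch(r"[0-9]{%d,%d}" % (lo, hi), value):
        raise ValueError(f"{name} must be {lo}-{hi} decimal digits")
    return value

def parse_imsi(imsi):
    """MCC (3 digits) + MNC (2 digits) + MSIN (10 digits or less)."""
    _digits(imsi, 6, 15, "IMSI")
    return {"MCC": imsi[:3], "MNC": imsi[3:5], "MSIN": imsi[5:]}

def parse_imei(imei):
    """TAC (6) + FAC (2) + SNR (6) + SP (1), the layout shown on the slide."""
    _digits(imei, 15, 15, "IMEI")
    return {"TAC": imei[:6], "FAC": imei[6:8], "SNR": imei[8:14], "SP": imei[14]}

def parse_bsic(bsic):
    """6-bit BSIC: NCC in the upper 3 bits, BCC in the lower 3 bits."""
    if not 0 <= bsic <= 0x3F:
        raise ValueError("BSIC is a 6-bit number")
    return {"NCC": bsic >> 3, "BCC": bsic & 0x7}

def global_cell_identity(mcc, mnc, lac, ci):
    """Global Cell Identity = LAI (MCC + MNC + LAC) + CI; LAC and CI are 2 octets."""
    _digits(mcc, 3, 3, "MCC")
    _digits(mnc, 2, 2, "MNC")
    for name, value in (("LAC", lac), ("CI", ci)):
        if not 0 <= value <= 0xFFFF:
            raise ValueError(f"{name} must fit in 2 octets")
    return f"{mcc}-{mnc}-{lac:04X}-{ci:04X}"

def same_network(imsi, mcc, mnc):
    """True when the subscriber's home network matches the serving cell's LAI."""
    home = parse_imsi(imsi)
    return (home["MCC"], home["MNC"]) == (mcc, mnc)

# Constructed sample values; 272/01 are the MCC/MNC examples from the slide.
SAMPLE_IMSI = "272011234567890"
SAMPLE_IMEI = "123456789012340"

if __name__ == "__main__":
    print(parse_imsi(SAMPLE_IMSI))
    print(parse_imei(SAMPLE_IMEI))
    print(parse_bsic(0b101011))
    print(global_cell_identity("272", "01", 0x1A2B, 0x00FF))
```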


SIM Card

Microcontroller based smart card
MS = SIM + ME (mobile equipment)
SIM card personalises the mobile equipment
Two types of SIM
  credit card size - ISO SIM
  plug-in SIM (usually comes as an ISO SIM from which it is popped out)
SIM architecture
  Controller + RAM of 256 - 512 Byte, will grow to 2KB (2000), several OS are in use
  ROM - 16 - 24kB (1997), will grow to 64kB (2000)
  EEPROM - 16kB (1997), will grow to 64KB (2000)
  I/O ports
  SIM power and clock supplied by ME


SIM Card Types


SIM Card Data Organisation

SIM card data structured in Master File (MF) and Dedicated Files (DF)
Dedicated files, which are actually directories
  DF_GSM - GSM related data
  DF_TELECOM - telecommunication services related data
Elementary Files (EF) hold the actual data
  One record EF to hold IMSI for example
  Multiple record EF to hold phone book for example
SIM contains security features to protect data in EF


SIM Card Functions

SIM card holds user and network related data
SIM card is involved in GSM security
  holds the PIN
  computes SRES and Kc based on algorithms A3 and A8, which are stored in the SIM's ROM
SIM card holds data about subscriptions of services in EF_SST (service table)
  SMS, Last Number Dialled, AoC, CB Message Identifier, Service provider name, etc
SIM card holds access level information EF_ACC, which determines access restriction to the network
Stores current location information
Holds account and charge information (for prepaid SIM card)


Example SIM Card Elementary Files


Location Management
GSM is a cellular system and as such divided into location
areas to facilitate efficient paging
Location areas are identified by the LAI
LAI is broadcast within SYSTEM-INFO message on BCCH
Size of a location area depends on expected subscriber
penetration and PCH capacity
Every time MS detects a change of LAI, that is the LAI
temporarily stored in the SIM is different to LAI in
SYSTEM_INFO message, location update is performed
Upon power up of the MS, a location registration procedure is
performed of which the user is oblivious


GSM Security Management

Four basic security services provided by GSM
  Anonymity: TMSI assignment upon location registration/update
  Authentication
  Signalling data and user information protection through encryption
  SIM module identifying user and IMEI identifying ME independently
GSM algorithms for authentication and encryption are strictly confidential and not publicly available


Authentication
Authentication is required in every mobile radio system
  to establish the authenticity of a user/equipment
  to establish whether the user is allowed to access the service
Authentication consists of a challenge and a response
  network provides a challenge in form of a random number RAND
  response SRES is derived based on algorithm A3 from challenge (RAND), authentication key Ki and IMSI
  MS replies to challenge by sending SRES back to network, which then compares the MS's SRES with its own SRES


Generation of Authentication Challenge


Authentication Process


Encryption
Protecting analogue information against eavesdropping is not
easy but digital transmission allows for excellent level of
protection
Encryption is the process where a series of bits are
transformed by mathematical or logical functions into another
series of bits
GSM cipher algorithm A5/n uses a cipher key Kc that is
generated during authentication process and stored in SIM
Kc is generated from RAND by algorithm A8 driven by Ki
Kc is 64 bits in length
Ciphering is periodic based on TDMA frame number
(periodic with length of hyper frame)
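
The challenge-response exchange from the Authentication slide and the Kc generation described here, with both sides' messages, as an added example that is not part of the original slides. A3 and A8 are not public on this page, so HMAC-SHA256 truncated to 32-bit SRES and 64-bit Kc stands in for them; the class names, the 128-bit RAND and Ki sizes, the use of the IMSI to look up Ki on the network side, and the sample key are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

# Stand-ins for A3 and A8 (NOT the real algorithms): HMAC-SHA256 keyed with Ki.
def a3_sres(ki, rand):
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]  # SRES, 32 bits

def a8_kc(ki, rand):
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]  # Kc, 64 bits

class Sim:
    """MS side: Ki never leaves the card, only SRES is returned."""
    def __init__(self, imsi, ki):
        self.imsi, self._ki, self.kc = imsi, ki, None

    def run_gsm_algorithm(self, rand):
        self.kc = a8_kc(self._ki, rand)  # kept on the SIM for A5 ciphering
        return a3_sres(self._ki, rand)

class Network:
    """Network side: looks up Ki by IMSI, issues RAND, compares SRES."""
    def __init__(self, subscribers):
        self._ki_by_imsi = subscribers
        self._pending = {}

    def challenge(self, imsi):
        rand = secrets.token_bytes(16)  # fresh random challenge per attempt
        ki = self._ki_by_imsi[imsi]
        self._pending[imsi] = (a3_sres(ki, rand), a8_kc(ki, rand))
        return rand

    def verify(self, imsi, sres):
        expected = self._pending.pop(imsi, None)  # one use per challenge
        if expected is None or not hmac.compare_digest(expected[0], sres):
            return None
        return expected[1]  # Kc, now held by both sides

def authenticate(network, sim):
    rand = network.challenge(sim.imsi)       # network -> MS: RAND
    sres = sim.run_gsm_algorithm(rand)       # MS -> network: SRES
    return network.verify(sim.imsi, sres)

# Constructed sample subscriber, not a real IMSI or key.
IMSI = "272011234567890"
KI = bytes(range(16))

if __name__ == "__main__":
    kc = authenticate(Network({IMSI: KI}), Sim(IMSI, KI))
    print("authenticated, Kc =", kc.hex())
```

Only RAND and SRES cross the radio link; Ki stays in the SIM and the network database, and Kc is derived independently on each side.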


Encryption Process
