
GSM Concepts

Telecommunications
MSc in Software Development

© Dr. D H Pesch, CIT, 2000 1


GSM Handover
• Handover is the process of switching a radio
connection from one BS to another in order to
maintain seamless radio connection during mobile
station movement
• Handover in GSM is implemented as Mobile Assisted
Handover (MAHO) and backward handover signalling
• GSM handover is hard handover as the old radio link
is released before the new radio link has been fully
established
→ due to non-synchronised BTSs

The overall handover process is implemented in the MS, BSS and MSC. Measurements of
radio subsystem downlink performance and of signal levels received from surrounding cells
are made in the MS. These measurements are signalled to the BSS for assessment. The
BSS measures the uplink performance for the MS being served and also assesses the
signal level of interference on its idle traffic channels. Initial assessment of the
measurements in conjunction with defined thresholds and handover strategy may be
performed in the BSS. Assessment requiring measurement results from other BTSs or
other information resident in the MSC may be performed in the MSC.



Handover Process

• The handover process in GSM consists of the
following four steps
1. Measurements
2. Handover request
3. Handover decision
4. Handover execution

In any cellular mobile radio system handover is an essential part of radio link
maintenance. In order to maintain a radio link in the light of mobility it is essential for the
cellular system to be able to switch the radio link from one base station to another when
the radio link quality with the existing base station drops below an acceptable level and/or
the radio link quality with a target base station is better. The main input data into the
handover process are radio link quality measurements taken by mobile station and/or base
station. The handover decision can be made in the mobile station, in the base station or
somewhere else in the network.
The GSM handover process is divided into four parts as indicated in the slide above. In a
normal handover process, the handover request is generated by the BSC, and the
handover decision and the actual handover are the responsibility of the MSC. Depending
on the type of handover, functions 3 and 4 (see slide) can be implemented in the BSC.



Handover Criteria
• Permanent data such as transmitter power of
– MS, BTS in supplying cell, BTSs in neighbour cells
• Results of real-time measurements by MS
– downlink signal quality (gross bit-error-rate) - RXQUAL
– downlink receive signal level of current channel - RXLEV
– downlink receive signal level from neighbour cells
(BCCHs)
• Results of real-time measurements by BTS
– uplink signal quality (gross bit-error-rate) - RXQUAL
– uplink receive signal level of current channel - RXLEV
– uplink receive signal level from neighbour cells
• Traffic-oriented aspects (cell capacity, no. of free
channels, no. of new connections waiting for TCH)

Handover is initiated by the network based on radio subsystem criteria (RF level, quality,
distance) as well as network directed criteria (e.g. current traffic loading per cell,
maintenance requests, etc.). In order to determine if a handover is required, due to RF
criteria, the MS shall take radio measurements from neighbouring cells. These
measurements are reported to the serving cell on a regular basis. When a network
determines a need for a handover the procedures given in GSM 08.08 are followed.
Additionally, the handover decision by the network may take into account both the
measurement results from the MS and network directed criteria. The same decision
process is used to determine when to perform both the Intra-MSC and Inter-MSC
handover in all the procedures described in the following.



Measurement Protocol
• Measurements on current radio channel
– measurement of signal strength and link quality of slot in
every frame (4.615ms measurement interval) → 100 samples
per reporting period of 480ms
– reporting of average values once or twice per second (one or
two 480ms SACCH blocks)
• Measurement of channels in neighbour cells
– up to six neighbour cells are considered
– between UL and DL MS has about 2.3ms interval for
measurement of signal level from neighbour cells and 6.9ms
interval to scan for neighbour cell’s BCCH frequency
– MS can measure up to 100 signal level samples per 480ms
divided between the 6 strongest neighbour cells



Measuring Neighbour Cell Signals



Measurement Parameters
Signal Field Strength

dBm              RXLEV
… -110           0
-110 … -109      1
-109 … -108      2
-108 … -107      3
.                .
.                .
.                .
-51 … -50        60
-50 … -49        61
-49 … -48        62
-48 …            63

Signal Quality

Bit error [%]    Average    RXQUAL
… 0.2            0.14       0
0.2 … 0.4        0.28       1
0.4 … 0.8        0.57       2
0.8 … 1.6        1.13       3
1.6 … 3.2        2.26       4
3.2 … 6.4        4.53       5
6.4 … 12.8       9.05       6
12.8 …           18.10      7

Distance:

$$d_{TA} = \frac{TA \cdot c \cdot t_{bit}}{2} = \frac{TA \cdot 3 \cdot 10^{8}\,\mathrm{m/s} \cdot 3.69 \cdot 10^{-6}\,\mathrm{s}}{2} = TA \cdot 554\,\mathrm{m}$$



Measurement Reports
• Measurement reports transmitted periodically every 480ms
interleaved over 4 SACCHs
• Measurements
– Signal field strength
• from -110dBm to -48dBm (RXLEV) with relative accuracy of 1dB
and absolute accuracy of 4dB (up to -70dBm) and 6dB
• Average calculated over SACCH multiframe (480ms)
• Measurement of RXLEV on the allocated TCH in every frame and
at least one neighbour per TDMA frame
– Signal quality
• measured in BER before channel decoding (based on training
sequence) and mapped onto RXQUAL levels with accuracy of
75% for RXQUAL=1 - 4 and 95% accuracy for RXQUAL=5 - 7
– Distance
• absolute distance based on TA value with ±0.5 bit accuracy
→ provides about 1km spatial resolution (not too useful)



Measurement Result Message



Handover Decision

• Handover decision and selection of target cell made
by either BSC or MSC depending on measurements
• BSC may decide to initiate handover itself by
sending HND_CMD message to BTS or to report to
MSC by sending HND_RQD that a handover is
required
• In case of BSC deciding to handover, MSC is
informed with HND_PERF message



Handover Scenarios

• Intra-BTS Handover
• Intra-BSC Handover
• Intra-MSC Handover
• Inter-MSC Handover
• Subsequent Handover



Transmitter Power Control

• The purpose of power control is reduction of interference and
increase in MS battery working time
• Power control is mandatory for every MS, it is optional for a
BTS
• Depending on radio link quality, BSC requests adjustment of
transmitter power for MS and BTS
• Power adjustments are made over the SACCH every 480ms
• Maximum power is Pn, BTS adjustments are made relative to
Pn in 2dB steps over dynamic range of 30dB
• BCCH is always transmitted at Pn
• MS power settings are set in absolute values measured in
dBm (relative to 1mW)



GSM MS Transmitter Power Levels
Code   GSM 900   GSM 1800/PCS 1900     Code   GSM 900   GSM 1800/PCS 1900
0      39        30                    10     11        0
1      39        28                    11     9         0
2      39        26                    12     7         0
3      37        24                    13     5         0
4      35        22                    14     5         0
5      33        20                    15     5         0
6      31        18                    16     5         0
7      29        16                    17     5         0
8      27        14                    18     5         0
9      25        12                    19     5         0
0A     23        10                    1A     5         0
0B     21        8                     1B     5         0
0C     19        6                     1C     5         0
0D     17        4                     1D     5         36
0E     15        2                     1E     5         34
0F     13        0                     1F     5         32



MS and BTS Power Classes
             GSM900                GSM1800               PCS1900
Class        MS        BTS         MS        BTS         MS        BTS
             (W/dBm)   (W/dBm)     (W/dBm)   (W/dBm)     (W/dBm)   (W/dBm)
1            -/-       320/55      1/30      20/43       1/30      20/43
2            8/39      160/52      0.25/24   10/40       0.25/24   10/40
3            5/37      80/49       4/36      5/37        2/33      5/37
4            2/33      40/46       -/-       2.5/34      -/-       2.5/34
5            0.8/29    20/43       -/-       -/-         -/-       -/-
6            -/-       10/40       -/-       -/-         -/-       -/-
7            -/-       5/37        -/-       -/-         -/-       -/-
8            -/-       2.5/34      -/-       -/-         -/-       -/-
Micro (M1)   -/-       0.25/24     -/-       1.6/32      -/-       0.5/27
Micro (M2)   -/-       0.08/19     -/-       0.5/27      -/-       0.16/22
Micro (M3)   -/-       0.03/14     -/-       0.16/22     -/-       0.05/17



Sample Algorithm (GSM 05.08) for
Handover and Power Control
• Averaging of measured values on UL and DL to reduce
short-term fading effect. Parameters
– HREQAVE: no. of reports averaged
– HREQT: no. of averaged values in HND_RQD message
• Calculation of power budget
PBGT(n)=[min(MS_TXPWR_MAX, P) - RXLEV_DL - PWR_C_D]
- [min(MS_TXPWR_MAX(n), P) - RXLEV_NCELL(n)]



Power Control Levels



Handover Decision Levels



GSM Handover Threshold Values



BSS Decision Algorithm

• When threshold value comparison yields handover required
→ send HND_RQD to MSC indicating conditions:
– RXLEV_NCELL(n) > RXLEV_MIN(n) + max(0,
MS_TXPWR_MAX(n) - P)
– PBGT(n) > 0
• Conditions must be met by neighbour cell to become target
cell
• Target cells are sorted by PBGT value and cell with highest
PBGT is selected for handover
• If handover is considered imperative, the list can also contain
neighbour cells with PBGT(n) < 0.
• If RXQUAL is low but RXLEV is fine, co-channel
interference is high and intra-BTS handover is performed
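
The averaging, power budget and target-cell conditions from the two slides above, worked through as an added Python example (not code from the original slides or from GSM 05.08). The function and class names, the use of dBm for all levels, and the sample reports are assumptions made for illustration.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class Neighbour:
    name: str
    reports: list        # RXLEV_NCELL(n) samples in dBm, oldest first (constructed)
    rxlev_min: float     # RXLEV_MIN(n), dBm
    ms_txpwr_max: float  # MS_TXPWR_MAX(n), dBm

def averaged(reports, hreqave):
    """Average the last HREQAVE reports to suppress short-term fading."""
    return mean(reports[-hreqave:])

def pbgt(ms_txpwr_max, p, rxlev_dl, pwr_c_d, n_txpwr_max, rxlev_ncell):
    """Power budget of neighbour n relative to the serving cell, in dB."""
    return ((min(ms_txpwr_max, p) - rxlev_dl - pwr_c_d)
            - (min(n_txpwr_max, p) - rxlev_ncell))

def target_cells(serving_dl, neighbours, ms_txpwr_max, p,
                 pwr_c_d=0, hreqave=4, imperative=False):
    """Return [(cell, PBGT)] ordered best-first, as reported in HND_RQD."""
    rxlev_dl = averaged(serving_dl, hreqave)
    candidates = []
    for n in neighbours:
        lev = averaged(n.reports, hreqave)
        # Level condition: RXLEV_NCELL(n) > RXLEV_MIN(n) + max(0, MS_TXPWR_MAX(n) - P)
        if lev <= n.rxlev_min + max(0, n.ms_txpwr_max - p):
            continue
        budget = pbgt(ms_txpwr_max, p, rxlev_dl, pwr_c_d, n.ms_txpwr_max, lev)
        # PBGT(n) > 0 is waived only for an imperative handover.
        if budget > 0 or imperative:
            candidates.append((n.name, budget))
    return sorted(candidates, key=lambda c: c[1], reverse=True)

# Constructed sample: MS moving away from the serving cell towards cell A.
SERVING_DL = [-85, -88, -90, -92, -94, -95]
NEIGHBOURS = [
    Neighbour("A", [-90, -88, -86, -84, -82, -80], -100, 33),
    Neighbour("B", [-97, -96, -96, -96, -95, -97], -100, 33),
    Neighbour("C", [-101, -102, -102, -103, -101, -102], -100, 33),
]

if __name__ == "__main__":
    print(target_cells(SERVING_DL, NEIGHBOURS, ms_txpwr_max=33, p=33))
    print(target_cells(SERVING_DL, NEIGHBOURS, 33, 33, imperative=True))
```

Cell C never becomes a target because it fails the level condition, while cell B appears only when the handover is imperative.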



GSM Power Budget Handover



MSC Decision Algorithm

• MSC evaluates handover request based on criteria:
– Quality
– Signal level
– Distance
– Power budget
• There is also provision for giving individual cells
priority in order to distribute traffic load
– during congestion situations
– in hierarchical cellular systems for handover between cell
layers



Problems of GSM Handover

• Ping-pong Effect
– HO_MARGIN = 5-10dB
– Large HO_MARGIN or averaging window to
avoid ping-pong handover → loss of power
budget handover or delayed handover
• Number of Handovers
– Due to complexity of handover protocol GSM
tries to avoid unnecessary handovers
– Due to shadow fading variations, handover points
are randomly distributed around the best point,
which can cause a large number of handovers



Proposed Improvements

• Handover considering evolution of signal strength
• Handover utilising level crossing rate of received
signals → provides estimation of MS speed
• MS speed and signal strength evolution can provide
more reliable handover decision to avoid ping-pong
effect → prediction based handover



Mobile Identifiers

• GSM numbering follows the rules of ITU-T Rec.
E.164 for ISDN numbering
• MS numbers/identifiers
– MSISDN - Mobile Station ISDN Number
– IMSI - International Mobile Subscriber Identity
– MSRN - Mobile Station Roaming Number
– IMEI - International Mobile Equipment Identity
– TMSI - Temporary Mobile Subscriber Identity



Mobile Identifiers
MSISDN = CC + NDC + SN
– CC - Country Code
– NDC - National Destination Code
– SN - Subscriber Number
– 14 - 15 digits (7 - 7.5 octets)

IMSI = MCC + MNC + MSIN
– MCC - Mobile Country Code, 3 digits
– MNC - Mobile Network Code, 2 digits
– MSIN - Mobile Subscriber Identification Number, 10 digits or less (≤ 5 octets)



Mobile Identifiers
MSRN = VCC + VNDC + SN (VMSC + VSN), where VMSC = Visitor MSC
– VCC - Visitor Country Code, 3 digits
– VNDC - Visitor National Destination Code, 2 digits
– SN - 10 digits or less (≤ 5 octets)

TMSI
– 4 octets

IMEI = TAC + FAC + SNR + SP
– TAC - Type Approval Code, 6 digits
– FAC - Final Assembly Code, 2 digits
– SNR - Serial Number, 6 digits
– SP - Spare, 1 digit



Network Identifiers

• Mobile Network Code (MNC)
• Location Area Identity (LAI)
– MCC - Mobile Country Code, e.g. Ireland = 272
– MNC - Mobile Network Code, e.g. Eircell = 01
– LAC - Location Area Code (2 octets fixed code)
• Routing Area Identity (RAI) - similar to LAI
• Cell Identity (CI), 2 octets fixed length
• Global Cell Identity = LAI + CI



Network Identities

• Base Station Identity Code (BSIC)
– 6 bit number consisting of
• Network Colour Code - NCC, 3 bits
• Base Station Colour Code - BCC, 3 bits
– allows MS to distinguish between neighbour base stations
• Regional Subscription Zone Identifier (RSZI)
– consists of CC, MNC, ZC (2 octets fixed size)



SIM Card
• Microcontroller based smart card
• MS = SIM + ME (mobile equipment)
• SIM card personalises the mobile equipment
• Two types of SIM
– credit card size - ISO SIM
– plug-in SIM (usually comes as an ISO SIM from which it is popped out)
• SIM architecture
– µController + RAM of 256 - 512 Byte, will grow to
2KB (2000), several OS are in use
– ROM - 16 - 24kB (1997), will grow to 64kB (2000)
– EEPROM - 16kB (1997), will grow to 64KB (2000)
– I/O ports
– SIM power and clock supplied by ME



SIM Card Types



SIM Card Data Organisation

• SIM card data structured in Master File (MF) and
Dedicated Files (DF)
• Dedicated files, which are actually directories
– DF_GSM - GSM related data
– DF_TELECOM - telecommunication services related data
• Elementary Files (EF) hold the actual data
– One record EF to hold IMSI for example
– Multiple record EF to hold phone book for example
• SIM contains security features to protect data in EF



SIM Card Functions
• SIM card holds user and network related data
• SIM card is involved in GSM security
– holds the PIN
– computes SRES and Kc based on algorithms A3 and A8, which are
stored in SIM’s ROM
• SIM card holds data about subscriptions of services in EF_SST
(service table)
– SMS, Last Number Dialled, AoC, CB Message Identifier, Service
provider name, etc
• SIM card holds access level information EF_ACC, which
determines access restriction to the network
• Stores current location information
• Holds account and charge information (for prepaid SIM card)



Example SIM Card Elementary Files



Location Management

• GSM is a cellular system and as such divided into location
areas to facilitate efficient paging
• Location areas are identified by the LAI
• LAI is broadcast within SYSTEM-INFO message on BCCH
• Size of a location area depends on expected subscriber
penetration and PCH capacity
• Every time MS detects a change of LAI, that is the LAI
temporarily stored in the SIM is different to LAI in
SYSTEM_INFO message, location update is performed
• Upon power up of the MS, a location registration procedure is
performed of which the user is oblivious



GSM Security Management

• Four basic security services provided by GSM
– Anonymity: TMSI assignment upon location
registration/update
– Authentication
– Signalling data and user information protection through
encryption
– SIM module identifying user and IMEI identifying ME
independently
• GSM algorithms for authentication and encryption
are strictly confidential and not publicly available



Authentication

• Authentication is required in every mobile radio system
– to establish the authenticity of a user/equipment
– establish whether the user is allowed to access the service
• Authentication consists of a challenge and a response
– network provides a challenge in form of a random number
RAND
– response SRES is derived based on algorithm A3 from
challenge (RAND), authentication key Ki and IMSI
– MS replies to challenge by sending SRES back to network,
which then compares MS’s SRES with its own SRES



Generation of Authentication Challenge



Authentication Process



Encryption

• Protecting analogue information against eavesdropping is not
easy but digital transmission allows for excellent level of
protection
• Encryption is the process where a series of bits are
transformed by mathematical or logical functions into another
series of bits
• GSM cipher algorithm A5/n uses a cipher key Kc that is
generated during authentication process and stored in SIM
• Kc is generated from RAND by algorithm A8 driven by Ki
• Kc is 64 bits in length
• Ciphering is periodic based on TDMA frame number
(periodic with length of hyper frame)
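
The challenge-response exchange from the Authentication slide and the Kc derivation from the Encryption slide, as an added Python example (not code from the original slides). Because A3 and A8 are operator-specific, a truncated HMAC-SHA256 is swapped in as a stand-in; the class and function names, the 128-bit RAND, the 32-bit SRES and the test subscriber are assumptions, and the IMSI is modelled as the key the network uses to look up Ki.

```python
import hashlib
import hmac
import secrets

def a3_a8_standin(ki: bytes, rand: bytes):
    """Stand-in for the operator's A3/A8 (NOT the real algorithms):
    derive SRES (32 bits) and Kc (64 bits) from Ki and RAND."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

class Sim:
    """Holds Ki; only SRES leaves the MS, Kc is kept for A5 ciphering."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki

    def run_gsm_algorithm(self, rand: bytes):
        return a3_a8_standin(self._ki, rand)

class Network:
    """Network side: looks up Ki by IMSI and issues single-use challenges."""
    def __init__(self, subscribers: dict):
        self._ki_by_imsi = subscribers
        self._pending = {}

    def challenge(self, imsi: str) -> bytes:
        rand = secrets.token_bytes(16)            # fresh 128-bit RAND
        self._pending[imsi] = a3_a8_standin(self._ki_by_imsi[imsi], rand)
        return rand

    def verify(self, imsi: str, sres_ms: bytes):
        """Return Kc if SRES matches, else None; the challenge is consumed."""
        expected = self._pending.pop(imsi, None)
        if expected is None:
            return None
        sres, kc = expected
        return kc if hmac.compare_digest(sres, sres_ms) else None

def authenticate(network: Network, sim: Sim):
    """One full exchange; returns (network Kc or None, SIM Kc)."""
    rand = network.challenge(sim.imsi)             # network -> MS: RAND
    sres, kc_sim = sim.run_gsm_algorithm(rand)     # computed inside the SIM
    return network.verify(sim.imsi, sres), kc_sim  # MS -> network: SRES

# Constructed test subscriber (IMSI built from the page's MCC 272 / MNC 01).
IMSI = "272011234567890"
KI = bytes.fromhex("00112233445566778899aabbccddeeff")
```

Ki never crosses the radio interface: only RAND and SRES are exchanged, and both sides end up with the same Kc without transmitting it.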



Encryption Process

