Upload
idowu-ojo
View
118
Download
8
Embed Size (px)
DESCRIPTION
GSM Principles and Call Flow
Citation preview
1
Chapter 1 GSM Principles and Call Flow
1.1 GSM Frequency Band Allocation
GSM cellular system can be divided into GSM900M and DCS1800M according to frequency band, with carrier
frequency interval of 200 KHz and up and down frequencies as follows:
Table 1-1 GSM frequency allocation
Frequency
band(MHz)
Bandwidth(M
Hz)
Frequency
number
Carrier
frequency
number
(pair)
GSM900 Up 890–915
Down 935–960 25 1–124 124
DCS1800 Up 1710–1785
Down 1805–1880 75 512–885 374
“Up” and “down” are classified according to base station. Base station transmitting - mobile station receiving is
“down”; mobile station transmitting - base station receiving is up.
With the expanding services, GSM protocol adds EGSM(expanded GSM frequency band) and RGSM (expanded
GSM frequency band including railway service) to the original GSM900 frequency band. The frequency band
allocation is as follows:
Table 1-2 EGSM/RGSM frequency allocation
Frequency
band(MHz)
Bandwidth
(MHz)
Frequency
number
Carrier
frequency
number
(pair)
EGSM Up 880–915
Down 925–960 35
0–124
975–1023 174
RGSM Up 876–915
Down 921–960 40
0–124
955–1023 199
1.2 Multiple Access Technology and Logical Channel
1.2.1 GSM Multiple Access Technology
In cellular mobile communications system, since many mobiles stations communicate with other mobiles stations
through one base station, it is necessary to distinguish the signals from different mobile stations and base stations
for them to identify their own signals. The way to this problem is called multiple access technology. There are now
five kinds of Multiple access technology, namely: Frequency Division Multiple Access (FDMA), Time Division
Multiple Access (TDMA), Code Division Multiple Access (CDMA), Space Division Multiple Access (SDMA), and polar
division multiple access (PDMA).
GSM multiple access technology focuses on TDMA, and takes FDMA as complement. The following only introduces
FDMA and TDMA technologies.
2
I. FDMA
FDMA divides the whole frequency band into many single radio channels (transmitting and receiving carrier
frequency pairs). Each channel transmits one path of speech or control information. Any subscriber has access to
one of these channels under the control of the system.
Analog cellular system is a typical example of FDMA application. Digital cellular system also uses FDMA, but not the
pure frequency allocation. For example, GSM takes FDMA technology.
II. TDMA
TDMA divides a broadband radio carrier into several time division channels according to time (or timeslot). Each
subscriber takes one timeslot and sends or receives signals only in the specified timeslot. TDMA is applied in digital
cellular system and GSM.
GSM adopts a technology combined with FDMA and TDMA.
1.2.2 TDMA Frame
The basic conception of GSM in terms of radio path is burst. Burst is a transmission unit consists of over one
hundred of modulation bits. It has a duration limit and takes a limited radio frequency. They are exported in time
and frequency window which is called slot. To be specific, in system frequency band, central frequency of slot is set
in every 200 KHz (in FDMA). Slot occurs periodically in each 15/26 ms, which is about 0.577 ms (in TDMA).The
interval between two slots is called timeslot. Its duration is used as time unit, called burst period (BP).
Time/frequency map illustrates the concept of slot. Each slot is expressed as one little rectangle with 15/26ms
length and 200 KHz width. See Figure 1-1. Similarly, the 200 KHz bandwidth in GSM is called frequency slot, equal
to radio frequency channel in GSM protocol.
Burst represents different meaning in different situation. Sometimes it concerns time – frequency “rectangle” unit,
and sometimes not. Similarly, timeslot sometimes concerns time value, and sometimes means using one of every
eight slots periodically.
Using a given channel means transmitting burst with a particular frequency at particular time, that is, a particular
slot. Generally, the slot of a channel is not continuous in time.
Figure 1-1 Timeslot
Physical channel combines frequency division multiple access and time division multiple access together. It consists
of timeslot flow that connects base station (BS) and mobile station (MS).The position of these timeslots in TDMA
frame is fixed. Figure 1-2 shows the complete structure of TDMA frame, including timeslot and burst. TDMA frame
is a repetitive “physical” frame in radio link.
Frequency
200kHz
BP
15/26ms Slot
Time
3
One TDMA frame consists of eight basic timeslots, about 60/13≈4.615ms in total. Each timeslot is a basic physical
channel with 156.25 elements, coving 15/26≈0.557ms.
There are two kinds of multiframes, consisting of 26 and 51 continuous TDMA frames respectively. Multiframes are
applied when different logical channels are multiple used in one physical channel.
The 26 multiframe, with a period of 120 ms, is used in traffic channel and associated control channel. Among the
26 bursts, 24 are used in traffic and 2 are used in signaling.
The 51 multiframe, with a period of 3060/13≈235.385 ms, is specially used in control channel.
Many multiframes together form a super frame. Super frame is a continuous 51×26TDMA frame, that is to say, a
super frame consists of fifty-one 26 TDMA multiframes or twenty-six 51 TOMA multiframes. The period of super
frame is 1,326 TDMA frames, or 6.12 s.
Many super frames together form a hyper frame.
A hyper frame consists of 2,048 super frames with a period of 12,533.7s, or 3 hours and 28’ 53’’ 760’’’. It is used in
encrypted voice and data. Each period of hyper frame consists of 2,715,648 TDMA frames numbered from 0 to
2,715,648. The frame number is transmitted in sync channel.
The structure of GSM frame is shown in Figure 1-2.
Figure 1-2 Structure of TDMA frame
1.2.3 Burst
Burst is the message layout of a timeslot in TDMA channel, which means each burst is sent to a timeslot of TDMA
frame.
Different message in the burst determines its layout.
There are five kinds of bursts:
� Normal burst: used to carry messages in TCH, FACCH, SACCH, SDCCH, BCCH, PCH and AGCH channels
� Access burst: used to carry message in RACH channel
� Frequency correction burst: used to carry message in FCCH channel
0 1 2 3 2044 2045 2046 2047
0 1 2 3 48 49 5047
0 1 24 25
0 1 24 25 1 49 500
0 1 4 5 762 3
TB3
TB3
GP8.25 TB£ ºtail bits
TB3
TB3
GP8.25
GP£ ºguard periodTB3
TB3
GP8.25
TB3
TB3
GP 68.25
58 information bits 26 training sequency 58 information bits
constant bits 142
information bits 39extended training sequency64information bits 39
synchronization sequence 41information bits 36
Normal burst£ NB£ ©
Frequency correction burst£ FB£ ©
synchronized burst£ SB£ ©
Access burst£ AB£ ©
1 Hyper frame =2018 Super frames =2715648 TDMA frames (3Ð ¡Ê ±28· Ö53Ã ë760º ÁÃ ë)
1 Super frame =1326 TDMA frames £ 6.12 s£ ©
1 Multiframe =26TDMA frames£ 120 ms£ © 1 Multiframe =51 TDMA frames£ 3060/13ms£ ©
1 TDMA frame =8 time slots£ 120/26=4.615ms£ ©
1 time slot =156.25 bits duration£ 15/26=0.557ms£ ©£ 1bit duration£ º48/13=3.68us£ ©
BCCHCCCHSDCCH
TCHSACCH/TFACCH
4
� Synchronization burst: used to carry message in SCH channel
� Dummy burst: transmitted when no specific message transmission request from system (In cells, standard
frequency sends message continuously)
Each kind of burst includes the following elements:
� Tail bits: Its value is always 0 to help equalizer judge start bit and stop bit to avoid lost synchronization.
� Information bits: It is used to describe traffic and signaling information, except idle burst and frequency
correction burst.
� Training sequence: It is a known sequence, used for equalizer to generate channel model (a way to eliminate
dispersion). Training sequence is known by both transmitter and receiver. It can be used to identify the
location of other bits from the same burst and roughly estimate the interference situation of transmission
channel when the receiver gets this sequence. Training sequence can be divided into eight categories in
normal burst. It usually has the same BCC setting with cells, but when accessed to burst and synchronization
bust, training sequence is fixed and does not change with cells. For example, in access burst, training
sequence is fixed (occupying 41 bits). The 36-bit message digit of the random access burst includes BSIC
information of the cell. BSIC settings of the same BCCH should be different, in order to avoid mis-decoding of
random access burst from neighboring cells into local access.
� Guard period: It is a blank space. Since each carrier frequency can carry a maximum of eight subscribers, it is
necessary to guarantee the non-overlapping of each timeslot in transmission. Although timing advance
technology (introduced later) is used, bursts from different mobile stations still show little slips; therefore,
protection interval is adopted to allow transmitter to fluctuate in a proper range in GSM. On the other hand,
GSM requires protection bits to keep constant transmission amplitude of the effective burst (except
protection bits) and properly attenuate the transmission amplitude of mobile station. The amplitude
attenuation of two sequential bursts as well as proper modulation bit stream can reduce the interference to
other RF channels.
The following is a detailed introduction to the structure and content of burst:
� Access burst
It is used for random access (channel request from network and switchover access).
It is the first burst that the base station needs in uplink modulation.
Access burst includes a 41-bit training sequence, 36-information bit, and its protection interval is 68.25 bits. There
is only one kind of training sequence in access burst. Since the possibility of interference is rather little, it is
unnecessary to add extra kinds of training sequences. Both training sequence and protection interval are longer
than normal bursts in order to offset the bug of timing advance ignorance in the first access of mobile station (or
switch over to another BTS) and improve demodulation ability of the system.
� Frequency correction burst
It is used for frequency synchronization in mobile station, equal to an unmodulated carrier. This sequence has 142
constant bits for frequency synchronization. Its structure is pretty simple with all constant bits being 0. After
modulated, it becomes a pure sine wave. It is used in FCCH channel for mobile station to find and modulate
synchronization burst of the same cell. When mobile station gets the frequency through this burst, it can read the
information of following bursts (such as SCH and BCCH) in the same physical channel. Protection interval and tail
bit are the same with that of normal burst.
� Synchronization burst
5
With a 64-bit training sequence and two 39-bit information fields, synchronization burst is used for time
synchronization of mobile station in SCH channel. It belongs to downlink. Since it is the first burst required to be
modulated by mobile station, its training sequence is relatively long and easy to be detected.
� Normal burst
It has two 58-bit groups used in message field. To be more specific, two 58-bit groups are used to transmit
subscriber data or voice together with two stealing flags. Normal burst is used to describe whether the transmitted
is traffic information or signaling information. For example, to distinguish TCH and FACCH (when TCH channel is
used as FACCH channel to transmit signaling, the stealing flag of the 8 half bursts should be set to 1. It has no other
use in channels except in TCH channel, but can be regarded as the extension of training sequence and always set to
1.Normal burst also includes two 3-bit tails and a protection interval of 8.25 bits. The only bug is that the receiver
has to store the preceding part of burst before modulation. Normal burst has a total of 26 bits, 16 of which are
information bits. In order to get 26 bits, it copies the first five bits to the end of the training sequence and the last
five bits to the head of the training sequence. There are eight kinds of such training sequence (these eight
sequences have the least relevancy with each other). They correspond to different base station color code (BCC, 3
bits) respectively to distinguish the two cells using the same frequency.
� Dummy burst
This kind of bust is sometimes sent by BTS without carrying any information. Its format is the same with normal
burst. The encrypted bits are changed into mixed bits with certain bit model.
1.2.4 Logical Channel
In real networking, each cell has several carrier frequencies and each frequency has eight timeslots, proving eight
basic physical channels. Logical channel carries out time multiplexing in one physical channel. It is classified
according to the type of information in physical channel. Different logical channel transmits different type of
information between BS and MS, such as signaling and data service. GSM defines different burst type for different
logical channel.
In GSM, logical channel is divided into dedicated channel (DCH) and common channel (CCH), or traffic channel
(TCH) and control channel (CCH) sometimes.
I. TCH
TCH carries coded voice or subscriber data. It is divided into full rate TCH (TCH/F) and half rate TCH (TCH/H) with
22.8 bit/s information and 11.4 Kbit/s information respectively. Using half of the timeslots in TCH/F can get TCH/H.
A carrier frequency can provide eight kinds of TCH/F or sixteen kinds of TCH/H. Voice channel types are as follows:
� Enhanced full rate speech TCH (TCH/EFS)
� Full rate speech TCH (TCH/EFS)
� Full rate 9.6 Kbit/s TCH (TCH/F9.6)
� Full rate 4.8 Kbit/s TCH (TCH/F4.8)
6
� Full rate ≤2.4 Kbit/s TCH (TCH/F2.4)
II. CCH
CCH is used to transmit signaling or synchronous data. It mainly consists of broadcast channel (BCCH), common
control channel (CCCH), and dedicated control channel (DCCH).
III. BCCH
� Frequency Correction Channel (FCCH)
It carries the information for frequency correction in mobile station. Through FCCH, mobile station can locate a cell
and demodulate other information in the same cell, and recognize whether this carrier frequency is BCCH or not.
� Sync Channel (SCH)
After FCCH decoding, mobile station has to decode SCH information. This information contains mobile station
frame synchronization and base station identification. Base station identification code (BSIC) occupies six bits,
three of which are PLMN color codes ranging from zero to seven, and the other three are base station color codes
(BCCs) ranging from zero to seven.
Reduced TDMA frame (RFN) occupies 22 bits.
� BCCH
Generally, each BTS has a transceiver containing BCCH in order to broadcast system information to mobile station.
System information enables mobile station to work efficiently in null state.
IV. CCCH
� Paging Channel (PCH)
PCH is a downlink channel used to page mobile station. When the network wants to communicate with a certain
mobile station, it sends paging information marked as TMSI or IMSI through PCH to all the cells in LAC area
according to the current LAC registered in mobile station.
� Access Grant Channel (AGCH)
AGCH is a downlink channel used for base station to respond the network access request of mobile station, that is,
to allocate a SDCCH or TCH directly. AGCH and PCH share the same radio resource. Keep a fixed number of blocks
for AGCH or just borrow PCH when AGCH requires without keeping special AGCH block (AGB).
� Random Access Channel (RACH)
RACH is an uplink channel used for mobile station to request SDCCH allocation in random network access
application. The request includes the reason to build 3-bit (call request, paging response, location update request
and short message request) and 5-bit reference random number for mobile station to identify its own access grant
message.
V. DCCH
� Stand-alone Dedicated Control Channel (SDCCH)
SDCCH is a bi-directional dedicated channel used to transmit information of signaling, location update, short
message, authentication, encrypted command, channel allocation, and complementary services. It can be divided
into SD/8 and SD/4.
� Slow Associated Control Channel (SACCH)
SACCH works with traffic channel or SDCCH to transmit subscriber information and some specific information at
the same time. Uplink mainly transmits radio measurement report and the first layer head information; downlink
mainly transmits part system information and the first layer head information. The information includes quality of
communications, LAI, CELL ID, BCCH signal strength in neighboring cells, NCC limit, cell options, TA, and power
control level.
7
� Fast Associated Control Channel (FACCH)
FACCH works with TCH to provide signaling information with a rate and timeliness much higher than that provided
by SACCH.
There is another control channel called cell broadcast channel (CBCH) besides the three control channels
mentioned above. It is used in downlink and carries short message service cell broadcast (SMSCB) information.
CBCH uses a physical channel same as SDCCH.
VI. Channel Combination
Logical channel is mapped to physical channel according to certain rules. The channel combinations specified in
GSM protocol are as follows:
� TCH/F + FACCH/F + SACCH/TF
� TCH/H(0,1) + FACCH/H(0,1) + SACCH/TH(0,1)
� TCH/H(0,0) + FACCH/H(0,1) + SACCH/TH(0,1) + TCH/H(1,1)
� FCCH + SCH + BCCH + CCCH (main BCCH)
� FCCH + SCH + BCCH + CCCH + SDCCH/4(0..3) + SACCH/C4(0..3)(BCCH combination)
� BCCH + CCCH(BCCH extension)
� SDCCH/8(0. .7) + SACCH/C8(0. .7)
VII. Uncombined BCCH/SDCCH and Combined BCCH/SDCCH
Paging information transmits in the timeslot 0 of BCCH. Timeslot 0 has the following sub channels:
� Broadcast channel (BCH): FCCH, SCH, BCCH
� CCCH: PCH, AGCH
� DCCH (combined BCCH/SDCCH): SDCCH, SACCH, CBCH ( if using cell broadcast)
Physical channel timeslot 0 is made of multiframes logically. Each multiframe is 235.4 ms in length. Multiframe has
different channel configurations, such as combined BCCH/SDCCH and uncombined BCCH/SDCCH. Different
configuration has different paging capacity.
� Uncombined BCCH/SDCCH
Each frame of Uncombined BCCH/SDCCH can have nine paging blocks. The timeslot 0 of BCCH carrier frequency
does not have SDCCH channel or CBCH channel.
� Combined BCCH/SDCCH
Each multiframe of combined BCCH/SDCCH can have three paging blocks. The timeslot 0 of BCCH carrier frequency
contains four SDCCH subchannels (no CBCH) or three SDCCH and one CBCH subchannel.
The configuration of combined BCCH/SDCCH has a great influence on paging capacity. Each multiframe has only
three paging blocks instead of nine in uncombined BCCH/SDCCH, which means the paging capacity of cells with
combined BCCH/SDCCH is only one third of that of cells with uncombined BCCH/SDCCH.
1.3 Data Transmission
Radio channel has totally different characteristics from wired channel. Radio channel has a strong time-varying
characteristic. It has a high error rate when the signal is influenced by interferences, multipath fading, or shadow
fading. In order to solve these problems, it is necessary to protect the signals through a series of transformation
and inverse transformation from original subscriber data or signaling data to the information carried by radio wave
and then to subscriber data or signaling data. These transformations include channel coding and decoding,
interleaving and de-interleaving, burst formatting, encryption and decryption, modulation and demodulation. See
Figure 1-3
8
Figure 1-3 Forward and reverse data transmission process
1.3.2 Voice Coding
Modern digital communication system usually uses voice compression technology. GSM takes tone and noise from
human throat as well as the mouth and tongue filter effect of acoustics as voice encoder to establish a model. The
model parameters transmit through TCH channel.
Voice encoder is based on residual excited linear prediction encoder (REIP) and its compression effect is
strengthened through long term predictor (LTP). LTP improves residual data encoding by removing the vowel part
of voice.
Voice encoder divides voice into several 20 ms voice blocks and samples each block with 8 kHz, so each block has
160 samples. Each sample is quantified through frequency A 13 bits (frequency μ 14 bits). Since the compression
rates of frequency A and frequency μ are different, add three and two “0” bits to the quantification values
respectively, and then each sample gets 16 bits quantification value. Therefore, 128 Kbit/s data flow is obtained
after digitizing but before encoding. This data flow is too fast to transmit in radio path and has to be compressed in
encoder. With full speed encoder, each voice block is encoded into 260 bits to form a 13 Kbit/s source coding rate.
Next is channel coding. With 20 ms as a unit, 260 bits are output after compression encoding, so the encoding rate
is 13Kbit /s.
Compared with the direct coding transmission of voice in traditional PCM channel, the 13kbps voice rate of GSM is
much lower. More advance voice encoder can reduce the rate to 6.5kbps (half rate encoding).
1.3.3 Channel Coding
Channel coding is used to improve transmission quality and remove the influence of interferential factors on
signals at the price of increasing bits and information. The basic way of coding is adding some redundant
information to the original data. The added data is calculated on the basis of original data with certain rules. The
decoding process of receiving end is judging and correcting errors with this redundant bit. If the redundant bit of
received data calculated with the same way is different from the received redundant bit, errors must have occurred
in transmission. Different code is used in different transmission mode. In practice, several coding schemes are
9
always combined together. Common coding schemes include block convolutional code, error correcting cyclic code
and parity code.
In GSM, each logical channel has its own coding and interleaving mode, but the principle is trying to form a unified
coding structure.
� Encode information bit into a unified block code consisting of information bits and parity check bits.
� Encode block code into convolutional code and form coding bits (usually 456 bits).
� Reassemble and interleave coding bits and add a stealing flag to form interleaving bits.
All these operations are based on block. The block size depends on channel type. After channel coding, all channels
(except RACH and SCH) are made of 464-bit block, that is, 456 coded information bits plus 8-bit header (header is
used to distinguish TCH and FACCH). Then these blocks are reinterleaved (concerning channel).
In TCH/F voice service; this block carries one speech frame of information. In control channel, this block usually
carries one piece of information. In TCH/H voice service, speech information is transmitted by a block of 228 coded
bits block.
For FACCH, each block of 456 coded information bits is divided into eight sub blocks. The first four sub blocks are
transmitted by even bits of the four timeslots borrowed from the continuous frames of TCH, and the rest four sub
blocks borrows odd bits of the four timeslots from the four continuous frames delayed for two or four frames after
the first frame. Each 456 coded bit block has a stealing flag (8 bits), indicating whether the block belongs to TCH or
to FACCH. In the case of SACCH, BCCH or CCCH, this stealing flag is dummy.
The synchronous information in Downlink SCH and the random access information in uplink use short coded bit
blocks transmitted in the same timeslot.
In TCH/F, a 20ms speech frame is encoded into 456-bit code sequence. The 260 bits of the 13 Kbit/s 20ms speech
frame can be divided into three categories: 50 most import bits, 132 important bits and 78 unimportant bits. Add 3
parity check bits to the 50 most important bits, and these 53 bits together with 132 important bits and 4 tail bits
are convolutionally encoded ( with 1/2 convolutional coding rate ) into 378 bits, plus the 78 unimportant bits, and
the 456 bits code sequence is obtained.
In BCCH, PCH, AGCH, SDCCH, FACCH and SACCH, data is transmitted by Link Access Procedure on the Dm channel
(LAPDm). Each LAPDm frame has 184 bits, together with 40 bits error correcting cyclic code and 4 tail bits, through
1/2 convolutional coding rate, and the 456 bits code sequence is obtained.
Each SCH contains 25-bit message field. Among them, 19 bits are frame number and 6 bits are BSC number. These
25 bits plus 10 parity check bits and 4 tail bits are 39 bits. Through 1/2 rate convolutional coding, 78 bits are
obtained, which occupy an entire SCH burst. .
RACH message only has 8 bits, including 3-bit setup cause message and 5-bit discrimination symbol. On the basis
of these 8 bits, add 6 bits of color code (obtained through the MOD 2 of the 6-bit BSIC and 6-bit parity check
code), plus 4 tail bits to get 18 bits. Through 1/2 rate convolutional coding, 36 bits are obtained, which occupy an
entire RACH burst. 。
1.3.4 Interleaving
If speech signal is modulated and transmitted directly after channel coding, due to parametric variation of mobile
communication channel, the long trough of deep feeding will affect the succeeding bits, leading to error bit strings.
That is to say, after coding, speech signal turns into sequential frames, while in transmission, error bits usually
occur suddenly, which will affect the accuracy of continuous frames. Channel coding only works for detection and
correction of signal error or short error string. Therefore, it is hoped to find a way to separate the continuous bits
in a message, that is, to transmit the continuous bits in a discontinuous mode so as to change the error channel
into discrete channel. Therefore, even if an error occurs, it is only about a single or very short bit stream and will
not interrupt the decoding of the entire burst or even the entire information block. Channel coding will correct the
10
error bit under such circumstances. This method is called interleaving technology. Interleaving technology is the
most effective code grouping method to separate error codes.
The essence of interleaving is to disperse the b bits into n bursts in order to change the adjacent relationship
between bits. Greater n value leads to better transmission performance but longer transmission delay. Therefore,
these two factors must be considered in interleaving. Interleaving is always related to the use of channel. GSM
adopts secondary interleaving method.
After channel coding, The 456 bits are divided into eight groups; each group contains 57 bits. This is the first
interleaving, also called internal interleaving. After first interleaving, the continuity of information in a group is
broken. As one burst contains two groups of 57-bit voice information, if the two-group 57 bits of a 20 ms voice
block after first interleaving are inserted to the same burst, the loss of this burst will lead to 25% loss of bits for this
20 ms voice block. Channel coding cannot restore so much loss. Therefore, a secondary interleaving, also called
inter-block interleaving, is required between two voice blocks. The entire interleaving process is shown in Figure 1-
4.
Figure 1-4 Interleaving process
After internal interleaving, the 456 bits of a voice block B are divided into eight groups. Interleave the first four
groups of voice block B (B0, B1, B2, and B3) with the last four groups of voice block A (A4, A5, A6, and A6), and
then (BO, A4), (B1, A5), (B2, A6), and (B3, A7) form four bursts. In order to break the consistency of bits, put block
A at even position and block B at odd position of bursts, that is, to put B0 at odd position and A4 at even position.
Similarly, interleave the last four groups of block B with the first four groups of block C.
Therefore, a 20 ms speech frame is inserted into eight normal bursts after secondary interleaving. Theses eight
bursts are transmitted one by one, so the loss of one burst only affects 12.5% voice bits. In addition, as these
bursts have no relations with each other, they can be corrected by channel coding.
The secondary interleaving of control channel (SACCH, FACCH, SDCCH, BCCH, PCH, or AGCH) is different from voice
interleaving which requires three voice blocks. The 456-bit voice block is divided into eight groups after internal
interleaving (the same as that of voice block), and then the first four groups are interleaved with the last four
groups (the same interleaving method as that of voice block) to get four bursts.
Interleaving is an effective way to avoid interference, but it has a long delay. In the transmission of a 20 ms voice
block, the delay period is (9*8)-7=65 bursts (SACCH occupying one burst), which is 37.5 ms. Therefore, MS and
trunk circuit have echo cancellers added to remove the echo due to delay.
11
1.3.5 Encryption
Security is a very important feature in digital transmission system. GSM provides high security through
transmission encryption. This kind of encryption can be used in voice, user data, and signaling. It is used for
normal burst only and has nothing to do with data type.
Encryption is achieved by XOR operation of poison random sequence (generated through A5 algorithm of
encryption key Kc and frame number) and the 114 information bits of normal burst.
The same poison random sequence generated at receiving end and the received encryption sequence together
produce the required data after XOR operation
1.3.6 Modulation and Demodulation
Modulation and demodulation is the last step of signal processing. GSM modulation adopts GMSK technology with
BT being 0.3 at the speed of 270.833 Kbit/s and Viterbi algorithm. The function of modulation is to add a certain
feature to electromagnetic wave according to the rules. This feature is the data to transmit. In GSM, the phase of
electromagnetic field bears the information.
The function of demodulation is to receive signals and restore the data in a modulated electromagnetic wave. A
binary numeral has to be changed into a low-frequency modulated signal first, and then into an electromagnetic
wave. Demodulation is the reverse process of modulation.
1.4 Timing advance
Signal transmission has a delay. If the MS moves away from BTS during calling, the signal from BTS to MS will be
delayed, so will the signal from MS to BTS. If the delay is too long, the signal in one timeslot from MS cannot be
correctly decoded, and this timeslot may even overlap with the timeslot of the next signal from other MS, leading
to inter-timeslot interference. Therefore, the report header carries the delay value measured by MS. BTS monitors
the arrive time of call and send command to MS with the frequency of 480 ms, prompting MS the timing advance
(TA) value. The range of this value is 0–63(0–233 us), and the maximum coverage area is 35km. The calculation is
as follows:
1/2×3.7us/bit×63bit*c=35km
3.7us/bit is the duration per bit (156/577); 63bit is the maximum bit for time coordination; c is light velocity
(transmission rate of signal); 1/2 is related to the round-trip of signal.
According to the preceding description, 1bit to 554 m, due to the influence of multi-path transmission and the
accuracy of MS synchronization, TA error may be about 3 bits (1.6km).
Sometimes a greater coverage area is required, such as in coastal areas. Therefore, the number of channels that
each TRX contains must be reduced. The method is to bind odd and even timeslots, so there are only four channels
(0/1, 2/3, 4/5, and 6/7) for each TDMA frame in extended cell. Allocate channels 0, 2, 4, and 6 to MS. Within 35
KM around BTS, the TA value of MS is in the normal range 0-63; for the area beyond 35 KM, TA value stays at 63.
This technology is called extended cell technology. The maximum value of TA in BTS measurement report is
63+156.25=219.25 bit, so the maximum radius of coverage area is:
1/2×3.7us× (63+156.25) ×3×108m/s=120km
12
Figure 1-5 Principle of dual timeslot extended cell
The principle of dual timeslot extended cell is shown in Figure 1-5. In real scheme, in order to improve the
utilization of TRX, both common TRXs and dual timeslot TRXs can be included. BCCH must be in dual timeslot TRX
to receive random access from any area. The calls within 35 km are allocated to common TRX; the calls within 35
km–120 km and the switched in calls are allocated to dual timeslot TRX. If the system detects the switched in call is
within 35km, it will switch over this call to common TRX. If the MS in conversation goes beyond 35 km, an intra-cell
switchover will be carried out. Therefore, both the capacity requirement for remote areas and the coverage
requirement for local areas can be satisfied.
1.5 System Information
System information is sent to MS from network in broadcast form. It informs all the MSs within the coverage area
of location area, cell selection and re-selection, neighbor cell information, channel allocation and random access
control. By receiving system information, MS can quickly and accurately locate network resources and make full
use of all kinds of services that network provides. There are 16 types of system information: type1, 2, 2bis, 2ter, 3,
4, 5, 5bis, 5ter, 6, 7, 8, and 13.
System information is transmitted on BCCH or SACCH. MS receives system information in different mode from
different logic channel.
� In idle mode, system information 1– 4, 7, and 8 are transmitted on BCCH ;
� In communication mode, system information 5 and 6 are transmitted on SACCH;
The content of system information is as follows:
� System information 1:cell channel description + RACH control parameter, transmitted on BCCH
� System information 2: frequency description of neighbor cell + RACH control information + network color
code (NCC) permitted, transmitted on BCCH, used for cell re-selection
� System information 2bis: Extended neighbor cell BCCH frequency description + RACH control information,
transmitted on BCCH, used for cell re-selection.
13
� System information 2ter: Extended neighbor cell BCCH frequency description, transmitted on BCCH, used
for cell re-selection.
� System information 3: Cell identity + location area identity (LAI) + control channel description + cell
selection + cell selection parameter + RACH control parameter, transmitted on BCCH.
� System information 4: LAI + cell selection parameter + RACH control parameter + CBCH channel description
+ CBCH mobile configuration, transmitted on BCCH.
� System information 5: Neighbor cell BCCH frequency description, transmitted on SACCH channel, used for
cell handover.
� System information 5bis: Extended neighbor cell BCCH frequency description, transmitted on SACCH
channel, used for cell handover.
� System information 5ter: Extended neighbor cell BCCH frequency description, transmitted on SACCH
channel, used for cell handover.
� System information 6: Cell Global Identification (CGI) + cell option+NCC Permitted, transmitted on SACCH.
� System information 7: cell re-selection parameter
� System information 8: cell re-selection parameter
BCCH is a low-capacity channel, every 51 multiframes ((235 ms) have only four frames (one information block) to
transmit a 23 byte LAPDm message.
Each information unit contains:
� Cell channel description contains all the frequencies used in this cell.
� RACH control information contains parameters such as Max Retrans, TX_integer, CBA, RE, EC, and AC CN.
� Neighbor cell BCCH frequency description contains the BCCH frequency that the neighbor cell uses.
� Allowed PLMN is used to provide NCC Permitted that MS monitors on BCCH TRX.
� Control channel description contains parameters such as MS ATTACH/DEATTACH allowed Indicator ATT, BS-
AG-BLKS-RES, CCCH-CONF, BA-PA-MFRMS, and T3212.
� Cell selection contains parameters such as power control (PWRC) indication, discontinuous Transmission
(DTX) indication, and RADIO-LINK-TIMEOUT.
� Cell selection parameter contains parameters such as cell re-selection hysteresis, MS-TXPWR-MAX-CCH, and
RXLEV-ACCESS-MIN.
� CBCH channel description contains channel type and TDMA deviation (the combination mode of dedicated
channel), timeslot number (TN), training sequence code (TSC), hopping frequency channel indication H,
mobile allocation index offset (MAIO), hopping frequency sequence number (HSN) and absolute radio
frequency channel number ( ARFCN).
� CBCH mobile configuration contains the relationship between hopping channel sequence and cell channel
description.
� Cell re-selection parameter contains CELLRESELIND, cell bar qualify (CBQ), cell reselection offset (CRO),
temporary offset (TO), and penalty time (PT).
14
1.6 Cell Selection and Re-Selection
1.6.1 Cell Selection
When a MS is switched on, it tries to contact GSM PLMN that the SIM permits and select a proper cell to extract
control channel parameters and other system information. This process is called cell selection.
The priority levels of cells include normal, low, and barred. Low priority level cell is selected when there is no
proper normal cell.
A proper cell means:
� The cell belongs to the selected network;
� The cell is not barred;
� The cell is not in the national prohibited roaming location area;
� The path loss between MS and BTS is under the limit set by network.
The priority level of a cell is determined by CELL_BAR_QUALIFY (CBQ) and CELL_BAR_ACCESS (CBA).
Table 1-3 Cell priority level
CBQ CBA Cell priority level Cell re-selection status
0 0 Normal Normal
1 1 Barred Barred
0 0 Low Normal
1 1 Low Normal
1.6.2 Cell Selection Process
To perform cell selection and re-selection, MS requires all the frequencies monitored to stay at the unweighted
average value of Relev RLA_C.
I. Cell Selection When MS Storing No BCCH Information
MS searches all RF channels (at least 30 channels for 900 M, 40 for 1800 M, and 40 for PSC1900) in the system to
obtain the Relev of each RF channel, and calculate the RLA_C based on at least five samples in three to five
seconds, and then arrange these levels in descending order to select the proper BCCH. MS selects the cells with
normal priority first. If the proper cells have low priority, MS will select the cell with the highest Relev. MS has
already decoded and identified all these frequencies by now. If there is no proper cell, MS will keep on searching. It
takes a maximum of 0.5 s to synchronize a BCCH TRX and 1.9 s to read the synchronized BCCH TRX data, except
that it takes n*1.9s(n>1)to obtain the system information.
II. Cell Selection When MS Storing BCCH Information
If MS stores the BCCH frequency list of the former selected networks, MS will perform measurement sampling
procedure (only for the stored BCCH TRX) according to this list. If the cell selection within this list fails, common cell
selection will be performed. If all the cells have low priority level, MS will select the cell with the highest Relev. MS
has already decoded and identified all these frequencies by now. When a 900 M MS enters the 900/1800 network,
MS will probably choose 900 M network and ignore the priority level, because the MS stores all the 900 M
frequency information in BCCH frequency list.
III. Cell Selection Criteria
Parameter C1 is the path loss criteria for cell selection, C1 of the service cell must exceed 0, the formula is as
follows:
15
C1= RLA_C - RXLEV_ACCESS_MIN- MAX ((MS_TXPWR_MAX_CCH- P), 0) (2-1)
For DCS 1800 cells:
C1 = RLA_C - RXLEV_ACCESS_MIN- MAX ((MS_TXPWR_MAX_CCH + POWER OFFSET- P), 0)
In the formula:
RLA_C: Average value of Relev
RXLEV_ACCESS_MIN: Minimum Relev that MS allows
MS_TXPWR_MAX_CCH: Maximum transmit power on control channel
P: Maximum transmit power of MS
POWER OFFSET:Power offset related to MS_TXPWR_MAX_CCH used by DCS1800 cells.
1.6.3 Down Link Failure
Downlink failure criteria are based on DSC. When a mobile phone stays in a cell, DSC is initialized to an integer
most close to 90/N ( N is BS_PA_MFRMS, range value: 2–9). Each time when mobile phone successfully decodes a
message on its paging subchannel, DSC increases by 1, but DSC cannot exceed the initial value; when decoding
fails, DSC decreases by 4. When DSC<=0, downlink failure occurs. Down signaling link failure will lead to cell re-
selection.
1.6.4 Cell Re-Selection Process
In cell re-selection, mobile phone will synchronize and read the information from six BCCH TRXs (in BA list) with
strongest signals outside the service area. For multi-frequency mobile phones, the TRXs with strongest signals may
be in different frequency bands.
In idle mode, mobile phone monitors all the BCCH TRXs in BA list and averages each Relev from BCCH TRX within 5
s to Max {5, ((5 * N + 6) DIV 7) * BS_PA_MFRMS / 4} s. N is the number of BCCH TRXs outside service area in BA list.
Each RLA_C requires at least five level measurement samples and has to be updated from time to time. Service
area samples the Relev at least once for each paging block to mobile. RLA_C is calculated by averaging the level
samples received from 5s to Max {5s, five consecutive paging blocks of that MS}.
Each RLA_C update is followed by the update of the six BCCH TRXs outside the service area in BA list. And the latter
update may be even faster.
Mobile phone decodes all the BCCH data in a service cell every other 30 s and the BCCH data blocks related to cell
re-selection parameters of the six BCCH TRXs with strongest signals every other five minutes. When the mobile
phone detects that a new BCCH TRX becomes one of the six TRXs with strongest signals, this BCCH TRX data should
be decoded within 30 s. Mobile phone checks the BSICs of the six BCCH TRXs with strongest signals to make sure
they are in the same cell. If the BSIC of a TRX is changed, the MS will regard the TRX as new TRX and reread the
BCCH data.
MS will re-select a neighbor cell as service cell under certain condition. This condition includes several factors, such
as RLA_C, cell restriction (decided by cell_bar and cell_bar_qualify), and access state of the neighbor cell.
Cell re-selection adopts C2 algorithm. The calculation formula is as follows:
� When PENALTY TIME is not 11111
C2=C1+CELL_RESELECT_OFFSET–TEMPORARY_OFFSET*H (PENALTY_TIME–T);
� When PENALTY_TIME is 11111
C2=C1-CELL_RESELECT_OFFSET.
When X>0, function H(x) =0; when X≤O, function H(x) =1.
16
T is a timer; its initial value is 0. When a cell is included in the six neighbor cells with strongest signals by MS, the
timer T of this cell begins to time; when a cell is excluded from the six neighbor cells with strongest signals by MS,
T will be reset.
CELL_RESELECT_OFFSET adjusts the value of C2.
After T starts, TEMPORARY_OFFSET will modify the C2 algorithm according to the defined value before the penalty
time in order to avoid a micro cell or a cell with small coverage area is selected by a fast moving MS. If the defined
penalty time is out, the temporary offset will be ignored. Penalty time can avoid the frequent cell re-selection in
those coverage areas like express highway.
These parameters in C2 algorithm works only when CELL_RESELECTION_INDICATION is activated. Otherwise, MS
will ignore the setting of CELL_RESELECT_OFFSET, TEMPORARY_OFFSET, and PENALTY_TIME, under such
circumstances, C2=C1.
Cell re-selection will be triggered under the following conditions:
� The C2 value of a certain cell (belonging to the same location area with the current cell) exceeds that of the
current cell by 5 seconds successively;
� The C2 value of a certain cell (belonging to different location area from the current cell) exceeds the sum of
the C2 value of the current service cell and cell selection hysteresis value by 5 seconds successively;
� The current service cell is barred;
� MS detects downlink failure;
� The C1 value of the service cell is less than 0 for 5 seconds successively.
1.7 Frequency Hopping
With the ever growing traffic volume and the limited frequency resource, frequency reuse is more and more
aggressive. Therefore, the problem of how to reduce frequency interference becomes more and more remarkable.
The essence of anti-interference is to fully utilize the current spectrum, time domain, and space resources. The key
measures include frequency hopping, discontinuous transmission (DTX), and power control. Frequency hopping
also can effectively reduce the influence of fast fading.
1.7.1 Types of Frequency Hopping
GSM radio interface uses slow frequency hopping (SFH) technology. The difference between slow frequency
hopping and fast frequency hopping is that the frequency of latter changes faster than frequency modulation. In
GSM, the frequency remains the same during burst transmission. Therefore, GSM frequency hopping belongs to
slow frequency hopping.
In frequency hopping, the carrier frequency is controlled by a sequence and hops with time. This sequence is
frequency hopping sequence. Frequency hopping sequence is a sequence of frequencies decided by hopping
sequence number (HSN), mobile allocation index offset (MAIO) and frame number (FN) through a certain
algorithm in the mobile allocation containing N frequencies. The N channels of different timeslots can use the
same hopping sequence. The different channels of the same timeslot in the same cell adopt different MAIO.
Frequency hopping can be divided into frame hopping and timeslot hopping according to time domain and RF
hoping and baseband hopping according to implementation mode.
� Frame hopping: the hopping frequency changes once in each TDMA frame period. Each TRX can be regarded
as a channel. The TCH of BCCH TRX cannot join in the frequency hopping in a cell. The hopping TRX should
have a different MAIO. Frame hopping is an exception of timeslot hopping.
� Timeslot hopping: the timeslot frequency of each TDMA frame changes once. The TCH of BCCH TRX can join
in the frequency hopping, which happens in baseband hopping.
� RF hopping: both transmission and reception of TRX join in the frequency hopping. The number hopping
frequencies can exceed the number of TRXs in the cell.
17
� Baseband hopping: each transceiver works at a fixed frequency. TX does not join in frequency hopping.
Frequency hopping is performed through the handover of banseband signal. Therefore, the number of
hopping frequencies cannot exceed the number of TRXs in the cell.
The two frequency hopping modes above are based on BTS. As for MS, since each MS has only one TRX unit, RF
hopping is the only mode.
I. Baseband Hopping
The system has multiple baseband and TRX processing unit. Each TRX processing unit has a fixed working
frequency; each baseband processing unit processes one line of service information and sends the processed
information to the TRX unit with bus topology in time sequence according to frequency hopping rule. This kind of
frequency hopping is called “baseband hopping”.
In baseband hopping, each transceiver works with a fixed frequency. The bursts on the same speech path are sent
to each transceiver. Baseband hopping is based on the handover of baseband signals. Since the transceiver of each
BTS has a fixed working frequency, both broadband combiner and cavity combiner can be adopted. The number of
TRXs decides the maximum number of frequency hopping. The problem for baseband hopping is that if one TRX
board fails, the corresponding code word will be lost, thus affecting all the calls under hopping mode in the cell.
Figure 1-6 Baseband hopping
II. RF Hopping
Under this mode, each line of service information is processed by fixed baseband unit and frequency band unit.
The working frequency of frequency band unit is provided by frequency combiner. Under the control of control
unit, frequency can be changed according to certain rules. In RF hopping, the frequencies used by a TRX to handle
all the bursts of a call come from the frequency change of combiner, instead of the handover of baseband signals.
The number of TRXs is not limited by carrier frequency. As the working frequency of TRX changes, which means the
frequency of the input port to combiner changes, only broadband combiner can be adopted. This kind of
broadband combiner leads to about 3dB insertion loss in two-in-one combination and the loss is greater in the link
insertion of multi-combiner. GSM protocol does not specify which kind of frequency hopping is used in GSM BTS.
The mode of frequency hopping can be decided by operators according to the equipments.
18
Figure 1-7 RF hopping
1.7.2 Frequency Hopping Algorithm
The parameters related to frequency hopping algorithm are as follows:
� CA: cell allocation, the collection of frequencies used by a cell
� FN: TDMA frame number, broadcasted on sync channel. FN (0–2715647) synchronizes BTS with MS
� MA: mobile allocation, the collection of radio frequencies used for MS frequency hopping. It is a subset of CA.
MA contains N frequencies, 1≤N≤64.
� MAIO: mobile allocation index offset, (0–N-1). During communication, the radio frequency at air interface is
an element of MA. Mobile allocation index (MAI, 0–N-1) is used to determine the element of MA. That is to
say, the actual frequency used is decided by MAI. MAIO is the initial offset of MAI and it is used to avoid the
contention of frequency by several channels at the same time.
� HSN: hopping sequence number (0–63). It determines that the hopping sequence with concentrated
frequencies is adopted in frequency hopping. When HSN=0, the hopping is cyclic hopping; when HSN≠0, the
hopping is random hopping.
The proper setting of parameters is based on the understanding of the use of each parameter in hopping algorithm
and the hopping theory. The proper setting ensures the healthy working state of the system. Figure 1-8 is the flow
chart of frequency hopping algorithm.
19
FN
T2(0¡«25)
FN
T3(0¡«50)
MAI
(m0¡«mN-1)
MAIO
(0¡«N-1)
Represent
in 7 bits
T1R=
T1 MOD 64
Exclusive OR
FN
T1(0¡«2047)
HSN
(0¡«63)
Addition
Look-up table
Addition
M'=M mod 2^NBINT=T3 mod
2^NBIN
M'<N
S=M'S=(M'+T) mod N
MAI=(S+MAIO) mod N
RFCN=MA£¨MAI£©
7bits
5bits11bits
6bits
6bits
7bits
7bits
8bits
6bits6bitsNBIN bits
NBIN bits
YN
NBIN bits
NBIN bits
NBIN bits
Figure 1-8 Frequency hopping algorithm
In Figure 1-8:
Mod: modular arithmetic
^: power arithmetic
NBIN: number of bits required to represent N = INTEGER (log2 (N) +1)
According to GSM protocol 0502:
For cyclic hopping (HSN = 0):
MAI, integer (0 ... N 1) : MAI = (FN + MAIO) modulo N (2-2)
Otherwise, see Figure 1-8:
M, integer (0 ... 152) : M = T2 + RNTABLE((HSN xor T1R) + T3)
S, integer (0 ... N 1) : M' = M modulo (2 ^ NBIN)
T' = T3 modulo (2 ^ NBIN)
If M' < N:
S = M'
Otherwise:
20
S = (M'+T') modulo N
MAI, integer (0 ... N 1) : MAI = (S + MAIO) modulo N (2-3)
Remarks: For the cyclic hopping in discontinuous transmission (DTX), the number of hopping frequencies should
avoid N mod 13 = 0, because under such condition, the probability of transmission and measurement of SACCH
frame at the same frequency is rather high, and the harms are obvious. See the description of DTX in section 1.8
RNTABLE is a function with the parameters from integer 0 to 113, GSM protocol defines its values as shown in
Table 1-4:
Table 1-4 RNTABLE(X)
The following conclusion can be used in the rough estimate of whether inter-frequency or intra-frequency collision
exists:
MAI=(S+MAIO) MOD N
RFCHN=MA (MAI);
When HSN=0, S equals the frame number, in other cases, S is only related to frame number and frequency hopping
number. When HSN is fixed and frame number is the same, S must be the same. Therefore, as the TRXs of each
sync cell have the same frame number, different hopping groups in sync cells can adopt the same HSN. A proper
configuration of MAIO can avoid the inter-cell or intra-cell frequency collision within the same BTS. The aggressive
frequency reuse adopts this theory.
1.7.3 Benefits of Frequency Hopping
In GSM, frequency hopping has two benefits: frequency diversity and interference averaging.
I. Frequency Diversity
Frequency hopping can reduce the influence of signal strength change due to multipath transmission. This effect
equals that of frequency diversity. In mobile communications, Rayleigh fading leads to the great change of radio
signal in a short time. This kind of change is related to frequency: a more independent fading accompanies a
greater frequency difference. The 200 KHz interval generally ensures the independence of inter-frequency fading,
while the 1 MHz interval can fully guarantee this kind of independence. Through frequency hopping, all the bursts
containing the code word of the same speech frame are protected from the damage of Rayleigh fading in the same
way. See Figure 1-9.
21
Figure 1-9 Fading
Statistics shows that frequency hopping gain is related to environmental factors, especially to the moving speed of
MS. When the MS moves at a high speed, the location difference between two bursts on the same channel is also
affected by other kinds of fading. The higher the speed is, the lower the gain will be. Frequency diversity benefits a
lot to a large number of MSs moving at low speed.
Frequency hopping gain is also related to the number of frequencies. When the number of frequencies decreases,
the hopping gain falls. The relationship between the number of frequencies and hopping gain can be explained in
this way: frequency hopping is pseudo spectrum spread, and the hopping gain is the processing gain after
transmission frequency band spread. The basic way to test frequency hopping gain is to calculate the differences
between different C/I at different hopping frequencies under the same FER. These C/I differences are the
frequency hopping gain.
The relationship between the number of frequencies and frequency hopping gain is shown in Table 1-5. (The actual
gain may be affected by environment)
Table 1-5 The relationship between the number of frequencies and frequency hopping gain
Number of TRXs in
frequency hopping
Gain of frequency diversity(dB)
〈=1 0
2 3
3 4
4 5
5 5.5
6 6
7 6.3
8 6.5
9 6.8
10 6.9
>=11 7
22
II. Interference Averaging
Frequency hopping provides the diversity of interference on transmission channel, so that all the bursts containing
the code word of the same speech frame are protected from the damage of interference in the same way. Through
error correction coding and interleaving of the system, the original data can be restored from the rest part of the
received flow. The hopping gain is obtained only when the interference is in narrowband distribution. If the
interference is in broadband distribution, all the bursts will be destroyed and the original data cannot be restored.
Therefore, no hopping gain is obtained. The common interference after frequency hopping can be regarded in
narrowband distribution.
In frequency hopping, error rate tends to increase in the test, but we feel the conversation quality improves. It is
because although the error rate increases, the influence of interference is homogenized in frequency hopping, the
speech restoring ability improves because of the interleaving and de-interleaving before. In GPRS data services,
frequency hopping can be harmful when the data rate is rather high (CS4).
1.8 Discontinuous Reception and Discontinuous Transmission
1.8.1 Discontinuous Reception and Paging Channel
In idle mode, if MS selects a cell as its service cell, it begins to receive the paging information from this cell. But in
order to reduce power consumption, discontinuous reception (DRX) is introduced in GSM. Each user (IMSI) belongs
to a paging group and each paging group corresponds to a paging subchannel. MS can calculate which group it
belongs to based on the last three digits of its IMSI and the configuration of paging channel in this location area,
and then locate the paging subchannel of this paging group. In fact, in idle mode, MS just listens to the paging
information from the system on its subchannel (MS also monitors the Relev of BCCH carrier frequency in non-
service area during this period of time) and ignores the information on other paging subchannels. Some of the
hardware equipments are even switched off to save the power of MS. But MS must complete the required task of
network information measurement within a specified time.
Through DRX, MS can receive the broadcast short messages that the users want to know with less power
consumption, thus extending the service time. BSC has to send scheduling messages to support DRX at MS. One
scheduling message contains lots of broadcast short messages to be sent soon. The time that all broadcast short
messages of a scheduling information takes is a scheduling cycle. Scheduling information contains the description
of all short messages to be broadcast in order and also indicates the position of the messages in scheduling cycle.
Through scheduling messages, MS can find the broadcast short messages it wants quickly so as to reduce its power
consumption.
The number of paging subchannels of each cell can be calculated based on the configuration type of CCCH,
BS_AG_BLKS_RES (the number of blocks belonging to AGCH in 51 multiframe), and BS_PA_MFRMS (the number of
51 multiframes used as one paging subchannel cycle).
When there are three CCCHs in a 51 multiframe, the number of paging subchannels is (3- BS_AG_BLKS_RES)
×BS_PA_MFRMS
When there are nine CCCHs in a 51 multiframe, the number of paging subchannels is (9-
BS_AG_BLKS_RES)×BS_PA_MFRMS
In addition, the configuration of CCCH parameters has the following principles:
� The greater the parameter BS_PA_MFRMS, the more the paging subchannels, and the less the users of each
paging subchannel, but the total capacity of the system remains the same, because the average delay of the
paging information on radio channel increases. When the ratio of retransmission waiting is relatively high,
BS_PA_MFRMS should be improved to increase the paging subchannels; when the ratio of retransmission
waiting is relatively low, BS_PA_MFRMS should be reduced to shorten the paging delay.
� The capacities of paging subchannels of all cells in a location area should be the same, because the paging
message of a location area must be sent in all the cells of this location area at the same time.
23
� The longer the cycle of paging channel, the less power the MS in this service area takes. For example, in cities,
this cycle can be defined as 2, which means MS listens to paging messages once for every 102 frames. In rural
areas, this cycle can be defined as 4 or 6. The MS with the paging channel cycle of 6 consumes 18% less
power than the MS with the paging channel cycle of 2. After measuring the system information, MS enters
the rest state and listens to the paging information in the specified paging blocks only and measures the Relev
of BCCH of neighbor cells at the same time. After 30 s, MS will listen to system information again to judge the
cell re-selection process.
� In GSM, CCCH mainly includes AGCH and PCH. Its primary function is to transmit immediate assignment
messages and paging messages. CCCH can be one or several physical channels and it can also share a physical
channel with SDCCH. The combination mode of CCCH depends on the parameter CCCH_CONF. The
configuration of CCCH_CONF must be consistent with the actual configuration. It is recommended that when
there is only one TRX in a cell, the configuration of CCCH can be a physical channel shared with SDCCH (3
CCCH information blocks).
� When the traffic volume is extremely large, in case one physical timeslot is not enough, GSM specification
allows the configuration of multiple CCCH channels on the TRX besides BCCH, but these channels must be
used in timeslot 0, 2, 4, and 6.
� When CCCH_CONF is confirmed, parameter BS_AG_BLKS_RES actually decides the ratio of AGCH and PCH on
CCCH. It is recommended that this parameter be configured as little as possible in order to reduce the
response time of MS to paging.
1.8.2 DTX
I. DTX Overview
During communication, only 40% time is used for conversation; no useful information is transmitted during the rest
60% time. If all the information is transmitted to network, many of the system resources will be wasted, in
addition, the interference will aggravate. In order to solve this problem, GSM adopts DTX technology to stop signal
transmission when there is no voice signal. Therefore, the interference level is reduced and the system efficiency is
improved.
There are two kinds of transmission modes in GSM: normal mode and discontinuous transmission (DTX) mode. In
normal mode, noise and voice have the same transmission quality. In DTX mode, the transmission of unuseful
messages is prohibited. MS only sends man-made noise signals that are tolerable, which means this noise will not
annoy the listeners nor affect the conversation. This kind of noise is called comfort noise. In DTX mode, 260-bit
code is transmitted in every 480 ms; in normal mode, 260-bit code is transmitted in every 20 ms.
Whether the downlink DTX is adopted or not is controlled by network operators of the exchange part. This kind of
control is based on BSC. The control information is transmitted to baseband processing part through dedicated
signaling channel, and then arrives at TC through the inband signaling of TRAU frame to indicate whether downlink
DTX is adopted. For some vendors, the downlink DTX can be configured on the basis of cell.
Uplink DTX is configured by network operators of the radio part. The parameter DTX in system information consists
of 2 bits. Its coding scheme is shown in Table 1-6:
Table 1-6 Value range of DTX
DTX Meaning
00 MS can use DTX
01 MS must use DTX
10 MS is not allowed to use DTX
11 Reserve
24
Parameter DTX is contained in “cell option” of information unit and transmitted periodically in the system
information of each cell broadcast. MS decides whether to start DTX function based on this information.
DTX can be used for voice signal transmission and nontransparent data transmission. BCCH TRX does not use this
technology. The benefits of DTX are listed below:
� Uplink DTX can save MS batteries and reduce interference.
� Downlink DTX can save BTS power consumption and reduce interference and intra-BTS intermodulation.
� Uplink DTX and downlink DTX used together can improve the intra-frequency ratio of the system. This kind of
improvement, when used in aggressive-frequency-reuse cell planning, especially when used with frequency
hopping, can greatly expand the system capacity.
II. Voice Activity Detection
For voice activity detection (VAD), the source must indicate when the transmission is required. When DTX mode is
activated, the encoder must detect the signal is voice or noise. Therefore, the VAD is required. VAD can
differentiate voice from noise through calculating some signal parameters and threshold values. This kind of
differentiation is based on an energy rule: the energy of noise is always lower than that of voice.
VAD generates a group of threshold value in every 20 ms to judge whether the next 20ms block is voice or noise.
When the background noise is too loud, the noise signal will be regarded as voice signal to transmit.
III. Silence Indicator
The coding procedure of noise is the same as that of voice. After sampling and quantification, a noise block will be
produce by encoder in every 20ms. Like voice block, the coded noise block also contains 260 bits, which forms a
SID frame. The SID frame will go through channel coding, interleaving, encryption and modulation and finally be
sent by eight continuous bursts.
On TCH, a complete SACCH information block has four 26 muliframe cycles (480 ms). In order to differentiate voice
frame and SID frame, these eight continuous bursts are arranged at the beginning of the third multiframe. During
other time of the 480 ms, no information is transmitted except SACCH timeslot. The SID frame made from the 20
ms noise block is interleaved with the preceding frame and the following frame; the first SID frame is interleaved
with the preceding voice frame and the following SID frame.
IV. Measurement
Uplink DTX and downlink DTX are two irrelevant procedures that are activated by system parameters respectively.
There are two kinds of measurement in GSM: full measurement and sub measurement.
Global measurement is the average of the level and quality of the 104 timeslots in a measurement cycle (four 26
multiframes); local measurement is the average of level and quality of 12 timeslots, including eight continuous TCH
bursts (for TCH/F, 0-103 TDMA frames as a cycle. The frame numbers of these eight bursts are 52, 53, 54, 55, 56,
57, 58, and 59. when no voice or signaling is transmitted, the descriptor of comfort noise they contain is called SID)
and four SACCH bursts (0-103 TDMA frames as a cycle, for timeslot 0, the frame numbers of these four bursts are
12, 38, 64, and 90; for timeslot 1, the frame number is that of timeslot 0 plus 13. similarly, the frame numbers that
the eight timeslots correspond to can be obtained in this way). In order to achieve uniformity, no matter the uplink
DTX or downlink DTX is activated or not, BTS and MS must complete these two kinds of measurement. Each SACCH
measurement report of BTS and MS indicates whether DTX is used in last measurement report time. BSC choose
one of the two kinds of measurement based on this indication.
1.9 Power Control
1.9.1 Power Control Overview
Power control is to change the transmission power of MS or BTS (or both) in radio mode within certain area. Power
control can reduce the system interference and improve the spectrum utilization and prolong the service time of
25
MS battery. When the Relev and quality is good, the transmission power of the peer end can be reduced to lower
the interference to other calls.
In GSM, power control can be used in uplink and downlink respectively. The power control range for uplink MS is
20 dB–30dB. Based on the power class of MS (most MSs belongs to class 4, which means the maximum
transmission power is 33 dbm), each step can change 2 dB. The downlink power control range is decided by
equipment manufacturer. Although whether to adopt uplink or downlink power control function is decided by
network operators, all MSs and BTS equipments must support this function. BSS manages the power control in the
two directions.
To facilitate BCCH frequency pull-in and the measurement of Relev (including the Relev of neighbor cell BCCH
frequency), GSM protocol specifies that no power control is allowed for the timeslots in the downlink of BCCH TRX.
1.9.2 MS Power Control
The power control of MS includes two adjustment stages: stable adjustment stage and initial adjustment stage.
Stable adjustment is the common way to implement power control algorithm. Initial adjustment is used at the
beginning of call connection. When a connection occurs, MS sends signals with nominal power (before receiving
power adjustment commend, the nominal transmission power of MS is the maximum transmission power on BCCH
of the cell. If MS does not support this power level, it will adopt other power level most close to this level, such as
the maximum power level supported by the classmark of MS in indication message establishment). Therefore, MS
accesses to network through RACH with the maximum power broadcast on BCCH. When MS power is lower than
this value, it will transmit with its maximum transmission power. The system specifies that the power level of the
first message that MS sends on DCH is also this value. The system control begins after MS receives the power
control command in SACCH information block from SDCCH or TCH.
Since BTS can support multi-call at the same time, the Rxlev should be quickly reduced in the new connection.
Otherwise, other calls supported by this BTS will deteriorate and the calls in other cells will also be affected. The
purpose of initial adjustment stage is to quickly reduce the transmission power of MS to get the stable MR, so MS
can be adjusted according to stable power control algorithm.
The required parameters in uplink power control, the expected uplink Rxlev, and the uplink received quality can be
adjusted according to the situation of the cell. After receiving a certain number of uplink MRs, the system
compares the actual uplink Rxlev and received quality obtained by interpolation, filtering, and other methods with
the expected values and calculate the power level that the MS should be adjusted to through power control
algorithm. If the calculated power level differs from the output power level of MS and meets certain limit
conditions (such as step limit of power adjustment and range limit of MS output power), the system will send
power adjustment command.
The command of changing MS power and the required time advance will be sent to MS in the layer 1 header of
each downlink SACCH information block. MS will configure the power level it uses now in its uplink SACCH
information block and send it to BTS in measurement report. This level is the power level of the last burst in the
previous SACCH measurement cycle. When MS receives the power control information in SACCH information block
from DCH, it will transmit with this power level. One power control message does not make the MS switch to the
required level immediately. The maximum change rate of MS power is 2 dB for every 60 ms. For 12 dB, before MS
receives the next power control message, it will not end as one SACCH measurement cycle takes 480 ms. In
addition, it takes three measurement cycles to send power control message and execute the command. Therefore,
the power control cycle should not be too short in order to ensure its accuracy. See Figure 1-10.
26
Figure 1-10 Execution of power control command
The purpose of uplink power control adjustment is to minimize the difference between the actual uplink Rxlev and
received quality and the expected uplink Rxlev and received quality. The purpose of interpolation and filtering is to
process the lost measurement reports and remove temporary nature to ensure the stability of power control
algorithm.
The difference between initial adjustment and stable adjustment is that the expected uplink Relev and received
quality and the length of filter in initial adjustment are different from that of stable adjustment, and the initial
adjustment only has downlink adjustment.
1.9.3 BTS Power Control
BTS power control is an optional function. It is similar to MS power control, but it only uses stable power control
algorithm. The required parameters are Rxlev threshold (lower limit), and the maximum transmission level can be
received (upper limit). The Relev is divided into 64 levels ranging from 0 to 63. Level 0 is the lowest Rxlev; level 63
is the highest Rxlev.
BTS power control is divided into static power control and dynamic power control. Dynamic power control is the
fine tuning based on static power control. There are six steps (2 dB/step) of static power control according to
Protocol 0505. If the maximum output power is 46 dBm (40W), the step 6 is 34 dBm.
Static power control step is defined in the cell distributes list of data management system, which specifies the
maximum output power (suppose this value is Pn) of static power control. For step 15 of dynamic power control,
the corresponding value range is Pn dB–Pn-30dB. When the maximum power control still cannot satisfy the
requirement, adjust static power control step to improve the maximum output power of dynamic power control
Pn.
1.9.4 Power Control Processing
I. Measurement Report Interpolation
Each measurement report has a sequence number. If network detects incontinuous sequence numbers, it means
some of the measurement reports are missing. The network will complete the reports based on interpolation
algorithm.
As shown in Figure 1-11, the network receives measurement reports n and n+4. It detects the sequence numbers
are not continuous, so it uses an algorithm to add n+1, n+2, and n+3 (yellow) to complete the reports.
27
The purpose of measurement report interpolation is to avoid call loss when the power is too low.
Figure 1-11 Measurement report interpolation
II. Measurement Report Filtering
Network will not judge the state of MS based on only one measurement result, because that is too
incomprehensive, in addition, the MS may be fluctuating. Therefore, filtering is required. Filtering combines several
continuous measurement results together to determine the state of MS during this period of time. In Figure 1-12,
the network uses four measurement reports (yellow).
TA has filters for Rxlev and received quality of uplink and downlink
The purpose of measurement report filtering is to remove temporary nature and ensure the algorithm stability.
Figure 1-12 Measurement report filtering
III. Power Control Adjustment
Calculate the power adjustment value based on the difference between the Rxlev and the expected value.
� Power control adjustment based on Rxlev
Power control module compares the estimate value of Rxlev obtained through pre-processing of measurement
report with the expected value, and calculates the step length of adjustment. In power control algorithm, variable
step is often used for quick power control.
� Power control adjustment based on received quality
Power control module compares the estimate value of received quality obtained through pre-processing of
measurement report with the expected value, and calculates the step length of adjustment. When the received
quality is bad, improve the transmit power; when the received quality is good, reduce the transmit power. This
kind of power control adopts fixed step.
� Comprehensive decision for power control
Consider both Rxlev and received quality and adopt different power control strategies in different conditions to
keep the stability and efficiency of power control algorithm.
28
Table 1-7 Comprehensive decision for power control
Relev power control
adjustment
Received quality power
control adjustment
Comprehensive power
control adjustment
Reduce TP Reduce TP Reduce transmit power
Reduce TP Improve TP No action
Reduce TP No action Reduce TP
Improve TP Reduce TP Improve TP
Improve TP Improve TP Improve TP
Improve TP No action Improve TP
No action Reduce TP Reduce TP
No action Improve TP Improve TP
No action No action No action
Note:
TP = transmit power
Table 1-7 shows how comprehensive decision for power control works. When the received quality requires the
improving of transmit power while the Rxlev requires the reducing of it, the system will make a comprehensive
decision to perform no power control adjustment, because bad received quality and good Rxlev represent strong
network interference. Under such circumstances, improving transmit power will further increase the interference.
1.10 Immediate Assignment Procedure
The purpose of immediate assignment is to establish a radio connection (RR connection) between MS and system
at Um interface.
1.10.1 Network Access License and Random Access Request
The request of MS for channel assignment is controlled by its own access level and the access grant level broadcast
in cell. Each MS has one access level of the ten levels from 0 to 9. In addition, it may also have one or several levels
of the five special access levels from l1 to 15. Access level is stored in SIM card. BCCH system information
broadcasts access levels and special access levels that the network grants and the information that whether all
MSs allow emergency call or allow special access levels only. If the mobile originated call is not emergency call, the
MS can access to network only when it belongs to the granted access level or granted special access level. If the
mobile originated call is emergency call, the MS can access to network only when all the MSs in the cell allow
emergency call or it belongs to the granted special access level.
When an MS wants to establish connection with the network, it sends a channel request to network through RACH
channel. Channel request information contains 8-bit useful signaling information, among which 3 bits–6 bits are
used as the minimal indicator of access cause. The system processes different channel requests based on this
rough indication. It differentiates the granted calls from the denied calls and assigns proper channels for the
granted calls. This kind of process is especially useful when the network is overload and the flow control is
required. Since the channel capacity is limited, this indicator cannot transfer all the information from MS, such as
the detailed cause of channel request, user identity and the features of mobile equipment. These kinds of
information are sent in the following SABM messages. The 8-bit information also contains the random
discriminator sent by the MS and the immediate assignment command (it contains information about the assigned
channel). Immediate assignment command carries the discriminator sent by the previous MS. MS compares this
discriminator with its own discriminator and judges whether it is the message for itself from network. Since there
29
are at most 5 bits in the 8 bits information carrying discriminator, only 32 MSs can be differentiated at the same
time. Further discrimination of the MSs requires the response information at Um interface. Channel request
information belongs to internal information of BSS.
In GSM, RACH is a kind of ALOH. In order to reduce the collision on RACH during MS access to network and
improve the efficiency of RACH channel and MS access. GSM specifies the required access algorithm for MS. This
kind of algorithm defines three parameters: Tx_interger T, the maximum retransmission times RET, and parameter
S related to T and channel combination.
T represents the number of timeslots between two transmissions when continuous channel requests are sent. S is
an intermediate variable depends on T and the configuration of CCCH. See the description of this parameter in
Chapter 7. RET is the MS maximum retransmission times allowed in order to avoid access collision. Each time after
MS sends access request, T3120 is to receive (or reject) immediate assignment message. MS will retransmit access
request for the messages that are not received or rejected when T3120 times out under the premise that RET is
not exceeded and restart the T3120. When the retransmission times reaches RET and T3120 times out, T3126 will
be started to receive (or reject) immediate assignment message. When T3126 times out, cell re-selection will be
initiated.
1.10.2 Initial Immediate Assignment
After decoding the channel request information, BTS sends a channel required message to BSC. This message
contains important additional information and the estimation of TA by BTS. After receiving this message, BSC
selects a proper channel for this request and activates the land resources by sending a channel active message to
BTS. BTS returns a channel active acknowledge message to BSC. If BSC receives this message, BTS will send an
immediate assignment command or immediate assignment extended message on CCCH. In order to improve
channel efficiency, GSM introduces the message layout of immediate assignment extended that contains the
assignment information of two MSs. The immediate assignment message contains the assignment information of
one MS. According to GSM specifications, MS must identity the immediate assignment (extended) information for
the last three channel requests.
If there is no channel to activate, BSC will send an immediate assignment reject or immediate assignment
extended reject message to MS. After receiving the reject message, MS stops T3120 based on one of the last three
channel requests and starts T3122. During the specified time of T3122, MS has no access to network and turns into
idle mode. Before T3122 times out, MS cannot initiate connection attempt except emergency call within the same
cell.
After receiving immediate assignment message, MS compares the received assignment command with the
information stored in its channel request and judges whether this message is for itself. If this message matches one
of its last three channel requests, MS will stop T3120 or T3126 and switch to the assigned channel. Then it starts to
establish the signaling link by using Set Asynchronous Balanced Mode (SABM) command.
1.10.3 Initial Message
After receiving immediate assignment message and decoding it, MS adjusts its configuration of transmission and
reception to the assigned channel and transmits signaling according to the TA value specified by BSS and the initial
maximum transmission power broadcast in BCCH system information (see the description of msTxPwrMaxCCH).
MS sends an SABM frame on assigned SDCCH/TCH to establish the asynchronous balanced mode (SAPI=0) that is
used to establish signaling message link layer connection under acknowledgement mode. According to GSM
protocol, SABM carries an initial message that contains layer 3 service request information.
When two MSs send the same channel requests (which is possible in high traffic volume area), the two MSs may
respond to the same dedicated channel. in order to save this problem, after receiving SABM frame, BTS makes no
modification but sends a UA frame (no frame number acknowledgement) containing the same information as that
30
of initial message. If the information of UA frame is different from that of SABM frame, MS will abandon this
channel and start reaccess process. Only the right MS can stay on this channel.
SABM frame carries four kinds of initial messages: CM service request (such as call setup, short message, and
supplementary service), location updating request (generic location updating, periodic location updating, and IMSI
attach), IMSI detach, and paging response. All these messages contain the identity of MS, detailed access cause,
and MS classmark (indicating some key features such as transmission power level, encryption algorithm, short
message capacity, and frequency capacity).
After receiving the initial message, BTS sends an establish indication message to BSC. BSC receives this message
and sends complete layer 3 information to MSC to request SCCP connection to MSC. Layer 3 information carries
the causes for CM service request, which includes mobile originated call, emergency call, location updating, and
short message service. This information also carries cipher key sequence number, MS identification number, and
some physical information of the MS such as transmit power level, ciphering algorithm, pseudo-synchronization,
and short message. After receiving this information, MSC sends connection confirmed message to BSC (if the
connection cannot be established, MSC will send SCCP refused message) to indicate that the signaling link between
MS and MSC has been established. By this time, MSC can control the transmission properties of RR management;
BSS monitors the transmission quality and prepares for handover. Then the MM connection begins.
Authentication or encryption is triggered when required in the following processing.
The process of immediate assignment is shown in Figure 1-13.
Figure 1-13 Immediate assignment
In the immediate assignment process, T3101 starts when BSC sends channel active message to BTS and ends when
the establish indication is received. If T3101 times out before signaling channel is established, the activated
channel will be released.
1.10.4 Immediate Assignment Failure
� If a failure occurs to the underlaying MS on the new channel before the establishment of signaling link, the
network releases the assigned channel of MS. The following processing depends on the failure type and
previous actions. If the failure is caused by the mismatch of message field in decision contention and no re-
assignment is initiated, the immediate assignment is restarted.
If the failure is caused by other reasons or if the re-assignment triggered by the mismatch of message field in
decision contention is carried out and the assignment still fails, MS turns into idle mode and triggers cell re-
selection.
� If the available information is not sufficient to define a channel after the MS receives immediate assignment
message, RR connection fails.
� If the assigned frequencies of MS belong to two or more than two frequency bands, RR connection fails. If the
assigned frequency of MS is not consistent with the requested frequency but supported by MS, MS accesses
31
the channel with the frequency used in channel request. If MS does not support the assigned frequency, RR
connection fails.
� If T3101 times out before the signaling channel is established, network releases the assigned channel.
Network cannot tell whether MS resends the access attempt or not.
1.11 Authentication and Encryption
GSM takes lots of measures to protect the safety of system, such as using Temporary Mobile Subscriber Identity
(TMSI) to protect IMSI, using Personal Identification Number (PIN) to protect SIM card, authentication through
authentication center (AUC) for network access, encryption, and equipment identity register.
Authentication and encryption require a group of three parameters that generated in AUC. Each client is assigned a
Mobile Station International ISDN Number (MSISDN) and IMSI when registers in GSM network. IMSI is preserved
onto SIM card through SIM printer and SIM printer will generate a corresponding client authentication value Ki that is stored
in SIM card and AUC as permanent information. AUC has a pseudo number generator used to generate a random
number RAND. GSM defines algorithm A3, A8, and A5 that are used for authentication and encryption. In AUC,
RAND and Ki together produce a response number SRES through A3 authentication algorithm and a Kc through A8
encryption algorithm. RAND, Kc, and SRES form a three-parameter group of client. This group is stored in the data
base of this client in HLR. Generally, AUC transfers five groups of parameters to HLR for automatic storage. HLR can
save ten groups of such parameters. When MSC/VLR requests for three-parameter group transfer, HLR sends five
groups at the same time for MSC/VLR to use one by one. When there are two groups left, MSC/VLR will request for
transfer again.
1.11.1 Authentication
Authentication is the process that GSM network checks whether the IMSI or TMSI from MS at radio interface is
valid or not. The purpose of authentication is to avoid unauthorized access to GSM network and the theft of
private information by illegal users. Authentication also provides parameters for MS to calculate new encryption
key.
The network initiates authentication procedure in the following situations:
� MS requesting for the change of information in VLR or HLR;
� Service access, including MS originated call, MS terminated call, MS activation and deactivation, and
supplementary services;
� The first network access after MSC/VLR reboot;
� Mismatching Cipher key Sequence;
Whether to initiate authentication procedure depends on if the Kc value of the last service processing stored in
network consistent with that of the present access stored in MS. If consistent, authentication procedure can be
escaped and this Kc value is used directly for encryption; if not, Kc value needs to be recalculated. MS does not
send Kc value to network through radio path for the sake of privacy. Therefore, Cipher Key Sequence Number
(CKSN) is introduced. CKSN is sent to MS by MSC/VLR through authentication request message during the last
network access. It is stored in both SIM card and MSC/VLR. During the initial access of MS, CKSN is sent to
MSC/VLR through the initial request message of SABM frame. MSC/VLR compares it with the last CKSN. If they are
not consistent, authentication is required before encryption. If CKSN=0, it means no Kc is assigned. Authentication
procedure is initiates and controls by network. MSC/VLR sends an authentication request message to MS to initiate
authentication procedure and T3260.
I. Authentication Success
The procedure for authentication success is shown in Figure 1-14:
32
Figure 1-14 Procedure for successful authentication
2. AUTHENTICATION REQUEST contains a RAND (128 bits) and a CKSN. The Ki and RAND together generate a
SERS (32 bits) through algorithm A3 and a Kc (64 bits) through algorithm A8. The new Kc replaces the former
key and is stored in SIM card together with CKSN.
3. MS sends AUTHENTICATION RESPONSE to network. After receiving this message, the network stops T3260
and checks its validity (network compares it with the SERS generated by Ki and RAND through algorithm A3
and check whether they are consistent or not), and then enters the subsequent procedures, such as
encryption.
II. Authentication Reject
If authentication fails, it means AUTHENTICATION RESPONSE is invalid.
� If the MS uses TMSI, the network will initiate identity procedure. If the IMSI provided by the MS is different
from that in network, the network will restart the authentication procedure; if the IMSI is correct, the
network will send AUTHENTICATION REJECT to the MS.
� If the MS uses IMSI, the network will send AUTHENTICATION REJECT directly to MS. The procedure for
authentication reject is shown in Figure 1-15:
MSC
AUT_RES(2)
AUT_REJ(3)
BSCBTSMS
AUT_REQ(1)
Figure 1-15 Procedure for authentication reject
After sending AUTHENTICATION REJECT message, the network releases all the MM connections under
establishment and restarts the procedure for RR connection release.
After receiving AUTHENTICATION REJECT message, MS sets the roaming disabled flag and deletes information such
as TMSI, LAI, and cipher key.
If MS receives AUTHENTICATION REJECT message in IMSI DETACH INITIATED state, it stops T3220 after RR
connection is released. If possible, MS initiates local release procedure after the normal release procedure or
T3220 timeout; if not (such as the IMSI detach after switch off), MSRR exits abnormally.
If MS receives AUTHENTICATION REJECT message in other state, it exits all MM connections and call re-
establishment procedures, stops T3210 and T3230, sets and starts T3240 to enter WAIT FOR NETWORK COMMAND
33
state and wait for the release of RR connection; If RR connection is not released after T3240 timeout, MS will exit
RR connection abnormally. Under the two conditions above, MS enters MM IDLE and NO IMSI state.
1.11.2 Encryption
Encryption occurs in service requests such as location updating, service access, and inter-office handover. It
requires the support of GSM network equipment (especially BTS), as well as the encryption ability of MS. The
encryption procedure is shown in Figure 1-16:
I. Signaling Procedure
BTS BSC MSC MS
Ciphering Mode CMP (4)
Cipher Mode CMD (1)Encryption Mode CMD (2)
Ciphering Mode CMD (3)
Cipher Mode CMP (5)
Figure 1-16 Encryption procedure
1. MSC sends BSC a Ciphering Mode CMD that contains encryption algorithm, Kc, and whether the MS is
required to add IMEI in Ciphering Mode CMP.
2. BSC decides the final algorithm based on the encryption algorithm in Ciphering Mode CMD, the encryption
algorithm that BSC allows, and the encryption algorithm that MS supports, and then inform BTS.
3. BSC sends MS Ciphering Mode CMD to inform MS of the selected encryption algorithm.
4. After receiving Ciphering Mode CMD, MS starts the transmission of ciphering mode and sends Ciphering
Mode CMP to the system.
5. After receiving the Ciphering Mode CMP from MS, BSC transfer it to MSC.
II. Procedure Description
� A5 algorithm
GSM protocol specifies eight kinds of encryption algorithm from A5/0 to A5/7. A5/0 stands for no encryption. The
encryption procedure is initiated by the network. The encryption information of Cipher Mode CMD specifies the
required encryption algorithm. The algorithm that generates encrypted code is called A5 algorithm. It calculates by
using the Kc (64 bits) and the current frame number (22 bits) to generate a 114-bit encryption sequence and then
implements XOR operation with the 114-bit burst. Two encryption sequences are used for uplink and downlink. For
each burst, one sequence is used for MS encryption and BTS decryption, the other sequence is used for BTS
encryption and MS decryption.
� Encryption algorithm selection
When MS initiates call request, the SABM frame carries Classmark 1 or 2 to indicate whether the MS supports
algorithm A5/1, A5/2, or A5/3, and reports Classmark 3 in CLASS MARK CHANGE to further indicate whether the
MS supports Algorithm A5/4, A5/5, A5/6, or A5/7(In system information, if ECSC=1, MS reports Classmark 3
immediately; if ECSC = 0, the Classmark 3 is reported after CLASSMARK ENQUIRY is initiated by the network.
Therefore, the configuration of ECSC = 1 is recommended when the encryption is used). MSC sends encryption
command based on the configuration of secret data. BSC chooses the intersection of the encryption algorithm
allowed in the command sent by MSC, the encryption algorithm allowed in BSC data configuration, and the
34
encryption algorithm supported in the MS report. In the intersection, BSC selects a proper algorithm based on the
priority level of A5/7 > A5/6 > A5/5 > A5/4 > A5/4 > A5/3 > A5/2 > A5/1 > A5/0.
� Encryption in handover
The HANDOVER REQUEST contains the encryption information unit that indicates the required encryption
algorithm and key. If one of the two A interfaces of BSS is in PHASE I, due to the limitation of ETSI GSM PHASE I
protocol (no ciphering mode setting information unit in handover command), the two A interfaces match only
when they share the same encryption algorithm (such as A5/2) to ensure the normal inter-BSC handover.
Otherwise, special treatment has to be made to the target MSC or target BSC (or the source MSC or source BSC) to
change the handover command for inter-BSC handover.
For the interconnection of A-interfaces when the encryption is used, whether special data configuration is required
for BSC and MSC must be considered.
1.11.3 TMSI Reallocation
After authentication and encryption, the system sends CM SERVICE ACCEPT or TMSI reallocation command to MS
and initiates T3250.
When MS registers in the location area for the first time, the network allocates a TMSI to it. When the MS leaves
this location area, it releases the TMSI. When the MS receives the TMSI reallocation command, it saves the TMSI
and LAI and sends TMSI reallocation complete message. After receiving this message, the network stops T3250.
If the system cannot identify TMSI of the MS, for example, when the data base error occurs, the MS must provide
its IMSI. The identification program is initiated before the TMSI reallocation to request for the IMSI.
The identification program sends identity request message to the MS, after receiving this message, the MS
provides its IMSI by sending identity response message to the network. When this procedure is over,
authentication, encryption, and IMSI reallocation are implemented if required.
1.11.4 Exceptional Situations
I. Authentication
� RR connection failure
If the network detects RR connection failure before receiving AUTHENTICATION RESPONSE, it releases all the MM
connections and terminates all the active MM procedures.
� T3260 timeout
T3260 is started when MSC sends authentication request to BSC and stops when MSC receives AUTHENTICATION
RESPONSE. If the T3260 times out before the AUTHENTICATION RESPONSE is received, the network releases RR
connection, terminates the authentication procedure and all the active MM procedures, and then releases all the
MM connections and initiates RR connection release procedure.
� Unregistered SIM card
If the SIM card of the MS is not registered, the network sends AUTHENTICATION REJECT message directly to the
MS.
II. Encryption
� Encryption reject
If BSS does not support the encryption algorithm specified in CIPHERING MODE CMD, it sends CIPHER MODE
REJECT message to MSC.
If the encryption is initiated in BSS before MSC requests for the change of encryption algorithm, BSS also sends
CIPHER MODE REJECT message to MSC.
35
� Un-encrypted MS
The CIPHERING MODE COMMAND message is valid when:
–The un-encrypted MS receives CIPHERING MODE COMMMAND message that requires encryption.
–The un-encrypted MS receives CIPHERING MODE COMMMAND message that requires non-encryption.
–The encrypted MS receives CIPHERING MODE COMMMAND message that requires non-encryption.
In other cases, CIPHERING MODE COMMAND is considered wrong. The MS sends RR STATUS message with the
cause of protocol error and performs no action.
III. TMSI Reallocation
� RR connection failure
If RR connection fails before TMSI reallocation complete message is received, all the MM connections are released
and both the old and new TMSIs are saved during a certain recovery time.
� T3250 timeout
T3250 is started when MSC sends TMSI_ REALL_ CMD message or LOC UPD ACC message with the new TMSI and
stops when MSC receives TMSI _REALL_COM. If T3250 times out before the TMSI _REALL_COM is received, MSC
sends CLEAR COM message to release RR connection and terminate TMSI reallocation.
1.12 Location Update
In GSM, the paging information cannot be sent in the whole network due to the capacity limit of the paging
channel. Therefore, the definition of location area (LA) is introduced. LAC contains many cells. The paging for the
MS is carried out through the paging in all the cells within the LA of the MS. The size of the LA is of vital importance
to the system performance in network design.
The registration management for the LA is required since the paging for the MS is carried out through the paging in
all the cells within the LA, which brings about the definition of location update. Location update is divided into
generic location update, periodic location update, and IMSI attach.
1.12.1 Generic Location Update (Inter-LA Location Update)
When the MS moves from one LA to another LA, registration is required. If the LAI stored in the MS is different
from the LAI of the current cell, the MS informs the network to change the location information it stores. This
procedure is called generic location update.
In idle mode, if cell re-selection occurs when the MS moves within the LA, the MS will not inform the network
immediately but implement cell re-selection without location update or network involvement. If the MS moves to
another LA after re-selection, the MS informs the network of this LA change, which is called forced registration.
According to whether the VLR changes or IMSI involves, generic location update is divided into the following types:
I. Intra VlR Location Update
It is the simplest location update that requires no IMSI. It happens in the current VLR without informing the HLR.
In the initial message carried by SABM frame, the access cause is MM LOCATION UPDATING REQUEST that carries
the MS TMSI and LAI. The generic location updating is indicated. MSC receives this message and forwards it to VLR.
VLR updates the MS location information and stores the new LAI, and then sends a new TMSI to MS if required (MS
uses the former TMSI if no TMSI is carried in the TMSI re-allocation command). After receiving the TMSI re-
allocation complete message, MSC sends location updating accept message and releases the channel. Location
updating completes.
36
Figure 1-17 Location updating procedure
II. Inter-VLR Location Updating, Sending TMSI
After the MS enters a cell, if the current LAI is different from the LAI it stores, it sends its LAI and TMSI to VLR
through MSC in location updating request. VLR deduces the former VLR based on the LAI and TMSI it received and
sends a MAP_SEND_IDENTIFICATION to the former VLR to request for IMSI and authentication parameter. The
former VLR sends the IMSI and authentication parameters to the current VLR. If the current VLR cannot obtain the
IMSI, it sends MS an identity request message to request for the IMSI. After receiving the IMSI, VLR sends HLR the
location updating message that contains the MS identity information for the data query and path establishment of
HLR. After receiving this message, HLR stores the number of the current VLR and sends MAP/D_CANCEL_LOCATION
to the former VLR if the current MSC/VLR has the normal service rights. After receiving this message, the former
VLR deletes all the information about this MS and sends the HLR a MAP/D_CANCEL_LOCATION_RESULT message to
confirm the deletion. The HLR will send MAP_INSERT_SUBSCRIBER_DATA message to provide the current VLR with
the information it requires (including authentication parameters) after the procedure for authentication,
encryption, and TMSI reallocation is over, and confirm the location updating after receiving the response from the
VLR.
III. Inter-VLR Location Updating, Sending IMSI
The procedure is similar with the procedure above but easier because it requests for authentication parameter
from the HLR through IMSI directly.
1.12.2 Periodic Location updating
The network and the MS lose contact when:
� The MS is switched on but moves out of the network coverage area (dead zone). The network lost contact
with the MS and regards it still in attach status.
� The MS sends IMSI detach message and the uplink quality is bad due to interference, the network may not be
able to decode this message correctly. The MS is still regarded in attach status.
� The MS is power off. It cannot inform the network of its status and the contact is lost.
37
If the paging for MS happens when the contact is lost, the system sends paging information in the LA that the MS
registered before. The network cannot receive the response from the MS. The system resource is wasted. To solve
this problem, the implicit detach timer is introduced in the VLR for the IMSI status management. In addition,
measures are taken in BSS to force the MS to report its location periodically. Therefore, the network is informed of
the status of MS. This kind of mechanism is called periodic location updating. The network sends a periodic
location updating time T3212 to all the users in the cell through BCCH to force the MS to send location updating
request with the cause of periodic location updating after T3212 times out.
Before the T3212 times out, if the timeout value is changed (for example, the service cell changes and the T3212
timeout value is broadcast), the MS uses the time when the change happens as the initial value and keep on
timing.
If the T3212 times out when the MS is in NO CELL AVAILABLE, LIMITED SERVICE, PLMN SEARCH, or PLMN SEARCH-
NORMAL SERVICE status, the location updating is initiated after the MS is out of these service status.
Periodic location updating ensures the close contact between network and mobile users. The shorter updating
period leads to better network performance. But the frequent location updating will increase the signaling flow
and reduce the utilization of the radio resources, or even affect the processing ability of MSC, BSC, and BTS. On
the other hand, it will greatly increase the power consumption of MS and reduce its standby time. The T3212
setting should be based on comprehensive consideration.
The procedure for periodic location updating is the same as that for generic location updating.
1.12.3 IMSI Attach and Detach
IMSI attach and detach means to attach a binary mark to the subscriber record in MSC/VLR. The former one is
marked as access granted, and the latter one is marked as access denied.
When the MS is switched on, it informs the network of its status change by sending an IMSI ATTACH message to
the network to inform. After receiving this message, the network marks the current user status in the system
database for the paging program.
If the current LAI and the LAI the MS stores are the same, IMSI attach is initiated. The procedure is similar to the
intra VLR location updating only that the location updating request message is marked as IMSI attach and the initial
message contains IMSI of the MS.
If the current LAI is different from the LAI stored, generic location updating is initiated.
When the MS is switched off, the IMSI detach is triggered by a key-press. Only one command is sent to MSC/VLR
from the MS. This is an unacknowledged message. After receiving this message, MSC informs VLR to do detach
mark to this IMSI while the HLR is not informed of the no-radio of this user. When the paging for this user occurs,
HLR requests for the MSRN from the VLR and is informed of the no-radio of this user by this time. Therefore, no
paging program is implemented. The paging message is handled directly, such as playing the record: "The
subscriber is powered off."
The procedure above is explicit IMSI detach. There is also implicit detach. The implicit detach happens before the
implicit detach timer times out. If the contact between MS and network is not established, the VLR sets the IMSI
status as detach. The implicit detach timer is set longer than the periodic location updating timer T3212 to avoid
"abnormal" implicit detach. The implicit detach is denied during the establishment of radio connection. The
implicit detach timer is reset after the release of radio connection. Implicit detach timer is also called IMSI delete
time.
VLR deletes the IMSI marked as detach periodically (The period is adjustable) and reports the user status to the
HLR.
38
1.12.4 Exceptional Situations
I. MS
� Access denied because of access level limit
MS stays in the service cell and performs the normal cell re-selection procedure without triggering location
updating. When the current cell allows access or other cell is selected, The MS initiates location updating
immediately.
� IMMEDIATE ASSIGNMENT REJECT message is received during random access
MS stays in the service cell and starts T3122 based on the value in the immediate assignment reject message. The
normal cell selection and re-selection procedure is performed. If the cell that the MS stays changes or T3122 times
out, the MS initiates location updating.
� Random access failure
If the random access fails, T3213 is started. After the T3213 times out, the random access procedure is initiated. If
two successive random accesses fail, the location updating is terminated. For the subsequent processing, see the
following description.
� RR connection failure: Location updating procedure is terminated. For the subsequent processing, see the
following description.
� T3210 timeout: Location updating fails. For the subsequent processing, see the following description.
� The completion of RR connection is abnormal: Location updating fails. For the subsequent processing, see the
following description.
� Location updating reject due to reasons other than #2, #3, #6, #11, #12, or #13: MS waits for the release of
RR connection. For the subsequent processing, see the following description.
# 2 (IMSI unknown in HLR)
# 3 (Illegal MS)
# 6 (Illegal ME)
# 11 (PLMN not allowed)
# 12 (Location Area not allowed)
# 13 (Roaming not allowed in this location area)
Subsequent processing: If the T3210 is still timing, stop it; If T3210 times out, RR connection fails. Add 1 to the
location updating attempt timer. The following processing depends on the LAI (stored and received from the
service cell) and the value of the location updating attempt timer.
If the location updating status is UPDATED, the stored LAI and the received LAI are the same, and the location
updating attempt timer is less than 4, MS keeps the UPDATED status. After the release of RR connection, the sub
status of MM IDLE becomes NORMAL SERVICE. The MS also stores the information about the former location
updating type. The T3211 is started after RR connection release. After it times out, the location updating
procedure is started again.
If the location updating status is not UPDATED, or the stored LAI is different from the received LAI, or the location
updating attempt timer is equal to or less than 4, the MS deletes the ciphering key sequence, LAI, TMSI stored in
SIM card and sets the location updating status as NOT UPDATED. After the release of RR connection, the sub status
of MM IDLE becomes ATTEMPTING TO UPDATE. After the RR connection release, if the location updating attempt is
less than 4, T3211 is started. Otherwise, T3212 is started. After the T3211 or T3212 times out, the location
updating procedure is started again.
After the sub status of MM IDLE becomes ATTEMPTING TO UPDATE, the MS will do the following:
� If T3211, T3213, or T3212 times out, perform location updating.
� If LA changes, perform generic location updating
39
� If the cause for the status change is (3), (4), (6) (the cause is not the abnormal release with unknown reason),
or (7) (cause “retry in the new cell”), perform location updating when entering the new cell.
� If the cause for the status change is (5), (6) (the cause is abnormal release with unknown reason), or (7) (the
cause is not “retry in the new cell”), location updating is not performed when entering the new cell.
� No IMSI detach.
� Support emergency call request
� Respond the paging with IMSI
� Perform generic location updating triggered by the request from CM layer (if the location updating
succeeds, the MML connection request will be accepted. For details, see section 4.5.1 of the Protocol 0408).
II. Matching Between IMSI Delete Time and T3212
If the periodic location updating fails for four times, T3212 will be started for the next update. In the bad coverage
area, especially in the area where the uplink and downlink do not match (downlink is better than uplink), after the
periodic location update fails,
Another location updating is initiated after T3212 times out. Therefore, the T3212 is set to be shorter in the bad
coverage area. In addition, if the IMSI delete time is less than twice of the T3212, the users stay in the service area
but cannot be called. So the IMSI delete time should be more than twice of the T3212 and based on LAC.
III. Network
� RR connection failure
Among all the sub procedures attached to the location updating procedure, if the RR connection fails, it is handled
according to the exception handling of other common procedures.
If no other common procedure is attached to the location updating procedure, the MS location updating is
terminated.
� Protocol error
If the network detects protocol error after receiving LOCATION UPDATING REQUEST, it sends LOCATION UPDATING
REJECT message to the MS with the following cause if possible:
#96 required IE error
#99 IE error or no IE exists
#100 Conditional IE error
#111 Protocol error, undefined
After sending LOCATION UPDATING REJECT to the MS, the network initiates channel release procedure.
1.13 MS Originating Call Flow
The MS needs to set up a main signaling link to connect to MSC first, and then initiates the authentication,
encryption, and TMSI reassignment flow.
1.13.1 Called Number Analysis
After the authentication, encryption, and TMSI reassignment flow are over, the MS starts the call setup flow.
First, the MS sends a SETUP message to the network side. This message contains called number and the required
services. The MSC implements the call proceeding according to the message.
When receive the SETUP message, the MSC sends the outgoing call message SEND_INFO_FOR_O/C_CALL to the
VLR. After receive the outgoing call message, the VLR analyzes the items such as called number, the calling party
capability, and network resources capability according to the user information obtained from the HLR during the
location updating process, to check whether to accept this call request. If a certain item cannot be passed, the VLR
40
sends the RELEASE COMPLETE message to the MS. The call fails. The MS then proceeds to release the bottom layer
connection and switches to the idle state. If the above items can be passed, the VLR sends the COMPLETE_CALL
message to the MSC. After receive this message, the MSC sends the CALL PROCEEDING message to the MS. It
means that the call request is accepted and the call is set up.
Figure 1-18 MS originating call flow
1.13.2 Voice Channel Assignment (Follow-up Assignment)
After send the CALL PROCEEDING message to the MS, the MSC activates the follow-up assignment according to the
service request. That is, assign the TCH voice channel to the user. At this time, the MSC sends the ASSIGNMENT
REQUEST message to the BSC. This message contains the information such as the requested channel type to
request the BSC to assign the TCH voice channel for the call.
After receive the channel request from the MSC, the BSC sends the Channel Activation for TCH message to the BTS
to activate corresponding terrestrial resources and start a timer at the same time if the TCH channel resources are
available. If the BTS has prepared the resources such as circuit, the BTS sends the CHANNEL ACTIVATION ACK
message to the BSC. If the BSC has no available resources to assign, it sends the RESOURCE FAILURE message to the
MSC. But if the system allows queuing, the BSC sends the QUEUING INDICATION message to the MSC and places
the assignment request in the queue and starts the timer T11. If the T11 times out, the BSC sends the CLEAR
REQUEST message to the MSC.
The immediate assignment request, intra-BSC handover, and inter-BSC handover do not support queuing. Only the
TCH resource request (that is, the assignment request and intra-cell handover) allows queuing. The TCH resource
requests in the queue are assigned with relevant channels in the sequence of their priorities. In the length of the
queue reaches its threshold or the timer times out, the request is rejected.
When the BSC receives the CHANNEL ACTIVATION ACK message from the BTS, the BSC puts the physical
information of the channel provided by the BTS in the ASSIGNMENT COMMAND message (this message contains
the information such as channel type, voice/data indication, channel rate, voice decoding algorithm and
transparent transmission indicator, assignment priority and CIC). The ASSIGNMENT COMMAND message is sent to
the MS through the SDCCH channel.
41
Figure 1-19 TCH channel assignment procedure
After receive the ASSIGNMENT COMMAND message from the BTS, the MS adjusts the transceiver configuration to
the TCH channel and then sends the SABM message to the BTS through the FACCH channel in the way of stolen
frame. After the BTS receives the SABM message, the BTS sends the ESTABLISH INDICATION message to the BSC
and then sends an Unnumbered Acknowledge (UA) to the MS, just as the initial signaling channel assignment does.
After receive the UA, the MS sends the ASSIGNMENT COMMPLETE message to the BTS through the FACCH
channel. If the MS fails to identify the assignment information and fails to occupy the specified channel due to the
radio interface failure, radio interface message failure or interference, or hardware problems, the MS returns to
the original channel and sends the ASSIGNMENT FAILURE to the BTS. If the MS does not receive the ASSIGNMENT
COMMAND sent from BTS or the BTS does not receive the response message sent from MS due to interference or
other causes, the system starts the corresponding timers (such as T3103 or T3107) and when the timer times out,
the channel is released.
When receive the ASSIGNMENT COMPLETE message, the BSC sends the ASSIGNMENT COMPLETE message to the
MSC. At the same time, it also sends the RF CHANNEL RELEASE message to the BTS to release the occupied SDCCH
signaling channel. When the BTS releases the signaling channel, it sends the RF CHANNEL RELEASE ACK message to
the BSC. After the BSC receive the message, it considers that the signaling channel is in idle state and can be
assigned to other channel requests.
For different purposes, the GSM has three different channel assignment flows. They are initial channel assignment,
follow-up channel assignment, and handover channel assignment.
� Initial channel assignment: is mandatory to establish the link transmission between the MS and the network.
For example, process the location updating request.
During the establishment of the signaling transmission, if the TCH channel is assigned preferably, this assignment is
called very early assignment (VEA). After the MSC sends the ASSIGNMENT REQUEST message, the BSC does not
apply for new channel but initiate the Mode_Modify flow. After the Mode_Modify is complete, the BSC reports the
ASSIGNMENT COMPLETE message to the MSC.
If the SDCCH channel is assigned first, and the TCH channel is assigned when it is needed, and then ASSIGNMENT
REQUEST message from MSC is sent before the Alerting message, this assignment is called early assignment (EA).
If the SDCCH channel is assigned first and the TCH is assigned after the called party sends the CONNECT message,
Generally, it adopts the EA mode.
42
Figure 1-20 Mode modify in the early assignment flow
If the EA mode is used in the initial assignment, when no SDCCH is available, assign the TCH channel for the
channel request directly. The TCH channel replaces the SDCCH channel to send the signaling message. Please note
that using the TCH channel to transmit the signaling wastes the resources a lot because one TCH channel equals
eight SDCCH channels. When this situation is quite serious, add more SDCCH to meet the requirement in time.
� Follow-up channel assignment
After the signaling channel finishes the authentication and encryption process, if there is still voice or data request,
the follow-up channel assignment is triggered to assign a TCH channel.
� Handover channel assignment
This assignment is used to apply for channels due to handover during the call process.
The system judges whether the handover occurs in the SDCCH or in the TCH to assign corresponding channels. The
handover flow and the assignment flow in the cell are the same. The only difference is that the message names are
different. Similar to the immediate assignment flow, in the MS assignment flow, the timer T3107 starts when the
BSC sends the ASSIGNMENT COMMAND message to the BTS. After the BSC receives the ASSIGNMENT COMPLETE
message from the BTS, the timer T3107 resets. Generally, the timeout of the timer is caused by the bad radio
coverage. When the timer times out, the MS is considered disconnected with the network and the resources are
released for other MSs. Based on the statistics, the channel assignment is generally complete within two seconds.
If the BSC does not receive the ASSIGNMENT COMPLETE message within two seconds, the assignment fails. But
sometime, the network quality is bad, some messages needs to be sent several times, in this case, the assignment
can be extended to five seconds. Generally, if the traffic load of the cell is heavy, set the timer as 2 seconds to 5
seconds. If not heavy, set the timer as 10 seconds.
1.13.3 Call Connection
After receiving the ASSIGNMENT COMPLETE message from the BSC, the MSC sends the Initial Address Message (IAM)
that includes the information used to establish the route to the called network. The MSC will receive the call setup
report soon. If succeeds, the MSC receives an ADDDRESS COMPLETE message (ACM); if fails because of certain
reason (such as busy line or congestion), the MSC receives a RELESASE message from the called end.
If MSC receives the ACM, MSC sends the ALERTING message to the MS (MS translates it into ring back tone). This
message is a DTAP message. If no answer is received from the called party and the calling party does not terminate
the connection, the network will terminate the call or perform no answer call transfer after a while.
If the called party picks up the phone, MSC receives an ANSWER message. The link between the calling party and
the called party is connected. MSC sends a CONNECT message in the CC protocol to the MS. After receiving this
message, the MS sends a CONNECT ACKNOWLEDGE message in the CC protocol to the system. The system starts
charging after receiving this message. If the called end is data device, it enters CONNECT status directly after
43
receiving the SETUP indication. The call connection procedure is over and the two parties start the conversation or
data transmission service.
1.13.4 Call Release
If the calling party hangs up first, the MS sends disconnect message to MSC through FACCH. After receiving this
message, the MSC sends release message to inform the called party to terminate the communication. The end-to-
end connection is over. But the call is not complete, because certain tasks such as sending charge indication are
performed. When the connection to the MS is no longer necessary, the system sends a RELEASE message to the
MS and starts T308. After receiving this message, the MS sends a RELEASE COMPLETE message to the system and
the call is over. The MS stops the T308 after receiving the RELEASE COMPLETE message. Similarly, if the called party
hangs up first, it sends a RELEASE message to the calling party. The MSC sends the calling party a DISCONNECT
message after receiving the RELEASE message. If the call is terminated in an abnormal way, this message further
indicates the cause for that.
When the MSC receives the RELEASE COMPLETE message from the MS, it sends a CLEAR COMMAND message to
BSC to release all the signaling links. This message contains the cause for the call clearance, such as handover
complete or location updating complete. The call connection release is over. If the abnormal release occurs
because of radio link failure or device failure, the BSC sends a CLEAR REQUEST message to the MSC.
After receiving the CLEAR REQUEST message, BSC sends a CHANNEL RELEASE message to the MS and starts T3109
to show that all the lower layer links are released. Meanwhile, it requires the MS to enter the idle mode. When the
MS receives the CHANNEL RELEASE message, it removes the uplink signaling link (to stop sending the
measurement report of uplink channel associated signaling on SACCH). The MS sends DISC message to BTS and
starts T3110. After receiving this message, The BTS sends UA to MS and the RELEASE INDICATION to the BSC. When
the T3110 times out or the MS receives the UA frame, it enters the idle mode.
Figure 1-21 Call release
In order to ensure the timely removal of the uplink and downlink, when the BSC sends the CHANNEL RELEASE
message to the MS for the uplink removal, it also sends a deactivate SACCH (SACCH) to the BTS requiring for the
release of the downlink signaling (to stop the signaling connection between the two parties). After receiving this
message, the BTS stops the transmission of the downlink SACCH frame and sends the deactivate SACCH
acknowledgement to the MSC.
After receiving the RELEASE INDICATION message, BSC resets the T3109 and starts the T3111, and sends RF
CHANNLE RELEASE to the BTS (the T3111 is reset at the same time), requiring for the release of TCH resources.
44
When the BSC receives the RF CHANNLE RELEASE acknowledgement message from the BTS, it sends a CLEAR
COMPLETE message to the MSC, indicating that the radio link clearance is over and the channel is available for
reallocation.
After receiving the CLEAR COMPLETE message, the MSC releases the SCCP connection by sending RLSD and
receiving RLC. The whole MS originating call flow is over.
1.13.5 Exceptional Situations
I. No Establish Indication Message Is Received After Channel Activation
The main causes are:
� The MS may send many channel requests even if the BSS works well, which activates many signaling channels.
But the MS only occupies one of them. Other channels are released by the BSC after the T3101 times out as
they cannot receive the establish indication from the MS. If the Tx_interger is proper, the cause for this
problem is that the uplink reception is normal but the downlink signal cannot be received by the MS. Under
such circumstances, the received level and the received quality of uplink and downlink should be checked. If
the MS is not far away from the BTS but the received level and the received quality are bad, check the
antenna feeder and the TRX in BTS.
� Improper configuration of Tx-integer in BSC
The Tx-integer affects the interval of channel request re-sending. Improper Tx-integer only leads to the activation
of many channels by BSS, but no call will be affected.
II. BSC Sending Immediate Assignment Reject
If the BSC sends immediate assignment reject to the MS after receiving the channel required message, the usual
causes are:
� No proper signaling channel is available for the MS because of all channels are busy or the channels are
blocked.
� BTS sends channel activation negative acknowledge after receiving the channel activation message.
If the BTS sends lots of channel activation negative acknowledge messages to the BSC, it is usually because the
transmission at Abis interface is not stable, which leads to the inconsistent channel status of the BSC and BTS, or
because errors occur in certain board of BTS.
III. MSC Sending Disconnect Message Instead of Assignment Request to Terminate the Call
In the call connection process, the immediate assignment is followed by the assignment procedure. But due to
certain reasons, the MSC sends a disconnect message instead of the assignment request message to the MS and
then terminates the call. Under such circumstances, many complaint phones from users cannot get through. Check
the following:
� The A interface circuit of MSC
� The data consistencies of the A interface between the MSC and BSC, especially the circuit pool data.
IV. Assignment Failure
After receiving the assignment request, the BSC sends assignment failure message instead of assignment
complete. The usual causes are:
� No proper voice channel is available for the MS.
BSC has no proper voice channel for the MS because all the voice channels are busy or the channels are blocked.
The cause value carried by the assignment failure message is no radio resource.
� The MS voice channel access fails.
Under this condition, the assignment failure is reported from the MS.
45
Due to the special features of the radio transmission, this kind of assignment failure occurs most frequently and is
unsolvable. If the occurrence rate is too high, check the antenna feeder, the BTS board, and the parameters related
to channel access in BSC data configuration.
� The A interface circuit of BSC fails, for example, the CIC in the assignment request is not available.
� The hardware of BSC fails.
The cause value in the assignment failure message sent by BSC is equipment failure.
� The transmission at A interface fails.
V. Directed Retry
After receiving the assignment request message from the MSC, if no TCH is available and the BSC allows directed
retry, the BSC implements the handover with the cause value of directed retry to change the service cell of the MS.
VI. Exceptional Procedure Due to Call Drop
Call drop may occur any time during the call flow, which affects the following procedures. For example, the call
drop occurs when the BSC receives the assignment request message from the MSC. The assignment procedure
may be not complete (the channel may be just assigned and no assignment command message is sent). Under this
condition, BSC may send clear request message instead of assignment complete message or assignment failure
message to the MSC.
VII. Exceptional Procedure Due to Hangup
Hang up of the calling party or the called party may occur any time during the call flow, which affects the following
procedures. For example, the hangup occurs when the BSC receives the assignment request from the MSC. Under
this condition, the call flow may be terminated before the BSC sends assignment complete or assignment failure to
the MSC. This assignment procedure neither succeeds (BSC sends assignment complete) nor fails (BSC sends
assignment failure).
VIII. Exceptional procedure because MSC sends clear command
After the A interface connect is established, MSC may send clear command or disconnect message to the BSC
during the call flow, which affects the following procedures. For example, the hang up occurs when the BSC
receives the assignment request from the MSC. Under this condition, the call flow may be terminated before the
BSC sends assignment complete or assignment failure to the MSC. This assignment procedure neither succeeds
(BSC sends assignment complete) nor fails (BSC sends assignment failure)
If it happens many times, analysis the following two factors:
� The cause value carried in the clear command
The cause value is usually the call control if the call is terminated in a normal way. Otherwise, the cause value may
be protocol error, equipment failure, or others.
� The interval between the clear command or disconnect message and the last message
The interval between the clear command or disconnect message and the last message indicates whether the
exceptional procedure is triggered by timeout.
1.14 MS Originated Call Flow
1.14.1 Enquiry
After the signaling link for the calling end is established, the Initial Address Message with Information (IAI) is send
from the calling end to the GMSC. The IAI contains the MSISDN of the called party. GMSC analyzes the
identification number of the CCS7 of the HLR and sends this HLR the SEND_ROUTING_INFORMATION message.
46
After receiving this message, the HLR checks the user record, and then performs different procedures and
responds the GMSC as follows:
� Under normal circumstances, the HLR only has the partial information about the identification of the current
VLR, such as the CCS7 address or the universal mark. To get the routing information for the call, the HLR sends
the VLR a PROVIDE ROAMING_ NUMBER message that contains the user IMSI information, requiring the VLR
to provide a MSRN for this call. When the MSC/VLR receives this message, it selects a roaming number from
the idle numbers to temporarily connect it to the IMSI, and sends the PROVIDE_ROAMING_NUMBER_RESULT
message with the MSRN assigned to this call in it to the HLR. When the HLR receives the MSRN, it transfers
the information by sending a SEND_ROUTING_INFORMATION_RESULT message to the call originating GMSC.
Then the GMSC can find the VLR with the obtained MSRN and sends the IAI to it. After receiving this message,
the MSC restores the IMSI of this user in its memory record with the MSRN and starts the paging for the MS.
After the call is established, this roaming number is released for another user.
� If the record of the called party is set as Barring of All Incoming Calls (BAIC) or Barring of Incoming Calls when
roaming is outside the home PLMN country (BIC_roam) according to the message sent by the VLR and the
user is in roaming now, the HLR rejects this call.
� If the user record is set as Call Forwarding Unconditional (CFU), the HLR sends the MSRN to the original GMSC
to analyze this number and redefine the routing.
� If no VLR number of the user is found and no call forwarding is set, Error message will be sent to the GMSC.
1.14.2 Paging
After receiving the IAI from the GMSC, the called MSC sends a SEND_INFO_I/C_CALL message to the VLR and the
VLR will analyze the called number and the network resource capacity to check whether this requirement is
acceptable. If certain item is not accepted, it informs the calling end that the call establishment fails. Under normal
circumstances, the VLR sends the MSC a PAGING MAP message that contains the location area identification (LAI)
and the IMSI or TMSI of the called party, informing the MSC to perform the paging procedure.
When the MSC obtains the LA information of the MS from the VLR, it sends all the BSCs in this LA the paging
message that contains the cell list and the TMSI and IMSI information required for paging. The IMSI can be used in
the paging for the MS through the cell paging channel. In addition, it is also used to confirm the paging subchannel
in the discontinuous reception processing.
BSC sends the PAGING COMMAND to all the cells in the LA. This command message contains the paging channel
group number and the timeslot number (obtained by the calculation of the last three numbers of the IMSI, the
total number of the paging channels, and the total number of the paging timeslots).
When the cell receives this paging command, it sends the PAGING REQUEST message on the paging channel. The
message contains the IMSI or TMSI of the user paged.
If the called MS detects the paging by decoding the paging information, it sends a channel request to initiate the
channel allocation process. After receiving the immediate assignment command from the network, the MS sends
the initial message of PAGING RESPOSE on the channel assigned through the SABM frame, and then implements
the authentication, encryption, TMSI reallocation, and finally begins the call establishment process.
47
Figure 1-22 Paging flow
1.14.3 Call Establishment for the Called Party
After the TMSI reallocation is over, the MSC sends the MS a SETUP message that includes all the details required
such as the service type and the calling number. After receiving this message, the called MS confirms the
information and sends a CALL CONFIRMED message back if the service is available. The call confirmed message
carries the parameters that the MS selects, such as the channel type (full rate TCH or half rate TCH) and the service
type.
After receiving the call confirmed message, the MSC sends the assignment command to the BSC for the voice
channel allocation. After the assignment procedure is over, the called MS sends an ALERTING message to the
network and a ringing prompt occurs to the called MS. when the MSC receives this message, it sends an Address
Complete Message (ACM) to the calling end. After receiving this message, the calling end makes a ring back tone
as the originating user prompter.
The called user hears the ringing and responds, and then sends a CONNECT message to the MSC. After receiving
this message, the MSC connects all the transmission links. The end-to-end transmission is established.
1.14.4 The Influence of Call Transfer to Routing
In the supplementary services, call transfer has the greatest influence on call routing. The call transfer is mainly
caused by Call Forwarding Unconditional (CFU), Call Forwarding Busy (CFB), Call Forwarding on mobile subscriber
Not Reachable (CFNRc), and Call Forwarding on No Reply (CFNRy). The routing selection for each function is as
follows:
I. CFU
When the GMSC sends the SEND_ROUTING_INFORMATION message to the HLR, if the CFU function is available,
the HLR sends the SEND_ROUTING_INFORMATION_RESULT message with the transfer number in it back to the
GMSC for it to redefine the routing.
II. CFB
When the GMSC finds the VMSC/VLR with the MSRN obtained from the HLR, but the called end is busy and the
CFB function is available, the VMSC/VLR implements the call transfer of the transfer number and sends it to the
48
third party. If the CFB function is not available, the GNSC handles the call directly, such as playing the user bush
record.
III. CFNRc
The routing selection for this function is based on how the network decides the called party is not reachable. The
processing is different for different criteria.
If the last location registration of the called user fails, and the HLR keeps the record of this situation and knows the
MS is unreachable, it makes the CFNRc decision by itself.
If the HLR does not keep the record of this situation, the call flow continues until the MSC performs the paging for
the user and gets no response from the user in due time. The user is decided not reachable. The MSC forwards this
call. This kind of situation has many causes. One of them is that the user enters the dead zone or the MS is power-
off, but the VMSC has not made the periodic check on the IMSI attached user yet, so it cannot judge the MS status
and the paging fails. Another cause is that the MS is in frequent location updating on the edge of the LA and
cannot respond the paging or the channel request fails, which leads to paging timeout.
If the MS is in IMSI detach (the MS is switched off or out of the service area for a long time), because the detach
tag is in the VLR instead of the HLR, the call forwarding can only be initiated by the VMSC/VLR. When the VLR
periodically deletes the long-term detached IMSI and informs the HLR, the HLR need not contact the VLR.
IV. CFNRy
If the paging of the VMSC for the user succeeds and the called end sends the ALERTING message to the system, but
the called user makes no response in due time and the CFNRy function is activated, the call forwarding procedure
is initiated.
V. CW and HOLD
Call Waiting (CW) is a supplementary service. When the MSC receives the IAI from the calling end, if the called user
is in another conversation and the CW function is enabled, the MSC skips the paging procedure and directly sends
a SETUP message to the MS by using the current signaling mode. When the CW function is enabled, the handover
of the two calls can be performed.
When the CFB and the CW are enabled at the same time, the CW is initiated first if another call is coming. The CFB
will be initiated when a third call is coming.
1.14.5 Exceptional Situations
This section only analyzes the common abnormal procedures. For other abnormal procedures, see "Mobile
Originating Call Establishment Procedure."
Upon paging failure, the MSC prompts voice information to the calling party, indicating the called MS is outside the
serving area or cannot be connected. In this case, trace the signaling on interfaces A and Abis to check whether the
paging failure is caused by:
� No PAGING COMMAND at A interface
� No PAGING COMMAND at Abis interface
� No PAGING RESPONSE at Abis interface
� No PAGING RESPONSE at A interface
I. No Paging Command at A Interface
Through signaling tracing over interface A, the MSC is detected that it has not sent a PAGING message to the BSC.
In this case, check the data configuration and MS information in the MSC/VLR and HLR on the NSS side.
Additionally, power off the called MS, power it on and make a test call to check whether the MS is normal.
� Checking user data in VLR
49
When an MS is paged, the MSC judges the current state of the MS by the user data (including MS active state,
registered LA, cell information), and decides whether or how to send the PAGING message.
If the MS state has changed (for example, the MS is switched off, or has entered a different LA) and has not
registered in the network normally or updated user data in VLR, the MS may probably be unable to be paged.
In that case, the MS only need to initiate a location updating procedure to ensure that the user data in VLR is
correct. The period of periodic location updating is indicated in system information. On MSC side, there is also a
location updating period (See "Location updating Procedure"). The two parameters of BSC and MSC must satisfy a
certain relationship, which requires that MS must initiate a location updating procedure within the period specified
in MSC.
� Checking RA- or Cell-Related parameter settings in MSC
If a routing area or cell related parameter is incorrectly set in the MSC, the transmission of the PAGING message
may fail. For example, if a wrong target BSC is selected, the PAGING message that should have been sent to the
local BSC will be sent to another BSC.
II. No Paging Command at Abis Interface
Upon receiving the PAGING message from the MSC, the BSC detects that the MSC has not sent PAGING COMMAND
to the BTS over interface Abis. In this case, check the operations and data configuration in the BSC。
� Checking if flow control is enabled
Check if the system load suddenly increases due to centralized transmission of short messages or mass access
bursts.
� Checking relevant data configuration
Check if the CGI information in BSC data configuration is consistent with the LAC information in the PAGING
message over A interface. Additionally, if RA- or cell-related parameter is not correctly set in the MSC, for example,
a wrong target BSC is selected, the PAGING COMMAND message cannot be successfully sent over Abis interface.
Check whether the following parameters in the [System information table] are correctly set: "BS_AG_BLKS_RES",
"CCCH-CONF" and "BS_PA_MFRMS".
III. No Paging Response at Abis Interface
Through signaling tracing over Abis interface, the BSC is detected that it has not received the Establishment
Indication (PAGING RESPONSE) after sending PAGING COMMAND to the BTS. In this case, check the relevant data
configuration and radio signal coverage.
� Check if there is PCH or AGCH overload due to centralized short message transmission or mass access bursts.
� Check the called MS or SIM in it.
� Check BTS by making test calls in a different cell.
� Check data configuration in BSC
Check whether the following parameters in the [System information table] are correctly configured:
"BS_AG_BLKS_RES", "CCCH-CONF", "BS_PA_MFRMS", "Tx-integer," and "MS MAX retrans". Check the setting
for "location updating period" in BSC and that in MSC
� Check radio signal coverage
Due to the problem of radio signal coverage, there might be some blind coverage areas. The MS that has
entered a blind coverage area cannot receive the PAGING REQUEST message. In that case, the MS cannot be
paged.
Such cases, if any, only exist in partial areas.
50
IV. No Paging Response at A Interface
Through signaling tracing at Abis interface, the BSC is detected that it has received an Establishment Indication
(PAGING RESPONSE) message from the BTS but this message is not reported over interface A.
1.15 HO
As a key technology in the cellular mobile telecommunication system, handover (HO) can reduce the call drop rate
and the network cross interference. The handover procedure consists of handover trigger, handover preparation
and decision, and handover execution.
HO can be divided into synchronous HO and asynchronous HO based on Timing Advance (TA). Synchronous HO
means the two cells are synchronized with each other and the MS can calculate the new TA (the HO command
indicates whether the HO is synchronous or not). Asynchronous HO requires the BTS to calculate the new TA.
When the MS receives the HO command and requests for the new BTS access, the new BTS informs the MS of the
calculated TA. The MS access to the new channel can also be divided into four types: synchronous, asynchronous,
pre-synchronous, and pseudo-synchronous. The first three types are required in MS and the last one is optional.
The pseudo-synchronous HO can be performed only when the MS supports this function. In the pseudo-
synchronous HO, the handover command from the BTS of the original service cell contains the RTD value (the TA
difference between the source BTS and the target BTS). The MSC calculates the TA required for the access to the
new BTS based on the RTD value.
The HO process involves MS, BTS, BSC, and MSC. According to the location where the HO happens, the HO can be
divided into intra-cell HO and inter-cell HO. To be more specific, intra-cell HO, intra-BTS HO, intro-BSC HO, intra-
MSC HO, and inter-MSC HO. The function of each unit is: MS measures the downlink performance and the signal
strength; BTS monitors the received signal level and quality of the uplink and the interference level of the idle
traffic channel; BSC handles the measurement report and makes the HO decision; MSC decides the target cell of
the inter-BSC HO.
1.15.1 HO Preparation
I. Measurement Report
The HO decision depends on the measurement report (MR) sent by MS through uplink SACCH to the network and
the MR of the uplink sent by BTS. These two reports are sent to BSC at the same time for decision. The system
information that includes the parameters of the current cell and the neighbor cell are sent to the MS under the
dedicated mode through the downlink SACCH. The MS reports the RXLEV and quality, TA value, power control, and
DTX usage to the network according to the system information. In addition, the MS also performs the pseudo-
synchronization with the neighbor cell defined by the system for HO and measures the RXLEV from the BCCH. The
MS measures all the frames except the idle frames that are used to synchronize the neighbor cell and decode SCH.
The MS reports the condition of the cell and the six neighbor cells with the strongest RXLEV it measures during the
measurement period to the system for the HO decision.
� Measurement period
The SACCH measurement period is different if the MS occupies different channel under the dedicated mode.
–If the SACCH is associated with SDCCH, the measurement period is 470ms, because a complete SACCH
message block occupies two 51 multiframes of SDCCH.
–If the SACCH is associated with TCH, the measurement period is 480 ms, because a complete SACCH message
block occupies four 26 multiframes of TCH.
A complete MR consists of four continuous SACCH bursts. On the SDCCH, the four bursts are transmitted
continuously. On the TCH, each 26 multiframe has only one SACCH burst, so a complete MR requires four 26
multiframes.
51
Figure 1-23 Measurement period
Whether to use DTX or not, the MR has two values: full measurement value and sub measurement value. For
details, see the DTX description in Chapter 2.
� MR processing
BTS handles the uplink MR it makes and the downlink MR it collects from the MS. It obtains the sample values of
the RXLEV, RXQUAL, and TA, and then calculates the arithmetical mean value and the weighted mean value based
on the related parameters. When the time is up, the system decides whether to perform the level handover,
quality handover, or distance handover.
II. Neighbor Cell Monitoring
To establish the HO relation with the neighbor cells, the MS must listen to the standard frequency of the neighbor
cells defined in the system message. The standard frequency carries the synchronous channel and frequency
correction channel. One way to decide the received channel is the standard frequency channel is to confirm that
the frequency carries a FCCH. The MS also decodes the SCH that carries the TDMA frame number and BSIC. The MS
can only analyze the BCCH standard frequency of the neighbor cell in the idle timeslot of the TCH multiframe. In
fact, during the data exchange, the interval between the end of the reception and the beginning of the
transmission (about 1 ms) can be used to measure the RXLEV and the RXQUAL, but it is not sufficient to measure
the level of the neighbor cell. The interval between the end of the transmission and the beginning of the reception
(about 2 ms) is sufficient to measure the level of the neighbor cell, but not sufficient to find the FCCH. In the 26
muliframe of TCH, there is always an idle frame (about 6 ms) available for MS to decode the FCCH and SCH. But the
FCCH of the neighbor cell may not be found during this timeslot. Therefore, the use of the arithmetic feature of the
two numbers 26 and 51 is required. Because these two numbers have no common factor, the FCCH can be found
during the 11 periods. When SACCH is associated with SDCCH, although its period is also 51 multiframe, the SDCCH
channel assigned to the MS only occupies 1/8 of the 51 multiframe. Since there are lots of idle timeslots, the MS
can synchronize the neighbor cell.
When the MS receives the SCH, the synchronization is established. To translate the message on the downlink CSCH,
the MS must know the training sequence of the CSCH. The training sequence is of eight types, matching the BCC 0
to BCC 7 of BSIC respectively. The BSIC carried by the SCH can inform the MS of the training sequence number of
its service cell.
BSIC also enables the MS to differentiate the cells using the same BCCH frequency. The two cells with the same
BCCH frequency and BSIC must be far from each other. The MS reports the six neighbor cells with the strongest
signals, but differentiates them according to the BSIC and frequency it obtains to achieve the pre-synchronization.
The MR only contains the sequence number of the frequencies in the BA list. Therefore, if a cell shares the same
frequency and BSIC with the neighbor cell and its signal is strong enough, error report and decision of MS may
occur, leading to HO failure and call drop.
52
III. Conditions Required for Neighbor Cells to Join in HO Decision Queue
When the BTS receives the report on the neighbor cell from the MS, it checks whether this neighbor cell is
qualified to join in the HO decision queue. The following conditions must be met:
RXLEV(n) > RxLevMinCell(n)+ MAX(0,Pa(n)) + OFFSET (2-4)
Pa(n)=MS_TXPWR_MAX(n) -MAX_POWER_OF_MS
RXLEV(n) is the RXLEV of the neighbor cell; RxLevMinCell(N) is the minimal access level of the neighbor cell;
OFFSET is the offset of the minimal access level; MS_TXPWR_MAX(n) is the maximal transmit power of MS defined
by the system; MAX_POWER_OF_MS is the maximal transmit power the MS can achieve. The unit is dBm.
RxLevMinCell(n) and MS_TXPWR_MAX(n) are defined by the HO cell parameters. Under the dedicated mode, the
system informs the MS by sending the system message through SACCH. The neighbor cell can be listed in the HO
candidate cells only when its RXLEV is qualified according to the formula above.
The defined RxLevMinCell (n) must be higher than the RXLEV_ACCESS_MIN. If it is too low, the threshold for the
candidate cells is reduced, which may lead to HO failure. The purpose to define the Pa is to ensure the low power
MS can access the neighbor cell only when the RXLEV is high enough, thus improving the quality of conversation.
1.15.2 HO Types
HO must be performed on time under different conditions to ensure the quality of communication. According to
the cause of the HO, it can be divided into Power Budget (PBGT) HO, edge HO, bad quality (BQ) HO, direct retry,
and timing advance (TA) HO.
I. PBGT HO
PBGT HO is based on path loss. PBGT HO algorithm looks for a cell with less path loss to decide whether HO is
necessary. The biggest difference between the PBGT HO and others is that the triggering condition is path loss but
not receiving power.
The formula of PBGT HO is as follows:
PBGT (n) > PGBT_Ho_Margin (n) (2-5)
PBGT(n) = ( BSTX_MAX - RXLEV_DL - PWR_C_D ) - ( BSTX_MAX(n)- RXLEV_NCELL(n) )- ( RXLEV_DL - RXLEV_UL -
SENSI_CORRECT)- max ( BSTX_MAX(n)- min(MSTX_MAX(n),P) - BSTX_MAX + min (MSTX_MAX,P) ,0 )
BSTX_MAX: The maximum transmit power of BS in service cell
BSTX_MAX (n): The maximum transmit power of BS in neighbor cell
RXLEV_DL: The downlink received signal level in service cell
RXLEV_UL: The uplink received signal level in service cell
SENSI_CORRECT: The correct factor of MS/BS receiver sensitivity
RXLEV_NCELL (n): the received signal level of MS from neighbor cell n
PWR_C_D: the decrease of the transmission power in BTS power control
P: Max MS Transmission power
MSTX_MAX (n): Max MS transmit power allowed of the neighboring cell n
MSTX_MAX: Max MS transmit power allowed of the service cell
The neighbor cell with the biggest PBGT (n) is selected as the target cell for HO. The PGBT_Ho_Margin is the
defined RXLEV difference value between the service cell and the neighbor cell when the HO is initiated. If this value
is too low, it may lead to ping-pong handover; if it is too high, HO hysteresis may occur and the HO efficiency is
reduced. Since the PGBT_Ho_Margin is defined for the specific neighbor cell, the traffic load can be adjusted
accordingly. For example, when cell A and cell B are adjacent, A is the high-traffic cell and B is the low-traffic cell,
53
the call distribution can be balanced by reducing the PGBT_Ho_Margin from A to B and increasing that from B to A.
In fact, this way to balance the call distribution equals the decrease of the coverage area for cell A and the increase
of the coverage area for cell B.
PBGT HO only happens between the peer cells. .
II. Edge HO
The uplink/downlink edge HO margin is defined in the HO parameters. When BSC finds in the MRs from the MS
and BTS that the uplink or downlink RXLEV is lower than the edge HO margin defined, it selects a proper neighbor
cell from the MRs as the target cell to initiate HO, thus avoiding the call drop.
In the edge HO, the RXLEV of the neighbor cell should be higher than that of the service cell by a certain value. This
value is called the edge HO margin. This algorithm is also used to avoid ping-pong handover. The edge HO margin
should be higher than the minimal access level of the MS.
III. BQ HO
The decision mechanism of BQ HO is similar to that of the edge HO. When BSC finds in the MRs from the MS and
BTS that the bit error rate of the uplink or downlink is higher than the BQ HO margin defined, the BQ HO is
initiated. To further differentiate the BQ HO, the interference HO is introduced. If the RXLEV is higher than the
defined RXLEV margin of the interference HO and the RXQUAL is higher than the quality HO margin, the frequency
interference exists. The interference HO will trigger the intra-cell HO (when the intra-cell HO is available) first to
improve the bad conversation quality due to interference, and then trigger the inter-cell HO. The intra-cell HO is
not effective when the frequency hopping is used. By improving the interference HO margin, the BQ HO will be
mainly performed between cells.
IV. Direct Retry
During the call establishment, the SDCCH is assigned first and then is the TCH. If the service cell has no idle TCH,
the call attempt usually fails because of TCH congestion. To fully utilize the radio resources and reduce the
congestion, the direct retry function is introduced. When the SDCCH is assigned, but no TCH is available, the
assignment request is sent in the form of MR and the call is accessed to the idle speech channel. After the direct
retry function is enabled, the queuing function can be activated to provide enough time for the system to select
the neighbor cell available for direct retry.
V. TA HO
TA HO can be used to control the coverage area of the BTS. When the BSC finds the TA value reported by the MS is
higher than the defined margin, the TA HO is initiated. If the TA margin is relatively low, the frequent ping-pong
handover may be triggered. Therefore, special attention should be paid to the matching of different kinds of HO.
1.15.3 HO Process Analysis
I. Intra-Cell HO
In the real network, sometimes the interference may occur to certain frequency or a certain TRX fails, leading to
the high RXLEV but low RXQUAL or the remarkably low signal level of TRX. To improve the conversation quality and
avoid the call drop, the intra-cell HO is used.
The intra-cell HO is initiated by the RXLEV margin or RXQUAL quality. During the conversation, BSC analyzes the MR
from the MS and BTS. If the requirement for intra-cell HO margin is satisfied, it sends a CHANNEL ACTIVE message
to BTS to initiate the intra-cell HO. The connection process is similar to the TCH assignment during the call
establishment. Because the TCH is also assigned within the cell, the BTS can indicate the MS to perform the intra-
cell HO through HO command or assignment command. When the BSC receives the ASSIGNMENT
COMPLETE/HANDOVER COMPLETE message from the BTS, it sends MSC the HO PERFOMED message that contains
54
the HO type. Then the BSC sends a RF CHANNEL RELEASE message to BTS. After receiving the message, the BTS
releases the TCH resource and sends a RF CHANNEL RELEASE ACK message back.
When the intra-cell HO is enabled, intra-cell HO increases a lot, and the system load also increases. Therefore, if
the traffic load is already heavy, the intra-cell HO function is not recommended.
II. Intra-BSC HO
Intra-BSC HO is performed by BSC and no MSC has to be involved. To inform MSC that the HO is complete, BSC will
send a HO PERFOMED message to MSC. The whole procedure is shown in Figure 1-24.
1. The MS sends MR to BTS1 on SACCH at Um interface, and BTS1 forwards the message to the BSC.
2. BSC receives the MR. If it decides that the MS should be handed over to another cell, it sends Channel
Activation to BTS2 of the target cell to activate the channel.
Figure 1-24 Intra BSC HO
3. BTS2 receives the CHANNEL ACTIVATE. If the channel type is correct, it turns on the power amplifier on the
specified channel to receive information in the uplink direction, and send CHANNEL ACTIVATE ACK to the BSC.
4. After receiving the CHANNEL ACTIVATE ACK from BTS2, the BSC sends HANDOVER COMMAND to the MS
through BTS1 and starts T3103. The handover command contains all the feature information of the
transmission on the new channel and the data required for MS access. It also indicates whether this HO is
synchronous or asynchronous.
5. After receiving the HANDOVER COMMAND, the MS decides the type of it. If it is synchronous HO, the MS
sends the target cell four continuous HANDOVER ACCESS messages on the assigned TCH, and then starts the
transmission based on the calculated. For the synchronous HO, the former TA can be used; for pre-
synchronous HO, the TA in the handover command is used (If the TA is not provided in the handover
command, the default value is used); for pseudo-synchronous HO (MS reported whether this HO is supported
or not before), the TA is calculated based on the difference value provided in the handover command. Please
note that the HANDOVER ACCESS is send by the access burst. It is the only time when the access burst is used
on the DCH. It only contains the 8-bit HO reference number obtained from the handover command. Since this
reference number is known to the target cell, the target cell can check whether the access request is from the
expected MS with this number.
The HO reference number is not fully defined in the protocol. During the HO access, if the assigned TCH is on
the BCCH, due to synchronization error and delay or other reasons, the access burst may offset to the BCCH
RACH timeslot. If the 8-bit reference number is the same as a service application number, the system will
regard it as a random access by mistake and assign the SDCCH through AGCH, leading to a waste of AGCH and
SDCCH. But as the access burst contains the BSIC information, only the HO access cell will be affected.
55
Since there are more than four HO access bursts, and after the new BSS assigns a channel to the MS, it will no
re-assign this channel to other MS, even if no reference number is used, the network can find the MS to
access and the HO will not be affected.
To further avoid the waste of radio resources, the reference number is assigned a fixed value that is different
from the application number for service type in random access.
6. BTS2 receives the HANDOVER ACCESS from the MS, and send HANDOVER DETECT to the BSC notifying that
the HANDOVER ACCESS message is received.
7. For asynchronous HO, after the BTS2 channel of the target cell is activated, it waits for the MS access on the
assigned DCH (until the T3103 times out). When it detects the handover access from the MS, the BTS2 sends
the HO DETECT message to the BSC and the PHYSICAL INFO that contains the calculated TA to the MS. During
the PHYSICAL INFO transmission, the network initiates T3105. Before receiving the SABM frame response
from the MS, the BTS2 re-enables the T3105 after timeout and resends the PHYSICAL INFO NY1. For
asynchronous HO, after receiving the PHYSICAL INFO, the MS sends the SABM to the BTS2; for synchronous
HO, the MS sends the SABM to the BTS2 immediately after sending the HANDOVER ACCESS.
8. For asynchronous HO, the MS starts the T3124 when sending the HANDOVER ACCESS message for the first
time and stops the T3124 after receiving the PHYSICAL INFO. For details, see the parameter description
section.
9. After receiving the first SABM, BTS2 sends BSC the EST IND to inform it of the radio link establishment. When
the network receives this message, it sends an ESTABLISHE INDICATION message to the BSC to show that the
data link layer is established. Meanwhile, it also sends the UA response frame to the MS. after receiving the
UA response, the MS regards that the signaling answer mode is established with this cell.
10. The MS sends HANDOVER COMPLETE to the BTS2, and BTS2 forwards it to the BSC. Then it sends the target
cell a HANDOVER COMPLETE message that only contains the handover complete indication but no other
information. The MS stops considering the possibility to return to the former channel only when this message
is sent. If the MS does not receive the PHYSICAL INFO from the target cell or the UA response frame, it sends
a HANDOVER FAILURE message on the source channel.
11. After receiving the HANDOVER COMPLETE message, the BSC stops the T3103 and sends MSC the HANDOVER
PERFORMED that contains the handover type. Meanwhile, the BSC initiates the local release for the former
channel of BTS1. When the target cell receives the handover complete message from the MS, it forwards it to
the BSC. After receiving this message, the BSC sends the RF CHANNEL RELEASE message to inform the source
cell to release the former TCH. When the source cell receives this report, it sends a RF CHANNEL RELEASE ACK
to indicate the radio channel is released and available for another assignment.
III. Intra MSC HO
Compared with the intra-BSC HO procedure, the procedure for the inter-BSC HO only has several A interface
signaling added.
1. When the MS has to be handed over to the cell where the BSC2 belongs to, the BSC1 sends a HO REQUIRED
message that contains cell ID of the target cell group and the source cell and the HO cause to the MSC and
starts T7 at the same time.
2. After the MSC receives this message, if it shares the same LAC with the target cell, it searches the BSC of the
target cell (BSC2) and sends the BSC2 a HANDOVER REQUEST message that contains the information of the
target cell and the source cell, transmission mode, encryption mode, classmark, and the channel type
required. When the BSC2 receives this message, it sends MSC a CC message to indicate that the connection
between the MSC and its SCCP is established for transmission of the information from the A interface.
3. After the new channel is activated, the BSC2 sends the MSC a HO REQUEST ACK to indicate that the channel is
available. This message carries the HO command with the information about the resource allocation in it to
show that the local end is ready for HO.
4. After receiving the HO REQUEST ACK, the MSC sends a HO COMMAND to the BSC1. BSC1 stops
the T7 and starts the T8, and forwards the HO COMMAND to the MS and starts T3103, informing
56
the MS to access the new channel. This command contains the cell ID, channel type, and HO
reference.
5. After receiving the HO COMPLETE from the BSC2, MSC sends a CLEAR COMMAND to the BSC1. This command
contains the clear cause (such as HO clear). BSC1 stops T8 and T3103, and releases the former channel.
Meanwhile, it sends a CLEAR COMPLETE message to the MSC.
Figure 1-25 Inter-BSC HO within MSC
T3103 is started when BSC sends the HO command and cleared when the BSC receives the HO COMPLETE (INTRA
BSC) or CLEAR COMMAND (INTER BSC). The T3103 should be set less than T8. During the HO, the BSC provides the
time for TCH both in the source cell and the target cell according to the T3103. When the T3103 is timing, two
channels are reserved. The longest HO (INTER MSC) may take about five seconds, so the T3103 can be set to five
seconds. If it is set too long, the system resources will be wasted.
If the target cell and the source cell are not in the same LA, a location updating will be performed at the end of
each call.
IV. Inter-MSC HO
The procedure for inter-MSC HO is shown in Figure 1-26.
1. When MSCa receives the HANDOVER REQUIRED message from the BSC, if it finds that the LAC of the
preferred target cell is not in the local LAC list, it queries the remote LAC list that contains the routing address
of the neighbor MSC/VLR.
2. When the target MSCb is found, the MSCa sends a PREPARE HANDOVER message that contains the
HANDOVER REQUEST to it.
3. After receiving the PREPARE HANDOVER message, the MSCb sends the VLRb an ALLOCATE_HO_NUMBER
message to request for HO number (HON) assignment. The HON indicates the routing between MSCa and
MSCb.
4. VLRb selects an idle HON and sends it to MSCb through the SEND HO REPORT message.
5. MSCb establishes a SCCP link to the target BSC and sends a HANDOVER REQUEST message to BSCB. Then the
BSC activates the channel of the target cell. After receiving the channel activation response from the target
cell, the BSC sends MSCb a HANDOVER REQUEST ACK message that contains the HO command.
6. After receiving this message, MSCb sends a PREPARE HANDOVER ACK message that contains the HANDOVER
REQUEST ACK and the HON to the MSCa.
57
7. MSCa receives this message and sends an IAM to MSCb. The IAM contains the HON assigned by VLRb for
MSCb to identify which speech channel is reserved for the MS. MSCb sends a SEND HO REPORT RESP
message to the VLRb anytime after it receives the IAM.
Figure 1-26 Inter-MSC HO
8. After MSCa receives the ACM from the MSCb, it sends the HO command to the MS. Then the MS will perform
the HO access to the target cell.
9. After receiving the HO access message from the MS, MSCb sends MSCa a PROCESS ACCESS SIGNALLING
message to indicate that the HO is detected.
10. When the target cell receives the HANDOVER COMPLETE message from the MS, it informs the MSCb. Then
the MSCb sends a SEND END SIGNAL REQ message to MSCa to inform it the HO is complete. After the
HO-DETECT or HO-COMPLETE is received, the connection between MSCa and MSCb is established. MSCb will
release the HON.
11. When MSCa receives the HO complete message, it sends a clear command to the former BSC to release the
channel resource. The inter-MSC HO is complete. To avoid the PSTN/ISDN contradiction of the MSCa and
MSCb, MSCb must send an answer signaling when receiving the HO-DETECT/COMPLETE.
12. MSCa controls the call until it is cleared. When MSCa clears the MS call, it also clears the call control function
of MSCa and sends a MAP-SEND-END-SIGNAL message to release the MSCb MAP resource.
MSCb sends a HO failure indication to the MSCa if the MSCb cannot identify the target cell, the HO to the
target cell is not allowed, the target cell has no radio channel available, or the data error occurs. The MSCa
will perform the HO to the secondary cell or terminate the HO.
V. Subsequent Inter-MSC HO
After the MSCb receives the HO request, it checks this target cell belongs to MSCb and performs the inter-MSC HO.
After the HO is complete, it informs the MSC.
The subsequent HO is the handover of MSCb to other MSC after an inter-MSC HO is complete. The target MSC can
be the former MSCa or the new MSCb’. The circuit switch happens in the MSCa for both situations. After the
subsequent HO is complete, the connection between MSCa and MSCb is released. The procedure for the
subsequent HO with circuit switch is as follows:
� MSCb is handed over back to MSCa
58
Figure 1-27 MSCb is handed over back to MSCa
1. MSCb sends MAP PREPARE SUBSEQUENT HANDOVER request to MSCa. This message contains MSCa number,
target cell ID, and all the information in HO REQUEST.
2. MSCa is the call control MSC. It can search the idle channel immediately without target HO number routing.
3. After the radio channel is assigned, MSCa sends a MAP PREPARE SUBSEQUENT HANDOVER response back.
4. If the TCH is busy, BSSa sends a QUEUING INDICATION to MSCb (optional). MSC sends MSCb the MAP
FORWARD ACCESS SIGNALLING request that contains the subsequent TCH assignment result (HO REQUEST
ACK or HO FAILURE). If the radio channel cannot be assigned or the error occurs to the target cell ID, or the
target cell ID does not match the target MSC number according to the HO REQUEST, a MAP PREPARE
SUBSEQUENT HANDOVER response that contains the HO FAILURE information in it is sent to the MSCb. MSCb
keeps the connection to the MS.
5. If the MSCa is successfully assigned, and the MAP PREPARE SUBSEQUENT HANDOVER response is sent to
MSCb. The MSCb requests the handover of the MS to the new cell of the MSCa by sending a HO command.
6. After receiving the HO complete message, MSCa releases the circuit connection to MSCb.
7. MSCa must send a proper MAP message to terminate the MAP procedure for MSCa and MSCb during the
basic HO. When MSCb receives the MAP SEND END SIGNAL response message, it releases the BSSb resources.
� MSCb is handed over to MSCb'
59
Note 1: This message can be sent anytime after the IAM is received.
Figure 1-28 MSCb is handed over to MSCb'
1. MSCb receives the HO request and finds that the target cell does not belong to the MSCb. It sends a PREPARE
SUBS HANDOVER to the MSCa. This message contains the MSCb’ ID, target cell ID, and all the information in
HO REQUEST. MSCa will initiate a basic HO to MSCb’.
2. If the MSC can be found in the MSCa LAC list and remote LAC list (it contains information about other MSC),
after the HON is provided by the VLRb’ and the MSCb’ channel is activated,
3. MSCa sends a MAP PREPARE SUBSEQUENT HANDOVER response message to the MSCb. This message
contains the HO REQUEST ACK from the BSSb’ and the BSSMAP information that may be special.
4. After receiving this message, MSCb sends the HO command to the MS. After the access succeeds, if the
MSCa receives the MAP SEND END SIGNAL REQUEST (it contains the HO COMPLETE information of the BSSb’)
from the MSCb’, the HO is complete and the connection between MSCa and MSCb is released. MSCa also
sends the MAP SEND END SIGNAL response to MSCb to end their MAP conversation. MSCb receives this
message and releases the radio resources.
5. After the subsequent HO is complete, the MSCb’ replaces the MSCb. Any subsequent inter-MSC HO is the
same as described above.
The remote LAC list of MSCa must be complete and contain as many MSCs as possible besides the neighbor MSC.
For example, if a user in place A calls another user in place B, the MSC in place A must contains all the data of the
MSCs and cells within the area between A and B. Otherwise, the HO cannot be performed and the call drops.
1.15.4 Exceptional Situations
The following are some extra exceptional situations on the basis of what has described before.
60
I. HO Failure Due to CIC Exception
If the CIC allocated in the Handover REQ received by BSC is marked as BLOCK, BSC will respond to MSC with
Handover Failure due to "requested terrestrial resource unavailable".
II. HO Failure Due to MS Access Failure
If the BTS cannot decode Handover Access or Handover Completed correctly when a MS accesses the new channel,
the HO will fail. The MS returns to the old channel, and responds with a Hanover Failure message.
For the intra-BSC handover, if the BSC has not received the Handover CMP message on the new channel, or
Handover Failure message on the old channel at expiry of timer T3103A, it will consider the call as dropped and
send a Clear REQ message to the MSC on the old channel. Upon receiving the Clear CMD message from the MSC,
the BSC releases the old channel and notifies the target cell to release the new channel. If timer T3103B1 or
T3103B2 times out, the target cell will release the new channel.
For the inter-BSC handover, if BSC1 has not received the Handover CMP message at expiry of timer T3103B2, it will
send a Clear REQ message to the MSC to release the call. If BSC2 has not received the Handover DET or Handover
CMP message, it will send a Clear REQ message to the MSC for the same purpose.
1.16 Call Re-Establishment
1.16.1 Introduction
The re-establishment procedure allows MS to resume a connection in progress after a radio link failure, possibly in
a new cell or in a new location area (re-establishment in a new location area initiates no location updating).
Whether call re-establishment is allowed depends on the calling status, the cell's allowance of call re-
establishment, and activated MM connection (MM is in status 6 "MM connection activated" or status 20 " Waiting
for additional MM connection" Call re-establishment can only be initiated by MS. GSM protocol does not specify
the implementation mode for the short message service and the independent call supplementary service. In the
other end, no voice is heard during the call re-establishment.
During the radio transmission, a connection may be broken suddenly because of the great transmission loss due to
obstructions such as bridges, buildings, or tunnels. When the call re-establishment is used, the MS can maintain
the conversation by using another cell in a short time, thus improving the network quality. Call re-establishment
can be regarded as the HO initiated by MS to save the interrupted call in the current cell.
Call re-establishment is of two types according to the entity that has the radio link failure first.
I. Radio Link Failure Occurs to MS First
The MS sends a call re-establishment request in the selected cell (source cell or target cell). The former channel
resource is released after the BTS timer times out.
II. Radio Link Timeout Occurs to BSS First
After the radio link timer in BTS times out, the BTS sends a radio link failure message to the BSC and BSC activates
the SACCH. According to the protocol, the network must handle the context for a while after detecting the lower
layer faults for the successful call re-establishment. The implementation mode and duration are decided by the
equipment provider. After detecting the radio link failure, the MS selects a neighbor cell with the highest RXLEV
within five seconds and sends the channel request in the selected cell. This cell should not be barred and the C1 is
over 0. In addition, this cell must permit the call re-establishment. If all the neighbor cells are not qualified, the call
re-establishment is abandoned.
61
During the call re-establishment, the MS cannot return into the idle mode. If the MS selects a cell in different LA as
the target cell for call re-establishment, it cannot perform location updating until the call ends.
Under normal circumstances, the call re-establishment procedure lasts about 4 to 20 seconds. Most users have
hung up the phone before the procedure is over. Therefore, the call re-establishment cannot achieve its goal but
wastes a lot of radio resources. For the areas with limited channel resources, the activation of this function is not
recommended.
1.16.2 Call Re-Establishment Procedure
Figure 1-29 shows the procedure for call re-establishment.
Figure 1-29 Call re-establishment
1. After the MM connection failure indication is reported to the CM entity, if the MS receives at least one
request for MM connection re-establishment from CM, it will initiate the call re-establishment procedure. If
several CM entities request for re-establishment, only one re-establishment procedure will be initiated.
2. After the CM sends the request for the re-establishment of MM connection, MM sublayer sends a request for
the establishment of RR connection and enters the WAIT FOR REESTABLISH state. This request includes an
establishment cause and a CM re-establishment request. When the RR sublayer indicates a RR connection is
established (the CM re-establishment request message has been sent through the Um interface), the MM
sublayer starts T3230 and indicates to all the CM entities that the MM connection is under construction. The
MM sublayer stays in WAIT FOR REESTABLISH state.
The CM Re-establishment Request message contains the MS identity (IMSI or TMSI), Classmark 2, and
encrypted sequence number.
Whether the CM entity can request for re-establishment depends on protocol discriminator (PD).
3. After receiving the CM re-establishment request, the network analyzes the request type and starts the MM
program or RR program. The network can start the classmark enquiry program to obtain more information
about the MS encryption ability. The network can also decide to perform the authentication procedure or
ciphering mode setting procedure.
4. When the RR sublayer indicates the ciphering mode setting procedure is over or the CM SERVICE ACCEPT
message is received, the MM connection is re-established. The T3230 stops and informs all the CM entities
related to the re-establishment to enter the MM CONNECTION ACTIVE state.
62
5. If the network cannot connect the re-establishment request to the current MS call, it sends the CM SERVICE
REJECT with the reject cause to the MS.
The reject cause (value) includes unidentifiable call (#38), unidentifiable IMSI (# 4), unauthorized ME (# 6),
network failure (#17), congestion (#22), unsupported service (#32), and temporary service failure (#34)。
6. After receiving the CM SERVICE REJECT, the MS stops T3230 and releases all MM connections and RR
connections. If the reject cause if #4, the MS deletes the TMSI, LAI, and CKSN in SIM card, and changes the
status from “updating” into “no updating”, and then enters the “WAIT FOR NETWORK COMMAND” state. The
location updating will be initiated after the RR release.
If the reject cause is #6, the MS deletes the TMSI, LAI, and CKSN in SIM card, and changes the status from
"updating" into “roaming inhibit”. The SIM is regarded invalid until the MS is switched off or the SIM card is
pulled out.
1.16.3 Exceptional Situations
I. Re-Establishment Prohibition or Failure
When MM connection is established, the MM layer may send an indication to the CC layer. If the MM layer is
disconnected, the connection may be re-established through CC request.
If the re-establishment is not allowed, and the call is initiated within the establishment or clearing period, the CC
layer shall release MM connections.
If re-establishment is unsuccessful, MM connections shall be released, and a release indication shall be sent to the
CC layer.
II. RR Connection Failure
If random access failure or RR CONNECTION FAILURE is detected by the MS, the MS will stop timer T3230, abort
the call re-establishment procedure, and release all MM connections.
If RR CONNECTION FAILURE is detected by the MSC, the MSC will abort the call re-establishment procedure and
release all MM connections.
III. T3230 Time-out
If the T3230 times out, the MS will stop call re-establishment and release MM and RR connections.
1.16.4 SM Procedure
Short messages can be transmitted either on SDCCH or SACCH. A short message procedure can be classified into
short message calling procedure and called procedure. For details, see GSM03.40 protocol.
63
1.16.5 Short Message Procedure on SDCCH When MS is calling
I. Signaling Procedure
Figure 1-30 Short message procedure on SDCCH when MS is calling
II. Procedure Description
The random access, immediate assignment, authentication, and encryption procedures of short message
procedure on SDCCH when MS is calling are the same as general procedures. After encryption, the MS sends SABM
again, notifying the network side that this user needs short message service (SMS). Then, BSC provides a
transparent-transmission channel for MS to exchange short message information with MSC. In this procedure, the
MSCs of some manufacturers are capable to send ASS REQ to BSC, requesting it to assign channel for short
message transmission. The time for sending ASS REQ is the same as that for a common call. BSC can provide SMS
either by allocating other channels or by using the original SDCCH.
Point to Point short messages protocol is divided into connection management layer (CM), relay layer (RL),
transport layer (TL) and application layer (AL).
CP_DATA and CP_ACK are the messages on CM layer, CP_DATA is used to transmit the content of RL and AL
message, and CP_ACK is the acknowledgement message of CP_DATA.
The release procedure after message is sent is the same as general ones.
64
1.16.6 Short Message Procedure on SDCCH When MS is called
I. Signaling Procedure
Figure 1-31 Short message procedure on SDCCH when MS is called
II. Procedure Description
The paging response and immediate assignment procedures of short message procedure on SDCCH when MS is
called are the same as general procedures. For the short message procedure when MS is called, after encryption,
the BSC sends EST REQ to MS to establish short message connection. When EST CNF is received from MS, the
connection is successfully established. BSC transparently transmits the short message till the end of the
transmission.
The release procedure after message is sent is the same as general ones.
1.16.7 Short Message Procedure on SACCH When MS is calling
I. Signaling Procedure
Figure 1-32 Short message procedure on SACCH when MS is calling
II. Procedure Description
The MS sends CM SERV REQ through FACCH. The MSC responds with the CM SERV ACC message and establishes CC
layer connection. Then, it establishes RR layer connection on SACCH, and sends the short message.
65
1.16.8 Short Message Procedure on SACCH when MS is called
I. Signaling Procedure
Figure 1-33 Short Message Procedure on SACCH when MS is Called
II. Procedure Description
The BSC receives the CP DATA message from MSC, and establishes an RR layer connection for SMS. Upon reception
of CP ACK from MS, MSC sends the short message.
1.17 CBS
Cell Broadcast Service (CBS) is similar to paging station broadcast information. It means the mobile network
operator broadcasts the public information to the mobile users within a certain area. The information that the
users can read is called CBS message. It is generated by the Cell Broadcast Entity (CBE) and sent to the Cell
Broadcast Center (CBC) for processing. After the processing, it is forwarded to the BSC and broadcast to the users
through CBCH. The MS can only receive the CBS message in idle mode. Unlike the Point to Point Short Message
service, the CBS message is broadcast without the acknowledgement of the user terminal.
CBS includes:
� Common public information service, such as weather, news, stock market, exchange rate, and lottery.
� Special public information service, such as people search, traffic navigation, and call charge prompt.
� Advertising service, such as information about stores, restaurants, and theaters.
1.17.1 CBS Mechanism
Operators or information providers can define the cell broadcast area through CBE. The minimal area is a cell and
the maximal area can be all the cells of the BSCs that the CBC connects with. Features such as intervals, duration,
and priority levels can also be specified to meet different requirements. The field length of the CBS message sent
to BSC from CBC must be 82 bytes. If the length is shorter than 82 bytes, fill codes are added to it. If the length
exceeds 82 bytes, the message is broken to a maximum of 15 pages. If the sending fails, the message may be sent
again and the message with high priority level is sent first. The CBS information is sent to the proper cells through
four continuous SMS BROADCAST REQUEST messages or one SMS BROADCAST COMMAND message. Each CBS
message contains 82-byte user information and 6-byte header. The CBS message can be sent to BTS in the form of
SMS BROADCAST REQUEST or SMS BROADCAST COMMAND. For details, see 1.17.2
BTS can send the CBCH Load Indication message to BSC and the system will speed up or delay the message sending
according to this message. Although the BSC considers the CBCH capacity when sending the message and the BTS
66
can indicate the status of the current CBCH, when the CBCH LOAD INDICATION mode is enabled, the BTS can send
CBCH LOAD INDICATION to request for immediate broadcast of the m(1-15) SMSCB timeslot message when the
CHCB is idle. After the BSC sends the m timeslot message, it sends messages according to its own schedule. If the
message volume that the BTS requests exceeds the volume that the BSC can provide, the BSC only sends the
messages within its volume limit. When the CBCH LOAD INDICATION mode is enabled, the BTS can send CBCH
LOAD INDICATION to stop the sending of the m(1-15) timeslot message if overload occurs. Then the BSC will
continue the sending according to its own schedule.
CBCH LOAD INDICATION is only used in DRX mode.
The CBCH is of two types: basic CBCH and extended CBCH. They are four continuous multiframes. The TB of basic
CBCH is 0, 1, 2, or 3; The TB of extended CBCH is 4, 5, 6, or 7. TB = (FN DIV 51) mod (8).
For the basic CBCH, the CBS message head is sent on the multiframe with TB being 0; for the extended CBCH, it is
sent on the multiframe with TB being 4. The system message on BCCH indicates whether the CBS is available or
not. When SMSCB is used, the BS_AG_BLKS_RES is set as 1 or above. When the CBCH is mapped to the
CCCH+SDCCH/4, the number of BS_AG_BLKS_RES will not be limited by SMSCB.
MS recomposes the CBS message and displays it for the user.
MS obtains the CBS message from the CBCH. BTS informs MS of the short message information during the
schedule in the form of bitmap by sending schedule message. There are three reception modes for MS on CBCH:
� Non-DRX mode. MS reads the first block of all message timeslots. The rest blocks will be read if the message
head indicates that the following timeslots are used. If the MS does not support other reception mode, or it
does not receive the scheduling for the next message timeslot, Non-DRX mode is used.
� First DRX mode. If MS receives the scheduling for the next message timeslot, but the first scheduling message
of the last scheduling period, or all the information of the last period or even earlier period is not received,
first DRX mode is used.
� Second DRX mode. If MS receives the important information of the last scheduling period and reads the first
scheduling message of the current period, second DRX mode is used.
Whether the network uses DRX to receive the broadcast short message can be set through the maintenance
console in BSC.
1.17.2 BSC-BTS Message Transmission Mode
A CBS message consists of eighty eight 8-bit bytes. These bytes are divided into four message blocks with each
block containing twenty two 8-bit bytes. Each block is added by an 8-bit block type, and the length of the block is
twenty three 8-bit bytes. A CBS message contains four continuous blocks: first block, second block, third block, and
fourth block.
As Figure 1-34 shows, when the SMS BROADCAST REQUEST mode is used, the message is sent to BTS from BSC.
The BSC handles the queuing, repetition, and short message sending. It also considers the CBCH capacity and takes
charge of the SMS segmentation at radio interface. In the SMS BROADCAST REQUEST message, each SMSCB
Information cell carries a complete frame that can be transmitted on CBCH and the layer 2 information that
indicates the radio path. SMSCB Channel Indicator cell indicates the CHCH used for broadcast. If this cell does not
provide the information, the basic CBCH will be used.
67
Figure 1-34 SMS BROADCAST REQUEST
As Figure 1-35 shows, when the SMS BROADCAST COMMAND mode is used, SMS BROADCAST COMMAND
message is sent to BTS from BSC. BSC requires the immediate message sending during the next CBCH time. The
default broadcast mode for BTS can also be set through this message. In the default broadcast mode, if there is no
other message to broadcast, BTS will send the default message.
Figure 1-35 SMS BROADCAST REQUEST
In the SMS BROADCAST COMMAND message, the SMSCB message cell contains the information to be broadcast on
CBCH. It has four continuous blocks with a maximum of 88 bytes. BTS segments the message and establishes the
block format. It also adds bytes to the block if required. SMSCB Channel Indicator cell indicates the CHCH used for
broadcast. If this cell does not provide the information, the basic CBCH will be used.