RAIM and Failure Mode Slope: Effects of Increased Number of Measurements and Number of Faults

This article provides a comprehensive analysis of the impact of the increasing number of measurements and the possible increase in the number of faults in multi-constellation Global Navigation Satellite System (GNSS) Receiver Autonomous Integrity Monitoring (RAIM). Residual-based fault detection and integrity monitoring techniques are ubiquitous in linear over-determined sensing systems. An important application is RAIM, as used in multi-constellation GNSS-based positioning. This is a field in which the number of measurements, m, available per epoch is rapidly increasing due to new satellite systems and modernization. Spoofing, multipath, and non-line of sight signals could potentially affect a large number of these signals. This article fully characterizes the impact of measurement faults on the estimation (i.e., position) error, the residual, and their ratio (i.e., the failure mode slope) by analyzing the range space of the measurement matrix and its orthogonal complement. For any fault scenario affecting h measurements, the eigenvalue problem that defines the worst-case fault is expressed and analyzed in terms of these orthogonal subspaces, which enables further analysis. For h>(m−n), where n is the number of estimated variables, it is known that there always exist faults that are undetectable from the residual vector, yielding an infinite value for the failure mode slope. This article uses the range space and its complement to explain: (1) why, for fixed h and n, the failure mode slope decreases with m; (2) why, for a fixed n and m, the failure mode slope increases toward infinity as h increases; (3) why a failure mode slope can become infinite for h≤(m−n). A set of examples demonstrate the results of the paper.


Introduction
Multi-constellation Global Navigation Satellite Systems (GNSSs) have reached a maturity level where they are routinely relied upon as critical positioning systems that require a high degree of integrity [1,2]. The integrity of a positioning system is a measure of how much trust can be allocated to the correctness of the position solution [3]. This measure includes the ability of that system to be monitored (by itself or otherwise) and to provide timely warnings to the user when the system should not be used for positioning. Integrity monitoring, thus, requires the system to detect faulty measurements before they cause out-of-specification performance [4].
Receiver Autonomous Integrity Monitoring (RAIM) is one well-established method of ensuring the consistency of the positioning solution and assessing the integrity risk posed by available measurements [4][5][6]. Integrity risk is defined as the probability of undetected faults causing unacceptably large positioning errors [7]. Current implementations of residual-based RAIM (RB RAIM) are designed to detect faulty measurements and to evaluate the safety risk posed by possibly undetected faults (see Section 23.7 in [8]).
Integrity monitoring is applicable to a wide array of sensors that provide redundant measurements. Early approaches to RAIM emphasized its use to supplement various modes of aerospace navigation [9][10][11] or the ability of RAIM to enhance satellite-based augmentation services [12], such as the Wide Area Augmentation System (WAAS) [13]. The research in [13,14] proposed an implementation of weighted RAIM to compute Vertical Protection Levels (VPLs) for precision approach and landing supported by information from WAAS. Notable is that all the above methods assumed only single-measurement faults. This was justified by the assumption that measurement faults were caused by partial or complete satellite failure and that the likelihood of more than one satellite failing simultaneously is small.
Multi-measurement fault scenarios can be computationally challenging. In a scenario where the total number of measurements is denoted by m and the number of faulty measurements is denoted by h, the number of combinations of sensor faults that must be considered is ( m h ), which grows rapidly with both m and h. The growing availability of multiple GNSS constellations with multi-frequency measurements available per system means that the number of measurements available per epoch is rapidly increasing; therefore, m entering the 50-100 range is not unreasonable even in low-cost receivers [15][16][17][18].
In emerging applications, such as urban automotive navigation, healthy satellites could have faulty measurements (i.e., out-of-specification range errors) due to non-lineof-sight signals [19,20], strong multipath [21,22], ionospheric effects [23][24][25], and other environmental factors [26]. In low-latitude regions, ionospheric scintillation can be more pronounced [27], and persistent satellite oscillator anomalies resembling ionospheric scintillation have been recently reported to affect multiple GPS satellites [28,29]. Spoofing is an important threat to GNSS, which is achieved by simultaneously altering all satellite measurements in a targeted region [30][31][32][33]. These examples demonstrate that multimeasurement faults (i.e., h 1) are a reasonable possibility that cannot be ignored. In such multi-fault hypotheses, the fault direction is unknown; therefore, an upper bound on the integrity risk is derived for the worst-case fault direction in each h-fault scenario, using the worst-case failure mode slope [7,34]. This slope is defined as the largest ratio of the fault-induced estimation error to the fault-induced residual [34]. The failure mode slope is infinite when a fault is undetectable from the residual vector. For example, when the fault is in the range space of the measurement matrix, it is undetectable and the failure mode slope is infinite (see p. 110 in [10]). Such a fault can always be found when h > (m − n), where n is the dimension of the vector that is being estimated. Single (i.e., h = 1) and double measurement (i.e., h = 2) fault scenarios are considered in, e.g., refs. [13,34], respectively. Multi-measurement fault scenarios (1 ≤ h) are considered in [7,35], where the worst-case fault vector was determined by solving an eigenvalue problem. The worst-case slope is the maximum eigenvalue and the worst-case fault direction corresponds to its eigenvector. The analysis of [7] considers only one component of the state vector, which would be important in applications such as the vertical error in precision aircraft landing.
However, in other applications, such as land and sea navigation, there is interest in how multiple faults affect vector quantities, i.e., the horizontal position [36,37]. This paper studies how the RB RAIM failure mode slope changes as a function of the number of measurements, m, and the number of faulty measurements, h. The analysis uses the SVD as a tool: (1) to explicitly characterize the fault-induced estimation error and the fault-induced residual; (2) to find and characterize the linear space of faults that affect the residual, but not the estimate; (3) to find and characterize the linear space of (undetectable) faults that affect the estimate, but not the residual; and (4) to provide an analytic expression for the worst-case fault direction for all 1 ≤ h ≤ m. In addition, the expression that results from the SVD approach provides additional physical insight into the solution. In the case where h > (m − n), this article provides an orthogonal basis for the (m − n) dimensional linear space of faults that have infinite failure mode slope and are, hence, undetectable by residual-based detectors. Finally, this paper shows that, even in the case that h ≤ (m − n), it is possible to have an infinite failure mode slope and provides analytic expressions that determine when this is the case. The examples in Section 10.4 demonstrate the main points of the article, including an example of undetectable faults when h = m − n.
This paper is organized as follows: Section 2 introduces the measurement model, including assumptions and models of the noise and fault. Section 3 defines the notation and symbols adopted. Section 4 uses the SVD decomposition of the measurement matrix to analyze the effects of noise and faults on the estimation error and residual. Section 5 reviews concepts related to integrity risk, while Section 6 reviews the concept of the failure mode slope. Section 7 presents new results on the best and worst-case fault direction vectors for general fault scenarios, showing them to be intrinsically related to certain singular vectors of the measurement matrix. An analytical expression for the upper bound on the estimation error is also provided. Section 8 analyzes worst-case fault modes for different fault scenarios, beginning with single-measurement faults, then double-measurement faults, and, ultimately, multi-measurement faults. Section 9 discusses the generalization of the approach when only subspaces of the estimated state are of interest. Section 10 presents and discusses GNSS examples demonstrating the results herein. Section 11 provides concluding remarks.

Problem Formulation
Consider the following over-determined linear measurement model, which applies to multi-constellation GNSS: where y ∈ R m×1 is the measurement vector; H ∈ R m×n is the measurement matrix, with m > n and rank(H) = n; x ∈ R n is a vector to be estimated; η ∈ R m is measurement noise that is assumed to be Gaussian with η ∼ N (0, C η ), where C η = σ 2 η I; and f ∈ R m is the fault (sometimes also referred to as the bias or failure). The fault f is defined as: where µ ∈ R is the magnitude of the fault, and the unit vector f is the fault direction. In the absence of a fault, µ = 0. This papers investigates the impact of f on the estimation error and the fault detector, within the context of evaluating Hazardously Misleading Information (HMI). This paper uses the term fault scenario to mean a combination of faults affecting h measurements (i.e., the vector f has h non-zero components). The failure mode is defined to be a specific combination of measurements within a fault scenario. Note that there are M h = ( m h ) different failure modes within each fault scenario. For each failure mode, one of the goals of this paper is to explicitly define the worst-case fault direction and its failure-mode slope.
In many applications, the analyst is only interested in a rotated subvector of x. Such situations are easily addressed within the context of this article by defining z = M x and applying the methods herein to the vector z instead of x. In this context, M combines a rotation and projection matrix. For example, in an automotive application, the horizontal position error is usually of primary interest. Assume that GNSS provides an estimate of x = [x, y, z, b] ∈ R 4 , where x, y, z are the position coordinates in an Earth-Centered Earth-Fixed (ECEF) reference frame, and b is the receiver clock bias. Then, M ∈ R 2×4 can be defined as: where T E R ∈ R 4×4 is a rotation matrix from ECEF to tangent plane [38]. This definition of M transforms x from ECEF to tangent plane and only retains the horizontal position components, removing the vertical position and the clock bias components.
In the analysis that follows, the derivations will be performed on the general case, estimating the full estimation vector x. Later in the paper, the horizontal position special case will be considered.

Notation
Different equality symbols will be used to distinguish between definitions, computations, and theoretical models used for analysis. The symbol ' ' indicates a definition of a specific model or quantity. The symbol ' . =' indicates that the quantity on the left-hand side can computed from the quantities on the right-hand side. The symbol '=' indicates that an equation is a theoretical model, not a definition or a computation used in implementations. Such models are used for analysis and physical interpretation of quantities.
The analysis of this article will use the singular value decomposition (SVD). The SVD of a matrix H ∈ R m×n is where U = [U 1 , U 2 ] ∈ R m×m is a unitary matrix with two orthogonal submatrices U 1 = [u 1 1 , · · · , u n 1 ] ∈ R m×n and U 2 = [u 1 2 , · · · , u m−n 2 ] ∈ R m×(m−n) ; Σ ∈ R n×n is positive definite and diagonal, where the diagonal elements α 1 ≥ α 2 ≥ . . . ≥ α n > 0 are the singular values of H; and V ∈ R n×n is unitary. These matrices have interpretations that are useful for the analysis: V is an orthonormal basis for the domain of H; U 1 is an orthonormal basis for the n dimensional linear space that is the range of H; and U 2 is an orthonormal basis for the (m − n) dimensional linear space that is orthogonal to the range of H.
The term eigenvalue problem will refer to the constrained quadratic optimization problem of the form: where A ∈ R n×n is a real symmetric matrix. The solution x * ∈ R n is the eigenvector corresponding to the largest eigenvalue of A [39]. That eigenvalue is max When necessary, the actual and estimated values of a quantity are distinguished by x andx, respectively. Vectors and matrices are written in boldface, with vectors in lowercase and matrices in uppercase. For example, v ∈ R n is an n-element vector and V ∈ R n×n is an n × n matrix. Positive definiteness (i.e., v V v > 0, ∀v = 0) and semi-definiteness (i.e., v V v ≥ 0, ∀v = 0) of a matrix is indicated by V 0 and V 0, respectively. The matrix I n×n = I n ∈ R n×n is the n × n identity matrix. The symbol v indicates the unit vector in the direction of vector v. The vector e i is the i-th column of I, which is the i-th standard basis vector of R n , where i ≤ n. Throughout the article, tr(·) is the trace operator and · is the L 2 norm. For random vector ζ, its mean squared value will be denoted as ζ 2 M = E ζ ζ . Other notations will be defined when used.

Analysis of the Estimation Error and Residual
For measurements described by Equation (1), the minimum-variance unbiased (MVU) estimate of x is computed as [40]: where In the special case where C η = σ 2 η I, this simplifies to H * (H H) −1 H . This special case is the main focus of this article.
The analyses that follow use the SVD of H to analyze the impact of faults on the estimation ofx. Substituting Equation (4) into the definition of H * in Equation (7) yields H * = V Σ −1 U 1 , so that Equation (7) becomes: Equation (8) is derived in Equation (S5) of Section S1 in the Supplementary Materials [41].

Effects of Noise and Faults on the Estimate
To analyze the effect of the measurement noise η and fault f, substitute (1) into (7): The estimatex is a Gaussian random variable with The estimation error defined as δx =x − x relates to the noise and fault vector as: The expected value and covariance of the estimation error are: The fault induces an unknown bias δx f on the estimate but does not affect its covariance, which remains C x . The estimation error distribution is Gaussian: Section S2 of the Supplementary Materials [41] shows that the mean-squared-error (MSE) of the estimate is: where Equation (14) shows that the fault and noise have independent effects on the norm of the estimation error.
The first term allows the evaluation of the effect of specific faults on the estimate, given any specific instances of the measurement matrix H and fault vector f. This will allow the analyst to find bounds on the estimation error under different fault scenarios.
It is convenient to rewrite the fault f using the orthogonal basis of R m defined by the columns of U: where a ∈ R n and b ∈ R (m−n) are coefficient vectors. Specifically, Substituting the orthogonal decomposition of (16) into (10) yields: Equation (18) shows that δx f V Σ −1 U 1 f = V Σ −1 a, which has the following interpretation.

Fact 1.
Any portion of a fault f that is within the span of the (m − n) dimensional linear space defined by the columns of U 2 has no effect on the estimate.

Effects of Noise and Faults on the Measurement Residual
The measurement residual is whereŷ The matrix P is the projection matrix onto the range space of H. It is symmetric, positive semi-definite, and idempotent with rank(P) = n. See Lemma S1 of Section S1 in the Supplementary Materials [41].
The effect of noise η and fault f on the measurement residual is analyzed by substituting (1) into (19): Equation (20) shows that r = r f + r η where the fault-induced residual is r f = Q f and the noise-induced residual is r η = Q η. The matrix Q (I − P) = U 2 U 2 ∈ R m×m is the projection matrix onto the complement of the range space of H. Therefore, Q P = P Q = 0 and Q H = 0. The properties of Q are discussed in Lemma S2 of Section S1 of the Supplementary Materials [41]. It is a symmetric, positive semi-definite, and idempotent matrix with rank(Q) = (m − n). Substituting Equation (16) into (20) yields Equations (20) and (21) have the following interpretation.

Fact 2.
Any portion of a fault f that is within the span of the n dimensional linear space defined by the columns of U 1 has no effect on the residual.
The expected value and covariance of r are: The covariance matrix C r is only positive semi-definite, so not invertible [42]. The distribution of r is Gaussian: Section S3 of the Supplementary Materials [41] shows that the MSE of the residual is: where The residual MSE defined in (24) is the sum of a fault-dependent component, r f 2 , and a noise-dependent component, r η 2 M .

Fault Decisions
The residual-based test statistic is with faults declared when T r ≥ T * . (Alternatively, RAIM methods can be defined based on a parity vector [7,10]. By the definition of a parity vector, it is the case that any parity vector must satisfy p R U 2 y, where R is a unitary matrix. Therefore, r = U 2 R p and r = p because U 2 U 2 = I. Because r = p , the two test statistics are completely equivalent. This article chooses to focus on the residual vector. All results herein extend directly to the parity vector.) Based on Equation (19), the test statistic can also be computed as T r . = y Q y. The procedures to select T * based on the probability of false alarm and continuity risk specifications are described in [13,43].

Integrity Risk Evaluation
Integrity risk evaluates the probability of having Hazardously Misleading Information (HMI) [8]. HMI refers to the case when the estimation error exceeds a predefined threshold referred to as alarm limit L, while the fault detector T r does not detect a fault. It is written as: The probability of HMI, P(HMI), is evaluated under different fault hypotheses H h,i . The number of fault hypotheses for m measurements, of which h are fault-affected, is M h = ( m h ) (i.e., the number of permutations of m items taken h at a time). Therefore, the integrity risk can then be expressed as: where the possible M h hypotheses for each h = 1, . . . , m are assumed mutually exclusive and jointly exhaustive. Full evaluation of integrity risk requires evaluating each term in the summation of (28). However, this incurs a heavy computational cost when M h becomes large; therefore, some references employ hypothesis reduction approaches that only evaluate a subset of hypotheses, while accounting for the remaining hypotheses by assigning them a probability of occurrence [44]. For example, if a bound P R can be defined such that In this case, the analyst only needs to evaluate P h (HMI) for h = 1, . . . , h . The procedures to determine h and the corresponding P R are described in [45,46]. These papers presents reasonable values for h in the context of the historical data of single satellite failure. They do not consider situations with large numbers of faulty measurements due to spoofing, non-line-of-sight signals, etc.

Hypothesis Probabilities
Let P(H h ) denote the probability of one of the h-fault scenarios occurring. Usually the probabilities of occurrence of all fault hypotheses H h,i are assumed to be equal: The allocation of the nominal probabilities for each fault scenario is such that where P 0 is the probability of the fault-free scenario. The value of each P(H h,1 ) is small and determined empirically. See, e.g., ref. [7].

Evaluating P(HMI
The probability of HMI under the i-th of the h-fault hypotheses is The failure mode slope, which is reviewed in Section 6, provides a means of predicting the probability that P ( δx 2 > L 2 ) (T r < T , H h,i ) based on T r , as defined in Equation (26).

Failure Mode Slope
The literature defines the failure mode slope g f as the ratio between the norm of the fault-induced bias of the estimate, δx f and the norm of fault-induced residual r f : as in refs. [4,7,35,43,[47][48][49][50]. Equation (32) can be reorganized as: which shows that, for a given g f , the norm of the fault-induced estimation bias grows proportionately with norm of the fault-induced residual. The largest estimation error δx f induced by the fault f that is not detectable for the residual test T r ≤ T is: When the maximum failure mode slope is bounded, g f ≤ḡ f , over a specified set of possible fault scenarios (e.g., 1 ≤ h ≤ h ), then selecting T as a function of L 2 g 2 f allows the RAIM designer to control the probability of HMI. If T r > T or g f >ḡ f for the current set of available satellites, RAIM can declare the navigation solution to be unavailable [11,48].
Based on Equations (15) and (25), for any given fault direction f, the failure mode slope can be computed as: where the fault direction f defines the coordinate vectors a and b, as in Equation (17). The failure mode slope depends on the satellite constellation geometry (i.e., H through Σ, U 1 and U 2 ), and on fault direction through f, but not on the fault magnitude.

Best and Worst-Case Faults
Equation (35) shows that it is the direction of the fault, not the magnitude, that is of interest. Because Σ is diagonal, Equation (35) is equivalent to where α i are the singular values of H. Based on Equation (36), with a and b defined as in Equation (17), the following conclusions are straightforward: Best Case: For any fault that has a = 0 and b = 1, the fault direction f ∈ span(U 2 ). In this case, the numerator is zero and the failure mode slope g f = 0. Physically, this means that the fault has absolutely no impact on the state estimate.
Worst Case: For any fault that has a = 1 and b = 0, the fault direction f ∈ span(U 1 ). In this case, the denominator is zero and the failure mode slope g f = ∞.
Physically this means that the fault has no impact on the residual. Therefore, the residual test cannot detect it.
Note that, in both cases, the fault direction is not unique. Rather, each case allows an uncountably infinite number of fault directions within a finite dimensional subspace of R m .
Within the worst-case subspace, certain directions can still be considered worse than others. The problem of finding a unit vector a that maximizes the numerator (i.e., the estimation error for µ = 1) is formulated as: The problem in Equation (37) is a constrained quadratic maximization problem as in (5), of which the solution is the eigenvector corresponding to the largest eigenvalue of U 1 Σ −2 U 1 . Therefore, the worst-case fault direction that has the greatest impact on the estimate per unit change in fault magnitude is the vector f w = u n 1 , making the worst-case fault vector f = µ u n 1 . Using Equation (17), the coefficient vector corresponding to this fault direction is: where e n ∈ R n is the n-th standard n dimensional unit direction vector. Using Equation (14), the corresponding mean-squared estimation error is: This shows that the growth in the estimation error caused by the fault f = µ u n 1 is directly proportional to the inverse of the smallest singular value of H and the residual vector is not affected.
This section discussed the best and worst-case fault directions in the general case. Typically, these worst-case faults have non-zero contributions from all sensors; therefore, they do not correspond to any specific fault scenario with h < m. When a fault has a non-zero component in the linear space spanned by U 2 (i.e., b = 0), then g f is finite. The next section analyzes and determines the worst-case fault for general h-fault scenarios.

Single, Double, Multi-Measurement Faults
This section considers different h-fault scenarios. The failure mode slope of Equation (32) can be used as the metric for fault impact; therefore, the worst-case fault direction is defined as: This problem will be solved for different h-fault scenarios, beginning with faults affecting single measurements (i.e., h = 1), then two measurements (i.e., h = 2), and finally culminating with a general discussion of multi-measurements faults (i.e., h ≥ 1). For each scenario, the analysis determines conditions when there are faults that cause the failure mode slope to be infinite. When the failure mode slope is finite the worst-case fault direction is determined.

Single-Measurement Faults
Single-measurement faults have the form f = µ e j for j = 1, . . . , m. For each such single-measurement fault, Equation (40) becomes where u i(j) 1 is the j-th element of vector u i 1 for i = 1, . . . , n and u i(j) 2 is the j-th element of vector u i 2 for i = 1, . . . , (m − n). For each j, the value of g f (e j ) can be determined. The one with the largest value determines the worst-case single sensor failure (i.e., fault direction).
In the single fault scenario, g f can be infinite if an entire row of U 2 is zero. For example, the rank 4 matrix H defined as: which means that a single-sensor fault on any one of measurements 2, 3, or 4 cannot be detected by the residual (or parity) test statistic.

Double-Measurement Faults
For a double-measurement fault, two of the measurements are affected, not necessarily to the same extent. The fault is a linear combination of the individual measurement directions: where, for j = k, e jk s j e j + s k e k is the overall fault direction, and s j , s k ∈ [−1, 1] are scaling coefficients such that e jk 2 = s 2 j + s 2 k = 1. The fault direction vector e jk can be written as: where s ∈ R 2 , and D jk ∈ R m×2 are a binary matrix of which the only non-zero elements are in the j-th and k-th positions of the two columns, respectively, i.e.: For each such two-fault mode, Equation (40) becomes with ∆ jk = D jk Q D jk ∈ R 2×2 , Q = U 2 U 2 , and Γ jk = D jk U 1 Σ −2 U 1 D jk ∈ R 2×2 . Given these definitions, Both Γ jk and ∆ jk are symmetric and, at least, positive semi-definite. The failure mode slope for each pair (j, k) is determined by the value of s that maximizes g f (e jk ), as defined in Equation (45). This optimization problem is: When ∆ jk is positive definite (i.e., nonsingular and invertible), then it has a square root matrix, denoted as ∆ 1 2 jk , which is, itself, positive definite and symmetric [42], and ∆ jk can be expressed as ∆ jk = ∆ 1 2 jk ∆ 1 2 jk . As discussed in [35], the problem in Equation (46) is equivalent to Letting q = ∆ 1 2 jk s, the problem becomes: where (48) is an eigenvalue problem of which the solution q * jk is the eigenvector corresponding to the largest eigenvalue, denoted as λ * jk , of Ψ jk . Therefore, s * = ∆ − 1 2 q * and g * f = λ * jk . Each pair of satellites yields a value for λ * jk . There are ( m 2 ) possible combinations that must be evaluated to quantify the worst-case impact of double-measurement faults on the estimation error and solution integrity.

Multi-Measurement Faults
This section generalizes the approach of Section 8.2 to the general case of h sensor failures. A fault that affects h measurements, for 1 ≤ h ≤ m, can be written as: where π denotes a permutation of the set of integers between 1 and m that has cardinality |π| = h. The fault direction vector e π can be written as: where e π 2 = 1 and s ∈ R h with s 2 = 1. The matrix D π ∈ R m×h is as defined in (44), but with h unique columns.
For the h-fault scenario, the g f (f) in Equation (40) is equivalent to Letting π j denote the j-th element of π for j ∈ {1, . . . , h} and defining Φ = U 1 Σ −2 U 1 , the matrix Γ π = D π Φ D π ∈ R h×h has the form: where u i,π j 1 denotes the element in row i and column π j of U 1 (similarly for u i,π j 2 ). The matrix ∆ π = D π Q D π ∈ R h×h has the form: The matrix ∆ π is singular if any vector in the span of D π lies entirely in the span of U 1 or if at least one of the rows of U 2 is zero. Additionally, Section S4 of the Supplementary Materials [41] shows that ∆ π is singular whenever h > m − n but does not say anything about the case h ≤ (m − n).
As was conducted to convert from Equation (46) to (48), the square root of ∆ π defines The worst-case fault direction problem from Equation (40) for the h-fault scenario is equivalent to: For some values of h, ∆ π can be singular for some π. Therefore, there are two cases to be considered: ∆ π is singular and ∆ π is nonsingular. When ∆ π is nonsingular, the solution to Equation (53) is the eigenvector corresponding to the largest eigenvalue λ * π of Ψ π . Then, s * = ∆ − 1 2 π q * π and the worst-case fault direction is: The failure mode slope g * f = λ * π is finite. When ∆ π is singular, the matrix ∆ − 1 2 π does not exist, so the problem in Equation (53) cannot be formulated and solved. This case is discussed in Section 8.4.

Undetectable Faults
This section further discusses the case that ∆ π is singular. Let q denote the number of zero eigenvalues of ∆ π , with 0 < q < h. Consider an eigendecomposition ∆ π = W A W , where W = [w 1 , · · · , w q , · · · , w h ] ∈ R h×h and A = diag(λ 1 , · · · , λ h ) ∈ R h×h , with {λ i } i=1,...,q = 0. The eigenvectors corresponding to the zero eigenvalues span a linear subspace of which the basis is {w i } i=1,...,q . For s in this linear subspace: where W q = [w 1 , . . . , w q ] ∈ R h×q and c ∈ R q , with c 2 = 1. Any s in this subspace will be in the null space of ∆ π , meaning that r f = 0. Therefore, g f = ∞. The fault-induced estimation error is δx f = Σ −1 U 1 D π W q c, with norm where Υ = W q D π U 1 Σ −2 U 1 D π W q is symmetric and positive semi-definite. The vector that maximizes the quadratic form in Equation (55) is: Equation (56) is an eigenvalue problem; therefore, c * is the eigenvector associated with the largest eigenvalue υ * of Υ. Of all the undetectable fault directions, the fault direction that causes the largest estimation error is and the worst-case fault-induced estimation error (per unit fault) is: max c ( δx f 2 ) = υ * .

Effect of Number of Faults on Failure Mode Slope
Whether g f is finite (i.e., ∆ π is singular) depends on (1) how many measurements have faults, h, and (2) the structure of the measurement matrix H. The discussion below summarizes how the failure mode slope changes with the number of faults h.
When singular, rank(∆ π ) < h, the worst-case fault direction is given by Equation (57) and the failure mode slope is unbounded, i.e., g f = ∞. (b) As h increases toward (m − n), the numerator in Equation (40) is bounded above by the squared reciprocal of the smallest singular value (i.e., 1 α 2 n ), while the (worstcase) denominator can decrease toward zero, which causes the failure mode slope to increase toward infinity. (c) When h > (m − n), ∆ π is singular. Therefore, there is at least one fault direction, as defined in Equation (57), that will make r f 2 = 0. As a result, g f = ∞.
(d) For h = m, D π = I m and ∆ π = Q. This ∆ π has (m − n) eigenvalues values that are one and n eigenvalues that are zero. The eigenvectors corresponding to the zero eigenvalues are in span(U 1 ), which is the null space of U 2 . As stated in Section 6, any fault in span(U 1 ) is not detectable from the residual and has g f = ∞. In particular, the worst-case fault direction is f w = u n 1 , which is undetectable and affects the state estimation error the most. This is the same solution as that in Equation (57).

Effect of Fault on Horizontal Position
The previous sections analyzed the general case for the full estimation vector x. In some applications, the analyst might only be interested in a portion of the estimation vector z that is linearly related to x. For example, in automotive transportation applications, there is often a focus on the horizontal position. In this case, the goal is to analyze how the worst-case fault affects the horizontal position, which satisfies The failure mode slope associated with the horizontal position is defined as: Because both y andŷ are unchanged despite the transformation on the estimation vector, the measurement residual r, defined in (19), remains unchanged. The horizontal position error is: which makes the fault-induced and noise-dependent portions of the horizontal position error, respectively: The worst-case fault direction for the horizontal position error can be found by the same methods used in the previous subsections. The only difference is that the matrix Φ used to compute Γ in Section 8.2 becomes: The norm of the fault-induced horizontal position error is and the analysis in Section 8 for g f defined in (32) could be repeated with g f defined as in Equation (58).

Example Discussion
This section provides examples demonstrating selected topics from the paper in the context of GNSS applications.

Fixed Number of Measurements
Consider the measurement matrix H used in [43,49]: The number of measurement is m = 6. The number of variables to be estimated is n = 4. The pseudorange noise vector η is considered to be zero-mean Gaussian with standard deviation σ η = 3.30 m, i.e., η ∼ N (0, σ 2 η ). The position vector portion of x is represented in a local tangent plane.
For single-measurement faults, h = 1, the fault is written as f i = µ e i ∈ R 6 , where e i is the i-th standard basis vector in the R 6 for i = 1, . . . , 6. The squared failure mode slope g i f relating δz f to r f for each i is computed by Equation (41) Figure 1 plots the horizontal position error norm versus the norm of the residual vector. This axes format matches that used in, e.g., refs. [10,11,43]. For each satellite, Figure 1 displays two items: (1) lines with slope g i f , and (2) samples of δz computed for three values of µ and N = 1000 instances of noise η. For each instance, the η, µ, and e i are used to construct a measurement vector y using (1), which is solved for δz using (59) and the residual-based test statistic r is computed using (24). Because η is a Gaussian random vector, simulating N measurements with the same f i produces a point cloud of ( r , δz ) values, each depicted by a dot. Each point cloud is an ellipsoid of which the center is the mean ( δr f , δz f ) (for a given µ). For the smallest value of µ, the six clusters are very near the origin. As µ increases, the cluster corresponding to fault direction e i moves away from the origin along the line with slope g i f , as the theory predicts. The largest failure mode slope occurs for i = 1 (i.e., green). This means that a fault on the measurements from satellite 1 will cause the largest change in the estimated vector per unit increase in δr f . This does not, however, mean that this fault will produce the largest estimated position error for a given value of µ, because its effect on both δz f and δr f can be small, while g f is their ratio. Table 1 shows the values of δz f , r f , and g f for µ = 100. A fault on a measurement from satellite 4 produces the largest position error, but it also produces a proportionally larger test statistic. The value of µ affects both the numerator and denominator of g f but not their ratio and, hence, not the value of g f .  Table 2 shows the worst-case squared failure mode slopes for different h-fault scenarios. In addition, it shows the fault-induced horizontal position error and residual squared norms, computed for µ = 1. Due to the fact that the largest single measurement fault slopes in Table 1 correspond to measurements i = 1 and i = 4, one might assume that when h = 2, the worst-case failure mode slope would occur when measurements from these two satellites are affected. This turns out not to be the case. The largest g f corresponds to faults on satellites 1 and 6 with coefficients s = 0.9352 −0.3541 and the overall fault direction, as defined in (43).
The matrix H is expressed as: As m is increased, the first (m − 1) rows remain the same, while one new row is added.
Using this H, for the first six fault scenarios (i.e., h = 1, . . . , 6), each column of Table 3 shows the worst-case g f for a fixed value of h as a function of m. Each column of Table 3 is graphed in Figure 2 as a dotted line of a unique color. The color code corresponding to different values of h is defined along the right side of the figure. Note that, for each fixed h (i.e., any column), the value of g f decreases as m increases. Section 6 discussed that the detection threshold T * can be set as a function of the worstcase failure mode slope g * f . The fact that g f decreases for fixed h as m increases allows the designer to reduce integrity risk for the h-fault scenario by increasing the number of measurements used.

Multi-Measurement Faults: Increasing h
Each row of Table 3 shows the worst-case g f for a fixed value of m as a function of h. Note that for each fixed m (i.e., any row), the value of g f increases with h. The fact that g f increase for fixed m as h increases shows that integrity risk increases with higher h-fault scenarios. For a given H, m is constant. The reason why the worst-case g f increases as a function of h is explained as follows. As h increases to h = h + 1, the matrix D π gains an additional column and the vector s gains an additional row. This allows more flexibility in choosing the worst-case fault direction, which maximizes g f . Whatever direction caused the worstcase fault for h is still a viable fault for h (just set the coefficient for the new row of s to zero); however, the additional column of D π may allow the optimization defined in Section 8.3 to find a new fault direction such that g f (h ) ≥ g f (h). The fact that the worst-case g f increases with h is shown by Table 2 for the specific H in Equation (62); each row in Table 3 for the H defined in Equation (63); and the colored dots at any fixed value of m in Figure 2. Figure 3 separately graphs the numerator x f w (blue) and denominator r f w (red) of Equation (40)  . For each m, as h increases, the value of x f w tends toward, but is bounded above by 1 α n , where, for this example, α n = 1.938 for m = 22. The increase toward the upper bound is not monotonic. The worst-case fault f w is defined based on the ratio g f defined in Equation (32). This ratio can increase even if the numerator decreases with h, as long as the denominator decreases at least a proportionate amount. For each m, as h increases, the value of r f w tends (not monotonically) toward zero. As the r f w approaches zero, g f approaches infinity. The fact that g f increases toward infinity is not due to δx f becoming very large but due to r f approaching zero. Table 3. Values of the worst-case g f for the first six fault scenarios. As m increases, the worst-case g f decreases uniformly for a fixed h. As h increases, the worst-case g f increases uniformly for a fixed m.

How Does g f Become Infinite for h ≤ (m − n)?
Define h * as the value of h at which ∆ π becomes nonsingular for a given H. For h ≥ h * , there exist faults that do not affect the residual and, therefore, are undetectable from it for any threshold T .
Consider the H in Equation (63) that produced the results in Table 3. For m = 6 and (m − n) = 2, g f is finite for h = 1 and 2 and infinite for h > 2; therefore, h * = 3. For m = 7 and (m − n) = 3, h * = 4 and there are 3 finite values of g f . For all values of m, there are, at most, (m − n) finite values of g f since ∆ π is singular for all h > (m − n). From Table 3, for m = 6 to 10, h * = (m − n) + 1, which is the known case [10].
As shown in Section 8. This shows that increasing the number of measurements m results in a trade-off. For a given h, g f (m) decreases as m increases; however, g f (m − n) is non-decreasing with m, and h (m) may become less than or equal to (m − n).

Conclusions
This paper analyzed the effect of measurement faults on the estimation error, measurement residual, and the failure mode slope in linear over-determined systems, such as GNSS. Of particular interest is the case where m is large because the number of GNSS measurements is increasing. The singular value decomposition provides formulas for the fault-induced estimation error and residual vector (see Equations (10) and (20), respectively) in terms of the orthogonal basis (i.e., U 1 ) for the range of H and the complement of the range space (i.e., U 2 ). This decomposition provides convenient formulas for the failure mode slope and worst-case fault in Equations (36) and (40). Using this decomposition, Section 7 provides U 1 as a basis for the n dimensional linear space of faults that are undetectable from the residual (or parity) vector and U 2 as the basis for the linear space of faults that affect the residual vector without affecting the estimate. For each fault scenario affecting h measurements, finding the worst-case fault is known to be an eigenvalue problem. Herein, this eigenvalue problem is written in terms of these two linear spaces, as in Equations (51) and (53). The detectability of any fault in the h-fault scenario from the residual vector depends on whether the range space of the matrix D π , which is a permutation of h columns of the identity matrix, has a component in the linear space spanned by U 1 . Building on this idea, it is clear from Equation (40) that, as h increases, the numerator is bounded above by the squared reciprocal of the smallest singular value (i.e., 1 α 2 n ), while the (worst-case) denominator can decrease toward zero, which causes the failure mode slope to increase toward infinity. Alternatively, for a fixed h, as the number of measurements m increases, the dimension of the vector r f in the denominator increases, which tends to decrease the failure mode slope for h. Simulated GNSS examples are included to demonstrate the results derived herein.

Data Availability Statement:
No new data were created or analyzed in this study. Data sharing is not applicable to this article.