Any condition where a measurement no longer behaves according to the assumed model \(\mathbf{z}_k = h(\mathbf{x}_k) + \mathbf{v}_k\) with \(\mathbf{v}_k \sim \mathcal{N}(\mathbf{0},\,\mathbf{R}_k)\). A fault violates the distributional assumptions of the estimator. The filter has no internal way to know it; it ingests the corrupted measurement and silently drifts away from truth.
Extra noise stays consistent with the filter's noise model, just larger. The filter's covariance \(\mathbf{P}\) grows accordingly and remains a valid bound on the error. A fault breaks the model: the residual carries a systematic, non-zero-mean component that the filter does not anticipate, so \(\mathbf{P}\) stays small and becomes inconsistent with the true error.
(1) Spoofing or jamming (intentional bias); (2) unmodeled bias (satellite-clock anomaly, thermal drift, multipath); (3) wrong model parameters (incorrect lever arm, timing offset, scale factor); (4) geometry collapse (satellite dropout or sudden HDOP spike not captured in \(\mathbf{R}\)).
Healthy: \(\boldsymbol{\nu}_k = \mathbf{z}_k - h(\hat{\mathbf{x}}_k^-) \sim \mathcal{N}(\mathbf{0},\,\mathbf{S}_k)\). Ramp fault on one channel with rate \(\dot{b}_f\) starting at \(t_0\): \(\nu_k \approx v_k + \dot{b}_f(t_k - t_0)\). The mean of the innovation grows linearly in time while \(\mathbf{S}_k\) stays at its healthy value.
\(\mathbf{S}_k = \mathbf{H}\mathbf{P}^-\mathbf{H}^\top + \mathbf{R}\) depends only on the filter's own model: the Jacobian, the predicted covariance, and the assumed measurement noise. None of those quantities know anything about a fault. So \(\mathbf{S}_k\) stays small and the test statistic \(\nu_k/\sqrt{S_k}\) grows just because the numerator does.
\(D^2 = \boldsymbol{\nu}^\top\,\mathbf{S}^{-1}\,\boldsymbol{\nu}\). It is the multivariate generalization of "number of sigmas". Each component of \(\boldsymbol{\nu}\) is weighted by its uncertainty, and correlations between components are accounted for via the inverse covariance. Reduces to \((\nu/\sigma)^2\) in the scalar case.
\(D^2 \sim \chi^2(m)\) where \(m\) is the number of measurement components stacked into \(\boldsymbol{\nu}\). This makes detection a hypothesis test against a chi-squared threshold.
\(D^2 \gtrless \gamma\) with \(\gamma = \chi^2_{m,\,1 - P_{\rm FA}}\). \(D^2 > \gamma\) declares a fault; \(D^2 \le \gamma\) declares healthy. Tighter \(\gamma\) means faster detection but more false alarms.
\(D^2 = 225/25 = 9.0\). Just above \(\gamma = 8.83\), so yes — declared a fault at \(P_{\rm FA} = 0.3\%\). The corresponding sigma count is \(\sqrt{D^2} = 3\): a 3-sigma event.
Time-to-detect \(T_D = t_D - t_0\): elapsed time between the fault starting and the detector declaring the fault. Trade-off: tighter detection threshold (smaller \(\gamma\)) means faster detection but more false alarms; looser threshold means fewer false alarms but slower detection on slowly-growing faults.
(1) Exclusion: drop the offending sensor and continue with the remaining ones; (2) accommodation: inflate \(\mathbf{R}\) for the suspect sensor or augment the state with a per-sensor bias; (3) recovery: re-introduce the sensor once its innovations return to nominal; (4) multi-filter: run sub-filters each excluding one sensor; the consistent sub-filter identifies the bad one.
Accuracy: how close is the estimate to truth, on average. Integrity: can I trust this estimate right now, including under a single-sensor fault? Integrity is a worst-case guarantee, not an average-case statistic.
The fault corrupts \(\hat{\mathbf{x}}\) but does not enter \(\mathbf{P}\), because the filter has no internal mechanism that recognizes a model violation. \(\mathbf{P}\) stays small while the true error grows, and the resulting ellipse no longer contains truth — the filter is "confidently wrong".
\(\mathrm{HPL} = n_\alpha \sqrt{P_{\mathrm{int},N} + P_{\mathrm{int},E}}\) and \(\mathrm{VPL} = n_\alpha \sqrt{P_{\mathrm{int},D}}\). \(P_\mathrm{int}\) is the diagonal of the integrity covariance from the multi-filter architecture, not the main filter's \(\mathbf{P}\). \(n_\alpha\) is the multiplier for the desired containment probability (e.g., \(2.576\) for 99%).
Hazardous Misleading Information: the true position error exceeds the reported protection level while the fault is still undetected. Horizontal: \(e_H > \mathrm{HPL}\). Vertical: \(|e_D| > \mathrm{VPL}\). HMI is the most critical failure mode in any safety-critical navigation system because the operator believes a guarantee that no longer holds.
HMI exposure is the total time during the event in which the true error exceeds the protection level. It is at most equal to \(T_D\) (you cannot keep being misleading after detection if you respond), but can be smaller if the error stays under the protection level for part of the pre-detection window. The F-47 ANS Requirement 4 sets \(T_D \le 5\) s and HMI-exposure \(\le 1\) s as separate thresholds, both of which the test campaign must observe.
Run \(N\) sub-filters, each one excluding a different sensor. Under a single-sensor fault, exactly one sub-filter (the one excluding the faulted sensor) stays statistically consistent — its \(D^2\) traces stay below threshold across all its remaining sensors. Scanning the column of sub-filter \(D^2\) traces, the "all healthy" column identifies which satellite to exclude.
For a slowly-growing bias, any single-sample \(D^2\) may stay below the 1-DOF threshold for a long time because the bias is small. Summing 30 samples (with 30-DOF threshold) accumulates evidence: a small per-sample bias becomes a large summed statistic. Trade-off: latency. The window has to fill before the test fires, so detection of an instantaneous large fault is delayed by up to \(M-1\) samples.