Fault Detection and Exclusion for Tightly Coupled GNSS/INS System Considering Fault in State Prediction

To ensure navigation integrity for safety-critical applications, this paper proposes an efficient Fault Detection and Exclusion (FDE) scheme for tightly coupled navigation systems that integrate Global Navigation Satellite Systems (GNSS) and an Inertial Navigation System (INS). Special emphasis is placed on potential faults in the Kalman Filter state prediction step (defined as “filter fault”), which could be caused by undetected faults that occurred previously or by Inertial Measurement Unit (IMU) failures. The integration model is derived first to capture the features and impacts of GNSS faults and filter fault. To accommodate various fault conditions, two independent detectors, designated for GNSS fault and filter fault respectively, are rigorously established based on hypothesis-test methods. Following a detection event, the newly designed exclusion function enables (a) identifying and removing the faulty measurements and (b) eliminating the effect of filter fault through filter recovery. Moreover, we also attempt to avoid wrong exclusion events by analyzing the underlying causes and optimizing the decision strategy for GNSS fault exclusion accordingly. The FDE scheme is validated through multiple simulations, where high efficiency and effectiveness have been achieved in various fault scenarios.


Introduction
The tightly coupled navigation system of Global Navigation Satellite Systems (GNSS)/Inertial Navigation System (INS) is widely acknowledged as a suitable navigation solution for civil and military aircraft, aerial photogrammetry, Unmanned Aerial Vehicles (UAVs), and Mobile Mapping Systems (MMS) [1]. It provides better performance than either a stand-alone GNSS or INS system because it combines their advantages to give a continuous and complete navigation solution with high long- and short-term accuracy [2]. Additionally, tight integration achieves a balance between efficiency and performance in comparison with loose integration and deep integration [3].
Tight integration is usually implemented with an Extended Kalman Filter (EKF) which is a recursive estimator to generate optimal current-time state estimates in nominal cases [4]. However, the EKF-based integration system may produce large errors due to various faults in the system. The faults that affect current-time state estimates may exist in the measurements of GNSS and/or Inertial Measurement Unit (IMU), and may occur now and/or in the past.
In Safety-Critical Applications (SCAs), Fault Detection and Exclusion (FDE) is critical for protecting users from the potential risk caused by rare sensor faults in the navigation system. For example, the position failure of an aircraft or train may threaten the safety of the on-board passengers.
of EKF, faults in IMU can also lead to the estimate bias in state prediction [28]. Despite the fact that Hardware Physics Redundancy (HPR) can significantly improve the reliability of IMU, it is necessary to pay due attention to the faults in IMU measurements. A significant number of serious accidents have happened due to IMU failures, such as the crashes of the Qantas F72 and Croatia Boeing 737-200 [29]. In addition, given that low-cost IMU sensors may be carried on UAVs for future UAM applications, such as passenger/cargo air transportation, the output of IMU must be monitored against the possible faults.
In this paper, we rigorously analyze the influence of FF on FDE and state estimates, and further propose an FDE algorithm to cope with both GNSS faults and FF. With FF being considered, special attention should be paid to the mutual interference between GNSS faults and FF due to its adverse effects on fault detection performance. Accordingly, an FD scheme with parallel detectors, which are respectively designated for GNSS fault and FF, is developed to separate their impacts. Then a two-step FE scheme including GNSS fault exclusion and filter recovery is presented. GNSS fault exclusion intends to remove the faulty measurements in GNSS and filter recovery aims to eliminate the estimate bias in state prediction. Regarding GNSS fault exclusion, an optimized decision strategy is designed to improve the success rate of exclusion, and the mechanism of fault separation, a measure of the fault-exclusion capability, is investigated to reveal the underlying causes of wrong exclusion.
This paper is organized as follows. In Section 2, the mathematical model of GNSS/INS tight integration is described in detail considering various error sources and failure modes. With these analyses, we propose a novel fault detection scheme with two parallel detectors in Section 3. Then a two-step fault exclusion algorithm is presented in Section 4. In Section 5, simulations are carried out to validate the performance of the proposed algorithm in various fault scenarios. Finally, Section 6 concludes the paper and presents some perspectives.

Tightly Coupled GNSS/INS Integration Model
In this paper, tightly coupled GNSS/INS integration is implemented by adopting a closed-loop error-state EKF. The architecture is illustrated in Figure 1. Here, the errors estimated by EKF are fed back every iteration to correct the system itself, maintaining a linear approximation in the system model [1].
The main target of GNSS/INS tight integration is to correct the INS solution and to compensate the inertial sensor errors, with GNSS measurements as external aiding. Let $N_{const}$ be the number of GNSS constellations used in the integration. Then, the $(15 + N_{const} + 1)$-parameter error state in the filter is shown as follows [3]:
where $\delta\varphi$, $\delta v$, and $\delta p$ denote the INS error states of attitude, velocity, and position, respectively; $\nabla_a$ and $\nabla_g$ are the accelerometer and gyro bias vectors; $\delta\rho_u$ and $\delta\dot{\rho}_u$ respectively represent the GNSS receiver clock state vectors, i.e., $N_{const}$ pseudorange biases caused by clock offset regarding each constellation and 1 pseudorange rate bias for receiver clock drift. Specifically, the IMU bias drift in each direction is modelled as a first-order Gauss-Markov process in the filter.
Sensors 2020, 20, 590
The discrete-time process model and measurement model are shown in Equations (2) and (3), respectively.
where $\Phi_{k|k-1}$ is the state transition matrix from epoch $(k-1)$ to epoch $k$; $H_k$ denotes the measurement matrix; $z_k$ is the measurement vector; and $\omega_k$ and $\nu_k$ are the process noise vector and measurement noise vector, respectively. Both $\omega_k$ and $\nu_k$ are modeled as Gaussian White Noise (GWN), with process noise covariance matrix $Q_k$ and measurement noise covariance matrix $R_k$, respectively. In EKF, prediction and update are two essential steps to obtain an optimal state vector estimate. As shown in (4) and (5), the prediction step is used to predict the state vector $x$ and the associated covariance matrix $P$ from the last to the current epoch, using the assumed process model.
where the superscripts "−" and "+" represent a predicted (a priori) estimate and an updated (a posteriori) estimate, respectively. As shown in Equations (6) and (7), the update step is used to update the state vector and the associated covariance matrix according to the measurement model.
where $K_k$ is the Kalman gain matrix and $r_k$ is the innovation vector. The Kalman gain matrix $K_k$ is determined as:
The innovation vector is defined as the difference between the actual measurement vector and the predicted one as shown in Equation (9).
When EKF operates in a closed-loop mode, the predicted state vector $x_k^-$ is zero because of the feedback process [1]. As a result:
where $\rho_G$ is the GNSS pseudorange vector and $\rho_I$ is the predicted pseudorange vector from INS-derived navigation solution (before update) [3]. If the filter works optimally (i.e., fault-free), the innovation sequence $r_k$ is a zero-mean GWN, whose covariance matrix $V_k$ is given as [3]:
In addition to the error states, we should also pay attention to the absolute states (i.e., attitude, velocity, position, IMU sensor biases, and receiver clock states) for the following reasons. First, the navigation system intends to provide the navigation solution rather than the error states to the users. Second, the predicted measurements $\rho_I$ and the innovations $r_k$ depend on the predicted absolute navigation information. To illustrate the relationship between the error states and the absolute states (labeled as $y$), the system-propagation (prediction) process and the measurement-update (update) process in GNSS/INS tight integration are shown in Figure 2.

Error Analysis of Tight Integration Model
Navigation errors are unavoidable due to various errors (noises) in the prediction and update steps of the filter. According to Figure 2, these errors can be divided into three parts: GNSS pseudorange errors, IMU measurement errors, and last navigation solution errors. Table 1 presents a brief introduction to the errors that affect the current-time state estimate, including their causes and models (a detailed illustration is given in [30]).

Table 1. Sources, causes, and models of the errors in the integration system.

| Sources | Causes | Models |
|---|---|---|
| GNSS pseudoranges | They are caused by Signal-In-Space errors, ionosphere and troposphere propagation delay, multipath and receiver noise, etc. | The measurement noise is modeled as zero-mean GWN with covariance matrix $R_k$. |
| IMU measurements | For high-end IMU, only bias drift and random noises should be considered¹. | Bias drift is modeled as a first-order Gauss-Markov process and is included in the error states; random noises are modeled as zero-mean GWN and their covariance is given in $Q_k$. |
| Last navigation solution | The noises in last navigation solution are caused by the noises in previous prediction and update steps. | The noises are described by a zero-mean multidimensional Gaussian distribution, whose covariance matrix is $P_{k-1}$. |

According to Figure 2, both the noises in last navigation solution and those in IMU measurements lead to the errors in INS-derived navigation solution and therefore impact the INS-derived measurements. Based on these analyses, the simplified mathematical models of GNSS pseudorange vector $\rho_G$ and the predicted pseudorange vector $\rho_I$ are given as follows:
where $\rho_R$ is the noise-free (true) pseudorange vector; $\varepsilon_G$ is the pseudorange noise vector; $\varepsilon_I$ represents the INS-derived pseudorange noise vector; $\varepsilon_y$ is the noise vector of INS-derived navigation solution; and $G$ is the geometry matrix of the observations [1]. Substituting Equations (12) and (13) into (10), we can get:


Fault Analysis of Tight Integration Model
The navigation system can occasionally encounter significantly large output errors due to the potential faults in the integrated system. Similar to the errors, the faults that impact current-time state estimates can be divided into three parts as shown in Table 2.

Table 2. Sources, causes, and types of the faults in the integration system.

| Sources | Causes | Types |
|---|---|---|
| GNSS pseudoranges (labeled as $b_G$) | They are caused by satellite clock jump, clock drift, incorrect ephemeris, etc. | Typical fault types include: ramp faults and step faults [31]. |
| IMU measurements (included in $b_y$) | IMU faults, including bias instability and scale-factor non-linearity, gyro drift, etc., may occur due to various internal and external causes, e.g., mechanical failures, abnormal temperature, excessive humidity, severe vibration, etc. [32]. | Typical faults in IMU are in the form of ramp faults, step faults, periodic faults, and constant output. |
| Last navigation solution (included in $b_y$) | The faults in last navigation solution are caused by the undetected faults occurring prior to current time, including the previous faults in IMU and GNSS. | The type of this fault is related to the types and duration of the previous faults in GNSS and IMU [28], and it can be stepped, ascending or descending. |
According to Figure 2 and Table 2, current-time GNSS faults impact the state update step, while faults in IMU measurements or in the last navigation solution lead to the bias in INS-derived navigation solution (i.e., state prediction step). The bias is called "filter fault (FF)" in this paper as stated in the Introduction. All the recursive effects of the undetected faults occurring previously are represented by FF. This is justified because it is the filter fault and current-time GNSS faults that directly impact the current-time innovations and state estimates. As a result, taking the faults into consideration, $\rho_G$ and $\rho_I$ can be modeled as:
where $b_G$ denotes the GNSS fault vector and $b_y$ is the vector of the bias in INS-derived navigation solution (i.e., FF). Both $b_G$ and $b_y$ represent the effects of various faults on current-time innovations and state estimates. Then the innovation vector is re-written as:
Equation (17) illustrates the effects of noises and faults on the innovations and lays the foundation of the design of FDE schemes. Their effects on the navigation solution are given in Appendix A.

Fault Detection Based on AIME
AIME is a typical FD scheme for tightly coupled GNSS/INS systems, with better performance in detecting ramp faults than the snapshot methods [10]. AIME exploits the sequential innovations in the sliding window of length $l$ to build the chi-squared test statistic.
First, batch processing is used to determine the averaged innovation vector $r_{avg}$ as follows:
where $V_{avg}^{-1}$ denotes the inverse of the averaged innovation covariance matrix, determined by:
Second, the test statistic is established as follows:
The statistic $s_{avg}$ follows a central chi-squared distribution whose degrees of freedom (DOF) is equal to the number of visible satellites $N_{sat}$ in fault-free cases, and it follows a non-central chi-squared distribution in fault scenarios [10].
Third, the detection threshold $T_A$ is determined based on the probability of false alarm $P_{FA}$ which is obtained from the navigation performance requirements. For example, this value is $8 \times 10^{-6}$ per approach in LPV-200 [9]. The threshold is determined by:
where $F(\cdot \mid N_{sat})$ denotes the cumulative distribution function (CDF) of the central chi-squared distribution with $N_{sat}$ DOF. If $s_{avg} > T_A$, a fault alert is raised.
To further interpret AIME, we take an eigenvalue-decomposition perspective. Since the covariance matrix $V_k$ is symmetric and positive definite, $V_k$ can be expressed as:
where $L$ denotes an orthogonal matrix of eigenvectors, and the other factor is the diagonal eigenvalue matrix of $V_k$, whose eigenvalues are all positive. Then, the innovation vector is transformed so that the covariance matrix of the transformed innovation vector is this diagonal eigenvalue matrix. Hence, the elements of the transformed innovation vector are uncorrelated with each other. The test statistic $s_k$ is given as:
Equations (22)-(24) prove that $s_{avg}$ follows an $N_{sat}$-DOF chi-squared distribution. A detailed proof is provided in [10].

Enhanced AIME Scheme Based on Fault Grouping
AIME is designed to detect GNSS faults and it will experience performance degradation when FF occurs due to the interference between GNSS faults and FF as shown in Equation (17). To separate the effects of GNSS faults and FF, an enhanced AIME method, FG-AIME, is proposed based on fault grouping, which comprises a parallel GNSS fault detector and FF detector.
First, the test statistic in GNSS fault detector is constructed as follows. According to Equation (17), an innovation-based vector unaffected by FF is obtained by:
where $I$ denotes the $N_{sat}$-by-$N_{sat}$ identity matrix and $S$ is the least squares coefficient matrix defined as:
Then we calculate the corresponding covariance matrix of $r_G$ as:
Using Equation (11), it is easy to prove that:
It is worth noting that $V_G$ is singular with rank of $(N_{sat} - 3 - N_{const})$ [33]. Consequently, before building the test statistic, eigenvalue decomposition of $V_G$ must be performed:
where $L_G$ denotes the orthogonal matrix of eigenvectors and the other factor is the diagonal eigenvalue matrix of $V_G$. The eigenvalues comprise $(N_{sat} - 3 - N_{const})$ non-zero elements and $(3 + N_{const})$ zero elements (including 3 position elements and $N_{const}$ receiver clock elements). We define $L_G^e$ and $V_G^e$ as the parts of $L_G$ and of the diagonal eigenvalue matrix, respectively, that correspond to the non-zero eigenvalues. Then we transform $r_G$ into $r_G^e$ by:
The test statistic $s^G_{avg}$ in GNSS fault detector is constructed with $r_G^e$ and $V_G^e$ in the same way as AIME approach (i.e., Equations (18)-(20)). This statistic follows a central and non-central chi-squared distribution with $(N_{sat} - 3 - N_{const})$ DOF in fault-free cases and faulty cases, respectively.
Second, the test statistic in FF detector is built as follows. The innovation-based vector $r_F$ for FF detection is obtained as:
Unfortunately, as shown in Equation (31), $r_F$ is affected by GNSS faults because which satellites are faulty is unknown before FE. The test statistic based on $r_F$ reflects, therefore, the effects of both GNSS faults and FF. After excluding the faulty satellites in FE, the FF detector should be repeated using the new innovation vector free of the effects of GNSS faults (see Figure 3 in Section 4.1).
Then we calculate the corresponding covariance matrix of $r_F$ as:
where $V_F$ is also singular, whose rank is $(3 + N_{const})$. The derivation of test statistic $s^F_{avg}$ in FF detector is the same as that in AIME, and it is omitted for the sake of brevity.
In FG-AIME, $P_{FA}$ should be properly allocated to the two fault detectors. A simple principle for the allocation is provided: $P^F_{FA}$ should be high if the prior probability of FF is larger than that of GNSS faults, e.g., using low-cost IMU in the system; otherwise $P^G_{FA}$ should be high to enhance the FD capability for GNSS faults. In particular, only GNSS faults will be detected when $P^G_{FA} = P_{FA}$. Therefore, the adjustable allocation of $P_{FA}$ indeed enhances the adaptability of the proposed FD scheme to various scenarios. In fact, the optimal allocation should be determined considering both the FD capability and the integrity risk, but this is beyond the scope of this paper.
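
The following added example (not from the paper) puts the AIME windowed chi-squared test described under "Fault Detection Based on AIME" and the $P_{FA}$ allocation between the two FG-AIME detectors into runnable form. It assumes the standard AIME form (inverse innovation covariances summed over the window), innovations that are already decorrelated so that each $V_k$ is diagonal, 1 Hz epochs, an additive split of $P_{FA}$, and an FF-detector DOF equal to the rank of $V_F$; all function names and the ramp-fault data are constructed for illustration.

```python
import math
import random


def chi2_sf(x, dof):
    """Survival function 1 - F(x | dof) of the central chi-squared distribution.

    Exact for integer DOF via Q(a+1, y) = Q(a, y) + y^a e^-y / Gamma(a+1).
    """
    y = x / 2.0
    if dof % 2:                       # odd DOF starts from Q(1/2, y) = erfc(sqrt(y))
        q, a = math.erfc(math.sqrt(y)), 0.5
    else:                             # even DOF starts from Q(1, y) = exp(-y)
        q, a = math.exp(-y), 1.0
    while a < dof / 2.0:
        q += y ** a * math.exp(-y) / math.gamma(a + 1.0)
        a += 1.0
    return q


def chi2_threshold(p_fa, dof):
    """Threshold T with P(s > T) = p_fa in the fault-free case (bisection)."""
    lo, hi = 0.0, 1.0
    while chi2_sf(hi, dof) > p_fa:
        hi *= 2.0
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if chi2_sf(mid, dof) > p_fa:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def aime_statistic(window):
    """s_avg over a window of (r_k, v_k) pairs, v_k being the diagonal of V_k.

    Assumed standard AIME form: V_avg^-1 = sum of V_k^-1,
    r_avg = V_avg * sum of V_k^-1 r_k, s_avg = r_avg^T V_avg^-1 r_avg.
    A window of length 1 reduces to the snapshot statistic r_k^T V_k^-1 r_k.
    """
    s = 0.0
    for i in range(len(window[0][0])):
        info = sum(1.0 / v[i] for _, v in window)        # i-th diagonal of V_avg^-1
        r_avg = sum(r[i] / v[i] for r, v in window) / info
        s += r_avg * r_avg * info
    return s


def first_alarms(n_sat=8, n_epochs=300, onset=60, slope=0.1, var=4.0,
                 window_len=10, p_fa=8e-6, noisy=False, seed=1):
    """Return (first AIME alarm epoch, first snapshot alarm epoch).

    Constructed data: 1 Hz innovations with variance `var` (m^2) per satellite
    and a ramp fault of `slope` m/s on satellite 0 starting at epoch `onset`.
    """
    rng = random.Random(seed)
    sigma = math.sqrt(var) if noisy else 0.0
    threshold = chi2_threshold(p_fa, n_sat)              # DOF = N_sat, as stated for AIME
    window, aime, snap = [], None, None
    for k in range(n_epochs):
        r = [rng.gauss(0.0, sigma) for _ in range(n_sat)]
        if k >= onset:
            r[0] += slope * (k - onset)
        window = (window + [(r, [var] * n_sat)])[-window_len:]
        if snap is None and aime_statistic(window[-1:]) > threshold:
            snap = k
        if (aime is None and len(window) == window_len
                and aime_statistic(window) > threshold):
            aime = k
    return aime, snap


def fg_aime_thresholds(p_fa, gnss_share, n_sat, n_const):
    """Thresholds (GNSS fault detector, FF detector) for a given P_FA allocation.

    Assumptions: P_FA is split additively, the GNSS detector has
    N_sat - 3 - N_const DOF and the FF detector 3 + N_const DOF.
    """
    p_g = gnss_share * p_fa
    p_f = p_fa - p_g
    t_g = chi2_threshold(p_g, n_sat - 3 - n_const)
    # With P_G_FA = P_FA the FF detector never alarms: only GNSS faults are detected.
    t_f = chi2_threshold(p_f, 3 + n_const) if p_f > 0.0 else math.inf
    return t_g, t_f


if __name__ == "__main__":
    print("noise-free ramp, (AIME, snapshot) alarm epochs:", first_alarms())
    print("with Gaussian noise:", first_alarms(noisy=True))
    print("thresholds, 90% of P_FA to GNSS detector:",
          fg_aime_thresholds(8e-6, 0.9, 9, 2))
```

On the noise-free ramp the windowed statistic crosses the threshold long before the single-epoch statistic does, which is the behaviour the text attributes to AIME for ramp faults.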

Complete Fault Detection and Exclusion Scheme
A complete architecture of the proposed FDE scheme is shown in Figure 3. For the purpose of ensuring navigation continuity, the proposed FE scheme performs two functions: excluding the faulty satellites, and recovering the filter after GNSS fault exclusion or FF detector's alarm. Filter recovery represents the process of correcting the estimate bias in state prediction (i.e., $b_y$), which will be illustrated in detail in Section 4.3. Additionally, as stated in Section 3.2, the FF detector should be repeated after GNSS fault exclusion. Finally, after the entire FE process, FD should be repeated to make sure that the system has no fault alarm before outputting the navigation solution.

Alternative Hypotheses and Statistics for GNSS Fault Exclusion
GNSS fault exclusion is attempted when the GNSS fault detector alarms. There is a set of alternative hypotheses for exclusion. Each of them is linked to a subset which labels the satellites as faulty/healthy according to the associated hypothesis. Figure 4 provides an example of various subsets.

To avoid calculating the statistics for all the subsets, we pre-set the probability $P_{ignored}$ accounting for unconsidered fault modes to filter out the subsets with low probabilities. Then the maximum number $N_{max}$ of simultaneous faults that need to be considered is determined based on the prior fault probability of each subset. The method to determine $N_{max}$ and the monitored subsets is provided in ARAIM baseline algorithm description [9].
For each subset determined above, the statistic is constructed based on the corresponding hypothesis. For subset $j$, a new innovation-based vector is given as:
where $S^{(j)}$ denotes the least squares coefficient matrix corresponding to subset $j$, determined by:
where $G^{(j)}$ denotes the geometry matrix for subset $j$. It is obtained by substituting the rows in $G$ that correspond to the satellites labeled as faulty in subset $j$ with vectors whose entries are all zero.
Substituting (17) into (33), we get:
According to Equation (35), $r_G$ corresponding to the satellites labeled as healthy in subset $j$, which is determined by:
where $A_H$ takes the corresponding rows of $A^{(j)}$. We then compute the covariance matrix $V_H$ as:
F is the number of satellites assumed faulty in subset $j$.
The test statistic s

Decision Strategy for GNSS Fault Exclusion
To allow the navigation service to continue without loss of continuity in fault scenarios, FE is required to accurately exclude the faulty measurements. Consequently, when designing the GNSS fault exclusion scheme, we should take special measures to avoid wrong exclusions, including over exclusion and incomplete exclusion, as shown in Table 3. The proposed decision strategy for GNSS fault exclusion with the use of the statistics determined above is illustrated below and a flowchart of the algorithm implementation is provided for summarization.
If GNSS fault detector alarms, a set of satellites of size $N_e$ should be excluded. A basic strategy to determine the best candidate set of satellites for exclusion is provided in ARAIM [9], which is shown as follows. For each possible size $N_e$ of the set, we determine the best candidate for exclusion by finding the subset with the smallest chi-squared statistic [9]:
For the candidate subset $j_{N_e}$, a chi-squared test should be performed for consistency check [9], and the threshold $T_G^{(new)}$ is computed as:
The subset is deemed to pass the test when s . The search for the effective candidate for exclusion starts from $N_e = 1$ and stops when the best candidate of $N_e$ passes the test above.
In addition to the previous process, extra measures should be taken to reduce the probability of wrong exclusion. We provide an efficient approach based on the comparison between the candidate subsets $j_{N_e}$ and $j_{N_e+1}$ for this purpose. Figure 5 presents the complete process of determining the best candidate for GNSS fault exclusion. In Figure 5, the procedures in the red-dotted box are used to cope with wrong exclusion, where the COMPARE module aims to determine whether there is over exclusion or incomplete exclusion.
Figure 5. Flowchart of the determination of best candidate for GNSS fault exclusion.
The output of the COMPARE module is Y only when the following two statements are both true:
1. All the satellites labeled as faulty in subset $j_{N_e}$ are labeled as faulty in subset $j_{N_e+1}$;
2. The difference of the statistics $\Delta s$ between subset $j_{N_e}$ and subset $j_{N_e+1}$ is smaller than the corresponding threshold $T_{\Delta s}$. The determination of $\Delta s$ and $T_{\Delta s}$ is given in Appendix B.
In this module, statement 1 is used to determine whether healthy satellites are excluded in $j_{N_e}$ and statement 2 is to avoid over exclusion. Detailed illustration will be given in Section 5.3.

Analysis of Fault Separation Problem
Fault separation represents the separability [16] between two fault modes. Fault separation intends to quantitatively analyze the possibility of the event that satellite 2 is flagged as faulty when fault actually occurs in satellite 1. Fault separation also attempts to reveal the underlying causes of wrong exclusion, which is significant for FE performance improvement in future research.
Assuming hypothesis $j_0$ is right, then the statistic of hypothesis $j_0$ follows a central chi-squared distribution and the statistic of hypothesis $j$ follows a non-central chi-squared distribution when ( ) ≤ ( ) ($j \neq j_0$). Based on this, we present an indicator to reveal the separability between hypothesis $j_0$ and hypothesis $j$ as follows.
An innovation-based vector for hypothesis $j$ is given by:
where the transformation matrix satisfies:
where $V^{(j)}$ is a diagonal matrix whose diagonal elements are non-zero eigenvalues of $V_H$. Based on Equation (24), the non-central parameter $\delta^{(j)}$ is determined by:
For single-fault scenarios, a correlation coefficient $C_{j j_0}$ for fault separation independent of fault magnitude is calculated as:
where $q^{(j_0)}$ represents the normalized fault vector for hypothesis $j_0$, i.e., $q^{(j_0)} = [0, 0, \ldots, 1, 0, \ldots, 0]^T$. Note that the coefficients for multi-faults scenarios can also be obtained based on Equation (43). $C_{j j_0}$ is an indicator to reveal the separability between hypotheses, and the bigger it is, the lower the probability of the misjudgment will be.

Filter Recovery After GNSS Fault Exclusion
After excluding the faulty satellites, filter recovery attempts to correct the estimate bias b y (i.e., FF). In this section, two filter recovery schemes are proposed, including bias compensation method and re-filter method. The schemes presented here are preliminary and should be viewed as examples of filter recovery for the integrated system.
First, as shown in Figure 3, the FF detector should be repeated after GNSS fault exclusion as follows:
where $j_e$ corresponds to the best candidate for GNSS fault exclusion determined in Section 4.2. Given that the hypothesis $j_e$ is very likely to be right, $r_F$ will be unaffected by GNSS faults, i.e., $S^{(j_e)} \cdot b_G = 0$. Consequently, FF detector will only reflect FF. The new test statistic $s^F$ in FF detector is determined based on $r_F$ and $V_F$ in the same way as $s^F_{avg}$.
Second, the filter recovery schemes are given as follows. The bias compensation method is to compensate the INS-derived navigation solution $\hat{y}_k^-$ using the estimate $\hat{b}_y$ of the estimate bias $b_y$. Based on (44), we have:
The re-filter method is to store the historical measurements in a preceding horizon of $m$ epochs and re-run the filter from epoch $(k - m + 1)$ to current epoch $k$ with faulty satellites excluded. Appendix C presents the method to properly determine the length of the preceding horizon. However, the re-filter method will be unavailable when faults occur in the unique IMU sensor. To cope with these cases, new fault exclusion strategies will be investigated for the integrated system with redundant IMU sensors in future work.

Simulation Description
A simulation platform of EKF-based tightly coupled GNSS/INS system is built to demonstrate the proposed FDE scheme. The simulation parameters of IMU (aviation-grade) and GNSS measurements are shown in Table 4 [1]. Various faults are added to GNSS pseudoranges and IMU raw measurements as shown in Table 5. Ramp fault with slope of 0.1 m/s is a typical failure type in GNSS pseudoranges [31]. The step faults added to the accelerometer are also justified for the following reasons. First, using closed-loop integration architecture, slowly growing errors (i.e., ramp faults) exert little influence on both the navigation solution and the innovations because IMU sensor errors are estimated and fed back to INS for corrections every epoch. Second, step faults of about 0.2 m/s² in IMU may be caused by a sudden change of the constant biases, which is possible, especially for low-cost sensors [34].
As shown in Figure 6, the trajectory in this simulation is of a 418-s aircraft motion generated by Spirent SimGen, at a speed of 200 m/s with two 45° turns in opposite directions and a 500 m climb [1].

Fault Detection Based on AIME and FG-AIME
This section demonstrates the proposed FD scheme in various fault scenarios. In the following simulations, $P_{FA}$ is set to 8e-6 (see [9]) and the length of sliding window $l$ (see Section 3.1) is set to 10 s. Figures 7 and 8 compare the performance of AIME and FG-AIME in GNSS fault scenario (No. 1 in Table 5) and IMU fault scenario (No. 3 in Table 5), respectively. Regarding the performance on timely detection, results show that FG-AIME is superior to AIME with the detection delay reduced by 12 s and 2 s, respectively. In Figure 8, the decrease of the test statistic in FF detector is caused by the gradual closed-loop correction process for the step faults in IMU. Additionally, Figure 8 proves that IMU faults should also be monitored because they can issue a fault alarm and may lead to large navigation errors. Note that, 90% of $P_{FA}$ is allocated to GNSS fault detector in Figure 7 (scenario No. 1) to enhance the detection capability of GNSS faults, while the major part of $P_{FA}$ is assigned to FF detector in Figure 8 because we assume that an unreliable IMU is used and IMU faults are considered in the simulation (scenario No. 3).

Figure 9 evaluates the performance of FG-AIME when GNSS faults and IMU faults occur simultaneously (scenario No. 4). Regarding the detection delay, the performance of AIME and FG-AIME is quite similar. However, we cannot conclude that FG-AIME is of little significance in this case. As mentioned earlier, the motivation of FG-AIME is to separate the effects of GNSS faults and FF. This is beneficial for the two detectors in FG-AIME to reflect the faults more accurately. Furthermore, the information of fault sources provided by FG-AIME is essential for FE to determine whether to exclude GNSS satellites and whether to perform filter recovery. Moreover, from the perspective of integrity monitoring, this information is also important for integrity risk evaluation because the effects of GNSS faults and FF on the position errors are quite different [28], which is derived in detail in Appendix A.

GNSS Fault Exclusion, Fault Separation, and Filter Recovery
This section demonstrates the FE scheme in various fault scenarios.
Figure 10 shows the instantaneous statistics for GNSS fault exclusion in a single-fault case (i.e., SV-3 is faulty) when the detector starts to alarm (see Figure 7). The following process is an illustration of Figure 5, i.e., the flowchart of GNSS fault exclusion. Based on Equation (38), the best candidate $j_1$ is hypothesis (SV-3, SV-3) among single-fault hypotheses (i.e., $N_e = 1$). This candidate can pass the consistency-check test because the threshold is 26.6 for $N_e = 1$ based on Equation (39). Then, extra steps are taken to avoid wrong exclusion: the best candidate $j_2$ among dual-fault hypotheses is hypothesis (SV-3, SV-4) or (SV-4, SV-3) and the difference ∆s = s FE is significantly small, which shows that SV-4 is healthy and excluding SV-3 is sufficient. Therefore, SV-3 will be excluded, which is obviously a right exclusion.
Table 5). Among single-fault hypotheses, the best candidate $j_1$ is hypothesis (SV-6, SV-6). This candidate can pass the consistency-check test because the threshold is 26.6 as mentioned earlier. If there are no extra steps, SV-6 will be excluded, which is apparently a wrong exclusion. The extra steps are given as follows. The best candidate $j_2$ is hypothesis (SV-1, SV-3) or (SV-3, SV-1). According to the COMPARE module in Figure 5, candidate $j_2$ is the best candidate for exclusion because Statement 1 is false, i.e., the satellite (i.e., SV-6) assumed faulty in candidate $j_1$ is assumed healthy in candidate $j_2$. Therefore, SV-1 and SV-3 will be excluded, which is a right exclusion. Accordingly, Figure 11 proves the effectiveness of the proposed GNSS FE scheme in avoiding wrong exclusion.
To illustrate the concept of fault separation, Figure 12 presents the reciprocal of correlation coefficient in single-fault cases. In this figure, we predefine that hypothesis $j_0$ is true and hypothesis $j$ is false ($j \neq j_0$). The larger the coefficient $(C_{j j_0})^{-1}$ is, the higher the probability of misjudging hypothesis $j$ as right will be. For example, it is hard to determine whether to exclude SV-3 or SV-6 when ramp fault occurs in SV-3 because $(C_{j \to \mathrm{SV6},\, j_0 \to \mathrm{SV3}})^{-1}$ is large and then the statistic corresponding to hypothesis (SV-6, SV-6) will be small, which has been proved in Figure 10.
FF detection should be repeated after GNSS fault exclusion to eliminate the effects of GNSS faults. Figure 13 shows the chi-squared statistics in FF detector before and after GNSS fault exclusion when faults occur in SV-1 and SV-3. As shown in Equation (31), the innovation-based vector $r_F$ is affected by GNSS fault, and thus the test statistics cannot accurately reflect the magnitude of filter fault before GNSS fault exclusion. As shown in Equation (34), the effects of GNSS faults are eliminated by excluding the faulty satellites when constructing the new vector $r_F$. When there is a right exclusion, i.e., excluding both SV-1 and SV-3, FF can be accurately reflected by the statistic. This also proves that the faults occurring previously may lead to the noticeable estimate bias. In contrast, if there is a wrong exclusion or no exclusion, the test statistics will be affected by GNSS faults and cannot reflect the estimate bias accurately. Consequently, Figure 13 indeed indicates the importance of repeating FF detection step after GNSS FE.

To further reveal the underlying causes of Figure 13, Figure 14 compares the estimate $\hat{b}_y$ of the estimate bias $b_y$, including 3 position components and 1 receiver clock component, before and after GNSS FE when faults occur in SV-1 and SV-3. The associated chi-squared statistics in Figure 13 are calculated based on these components and the covariance matrix given in Equations (32) and (35). Noticeable differences between the two subfigures are shown in Figure 14, where the right subfigure reflects the estimate bias (i.e., $b_y$) more accurately owing to the elimination of GNSS faults' interference by excluding the faulty satellites (SV-1 and SV-3). Without GNSS exclusion, the estimate is heavily "polluted" by the effects of GNSS faults, and it cannot track the true status of filter fault consequently. As a result, it is necessary to estimate the magnitudes of filter fault after GNSS fault exclusion for both fault detection and filter recovery.
Filter recovery is used to remove the estimate bias in the filter. Figure 15 provides the comparison of north position errors using different filter recovery strategies when fault occurs in SV-3. Results show that both the bias compensation method ("Exclusion and Compensation") and the re-filter method ("Exclusion and Re-filter") are conducive to reducing the navigation error after GNSS fault exclusion. Note that, when using the re-filter method, we simply re-run the integration process from 200 s with SV-3 excluded to show the performance of this method. Actually, as mentioned in Section 4.3, the start epoch of the re-filter process can be optimally determined by the method provided in Appendix C. Figure 15 also verifies the importance of FE by comparing the errors with and without exclusion: the position errors increase continuously when the faulty measurements are not excluded from the system ("No Exclusion" curve) while errors are greatly reduced when the proposed FDE scheme is employed in fault scenario.

Conclusions and Prospects
This paper presents a comprehensive Fault Detection and Exclusion (FDE) scheme for tightly coupled navigation system of Global Navigation Satellite Systems (GNSS)/Inertial Navigation System (INS), with special emphasis on the fault in state prediction (called filter fault). The scheme is beneficial to ensuring navigation safety of civil and military aircraft, Unmanned Aerial Vehicle (UAV), etc. Theoretical analyses quantitatively reveal the different effects of GNSS faults and filter fault on the filter, which motivates the design of an effective FDE scheme to handle these faults independently. Accordingly, the Fault Detection (FD) scheme, comprising two detectors, is designed to separate the effects of GNSS faults and filter fault. And the two-step Fault Exclusion (FE) scheme, with GNSS fault exclusion and filter recovery, is developed to exclude the faulty satellites and eliminate the effects of filter fault. Multiple simulations are conducted to validate the new scheme in various fault scenarios. The results show that: (a) this scheme excels in detecting single or multiple GNSS faults, filter fault, and simultaneous faults in both GNSS and Inertial Measurement Unit; (b) the FE scheme can accurately identify and exclude the faulty satellites with the optimized decision strategy, and the filter recovery scheme shows promising performance in eliminating the effects of filter fault; (c) the indicators for fault-exclusion capability analysis quantify the difficulty in identifying the faulty satellites, which actually reveals the underlying causes of wrong exclusion.
Possible improvements and future work include: (a) integrity risk derivation for the integrated system; (b) design of new FDE scheme with redundant IMUs; (c) FE capability enhancement based on the analysis of fault separation.

Substituting Equation (17) into (A1), we have: where $y_k$ is the true navigation solution. Then, Equation (A2) can be re-written as: Equations (A2) and (A3) reveal the effects of GNSS faults and filter fault on the navigation solution, and they also prove the necessity of considering FF and separating the effects of these two faults in fault detection. Additionally, these equations are the foundations of integrity risk derivation.

Appendix B. Determination of $\Delta s$ and $T_{\Delta s}$ in COMPARE Module
The difference of the statistics between subset $j_1$ and subset $j_2$, i.e., ∆s = s FE , is used to determine whether the candidate $j_1$ is an incomplete exclusion. According to the rank one update formula [9], we have: where $i$ represents the index of the satellite which is assumed faulty in hypothesis $j_2$ but healthy in hypothesis $j_1$; $g_i$ is the $i$-th row of $G^{(j_1)}$; and r ( j 1 ) k , which forms a normal distribution. Based on Equation (A4), we get: where $\Delta s$ follows 1-DOF central chi-squared distribution when satellite $i$ is healthy and $\Upsilon$ is a coefficient derived from Equation (A4). Then the corresponding threshold $T_{\Delta s}$ can be obtained based on the CDF of 1-DOF central chi-squared distribution as shown in Equation (21).
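An added Python example (not the paper's code) of the COMPARE decision walked through for Figures 10 and 11, with the threshold on ∆s taken from the 1-DOF central chi-squared distribution as described in this appendix. The function names, the false-alarm probability passed to the threshold, and the rule that a ∆s above the threshold selects the dual-fault candidate are assumptions; ∆s is supplied as an input rather than computed.

```python
import math


def chi2_1dof_sf(x):
    """P(X > x) for a central chi-squared variable with 1 degree of freedom."""
    # X = Z^2 with Z standard normal, so P(X > x) = P(|Z| > sqrt(x)).
    return math.erfc(math.sqrt(x / 2.0)) if x > 0.0 else 1.0


def chi2_1dof_threshold(p_fa):
    """Threshold T with P(X > T) = p_fa, found by bisection."""
    if not 0.0 < p_fa < 1.0:
        raise ValueError("p_fa must lie strictly between 0 and 1")
    lo, hi = 0.0, 1.0
    while chi2_1dof_sf(hi) > p_fa:      # grow the bracket until it contains T
        hi *= 2.0
    for _ in range(100):                # invariant: sf(lo) > p_fa >= sf(hi)
        mid = 0.5 * (lo + hi)
        if chi2_1dof_sf(mid) > p_fa:
            lo = mid
        else:
            hi = mid
    return hi


def compare(j1, j2, delta_s, p_fa):
    """Choose the exclusion set from the best single-fault candidate j1 and the
    best dual-fault candidate j2 (each a set of satellites assumed faulty).

    delta_s is the difference of the FE statistics between j1 and j2.
    Returns (satellites_to_exclude, reason).
    """
    j1, j2 = frozenset(j1), frozenset(j2)
    # Statement 1: the satellite assumed faulty in j1 is also assumed faulty in j2.
    if not j1 <= j2:
        return j2, "Statement 1 false: j1's satellite is healthy under j2"
    # Assumption: delta_s is 1-DOF central chi-squared when the extra satellite
    # in j2 is healthy, so a value above the threshold marks j1 as incomplete.
    if delta_s > chi2_1dof_threshold(p_fa):
        return j2, "delta_s above threshold: j1 is an incomplete exclusion"
    return j1, "delta_s below threshold: extra satellite is healthy"


if __name__ == "__main__":
    P_FA = 8e-6  # constructed allocation for this test
    # Figure 10 case: single fault on SV-3, constructed small delta_s.
    print(compare({"SV-3"}, {"SV-3", "SV-4"}, 0.8, P_FA))
    # Figure 11 case: j1 points at SV-6 but j2 assumes SV-6 healthy.
    print(compare({"SV-6"}, {"SV-1", "SV-3"}, 0.8, P_FA))
```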

Appendix C. Determination of the Optimal Preceding Horizon Length for Re-Filter Method
First, we derive the expectation of the navigation errors caused by current and previous faults. Based on Equation (A3), the expectation $\mu_k$ is determined as: Substituting Equation (2) into Equation (A6), we have: where $b_{Ik}$ is the IMU fault vector. Then,

$$\mu_k = (I - K_k \cdot H_k) \cdot \Phi_{k|k-1} \cdot \mu_{k-1} + (I - K_k \cdot H_k) \cdot b_{Ik} + K_k \cdot b_{Gk} \tag{A8}$$

Let $A_k = (I - K_k \cdot H_k)$ and $B_k = (I - K_k \cdot H_k) \cdot \Phi_{k|k-1}$, we get: where $m$ is the length of the preceding horizon that needs to be determined. The first two terms on the right-hand side of Equation (A9) reflect the effects of the navigation solution bias in epoch $(k - m)$ and the faults in the preceding horizon, respectively. It has been proved that $\prod_{i=k}^{k-m+1} B_i \cdot \mu_{k-m}$ tends to decrease as $m$ becomes large [35]. If $m = k$, this term will be 0.
Obviously, the determination of the optimal length $m$ shows a tradeoff between the complexity and the residual errors, i.e., $\prod_{i=k}^{k-m+1} B_i \cdot \mu_{k-m}$. So, the optimal length should be determined considering both the computational payload and the acceptable residual errors.
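An added Python example (not the paper's code) of this tradeoff: it measures how much of the bias at epoch k − m survives a re-filter over m epochs and picks the shortest horizon that meets a residual tolerance within a compute budget. The 2-state matrices, gains, tolerance and function names are constructed assumptions, and the fault terms inside the horizon are taken as zero (faulty satellites excluded, no IMU fault).

```python
def matmul(a, b):
    """Product of two square matrices given as lists of rows."""
    n = len(a)
    return [[sum(a[i][t] * b[t][j] for t in range(n)) for j in range(n)]
            for i in range(n)]


def matvec(a, v):
    """Matrix-vector product."""
    return [sum(a[i][t] * v[t] for t in range(len(v))) for i in range(len(a))]


def norm_inf(a):
    """Induced infinity norm of a matrix (largest absolute row sum)."""
    return max(sum(abs(x) for x in row) for row in a)


def horizon_product(b_hist, m):
    """B_k * B_{k-1} * ... * B_{k-m+1}; b_hist is ordered oldest to newest
    and its last entry belongs to the current epoch k."""
    n = len(b_hist[0])
    prod = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for b in b_hist[len(b_hist) - m:]:
        prod = matmul(b, prod)          # newer epochs multiply from the left
    return prod


def propagate(mu, b_hist, m):
    """Step Equation (A8) over the last m epochs with zero fault terms."""
    for b in b_hist[len(b_hist) - m:]:
        mu = matvec(b, mu)
    return mu


def pick_horizon(b_hist, mu_bound, tol, m_max):
    """Smallest m <= m_max whose worst-case residual meets the tolerance.

    mu_bound bounds the infinity norm of the bias at epoch k - m; the residual
    is bounded by ||prod B_i||_inf * mu_bound. Returns None when the tolerance
    cannot be met within the compute budget m_max.
    """
    for m in range(1, min(m_max, len(b_hist)) + 1):
        if norm_inf(horizon_product(b_hist, m)) * mu_bound <= tol:
            return m
    return None


# Constructed steady-state case: position/velocity states, position measurement.
PHI = [[1.0, 1.0], [0.0, 1.0]]             # state transition, 1 s epochs
K = [0.4, 0.1]                              # constructed steady-state gain
I_KH = [[1.0 - K[0], 0.0], [-K[1], 1.0]]    # I - K*H with H = [1, 0]
B = matmul(I_KH, PHI)                       # B_k = (I - K_k*H_k) * Phi
B_HIST = [B] * 40                           # stored history of 40 epochs

if __name__ == "__main__":
    m = pick_horizon(B_HIST, mu_bound=10.0, tol=0.1, m_max=40)
    print("horizon length:", m)
    print("residual bias:", propagate([3.0, -1.0], B_HIST, m))
```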