Risking to underestimate the integrity risk

As parameter estimation and statistical testing are often intimately linked in the processing of observational data, the uncertainties involved in both estimation and testing need to be properly propagated into the final results produced. This necessitates the use of conditional distributions when evaluating the quality of the resulting estimator. As the conditioning should be on the identified hypothesis as well as on the corresponding testing outcome, omission of the latter will result in an incorrect description of the estimator's distribution. In this contribution, we analyse the impact this omission or approximation has on the distribution of the estimator and on its integrity risk. For a relatively simple observational model, it is mathematically proven that the rigorous integrity risk exceeds the approximation for the contributions under the null hypothesis, which typically has a much larger probability of occurrence than any alternative. Actual GNSS-based positioning examples confirm this finding. Overall, we observe a tendency of the approximate integrity risk being smaller than the rigorous one. The approximate approach may, therefore, provide a too optimistic description of the integrity risk and thereby not sufficiently safeguard against possibly hazardous situations. We, therefore, strongly recommend the use of the rigorous approach to evaluate the integrity risk, as underestimating the integrity risk in practice, or even running the risk of doing so, is unacceptable, particularly in critical and safety-of-life applications.


Introduction
The DIA method for the detection, identification and adaptation of model misspecifications combines estimation with testing. Parameter estimation is conducted to determine estimates for the parameters of interest, and statistical testing is conducted to validate the results with the aim of removing any unwanted biases that may be present. To rigorously capture the estimation-testing combination, the DIA estimator has recently been introduced by Teunissen (2017) together with a unifying probabilistic framework. This allows one to take into account the intricacies of the combination when evaluating the contributions of the decisions and estimators involved. Procedures followed in practice are usually conditional ones implying that the quality and the performance of the resulting estimator must be described based on its subsequent conditional distribution. Hence, employing the distribution of the estimator under an identified hypothesis without regard to the conditioning process that led to the decision of accepting this hypothesis may impact the quality description of the resulting estimator in terms of precision, unbiasedness, confidence region and integrity risk.
In this contribution, we turn our attention specifically to the integrity risk, which, in short, is the probability that, whatever hypothesis is true in reality, the estimator of the unknown parameters, directed by the testing outcome, lies outside an acceptable area or volume around its targeted value. The estimator's integrity risk is thus one minus its confidence level. As integrity plays a crucial role in critical and safety-of-life applications, for instance in aviation when GNSS positioning is used to fly an approach to an airport, stringent requirements on integrity obviously apply.

We compare, using a number of GNSS positioning examples, the integrity risk using unconditional distributions with the one obtained by rigorous evaluation of the correct conditional ones. We demonstrate that with the approximate approach of using unconditional distributions to evaluate the integrity risk, for instance when accounting for the event of removing from the solution an observation identified as faulty, one may obtain too optimistic figures, and thereby compromise the whole concept of integrity. The actual integrity risk, evaluated using the correct conditional distributions, may, in fact, be significantly larger.
This contribution is organized as follows. We start with a brief review of the detection, identification, and adaptation procedure, including the DIA estimator and its statistical distribution. Next, the integrity risk is defined, rigorous as well as approximate, with the latter following from neglecting the conditioning on the testing outcome. We then demonstrate in graphical form, using a simple observational model with just a single unknown parameter, both the unconditional and conditional distributions, so that the different contributions to the integrity risk, as well as the differences between the two approaches, are understood. We also prove in this section that, under the null hypothesis, the rigorous integrity risk always exceeds the approximate one. The integrity risk comparison is then continued, but now for a number of actual satellite-based single-point positioning examples. These findings show that one indeed runs a serious risk of underestimating the actual integrity risk (or overestimating the confidence level) when using the unconditional distributions instead of the conditional ones. We hereby note that our findings, although demonstrated by means of an application of the DIA procedure, are equally valid for any other method of fault detection and exclusion, and, therefore, hold true for a wide variety of different applications, such as geodetic quality control (Kösters and van der Marel 1990; Amiri Simkooei 2001; Perfetti 2006), navigational integrity (Teunissen 1990b; Gillissen and Elema 1996; Yang et al. 2014), structural health integrity (Verhoef and de Heus 1995; Yavaşoğlu et al. 2017; Durdag et al. 2018), and integrity monitoring of GNSS (Jonkman and de Jong 2000; Kuusniemi et al. 2004; Hewitson and Wang 2006). Finally, a summary with conclusions is presented.

Detection, identification and adaptation (DIA)
A brief recap of the DIA-datasnooping procedure is provided, and the DIA estimator introduced in Teunissen (2017) is presented. Then an inventory of all possible testing decisions is compiled, and the distribution of the DIA estimator is decomposed into contributions, conditioned on the testing outcome and the hypothesis.

Statistical hypotheses
We first formulate the null and alternative hypotheses, denoted by H_0 and H_i, respectively. Throughout the paper, as alternative hypotheses, we consider those describing outliers in individual observations. Here we restrict ourselves to the case of one outlier at a time. In that case there are as many alternative hypotheses as there are observations. Therefore, the observational model under H_0 and H_i is given as

H_0: E(y) = Ax, D(y) = Q_yy    (1)
H_i: E(y) = Ax + c_i b_i, D(y) = Q_yy    (2)

with E(⋅) the expectation operator, D(⋅) the dispersion operator, y ∈ ℝ^m the normally distributed random vector of observables linked to the estimable unknown parameters through the design matrix A ∈ ℝ^{m×n} of rank(A) = n, and Q_yy ∈ ℝ^{m×m} the positive-definite variance matrix of y. The redundancy of H_0 is r = m − rank(A) = m − n. c_i is the canonical unit vector having one as its ith entry and zeros elsewhere, and b_i is the scalar bias. Note that [A c_i] is a known matrix of full rank. As the number of observations is equal to m, there are also m alternative hypotheses H_i defined in (2). The best linear unbiased estimator (BLUE) of the unknown parameters x under H_0 and H_i, respectively, reads

x̂_0 = (AᵀQ_yy⁻¹A)⁻¹AᵀQ_yy⁻¹y,  x̂_i = (Ā_iᵀQ_yy⁻¹Ā_i)⁻¹Ā_iᵀQ_yy⁻¹y

with Ā_i = P⊥_{c_i}A, and P⊥_{c_i} = I_m − c_i(c_iᵀQ_yy⁻¹c_i)⁻¹c_iᵀQ_yy⁻¹ being an orthogonal projector that projects onto the orthogonal complement of the range space of c_i.
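The BLUE expression above can be evaluated numerically in a few lines. The sketch below uses a made-up design matrix, variance matrix and observation vector of our own (not from the paper) and checks that, with Q_yy proportional to the identity, the BLUE coincides with ordinary least squares:

```python
import numpy as np

# Illustrative numbers only: m = 4 observations, n = 2 parameters
A = np.array([[1., 1.],
              [1., 2.],
              [1., 3.],
              [1., 4.]])                    # design matrix, rank(A) = n = 2
Q_yy = 0.25 * np.eye(4)                     # positive-definite variance matrix
y = np.array([1.9, 2.8, 4.2, 5.1])          # observation vector

iQ = np.linalg.inv(Q_yy)
N = A.T @ iQ @ A                            # normal matrix A' Q^-1 A
x_hat0 = np.linalg.solve(N, A.T @ iQ @ y)   # BLUE of x under H0
Q_x0x0 = np.linalg.inv(N)                   # variance matrix of the BLUE

# With Q_yy proportional to I, the BLUE equals ordinary least squares
x_ls = np.linalg.lstsq(A, y, rcond=None)[0]
print(np.allclose(x_hat0, x_ls))            # True
```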

DIA-datasnooping procedure
The DIA method has been widely employed in a variety of applications, such as the quality control of geodetic networks and the integrity monitoring of GNSS models, see, e.g., Teunissen (1990a) and Amiri Simkooei (2001). The DIA steps are realized using the misclosure vector t ∈ ℝ^r, given as

t = Bᵀy,  Q_tt = BᵀQ_yyB

where the m × r matrix B is a full-rank matrix, with rank(B) = r, of which the range space is an orthogonal complement of that of A, i.e., [A B] ∈ ℝ^{m×m} is invertible and AᵀB = 0. Assuming that the measurement errors are normally distributed, i.e., y ∼ N(Ax + c_i b_i, Q_yy) under H_i, the misclosure vector is distributed as t ∼ N(Bᵀc_i b_i, Q_tt), with zero mean under H_0.
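A basis matrix B and the misclosure vector can be computed numerically; the sketch below (the model numbers are our own illustration) obtains B from the null space of Aᵀ and verifies that t carries no information on x:

```python
import numpy as np
from scipy.linalg import null_space

rng = np.random.default_rng(42)

A = np.array([[1., 1.],
              [1., 2.],
              [1., 3.],
              [1., 4.]])               # illustrative design matrix (m = 4, n = 2)
m, n = A.shape
r = m - n                              # redundancy
Q_yy = 0.25 * np.eye(m)

# Columns of B span the orthogonal complement of range(A): A^T B = 0
B = null_space(A.T)                    # m x r, full rank

x_true = np.array([1.0, -0.5])
y = A @ x_true + rng.multivariate_normal(np.zeros(m), Q_yy)

t = B.T @ y                            # misclosure vector, zero-mean under H0
Q_tt = B.T @ Q_yy @ B                  # variance matrix of t

print(np.allclose(B.T @ A, 0.0))       # True
```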

As t is zero-mean under H_0 and also independent of x̂_0, it provides all the available information useful for the validation of H_0 (Teunissen 2017). Thus, an unambiguous testing procedure can be established by assigning the outcomes of t to the statistical hypotheses H_i for i = 0, 1, …, m.
The DIA-datasnooping procedure is specified as follows.
Detection: Accept H_0 if t lies in the acceptance region

P_0 = {t ∈ ℝ^r | ‖t‖²_{Q_tt} = tᵀQ_tt⁻¹t ≤ k_{α,r}}

where k_{α,r} is the (1 − α)-percentage point of the central Chi-square distribution with r degrees of freedom, and α the chosen false-alarm probability. If H_0 is accepted, then x̂_0 is provided as the estimate of x. Otherwise, go to the next step.
Identification: Compute Baarda's test statistic for all alternative hypotheses as (Baarda 1967; Teunissen 2000)

w_i = c_{t_i}ᵀQ_tt⁻¹t / (c_{t_i}ᵀQ_tt⁻¹c_{t_i})^{1/2},  in which c_{t_i} = Bᵀc_i

and select H_i with i = arg max_{j∈{1,…,m}} |w_j|.
Adaptation: When H_i is selected, then x̂_i is provided as the estimate of x.
The partitioning of ℝ^r into the regions P_i in terms of the (original) misclosure vector is introduced in Teunissen (2017), and an example is shown in Fig. 3 therein. Note that the above datasnooping partitioning would need modification in the case of 'iterated datasnooping' (Kok et al. 1984) for multiple-outlier testing, which involves consecutive rounds of detection and identification until no further outlier is detected.
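The detection, identification and adaptation steps above can be sketched in code. The function below is our own illustration (single-outlier datasnooping, no iteration; model numbers, threshold choice and names are assumptions), not the paper's implementation:

```python
import numpy as np
from scipy.linalg import null_space
from scipy.stats import chi2

def dia_datasnooping(y, A, Q_yy, alpha=0.01):
    """One round of DIA datasnooping (sketch; one outlier at a time).
    Returns (identified hypothesis index, adapted estimate of x);
    index 0 means H0 was accepted."""
    m, n = A.shape
    r = m - n
    B = null_space(A.T)                     # basis of null(A^T): A^T B = 0
    t = B.T @ y                             # misclosure vector
    Q_tt = B.T @ Q_yy @ B
    iQ_tt = np.linalg.inv(Q_tt)
    iQ = np.linalg.inv(Q_yy)

    def blue(A_):                           # BLUE for design matrix A_
        return np.linalg.solve(A_.T @ iQ @ A_, A_.T @ iQ @ y)

    # Detection: overall model test against the chi-square critical value
    if t @ iQ_tt @ t <= chi2.ppf(1 - alpha, df=r):
        return 0, blue(A)                   # H0 accepted: x_hat_0

    # Identification: Baarda's w-statistic for each single-outlier hypothesis
    w = np.empty(m)
    for i in range(m):
        c_ti = B.T @ np.eye(m)[:, i]        # c_ti = B^T c_i
        w[i] = (c_ti @ iQ_tt @ t) / np.sqrt(c_ti @ iQ_tt @ c_ti)
    i_max = int(np.argmax(np.abs(w))) + 1   # identified hypothesis H_i

    # Adaptation: re-estimate with the extended design matrix [A  c_i]
    A_i = np.hstack([A, np.eye(m)[:, [i_max - 1]]])
    return i_max, blue(A_i)[:n]             # x_hat_i

# Illustrative run: exact data, then the same data with a 10 m outlier on obs 3
A = np.array([[1., 1.], [1., 2.], [1., 3.], [1., 4.]])
Q_yy = 0.25 * np.eye(4)
x_true = np.array([1.0, -0.5])

idx, xhat = dia_datasnooping(A @ x_true, A, Q_yy)
print(idx)    # 0: H0 accepted
idx, xhat = dia_datasnooping(A @ x_true + 10 * np.eye(4)[:, 2], A, Q_yy)
print(idx)    # 3: outlier identified in the third observation
```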

DIA estimator
Given the above three steps, estimation and testing are combined in DIA-datasnooping. Teunissen (2017) presents a unifying framework to rigorously capture the probabilistic properties of this combination, see also Teunissen et al. (2017). As such, the DIA estimator x̄ was introduced, which captures the whole estimation-testing scheme and is given as

x̄ = Σ_{j=0}^{m} x̂_j p_j(t)

with p_j(t) being the indicator function of region P_j, i.e., p_j(t) = 1 for t ∈ P_j and p_j(t) = 0 elsewhere. Therefore, the DIA estimator x̄ is a combination of x̂_j for j = 0, 1, …, m and the misclosure vector t. The probability density function (PDF) of x̄ under H_i reads (Teunissen 2017)

f_x̄(θ|H_i) = Σ_{j=0}^{m} ∫_{P_j} f_{x̂_j,t}(θ, τ|H_i) dτ

where use is made of the link between x̂_j and t,

x̂_j = x̂_0 − L_j t    (11)

with

L_j = (AᵀQ_yy⁻¹A)⁻¹AᵀQ_yy⁻¹c_j (c_{t_j}ᵀQ_tt⁻¹c_{t_j})⁻¹ c_{t_j}ᵀQ_tt⁻¹    (12)

Testing decisions
As was shown above, the decisions of the testing procedure are driven by the outcome of the misclosure vector t. If H_i is true, then the decision is correct if t ∈ P_i, and wrong if t ∈ P_{j≠i}. We, therefore, discriminate between the following events (13): under H_0, correct acceptance CA (t ∈ P_0) and false alarm FA (t ∉ P_0); under H_{i≠0}, missed detection MD_i (t ∈ P_0), correct detection CD_i (t ∉ P_0), correct identification CI_i (t ∈ P_i) and wrong identification WI_i (t ∈ P_{j≠0,i}). With * ∈ {CA, FA, MD_i, CD_i, WI_i, CI_i}, we denote the probability of * by P_*, satisfying P_CA + P_FA = 1 and P_MD_i + P_CD_i = 1. Computation of P_* requires information about the misclosure PDF, which is given in (5). Here, it is important to note the difference between the CD- and CI-probability, i.e., P_CD_i ⩾ P_CI_i. They would be the same if there were only one single alternative hypothesis, say H_1, since then P_1 = ℝ^r∖P_0.
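For a single alternative with a scalar misclosure, these event probabilities reduce to normal-CDF evaluations. The sketch below (all parameter values, including the bias of t under the alternative, are assumed for illustration) checks the complementarity relations stated above:

```python
import numpy as np
from scipy.stats import norm

# Single-alternative, scalar-misclosure sketch; the numbers are our own
sig_t = np.sqrt(2.0)                    # std of the misclosure t
P_FA = 1e-3                             # user-set false-alarm probability
k = sig_t * norm.ppf(1 - P_FA / 2)      # acceptance region P0 = {|t| <= k}
b_t = 4.0                               # bias of t under H_a (assumed value)

# Under H0: t ~ N(0, sig_t^2);  under H_a: t ~ N(b_t, sig_t^2)
P_CA = norm.cdf(k, 0.0, sig_t) - norm.cdf(-k, 0.0, sig_t)
P_MD = norm.cdf(k, b_t, sig_t) - norm.cdf(-k, b_t, sig_t)
P_CD = 1.0 - P_MD

print(round(P_CA + P_FA, 12), round(P_CD + P_MD, 12))  # both sums equal 1.0
```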

Decomposition of f_x̄(θ|H_i)
Given the events in (13) and using the total probability rule, f_x̄(θ|H_i) can be decomposed as follows:

f_x̄(θ|H_i) = Σ_{j=0}^{m} f_{x̂_j|t∈P_j}(θ|t ∈ P_j, H_i) P(t ∈ P_j|H_i)    (15)

Therefore, in case j = 0, due to x̂_0 being independent of t, we have

f_{x̂_0|t∈P_0}(θ|t ∈ P_0, H_i) = f_{x̂_0}(θ|H_i)    (17)

The proof of (16) and (17) is given as follows. The conditional PDF f_{x̂_j|t∈P_j}(θ|t ∈ P_j, H_i) is obtained through the following general expression

f_{x̂_j|t∈P_j}(θ|t ∈ P_j, H_i) = (1/P(t ∈ P_j|H_i)) ∫_{P_j} f_{x̂_j,t}(θ, τ|H_i) dτ    (18)

in which (Teunissen 2017)

f_{x̂_j,t}(θ, τ|H_i) = f_{x̂_0}(θ + L_j τ|H_i) f_t(τ|H_i)    (19)

which follows from (11) and the independence of x̂_0 and t.

Substituting (19) into (18) gives

f_{x̂_j|t∈P_j}(θ|t ∈ P_j, H_i) = (1/P(t ∈ P_j|H_i)) ∫_{P_j} f_{x̂_0}(θ + L_j τ|H_i) f_t(τ|H_i) dτ    (20)

Comparing the structure of (20) with that of (18), we achieve (16). For j = 0, we have f_{x̂_0,t}(θ, τ|H_i) = f_{x̂_0}(θ|H_i) f_t(τ|H_i), the substitution of which into (20) gives (17). Note that the conditional PDFs f_{x̂_j|t∈P_j}(θ|t ∈ P_j, H_i) for j ≠ 0 are non-normal, which is further discussed in the following sections.

Integrity risk
Being an estimator of x, the DIA estimator x̄ is likely to be considered a good estimator if it is close to x with a sufficiently large probability. Defining 'closeness' as 'lying in an x-centered region B_x', and 'sufficiently large' as '1 − ε' for a very small ε, then x̄ is an acceptable estimator of x if

P(x̄ ∉ B_x) ≤ ε    (21)

We refer to the above probability P(x̄ ∉ B_x) as the integrity risk, see also, e.g., Schuster et al. (2007) and Salós et al. (2010). The integrity risk (21) is thus one minus the probability of x̄ lying inside the confidence region B_x. In the sequel, we denote this probability by IR.
Assuming that Σ_{j=0}^{m} P(H_j) = 1, with P(H_j) the probability of occurrence of H_j, describing a bias in the single jth measurement, cf. (2), the integrity risk can be decomposed, using the total probability rule, as

IR = Σ_{i=0}^{m} IR|H_i · P(H_i)    (22)

Here it is important to realize that the above expression depends on the bias value b_i under H_i for i = 1, …, m. One may take a conservative route by computing each term in the summation for a bias value b_i which maximizes its contribution. The hypothesis-conditioned integrity risk in (22), using (15) and (16), can be expressed as

IR|H_i = Σ_{j=0}^{m} P(x̂_j ∉ B_x|t ∈ P_j, H_i) P(t ∈ P_j|H_i)    (23)

The conditional probabilities in the above equation are computed based on the PDFs f_{x̂_j|t∈P_j}(θ|t ∈ P_j, H_i). Would one neglect the correlation between x̂_j and t, and use the unconditional PDFs f_{x̂_j}(θ|H_i) instead, an approximation of the rigorous integrity risk IR|H_i is obtained as

IR°|H_i = Σ_{j=0}^{m} P(x̂_j ∉ B_x|H_i) P(t ∈ P_j|H_i)    (24)

In IR|H_i, one conditions on both the hypothesis and the testing outcome, while in IR°|H_i, one conditions only on the hypothesis and not on the testing outcome.
The difference between the rigorous and approximate integrity risks under H_i reads

IR|H_i − IR°|H_i = Σ_{j=1}^{m} [P(x̂_j ∉ B_x|t ∈ P_j, H_i) − P(x̂_j ∉ B_x|H_i)] P(t ∈ P_j|H_i)    (25)

Note, in the above summation, that j runs from 1 to m, as the term for j = 0 vanishes on account of (17). For a given region B_x, the difference within square brackets depends on the difference between f_{x̂_j|t∈P_j}(θ|t ∈ P_j, H_i) and f_{x̂_j}(θ|H_i). The conditional PDF f_{x̂_j|t∈P_j}(θ|t ∈ P_j, H_i) would become equal to the PDF f_{x̂_j}(θ|H_i) if the correlation between x̂_j and t were zero. With (11), however, there is a non-zero correlation between x̂_j and t, driven by Q_x̂0x̂0, Q_tt and L_j. In addition, writing the unconditional PDF f_{x̂_j}(θ|H_i), using the total probability rule, as a P(t ∈ P_k|H_i)-weighted sum of the conditional PDFs reveals that, for a large bias, it is mainly driven by the term in the summation corresponding with j = i. This gives

lim_{|b_i|→∞} (IR|H_i − IR°|H_i) = 0

saying that for a very large bias magnitude, the difference between the rigorous and approximate integrity risk vanishes.
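The H_0-contribution to this difference can be checked by simulation. The sketch below uses a single-alternative, one-parameter model with assumed values σ²_x̂0 = 0.5 m², σ²_t = 2 m² and L_a = 0.5 (mirroring the examples later in the paper); the rigorous risk is obtained by Monte Carlo and the approximate risk analytically:

```python
import numpy as np
from scipy.stats import norm

rng = np.random.default_rng(1)

# Canonical single-alternative model under H0 (parameter values assumed)
sig_x0, sig_t, L_a = np.sqrt(0.5), np.sqrt(2.0), 0.5
P_FA, AL, x = 0.1, 2.0, 0.0
k = sig_t * norm.ppf(1 - P_FA / 2)           # detection threshold on |t|

N = 1_000_000
x0_hat = rng.normal(x, sig_x0, N)            # x0_hat independent of t under H0
t = rng.normal(0.0, sig_t, N)
xa_hat = x0_hat - L_a * t                    # adapted estimator (correlated with t)

# DIA estimator: keep x0_hat when H0 is accepted (|t| <= k), else switch
x_bar = np.where(np.abs(t) <= k, x0_hat, xa_hat)

# Rigorous integrity risk under H0 (conditions on the testing outcome)
IR = np.mean(np.abs(x_bar - x) > AL)

# Approximate risk: unconditional PDFs weighted by the decision probabilities
sig_xa = np.sqrt(sig_x0**2 + L_a**2 * sig_t**2)
IR_o = (2 * norm.sf(AL / sig_x0) * (1 - P_FA)
        + 2 * norm.sf(AL / sig_xa) * P_FA)

print(f"IR = {IR:.4f},  IR_o = {IR_o:.4f}")  # rigorous risk exceeds approximation
```

The excess of IR over IR_o comes entirely from the false-alarm branch: conditioned on |t| > k, the adapted estimator is pushed away from x, which the unconditional PDF ignores.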
Finally, we note that the issue of correlation-neglect between x̂_j and t also comes up if one would use the outcomes of testing in an a posteriori evaluation. In that case, one would have to work with the PDF of x̂|t ∈ P_j, which is different from that of x̂_j, despite the fact that both random vectors, x̂|t ∈ P_j and x̂_j, have the same sample outcome (Teunissen 2017). For instance, if H_j is the identified hypothesis, confidence levels are typically evaluated in practice as P(x̂_j ∈ B_x|H_i), see, e.g., Wieser (2004), Devoti et al. (2011) and Dheenathayalan et al. (2016), while they should be evaluated as P(x̂_j ∈ B_x|t ∈ P_j, H_i). The difference between their hypothesis-averaged versions will then provide differences like those between (23) and (24).

Numerical analysis: single alternative hypothesis
In this section, we evaluate both the "rigorous" and "approximate" integrity risks defined by (23) and (24). To get a better understanding of their characteristics, we consider a simple observational model with only a single alternative hypothesis H_a. In the model (1), there is only one unknown parameter (n = 1) and the redundancy of the model is also one (r = 1), i.e., x̂ ∈ ℝ and t ∈ ℝ. The canonical form of such a model, obtained by applying the Tienstra transformation 𝒯 to the (assumed) normally distributed vector of observables y (Teunissen 2017), reads

[x̂_0; t] = 𝒯y    (29)

which is specified for i ∈ {0, a} as

E([x̂_0; t] | H_i) = [x + L_a b_i; b_i],  D([x̂_0; t]) = diag(σ²_x̂0, σ²_t)    (30)

for some b_a ∈ ℝ∖{0} (with b_0 = 0), and with L_a ∈ ℝ, which establishes the link

x̂_a = x̂_0 − L_a t    (31)

With the mean of x̂_0 and t given by (29) and (30), the corresponding DIA-datasnooping procedure is defined by accepting H_0, and providing x̂_0, if t falls in the acceptance region P_0, and otherwise identifying H_a and providing x̂_a. With the above steps, the DIA estimator and its PDF under H_i, i ∈ {0, a}, are given by (34), in which the second equality follows from P_a = P_0^c = ℝ∖P_0.

Decomposition of f̄x | 0 and f̄x | a
As there is only one alternative hypothesis H_a, the events in (13) reduce to the four events CA, FA, MD and CD, and the decomposition of f_x̄(θ|H_i) in (15) simplifies to

f_x̄(θ|H_0) = f_{x̂_0}(θ|H_0) P_CA + f_{x̂_a|FA}(θ|FA) P_FA
f_x̄(θ|H_a) = f_{x̂_0}(θ|H_a) P_MD + f_{x̂_a|CD}(θ|CD) P_CD    (35)

Note that the subscripts of MD and CD as in (13) are dropped, as H_a is the only alternative. In Fig. 1, assuming (for example) that σ²_x̂0 = 0.5 m², σ²_t = 2 m² and L_a = 0.5, we show how the PDFs f_x̄(θ|H_0) (top) and f_x̄(θ|H_a) (middle and bottom) are formed according to (35). The probability of false alarm P_FA is usually user-defined by setting the appropriate size of P_0, hence an input to the DIA procedure both under the null and the alternative hypothesis. To assess the PDF of x̂_0 and x̄ under the alternative H_a, one additionally needs to set the size of the bias b_a, or alternatively, one may choose to set the correct detection probability P_CD, as we did here.
As was mentioned earlier, the conditional PDFs f_{x̂_a|FA}(θ|FA) and f_{x̂_a|CD}(θ|CD) are non-normal, which for the case of one single alternative can be expressed as

f_{x̂_a|FA}(θ|FA) = (1/P_FA) [f_{x̂_a}(θ|H_0) − f_{x̂_a|CA}(θ|CA) P_CA]    (36)
f_{x̂_a|CD}(θ|CD) = (1/P_CD) [f_{x̂_a}(θ|H_a) − f_{x̂_a|MD}(θ|MD) P_MD]    (37)

Substituting (36) and (37) into (35), given P_FA = 1 − P_CA and P_CD = 1 − P_MD, yields expression (38). In Fig. 1, in agreement with (38), as P_FA decreases, in the graphs on top, the curve of f_x̄(θ|H_0) in red gets close to that of f_{x̂_0}(θ|H_0) in blue. Also, when P_CD increases from 0.40 to 0.99, in the graphs in the middle and at the bottom, the curve of f_x̄(θ|H_a) in red gets close to that of f_{x̂_a}(θ|H_a) in black, and to that of f_{x̂_a|CD}(θ|CD) as well.
Non-normality of f_{x̂_a|FA}(θ|FA) and f_{x̂_a|CD}(θ|CD)
To appreciate the non-normality of the two PDFs f_{x̂_a|FA}(θ|FA) and f_{x̂_a|CD}(θ|CD), we show them in Fig. 2 for different values of the contributing factors, namely P_FA, P_MD = 1 − P_CD, σ_x̂0, σ_t and L_a. To highlight their non-normality, we have also plotted (for reference) their normal counterparts having the same mean and variance in black. These normal PDFs, respectively, correspond with the random variables

x̂_fa ∼ N(E(x̂_a|FA), D(x̂_a|FA)),  x̂_cd ∼ N(E(x̂_a|CD), D(x̂_a|CD))    (39)

Note that the above random variables are only introduced here to illustrate the departure from normality of x̂_a|FA and x̂_a|CD.
The panels on the left side of Fig. 2 demonstrate the behavior of f_{x̂_a|FA}(θ|FA) in blue, in comparison to f_{x̂_fa}(θ) in black. We note that the situations σ_x̂0 ↑, σ_t ↓, L_a ↓ and P_FA ↑ make the PDF f_{x̂_a|FA}(θ|FA) get closer to a normal one. This can be explained as follows. We first consider the impact of σ_x̂0, σ_t and L_a, which drive the correlation between x̂_a and t as

ρ_{x̂_a,t} = −L_a σ_t / (σ²_x̂0 + L_a² σ²_t)^{1/2}    (40)

If this correlation becomes zero, then the PDF f_{x̂_a|FA}(θ|FA) becomes identical to the unconditional normal PDF f_{x̂_a}(θ|H_0). As (40) suggests, this would be realized if L_a → 0 and σ_t → 0, as well as σ_x̂0 → ∞. Now, we consider the impact of P_FA, which can be explained through (36). Since P_CA = 1 − P_FA, increasing P_FA (thus decreasing P_CA) leads to smaller differences between f_{x̂_a|FA}(θ|FA) and f_{x̂_a}(θ|H_0). This can also be seen by comparing the dashed blue curves with the solid black ones in the first row of Fig. 1.
Shown on the right of Fig. 2 are the graphs of f_{x̂_a|CD}(θ|CD) together with those of f_{x̂_cd}(θ). The response of f_{x̂_a|CD}(θ|CD) to changes in the parameters σ_x̂0, σ_t and L_a is similar to that of f_{x̂_a|FA}(θ|FA). In addition, f_{x̂_a|CD}(θ|CD) depends on P_CD according to (37). Since P_CD = 1 − P_MD, increasing P_CD (thus decreasing P_MD) leads to smaller differences between f_{x̂_a|CD}(θ|CD) and f_{x̂_a}(θ|H_a). This can also be seen by comparing the dashed blue curves with the solid black ones in the second and third rows of Fig. 1.

Rigorous vs approximate integrity risk
The rigorous and approximate integrity risks for the case of working with a single alternative hypothesis H_a are formulated in, respectively, the first and the second rows of Table 1. The difference between them reads

IR − IR° = (IR|H_0 − IR°|H_0) P(H_0) + (IR|H_a − IR°|H_a) P(H_a)    (41)

The difference between IR and IR° lies in the difference between f_{x̂_a|FA}(θ|FA) and f_{x̂_a}(θ|H_0), and the difference between f_{x̂_a|CD}(θ|CD) and f_{x̂_a}(θ|H_a). These differences, as discussed previously, depend on ρ_{x̂_a,t}, P_FA and, in the case of the latter, on P_CD. In case ρ_{x̂_a,t} = 0, then f_{x̂_a|FA}(θ|FA) = f_{x̂_a}(θ|H_0) and f_{x̂_a|CD}(θ|CD) = f_{x̂_a}(θ|H_a), and thereby IR = IR°. As nominal conditions are more likely than anomalies incurring measurement biases, the probability of occurrence of H_0 is far larger than that of H_a, see, e.g., Wu et al. (2013). Thus, the impact of (IR|H_a − IR°|H_a) is downweighted by the small value of P(H_a). Therefore, in the following, we first discuss the behavior of (IR|H_0 − IR°|H_0) and then the behavior of (IR − IR°).

Evaluation of IR| 0 − IR o | 0
It can be shown that the difference (IR|H_0 − IR°|H_0) in (42) is always positive; for a proof, see the Appendix. Assuming σ²_x̂0 = 0.5 m² and σ²_t = 2 m², Fig. 3 illustrates the graphs of (IR|H_0 − IR°|H_0) (solid lines) and those of IR|H_0 (dashed lines) as a function of the alert limit AL, defining B_x = [x − AL, x + AL], for P_FA = 10⁻¹ (top) and P_FA = 10⁻³ (bottom), and L_a = 0.5, 1.5 (in blue and red, respectively). Comparing the solid lines with their corresponding dashed lines, we note, depending on the values of L_a and P_FA, that after a certain alert limit, the values of IR|H_0 and (IR|H_0 − IR°|H_0) approach each other, implying that the approximate integrity risk IR°|H_0 gets very small indeed. We explain this behavior for the blue curves at the bottom when AL = 4 m. The probability masses of the PDFs f_{x̂_a|FA}(θ|FA) and f_{x̂_a}(θ|H_0), the dashed blue curve and the black curve in the upper left panel of Fig. 1, outside B_x = [x − 4, x + 4] are at the level of 2 × 10⁻² and 6 × 10⁻⁵, respectively. In addition, the probability mass of the PDF f_{x̂_0}(θ|H_0) outside B_x = [x − 4, x + 4] is at the level of 10⁻⁸. These values, given P_FA = 10⁻³, then result in a difference at the level of 8 × 10⁻⁸ between IR|H_0 and (IR|H_0 − IR°|H_0). As a consequence, in this case the approximate integrity risk under the null hypothesis is too optimistic by a factor of about 300.
(Table 1: Integrity risk based on the DIA estimator (IR) and its approximation obtained by ignoring the correlation between x̂_a and t (IR°), for the case of a null and a single alternative hypothesis.)
It can be seen that the graphs of (IR|H_0 − IR°|H_0) take only positive values. We note that all curves as a function of AL show almost the same signature: they first increase and then decrease to zero. Since this behavior depends on AL, it can be explained by looking at the integral part in (42), which is the difference between P(|x̂_a − x| > AL|FA) and P(|x̂_a − x| > AL|H_0). We have

lim_{AL→0} [P(|x̂_a − x| > AL|FA) − P(|x̂_a − x| > AL|H_0)] = 0
lim_{AL→∞} [P(|x̂_a − x| > AL|FA) − P(|x̂_a − x| > AL|H_0)] = 0    (44)

As shown in the Appendix, P(|x̂_a − x| ≤ AL|H_0) is always greater than P(|x̂_a − x| ≤ AL|FA). It can, therefore, be concluded that the PDF f_{x̂_a}(θ|H_0) is more peaked around x than f_{x̂_a|FA}(θ|FA), so that, when AL increases, P(|x̂_a − x| > AL|H_0) decreases more rapidly than P(|x̂_a − x| > AL|FA). This, together with (44) and the fact that the probabilities P(|x̂_a − x| > AL|H_0) and P(|x̂_a − x| > AL|FA) are continuous functions of AL, results in the increasing and then decreasing behavior of (IR|H_0 − IR°|H_0). In Fig. 3, when L_a increases, the curve of (IR|H_0 − IR°|H_0) stretches over a larger range of values of AL. This is due to the fact that increasing L_a reduces the peakedness of the PDFs f_{x̂_a}(θ|H_0) and f_{x̂_a|FA}(θ|FA) around x; the impact of changing L_a on these PDFs is demonstrated in (31) and Fig. 2 (top left), respectively. Therefore, both the probabilities P(|x̂_a − x| > AL|H_0) and P(|x̂_a − x| > AL|FA) behave more smoothly as a function of AL, and so does their difference.
Decreasing P_FA by a factor of 10², we note that the values of (IR|H_0 − IR°|H_0) in Fig. 3 also decrease by almost a factor of 10². Reducing P_FA by a factor of 10² would reduce (IR|H_0 − IR°|H_0) by the same amount if P(|x̂_a − x| > AL|FA) remained invariant. However, as Fig. 2 (bottom left) shows, reducing P_FA by a factor of 10² increases P(|x̂_a − x| > AL|FA), which results in (IR|H_0 − IR°|H_0) decreasing by a factor slightly smaller than 10².

Evaluation of IR − IR°
Here, we investigate the behavior of the integrity risks when both the null and alternative hypotheses are taken into account. The difference (IR − IR°) in (41) depends, through the contribution of H_a, on the bias value b_a. Considering σ²_x̂0 = 0.5 m², σ²_t = 2 m² and P(H_0) = 0.9 (thus P(H_a) = 0.1; the latter probability is usually much smaller in practice), Fig. 4 shows the curves of (IR − IR°) as a function of b_a for two different values of AL in B_x = [x − AL, x + AL], L_a and P_FA. When L_a decreases, although the correlation ρ_{x̂_a,t} decreases, the difference (IR − IR°) may increase or decrease depending on AL and P_FA. It can be seen that (IR − IR°) does not change much as a function of b_a. This is due to the fact that any change in b_a will change (IR|H_a − IR°|H_a), the impact of which is downweighted by P(H_a) = 0.1. Note that IR is larger than IR° in most cases, revealing that using the approximate integrity risk instead of the rigorous one will generally be hazardous: IR° does not provide a safe bound on the actual IR.

Numerical analysis: multiple alternative hypotheses
So far, for simplicity, we have been working with an observational model with one unknown parameter and a redundancy of one. In this section, we work with a satellite-based single-point positioning (SPP) model based on the observations of m satellites, with four unknown parameters (n = 4) and redundancy r = m − 4. As alternative hypotheses, we consider those given in (2). In that case, there are as many alternative hypotheses as there are observations.
(Fig. 4 caption: σ²_x̂0 = 0.5 m², σ²_t = 2 m² and P(H_0) = 0.9. The variation of P_FA and L_a is highlighted through the style and color of the curves, respectively: P_FA = 10⁻¹ in solid lines and P_FA = 10⁻³ in dashed lines; L_a = 0.5 in blue and L_a = 1.5 in red.)
We first present the observational model, and then we analyze, by means of three practical examples, the difference between the rigorous and approximate integrity risks for the contributions under the null hypothesis (H_0).

SPP observational model
Assuming there are m pseudorange observations, the observational model under H_i for i = 0, 1, …, m is given as

E(y) = [G e_m][x; dt] + c_i b_i,  D(y) = σ_p² I_m    (45)

where the m × 3 matrix G contains the receiver-satellite unit direction vectors u_i through its rows, e_m is the m-vector of ones, and again c_0 b_0 = 0. The unknown receiver coordinate components and clock error are, respectively, denoted by the 3-vector x and the scalar dt. The dispersion of the observables is characterized through the standard deviation σ_p and the identity matrix I_m. At this stage, to simplify our analysis, we do not consider a satellite-elevation-dependent variance matrix. In the following, we only concentrate on the H_0-driven difference between IR and IR°, as the probability of occurrence of H_0 is by far larger than that of the alternative hypotheses.
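The structure of the SPP design matrix can be sketched as follows. The azimuths, elevations and sign convention below are our own assumptions for illustration, not the geometry of the paper's examples:

```python
import numpy as np

# Made-up satellite azimuths/elevations (degrees) for six satellites
az = np.deg2rad([20., 80., 150., 210., 280., 340.])
el = np.deg2rad([15., 60., 35., 70., 25., 45.])

# Receiver-satellite unit direction vectors (east, north, up components)
u = np.column_stack([np.cos(el) * np.sin(az),
                     np.cos(el) * np.cos(az),
                     np.sin(el)])
m = u.shape[0]

# One common sign convention: A = [-u  e_m], i.e. three coordinate
# unknowns plus one receiver clock unknown (n = 4)
A = np.hstack([-u, np.ones((m, 1))])

sigma_p = 1.0                                 # pseudorange std (m); Q_yy = sigma_p^2 I_m
Q_xx = sigma_p**2 * np.linalg.inv(A.T @ A)    # variance matrix of the BLUE

print(A.shape, m - 4)                         # (6, 4) 2  -> redundancy r = 2
```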

Evaluation of IR| 0 − IR o | 0
Setting i = 0 in (25), we have

IR|H_0 − IR°|H_0 = Σ_{j=1}^{m} [P(x̂_j ∉ B_x|t ∈ P_j, H_0) − P(x̂_j ∉ B_x|H_0)] P(t ∈ P_j|H_0)    (46)

which shows, for a given satellite geometry (design matrix), that the difference (IR|H_0 − IR°|H_0) depends on P_FA = α, B_x and Q_yy. In the following, for a few satellite geometries, we illustrate (IR|H_0 − IR°|H_0) as a function of the contributing factors. Note that we compute the integrity risk for the horizontal components and the vertical component separately. As such, the integrity risk for the vertical component is computed for B_{x_V} = [x_V − AL, x_V + AL], where x_H ∈ ℝ² and x_V ∈ ℝ are, respectively, the horizontal components and the vertical component of x.
For the horizontal components, the region in (48) is a circle with radius AL, while the region in (49) is an ellipse driven by the cofactor matrix Q_{x̂_H0 x̂_H0}. Without loss of generality, our illustrations are depicted for x = 0, thus x_V = 0 and x_H = 0.
Example 1: Fig. 5. The skyplot in Fig. 5 (top) shows a geometry of six satellites. The graphs of the difference (IR|H_0 − IR°|H_0) as a function of AL are shown for the vertical component (second row) and the horizontal components (third and fourth rows) for different values of σ_p (cf. 45) and P_FA = α. The third row corresponds with the circular region, cf. (48), while the fourth row corresponds with the elliptical region, cf. (49). It is important to note that (IR|H_0 − IR°|H_0) takes only 'positive' values for all components, meaning that employing the approximate integrity risk instead of the rigorous one could be dangerous, depending on the application at hand. To get a better appreciation of this danger, the values of (IR|H_0 − IR°|H_0) together with IR|H_0 are tabulated in Table 2; in one of the cases the approximate integrity risk turns out to be too optimistic by a factor of 8. We also note that all graphs as a function of AL show almost the same signature: they first increase and then decrease to zero, at different slopes. Since this behavior depends on the AL values, it can be explained by looking at (46). As an example, we take the vertical-component integrity risk. Assuming x_V = 0 and σ_p = 1 m, Fig. 6 illustrates the PDFs f_{x̂_Vj}(θ_V|H_0) (dashed blue curves) and f_{x̂_Vj|t∈P_j}(θ_V|t ∈ P_j, H_0) for α = 10⁻¹ (solid blue curves) and α = 10⁻² (solid red curves), for all six alternative hypotheses j = 1, …, 6. It can be seen that the unconditional PDF is more peaked around zero than its conditional counterpart, so that, with (50), the corresponding exceedance probabilities, and thereby their difference, first increase and then decrease with AL. In Fig. 5, when σ_p increases, the graph of (IR|H_0 − IR°|H_0) stretches over a larger range of AL. This is due to the fact that increasing σ_p reduces the peakedness of the PDFs f_{x̂*_j}(θ*|H_0) and f_{x̂*_j|t∈P_j}(θ*|t ∈ P_j, H_0) around zero. Therefore, both the probabilities P(x̂*_j ∈ B^c_{x*}|t ∈ P_j, H_0) and P(x̂*_j ∈ B^c_{x*}|H_0) behave more smoothly as a function of AL, and so does their difference.
Decreasing α = P_FA by a factor of 10, we note that the graphs of (IR|H_0 − IR°|H_0) for both the vertical and horizontal components also decrease by almost a factor of 10. In (46), the dependence on the false-alarm probability is introduced by P(t ∈ P_j|H_0) and P(x̂_j ∈ B^c_x|t ∈ P_j, H_0). With the definition of P_0 in (6) and P_{j≠0} in (8), for some scalar 0 < s < 1, we have

P(t ∈ P_{j≠0}|H_0) = s α    (51)

Therefore, if α reduces, for instance, by a factor of 10, then the probability P(t ∈ P_{j≠0}|H_0) also decreases by a factor of 10. For the vertical component, as Fig. 6 shows, changing α from 10⁻¹ to 10⁻² does not significantly affect the shape of f_{x̂_Vj|t∈P_j}(θ_V|t ∈ P_j, H_0) for j = 2, 3, 5, 6. Therefore, the leading factors driving the difference between (IR|H_0 − IR°|H_0) for α = 10⁻¹ and for α = 10⁻² are the probabilities P(t ∈ P_{j≠0}|H_0), which, according to (51), get 10 times smaller when reducing α from 10⁻¹ to 10⁻². The reduction of (IR|H_0 − IR°|H_0) due to reducing α from 10⁻¹ to 10⁻² is, therefore, expected to be by almost one order of magnitude.
From Fig. 6, we note that the difference between the two PDFs f_{x̂_Vj}(θ_V|H_0) and f_{x̂_Vj|t∈P_j}(θ_V|t ∈ P_j, H_0) can be arranged in ascending order for j = 6, 3, 5, 2, 1, 4. To understand the impact of the conditioning on t ∈ P_j on x̂_j, we consider (11), which describes the link between x̂_j and t established through L_j, cf. (12). For the observational model at hand, in which the redundancy is r = 2 and also x ∈ ℝ³, L_j is a 3 × 2 matrix which can be decomposed as L_j = [l_{j,1}, l_{j,2}, l_{j,3}]ᵀ with l_{j,i} ∈ ℝ² (i = 1, 2, 3). The conditional PDF f_{x̂_Vj|t∈P_j}(θ_V|t ∈ P_j, H_0) is then given by (52), in which (53) involves q_{x̂_0 x̂_V0} ∈ ℝ³, the covariance vector between x̂_0 and x̂_V0, w_j(⋅) given by (7), and the average receiver-satellite unit direction vector ū = (1/m) Σ_{j=1}^{m} u_j. These equations reveal that the impact of L_j on the vertical component x̂_Vj is governed by various factors. Table 3 gives the values of |q_{x̂_0x̂_V0}ᵀ(u_j − ū)| / ‖c_{t_j}‖_{Q_tt} in (53) for σ_p = 1 m for all hypotheses j = 1, …, 6. As the value of P(t ∈ P_j|H_0) does not change much for different j (see Fig. 6), it can be stated that the shapes of the regions P_j are similar to each other. Therefore, the leading factor driving the differences in shape among the conditional PDFs is the quantity in Table 3, which is by far the greatest for j = 4. This explains the discrepancy between f_{x̂_V4|t∈P_4}(θ_V|t ∈ P_4, H_0) and f_{x̂_Vj|t∈P_j}(θ_V|t ∈ P_j, H_0) for j ≠ 4: the red and blue curves for j = 4 in Fig. 6 (middle right) clearly differ from those in the other panels.
(Fig. 6 caption: f_{x̂_Vj}(θ_V|H_0) (dashed blue curves) and f_{x̂_Vj|t∈P_j}(θ_V|t ∈ P_j, H_0) for α = 10⁻¹ (blue curves) and α = 10⁻² (red curves), for the model in (45), corresponding to the satellite geometry in Fig. 5 and σ_p = 1 m, for all six alternative hypotheses j = 1, …, 6. The probability given on top of each panel is computed for α = 10⁻¹.)
Example 3: Fig. 8. In Fig. 8, we present the same type of information as in Figs. 5 and 7, but now for a multi-constellation example given in Blanch et al.
(2012), Appendix J. This constellation consists of five GPS (G) and five Galileo (E) satellites. In this case, we have three position parameters and two receiver clock parameters (one for GPS and one for Galileo), and the misclosure vector is of dimension five. Note that the results in Fig. 8 use an elevation-dependent variance for the observations (C_int in the mentioned paper). Also here, as in the previous examples, we note the 'positive' values of (IR|H_0 − IR°|H_0).

Summary and conclusion
The message of this contribution finds its origin in the combination of parameter estimation and statistical testing. These two activities are typically disconnected in practice when it comes to describing the quality of the eventual estimator. That is, the distribution of the estimator under an identified statistical hypothesis is used without regard to the conditioning process that led to the decision to accept this hypothesis as the working model. We analyzed the impact of this simplification on the actual integrity risk.
Considering a null hypothesis and a single alternative, the different distributions were first shown graphically for a simple observational model with a one-dimensional unknown parameter and a one-dimensional misclosure for statistical testing. It was demonstrated that, with normally distributed observables and linear models, the distributions of the estimators conditioned on false alarm and correct detection turn out to be no longer normal. To compute the integrity risk rigorously, one needs to condition on both the hypothesis and the testing outcome. An approximate risk is obtained, however, when one omits the connection between testing and estimation and thus only conditions on the hypothesis and not on the testing outcome.
For the simple observational model, it was mathematically proven that the rigorous integrity risk exceeds the approximate one. This comparison of the rigorous and approximate integrity risk was then continued by means of a number of satellite-based single-point positioning examples, focusing again on the contributions under the null hypothesis. Although a mathematical proof for the multidimensional case does not yet exist, these examples support the previously obtained conclusion that the approximate integrity risk has a tendency of being smaller than its rigorous counterpart. Thus, by including the uncertainty of the decision process driven by statistical testing and using conditional distributions instead of unconditional ones, the actual integrity risk may end up being larger than the computed approximate one. In other words, the approximate approach may provide a too optimistic description of the integrity risk and thereby not sufficiently safeguard against possibly hazardous situations.
We, therefore, clearly advocate the use of the rigorous approach to evaluate the integrity risk, as underestimating the risk, or knowingly allowing this possibility to exist, cannot be acceptable, particularly in critical and safety-of-life applications.
(Table 3: Evaluation of (53) for Example 1 (Fig. 5).)