A New Approach to Unwanted-Object Detection in GNSS/LiDAR-Based Navigation

In this paper, we develop new methods to assess safety risks of an integrated GNSS/LiDAR navigation system for highly automated vehicle (HAV) applications. LiDAR navigation requires feature extraction (FE) and data association (DA). In prior work, we established an FE and DA risk prediction algorithm assuming that the set of extracted features matched the set of mapped landmarks. This paper addresses these limiting assumptions by incorporating a Kalman filter innovation-based test to detect unwanted objects (UOs). UOs include unmapped, moving, and wrongly excluded landmarks. An integrity risk bound is derived to account for the risk of not detecting UOs. Direct simulations and preliminary testing help quantify the impact on integrity and continuity of UO monitoring in an example GNSS/LiDAR implementation.


Introduction
This paper describes the design, analysis, and preliminary testing of a new method to quantify safety in GNSS/LiDAR navigation systems. An integrity risk bound is derived, which accounts for failures to detect undesirable, unmapped and wrongly extracted obstacles. The paper describes an innovation-based method, which is an alternative to the solution separation approach used in [1]. In addition, the paper provides the means to quantify the impact of unwanted objects (UO) on the risk of incorrect association. This work is intended for driverless cars, or highly automated vehicles (HAV) [2,3], operating in changing environments where unknown, moving obstacles (cars, buses, and trucks) are not wanted as landmarks for localization, and may occlude other useful, mapped landmarks.
This research leverages prior analytical work carried out in civilian aviation navigation where safety is assessed in terms of integrity and continuity [4]. These performance metrics are sensor- and platform-independent. Integrity is a measure of trust in sensor information: integrity risk is the probability of undetected sensor errors causing unacceptably large positioning uncertainty [4]. Continuity is a measure of the navigation system's ability to operate without unscheduled interruption. Both loss of integrity and loss of continuity can place the HAV in hazardous situations [4,5].
Several methods have been established to predict integrity and continuity risks in GNSS-based aviation applications [6][7][8]. Unfortunately, the same methods do not directly apply to HAVs, because ground vehicles operate under sky-obstructed areas where GNSS signals can be altered or blocked by buildings and trees.
HAVs require sensors in addition to GNSS, including LiDARs, cameras, or radars. This paper focuses on LiDARs because of their prevalence in HAVs, of their market availability, and of our prior experience. A raw LiDAR scan is made of thousands of data points, each of which individually does paper assumes that UOs only mask one unknown landmark at a time as the HAV drives by. Section 3 describes the innovation-based approach employed to detect the UO (which differs from the solution separation detector employed in [1]). An integrity risk bound is then derived to incorporate the risk of not detecting a UO when one might be present. This bound is analytically evaluated in two steps in Section 4: we account for the impact of undetected UO: (a) on the probability of hazardously misleading information (HMI) under the correct association (CA) hypothesis, and (b) on the probability of incorrect association (IA). Navigation integrity performance is then assessed in Section 5 using direct simulations and preliminary testing for an example implementation using GNSS and two-dimensional LiDAR data.

Background: Integrity Risk Bound Accounting for Incorrect Associations
This section presents an overview of the integrity risk evaluation method described in [1,26,28], which uses a multiple-hypothesis innovation-based DA process.

Integrity Risk Definition and Integrity Risk Bound
The integrity risk, or probability of hazardous misleading information (HMI) at time $k$, is noted $P(HMI_k)$, and is defined in Figure 1. The safety criterion is: predefined integrity risk requirement set by a certification authority (similar to requirements set for aviation applications in [4,8]). Values for $I_{REQ,k}$ that might be used in future HAV applications can be found in [5].
Figure 1. Defining Integrity Risk for Automotive Applications. The integrity risk is the probability of the car being outside the alert limit requirement box (blue shaded area) when it was estimated to be inside the box. When lateral deviation is of primary concern, then the alert limit is the distance between edge of car and edge of lane.
In [26,28], we established an analytical bound on the integrity risk, which accounts for the risk of incorrect associations. This bound is expressed as: with where $k$ is an index identifying a time step; $K$ designates a range of indices: $K \equiv \{0, \ldots, k\}$, from filter initiation to time $k$; $CA_K$ is the correct association hypothesis for all landmarks, at all times $0, \ldots, k$; $Q\{\,\}$ is the tail probability function of the standard normal distribution; is the specified alert limit that defines a hazardous situation [4,5,8] (e.g., see Figure 1); $\sigma_k$ is the standard deviation of the estimation error for the vehicle state of interest (or linear combination of states); $P_{\chi^2}\{dof, T\}$ is the probability that a chi-squared-distributed random variable with "dof" degrees of freedom is lower than some value $T$; $n_l$ is the number of measurements at time step $l$; $m_l$ is the number of estimated state parameters at time step $l$; $I_{FE,l}$ is an integrity risk budget allocation, i.e., a fraction of $I_{REQ,k}$ that we choose to satisfy: $I_{FE,k} \ll I_{REQ,k}$; $L_l^2$ is the minimum mean normalized separation between landmark features that can be guaranteed with probability larger than $1 - I_{FE,l}$. The normalized feature separation metric is derived in [28]. $L_l^2$ is derived at FE using a map or database of landmarks or using landmark observations at previous time-steps in SLAM; $\lambda_l^2$ is a mapping coefficient from separation space to EKF innovation space. This coefficient is determined by solving an eigenvalue problem in [28]. The minimum eigenvalue is taken to lower bound $P(CA_K)$, which is conservative; forms a probabilistic lower bound on the mean innovation's norm, which is further described in Section 2.2.
The integrity risk bound in Equation (1) is refined in this paper to account for the presence of UOs and for failures to detect them. Equation (1) captures a key tradeoff in data association: on the one hand, using only few measurements can cause a large nominal estimation error and hence large $P(HMI_k \mid CA_K)$; but on the other hand, few measurements from sparsely distributed landmarks can improve $P(CA_K)$ because features are "separated", distinguishable, and therefore can be robustly associated. $P(HMI_k)$ is unknown, but we can assess safety by comparing $I_{REQ,k}$ to the upper bound given in Equations (1)-(3), where all terms are known.

Innovation-Based Data Association
Equation (1) is derived for an innovation-based DA process, which is further described in the following paragraphs. Let $n_L$ be the total number of visible landmarks and $n_F$ the number of estimated feature parameters per landmark. Feature parameters can include landmark position, size, orientation, surface properties, etc. When using LiDAR only (we integrate GNSS in Section 5), the total number of feature parameters within the visible landmark set is: $n_k \equiv n_L n_F$. We can stack the actual (true) values of the extracted feature parameters for all landmarks in an $n_k \times 1$ vector $z_k$. Let $\hat{z}_k$ be an estimate of $z_k$. We assume that the cumulative distribution function of $\hat{z}_k$ can be bounded by a Gaussian function with mean $z_k$ and covariance matrix $V_k$ [31][32][33]. We use the notation: $\hat{z}_k \sim N(z_k, V_k)$.
The nonlinear measurement equation can be written in terms of the $m_k \times 1$ state parameter vector where $x_k$ includes vehicle pose parameters and may also include landmark feature parameters (for SLAM-type approaches); $v_k$ is the extracted measurement noise vector: $v_k \sim N(0_{n \times 1}, V_k)$, where $0_{a \times b}$ is an $a \times b$ matrix of zeros.
The mean of $\hat{z}_k$ is $z_k = h_k(x_k)$. Equation (4) can be linearized about an estimate $x_k$ of $x_k$: The ordering of landmarks in $\hat{z}_k$ is arbitrary and unknown. A nearest-neighbor approach (described below) is used to determine the ordering of measurement-to-state coefficients in $h_k(x_k)$ and $H_k$. Failing to find the landmark ordering that matches that of $\hat{z}_k$ causes estimation errors called incorrect associations (IA).
If $n_L$ landmarks are extracted, there are $(n_L!)$ ways to arrange measurements in $\hat{z}_k$, which we call $(n_L!)$ candidate associations. For clarity of exposition, we assume that the total number of mapped landmarks, or of previously observed landmarks when using SLAM, is also the number $n_L$ of extracted landmarks (procedures to address this assumption are given in [1]). Let subscript $i$ designate association hypotheses, for $i = 0, \ldots, n_A$, where $n_A = n_L! - 1$. We define $i = 0$ as the fault-free, correct association (CA) hypothesis, and the other $n_A$ hypotheses are IA. IA impacts the EKF estimation process through the innovation vector $\gamma_{i,k}$. Vector $\gamma_{i,k}$ is an effective indicator of CA because it is zero mean only for the correct association.
In all IA cases, the mean of $\gamma_{i,k}$ is not zero and is expressed in terms of $n \times n$ permutation matrices $A_{i,k}$, for $i = 1, \ldots, n_A$, as where where $\varepsilon_k$ is the EKF state prediction error vector ($\varepsilon_k \equiv x_k - x_k$) and $I_a$ is the $a \times a$ identity matrix. Let $P_k$ be the EKF state prediction error covariance matrix. We select the association candidate that satisfies the nearest-neighbor association criterion [9], defined as The probability of correct association is the probability of the following event occurring: We can determine the a priori distributions of variables $\gamma_{i,k}^2$, for $i = 0, \ldots, n_A$, except their mean values that are unknown. In [28], we show that the term $L_l^2 \lambda_l^2$ used in Equation (1) is a lower bound on the mean innovation's norm. Equation (1) is a bound on $P(HMI_k)$, but it assumes that no UO is present. We first design a UO detector and derive a new $P(HMI_k)$ bound in Section 3, and then we establish an analytical method to evaluate the impact of undetected UOs on this new bound in Section 4.

Risks Involved with Unwanted Object Detection
In the presence of a UO, the innovation vector's norm in Equation (9) is nonzero under all association hypotheses. In this case, the correct association hypothesis must be redefined. We call correct association (CA) the one where all landmarks that are not occluded by a UO are correctly associated, i.e., where the innovation vector would be zero mean if the UO was removed. The nonzero mean in the CA's innovation vector is caused by the UO only, not by other incorrectly associated landmarks.

Innovation-Based Detector
If a UO is present, $\gamma_{i,k}$ does not have a mean of zero even under CA. To identify such events, we can set a threshold $T_k^2$ on the minimum innovation norm squared, or, since the process is performed over time, on the running sum of minimum innovation norms squared. Using innovations (instead of solution separations as in [1]) will facilitate evaluation of $P(CA_K)$ in Section 4. The UO detection test statistic is defined as Since the innovation sequence is white, $q_k^2$ is non-centrally chi-squared distributed with $n_{DOF,k} = \sum_{l=0}^{k} n_l$ degrees of freedom and noncentrality parameter (NCP) $\mu_{Q,k}^2$, which is further discussed in Section 4. We use the notation $q_k^2 \sim \chi^2(n_{DOF,k}, \mu_{Q,k}^2)$. The detection threshold $T_k^2$ is set according to a continuity risk requirement $C_{REQ}$ to limit the risk of false alerts. False alerts occur when no UO is present, causing $q_k^2$'s NCP to be zero under CA. Thus, $T_k^2$ is given by If $T_k^2$ is exceeded, we interrupt the mission. (As an alternative to mission interruption, we could select a different set of landmark feature measurements as in [1,34], but this is beyond the scope of this paper.) This does not impact $P(HMI_k)$. However, if $T_k^2$ is not exceeded, a UO may still be present because the detection test statistic $q_k^2$ is a random, noisy variable. Navigation errors due to undetected UOs can cause the vehicle to crash.

Integrity Risk in Presence of UO
To quantify the integrity risk caused by potentially undetected UOs, the $P(HMI_k)$ definition in Equation (1) is modified: HMI is the joint event of the car being out of lane while no alert has been sent. The integrity risk is redefined as where $\hat{\varepsilon}_k$ is the EKF state estimation error for the state of interest, e.g., for the vehicle's lateral deviation within its lane. Because $\hat{\varepsilon}_k$ and $q_k^2$ are obtained after associating LiDAR data to a landmark map, we consider a set of mutually exclusive, exhaustive hypotheses of correct associations (CA) and incorrect associations (IA). We derived the following bounds: where $HI_k$ is the event of hazardous information (HI) at time $k$, defined as $HI_k \equiv |\hat{\varepsilon}_k| >$ ; $ND_K$ is the event of no detection (ND) at all previous times $0, \ldots, k$, defined as is the CA hypothesis for all landmarks, at all times $0, \ldots, k$; $IA_K$ is the IA hypothesis for any landmarks, at any time $0, \ldots, k$.
In Section 4, we derive upper bounds on $P(HI_k \cap ND_K \mid CA_K)$ and $P(ND_K \cap IA_K)$.

Analytical Bounds on Risks Caused by Undetected Unwanted Objects
As stated in Section 1, this paper assumes that UOs only mask one unknown landmark at a time as the HAV drives by. This can be extended to multiple UOs masking one subset of landmarks at a time, using the procedures described in [1]. However, the performance analysis in Section 5 does not illustrate this case. The limitation is that the UO-free subset must be large enough to enable HAV pose estimation; the method requires landmark redundancy because it assumes an uncertain vehicle dynamic model and no inertial navigation system.

Risk of HMI Due to Undetected UO
We consider a set of mutually exclusive, exhaustive hypotheses $H_h$ of a UO masking a landmark $h$ (or landmark subset $h$) for $h = 0, \ldots, n_H$, where $n_H$ is the total number of hypotheses. We note $H_0$ the fault-free (no UO) hypothesis. Using the law of total probability, $P(HI_k \cap ND_K \mid CA_K)$ is rewritten as We have no prior knowledge on the probability of occurrence of $H_h$, but we can bound the sum of their occurrence probabilities by 1. Thus, $P(HI_k \cap ND_K \mid CA_K)$ can be upper-bounded using the following expression: Recalling that $\hat{\varepsilon}_k$ and $q_k^2$ are statistically independent (e.g., [35,36]), we can rewrite the bound in Equation (15) as Under the correct association hypothesis ($CA_K$), the distributions of $\hat{\varepsilon}_k$ and $q_k^2$ are known except for mean values: $\hat{\varepsilon}_k \sim N(\mu_k, \sigma_k^2)$ and $q_k^2 \sim \chi^2(n_{DOF,k}, \mu_{Q,k}^2)$. Thus, Equation (16) can be upper-bounded using receiver autonomous integrity monitoring (RAIM) methods [6,7,34-37]. A UO causes a shift in the mean of $\hat{\varepsilon}_k$ and in the NCP of $q_k^2$. Large UO-induced feature measurement errors cause large $\hat{\varepsilon}_k$ (i.e., high risk of HI) but also cause large $q_k^2$, which makes the UO easier to detect (i.e., low risk of ND). To analyze this tradeoff, innovation-based chi-squared RAIM methods consider the failure mode slope (FMS) [34-37]. Given a UO hypothesis $H_h$ for $h \neq 0$, the FMS is the ratio of the mean estimation error over the NCP of the test statistic: $g_{h,k} \equiv (\mu_k^2 / \mu_{Q,k}^2)^{1/2}$. Recent analytical results in [35] were established in the context of GNSS/INS integration. They provide the means to recursively determine the FMS when using an EKF for estimation and a sequence of innovations for detection. We use this method to determine the bound in Equation (16) where $\eta$ is a search parameter (called the fault magnitude in [36]) that is easily determined at each time step $k$ using a one-dimensional search, e.g., using an interval-halving method [36], and where

Risk of Incorrect Association Due to Undetected UO
This subsection aims at evaluating the other unknown term in Equation (13): $P(ND_K \cap IA_K)$. The presence of a UO can cause the risk of IA to grow without bound. In this case again, the detector is leveraged to limit the impact of UO on safety risks. However, in contrast with Section 4.1, two major challenges must be tackled to upper-bound $P(ND_K \cap IA_K)$: (i) the events $IA_K$ and $ND_K$ are correlated because both events depend on the same innovation vectors; and (ii) unlike on the left-hand side in Equation (17), there is no condition on association (no "given $CA_K$"), so we do not know which association is used to compute the innovations in the detection test statistic $q_k^2$.
In response, we used an approach based on the minimum detectable error (MDE) concept used in the GPS Local Area Augmentation System (LAAS) [4,38,39]. The MDE is a probabilistic bound on the NCP of the chi-squared detection test statistic. Appendix A shows that where $\mu_{MDE,l}^2$ is the MDE due to a UO at time $l$. $\mu_{MDE,l}^2$ can be computed using the following equation: The probability $I_{MDE,l}$ is an integrity risk requirement allocation, i.e., a fraction of $I_{REQ,l}$ such that $I_{MDE,l} \ll I_{REQ,l}$. $\mu_{MDE,l}^2$ is the smallest value that the detection test statistic NCP can take to ensure that the risk of no detection stays below $I_{MDE,l}$. $\mu_{MDE,l}^2$ is a probabilistic bound, not a random variable (which addresses challenge (i) above), and is independent of the association candidate (Equation (20) only depends on the number of degrees of freedom, thus addressing (ii)).
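The detection threshold of the innovation-based detector and the MDE described above can be computed numerically from their verbal definitions. The following is an added example, not the authors' code: it assumes the minimum normalized innovation norms squared are already supplied by the EKF/DA stage, uses constructed values for $C_{REQ}$, $I_{MDE}$ and the innovation samples, and implements the chi-squared distributions with the Python standard library only.

```python
import math

def _gamma_pq(a, x):
    """Regularized incomplete gamma functions (P, Q), with P + Q = 1."""
    if x <= 0.0:
        return 0.0, 1.0
    pref = math.exp(a * math.log(x) - x - math.lgamma(a))
    if x < a + 1.0:
        # Power series for the lower tail P(a, x).
        term = total = 1.0 / a
        n = a
        while term > total * 1e-17:
            n += 1.0
            term *= x / n
            total += term
        return total * pref, 1.0 - total * pref
    # Modified Lentz continued fraction for the upper tail Q(a, x).
    tiny = 1e-300
    b = x + 1.0 - a
    c, d = 1.0 / tiny, 1.0 / b
    h = d
    for i in range(1, 10000):
        an = -i * (i - a)
        b += 2.0
        d = an * d + b
        d = 1.0 / (d if abs(d) > tiny else tiny)
        c = b + an / c
        c = c if abs(c) > tiny else tiny
        delta = d * c
        h *= delta
        if abs(delta - 1.0) < 1e-15:
            break
    return 1.0 - h * pref, h * pref

def chi2_sf(dof, x):
    """P(X > x) for a central chi-squared variable (false-alert tail)."""
    return _gamma_pq(dof / 2.0, x / 2.0)[1]

def ncx2_cdf(dof, ncp, x):
    """P(X < x) for a noncentral chi-squared variable (Poisson mixture)."""
    if ncp <= 0.0:
        return _gamma_pq(dof / 2.0, x / 2.0)[0]
    half = ncp / 2.0
    j_max = int(half + 10.0 * math.sqrt(half) + 50.0)
    total = 0.0
    for j in range(j_max + 1):
        log_w = -half + j * math.log(half) - math.lgamma(j + 1.0)
        total += math.exp(log_w) * _gamma_pq(dof / 2.0 + j, x / 2.0)[0]
    return total

def detection_threshold(dof, c_req):
    """T^2 exceeded with probability c_req when no UO is present (NCP = 0)."""
    lo, hi = 0.0, float(dof)
    while chi2_sf(dof, hi) > c_req:
        hi *= 2.0
    for _ in range(60):
        mid = 0.5 * (lo + hi)
        if chi2_sf(dof, mid) > c_req:
            lo = mid
        else:
            hi = mid
    return hi

def minimum_detectable_ncp(dof, t2, i_mde):
    """Smallest NCP keeping the no-detection risk P(q^2 < T^2) below i_mde."""
    lo, hi = 0.0, 1.0
    while ncx2_cdf(dof, hi, t2) > i_mde:
        hi *= 2.0
    for _ in range(40):
        mid = 0.5 * (lo + hi)
        if ncx2_cdf(dof, mid, t2) > i_mde:
            lo = mid
        else:
            hi = mid
    return hi

def monitor(min_innov_sq, n_meas, c_req, i_mde):
    """Running-sum detector: one record per time step."""
    q2, dof, out = 0.0, 0, []
    for g2, n in zip(min_innov_sq, n_meas):
        q2 += g2          # running sum of minimum innovation norms squared
        dof += n          # degrees of freedom accumulate with measurements
        t2 = detection_threshold(dof, c_req)
        out.append({"q2": q2, "dof": dof, "T2": t2, "alert": q2 > t2,
                    "mde": minimum_detectable_ncp(dof, t2, i_mde)})
    return out

# Constructed inputs (assumptions, not values from the paper):
C_REQ, I_MDE = 1e-6, 1e-8
N_MEAS = [4, 4, 4]               # e.g., two landmarks x two feature parameters
NOMINAL_SQ = [3.1, 4.6, 2.9]     # UO-free minimum innovation norms squared
FAULTED_SQ = [3.1, 4.6, 65.0]    # a UO corrupts the third time step

if __name__ == "__main__":
    for name, data in (("nominal", NOMINAL_SQ), ("faulted", FAULTED_SQ)):
        for s in monitor(data, N_MEAS, C_REQ, I_MDE):
            print(name, s)
```

The `mde` value returned at each step is independent of the association candidate: it depends only on the accumulated degrees of freedom, the threshold and the allocation.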

Summary of the New Integrity Risk Bound, Accounting for Presence of UO
In the presence of UOs due to wrong landmark feature extraction, the probability of hazardous misleading information (HMI) at time $k$ can be bounded by the following expression: with where $\mu_{MDE,l}^2$ is derived from is the worst-case failure mode slope (FMS) over all UO hypotheses, determined using the method given in [35]; $P_{NC\chi^2}\{dof, \mu^2, T\}$ is the probability that a non-centrally chi-squared distributed random variable with "dof" degrees of freedom and noncentrality parameter $\mu^2$ is lower than some value $T$; $T_k^2$ is a detection threshold set in accordance with a continuity risk requirement $C_{REQ}$ in Equation (11); $I_{MDE,l}$ is an integrity risk budget allocation, i.e., a fraction of $I_{REQ,k}$, chosen to satisfy $I_{MDE,k} \ll I_{REQ,k}$.

Direct Simulation: Vehicle Roving through a GNSS-Denied Area
This analysis investigated the safety performance of a GPS/LiDAR navigation system onboard a vehicle roving through a forest-type environment. GPS signals were blocked by the tree canopy, and low-elevation satellite signals did not penetrate under the trees. Tree trunks served as landmarks for a two-dimensional LiDAR using a SLAM-type algorithm.
The measurement vector $\hat{z}_k$ in Equation (4) was augmented with GPS code and carrier measurements. The state vector $x_k$ was augmented to include an unknown GPS receiver clock bias and carrier phase cycle ambiguities. Time-correlated GPS signals and nonlinear LiDAR data were processed in a unified time-differencing EKF derived in [33,34]. The main simulation parameter values are listed in Table 1, and a differential GPS measurement error model was used, which is fully described in [41]. In this scenario, GPS and LiDARs essentially relayed each other with seamless transitions from open sky through GPS-denied areas where landmarks were modeled as poles with nonzero radii. As shown in Figures 2-4 and 6, we consistently employed the following yellow-green-blue color code: the mission started with the vehicle operating in a GPS available area (yellow-shaded). Satellite signals available during initialization enabled accurate estimation of cycle ambiguities, so that vehicle positioning uncertainty did not exceed a few centimeters. Then, as the vehicle moved and crossed the GPS- and LiDAR-available area (green-shaded) and the LiDAR-only area (blue-shaded), seamless variations in covariance were achieved. A detailed description of this simulation is given in [41]. In this scenario, the likelihood of IA is high.
First, as shown in Figure 2, we assumed that no UO was present but IAs occurred. One indicator of IA is displayed on the top of the upper left-hand-side (LHS) plot in Figure 2. It shows that the actual cross-track positioning error (thick black line) versus distance travelled exceeded the corresponding one-sigma covariance envelope (thin black line). This suggests that errors impacting positioning are not captured by the covariance. This is confirmed on the lower part of the upper LHS chart in Figure 2, where the black curve showing the $P(HI_k \mid CA_K)$ bound stayed below $10^{-7}$. This curve can directly be derived from the EKF covariance. It does not account for IA. In contrast, the red $P(HI_k)$-bound curve reached a first plateau of $I_{FE,k} = 10^{-9}$ as soon as two landmarks were visible by design of our risk evaluation method [28]. The $P(HI_k)$ curve then suddenly increased to $10^{-5}$ at approximately 29 m of travel distance.
To explain this sudden jump, the top right-hand-side (RHS) chart in Figure 2 shows that, at the travel distance of 29 m (i.e., at travel time = 29 s) corresponding to the large increase in predicted integrity risk, landmark "1" was hidden behind landmark "4". To the LiDAR, landmark "1" became visible again at the next time step, which made correct measurement association with either landmark "1" or "4" extremely challenging. The $P(HI_k)$ bound accounted for the risk caused by such events. This is consistent with other results presented in [1,26-28].
The bottom LHS chart in Figure 2 shows the simulated GPS satellite geometry on an azimuth elevation plot of the sky. At travel time 29 s, the tree canopy blocked all satellite signals. The bottom RHS chart displays the simulated LiDAR measurements showing again that landmark "1" was not visible from the LiDAR's viewpoint.
In Figure 3, the risk of having a UO occluding a landmark is taken into account. Our new integrity risk evaluation method was implemented. We could quantify the impact on $P(HMI_k)$ of undetected UOs assuming systematic CA by measuring the difference between the dashed black line $P(HI_k \mid CA_K)$ derived using [28] and the solid black line $P(HMI_k \mid CA_K)$. We noticed again that $P(HI_k \mid CA_K)$ (directly derived from the EKF covariance) was a poor safety metric because it stayed below $10^{-7}$, whereas $P(HMI_k \mid CA_K)$, accounting for UOs, exceeded $10^{-2}$. In parallel, the red curves account for the risk of incorrect association (IA). The difference between the dashed red line and the solid red line, which respectively reached $10^{-5}$ and above $10^{-2}$, shows the impact on $P(HMI_k)$ of undetected UOs.
To better understand the shape of the overall $P(HMI_k)$ bound, Figure 4 shows the contributions of each single-UO hypothesis (assuming no UO, assuming a UO masking landmark "1", assuming a UO masking landmark "2", etc.). In Figure 4, the color code used in the LHS graph is also employed in the RHS plot to represent the landmark involved in the corresponding fault hypothesis. Peaks in $P(HMI_k)$-bound contributions occurred when the landmark geometry and redundancy were too poor to ensure reliable detection of a given UO. The overall $P(HMI_k)$ bound was the maximum of all the contributions at each time step and is represented with a thick green line.

Preliminary Testing in an Incorrect-Association-Free Environment
Preliminary experimental testing was carried out using data collected in a structured environment shown in Figure 5. Static simple-shaped landmarks were located at locations sparse enough to ensure successful outcomes for FE and DA. Because the results presented here were free of incorrect associations, $P(HMI_k)$ was expected to match $P(HMI_k \mid CA_K)$. This test data was used to focus on the risk of UO misdetection.
Measurements from carrier phase differential GPS (CPDGPS) as well as LiDAR scanners were synchronized and recorded. In order to obtain a full 360-degree LiDAR scan, two 180-degree LiDAR scanners were assembled back-to-back. The LiDAR scanners had a specified 15-80-m range limit, a 0.5-degree angular resolution, a 5-Hz update rate, and a ranging accuracy of 1-5 cm (1 sigma) [42]. The GPS antenna was mounted on top of the front LiDAR. The lever-arm distance between the two LiDARs was accounted for. The two LiDARs and the GPS antenna were mounted on a rover also carrying the GPS receiver and data-link. An embedded computer onboard the vehicle recorded all measurements including the raw GPS data from the reference station transmitted via a wireless spread-spectrum data-link. Truth trajectory was obtained using a fixed CPDGPS solution.
The upper LHS chart in Figure 6 confirms that this is an incorrect-association-free scenario because the actual error (thick line) fits within the covariance envelope (thin line) throughout the test. In addition, the lower LHS graph in Figure 6 shows $P(HMI_k)$-bound contributions for each single-UO hypothesis. The six $P(HMI_k)$ bounds corresponding to UO hypotheses are shown using the same color code as in Figure 4, and the UO-free hypothesis is the dashed line. The color code is used on the RHS chart, which also shows the landmark geometry. In the LHS graph, $P(HMI_k)$ increases substantially when accounting for undetected UO (thick black curve), as compared to ignoring their potential presence (dashed red line). UO occluding landmarks "1" and "2" cause by far the largest increase in $P(HMI_k)$ bound. In this SLAM-type implementation where the map is built incrementally, landmarks observed early in the rover trajectory play a key role throughout the mission, which explains the method's sensitivity to potential extraction faults on landmarks "1" and "2". In future work, we will try to reduce the $P(HMI_k)$ bound using redundant information from other sensors, from additional landmarks, and from additional landmark features.
Sensors 2018, 18, x 13 of 17 Figure 5. Experimental setup of a forest-type scenario, where a GPS/LiDAR-equipped rover is driving by six landmarks (cardboard columns) in a GPS-denied area. GPS is artificially blocked by a simulated tree canopy and a precise differential GPS solution is used for truth trajectory determination.

Conclusions
This paper presents a new approach to improve the safety of LiDAR-based navigation by quantifying the risks of missed detection of unwanted objects (UO). UOs can occlude useful landmarks, thereby causing large navigation errors. We established a bound on the integrity risk caused by UOs. First, we presented an innovation-based detector, and we established an analytical expression for the impact of undetected UO on the positioning error assuming correct association. Then, we derived a bound on the risk of incorrect association (IA) in the presence of UO. Direct simulation and preliminary testing in a structured environment demonstrated the proposed method's ability to quantify safety risks in the presence of both UOs and IAs. It showed, for example, that the Kalman filter covariance is a poor metric of safety performance. The analysis of our preliminary experimental results suggests that additional redundant information from other sensors would be needed to safely detect UOs in the LiDAR's surroundings.