Localization Requirements for Autonomous Vehicles
Autonomous vehicles require precise knowledge of their position and orientation in all weather and traffic conditions for path planning, perception, control, and general safe operation. Here we derive these requirements for autonomous vehicles based …
Authors: Tyler G. R. Reid, Sarah E. Houts, Robert Cammarata
Tyler G. R. Reid, Sarah E. Houts, Robert Cammarata, Graham Mills, Siddharth Agarwal, Ankit Vora, and Gaurav Pandey

Abstract—Autonomous vehicles require precise knowledge of their position and orientation in all weather and traffic conditions for path planning, perception, control, and general safe operation. Here we derive these requirements for autonomous vehicles based on first principles. We begin with the safety integrity level, defining the allowable probability of failure per hour of operation based on desired improvements on road safety today. This draws comparisons with the localization integrity levels required in aviation and rail where similar numbers are derived at $10^{-8}$ probability of failure per hour of operation. We then define the geometry of the problem, where the aim is to maintain knowledge that the vehicle is within its lane and to determine what road level it is on. Longitudinal, lateral, and vertical localization error bounds (alert limits) and 95% accuracy requirements are derived based on US road geometry standards (lane width, curvature, and vertical clearance) and allowable vehicle dimensions. For passenger vehicles operating on freeway roads, the result is a required lateral error bound of 0.57 m (0.20 m, 95%), a longitudinal bound of 1.40 m (0.48 m, 95%), a vertical bound of 1.30 m (0.43 m, 95%), and an attitude bound in each direction of 1.50 deg (0.51 deg, 95%). On local streets, the road geometry makes requirements more stringent where lateral and longitudinal error bounds of 0.29 m (0.10 m, 95%) are needed with an orientation requirement of 0.50 deg (0.17 deg, 95%).

Index Terms—Autonomous vehicles, automated driving, localization, positioning, requirements, safety, integrity

I. INTRODUCTION

The challenge facing localization for autonomous systems in terms of required accuracy and reliability at scale is unprecedented.
As will be shown, autonomous vehicles require decimeter-level positioning for highway operation and near-centimeter level for operation on local and residential streets. These requirements stem from one goal: ensure that the vehicle knows it is within its lane. Horizontally, this is broken down by lateral (side-to-side) and longitudinal (forward-backward) components. Vertically, the vehicle must know what road level it is on when located among multi-level roads. At any given time, the vehicle will have an estimate of its maximum position error in each direction. These are known as protection levels and are depicted in Figure 1. The maximum allowable protection levels in each direction to ensure safe operation are known as the alert limits. These alert limits are design variables; in our case they need to be sufficiently small to ensure that the vehicle stays within its lane at all times. If the protection level is larger than the alert limit at any given time, there is less certainty the vehicle will remain within its lane. These bounds will be shown to be a function of vehicle dimensions (length and width) along with road geometry standards (lane width and curvature).

Fig. 1. Definition of localization protection levels for automotive applications.

T. G. R. Reid and G. Pandey are with Research and Advanced Engineering, Ford Motor Company, Palo Alto, CA 94304, e-mail: {treid21, gpandey2}@ford.com. S. E. Houts and G. Mills are with Ford Autonomous Vehicles LLC, Palo Alto, CA 94304, e-mail: {shouts, gmills47}@ford.com. Robert Cammarata, S. Agarwal, and A. Vora are with Ford Autonomous Vehicles LLC, Dearborn, MI 48124, e-mail: {rcammar1, sagarw20, avora3}@ford.com.

The challenge of decimeter location accuracy is put in perspective by Table I, which shows the progress in localization throughout the last century [1]. In the early 1900s, the state of the art was the set of tools used for navigation at sea.
This consisted of a sextant to measure latitude by the stars and a precise mechanical clock known as a marine chronometer to measure longitude. Combined, these sensors gave rise to approximately 3 km of position accuracy at sea [2]. The Second World War accelerated the use of radio in navigation to support emerging aviation operations. Air navigation was needed in all weather in real-time. Land-based radio beacons were developed which gave rise to approximately 500 meters of accuracy but this required proximity to this infrastructure's limited range [3]–[5]. In the 1960s, the first satellite navigation system, Transit, came online. Operated by the US Navy, Transit offered 25 meters of accuracy, supporting the localization requirements of Polaris ballistic missile submarines [6]–[8]. This system had only a handful of satellites in low Earth orbit, resulting in sometimes an hour or more to obtain a position fix. In the 1990s, the Global Positioning System (GPS) came online, now offering 1–5 meters of accuracy in open skies everywhere on Earth in real-time [12], [13].

TABLE I. EVOLUTION OF LOCALIZATION ACCURACY IN THE LAST CENTURY. BASED ON DATA FROM [1]–[9].

| System | Years Active | Horizontal Accuracy [m] | Latency | Fix Type | Coverage |
|---|---|---|---|---|---|
| Celestial / Chronometry | 1770 – 1920 | 3,200 | Hours | 2D | Global but not available when overcast |
| LORAN-C | 1957 – 2010 | 460 | None | 2D | North America, Europe, Pacific Rim |
| Transit | 1964 – 1996 | 25 | 30 – 100 min | 2D | Global |
| GPS | 1995 – Present | 3 | None | 3D | Global |

Fig. 2. Society of Automotive Engineers (SAE) levels of road vehicle autonomy (source: National Highway Traffic Safety Administration).

Fig. 3. Historical trend in widely available RMS position accuracy from a variety of technologies. Compiled by the authors based on data from [2]–[12].

Figure 3 shows this progression as a clear trend in the last century: an order of magnitude increase in localization accuracy every 30 years.
This predicts the 2020s to be the first decade of the decimeter. As will be shown here, we are well poised, as this trend is towards the needs of autonomous vehicle operation.

Figure 2 shows the Society of Automotive Engineers (SAE) levels of vehicle autonomy [14]. Level 0 represents no automation where the driver is responsible for all aspects of driving and exemplifies most vehicles up to approximately the 1970s. Level 1 represents some driver assistance features for either braking / throttle or steering but the driver is still expected to monitor and control the vehicle. This includes features like cruise control and Anti-lock Braking Systems (ABS). Level 2 is partial automation, where the human driver is responsible for monitoring the scene and the system is responsible for some dynamic driving tasks including lateral and longitudinal motion (steering, propulsion, and braking). The human driver must be ready to take over dynamic driving tasks immediately when the driver determines the system is incapable. Examples of level 2 systems are Tesla's Autopilot released in 2014 and General Motors' Super Cruise released in 2017 [15], [16]. Level 3 is conditional automation, meaning that in certain circumstances, the vehicle is within its Operational Design Domain (ODD). The system is responsible for monitoring the scene and dynamic driving tasks including lateral and longitudinal motion (steering, propulsion, and braking). The human driver must be ready to take over dynamic driving tasks within a defined time when the system determines it is incapable or the vehicle is outside of its ODD and notifies the driver. Level 4 is highly automated where the system can perform all dynamic driving tasks within its ODD. This mode of operation may be geofenced to areas with appropriate supporting infrastructure (e.g. maps and connectivity) and may further be restricted to certain weather conditions.
In 2018, this represents largely research vehicles such as Waymo's self-driving minivan which is gearing towards initial ride-sharing service [17]. Level 5 is full automation, where the vehicle is capable of performing all dynamic driving tasks in all areas and under all conditions.

Positioning accuracy requirements for connected vehicle (V2X) applications have been previously broken down by Basnayake et al. [18] into the categories of which-road (< 5 meters), which-lane (< 1.5 meters), and where-in-lane (< 1.0 meter) based on the desired function or operation. The National Highway Safety Administration (NHTSA) has, as part of its Federal Motor Vehicle Safety Standards in V2V Communications, determined that position must be reported to an accuracy of 1.5 meters (1σ or 68%) as this is tentatively believed to provide lane-level information for safety applications [19]. Vehicle positioning requirements were further developed by Stephenson [20] who explored the Required Navigation Performance (RNP) for Advanced Driver Assistance Systems (ADAS) and automated driving. Stephenson added the functional category of active vehicle control requiring an accuracy better than 0.1 meters. In this paper, we focus on full autonomous operation which requires the accuracy needed for active control. In this context, 'autonomous vehicle' will refer to level 3+ systems, though some of what is shown here can also be applied to level 2.

The process followed to develop these requirements is outlined in Figure 4. We begin with defining the statistics of the problem by establishing a target level of safety. Following methodologies developed in civil aviation, the target level of safety is used to allocate appropriate integrity risk to each element of the system including localization. Next, we define the geometry of the problem to establish positioning bounds.
This will be shown to be a function of road geometry standards such as lane widths and road curvature along with permissible vehicle dimensions. This analysis will focus on road and passenger vehicle standards in the United States, though the same principles can be applied to other regions and vehicle types.

In safety critical localization systems, the instantaneous estimate of the maximum possible error in position is known as the protection level. Figure 1 shows our definition of the lateral, longitudinal, and vertical protection levels around the vehicle. We define this as a box as this is a logical breakdown for road vehicles, though other forms based on ellipsoids have been proposed [21]. Some sensors and systems are better at providing lateral information such as cameras which can recognize lane lines and other types of sensors that can provide longitudinal information such as wheel odometry. The hard bounds on allowable lateral, longitudinal, and vertical protection levels are known as alert limits and are design choices which are dictated by geometry. We will choose these such that we always know we are within the lane. If our protection level is larger than our alert limit we cannot guarantee we are within the lane. Together, the desired integrity level and geometric bounds define the requirements of localization as a system.

Safety-critical localization systems specify their performance in terms of accuracy, integrity, and availability. Availability is a measure of how often our protection levels are larger than our alert limits. If we are always within the maximum permissible error (alert limits), we have 100% availability. If we do so only some of the time, we have only limited availability. As a system, when operating in autonomous mode, localization must always be available.
On the flip side, localization availability could be one of the metrics used to determine if the vehicle is within its Operational Design Domain to enable autonomous features. This could be a function of where high definition maps or other forms of supporting infrastructure are present.

Fig. 4. Our approach to developing localization requirements for autonomous vehicles. We derive system integrity risk allocation based on a target level of safety. This risk budget is then distributed throughout the autonomous vehicle system, following methodologies developed in civil aviation. We define the geometry of the problem to establish positioning bounds based on vehicle dimensions and road geometry. Combining these defines the desired distribution of our position errors and the localization requirements.

Integrity describes how often our true error is outside of our estimate of maximum possible error or protection level. Outside of this bound, hazardous information is being fed to the vehicle's decision making and control systems. This is the probability of system failure, usually specified as probability of failure per hour of operation. We will derive the requirement on integrity based on the desired level of road safety. This will specify a level which represents improvement in road safety today by drawing comparisons to safety levels achieved in commercial aviation. We will also tie this integrity number to existing design safety standards in automotive and other industries. Figures 5 and 6 summarize the relationship between protection level, alert limit, availability, misleading information, and hazardous misleading information. These will be developed in more detail throughout the text.

Fig. 5. Relationship between protection level, alert limit, availability, and different operations. (a) Case I: PL < AL along with examples of nominal, misleading, and hazardous misleading information. (b) Case II: AL < PL resulting in no availability.
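The bookkeeping behind protection levels, alert limits and availability can be made concrete with a short evaluation script. This is an added example, not code from the paper: it uses the freeway alert limits quoted in the abstract, a constructed sample log, and the usual Stanford-diagram convention for separating misleading from hazardous misleading information, which is an assumption about how the paper's Figures 5 and 6 draw the regions.

```python
"""Stanford-diagram bookkeeping for box-shaped protection levels (added example)."""
from collections import Counter
from enum import Enum

# Freeway alert limits for passenger vehicles, as quoted in the abstract [m].
FREEWAY_AL = {"lateral": 0.57, "longitudinal": 1.40, "vertical": 1.30}


class Region(Enum):
    # Region boundaries follow the usual Stanford-diagram convention (assumption).
    NOMINAL = "nominal"                             # |error| <= PL <= AL
    MISLEADING = "misleading information"           # PL < |error| <= AL
    HAZARDOUS = "hazardous misleading information"  # PL <= AL < |error|
    UNAVAILABLE = "unavailable"                     # PL > AL


def classify_axis(error, pl, al):
    """Place one axis of one epoch on the Stanford diagram.

    error: true error against a reference trajectory [m]; only known offline
    pl:    protection level the localizer reported for this axis [m]
    al:    alert limit for this axis [m]
    """
    if pl < 0 or al <= 0:
        raise ValueError("protection level must be >= 0 and alert limit > 0")
    if pl > al:
        return Region.UNAVAILABLE
    if abs(error) > al:
        return Region.HAZARDOUS
    if abs(error) > pl:
        return Region.MISLEADING
    return Region.NOMINAL


def classify_epoch(errors, pls, als=FREEWAY_AL):
    """Combine the per-axis regions into one verdict for the epoch.

    Any axis with PL > AL makes the whole epoch unavailable: the system has
    declared itself unusable, so an error on another axis is not acted upon.
    Otherwise the worst axis decides.
    """
    per_axis = {a: classify_axis(errors[a], pls[a], als[a]) for a in als}
    for region in (Region.UNAVAILABLE, Region.HAZARDOUS, Region.MISLEADING):
        if region in per_axis.values():
            return region, per_axis
    return Region.NOMINAL, per_axis


def summarize(epochs, als=FREEWAY_AL):
    """Return the availability fraction and the number of epochs per region."""
    if not epochs:
        raise ValueError("need at least one epoch")
    counts = Counter(classify_epoch(e, p, als)[0] for e, p in epochs)
    available = len(epochs) - counts[Region.UNAVAILABLE]
    return {
        "availability": available / len(epochs),
        "counts": {r: counts[r] for r in Region},
    }


def axes(lateral, longitudinal, vertical):
    """Small helper to build a per-axis record."""
    return {"lateral": lateral, "longitudinal": longitudinal, "vertical": vertical}


# Constructed sample log: (true error, reported protection level) per epoch [m].
SAMPLE_EPOCHS = [
    (axes(0.10, 0.30, 0.20), axes(0.30, 0.80, 0.70)),  # error inside PL on all axes
    (axes(0.40, 0.30, 0.20), axes(0.30, 0.80, 0.70)),  # lateral error exceeds PL only
    (axes(0.65, 0.30, 0.20), axes(0.30, 0.80, 0.70)),  # lateral error exceeds AL
    (axes(0.10, 0.30, 0.20), axes(0.70, 0.80, 0.70)),  # lateral PL exceeds AL
    (axes(0.65, 0.30, 0.20), axes(0.30, 1.50, 0.70)),  # longitudinal PL exceeds AL
]

if __name__ == "__main__":
    report = summarize(SAMPLE_EPOCHS)
    print(f"availability: {report['availability']:.0%}")
    for region, n in report["counts"].items():
        print(f"{region.value:>34}: {n}")
```

The true error is only known when a reference trajectory exists, so this is an offline evaluation; at run time only the comparison of protection level against alert limit is available to the vehicle.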
Accuracy is described by the typical performance of the system, usually measured at the 95th percentile. This is a manifestation of the desired statistical distribution of localization errors, where alert limits usually define the maximum allowable error for operation to the desired integrity level which define the tails of the statistical distribution. Hence, accuracy is a measure of nominal performance and integrity a measure of the limits. This relationship is shown in Figure 4.

Fig. 6. The Stanford Diagram. This shows the relationship between actual error, protection level, and alert limit.

At present, there is no one localization technology that can meet the requirements presented here for safe operation in all weather, road, and traffic scenarios. Today, Ford Motor Company's autonomous vehicle research platform makes use of a complex sensor fusion strategy for localization and perception as shown in Figure 7. This includes LiDAR, radar, cameras, a Global Navigation Satellite System (GNSS) receiver, and an Inertial Measurement Unit (IMU). Each of these is a system in itself, and hence localization is a system of systems. Since no one technology can achieve the requirements in all scenarios, this will require multi-modal sensing and their intelligent combination to achieve the integrity levels needed for safe operation. Though the sensor strategy shown in Figure 7 can meet many of the requirements that will be developed here in a research setting, the sensor costs are such that many challenges lie ahead on the path to production. Decimeter accuracy will require a trade-off between onboard sensors, compute resources / storage, and supporting infrastructure such as high definition maps and GNSS corrections. Such infrastructure may also limit where self-driving features are enabled due to availability of precise localization.

Fig. 7. Example of Ford's research autonomous vehicle platform sensors used in localization and perception.
Ultimately, precise vehicle location is only useful in context and hence a-priori maps are a major piece of the puzzle. We will limit the scope of this paper to localization requirements as mapping is a vast and complex area in its own right. We will touch on mapping requirements as they relate to localization.

II. INTEGRITY

In 2016, there were 34,439 fatal car crashes in the United States, resulting in 37,461 fatalities [22], [23]. On a per mile basis, this is 1.18 fatalities per 100 million miles traveled ($1.18 \times 10^{-8}$ fatalities / mile) [23]. The causes of vehicle crashes are estimated as follows: 94% (±2.2%) from human driver errors; 2% (±0.7%) from electrical and mechanical component failures; 2% (±1.3%) from environmental factors contributing to slick (low μ) roads such as water, ice, snow, etc.; and 2% (±1.4%) from unknown reasons [24]. In total, road fatalities account for 95% of all transportation related fatalities in the United States where 2% come from rail, 2% from water transport, and 1% from aviation [23]. Though the number of fatalities per road mile has decreased by five-fold since the 1960s, it has remained relatively constant over the last decade [23], [25]. Figure 8 compares fatalities on the road with commercial aviation on a per vehicle mile basis between 1960 – 2015 in the US. This shows that between 2010 – 2015, commercial aviation averaged $2.50 \times 10^{-10}$ fatalities per mile, making air travel nearly two orders of magnitude safer than road travel when using this metric.

Improvements in road safety are being proposed through automation, where sensors, silicon, and software are being combined into a virtual driver system which aims to perform many of the tasks of the human driver today. The first generation of commercially available virtual driver systems must be safer than the human drivers they aim to replace if they are to be socially accepted.
Vehicle component failures are currently responsible for only 2% of crashes [24]. If this same metric is upheld for virtual driver systems which aim to replace the human factors representing 94% of crash causation today, then we strive to achieve roughly two orders of magnitude improvement in road safety. This brings the necessary system requirements for autonomous road vehicles up to the levels mandated in civil aviation, an industry known for its safety achieved through strict training for air and ground crew, supporting infrastructure, and well-developed standards.

Fig. 8. Fatalities per vehicle mile 1960 – 2015 for road vehicles and commercial aviation in the US. Based on data from [23].

Fig. 9. Ratio of fatal accidents (crashes) to total reported accidents (crashes) between 1960 – 2015 for road vehicles and commercial aviation in the US. Based on data from [23] where data for road vehicles was only available from 1990 onward. In some recent years, commercial aviation saw no fatal accidents and hence the appearance of missing data.

Our starting point for this analysis will be the goal of a one hundred times improvement in road safety through the virtual driver system. This is the level of commercial aviation today at $2.50 \times 10^{-10}$ fatalities per mile and hence will be our target. To put this in units of fatal crashes per road vehicle mile, we must divide by the ratio of fatalities to fatal crashes which in 2016 was 37,461 / 34,439 = 1.09 [23]. Being conservative, this leads to a target level of safety of $TLS = 2 \times 10^{-10}$ fatal crashes per vehicle mile.

To translate this into system level requirements, we must examine both historical data and the autonomous vehicle architecture, an approach mirroring that taken in civil aviation [26]. Figure 10 shows the system breakdown of the autonomous vehicle including the virtual driver and other vehicle modules.
Furthermore, it shows one possible allocation of integrity risk across individual elements with an end target level of safety of $TLS = 2 \times 10^{-10}$ fatal crashes / vehicle mile.

To arrive at this distribution, we must work backwards from the $TLS$. We must first account for the fact that not every malfunction will directly lead to a hazard that will cause a fatal crash. Some failures may only lead to a lane departure or minor crash. In aviation, this fatal accident to incident ratio $P_{F:I}$ is taken as 1:10 [27], [28], and Figure 9 shows why. This plot shows the yearly ratio of fatal to total reported accidents for commercial aviation and road transport. Aviation is shown to be 1:14 and automotive 1:172. This is not unexpected, due to the higher speed of operation of aircraft and, consequently, the severity of crashes. Based on this historical data, we have conservatively chosen the automotive fatal crash to incident ratio as $P_{F:I} = 10^{-2}$ fatal crashes / failure, meaning one fatal crash for every one hundred incidents where an incident could be seen as a lane departure or minor crash.

Fig. 10. Virtual driver system integrity risk allocation. Unless otherwise indicated, values are given as failures per mile. This diagram makes certain assumptions about how faults cascade through the system. For example, failures in localization output are assumed to lead directly to failures in planning though planning can also have its own independent failures as well. The target level of safety is derived based on numbers achieved in practice in aviation between 2010 - 2015. The fatal crash to incident ratio is based on historical road data from [23] (see Figure 9).

Our chosen fatal crash to incident ratio is conservative, since this number represents the ratio of fatal crashes to all police reported crashes, not necessarily to all incidents. The crash data in commercial aviation is generally reliable due to the strict reporting requirements.
In automotive, this is less so, as not all minor crashes are reported. It is estimated that 60% of property-damage-only crashes and 24% of all injury crashes are not reported to the police [29]. Furthermore, the data supports that the 1 fatal crash for every 100 police reported crashes is consistent between functional road types, e.g. interstate and local urban roads, at least to within a factor of 2 – 3 [30], [31]. Hence, we believe we are within an order of magnitude with this estimate for the majority of driving scenarios.

The next step is to allocate the acceptable level of integrity risk to vehicle systems $P_{veh}$ and to the virtual driver system $P_{vds}$. These are related to the target level of safety $TLS$ and fatal crash to incident ratio $P_{F:I}$ as follows:

$$TLS = P_{F:I} \left( P_{veh} + P_{vds} \right) \tag{1}$$

To reach our $TLS = 2 \times 10^{-10}$ fatal crashes / vehicle mile, we will allocate equal integrity risk to both the virtual driver and vehicle systems. This works out to $P_{vds} = P_{veh} = 10^{-8}$ failures / mile and is reflected in Figure 10. For clarity, plugging these values into equation (1) gives the desired result:

$$TLS = P_{F:I} \left( P_{veh} + P_{vds} \right) = 10^{-2} \, \frac{\text{fatal crashes}}{\text{failure}} \left( 10^{-8} + 10^{-8} \right) \frac{\text{failure}}{\text{mile}} = 2 \times 10^{-10} \ \text{fatal crashes / mile} \tag{2}$$

Examination of historical data reveals that vehicle system failure rates $P_{veh}$ are very nearly $10^{-8}$ failures / mile today. This can be estimated through police reported crashes, NHTSA estimates of crash causation due to vehicle systems, and the number of vehicle miles driven. On average, between 2010 – 2015 there were 5,800,000 police reported crashes per year on US roads [23]. These crashes are the rounded sum of fatal crashes, an actual count from the Fatality Analysis Reporting System, injury crashes, and property damage only crashes, which are estimates from the National Automotive Sampling System-General Estimates System [23].
Currently, NHTSA estimates 2% (±0.7%) of these crashes to be caused by vehicle systems [24]. Using this, along with the fact that 3,005,829,000,000 miles were driven on average in the US between 2010 – 2015, we can obtain an estimate of historical failure rate $\hat{P}_{veh}$:

$$\hat{P}_{veh} = \frac{5{,}800{,}000 \ \text{crashes}}{3{,}005{,}829{,}000{,}000 \ \text{miles}} \times 2\% = 3.8 \times 10^{-8} \ \text{failures / mile} \tag{3}$$

Though there are sources of uncertainty in each of the values used above, this shows that vehicle systems are at the proposed order of magnitude, indicating that $10^{-8}$ failures / mile can likely be attained if it is not already.

Achieving the desired integrity risk for the virtual driver system $P_{vds}$ will require a closer look at its subsystems. In our case, we are focused on localization. Localization will need to have a lower probability of failure since it feeds other elements of the virtual driver system. This includes hardware and software failures within perception, localization, planning, and control. Figure 10 shows the internal elements of the virtual driver system and the importance of localization within the system. The output of localization is an input to planning, and the output of planning is the input to control, therefore failures in localization propagate downstream. One possible allocation of integrity risk to all virtual driver subsystems is shown in Figure 10 where localization is targeted at $P_{loc} = 10^{-9}$ failures / mile. This diagram assumes that failures at any given point downstream are a combination of upstream input failures along with failures of the given subsystem. $P_{loc}$ is typically referred to as the probability of the localization system outputting hazardous misleading information (as described in Section I). To get this in terms of failures per hour of operation (a more common unit), we first need to determine the vehicle speed range. Maximum speed limits in the US are found in Texas at 85 mph (137 km/h). On the lower side, we will consider the minimum speed at which airbags will deploy, which corresponds to 10 mph (16 km/h) [32]. These speeds give the following range:

$$P_{loc} = 10^{-9} \, \frac{\text{failures}}{\text{mile}} \times (10\text{–}85) \, \frac{\text{mile}}{\text{hour}} \approx 10^{-8} \, \frac{\text{failures}}{\text{hour}} \tag{4}$$

In this analysis of the localization system, we will examine an allowable integrity risk of $10^{-8}$ failures / hour of operation. This is the requirement on the localization system as a whole, which itself may be comprised of several subsystems, sensors, and independent localization algorithms based on GNSS, IMU, cameras, LiDAR, maps, and other elements. This is the number that must be achieved in all weather and traffic scenarios where the vehicle intends operation. The gold standard from ISO 26262 for automotive functional safety is 10 Failures In Time (FIT) which corresponds to 10 failures in one billion hours of operation or $10^{-8}$ failures / hour of operation. This aligns with our intended target. This is Automotive Safety Integrity Level (ASIL) D, the highest standard for current automobiles. Though the error distribution of the localization system may not be Gaussian, when thinking of this in Gaussian terms, $(1 - 10^{-8})$ is 99.999999% or approximately 5.73σ.

TABLE II. LOCALIZATION REQUIREMENTS FOR MARITIME, AVIATION, AND RAIL.

| Transport Mode | Operation | Accuracy (95%) [m] | Alert Limit [m] | Probability of Failure |
|---|---|---|---|---|
| Maritime [33] | Open Ocean, Coastal | 10 ** | 25 ** | $10^{-5}$ / 3 h |
| Maritime [33] | Port, Hydrography, Drilling | 1 ** | 2.5 ** | $10^{-5}$ / 3 h |
| Aviation [28], [34] | LPV 200 Airport Approach | 4 * | 35 * | $10^{-7}$ / 150 s |
| Aviation [28], [34] | CAT II / III Instrument Landing | 2.9 * | 5 * | $10^{-9}$ / 150 s |
| Rail [35] | Train control | - | 20 ** | $10^{-9}$ / h |
| Rail [35] | Parallel track discrimination | - | 2.5 ** | $10^{-9}$ / h |

*Vertical **Horizontal
TABLE III. TYPICAL CHARACTERIZATION OF SAFETY RISK. BASED ON DATA FROM [38]–[42].

| Category | Safety Integrity Level (SIL) | Consequence of Failure |
|---|---|---|
| Catastrophic | 4 | Loss of multiple lives |
| Critical | 3 | Loss of a single life |
| Marginal | 2 | Major injuries to one or more persons |
| Negligible | 1 | Material damage, at most minor injuries |
| No Consequence | 0 | No damages, except user dissatisfaction |

TABLE IV. APPROXIMATE CROSS-DOMAIN MAPPING OF SAFETY LEVELS. BASED ON DATA FROM [38]–[43].

| Probability of Failure per Hour | General Programmable Electronics IEC-61508 | Automotive ISO 26262 | Aviation DO-178/254 | Railway CENELEC 50126/128/129 |
|---|---|---|---|---|
| - | (SIL-0) | QM | DAL-E | (SIL-0) |
| $10^{-6}$ – $10^{-5}$ | SIL-1 | ASIL-A | DAL-D | SIL-1 |
| $10^{-7}$ – $10^{-6}$ | SIL-2 | ASIL-B/C | DAL-C | SIL-2 |
| $10^{-8}$ – $10^{-7}$ | SIL-3 | ASIL-D | DAL-B | SIL-3 |
| $10^{-9}$ – $10^{-8}$ | SIL-4 | - | DAL-A | SIL-4 |

The localization requirements in maritime [33], aviation [27], [28], [34], and rail [35], [36] for specific operations are given in Table II for comparison. Here, we specify the 95% localization accuracy, the alert limit which is the hard bound on position error to ensure safe operation, and the acceptable probability of system failure or integrity risk. In aviation, the operations given correspond to airport precision approach and landing. The timescale associated with probability of failure of 150 seconds corresponds to the typical time this operation takes. Localizer Performance with Vertical guidance (LPV 200) gets the aircraft down to a decision height of 200 feet (61 m) above the runway where the pilot can decide to either land the aircraft or fly around and make another approach. CAT II / III is full instrument landing and hence the two orders of magnitude difference in acceptable failure rate since the system is fully automated. Maritime operations happen at lower speeds, which is why integrity is specified over 3 hours.
However, it can be shown that $10^{-5}$ failures per 3 hours is roughly equivalent to aircraft precision approach requirements at $10^{-7}$ failures per 150 seconds [37]. Rail has separate along-track and cross-track requirements. Along-track requirements describe where trains are along a given track, known as train control. Cross-track requirements are needed to distinguish which track the train is on, known as parallel track discrimination. Track discrimination requirements are most strict since the inter-track spacing is tighter than the spacing kept between trains on the same line. Both rail operations require a failure rate of $10^{-9}$ failures / hour of operation.

For the virtual driver localization system, we are aiming for $10^{-8}$ failures / hour or better since the virtual driver system itself will be designed to ASIL-D standards. Though this target integrity level has precedent in other transportation industries, the required alert limits do not. We will show in the coming sections that the alert limits needed for road vehicles are on the order of decimeters, an order of magnitude smaller than anything in Table II.

To put probability of failure per hour of operation in context, we will compare it to safety standards across different industries. Table III shows the typical breakdown of Safety Integrity Level (SIL) by hazard category. The strictest level (SIL-4) occurs where the consequence of failure is the loss of multiple human lives. The most lenient level, SIL-0, represents cases where the consequence of failure is only some dissatisfaction or discomfort. Table IV shows an approximate cross-domain mapping of aviation, rail, general programmable electronics, and automotive safety integrity levels. In rail, aviation, and programmable electronics, the strictest levels are those corresponding to failures which could cause the loss of multiple human lives and correspond to an integrity level of $10^{-9}$ failures / hour.
In rail and electronics this is SIL-4. In aviation, this is Design Assurance Level (DAL) A. The automotive industry's strictest requirement, Automotive Safety Integrity Level (ASIL) D is closer to SIL-3 and DAL-B in practice or $10^{-8}$ – $10^{-7}$ failures / hour [43]. We're targeting $10^{-8}$ failures / hour for the localization system, putting us in the range of ASIL-D. The virtual driver system will also be designed to ASIL-D standards, and hence it follows that subsystems like localization need to comply with this standard.

III. HORIZONTAL REQUIREMENTS

The horizontal localization requirements for autonomous vehicles are a function of their physical dimensions and the road geometry. The goal is to keep the vehicle in its respective lane during typical operation. This leads to lateral and longitudinal localization requirements as shown in Figure 11a. To scale, this shows the lateral clearance that can be expected with a mid-size sedan (e.g. a Ford Fusion) on a straight stretch of US freeway. This makes it appear as though lateral and longitudinal requirements are decoupled, but this is not entirely the case. Figure 11b shows the coupling between these directions in turns, hence road curvature causes coupling between requirements in lateral and longitudinal directions. The analysis presented here will be focused on standards within the United States where assumptions will be made about typical vehicle width $w_v$, vehicle length $l_v$, road width $w$, and road radius of curvature $r$. A similar analysis could be undertaken with road and vehicle standards of other regions.

TABLE V. VEHICLE DIMENSIONS STANDARDS IN THE US [44], [45].

| Vehicle Type | Width [m] | Length [m] | Height [m] |
|---|---|---|---|
| Passenger (P) | 2.1 | 5.8 | 1.3 |
| Single Unit Truck (SU) | 2.4 | 9.2 | 3.4 - 4.1 |
| City Bus | 2.6 | 12.2 | 3.2 |
| Semitrailer | 2.4 - 2.6 | 13.9 - 22.4 | 4.1 |

We will begin with vehicle dimensions.
Standards for road vehicle dimensions in the US are summarized in Table V and reflect maximum dimensions for different vehicle classes. A more detailed breakdown for some example passenger (P) vehicles is given in Table VI. This ranges from the subcompact to large 6-wheel ‘dualie’ pickup trucks, though the latter technically falls into the single unit truck (SU) category. As will be discussed, not all vehicles are meant for all roads, and hence some care must be taken when developing the localization requirements for vehicles. For example, semi-trucks are not meant to be driven on residential streets and hence requirements should not be set to roadways that are impossible for such a vehicle to navigate. Here, we will focus on passenger vehicles.

Fig. 11. Bounding box required for localization broken down by lateral and longitudinal components. (a) Straight road. (b) Curved road.

TABLE VI
TYPICAL VEHICLE DIMENSIONS.

| Vehicle Type | Example* | Width [m] | Length [m] | Height [m] |
|---|---|---|---|---|
| Subcompact | Fiesta | 1.72 | 4.06 | 1.48 |
| Compact | Focus | 1.82 | 4.54 | 1.47 |
| Mid-Size | Fusion | 1.85 | 4.87 | 1.48 |
| Full-Size | Taurus | 1.94 | 5.15 | 1.54 |
| Crossover | Escape | 1.84 | 4.52 | 1.68 |
| Small SUV | Edge | 1.93 | 4.78 | 1.74 |
| Standard SUV | Explorer | 2.00 | 5.04 | 1.78 |
| Van | Transit | 2.07-2.13** | 5.59-6.70** | 2.09-2.76** |
| Pickup Truck | F-series | 2.03-2.43** | 5.32-6.76** | 2.06 |

*Based on 2018 Ford model year.
**The wider F-series trucks & Transits are dual wheeled or ‘dualies.’

Next is road geometry. Road curvature is a function of design speed and is based on limiting values of side friction factor $f$ and superelevation $e$ [44]. Superelevation is the rotation of the pavement on the approach to and throughout a horizontal curve and is intended to help the driver by countering the lateral acceleration produced by tracking the curve. The other important factor is road width, which typically ranges from 3.6 meters on standard freeways to 2.7 meters on limited residential streets [44].
Road width and curvature are the elements that define the localization requirements to ensure the vehicle knows it is within its lane to the certainty level defined in Section II. The limiting cases for each road type have been assembled in Table VII for passenger type (P) vehicles.

TABLE VII
SOME LIMITING ROAD DESIGN ELEMENTS, BASED ON DESIGNS FOR PASSENGER (P) VEHICLES. BASED ON DATA FROM [44], [46], [47].

| Road Type | Design Speed [km/h] | Lane Width [m] | Minimum Radius [m] |
|---|---|---|---|
| Freeway | 80 - 130 | 3.6 | 195** |
| Interchanges | 30 - 110 | 3.6 - 5.4 | 150 - 15 |
| Arterial | 50 - 100 | 3.3 - 3.6 | 70** |
| Collector | 50 | 3.0 - 3.6 | 70** |
| Local | 20 - 50 | 2.7* - 3.6 | 10** |
| Hairpin Turn / Cul-de-Sac | < 20 | 6.0 | 7 |
| Single Lane Roundabout | < 20 | 4.3 | 11 |

*The lower bound of 2.7 m is the exception, not the rule, and is typically reserved for residential streets with low traffic volumes.
**Based on design speeds and limiting values of rate of roadway superelevation $e$ and coefficient of friction $f$.

Fig. 12. Bounding box geometry in a turn. This shows the allowable maximum position error of the vehicle to ensure it is within the lane, known as the alert limits.

Fig. 13. Lateral and longitudinal alert limit trade off for freeway and interchange geometry and passenger vehicle dimension limits. This is limited by lane widths of 3.6 meters with a minimum curvature of 150 meters.

The relationship between the road width and curvature and the interior bounding box around the vehicle is shown in Figure 12. The relationship between the lateral and longitudinal bounds is found by Pythagoras:

$$\left(\frac{y}{2}\right)^2 + \left(r - \frac{w}{2} + x\right)^2 = \left(r + \frac{w}{2}\right)^2 \qquad (5)$$

Solving for $x$ results in:

$$x = \sqrt{\left(r + \frac{w}{2}\right)^2 - \left(\frac{y}{2}\right)^2} + \frac{w}{2} - r \qquad (6)$$

This allows us to determine the dimensions of the bounding box given the road geometry. In turn, given the vehicle dimensions, corresponding maximum permissible lateral and longitudinal errors (alert limits) can be derived.
Lateral and longitudinal alert limits are a trade-off and there is a certain budget between them which is dependent on the road type. The lateral localization requirements are coupled to longitudinal through the allowed curvature and width of the road. For example, on the highway at high speed, the allowable road curvature is minimal and roads are fairly straight. This allows for the bounding box length to be large longitudinally before lateral requirements are overly constrained. Ultimately, choosing length $y$ fixes width $x$ or vice versa, and the resulting lateral and longitudinal alert limits are related to the vehicle length $l_v$ and width $w_v$ as follows:

$$\text{Lateral Alert Limit} = (x - w_v)/2, \qquad \text{Longitudinal Alert Limit} = (y - l_v)/2 \qquad (7)$$

Using equations (6) and (7), the trade-off between lateral and longitudinal alert limits for freeways assuming passenger vehicle design limits is shown in Figure 13. This shows that as the longitudinal requirements are relaxed to several meters, the lateral requirements become more stringent. However, ultimately on/off ramps must be found within a reasonable tolerance on the freeway, so there is a more stringent longitudinal requirement based on vehicle operation. This is also constrained by situations where vehicles may be operating collaboratively and sharing their location via communications channels (V2X) [21]. In this design study, we limit the longitudinal alert limit to be less than half the length of a subcompact vehicle or 1.5 meters, well within the limits of reasonable highway following distances (even with the combined errors of two vehicles operating collaboratively) and the vehicle’s ability to appropriately find on/off-ramps. With this longitudinal design number, we use Figure 13 to determine the required lateral alert limit to be 0.72 meters. The lateral alert limit for other vehicle types is summarized in Table VIII.
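Equations (6) and (7) can be evaluated directly to reproduce the 0.72 meter freeway figure and the Table VIII entries. The Python sketch below is an added example, not code from the paper; the function names are hypothetical, and the two local-road geometries it uses by default (3.0 m lanes at 20 m radius, 3.3 m lanes at 10 m radius) are the ones the paper's local-road tables assume.

```python
import math


def box_width(y, w, r):
    """Eq. (6): width x of the widest box of length y that fits in a lane of
    width w whose centerline has radius r (all values in meters)."""
    outer = r + w / 2.0
    if y / 2.0 >= outer:
        return -math.inf  # box is longer than the outer-edge chord: no fit
    return math.sqrt(outer ** 2 - (y / 2.0) ** 2) + w / 2.0 - r


def lateral_alert_limit(lon_al, w, r, w_v, l_v):
    """Eq. (7): fix the longitudinal alert limit, obtain the lateral one."""
    y = l_v + 2.0 * lon_al            # box length implied by the chosen limit
    return (box_width(y, w, r) - w_v) / 2.0


def balanced_alert_limit(w, r, w_v, l_v, tol=1e-6):
    """Alert limit at which lateral == longitudinal, found by bisection.
    Returns None when the vehicle does not fit in the lane at all."""
    if lateral_alert_limit(0.0, w, r, w_v, l_v) <= 0.0:
        return None
    lo, hi = 0.0, (w - w_v) / 2.0     # straight-road clearance bounds it above
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        # The lateral limit shrinks as the longitudinal limit grows, so the
        # crossing point lies above mid while lateral(mid) still exceeds mid.
        if lateral_alert_limit(mid, w, r, w_v, l_v) > mid:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def local_road_limit(w_v, l_v, geometries=((3.0, 20.0), (3.3, 10.0))):
    """Tightest balanced limit over the assumed (lane width, radius) pairs."""
    limits = [balanced_alert_limit(w, r, w_v, l_v) for w, r in geometries]
    return None if None in limits else min(limits)


if __name__ == "__main__":
    # (width, length) in meters, taken from Tables V and VI of the paper.
    vehicles = {
        "Mid-Size (Fusion)": (1.85, 4.87),
        "Full-Size (Taurus)": (1.94, 5.15),
        "Passenger vehicle limits": (2.1, 5.8),
        "Semitrailer (max)": (2.6, 22.4),
    }
    for name, (w_v, l_v) in vehicles.items():
        freeway = lateral_alert_limit(1.5, 3.6, 150.0, w_v, l_v)
        local = local_road_limit(w_v, l_v)
        local_txt = "does not fit" if local is None else f"{local:.2f} m"
        print(f"{name:26s} freeway lat. AL {freeway:5.2f} m | local AL {local_txt}")
```

The semitrailer row returns no local-road limit, which is the numerical form of the paper's remark that requirements should not be set for roadways such a vehicle cannot navigate.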
On the highway, lateral dominates the requirements since the coupling with curvature is negligible and is approximately 1 centimeter over the length of the largest pickup trucks. Hence, on the highway, the longitudinal alert limit is to some extent a design parameter.

Fig. 14. Lateral and longitudinal alert limit trade off for local road geometry and passenger vehicle dimension limits. Narrow streets are assumed to be 3.0 meters wide with a minimum curvature of 20 meters or 3.3 meters wide with minimum curvature of 10 meters. Single lane roundabouts and hairpin / cul-de-sac geometry is included for comparison.

On local streets, with sharp turns, the curvature coupling results in tighter requirements in both directions. Figure 14 shows the trade-off between lateral and longitudinal alert limits for local road geometry for passenger vehicle limits. In this plot, we restrict the analysis to roads 3.3 meters wide with a curvature of 10 meters and 3.0 meters wide with a curvature of 20 meters. Also shown are the results for single lane roundabouts and hairpin turns. Though Table VII shows that some roads can be as narrow as 2.7 meters, this is the exception not the rule and we felt it too restricting to limit requirements based on this number. In addition, roads with tight curvature usually have wider lanes to accommodate as shown by the design recommendations for single lane roundabouts and hairpin turns / cul-de-sacs. Hence, these requirements are still conservative when neglecting 2.7 meters wide lanes [47]. For local streets, Figure 14 shows the trade-off between lateral and longitudinal alert limits. Thinking of limiting cases where vehicles are negotiating 90 degree turns, it seems logical that both directions become equally important to properly complete the maneuver, so the alert limits should be balanced equally in both directions.
Figure 14 shows the equality point to be 0.33 meters for both the lateral and longitudinal alert limits for the largest passenger vehicles. Other vehicle types are summarized in Table VIII. For scale, when operating in urban environments, 0.33 meters is also the minimum width of stop lines which are mandated to be between 0.3 and 0.6 meters (12 - 24 inches) [48].

IV. VERTICAL REQUIREMENTS

The recommended minimum vertical clearance for roads in the US is 4.4 meters (14.5 feet) [25]. This standard drives the permissible vertical height, including load, to be between 4.1 meters (13.5 feet) and 4.3 meters (14.5 feet), though this varies somewhat by state [44], [45]. Hence to reliably determine which road level we are on of an interchange for example, we must know our position to a fraction of this clearance height. Bounding our vertical position to ± half of this clearance is insufficient since this leaves a potential ambiguity on multi-decked roads or interchanges. An example of such an interchange is the ‘Mini Stack’ in Phoenix, Arizona shown in Figure 15. This multi-level interchange is at the intersection of Interstate 10, State Route 51, and Loop 202. For certainty, one-third of the minimum vertical clearance should be sufficient to resolve the ambiguity of which road level the vehicle is on. Hence the required Vertical Alert Limit (VAL) is:

$$\text{VAL} = \frac{\text{min. vertical clearance}}{3} = \frac{4.4\ \text{m}}{3} = 1.47\ \text{m} \qquad (8)$$

Fig. 15. Example of a multi-level interchange in Phoenix, AZ. The ‘Mini Stack’ is at the intersection of Interstate 10, State Route 51, and Loop 202.

Here, the vertical alert limit is vehicle independent (i.e. not dependent on vehicle dimensions) since it is used only to determine the road level. This differs from horizontal requirements developed in Section III which strive to maintain a vehicle of certain dimensions within the bounds of the lane.
This is reflected in Table VIII which summarizes the lateral, longitudinal, and vertical alert limits for several vehicle types and different road operations including freeways / interchanges and local roads.

It should be noted that this vertical positioning analysis has some limitations. As this analysis is seen as the far reaching goal for highly automated systems, the assumption here is that the vehicle will have a form of map to help in resolving position. In the interim, other applications such as V2X will likely not have maps. In the V2X scenario, the limiting factor for the vertical requirement is the trajectory estimation to determine whether or not a principal other vehicle is on a collision path with the subject vehicle. That is, elevation error will make a grade-separate interaction appear to be an at-grade crossing with collision potential. This is a more complex analysis to perform which is outside the scope of this paper.

TABLE VIII
HORIZONTAL (LATERAL / LONGITUDINAL) AND VERTICAL LOCALIZATION ALERT LIMIT REQUIREMENTS FOR US FREEWAYS AND LOCAL ROADS.

| Vehicle Type | Local Roads Lat. [m] | Local Roads Long. [m] | Local Roads Vert. [m] | Freeways & Interchanges Lat. [m] | Freeways & Interchanges Long. [m] | Freeways & Interchanges Vert. [m] |
|---|---|---|---|---|---|---|
| Mid-Size | 0.48 | 0.48 | 1.47 | 0.85 | 1.50 | 1.47 |
| Full-Size | 0.42 | 0.42 | 1.47 | 0.80 | 1.50 | 1.47 |
| Standard Pickup | 0.38 | 0.38 | 1.47 | 0.76 | 1.50 | 1.47 |
| Passenger Vehicle Limits | 0.33 | 0.33 | 1.47 | 0.72 | 1.50 | 1.47 |
| 6-Wheel Pickup | - | - | - | 0.56 | 1.50 | 1.47 |

V. ORIENTATION REQUIREMENTS

The horizontal and vertical alert limits discussed so far are the acceptable limit for all combined sources of error. As will be discussed in this section, this will include errors in both positioning and attitude (orientation). The vehicle attitude is described in terms of its roll $\theta$, pitch $\phi$, and heading $\psi$ angles.
Errors in these parameters will rotate the position protection level box around the vehicle and result in a larger effective protection level. This effect is shown in Figure 16. This shows how errors in heading and position map to a larger combined protection level area and hence why knowledge of attitude error is important.

Fig. 16. Combined effect of lateral / longitudinal position and heading errors on overall protection level. Heading errors rotate position errors and lead to a larger effective area of uncertainty.

This effect leads to requirements on acceptable errors in roll, pitch, and heading as well as position. We will begin with mapping errors in position and orientation into a combined protection level. Assuming a box around the vehicle of width $x$, length $y$, and height $z$ (following the notation of Figure 12), maximum errors in roll $\pm\delta\theta$, pitch $\pm\delta\phi$, and heading $\pm\delta\psi$ angles are mapped through the following Euler sequence:

$$\mathbf{x}' = R_3(\pm\delta\psi)\, R_2(\pm\delta\theta)\, R_1(\pm\delta\phi)\, \mathbf{x} \qquad (9)$$

where $\mathbf{x}$ is the dimensions of the box $[x, y, z]^T$ reflecting position protection level, $\mathbf{x}'$ is the dimensions of the inflated box $[x', y', z']^T$ representing the protection level from both positioning and orientation, and $R_i$ are the following rotation matrices:

$$R_1(\pm\delta\phi) = \begin{bmatrix} 1 & 0 & 0 \\ 0 & \cos(\pm\delta\phi) & -\sin(\pm\delta\phi) \\ 0 & \sin(\pm\delta\phi) & \cos(\pm\delta\phi) \end{bmatrix} \qquad (10)$$

$$R_2(\pm\delta\theta) = \begin{bmatrix} \cos(\pm\delta\theta) & 0 & \sin(\pm\delta\theta) \\ 0 & 1 & 0 \\ -\sin(\pm\delta\theta) & 0 & \cos(\pm\delta\theta) \end{bmatrix} \qquad (11)$$

$$R_3(\pm\delta\psi) = \begin{bmatrix} \cos(\pm\delta\psi) & -\sin(\pm\delta\psi) & 0 \\ \sin(\pm\delta\psi) & \cos(\pm\delta\psi) & 0 \\ 0 & 0 & 1 \end{bmatrix} \qquad (12)$$

The position protection level $\mathbf{x}$ is related to errors in lateral $\delta_{lat}$, longitudinal $\delta_{lon}$, and vertical $\delta_{vert}$ positioning as follows:

$$\mathbf{x} = \begin{bmatrix} x \\ y \\ z \end{bmatrix} = \begin{bmatrix} w_v + 2\delta_{lat} \\ l_v + 2\delta_{lon} \\ 2\delta_{vert} \end{bmatrix} \qquad (13)$$

We are after the worst-case error bounds, which are obtained by letting all the terms constructively add by setting $\cos(\pm\delta\cdot) \rightarrow \cos(\delta\cdot)$ and $\pm\sin(\pm\delta\cdot) \rightarrow \sin(\delta\cdot)$.
By necessity, errors in orientation will also have to be small, meaning $\delta\theta$, $\delta\phi$, and $\delta\psi$ will be $\ll 1$ radian (57 degrees). This allows us to make a small angle approximation to simplify these equations, where $\cos(\delta\cdot) \rightarrow 1$ and $\sin(\delta\cdot) \rightarrow \delta\cdot$. Multiplying out and neglecting higher order terms results in the following:

$$\mathbf{x}' = \begin{bmatrix} 1 & \delta\psi & \delta\theta \\ \delta\psi & 1 & \delta\phi \\ \delta\theta & \delta\phi & 1 \end{bmatrix} \mathbf{x} \qquad (14)$$

Combining equations (13) and (14) along with our definition of protection levels given by Figure 1 (where now Lat. PL $= (x' - w_v)/2$, Lon. PL $= (y' - l_v)/2$, and VPL $= z'/2$) gives the combined protection level as a function of position and orientation errors:

$$\begin{aligned} \text{Lat. PL} &= \delta_{lat} + (\delta_{lon} + l_v/2)\,\delta\psi + \delta_{vert}\,\delta\theta \\ \text{Lon. PL} &= \delta_{lon} + (\delta_{lat} + w_v/2)\,\delta\psi + \delta_{vert}\,\delta\phi \\ \text{VPL} &= \delta_{vert} + (\delta_{lat} + w_v/2)\,\delta\theta + (\delta_{lon} + l_v/2)\,\delta\phi \end{aligned} \qquad (15)$$

To give a sense of how the above equations scale, Figure 17 shows the lateral, longitudinal, and vertical protection level inflation as a function of attitude error for the freeway alert limits given in Table VIII. This assumes the same angular error in each direction and shows how quickly these inflate our protection levels. The allocation of position and orientation error budgets is ultimately a design choice which will be examined in more detail in Section VII.

Fig. 17. Example of protection level inflation as a function of attitude error (on all axes). This assumes passenger vehicle design limits and the highway/interchange alert limits given in Table VIII.

VI. UPDATE FREQUENCY

The time required between successive localization updates (latency) is a function of the vehicle speed and road geometry. The longer the update interval, the larger the distance between localization updates. For example, at 100 km/h (62 mph), 10 Hz gives localization updates 2.7 meters apart, the lane width of some local streets. At 130 km/h (80 mph), 10 Hz yields 3.6 meters between successive updates, the width of a freeway lane.
The relationship between vehicle speed, sampling rate, and the distance between samples is given in Figure 18. A lag in position update leads directly to further uncertainty in localization, predominantly in the longitudinal direction. Hence this lag must be managed such that it does not become a dominant factor.

Fig. 18. The relationship between sample rate, speed, and distance between samples.

Section III showed that highway operation requires a longitudinal protection level of 1.5 meters. At highway speeds of up to 130 km/h (80 mph), 100 Hz gives rise to 0.36 meter spacing between successive position updates and 200 Hz gives 0.17 meters. This drives our requirement since we want the contribution of this uncertainty to be only a small component of our protection level. An update of 200 Hz corresponds to a successive point spacing one tenth of our chosen alert limit and seems most appropriate. An update of 200 Hz may seem fast for localization technologies, where LiDAR and GNSS typically output position updates at 10 – 20 Hz, but when combined with an inertial measurement unit (IMU), rates of 200 Hz can be achieved. This requirement is ultimately that on the system as a whole, not each piece individually.

The update rate can be throttled based on speed, slowing during low speed driving to save compute and power, and to increase range. For example, at 100 km/h (62 mph) on the freeway, one-tenth the longitudinal alert limit can be achieved at 150 Hz. However, as was shown in Section III, operation on local streets requires tighter requirements. Even on local streets where sharp turns are taken at 15 km/h (10 mph), we require our alert limit to be 0.33 meters; one tenth of this number at this speed corresponds to 125 Hz. Hence, 100 Hz or greater appears to be the appropriate update rate for both highway and local street operation.

VII. LOCALIZATION REQUIREMENTS DESIGN

In this section we will summarize the design process for allocating localization requirements. This balances allowable errors in position and attitude. The results are summarized in Tables IX and X. Our design equations are based on (15), where we require protection levels ≤ alert limits. This guarantees knowledge that we are within the desired lane and on the appropriate road level to the degree of safety needed for operation. These design equations are as follows:

$$\begin{aligned} \delta_{lat} + (\delta_{lon} + l_v/2)\,\delta\psi + \delta_{vert}\,\delta\theta &\leq \text{Lat. AL} \\ \delta_{lon} + (\delta_{lat} + w_v/2)\,\delta\psi + \delta_{vert}\,\delta\phi &\leq \text{Lon. AL} \\ \delta_{vert} + (\delta_{lat} + w_v/2)\,\delta\theta + (\delta_{lon} + l_v/2)\,\delta\phi &\leq \text{VAL} \end{aligned} \qquad (16)$$

In the above, our protection levels are written as a function of both position and orientation errors as developed in Section V. These coupled equations must satisfy the constraints developed in Sections III and IV, which describe the total allowable lateral, longitudinal, and vertical errors (alert limits) as a function of the road geometry and vehicle dimensions. These alert limits are summarized in Table VIII.

We are most constrained in horizontal components, especially the lateral direction, so we will use this as our driving constraint equation. Assuming angular errors are allowed to be the same in each direction, namely $\delta\theta = \delta\phi = \delta\psi = \delta\lambda$, the lateral component of (16) simplifies to:

$$\delta_{lat} + (\delta_{lon} + \delta_{vert} + l_v/2)\,\delta\lambda \leq \text{Lat. AL} \qquad (17)$$

Section III showed that for passenger vehicle limits, the sum of allowable longitudinal and vertical errors for freeway operation turns out to be approximately half the vehicle length $l_v/2$, so a good rule of thumb is:

$$\delta_{lat} + l_v\,\delta\lambda \leq \text{Lat. AL} \qquad (18)$$

Since the limiting $l_v$ for passenger vehicles is 5.8 meters and the lateral alert limit was set at 0.72 meters for freeway operation (see Table VIII), the acceptable error in orientation $\delta\lambda$ must be less than 0.1 radians (5.73 degrees) otherwise we quickly exceed this limit. A reasonable choice for $\delta\lambda$ seems to be an orientation error of 1.5 degrees (0.03 radians) which leads to a contribution of 0.15 meters when scaled by $l_v$. This leads to a required lateral positioning error $\delta_{lat}$ limit of 0.57 meters to meet our combined requirement.

Local streets have more stringent requirements. Though longitudinal requirements are tighter, equation (18) is still a reasonable approximation of how errors scale. Since the lateral alert limit in these conditions is 0.33 meters for passenger vehicle limits (see Table VIII), we require nearly a threefold improvement compared to freeway design numbers. This puts us around 0.5 degrees of orientation error $\delta\lambda$ which leads to an error contribution of 0.05 meters when scaled by $l_v$. This leaves us with an allowable lateral position error $\delta_{lat}$ of 0.29 meters.

Using design equations (16-18) as a guide, along with the geometric bounds given in Table VIII representing the total combined alert limits, bounds for position and orientation errors can be produced. To overload notation, we will also refer to these position and orientation bounds as alert limits. Using these numbers, we can obtain an approximation for the 95% accuracy requirements by assuming a Gaussian distribution. Though the error distribution of the localization system may not be Gaussian, when thinking of this in Gaussian terms, $(1 - 10^{-8})$ is 99.999999% or approximately 5.73σ. This gives us a sense when evaluating localization technologies of what statistics we should be looking for in terms of metrics like 95% accuracy performance (1.96σ).
In other words, when deriving hard error bounds (the alert limits) on localization requirements to a degree of certainty of $(1 - 10^{-8})$ we will take 95% (1.96σ) accuracy as approximately one third of this number since 1.96σ / 5.73σ = 1 / 2.92. This relationship is shown visually in Figure 19 for lateral freeway positioning requirements. Ultimately, there will be other considerations on the distribution of localization errors including smoothness of output and additional parameters such as acceleration and jerk which are relevant to controlling the vehicle for passenger comfort [49], [50].

Fig. 19. The desired error distribution for lateral positioning on freeways for passenger vehicle dimension limits, assuming a Gaussian distribution. This shows the 95% accuracy at 0.20 meters and hard error bound at 0.57 m at 99.999999% which is a probability of $(1 - 10^{-8})$.

Putting all of the information developed so far together, requirements can be broken down by road type and operation. The requirements for freeways and interchanges are summarized in Table IX for a variety of vehicles ranging from mid-size to large ‘dualie’ pickup trucks. This includes position and attitude alert limits, 95% accuracy, and the integrity requirements developed in Section II. The requirements for local roads are summarized in Table X for passenger vehicles. Though speeds are lower, the road geometry is tighter, leading to more stringent requirements on localization.

These results indicate that highway operations will require lateral accuracies in the 0.2 meters (95%) range, a conclusion which matches the requirements for lane departure warning systems [21], [51]. Longitudinal and vertical requirements are more forgiving, with numbers in the 0.4 meters (95%) range, with pointing requirements in each direction of 0.5 degrees (0.01 radians) (95%).
Operations on local roads require lateral and longitudinal accuracies in the 0.1 meters (95%) range with pointing requirements of 0.17 degrees (3 milliradians) (95%).

VIII. CONCLUSION

The localization requirements for autonomous vehicles represent the next order of magnitude in accuracy needs for widespread deployment. Here, localization requirements in terms of accuracy, integrity, and latency were developed based on vehicle dimensions, road geometry standards, and a target level of safety. Integrity risk allocation leveraged the approach taken in civil aviation where similar requirements on localization are derived at $10^{-8}$ probability of failure per hour of operation. Combining this with road geometry standards, requirements emerge for different road types and operation. For passenger vehicles operating on freeways, the result is a required lateral error bound of 0.57 m (0.20 m, 95%), a longitudinal bound of 1.40 m (0.48 m, 95%), a vertical bound of 1.30 m (0.43 m, 95%), and an attitude bound in each direction of 1.50 deg (0.51 deg, 95%). On local streets, the road geometry makes requirements more stringent where lateral and longitudinal error bounds of 0.29 m (0.10 m, 95%) are needed with an orientation requirement of 0.50 deg (0.17 deg, 95%).

It should be emphasized that these requirements are not for one particular localization method or technology, but for the system comprised of many pieces. In addition, the system must meet both 95% accuracy requirements and safety integrity level requirements in all weather and traffic conditions where operation is intended. The desired integrity levels cannot be demonstrated by vehicle testing alone, where reasonably sized testing fleets would have to be driven for potentially decades to obtain the necessary data [52]. Hence, innovative certification solutions may be necessary [52], [53].
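The budget allocation of Section VII can be checked numerically: equation (15) inflates a position budget by the attitude error, the lateral row of (16) is solved for the remaining position error, and the Gaussian scaling turns a hard bound into a 95% accuracy figure. The Python sketch below is an added example, not the authors' code; the function names are hypothetical, and reading 5.73σ as the two-sided Gaussian tail at $10^{-8}$ is an assumption that matches the paper's number.

```python
import math
from statistics import NormalDist


def protection_levels(d_lat, d_lon, d_vert, d_roll, d_pitch, d_head, w_v, l_v):
    """Eq. (15): combined (lateral, longitudinal, vertical) protection levels.
    Position errors in meters, attitude errors in radians (small angles);
    d_roll, d_pitch, d_head are the paper's delta-theta, delta-phi, delta-psi."""
    lat = d_lat + (d_lon + l_v / 2) * d_head + d_vert * d_roll
    lon = d_lon + (d_lat + w_v / 2) * d_head + d_vert * d_pitch
    vert = d_vert + (d_lat + w_v / 2) * d_roll + (d_lon + l_v / 2) * d_pitch
    return lat, lon, vert


def max_lateral_error(lat_al, d_lon, d_vert, d_ang, l_v):
    """Eq. (17) solved for d_lat: equal angular error d_ang on every axis."""
    return lat_al - (d_lon + d_vert + l_v / 2) * d_ang


def balanced_horizontal_error(al, d_vert, d_ang, l_v):
    """Eq. (17) with d_lon = d_lat, the balanced local-road case."""
    return (al - (d_vert + l_v / 2) * d_ang) / (1 + d_ang)


def sigma_multiplier(p_fail):
    """Number of standard deviations whose two-sided Gaussian tail is p_fail."""
    return -NormalDist().inv_cdf(p_fail / 2)


def accuracy_95(bound, p_fail=1e-8):
    """Scale a hard error bound held at probability (1 - p_fail) to 95%."""
    return bound * NormalDist().inv_cdf(0.975) / sigma_multiplier(p_fail)


if __name__ == "__main__":
    w_v, l_v = 2.1, 5.8                    # passenger vehicle limits, Table V
    # Freeway allocation from Table IX, checked against Table VIII limits.
    ang = math.radians(1.5)
    pls = protection_levels(0.57, 1.40, 1.30, ang, ang, ang, w_v, l_v)
    for name, pl, al in zip(("lat", "lon", "vert"), pls, (0.72, 1.50, 1.47)):
        print(f"freeway {name:4s} PL {pl:.3f} m  AL {al:.2f} m  "
              f"margin {al - pl:+.3f} m")

    print(f"freeway max lateral error: "
          f"{max_lateral_error(0.72, 1.40, 1.30, ang, l_v):.3f} m")
    print(f"local balanced error:      "
          f"{balanced_horizontal_error(0.33, 1.40, math.radians(0.5), l_v):.3f} m")

    print(f"sigma multiplier at 1e-8:  {sigma_multiplier(1e-8):.2f}")
    for bound in (0.57, 1.40, 1.30, 0.29):
        print(f"bound {bound:.2f} m -> 95% accuracy {accuracy_95(bound):.3f} m")
```

The exact ratio 1.96 / 5.73 gives about 0.195 m for the 0.57 m bound, which the paper's "approximately one third" rounds to 0.20 m.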
TABLE IX
LOCALIZATION REQUIREMENTS FOR US FREEWAY OPERATION WITH INTERCHANGES. THIS ASSUMES MINIMUM LANE WIDTHS OF 3.6 METERS AND ALLOWABLE SPEEDS UP TO 137 KM/H (85 MPH).

| Vehicle Type | Accuracy (95%) Lateral [m] | Accuracy (95%) Long. [m] | Accuracy (95%) Vertical [m] | Accuracy (95%) Attitude* [deg] | Alert Limit Lateral [m] | Alert Limit Long. [m] | Alert Limit Vertical [m] | Alert Limit Attitude* [deg] | Prob. of Failure (Integrity) |
|---|---|---|---|---|---|---|---|---|---|
| Mid-Size | 0.24 | 0.48 | 0.44 | 0.51 | 0.72 | 1.40 | 1.30 | 1.50 | $10^{-9}$ / mile ($10^{-8}$ / hour) |
| Full-Size | 0.23 | 0.48 | 0.44 | 0.51 | 0.66 | 1.40 | 1.30 | 1.50 | $10^{-9}$ / mile ($10^{-8}$ / hour) |
| Standard Pickup | 0.21 | 0.48 | 0.44 | 0.51 | 0.62 | 1.40 | 1.30 | 1.50 | $10^{-9}$ / mile ($10^{-8}$ / hour) |
| Passenger Vehicle Limits | 0.20 | 0.48 | 0.44 | 0.51 | 0.57 | 1.40 | 1.30 | 1.50 | $10^{-9}$ / mile ($10^{-8}$ / hour) |
| 6-Wheel Pickup | 0.14 | 0.48 | 0.44 | 0.51 | 0.40 | 1.40 | 1.30 | 1.50 | $10^{-9}$ / mile ($10^{-8}$ / hour) |

*Error in each direction (roll, pitch, and heading).

TABLE X
LOCALIZATION REQUIREMENTS FOR US LOCAL ROADS. THIS ASSUMES LANES 3.0 METERS WIDE WITH A MINIMUM CURVATURE OF 20 METERS OR 3.3 METERS WIDE WITH MINIMUM CURVATURE OF 10 METERS.

| Vehicle Type | Accuracy (95%) Lateral [m] | Accuracy (95%) Long. [m] | Accuracy (95%) Vertical [m] | Accuracy (95%) Attitude* [deg] | Alert Limit Lateral [m] | Alert Limit Long. [m] | Alert Limit Vertical [m] | Alert Limit Attitude* [deg] | Prob. of Failure (Integrity) |
|---|---|---|---|---|---|---|---|---|---|
| Mid-Size | 0.15 | 0.15 | 0.48 | 0.17 | 0.44 | 0.44 | 1.40 | 0.50 | $10^{-9}$ / mile ($10^{-8}$ / hour) |
| Full-Size | 0.13 | 0.13 | 0.48 | 0.17 | 0.38 | 0.38 | 1.40 | 0.50 | $10^{-9}$ / mile ($10^{-8}$ / hour) |
| Standard Pickup | 0.12 | 0.12 | 0.48 | 0.17 | 0.34 | 0.34 | 1.40 | 0.50 | $10^{-9}$ / mile ($10^{-8}$ / hour) |
| Passenger Vehicle Limits | 0.10 | 0.10 | 0.48 | 0.17 | 0.29 | 0.29 | 1.40 | 0.50 | $10^{-9}$ / mile ($10^{-8}$ / hour) |

*Error in each direction (roll, pitch, and heading).

In addition, the localization requirements presented here are with respect to knowledge of where roads and lanes are in the world. Hence, these requirements are with respect to the map.
The map will also have its own uncertainty $\sigma_{map}$ with respect to the global reference, e.g. the WGS-84 datum, as also discussed in [51]. The relationship between the vehicle’s localization uncertainty in the global frame $\sigma_{global}$, its localization uncertainty relative to the map $\sigma_{relative}$, and the uncertainty of the map itself $\sigma_{map}$ with respect to the global frame is given by the following:

$$\sigma_{global}^2 = \sigma_{relative}^2 + \sigma_{map}^2 \qquad (19)$$

Well geo-referenced maps tied to global datums such as WGS-84 will likely be necessary for interoperability of maps between potentially many map suppliers. These maps can be made with survey-grade equipment and post-processing and could have errors much less than the real-time vehicle localization requirements.

What has been presented here are localization requirements based on the limiting road geometry. Additional requirements based on operational and other constraints will continue to evolve, but this provides a baseline. These geometrical constraints represent the worst cases; with a-priori highly detailed maps of the environment, the road geometry will be known and hence localization resources can be adjusted on the fly to meet demand and could even be a layer in the map itself. Achieving these requirements represents challenges in sensor and algorithm development along with multi-modal sensor fusion to obtain the reliability levels needed for safe operation. Some techniques involving LiDAR, radar, and cameras rely on a-priori maps and give map-relative position. Others such as GNSS give global absolute position. Combining these and other technologies and selecting those most appropriate for the desired level of autonomous operation in a way that ensures integrity for safe operation is the challenge that lies ahead.

ACKNOWLEDGMENTS

The authors would like to thank Ford Motor Company for supporting this work.

REFERENCES

[1] T. G. R. Reid, “Orbital diversity for global navigation satellite systems,” Ph.D. dissertation, Stanford University, 2017. [Online]. Available: https://searchworks.stanford.edu/view/12064597
[2] P. V. H. Weems, “Accuracy of Marine Navigation,” Navigation, vol. 2, no. 10, pp. 354–357, 1951. [Online]. Available: http://doi.wiley.com/10.1002/j.2161-4296.1951.tb00481.x
[3] R. Dippy, “Gee: a radio navigational aid,” Journal of the Institution of Electrical Engineers - Part IIIA: Radiolocation, vol. 93, no. 2, pp. 468–480, 1946. [Online]. Available: http://digital-library.theiet.org/content/journals/10.1049/ji-3a-1.1946.0131
[4] R. J. Kelly and D. R. Cusick, “Distance Measuring Equipment and its Evolving Role in Aviation,” Advances in Electronics and Electron Physics, vol. 68, pp. 1–243, jan 1986. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S0065253908608549
[5] S. Lo, Y. H. Chen, B. Peterson, and R. Erikson, “Distance Measuring Equipment Accuracy Performance Today and for Future Alternative Position Navigation and Timing (APNT),” in Proceedings of the 26th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS 2013), Nashville, TN, 2013, pp. 711–721.
[6] T. A. Stansell, “The Navy Navigation Satellite System: Description and Status,” Navigation, vol. 15, no. 3, pp. 229–243, sep 1968. [Online]. Available: http://doi.wiley.com/10.1002/j.2161-4296.1968.tb01612.x
[7] ——, “Transit, the Navy Navigation Satellite System,” Navigation, vol. 18, no. 1, pp. 93–109, mar 1971. [Online]. Available: http://doi.wiley.com/10.1002/j.2161-4296.1971.tb00077.x
[8] B. W. Parkinson, T. Stansell, R. Beard, and K. Gromov, “A History of Satellite Navigation,” Navigation, vol. 42, no. 1, pp. 109–164, mar 1995. [Online]. Available: http://doi.wiley.com/10.1002/j.2161-4296.1995.tb02333.x
[9] William J. Hughes Technical Center Federal Aviation Administration GPS Product Team, “Global Positioning System (GPS) Standard Positioning Service (SPS) Performance Analysis Report, Report #72,” Tech. Rep., 2011. [Online]. Available: http://www.nstb.tc.faa.gov/reports/PAN72_0111.pdf
[10] ——, “Global Positioning System (GPS) Standard Positioning Service (SPS) Performance Analysis Report, Report #32,” Tech. Rep., 2001. [Online]. Available: http://www.nstb.tc.faa.gov/reports/PAN32_0101.pdf
[11] ——, “Global Positioning System (GPS) Standard Positioning Service (SPS) Performance Analysis Report, Report #52,” Tech. Rep., 2006. [Online]. Available: http://www.nstb.tc.faa.gov/reports/PAN52_0106.pdf
[12] ——, “Global Positioning System (GPS) Standard Positioning Service (SPS) Performance Analysis Report, Report #96,” Tech. Rep., 2017. [Online]. Available: http://www.nstb.tc.faa.gov/reports/PAN96_0117.pdf
[13] F. van Diggelen and P. K. Enge, “The World’s first GPS MOOC and Worldwide Laboratory using Smartphones,” in Proceedings of the 28th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS+ 2015), Tampa, FL, 2015, pp. 361–369.
[14] SAE International, “Taxonomy and Definitions for Terms Related to Driving Automation Systems for On-Road Motor Vehicles (J3016B),” Tech. Rep., 2018. [Online]. Available: https://www.sae.org/standards/content/j3016_201806/
[15] J. Hughes, “Car Autonomy Levels Explained,” 2018. [Online]. Available: http://www.thedrive.com/sheetmetal/15724/what-are-these-levels-of-autonomy-anyway
[16] E. Ackerman, “Cadillac Adds Level 2 Highway Autonomy With Super Cruise,” 2017. [Online]. Available: https://spectrum.ieee.org/cars-that-think/transportation/self-driving/cadillac-adds-level-2-highway-autonomy-with-super-cruise
[17] M. Harris, “Waymo Filings Give New Details on Its Driverless Taxis,” 2018. [Online]. Available: https://spectrum.ieee.org/cars-that-think/transportation/self-driving/waymo-filings-give-new-details-on-its-driverless-taxis
[18] C. Basnayake, T. Williams, P. Alves, and G. Lachapelle, Can GNSS drive V2X?, oct 2010, vol. 21. [Online]. Available: http://gpsworld.com/transportationroadcan-gnss-drive-v2x-10611/
[19] National Highway Traffic Safety Administration and Department of Transportation, “Federal Motor Vehicle Safety Standards; V2V Communications, Docket No. NHTSA20160126, RIN 2127AL55,” Washington, DC, Tech. Rep., 2017.
[20] S. Stephenson, “Automotive applications of high precision GNSS,” Ph.D. dissertation, University of Nottingham, dec 2016. [Online]. Available: http://eprints.nottingham.ac.uk/38716/
[21] Y. Feng, C. Wang, and C. Karl, “Determination of Required Positioning Integrity Parameters for Design of Vehicle Safety Applications,” in Proceedings of the 2018 International Technical Meeting of The Institute of Navigation, Reston, Virginia, 2018, pp. 129–141.
[22] Insurance Institute for Highway Safety and Highway Loss Data Institute, “Fatality Facts.” [Online]. Available: http://www.iihs.org/iihs/topics/t/general-statistics/fatalityfacts/state-by-state-overview
[23] U.S. Department of Transportation, “Transportation Statistics Annual Report (TSAR) 2017,” Washington, DC, 2017.
[24] S. Singh, “Critical reasons for crashes investigated in the National Motor Vehicle Crash Causation Survey (Traffic Safety Facts Crash - Stats. Report No. DOT HS 812 115),” National Highway Traffic Safety Administration, Washington, DC, Tech. Rep., 2015. [Online]. Available: https://crashstats.nhtsa.dot.gov/Api/Public/ViewPublication/812115
[25] C. V. Oster and J. S. Strong, “Analyzing road safety in the United States,” Research in Transportation Economics, vol. 43, no. 1, pp. 98–111, jul 2013. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S0739885912002090
[26] A. C. Busch, “Methodology for Establishing A Target Level of Safety,” Department of Transportation, Federal Aviation Administration, Atlantic City Airport, NJ, Tech. Rep., 1985. [Online]. Available: http://www.tc.faa.gov/its/worldpac/techrpt/cttn85-36.pdf
[27] R. J. Kelly and J. M. Davis, “Required Navigation Performance (RNP) for Precision Approach and Landing with GNSS Application,” Navigation, vol. 41, no. 1, pp. 1–30, mar 1994. [Online]. Available: http://doi.wiley.com/10.1002/j.2161-4296.1994.tb02320.x
[28] B. Roturier, E. Chatre, and J. Ventura-Traveset, “The SBAS integrity concept standardised by ICAO: Application to EGNOS,” Navigation - Paris, vol. 49, no. 196, pp. 65–77, 2001.
[29] L. Blincoe, T. R. Miller, E. Zaloshnja, and B. A. Lawrence, “The Economic and Societal Impact of Motor Vehicle Crashes, 2010 (Revised),” U.S. Department of Transportation, National Highway Traffic Safety Administration, Washington DC, Tech. Rep., 2015. [Online]. Available: www.ntis.gov.
[30] Oregon Department of Transportation, “2013 Crash Rates by Jurisdiction and Functional Classification,” Oregon Department of Transportation, Tech. Rep., 2013. [Online]. Available: https://www.oregon.gov/ODOT/
[31] ——, “2014 Crash Rates by Jurisdiction and Functional Classification,” Oregon Department of Transportation, Tech. Rep., 2014. [Online]. Available: https://www.oregon.gov/ODOT/
[32] M. Wood, N. Earnhart, and K. Kennett, “Airbag Deployment Thresholds from Analysis of the NASS EDR Database,” SAE International Journal of Passenger Cars - Electronic and Electrical Systems, vol. 7, no. 1, pp. 2014–01–0496, apr 2014. [Online]. Available: http://papers.sae.org/2014-01-0496/
[33] International Maritime Organization, “Revised maritime policy and requirements for a future GNSS,” 2002.
[34] J. Speidel, M. Tossaint, S. Wallner, and J. Á.
´ Avila-Rodr ´ ıguez, “Integrity for A viation Comparing Future Concepts, ” Inside GNSS , pp. 54–64, 2013. [35] J. Marais, J. Beugin, and M. Berbineau, “A Survey of GNSS- Based Research and Developments for the European Railway Signaling, ” IEEE Tr ansactions on Intelligent T ransportation Systems , vol. 18, no. 10, pp. 2602–2618, oct 2017. [Online]. A v ailable: http://ieeexplore.ieee.or g/document/7857080/ [36] A. Filip, H. Mocek, and J. Suchanek, “Significance of the Galileo Signal- in-Space Integrity and Continuity for Railway Signalling and T rain Control, ” in 8 th W orld Congress on Railway Resear ch (WCRR) , Seoul, K orea, 2008. [37] T . Reid, T . W alter , J. Blanch, and P . Enge, “GNSS Integrity in The Arctic, ” Navigation , vol. 63, no. 4, pp. 469–492, dec 2016. [Online]. A v ailable: http://doi.wiley .com/10.1002/na vi.169 [38] E. V erhulst, “From Safety Integrity Level to Assured Reliability and Resilience Level for Compositional Safety Critical Systems.” 2013. [39] E. V erhulst and B. H. Sputh, “ARRL: A criterion for compositional safety and systems engineering: A normative approach to specifying components, ” in 2013 IEEE International Symposium on Softwar e Reliability Engineering W orkshops (ISSREW) . IEEE, nov 2013, pp. 37–44. [Online]. A vailable: http://ieeexplore.ieee.or g/lpdocs/epic03/ wrapper .htm?arnumber=6688861 [40] P . Baufreton, J. P . Blanquart, J. L. Boulanger, H. Delseny , J. C. Derrien, J. Gassino, G. Ladier, E. Ledinot, M. Leeman, and P . Qu ´ er ´ e, “Multi- domain comparison of safety standards, ” in Pr oceedings of the 5th international confer ence on embedded real time software and systems (ERTS-2010) , T oulouse, 2010. [41] J.-P . Blanquart, J.-M. Astruc, P . Baufreton, J.-L. Boulanger , H. Delseny , J. Gassino, G. Ladier , E. Ledinot, M. Leeman, and J. 
Machrouh, “Criticality categories across safety standards in different domains, ” in Pr oceedings of the 5th international conference on embedded real time softwar e and systems (ERTS 2012) , T oulouse, 2012. [42] J. Machrouh, J.-P . Blanquart, P . Baufreton, and J.-L. Boulanger, “Cross domain comparison of System Assurance, ” in Pr oceedings of the 5th international confer ence on embedded real time software and systems (ERTS-2012) , T oulouse, 2012. 16 [43] P . Kafka, “The Automotive Standard ISO 26262, the Innov ativ e Dri ver for Enhanced Safety Assessment & T echnology for Motor Cars, ” Pr ocedia Engineering , vol. 45, pp. 2–10, jan 2012. [Online]. A vailable: https://www .sciencedirect.com/science/article/pii/S1877705812031244 [44] American Association of State Highway and T ransportation Officials, “A Policy on Geometric Design of Highways and Streets, ” 2001. [45] U.S. Department of Transportation Federal Highway Administration, “Federal Size Re gulations for Commercial Motor V ehicles, ” W ashington, DC, p. 17, 2017. [46] United States Department of T ransportation and Federal Highway Administration, “Roundabouts: An Informational Guide, ” McLean, VI, T ech. Rep., 2000. [Online]. A vailable: https://www .fhwa.dot.gov/ publications/research/safety/00067/00067.pdf [47] W ashington State Department of Transportation, “Design Manual, ” Olympia, W A, 2017. [48] United States Department of T ransportation Federal Highway Admin- istration, “Manual on Uniform Traf fic Control Devices for Streets and Highways, ” 2009. [49] C. C. Smith, D. Y . McGehee, and A. J. Healey , “The Prediction of Passenger Riding Comfort From Acceleration Data, ” Journal of Dynamic Systems, Measurement, and Contr ol , vol. 100, no. 1, p. 34, mar 1978. [50] R. O’Brien, P . Iglesias, and T . Urban, “V ehicle lateral control for automated highway systems, ” IEEE T ransactions on Contr ol Systems T echnology , vol. 4, no. 3, pp. 266–273, may 1996. [Online]. 
Dr. Tyler G. R. Reid is a Research Engineer on the Controls and Automated Systems team at Ford Motor Company working in the area of localization and mapping. He is also a lecturer at Stanford University in Aeronautics and Astronautics. He received his Ph.D. (’17) and M.S. (’12) in Aeronautics and Astronautics from Stanford where he worked in the GPS Research Lab. In 2015, he worked as a Software Engineer at Google’s Street View. He completed his B.Eng. in Mechanical Engineering (’10) at McGill University.

Dr. Sarah E. Houts is a Research Engineer at Ford Autonomous Vehicles LLC, working on mapping and localization technologies for Autonomous Vehicles. She received her Ph.D. (’16) and M.Sc. (’08) in Aeronautics and Astronautics from Stanford University, where she worked in the Aerospace Robotics Lab focusing on localization and path planning for autonomous underwater vehicles. She also received her B.S. (’06) in Aerospace Engineering from UC San Diego.

Robert Cammarata is a Supervisor for the Autonomous Vehicle Systems Engineering (AVSE) team at Ford Autonomous Vehicles LLC. One aspect of his current responsibilities includes overseeing and developing systems engineering strategies and functional safety activities for autonomous vehicle systems. He achieved a Master of Science in Electrical Engineering from the University of Michigan. Prior to employment at Ford, he held positions at Chrysler, Mercedes Benz RDNA, kVA, Apple, Tesla, and GM developing embedded software, embedded architectures, functional safety analysis and cybersecurity solutions for traditional, hybrid, electrified, and autonomous vehicles.

Dr. Graham Mills is a Research Engineer at Ford Autonomous Vehicles, LLC specializing in LiDAR calibration and mapping. He received his PhD (’15) in Geomatics and Geology from Queen’s University, where his research focused on automated classification of rock surface geometry in LiDAR scans.

Siddharth Agarwal is a Research Engineer at Ford Autonomous Vehicles LLC. He received his M.S. (’15) in Electrical Engineering from Texas A&M University with a research focus on Unmanned Aerial Vehicles. His areas of interest include localization, mapping, and multi-agent autonomous systems.

Ankit Vora is a Research Engineer at Ford Autonomous Vehicles LLC working in the area of mapping and localization. His research focus is on SLAM, state estimation for autonomous vehicles, localization, and place recognition. He received his M.S.E. (’16) in Mechanical Engineering, specializing in Robotics, from the University of Pennsylvania.

Dr. Gaurav Pandey is a Technical Expert in the Controls and Automated Systems department of Ford Motor Company. He is currently leading the mapping and localization group at Ford and is working on developing localization algorithms for SAE level 3 and level 4 autonomous vehicles. Prior to Ford, Dr. Pandey was an Assistant Professor at the Electrical Engineering department of Indian Institute of Technology (IIT) Kanpur in India. At IIT Kanpur he was part of two research groups: (i) Control and Automation, (ii) Signal Processing and Communication. His research focus is on visual perception for autonomous vehicles and mobile robots using tools from computer vision, machine learning, and information theory. He did his B-Tech from IIT Roorkee in 2006 and completed his Ph.D. from University of Michigan, Ann Arbor in December 2013.