Auto Safety, Integrity, Autonomy: Live Test Results Show Confidence

An innovative positioning engine for safety-oriented navigation of autonomous cars uses a dual-frequency GNSS receiver, automotive cameras, accurate maps, low-cost inertial sensors and vehicle odometry. A real-time integrity layer bounds the error of each estimated value with a confidence level for safe driverless navigation.

By Enrique Domínguez Tijero, Adrian Chamorro Moreno, Maria Teresa Fernández Calzón, Jessica García, Javier Ibañez-Guzmán, Emmanuel Stawiarski, Philippe Xu, Giuseppe Avellone, Fabio Pisoni, Emanuela Falletti and Miguel Ortiz

Live testing of an autonomous car in November 2019 yielded positioning performances with safety confidence, achieved by estimated protection levels designed into the positioning engine. In the European Safety Critical Applications Positioning Engine (ESCAPE) GNSS Engine (EGE), a real-time precise point positioning (PPP) hybrid algorithm employs dual-frequency GPS and Galileo measurements, inertial sensors and PPP corrections from a web server over a cellular network.

A robust hybrid GNSS (GPS + Galileo) standard positioning algorithm performs consistency checks in parallel for safety. This improves the accuracy by integrating data from several vehicle sensors. EGE enables potential use of the Galileo signal authentication feature and tests provision of an integrity layer to assess the degree of trust one can associate with the position information provided by the device.

Automotive intelligent cameras provide lateral distance measurements to road-lane markings, combined with data showing position computed relative to lane-level accurate maps. This yields an accurate position relative to the map and enables estimation of the associated integrity Protection Levels (PLs), computed for multiple-target integrity risks (IRs).


In safety-critical applications such as autonomous driving, the integrity layer is crucial, because it can be more important to know whether the information is reliable than the precise information itself. This integrity layer determines the degree of usability of the location and orientation estimations to ensure that the vehicle operates safely.

The EGE is close to market releasee, with safety as its core specification. The design is based on ISO 26262 recommendations in “Road vehicles—Functional safety,” an international standard for functional safety of electrical and/or electronic systems in production automobiles since 2011.

ESCAPE provides a hybrid solution with an integrity layer making the most of all the sensors found in Level 4 SAE vehicles. Level 4 is defined as “mind off”: no driver attention is ever required for safety. For example, the driver may safely go to sleep or leave the driver’s seat. Self-driving might be initially supported in limited spatial areas (geofenced) or under special conditions. Outside these, the vehicle must be able to safely abort the trip; that is, park the car, if the driver does not retake control.


EGE components are organized in a modular architecture: a main board hosting the GNSS sensors and processing and a core module implementing system functions. All interfaces, configurations and form factors comply with recognized sector trends.

EGE’s automotive-grade GNSS receiver is capable of simultaneously processing signals from two different GNSS frequencies and from different satellite constellations. This capability is common in high-end professional receivers but it represents a leading-edge industrial development in the automotive Tier 2 sector, where the EGE meets combined highly demanding safety and high-volume, comparatively limited cost and size requirements.

The receiver supports the new Navigation Message Authentication service of Galileo in the open E1 signal, where added cryptographic protection in the navigation message provides data-level authentication.

Finally, the new GNSS receiver includes several core signal-processing enhancements: better receiver sensitivity and tracking capability, multipath mitigation, more intermediate frequency (IF) channels and flexibility in routing IF samples, jamming detection and mitigation, and optimization of the GNSS data flow.

The EGE software is hosted in a multi-processor system-on-chip. Its architecture is organized in three layers: the board support package, the middleware layer and the algorithm facility application layer.

Figure 1: Conceptual block diagram of the in-car system including the ESCAPE GNSS Engine


The EGE uses two main position and integrity algorithms:

GNSS+SENSORS ALGORITHM. GNSS measurements are integrated with those provided by the inertial measurement unit (IMU) to provide a GNSS position with integrity. This position is computed by combining Standard Point Positioning (SPP) and Precise Point Positioning (PPP) algorithms. The PPP algorithm can reach decimeter-level positioning accuracy. The corrections service does not require data from reference stations near the user. Instead, it processes code-phase and carrier-phase GNSS observations from a worldwide network and computes corrections to the GNSS broadcast ephemeris. These are sent to the user over the internet, providing a precise trajectory over long distances.

CAMERA-BASED ALGORITHM. Road-lane data stored in accurate digital maps are integrated with intelligent camera measurements to provide the lateral distance to the lane markings. This enables a second positioning service with accuracies that can reach a few centimeters in the cross direction. The algorithm employs speed and yaw rate measurements from the vehicle IMU to reach the maximum possible accuracy.


The integrity of a positioning estimate refers to the confidence one can give to the correctness of the estimate with respect to the true (but unknown) quantity. This confidence is expressed in the language of GNSS positioning with the concepts of PL and IR. The PL should bound the error with a certain confidence level. The IR is the probability that the error exceeds the PL. A well-established and trustable framework to set IRs and compute PLs is compulsory for any application requiring an estimated position as an input to safety critical operations. It is required for financial transactions such as road tolling or insurance, and law enforcement, though risk levels differ.

The EGE provides each position estimate with a PL. PLs are computed with the Kalman Integrated PL algorithm, based on dynamically modeling the different components of the positioning error with a properly parameterized error probability distribution. Each distribution is processed and updated separately, contributing to the total error probability. The PL is computed as the maximum error level whose probability is below a given IR. The integrity module sends the integrity solution as a set of PLs corresponding to different target IRs to the application vehicle controlling software stack.

One way to use these PLs is to raise an alert when the PL corresponding to a certain IR becomes greater than the alarm limit required by the user depending on the circumstances.

Figure 2: July test, along-track/longitudinal errors bounded by the computed PLs

Figure 3: Cross/lateral errors bounded by the computed PLs


The EGE was integrated in a UTC-Renault autonomous car for driving tests in July 2019 at the University of Technology of Compiègne (UTC) in France. The car also carried a high-grade trajectory reference system (GNSS+high-grade IMU); its post-processed centimeter-error solution served as a truth reference to assess EGE performance.

The tests followed a route covering three different environments: Open Sky, Sub-Urban and Urban. The EGE GNSS receiver tracked L1/E1 and L5/E5a bands. This inherently limits the number of usable satellites currently in orbit, so only a maximum of 7–9 dual-frequency satellites were in view: 3–5 GPS L1&L5 satellites and 3–5 Galileo satellites. The final EGE GNSS receiver will be capable of tracking GPS L1 and L2C and Galileo E1 and E5b, thus increasing the number of available dual-frequency GPS satellites.

Camera measurements (lane-marks) were usually available for Open Sky roads but not in roundabouts and not always for Sub-Urban and Urban streets. Figures show EGE results in each environment, running PPP and enhancing the computed solution with camera measurements and vehicle sensors.

In Open Sky conditions, along and cross errors are below 1 meter, a very good result considering only 6–9 dual-frequency satellites in view and no camera measurements available at some parts of the route.

In Sub-Urban, the lower amount of camera measurements increases the cross/lateral errors, while in Urban, besides having fewer camera measurements, the limited number of satellites in view due to buildings increases the error in both dimensions. Nevertheless, Sub-Urban errors are close to 1 meter and almost all Urban errors are below 2 meters; again, excellent results.

The size of the computed PLs is also very low, satisfying the IR for which they were computed. Figures two and three show PLs computed in real time by successfully bounding error of the estimated positions.

Public tests of the ESCAPE project took place in November. A Renault ZOE electric car was autonomously driven on tracks and manually on public roads.

During the track demo, participants and journalists rode in the driverless vehicle on the UTC track. In the manual demo, the car was driven on a public road in Compiègne to demonstrate the system’s potential in a peri-urban environment. No passengers rode in the car, but participants watched a live video of the test, broadcast with the estimated position obtained using the EGE along with RTK.


The EGE provides a hybrid solution with an integrity layer, making the most of all sensors that should be present in Level 4 SAE vehicles. Enabling automated driving functions up to SAE Level 4, EGE creates a new paradigm of safety-oriented navigation technology on the road.